Rule-based application access management

US 8,752,128 B2
Filed: 08/24/2012
Issued: 06/10/2014
Est. Priority Date: 10/23/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

displaying resources;

providing altitude stored in a table for a set of the resources;

providing access control rules stored in the table for the set of resources at the altitude;

providing a file object and a path in a table entry of the table associated with a resource of the set of resources, wherein the table entry further includes the altitude and an access control rule of the access control rules;

receiving at runtime a request for the resource from an application having a process ID;

determining whether the process ID is associated with the file object and the path;

if it is determined that the process ID is associated with the file object and the path;

populating a runtime table with the altitude, the access control rule, and the process ID;

if it is determined that the process ID is not associated with the file object and the path;

setting the access control rule to a Pass Through access control rule;

populating the runtime table with the altitude, the Pass Through access control rule, and the process ID;

providing security settings for the set of resources at the altitude.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A container that manages access to protected resources using rules to intelligently manage them includes an environment having a set of software and configurations that are to be managed. A rule engine, which executes the rules, may be called reactively when software accesses protected resources. The engine uses a combination of embedded and configurable rules. It may be desirable to assign and manage rules per process, per resource (e.g. file, registry, etc.), and per user. Access rules may be altitude-specific access rules.

Citations

23 Claims

1. A method comprising:
- displaying resources;
  
  providing altitude stored in a table for a set of the resources;
  
  providing access control rules stored in the table for the set of resources at the altitude;
  
  providing a file object and a path in a table entry of the table associated with a resource of the set of resources, wherein the table entry further includes the altitude and an access control rule of the access control rules;
  
  receiving at runtime a request for the resource from an application having a process ID;
  
  determining whether the process ID is associated with the file object and the path;
  
  if it is determined that the process ID is associated with the file object and the path;
  
  populating a runtime table with the altitude, the access control rule, and the process ID;
  
  if it is determined that the process ID is not associated with the file object and the path;
  
  setting the access control rule to a Pass Through access control rule;
  
  populating the runtime table with the altitude, the Pass Through access control rule, and the process ID;
  
  providing security settings for the set of resources at the altitude.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the resources include files and registry keys, further comprising:
    - determining a current altitude, wherein the current altitude is represented as a whole number;
      
      setting up selective hooks for files at the current altitude in accordance with the altitude for files of the set of resources where the altitude equals the current altitude, while the current altitude is greater than zero.
  - 3. The method of claim 2, further comprising, while the current altitude is greater than zero, setting up registry hooks for registry keys at the current altitude in accordance with the altitude for registry keys of the set of resources where the altitude equals the current altitude.
  - 4. The method of claim 2, further comprising, while the current altitude is greater than zero, simulating an environment at the current altitude.
  - 5. The method of claim 2, further comprising, while the current altitude is greater than zero, decrementing the current altitude.
  - 6. The method of claim 1, further comprising, when the altitude is zero:
    - writing files to a system;
      
      changing a registry of the system;
      
      updating environment variables of the system.
  - 7. The method of claim 1, further comprising:
    - initiating a request in association with a process ID for a resource having a resource ID at a first altitude;
      
      looking up the process ID and the resource ID in a requestor-specific access control table for the first altitude to determine access control.
  - 8. The method of claim 7, further comprising:
    - looking up the resource ID in a resource-specific access control table for the first altitude to determine file access type;
      
      granting access of the file access type to the resource at the first altitude if the access control is Accept.
  - 9. The method of claim 7, further comprising executing an altitude-specific procedure if the access control is Pause.
  - 10. The method of claim 7, further comprising:
    - decrementing the first altitude, yielding a second altitude;
      
      looking up the process ID and the resource ID in a requestor-specific access control table for the second altitude to determine access control if the second altitude is greater than zero;
      
      granting access at altitude zero if the second altitude is zero.
  - 11. The method of claim 7, further comprising denying the request if the access control is Deny.

12. A system comprising:
- at least one processor;
  
  memory storing instructions configured to instruct the at least one processor to perform;
  
  displaying resources;
  
  providing altitude stored in a table for a set of the resources;
  
  providing access control rules stored in the table for the set of resources at the altitude;
  
  providing a file object and a path in a table entry of the table associated with a resource of the set of resources, wherein the table entry further includes the altitude and an access control rule of the access control rules;
  
  receiving at runtime a request for the resource from an application having a process ID;
  
  determining whether the process ID is associated with the file object and the path;
  
  if it is determined that the process ID is associated with the file object and the path;
  
  populating a runtime table with the altitude, the access control rule, and the process ID;
  
  if it is determined that the process ID is not associated with the file object and the path;
  
  setting the access control rule to a Pass Through access control rule;
  
  populating the runtime table with the altitude, the Pass Through access control rule, and the process ID;
  
  providing security settings for the set of resources at the altitude.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the resources include files and registry keys, further comprising:
    - determining a current altitude, wherein the current altitude is represented as a whole number;
      
      setting up selective hooks for files at the current altitude in accordance with the altitude for files of the set of resources where the altitude equals the current altitude, while the current altitude is greater than zero.
  - 14. The system of claim 13, wherein the instructions are further configured to instruct the at least one processor to perform, while the current altitude is greater than zero, setting up registry hooks for registry keys at the current altitude in accordance with the altitude for registry keys of the set of resources where the altitude equals the current altitude.
  - 15. The system of claim 13, wherein the instructions are further configured to instruct the at least one processor to perform, while the current altitude is greater than zero, simulating an environment at the current altitude.
  - 16. The system of claim 13, wherein the instructions are further configured to instruct the at least one processor to perform, while the current altitude is greater than zero, decrementing the current altitude.
  - 17. The system of claim 12, wherein the instructions are further configured to instruct the at least one processor to perform, when the altitude is zero:
    - writing files to a system;
      
      changing a registry of the system;
      
      updating environment variables of the system.
  - 18. The system of claim 12, wherein the instructions are further configured to instruct the at least one processor to perform:
    - initiating a request in association with a process ID for a resource having a resource ID at a first altitude;
      
      looking up the process ID and the resource ID in a requestor-specific access control table for the first altitude to determine access control.
  - 19. The system of claim 18, wherein the instructions are further configured to instruct the at least one processor to perform:
    - looking up the resource ID in a resource-specific access control table for the first altitude to determine file access type;
      
      granting access of the file access type to the resource at the first altitude if the access control is Accept.
  - 20. The system of claim 18, wherein the instructions are further configured to instruct the at least one processor to perform executing an altitude-specific procedure if the access control is Pause.
  - 21. The system of claim 18, wherein the instructions are further configured to instruct the at least one processor to perform:
    - decrementing the first altitude, yielding a second altitude;
      
      looking up the process ID and the resource ID in a requestor-specific access control table for the second altitude to determine access control if the second altitude is greater than zero;
      
      granting access at altitude zero if the second altitude is zero.
  - 22. The system of claim 18, wherein the instructions are further configured to instruct the at least one processor to perform denying the request if the access control is Deny.

23. A system comprising a processor, further comprising:
- means for displaying resources;
  
  means for providing altitude stored in a table for a set of the resources;
  
  means for providing access control rules stored in the table for the set of resources at the altitude;
  
  means for providing a file object and a path in a table entry of the table associated with a resource of the set of resources, wherein the table entry further includes the altitude and an access control rule of the access control rules;
  
  means for receiving at runtime a request for the resource from an application having a process ID;
  
  means for determining whether the process ID is associated with the file object and the path;
  
  means for populating a runtime table with the altitude, the access control rule, and the process ID if it is determined that the process ID is associated with the file object and the path;
  
  means for setting the access control rule to a Pass Through access control rule if it is determined that the process ID is not associated with the file object and the path;
  
  means for populating the runtime table with the altitude, the Pass Through access control rule, and the process ID if it is determined that the process ID is not associated with the file object and the path;
  
  means for providing security settings for the set of resources at the altitude.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Numecent Holdings Incorporated
Original Assignee
Numecent Holdings Incorporated
Inventors
Hitomi, Arthur Shingen, Tran, Robert, Kammer, Peter Joseph, Pfiffner, Doug, Nguyen, Huy
Primary Examiner(s)
Okeke, Izunna

Application Number

US13/594,546
Publication Number

US 20120324530A1
Time in Patent Office

655 Days
Field of Search

None
US Class Current

726/2
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/468   Specific access rights for ...

H04L 41/0813   characterised by the condit...

H04L 41/145   involving simulating, desig...

H04L 43/0823   Errors, e.g. transmission e...

H04L 63/10   for controlling access to d...

H04L 63/108   when the policy decisions a...

Rule-based application access management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Rule-based application access management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links