Access control management
First Claim
1. An access control system, comprising a claims processing component configured to expand two or more input claims associated with a device into a set of output claims used to selectively authorize access to system resources by applying facts associated with the two or more input claims against a data structure to expand the two or more input claims into one or more output claims and thereafter iteratively applying a fact associated with the two or more input claims and a fact associated with at least one of the one or more output claims against the data structure to further expand the two or more input claims into the set of output claims; and
an authorization component configured to match the set of output claims to an authorization table for rows that contain a matching resource claim, a matching subject claim, and a matching action claim to indicate the device is authorized to access a particular system resource;
wherein the claims processing component is configured to produce a first output claim by matching a first input claim, a second input claim, or both the first input claim and the second input claim with at least one row in a rules table;
wherein the claims processing component is configured to assign a type and a value of the matched row to the first output claim.
Abstract
The subject disclosure relates to authorization based on a determination of permissions that can be granted for an action(s) to be performed on a resource. The determination of the permission is based on a set of rules that represent a theory including a notion of trust that has been divided into different sized tables. The tables are utilized to evaluate two or more input claims and to facilitate a determination of whether access to at least one system resource is to be granted. The evaluation can include matching the two or more input claims to rows in the table, wherein access is allowed if a match is found.
Claims (13)
1. An access control system, comprising a claims processing component configured to expand two or more input claims associated with a device into a set of output claims used to selectively authorize access to system resources by applying facts associated with the two or more input claims against a data structure to expand the two or more input claims into one or more output claims and thereafter iteratively applying a fact associated with the two or more input claims and a fact associated with at least one of the one or more output claims against the data structure to further expand the two or more input claims into the set of output claims; and
an authorization component configured to match the set of output claims to an authorization table for rows that contain a matching resource claim, a matching subject claim, and a matching action claim to indicate the device is authorized to access a particular system resource; wherein the claims processing component is configured to produce a first output claim by matching a first input claim, a second input claim, or both the first input claim and the second input claim with at least one row in a rules table; wherein the claims processing component is configured to assign a type and a value of the matched row to the first output claim. (Dependent claims: 2, 3, 4, 5, 6)

7. A method, comprising:
receiving an authorization request; using a processing unit, expanding a first input claim and a second input claim into a set of output claims used to selectively authorize access to system resources, wherein the expanding further comprises: matching the first input claim and the second input claim with a row in a rules table; producing a first output claim based on the matching; matching the first output claim and either the first input claim or the second input claim with another row in the rules table; and producing a second output claim as a result of the matching, wherein the second output claim comprises a type and a value of the another row; using the processing unit, correlating a plurality of output claims in the set of output claims to an authorization table; and authorizing an action for the first input claim and the second input claim as a result of the correlating. (Dependent claims: 8, 9, 10, 11)

12. A computer-readable storage memory comprising computer-executable instructions stored therein that, in response to execution, cause a computing system to perform operations, comprising:
expanding two or more input claims associated with a device into a set of output claims by applying facts associated with the two or more input claims against a data structure to expand the two or more input claims into one or more output claims and thereafter iteratively applying a fact associated with the two or more input claims and a fact associated with at least one of the one or more output claims against the data structure to further expand the two or more input claims into the set of output claims; and corresponding the set of output claims to an authorization table for rows that include a matching resource claim, subject claim, and action claim to indicate the device is authorized to access a system resource. (Dependent claims: 13)
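The two-stage evaluation the claims describe (iterative expansion of input claims against a rules table until no row adds a new claim, then a resource/subject/action match against an authorization table) can be sketched as follows. This is an added illustration, not code from the patent; the rules table, authorization table and the (type, value) claim encoding are constructed for the example, and the chain in which an output claim is combined with an input claim to yield a second output claim mirrors claim 7.

```python
# Claims are (type, value) tuples, matching the "type and value" of a rules-table row.
# Constructed rules table: each row holds the premise claims it matches (one or two,
# as in claim 1) and the single output claim it produces.
RULES_TABLE = [
    ({("group", "finance"), ("device", "managed")}, ("role", "accountant")),
    # Second hop of claim 7: an output claim plus one of the input claims.
    ({("role", "accountant"), ("device", "managed")}, ("clearance", "ledger-read")),
    ({("group", "admins")}, ("role", "admin")),
]

# Constructed authorization table: rows of (resource claim, subject claim, action claim).
AUTH_TABLE = [
    (("resource", "ledger"), ("clearance", "ledger-read"), ("action", "read")),
    (("resource", "ledger"), ("role", "admin"), ("action", "write")),
]


def expand_claims(input_claims, rules=RULES_TABLE):
    """Forward-chain the input claims through the rules table until a fixpoint.

    The claim set only ever grows and is bounded by the rows' output claims,
    so the loop terminates; no rule is ever retracted (monotonic expansion).
    """
    claims = set(input_claims)
    changed = True
    while changed:
        changed = False
        for premises, output in rules:
            # A row matches only when every premise is already an input or output claim.
            if premises <= claims and output not in claims:
                claims.add(output)
                changed = True
    return frozenset(claims)


def is_authorized(claims, resource, action, auth=AUTH_TABLE):
    """Deny by default: grant only if some row matches resource, subject and action."""
    for res, subject, act in auth:
        if res == resource and act == action and subject in claims:
            return True
    return False


def decide(input_claims, resource, action):
    """Full pipeline of claim 7: expand, correlate to the authorization table, decide."""
    return is_authorized(expand_claims(input_claims), resource, action)


if __name__ == "__main__":
    device = {("group", "finance"), ("device", "managed")}
    print(sorted(expand_claims(device)))
    print(decide(device, ("resource", "ledger"), ("action", "read")))   # True
    print(decide(device, ("resource", "ledger"), ("action", "write")))  # False
```

Note that the subject claim is checked against the expanded set, so an input claim that never reaches a rules-table row (here, "finance" without "managed") grants nothing.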
Specification