Controlling resource access based on resource properties
First Claim
Patent Images
1. In a computing environment, a method comprising:
- determining, by at least one processing unit, access to a resource based on policy decoupled from the resource, including by determining whether a resource label associated with the resource is cached, and if not, classifying the resource and caching the resource label, and if so, evaluating whether the resource label is valid or whether reclassification is needed, and evaluating the resource label associated with the resource against a user claim associated with an access request, wherein the resource label comprises a classification property associated with the resource that is used to determine access to the resource, and wherein the access request identifies the resource requested by the user claim;
responsive to a determination that the resource label is not valid, prompting reclassification of the resource to obtain a valid resource label;
responsive to a determination that the policy grants access to the resource based on the evaluation of the resource label and the user claim, allowing access to the resource; and
responsive to a determination that the policy does not grant access to the resource based on the evaluation of the resource label and the user claim, denying access to the resource.
2 Assignments
0 Petitions
Accused Products
Abstract
Described is a technology by which access to a resource is determined by evaluating a resource label of the resource against a user claim of an access request, according to policy decoupled from the resource. The resource may be a file, and the resource label may be obtained by classifying the file into classification properties, such that a change to the file may change its resource label, thereby changing which users have access to the file. The resource label-based access evaluation may be logically combined with a conventional ACL-based access evaluation to determine whether to grant or deny access to the resource.
53 Citations
20 Claims
-
1. In a computing environment, a method comprising:
-
determining, by at least one processing unit, access to a resource based on policy decoupled from the resource, including by determining whether a resource label associated with the resource is cached, and if not, classifying the resource and caching the resource label, and if so, evaluating whether the resource label is valid or whether reclassification is needed, and evaluating the resource label associated with the resource against a user claim associated with an access request, wherein the resource label comprises a classification property associated with the resource that is used to determine access to the resource, and wherein the access request identifies the resource requested by the user claim; responsive to a determination that the resource label is not valid, prompting reclassification of the resource to obtain a valid resource label; responsive to a determination that the policy grants access to the resource based on the evaluation of the resource label and the user claim, allowing access to the resource; and responsive to a determination that the policy does not grant access to the resource based on the evaluation of the resource label and the user claim, denying access to the resource. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. In a computing environment, a system comprising:
-
one or more processors; and an authorization engine configured to be executed by the one or more processors to determine access to a resource based upon a policy, the authorization engine configured to evaluate a resource label associated with the resource against a user claim associated with an access request using information in the policy, including to determine whether the resource label is valid or whether reclassification is needed to obtain an updated resource label, wherein the resource label comprises a classification property associated with the resource that is used to determine access to the resource, and wherein the access request identifies the resource requested by the user claim. - View Dependent Claims (10, 11, 12, 13, 14, 15)
-
-
16. One or more computer storage devices having computer-executable instructions stored thereon, which in response to execution by a computer, cause the computer to perform steps comprising:
processing an access request to grant or deny access to a resource, including evaluating one or more access-related operations corresponding to the access request, obtaining a policy that is decoupled from the resource, and using the policy to determine whether to grant or deny each of the one or more access-related operations, including by evaluating a resource label associated with the resource against a user claim associated with the access request, wherein the resource label comprises a classification property associated with the resource that is used to determine access to the resource, and wherein the access request identifies the resource requested by the user claim. - View Dependent Claims (17, 18, 19, 20)
Specification