Controlling resource access based on resource properties

US 9,038,168 B2
Filed: 11/20/2009
Issued: 05/19/2015
Est. Priority Date: 11/20/2009
Status: Active Grant

First Claim

Patent Images

1. In a computing environment, a method comprising:

determining, by at least one processing unit, access to a resource based on policy decoupled from the resource, including by determining whether a resource label associated with the resource is cached, and if not, classifying the resource and caching the resource label, and if so, evaluating whether the resource label is valid or whether reclassification is needed, and evaluating the resource label associated with the resource against a user claim associated with an access request, wherein the resource label comprises a classification property associated with the resource that is used to determine access to the resource, and wherein the access request identifies the resource requested by the user claim;

responsive to a determination that the resource label is not valid, prompting reclassification of the resource to obtain a valid resource label;

responsive to a determination that the policy grants access to the resource based on the evaluation of the resource label and the user claim, allowing access to the resource; and

responsive to a determination that the policy does not grant access to the resource based on the evaluation of the resource label and the user claim, denying access to the resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described is a technology by which access to a resource is determined by evaluating a resource label of the resource against a user claim of an access request, according to policy decoupled from the resource. The resource may be a file, and the resource label may be obtained by classifying the file into classification properties, such that a change to the file may change its resource label, thereby changing which users have access to the file. The resource label-based access evaluation may be logically combined with a conventional ACL-based access evaluation to determine whether to grant or deny access to the resource.

53 Citations

View as Search Results

20 Claims

1. In a computing environment, a method comprising:
- determining, by at least one processing unit, access to a resource based on policy decoupled from the resource, including by determining whether a resource label associated with the resource is cached, and if not, classifying the resource and caching the resource label, and if so, evaluating whether the resource label is valid or whether reclassification is needed, and evaluating the resource label associated with the resource against a user claim associated with an access request, wherein the resource label comprises a classification property associated with the resource that is used to determine access to the resource, and wherein the access request identifies the resource requested by the user claim;
  
  responsive to a determination that the resource label is not valid, prompting reclassification of the resource to obtain a valid resource label;
  
  responsive to a determination that the policy grants access to the resource based on the evaluation of the resource label and the user claim, allowing access to the resource; and
  
  responsive to a determination that the policy does not grant access to the resource based on the evaluation of the resource label and the user claim, denying access to the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - determining whether granting access requires both access control list verification and resource label verification or if only one of the access control list verification or the resource label verification is sufficient for access to the resource.
  - 3. The method of claim 2 wherein the classification rules comprise declarative instructions that assign certain resource labels to certain files.
  - 4. The method of claim 1 wherein the resource is a file, and further comprising:
    - performing reclassification of the resource to update the resource label based upon at least one of a change to content of the file, a change to one or more labels of the file, a change to other attributes of the file, a change to a location of the file, a change to a classification rule, or a state change to one or more classification rules.
  - 5. The method of claim 1 further comprising:
    - further determining the access based on an access control list coupled to the resource.
  - 6. The method of claim 1 wherein evaluating the resource label associated with the resource against the user claim associated with the access request comprises evaluating compound conditions.
  - 7. The method of claim 1 further comprising:
    - evaluating one or more access-related operations corresponding to the access request and determining whether each of the one or more access-related operations is allowed based on at least one of the resource label and an access control list.
  - 8. The method of claim 1 wherein evaluating the resource label against the user claim associated with the access request comprises determining whether a user clearance level value corresponding to data in the user claim achieves a resource sensitivity level value corresponding to data in the resource label.

9. In a computing environment, a system comprising:
- one or more processors; and
  
  an authorization engine configured to be executed by the one or more processors to determine access to a resource based upon a policy, the authorization engine configured to evaluate a resource label associated with the resource against a user claim associated with an access request using information in the policy, including to determine whether the resource label is valid or whether reclassification is needed to obtain an updated resource label, wherein the resource label comprises a classification property associated with the resource that is used to determine access to the resource, and wherein the access request identifies the resource requested by the user claim.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9 wherein the authorization engine is incorporated into a security model of an operating system.
  - 11. The system of claim 9 wherein the policy is based upon a combination of policy components.
  - 12. The system of claim 9 wherein the policy is maintained independent of the resource, and applies to a plurality of resources.
  - 13. The system of claim 9 further comprising:
    - a classifier configured to provide one or more resource labels for the resource, the resource including a file, and the classifier further configured to provide the one or more resource labels by classifying the contents of the file, including a sensitivity level associated with the contents of the file.
  - 14. The system of claim 9 wherein the resource is associated with an access control list, and wherein the authorization engine configured to evaluate the resource label against the user claim is further configured to evaluate the access control list against an access token to determine the access to the resource.
  - 15. The system of claim 9 wherein the resource comprises a file and wherein the resource label is cached in an alternate data stream of the file.

16. One or more computer storage devices having computer-executable instructions stored thereon, which in response to execution by a computer, cause the computer to perform steps comprising:
- processing an access request to grant or deny access to a resource, including evaluating one or more access-related operations corresponding to the access request, obtaining a policy that is decoupled from the resource, and using the policy to determine whether to grant or deny each of the one or more access-related operations, including by evaluating a resource label associated with the resource against a user claim associated with the access request, wherein the resource label comprises a classification property associated with the resource that is used to determine access to the resource, and wherein the access request identifies the resource requested by the user claim.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The one or more computer storage devices of claim 16 wherein the resource is a file, and having further computer-executable instructions comprising, classifying the file into classification properties, including a classification property corresponding to the resource label.
  - 18. The one or more computer storage devices of claim 16 wherein the resource is a file, wherein the resource label is cached in association with the file, and having further computer-executable instructions comprising:
    - determining whether the resource label is valid and up-to-date;
      
      responsive to a determination that the resource label is not valid and up-to-date, obtaining a valid and up-to-date resource label; and
      
      caching the valid and up-to-date resource label in association with the file.
  - 19. The one or more computer storage devices of claim 16 wherein a plurality of policies are applicable, and wherein using the policy to determine whether to grant or deny the access-related operation further comprises logically combining a result of evaluating a resource label associated with the resource against a user claim with a result of at least one other policy evaluation.
  - 20. The one or more computer storage devices of claim 19 wherein a result of at least one other policy evaluation comprises an access control list-based evaluation result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Ben-Zvi, Nir, Perumal, Raja Pazhanivel, Samuelsson, Anders, Hamblin, Jeffrey B., Kalach, Ran, Li, Ziquan, Wollnik, Matthias H., Law, Clyde, Oltean, Paul Adrian
Primary Examiner(s)
Gee, Jason K.
Assistant Examiner(s)
Ullah, Sharif E

Application Number

US12/622,441
Publication Number

US 20110126281A1
Time in Patent Office

2,006 Days
Field of Search

726/21, 726/26, 726/30
US Class Current

726/21
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 2221/2141 Access rights, e.g. capabil...

Controlling resource access based on resource properties

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling resource access based on resource properties

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links