Rule-based application access management

US 9,054,963 B2
Filed: 07/07/2014
Issued: 06/09/2015
Est. Priority Date: 10/23/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining an altitude for at least one resource used in executing a streaming software application in a streaming software container;

determining access control rules for the at least one resource based on the altitude;

determining security settings for the at least one resource based on the altitude;

managing access control to the at least one resource used in executing the streaming software application in the streaming software container based on the access control rules and the security settings for the at least one resource;

receiving a request from a requestor for the at least one resource, the request in association with a process ID for the at least one resource having a resource ID;

determining the access control rules for the at least one resource based on the altitude further comprising, looking up the process ID and the resource ID in a requestor-specific access control table for the altitude to determine the access control rules, the access control rules specific to a requestor generating the request;

determining if the access control rules specify accept;

if it is determined that the access control rules specify accept, looking up in a resource-specific access control table for the altitude using the resource ID to determine requestor-agnostic security rules for the at least one resource;

managing access control to the at least one resource used in executing the streaming software application in the streaming software container further comprising, granting access to the at least one resource used in executing the streaming software application in the streaming software container according to the requestor-agnostic security rules.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A container that manages access to protected resources using rules to intelligently manage them includes an environment having a set of software and configurations that are to be managed. A rule engine, which executes the rules, may be called reactively when software accesses protected resources. The engine uses a combination of embedded and configurable rules. It may be desirable to assign and manage rules per process, per resource (e.g. file, registry, etc.), and per user. Access rules may be altitude-specific access rules.

253 Citations

18 Claims

1. A method comprising:
- determining an altitude for at least one resource used in executing a streaming software application in a streaming software container;
  
  determining access control rules for the at least one resource based on the altitude;
  
  determining security settings for the at least one resource based on the altitude;
  
  managing access control to the at least one resource used in executing the streaming software application in the streaming software container based on the access control rules and the security settings for the at least one resource;
  
  receiving a request from a requestor for the at least one resource, the request in association with a process ID for the at least one resource having a resource ID;
  
  determining the access control rules for the at least one resource based on the altitude further comprising, looking up the process ID and the resource ID in a requestor-specific access control table for the altitude to determine the access control rules, the access control rules specific to a requestor generating the request;
  
  determining if the access control rules specify accept;
  
  if it is determined that the access control rules specify accept, looking up in a resource-specific access control table for the altitude using the resource ID to determine requestor-agnostic security rules for the at least one resource;
  
  managing access control to the at least one resource used in executing the streaming software application in the streaming software container further comprising, granting access to the at least one resource used in executing the streaming software application in the streaming software container according to the requestor-agnostic security rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - determining if the altitude is zero;
      
      if it is determined that the altitude is zero, managing access control to the at least one resource used in executing the streaming software application in the streaming software container further comprising, granting access for the requestor to the at least one resource used in executing the streaming software application in the streaming software container at the altitude of zero.
  - 3. The method of claim 1, wherein the access control rules for the at least one resource include one of accept, pause, and pass through.
  - 4. The method of claim 1, wherein the requestor-agnostic security rules for the at least one resource specify at least one of:
    - verify access, read-only access, and write-only access.
  - 5. The method of claim 1, further comprising:
    - if it is determined that the access control rules fail to specify accept, determining if the access control rules specify pause;
      
      if it is determined that the access control rules specify pause, managing access control to the at least one resource used in executing the streaming software application in the streaming software container further comprising, pausing execution of the streaming software application in the streaming software container.
  - 6. The method of claim 1, further comprising:
    - if it is determined that the access control rules fail to specify accept, determining if the access control rules specify pause;
      
      if it is determined that the access control rules fail to specify pause, determining if the access control rules specify pass through;
      
      if it is determined that the access control rules fail to specify pass through, managing access control to the at least one resource used in executing the streaming software application in the streaming software container further comprising, denying the requestor access to the at least one resource used in executing the streaming software application in the streaming software container.
  - 7. The method of claim 1, further comprising:
    - if it is determined that the access control rules fail to specify accept, determining if the access control rules specify pause;
      
      if it is determined that the access control rules fail to specify pause, determining if the access control rules specify pass through;
      
      if it is determined that the access control rules specify pass through, managing access control to the at least one resource used in executing the streaming software application in the streaming software container further comprising;
      
      decrementing the altitude to a lower altitude;
      
      determining new access control rules using the process ID and the resource ID at the lower altitude.
  - 8. The method of claim 1, wherein determining access control rules and security settings for the at least one resource further comprises:
    - determining an initial altitude for the at least one resource used in executing the streaming software application in the streaming software container;
      
      if it is determined that the initial altitude is zero, the method further comprising;
      
      writing files of the at least one resource to the streaming software container, the files of the at least one resource used to execute the streaming software application in the streaming software container;
      
      setting environment variables used in executing the streaming software application in the streaming software container;
      
      managing access control to the at least one resource used in executing the streaming software application in the streaming software container based on the access control rules and the security settings for the at least one resource, further comprising managing access to the files of the at least one resource.
  - 9. The method of claim 8, wherein if it is determined that the initial altitude is not zero, the method further comprising:
    - setting up selective hooks for the files of the at least one resource in the streaming software container, selectivity of the selective hooks based on the determined initial altitude, the at least one resource, and the requestor;
      
      managing access control to the at least one resource used in executing the streaming software application in the streaming software container based on the access control rules and the security settings for the at least one resource, further comprising using the selective hooks to manage access control to the at least one resource according to the access control rules and the security setting for the at least one resource.

10. A system comprising:
- at least one processor;
  
  memory storing instructions configured to instruct the at least one processor to perform;
  
  determining an altitude for at least one resource used in executing a streaming software application in a streaming software container;
  
  determining access control rules for the at least one resource based on the altitude;
  
  determining security settings for the at least one resource based on the altitude;
  
  managing access control to the at least one resource used in executing the streaming software application in the streaming software container based on the access control rules and the security settings for the at least one resource;
  
  receiving a request from a requestor for the at least one resource, the request in association with a process ID for the at least one resource having a resource ID;
  
  determining the access control rules for the at least one resource based on the altitude further comprising, looking up the process ID and the resource ID in a requestor-specific access control table for the altitude to determine the access control rules, the access control rules specific to a requestor generating the request;
  
  determining if the access control rules specify accept;
  
  if it is determined that the access control rules specify accept, looking up in a resource-specific access control table for the altitude using the resource ID to determine requestor-agnostic security rules for the at least one resource;
  
  managing access control to the at least one resource used in executing the streaming software application in the streaming software container further comprising, granting access to the at least one resource used in executing the streaming software application in the streaming software container according to the requestor-agnostic security rules.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the instructions are further configured to instruct the at least one processor to perform:
    - determining if the altitude is zero;
      
      if it is determined that the altitude is zero, managing access control to the at least one resource used in executing the streaming software application in the streaming software container further comprising, granting access for the requestor to the at least one resource used in executing the streaming software application in the streaming software container at the altitude of zero.
  - 12. The system of claim 10, wherein the access control rules for the at least one resource include one of accept, pause, and pass through.
  - 13. The system of claim 10, wherein the requestor-agnostic security rules for the at least one resource specify at least one of:
    - verify access, read-only access, and write-only access.
  - 14. The system of claim 10, wherein the instructions are further configured to instruct the at least one processor to perform:
    - if it is determined that the access control rules fail to specify accept, determining if the access control rules specify pause;
      
      if it is determined that the access control rules specify pause, managing access control to the at least one resource used in executing the streaming software application in the streaming software container further comprising, pausing execution of the streaming software application in the streaming software container.
  - 15. The system of claim 10, wherein the instructions are further configured to instruct the at least one processor to perform:
    - if it is determined that the access control rules fail to specify accept, determining if the access control rules specify pause;
      
      if it is determined that the access control rules fail to specify pause, determining if the access control rules specify pass through;
      
      if it is determined that the access control rules fail to specify pass through, managing access control to the at least one resource used in executing the streaming software application in the streaming software container further comprising, denying the requestor access to the at least one resource used in executing the streaming software application in the streaming software container.
  - 16. The system of claim 10, wherein the instructions are further configured to instruct the at least one processor to perform:
    - if it is determined that the access control rules fail to specify accept, determining if the access control rules specify pause;
      
      if it is determined that the access control rules fail to specify pause, determining if the access control rules specify pass through;
      
      if it is determined that the access control rules specify pass through, managing access control to the at least one resource used in executing the streaming software application in the streaming software container further comprising;
      
      decrementing the altitude to a lower altitude;
      
      determining new access control rules using the process ID and the resource ID at the lower altitude.
  - 17. The system of claim 10, wherein the instructions are further configured to instruct the at least one processor to perform:
    - determining an initial altitude for the at least one resource used in executing the streaming software application in the streaming software container;
      
      if it is determined that the initial altitude is zero, the method further comprising;
      
      writing files of the at least one resource to the streaming software container, the files of the at least one resource used to execute the streaming software application in the streaming software container;
      
      setting environment variables used in executing the streaming software application in the streaming software container;
      
      managing access control to the at least one resource used in executing the streaming software application in the streaming software container based on the access control rules and the security settings for the at least one resource, further comprising managing access to the files of the at least one resource.
  - 18. The system of claim 17, wherein the instructions are further configured to instruct the at least one processor to perform:
    - setting up selective hooks for the files of the at least one resource in the streaming software container, selectivity of the selective hooks based on the determined initial altitude, the at least one resource, and the requestor;
      
      managing access control to the at least one resource used in executing the streaming software application in the streaming software container based on the access control rules and the security settings for the at least one resource, further comprising using the selective hooks to manage access control to the at least one resource according to the access control rules and the security setting for the at least one resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Numecent Holdings Incorporated
Original Assignee
Numecent Holdings Incorporated
Inventors
Hitomi, Arthur S., Tran, Robert, Kammer, Peter J., Pfiffner, Doug, Nguyen, Huy
Primary Examiner(s)
Okeke, Izunna

Application Number

US14/324,571
Publication Number

US 20140325610A1
Time in Patent Office

337 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/468   Specific access rights for ...

H04L 41/0813   characterised by the condit...

H04L 41/145   involving simulating, desig...

H04L 43/0823   Errors, e.g. transmission e...

H04L 63/10   for controlling access to d...

H04L 63/108   when the policy decisions a...

Rule-based application access management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

253 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Rule-based application access management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

253 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others