Access authorization having embedded policies

US 9,069,941 B2
Filed: 05/09/2013
Issued: 06/30/2015
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of setting a revocable policy on a target process, the method comprising:

receiving, via an access control application programming interface (“

API”

), a first request from a controlling process to set a revocable policy on a target process;

determining whether the controlling process possesses adequate privilege to set the revocable policy on the target process;

upon determining that the controlling process possesses adequate privilege to set the revocable policy on the target process, setting an indication to apply the revocable policy on the target process;

when the revocable policy is applied on the target process, sending to the controlling process an identifier, wherein the identifier provides authorization to revoke the revocable policy;

receiving, via the API, a second request to revoke the revocable policy on the target process, wherein the second request includes the identifier;

based upon the identifier, authenticating the second request as having authorization to revoke the revocable policy on the target process; and

revoking the revocable policy on the target process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A facility for receiving an embedded policy is provided. The facility checks an application program image for the presence of an embedded policy. If an embedded policy is detected, the facility extracts the policy from within the application program image. The facility may then apply the extracted policy to the application program image before the application program image is loaded and/or executed. Moreover, the facility may check the application program image'"'"'s integrity prior to extracting the embedded policy.

Citations

27 Claims

1. A computer-implemented method of setting a revocable policy on a target process, the method comprising:
- receiving, via an access control application programming interface (“
  
  API”
  
  ), a first request from a controlling process to set a revocable policy on a target process;
  
  determining whether the controlling process possesses adequate privilege to set the revocable policy on the target process;
  
  upon determining that the controlling process possesses adequate privilege to set the revocable policy on the target process, setting an indication to apply the revocable policy on the target process;
  
  when the revocable policy is applied on the target process, sending to the controlling process an identifier, wherein the identifier provides authorization to revoke the revocable policy;
  
  receiving, via the API, a second request to revoke the revocable policy on the target process, wherein the second request includes the identifier;
  
  based upon the identifier, authenticating the second request as having authorization to revoke the revocable policy on the target process; and
  
  revoking the revocable policy on the target process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1 wherein the identifier authenticates the controlling process.
  - 3. The computer-implemented method of claim 1 wherein the identifier is a cookie.
  - 4. The computer-implemented method of claim 1 wherein the identifier identifies the policy that is to be revoked.
  - 5. The computer-implemented method of claim 1 wherein the second request is received, via the API, from the target process.
  - 6. The computer-implemented method of claim 1 wherein the second request is received, via the API, from the controlling process.
  - 7. The computer-implemented method of claim 1 further comprising:
    - preserving state information of the target process prior to the setting of the indication to apply the revocable policy on the target process.
  - 8. The computer-implemented method of claim 1 further comprising:
    - applying a prior policy to the target process, wherein the prior policy was applied to the target process prior to the setting of the indication to apply the revocable policy on the target process.
  - 9. The computer-implemented method of claim 8 wherein the identifier identifies the prior policy.

10. A computer storage media encoding computer-executable instructions that when executed by a processor perform a method of setting a revocable policy on a target process, the method comprising:
- receiving, via an access control application programming interface (“
  
  API”
  
  ), a first request from a controlling process to set a revocable policy on a target process;
  
  determining whether the controlling process possesses adequate privilege to set the revocable policy on the target process;
  
  upon determining that the controlling process possesses adequate privilege to set the revocable policy on the target process, setting an indication to apply the revocable policy on the target process;
  
  when the revocable policy is set on the target process, sending to the controlling process an identifier, wherein the identifier provides authorization to revoke the revocable policy;
  
  receiving, via the API, a second request to revoke the revocable policy on the target process, wherein the second request includes the identifier;
  
  based upon the identifier, authenticating the second request as having authorization to revoke the revocable policy on the target process; and
  
  revoking the revocable policy on the target process.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer storage media of claim 10 wherein the identifier authenticates the controlling process.
  - 12. The computer storage media of claim 10 wherein the identifier is a cookie.
  - 13. The computer storage media of claim 10 wherein the identifier identifies the policy that is to be revoked.
  - 14. The computer storage media of claim 10 wherein the second request is received, via the API, from the target process.
  - 15. The computer storage media of claim 10 wherein the second request is received, via the API, from the controlling process.
  - 16. The computer storage media of claim 10 wherein the method further comprises:
    - preserving state information of the target process prior to the setting of the indication to apply the revocable policy on the target process.
  - 17. The computer storage media of claim 10 wherein the method further comprises:
    - applying a prior policy to the target process, wherein the prior policy was applied to the target process prior to the setting of the indication to apply the revocable policy on the target process.
  - 18. The computer storage media of claim 17 wherein the identifier identifies the prior policy.

19. A system for setting a revocable policy, the system comprising:
- a processor;
  
  a memory communicatively coupled to the processor, the memory comprising;
  
  computer-executable instructions encoding a controlling process;
  
  computer-executable instructions encoding a target process;
  
  computer-executable instructions encoding an access control application programming interface (“
  
  API”
  
  ) communicatively coupled to an operating system, the controlling process, and the target process; and
  
  computer-executable instructions encoding the operating system, the operating system comprised of;
  
  an authorization module configured to;
  
  determine whether the controlling process possesses adequateprivilege to set a revocable policy on the target process; and
  
  authenticate a request to revoke the revocable policy on the target process;
  
  a policy store configured to store the revocable policy; and
  
  wherein the operating system is configured to;
  
  receive a first request, via the API, from the controlling process to set the revocable policy on the target process;
  
  set within the policy store an indication to apply the revocable policy on the target process;
  
  send to the controlling process, via the API, an identifier, wherein the identifier provides authorization to revoke the revocable policy;
  
  receive a second request to revoke the revocable policy on the target process, wherein the second request includes the identifier; and
  
  revoke the revocable policy stored in the policy store.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The system of claim 19 wherein the identifier authenticates the controlling process.
  - 21. The system of claim 19 wherein the identifier is a cookie.
  - 22. The system of claim 19 wherein the identifier identifies the policy that is to be revoked.
  - 23. The system of claim 19 wherein the operating system is further configured to receive the second request, via the API, from the target process.
  - 24. The system of claim 19 wherein the operating system is further configured to receive the second request, via the API, from the controlling process.
  - 25. The system of claim 19 wherein state information of the target process is stored in the policy store.
  - 26. The system of claim 19 wherein a prior policy of the target process is stored in the policy store.
  - 27. The system of claim 26 wherein the identifier identifies the prior policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Golan, Gilad, Vayman, Mark
Primary Examiner(s)
Lipman, Jacob

Application Number

US13/890,965
Publication Number

US 20130254835A1
Time in Patent Office

782 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 16/122   using management policies b...

G06F 21/30   Authentication, i.e. establ...

G06F 21/54   by adding security routines...

G06F 21/554   involving event detection a...

G06F 21/62   Protecting access to data v...

Access authorization having embedded policies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Access authorization having embedded policies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links