Data driven role based security

US 9,537,863 B2
Filed: 08/11/2014
Issued: 01/03/2017
Est. Priority Date: 05/05/2010
Status: Active Grant

First Claim

Patent Images

1. A method for use at a computer system, the computer system including a processor and system memory, the method for controlling access to a computing object, the method comprising the processor:

obtaining a user context for a user identity during user input activity entered into the computer system through a running application;

defining a derived role for the user identity relative to the computing object, the derived role defined from data context for accessing the computing object by the computer system on behalf of the user identity, the data context accessed based on the user context;

accessing a control expression governing access to the computing object for the derived role;

forming a set of permissions for the user identity in system memory by evaluating the control expression in the system memory based on the current version of the computing object and the data context; and

determining the user identity'"'"'s access to the computing object in accordance with the set of permissions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data driven role based security is provided. At login, the system queries for a data context in connection with access to computing objects of a computing system. When a request for access to computing objects is received by the computing system, one or more control expressions specified for the computing object being accessed are evaluated. The evaluation of the control expressions may reference the user context or the data context previously established, and returns a set of effective permissions. Access to the computing object is then granted if the set of permissions includes an appropriate permission for the request for access.

Citations

20 Claims

1. A method for use at a computer system, the computer system including a processor and system memory, the method for controlling access to a computing object, the method comprising the processor:
- obtaining a user context for a user identity during user input activity entered into the computer system through a running application;
  
  defining a derived role for the user identity relative to the computing object, the derived role defined from data context for accessing the computing object by the computer system on behalf of the user identity, the data context accessed based on the user context;
  
  accessing a control expression governing access to the computing object for the derived role;
  
  forming a set of permissions for the user identity in system memory by evaluating the control expression in the system memory based on the current version of the computing object and the data context; and
  
  determining the user identity'"'"'s access to the computing object in accordance with the set of permissions.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein evaluating the control expression comprises evaluating the control expression for each of a plurality of versions of the computing object on a network, the plurality of versions including the current version.
  - 3. The method of claim 1, wherein evaluating the control expression comprises evaluating the control expression for an access control list governing access to the computing object, the evaluation based on the data context.
  - 4. The method of claim 1, wherein evaluating the control expression comprises evaluating a set of static permissions included in an object governing access to the computing object.
  - 5. The method of claim 1, wherein determining the user identity'"'"'s access to the computing object in accordance with the set of permissions comprises denying the user identity access to the computing object.
  - 6. The method of claim 1, wherein obtaining a user context for a user identity during user input activity comprises obtaining a user context for the user identity during a user login;
    - andfurther comprising using the user context to query the data context from stored data during the user login.
  - 7. The method of claim 6, wherein querying the data access context comprises querying for an updated data context in response to receiving an additional request for access to the computing object.

8. A computer program product for use a computer system, the computer program product for implementing a method for controlling runtime access to a computing object, the computer program product comprising one or more computer storage devices having stored thereon computer-executable instructions that, when executed at a processor, cause the computer system to perform the method, including the following:
- detect a user context for a user identity during user input activity entered into the computer system through a running application;
  
  retrieve a data context based on the detected user context, the data context for accessing the computing object by the computer system on behalf of the user identity;
  
  define a derived role for the user identity relative to the computing object, the derived role defined from data context;
  
  access a control expression governing access to the computing object for the derived role,form a set of permissions for the user identity in system memory by evaluating the control expression in the system memory based on the current version of the computing object and the data context; and
  
  determine the user identity'"'"'s access to the computing object in accordance with the set of permissions.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8, wherein computer-executable instructions that, when executed, cause the computer system to evaluate the control expression comprise computer-executable instructions that, when executed, cause the computer system to evaluate the programmatic control expression for each of a plurality of versions of the computing object on a network, the plurality of versions including the current version.
  - 10. The computer program product of claim 8, wherein computer-executable instructions that, when executed, cause the computer system to evaluate the control expression comprise computer-executable instructions that, when executed, cause the computer system to evaluate the control expression for an access control list governing access to the computing object, the evaluation based on the data context.
  - 11. The computer program product of claim 8, wherein computer-executable instructions that, when executed, cause the computer system to evaluate the control expression comprise computer-executable instructions that, when executed, cause the computer system to evaluate a set of static permissions included in an object governing access to the computing object.
  - 12. The computer program product of claim 8, wherein computer-executable instructions that, when executed, cause the computer system to determine the user identity'"'"'s access to the computing object in accordance with the set of permissions comprise computer-executable instructions that, when executed, cause the computer system to deny the user identity access to the computing object.
  - 13. The computer program product of claim 8, further comprising computer-executable instructions that, when executed, cause the computer system to, prior to defining the derived role, query for the data access context in response to receiving the user based context based on credentials identifying the user identity.
  - 14. The computer program product of claim 13, wherein comprising computer-executable instructions that, when executed, cause the computer system to query for the data access context comprise comprising computer-executable instructions that, when executed, cause the computer system to query for an updated data context in response to receiving an additional request for access to the computing object.

15. A computer system, the computer system comprising:
- one or more processors;
  
  system memory coupled to one or more processors, the system memory storing instructions that are executable by the processor; and
  
  the one or more processors configured to execute the instructions stored in the system memory to control access to a computing object, including the following;
  
  detect a user context for a user identity during user input activity entered into the computer system through a running application;
  
  define a derived role for a user identity relative to the computing object in system memory, the derived role defined from data context the data context accessed based on the detected user context;
  
  access a control expression governing access to the computing object for the derived role,form a set of permissions for the user identity in system memory by evaluating the control expression in the system memory based on the current version of the computing object and the data context; and
  
  determine the user identity'"'"'s access to the computing object in accordance with the set of permissions.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer system of claim 15, wherein the one or more processors configured to execute the instructions to evaluate the control expression comprises the one or more processors configured to execute the instructions to evaluate the control expression against a plurality of versions of the computing object on a network, the plurality of versions including the current version.
  - 17. The computer system of claim 15, wherein the one or more processors configured to execute the instructions to evaluate the control expression comprises the one or more processors configured to execute the instructions to evaluate the control expression for an access control list governing access to the computing object, the evaluation based on the data context.
  - 18. The computer system of claim 15, wherein the one or more processors configured to execute the instructions to evaluate the control expression comprises the one or more processors configured to execute the instructions to evaluate a set of static permissions included in an object governing access to the computing object.
  - 19. The computer system of claim 15, further comprising the one or more processors configured to execute the instructions to, prior to defining the derived roll, query for the data access context in response to receiving the user based context based on credentials identifying the user identity.
  - 20. The computer system of claim 19, wherein the one or more processors configured to execute the instructions to query for the data access context comprises the one or more processors configured to execute the instructions to query for an updated data access context in response to receiving an additional request for access to the computing object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Ivanov, Sergei, Barrows, John August
Primary Examiner(s)
LEWIS, LISA C

Application Number

US14/457,045
Publication Number

US 20140351892A1
Time in Patent Office

876 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

Data driven role based security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Data driven role based security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links