Method and apparatus for extensible security authorization grouping

US 20060156384A1
Filed: 01/10/2005
Published: 07/13/2006
Est. Priority Date: 01/10/2005
Status: Active Grant

First Claim

Patent Images

1. An apparatus for use in a computer system including a plurality of users and a plurality of software products, including first and second software products, each for performing at least one action with respect to an object, the apparatus comprising:

a group service having a store of groups, each group including at least one of the plurality of users; and

an authorization service that determines, based on permission information, permission for one of the plurality of users to perform a first action using a first software product with respect to a first object, and that determines permission for one of the plurality of users to perform a second action using a second software product with respect to a second object, the permission information indicating authorization for at least one group or user to perform at least one action with respect to an object for the plurality of software products;

wherein access to the first and second objects is unrestricted by a systems administrator.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing an extensible grouping mechanism for security applications for use in a computer system. Groups may be established and maintained by non-system administrators and used to control actions that are taken with respect to objects, such as files and other resources. The groups and associated security functions may be implemented across a plurality of different software products and optionally integrated into an existing security mechanism maintained by system administrators. Software products used in the system may be arranged to request authorization to perform requested actions with respect to objects access to which is not controlled by a systems administrator.

34 Citations

View as Search Results

20 Claims

1. An apparatus for use in a computer system including a plurality of users and a plurality of software products, including first and second software products, each for performing at least one action with respect to an object, the apparatus comprising:
- a group service having a store of groups, each group including at least one of the plurality of users; and
  
  an authorization service that determines, based on permission information, permission for one of the plurality of users to perform a first action using a first software product with respect to a first object, and that determines permission for one of the plurality of users to perform a second action using a second software product with respect to a second object, the permission information indicating authorization for at least one group or user to perform at least one action with respect to an object for the plurality of software products;
  
  wherein access to the first and second objects is unrestricted by a systems administrator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 12)
- - 2. The apparatus of claim 1, wherein the permission information is created by a non-systems administrator.
  - 3. The apparatus of claim 1, wherein the permission information is stored in a single location.
  - 4. The apparatus of claim 1, wherein a non-systems administrator controls which users and/or groups correspond to each of the groups.
  - 5. The apparatus of claim 1, wherein the authorization service obtains securable object class (SOC) information from at least one of the plurality of software products that includes at least one object type and actions that are performable with respect to the object type.
  - 6. The apparatus of claim 1, wherein the permission information includes authorization entries (ACEs) for a plurality of objects, each authorization entry including an object identifier and a corresponding indication of authorized or unauthorized actions for one or more groups or users.
  - 7. The apparatus of claim 1, wherein the computer system further comprising a store of operating system or directory groups (OS/D groups) that are used by at least one system administrator to control access to certain objects, and wherein at least one group in the store of groups includes at least one OS/D group.
  - 8. The apparatus of claim 1, wherein the authorization service includes inheritance information for two objects that is used to associate permission information for one of the objects in the other object.
  - 9. The apparatus of claim 8, wherein permission information for an object is determined based on permission information for a related object based on inheritance information.
  - 10. The apparatus of claim 1, wherein the authorization service includes a first authorization service that operates with the first software product, and a second authorization service that operates with the second software product.
  - 12. The apparatus of claim 11, wherein the store of groups includes at least two different group types, a first group type being controlled by a system administrator, a second group type being controlled by a non-system administrator, each group in the second group type including a first type group, a second type group, or a user.

11. An apparatus for use in a computer system including a plurality of users and a plurality of software products, including first and second software products, each for performing at least one action with respect to an object, the apparatus comprising:
- a group service having a store of groups, each group including at least one of the plurality of users; and
  
  an authorization service that determines permission for at least one user to perform an action with respect to an object based on permission information, the permission information indicating at least one action that may be performed with respect to an object by at least one group or user;
  
  wherein at least one non-system administrator defines at least some of the permission information to assign authorization to one or more groups or users to perform a first action with respect to a first object using a first software product, and wherein at least one non-system administrator assigns authorization to one or more groups or users to perform a second action with respect to a second object using second software product.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The apparatus of claim 11, wherein each of the plurality of software products is arranged to send a request to the authorization service including an identity of a user requesting to perform an identified action with respect to an identified object, and is arranged to perform the identified action upon receiving authorization from the authorization service.
  - 14. The apparatus of claim 11, wherein each of the plurality of software products is arranged to provide permission information to the authorization service including at least one object type and a set of actions that are performable with respect to the object type.
  - 15. The apparatus of claim 11, wherein the permission information includes authorization entries (ACEs) for a plurality of objects, each authorization entry including an object identifier and a corresponding indication of authorized or unauthorized actions for one or more groups or users.
  - 16. The apparatus of claim 11, wherein the authorization service includes a plurality of authorization service modules each operating with a corresponding one of the plurality of software products.

17. A method for operating a computer system, comprising:
- receiving a first request regarding a first action requested to be performed by a first user with respect to a first object using a first software product, access to the first object being unrestricted by permissions established by a systems administrator;
  
  determining authorization for the first user to perform the first action using the first software product based on at least one group that the first user is associated with and permission information defining authorization for at least one group to perform at least one action with respect to at least one object;
  
  receiving a second request regarding a second action requested to be performed by a second user with respect to a second object using a second software product, access to the second object being unrestricted by permissions established by a systems administrator; and
  
  determining authorization for the second user to perform the second action using the second software product based on at least one group that the second user is associated with and the permission information.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the first and second requests are sent by the first and second software products, respectively.
  - 19. The method of claim 17, wherein a set of users or groups that correspond to at least one group is controlled by a user with less than system administrator privileges.
  - 20. The method of claim 17, wherein the at least one group includes a group that is controlled by a system administrator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Shelepov, Bulat Y., Minium, Dennis W., Fu, Xiongjian

Granted Patent

US 8,191,115 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Method and apparatus for extensible security authorization grouping

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for extensible security authorization grouping

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links