METHODS AND SYSTEMS FOR SPECIFYING AND ENFORCING ACCESS CONTROL IN A DISTRIBUTED SYSTEM

US 20070261102A1
Filed: 05/04/2006
Published: 11/08/2007
Est. Priority Date: 05/04/2006
Status: Active Grant

First Claim

Patent Images

1. In a system having a plurality of servers providing, to one or more principals, access to protected objects, a method of specifying and facilitating the consistent enforcement of access control policies associated with the protected objects, the method comprising:

(a) receiving a request from a principal to access a protected object, the protected object associated with an access control list comprising a time-invariant list of group identifiers;

(b) evaluating the transitive closure of the list of group identifiers comprising the access list associated with the protected object to identify at least one principal authorized to access the protected object; and

(c) determining that the requesting principal is represented in the closure of the access control list; and

(d) providing the requesting principal access to the protected object.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for controlling access to objects of a distributed computing environment are described. In one configuration, a computing device receives a request from a principal to access a protected object and evaluating the transitive closure of the list of group identifiers. The protected object is associated with an access control list and has a time-invariant list of group identifiers. The list of group identifiers includes the access list is associated with the protected object to identify at least one principal authorized to access the protected object.

82 Citations

View as Search Results

13 Claims

1. In a system having a plurality of servers providing, to one or more principals, access to protected objects, a method of specifying and facilitating the consistent enforcement of access control policies associated with the protected objects, the method comprising:
- (a) receiving a request from a principal to access a protected object, the protected object associated with an access control list comprising a time-invariant list of group identifiers;
  
  (b) evaluating the transitive closure of the list of group identifiers comprising the access list associated with the protected object to identify at least one principal authorized to access the protected object; and
  
  (c) determining that the requesting principal is represented in the closure of the access control list; and
  
  (d) providing the requesting principal access to the protected object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 10, 13)
- - 2. The method of claim 1 wherein step (a) comprises receiving a request from a principal to access a protected object, the protected object associated with an access control list comprising a time-invariant list of group identifiers that includes at least one group identifier identifying a group having membership that monotonically increases.
  - 3. The method of claim 1 wherein step (a) comprises receiving a request from a principal to access a protected object, the protected object associated with an access control list comprising a time-invariant list of group identifiers that includes at least one group identifier identifying a group having membership that monotonically decreases.
  - 4. The method of claim 2 wherein the time-invariant list of group identifiers further includes at least one group identifier identifying a versioned group.
  - 5. The method of claim 2 wherein the time-invariant list of group identifiers further includes at least one group identifier identifying a group having a membership comprising a single principal.
  - 6. The method of claim 1 wherein step (a) comprises receiving a request from a principal to access a protected object, the protected object associated with an access control list comprising a time-invariant list of group identifiers that includes at least one of the following:
    - participant, superuser, presenter, gone from session, authenticated participants, authenticators, session keep-alive, and author.
  - 7. The method of claim 1 wherein step (a) comprises receiving a request from a meeting attendee to access a protected object, the protected object associated with an access control list comprising a time-invariant list of group identifiers.
  - 8. The method of claim 1 wherein step (a) comprises receiving a request from a webinar attendee to access a protected object, the protected object associated with an access control list comprising a time-invariant list of group identifiers.
  - 10. The system of claim 8 wherein the time-invariant list of group identifiers that includes at least one group identifier identifying a group having membership that monotonically increases.
  - 13. The system of claim 8 wherein the time-invariant list of group identifiers that includes at least one of the following:
    - participant, superuser, presenter, gone from session, authenticated participants, authenticators, session keep-alive, and author.

9. A system having a plurality of servers providing protected objects to one or more principals, the system implementing consistent enforcement of access control policies associated with the protected objects, a server comprising:
- means for receiving a request from a principal to access a protected object, the protected object associated with an access control list comprising a time-invariant list of group identifier;
  
  means for evaluating the transitive closure of the access control list associated with the protected object to identify at least one principal authorized to access the protected object;
  
  means for determining that the requesting principal is represented in the closure of the access control list; and
  
  means for providing the requesting principal access to the protected objected.
- View Dependent Claims (11, 12)
- - 11. The system of claim 9 wherein the time-invariant list of group identifiers further includes at least one group identifier identifying a versioned group.
  - 12. The system of claim 9 wherein the time-invariant list of group identifiers further includes at least on group identifier identifying a group having a membership comprising a single principal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GOTO Group Incorporated (LogMeIn, Inc.)
Original Assignee
Citrix Online LLC (Cloud Software Group)
Inventors
Kennedy, John, Spataro, Tony, Mittal, Vishal, Thapliyal, Ashish

Granted Patent

US 7,895,639 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

G06F 21/604 Tools and structures for ma...

G06F 21/6218 to a system of files or obj...

METHODS AND SYSTEMS FOR SPECIFYING AND ENFORCING ACCESS CONTROL IN A DISTRIBUTED SYSTEM

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

82 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR SPECIFYING AND ENFORCING ACCESS CONTROL IN A DISTRIBUTED SYSTEM

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links