Scoped access control metadata element

US 7,730,094 B2
Filed: 08/19/2005
Issued: 06/01/2010
Est. Priority Date: 10/16/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for determining access rights to a range of objects by a range of users through scope information, the method performed by a computer system including system memory and one or more processors, the method comprising:

receiving, from a first user, a request to access a first resource;

determining that a scope of a first access control metadata element encompasses the first resource, wherein the first access control metadata element includes;

a first set of one or more XML statements that define the scope of the first access control metadata element by selecting a plurality of resources, the scope of the first access control metadata element encompassing the first resource and at least one other resource;

a second set of one or more XML statements that define access rights for the plurality of resources within the scope of the first access control metadata element; and

a third set of one or more XML statements that define a plurality of users to which the first access control metadata element applies;

determining that a scope of a second access control metadata element encompasses the first resource, wherein the second access control metadata element includes;

a first set of one or more XML access control-related statements that define the scope of the second access control metadata element by selecting one or more resources, the scope of the second access control metadata element encompassing the first resource;

a second set of one or more XML statements that define access rights for the plurality of resources within the scope of the second access control metadata element; and

a third set of one or more XML statements that define a plurality of users to which the second access control metadata element applies;

determining that the first user is among the plurality of users to which the first access control metadata element applies as defined by the third set of one or more XML statements of the first access control metadata element;

determining that the first user is among the plurality of users to which the second access control metadata element applies as defined by the third set of one or more XML statements of the second access control metadata element;

determining that a first access right defined in the first access control metadata element conflicts with a second access right defined in the second access control metadata element;

in response to determining that the first access right conflicts with the second access right, determining whether the first access right supersedes the second access right; and

in response to determining that the first access right supersedes the second access right, applying the first access right to the access request from the first user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and data structures for communicating object metadata are provided. A generic metadata container is presented that allows object metadata to be described in an extensible manner using protocol-neutral and platform-independent methodologies. A metadata scope refers to a dynamic universe of targets to which the included metadata statements correspond. Metadata properties provide a mechanism to describe the metadata itself, and metadata security can be used to ensure authentic metadata is sent and received. Mechanisms are also provided to allow refinement and replacement of metadata statements. The generic metadata container can be adapted to dynamically define access control rights to a range of objects by a range of users, including granted and denied access rights.

191 Citations

17 Claims

1. A method for determining access rights to a range of objects by a range of users through scope information, the method performed by a computer system including system memory and one or more processors, the method comprising:
- receiving, from a first user, a request to access a first resource;
  
  determining that a scope of a first access control metadata element encompasses the first resource, wherein the first access control metadata element includes;
  
  a first set of one or more XML statements that define the scope of the first access control metadata element by selecting a plurality of resources, the scope of the first access control metadata element encompassing the first resource and at least one other resource;
  
  a second set of one or more XML statements that define access rights for the plurality of resources within the scope of the first access control metadata element; and
  
  a third set of one or more XML statements that define a plurality of users to which the first access control metadata element applies;
  
  determining that a scope of a second access control metadata element encompasses the first resource, wherein the second access control metadata element includes;
  
  a first set of one or more XML access control-related statements that define the scope of the second access control metadata element by selecting one or more resources, the scope of the second access control metadata element encompassing the first resource;
  
  a second set of one or more XML statements that define access rights for the plurality of resources within the scope of the second access control metadata element; and
  
  a third set of one or more XML statements that define a plurality of users to which the second access control metadata element applies;
  
  determining that the first user is among the plurality of users to which the first access control metadata element applies as defined by the third set of one or more XML statements of the first access control metadata element;
  
  determining that the first user is among the plurality of users to which the second access control metadata element applies as defined by the third set of one or more XML statements of the second access control metadata element;
  
  determining that a first access right defined in the first access control metadata element conflicts with a second access right defined in the second access control metadata element;
  
  in response to determining that the first access right conflicts with the second access right, determining whether the first access right supersedes the second access right; and
  
  in response to determining that the first access right supersedes the second access right, applying the first access right to the access request from the first user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the first access right comprises granted access to the first resource.
  - 3. The method of claim 1, wherein the first access right comprises denied access to the first resource.
  - 4. The method of claim 1, wherein the first resource comprises a file stored on a storage device.
  - 5. The method of claim 1, wherein the first resource comprises a web service.
  - 6. The method of claim 1, wherein an application program that identifies the first user is used in determining that the first user is among the plurality of users to which the first access control metadata element applies.
  - 7. The method of claim 1, wherein an authentication token that identifies the first user is used in determining that the first user is among the plurality of users to which the first access control metadata element applies.
  - 8. The method of claim 1, wherein biometric information corresponding to the first user is used in determining that the first user is among the plurality of users to which the first access control metadata element applies.

9. A computer comprising a processor controlling operation of the computer according to computer readable instructions stored in a memory, wherein, upon execution of the computer readable instructions by the processor, the computer performs a method for determining access rights to a range of objects by a range of users through scope information, comprising:
- receiving, from a first user, request to access a first resource;
  
  determining that a scope of a first access control metadata element encompasses the first resource, wherein the first access control metadata element includes;
  
  a first set of one or more XML statements that define the scope of the first access control metadata element by selecting a plurality of resources, the scope of the first access control metadata element encompassing the first resource and at least one other resource;
  
  a second set of one or more XML statements that define access rights for the plurality of resources within the scope of the first access control metadata element; and
  
  a third set of one or more XML statements that define a plurality of users to which the first access control metadata element applies;
  
  determining that a scope of a second access control metadata element encompasses the first resource, wherein the second access control metadata element includes;
  
  a first set of one or more XML access control-related statements that define the scope of the second access control metadata element by selecting one or more resources, the scope of the second access control metadata element encompassing the first resource; and
  
  a second set of one or more XML statements that define access rights for the plurality of resources within the scope of the second access control metadata element; and
  
  a third set of one or more XML statements that define a plurality of users to which the second access control metadata element applies;
  
  determining that the first user is among the plurality of users to which the first access control metadata element applies as defined by the third set of one or more XML statements of the first access control metadata element;
  
  determining that the first user is among the plurality of users to which the second access control metadata element applies as defined by the third set of one or more XML statements of the second access control metadata element;
  
  determining that a first access right defined in the first access control metadata element conflicts with a second access right defined in the second access control metadata element;
  
  in response to determining that the first access right conflicts with the second access right, determining whether the first access right supersedes the second access right; and
  
  in response to determining that the first access right supersedes the second access right, applying the first access right to the access request from the first user.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer of claim 9, wherein the first access right comprises granted access to the first resource.
  - 11. The computer of claim 9, wherein the first access right comprises denied access to the first resource.
  - 12. The computer of claim 9, wherein the first resource comprises a file stored on a storage device.
  - 13. The computer of claim 9, wherein the first resource comprises a web service.
  - 14. The computer of claim 9, wherein an application program that identifies the first user is used in determining that the first user is among the plurality of users to which the first access control metadata element applies.
  - 15. The computer of claim 9, wherein an authentication token that identifies the first user is used in determining that the first user is among the plurality of users to which the first access control metadata element applies.
  - 16. The computer of claim 9, wherein biometric information corresponding to the first user is used in determining that the first user is among the plurality of users to which the first access control metadata element applies.

17. A method for determining access rights to a range of objects by a range of users through scope information, the method performed by a computer system including system memory and one or more processors, the method comprising:
- receiving, from a first user, a request to access a first resource;
  
  determining that a scope of a first access control metadata element encompasses the first resource, wherein the first access control metadata element includes;
  
  a first set of one or more XML statements that define the scope of the first access control metadata element by selecting a plurality of resources, the scope of the first access control metadata element encompassing the first resource and at least one other resource;
  
  a second set of one or more XML statements that define access rights for the plurality of resources within the scope of the first access control metadata element; and
  
  a third set of one or more XML statements that define a plurality of users to which the first access control metadata element applies;
  
  determining that a scope of a second access control metadata element encompasses the first resource, wherein the second access control metadata element includes;
  
  a first set of one or more XML access control-related statements that define the scope of the second access control metadata element by selecting one or more resources, the scope of the second access control metadata element encompassing the first resource; and
  
  a second set of one or more XML statements that define access rights for the plurality of resources within the scope of the second access control metadata element; and
  
  a third set of one or more XML statements that define a plurality of users to which the second access control metadata element applies;
  
  determining that the first user is among the plurality of users to which the first access control metadata element applies as defined by the third set of one or more XML statements of the first access control metadata element;
  
  determining that the first user is among the plurality of users to which the second access control metadata element applies as defined by the third set of one or more XML statements of the second access control metadata element;
  
  determining that a first access right defined in the first access control metadata element conflicts with a second access right defined in the second access control metadata element;
  
  in response to determining that the first access right conflicts with the second access right, determining whether the first access right supersedes the second access right; and
  
  in response to determining that the first access right supersedes the second access right, applying the first access right to the access request from the first user;
  
  wherein the scope of the first access control metadata element comprises a subdirectory; and
  
  wherein the scope of the second access control metadata element comprises a directory in which the subdirectory is located.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kaler, Christopher G., Waingold, Elliot, Della-Libera, Giovanni
Primary Examiner(s)
Ali; Mohammad
Assistant Examiner(s)
FILIPCZYK, MARCIN R

Application Number

US11/207,034
Publication Number

US 20050278390A1
Time in Patent Office

1,747 Days
Field of Search

707/1, 707/9, 707/3, 707 5- 7, 707/785, 707/791
US Class Current

707/785
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 45/34   Source routing

H04L 45/566   Routing instructions carrie...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 67/02   based on web technology, e....

Y10S 707/99939   Privileged access

Scoped access control metadata element

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

191 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Scoped access control metadata element

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

191 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links