Scoped access control metadata element

US 8,015,204 B2
Filed: 10/15/2002
Issued: 09/06/2011
Est. Priority Date: 10/16/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A computing system for controlling access to a plurality of objects, the computing system comprising:

a processor; and

memory that stores a scoped access control metadata element that controls access to a plurality of objects that are stored in a computer storage medium of the computing system, wherein the scoped access control metadata element comprises;

a resource scope statement that identifies a plurality of objects for which the scoped access control metadata element provides access rights by defining a portion of a directory hierarchy indicating that the scoped access control metadata element provides access rights for a plurality of file objects located at or below the specified portion of the directory hierarchy; and

a rules statement that includes a plurality of rule statements that each define different access control rules for accessing the plurality of objects, including;

a first rule statement that includes;

a first statement scope that identifies a first set of one or more users to whom the first rule statement applies and who may access the plurality of objects, including a rule that defines the first set of one or more users as users that have been authenticated; and

a first grant statement that defines what access rights the first set of one or more users are granted for accessing any one of the plurality of objects; and

a second rule statement that includes;

a second statement scope that identifies a second set of one or more users to whom the second rule statement applies and who may also access the plurality of objects; and

a second grant statement that defines what different access rights the second set of one or more users are granted for accessing any one of the plurality of objects,the computing system further comprising memory that stores computer-executable instructions that, when executed, implement a method, comprising;

receiving a request from a user to access one of the plurality of file objects, the user included in one or more of the first set of one or more users or the second set of one or more users;

determining that the scoped access control metadata element provides access rights to the one of the plurality of file objects; and

granting the user access to the one of the plurality of file objects, as defined by the scoped access control metadata element.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and data structures for communicating object metadata are provided. A generic metadata container is presented that allows object metadata to be described in an extensible manner using protocol-neutral and platform-independent methodologies. A metadata scope refers to a dynamic universe of targets to which the included metadata statements correspond. Metadata properties provide a mechanism to describe the metadata itself, and metadata security can be used to ensure authentic metadata is sent and received. Mechanisms are also provided to allow refinement and replacement of metadata statements. The generic metadata container can be adapted to dynamically define access control rights to a range of objects by a range of users, including granted and denied access rights.

218 Citations

22 Claims

1. A computing system for controlling access to a plurality of objects, the computing system comprising:
- a processor; and
  
  memory that stores a scoped access control metadata element that controls access to a plurality of objects that are stored in a computer storage medium of the computing system, wherein the scoped access control metadata element comprises;
  
  a resource scope statement that identifies a plurality of objects for which the scoped access control metadata element provides access rights by defining a portion of a directory hierarchy indicating that the scoped access control metadata element provides access rights for a plurality of file objects located at or below the specified portion of the directory hierarchy; and
  
  a rules statement that includes a plurality of rule statements that each define different access control rules for accessing the plurality of objects, including;
  
  a first rule statement that includes;
  
  a first statement scope that identifies a first set of one or more users to whom the first rule statement applies and who may access the plurality of objects, including a rule that defines the first set of one or more users as users that have been authenticated; and
  
  a first grant statement that defines what access rights the first set of one or more users are granted for accessing any one of the plurality of objects; and
  
  a second rule statement that includes;
  
  a second statement scope that identifies a second set of one or more users to whom the second rule statement applies and who may also access the plurality of objects; and
  
  a second grant statement that defines what different access rights the second set of one or more users are granted for accessing any one of the plurality of objects,the computing system further comprising memory that stores computer-executable instructions that, when executed, implement a method, comprising;
  
  receiving a request from a user to access one of the plurality of file objects, the user included in one or more of the first set of one or more users or the second set of one or more users;
  
  determining that the scoped access control metadata element provides access rights to the one of the plurality of file objects; and
  
  granting the user access to the one of the plurality of file objects, as defined by the scoped access control metadata element.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computing system of claim 1, wherein the scoped access control metadata element further comprises:
    - one or more properties statements that describe properties of the scoped access control metadata element, the properties comprising an expiration time of the scoped access control metadata element.
  - 3. The computing system of claim 1, wherein the scoped access control metadata element further comprises:
    - one or more security statements that define authentication measures to be applied when a user attempts to modify the scoped access control metadata element.
  - 4. The computing system of claim 1, wherein the resource scope statement also defines a Uniform Resource Identifier (URI) indicating that the scoped access control metadata element provides access rights for a plurality of web pages or web services located under the URI, including a web service.
  - 5. The computing system of claim 1, wherein the rules statement contains references the plurality of rule statements, such that the rules are not directly contained within the rules statement.
  - 6. The computing system of claim 1, wherein the scoped access control metadata element further comprises:
    - an indication that the scoped access control metadata element cannot be replaced by, or merged or intersected with another scoped access control metadata element.
  - 7. The computing system of claim 1, wherein the second rule statement also includes:
    - a deny statement that defines what access rights the second set of one or more users are denied for accessing any one of the plurality of objects.
  - 8. The computing system of claim 7, wherein the second statement scope identifies the second set of one or more users as all users belonging to a user group.
  - 9. The computing system of claim 7, wherein the second statement scope identifies the second set of one or more users as an explicit list of users.
  - 10. The computing system of claim 7, wherein the second statement scope identifies the second set of one or more users as all users who provide a correct key or password.
  - 11. The computing system of claim 7, wherein the second statement scope identifies the second set of one or more users as all users who provide a properly signed message.
  - 12. The computing system of claim 1, wherein the first rule statement also includes a deny statement that defines what access rights the first set of one or more users are denied for accessing any one of the plurality of objects.

13. A computer storage medium storing a particular data structure comprising:
- a scope element that contains criteria for determining a plurality of objects the particular data structure applies to for controlling what users may access the plurality of objects, wherein the criteria of the scope element defines a portion of a directory hierarchy indicating that the particular data structure provides access rights for a plurality of file objects located under the portion of the directory hierarchy; and
  
  one or more rule elements that define access rights for accessing the plurality of file objects, including;
  
  a first rule element that contains (1) first user rules that define a first set of one or more users to whom the first rule element applies and who may access the plurality of file objects, including a first rule that defines the first set of one or more users as users that have been authenticated, and (2) first access rules that define what access rights the first set of one or more users are granted for accessing any one of the plurality of file objects; and
  
  a second rule element that contains (1) second user rules that define a second set of one or more users to whom the second rule element applies and who may also access the plurality of file objects, and (2) second access rules that define what different access rights the second set of one or more users are granted for accessing any one of the plurality of file objects,the computer storage medium further storing computer-executable instructions that, when executed by at least one processor of a computer system, implement a method, comprising;
  
  an act of the computer system receiving a request from a user to access the one of the plurality of file objects, the user included in at least the first set of one or more users;
  
  an act of the computer system determining that the particular data structure controls what users may access the plurality of file objects, as defined by the criteria of the scope element of the particular data structure;
  
  an act of the computer system determining that the user is included in the first set of one or more users and that the user has been authenticated, as defined by the first user rules of the first rule element of the particular data structure; and
  
  an act of the computer system granting the user access to the one of the plurality of file objects, as defined by the first access rules of the first rule element of the particular data structure.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer storage medium of claim 13, wherein the particular data structure further comprises:
    - one or more properties elements that describe properties of the particular data structure, the properties comprising one or more of a name, author, or expiration time of the particular data structure.
  - 15. The computer storage medium of claim 13, wherein the particular data structure further comprises:
    - one or more security elements that define authentication measures to be applied when a user attempts to modify the particular data structure.
  - 16. The computer storage medium of claim 13, wherein the one or more rule elements contain references to rules for defining the range of users such that the rules are not directly contained within the data structure.
  - 17. The computer storage medium of claim 13, wherein the particular data structure further comprises:
    - an indication that the particular data structure cannot be replaced by, or merged or intersected with another data structure.

18. A method for determining whether a user has access to a requested object, comprising:
- receiving, at a computing system which includes at least one processor, a request from a user to access a particular file object;
  
  accessing an access control metadata element stored on the computing system to determine whether the user is authorized to access the particular file object, comprising;
  
  determining that the access control metadata element provides access rights to the particular file object based on a resource scope statement that identifies a plurality of file objects, including the particular file object, for which the access control metadata element provides access rights by defining a portion of a directory hierarchy indicating that the scoped access control metadata element provides access rights for the plurality of file objects, which are located at or below the specified portion of the directory hierarchy, including the particular file object;
  
  determining that the access control metadata element provides access rights for the user based on one or more rule statements, the one or more rule statements including;
  
  a first rule statement that includes (i) a first statement scope that identifies a first set of one or more users, including the user, to whom the first rule statement applies, the first statement scope including a first rule that defines the first set of one or more users as users that have been authenticated, and (ii) a first grant statement that defines what access rights the first set of one or more users are granted for accessing any one of the plurality of file objects; and
  
  a second rule statement that includes (i) a second statement scope that identifies a second set of one or more users to whom the second rule statement applies, and (ii) a second grant statement that defines what different access rights the second set of one or more users are granted for accessing any one of the plurality of file objects;
  
  determining that at least the first rule statement grants the user access to the particular file object based on the first statement scope and the first grant statement; and
  
  upon determining that the first rule statement grants the user access to the particular file object, and upon determining that the particular file object is within the plurality of file objects identified by the resource scope statement, granting the user access to the particular file object in accordance with the first grant statement defined in the first rule statement of the access control metadata element.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The method of claim 18, further comprising:
    - receiving, at a computing system, a request from the user to modify the access control metadata element; and
      
      determining whether the user is authenticated to modify the access control metadata element based on one or more security statements that define authentication measures to be applied when a user attempts to modify the access control metadata element.
  - 20. The method of claim 18, wherein the resource scope statement also defines a Uniform Resource Identifier (URI) indicating that the access control metadata element provides access rights for a plurality of web pages or web services located under the URI, including a web service.
  - 21. The method of claim 18, wherein the rules statement contains references the one or more rule statements, such that the rules are not directly contained within the rules statement.
  - 22. The method of claim 18, wherein the access control metadata element further comprises:
    - an indication that the access control metadata element cannot be replaced by, or merged or intersected with another access control metadata element.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Waingold, Elliot, Kaler, Christopher G., Della-Libera, Giovanni M.
Primary Examiner(s)
FILIPCZYK, MARCIN R

Application Number

US10/270,441
Publication Number

US 20030074356A1
Time in Patent Office

3,248 Days
Field of Search

707 1- 10, 707/100, 707/783, 707/802, 707/999.001, 707/999.003, 707/999.006, 707/999.009, 707/999.101, 707/786, 707/791, 711/163
US Class Current

707/783
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 45/34   Source routing

H04L 45/566   Routing instructions carrie...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 67/02   based on web technology, e....

Y10S 707/99939   Privileged access

Scoped access control metadata element

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

218 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Scoped access control metadata element

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

218 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others