Target-based access check independent of access request

US 8,561,152 B2
Filed: 05/17/2011
Issued: 10/15/2013
Est. Priority Date: 05/17/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

building, at a target computing system controlling access to a resource, a context of a principal independently of the principal requesting access to the resource, the context including an authenticated identifier of the principal and one or more attributes associated with the principal; and

applying, at the target system and independently of the principal requesting access to the resource, an authorization policy to the context;

determining, at the target system based on the applying, whether the principal is permitted to access the resource;

providing, based on the determining, an indication of whether the principal is permitted to access the resource;

modifying the context;

applying, at the target system, the authorization policy to the modified context;

determining, at the target system based on the applying of the authorization policy to the modified context, whether a principal having the modified context is permitted to access the resource; and

providing, to an administrator and based on the determining of whether a principal having the modified context is permitted to access the resource, an indication of whether the principal having the modified context is permitted to access the resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A context of a principal is built, at a target system controlling access to a resource, independently of the principal requesting access to the resource. An authorization policy is applied, at the target system, to the context to determine whether the principal is permitted to access the resource, and an indication of whether the principal is permitted to access the resource is provided (e.g., to an administrator). Modifications can be made to the context and the authorization re-applied to determine whether a principal having the modified context is permitted to access the resource.

121 Citations

20 Claims

1. A method comprising:
- building, at a target computing system controlling access to a resource, a context of a principal independently of the principal requesting access to the resource, the context including an authenticated identifier of the principal and one or more attributes associated with the principal; and
  
  applying, at the target system and independently of the principal requesting access to the resource, an authorization policy to the context;
  
  determining, at the target system based on the applying, whether the principal is permitted to access the resource;
  
  providing, based on the determining, an indication of whether the principal is permitted to access the resource;
  
  modifying the context;
  
  applying, at the target system, the authorization policy to the modified context;
  
  determining, at the target system based on the applying of the authorization policy to the modified context, whether a principal having the modified context is permitted to access the resource; and
  
  providing, to an administrator and based on the determining of whether a principal having the modified context is permitted to access the resource, an indication of whether the principal having the modified context is permitted to access the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1, the resource comprising a resource included as part of or coupled to the target computing system.
  - 3. The method as recited in claim 1, performing the building and applying in response to a request from the administrator.
  - 4. The method as recited in claim 1, a first one or more of the attributes being modified by a device of a first realm through which a path from a requesting device associated with the principal to the target computing system passes, and a second one or more of the attributes being modified by a device of a second realm through which the path passes.
  - 5. The method as recited in claim 4, an attribute being modified comprising an attribute being added to a context of the principal or removed from the context of the principal by a device of a realm.
  - 6. The method as recited in claim 1, the principal comprising a user of a requesting device, and the context including one or more user attributes of the user of the requesting device.
  - 7. The method as recited in claim 1, the context including one or more attributes of a requesting device associated with the principal.
  - 8. The method as recited in claim 1, the context including one or more attributes that include static information.
  - 9. The method as recited in claim 1, the context including one or more attributes that include contextual information.

10. One or more computer storage devices having stored thereon multiple instructions that, when executed by one or more processors of a target system, cause the one or more processors to:
- build a context of a principal as if the principal were requesting access to a resource, a resource manager of the target system controlling access to the resource, the context including an authenticated identifier of the principal and one or more attributes associated with the principal;
  
  apply, independently of the principal requesting access to the resource, an authorization policy to the context to determine whether the principal is permitted to access the resource; and
  
  determine, at the target system based on the applying, whether the principal is permitted to access the resource;
  
  provide, to an administrator, an indication of whether the principal is permitted to access the resource;
  
  modify the context;
  
  apply, at the target system, the authorization policy to the modified context;
  
  determine, at the target system based on the applying of the authorization policy to the modified context, whether a principal having the modified context is permitted to access the resource; and
  
  provide, to an administrator and based on the determining of whether a principal having the modified context is permitted to access the resource, an indication of whether the principal having the modified context is permitted to access the resource.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The one or more computer storage devices as recited in claim 10, the instructions causing the one or more processors to provide an indication of whether the principal is permitted to access the resource including instructions causing the one or more processors to provide the indication, via a remote device, to the administrator.
  - 12. The one or more computer storage devices as recited in claim 10, a first one or more of the attributes being modified by a device of a first realm through which a path from a requesting device associated with the principal to the target system passes, and a second one or more of the attributes being modified by a device of a second realm through which the path passes.
  - 13. The one or more computer storage devices as recited in claim 12, an attribute being modified comprising an attribute being added to a context of the principal or removed from the context of the principal by a device of a realm.
  - 14. The one or more computer storage devices as recited in claim 10, the principal comprising a user associated with a requesting device from which the principal would request access to the resource.

15. A system comprising:
- at least one processor;
  
  a memory, operatively connected to the at least one processor and containing instructions that, when executed by the at least one processor, cause the at least one processor to perform a method, the method comprising;
  
  building, at a target system controlling access to a resource, a context of a principal independently of the principal requesting access to the resource, the context including an authenticated identifier of the principal and one or more attributes associated with the principal;
  
  applying, at the target system and independently of the principal requesting access to the resource, an authorization policy to the context;
  
  determining, at the target system based on the applying, whether the principal is permitted to access the resource;
  
  providing, based on the determining, an indication of whether the principal is permitted to access the resource;
  
  modifying the context;
  
  applying, at the target system, the authorization policy to the modified context;
  
  determining, at the target system based on the applying of the authorization policy to the modified context, whether a principal having the modified context is permitted to access the resource; and
  
  providing, to an administrator and based on the determining of whether a principal having the modified context is permitted to access the resource, an indication of whether the principal having the modified context is permitted to access the resource.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system as recited in claim 15, a first one or more of the attributes being modified by a device of a first realm through which a path from a requesting device associated with the principal to the target computing system passes, and a second one or more of the attributes being modified by a device of a second realm through which the path passes.
  - 17. The system as recited in claim 16, an attribute being modified comprising an attribute being added to a context of the principal or removed from the context of the principal by a device of a realm.
  - 18. The system as recited in claim 15, the context including one or more attributes of a requesting device associated with the principal.
  - 19. The system as recited in claim 15, the context including one or more attributes that include static information.
  - 20. The system as recited in claim 15, the context including one or more attributes that include contextual information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Novak, Mark F., Singh, Karanbir, McPherson, David M., Popov, Andrey, Tang, Ming
Primary Examiner(s)
Mehedi, Morshed

Application Number

US13/109,530
Publication Number

US 20120297455A1
Time in Patent Office

882 Days
Field of Search

726/1, 726/4
US Class Current

726/4
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Target-based access check independent of access request

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

121 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Target-based access check independent of access request

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links