
US20050021977: Expression-based access control

Filing Information

Inventor(s): Shawn Oberst
Assignee(s): Microsoft Corporation
Correspondent: CHRISTENSEN, O'CONNOR, JOHNSON, KINDNESS, PLLC
Application Number: US10607370
Filing date: 06/25/2003
Publication date: 01/27/2005
Predicted expiration date: 06/25/2023
U.S. Classifications: 713/182
International Classifications: --
Kind Code: A1
44 Claims, 25 Drawings


Abstract

An access control technique assigns permission to a user without permission explosion, thereby facilitating the system administration of user access to a piece of content in a computer system. Permissions are granted to pieces of content through expressions rather than explicitly coupled between a piece of content and a user. Each expression defines an access scope for either a user or a piece of content. An expression defining the access scope for a user can be created and maintained independently of an expression defining the access scope to a piece of content, hence simplifying management information system implementation and administration.

Independent Claims (8 of 44 claims)

  1. A computer-readable medium having a data structure stored thereon for use by a computing system to evaluate an access request of a user, the data structure comprising: a content class that is indicative of a piece of content; a permission class that is indicative of access privileges to the piece of content; and an expressed role class associated with the permission class, the expressed role class having one attribute representing an expression of the access scope of the expressed role class and another attribute representing a type of the expression, the type of the expression including a set of elements.
  6. A computer-readable medium having a data structure stored thereon for use by a computing system to evaluate an access request of a user, the data structure comprising: a permission class that is indicative of access privileges to a piece of content; and an accessor class associated with the permission class, the accessor class representing an access scope of the piece of content.
  11. A networked system for evaluating an access request of a user, comprising: a user account representing the user accessing the networked system, the user account including a user access scope expressed by a first expression for a security space; and a piece of content including a content access scope defined by a second expression for the security space, the user being granted access to the piece of content when the user access scope overlaps with the content access scope.
  16. A computer-executable method for forming an access scope of a user or a piece of content, the method comprising: forming a security space with dimensions, each including a set of members; representing a dimension extent as a dimension with a subset of the set of members; and representing the access scope by a number of dimension extents, each dimension extent being logically conjoined or disjoined with another dimension extent.
  21. A computer-readable medium having computer-readable instructions that implement a method for forming an access scope of a user or a piece of content, the method comprising: forming a security space with dimensions, each including a set of members; representing a dimension extent as a dimension with a subset of the set of members; and representing the access scope by a number of dimension extents, each dimension extent being logically conjoined or disjoined with another dimension extent.
  26. A computer system for evaluating an access request by a user, comprising: a sentence compiler for compiling textual sentences into binary sentences, each sentence including binary phrases; and an access evaluator for comparing two binary sentences by logically ANDing each binary phrase of a first binary sentence and each corresponding binary phrase of a second binary sentence, the access evaluator granting access when the access scope of the first binary sentence overlaps the access scope of the second binary sentence.
  31. A computer-implemented method for evaluating the scope of a content access request by a user, the method comprising: expressing an access scope for a piece of content by a content sentence; expressing an access scope for the user by an accessor sentence; and evaluating whether to grant or deny the content access request of the user by comparing the access scope as expressed by the content sentence and the access scope as expressed by the accessor sentence to determine whether there is an overlap.
  38. A computer-readable medium having computer-readable instructions that implement a method for evaluating the scope of a content access request by a user, the method comprising: expressing an access scope for a piece of content by a content sentence; expressing an access scope for the user by an accessor sentence; and evaluating whether to grant or deny the content access request of the user by comparing the access scope as expressed by the content sentence and the access scope as expressed by the accessor sentence to determine whether there is an overlap.
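
The mechanism described in claims 16, 26 and 31 (a security space of dimensions, dimension extents as member subsets, a sentence compiler producing binary phrases, and an access evaluator that ANDs corresponding phrases and grants on overlap) can be illustrated with a small model. The code below is an added example, not Microsoft's implementation and not code from the patent. It assumes a toy security space (department, region, sensitivity), a simple textual grammar (`dim:member,member`, `&` for conjunction, `|` for disjunction), and an interpretation in which an access scope is a disjunction of conjunctive phrases and a dimension not mentioned in a phrase means "all members"; a phrase with an empty extent compiles to an all-zero mask and therefore never overlaps, so a malformed scope fails closed.

```python
"""Toy model of expression-based access control (added example; the grammar,
security space and disjunctive-normal-form reading of a sentence are assumptions
for illustration, not the patent's own design).

A security space has dimensions, each a set of members.  A dimension extent is
a subset of one dimension and compiles to a bitmask (a "binary phrase").  An
access scope (a "sentence") is a disjunction of conjunctive phrases.  Two
scopes overlap when some phrase of one and some phrase of the other share at
least one member in every dimension, which the evaluator tests by ANDing the
corresponding bitmasks.
"""
from typing import Dict, List

# Constructed security space; dimension and member names are illustrative.
SECURITY_SPACE: Dict[str, List[str]] = {
    "department": ["eng", "ops", "legal", "finance"],
    "region": ["us", "eu", "apac"],
    "sensitivity": ["public", "internal", "confidential"],
}

Phrase = Dict[str, int]   # dimension -> bitmask over that dimension's members
Sentence = List[Phrase]   # disjunction of conjunctive phrases


def full_mask(dimension: str) -> int:
    """Bitmask selecting every member of a dimension."""
    return (1 << len(SECURITY_SPACE[dimension])) - 1


def compile_extent(dimension: str, members: List[str]) -> int:
    """Compile a dimension extent (a subset of members) to a bitmask.
    An unknown member raises, so a typo cannot silently widen a scope."""
    mask = 0
    for member in members:
        mask |= 1 << SECURITY_SPACE[dimension].index(member)
    return mask


def compile_sentence(text: str) -> Sentence:
    """Sentence compiler for the assumed grammar:
         sentence := clause ('|' clause)*
         clause   := extent ('&' extent)*
         extent   := dimension ':' member (',' member)*
    Dimensions not mentioned in a clause default to all members; mentioning a
    dimension twice in one clause intersects the two extents."""
    sentence: Sentence = []
    for clause in text.split("|"):
        phrase: Phrase = {d: full_mask(d) for d in SECURITY_SPACE}
        for extent in clause.split("&"):
            dim, _, members = extent.strip().partition(":")
            dim = dim.strip()
            if dim not in SECURITY_SPACE:
                raise ValueError(f"unknown dimension {dim!r}")
            names = [m.strip() for m in members.split(",") if m.strip()]
            # Empty extent -> zero mask -> this clause can never overlap (fail closed).
            phrase[dim] &= compile_extent(dim, names)
        sentence.append(phrase)
    return sentence


def phrases_overlap(a: Phrase, b: Phrase) -> bool:
    """AND each binary phrase with its counterpart; overlap needs a nonzero
    result in every dimension of the security space."""
    return all(a[d] & b[d] for d in SECURITY_SPACE)


def overlaps(content: Sentence, accessor: Sentence) -> bool:
    """Two disjunctions overlap if any pair of their clauses overlaps."""
    return any(phrases_overlap(c, u) for c in content for u in accessor)


def evaluate_access(content_sentence: str, accessor_sentence: str) -> bool:
    """Access evaluator: grant when the content scope and the accessor scope
    overlap, deny otherwise."""
    return overlaps(compile_sentence(content_sentence),
                    compile_sentence(accessor_sentence))


if __name__ == "__main__":
    content = "department:eng,ops & region:us & sensitivity:internal"
    print(evaluate_access(content, "department:eng & region:us,eu"))   # True
    print(evaluate_access(content, "department:legal"))                # False
```

The two scopes are compiled and stored independently, which is the point the abstract makes: changing which departments may see a document touches only the content sentence, and changing a user's reach touches only the accessor sentence, with no per-user, per-document permission rows to maintain. The evaluator is O(|content clauses| x |accessor clauses| x |dimensions|) bitmask ANDs, so a policy change never triggers a recomputation of explicit grants.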

References Cited

The current document has no citations.

Patent Family

The current document is not in a family.