Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-09-21
2002-06-25
Hua, Ly V. (Department: 2131)
C713S152000, C713S167000, C707S793000, C707S793000
active
06412070
ABSTRACT:
FIELD OF THE INVENTION
This invention relates generally to secure computing environments and, more particularly, to an extensible method and system for maintaining control access rights in a computing environment.
COPYRIGHT NOTICE/PERMISSION
A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever. The following notice applies to the software and data as described below and in the drawing hereto: Copyright© 1998, Microsoft Corporation, All Rights Reserved.
BACKGROUND OF THE INVENTION
In order to control the management, protection and distribution of sensitive information, an organization defines a security policy and implements the policy through various rules and practices. A security policy has several objectives. First, a security policy strives to maintain the confidentiality of the sensitive information by protecting the information from improper disclosure to unauthorized users. Second, a security policy seeks to maintain the integrity of the information by ensuring that users do not modify data they are not authorized to modify and that authorized users do not corrupt the information through improper operations. Finally, the policy seeks to minimize any burden on the availability and accessibility of the information to authorized users incurred as a result of the policy.
In an organization's computing environment, an operating system controls access to system objects such as files and network devices. The operating system enforces the organization's security policy based on configured permissions for accessing the resources. It is often difficult to fully implement an organization's security policy because conventional operating systems have a predefined set of access rights. Conventional systems employ a limited permissions mask. The permissions mask contains a fixed number of bits, such as 16 bits or 32 bits, where each bit corresponds to a unique access right. A system administrator is able to enforce the organization's security policy only to the extent the fixed permissions allow and is limited to granting or denying individual permissions. Thus, in conventional operating systems, a system administrator or software developer is confined to the operating system's predefined permissions and, therefore, is often unable to fully implement the organization's security policy.
For the reasons stated above, and for other reasons stated below which will become apparent to those skilled in the art upon reading and understanding the present specification, there is a need in the art for an extensible security system in which permissions can be dynamically created, granted and removed. There is a need for such a system in which unique control rights can be defined manually by a system administrator or programmatically by applications executing within the computing environment.
SUMMARY OF THE INVENTION
The above-mentioned shortcomings, disadvantages and problems are addressed by the present invention, which will be understood by reading and studying the following specification. To solve these problems, the invention provides an extensible security system and method for controlling objects beyond traditional access rights such as read, write, create and delete. The methods and systems of the invention allow a system administrator or user application to dynamically create unique control rights. According to the invention, access rights can be created that do not necessarily relate to any specific property of the object, but rather define how a user may control the object. A novel object, referred to as a control access data structure, is defined for each unique control right and associates the control right with one or more objects of the computing environment. In order to grant the access right to a trusted user, an improved access control entry (ACE) is defined which holds a unique identifier of the trusted user and a unique identifier of the control access data structure.
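The contrast between the fixed permissions mask of the background section and the control access data structure plus ACE of the summary can be sketched as follows. This is an added example, not code from the patent: every class, function and field name is hypothetical, and denying a check once the right has been removed is an assumed policy.

```python
import uuid
from dataclasses import dataclass, field

READ, WRITE, CREATE, DELETE = 0x1, 0x2, 0x4, 0x8  # conventional fixed mask bits

@dataclass(frozen=True)
class ControlAccessRight:  # one record per unique control right
    right_id: uuid.UUID
    name: str
    applies_to: frozenset  # object classes the right is associated with

@dataclass(frozen=True)
class Ace:  # trustee identifier + control right identifier
    trustee_id: str
    right_id: uuid.UUID

@dataclass
class SecuredObject:
    object_class: str
    mask_acl: dict = field(default_factory=dict)     # trustee -> fixed bit mask
    control_acl: list = field(default_factory=list)  # list of Ace

def mask_check(obj, trustee_id, wanted):
    # Fixed model: only rights that already have a bit can be expressed.
    return (obj.mask_acl.get(trustee_id, 0) & wanted) == wanted

class RightsRegistry:
    def __init__(self):
        self._rights = {}

    def create(self, name, applies_to):  # define a new right at run time
        right = ControlAccessRight(uuid.uuid4(), name, frozenset(applies_to))
        self._rights[right.right_id] = right
        return right

    def remove(self, right_id):
        self._rights.pop(right_id, None)

    def grant(self, obj, trustee_id, right):
        if right.right_id not in self._rights:
            raise KeyError("unknown control right")
        if obj.object_class not in right.applies_to:
            raise ValueError("right is not associated with this object class")
        obj.control_acl.append(Ace(trustee_id, right.right_id))

    def check(self, obj, trustee_id, right_id):
        right = self._rights.get(right_id)
        if right is None or obj.object_class not in right.applies_to:
            return False  # removed or unassociated right: deny (assumed policy)
        return any(a == Ace(trustee_id, right_id) for a in obj.control_acl)
```

Because the check resolves the right through the registry, an ACE left behind on an object after its right is removed no longer grants anything.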
Brundrett Peter T.
Garg Praerit
Swift Michael M.
Van Dyke Clifford P.
Ward Richard B.
Hua Ly V.
Lee & Hayes PLLC
Microsoft Corporation