    22. System and methods for providing dynamic authorization in a computer system
    Granted invention patent (in force)

    Publication number: US07434257B2

    Publication date: 2008-10-07

    Application number: US09849093

    Filing date: 2001-05-04

    IPC classification: G06F21/00

    Abstract: A dynamic authorization callback mechanism is provided that implements a dynamic authorization model. An application can thus implement virtually any authorization policy by utilizing dynamic data and flexible policy algorithms inherent in the dynamic authorization model. Dynamic data, such as client operation parameter values, client attributes stored in a time-varying or updateable data store, run-time or environmental factors such as time-of-day, and any other static or dynamic data that is managed or retrievable by the application may be evaluated in connection with access control decisions. Hence, applications may define and implement business rules that can be expressed in terms of run-time operations and dynamic data. An application thus has substantial flexibility in defining and implementing custom authorization policy, and at the same time provides standard definitions for such dynamic data and policy.

    23. System and method for protecting domain data against unauthorized modification
    Granted invention patent (in force)

    Publication number: US07200869B1

    Publication date: 2007-04-03

    Application number: US09663811

    Filing date: 2000-09-15

    Abstract: Described is an invention for safeguarding against the modification of certain data associated with one domain of a distributed network by an entity (such as an administrator) within another domain of the distributed network, while still allowing the entity to modify other data associated with the one domain. More particularly, security safeguards are applied by a directory replication service that operates to replicate the shared data to each domain in a domain “forest.” Those security safeguards allow a user to indicate that certain modifications of specified shared data may only be made within the domain in which the shared data was created. In that way, a shared data namespace may still be implemented in which trust relationships exist so that, for example, an administrator in one domain may alter a configuration of another domain within the forest. However, certain data may be restricted by these safeguards such that certain modifications of that data (e.g., taking ownership of the data) may only be done from the domain which currently owns the data.

    24. Per property access control mechanism
    Granted invention patent (in force)

    Publication number: US06289458B1

    Publication date: 2001-09-11

    Application number: US09157771

    Filing date: 1998-09-21

    IPC classification: G06F12/14

    CPC classification: G06F21/6281 G06F2221/2141

    Abstract: Providing access control to individual properties of an object is described. In one embodiment, a computer system comprises an operating system operative to control applications and services running on the system. The service maintains a service object having at least one property. Also included in the system is an access control module within the operating system. The access control module includes an access control interface operative to control access to a property of the object.

    25. Security model using restricted tokens
    Granted invention patent (expired)

    Publication number: US06279111B1

    Publication date: 2001-08-21

    Application number: US09096926

    Filing date: 1998-06-12

    IPC classification: G06F12/14

    Abstract: A restricted access token is created from an existing token, and provides less access than that token. A restricted token may be created by changing an attribute of one or more security identifiers allowing access in the parent token to a setting that denies access in the restricted token and/or removing one or more privileges from the restricted token relative to the parent token. A restricted access token also may be created by adding restricted security identifiers thereto. Once created, a process associates another process with the restricted token to launch the other process in a restricted context that is a subset of its own rights and privileges. A kernel-mode security mechanism determines whether the restricted process has access to a resource by first comparing user-based security identifiers in the restricted token and the intended type of action against a list of identifiers and actions associated with the resource. If no restricted security identifiers are in the restricted token, access is determined by this first check; otherwise a second access check further compares the restricted security identifiers against the list of identifiers and actions associated with the resource. With a token having restricted security identifiers, the process is granted access only if both the first and second access checks pass. In this manner, a process is capable of restricting another process, such as possibly unruly code, in the actions it can perform.

    27. SHARED COMMUNITY STORAGE NETWORK
    Invention patent application (in force)

    Publication number: US20110246652A1

    Publication date: 2011-10-06

    Application number: US12977426

    Filing date: 2010-12-23

    IPC classification: G06F15/173

    Abstract: A hardware and/or software facility for durably and securely storing data within a shared community storage network. A user may have a storage device that they intend to share with others in the network. All or a portion of the storage device is registered with the community storage network as a storage node. Once registered with the network, third-party data may be stored on the storage node and remotely accessed by third parties. In addition, data stored on the storage device by the user may be stored in the shared community storage network by encrypting the data, adding redundancy, and distributing it to other storage nodes within the storage network. Data that is stored in the storage network remains accessible to the user even if their own storage device is inaccessible or fails.

    28. Role-based authorization management framework
    Granted invention patent (in force)

    Publication number: US07546633B2

    Publication date: 2009-06-09

    Application number: US10281083

    Filing date: 2002-10-25

    IPC classification: G06F17/30 H04L9/32

    Abstract: A role-based authorization management system maintains an authorization policy store that represents user authorizations to perform operations associated with an application. When a user attempts to perform a function associated with an application, the authorization management system verifies that the user is authorized to perform the requested function. The authorization management system also provides an interface for an application administrator to update role-based user authorization policies associated with one or more applications.

    30. Flexible, selectable, and fine-grained network trust policies
    Granted invention patent (in force)

    Publication number: US07353535B2

    Publication date: 2008-04-01

    Application number: US10404733

    Filing date: 2003-03-31

    IPC classification: H04K1/00 H04L9/00

    CPC classification: G06F21/64

    Abstract: A flexible way of expressing trust policies using, for example, XML. Multiple statement types may be expressed for a single authority type. Statement types may include less than all of the statements made by an authority type. Authority types may be defined in any manner interpretable by the computing system using the trust policy. In addition, trust policies may be updated as trust levels change. Multiple trust policies may even be used, with reconciliation between them accomplished by applying the more restrictive trust policy with respect to an assertion.