Abstract: A system and method for creating switchable desktops each with its own authorization. The system provides a custom authentication and authorization data store that defines permission sets called roles, and lists which roles each user may assume. The system also provides a custom virtual desktop manager that creates new virtual desktops using the permissions defined by roles allowed for each user. When a user requests a new virtual desktop and role from the desktop manager, the manager requests new virtual desktop components from the operating system. The desktop manager intercepts a request by the operating system to the Local Security Authority module for permissions to grant the new virtual desktop. The manager substitutes the user's requested role permissions (if the user may assume the rule) for the permissions granted by the LSA module. The LSA module and operating system grant those role permissions to the user's activities in a newly created virtual desktop.

Abstract: A system and method for creating switchable desktops each with its own authorization. The system provides a custom authentication and authorization data store that defines permission sets called roles, and lists which roles each user may assume. The system also provides a custom virtual desktop manager that creates new virtual desktops using the permissions defined by roles allowed for each user. When a user requests a new virtual desktop and role from the desktop manager, the manager requests new virtual desktop components from the operating system. The desktop manager intercepts a request by the operating system to the Local Security Authority module for permissions to grant the new virtual desktop. The manager substitutes the user's requested role permissions (if the user may assume the rule) for the permissions granted by the LSA module. The LSA module and operating system grant those role permissions to the user's activities in a newly created virtual desktop.

Abstract: A system and method for creating switchable desktops each with its own authorization. The system provides a custom authentication and authorization data store that defines permission sets called roles, and lists which roles each user may assume. The system also provides a custom virtual desktop manager that creates new virtual desktops using the permissions defined by the roles. When a user requests a new virtual desktop and role from the desktop manager, the manager requests new virtual desktop components from the operating system. The desktop manager intercepts a request by the operating system to the Local Security Authority module for permissions to grant the new virtual desktop. The manager substitutes the user's requested role permissions for the permissions granted by the LSA module. The LSA module and operating system grant those role permissions in a newly created virtual desktop.

Abstract: A system and method for taking control of process token creation in the Windows operating system to create conditional process tokens that define access to system resources for process running on a Windows computer. The system includes an LSA shim layer that intercepts standard Windows requests for authentication and authorization and an authentication agent that determines context for each request. A custom authentication and authorization (A&A) store determines authentication success and the amount of authorization based on context and supplied credentials. Once the custom A&A store determines a successful log-on and defines authorization for the user, it passes the elements of authorization through the authentication agent to the LSA shim layer, which passes them on to the LSA module, which in turn uses them to request a Windows process token from the Windows kernel.

Abstract: A system and method for using a GSSAPI security token to transport additional non-GSSAPI data that includes authorization data used by third-party software. The system includes a hook that intercepts a client process's interactions with the GSSAPI. When a client process requests a security context from the GSSAPI, the hook intercepts the security token the GSSAPI provides for the client process. The hook checks to see if there is additional authorization data to transport, adds the additional data to the security token, then gives the token to the client process. The client process sends the security token to the server process, which submits the token to the GSSAPI for evaluation.

Abstract: A system and method for creating switchable desktops each with its own authorization. The system provides a custom authentication and authorization data store that defines permission sets called roles, and lists which roles each user may assume. The system also provides a custom virtual desktop manager that creates new virtual desktops using the permissions defined by roles allowed for each user. When a user requests a new virtual desktop and role from the desktop manager, the manager requests new virtual desktop components from the operating system. The desktop manager intercepts a request by the operating system to the Local Security Authority module for permissions to grant the new virtual desktop. The manager substitutes the user's requested role permissions (if the user may assume the rule) for the permissions granted by the LSA module. The LSA module and operating system grant those role permissions to the user's activities in a newly created virtual desktop.

Abstract: A system and method for using a GSSAPI security token to transport additional non-GSSAPI data that includes authorization data used by third-party software. The system includes a hook that intercepts a client process's interactions with the GSSAPI. When a client process requests a security context from the GSSAPI, the hook intercepts the security token the GSSAPI provides for the client process. The hook checks to see if there is additional authorization data to transport, adds the additional data to the security token, then gives the token to the client process. The client process sends the security token to the server process, which submits the token to the GSSAPI for evaluation.

Abstract: A system and method for taking control of process token creation in the Windows operating system to create conditional process tokens that define access to system resources for process running on a Windows computer. The system includes an LSA shim layer that intercepts standard Windows requests for authentication and authorization and an authentication agent that determines context for each request. A custom authentication and authorization (A&A) store determines authentication success and the amount of authorization based on context and supplied credentials. Once the custom A&A store determines a successful log-on and defines authorization for the user, it passes the elements of authorization through the authentication agent to the LSA shim layer, which passes them on to the LSA module, which in turn uses them to request a Windows process token from the Windows kernel.