Abstract: Enforcing access control based on resource state. A method includes receiving a request for an operation on one or more objects stored on computer readable media. One or more pre-operation states of the one or more objects are determined. One or more post-operation states of the one or more objects are determined. One or more access control rules are referenced. The access control rules control access to resources based on pre-operation state and post operation state. It can then be determined that the one or more access control rules allow the operation to succeed based on the one or more pre-operation states and the one or more post operation states. Based on determining that the one or more access control rules allow the operation to succeed, the operation is allowed to succeed.

Abstract: A web service includes a protected resource. A requester requests access to the protected resource by sending a request to the web service. The web service prevents access to the web service until the request has been authorized by an authorizer. After the request has been authorized by the authorizer, the web service allows the requester to access the protected resource.

Abstract: The present invention extends to methods, systems, and computer program products for managing set membership. A set definition is translated into one or more membership conditions. Each membership condition includes statements about the attributes of a resource that are to be true if the resource is to be included in the set. For any given resource request, resources touched by the request are compared to membership conditions applicable to the touched resources. Thus, embodiments of the invention minimize the work that is done to determine which sets a resource may or may not belong to whenever a resource is modified. Accordingly, based on available resources, embodiments of the invention can scale to accommodate larger numbers of sets and larger numbers of potential members of sets.

Abstract: Managing data for an object, including managing data in the object itself and alternative data applicable to an object dependent on one or more locales. Locales may refer to languages, geographic locations or other user preferences. A first object is stored. The first object includes a first identifier for the first object and a first plurality of properties. The first plurality of properties includes locale invariant values for the first plurality of properties. One or more localized objects are stored. The localized objects are unique from the first object. The localized objects each include a specification of a locale, a related identifier related to the first identifier, and one or more related properties related to one or more of the properties in the first plurality of properties. The related properties store localized values, including one or more alternatives to the locale invariant values particular to the specified locale.

Abstract: Defining a unified access management policy expression that unifies access control policy with events or workflows. Unified management policy information is stored. The unified management policy information defines permissions for access to resources together with events or workflows. A request is received to execute the one or more operations on one or more objects. The requested operation is verified against the unified management rules. Verifying includes performing a single retrieval, retrieving both the access control information and the events or workflows and calculating the applicability of the rule to the conditions represented by the request. Matching rules are applied, access control decisions performed and associated workflows are executed.

Abstract: Enforcing access control based on resource state. A method includes receiving a request for an operation on one or more objects stored on computer readable media. One or more pre-operation states of the one or more objects are determined. One or more post-operation states of the one or more objects are determined. One or more access control rules are referenced. The access control rules control access to resources based on pre-operation state and post operation state. It can then be determined that the one or more access control rules allow the operation to succeed based on the one or more pre-operation states and the one or more post operation states. Based on determining that the one or more access control rules allow the operation to succeed, the operation is allowed to succeed.

Abstract: Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.

Abstract: A web service includes a protected resource. A requester requests access to the protected resource by sending a request to the web service. The web service prevents access to the web service until the request has been authorized by an authorizer. After the request has been authorized by the authorizer, the web service allows the requester to access the protected resource.

Abstract: Extending managed code framework configurations. A data structure may be implemented in a computing system implementing a managed code framework. A computer readable medium includes a number of data fields stored on the medium and representing a data structure facilitating the extension of configuration parameters used in configuring class types instantiations of class types in the managed code framework. The data structure includes a first data field including data representing an extensions section. The extensions section includes elements including name/class type pairs, the name describing a tagged element in a mark-up document correlated with an application class type. The data structure also includes a second data field containing configuration elements for configuring class types for instantiating class types in a managed code framework. The second data field consumes one or more name/class type pairs from the first data field.