Policy enforcement system
First Claim
1. A method, comprising:
- storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies;
intercepting, by the policy enforcement system, a request for data submitted from a client device to a file system that stores the data, the request including a first user credentials;
forwarding, by the policy enforcement system, the request for data to a first node of the file system, the first node mapping the requested data to a second node that stores the data in the file system;
receiving, by the policy enforcement system and from the first node, a redirect request comprising information specifying the second node;
encrypting, by the policy enforcement system, the first user credentials to provide encrypted user credentials;
appending, by the policy enforcement system, the encrypted user credentials to the redirect request to provide a custom redirect request;
sending, by the policy enforcement system, the custom redirect request to the second node;
intercepting, by the policy enforcement system, a response to the custom redirect request sent from the second node to the client device;
selecting, by the policy enforcement system and from the plurality of policies, based on the first user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the first user credentials;
filtering, by the policy enforcement system, the data from the file system based on the one or more policies to generate filtered data by inserting one or more masking characters in one or more data entries of the data; and
sending the filtered data to the client device.
2 Assignments
0 Petitions
Accused Products
Abstract
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies; receiving, from a client device, a request for data from a file system, the request further comprising user credentials; forwarding the request for data to a second node that stores the data from the file system; receiving, from the node, the data from the file system; selecting from the plurality of policies, based on the received user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the received user credentials; filtering, by the policy enforcement system, the data from the file system based on the one or more policies; and sending the filtered data to the client device.
98 Citations
20 Claims
-
1. A method, comprising:
-
storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies; intercepting, by the policy enforcement system, a request for data submitted from a client device to a file system that stores the data, the request including a first user credentials; forwarding, by the policy enforcement system, the request for data to a first node of the file system, the first node mapping the requested data to a second node that stores the data in the file system; receiving, by the policy enforcement system and from the first node, a redirect request comprising information specifying the second node; encrypting, by the policy enforcement system, the first user credentials to provide encrypted user credentials; appending, by the policy enforcement system, the encrypted user credentials to the redirect request to provide a custom redirect request; sending, by the policy enforcement system, the custom redirect request to the second node; intercepting, by the policy enforcement system, a response to the custom redirect request sent from the second node to the client device; selecting, by the policy enforcement system and from the plurality of policies, based on the first user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the first user credentials; filtering, by the policy enforcement system, the data from the file system based on the one or more policies to generate filtered data by inserting one or more masking characters in one or more data entries of the data; and sending the filtered data to the client device. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A system comprising:
-
a client device; a file system comprising a node; a policy enforcement system comprising; a processor; and a non-transitory computer-readable medium coupled to the processor and having instructions stored thereon, which, when executed by the processor, cause the processor to perform operations comprising; storing a plurality of policies and data associating a plurality of user credentials with the plurality of policies; intercepting a request for data submitted from a client device to a file system that stores the data, the request including a first user credentials; forwarding the request for data to a first node of the file system, the first node mapping the requested data to a second node that stores the data in the file system; receiving, from the first node, a redirect request comprising information specifying the second node; encrypting the first user credentials to provide encrypted user credentials; appending the encrypted user credentials to the redirect request to provide a custom redirect request; sending the custom redirect request to the second node; intercepting a response to the custom redirect request sent from the second node to the client device; selecting from the plurality of policies, based on the first user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the first user credentials; filtering the data from the file system based on the one or more policies to generate filtered data by inserting one or more masking characters in one or more data entries of the data; and sending the filtered data to the client device. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A non-transitory computer-readable medium having instructions stored thereon, which, when executed by a processor, cause the processor to perform operations comprising:
-
storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies; intercepting, by the policy enforcement system, a request for data submitted from a client device to a file system that stores the data, the request including a first user credentials; forwarding, by the policy enforcement system, the request for data to a first node of the file system, the first node mapping the requested data to a second node that stores the data in the file system; receiving, from the first node, a redirect request comprising information specifying the second node; encrypting the first user credentials to provide encrypted user credentials; appending the encrypted user credentials to the redirect request to provide a custom redirect request; sending the custom redirect request to the second node; intercepting, by the policy enforcement system, a response to the custom redirect request sent from the second node to the client device; selecting from the plurality of policies, based on the first user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the first user credentials; filtering, by the policy enforcement system, the data from the file system based on the one or more policies to generate filtered data by inserting one or more masking characters in one or more data entries of the data; and sending the filtered data to the client device. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification