Enforcing control policies in an information management system with two or more interactive enforcement points
Abstract
A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server.
21 Claims
1. A method comprising:
- providing an interceptor code component and a policy engine code component executing on a first computer, wherein the interceptor code component resides within an operating system layer executing on the first computer, and the policy engine code component is outside of the operating system layer;
- using the interceptor code component, intercepting at least one low level file operation to be executed by the operating system of the first computer to complete a document access operation;
- using the policy engine code component, evaluating the document access operation on the first computer, wherein the evaluating step evaluates at least one rule pertaining to the document access operation, the at least one rule is among a plurality of rules stored on the first computer, and the at least one rule contains at least one expression used by the evaluating step to control document access operation;
- communicating with a second computer as indicated by the at least one rule; and
- confirming on the first computer that the second computer has an ability to interact with the evaluating step.

Dependent claims: 2, 3, 4, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20.

5. A method comprising:
- providing an interceptor code component and a policy engine code component executing on a first computer, wherein the interceptor code component resides within an operating system layer executing on the first computer, and the policy engine code component is outside of the operating system layer;
- using the interceptor code component, intercepting at least one low level file operation the interceptor code component may access within the operating system layer to complete a document access operation;
- preventing the at least one low level file operation from executing;
- using the policy engine code component, evaluating the document access operation on the first computer, wherein the evaluating step evaluates at least one rule pertaining to the document access operation, the evaluating step monitors operations of a plurality of application programs on the first computer, and the application programs are outside of the operating system layer, the document access operation is initiated by an application program and detected by the interceptor code component, and the interceptor code component transfers handling of the document access operation to the policy engine code component, the at least one rule is among a plurality of rules stored on the first computer, and the at least one rule contains at least one expression used by the evaluating step to control document access operation;
- for a first application program on the first computer, performing the evaluating step for an operation of the first application program;
- determining if the first computer contains a first piece of information required to evaluate the at least one rule;
- if the first computer contains the first piece of information required to evaluate the at least one rule, determining that the first computer is capable of evaluating the at least one rule;
- if the first computer does not contain the first piece of information required to evaluate the at least one rule, determining that the first computer is incapable of evaluating the at least one rule;
- if the first computer is incapable of evaluating the at least one rule, determining a second computer connected over a network to the first computer, wherein the second computer has access to the first piece of information; and
- confirming on the first computer that the second computer has an ability to interact with the evaluating step.

Dependent claims: 6.

21. A method comprising:
- providing an interceptor code component and a policy engine code component executing on a first computer, wherein the interceptor code component resides within an operating system layer executing on the first computer, and the policy engine code component is outside of the operating system layer;
- determining whether to intercept at least one low level file operation to be executed at the operating system layer of the first computer to complete a document access operation, wherein the at least one low level file operation is generated in response to the document access operation but before the at least one low level file operation has executed;
- using the interceptor code component, intercepting the at least one low level file operation;
- collecting at an application layer of the first computer data needed to determine whether to allow the document access operation, wherein the collected application layer data is not included with the at least one low level file operation;
- using the policy engine code component, evaluating the document access operation on the first computer, wherein the evaluating step evaluates at least one rule pertaining to the document access operation, the at least one rule is among a plurality of rules stored on the first computer, the at least one rule contains at least one expression used by the evaluating step to control document access operation, and evaluating the document access operation comprises evaluating data identifying the at least one low level file operation to be executed at the operating system layer and the collected application layer data;
- communicating with a second computer as indicated by the at least one rule; and
- confirming on the first computer that the second computer has an ability to interact with the evaluating step.
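The two-enforcement-point flow set out in claims 1, 5 and 21, as an added example that is not the patent's or its assignee's code: a policy engine outside the OS layer evaluates rule expressions over the intercepted file operation plus application-layer data, detects when a rule needs a piece of information the first computer lacks, confirms the second computer can interact before consulting it, and fails closed otherwise. The rule format, attribute keys, sample users and the availability check are assumptions made for this example.

```python
# Added example (not the patent's or its assignee's code). Rule format, attribute
# keys, the sample users and the availability handshake are all assumptions.
from dataclasses import dataclass

@dataclass
class FileOp:     # intercepted low-level file operation plus application-layer context
    path: str
    action: str   # OS-layer data carried by the file operation itself
    app: str      # application-layer data not present in the file operation
    user: str

@dataclass
class Rule:
    needs: tuple       # attribute keys the expression reads ("{user}" is filled per op)
    expr: callable     # expression over (op, attrs); True means the rule allows the op
    consult: str = ""  # second computer to ask when a key is missing on this computer

class RemoteEvaluator:   # second computer holding information the first computer lacks
    def __init__(self, store: dict, reachable: bool = True):
        self.store, self.reachable = store, reachable
    def can_interact(self) -> bool:   # the "confirming" step in the claims
        return self.reachable

def evaluate(op: FileOp, rules: list, local: dict, remotes: dict) -> str:
    """Policy engine step: runs outside the OS layer on data handed over by the interceptor."""
    for rule in rules:
        attrs = dict(local)
        keys = [k.format(user=op.user, app=op.app) for k in rule.needs]
        missing = [k for k in keys if k not in attrs]
        if missing:   # first computer cannot evaluate this rule by itself
            remote = remotes.get(rule.consult)
            if remote is None or not remote.can_interact():
                return "deny"   # fail closed: second computer cannot interact
            attrs.update({k: remote.store.get(k) for k in missing})
        if not rule.expr(op, attrs):
            return "deny"
    return "allow"

# Constructed policy: one rule decidable locally, one needing a clearance only the server knows.
RULES = [
    Rule(("host_role",), lambda op, a: a["host_role"] == "workstation"),
    Rule(("clearance:{user}",), consult="policy-server",
         expr=lambda op, a: not op.path.endswith(".secret") or a["clearance:" + op.user] == "high"),
]

def decide(op: FileOp, server_reachable: bool = True) -> str:
    """Interceptor entry point: the held file operation proceeds only on 'allow'."""
    server = RemoteEvaluator({"clearance:alice": "high", "clearance:bob": "low"}, server_reachable)
    return evaluate(op, RULES, {"host_role": "workstation"}, {"policy-server": server})
```

Because the second rule declares a key the first computer never holds, the engine consults the policy server for every operation that rule covers and denies when the server cannot interact; a deployment that must keep working offline would instead cache the needed attributes locally.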