Method and apparatus for role-based security policy management
First Claim
1. A method for security policy management in a network comprising a plurality of hosts and at least one configurable policy enforcement point, comprising;
- creating one or more policy templates representing classes of usage control models within the network that are enforceable by configuration of the policy enforcement points;
creating one or more policy instances, each based on one of the templates and instantiating the template for identified sets of hosts within the network to which the usage control model is to be applied, deploying the policy instances by generating and providing one or more configuration files for provisioning corresponding policy enforcement points within the network;
controlling access to the templates and policy instances so that the policy templates are only modifiable by a first predeterminable user group, the policy instances are only modifiable by the first or a second predeterminable user group and the policy instances are only deployable by a third predeterminable user group.
4 Assignments
0 Petitions
Accused Products
Abstract
A method and corresponding tool are described for security policy management in a network comprising a plurality of hosts and at least one configurable policy enforcement point. The method, comprises creating one or more policy templates representing classes of usage control models within the network that are enforceable by configuration of the policy enforcement points; creating one or more policy instances, each based on one of the templates and instantiating the template for identified sets of hosts within the network to which the usage control model is to be applied, deploying the policy instances by generating and providing one or more configuration files for provisioning corresponding policy enforcement points within the network. Access to the templates and policy instances is controlled so that the policy templates are only modifiable by a first predeterminable user group, the policy instances are only modifiable by the first or a second predeterminable user group and the policy instances are only deployable by a third predeterminable user group.
-
Citations
14 Claims
-
1. A method for security policy management in a network comprising a plurality of hosts and at least one configurable policy enforcement point, comprising;
-
creating one or more policy templates representing classes of usage control models within the network that are enforceable by configuration of the policy enforcement points;
creating one or more policy instances, each based on one of the templates and instantiating the template for identified sets of hosts within the network to which the usage control model is to be applied, deploying the policy instances by generating and providing one or more configuration files for provisioning corresponding policy enforcement points within the network;
controlling access to the templates and policy instances so that the policy templates are only modifiable by a first predeterminable user group, the policy instances are only modifiable by the first or a second predeterminable user group and the policy instances are only deployable by a third predeterminable user group. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A tool for security policy management in a network comprising a plurality of hosts and at least one configurable policy enforcement point, the tool comprising;
a policy creation environment for enabling a first predeterminable user group to create one or more policy templates representing classes of usage control models within the network that are enforceable by configuration of the policy enforcement points and one or more policy instances, each based on one of the templates and instantiating the template for identified sets of hosts within the network to which the usage control model is to be applied, and for enabling a second predeterminable user group to modify the policy instances; and
a deployment mechanism for enabling a third predeterminable user group to deploy the policy instances by generating and providing one or more configuration files for provisioning corresponding policy enforcement points within the network; and
an access control mechanism for controlling access to the templates and policy instances so that the policy templates are only modifiable by the first predeterminable user group, the policy instances are only modifiable by the second predeterminable user group and the policy instances are only deployable by the third predeterminable user group.- View Dependent Claims (8, 9, 10)
-
11. A method for security policy management in a partitioned network comprising a plurality of hosts and at least one configurable policy enforcement point, comprising;
-
creating one or more policy templates representing classes of usage control models within the network that are enforceable by configuration of the policy enforcement points;
creating one or more policy instances, each based on one of the templates and instantiating the template for network partitions within the network to which the usage control model is to be applied, deploying the policy instances, including by generating and providing one or more configuration files for provisioning corresponding policy enforcement points within the network by configuring access control lists on router interfaces;
controlling access to the templates and policy instances so that the policy templates are only modifiable, and can only be created, by a first predeterminable user group, the policy instances are only modifiable by the first or a second predeterminable user group and the policy instances are only deployable by a third predeterminable user group. - View Dependent Claims (12)
-
-
13. A tool for security policy management in a network comprising a plurality of hosts and at least one configurable policy enforcement point, the tool comprising;
a policy creation environment for enabling a first predeterminable user group to create one or more policy templates representing classes of usage control models within the network that are enforceable by configuration of the policy enforcement points and one or more policy instances, each based on one of the templates and instantiating the template for identified sets of hosts within the network to which the usage control model is to be applied, and for enabling a second predeterminable user group to modify the policy instances; and
a deployment mechanism for enabling a third predeterminable user group to deploy the policy instances by generating and providing one or more configuration files for provisioning corresponding policy enforcement points within the network by generating access control lists for configuration on router interfaces; and
an access control mechanism for controlling access to the templates and policy instances so that the policy templates are only modifiable and creatable by the first predeterminable user group, the policy instances are only modifiable by the second predeterminable user group and the policy instances are only deployable by the third predeterminable user group.- View Dependent Claims (14)
Specification