Policy managed objects
Abstract
A system and method provide a mechanism to control access to a data object and to the data within the object. A policy managed object comprises policy objects, a payload container object for securely storing a payload with data, and a number of interfaces that provide access to the policy managed object and the payload. When a user invokes an interface in order to request the performance of an operation on the policy managed object or the payload, policies associated with the requested operation and the policy managed object are invoked. The policies determine, based on executable instructions, whether the requested operation can be allowed under the circumstances. If the policies determine that the operation can be allowed, the operation is performed. Otherwise, the operation is not performed and access to the policy managed object and payload is denied.
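The flow the abstract describes, as an added sketch that is not code from the patent: an object whose payload is reachable only through its interfaces, each of which runs the policies registered for its access type before acting. All names here (`Context`, `PolicyManagedObject`, `try_read`), the Monday to Friday 09:00-17:00 reading of "business hours", and the choice to refuse an access type that has no policies are assumptions; the three policies are the examples named in claim 1.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable

@dataclass(frozen=True)
class Context:                      # circumstances of one access attempt
    user: str
    secure_viewer: bool
    when: datetime

Policy = Callable[[Context], bool]

def licensed(users: set) -> Policy:
    return lambda ctx: ctx.user in users

def secure_viewer(ctx: Context) -> bool:
    return ctx.secure_viewer

def business_hours(ctx: Context) -> bool:   # assumed: Mon-Fri, 09:00-17:00
    return ctx.when.weekday() < 5 and time(9) <= ctx.when.time() < time(17)

class AccessDenied(Exception):
    pass

class PolicyManagedObject:
    def __init__(self, payload: bytes, policies: dict):
        self.__payload = payload    # stand-in for the secure payload container
        self.__policies = policies  # access type -> list of policy callables
        self.audit = []             # (user, access type, allowed) per attempt

    def _check(self, access: str, ctx: Context) -> None:
        policies = self.__policies.get(access, [])
        try:    # deny by default: no policy, a False result or an error all refuse
            allowed = bool(policies) and all(p(ctx) for p in policies)
        except Exception:
            allowed = False
        self.audit.append((ctx.user, access, allowed))
        if not allowed:
            raise AccessDenied(f"{access} denied for {ctx.user}")

    # Interfaces: the access type is fixed by the interface, not by the caller.
    def read(self, ctx: Context) -> bytes:
        self._check("read", ctx)
        return self.__payload

    def write(self, ctx: Context, data: bytes) -> None:
        self._check("write", ctx)
        self.__payload = data

def try_read(obj: PolicyManagedObject, ctx: Context):
    try:
        return obj.read(ctx)
    except AccessDenied:
        return None
```

Python name mangling only discourages direct access to the payload; a real payload container would need encryption or process isolation to enforce it.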
25 Claims
1. A system for controlling access to policy managed objects by associating with the policy managed objects a number of policy objects that determine whether access to the policy managed object is permitted, the system configured such that:
each policy managed object has a payload container object that securely stores a payload comprising arbitrary data;
each policy managed object has a number of interfaces that define mechanisms for accessing the policy managed object or the payload;
each policy managed object is associated with a number of policy objects;
each policy object has executable instructions that define a policy for determining whether a type of access to an associated policy managed object is permitted, such as a policy in which access is permitted if a user has a license to access a policy managed object, a policy in which access is permitted if the user is using a secure viewer, and a policy in which access is permitted only during business hours;
when a user attempts to access the policy managed object or the payload, such as by invoking one of the interfaces, any policies pertaining to the type of access requested by the user are executed in order to determine whether the access is permitted; and
if the policies determine that the access is permitted, the user is allowed to access the policy managed object or the payload.
Dependent claims: 5, 6, 7, 8, 9, 10, 11, 12, 13
2. A system for controlling access to policy managed objects by associating with the policy managed objects a number of policy objects that determine whether access to the policy managed object is permitted, the system configured such that:
each policy managed object has a payload container object that securely stores a payload comprising arbitrary data;
each policy managed object has a number of interfaces that define mechanisms for accessing the policy managed object or the payload;
each policy managed object is associated with a number of policy objects;
each policy object has executable instructions that define a policy for determining whether a type of access to an associated policy managed object is permitted;
when a user attempts to access the policy managed object or the payload any policies pertaining to the type of access requested by the user are executed in order to determine whether the type of access is permitted; and
if the policies determine that the type of access is permitted, the user is allowed to access the policy managed object or the payload.
3. A method of accessing a policy managed object comprising:
receiving a request to access a policy managed object, wherein the policy managed object comprises a payload container object that securely stores a payload of data, a plurality of policy objects, and a plurality of interfaces;
executing at least one policy, wherein the policy is defined by executable instructions in one of the policy objects, in order to determine if, under the circumstances, the requested access of the policy managed object is permitted;
permitting the requested access to the policy managed object if the policies determine that, under the circumstances, the requested access of the policy managed object is permitted; and
denying the requested access to the policy managed object if the policies determine that, under the circumstances, the requested access of the policy managed object is not permitted.
4. A data object comprising:
at least one payload comprising data;
a number of interfaces, each interface configured to perform at least one operation on the data object, wherein no operation is allowed to be performed on the data object except by invocation of one of the interfaces; and
at least one policy object comprising executable instructions configured to make a determination as to whether at least one operation requested to be performed on the object is allowed.
14. An execution context for managing data objects, the execution context comprising:
a storage area configured to store a plurality of policy managed objects, each policy managed object comprising:
at least one payload container object that securely stores at least one payload comprising data;
a number of interfaces, each interface configured to perform at least one operation on the policy managed object, wherein no operation is allowed to be performed on the policy managed object except by invocation of one of the interfaces; and
at least one policy object comprising executable instructions configured to make a determination as to whether at least one operation requested to be performed on the policy managed object is allowed;
and a plurality of access tools, each access tool configured to cause at least one operation to be performed on at least one of the policy managed objects.
Dependent claims: 15, 16, 17, 18, 19, 20
21. A method of controlling access to a data object, the method comprising:
receiving a request to perform an operation on a data object;
invoking a lifecycle occurrence method that corresponds to the operation to be performed on the data object;
executing at least one policy that corresponds to the lifecycle occurrence method;
determining, based on the execution of the at least one policy, whether performing the requested operation on the data object is allowed; and
performing the requested operation on the data object if the requested operation is allowed.
Dependent claims: 22, 23, 24, 25
Specification