Policy managed objects

US 20060059117A1
Filed: 09/17/2004
Published: 03/16/2006
Est. Priority Date: 09/14/2004
Status: Abandoned Application

First Claim

Patent Images

1. A system for controlling access to policy managed objects by associating with the policy managed objects a number of policy objects that determine whether access to the policy managed object is permitted, the system configured such that:

each policy managed object has a payload container object that securely stores a payload comprising arbitrary data;

each policy managed object has a number of interfaces that define mechanisms for accessing the policy managed object or the payload;

each policy managed object is associated with a number of policy objects;

each policy object has executable instructions that define a policy for determining whether a type of access to an associated policy managed object is permitted, such as a policy in which access is permitted if a user has a license to access a policy managed object, a policy in which access is permitted if the user is using a secure viewer, and a policy in which access is permitted only during business hours;

when a user attempts to access the policy managed object or the payload, such as by invoking one of the interfaces, any policies pertaining to the type of access requested by the user are executed in order to determine whether the access is permitted; and

if the policies determine that the access is permitted, the user is allowed to access the policy managed object or the payload.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and method provides a mechanism to control access to a data object and to the data within the object. A policy managed object comprised policy objects, a payload container object for securely storing a payload with data, and a number of interfaces that provide access to the policy managed object and the payload. When a user invokes an interface in order to request the performance of an operation on the policy managed object or the payload, policies associated with the requested operation and the policy manage object are invoked. The policies determine, based on executable instructions, whether the requested operation can be allowed under the circumstances. If the policies determine that the operation can be allowed, the operation is performed. Otherwise, the operation is not performed and access to the policy managed object and payload is denied.

94 Citations

View as Search Results

25 Claims

1. A system for controlling access to policy managed objects by associating with the policy managed objects a number of policy objects that determine whether access to the policy managed object is permitted, the system configured such that:
- each policy managed object has a payload container object that securely stores a payload comprising arbitrary data;
  
  each policy managed object has a number of interfaces that define mechanisms for accessing the policy managed object or the payload;
  
  each policy managed object is associated with a number of policy objects;
  
  each policy object has executable instructions that define a policy for determining whether a type of access to an associated policy managed object is permitted, such as a policy in which access is permitted if a user has a license to access a policy managed object, a policy in which access is permitted if the user is using a secure viewer, and a policy in which access is permitted only during business hours;
  
  when a user attempts to access the policy managed object or the payload, such as by invoking one of the interfaces, any policies pertaining to the type of access requested by the user are executed in order to determine whether the access is permitted; and
  
  if the policies determine that the access is permitted, the user is allowed to access the policy managed object or the payload.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 5. The data object of claim 1, wherein the number of interfaces is one.
  - 6. The data object of claim 1, further comprising at least one payload container object configured to securely store the at least one payload such that the at least one payload cannot be operated upon without approval from the at least one payload container.
  - 7. The data object of claim 6, wherein the at least one payload container object securely stores the at least one payload by encrypting the at least one payload.
  - 8. The data object of claim 6, wherein, in response to a request to perform an operation upon the at least one payload, the at least one payload container object grants the request upon a determination from the at least one policy object that the requested operation is allowed.
  - 9. The data object of claim 7, wherein the at least one payload container object decrypts the at least one payload and approves a requested operation upon the at least one payload upon receipt, by the at least one payload container, of a valid authentication.
  - 10. The data object of claim 9, wherein the at least one payload container object receives a valid authentication from the at least one policy object when the at least one policy object determines that the requested operation is allowed.
  - 11. The data object of claim 1, wherein the determination made by the at least one policy object at least partially depends on whether conditions defined by the at least one policy object are satisfied.
  - 12. The data object of claim 11, wherein the at least one policy object is configured to receive input from at least one service, such input contributing at least partially to resolving whether conditions defined by the at least one policy object are satisfied.
  - 13. The data object of claim 1, wherein the at least one policy object comprises, within the at least one policy object, at least one other policy object.

2. A system for controlling access to policy managed objects by associating with the policy managed objects a number of policy objects that determine whether access to the policy managed object is permitted, the system configured such that:
- each policy managed object has a payload container object that securely stores a payload comprising arbitrary data;
  
  each policy managed object has a number of interfaces that define mechanisms for accessing the policy managed object or the payload;
  
  each policy managed object is associated with a number of policy objects;
  
  each policy object has executable instructions that define a policy for determining whether a type of access to an associated policy managed object is permitted;
  
  when a user attempts to access the policy managed object or the payload any policies pertaining to the type of access requested by the user are executed in order to determine whether the type of access is permitted; and
  
  if the policies determine that the type of access is permitted, the user is allowed to access the policy managed object or the payload.

3. A method of accessing a policy managed object comprising:
- receiving a request to access a policy managed object, wherein the policy managed object comprises a payload container object that securely stores a payload of data, a plurality of policy objects, and a plurality of interfaces;
  
  executing at least one policy, wherein the policy is defined by executable instructions in one of the policy objects, in order to determine if, under the circumstances, the requested access of the policy managed object is permitted;
  
  permitting the requested access to the policy managed object if the policies determine that, under the circumstances, the requested access of the policy managed object is permitted; and
  
  denying the requested access to the policy managed object if the policies determine that, under the circumstances, the requested access of the policy managed object is not permitted.

4. A data object comprising:
- at least one payload comprising data;
  
  a number of interfaces, each interface configured to perform at least one operation on the data object, wherein no operation is allowed to be performed on the data object except by invocation of one of the interfaces; and
  
  at least one policy object comprising executable instructions configured to make a determination as to whether at least one operation requested to be performed on the object is allowed.

14. An execution context for managing data objects, the execution context comprising:
- a storage area configured to store a plurality of policy managed objects, each policy managed object comprising;
  
  at least one payload container object that securely stores at least one payload comprising data;
  
  a number of interfaces, each interface configured to perform at least one operation on the policy managed object, wherein no operation is allowed to be performed on the policy managed object except by invocation of one of the interfaces; and
  
  at least one policy object comprising executable instructions configured to make a determination as to whether at least one operation requested to be performed on the policy managed object is allowed;
  
  and a plurality of access tools, each access tool configured to cause at least one operation to be performed on at least one of the policy managed objects.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The execution context of claim 14, wherein the access tools include a policy editor configured to create and modify policy objects, wherein creating and modifying policy objects includes composing or nesting multiple policy objects together so as to define a composed policy object.
  - 16. The execution context of claim 14, wherein the access tools include an object editor configured to create and modify policy managed objects, wherein creating and modifying policy managed objects includes loading data of arbitrary type into the at least one payload container object.
  - 17. The execution context of claim 14, wherein the access tools are further configured, in response to receipt of a request to perform an operation on an identified policy managed object, to invoke an interface of the identified policy managed object that is configured to perform the requested operation.
  - 18. The execution context of claim 14, wherein the execution context is configured to recognize lifecycle occurrences that happen to the policy managed objects and, in response to a lifecycle occurrence to cause policy objects associated with the policy managed objects to which the lifecycle occurrence happened and associated with the lifecycle occurrence that has happened to determine whether operations to be performed during the lifecycle occurrence are allowed.
  - 19. The execution context of claim 18, wherein the lifecycle occurrences comprise object connection, object activation, object serialization, object copy, and object delete.
  - 20. The execution context of claim 14, wherein the access tools include at least one communication interface configured to provide access to at least one service that is configured to return at least one input that influences the at least one policy object'"'"'s determination as to whether at least one operation requested to be performed on the policy managed object is allowed.

21. A method of controlling access to a data object, the method comprising:
- receiving a request to perform an operation on a data object;
  
  invoking a lifecycle occurrence method that corresponds to the operation to be performed on the data object;
  
  executing at least one policy that corresponds to the lifecycle occurrence method;
  
  determining, based on the execution of the at least one policy, whether performing the requested operation on the data object is allowed; and
  
  performing the requested operation on the data object if the requested operation is allowed.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The method of claim 21, wherein the at least one policy that is executed is defined at least in part by executable instructions included in at least one policy object.
  - 23. The method of claim 22, wherein the at least one policy object that defines the at least one policy that is executed resides within the data object upon which the operation is to be performed.
  - 24. The method of claim 21 wherein determining whether performing the requested operation on the data object is allowed comprises determining whether at least one condition defined by the at least one policy is satisfied.
  - 25. The method of claim 24, wherein determining whether performing the requested operation on the data object is allowed further comprises receiving input from a service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
H.E.B., LLC (VHGI Holdings, Inc.)
Original Assignee
H.E.B., LLC (VHGI Holdings, Inc.)
Inventors
Tolson, Michael, Dale, Andrew L.

Application Number

US10/944,441
Publication Number

US 20060059117A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/604 Tools and structures for ma...

G06F 21/6209 to a single file or object,...

Policy managed objects

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

94 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Policy managed objects

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

94 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others