Enforcing Control Policies in an Information Management System

US 20070156897A1
Filed: 05/12/2006
Published: 07/05/2007
Est. Priority Date: 12/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method of controlling application usage in a plurality of computers using centrally managed rules, the method comprising the computer-implemented step of:

controlling usage of an application program on a computer system, wherein the controlling step limits the application program'"'"'s operational functionality in accordance to at least one rule stored on the computer system, and wherein the at least one rule contains at least one expression used by the controlling step to control application program operation.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server.

409 Citations

71 Claims

1. A method of controlling application usage in a plurality of computers using centrally managed rules, the method comprising the computer-implemented step of:
- controlling usage of an application program on a computer system, wherein the controlling step limits the application program'"'"'s operational functionality in accordance to at least one rule stored on the computer system, and wherein the at least one rule contains at least one expression used by the controlling step to control application program operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A method as recited in claim 1, further comprising:
    - detecting application program operation within the application program.
  - 3. A method as recited in claim 1, further comprising:
    - detecting application program operation within the computer system'"'"'s operating system.
  - 4. A method as recited in claim 1, wherein the computer system includes any of:
    - laptop computer, desktop computer, personal digital assistant (PDA), smart phone, thin client, an instance of a client operating environment running on a terminal server, a guest operating system running on a virtual machine, information kiosk, Internet kiosk, any computing device or computing environment that an application program operates within, a file server, a mail server, a Web server, a document management server, a content management server, a database server, a HTTP server, a portal server, or any application program that act as a server.
  - 5. A method as recited in claim 1, wherein the application program includes any of:
    - word processing application, spreadsheet application, graphics application, document viewer, e-mail client, Web browser, instant messenger, editor, photo browser, communication application, file browser, operating system utilities, a file server, a mail server, a Web server, a document management server, a content management server, enterprise resource planning application, customer relationship management application, human resource management application, financial application, a database server, a HTTP server, a portal server, or any computer software program running on a computer.
  - 6. A method as recited in claim 1, wherein the application program operation includes any of:
    - sending an e-mail message, forwarding an e-mail message, deleting an e-mail message, moving an e-mail message, attaching a file to an e-mail message, connecting to another user using instant messenger, viewing a Web page, copying data to a clipboard, pasting data from a clipboard, dragging and dropping a data object, editing a spreadsheet cell, modifying a spreadsheet cell formula, changing a document'"'"'s format, attaching a document to another document, connecting to a FTP server, copying a file, printing a file, opening a file, saving a file, deleting a file, moving a file, renaming a file, changing file attribute, editing a macro, editing a field in a human resource application, viewing a report in a sales forecast application, entering an order into an enterprise resource planning application, executing a payment settlement function in a financial application, or any operation an application program can perform as a result of a user action.
  - 7. A method as recited in claim 1, wherein the controlling step queries a user for input to obtain information for evaluating rules pertaining to a selected application program operation.
  - 8. A method as recited in claim 1, wherein the controlling step performs an action as specified in the evaluated at least one rule in response to a selected application program operation.
  - 9. A method as recited in claim 1, wherein a rule applies to at least one particular operation within the application program.
  - 10. A method as recited in claim 1, wherein the controlling step evaluates rules using information based on any combination of:
    - type of or computing environment, user, user group, role of a user, a user'"'"'s business function, host, type of computer, group of computers, application program, type of application program, application module, geographic location, connectivity, bandwidth, time of day, day of the week, file path, file name, document size, document timestamp, document owner, document properties, historical data from previous or computing environments, document type, document format, document classification, document characteristics, document content, element in a database query, element in a database query result set, attribute of a database query result set, attribute of a database, or metadata.
  - 11. A method as recited in claim 1, wherein the controlling step monitors operations of a plurality of application programs on the computer system.
  - 12. A method as recited in claim 1, wherein the controlling step operates autonomously if the computer system is not in communication with a central rule database.
  - 13. A method as recited in claim 1, wherein a set of default rules is installed on the computer system.
  - 14. A method as recited in claim 1, wherein at least a subset of rules stored on the computer system is preinstalled on the computer system.
  - 15. A method as recited in claim 1, wherein at least a subset of rules stored on the computer system is dynamically updated from a central rule database across a computer network.
  - 16. A method as recited in claim 1, further comprising:
    - automatically detecting if any component used in the controlling step has been tampered with or corrupted.

17. A method of controlling document access in a plurality of computers using centrally managed rules, the method comprising the computer-implemented step of:
- controlling, on a computer system, access to documents, wherein the controlling step limits the document access operation in accordance to at least one rule stored on the computer system, and wherein the at least one rule contains at least one expression used by the controlling step to control document access operation.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 18. A method as recited in claim 17, further comprising:
    - detecting document access operation within an application program.
  - 19. A method as recited in claim 17, further comprising:
    - detecting document access operation within the computer system'"'"'s operating system.
  - 20. A method as recited in claim 17, wherein the computer system includes any of:
    - laptop computer, desktop computer, personal digital assistant (PDA), smart phone, thin client, an instance of a client operating environment running on a terminal server, a guest operating system running on a virtual machine, information kiosk, Internet kiosk, or any computing device or computing environment that an application program operates within.
  - 21. A method as recited in claim 18, wherein the application program includes any of:
    - word processing application, spreadsheet application, graphics application, document viewer, e-mail client, Web browser, instant messenger, editor, photo browser, communication application, file browser, operating system utilities, a file server, a mail server, a Web server, a document management server, a content management server, enterprise resource planning application, customer relationship management application, human resource management application, financial application, a database server, a HTTP server, a portal server, or any computer software program running on a computer.
  - 22. A method as recited in claim 17, wherein the document access operation includes any of:
    - opening a file, writing a file, deleting a file, changing file permission, changing file attribute, opening an e-mail message in a mail store, deleting an e-mail message in a mail store, retrieving a document from a document management system, storing a document into a document management system, or any access operation to a document repository.
  - 23. A method as recited in claim 17, wherein the controlling step queries a user for input to obtain information for evaluating rules pertaining to a selected application program operation.
  - 24. A method as recited in claim 17, wherein the controlling step queries a user for input to obtain information for evaluating rules pertaining to a selected document access operation.
  - 25. A method as recited in claim 17, wherein the controlling step performs an action as specified in the evaluated at least one rule in response to a selected application program operation.
  - 26. A method as recited in claim 17, wherein the controlling step performs an action as specified in the evaluated at least one rule in response to a selected document access operation.
  - 27. A method as recited in claim 18, wherein a rule applies to at least one particular operation within the application program.
  - 28. A method as recited in claim 17, wherein a rule applies to at least one particular operation within the computer system'"'"'s operating system.
  - 29. A method as recited in claim 17, wherein the controlling step evaluates rules using information based on any combination of:
    - type of or computing environment, user, user group, role of a user, a user'"'"'s business function, host, type of computer, group of computers, application program, type of application program, application module, geographic location, connectivity, bandwidth, time of day, day of the week, file path, file name, document size, document timestamp, document owner, document properties, historical data from previous or computing environments, document type, document format, document classification, document characteristics, document content, element in a database query, element in a database query result set, attribute of a database query result set, attribute of a database, or metadata.
  - 30. A method as recited in claim 17, wherein the controlling step monitors operations of a plurality of application programs on the computer system.
  - 31. A method as recited in claim 17, wherein the controlling step monitors operations of an operating system on the computer system.
  - 32. A method as recited in claim 17, wherein the controlling step operates autonomously if the computer system is not in communication with a central rule database.
  - 33. A method as recited in claim 17, wherein a set of default rules is installed on the computer system.
  - 34. A method as recited in claim 17, wherein at least a subset of rules stored on the computer system is preinstalled on the computer system.
  - 35. A method as recited in claim 17, wherein at least a subset of rules stored on the computer system is dynamically updated from a central rule database across a computer network.
  - 36. A method as recited in claim 17, further comprising:
    - automatically detecting if any component used in the controlling step has been tampered with or corrupted.

37. A method comprising the computer-implemented steps of:
- controlling usage, at a client system, of an application program, wherein the controlling step limits the application program'"'"'s operational functionality in accordance to at least one rule stored on the client system, and wherein the at least one rule contains at least one expression used by the controlling step to control application program operation; and
  
  controlling access, at a server, to documents, wherein the controlling step limits document access operation in accordance to at least one rule stored on the server, and wherein the at least one rule contains at least one expression used by the controlling step to control document access operation.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64)
- - 38. A method as recited in claim 37, further comprising:
    - detecting application program operation within the application program.
  - 39. A method as recited in claim 37, further comprising:
    - detecting application program operation within the client system'"'"'s operating system.
  - 40. A method as recited in claim 37, wherein the client system includes any of:
    - laptop computer, desktop computer, personal digital assistant (PDA), smart phone, thin client, an instance of a client operating environment running on a terminal server, a guest operating system running on a virtual machine, information kiosk, Internet kiosk, or any computing device or computing environment that an application program operates within.
  - 41. A method as recited in claim 37, wherein the application program includes any of:
    - word processing application, spreadsheet application, graphics application, document viewer, e-mail client, Web browser, instant messenger, editor, photo browser, communication application, file browser, operating system utilities, enterprise resource planning application, customer relationship management application, human resource management application, financial application, or any computer software program running on a client computer.
  - 42. A method as recited in claim 37, wherein the application program operation includes any of:
    - sending an e-mail message, forwarding an e-mail message, deleting an e-mail message, moving an e-mail message, attaching a file to an e-mail message, connecting to another user using instant messenger, viewing a Web page, copying data to a clipboard, pasting data from a clipboard, dragging and dropping a data object, editing a spreadsheet cell, modifying a spreadsheet cell formula, changing a document'"'"'s format, attaching a document to another document, connecting to a FTP server, copying a file, printing a file, opening a file, saving a file, deleting a file, moving a file, renaming a file, changing file attribute, editing a macro, editing a field in a human resource application, viewing a report in a sales forecast application, entering an order into an enterprise resource planning application, executing a payment settlement function in a financial application, or any operation an application program can perform as a result of a user action.
  - 43. A method as recited in claim 37, wherein the controlling step at the client system queries a user for input to obtain information for evaluating rules pertaining to a selected application program operation.
  - 44. A method as recited in claim 37, wherein the controlling step at the client system performs an action as specified in the evaluated at least one rule in response to a selected application program operation.
  - 45. A method as recited in claim 37, wherein a rule applies to at least one particular operation within the application program.
  - 46. A method as recited in claim 37, wherein the controlling step evaluates rules using information based on any combination of:
    - type of or computing environment, user, user group, role of a user, a user'"'"'s business function, host, type of computer, group of computers, application program, type of application program, application module, geographic location, connectivity, bandwidth, time of day, day of the week, file path, file name, document size, document timestamp, document owner, document properties, historical data from previous or computing environments, document type, document format, document classification, document characteristics, document content, element in a database query, element in a database query result set, attribute of a database query result set, attribute of a database, or metadata.
  - 47. A method as recited in claim 37, wherein the controlling step at the client system monitors operations of a plurality of application programs on the client system.
  - 48. A method as recited in claim 37, wherein the controlling step at the client system monitors operations of an operating system on the client system.
  - 49. A method as recited in claim 37, wherein the controlling step at the client system operates autonomously if the client system is not in communication with a central rule database.
  - 50. A method as recited in claim 37, wherein a set of default rules is installed on the client system.
  - 51. A method as recited in claim 37, wherein at least a subset of rules stored on the client system is preinstalled on the client system.
  - 52. A method as recited in claim 37, wherein at least a subset of rules stored on the client system is dynamically updated from a central rule database across a computer network.
  - 53. A method as recited in claim 37, further comprising:
    - automatically detecting if any component used in the controlling step at the client system has been tampered with or corrupted.
  - 54. A method as recited in claim 37, further comprising:
    - detecting document access operation within an application program on the server.
  - 55. A method as recited in claim 37, further comprising:
    - detecting document access operation within the server'"'"'s operating system.
  - 56. A method as recited in claim 37, wherein the document access operation includes any of:
    - opening a file, writing a file, deleting a file, changing file permission, changing file attribute, opening an e-mail message in a mail store, deleting an e-mail message in a mail store, retrieving a document from a document management system, storing a document into a document management system, or any access operation to a document repository.
  - 57. A method as recited in claim 37, wherein the controlling step at the server performs an action as specified in the evaluated at least one rule in response to a selected document access operation.
  - 58. A method as recited in claim 37, wherein the controlling step at the server monitors operations of a plurality of application programs on the server.
  - 59. A method as recited in claim 37, wherein the controlling step at the server monitors operations of the server'"'"'s operating system.
  - 60. A method as recited in claim 37, wherein the controlling step at the server operates autonomously if the server is not in communication with a central rule database.
  - 61. A method as recited in claim 37, wherein a set of default rules is installed on the server.
  - 62. A method as recited in claim 37, wherein at least a subset of rules stored on the server is preinstalled on the server.
  - 63. A method as recited in claim 37, wherein at least a subset of rules stored on the server is dynamically updated from a central rule database across a computer network.
  - 64. A method as recited in claim 37, further comprising:
    - automatically detecting if any component used in the controlling step at the server has been tampered with or corrupted.

65. An apparatus for controlling application usage in a plurality of computers using centrally managed rules, comprising:
- a module for controlling usage of an application program on a computer system, wherein the controlling module limits the application program'"'"'s operational functionality in accordance to at least one rule stored on the computer system, and wherein the at least one rule contains at least one expression used by the controlling module to control application program operation.

66. An apparatus for controlling document access in a plurality of computers using centrally managed rules, comprising:
- a module for controlling, on a computer system, access to documents, wherein the controlling module limits the document access operation in accordance to at least one rule stored on the computer system, and wherein the at least one rule contains at least one expression used by the controlling module to control document access operation.

67. An apparatus comprising:
- a module for controlling usage, at a client system, of an application program, wherein the controlling module limits the application program'"'"'s operational functionality in accordance to at least one rule stored on the client system, and wherein the at least one rule contains at least one expression used by the controlling module to control application program operation;
  
  a module for controlling access, at a server, to documents, wherein the controlling module limits document access operation in accordance to at least one rule stored on the server, and wherein the at least one rule contains at least one expression used by the controlling module to control document access operation.

68. A method of controlling application usage and document access in a plurality of computers using centrally managed rules, the method comprising the computer-implemented steps of:
- controlling usage of an application program on a computer system, wherein the controlling usage step limits the application program'"'"'s operational functionality in accordance with at least one rule stored on the computer system, and wherein the at least one rule comprises a first expression used by the controlling usage step to control application program operation; and
  
  controlling, on a computer system, access to documents, wherein the controlling access step limits the document access operation in accordance with the at least one rule stored on the computer system, and wherein the at least one rule comprises a second expression used by the controlling access step to control access to documents.
- View Dependent Claims (69, 70)
- - 69. The method of claim 68 wherein the at least one rule comprises a first rule comprising the first expression and a second rule comprising the second expression.
  - 70. The method of claim 68 wherein the at least one rule comprises a first rule comprising the first expression and the second expression.

71. A method of controlling application usage and document access in a plurality of computers using centrally managed rules, the method comprising the computer-implemented steps of:
- controlling usage of an application program on a computer system, wherein the controlling usage step limits the application program'"'"'s operational functionality in accordance with a rule stored on the computer system, and wherein the rule comprises an expression used by the controlling usage step to control application program operation; and
  
  controlling, on a computer system, access to documents, wherein the controlling access step limits the document access operation in accordance with the rule stored on the computer system, and wherein the expression of the rule is used by the controlling access step to control access to documents.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nextlabs
Original Assignee
Blue Jungle
Inventors
Lim, Keng

Granted Patent

US 8,621,549 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

G06Q 10/10   Office automation; Time man...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

Enforcing Control Policies in an Information Management System

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

409 Citations

71 Claims

Specification

Use Cases

Quick Links

Others

Enforcing Control Policies in an Information Management System

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

409 Citations

71 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others