Techniques and System for Specifying Policies Using Abstractions

US 20070157287A1
Filed: 12/22/2006
Published: 07/05/2007
Est. Priority Date: 12/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method of managing information comprising:

providing a plurality of rules and a plurality of abstractions, wherein a rule comprises an expression having a first variable, and the first variable is defined in a first abstraction;

transferring the plurality of rules and abstractions to a target; and

for the target, controlling access to information based on the plurality of rules and abstractions.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy language for an information management system allows specifying or more policies using policy abstractions. The policies and policy abstractions are decoupled from one another, so policies and policy abstractions may be specified and altered separately from each other. A policy may refer to any number of policy abstractions. Multiple policies may reference a single policy abstraction, and a change to that policy abstraction will result in multiple policies being changed. Further, policy abstractions may be nested, so one policy abstraction may reference another policy abstraction, and so forth.

Citations

54 Claims

1. A method of managing information comprising:
- providing a plurality of rules and a plurality of abstractions, wherein a rule comprises an expression having a first variable, and the first variable is defined in a first abstraction;
  
  transferring the plurality of rules and abstractions to a target; and
  
  for the target, controlling access to information based on the plurality of rules and abstractions.
- View Dependent Claims (4, 5, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 21, 23, 25, 26, 34, 35, 36, 40, 41, 42)
- - 4. The method of claims 1 or 2 wherein the target comprises a device.
  - 5. The method of claim 1 wherein when the target is a computer, the computer comprises executable code controlling access to the information based on the rules and abstractions.
  - 7. The method of claims 1 or 2 wherein the first variable comprises a resource.
  - 8. The method of claim 7 wherein the resource comprises at least one of a file, an e-mail message, a Web page, a file system object, a portlet, a range of cells on a spreadsheet, a named region in a document, or an application data object.
  - 9. The method of claims 1 or 2 wherein the first variable comprises a resource name pattern.
  - 10. The method of claim 9 wherein the resource name pattern comprises regular expression representing a file path or an URI specification.
  - 11. The method of claims 1 or 2 wherein the first variable comprises a subject.
  - 12. The method of claim 11 wherein the subject comprises at least one of a user, user group, device, or application program.
  - 13. The method of claims 1 or 2 wherein the first variable comprises a policy context term.
  - 14. The method of claim 13 wherein the policy context term comprises at least one of a specific time, a time of the day, a time period, a location, or a type of connectivity.
  - 15. The method of claims 1 or 2 wherein the definition of the first variable in the first abstraction comprises a second variable defined in a second abstraction.
  - 16. The method of claims 1 or 2 wherein the first variable in the first abstraction is provided as an expression.
  - 17. The method of claims 1 or 2 wherein the first variable is an expression comprising at least one of a string, integer, floating point, character, or Boolean.
  - 18. The method of claims 1 or 2 wherein the expression is a Boolean expression.
  - 21. The method of claim 1 wherein the step of transferring the plurality of rules and abstractions to the target comprises:
    - storing the plurality of rules and abstractions in a memory of the target.
  - 23. The method of claim 1 wherein the transferring the plurality of rules and abstractions to the target comprises:
    - storing the rules and abstractions in a nonvolatile memory of the target.
  - 25. The method of claims 1 or 2 wherein the information comprises at least one of files, e-mail messages, web pages, discussion threads, results of database query, an electronic form, a file system object, cells on a spreadsheet, regions in a document a data object managed by a messaging server, a data object managed by a collaboration server, a data object managed by a document management system, a data object managed by a content management system, or a data object addressable by an universal resource locator (URL) that is served by a Web server, or units of information stored on a server.
  - 26. The method of claims 1 or 2 wherein the access comprises at least one of opening a file, editing a file, printing a file, saving a file, copying a file, changing file attributes, sending an e-mail message, forwarding an e-mail message, attaching a document to an e-mail message, editing a cell on a spreadsheet, modifying a formula associated with a cell on spreadsheet, cut and paste, drag and drop, connecting to a server, establishing a conversation with another user, viewing a web page, or viewing the results of a database query.
  - 34. The method of claim 1 wherein the for the target, controlling access to the information based on the plurality of rules and abstractions comprises:
    - when the target requests an operation and the operation is allowed by the relevant rules and abstractions, performing one or more tasks in addition to the operation.
  - 35. The method of claim 34 wherein the one or more tasks comprises altering a document or message which is a subject of the operation.
  - 36. The method of claim 34 wherein the one or more tasks comprises storing information about the requested operation in a storage location.
  - 40. The method of claims 1 or 2 wherein a rule comprises a context subexpression of the rule to allow access to information during a particular time period.
  - 41. The method of claims 1 or 2 wherein a rule comprises a context subexpression of the rule to allow access to information from a particular location.
  - 42. The method of claims 1 or 2 wherein a rule comprises a context subexpression of the rule to allow access to information via a particular type of connectivity.

2. A method of managing information comprising:
- providing a plurality of rules and a plurality of abstractions, wherein a rule comprises an expression having a first variable, and the first variable is defined in a first abstraction;
  
  determining a subset of the plurality of rules and abstractions relevant to a target;
  
  transferring the subset of rules and abstractions to the target; and
  
  for the target, controlling access to the information based on the subset of rules and abstractions.
- View Dependent Claims (6, 19, 20, 22, 24, 27, 28, 29, 30, 31, 32, 33, 37, 38, 39)
- - 6. The method of claim 2 wherein when the target is a computer, the computer comprises executable code controlling access to the information based on the subset of rules and abstractions.
  - 19. The method of claim 2 wherein the target has a target profile comprising a user attribute and the determining a subset of the plurality of rules and abstractions relevant to the target comprises:
    - finding the subset of the plurality of rules and abstractions applicable to the user attribute.
  - 20. The method of claim 2 wherein the target is a device and step of determining a subset of the plurality of rules and abstractions relevant to the target comprises:
    - finding the subset of the plurality of rules and abstractions applicable to the device.
  - 22. The method of claim 2 wherein the transferring the subset of rules and abstractions to the target comprises:
    - storing the subset of rules and abstractions in a memory of the target.
  - 24. The method of claim 2 wherein the transferring the subset of rules and abstractions to the target comprises:
    - storing the subset of rules and abstractions in a nonvolatile memory of the target.
  - 27. The method of claim 2 wherein the for the target, controlling access to the information based on the subset of rules and abstractions comprises:
    - when the target requests an operation of opening of a specific file, allowing the operation only when there is no rule in the subset of rules and abstractions prohibiting the operation.
  - 28. The method of claim 2 wherein the for the target, controlling access to the information based on the subset of rules and abstractions comprises:
    - when the target requests an operation of opening of a specific file, allowing the operation only when evaluating the subset of rules and abstractions does not prohibit the operation.
  - 29. The method of claim 2 wherein the step of for the target, controlling access to the information based on the subset of rules and abstractions comprises:
    - when the target requests an operation of opening an e-mail message, allowing the operation only when there is no rule in the subset of rules and abstractions prohibiting the operation.
  - 30. The method of claim 2 wherein the for the target, controlling access to the information based on the subset of rules and abstractions comprises:
    - when the target requests an operation of opening an e-mail message, allowing the operation only when evaluating the subset of rules and abstractions does not prohibit the operation.
  - 31. The method of claim 2 wherein the for the target, controlling access to the information based on the subset of rules and abstractions comprises:
    - when the target requests an operation of sending an e-mail message, allowing the operation only when there is no rule in the subset of rules and abstractions prohibiting the operation.
  - 32. The method of claim 2 wherein the for the target, controlling access to the information based on the subset of rules and abstractions comprises:
    - when the target requests an operation of sending an e-mail message, allowing the operation only when evaluating the subset of rules and abstractions does not prohibit the operation.
  - 33. The method of claim 2 wherein the step of for the target, controlling access to the information based on the subset of rules and abstractions comprises:
    - when the target requests an operation of sending an original e-mail message, encrypting at least a portion of the e-mail message and sending the encrypted e-mail message instead of the original e-mail message.
  - 37. The method of claim 2 wherein the for the target, controlling access to the information based on the subset of rules and abstractions comprises:
    - when the target requests an operation and the operation is allowed by the relevant rules and abstractions, performing one or more tasks in addition to the operation.
  - 38. The method of claim 37 wherein the one or more tasks comprises altering a document or message which is a subject of the operation.
  - 39. The method of claim 37 wherein the one or more tasks comprises storing information about the requested operation in a storage location.

3. A method of managing information comprising:
- providing a plurality of rules and a plurality of abstractions, wherein a rule comprises an expression having a first variable, and the first variable is defined in a first abstraction;
  
  transferring the plurality of rules and abstractions to a target; and
  
  for the target, controlling application usage based on the plurality of rules and abstractions.

43. An information management system comprising:
- a plurality of rule components and a plurality of abstraction components,wherein a rule component comprises an expression having a variable, and the variable is defined in an abstraction component;
  
  a policy server component, accessing the rule and abstraction components;
  
  a workstation component, coupled to the policy server component, the workstation comprising a code component;
  
  a deployment mode of operation in which the policy server determines a set of rule and abstraction components relevant to the workstation component, and transfers this set of rule and abstraction components to the workstation component; and
  
  an execution mode of operation in which the code component of the workstation manages access to information of the information management system based on the set of rule and abstraction components.
- View Dependent Claims (45, 46, 47)
- - 45. The information management system of claim 43 wherein the information of the information management system comprises at least one of a file, e-mail message, web page, discussion thread, results of database query, an electronic form, results of a financial application operation, results of an enterprise resource planning application operation, a file system object, a data object managed by a messaging server, a data object managed by a collaboration server, a data object managed by a document management system, a data object managed by a content management system, a data object managed by a financial application, a data object managed by an enterprise resource planning system, or a data object addressable by an universal resource locator (URL) that is served by a Web server, or units of information stored on a server.
  - 46. The information management system of claim 43 wherein the execution mode of operation in which the code component of the workstation manages access to information of the information management system based on the set of rule and abstraction components is replaced byan execution mode of operation in which the code component of the workstation manages access to devices of the information management system based on the set of rule and abstraction components.
  - 47. The information management system of claim 46 wherein the devices comprises at least one of computers, fixed disk drives, USB devices, servers, personal digital assistant devices, storage devices, network attached storage (NAS) devices, networking devices, or telephony devices.

44. An information management system comprising:
- a plurality of rule components and a plurality of abstraction components,wherein a rule component comprises an expression having a variable, and the variable is defined in an abstraction component;
  
  a policy server component, accessing the rule and abstraction components;
  
  a workstation component, coupled to the policy server component, the workstation comprising a code component;
  
  a deployment mode of operation in which the policy server determines a set of rule and abstraction components relevant to the workstation component, and transfers this set of rule and abstraction components to the workstation component; and
  
  an execution mode of operation in which the code component of the workstation manages application usage in the information management system based on the set of rule and abstraction components.

48. A method of operating an information management system comprising:
- providing a plurality of rule components, each rule component comprising an expression having at least one variable;
  
  providing a plurality of abstraction components, each abstraction component is separate from the rule components,an abstraction component defining variables of the plurality of rule components, wherein a first variable is found in two or more of the rule components;
  
  modifying the first variable; and
  
  controlling access to information of the information management system according to two or more of the rule components having the modified first variable.
- View Dependent Claims (49, 50, 51, 52, 53)
- - 49. The method of claim 48 wherein the at least one variable is not defined in the plurality of rule components.
  - 50. The method of claim 48 further comprising:
    - transferring a first rule referencing the first variable to a first target and a second target; and
      
      after modifying the first variable, enforcing the first rule using the modified first variable at the first target and second target.
  - 51. The method of claim 48 wherein the controlling access to information of the information management system according to two or more of the rule components having the modified first variable comprises at least one of tracking, logging, blocking, encrypting, or notifying.
  - 52. The method of claim 48 wherein when the information of the information management system comprises intellectual property, the controlling access to information of the information management system according to two or more of the rule components having the modified first variable is replaced bycontrolling distribution of the intellectual property based on the rules and abstractions according to two or more of the rule components having the modified first variable, wherein controlling comprises at least one of tracking, logging, blocking, encrypting, or notifying.
  - 53. The method of claim 52 wherein intellectual property comprises proprietary information of an organization.

54. A method of managing information comprising:
- providing a plurality of rules and a plurality of abstractions, wherein a rule comprises an expression having a first variable, and the first variable is defined in a first abstraction, and the definition of the first variable in the first abstraction comprises a second variable defined in a second abstraction; and
  
  for a target device, controlling sending of an e-mail message based on a subset of the rules and abstractions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Blue Jungle, Blue Jungle Incorporated
Original Assignee
Blue Jungle
Inventors
Lim, Keng

Granted Patent

US 9,384,360 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 11/3438   monitoring of user actions ...

G06F 16/122   using management policies b...

G06F 16/13   File access structures, e.g...

G06F 16/176   Support for shared access t...

G06F 16/93   Document management systems

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 9/468   Specific access rights for ...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Techniques and System for Specifying Policies Using Abstractions

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques and System for Specifying Policies Using Abstractions

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links