Policy enforcement via attestations

US 20070179802A1
Filed: 12/13/2006
Published: 08/02/2007
Est. Priority Date: 09/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

detecting a principal operating within an environment;

identifying a condition within the environment;

obtaining an attestation in response to the condition; and

enforcing a policy in response to the attestation against the principal within the environment.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Policy enforcement via attestations is provided. A principal operates within an environment and assumes roles having certain access rights to resources and the principal takes actions while assuming those roles. The roles and actions are monitored and attestations are raised under the proper set of circumstances. The attestations trigger policy restrictions that are enforced against the principal. The policy restrictions circumscribe the access rights to the resources.

Citations

29 Claims

1. A method, comprising:
- detecting a principal operating within an environment;
  
  identifying a condition within the environment;
  
  obtaining an attestation in response to the condition; and
  
  enforcing a policy in response to the attestation against the principal within the environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising:
    - obtaining another attestation in response to the condition associated with a resource within the environment; and
      
      enforcing another policy in response to that attestation against the resource within the environment.
  - 3. The method of claim 1, wherein detecting further includes recognizing the principal as operating under a crafted identity within the environment.
  - 4. The method of claim 3 further comprising, associating one or more roles with the crafted identity, wherein each role includes one or more of the following:
    - access permissions for resources accessible from the environment, other policies, and rights.
  - 5. The method of claim 1, wherein identifying further includes determining as the condition that one or more predefined roles are activated by the principal operating within the environment.
  - 6. The method of claim 1, wherein identifying further includes determining as the condition that one or more predefined activities are engaged in by the principal operating within the environment.
  - 7. The method of claim 1, wherein identifying further includes determining as the condition that predefined roles, activities, or events occur within a predefined period of time.
  - 8. The method of claim 1, wherein obtaining further includes generating the attestation or receiving the attestation from an attester who is notified in response to the condition.
  - 9. The method of claim 1 further comprising one or more of the following:
    - removing the policy in response to a time-to-live attribute associated with the policy expiring;
      
      removing the policy in response to an event;
      
      removing the policy in response to another different policy disposition; and
      
      removing the policy in response to a revocation of the policy by an attester that initially supplied the attestation.
  - 10. The method of claim 1, wherein enforcing further includes enforcing the policy for a defined period of time to restrict access to resources available to the principal within the environment.

11. A method, comprising:
- monitoring actions of a principal within an environment;
  
  dynamically applying an attestation against resource access permissions or resource policies associated with the principal in response to one or more of the actions or dynamic conditions occurring within the environment; and
  
  circumscribing a number of the resource access permissions assigned to the principal in response to policy associated with the dynamically applied attestation.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11 further comprising, dynamically applying a different attestation against access to a resource that the principal is attempting to access within the environment.
  - 13. The method of claim 11, wherein monitoring further includes detecting at least some actions as role activations exercised by the principal within the environment to activate one or more roles that the principal assumes within the environment.
  - 14. The method of claim 11, wherein dynamically applying further includes generating the attestation using a global policy that is triggered in response to the one or more actions or the dynamic conditions occurring within the environment.
  - 15. The method of claim 11, wherein dynamically applying further includes receiving the attestation from a second principal in response to notifications sent to the second principal for the one or more actions or the dynamic conditions occurring within the environment.
  - 16. The method of claim 11, wherein circumscribing further includes temporarily enforcing the policy until one or more of the following occurs:
    - a time period passes, a revocation is received from an attester who originally supplied the attestation, or an event is detected that warrants no longer enforcing the policy.

17. A system, comprising:
- an attestation implemented in a machine-accessible medium; and
  
  a monitoring service, wherein the monitoring service is to dynamically monitor actions being taking against a resource within an environment and is to dynamically monitor conditions occurring within the environment and in response thereto the monitoring service is to dynamically apply the attestation to enforce a policy restriction that circumscribes access permissions or roles acceptable for accessing the resource.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The system of claim 17, wherein the monitoring service is to dynamically generate the attestation in response to global policy associated with the environment, the resource, or one or more principals operating within the environment.
  - 19. The system of claim 17, wherein the monitoring service is to dynamically receive the attestation from a principal that is different from another principal attempting to access the resource.
  - 20. The system of claim 17, wherein that actions include role activations made by principals within the environment to assume one or more of the roles, wherein each role includes its own set of access rights to the resource within the environment.
  - 21. The system of claim 17, wherein the monitoring service is to remove the policy restriction in response to a satisfied condition.
  - 22. The system of claim 17, wherein the monitoring service is to recognize a principal as operating within the environment using a crafted or attested identity and attempting to access the resource.

23. A system, comprising:
- a first principal service; and
  
  a policy service, wherein the policy service is to dynamically supply policy restrictions to enforce against roles activated by a second principal, and wherein the policy restrictions are to be triggered by attestations dynamically issued by the first principal service to the policy service while the second principal operates within an environment and attempts to access resources of that environment.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The system of claim 23, wherein the policy service is to dynamically issue additional attestations to enforce against the one or more of the resources.
  - 25. The system of claim 23, wherein the first principal service is to issue the attestations in response to the roles activated by the second principal within the environment.
  - 26. The system of claim 23, wherein the policy restrictions are removed by the policy service in response to a satisfied time-to-live attribute associated with the attestations.
  - 27. The system of claim 23, wherein the policy restrictions are removed by the policy service when instructed to do so by the first principal service.
  - 28. The system of claim 23, wherein a number of the attestations are issued by the first principal service in response to access actions taken by the second principal for a given activated one of the roles.
  - 29. The system of claim 23, wherein a number of the attestations are issued by the first principal service in response to conditions occurring within the environment that are independent of the second principal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Carter, Stephen, Buss, Duane

Granted Patent

US 10,275,723 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06Q 10/00   Administration; Management

G06Q 10/06   Resources, workflows, human...

H04L 63/102   Entity profiles

Policy enforcement via attestations

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Policy enforcement via attestations

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links