POLICY RESOLUTION IN AN ENTITLEMENT MANAGEMENT SYSTEM
First Claim
1. A data processing apparatus, comprising:
a policy administration point that is configured to receive one or more definitions or updates of entitlement policies specifying subjects, actions, and resources, and to update a first entitlement repository coupled to the policy administration point with the definitions or updates in response to receiving the definitions or updates;
one or more policy decision points that are coupled to the policy administration point over a network;
one or more policy enforcement points that are integrated into one or more respective first application programs, wherein each of the policy enforcement points is coupled to one of the policy decision points;
one or more action handlers in the policy administration point, wherein each of the action handlers is configured to intercept a particular action represented in an update to an entitlement policy, to transform the action into an entitlement update in a form compatible with a native entitlement mechanism of a second application program that does not have one of the policy enforcement points, to send the transformed entitlement update to the second application program, and to cause a rollback of the update of the first entitlement repository if the second application program fails to implement the entitlement update in the native entitlement mechanism.
1 Assignment
0 Petitions
Abstract
An externalized entitlement management system comprises a policy administration point that is configured to receive one or more definitions or updates of entitlement policies specifying subjects, actions, and resources, and to update a first entitlement repository coupled to the policy administration point with the definitions or updates in response to receiving the definitions or updates; one or more policy decision points that are coupled to the policy administration point over a network; one or more policy enforcement points that are integrated into one or more respective first application programs, wherein each of the policy enforcement points is coupled to one of the policy decision points; and one or more action handlers in the policy administration point, wherein each of the action handlers is configured to intercept a particular action represented in an update to an entitlement policy, to transform the action into an entitlement update in a form compatible with a native entitlement mechanism of a second application program that does not have one of the policy enforcement points, to send the transformed entitlement update to the second application program, and to cause a rollback of the update of the first entitlement repository if the second application program fails to implement the entitlement update in the native entitlement mechanism.
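The abstract describes four cooperating parts: a PAP that writes policy to a central repository, PDPs that answer decision queries, PEPs embedded in applications that can be instrumented, and action handlers that translate a policy change into the native entitlement mechanism of an application that cannot be instrumented, rolling the central write back if that translation fails. The following is an added, self-contained Python sketch of that flow; it is not code from the patent or from any product, and every class, function and sample value (the `LegacyFileServer` stand-in, the `smb://` resource scheme, the users and shares) is an assumption chosen for illustration. The security point it makes concrete is the consistency guarantee: a grant that the legacy application rejects must not survive in the central repository, or the PDPs would report an entitlement that no enforcement point actually honours.

```python
"""Added example (not the patent's own code): PAP / PDP / PEP split with an
action handler that pushes a grant into a legacy application's native ACL
and rolls the central repository back when the native update fails.
All names and sample data below are constructed for illustration."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Policy = Tuple[str, str, str]  # (subject, action, resource), as in the abstract


class NativeEntitlementError(Exception):
    """The second application refused or failed to apply the native update."""


@dataclass
class EntitlementRepository:
    """The 'first entitlement repository' the PAP writes to."""
    policies: Set[Policy] = field(default_factory=set)

    def snapshot(self) -> Set[Policy]:
        return set(self.policies)

    def restore(self, snap: Set[Policy]) -> None:
        self.policies = set(snap)


class LegacyFileServer:
    """Stand-in 'second application program' with no PEP. Its native
    entitlement mechanism is a per-share ACL that knows nothing about the
    central policy model (constructed for this example)."""

    def __init__(self, shares: List[str]):
        self.acl: Dict[str, Set[str]] = {s: set() for s in shares}

    def grant(self, user: str, share: str) -> None:
        if share not in self.acl:
            raise NativeEntitlementError(f"unknown share {share!r}")
        self.acl[share].add(user)


Handler = Callable[[Policy], bool]  # returns True if it handled the policy


def make_smb_handler(server: LegacyFileServer) -> Handler:
    """Action handler: intercepts 'read' grants on smb:// resources and
    transforms them into the file server's native ACL change."""

    def handler(policy: Policy) -> bool:
        subject, action, resource = policy
        if action != "read" or not resource.startswith("smb://"):
            return False  # not this handler's concern
        server.grant(subject, resource[len("smb://"):])  # may raise
        return True

    return handler


class PolicyAdministrationPoint:
    def __init__(self, repo: EntitlementRepository, handlers: List[Handler]):
        self.repo = repo
        self.handlers = handlers

    def update(self, policy: Policy) -> bool:
        """Write the policy, run the handlers, and roll the repository back
        if any native update fails so central and native state agree."""
        snap = self.repo.snapshot()
        self.repo.policies.add(policy)
        try:
            for h in self.handlers:
                h(policy)
        except NativeEntitlementError:
            self.repo.restore(snap)  # compensating action for the repo write
            return False
        return True


class PolicyDecisionPoint:
    """Answers PEP queries from the repository (in-process here; over a
    network in the abstract's architecture)."""

    def __init__(self, repo: EntitlementRepository):
        self.repo = repo

    def is_permitted(self, subject: str, action: str, resource: str) -> bool:
        return (subject, action, resource) in self.repo.policies


class ReportingApp:
    """A 'first application program' with an integrated PEP."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def run_report(self, user: str, report: str) -> str:
        if not self.pdp.is_permitted(user, "run", f"report://{report}"):
            return "denied"
        return f"report {report} for {user}"


def demo() -> dict:
    repo = EntitlementRepository()
    fs = LegacyFileServer(shares=["finance"])
    pap = PolicyAdministrationPoint(repo, [make_smb_handler(fs)])
    app = ReportingApp(PolicyDecisionPoint(repo))

    ok_native = pap.update(("alice", "read", "smb://finance"))
    bad_native = pap.update(("bob", "read", "smb://payroll"))  # no such share
    pap.update(("alice", "run", "report://q3"))  # handled only by the PEP path

    return {
        "ok_native": ok_native,
        "bad_native": bad_native,
        "bob_in_repo": ("bob", "read", "smb://payroll") in repo.policies,
        "alice_acl": "alice" in fs.acl["finance"],
        "report": app.run_report("alice", "q3"),
        "report_denied": app.run_report("bob", "q3"),
        "repo_size": len(repo.policies),
    }
```

The rollback here undoes only the central repository write, which is what the abstract describes. With several handlers registered, a handler that already succeeded before a later one failed would leave a native grant in place; a production PAP would need a compensating revoke for those handlers as well, or the central and native views diverge in the other direction.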
26 Claims
1. A data processing apparatus, comprising:
a policy administration point that is configured to receive one or more definitions or updates of entitlement policies specifying subjects, actions, and resources, and to update a first entitlement repository coupled to the policy administration point with the definitions or updates in response to receiving the definitions or updates;
one or more policy decision points that are coupled to the policy administration point over a network;
one or more policy enforcement points that are integrated into one or more respective first application programs, wherein each of the policy enforcement points is coupled to one of the policy decision points;
one or more action handlers in the policy administration point, wherein each of the action handlers is configured to intercept a particular action represented in an update to an entitlement policy, to transform the action into an entitlement update in a form compatible with a native entitlement mechanism of a second application program that does not have one of the policy enforcement points, to send the transformed entitlement update to the second application program, and to cause a rollback of the update of the first entitlement repository if the second application program fails to implement the entitlement update in the native entitlement mechanism.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A computer-readable storage medium encoded with one or more sequences of instructions which when executed by one or more processors cause the one or more processors to perform:
receiving, at a policy administration point, one or more definitions or updates of entitlement policies specifying subjects, actions, and resources;
creating one or more policy decision points that are coupled to the policy administration point over a network;
creating one or more policy enforcement points that are integrated into one or more respective first application programs, wherein each of the policy enforcement points is coupled to one of the policy decision points;
in response to receiving the definitions or updates, updating a first entitlement repository coupled to the policy administration point with the definitions or updates;
determining a type of action represented in one of the received definitions or updates;
invoking one or more action handlers in the policy administration point, wherein each of the action handlers is configured to intercept a particular action represented in an update to an entitlement policy, to transform the action into an entitlement update in a form compatible with a native entitlement mechanism of a second application program that does not have one of the policy enforcement points, to send the transformed entitlement update to the second application program, and to cause a rollback of the update of the first entitlement repository if the second application program fails to implement the entitlement update in the native entitlement mechanism.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
19. A computer-implemented method, comprising:
receiving, at a policy administration point, one or more definitions or updates of entitlement policies specifying subjects, actions, and resources;
creating one or more policy decision points that are coupled to the policy administration point over a network;
creating one or more policy enforcement points that are integrated into one or more respective first application programs, wherein each of the policy enforcement points is coupled to one of the policy decision points;
in response to receiving the definitions or updates, updating a first entitlement repository coupled to the policy administration point with the definitions or updates;
determining a type of action represented in one of the received definitions or updates;
invoking one or more action handlers in the policy administration point, wherein each of the action handlers is configured to intercept a particular action represented in an update to an entitlement policy, to transform the action into an entitlement update in a form compatible with a native entitlement mechanism of a second application program that does not have one of the policy enforcement points, to send the transformed entitlement update to the second application program, and to cause a rollback of the update of the first entitlement repository if the second application program fails to implement the entitlement update in the native entitlement mechanism.
Dependent claims: 20, 21, 22, 23, 24, 25, 26.