Enforcing Universal Access Control in an Information Management System

US 20080301760A1
Filed: 10/30/2007
Published: 12/04/2008
Est. Priority Date: 12/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method of controlling document access using centrally managed rules, the method comprising:

distributing a first plurality of rules to a client system from a central rule database,wherein the first plurality of rules distributed to the client system contain at least one expression used by the client system to perform access control for documents accessed by the client system, andwherein the client system rule distributing step dynamically selects the first plurality of rules for the client system;

distributing a second plurality of rules to a server from the central rule database,wherein the second plurality of rules distributed to the server contain at least one expression used by the server to perform access control for documents stored on the server,wherein the server rule distributing step dynamically selects the second plurality of rules for the server, andwherein rules in the central rule database are maintained by a central rule server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server.

228 Citations

25 Claims

1. A method of controlling document access using centrally managed rules, the method comprising:
- distributing a first plurality of rules to a client system from a central rule database,wherein the first plurality of rules distributed to the client system contain at least one expression used by the client system to perform access control for documents accessed by the client system, andwherein the client system rule distributing step dynamically selects the first plurality of rules for the client system;
  
  distributing a second plurality of rules to a server from the central rule database,wherein the second plurality of rules distributed to the server contain at least one expression used by the server to perform access control for documents stored on the server,wherein the server rule distributing step dynamically selects the second plurality of rules for the server, andwherein rules in the central rule database are maintained by a central rule server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. A method of claim 1 further comprising:
    - detecting a document access operation attempted by an application program on the client system;
      
      evaluating at least one rule from the first plurality of rules on the client system that pertains to the document being accessed; and
      
      wherein the evaluating step allows access to the document based on the evaluated at least one rule pertaining to the document.
  - 3. A method of claim 2 wherein the detecting step is integrated into the client system'"'"'s operating system.
  - 4. A method of claim 2 wherein the detecting step is integrated into the application program.
  - 5. A method of claim 2 wherein the client system evaluating step performs an action as specified in the evaluated at least one rule in response to the document access operation.
  - 6. A method of claim 2 wherein the client system evaluating step evaluates rules using information based on any combination of:
    - type of or computing environment, user, user group, user role, host, type of computer, group of computers, application program, type of application program, application module, geographic location, access mechanism, connectivity, bandwidth, time of day, day of the week, file path, file name, document size, document timestamp, document owner, document properties, historical data from previous or computing environments, document type, document format, document classification, document characteristics, document content, database query, database query result set, or metadata.
  - 7. A method of claim 2 wherein the document includes any of:
    - a discussion thread, an on-line report, results of a database query, an electronic form, a file system object, a data object managed by a messaging server, a data object managed by a collaboration server, a data object managed by a document management system, a data object managed by a content management system, a data object in a product life cycle management system, a data object in an enterprise resource planning system, or a data object addressable by an universal resource locator (URL) that is served by a Web server.
  - 8. A method of claim 2 wherein the client system rule evaluating step queries a user for input to obtain information for evaluation of rules pertaining to the document being accessed.
  - 9. A method of claim 2 wherein the client system rule evaluating step operates autonomously if the client system is not in communication with the central rule database.
  - 10. A method of claim 1 wherein a set of default rules is installed on the client system.
  - 11. A method of claim 1 wherein at least a subset of rules stored on the client system is preinstalled on the client system.
  - 12. A method of claim 1 wherein at least a subset of rules stored on the client system is dynamically updated from the central rule database.
  - 13. A method of claim 2 further comprising:
    - automatically detecting if any component used in the detecting or client system rule evaluating steps has been tampered with or corrupted.
  - 14. A method of claim 1 further comprising:
    - detecting, on the server, a document access operation for a document on the server;
      
      evaluating at least one rule from the second plurality of rules on the server that pertains to the document being accessed; and
      
      wherein the evaluating step allows access to the document based on the evaluated at least one rule pertaining to the document.
  - 15. A method of claim 14 wherein the detecting step is integrated into the server'"'"'s operating system.
  - 16. A method of claim 14 wherein the detecting step is integrated into a server application program running on the server.
  - 17. A method of claim 14 wherein a server application program includes any of:
    - a file server, a mail server, a Web server, a document management server, a content management server, a database server, or a portal server.
  - 18. A method of claim 1 wherein a server includes any of:
    - a file server, a HTTP server, a file gateway acting as a proxy to a file server, a network attached storage (NAS) device, a distributed file system, or a virtual NAS.
  - 19. A method of claim 14 wherein the server rule evaluating step evaluates rules using information based on any combination of:
    - type of or computing environment, user, user group, user role, host, type of computer, group of computers, application program, type of application program, application module, geographic location, access mechanism, connectivity, bandwidth, time of day, day of the week, file path, file name, document size, document timestamp, document owner, document properties, historical data from previous or computing environments, document type, document format, document classification, document characteristics, document content, database query, database query result set, or metadata.
  - 20. A method of claim 14 wherein the document includes any of:
    - a discussion thread, an on-line report, results of a database query, an electronic form, a file system object, a data object managed by a messaging server, a data object managed by a collaboration server, a data object managed by a document management system, a data object managed by a content management system, a data object in a product life cycle management system, a data object in an enterprise resource planning system, or a data object addressable by an universal resource locator (URL) that is served by a Web server.
  - 21. A method of claim 14 wherein the server rule evaluating step queries the system accessing the document to obtain information for evaluating rules pertaining to the document being accessed.
  - 22. A method of claim 14 wherein the server rule evaluating step operates autonomously if the server is not in communication with the central rule database.
  - 23. A method of claim 1 wherein a set of default rules is installed on the server.
  - 24. A method of claim 1 wherein at least a subset of rules stored on the server are preinstalled on the server.
  - 25. A method of claim 1 wherein at least a subset of rules stored on the server is dynamically updated from the central rule database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nextlabs
Original Assignee
Blue Jungle
Inventors
Lim, Keng

Granted Patent

US 7,877,781 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/62   Protecting access to data v...

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04L 63/107   wherein the security polici...

H04L 63/20   for managing network securi...

Enforcing Universal Access Control in an Information Management System

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

228 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing Universal Access Control in an Information Management System

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

228 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links