COMPUTER SYSTEM, MANAGEMENT SYSTEM AND RECORDING MEDIUM

US 20120017258A1
Filed: 11/19/2009
Published: 01/19/2012
Est. Priority Date: 11/19/2009
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

a client computer;

a first management computer coupled to the client computer; and

a second management computer coupled to the client computer and the first management computer,wherein the first management computer sends, to the client computer, first security policy information for controlling the operation of a security management program of the client computer, and rule information denoting a rule for creating second security policy information from a plurality of pieces of the first security policy information,wherein the second management computer sends, to the client computer, other first security policy information in which the control operation differs from that of the first security policy information sent to the client computer from the first management computer, andwherein the client computer creates, on the basis of the rule information received from the first management computer, the second security policy information from the first security policy information received from the first management computer and the other first security policy information received from the second management computer, and controls the operation of the security management program based on the second security policy information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention prevents the deterioration of security while maintaining usability in a case where a plurality of policies are applied to a client computer. Policies created by respective management servers 10 (Ma through Md) and by a highest-level management server 10 (Msa) are set in a client computer 20. The highest-level management server delivers, to the client computer, a merge rule for creating one policy from a plurality of policies. The client computer creates a new policy from a plurality of policies and the merge rule, and manages a security function.

69 Citations

View as Search Results

15 Claims

1. A computer system comprising:
- a client computer;
  
  a first management computer coupled to the client computer; and
  
  a second management computer coupled to the client computer and the first management computer,wherein the first management computer sends, to the client computer, first security policy information for controlling the operation of a security management program of the client computer, and rule information denoting a rule for creating second security policy information from a plurality of pieces of the first security policy information,wherein the second management computer sends, to the client computer, other first security policy information in which the control operation differs from that of the first security policy information sent to the client computer from the first management computer, andwherein the client computer creates, on the basis of the rule information received from the first management computer, the second security policy information from the first security policy information received from the first management computer and the other first security policy information received from the second management computer, and controls the operation of the security management program based on the second security policy information.
- View Dependent Claims (2, 3, 4, 5, 9, 10)
- - 2. A computer system according to claim 1, wherein the client computer respectively detects a difference between the second security policy information and the first security policy information sent to the client computer from the first management computer, and a difference between the second security policy information and the other first security policy information sent to the client computer from the second management computer, and outputs the detected differences.
  - 3. A computer system according to claim 1, wherein the rule information is configured to create the second security policy information to execute an intermediate operation which is preset as an operation that is intermediate between the control operation and the other control operation, in a case where the control operation of the first security policy information received from the first management computer and another control operation of the other first security policy information received from the second management computer are incompatible.
  - 4. A computer system according to claim 1, wherein the rule information is configured so as to permit, with a prescribed condition, the operation of a prescribed computer program that is executed on the client computer, in a case where either one of the first security policy information or the other first security policy information prohibits an operation and the remaining other allows the operation with respect to the prescribed computer program.
  - 5. A computer system according to claim 1,wherein the first management computer is operated by a plurality of first users and is configured to be able to create the first security policy information for each of the first users,wherein the second management computer is operated by a plurality of second users and is configured to be able to create the other first security policy information for each of the second users, andwherein only a preset prescribed first user from among the respective first users is able to create the rule information.
  - 9. A management system according to claim 1, wherein the rule information is configured so as to permit, with a prescribed condition, the operation of a prescribed computer program that is executed on the client computer, in a case where either one of the first security policy information or the other first security policy information prohibits an operation and the remaining other allows the operation with respect to the prescribed computer program.
  - 10. A management system according to claim 1,wherein the first management computer is operated by a plurality of first users and is configured to be able to create the first security policy information for each of the first users,wherein the second management computer is operated by a plurality of second users and is configured to be able to create the other first security policy information for each of the second users, andwherein only a preset prescribed first user from among the respective first users is able to create the rule information.

6. A management system for managing a client computer, comprising:
- a first management computer coupled to the client computer; and
  
  a second management computer coupled to the client computer,wherein the first management computer sends, to the client computer, first security policy information for controlling the operation of a security management program of the client computer, and rule information denoting a rule for creating second security policy information from a plurality of pieces of the first security policy information,wherein the second management computer sends, to the client computer, other first security policy information in which the control operation differs from that of the first security policy information sent to the client computer from the first management computer, andwherein inside the client computer, the management system creates, on the basis of the rule information received from the first management computer, the second security policy information from the first security policy information received from the first management computer and the other first security policy information received from the second management computer, and controls the operation of the security management program based on the created second security policy information.
- View Dependent Claims (7, 8)
- - 7. A management system according to claim 6, wherein the first management computer:
    - acquires the other first security policy information from the second management computer;
      
      acquires the second security policy information from the client computer; and
      
      respectively detects a difference between the second security policy information and the first security policy information sent to the client computer from the first management computer, and a difference between the second security policy information and the other first security policy information sent to the client computer from the second management computer, and outputs the detected differences.
  - 8. A management system according to claim 6, wherein, the rule information is configured so as to create the second security policy information to execute an intermediate operation which is preset as an operation that is intermediate between the control operation and the other control operation, in a case where the control operation of the first security policy information received from the first management computer and another control operation of the other first security policy information received from the second management computer are incompatible.

11. A recording medium, which records a computer program for causing a computer that is communicably coupled to a client computer to function as a management computer, this computer-readable recording medium recording a computer program for realizing:
- a function to create a plurality of pieces of first security policy information for controlling the operation of a security management program of the client computer;
  
  a function to create rule information denoting a rule for creating second security policy information from the respective pieces of first security policy information; and
  
  a function to send the respective pieces of first security policy information and the rule information to the client computer, to thereby create the second security policy information from the respective pieces of first security policy information based on the rule information inside the client computer, and to control the operation of the security management program based on the created second security policy information.
- View Dependent Claims (12, 13, 14, 15)
- - 12. A computer-readable recording medium according to claim 11, wherein the computer program further realizes a function to acquire the second security policy information from the client computer, to respectively detect differences between the respective pieces of first security policy information and the second security policy information, and to output the detected respective differences.
  - 13. A computer-readable recording medium according to claim 11, wherein the rule information is configured so as to create the second security policy information to execute an intermediate operation which is preset as an operation that is intermediate between the incompatible plurality of control operations, in a case where the control operations of the respective pieces of first security policy information are incompatible.
  - 14. A computer-readable recording medium according to claim 11, wherein the rule information is configured so as to permit, with a prescribed condition, the operation of a prescribed computer program that is executed on the client computer, in a case where either one of the respective pieces of first security policy information prohibits an operation and the remaining other allows the operation with respect to the prescribed computer program.
  - 15. A computer-readable recording medium according to claim 11,wherein each of a pre-registered plurality of first users is able to create the first security policy information, andwherein only a preset prescribed first user from among the respective first users is able to create the rule information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Suzuki, Yoshiyuki

Granted Patent

US 9,071,614 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2149   Restricted operating enviro...

H04L 63/104   Grouping of entities

COMPUTER SYSTEM, MANAGEMENT SYSTEM AND RECORDING MEDIUM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

69 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

COMPUTER SYSTEM, MANAGEMENT SYSTEM AND RECORDING MEDIUM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links