Enforcing Control Policies in an Information Management System with Two or More Interactive Enforcement Points
First Claim
1. A method comprising:
- providing an interceptor code component and a policy engine code component executing on a first computer, wherein the interceptor code component resides within an operating system layer executing on the first computer, and the policy engine code component is outside of the operating system layer;
using the policy engine code component, evaluating a document access operation on a first computer,wherein the evaluating step evaluates at least one rule pertaining to the document access operation,wherein the at least one rule is among a plurality of rules stored on the first computer, andwherein the at least one rule contains at least one expression used by the evaluating step to control document access operation;
communicating with a second computer as indicated by the at least one rule; and
confirming on the first computer that the second computer has an ability to interact with the evaluating step.
1 Assignment
0 Petitions
Accused Products
Abstract
A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server.
-
Citations
20 Claims
-
1. A method comprising:
-
providing an interceptor code component and a policy engine code component executing on a first computer, wherein the interceptor code component resides within an operating system layer executing on the first computer, and the policy engine code component is outside of the operating system layer; using the policy engine code component, evaluating a document access operation on a first computer, wherein the evaluating step evaluates at least one rule pertaining to the document access operation, wherein the at least one rule is among a plurality of rules stored on the first computer, and wherein the at least one rule contains at least one expression used by the evaluating step to control document access operation; communicating with a second computer as indicated by the at least one rule; and confirming on the first computer that the second computer has an ability to interact with the evaluating step. - View Dependent Claims (2, 3, 4, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
-
-
5. A method comprising:
-
providing an interceptor code component and a policy engine code component executing on a first computer, wherein the interceptor code component resides within an operating system layer executing on the first computer, and the policy engine code component is outside of the operating system layer; using the policy engine code component, evaluating a document access operation on the first computer, wherein the evaluating step evaluates at least one rule pertaining to the document access operation, wherein the evaluating step monitors operations of a plurality of application programs on the first computer, and the application programs are outside of the operating system layer, wherein the document access operation is initiated by an application program and detected by the interceptor code component, and the interceptor code component transfers handling of the document access operation to the policy engine code component, wherein the at least one rule is among a plurality of rules stored on the first computer, and wherein the at least one rule contains at least one expression used by the evaluating step to control document access operation; for a first application program on the first computer, performing the evaluating step for an operation of the first application program; determining if the first computer contains a first piece of information required to evaluate the at least one rule; if the first computer contains the first piece of information required to evaluate the at least one rule, determining that the first computer is capable of evaluating the at least one rule; if the first computer does not contain the first piece of information required to evaluate the at least one rule, determining that the first computer is incapable of evaluating the at least one rule; if the first computer is incapable of evaluating the at least one rule, determining a second computer connected over a network to the first computer, wherein the second computer has access to the first piece of information; and confirming on the first computer that the second computer has an ability to interact with the evaluating step. - View Dependent Claims (6)
-
Specification