ENFORCING LABEL-BASED RULES ON A PER-USER BASIS IN A DISTRIBUTED NETWORK MANAGEMENT SYSTEM
First Claim
1. A method of managing security of services executing on servers in a network domain, the method comprising:
receiving information describing one or more user groups, each user group containing one or more users associated with the network domain;
receiving an association between the user group and a set of labeled entities, wherein a labeled entity is a service or a server, the association indicating that users of the user group are permitted to access the labeled entities of the set;
determining an administrative domain wide policy based on the received association, the administrative domain wide policy specifying a relationship between the user group and the set of labeled entities, the relationship allowing users of the user group to access a service or a server represented by a labeled entity of the set;
generating management instructions regulating communications between servers of the network domain based on the administrative domain wide policy; and
sending, to one or more servers, the management instructions to configure each of the one or more servers to implement the administrative domain wide policy.
Abstract
State information is received from a server indicating an identity of a user logged into the server. An administrative domain wide policy is determined that specifies a relationship between a user group and services or servers accessible to users belonging to the user group. Relevant servers are sent updated management instructions corresponding to rules of the administrative domain wide policy. Such rules provide access to a service or server to users belonging to user groups related to the service. As a result, the servers allow communications that provide access to users based on the specified relationships.
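The abstract and claim 1 describe a pipeline: user groups are associated with a set of labeled entities (servers or services selected by label), that association is compiled into a domain-wide policy, and the policy is compiled again, using the state information about which user is logged into which server, into per-server management instructions. The following Python is an added example of that pipeline and is not code from the patent or its assignee; the label format (`(key, value)` pairs), the selector semantics (a server matches when it carries every label in the selector), the `"proto:port"` service naming and all sample servers, groups and logins are constructed assumptions for illustration. It also shows the failure mode a defender cares about: when the login state changes, the instructions must be regenerated or the server keeps allowing a flow for a user who is no longer there.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    name: str
    labels: frozenset   # assumed label model: set of (key, value) pairs
    services: frozenset  # assumed service naming: "proto:port" strings hosted here


@dataclass(frozen=True)
class Association:
    group: str
    selector: frozenset  # labels a server must carry to belong to the labeled set
    services: frozenset  # services the group may reach on matching servers; empty = all


def labeled_set(selector, servers):
    """The 'set of labeled entities': servers carrying every label in the selector."""
    return [s for s in servers if selector <= s.labels]


def domain_policy(associations, servers):
    """Domain-wide policy: group -> set of (server, service) pairs the group may access."""
    policy = {}
    for a in associations:
        allowed = policy.setdefault(a.group, set())
        for s in labeled_set(a.selector, servers):
            for svc in s.services:
                if not a.services or svc in a.services:
                    allowed.add((s.name, svc))
    return policy


def groups_of(user, groups):
    """All groups a user belongs to (a user in several groups gets the union)."""
    return {g for g, members in groups.items() if user in members}


def management_instructions(policy, groups, logins, servers):
    """Per destination server, the sorted allow rules (source server, service).

    A rule exists only when some user currently logged into the source server
    belongs to a group whose policy covers that service on the destination;
    every other flow is implicitly denied by the receiving server.
    """
    rules = {s.name: set() for s in servers}
    for src, users in logins.items():
        permitted = set()
        for u in users:
            for g in groups_of(u, groups):
                permitted |= policy.get(g, set())
        for dst, svc in permitted:
            if dst != src:
                rules[dst].add((src, svc))
    return {dst: sorted(r) for dst, r in rules.items()}


# Constructed sample domain (not from the patent).
SERVERS = [
    Server("bastion-1", frozenset({("role", "jump"), ("env", "prod")}), frozenset()),
    Server("bastion-2", frozenset({("role", "jump"), ("env", "prod")}), frozenset()),
    Server("db-1", frozenset({("role", "db"), ("env", "prod")}),
           frozenset({"postgres:5432", "ssh:22"})),
    Server("db-dev", frozenset({("role", "db"), ("env", "dev")}),
           frozenset({"postgres:5432", "ssh:22"})),
]
GROUPS = {"dba": {"alice"}, "dev": {"bob"}}
ASSOCIATIONS = [
    # DBAs may reach every service on every server labelled role=db.
    Association("dba", frozenset({("role", "db")}), frozenset()),
    # Developers may reach only postgres, and only on dev-labelled db servers.
    Association("dev", frozenset({("role", "db"), ("env", "dev")}),
                frozenset({"postgres:5432"})),
]
# State information reported by the servers: who is logged in where.
LOGINS = {"bastion-1": {"alice"}, "bastion-2": {"bob"}}


def example_instructions(logins=None):
    """Compile associations -> policy -> per-server instructions for the sample domain."""
    policy = domain_policy(ASSOCIATIONS, SERVERS)
    return management_instructions(policy, GROUPS, LOGINS if logins is None else logins, SERVERS)


if __name__ == "__main__":
    for dst, rules in example_instructions().items():
        print(dst, rules)
    # After alice logs out of bastion-1 the db-1 rules must disappear:
    print(example_instructions({"bastion-2": {"bob"}})["db-1"])
```

The second call in the `__main__` block is the point of the state-driven design: instructions are a function of the current login state, so a server that does not receive a fresh set after a logout keeps honouring a rule that no longer has a user behind it.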
20 Claims
1. A method of managing security of services executing on servers in a network domain, the method comprising:
receiving information describing one or more user groups, each user group containing one or more users associated with the network domain;
receiving an association between the user group and a set of labeled entities, wherein a labeled entity is a service or a server, the association indicating that users of the user group are permitted to access the labeled entities of the set;
determining an administrative domain wide policy based on the received association, the administrative domain wide policy specifying a relationship between the user group and the set of labeled entities, the relationship allowing users of the user group to access a service or a server represented by a labeled entity of the set;
generating management instructions regulating communications between servers of the network domain based on the administrative domain wide policy; and
sending, to one or more servers, the management instructions to configure each of the one or more servers to implement the administrative domain wide policy.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15.
16. A non-transitory computer readable storage medium storing executable instructions for:
receiving information describing one or more user groups, each user group containing one or more users associated with the network domain;
receiving an association between the user group and a set of labeled entities, wherein a labeled entity is a service or a server, the association indicating that users of the user group are permitted to access the labeled entities of the set;
determining an administrative domain wide policy based on the received association, the administrative domain wide policy specifying a relationship between the user group and the set of labeled entities, the relationship allowing users of the user group to access a service or a server represented by a labeled entity of the set;
generating management instructions regulating communications between servers of the network domain based on the administrative domain wide policy; and
sending, to one or more servers, the management instructions to configure each of the one or more servers to implement the administrative domain wide policy.
Dependent claims: 17, 18, 19.
20. A computer system comprising:
one or more processors;
a computer readable non-transitory storage medium storing executable instructions for execution by the one or more processors, wherein the stored instructions comprise instructions for:
receiving information describing one or more user groups, each user group containing one or more users associated with the network domain;
receiving an association between the user group and a set of labeled entities, wherein a labeled entity is a service or a server, the association indicating that users of the user group are permitted to access the labeled entities of the set;
determining an administrative domain wide policy based on the received association, the administrative domain wide policy specifying a relationship between the user group and the set of labeled entities, the relationship allowing users of the user group to access a service or a server represented by a labeled entity of the set;
generating management instructions regulating communications between servers of the network domain based on the administrative domain wide policy; and
sending, to one or more servers, the management instructions to configure each of the one or more servers to implement the administrative domain wide policy.