System and method for implementing a hierarchical policy for computer system administration

US 5,797,128 A
Filed: 05/14/1997
Issued: 08/18/1998
Est. Priority Date: 07/03/1995
Status: Expired due to Fees

First Claim

Patent Images

1. A method for implementing a hierarchical policy for administration of a computer system having at least one computer, an associated database and a user interface for inputting data to said database, said method comprising the steps of:

providing for storing of a number of policies in said database, said policies each having an associated policy class name and policy attribute;

providing for organizing of said policies into policy groups;

providing for inputting of characteristics of an input managed object to said computer system, said input managed object having an associated input object class name and an associated input object attribute having a proposed value;

providing for searching of certain of said policy groups pertinent to said input managed object to determine policies within said policy groups having a policy class name and policy attribute corresponding to said input object class name and input object attribute;

providing for returning of a matching subset of policies from said policy groups which have a policy class name and policy attribute corresponding to said input object class name and input object attribute;

providing for analyzing of said proposed value of said input object attribute of said input managed object with respect to said matching subset of policies; and

providing for allowing of entry of said proposed value of said input object attribute if said proposed value passes each of said policies in said matching subset of policies.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for implementing a hierarchical policy for computer system administration which is extremely flexible in assigning policies to managed objects. Policies are defined to be rules for the values of the attributes of managed objects. Policy groups comprise the basic building blocks and they associate a set of policies with a set of managed objects. Policy groups can also be members of other policy groups and a policy group inherits the policies of its parent policy groups supporting the hierarchical specification of policy. A given policy group may have multiple parents which allows the "mix-in" of policies from the parents. Cloning and templates in conjunction with validation policies and policy groups provide standardization and a concomitant reduction in system administration complexity.

Citations

51 Claims

1. A method for implementing a hierarchical policy for administration of a computer system having at least one computer, an associated database and a user interface for inputting data to said database, said method comprising the steps of:
- providing for storing of a number of policies in said database, said policies each having an associated policy class name and policy attribute;
  
  providing for organizing of said policies into policy groups;
  
  providing for inputting of characteristics of an input managed object to said computer system, said input managed object having an associated input object class name and an associated input object attribute having a proposed value;
  
  providing for searching of certain of said policy groups pertinent to said input managed object to determine policies within said policy groups having a policy class name and policy attribute corresponding to said input object class name and input object attribute;
  
  providing for returning of a matching subset of policies from said policy groups which have a policy class name and policy attribute corresponding to said input object class name and input object attribute;
  
  providing for analyzing of said proposed value of said input object attribute of said input managed object with respect to said matching subset of policies; and
  
  providing for allowing of entry of said proposed value of said input object attribute if said proposed value passes each of said policies in said matching subset of policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein said step of providing for searching further comprises the steps of:
    - providing for recursively searching of said policy groups to determine parent policy groups of said input managed object having a policy class name and policy attribute corresponding to said input object class name and input object attribute;
      
      providing for additionally returning of an additional subset of said policies from said parent policy groups which have a policy class name and policy attribute corresponding to said input object class name and input object attribute; and
      
      providing for adding of said additional subset of said policies to said matching subset of policies prior to said step of providing for returning.
  - 3. The method of claim 2 wherein said step of providing for recursive searching is carried out by the steps of:
    - providing for initially searching said certain policy groups to identify said policies having a policy class name and policy attribute corresponding to said input object class name and input object attribute; and
      
      providing for secondarily searching of policies of said parent policy groups to identify policies of said parent policy groups having a policy class name and policy attribute corresponding to said input object class name and input object attribute.
  - 4. The method of claim 1 wherein said step of providing for storing is carried out by means of a computer mass storage device operatively coupled to said computer system.
  - 5. The method of claim 1 wherein said step of providing for organizing is carried out by the steps of:
    - providing for determining of common applicabilities of said policies to various of said managed object class names and said object attributes;
      
      providing for grouping of said policies in said policy groups according to said common applicabilities.
  - 6. The method of claim 1 wherein said step of providing for inputting is carried out by providing for entry of said input object class name and proposed value of said input object attribute to said computer system.
  - 7. The method of claim 1 further comprising the steps of:
    - providing an additional computer coupled to said computer system, said additional computer functioning as a server with respect to said at least one computer functioning as a client, said additional computer operative for controlling said database.
  - 8. The method of claim 7 wherein said steps of providing for storing, searching and returning are carried out by said additional computer.
  - 9. The method of claim 7 wherein said steps of providing for analyzing and allowing are carried out by said at least one computer.
  - 10. The method of claim 1 further comprising the steps of:
    - providing for cloning of an associated object class name and an associated object attribute of a previously input managed object; and
      
      providing for the utilization of said associated object class name and said associated object attribute to produce a modifiable initial representation of said input object class name and said input object attribute of said input managed object.
  - 11. The method of claim 1 further comprising the step of:
    - providing for creating a template to establish an initial value for said input object attribute of said input managed object.
  - 12. The method of claim 1 further comprising the step of:
    - providing for disallowing of entry of said proposed value of said input object attribute if said proposed value fails any one of said policies in said matching subset of policies.
  - 13. The method of claim 1 further comprising the step of:
    - providing for conditionally allowing of entry of said proposed value of said input object attribute if said proposed value fails an advisory one of said policies in said matching subset of policies.

14. A computer program product comprising:
- a computer usable medium having computer readable code embodied therein for implementing a hierarchical policy for administration of a computer system having at least one computer, an associated database and a user interface for inputting data to said database, the computer program product comprising;
  
  computer readable program code devices configured to cause a computer to effect storing a number of policies in said database, said policies each having an associated policy class name and an associated policy attribute;
  
  computer readable program code devices configured to cause a computer to effect organizing said policies into policy groups;
  
  computer readable program code devices configured to cause a computer to effect inputting characteristics of an input managed object to said computer system, said input managed object having an associated input object class name and an associated input object attribute having a proposed value;
  
  computer readable program code devices configured to cause a computer to effect searching certain of said policy groups pertinent to said input managed object to determine policies thereof having a policy class name and policy attribute corresponding to said input object class name and input object attribute;
  
  computer readable program code devices configured to cause a computer to effect returning a matching subset of said policies from said policy groups which have a policy class name and policy attribute corresponding to said input object class name and input object attribute;
  
  computer readable program code devices configured to cause a computer to effect analyzing said proposed value of said input object attribute with respect to said matching subset of said policies; and
  
  computer readable program code devices configured to cause a computer to effect allowing entry of said proposed value of said input object attribute if said proposed value passes each of said policies in said matching subset of said policies.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The computer program product of claim 14 further comprising:
    - computer readable program code devices configured to cause a computer to effect recursively searching said policy groups to determine parent policy groups of said input managed object having a policy class name and policy attribute corresponding to said input object class name and input object attribute;
      
      computer readable program code devices configured to cause a computer to effect additionally returning an additional subset of said policies from said parent policy groups which have a policy class name and policy attribute corresponding to said input object class name and input object attribute; and
      
      computer readable program code devices configured to cause a computer to effect adding said additional subset of said policies to said matching subset of policies prior to said step of returning.
  - 16. The computer program product of claim 15 wherein said computer readable program code devices are configured to cause a computer to effect said searching of said policies is carried out by:
    - computer readable program code devices configured to cause a computer to effect initially searching said policies of said certain policy groups to identify said policies having a policy class name and policy attribute corresponding to said input object class name and input object attribute; and
      
      computer readable program code devices configured to cause a computer to effect secondarily searching said policies of said parent policy groups to identify policies of said parent policy groups of said managed object having a policy class name and policy attribute corresponding to said input object class name and input object attribute.
  - 17. The computer program product of claim 14 wherein said computer readable program code devices are configures to cause a computer to effect said organizing of said policies is carried out by:
    - computer readable program code devices configured to cause a computer to effect determining common applicabilities of said policies to various of said managed object class names and said object attributes;
      
      computer readable program code devices configured to cause a computer to effect providing for grouping of said policies in said policy groups according to said common applicabilities.
  - 18. The computer program product of claim 14 further comprising:
    - computer readable program code devices configured to cause a computer to effect cloning of an associated object class name and an associated object attribute of a previously input managed object; and
      
      computer readable program code devices configured to cause a computer to effect utilization of said associated object class name and said associated object attribute to produce a modifiable initial representation of said input object class name and said input object attribute.
  - 19. The computer program product of claim 14 further comprising:
    - computer readable program code devices configured to cause a computer to effect creating a template to establish an initial value for said input object attribute.
  - 20. The computer program product of claim 14 further comprising:
    - computer readable program code devices configured to cause a computer to effect disallowing entry of said proposed value of said input object attribute if said proposed value fails any one of said policies in said matching subset of said policies.
  - 21. The computer program product of claim 14 further comprising:
    - computer readable program code devices configured to cause a computer to effect providing for conditionally allowing of entry of said proposed value of said input object attribute if said proposed value fails an advisory one of said policies in said matching subset of said policies.

22. A computer system capable of implementing a hierarchical policy administration, said computer system comprising:
- at least one computer;
  
  at least one database retained within a computer mass storage device operatively coupled to said computer, said database being capable of storing a number of policies having an associated policy class name and an associated policy attribute;
  
  a user interface operatively coupled to said at least one computer, said user interface capable of allowing input of characteristics of an input managed object to said computer system, said input managed object having an associated input object class name and an associated input object attribute having a proposed value;
  
  an associator operable in conjunction with said at least one computer and said database for organizing said policies into policy groups;
  
  an iterator operable in conjunction with said at least one computer and said database for searching certain of said policy groups pertinent to said input managed object to determine policies thereof having a policy class name and policy attribute corresponding to said input object class name and input object attribute;
  
  a matching subset of said policies from said policy groups returned by said iterator to said at least one computer which have a policy class name and policy attribute corresponding to said input object class name and input object attribute;
  
  an analyzer operable in conjunction with said at least one computer for testing said proposed value of said input object attribute with respect to said matching subset of said policies; and
  
  an input validator operable in conjunction with said at least one computer and said user interface and responsive to said analyzer, said input validator allowing entry of said proposed value of said input object attribute if said proposed value passes each of said policies in said matching subset of said policies.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The computer system of claim 22 further comprising:
    - a recursive iterator operable in conjunction with said at least one computer and said database for searching said policy groups to determine parent policy groups of said input managed object having a policy class name and policy attribute corresponding to said input object class name and input object attribute;
      
      an additional subset of said policies from said parent policy groups which have a policy class name and policy attribute corresponding to said input object class name and input object attribute; and
      
      a summer for adding said additional subset of said policies to said matching subset of said policies.
  - 24. The computer system of claim 22 further comprising an additional computer coupled to said computer system for operatively controlling said database and functioning as a server with respect to said at least one computer.
  - 25. The computer system of claim 22 further comprising a cloning implementor for utilizing an associated class name and associated object attribute of an associated managed object previously input to said computer system to produce a modifiable initial representation of said input object class name and said input object attribute.
  - 26. The computer system of claim 22 further comprising a template creator for establishing an initial value for said input object attribute.
  - 27. The computer system of claim 22 wherein said input validator further comprises an input disallower for disallowing entry of said proposed value of said input object attribute if said proposed value fails any one of said policies in said matching subset of policies.
  - 28. The computer system of claim 22 wherein said input validator further comprises a conditional input validator for conditionally allowing entry of said proposed value of said input object attribute if said proposed value fails an advisory one of said policies in said matching subset of policies.

29. A method for implementing a hierarchical policy for a computer system having at least one computer, an associated database and a user interface for inputting data to said computer system, said method comprising the steps of:
- providing for organizing of a number of policies in said database into policy groups, each of said policies having an associated policy class name and an associated policy attribute;
  
  providing for inputting of characteristics of an input managed object to said computer system, said input managed object having an associated input object class name and an associated input object attribute having a proposed value;
  
  providing for analyzing of said proposed value of said input object attribute with respect to policies in pertinent ones of said policy groups having a policy class name and policy attribute corresponding to said input object class name and input object attribute; and
  
  providing for allowing of entry of said proposed value of said input object attribute if said proposed value passes each of said policies in said pertinent ones of said policy groups.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 30. The method of claim 29 wherein said step of analyzing further comprises the steps of:
    - providing for searching of said database for certain of said policy groups pertinent to said input managed object to determine policies thereof having a policy class name and policy attribute corresponding to said input object class name and input object attribute; and
      
      providing for returning of a matching subset of said policies from said policy groups which have a policy class name and policy attribute corresponding to said input object class name and input object attribute.
  - 31. The method of claim 30 wherein said step of providing for searching further comprises the steps of:
    - providing for recursively searching of said policy groups to determine parent policy groups of said input managed object having a policy class name and policy attribute corresponding to said input object class name and input object attribute;
      
      providing for additionally returning of an additional subset of said policies from said parent policy groups which have a policy class name and policy attribute corresponding to said input object class name and input object attribute; and
      
      providing for adding of said additional subset of said policies to said policies from said pertinent ones of said policy groups prior to said step of providing for returning.
  - 32. The method of claim 30 wherein said step of providing for searching is carried out by the steps of:
    - providing for initially searching of said policies of said certain policy groups to identify said policies having a policy class name and policy attribute corresponding to said input object class name and input object attribute; and
      
      providing for secondarily searching of said policies of said parent policy groups to identify policies of said parent policy groups of said input managed object having a policy class name and policy attribute corresponding to said input object class name and input object attribute.
  - 33. The method of claim 29 wherein said step of providing for organizing is carried out by the steps of:
    - providing for determining of common applicabilities of said policies to various of said managed object class names and said object attributes; and
      
      providing for grouping of said policies in said policy groups according to said common applicabilities.
  - 34. The method of claim 29 wherein said step of providing for inputting is carried out by providing for entry of said input object class name and proposed value of said input object attribute to said computer system.
  - 35. The method of claim 29 further comprising the steps of:
    - providing an additional computer coupled to said computer system, said additional computer functioning as a server with respect to said at least one computer functioning as a client, said additional computer operative for controlling said database.
  - 36. The method of claim 35 wherein said steps of providing for searching and returning are carried out by said additional computer.
  - 37. The method of claim 35 wherein said steps of providing for analyzing and allowing are carried out by said at least one computer.
  - 38. The method of claim 29 further comprising the steps of:
    - providing for cloning of an associated object class name and an associated object attribute of a previously input managed object; and
      
      providing for the utilization of said associated object class name and said associated object attribute to produce a modifiable initial representation of said input object class name and said input object attribute.
  - 39. The method of claim 29 further comprising the step of:
    - providing for creating a template to establish an initial value for said input object attribute.
  - 40. The method of claim 29 further comprising the step of:
    - providing for disallowing of entry of said proposed value of said input object attribute if said proposed value fails any one of said policies in said pertinent ones of said policy groups.
  - 41. The method of claim 29 further comprising the step of:
    - providing for conditionally allowing of entry of said proposed value of said input object attribute if said proposed value fails an advisory one of said policies in said pertinent ones of said policy groups.

42. A computer program product comprising:
- a computer usable medium having computer readable code embodied thereon for implementing a hierarchical policy for a computer system having at least one computer, an associated database and a user interface for inputting data to said computer system, the computer program product comprising;
  
  computer readable program code devices configured to cause a computer to effect organizing of a number of policies in said database into policy groups, each of said policies having an associated policy class name and an associated policy attribute;
  
  computer readable program code devices configured to cause a computer to effect inputting of characteristics of an input managed object to said computer system, said input managed object having an associated input object class name and an associated input object attribute having a proposed value;
  
  computer readable program code devices configured to cause a computer to effect analyzing of said proposed value of said input object attribute with respect to policies in pertinent ones of said policy groups having a policy class name and policy attribute corresponding to said input object class name and input object attribute; and
  
  computer readable program code devices configured to cause a computer to effect allowing of entry of said proposed value of said input object attribute if said proposed value passes each of said policies in said pertinent ones of said policy groups.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 43. The computer program product of claim 42 wherein said computer readable program code devices configured to cause a computer to effect analyzing is further carried out by:
    - computer readable program code devices configured to cause a computer to effect searching of said database for certain of said policy groups pertinent to said input managed object to determine policies thereof having a policy class name and policy attribute corresponding to said input object class name and input object attribute; and
      
      computer readable program code devices configured to cause a computer to effect returning of a matching subset of said policies from said policy groups which have a policy class name and policy attribute corresponding to said input object class name and input object attribute.
  - 44. The computer program product of claim 43 wherein said computer readable program code devices configured to cause a computer to effect analyzing is further carried out by:
    - computer readable program code devices configured to cause a computer to effect recursively searching of said policy groups to determine parent policy groups of said input managed object having a policy class name and policy attribute corresponding to said input object class name and input object attribute;
      
      computer readable program code devices configured to cause a computer to effect additionally returning of an additional subset of said policies from said parent policy groups which have a policy class name and policy attribute corresponding to said input object class name and input object attribute; and
      
      computer readable program code devices configured to cause a computer to effect adding of said additional subset of said policies to said policies in said pertinent ones of said policy groups prior to said step of providing for returning.
  - 45. The computer program product of claim 43 wherein said computer readable program code devices configured to cause a computer to effect searching is carried out by:
    - computer readable program code devices configured to cause a computer to effect initially searching of said policies of said certain policy groups to identify said policies having a policy class name and policy attribute corresponding to said input object class name and input object attribute; and
      
      computer readable program code devices configured to cause a computer to effect secondarily searching of said policies of said certain policy groups to identify policies of said parent policy groups of i said managed object having a policy class name and policy attribute corresponding to said input object class name and input object attribute.
  - 46. The computer program product of claim 42 wherein said computer readable program code devices configured to cause a computer to effect organizing is carried out by:
    - computer readable program code devices configured to cause a computer to effect determining of common applicabilities of said policies to various of said managed object class names and said object attributes; and
      
      computer readable program code devices configured to cause a computer to effect grouping of said policies in said policy groups according to said common applicabilities.
  - 47. The computer program product of claim 42 wherein said computer readable program code devices configured to cause a computer to effect inputting is carried out by:
    - computer readable program code devices configured to cause a computer to effect entry of said input object class name and proposed value of said input object attribute to said computer system.
  - 48. The computer program product of claim 42 further comprising:
    - computer readable program code devices configured to cause a computer to effect cloning of an associated object class name and an associated object attribute of a previously input managed object; and
      
      computer readable program code devices configured to cause a computer to effect utilization of said associated object class name and said associated object attribute to produce a modifiable initial representation of said input object class name and said input object attribute.
  - 49. The computer program product of claim 42 further comprising:
    - computer readable program code devices configured to cause a computer to effect creating a template to establish an initial value for said input object attribute.
  - 50. The computer program product of claim 42 further comprising:
    - computer readable program code devices configured to cause a computer to effect disallowing of entry of said proposed value of said input object attribute if said proposed value fails any one of said policies in said pertinent ones of said policy groups.
  - 51. The computer program product of claim 42 further comprising:
    - computer readable program code devices configured to cause a computer to effect conditionally allowing of entry of said proposed value of said input object attribute if said proposed value fails an advisory one of said policies in said pertinent ones of said policy groups.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Birnbaum, William C.
Primary Examiner(s)
Black, Thomas G.
Assistant Examiner(s)
Corrielus, Jean M.

Application Number

US08/856,038
Time in Patent Office

461 Days
Field of Search

707/5, 707/3, 395/186, 395/726, 395/728, 711/163
US Class Current

1/1
CPC Class Codes

G06F 9/468 Specific access rights for ...

G06F 9/50 Allocation of resources, e....

System and method for implementing a hierarchical policy for computer system administration

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for implementing a hierarchical policy for computer system administration

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links