Mechanism for merging multiple policies
Abstract
A mechanism for merging multiple source policies to derive a resultant policy is disclosed. The source policies, which may represent sets of laws/regulations, and which may comprise zero or more entries with each entry comprising an identifier and a set of one or more limitations, are merged by first selecting a current entry in a first source policy. Then a determination is made as to whether there is an entry in a second source policy which corresponds to the current entry. If so, then the limitations in the current entry are processed with the limitations in the corresponding entry to derive a set of resultant limitations. The limitations are processed such that the resultant limitations comprise the most restrictive limitations of the current entry and the corresponding entry. By doing so, it is ensured that the resultant limitations comply with both the first and the second source policies. Once the resultant limitations are derived, a new entry is created in the resultant policy which comprises the resultant limitations. The resultant policy is thus populated.
49 Claims
1. A method for processing a plurality of source policies to derive a resultant policy, each of the source policies comprising zero or more entries with each entry comprising an identifier and one or more limitations, said method comprising:
selecting a current entry from a first source policy;
determining whether a second source policy comprises a corresponding entry which corresponds to said current entry;
in response to a determination that said second source policy comprises a corresponding entry, processing the limitations in said current entry and the limitations in said corresponding entry to derive a set of resultant limitations, said resultant limitations comprising the limitations of said current entry and said corresponding entry which are most restrictive; and
creating in a resultant policy a new entry comprising said resultant limitations.
comparing the identifier of said current entry with the identifier of at least one entry in said second source policy.
3. The method of claim 2, wherein the identifier of each entry comprises an encryption algorithm identifier.
4. The method of claim 2, wherein the identifier of each entry comprises an encryption algorithm identifier and an exemption mechanism identifier.
5. The method of claim 1, wherein the limitations of each entry comprises encryption limitations to be imposed on one or more encryption algorithms.
6. The method of claim 5, wherein said encryption limitations comprise a maximum encryption key size.
7. The method of claim 6, wherein said encryption limitations further comprise a maximum number of encryption rounds.
8. The method of claim 1, wherein said resultant limitations are derived on a limitation by limitation basis.
9. The method of claim 1, wherein said first source policy represents a first set of laws/regulations, and said second source policy represents a second and different set of laws/regulations.
10. The method of claim 9, wherein said first set of laws/regulations is export laws/regulations, and wherein said second set of laws/regulations is local import laws/regulations.
11. The method of claim 1, wherein each of said source policies comprises a default component which specifies default limitations to impose on one or more encryption algorithms.
12. The method of claim 1, wherein each of said source policies comprises an exempt component which specifies limitations to impose on one or more encryption algorithms when one or more exemption mechanisms are enforced.
13. The method of claim 1, further comprising:
in response to a determination that said second source policy does not comprise a corresponding entry, determining whether said second source policy comprises a wildcard entry;
in response to a determination that said second source policy comprises a wildcard entry, processing the limitations in said current entry and the limitations in said wildcard entry to derive a set of alternative resultant limitations, said alternative resultant limitations comprising the limitations of said current entry and said wildcard entry which are most restrictive; and
creating in said resultant policy a new entry comprising said alternative resultant limitations.
14. The method of claim 13, further comprising:
determining whether said first source policy comprises a wildcard entry; and
in response to a determination that said first source policy does not comprise a wildcard entry, terminating processing of said first and second source policies.
15. The method of claim 14, further comprising:
in response to a determination that said first source policy comprises a wildcard entry, selecting a next entry in said second source policy;
determining whether said resultant policy comprises an entry which corresponds to said next entry;
in response to a determination that said resultant policy does not comprise an entry corresponding to said next entry, processing the limitations in said next entry and the limitations in the wildcard entry of said first source policy to derive a second set of alternative resultant limitations, said second set of alternative resultant limitations comprising the limitations of said next entry and the wildcard entry of said first source policy which are most restrictive; and
creating in said resultant policy a new entry comprising said second set of resultant limitations.
16. The method of claim 1, further comprising:
in response to a determination that said resultant policy comprises an entry corresponding to said next entry, selecting another entry in said second source policy to process.
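An added illustration of the merge described in claims 1 and 13 to 16 (not code from the patent). Policies are modelled as dicts keyed by identifier; the `*` wildcard spelling, the limitation names and the sample values are constructed, and an entry with neither a match nor a wildcard in the other policy is assumed to yield no resultant entry.

```python
WILDCARD = "*"  # assumed spelling of the wildcard identifier

def most_restrictive(a, b):
    """Per-limitation merge (claim 8). All limitations here are maxima, so
    the smaller value wins; a limitation one entry omits is taken from the
    other entry (assumption: omitted means unconstrained)."""
    return {k: min(e[k] for e in (a, b) if k in e)
            for k in sorted(set(a) | set(b))}

def merge_policies(first, second):
    result = {}
    for ident, limits in first.items():
        if ident in second:                   # corresponding entry (claim 1)
            result[ident] = most_restrictive(limits, second[ident])
        elif WILDCARD in second:              # wildcard fallback (claim 13)
            result[ident] = most_restrictive(limits, second[WILDCARD])
        # otherwise the second policy has nothing for it: no entry (assumed)
    if WILDCARD not in first:                 # claim 14: processing ends here
        return result
    for ident, limits in second.items():      # claims 15 and 16
        if ident not in result:
            result[ident] = most_restrictive(limits, first[WILDCARD])
    return result

def complies(result, policy):
    """Audit check: every resultant entry stays within what `policy` allows."""
    for ident, limits in result.items():
        allowed = policy.get(ident, policy.get(WILDCARD))
        if allowed is None:
            return False                      # policy does not permit it at all
        if any(limits.get(k, float("inf")) > v for k, v in allowed.items()):
            return False
    return True

# Constructed sample policies (values are illustrative, not real regulations).
EXPORT = {
    "DES": {"max_key_size": 64},
    "RC5": {"max_key_size": 128, "max_rounds": 12},
    WILDCARD: {"max_key_size": 128},
}
IMPORT = {
    "DES": {"max_key_size": 56},
    "Blowfish": {"max_key_size": 448},
}

if __name__ == "__main__":
    merged = merge_policies(EXPORT, IMPORT)
    print(merged)
    print(complies(merged, EXPORT), complies(merged, IMPORT))
```

RC5 drops out of the merged policy because the import policy has neither an RC5 entry nor a wildcard, while Blowfish is admitted only through the export policy's wildcard and inherits its limit.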
17. A computer system, comprising:
a mechanism for processing multiple source policies to derive a set of specified limitations;
a mechanism for determining a set of restrictions based at least upon said set of specified limitations; and
a mechanism for enforcing said restrictions on an implementation of a service.
a mechanism for selecting a current entry from a first source policy;
a mechanism for determining whether a second source policy comprises a corresponding entry which corresponds to said current entry;
a mechanism for processing, in response to a determination that said second source policy comprises a corresponding entry, the limitations in said current entry and the limitations in said corresponding entry to derive a set of resultant limitations, said resultant limitations comprising the limitations of said current entry and said corresponding entry which are most restrictive; and
a mechanism for creating in a resultant policy a new entry comprising said resultant limitations, said resultant policy representing said set of specified limitations.
19. The system of claim 18, wherein the mechanism for determining whether a second source policy comprises a corresponding entry comprises:
a mechanism for comparing the identifier of said current entry with the identifier of at least one entry in said second source policy.
20. The system of claim 19, wherein the identifier of each entry comprises an encryption algorithm identifier.
21. The system of claim 19, wherein the identifier of each entry comprises an encryption algorithm identifier and an exemption mechanism identifier.
22. The system of claim 18, wherein the limitations of each entry comprises encryption limitations to be imposed on one or more encryption algorithms.
23. The system of claim 22, wherein said encryption limitations comprise a maximum encryption key size.
24. The system of claim 23, wherein said encryption limitations further comprise a maximum number of encryption rounds.
25. The system of claim 18, wherein said resultant limitations are derived on a limitation by limitation basis.
26. The system of claim 18, wherein said first source policy represents a first set of laws/regulations, and said second source policy represents a second and different set of laws/regulations.
27. The system of claim 26, wherein said first set of laws/regulations is export laws/regulations, and wherein said second set of laws/regulations is local import laws/regulations.
28. The system of claim 18, wherein each of said source policies comprises a default component which specifies default limitations to impose on one or more encryption algorithms.
29. The system of claim 18, wherein each of said source policies comprises an exempt component which specifies limitations to impose on one or more encryption algorithms when one or more exemption mechanisms are enforced.
30. The system of claim 18, wherein the mechanism for processing multiple source policies further comprises:
a mechanism for determining, in response to a determination that said second source policy does not comprise a corresponding entry, whether said second source policy comprises a wildcard entry;
a mechanism for processing, in response to a determination that said second source policy comprises a wildcard entry, the limitations in said current entry and the limitations in said wildcard entry to derive a set of alternative resultant limitations, said alternative resultant limitations comprising the limitations of said current entry and said wildcard entry which are most restrictive; and
a mechanism for creating in said resultant policy a new entry comprising said alternative resultant limitations.
31. The system of claim 30, wherein the mechanism for processing multiple source policies further comprises:
a mechanism for determining whether said first source policy comprises a wildcard entry; and
a mechanism for terminating, in response to a determination that said first source policy does not comprise a wildcard entry, processing of said first and second source policies.
32. The system of claim 31, wherein the mechanism for processing multiple source policies further comprises:
a mechanism for selecting, in response to a determination that said first source policy comprises a wildcard entry, a next entry in said second source policy;
a mechanism for determining whether said resultant policy comprises an entry which corresponds to said next entry;
a mechanism for processing, in response to a determination that said resultant policy does not comprise an entry corresponding to said next entry, the limitations in said next entry and the limitations in the wildcard entry of said first source policy to derive a second set of alternative resultant limitations, said second set of alternative resultant limitations comprising the limitations of said next entry and the wildcard entry of said first source policy which are most restrictive; and
a mechanism for creating in said resultant policy a new entry comprising said second set of resultant limitations.
33. The system of claim 32, wherein the mechanism for processing multiple source policies further comprises:
a mechanism for selecting, in response to a determination that said resultant policy comprises an entry corresponding to said next entry, another entry in said second source policy to process.
34. A computer readable medium having stored thereon instructions which, when executed by one or more processors, cause the one or more processors to process a plurality of source policies to derive a resultant policy, wherein each of the source policies comprises zero or more entries with each entry comprising an identifier and one or more limitations, said computer readable medium comprising:
instructions for causing one or more processors to select a current entry from a first source policy;
instructions for causing one or more processors to determine whether a second source policy comprises a corresponding entry which corresponds to said current entry;
instructions for causing one or more processors to process, in response to a determination that said second source policy comprises a corresponding entry, the limitations in said current entry and the limitations in said corresponding entry to derive a set of resultant limitations, said resultant limitations comprising the limitations of said current entry and said corresponding entry which are most restrictive; and
instructions for causing one or more processors to create in a resultant policy a new entry comprising said resultant limitations.
instructions for causing one or more processors to compare the identifier of said current entry with the identifier of at least one entry in said second source policy.
36. The computer readable medium of claim 35, wherein the identifier of each entry comprises an encryption algorithm identifier.
37. The computer readable medium of claim 35, wherein the identifier of each entry comprises an encryption algorithm identifier and an exemption mechanism identifier.
38. The computer readable medium of claim 34, wherein the limitations of each entry comprises encryption limitations to be imposed on one or more encryption algorithms.
39. The computer readable medium of claim 38, wherein said encryption limitations comprise a maximum encryption key size.
40. The computer readable medium of claim 39, wherein said encryption limitations further comprise a maximum number of encryption rounds.
41. The computer readable medium of claim 34, wherein said resultant limitations are derived on a limitation by limitation basis.
42. The computer readable medium of claim 34, wherein said first source policy represents a first set of laws/regulations, and said second source policy represents a second and different set of laws/regulations.
43. The computer readable medium of claim 42, wherein said first set of laws/regulations is export laws/regulations, and wherein said second set of laws/regulations is local import laws/regulations.
44. The computer readable medium of claim 34, wherein each of said source policies comprises a default component which specifies default limitations to impose on one or more encryption algorithms.
45. The computer readable medium of claim 34, wherein each of said source policies comprises an exempt component which specifies limitations to impose on one or more encryption algorithms when one or more exemption mechanisms are enforced.
46. The computer readable medium of claim 34, further comprising:
instructions for causing one or more processors to determine, in response to a determination that said second source policy does not comprise a corresponding entry, whether said second source policy comprises a wildcard entry;
instructions for causing one or more processors to process, in response to a determination that said second source policy comprises a wildcard entry, the limitations in said current entry and the limitations in said wildcard entry to derive a set of alternative resultant limitations, said alternative resultant limitations comprising the limitations of said current entry and said wildcard entry which are most restrictive; and
instructions for causing one or more processors to create in said resultant policy a new entry comprising said alternative resultant limitations.
47. The computer readable medium of claim 46, further comprising:
instructions for causing one or more processors to determine whether said first source policy comprises a wildcard entry; and
instructions for causing one or more processors to terminate, in response to a determination that said first source policy does not comprise a wildcard entry, processing of said first and second source policies.
48. The computer readable medium of claim 47, further comprising:
instructions for causing one or more processors to select, in response to a determination that said first source policy comprises a wildcard entry, a next entry in said second source policy;
instructions for causing one or more processors to determine whether said resultant policy comprises an entry which corresponds to said next entry;
instructions for causing one or more processors to process, in response to a determination that said resultant policy does not comprise an entry corresponding to said next entry, the limitations in said next entry and the limitations in the wildcard entry of said first source policy to derive a second set of alternative resultant limitations, said second set of alternative resultant limitations comprising the limitations of said next entry and the wildcard entry of said first source policy which are most restrictive; and
instructions for causing one or more processors to create in said resultant policy a new entry comprising said second set of resultant limitations.
49. The computer readable medium of claim 48, further comprising:
instructions for causing one or more processors to select, in response to a determination that said resultant policy comprises an entry corresponding to said next entry, another entry in said second source policy to process.
Specification