Method of enforcing a policy on a computer network

US 6,941,465 B1
Filed: 07/26/1999
Issued: 09/06/2005
Est. Priority Date: 07/26/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method for enforcing a selected policy from a set of polices maintained by a policy server to be applied to a user interconnected to a network through a communication path, wherein the network includes a gateway and one or more resources, comprising:

receiving, by the gateway, a request from the user to access the one or more resources on the network;

selecting a user object from a plurality of stored objects, wherein the user object corresponds to the user and includes a set of attributes comprising a group to which the user belongs, a user name, password, and an override attribute;

determining whether to grant or deny access to the network based upon the user name and password;

identifying a profile that applies to the user based on the set of attributes, including the group to which the user belongs, wherein the profile includes an authorization parameter and a communication parameter;

determining, by the gateway, whether to grant or deny access to the resources on the network based upon the authorization parameter; and

configuring the communication path, including setting quality of service (QOS) based upon the communication parameter.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy server program evaluates one or more policy statements based on the group or groups to which a user belongs as well as other conditions. Each policy statement expresses an implementation of the access policy of the network, and is associated with a profile. The profile contains one or more actions that are to be applied to the user. The policy server program determines the identity of the group or groups to which the user belongs by referencing one or more group attributes contained in a user object which is located in a directory on the network. The user object and its group parameters are established when the user is added to the directory, while a policy statement for a group can be created at any time.

107 Citations

View as Search Results

23 Claims

1. A method for enforcing a selected policy from a set of polices maintained by a policy server to be applied to a user interconnected to a network through a communication path, wherein the network includes a gateway and one or more resources, comprising:
- receiving, by the gateway, a request from the user to access the one or more resources on the network;
  
  selecting a user object from a plurality of stored objects, wherein the user object corresponds to the user and includes a set of attributes comprising a group to which the user belongs, a user name, password, and an override attribute;
  
  determining whether to grant or deny access to the network based upon the user name and password;
  
  identifying a profile that applies to the user based on the set of attributes, including the group to which the user belongs, wherein the profile includes an authorization parameter and a communication parameter;
  
  determining, by the gateway, whether to grant or deny access to the resources on the network based upon the authorization parameter; and
  
  configuring the communication path, including setting quality of service (QOS) based upon the communication parameter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the network is a virtual network.
  - 3. The method of claim 1, further comprising:
    - determining a characteristic of the communication path between the user and the gateway; and
      
      determining, at the gateway, whether to grant or deny access to the one or more resources on the network based on the determined characteristic.
  - 4. The method of claim 3, wherein the characteristic of the communication path is a call-back number.
  - 5. The method of claim 3, wherein the characteristic is a medium type.
  - 6. The method of claim 1, wherein the gateway is interposed between the user and each of the resources on the network.
  - 7. The method of claim 1, further comprising:
    - replacing the authorization parameter with the override attribute.
  - 8. The method of claim 1, further comprising:
    - replacing the communication parameter with the override attribute.
  - 9. The method of claim 1, wherein the communication parameter includes an authentication type and the step of configuring the communication path comprises setting the authentication type to be applied to the user.
  - 10. The method of claim 1, wherein the step of configuring the communication path comprises setting a bandwidth.
  - 11. The method of claim 1, wherein the step of configuring the communication path comprises establishing a network address assigned to the user.
  - 12. The method of claim 1, wherein the step of configuring the communication path comprises establishing an encryption level to be applied to communications between the user and the network.
  - 13. The method of claim 1, wherein the authorization parameter represents a time of day during which the user is permitted to access the network.
  - 14. The method of claim 1, wherein the authorization parameter represents a phone number from which the user is permitted to call and access the network.

15. A computer-readable medium having computer-readable instructions for a method for enforcing a selected policy from a set of polices maintained by a policy server to be applied to a user interconnected to a network through a communication path, wherein the network includes a gateway and one or more resources, comprising:
- receiving, by the gateway, a request from the user to access the one or more resources on the network;
  
  selecting a user object from a plurality of stored objects, wherein the user object corresponds to the user and includes a set of attributes comprising a group to which the user belongs, a user name, password, and an override attribute;
  
  determining whether to grant or deny access to the network based upon the user name and password;
  
  identifying a profile that applies to the user based on the set of attributes, including the group to which the user belongs, wherein the profile includes an authorization parameter and a communication parameter;
  
  determining, by the gateway, whether to grant or deny access to the resources on the network based upon the authorization parameter; and
  
  configuring the communication path, including setting quality of service (QOS), based upon the communication parameter.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The computer-readable medium of claim 15, wherein the network is a virtual network.
  - 17. The computer-readable medium of claim 15, further comprising:
    - determining a characteristic of the communication path between the user and the gateway; and
      
      determining, at the gateway, whether to grant or deny access to the one or more resources on the network based upon the determined characteristic.
  - 18. The computer-readable medium of claim 15, further comprising:
    - replacing the authorization parameter with the override attribute.
  - 19. The computer-readable medium of claim 15, further comprising:
    - replacing the communication parameter with the override attribute.
  - 20. The computer-readable medium of claim 15, wherein the communication parameter includes an authentication type and the step of configuring the communication path comprises setting the authentication type to be applied to the user.
  - 21. The computer-readable medium of claim 15, wherein the step of configuring the communication path comprises setting a bandwidth.
  - 22. The computer-readable medium of claim 15, wherein the step of configuring the communication path comprises establishing a network address assigned to the user.
  - 23. The computer-readable medium of claim 15, wherein the step of configuring the communication path comprises establishing an encryption level to be applied to communications between the user and the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Palekar, Ashwin, Guittet, Michel, Aboba, Bernard D., Gidwani, Narendra C., Paul, Todd L., Bensley, Stephen E., Eitelbach, David L.
Primary Examiner(s)
Song, Hosuk

Application Number

US09/360,912
Time in Patent Office

2,234 Days
Field of Search

713200-202, 713/150, 713153-155, 713/162, 713166-167, 713/1, 713/100, 709217-219, 709223-225, 707/9, 707/10
US Class Current

726/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Method of enforcing a policy on a computer network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

107 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method of enforcing a policy on a computer network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links