Resource policy management using a centralized policy data structure

US 6,957,261 B2
Filed: 07/17/2001
Issued: 10/18/2005
Est. Priority Date: 07/17/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

receiving first policy data associated with a particular resource from a first principal, wherein the first principal is an entity authorized to access a centralized policy data structure associated with the particular resource;

authenticating the first principal;

modifying the centralized policy data structure associated with the particular resource based on the received first policy data if the first principal is authenticated;

receiving second policy data associated with the particular resource from a second different principal, wherein the second different principal is a different entity authorized to access the centralized policy data structure associated with the particular resource; and

modifying the centralized policy data structure associated with the particular resource based on the received second policy data if the second principal is authenticated.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Managing policies includes receiving policy data associated with a resource from a resource owner over a network, authenticating the resource owner to determine whether to accept the received policy data, and storing the received policy data in a centralized data structure if the resource owner is authenticated.

212 Citations

19 Claims

1. A method comprising:
- receiving first policy data associated with a particular resource from a first principal, wherein the first principal is an entity authorized to access a centralized policy data structure associated with the particular resource;
  
  authenticating the first principal;
  
  modifying the centralized policy data structure associated with the particular resource based on the received first policy data if the first principal is authenticated;
  
  receiving second policy data associated with the particular resource from a second different principal, wherein the second different principal is a different entity authorized to access the centralized policy data structure associated with the particular resource; and
  
  modifying the centralized policy data structure associated with the particular resource based on the received second policy data if the second principal is authenticated.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein receiving first policy data includes receiving a first data portion which includes credentials for authenticating access to the particular resource and a second data portion which includes an access control list specifying access permission levels for controlling access to data and operations associated with the particular resource.
  - 3. The method of claim 1 wherein the second principal is an entity separate from the resource owner of the particular resource, and wherein receiving second policy data includes receiving user policy data indicative of allowing supplementary conditional access to the particular resource.
  - 4. The method of claim 1, wherein authenticating the first principal comprises authenticating the first principal using public key cryptography.

5. A method comprising:
- receiving from a resource owner a policy query associated with a resource, the policy query including a policy identifier, a resource name, an access control level, and client credentials associated with a client seeking to access the resource;
  
  authenticating the resource owner;
  
  searching for policy data based on the policy identifier;
  
  determining a policy query result indicative of whether the policy data grants the client access to the resource based on the client credentials and the access control level; and
  
  returning to the resource owner the policy query result.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5 wherein determining the policy query result comprises determining whether the policy data grants the client access to the resource based on an access inheritance at least at the access control level.
  - 7. The method of claim 5 wherein determining the policy query result comprises determining whether the policy data grants the client access to the resource based on the client credentials at least at the access control level.
  - 8. The method of claim 5, wherein authenticating the resource owner comprises including authenticating the resource owner using public key cryptography.

9. An apparatus comprising:
- a centralized data structure associated with a particular resource; and
  
  a policy manager to receive policy data associated with the particular resource from a plurality of principals authorized to modify the centralized data structure associated with the particular resource, authenticate the plurality of principals, and in response to receiving first policy data from a first principal of the plurality of principals, modify the centralized data structure associated with the particular resource based on the first policy data.
- View Dependent Claims (10, 11)
- - 10. The apparatus of claim 9 wherein the centralized data structure associated with the particular resource includes a first data portion including information indicative of authentication credentials of the plurality of principals authorized to access the centralized data structure associated with the particular resource and a second data portion which includes an access control list including data indicative of access permission levels for controlling access to data and operations associated with the particular resource.
  - 11. The apparatus of claim 9 wherein the centralized data structure associated with the particular resource stores policy data including policy data that grants supplementary conditional access to the particular resource.

12. An apparatus comprising:
- a centralized data structure including a plurality of device data structures; and
  
  a processor configured to;
  
  receive from a resource owner of a particular resource a policy query associated with the particular resource, the policy query including a policy identifier, a resource name, an access control level, and client credentials associated with a client seeking to access the particular resource, authenticate the resource owner to determine whether to accept the policy query, search the centralized data structure for a device data structure associated with the particular resource based on the policy identifier, determine a policy query result indicative of whether the policy data grants the client access to the particular resource based on the client credentials and the access control level, and return to the resource owner the policy query result.
- View Dependent Claims (13, 14)
- - 13. The apparatus of claim 12 wherein the processor is configured to:
    - search the centralized data structure for a device data structure including user policy data for the particular resource associated with the resource name; and
      
      determine whether the user policy data grants the client access to the particular resource based on an access inheritance at least at the access control level.
  - 14. The apparatus of claim 12 wherein the processor is configured to:
    - search the centralized data structure for a device data structure including user policy data for the particular resource associated with the resource name; and
      
      determine whether the user policy data grants the client access to the particular resource based on the client credentials at least at the access control level.

15. An article comprising a computer-readable medium that stores computer-executable instructions for causing a computer system to:
- authenticate a first principal to determine whether to accept first policy data associated with a particular resource, in response to receiving the first policy data from the first principal; and
  
  modify a centralized device data structure associated with the particular resource using the first policy data, if the first principal is authenticated;
  
  authenticate a second different principal to determine whether to accept second policy data associated with the particular resource, in response to receiving the second policy data from the second principal; and
  
  modify the centralized device data structure associated with the particular resource using the first policy data, if the second principal is authenticated.
- View Dependent Claims (16)
- - 16. The article of claim 15, wherein the instructions to authenticate the first principle includes instructions for causing the computer system to authenticate the first principal using public key cryptography.

17. An article comprising a computer-readable medium that stores computer-executable instructions for causing a computer system to:
- forward a client request to access a resource associated with a resource owner to a policy manager over a network, in response to receiving the client request from a client;
  
  evaluate policy data received from the policy manager over the network;
  
  determine a policy query result indicative of whether to grant the client access to the resource based on evaluating the policy data; and
  
  return to the resource owner the policy query result.
- View Dependent Claims (18, 19)
- - 18. The article of claim 17 wherein the instructions for causing the computer system to determine a policy query result comprise instructions for causing the computer system to determine whether to grant the client access to the resource based on a signal from the policy manager indicating whether to grant access to the client.
  - 19. The article of claim 17 wherein the instructions for causing the computer system to determine a policy query result comprise instructions for causing the computer system to determine whether to grant the client access to the resource based on evaluating local policy data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Lortz, Victor B.
Primary Examiner(s)
Harrell, Robert B.

Application Number

US09/908,437
Publication Number

US 20030018786A1
Time in Patent Office

1,554 Days
Field of Search

709/223, 709/226, 713/150, 713/156
US Class Current

709/226
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/28   Restricting access to netwo...

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Resource policy management using a centralized policy data structure

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

212 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Resource policy management using a centralized policy data structure

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

212 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links