Distributed policy model for access control

US 7,013,332 B2
Filed: 01/09/2001
Issued: 03/14/2006
Est. Priority Date: 01/09/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

creating an enterprise policy object providing an enterprise-wide policy governing at least one of resource access and protocol use for a plurality of nodes within a networking environment organized within a plurality of arrays;

creating at least one array policy object, each array policy object providing an array-wide policy governing resource access for one or more of the plurality of nodes organized within a corresponding array;

for each of one or more of the at least one array policy object, inheriting an instance of the enterprise-wide policy as the array-wide policy such that the array-wide policy if each array policy object is at least initially set to the enterprise-wide policy;

for each of one of more of the at least one array policy object, adjusting the array-wide policy after the array-wide policy has inherited the enterprise-wide policy;

wherein the enterprise-wide policy includes a plurality of enterprise rules, each enterprise rule governing at least one of access to a particular resource and use of a particular protocol, each enterprise rule having a rule type selected from a positive rule type and a negative rule type, the positive rule type explicitly allowing at least one access and use and the negative rule type explicitly denying at least one of access and use; and

wherein each array-wide policy includes a plurality of array rules, the plurality of array rules at least initially equal to the plurality of enterprise rules upon the enterprise-wide policy inherited as each array-wide policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A distributed policy model for access control is disclosed. In an enterprise-only mode, each node within a networking environment has its resource access governed by the same enterprise-wide policy. The enterprise-wide policy is set through creation of one or more enterprise policy objects. In an integrated mode, nodes are organized in a number of arrays. Each array has an array-wide policy set through creation of an array policy object. Each array-wide policy initially inherits the enterprise-wide policy. Additional resource access and protocol use restrictions can be added to the individual array-wide policies. In an array-only mode, each array has an array-wide policy also set through creation of an array policy object, but the policy does not necessarily initially inherit an enterprise-wide policy. In a stand-alone mode, a single server has its own policy.

Citations

21 Claims

1. A method comprising:
- creating an enterprise policy object providing an enterprise-wide policy governing at least one of resource access and protocol use for a plurality of nodes within a networking environment organized within a plurality of arrays;
  
  creating at least one array policy object, each array policy object providing an array-wide policy governing resource access for one or more of the plurality of nodes organized within a corresponding array;
  
  for each of one or more of the at least one array policy object, inheriting an instance of the enterprise-wide policy as the array-wide policy such that the array-wide policy if each array policy object is at least initially set to the enterprise-wide policy;
  
  for each of one of more of the at least one array policy object, adjusting the array-wide policy after the array-wide policy has inherited the enterprise-wide policy;
  
  wherein the enterprise-wide policy includes a plurality of enterprise rules, each enterprise rule governing at least one of access to a particular resource and use of a particular protocol, each enterprise rule having a rule type selected from a positive rule type and a negative rule type, the positive rule type explicitly allowing at least one access and use and the negative rule type explicitly denying at least one of access and use; and
  
  wherein each array-wide policy includes a plurality of array rules, the plurality of array rules at least initially equal to the plurality of enterprise rules upon the enterprise-wide policy inherited as each array-wide policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising, for a requested access via a requested protocol by a node organized within one of the plurality of arrays,applying the array-wide policy of the policy object corresponding to the one of the plurality of arrays to determine whether to allow the requested access via the requested protocol, such that the requested access via the requested protocol is allowed only where the requested access via the requested protocol is explicitly allowed by the plurality of rules and not explicitly denied by the plurality of rules;
    - allowing the requested access via the requested protocol in response to determining that the requested access via the requested protocol is allowed; and
      
      ,denying the requested access via the requested protocol in response to determining that the requested access via the requested protocol is not allowed.
  - 3. The method of claim 1, wherein adjusting the array-wide policy comprises adding one or more new array rules to the plurality of array rules, each of the new array rules having a negative rule type explicitly denying one of access to a particular resource and use of a particular protocol.
  - 4. The method of claim 3, further comprising, for a requested access via a requested protocol by a node organized within one of the plurality of arrays,applying the array-wide policy of the policy object corresponding to the one of the plurality of arrays to determine whether to allow the requested access via the requested protocol, such that the requested access via the requested protocol is allowed only where the requested access via the requested protocol is explicitly allowed by the plurality of rules and not explicitly denied by the plurality of rules;
    - allowing the requested access via the requested protocol in response to determining that the requested access via the requested protocol is allowed; and
      
      ,denying the requested access via the requested protocol in response to determining that the requested access via the requested protocol is not allowed.
  - 5. A computer-readable medium having stored thereon a computer program executable by a processor to perform the method of claim 1.
  - 6. The method of claim 1, wherein the enterprise-wide policy and the array-wide policy are overseen according to one of the plurality of modes comprising:
    - an enterprise-only mode;
      
      an integrated mode;
      
      an array-only mode; and
      
      a stand-alone mode.
  - 7. The method of claim 6 wherein, when overseen according to the integrated mode, each array rule added to the array-wide policy beyond those inherited from the enterprise-wide policy is of the negative rule type.
  - 8. The method of claim 1, wherein the enterprise-wide policy is capable of governing both resource access and protocol use.
  - 9. The method of claim 8, wherein governing protocol use comprises:
    - allowing the use of at least one protocol; and
      
      denying the use of at least one protocol.
  - 10. The method of claim 1, wherein:
    - the enterprise policy object is secured with a first set of security permissions; and
      
      the array policy object is secured with a second set of security permissions.
  - 11. The method of claim 10, wherein each set of policy object security permissions comprises:
    - a read permission;
      
      a write permission; and
      
      a change permission.
  - 12. The method of claim 11, wherein each set of policy object security permissions further comprises:
    - a write owner permission;
      
      a write discretionary access control permission; and
      
      a change system access control list permission.

13. A method comprising:
- creating an enterprise policy object providing an enterprise-wide policy governing resource access of a plurality of nodes within a networking environment organized within a plurality of arrays;
  
  creating at least one array policy object, each array policy object providing an array-wide policy governing resource access for one or more of the plurality of nodes organized within a corresponding array;
  
  for each policy object, inheriting an instance of the enterprise-wide policy as the array-wide policy such that the array-wide policy of each array policy object is initially set to the enterprise-wide policy;
  
  for each one or more of the at least one array policy object, adjusting the array-wide policy after the array-wide policy has inherited the enterprise-wide policy;
  
  wherein the enterprise-wide policy includes a plurality of enterprise rules, each enterprise rule govering at least one of access to a particular resource and user of a particular protocol, each enterprise rule having a rule type selected from a positive rule type and a negative rule type, the positive rule time explicitly allowing at least one of access and use and the negative rule type explicitly denying at least one of access and use; and
  
  ,wherein each array-wide policy includes a plurality of array rules, the plurality of array rules initially equal to the plurality of enterprise rules upon the enterprise-wide policy inherited as each array-wide policy.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, wherein adjusting the array-wide policy comprises adding one or more new array rules to the plurality of array rules, each of the new array rules having the negative rule type.
  - 15. The method of claim 14, further comprising, for a requested access via a requested protocol by a node organized within one of the plurality of arrays,applying the array-wide policy of the policy object corresponding to the one of the plurality of arrays to determine whether to allow the requested access via the requested protocol, such that the requested access via the requested protocol is allowed only where the requested access via the requested protocol explicitly allowed byte plurality of rules and not explicitly denied by the plurality of rules;
    - allowing the requested access via the requested protocol in response to determining that the requested access via the requested protocol is allowed; and
      
      ,denying the requested access via the requested protocol in response to determining that the requested access via the requested protocol is not allowed.
  - 16. A computer-readable medium having stored thereon a computer program executable by a processor to perform the method of claim 13.

17. A system for governing resource access among a plurality of nodes within a networking environment, at least some of the plurality of nodes organized within a plurality of arrays, the system comprising:
- an enterprise-policy object providing an enterprise-wide policy governing resource access for nodes organized within at least one of the plurality of arrays; and
  
  ,at least one array policy object, each array policy object providing an array-wide policy governing resource access for nodes organized within the corresponding array, one or more of the at least one array policy object inheriting an instance of the enterprise-wide policy as the array-wide policy such that the array-wide policy is at least initially set to the enterprise-wide policy;
  
  wherein the array-wide policy provided by each of the at least one array policy object other than the one or more of the at least one array policy object inheriting the enterprise-wide policy does not inherit the enterprise-wide policy;
  
  wherein the enterprise-wide policy includes a plurality of enterprise rules, each enterprise rule governing at least one of access to a particular resource and use of a particular protocol, each enterprise rule having a rule type selected from a positive rule type and a negative rule type, the positive rule type explicitly allowing at least one of access and use and the negative rule type explicitly denying at least one of access and use;
  
  wherein the array-wide policy provided by each of the one or more of the least one array policy object includes a plurality of first array rules at least initially equal to the plurality of enterprise rules upon the enterprise-wide policy inherited as each array-wide policy; and
  
  ,wherein the array-wide policy provided by each of the at least one array policy object other than the one or more of the at least one array policy object inheriting the enterprise-wide policy includes a plurality of second array rules not initially equal to the plurality of enterprise rules, each second array rule having a rule type selected from the positive rule type and the negative rule type.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The system of claim 17, wherein the array-wide policy provided by each of the one or more of the at least one array policy object includes a plurality of array rules at least initially equal to the plurality of enterprise rules upon the enterprise-wide policy inherited as each array-wide policy.
  - 19. The system of claim 17, where the array-wide policy provided by each of the one or more of the at least one array policy object further includes one or more other first array rules, each of the one or more other first may rules having the negative rule type.
  - 20. The system of claim 17, further comprising at least one node policy object, each node policy object providing a node policy governing resource access for a corresponding node of the plurality of nodes other than the one or more of the plurality of nodes organized within the plurality of arrays.
  - 21. The system of claim 20, wherein the node policy includes a plurality of node rules, each node rule governing at least one of access to a particular resource and use of a particular protocol, each node rule having a rule type selected from a positive rule type and a negative rule type, the positive rule type explicitly allowing at least one of access and use and the negative rule type explicitly denying at least one of access and use.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Katz, Ariel, Shamir, Yaron, Nathan, Abraham, Friedel, Guy
Primary Examiner(s)
Etienne, Ario
Assistant Examiner(s)
JACOBS, LASHONDA T

Application Number

US09/681,106
Publication Number

US 20020138631A1
Time in Patent Office

1,890 Days
Field of Search

709223-225, 709/229, 713/201, 707/3, 707/10, 707/200
US Class Current

709/223
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/20 for managing network securi...

Distributed policy model for access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed policy model for access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links