Distributed policy model for access control
First Claim
1. A method comprising:
creating an enterprise policy object providing an enterprise-wide policy governing at least one of resource access and protocol use for a plurality of nodes within a networking environment organized within a plurality of arrays;
creating at least one array policy object, each array policy object providing an array-wide policy governing resource access for one or more of the plurality of nodes organized within a corresponding array;
for each of one or more of the at least one array policy object, inheriting an instance of the enterprise-wide policy as the array-wide policy such that the array-wide policy of each array policy object is at least initially set to the enterprise-wide policy;
for each of one or more of the at least one array policy object, adjusting the array-wide policy after the array-wide policy has inherited the enterprise-wide policy;
wherein the enterprise-wide policy includes a plurality of enterprise rules, each enterprise rule governing at least one of access to a particular resource and use of a particular protocol, each enterprise rule having a rule type selected from a positive rule type and a negative rule type, the positive rule type explicitly allowing at least one of access and use and the negative rule type explicitly denying at least one of access and use; and
wherein each array-wide policy includes a plurality of array rules, the plurality of array rules at least initially equal to the plurality of enterprise rules upon the enterprise-wide policy inherited as each array-wide policy.
Abstract
A distributed policy model for access control is disclosed. In an enterprise-only mode, each node within a networking environment has its resource access governed by the same enterprise-wide policy. The enterprise-wide policy is set through creation of one or more enterprise policy objects. In an integrated mode, nodes are organized in a number of arrays. Each array has an array-wide policy set through creation of an array policy object. Each array-wide policy initially inherits the enterprise-wide policy. Additional resource access and protocol use restrictions can be added to the individual array-wide policies. In an array-only mode, each array has an array-wide policy also set through creation of an array policy object, but the policy does not necessarily initially inherit an enterprise-wide policy. In a stand-alone mode, a single server has its own policy.
21 Claims
1. A method comprising: (independent claim 1 is reproduced in full under First Claim above) - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
13. A method comprising:
creating an enterprise policy object providing an enterprise-wide policy governing resource access of a plurality of nodes within a networking environment organized within a plurality of arrays; creating at least one array policy object, each array policy object providing an array-wide policy governing resource access for one or more of the plurality of nodes organized within a corresponding array; for each policy object, inheriting an instance of the enterprise-wide policy as the array-wide policy such that the array-wide policy of each array policy object is initially set to the enterprise-wide policy; for each one or more of the at least one array policy object, adjusting the array-wide policy after the array-wide policy has inherited the enterprise-wide policy; wherein the enterprise-wide policy includes a plurality of enterprise rules, each enterprise rule governing at least one of access to a particular resource and use of a particular protocol, each enterprise rule having a rule type selected from a positive rule type and a negative rule type, the positive rule type explicitly allowing at least one of access and use and the negative rule type explicitly denying at least one of access and use; and wherein each array-wide policy includes a plurality of array rules, the plurality of array rules initially equal to the plurality of enterprise rules upon the enterprise-wide policy inherited as each array-wide policy. - View Dependent Claims (14, 15, 16)
17. A system for governing resource access among a plurality of nodes within a networking environment, at least some of the plurality of nodes organized within a plurality of arrays, the system comprising:
an enterprise policy object providing an enterprise-wide policy governing resource access for nodes organized within at least one of the plurality of arrays; and at least one array policy object, each array policy object providing an array-wide policy governing resource access for nodes organized within the corresponding array, one or more of the at least one array policy object inheriting an instance of the enterprise-wide policy as the array-wide policy such that the array-wide policy is at least initially set to the enterprise-wide policy; wherein the array-wide policy provided by each of the at least one array policy object other than the one or more of the at least one array policy object inheriting the enterprise-wide policy does not inherit the enterprise-wide policy; wherein the enterprise-wide policy includes a plurality of enterprise rules, each enterprise rule governing at least one of access to a particular resource and use of a particular protocol, each enterprise rule having a rule type selected from a positive rule type and a negative rule type, the positive rule type explicitly allowing at least one of access and use and the negative rule type explicitly denying at least one of access and use; wherein the array-wide policy provided by each of the one or more of the at least one array policy object includes a plurality of first array rules at least initially equal to the plurality of enterprise rules upon the enterprise-wide policy inherited as each array-wide policy; and wherein the array-wide policy provided by each of the at least one array policy object other than the one or more of the at least one array policy object inheriting the enterprise-wide policy includes a plurality of second array rules not initially equal to the plurality of enterprise rules, each second array rule having a rule type selected from the positive rule type and the negative rule type. - View Dependent Claims (18, 19, 20, 21)
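As an added illustration of the policy model described in the abstract and claims (example code written for this page, not code from the patent): an array-wide policy object inherits a copy of the enterprise-wide rules (integrated mode), is then adjusted with an extra negative rule, while a second array keeps its own rules without inheriting (array-only mode). The evaluation order in `decide` (a negative rule overrides a positive one, and an unmatched target is denied) is an assumption; the page specifies rule types but not their precedence.

```python
from enum import Enum

class RuleType(Enum):
    POSITIVE = "allow"   # explicitly allows access to a resource or use of a protocol
    NEGATIVE = "deny"    # explicitly denies it

class Rule:
    def __init__(self, target, rule_type):
        self.target = target          # resource or protocol name, e.g. "smb"
        self.rule_type = rule_type

class PolicyObject:
    # An enterprise-wide or array-wide policy: an ordered list of rules.
    def __init__(self, name, rules=()):
        self.name = name
        self.rules = list(rules)

    def inherit(self, parent):
        # Integrated mode: the array-wide policy starts as an instance of the
        # enterprise-wide policy. Copied, so later adjustments stay local.
        self.rules = list(parent.rules)
        return self

    def adjust(self, rule):
        # Adjustment after inheritance: add a further restriction or allowance.
        self.rules.append(rule)
        return self

    def decide(self, target):
        # Assumed evaluation order (the page states none): a negative rule for
        # the target denies, otherwise a positive rule allows, otherwise deny.
        kinds = {r.rule_type for r in self.rules if r.target == target}
        return RuleType.NEGATIVE not in kinds and RuleType.POSITIVE in kinds

def demo():
    # Constructed sample: enterprise allows http and smb, denies telnet.
    enterprise = PolicyObject("enterprise", [Rule("http", RuleType.POSITIVE),
                                             Rule("smb", RuleType.POSITIVE),
                                             Rule("telnet", RuleType.NEGATIVE)])
    # Integrated mode: the branch array inherits, then restricts smb.
    branch = PolicyObject("branch").inherit(enterprise)
    branch.adjust(Rule("smb", RuleType.NEGATIVE))
    # Array-only mode: the lab array has its own rules and never inherited.
    lab = PolicyObject("lab", [Rule("ssh", RuleType.POSITIVE)])
    return {
        "enterprise_smb": enterprise.decide("smb"),      # True
        "branch_smb": branch.decide("smb"),              # False: adjusted after inheriting
        "branch_http": branch.decide("http"),            # True: inherited
        "lab_http": lab.decide("http"),                  # False: no enterprise rule present
        "enterprise_rule_count": len(enterprise.rules),  # 3: the copy left the parent intact
    }
```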