Policy representations and mechanisms for the control of software
First Claim
1. A multi-agent for managing system policies on a site operating in one of a plurality of system modes within a virtual network, wherein said system policies include authorization policies for controlling one of either permission or interdiction of actions by an agent, and obligation policies for specifying said actions said agent is responsible for performing, comprising:
a plurality of service and device agents, at least one of which functions as a requester agent defined by at least one obligation policy, and another of which functions as an executor agent for performing an action requested by said requester agent in order to fulfil said at least one obligation policy;
an authorization server operating in accordance with said authorization policies for receiving and authenticating requests from said requester agent and in response returning one of either (i) a permission authorization to said requester agent, which in response forwards said permission authorization to said executor agent for performing said action, or (ii) an interdiction to said requester agent for prohibiting said action;
a policy server for (i) receiving and downloading said obligation policies into said plurality of service and device agents, (ii) for distributing said authorization policies to said authorization server, and (iii) for managing said system policies in accordance with changes in said system modes; and
an event server for effecting shared communication between plurality of service and device agents.
Abstract
According to the present invention, an architecture of multiple agents is provided for setting up and enforcing policies within each site of a virtual network. A policy server represents the global policies of the site and each agent manages its own policies. Policies are dynamically downloaded from the policy server into agents that carry the responsibility to enforce them. Agents propagate their policies to the policy server to detect any conflict that may arise between agents during dynamic mapping and resource reservation. A negotiation mechanism is provided to resolve such conflicts. An authorization-based mechanism is also provided such that agents must request authorization before performing any action, in response to which a ticket is delivered to the requesting agent for accountability and security reasons.
14 Claims
1. Independent claim, set out in full above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 12, 13, 14.
9. In a multi-agent system having a requester agent defined by at least one obligation policy, an executor defined by at least one authorization policy for performing an action requested by said requester agent in order to fulfil said at least one obligation policy, and an authorization server in communication with said requester agent and said executor agent, an action authorization method comprising the steps of:
sending a request from said requester agent to said authorization server for execution of said action; receiving and authenticating said request within said authorization server and in response to generating and returning one of either (i) a permission authorization to said requester agent in the event that said obligation policy of said requester agent does not conflict with the authorization policy of said executor agent, or (ii) an interdiction to said requester agent for prohibiting said action in the event that said obligation policy of said requester agent conflicts with the authorization policy of said executor agent; and modifying said request within said requester and sending a resultant modified request to said authorization server in the event that said authorization server previously returned said interdiction;
or sending said permission authorization to said executor agent for performing said action in the event said authorization server previously returned said permission authorization, and thereafter sending a confirmation from said executor agent to said requester agent confirming execution of said action.
Dependent claims: 10, 11.
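A compact simulation of the action authorization method of claim 9, with the ticket described in the abstract, as an added example that is not code from the patent or its applicants: the agent names, the HMAC-based request authentication and tickets, the size-limit form of the executor's authorization policy, and the "halve the size and resend" modification are all constructed assumptions, chosen so that the interdiction-then-retry path and the permission-then-confirmation path can both be exercised offline.

```python
import hmac, hashlib, json
AUTH_KEY = b"constructed-shared-key"    # constructed: authenticates requester -> authorization server
TICKET_KEY = b"constructed-ticket-key"  # constructed: authorization server -> executor tickets

def tag(key, payload):
    # HMAC over canonical JSON: authenticates a request, or proves a ticket came from the server
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class AuthorizationServer:
    def __init__(self, authz_policies):
        # executor -> {action: max_size}, as distributed by the policy server; plus an accountability log
        self.authz, self.log = authz_policies, []
    def decide(self, request, mac):
        # authenticate, then return ("permission", ticket) or ("interdiction", reason)
        if not hmac.compare_digest(tag(AUTH_KEY, request), mac):
            return ("interdiction", "request authentication failed")
        limit = self.authz.get(request["executor"], {}).get(request["action"])
        if limit is None or request["size"] > limit:
            self.log.append(("interdiction", request))
            return ("interdiction", f"{request['action']} of size {request['size']} not permitted (limit {limit})")
        self.log.append(("permission", request))
        return ("permission", {"request": request, "ticket": tag(TICKET_KEY, request)})

class ExecutorAgent:
    def __init__(self, name):
        self.name = name
    def execute(self, ticket):
        # act only on a ticket the authorization server issued for this executor, then confirm
        req = ticket["request"]
        if req["executor"] != self.name or not hmac.compare_digest(tag(TICKET_KEY, req), ticket["ticket"]):
            return None
        return {"confirmed": req}

class RequesterAgent:
    def __init__(self, name, obligation):
        self.name, self.obligation = name, obligation  # obligation policy downloaded from the policy server
    def fulfil(self, auth_server, executor, max_attempts=3):
        # request authorization; on interdiction modify and resend, on permission forward the ticket
        request = dict(self.obligation, requester=self.name)
        for _ in range(max_attempts):
            kind, result = auth_server.decide(request, tag(AUTH_KEY, request))
            if kind == "permission":
                return executor.execute(result)
            request = dict(request, size=request["size"] // 2)  # constructed modification: halve the size
        return None

def run_demo():
    # constructed policies: storage-1 permits writes up to size 100; backup-agent is obliged to write 300
    auth = AuthorizationServer({"storage-1": {"write": 100}})
    requester = RequesterAgent("backup-agent", {"action": "write", "executor": "storage-1", "size": 300})
    return requester.fulfil(auth, ExecutorAgent("storage-1")), auth.log
```

The server's log records every permission and interdiction it issued, which is the accountability role the abstract assigns to the ticket mechanism; the executor refuses anything that does not carry a ticket the server actually signed for it.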