Policy representations and mechanisms for the control of software

US 7,240,015 B1
Filed: 09/15/2000
Issued: 07/03/2007
Est. Priority Date: 09/17/1999
Status: Expired due to Term

First Claim

Patent Images

1. A multi-agent for managing system policies on a site operating in one of a plurality of system modes within a virtual network, wherein said system policies include authorization policies for controlling one of either permission or interdiction of actions by an agent, and obligation policies for specifying said actions said agent is responsible for performing, comprising:

a plurality of service and device agents, at least one of which functions as a requester agent defined by at least one obligation policy, and another of which functions as an executor agent for performing an action requested by said requester agent in order to fulfil said at least one obligation policy;

an authorization server operating in accordance with said authorization policies for receiving and authenticating requests from said requester agent and in response returning one of either (i) a permission authorization to said requester agent, which in response forwards said permission authorization to said executor agent for performing said action, or (ii) an interdiction to said requester agent for prohibiting said action;

a policy server for (i) receiving and downloading said obligation policies into said plurality of service and device agents, (ii) for distributing said authorization policies to said authorization server, and (iii) for managing said system policies in accordance with changes in said system modes; and

an event server for effecting shared communication between plurality of service and device agents.

View all claims

28 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to the present invention, an architecture of multiple agents is provided for setting up and enforcing policies within each site of a virtual network. A policy server represents the global policies of the site and each agent manages its own policies. Policies are dynamically downloaded from the policy server into agents that carry the responsibility to enforce them. Agents propagate their policies to the policy server to detect any conflict that may rise between agents during dynamic mapping and resource reservation. A negotiation mechanism is provided to resolve such conflicts. An authorization-based mechanism is also provided such that agents must request authorization before performing any action, in response to which a ticket is delivered to the requesting agent for accountability and security reasons.

Citations

14 Claims

1. A multi-agent for managing system policies on a site operating in one of a plurality of system modes within a virtual network, wherein said system policies include authorization policies for controlling one of either permission or interdiction of actions by an agent, and obligation policies for specifying said actions said agent is responsible for performing, comprising:
- a plurality of service and device agents, at least one of which functions as a requester agent defined by at least one obligation policy, and another of which functions as an executor agent for performing an action requested by said requester agent in order to fulfil said at least one obligation policy;
  
  an authorization server operating in accordance with said authorization policies for receiving and authenticating requests from said requester agent and in response returning one of either (i) a permission authorization to said requester agent, which in response forwards said permission authorization to said executor agent for performing said action, or (ii) an interdiction to said requester agent for prohibiting said action;
  
  a policy server for (i) receiving and downloading said obligation policies into said plurality of service and device agents, (ii) for distributing said authorization policies to said authorization server, and (iii) for managing said system policies in accordance with changes in said system modes; and
  
  an event server for effecting shared communication between plurality of service and device agents.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 12, 13, 14)
- - 2. The multi-agent system according to claim 1, wherein said authorization policy is an objection characterized by the following attributes:
    - a Mode attribute which is one of either said permission authorization or said interdiction;
      
      a Subject attribute which specifies which of said agents said authorization policy applies to;
      
      an Action attribute which specifies a set of operations that said requester agent is authorized to or prohibited from performing, depending on said Mode;
      
      a Target attribute which specifies said executor agent;
      
      a Constraint attribute which prohibits return of said permission authorization unless predetermined conditions are verified;
      
      a Priority attribute which specifies an authority level of said authorization policy relative to other ones of said policies;
      
      a Class attribute which classifies policies according to a plurality of predetermined system activities to which said authorization policy relates;
      
      a System mode attribute which represents a predetermined state of said system modes and;
      
      a Creator attribute which specifies a creator of said authorization responsible for having added said authorization policy to the system.
  - 3. The multi-agent system according to claim 1, wherein said obligation policy is an object characterized by the following attributes:
    - a Trigger attribute which specifies one of either an internal or external event for triggering said obligation policy;
      
      a Subject attribute which specifies which of said agents said obligation policy applies to;
      
      an Action attribute which specifies a set of operations that said requester agent is authorized to or prohibited from performing, depending on said Mode;
      
      a Target attribute which specifies said executor agent;
      
      a Constraint attribute which prohibits return of said permission authorization unless predetermined conditions are verified;
      
      a Class attribute which classifies policies according to a plurality of predetermined system activities to which said authorization policy relates;
      
      a System mode attribute which represents a predetermined state of said system modes; and
      
      ;
      
      an Exception attribute which specifies an action that said Subject must perform in the event said Subject fails to accomplish said Action.
  - 4. The multi-agent system according to either claim 2 or 3, wherein said plurality of service and device agents further include:
    - a site logon agent for authenticating users and opening sessions for said users at said site;
      
      a coordinator agent for managing inter-agent communications via said event server;
      
      a site profile agent for mapping user preferences to said obligation policies; and
      
      a resource agent for managing system resources provided by said plurality of service and device agents.
  - 5. The multi-agent system according to claim 4, wherein said Class attribute defines one of either (i) a class of securities policies which are applied to said coordinator agent, (ii) a class of admission control policies which are applied to said site logon agent, (iii) a class of user profile policies which are applied to said site profile agent, or (iv) a class of resource reservation policies which are applied to said resource agent.
  - 6. The multi-agent system according either one of claim 2 or 3, wherein said Class attribute defines a plurality of classes of policies which are enabled in response to respective ones of said system modes as defined by said System mode attribute.
  - 7. The multi-agent system according to claim 1, further comprising:
    - means within at least one of said requester agent and said executor agent for issuing notifications in response to events relating to at least one of an associated service or device; and
      
      means within said policy server for (i) receiving subscriptions from predetermined ones of said service and device agents to predetermined ones of said events, (ii) receiving said notifications from said at least one of said requester agent and said executor agent, and in response (iii) distributing said notifications to said predetermined ones of said service and device agents.
  - 8. The multi-agent system according to claim 7, wherein said policy server further includes means for enabling and disabling predetermined ones of said system policies upon receiving said notifications from said at least one of said requester agent and said executor agent.
  - 12. The multi-agent system according to claim 1, wherein said policy server and authorization server are stand-alone servers accessible to each of said agents within said site.
  - 13. The multi-agent system according to claim 1, wherein each of said agents incorporates its own authorization server and policy server.
  - 14. The multi-agent system of claim 1, wherein said site is a hotel.

9. In a multi-agent system having a requester agent defined by at least one obligation policy, an executor defined by at least one authorization policy for performing an action requested by said requester agent in order to fulfil said at least one obligation policy, and an authorization server in communication with said requester agent and said executor agent, an action authorization method comprising the steps of:
- sending a request from said requester agent to said authorization server for execution of said action;
  
  receiving and authenticating said request within said authorization server and in response to generating and returning one of either (i) a permission authorization to said requester agent in the event that said obligation policy of said requester agent does not conflict with the authorization policy of said executor agent, or (ii) an interdiction to said requester agent for prohibiting said action in the event that said obligation policy of said requester agent conflicts with the authorization policy of said executor agent; and
  
  modifying said request within said requester and sending a resultant modified request to said authorization server in the event that said authorization server previously returned said interdiction;
  
  orsending said permission authorization to said executor agent for performing said action in the event said authorization server previously returned said permission authorization, and thereafter sending a confirmation from said executor agent to said requester agent confirming execution of said action.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9, further comprising the steps of comparing said request to respective regions of belief of said obligation policy and said authorization policy and in the event that said request is within each of said regions of belief then returning said permission authorization and in the event that said request is outside of as least one of said respective regions of belief then returning said interdiction to said requester along with information indicating reasons for prohibition of said action.
  - 11. The method of claim 10, wherein said step of modifying said request within said requester further comprises interpreting said information and formulating said modified request to more likely be within each of said regions of belief.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RingCentral Incorporated, University Of The Ottawa
Original Assignee
MITEL NETWORKS CORPORATION AND THE UNIVERSITY OF OTTAWA
Inventors
Karmouch, Ahmed, Gray, Tom, Mankovskii, Serge, Guennoun, Mouheine
Primary Examiner(s)
Florian; Zeender Ryan
Assistant Examiner(s)
Frenel; Vanel

Application Number

US09/663,026
Time in Patent Office

2,482 Days
Field of Search

705/11, 705/4, 709/202, 709/207, 709/203, 709/217, 709/224
US Class Current

705/4
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6209   to a single file or object,...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/4875   with migration policy, e.g....

G06Q 40/08   Insurance

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Policy representations and mechanisms for the control of software

First Claim

28 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Policy representations and mechanisms for the control of software

First Claim

28 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links