Associative policy model
Abstract
Systems and methods for an associative policy model are provided. One embodiment of the present invention provides a method for implementing an associative policy. In this embodiment, the method includes providing a policy on a policy server, the policy having a service definition that contains first and second relational components, providing first and second network entities, operatively coupling the first and second network entities to the policy server, dynamically associating the first network entity with the second network entity (wherein such associating includes binding the first relational component of the service definition in the policy to the first network entity, and binding the second relational component of the service definition in the policy to the second network entity), and enforcing the policy on the first and second network entities.
47 Claims
1. A method for implementing an associative policy, the method comprising:
providing a policy on a policy server, the policy having a plurality of service definitions, wherein each service definition contains first and second relational components;
providing first and second network entities;
operatively coupling the first and second network entities to the policy server;
dynamically associating the first network entity with the second network entity from within the policy server, wherein associating includes:
selecting a service definition from the plurality of service definitions to apply to the first and second network entities;
sending a message from the policy server to the first network entity binding the first relational component of the selected service definition in the policy to the first network entity, and sending a message from the policy server to the second network entity binding the second relational component of the selected service definition in the policy to the second network entity; and
enforcing the policy on the first and second network entities.
Dependent claims: 2 to 13.
14. A method for managing an associative policy on a policy server, the method comprising:
providing a policy having a service definition, wherein the service definition has one or more rulesets that each contain one or more placeholders;
specifying a role associated with each ruleset;
operatively coupling one or more devices to the policy server; and upon such coupling, receiving boot and role information from the coupled devices;
converting the policy into one or more device policies by inserting device information into the placeholders for rulesets corresponding to each of the coupled devices, and
distributing the device policies to the corresponding devices.
Dependent claims: 15 to 21.
22. A computer-implemented method on a policy server, the method comprising:
providing a master policy on the policy server, the master policy having a first component and a second component;
binding the policy server to a first device to obtain information about the first device;
binding the policy server to a second device to obtain information about the second device;
creating a first policy on the policy server using the first component of the master policy and the information about the second device;
creating a second policy on the policy server using the second component of the master policy and the information about the first device;
sending the first policy to the first device; and
sending the second policy to the second device.
Dependent claims: 23 to 27.
28. A computer-implemented method on a client, the method comprising:
obtaining boot information for the client;
obtaining role information for a user on the client;
sending the boot information and the role information to a policy server;
obtaining a client-specific security policy from the policy server; and
enforcing the client-specific security policy on the client, wherein the client-specific security policy includes security information about a server that is associated with the client, and wherein the security information is based on boot information and role information for the server.
Dependent claims: 29 to 31.
32. A policy server, comprising:
a master security policy having a client component and a server component;
an interface to couple the policy server with a server device and a client device; and
wherein the policy server is operable to:
obtain server information about the server device;
obtain client information about the client device;
create a client policy using the client component of the master security policy and the server information;
create a server policy using the server component of the master security policy and the client information;
send the client policy to the client device; and
send the server policy to the server device.
33. A computer-implemented method on a server, the method comprising:
obtaining boot information for the server;
obtaining role information for the services provided by the server;
sending the boot information and the role information to a policy server;
obtaining a server-specific security policy from the policy server; and
enforcing the server-specific security policy on the server, wherein the server-specific security policy includes security information about one or more clients that are associated with the server, and wherein the security information is based on boot information and role information for the one or more clients.
Dependent claims: 34 to 37.
38. A computer-implemented method on a policy server, the method comprising:
receiving boot information for a server;
receiving role information for the services provided by the server;
receiving boot information for one or more clients associated with the server;
receiving role information for a user on one or more of the clients;
creating a server-specific security policy from a master security policy wherein the server-specific security policy includes security information about one or more of the clients that are associated with the server, and wherein the security information is based on boot information and role information for each client;
creating a client-specific security policy from a master security policy wherein the client-specific security policy includes security information about the server, and wherein the security information is based on boot information and role information for the server;
sending the server-specific security policy to the server; and
sending the client-specific security policy to each client.
Dependent claims: 39 and 40.
41. A system, comprising:
a network;
a first network entity coupled to the network;
a second network entity coupled to the network; and
a policy server coupled to the network, the policy server having an associative policy;
wherein the policy server is operable to:
receive boot and role information from the first network entity;
receive boot and role information from the second network entity;
create a first network entity specific policy utilizing the received boot and role information from the first and second network entities;
create a second network entity specific policy utilizing the received boot and role information from the first and second network entities;
send the first entity policy to the first network entity; and
send the second entity policy to the second network entity.
Dependent claims: 42 to 47.
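As an added illustration, not code from the patent, the following Python model shows the mechanism the independent claims describe: a master policy whose service definition holds one ruleset per role (client, server) with placeholders, devices that couple and report boot and role information, and a policy server that turns the ruleset into a device policy by filling each placeholder with the peer device's information. The device names, IP addresses, the role set and the rule syntax are constructed for the example; an unbound placeholder or two entities claiming the same role is refused rather than shipped.

```python
from dataclasses import dataclass, field
import re

PLACEHOLDER = re.compile(r"\{(\w+)\}")   # e.g. {peer_ip} inside a rule

# Constructed master policy: one service definition ("web") whose two
# relational components are rulesets, each tied to the role it applies to.
MASTER_POLICY = {
    "web": {
        "client": ["allow outbound tcp to {peer_ip}:{peer_port}"],
        "server": ["allow inbound tcp from {peer_ip} to port {self_port}"],
    },
}

@dataclass
class PolicyServer:
    master: dict
    devices: dict = field(default_factory=dict)   # name -> boot + role info

    def couple(self, name, role, **boot_info):
        """A device couples to the policy server and reports its role and
        boot information (here: ip and, for servers, port)."""
        if role not in ("client", "server"):
            raise ValueError(f"unknown role {role!r}")
        self.devices[name] = {"role": role, **boot_info}

    def render(self, service, device, peer):
        """Convert one ruleset into a device policy by filling its placeholders
        with the device's own info (self_*) and the peer's info (peer_*)."""
        ruleset = self.master[service][self.devices[device]["role"]]
        info = {f"self_{k}": v for k, v in self.devices[device].items()}
        info.update({f"peer_{k}": v for k, v in self.devices[peer].items()})

        def fill(match):
            key = match.group(1)
            if key not in info:   # never ship a policy with an unbound placeholder
                raise KeyError(f"{device}: no value for {match.group(0)}")
            return str(info[key])
        return [PLACEHOLDER.sub(fill, rule) for rule in ruleset]

    def associate(self, service, first, second):
        """Dynamically associate two entities: each receives the component of
        the selected service definition matching its role, instantiated with
        the other entity's information. Returns the per-device policies."""
        if self.devices[first]["role"] == self.devices[second]["role"]:
            raise ValueError("associated entities must hold different roles")
        return {first: self.render(service, first, second),
                second: self.render(service, second, first)}
```

Each device then enforces only the rules it received, so a client learns nothing about servers it was not associated with.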
Specification