System and method for maintaining security in a distributed computer network

US 7,318,237 B2
Filed: 06/30/2005
Issued: 01/08/2008
Est. Priority Date: 10/28/1998
Status: Expired due to Fees

First Claim

Patent Images

1. A system for controlling access to a software application in accordance with enterprise and local security policies, comprising:

a server that includes a policy manager to manage an enterprise set of security policies, and to distribute to each of a plurality of clients a subset of said enterprise set of security policies; and

a plurality of clients, each client including an application guard, wherein the client receives the subset of security policies from the server and stores them locally on the client, and wherein the application guard then uses the local security policies to manage access by a user of the client to a software application;

wherein said policy manager further includes;

an optimizer component that determines, for each application guard, which subset of the enterprise set of security policies said each application guard should receive; and

a differ component that computes a difference between the subset and any previous local security policy of said each application guard, such that the policy manager distributes only changed portions of the local security policy, which are applicable to said each application guard as determined by the optimizer element.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for maintaining security in a distributed computing environment comprises a policy manager located on a server for managing and distributing a security policy, and an application guard located on a client for managing access to securable components as specified by the security policy. In the preferred embodiment, a global policy specifies access privileges of the user to securable components. The policy manager may then preferably distribute a local client policy based on the global policy to the client. An application guard located on the client then manages access to the securable components as specified by the local policy.

Citations

21 Claims

1. A system for controlling access to a software application in accordance with enterprise and local security policies, comprising:
- a server that includes a policy manager to manage an enterprise set of security policies, and to distribute to each of a plurality of clients a subset of said enterprise set of security policies; and
  
  a plurality of clients, each client including an application guard, wherein the client receives the subset of security policies from the server and stores them locally on the client, and wherein the application guard then uses the local security policies to manage access by a user of the client to a software application;
  
  wherein said policy manager further includes;
  
  an optimizer component that determines, for each application guard, which subset of the enterprise set of security policies said each application guard should receive; and
  
  a differ component that computes a difference between the subset and any previous local security policy of said each application guard, such that the policy manager distributes only changed portions of the local security policy, which are applicable to said each application guard as determined by the optimizer element.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the server distributes to each of said plurality of clients only those security policies that are relevant to that client.
  - 3. The system of claim 1, wherein the software application is installed locally on one or more of the clients.
  - 4. The system of claim 1, wherein the software application is installed on the server.
  - 5. The system of claim 1, wherein the application guard assigns the user of the client a particular role to use with the software application.
  - 6. The system of claim 5, wherein the application guard manages access by the user to a particular function of the software application.
  - 7. The system of claim 6, wherein the assigned role includes a set of privileges to use the particular function of the software application.
  - 8. The system of claim 7, wherein the particular software application is organized into a role hierarchy such that if a user is granted a certain role, then that user is automatically granted any children roles.
  - 9. The system of claim 7, wherein the particular function of the software application is organized into a function hierarchy such that if a user is granted a privilege to a parent function, then that user is automatically granted the privilege to any children functions.
  - 10. The system of claim 1, wherein the application guard runs as a service that allows the software application to make a request for authorization.

11. A method for controlling access to a software application in accordance with enterprise and local security policies, comprising the steps of:
- providing a server that includes a policy manager to manage an enterprise set of security policies, and distributing to each of a plurality of clients a subset of said enterprise set of security policies; and
  
  providing a plurality of clients, each client including an application guard, wherein the client receives the subset of security policies from the server and stores them locally on the client, and wherein the application guard then uses the local security policies to manage access by a user of the client to a software application;
  
  wherein said policy manager further includes;
  
  an optimizer component that determines, for each application guard, which subset of the enterprise set of security policies said each application guard should receive; and
  
  a differ component that computes a difference between the subset and any previous local security policy of said each application guard, such that the policy manager distributes only changed portions of the local security policy, which are applicable to said each application guard as determined by the optimizer element.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the server distributes to each of said plurality of clients only those security policies that are relevant to that client.
  - 13. The method of claim 11, wherein the software application is installed locally on one or more of the clients.
  - 14. The method of claim 11, wherein the software application is installed on the server.
  - 15. The method of claim 11, wherein the application guard assigns the user of the client a particular role to use with the software application.
  - 16. The method of claim 15, wherein the application guard manages access by the user to a particular function of the software application.
  - 17. The method of claim 16, wherein the assigned role includes a set of privileges to use the particular function of the software application.
  - 18. The method of claim 17, wherein the particular software application is organized into a role hierarchy such that if a user is granted a certain role, then that user is automatically granted any children roles.
  - 19. The method of claim 17, wherein the particular function of the software application is organized into a function hierarchy such that if a user is granted a privilege to a parent function, then that user is automatically granted the privilege to any children functions.
  - 20. The method of claim 11, wherein the application guard runs as a service that allows the software application to make a request for authorization.

21. A computer readable medium, including instructions stored thereon, which when executed by a computer causes the computer to perform the steps of:
- providing a server that includes a policy manager to manage an enterprise set of security policies and a plurality of clients for enforcing the set of enterprise security policies;
  
  determining, for an application guard residing on a client, a subset of the enterprise set of security policies that is applicable to the application guard, said determining performed by an optimizer component of the policy manager;
  
  computing a difference between the subset and any previous local security policy of said application guard, said computing performed by a differ component of the policy manager; and
  
  distributing to each of the plurality of clients a changed portions of the subset of said enterprise set of security policies, wherein the client receives the changed portions of the subset of security policies from the server and stores them locally on the client, and wherein the application guard then uses the local security policies to manage access by a user of the client to a software application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Moriconi, Mark, Qian, Shelly
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Hoffman; Brandon S

Application Number

US11/171,104
Publication Number

US 20050257247A1
Time in Patent Office

922 Days
Field of Search

726/27
US Class Current

726/27
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2117   User registration

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2151   Time stamp

H04L 63/0263   Rule management

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

Y10S 707/99939   Privileged access

System and method for maintaining security in a distributed computer network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for maintaining security in a distributed computer network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links