System and method for analyzing security policies in a distributed computer network
Abstract
A system and method for analyzing a global security policy in a distributed computing environment. In one embodiment the security policy is a global security policy which is stored in, and managed by, a policy manager located on a server. In another embodiment the security policy is a local client security policy stored in an application guard located on a client server which manages access to various securable components of the distributed computing environment.
32 Claims
1. A system for analyzing security in a distributed computing environment, comprising:
- a policy manager, including an enterprise policy data file containing a global security policy, comprised of a plurality of rules for granting or denying users privileges to securable objects; and
- a policy analysis engine for constructing a policy verification query, executing the policy verification query against the global security policy and providing a result set containing policy inconsistencies within the global security policy;
wherein executing the policy verification query includes generating a first request for users that have a first privilege to a first object and generating a second request for users that have a second privilege to a second object, wherein the first and second requests are inconsistent, and generating said result set containing the policy inconsistencies based on users that match said first request and said second request.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A system for analyzing security in a distributed computing environment, comprising:
- an application guard, including a local client policy data file containing a local client security policy comprised of a plurality of rules for granting or denying users privileges to securable objects on the client; and
- a local policy analysis engine for constructing a policy verification query, executing the policy verification query against the local client security policy and providing a result set containing policy inconsistencies within the local client security policy;
wherein executing the policy verification query includes generating a first request for users that have a first privilege to a first object and generating a second request for users that have a second privilege to a second object, wherein the first and second requests are inconsistent, and generating said result set containing the policy inconsistencies based on users that match said first request and said second request.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17.
18. A computer implemented method for analyzing a global client security policy in a distributed computing environment, comprising:
- storing a global security policy in a policy manager, the global security policy including a plurality of rules for granting or denying users privileges to securable objects;
- receiving one or more parameters including at least one of a privilege, an object, a subject and an access type;
- constructing a policy analysis query based on the parameters;
- executing the policy analysis query against the global security policy by evaluating the rules in the global security policy, including rule inheritance and object hierarchy; and
- providing a result set that matches the constructed policy analysis query, the result set embodied in a computer-readable medium.
Dependent claims: 19, 20, 21, 22, 23, 24.
25. A computer implemented method for analyzing a local client security policy in a distributed computing environment, comprising:
- storing a local client security policy in an application guard, the local security policy including a plurality of rules for granting or denying users privileges to securable objects on the client;
- receiving one or more parameters including at least one of a privilege, an object, a subject and an access type;
- constructing a policy analysis query based on the parameters;
- executing the policy analysis query against the local security policy by evaluating the rules in the local security policy, including rule inheritance and object hierarchy; and
- providing a result set that matches the constructed policy analysis query, the result set embodied in a computer-readable medium.
Dependent claims: 26, 27, 28, 29, 30, 31, 32.
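The mechanism the independent claims describe, worked through in Python as an added illustration that is not code from the patent or its assignee: rules grant or deny a privilege on a securable object to a subject (claims 1 and 9), rules placed on an ancestor object apply to its descendants and group membership is resolved transitively (the rule inheritance and object hierarchy of claims 18 and 25), and a policy verification query is built from two requests that should never both be satisfied by the same user, with the result set being the users that match both. The object tree, groups, users, rules and the deny-overrides-grant resolution order are constructed assumptions for the example; the patent does not specify them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One rule of the policy: grant or deny a privilege on an object to a subject."""
    effect: str      # "grant" or "deny"
    subject: str     # a user name or a group name
    privilege: str   # e.g. "submit", "approve", "view"
    obj: str         # a node of the object hierarchy, e.g. "/payroll"


class Policy:
    def __init__(self, rules, parent, members):
        self.rules = list(rules)
        self.parent = dict(parent)                              # object -> parent object
        self.members = {g: set(m) for g, m in members.items()}  # group -> direct members

    def ancestors(self, obj):
        """obj itself followed by each ancestor up to the root: the inheritance scope."""
        chain = [obj]
        while obj in self.parent:
            obj = self.parent[obj]
            chain.append(obj)
        return chain

    def subjects_of(self, user):
        """The user plus every group that contains it directly or through nesting."""
        found = {user}
        changed = True
        while changed:
            changed = False
            for group, direct in self.members.items():
                if group not in found and direct & found:
                    found.add(group)
                    changed = True
        return found

    def users(self):
        """Every subject named anywhere in the policy that is not a group."""
        named = {r.subject for r in self.rules} | {m for ms in self.members.values() for m in ms}
        return named - set(self.members)

    def has_privilege(self, user, privilege, obj):
        """Evaluate the rules for one user. A rule on obj or any ancestor applies;
        a deny anywhere in that scope overrides every grant (assumed resolution order)."""
        subjects = self.subjects_of(user)
        scope = set(self.ancestors(obj))
        applicable = [r for r in self.rules
                      if r.privilege == privilege and r.subject in subjects and r.obj in scope]
        if any(r.effect == "deny" for r in applicable):
            return False
        return any(r.effect == "grant" for r in applicable)

    def users_with(self, privilege, obj):
        """One request of a verification query: the users holding privilege on obj."""
        return {u for u in self.users() if self.has_privilege(u, privilege, obj)}

    def verify(self, first, second):
        """Verification query from two requests that no single user should satisfy;
        the result set is the users that match both, i.e. the policy inconsistencies."""
        return self.users_with(*first) & self.users_with(*second)


def sample_policy():
    """Constructed sample data for the example (not from the patent)."""
    parent = {"/payroll": "/", "/payroll/approvals": "/payroll"}
    members = {
        "finance": {"alice", "bob"},
        "auditors": {"carol"},
        "admins": {"dave"},
        "staff": {"finance", "auditors"},   # nested group, resolved transitively
    }
    rules = [
        Rule("grant", "staff", "view", "/"),
        Rule("grant", "finance", "submit", "/payroll"),
        Rule("grant", "auditors", "approve", "/payroll/approvals"),
        Rule("grant", "admins", "submit", "/"),
        Rule("grant", "admins", "approve", "/"),
        Rule("deny", "dave", "submit", "/payroll"),            # scoped deny beats inherited grant
        Rule("grant", "bob", "approve", "/payroll/approvals"),  # the planted conflict
    ]
    return Policy(rules, parent, members)


if __name__ == "__main__":
    policy = sample_policy()
    # Separation of duties: nobody should both submit to /payroll and approve beneath it.
    print(policy.verify(("submit", "/payroll"), ("approve", "/payroll/approvals")))  # {'bob'}
    # The same check at the root: dave's deny is scoped to /payroll, so it no longer applies.
    print(policy.verify(("submit", "/"), ("approve", "/payroll/approvals")))  # {'dave'}
```

The two queries show why the object the request names matters: dave is cleared by the first query because the explicit deny on /payroll removes the submit privilege he inherits from the root, but he surfaces in the second query as soon as the request is phrased against the root itself. A practitioner running such an analysis should therefore query at every level of the hierarchy where the conflicting privileges are granted, not only at the leaves.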
Specification