Systems and processes for managing policy change in a distributed enterprise

US 7,607,164 B2
Filed: 12/23/2004
Issued: 10/20/2009
Est. Priority Date: 12/23/2004
Status: Active Grant

First Claim

Patent Images

1. A method for managing system policies in a distributed enterprise, the method comprising:

receiving a systems policy change request to change a systems policy that implements a published enterprise policy in the distributed enterprise, wherein the published enterprise policy comprises;

defined boundaries of allowable password constructions;

defined boundaries of password retention duration;

a definition of allowed application program licenses;

defined boundaries of anti-virus software configuration and operation; and

defined boundaries of privileged and entitled access permissions to resources in the distributed enterprise; and

wherein the systems policy presents a mechanism for implementing the published enterprise policy into enforceable system and user configurations;

determining whether the requested systems policy change complies with the published enterprise policy and is not rendered unnecessary by another systems policy in the distributed enterprise; and

updating the systems policy according to the requested systems policy change if the requested system policy change complies with the published enterprise policy and is not rendered unnecessary by another systems policy in the distributed enterprise,wherein the systems policy is stored in a memory.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for managing changes to policies in an enterprise includes receiving a systems policy change request to change a systems policy that implements a published enterprise policy, determining whether the requested systems policy change complies with the published enterprise policy, and updating the systems policy according to the requested systems policy change if the requested systems policy change complies with the published enterprise policy. A system for managing policies in an enterprise includes a policy management module configured for receiving published policies and generating corresponding systems policies having data for implementing the published policies, and a policy library storing the published policies and the systems policies.

184 Citations

19 Claims

1. A method for managing system policies in a distributed enterprise, the method comprising:
- receiving a systems policy change request to change a systems policy that implements a published enterprise policy in the distributed enterprise, wherein the published enterprise policy comprises;
  
  defined boundaries of allowable password constructions;
  
  defined boundaries of password retention duration;
  
  a definition of allowed application program licenses;
  
  defined boundaries of anti-virus software configuration and operation; and
  
  defined boundaries of privileged and entitled access permissions to resources in the distributed enterprise; and
  
  wherein the systems policy presents a mechanism for implementing the published enterprise policy into enforceable system and user configurations;
  
  determining whether the requested systems policy change complies with the published enterprise policy and is not rendered unnecessary by another systems policy in the distributed enterprise; and
  
  updating the systems policy according to the requested systems policy change if the requested system policy change complies with the published enterprise policy and is not rendered unnecessary by another systems policy in the distributed enterprise,wherein the systems policy is stored in a memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method as recited in claim 1 further comprising:
    - assessing a business justification for the requested systems policy change; and
      
      issuing an approval or a denial notification for the requested systems policy change.
  - 3. A method as recited in claim 1 further comprising:
    - determining whether a systems policy will be flagged as a result of a change to the systems policy; and
      
      investigating flagged systems policies.
  - 4. A method as recited in claim 1 further comprising:
    - determining whether a policy exception is approved if the requested systems policy change does not comply with the published enterprise policy; and
      
      generating a policy exception associated with the requested systems policy change if the policy exception is approved.
  - 5. A method as recited in claim 4 further comprising:
    - associating a time duration with the policy exception; and
      
      prior to expiration of the time duration, alerting a user to an imminent expiration of the policy exception.
  - 6. A method as recited in claim 1 further comprising:
    - determining whether the requested systems policy change is an emergency;
      
      implementing the requested systems policy change in an expedited time period if the requested systems policy change is an emergency; and
      
      implementing the requested systems policy change in a standard time period if the requested systems policy change is not an emergency.
  - 7. A method as recited in claim 1 further comprising deploying a Group Policy Object (GPO) in a container in a predetermined format, the GPO comprising the updated systems policy.
  - 8. A method as recited in claim 1 further comprising:
    - storing the published enterprise policy and the systems policy in a policy library; and
      
      storing policy attributes and one or more policy exceptions in the policy library, wherein one of the policy attributes is an expiration date specifying when one of the policy exceptions will expire.
  - 9. A method as recited in claim 1 further comprising linking one or more systems policies to each of multiple published enterprise policies.
  - 10. A method as recited in claim 1, wherein the determining operation further comprises analyzing policy criteria related to the published enterprise policy, the policy criteria comprising one or more of the following:
    - a business need;
      
      urgency of the requested systems policy change;
      
      responsibility of the requestor; and
      
      impact of the requested systems policy change on the published enterprise policy.
  - 11. A method as recited in claim 1 wherein the receiving operation comprises receiving the systems policy change request in one of the following forms:
    - an email message;
      
      a web page submission;
      
      a printer paper form.

12. One or more computer storage media having computer-executable instructions that, when executed, cause a computer to perform a process comprising:
- receiving one or more published policies setting forth enterprise guidelines in a distributed enterprise, wherein the enterprise guidelines of the one or more published policies comprise;
  
  defined boundaries of allowable password constructions;
  
  defined boundaries of password retention duration;
  
  a definition of allowed application program licenses;
  
  defined boundaries of anti-virus software configuration and operation;
  
  defined boundaries on secure access configurations; and
  
  defined boundaries of privileged and entitled access permissions; and
  
  for each published policy, generating one or more corresponding systems policies containing configuration settings for implementing the published policy, wherein the one or more corresponding systems policies present a mechanism for implementing the one or more published policies into enforceable system and user configurations in the distributed enterprise;
  
  applying the one or more systems policies to an entity in the distributed enterprise;
  
  receiving a policy change request requesting to change a systems policy;
  
  identifying when;
  
  the policy change request does not violate a published policy;
  
  the policy change request is rendered unnecessary by another systems policy; and
  
  another systems policy is rendered obsolete by implementing the policy change request; and
  
  processing the policy change request based on the identifying, the processing comprising;
  
  implementing the requested change to the systems policy when the requested change does not violate a published policy and the requested change is not rendered unnecessary by another systems policy.
- View Dependent Claims (13, 14, 15, 16)
- - 13. One or more computer storage media as recited in claim 12, the process further comprising generating a policy exception corresponding to one of the systems policies.
  - 14. One or more computer storage media as recited in claim 12 the process further comprising:
    - generating a policy exception if the requested change to the systems policy violates a published policy, and the requested change is allowable;
      
      associating the policy exception with the systems policy; and
      
      implementing the systems policy with the requested change.
  - 15. One or more computer storage media as recited in claim 12, the process further comprising:
    - generating a policy exception associated with a system policy;
      
      storing an expiration date associated with the policy exception; and
      
      alerting a user on or before the expiration date that the policy exception will imminently expire.
  - 16. One or more computer storage media as recited in claim 12, the process further comprising:
    - determining whether the systems policy change request is an emergency;
      
      implementing the systems policy change in an expedited manner if the systems policy change is an emergency; and
      
      implementing the systems policy change in a standard manner if the systems policy change is not an emergency.

17. A system for managing policies in an enterprise, the system comprising:
- a policy management module configured for creating a reference between a published policy and a corresponding systems policy having data for implementing the published policy, wherein the policy management module is further configured to;
  
  identify when the corresponding systems policy conflicts with the published policy;
  
  identify when the corresponding systems policy is rendered unnecessary by another systems policy; and
  
  identify when another systems policy is rendered obsolete by the corresponding systems policy; and
  
  a policy library storing the published policy and the systems policy, andwherein the published policy comprises;
  
  defined boundaries of allowable password constructions;
  
  defined boundaries of password retention duration;
  
  a definition of allowed application program licenses;
  
  defined boundaries of anti-virus software configuration and operation; and
  
  defined boundaries of privileged and entitled access permissions to resources in the enterprise; and
  
  wherein the systems policy presents a mechanism for implementing the published policy into enforceable system and user configurations.
- View Dependent Claims (18, 19)
- - 18. A system as recited in claim 17, wherein the policy management module is further configured to receive a policy change request and enable user editing of a systems policy based on the policy change request.
  - 19. A system as recited in claim 18, wherein the policy management module is further configured to generate a policy exception corresponding to the systems policy, the policy exception generated corresponding to the systems policy that is not associated with the published policy, the policy exception being stored in the policy library and having an expiration date stored in the policy library and the policy management module alerting a user of the expiration of the policy exception based on the expiration date.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Leibmann, Matthias, Brown, Laurie A., Lawrence, Mark David, Hunter, Kimberley Ann, Vasishth, Karan
Primary Examiner(s)
Pich; Ponnoreay

Application Number

US11/021,746
Publication Number

US 20060143685A1
Time in Patent Office

1,762 Days
Field of Search

726/1, 705/1
US Class Current

726/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 21/62   Protecting access to data v...

G06Q 10/06   Resources, workflows, human...

H04L 63/102   Entity profiles

Systems and processes for managing policy change in a distributed enterprise

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

184 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Systems and processes for managing policy change in a distributed enterprise

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

184 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others