Policy inheritance through nested groups
First Claim
1. A computer-implemented method for policy inheritance, comprising:
providing a plurality of servers, wherein one or more of the plurality of servers execute on at least one server computer in an enterprise and wherein the at least one server computer includes a computer readable medium and processor operating thereon;
defining a plurality of groups, organized in a group hierarchy, including a first group wherein the first group includes at least one user, and a second group nested within the first group;
organizing a plurality of resources in a resource hierarchy including at least one parent resource and at least one child resource;
defining a plurality of policies, including a first policy, wherein the policies are used to control access to at least one resource of the plurality of resources and wherein each policy is associated with at least one group of the plurality of groups;
provisioning the plurality of policies from an administrative server to at least one security control manager (SCM) on the at least one server computer wherein each SCM executes on a different server computer in the enterprise;
sending a subset of the plurality of policies from the SCM to a plurality of security service modules (SSMs) wherein the SCM sends each policy to a relevant SSM executing on the server computer with the SCM;
wherein the plurality of SSMs are distributed to a plurality of systems, including applications and servers, on the at least one server computer in the enterprise and wherein each SSM is embedded with and uses the policies to control access to resources in one of the plurality of systems;
wherein each policy definition indicates the at least one resource and the at least one group associated with the policy and wherein each policy definition also indicates an action which the at least one group may perform on the at least one resource;
wherein the first policy controls access to a first parent resource and wherein the first policy is associated with the first group;
inheriting the first policy by the second group;
inheriting each policy associated with the at least one parent resource by the at least one child resource; and
assigning policies to the at least one child resource, wherein the assigned policies override inherited policies from the at least one parent resource, and wherein the assigned policies are then inherited by child resources of the at least one child resource.
Abstract
A computer-implemented system and method for policy inheritance, comprising, defining a first group wherein the first group refers to at least one of: a user and a group different from the first group, defining a second group wherein the second group is nested within the first group, defining a first policy wherein the first policy includes a resource, a subject and one of, an action and a role, and wherein the subject includes the first group, inheriting the first policy by the second group, wherein the resource is part of a resource hierarchy, and wherein the first policy can be used to control access to the resource.
26 Claims
10. A computer-implemented method for policy inheritance, comprising:
providing a plurality of servers, wherein one or more of the plurality of servers execute on at least one server computer in an enterprise and wherein the at least one server computer includes a computer readable medium and processor operating thereon;
defining a plurality of groups, organized in a group hierarchy, including a first group wherein the first group includes at least one user, and a second group nested within the first group;
organizing a plurality of resources in a resource hierarchy including at least one parent resource and at least one child resource;
defining a plurality of policies, including a first policy, wherein the policies are used to control access to at least one resource of the plurality of resources and wherein each policy is associated with at least one group of the plurality of groups;
provisioning the plurality of policies from an administrative server to at least one security control manager (SCM) on the at least one server computer wherein each SCM executes on a different server computer in the enterprise;
sending a subset of the plurality of policies from the SCM to a plurality of security service modules (SSMs) wherein the SCM sends each policy to a relevant SSM executing on the server computer with the SCM;
wherein the plurality of SSMs are distributed to a plurality of systems, including applications and servers, on the at least one server computer in the enterprise and wherein each SSM is embedded with and uses the policies to control access to resources in one of the plurality of systems;
wherein each policy definition indicates the at least one resource and the at least one group associated with the policy and wherein each policy definition also indicates an action which the at least one group may perform on the at least one resource;
wherein the first policy controls access to a first parent resource and wherein the first policy is associated with the first group;
inheriting the first policy by the second group;
inheriting each policy associated with the at least one parent resource by the at least one child resource;
assigning policies to the at least one child resource wherein the assigned policies override inherited policies from the at least one parent resource, and wherein the assigned policies are then inherited by child resources of the at least one child resource; and
wherein the resource hierarchy represents an application.
16. A computer readable medium having instructions stored thereon to cause a system to:
provide a plurality of servers, wherein one or more of the plurality of servers execute on at least one server computer in an enterprise and wherein the at least one server computer includes a computer readable medium and processor operating thereon;
define a plurality of groups, organized in a group hierarchy, including a first group wherein the first group includes at least one user, and a second group nested within the first group;
organize a plurality of resources in a resource hierarchy including at least one parent resource and at least one child resource;
define a plurality of policies, including a first policy, wherein the policies are used to control access to at least one resource of the plurality of resources and wherein each policy is associated with at least one group of the plurality of groups;
provision the plurality of policies from an administrative server to at least one security control manager (SCM) on the at least one server computer wherein each SCM executes on a different server computer in the enterprise;
send a subset of the plurality of policies from the SCM to a plurality of security service modules (SSMs) wherein the SCM sends each policy to a relevant SSM executing on the server computer with the SCM;
wherein the plurality of SSMs are distributed to a plurality of systems, including applications and servers, on the at least one server computer in the enterprise and wherein each SSM is embedded with and uses the policies to control access to resources in one of the plurality of systems;
wherein each policy definition indicates the at least one resource and the at least one group associated with the policy and wherein each policy definition also indicates an action which the at least one group may perform on the at least one resource;
wherein the first policy controls access to a first parent resource and wherein the first policy is associated with the first group;
inherit the first policy by the second group;
inherit each policy associated with the at least one parent resource by the at least one child resource; and
assign policies to the at least one child resource wherein the assigned policies override inherited policies from the at least one parent resource, and wherein the assigned policies are then inherited by child resources of the at least one child resource.
25. A method for policy inheritance, comprising:
providing a plurality of servers, wherein one or more of the plurality of servers execute on at least one server computer in an enterprise and wherein the at least one server computer includes a computer readable medium and processor operating thereon;
defining a plurality of groups, organized in a group hierarchy;
organizing a plurality of resources in a resource hierarchy, including a first parent resource, a first child resource that is a child of the first parent resource, and a second child resource that is a child of the first child resource;
defining a plurality of policies, including a first policy, a second policy, and a third policy, wherein the policies are used to control access to at least one resource from the plurality of resources and wherein each policy is associated with at least one group;
provisioning the plurality of policies from an administrative server to at least one security control manager (SCM) on the at least one server computer wherein each SCM executes on a different server computer in the enterprise;
sending a subset of the plurality of policies from the SCM to a plurality of security service modules (SSMs) wherein the SCM sends each policy to a relevant SSM executing on the server computer with the SCM;
wherein the plurality of SSMs are distributed to a plurality of systems, including applications and servers, on the at least one server computer in the enterprise and wherein each SSM is embedded with and uses the policies to control access to resources in one of the plurality of systems;
associating the first policy with the first parent resource;
associating the second policy with the first child resource;
associating the third policy with the second child resource;
inheriting the first policy by the first child resource and the second child resource where the first policy is for a different control of access from either the second policy or the third policy;
inheriting the second policy by the second child resource where the second policy is for a different control of access from the third policy;
overriding the first policy by the second policy at the first child resource where the first policy and second policy are for the same control of access and subsequently inheriting the second policy by the second child resource;
overriding the second policy at the second child resource where the second policy and the third policy are for the same control of access.
26. A distributed enterprise security system with policy inheritance comprising:
a plurality of servers, wherein one or more of the plurality of servers execute on at least one server computer in an enterprise and wherein the at least one server computer includes a computer readable medium and processor operating thereon;
a plurality of groups, organized in a group hierarchy, including a first group wherein the first group includes at least one user;
a second group wherein the second group is nested within the first group;
a plurality of resources organized in a resource hierarchy including at least one parent resource and at least one child resource;
a plurality of policies, including a first policy, wherein the policies are used to control access to at least one resource of the plurality of resources and wherein each policy is associated with at least one group of the plurality of groups;
an administrative server that provisions the plurality of policies to at least one security control manager (SCM) on the at least one server computer wherein each SCM executes on a different server computer in the enterprise;
wherein the SCM sends a subset of the plurality of policies to a plurality of security service modules (SSMs) wherein the SCM sends each policy to a relevant SSM executing on the server computer with the SCM;
wherein the plurality of SSMs are distributed to a plurality of systems, including applications and servers, on the at least one server computer in the enterprise and wherein each SSM is embedded with and uses the policies to control access to resources in one of the plurality of systems;
wherein each policy definition indicates the at least one resource and the at least one group associated with the policy and wherein each policy definition also indicates an action which the at least one group may perform on the at least one resource;
wherein the first policy controls access to a first parent resource and wherein the first policy is associated with the first group;
wherein the first policy is inherited by the second group and wherein each policy associated with the at least one parent resource is inherited by the at least one child resource;
assigning policies to the at least one child resource, wherein the assigned policies override inherited policies from the at least one parent resource, and wherein the assigned policies are then inherited by child resources of the at least one child resource;
wherein the SSM intercepts a request from a client to perform an action on a resource at a server, wherein the client belongs to the at least one group; and determines, using the policies, whether the client can perform the action on the resource, and granting or denying access to the client based on the determination.
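The inheritance and override rules the independent claims describe (nested groups inheriting a policy, child resources inheriting parent policies, an assigned policy overriding an inherited one for the same control of access and then being inherited further down, and the SSM's grant-or-deny decision), worked as an added Python example that is not the patent's or any product's code. The group and resource hierarchies, the sample policies, the grant/deny effect, and the deny-overrides rule across groups are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample hierarchies (added example, not the patent's code):
# child group -> enclosing group, and child resource -> parent resource.
GROUP_PARENT = {"everyone": None, "engineering": "everyone", "backend": "engineering"}
RESOURCE_PARENT = {"/app": None, "/app/orders": "/app",
                   "/app/orders/refund": "/app/orders", "/app/orders/cancel": "/app/orders"}

@dataclass(frozen=True)
class Policy:
    resource: str  # resource the policy is assigned to
    group: str     # subject group; groups nested within it inherit the policy
    action: str    # action the group may perform on the resource
    effect: str    # "grant" or "deny" (assumed; the claims only name the action)

# Claim 25's shape: first policy at the parent, second at the child, third at the grandchild.
# The (group, action) pair plays the role of the claims' "control of access".
POLICIES = [
    Policy("/app", "engineering", "read", "grant"),                # first policy
    Policy("/app", "engineering", "write", "deny"),                # first policy, other control
    Policy("/app/orders", "engineering", "write", "grant"),        # second policy overrides write
    Policy("/app/orders/refund", "engineering", "write", "deny"),  # third policy overrides again
]

def chain(node, parents):
    """Root-first path from the hierarchy root down to node."""
    path = []
    while node is not None:
        path.append(node)
        node = parents[node]
    return path[::-1]

def effective_policies(policies, resource):
    """Walk root -> resource: a policy assigned lower overrides an inherited one for the same
    (group, action); other controls of access are inherited unchanged, overrides included."""
    effective = {}
    for node in chain(resource, RESOURCE_PARENT):
        for p in policies:
            if p.resource == node:
                effective[(p.group, p.action)] = p
    return effective

def is_permitted(policies, client_group, action, resource):
    """SSM-style decision (claim 26): the client's group inherits the policies of every group
    it is nested within; assumed deny-overrides across groups and deny when nothing applies."""
    subject_groups = set(chain(client_group, GROUP_PARENT))
    effects = {p.effect for (g, a), p in effective_policies(policies, resource).items()
               if a == action and g in subject_groups}
    return "grant" in effects and "deny" not in effects
```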