Method and system for dynamically implementing an enterprise resource policy

US 7,779,247 B2
Filed: 01/09/2004
Issued: 08/17/2010
Est. Priority Date: 01/09/2003
Status: Active Grant

First Claim

Patent Images

1. A centralized system to process authenticated user requests to perform actions on resources, comprising:

a policy enforcement point operable to receive a user request to perform an action upon a resource, wherein user request is from a user with an authenticated identity;

a server in communication with the policy enforcement point, wherein the server is operable to;

receive the user request from the policy enforcement point;

implement a plurality of connectors, wherein each of the plurality of connectors interfaces with one of a plurality of remote data sources, wherein each of the plurality of remote data sources comprises attribute values, and wherein at least one of the plurality of remote data sources is accessible by the server and not accessible by the policy enforcement point;

retrieve a rule associated with the action, wherein there are a plurality of actions associated with the resource, wherein each action has at least one associated rule, and wherein each rule is evaluated based on a value of at least one of the attributes stored at the plurality of data sources;

determine all attribute values required to evaluate the rule;

group the required attributes by connector, wherein each connector corresponds to a remote data source having values for attributes grouped under that connector;

for each connector;

for each attribute grouped under the connector, determine whether an attribute value for the attribute is present at the server;

for each attribute grouped under the connector and lacking an attribute value at the server, add the attribute to a connector request;

request from the data source associated with the connector attribute values for each attribute included in the connector request, wherein the requesting is performed via the connector; and

evaluate the user request in real time to determine whether the user is authorized to perform the action on the resource, wherein the evaluating comprises applying the rule considering the attribute value.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A rules evaluation engine that controls user'"'"'s security access to enterprise resources that have policies created for them. This engine allows real time authorization process to be performed with dynamic enrichment of the rules if necessary. Logging, alarm and administrative processes for granting or denying access to the user are also realized. The access encompasses computer and physical access to information and enterprise spaces.

Citations

26 Claims

1. A centralized system to process authenticated user requests to perform actions on resources, comprising:
- a policy enforcement point operable to receive a user request to perform an action upon a resource, wherein user request is from a user with an authenticated identity;
  
  a server in communication with the policy enforcement point, wherein the server is operable to;
  
  receive the user request from the policy enforcement point;
  
  implement a plurality of connectors, wherein each of the plurality of connectors interfaces with one of a plurality of remote data sources, wherein each of the plurality of remote data sources comprises attribute values, and wherein at least one of the plurality of remote data sources is accessible by the server and not accessible by the policy enforcement point;
  
  retrieve a rule associated with the action, wherein there are a plurality of actions associated with the resource, wherein each action has at least one associated rule, and wherein each rule is evaluated based on a value of at least one of the attributes stored at the plurality of data sources;
  
  determine all attribute values required to evaluate the rule;
  
  group the required attributes by connector, wherein each connector corresponds to a remote data source having values for attributes grouped under that connector;
  
  for each connector;
  
  for each attribute grouped under the connector, determine whether an attribute value for the attribute is present at the server;
  
  for each attribute grouped under the connector and lacking an attribute value at the server, add the attribute to a connector request;
  
  request from the data source associated with the connector attribute values for each attribute included in the connector request, wherein the requesting is performed via the connector; and
  
  evaluate the user request in real time to determine whether the user is authorized to perform the action on the resource, wherein the evaluating comprises applying the rule considering the attribute value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The centralized system to process authenticated user requests to perform actions on resources of claim 1, wherein the server is further operable to log and track each user request.
  - 3. The centralized system to process authenticated user requests to perform actions on resources of claim 1, wherein the server is further operable to:
    - determine additional attribute values required to complete the rule evaluation;
      
      identify connectors corresponding to remote data sources comprising the additional attribute values, wherein the connectors are selected from the plurality of connectors; and
      
      retrieve the additional attributes via the identified connectors.
  - 4. The centralized system to process authenticated user requests to perform actions on resources of claim 3, wherein the server is further operable to evaluate the user request in real time with the additional attribute values.
  - 5. The centralized system to process authenticated user requests to perform actions on resources of claim 1, wherein the rule associated with the action is operable to be updated and immediately activated.
  - 6. The centralized system to process authenticated user requests to perform actions on resources of claim 5, wherein ownership of the rule associated with the action has distributed administrative ownership and control.
  - 7. The centralized system to process authenticated user requests to perform actions on resources of claim 1, wherein the server is further operable to generate an alarm based upon the evaluate the user request in real time, wherein the alarm is sent to an appropriate location.
  - 8. The centralized system to process authenticated user requests to perform actions on resources of claim 1, wherein the resources are accessed physically.
  - 9. The centralized system to process authenticated user requests to perform actions on resources of claim 1, wherein the resources are accessed electronically.
  - 10. The centralized system to process authenticated user requests to perform actions on resources of claim 1, wherein the resources are selected from the group consisting of:
    - physical resources;
      
      information resources; and
      
      online resources.
  - 11. The centralized system to process authenticated user requests to perform actions on resources of claim 1, wherein the rule is stored within a rule repository.
  - 12. The centralized system to process authenticated user requests to perform actions on resources of claim 1, wherein the evaluating further comprises applying the rule considering all attribute values required by the rule.
  - 13. The system of claim 1, wherein the resource is a part of a resource hierarchy, and wherein the rule associated with the action is inherited from an ancestor of the resource within the resource hierarchy.
  - 14. The system of claim 1, wherein the policy enforcement point is also operable to authenticate an identity of the user.

15. A method to process an authenticated user request to perform an action on a resource, comprising:
- receiving at a policy enforcement point a user request to perform one of a plurality of actions associated with the resource, wherein each action associated with the resource has an associated rule that is evaluated based on a value of at least one attribute, and wherein the user request is from a user with an authenticated identity;
  
  retrieving with a server a rule associated with the action;
  
  determining attributes required to evaluate the rule;
  
  with the server, grouping the required attributes by connector, wherein each connector corresponds to a remote data source having values for attributes grouped under that connector, wherein at least one of the remote data sources is accessible to the server, but not accessible to the policy enforcement point;
  
  for each connector;
  
  for each attribute grouped under the connector, determining with the server whether an attribute value for the attribute is present at the server;
  
  for each attribute grouped under the connector and lacking an attribute value at the server, adding with server the attribute to a connector request;
  
  requesting with the server from the remote data source associated with the connector, attribute values for each attribute included in the connector request, wherein the requesting is performed via the connector; and
  
  receiving at the server the requested attribute values from the remote data source associated with the connector; and
  
  evaluating the user request in real time with the server to determine whether the user is authorized to perform the action on the resource, wherein the evaluating comprises applying the rule considering the attribute values.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The method of claim 15, further comprising logging and tracking each user request.
  - 17. The method of claim 15, further comprising:
    - determining additional attribute values required, to complete the evaluation; and
      
      retrieving the additional attribute values.
  - 18. The method of claim 17, further comprising evaluating the user request in real time with the additional attribute values.
  - 19. The method of claim 15, wherein the rule associated with the action is operable to be updated and immediately activated.
  - 20. The method of claim 19, wherein ownership of the rule associated with the action has distributed administrative ownership and control.
  - 21. The method of claim 15, further comprising generating an alarm based upon the evaluation of the user request in real time, wherein the alarm is sent to an appropriate location.
  - 22. The method of claim 15, wherein the resources are accessed physically or are accessed electronically.
  - 23. The method of claim 15, wherein the resources are selected from the group consisting of:
    - physical resources;
      
      information resources; and
      
      online resources.
  - 24. The method of claim 15, wherein the resource is a part of a resource hierarchy, and wherein the rule associated with the action is inherited from an ancestor of the resource within the resource hierarchy.
  - 25. The method of claim 15, further comprising authenticating an identity of the user.

26. A method to process authenticated user requests to access resources, the method comprising:
- receiving a user request to perform an action on a resource, wherein there are a plurality of actions associated with the resource, wherein each action has at least one associated rule, and wherein the user request is from a user with an authenticated identity;
  
  retrieving a rule associated with the action;
  
  determining a plurality of attributes required to evaluate the rule;
  
  group the required attributes by connector, wherein each connector corresponds to a remote data source having values for attributes grouped under that connector;
  
  for each connector;
  
  for each attribute grouped under the connector, determine whether an attribute value for the attribute is present at the server;
  
  for each attribute grouped under the connector and lacking an attribute value at the server, add the attribute to a connector request;
  
  request from the data source associated with the connector attribute values for each attribute included in the connector request, wherein the requesting is performed via the connector, andevaluating the user request to determine whether the user is authorized to perform the action on the resource, wherein the evaluating comprises applying the rule considering the values for the plurality of attributes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Jericho Systems Corporation
Inventors
Roegner, Michael W.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Ho; Virginia

Application Number

US10/755,173
Publication Number

US 20040205342A1
Time in Patent Office

2,412 Days
Field of Search

None
US Class Current

713/155
CPC Class Codes

G06F 16/22   Indexing; Data structures t...

G06F 21/6218   to a system of files or obj...

H04L 63/02   for separating internal fro...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Method and system for dynamically implementing an enterprise resource policy

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for dynamically implementing an enterprise resource policy

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links