Method and system for dynamically implementing an enterprise resource policy
First Claim
1. A centralized system to process authenticated user requests to perform actions on resources, comprising:
a policy enforcement point operable to receive a user request to perform an action upon a resource, wherein the user request is from a user with an authenticated identity;
a server in communication with the policy enforcement point, wherein the server is operable to:
  receive the user request from the policy enforcement point;
  implement a plurality of connectors, wherein each of the plurality of connectors interfaces with one of a plurality of remote data sources, wherein each of the plurality of remote data sources comprises attribute values, and wherein at least one of the plurality of remote data sources is accessible by the server and not accessible by the policy enforcement point;
  retrieve a rule associated with the action, wherein there are a plurality of actions associated with the resource, wherein each action has at least one associated rule, and wherein each rule is evaluated based on a value of at least one of the attributes stored at the plurality of data sources;
  determine all attribute values required to evaluate the rule;
  group the required attributes by connector, wherein each connector corresponds to a remote data source having values for attributes grouped under that connector;
  for each connector:
    for each attribute grouped under the connector, determine whether an attribute value for the attribute is present at the server;
    for each attribute grouped under the connector and lacking an attribute value at the server, add the attribute to a connector request;
    request from the data source associated with the connector attribute values for each attribute included in the connector request, wherein the requesting is performed via the connector; and
  evaluate the user request in real time to determine whether the user is authorized to perform the action on the resource, wherein the evaluating comprises applying the rule considering the attribute value.
Abstract
A rules evaluation engine that controls a user's security access to enterprise resources that have policies created for them. This engine allows a real-time authorization process to be performed, with dynamic enrichment of the rules if necessary. Logging, alarm and administrative processes for granting or denying access to the user are also realized. The access encompasses computer and physical access to information and enterprise spaces.
26 Claims
15. A method to process an authenticated user request to perform an action on a resource, comprising:
receiving at a policy enforcement point a user request to perform one of a plurality of actions associated with the resource, wherein each action associated with the resource has an associated rule that is evaluated based on a value of at least one attribute, and wherein the user request is from a user with an authenticated identity;
retrieving with a server a rule associated with the action;
determining attributes required to evaluate the rule;
with the server, grouping the required attributes by connector, wherein each connector corresponds to a remote data source having values for attributes grouped under that connector, wherein at least one of the remote data sources is accessible to the server, but not accessible to the policy enforcement point;
for each connector:
  for each attribute grouped under the connector, determining with the server whether an attribute value for the attribute is present at the server;
  for each attribute grouped under the connector and lacking an attribute value at the server, adding with the server the attribute to a connector request;
  requesting with the server from the remote data source associated with the connector attribute values for each attribute included in the connector request, wherein the requesting is performed via the connector; and
  receiving at the server the requested attribute values from the remote data source associated with the connector; and
evaluating the user request in real time with the server to determine whether the user is authorized to perform the action on the resource, wherein the evaluating comprises applying the rule considering the attribute values.
26. A method to process authenticated user requests to access resources, the method comprising:
receiving a user request to perform an action on a resource, wherein there are a plurality of actions associated with the resource, wherein each action has at least one associated rule, and wherein the user request is from a user with an authenticated identity;
retrieving a rule associated with the action;
determining a plurality of attributes required to evaluate the rule;
grouping the required attributes by connector, wherein each connector corresponds to a remote data source having values for attributes grouped under that connector;
for each connector:
  for each attribute grouped under the connector, determining whether an attribute value for the attribute is present at the server;
  for each attribute grouped under the connector and lacking an attribute value at the server, adding the attribute to a connector request;
  requesting from the data source associated with the connector attribute values for each attribute included in the connector request, wherein the requesting is performed via the connector; and
evaluating the user request to determine whether the user is authorized to perform the action on the resource, wherein the evaluating comprises applying the rule considering the values for the plurality of attributes.
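As an added illustration that is not part of the patent text, the decision flow shared by claims 1, 15 and 26 as a small Python policy decision server: the server alone holds the connectors to the remote data sources, groups the attributes still missing at the server by connector, issues one batched request per connector, and then applies the rule, denying when a value cannot be obtained. The data sources, attribute names, rules, and the `authorize` and connector functions are all constructed for this example.

```python
from typing import Callable
# Constructed data sources, one behind each connector. Only the decision server
# can reach them; the policy enforcement point merely forwards the request.
HR_DB = {"alice": {"department": "finance", "employment_status": "active"}}
BADGE_DB = {"alice": {"on_site": True}}
# Every connector round trip is logged so the per-connector batching is visible.
call_log: list[tuple[str, tuple[str, ...]]] = []

def hr_connector(subject: str, attrs: list[str]) -> dict:
    call_log.append(("hr", tuple(attrs)))
    return {a: HR_DB.get(subject, {}).get(a) for a in attrs}

def badge_connector(subject: str, attrs: list[str]) -> dict:
    call_log.append(("badge", tuple(attrs)))
    return {a: BADGE_DB.get(subject, {}).get(a) for a in attrs}

CONNECTORS: dict[str, Callable[[str, list[str]], dict]] = {
    "hr": hr_connector, "badge": badge_connector}
# Which connector (remote data source) holds which attribute.
ATTR_SOURCE = {"department": "hr", "employment_status": "hr", "on_site": "badge"}
# One rule per (resource, action): the attributes it needs and its predicate.
RULES = {
    ("ledger", "read"): (["department", "employment_status"],
                         lambda a: a["department"] == "finance"
                         and a["employment_status"] == "active"),
    ("ledger", "edit"): (["department", "employment_status", "on_site"],
                         lambda a: a["department"] == "finance"
                         and a["employment_status"] == "active" and a["on_site"]),
}

def authorize(subject: str, action: str, resource: str, cache: dict) -> bool:
    """Decide one request; `cache` holds values already present at the server."""
    rule = RULES.get((resource, action))
    if rule is None:           # no rule for this action: default deny
        return False
    required, predicate = rule
    have = cache.setdefault(subject, {})
    # Group the attributes still missing at the server by connector.
    pending: dict[str, list[str]] = {}
    for attr in required:
        if attr not in have:
            pending.setdefault(ATTR_SOURCE[attr], []).append(attr)
    # One batched request per connector, carrying only the missing attributes.
    for name, attrs in pending.items():
        fetched = CONNECTORS[name](subject, attrs)
        have.update({k: v for k, v in fetched.items() if v is not None})
    # An attribute the sources could not supply fails the rule, never passes it.
    if any(a not in have for a in required):
        return False
    return bool(predicate(have))
```

Running `authorize("alice", "read", "ledger", cache)` and then `authorize("alice", "edit", "ledger", cache)` with the same cache produces exactly two connector calls: one to `hr` for both HR attributes, then one to `badge` for `on_site` only.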