Methods and systems for assigning access control levels in providing access to resources via virtual machines

US 7,954,150 B2
Filed: 01/18/2007
Issued: 05/31/2011
Est. Priority Date: 01/24/2006
Status: Active Grant

First Claim

Patent Images

1. A system for granting levels of access to a resource according to information gathered about client machines comprising:

a policy engine thati) receives a first request for access to a resource from a user at a first client machine,ii) directs a first collection agent to gather information about the first client machine,iii) grants the first client machine a first level of access to the resource responsive to application of a policy to the information about the first client machine, the first level chosen from a plurality of levels of access; and

a broker machine thati) selects a first virtual machine that can providea) a first desktop computing environment with the resource according to the first granted level of access, andb) a first operating system in which to execute the first desktop computing environment,ii) selects a first execution machine executing a first hypervisor providing access to hardware resources required by the first virtual machine,iii) launches the first virtual machine into the first execution machine, the first virtual machine executing the first operating system,iv) launches the first desktop computing environment with the resource according to the first granted level of access into the first executing operating system on the first execution machine;

v) establishes a first connection between the client machine and the first desktop computing environment with the resource according to the first granted level of access;

whereinthe policy enginei) receives a second request for access to the resource from the user at a second client machine,ii) directs a second collection agent to gather information about the second client machine, andiii) grants the second client machine a second level of access to the resource responsive to application of the policy to the information about the second client machine, the second level chosen from the plurality of levels of access; and

the broker machinei) selects a second virtual machine that can providea) a second desktop computing environment with the resource according to the second granted level of access, andb) a second operating system in which to execute the second desktop computing environment,ii) selects a second execution machine executing a second hypervisor providing access to hardware resources required by the second virtual machine,iii) launches the second virtual machine into the second execution machine, the second virtual machine executing the second operating system,iv) launches the second desktop computing environment with the resource according to the second granted level of access into the second executing operating system on the second execution machine;

v) establishes a second connection between the client machine and the second desktop computing environment with the resource according to the second granted level of access.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for granting access to resources includes a client machine, a collection agent, a policy engine, and a broker server. The client machine requests access to a resource. The collection agent gathers information about the client machine. The policy engine receives the gathered information and assigns one of a plurality of levels of access responsive to application of a policy to the received information. The broker server establishes, responsive to the assigned level of access, a connection between the client machine and a computing environment providing the requested resource, the computing environment provided by a virtual machine.

Citations

33 Claims

1. A system for granting levels of access to a resource according to information gathered about client machines comprising:
- a policy engine thati) receives a first request for access to a resource from a user at a first client machine,ii) directs a first collection agent to gather information about the first client machine,iii) grants the first client machine a first level of access to the resource responsive to application of a policy to the information about the first client machine, the first level chosen from a plurality of levels of access; and
  
  a broker machine thati) selects a first virtual machine that can providea) a first desktop computing environment with the resource according to the first granted level of access, andb) a first operating system in which to execute the first desktop computing environment,ii) selects a first execution machine executing a first hypervisor providing access to hardware resources required by the first virtual machine,iii) launches the first virtual machine into the first execution machine, the first virtual machine executing the first operating system,iv) launches the first desktop computing environment with the resource according to the first granted level of access into the first executing operating system on the first execution machine;
  
  v) establishes a first connection between the client machine and the first desktop computing environment with the resource according to the first granted level of access;
  
  whereinthe policy enginei) receives a second request for access to the resource from the user at a second client machine,ii) directs a second collection agent to gather information about the second client machine, andiii) grants the second client machine a second level of access to the resource responsive to application of the policy to the information about the second client machine, the second level chosen from the plurality of levels of access; and
  
  the broker machinei) selects a second virtual machine that can providea) a second desktop computing environment with the resource according to the second granted level of access, andb) a second operating system in which to execute the second desktop computing environment,ii) selects a second execution machine executing a second hypervisor providing access to hardware resources required by the second virtual machine,iii) launches the second virtual machine into the second execution machine, the second virtual machine executing the second operating system,iv) launches the second desktop computing environment with the resource according to the second granted level of access into the second executing operating system on the second execution machine;
  
  v) establishes a second connection between the client machine and the second desktop computing environment with the resource according to the second granted level of access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The system of claim 1 wherein the policy engine comprises a database storing configurable policies.
  - 3. The system of claim 2 wherein the policies in the policy engine can be configured by a system administrator.
  - 4. The system of claim 1 wherein the policy engine directs the first or second collection agent to gather a type of information.
  - 5. The system of claim 1 wherein the policy engine comprises a logon agent.
  - 6. The system of claim 5 wherein the logon agent receives the information from the first or second collection agent.
  - 7. The system of claim 5 wherein the logon agent identifies for the policy engine authentication information received from the first or second collection agent.
  - 8. The system of claim 1 wherein the policy engine comprises a plurality of logon agents.
  - 9. The system of claim 8 wherein each network domain from which the first or second client machine may transmit the first or second request includes at least one of the plurality of logon agents.
  - 10. The system of claim 9 wherein the first or second client machine transmits the first or second request to a logon agent of the plurality of logon agents.
  - 11. The system of claim 10 where the logon agent identifies for the policy engine the network domain from which the first or second client machine transmits the request.
  - 12. The system of claim 1 wherein the first collection agent executes on the first client machine.
  - 13. The system of claim 1 wherein the policy engine transmits the first collection agent to the first client machine.
  - 14. The system of claim 1 wherein the first collection agent comprises at least one script.
  - 15. The system of claim 1 wherein the first collection agent comprises bytecode.
  - 16. The system of claim 1 wherein the first collection agent gathers the information about the first client machine by running at least one script on the first client machine.
  - 17. The system of claim 1 wherein the information includes a network zone of the first client machine.
  - 18. The system of claim 1 wherein the information includes a method of authentication used by the first client machine.
  - 19. The system of claim 1 wherein the information includes a machine ID of the first client machine.
  - 20. The system of claim 1 wherein the information includes a type of operating system on the first client machine.
  - 21. The system of claim 1 wherein the information includes an existence of a patch to an operating system.
  - 22. The system of claim 1 wherein the information includes MAC addresses of installed network cards.
  - 23. The system of claim 1 wherein the information includes a watermark on the first client machine.
  - 24. The system of claim 1 wherein the information includes membership in an Active Directory.
  - 25. The system of claim 1 wherein the information includes an existence of a virus scanner.
  - 26. The system of claim 1 wherein the information includes an existence of a firewall.
  - 27. The system of claim 1 wherein the information includes an HTTP header.

28. A method for granting levels of access to a resource according to information gathered about client machines, the method comprising:
- receiving, by a policy engine, a first request for access to a resource from a user at a first client machine;
  
  directing, by the policy engine, a first collection agent to gather information about the first client machine;
  
  granting, by the policy engine, the first client machine a first level of access to the resource responsive to application of a policy to the information about the first client machine, the first level chosen from a plurality of levels of access;
  
  selecting, by a broker machine, a first virtual machine that can provide a first desktop computing environment with the resource according to the first granted level of access and a first operating system in which to execute the first desktop computing environment;
  
  selecting, by the broker machine, a first execution machine executing a first hypervisor providing access to hardware resources required by the first virtual machine;
  
  launching, by the broker machine, the first virtual machine into the first execution machine, the first virtual machine executing the first operating system;
  
  launching, by the broker machine, the first desktop computing environment with the resource according to the first granted level of access into the first executing operating system on the first execution machine;
  
  establishing, by the broker machine, a first connection between the client machine and the first desktop computing environment with the resource according to the first granted level of access;
  
  receiving, by the policy engine, a second request for access to the resource from the user at a second client machine;
  
  directing, by the policy engine, a second collection agent to gather information about the second client machine;
  
  granting, by the policy engine, the second client machine a second level of access to the resource responsive to application of the policy to the information about the second client machine, the second level chosen from the plurality of levels of accessselecting, by the broker machine, a second virtual machine that can provide a second desktop computing environment with the resource according to the second granted level of access and a second operating system in which to execute the second desktop computing environment;
  
  selecting, by the broker machine, a second execution machine executing a second hypervisor providing access to hardware resources required by the second virtual machine;
  
  launching, by the broker machine, the second virtual machine into the second execution machine, the second virtual machine executing the second operating system;
  
  launching, by the broker machine, the second desktop computing environment with the resource according to the second granted level of access into the second executing operating system on the second execution machine; and
  
  establishing, by the broker machine, a second connection between the client machine and the second desktop computing environment with the resource according to the second granted level of access.
- View Dependent Claims (29, 30, 31, 32, 33)
- - 29. The method of claim 28 wherein receiving the first or second request further comprises receiving the first or second request over a network connection.
  - 30. The method of claim 28 further comprising receiving, by the policy engine, the information about the first or second client machine over a network connection.
  - 31. The method of claim 28 wherein granting the first or second level of access further comprises determining if the information about the first or second client machine satisfies a condition.
  - 32. The method of claim 31 wherein granting the first or second level of access further comprises granting the first or second level of access responsive to application of the policy to the condition.
  - 33. The method of claim 28, wherein selecting the first or second virtual machine further comprises selecting the first or second virtual machine responsive to the grant of the first or second level of access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Robinson, David N., Croft, Richard Jason, Mazzaferri, Richard James, Low, Anthony Edward, Pedersen, Bradley J.
Primary Examiner(s)
Simitoski; Michael J

Application Number

US11/624,396
Publication Number

US 20070180493A1
Time in Patent Office

1,594 Days
Field of Search

726/4, 726/12, 726/21, 726/26, 718/104, 713/164
US Class Current

726/21
CPC Class Codes

G06F 16/748   Hypervideo linking data to ...

G06F 21/53   by executing in a restricte...

G06F 21/6218   to a system of files or obj...

G06F 21/629   to features or functions of...

G06F 2209/541   Client-server

G06F 2221/2149   Restricted operating enviro...

G06F 3/1415   with means for detecting di...

G06F 3/1438   using more than one graphic...

G06F 3/1462   with means for detecting di...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/485   Task life-cycle, e.g. stopp...

G06F 9/5027   the resource being a machin...

G06F 9/5055   considering software capabi...

G06F 9/5077   Logical partitioning of res...

G06F 9/5088   involving task migration

G06F 9/54   Interprogram communication

G09G 2354/00   Aspects of interface with d...

G09G 2370/16   Use of wireless transmissio...

G09G 2370/22   Detection of presence or ab...

G09G 5/006   Details of the interface to...

G09G 5/14 : Display of multiple viewports

H04L 63/0227 : Filtering policies mail mes...

H04L 63/0428 : wherein the data content is...

H04L 63/06 : for supporting key manageme...

H04L 63/08 : for authentication of entit...

H04L 63/10 : for controlling access to d...

H04L 63/102 : Entity profiles

H04L 63/105 : Multiple levels of security

H04L 67/02 : based on web technology, e....

H04L 67/08 : specially adapted for termi...

H04L 67/14 : Session management for real...

H04L 67/141 : Setup of application sessio...

H04L 67/303 : Terminal profiles

H04L 67/51 : Discovery or management the...

H04L 67/56 : Provisioning of proxy servi...

H04L 67/563 : Data redirection of data ne...

H04L 67/564 : Enhancement of application ...

H04L 67/568 : Storing data temporarily at...

H04L 67/59 : Providing operational suppo...

H04L 69/24 : Negotiation of communicatio...

View All

Methods and systems for assigning access control levels in providing access to resources via virtual machines

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for assigning access control levels in providing access to resources via virtual machines

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links