Policy resolution in an entitlement management system

US 8,010,991 B2
Filed: 01/22/2008
Issued: 08/30/2011
Est. Priority Date: 01/29/2007
Status: Active Grant

First Claim

Patent Images

1. A data processing apparatus, comprising:

a policy administration point that is configured to receive one or more definitions or updates of entitlement policies specifying subjects, actions, and resources, and to update a first entitlement repository coupled to the policy administration point with the definitions or updates in response to receiving the definitions or updates;

one or more policy decision points that are coupled to the policy administration point over a network;

one or more policy enforcement points that are integrated into one or more respective first application programs, wherein each of the policy enforcement points is coupled to one of the policy decision points;

one or more action handlers in the policy administration point, wherein each of the action handlers is configured to intercept a particular action represented in an update to an entitlement policy, to transform the action into an entitlement update in a form compatible with a native entitlement mechanism of a second application program that does not have one of the policy enforcement points, to send the transformed entitlement update to the second application program, and to cause a rollback of the update of the first entitlement repository if the second application program fails to implement the entitlement update in the native entitlement mechanism.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An externalized entitlement management system comprises a policy administration point that is configured to receive one or more definitions or updates of entitlement policies specifying subjects, actions, and resources, and to update a first entitlement repository coupled to the policy administration point with the definitions or updates in response to receiving the definitions or updates; one or more policy decision points that are coupled to the policy administration point over a network; one or more policy enforcement points that are integrated into one or more respective first application programs, wherein each of the policy enforcement points is coupled to one of the policy decision points; and one or more action handlers in the policy administration point, wherein each of the action handlers is configured to intercept a particular action represented in an update to an entitlement policy, to transform the action into an entitlement update in a form compatible with a native entitlement mechanism of a second application program that does not have one of the policy enforcement points, to send the transformed entitlement update to the second application program, and to cause a rollback of the update of the first entitlement repository if the second application program fails to implement the entitlement update in the native entitlement mechanism.

39 Citations

View as Search Results

26 Claims

1. A data processing apparatus, comprising:
- a policy administration point that is configured to receive one or more definitions or updates of entitlement policies specifying subjects, actions, and resources, and to update a first entitlement repository coupled to the policy administration point with the definitions or updates in response to receiving the definitions or updates;
  
  one or more policy decision points that are coupled to the policy administration point over a network;
  
  one or more policy enforcement points that are integrated into one or more respective first application programs, wherein each of the policy enforcement points is coupled to one of the policy decision points;
  
  one or more action handlers in the policy administration point, wherein each of the action handlers is configured to intercept a particular action represented in an update to an entitlement policy, to transform the action into an entitlement update in a form compatible with a native entitlement mechanism of a second application program that does not have one of the policy enforcement points, to send the transformed entitlement update to the second application program, and to cause a rollback of the update of the first entitlement repository if the second application program fails to implement the entitlement update in the native entitlement mechanism.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1, wherein the policy administration point is further configured to provide the action represented in an update to one or more of the policy decision points, and wherein each of the policy decision points is configured to perform policy resolution based on the action and to transform the action into enforcement data that the policy enforcement points can use to enforce the entitlement policy in the first application programs.
  - 3. The apparatus of claim 2, wherein one of the policy decision points and an associated one of the policy enforcement points is configured within a server process of an application server of one of the first application programs.
  - 4. The apparatus of claim 2, wherein one of the policy decision points is configured outside a server process of an application server of one of the first application programs and wherein an associated one of the policy enforcement points is configured within the server process.
  - 5. The apparatus of claim 1, wherein a first one of the policy decision points and the policy administration point are coupled to the first entitlement repository, and wherein a second one of the policy decision points and the policy administration point are coupled to a second entitlement repository.
  - 6. The apparatus of claim 1, wherein the action handlers are coupled using a messaging infrastructure to one of the policy decision points, and wherein that one of the policy decision points is coupled to a second entitlement repository.
  - 7. The apparatus of claim 1, wherein one or more of the policy decision points comprises a PDP decision cache that stores policy resolution decisions, wherein the PDP decision cache is coupled to a PEP decision cache at one of the policy enforcement points.
  - 8. The apparatus of claim 1, wherein one or more of the policy enforcement points comprises an administrative interface that is configured to issue one or more administrative calls to the policy administration point and a decision interface that is configured to issue one or more decision queries to an associated one of the policy decision points.
  - 9. The apparatus of claim 1, wherein policy administration point is further configured to receive the one or more definitions or updates of entitlement policies in an XACML file received on a SOAP interface of the policy administration point.

10. A non-transitory computer-readable storage medium encoded with one or more sequences of instructions which when executed by one or more processors cause the one or more processors to perform:
- receiving, at a policy administration point, one or more definitions or updates of entitlement policies specifying subjects, actions, and resources;
  
  creating one or more policy decision points that are coupled to the policy administration point over a network;
  
  creating one or more policy enforcement points that are integrated into one or more respective first application programs, wherein each of the policy enforcement points is coupled to one of the policy decision points;
  
  in response to receiving the definitions or updates, updating a first entitlement repository coupled to the policy administration point with the definitions or updates;
  
  determining a type of action represented in one of the received definitions or updates;
  
  invoking one or more action handlers in the policy administration point, wherein each of the action handlers is configured to intercept a particular action represented in an update to an entitlement policy, to transform the action into an entitlement update in a form compatible with a native entitlement mechanism of a second application program that does not have one of the policy enforcement points, to send the transformed entitlement update to the second application program, and to cause a rollback of the update of the first entitlement repository if the second application program fails to implement the entitlement update in the native entitlement mechanism.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The non-transitory computer-readable storage medium of claim 10, further comprising instructions which when executed cause providing the action represented in an update to one or more of the policy decision points;
    - performing, at each of the policy decision points, policy resolution based on the action; and
      
      transforming the action into enforcement data that the policy enforcement points can use to enforce the entitlement policy in the first application programs.
  - 12. The non-transitory computer-readable storage medium of claim 11, further comprising instructions which when executed cause creating one of the policy decision points and an associated one of the policy enforcement points within a server process of an application server of one of the first application programs.
  - 13. The non-transitory computer-readable storage medium of claim 11, further comprising instructions which when executed cause creating one of the policy decision points outside a server process of an application server of one of the first application programs and creating an associated one of the policy enforcement points within the server process.
  - 14. The non-transitory computer-readable storage medium of claim 10, further comprising instructions which when executed cause creating a first one of the policy decision points and the policy administration point in a configuration coupled to the first entitlement repository, and creating a second one of the policy decision points and the policy administration point in a configuration coupled to a second entitlement repository.
  - 15. The non-transitory computer-readable storage medium of claim 10, further comprising instructions which when executed cause coupling the action handlers using a messaging infrastructure to one of the policy decision points, and coupling one of the policy decision points to a second entitlement repository.
  - 16. The non-transitory computer-readable storage medium of claim 10, further comprising instructions which when executed cause creating one or more of the policy decision points with a PDP decision cache that stores policy resolution decisions, and coupling the PDP decision cache to a PEP decision cache at one of the policy enforcement points.
  - 17. The non-transitory computer-readable storage medium of claim 10, further comprising instructions which when executed cause creating in one or more of the policy enforcement points an administrative interface that is configured to issue one or more administrative calls to the policy administration point, and creating a decision interface that is configured to issue one or more decision queries to an associated one or the policy decision points.
  - 18. The non-transitory computer-readable storage medium of claim 10, further comprising instructions which when executed cause configuring the policy administration point to receive the one or more definitions or updates of entitlement policies in an XACML file received on a SOAP interface of the policy administration point.

19. A computer-implemented method, comprising:
- receiving, at a policy administration point, one or more definitions or updates of entitlement policies specifying subjects, actions, and resources;
  
  creating one or more policy decision points that are coupled to the policy administration point over a network;
  
  creating one or more policy enforcement points that are integrated into one or more respective first application programs, wherein each of the policy enforcement points is coupled to one of the policy decision points;
  
  in response to receiving the definitions or updates, updating a first entitlement repository coupled to the policy administration point with the definitions or updates;
  
  determining a type of action represented in one of the received definitions or updates;
  
  invoking one or more action handlers in the policy administration point, wherein each of the action handlers is configured to intercept a particular action represented in an update to an entitlement policy, to transform the action into an entitlement update in a form compatible with a native entitlement mechanism of a second application program that does not have one of the policy enforcement points, to send the transformed entitlement update to the second application program, and to cause a rollback of the update of the first entitlement repository if the second application program fails to implement the entitlement update in the native entitlement mechanism.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The computer-implemented method of claim 19, further comprising providing the action represented in an update to one or more of the policy decision points;
    - performing, at each of the policy decision points, policy resolution based on the action; and
      
      transforming the action into enforcement data that the policy enforcement points can use to enforce the entitlement policy in the first application programs.
  - 21. The computer-implemented method of claim 20, further comprising creating one of the policy decision points and an associated one of the policy enforcement points within a server process of an application server of one of the first application programs.
  - 22. The computer-implemented method of claim 20, further comprising creating one of the policy decision points outside a server process of an application server of one of the first application programs and creating an associated one of the policy enforcement points within the server process.
  - 23. The computer-implemented method of claim 19, further comprising creating a first one of the policy decision points and the policy administration point in a configuration coupled to the first entitlement repository, and creating a second one of the policy decision points and the policy administration point in a configuration coupled to a second entitlement repository.
  - 24. The computer-implemented method of claim 19, further comprising coupling the action handlers using a messaging infrastructure to one of the policy decision points, and coupling one of the policy decision points to a second entitlement repository.
  - 25. The computer-implemented method of claim 19, further comprising creating one or more of the policy decision points with a PDP decision cache that stores policy resolution decisions, and coupling the PDP decision cache to a PEP decision cache at one of the policy enforcement points.
  - 26. The computer-implemented method of claim 19, further comprising creating in one or more of the policy enforcement points an administrative interface that is configured to issue one or more administrative calls to the policy administration point, and creating a decision interface that is configured to issue one or more decision queries to an associated one or the policy decision points.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Prasad, Raghavendra, Sarukkai, Sekhar, Gupta, Rajiv
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Powers; William S

Application Number

US12/018,103
Publication Number

US 20080184336A1
Time in Patent Office

1,316 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6236   between heterogeneous systems

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Policy resolution in an entitlement management system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Policy resolution in an entitlement management system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links