Network management using hierarchical domains

US 8,078,707 B1
Filed: 11/12/2004
Issued: 12/13/2011
Est. Priority Date: 11/12/2004
Status: Active Grant

First Claim

Patent Images

1. A method, performed by one or more devices, in a network including network devices, administrators, and objects, the method comprising:

forming, by the one or more devices, a hierarchical tree of domains that semantically organize the network, each of the domains including logical groupings of the network devices, the administrators, or the objects;

managing, by the one or more devices, the network based on the hierarchical tree of domains, where managing the network includes;

determining that a first administrator, of the administrators, is attempting to perform an activity within a first domain of the domains in the hierarchical tree,performing a first determination of whether a first permission assigned to the first administrator in the first domain identifies the attempted activity,performing a second determination, when a result of the first determination does not identify the attempted activity, whether a second permission, assigned to the first administrator in a first parent domain to the first domain, identifies the attempted activity, where the first parent domain provides expressions corresponding to first pre-rules and first post-rules associated with the identified activity, andpermitting, when a result of the second determination identifies the attempted activity, the first administrator to perform the identified activity within the first domain in the hierarchical tree, where a network device within the first domain includes a set of rules associated with the identified activity, and where a second parent domain, to which the first parent domain is a child, provides expressions corresponding to second pre-rules and second post-rules associated with the identified activity; and

permitting, by the one or more devices, execution in order, by the network device within the first domain, of the second pre-rules, the first pre-rules, the set of rules, the first post-rules, and the second post rules.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system manages a network that includes devices, administrators, and objects. The system forms a hierarchical tree of domains that semantically organize the network, where each of the domains includes logical groupings of the devices, the administrators, or the objects. The system manages the network based on the hierarchical tree of domains.

Citations

24 Claims

1. A method, performed by one or more devices, in a network including network devices, administrators, and objects, the method comprising:
- forming, by the one or more devices, a hierarchical tree of domains that semantically organize the network, each of the domains including logical groupings of the network devices, the administrators, or the objects;
  
  managing, by the one or more devices, the network based on the hierarchical tree of domains, where managing the network includes;
  
  determining that a first administrator, of the administrators, is attempting to perform an activity within a first domain of the domains in the hierarchical tree,performing a first determination of whether a first permission assigned to the first administrator in the first domain identifies the attempted activity,performing a second determination, when a result of the first determination does not identify the attempted activity, whether a second permission, assigned to the first administrator in a first parent domain to the first domain, identifies the attempted activity, where the first parent domain provides expressions corresponding to first pre-rules and first post-rules associated with the identified activity, andpermitting, when a result of the second determination identifies the attempted activity, the first administrator to perform the identified activity within the first domain in the hierarchical tree, where a network device within the first domain includes a set of rules associated with the identified activity, and where a second parent domain, to which the first parent domain is a child, provides expressions corresponding to second pre-rules and second post-rules associated with the identified activity; and
  
  permitting, by the one or more devices, execution in order, by the network device within the first domain, of the second pre-rules, the first pre-rules, the set of rules, the first post-rules, and the second post rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, where the network devices are associated with a plurality of independent companies, each of the companies being associated with at least one of the domains in the hierarchical tree.
  - 3. The method of claim 1, where the network devices are associated with a single company with offices in different geographic locations, at least some of the offices being associated with different ones of the domains in the hierarchical tree.
  - 4. The method of claim 1, where managing the network further comprises:
    - declaring one of the objects, defined at a second one of the domains, as shared, andpermitting any child domain related to the second domain in the hierarchical tree to access the object.
  - 5. The method of claim 4, where managing the network further comprises:
    - changing the object in the second domain, andreflecting the change to the object in any child domain related to the second domain in the hierarchical tree.
  - 6. The method of claim 1, where at least some of the objects are declared as shared as defined at the domains, an object that is declared as shared as defined at a second domain, of the domains, being made available within the second domain and any child domain related to the second domain in the hierarchical tree.
  - 7. The method of claim 1, where managing the network further comprises:
    - identifying an expression within at least one of the domains in the hierarchical tree, andimposing the expression on any child domain related to the at least one domain in the hierarchical tree.
  - 8. The method of claim 7, where the expression includes at least one of a rule, a configuration parameter, a login control, or a constraint.
  - 9. The method of claim 1, where at least some of the expressions provided by the second parent domain is imposed within the first parent domain and any child domain related to the first domain in the hierarchical tree.

10. A management system, comprising:
- a memory device to store a hierarchical tree of domains that represent a structure of an entity, the domains including information regarding groups of devices, administrators, and objects associated with the entity, where each of the domains includes at least one of the devices, at least one of the administrators, or at least one of the objects; and
  
  a processor to manage the devices, administrators, and objects, based on the hierarchical tree of domains, by;
  
  determining that an activity, that one of the administrators is attempting to perform within a first one of the domains, is not identified in a first permission assigned to the one administrator for the first domain,determining that the attempted activity is identified in a second permission assigned to the one administrator for a first parent domain of the first domain, where the first parent domain provides expressions corresponding to first pre-rules and first post-rules associated with the identified activity, andpermitting the one administrator to perform the identified activity, using the at least one of the devices within the first domain in the hierarchical tree, where the at least one of the devices includes a set of rules associated with the identified activity, where a second parent domain, to which the first parent domain is a child, provides expressions corresponding to second pre-rules and second post-rules associated with the identified activity, and where the at least one of the devices executes, in order, the second pre-rules, the first pre-rules, the set of rules, the first post-rules, and the second post rules.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The management system of claim 10, where semantic relationships exist between ones of the domains in a same branch of the hierarchical tree.
  - 12. The management system of claim 10, where the entity is one of a plurality of entities associated with a plurality of independent companies, each of the companies being associated with at least one of the domains in the hierarchical tree.
  - 13. The management system of claim 10, where the entity is associated with a single company with offices in different geographic locations, at least some of the offices being associated with different ones of the domains in the hierarchical tree.
  - 14. The management system of claim 10, where the processor further:
    - determines that one of the objects is defined at a second one of the domains as shared, andpermits any child domain related to the domain in the hierarchical tree to access the object.
  - 15. The management system of claim 14, where the processor further:
    - receives a change to the object in the second domain, andreflects the change to the object in any child domain related to the second domain in the hierarchical tree.
  - 16. The management system of claim 10, where at least some of the objects are declared as shared as defined at the domains, an object that is declared as shared as defined at a second one of the domains being made available within the second domain and any child domain related to the second domain in the hierarchical tree.
  - 17. The management system of claim 10, where the processor is configured further:
    - identifies an expression within at least one of the domains in the hierarchical tree, andimposes the expression on any child domain related to the at least one domain in the hierarchical tree.
  - 18. The management system of claim 17, where the expression includes at least one of a rule, a configuration parameter, a login control, or a constraint.
  - 19. The management system of claim 10, where at least some of the expressions provided by the second parent domain is imposed within the first parent domain and any child domain related to the first domain in the hierarchical tree.

20. A management system, comprising:
- a memory device to store a hierarchical tree of domains that represent a structure of an entity, the domains including information regarding logical groupings of devices, administrators, and objects associated with the entity; and
  
  a processor to;
  
  determine that an administrator is attempting to perform an activity using a particular device within a domain, where the particular device includes a set of rules associated with the attempted activity,perform a first determination of whether a first permission, assigned to the administrator in the domain, identifies the attempted activity, the domain being related to a parent domain in the hierarchical tree,perform a second determination, when a result of the first determination does not identify the attempted activity, of whether a second permission, assigned to the administrator in the first parent domain, identifies the attempted activity, where the first parent domain provides expressions corresponding to first pre-rules and first post-rules associated with the identified activity, and where a second parent domain, to which the first parent domain is a child, provides expressions corresponding to second pre-rules and second post-rules associated with the identified activity, andpermit, when a result of the second determination identifies the attempted activity, the administrator to perform the identified activity using the particular device to execute, in order, the second pre-rules, the first pre-rules, the set of rules, the first post-rules, and the second post rules, within the domain.
- View Dependent Claims (21, 22, 23)
- - 21. The management system of claim 20, where the domain is also related to a grandchild domain in the hierarchical tree, andwhere the processor is further to permit the administrator to also perform the activity in the grandchild domain.
  - 22. The management system of claim 20, where the activity is related to one of fault management, configuration management, accounting management, performance management, or security management.
  - 23. The management system of claim 20, where the activity is related to one of fault management, assurance management, billing management, or security management.

24. A management system, comprising:
- a memory device to store a hierarchical tree of domains that represent a structure of a network, the domains including information regarding groups of security devices that connect together in the network to control access to the network, administrators who manage or monitor the security devices, and objects that provide reusable information for the security devices, one of the domains including a plurality of the security devices, a plurality of the administrators, or a plurality of the objects; and
  
  a processor to manage the network based on the hierarchical tree of domains, where the processor is to;
  
  determine that one administrator, of the administrators, is attempting to perform an activity using a particular security device within the one domain, where the particular security device includes a set of rules associated with the attempted activity, and where a first parent domain, to which the second parent domain is a child, provides expressions corresponding to first pre-rules and first post-rules associated with the identified activity,determine whether a first permission assigned to the one administrator in the one domain identifies the attempted activity,determine, upon the determination that the first permission does not identify the attempted activity, whether a second permission assigned to the one administrator in the second parent domain of the one domain, identifies the attempted activity, where the second parent domain provides expressions corresponding to second pre-rules and second post-rules associated with the identified activity,permit, upon the determination that the second permission identifies the attempted activity, the one administrator to perform the identified activity, using the particular security device to execute, in order, the second pre-rules, the pre-rules, the set of rules, and the post-rules, and the second post rules, andnot permit, upon the determination that the second permission does not identify the attempted activity, the one administrator to perform the attempted activity within the one domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Watsen, Kent Andrew, Sancheti, Ajit
Primary Examiner(s)
Avellino, Joseph
Assistant Examiner(s)
BARON, JAMES T

Application Number

US10/986,159
Time in Patent Office

2,587 Days
Field of Search

709/223, 709/224, 709/225, 709/226, 709/229, 726/4
US Class Current

709/223
CPC Class Codes

H04L 41/28 Restricting access to netwo...

Network management using hierarchical domains

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Network management using hierarchical domains

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links