Network management using hierarchical domains
First Claim
1. A method, performed by one or more devices, in a network including network devices, administrators, and objects, the method comprising:
  forming, by the one or more devices, a hierarchical tree of domains that semantically organize the network, each of the domains including logical groupings of the network devices, the administrators, or the objects;
  managing, by the one or more devices, the network based on the hierarchical tree of domains, where managing the network includes:
    determining that a first administrator, of the administrators, is attempting to perform an activity within a first domain of the domains in the hierarchical tree,
    performing a first determination of whether a first permission assigned to the first administrator in the first domain identifies the attempted activity,
    performing a second determination, when a result of the first determination does not identify the attempted activity, whether a second permission, assigned to the first administrator in a first parent domain to the first domain, identifies the attempted activity, where the first parent domain provides expressions corresponding to first pre-rules and first post-rules associated with the identified activity, and
    permitting, when a result of the second determination identifies the attempted activity, the first administrator to perform the identified activity within the first domain in the hierarchical tree, where a network device within the first domain includes a set of rules associated with the identified activity, and where a second parent domain, to which the first parent domain is a child, provides expressions corresponding to second pre-rules and second post-rules associated with the identified activity; and
  permitting, by the one or more devices, execution in order, by the network device within the first domain, of the second pre-rules, the first pre-rules, the set of rules, the first post-rules, and the second post-rules.
Abstract
A system manages a network that includes devices, administrators, and objects. The system forms a hierarchical tree of domains that semantically organize the network, where each of the domains includes logical groupings of the devices, the administrators, or the objects. The system manages the network based on the hierarchical tree of domains.
24 Claims
1. (Independent claim 1 is given in full above under First Claim.) Dependent claims: 2 to 9.
10. A management system, comprising:
  a memory device to store a hierarchical tree of domains that represent a structure of an entity, the domains including information regarding groups of devices, administrators, and objects associated with the entity, where each of the domains includes at least one of the devices, at least one of the administrators, or at least one of the objects; and
  a processor to manage the devices, administrators, and objects, based on the hierarchical tree of domains, by:
    determining that an activity, that one of the administrators is attempting to perform within a first one of the domains, is not identified in a first permission assigned to the one administrator for the first domain,
    determining that the attempted activity is identified in a second permission assigned to the one administrator for a first parent domain of the first domain, where the first parent domain provides expressions corresponding to first pre-rules and first post-rules associated with the identified activity, and
    permitting the one administrator to perform the identified activity, using the at least one of the devices within the first domain in the hierarchical tree, where the at least one of the devices includes a set of rules associated with the identified activity, where a second parent domain, to which the first parent domain is a child, provides expressions corresponding to second pre-rules and second post-rules associated with the identified activity, and where the at least one of the devices executes, in order, the second pre-rules, the first pre-rules, the set of rules, the first post-rules, and the second post-rules.
Dependent claims: 11 to 19.
20. A management system, comprising:
  a memory device to store a hierarchical tree of domains that represent a structure of an entity, the domains including information regarding logical groupings of devices, administrators, and objects associated with the entity; and
  a processor to:
    determine that an administrator is attempting to perform an activity using a particular device within a domain, where the particular device includes a set of rules associated with the attempted activity,
    perform a first determination of whether a first permission, assigned to the administrator in the domain, identifies the attempted activity, the domain being related to a parent domain in the hierarchical tree,
    perform a second determination, when a result of the first determination does not identify the attempted activity, of whether a second permission, assigned to the administrator in the first parent domain, identifies the attempted activity, where the first parent domain provides expressions corresponding to first pre-rules and first post-rules associated with the identified activity, and where a second parent domain, to which the first parent domain is a child, provides expressions corresponding to second pre-rules and second post-rules associated with the identified activity, and
    permit, when a result of the second determination identifies the attempted activity, the administrator to perform the identified activity using the particular device to execute, in order, the second pre-rules, the first pre-rules, the set of rules, the first post-rules, and the second post-rules, within the domain.
Dependent claims: 21 to 23.
24. A management system, comprising:
  a memory device to store a hierarchical tree of domains that represent a structure of a network, the domains including information regarding groups of security devices that connect together in the network to control access to the network, administrators who manage or monitor the security devices, and objects that provide reusable information for the security devices, one of the domains including a plurality of the security devices, a plurality of the administrators, or a plurality of the objects; and
  a processor to manage the network based on the hierarchical tree of domains, where the processor is to:
    determine that one administrator, of the administrators, is attempting to perform an activity using a particular security device within the one domain, where the particular security device includes a set of rules associated with the attempted activity, and where a first parent domain, to which the second parent domain is a child, provides expressions corresponding to first pre-rules and first post-rules associated with the identified activity,
    determine whether a first permission assigned to the one administrator in the one domain identifies the attempted activity,
    determine, upon the determination that the first permission does not identify the attempted activity, whether a second permission assigned to the one administrator in the second parent domain of the one domain, identifies the attempted activity, where the second parent domain provides expressions corresponding to second pre-rules and second post-rules associated with the identified activity,
    permit, upon the determination that the second permission identifies the attempted activity, the one administrator to perform the identified activity, using the particular security device to execute, in order, the second pre-rules, the pre-rules, the set of rules, and the post-rules, and the second post-rules, and
    not permit, upon the determination that the second permission does not identify the attempted activity, the one administrator to perform the attempted activity within the one domain.
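The permission fall-back and the wrapped rule order that the independent claims above describe, as an added example that is not part of the patent or of any product it covers. The domain names, administrators, device and rule labels are constructed; the permission check looks in the domain and then in its parent exactly as claimed, while the rule ordering is generalized to an ancestor chain of any depth, of which the claimed two-level (first parent, second parent) case is one instance.

```python
from dataclasses import dataclass, field

# Constructed model: domain tree, parent-fallback permissions, wrapped rule execution.

@dataclass
class Domain:
    name: str
    parent: "Domain | None" = None
    rule_expressions: dict = field(default_factory=dict)  # activity -> (pre, post)
    permissions: dict = field(default_factory=dict)       # admin -> {activities}

@dataclass
class Device:
    name: str
    domain: Domain
    rules: dict = field(default_factory=dict)             # activity -> [rules]

def is_permitted(admin, activity, domain):
    """First determination in the domain itself; second in its parent domain."""
    if activity in domain.permissions.get(admin, set()):
        return True
    parent = domain.parent
    return parent is not None and activity in parent.permissions.get(admin, set())

def ordered_rules(device, activity):
    """Ancestor pre-rules root-first, the device's own rules, post-rules back up."""
    chain = []
    d = device.domain.parent
    while d is not None:          # collect parent, grandparent, ... up to the root
        chain.append(d)
        d = d.parent
    chain.reverse()               # root (outermost) first
    pre = [r for d in chain for r in d.rule_expressions.get(activity, ([], []))[0]]
    post = [r for d in reversed(chain) for r in d.rule_expressions.get(activity, ([], []))[1]]
    return pre + list(device.rules.get(activity, [])) + post

def perform(admin, activity, device):
    """Return the rule sequence executed, or None when the activity is not permitted."""
    if not is_permitted(admin, activity, device.domain):
        return None
    return ordered_rules(device, activity)

# Constructed tree: corp (second parent) -> emea (first parent) -> paris (first domain).
corp = Domain("corp", rule_expressions={"push-policy": (["corp-pre"], ["corp-post"])})
emea = Domain("emea", corp, {"push-policy": (["emea-pre"], ["emea-post"])},
              {"alice": {"push-policy"}})          # alice's permission lives in the parent
paris = Domain("paris", emea, permissions={"alice": {"view-logs"}})
fw = Device("fw-paris-1", paris, {"push-policy": ["fw-rule-1", "fw-rule-2"]})
```

perform("alice", "push-policy", fw) is permitted only through the emea permission and returns ['corp-pre', 'emea-pre', 'fw-rule-1', 'fw-rule-2', 'emea-post', 'corp-post'], while perform("bob", "push-policy", fw) returns None because neither paris nor emea grants bob that activity.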
Specification