Associating code to a target through code inspection

US 8,156,566 B2
Filed: 12/22/2006
Issued: 04/10/2012
Est. Priority Date: 12/29/2005
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a database comprising a plurality of policies, wherein the policies are applicable to a plurality of target profiles, each target profile having a set of target attributes, wherein each policy comprises a code component comprising a conditional expression having a policy abstraction and a corresponding action that will be performed when the conditional expression is satisfied, and each policy abstraction has a corresponding definition statement stored separately from the policy;

a plurality of devices, each having a target profile of the plurality of target profiles;

a device information engine comprising executable code to detect the plurality of devices, and executable code to retrieve a list of device attributes from the plurality of devices;

an inspection engine comprising executable code to cause inspection of each of the policies, executable code to determine based on the result of the inspection and the profiles of the devices which of the devices each of the policies will be associated with, and executable code to modify one or more of these associated policies before these associated policies are transferred to the devices;

a policy engine comprising executable code to determine which of the devices each of the policies will be associated with without inspection of each of the policies and without calling the inspection engine; and

a deployment engine, coupled to the inspection and policy engines, comprising executable code to transfer policies to the devices as determined by the at least one of inspection engine or the policy engine, wherein the policies that have been modified by the inspection engine are transferred in their modified form to their associated devices, andwherein the deployment engine transfers the policies determined by the policy engine to the devices without modification and without inspection by the inspection engine.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Code is associated to a target based on an inspection of the code. A target may be a device or a user. A number of code components may be inspected at one time and then transferred or otherwise associated to a target based on the target'"'"'s profile. A code component may be a policy of an information management system.

78 Citations

View as Search Results

20 Claims

1. A system comprising:
- a database comprising a plurality of policies, wherein the policies are applicable to a plurality of target profiles, each target profile having a set of target attributes, wherein each policy comprises a code component comprising a conditional expression having a policy abstraction and a corresponding action that will be performed when the conditional expression is satisfied, and each policy abstraction has a corresponding definition statement stored separately from the policy;
  
  a plurality of devices, each having a target profile of the plurality of target profiles;
  
  a device information engine comprising executable code to detect the plurality of devices, and executable code to retrieve a list of device attributes from the plurality of devices;
  
  an inspection engine comprising executable code to cause inspection of each of the policies, executable code to determine based on the result of the inspection and the profiles of the devices which of the devices each of the policies will be associated with, and executable code to modify one or more of these associated policies before these associated policies are transferred to the devices;
  
  a policy engine comprising executable code to determine which of the devices each of the policies will be associated with without inspection of each of the policies and without calling the inspection engine; and
  
  a deployment engine, coupled to the inspection and policy engines, comprising executable code to transfer policies to the devices as determined by the at least one of inspection engine or the policy engine, wherein the policies that have been modified by the inspection engine are transferred in their modified form to their associated devices, andwherein the deployment engine transfers the policies determined by the policy engine to the devices without modification and without inspection by the inspection engine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1 wherein the policy engine determines a first set of policies to be associated, the inspection engine inspects the first set of policies from the policy engine and determines a second of policies, and the deployment engine transfers the second set of policies to the devices while the first set of policies is not transferred to the devices.
  - 3. The system of claim 2 wherein the inspection engine modifies one or more of the policies in the second set of policies, and the deployment engine transfers these one or more modified policies to the devices.
  - 4. The system of claim 1 wherein the deployment engine transfers the policies determined by the inspection engine to the devices with any modifications made by the inspection engine and transfers the policies determined by the policy engine to the devices without any modification.
  - 5. The system of claim 1 wherein the deployment engine is coupled to the policy engine through the inspection engine, whereby an output of the policy engine passes through the inspection engine before appearing at an input of the deployment engine.
  - 6. The system of claim 1 wherein the deployment engine is coupled to the policy engine, whereby an output of the policy engine does not pass through the inspection engine before appearing at an input of the deployment engine.
  - 7. The system of claim 1 wherein the definition statement of a first policy is stored in a separate database from the first policy.
  - 8. The system of claim 1 comprising:
    - a first device of the plurality of devices, having a first target profile and a first policy corresponding to the first target profile;
      
      when a first user logs onto the first device, the deployment engine transfers a second policy corresponding to the first user, wherein the first and second policies have at least one different conditional expression; and
      
      a processing engine comprising executable code that reconciles the first and second policies.
  - 9. The system of claim 8 comprising:
    - when a second user logs onto the first device, the deployment engine transfers a third policy corresponding to the second user, wherein the first and third policies have at least one different conditional expression;
      
      the processing engine comprising executable code that reconciles the first and third policies; and
      
      a policy enforcer at the first device, comprising executable code that allows the first user to perform a first action and denies the second user to perform the first action.

10. A method comprising:
- providing a plurality of policies stored at a server, wherein the policies are applicable to a plurality of target profiles, each target profile having a set of target attributes, wherein each policy comprises a code component comprising a conditional expression having a policy abstraction and a corresponding action that will be performed when the conditional expression is satisfied, and each policy abstraction has a corresponding definition statement stored separately from the policy;
  
  at the server, analyzing a first policy of the plurality of policies to determine whether the first policy is relevant or irrelevant to a first specific target profile with a first set of specific target attributes without inspecting a first code component of the first policy;
  
  at the server, upon determining the first policy is relevant to the first specific target profile, inspecting the first code component of the first policy, otherwise when the first policy is determined not to be relevant to the first specific target profile, not inspecting the first code component of the first policy;
  
  at the server, when the first policy is determined to be relevant to the first specific target profile, based upon the inspecting of the first code component of the first policy, altering the first code component of the first policy by changing the conditional expression to obtain a modified first code component of the first policy;
  
  when the first policy is determined to be relevant to the first specific target profile, transferring the first policy to a first specific target with the first specific target profile by transferring the modified first code component, not the first code component, to the first specific target; and
  
  when the first policy is determined not to be relevant to the first specific target profile, not transferring the first policy to the first specific target,wherein the modified first code component that is transferred to the first specific target provides a rule input for a first program executing at the first specific target, and the first program determines whether a second program, executing at the first specific target, can access a file on a document server, andwherein the rule for the first program disallows access if the user has successfully accessed the file more than N times during a Y time period.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10 comprising:
    - after the modified first component has been transferred to the first target, altering the first policy stored at the server to obtain an altered first policy;
      
      analyzing the altered first policy to determine whether the altered first policy is relevant or irrelevant to the first specific target profile; and
      
      when the altered first policy is determined not to be relevant to the first specific target profile, causing the modified first component to be deleted from the first specific target.
  - 12. The method of claim 10 wherein the transferring the modified first code component, not the first code component, to the first specific target is a result of:
    - executing a push of the first policy to a first specific target without seeking preapproval for the push from a user of the first specific target.
  - 13. The method of claim 10 wherein the transferring the modified first code component, not the first code component, to the first specific target is a result of:
    - executing a pull of the first policy from the server by the first specific target without seeking preapproval from a user of the first specific target.
  - 14. The method of claim 10 wherein the transferring the first policy to the first specific target is a result of a push operation by the server, wherein the push operation occurs without a user at the first specific target sending a request for the transferring and causes the modified first code component, not the first code component, to be transferred to the first specific target.
  - 15. The method of claim 10 wherein the modified first code component that is transferred to the first specific target provides rules for the first program executing at the first specific target, and the first program determines whether the second program can access the file on the document server.
  - 16. The method of claim 10 comprising:
    - at the first specific target, evaluating the modified first code component which results in allowing performing of the corresponding action of the first policy at the first specific target;
      
      after the corresponding action of the first policy is allowed to be performed at the first specific target by the modified first code component, altering the conditional expression at the server and without retransferring the first policy to the first specific target; and
      
      after altering the conditional expression at the server and without retransferring the first policy to the first specific target, evaluating the modified first code component which results in not allowing performing of the corresponding action at the first specific target.
  - 17. The method of claim 10 wherein the first code component is provided in a first format and the altering the first code component of the first policy to obtain a modified first code component method comprises:
    - transforming the first code component into a second code component having a second format, different from the first format, wherein the second code component is the modified first code component.
  - 18. The method of claim 10 comprising:
    - providing the first policy having a first variable defined in a first policy abstraction, wherein the first policy abstraction has a second variable defined in a second policy abstraction;
      
      evaluating the second variable, wherein the second variable evaluates to a constant; and
      
      removing the second variable from the first policy abstraction.

19. A system comprising:
- a database comprising a plurality of policies, wherein the policies are applicable to a plurality of target profiles, each target profile having a set of target attributes, wherein each policy comprises a code component comprising a conditional expression having a policy abstraction and a corresponding action that will be performed when the conditional expression is satisfied, and each policy abstraction has a corresponding definition statement stored separately from the policy;
  
  a plurality of devices, each having a target profile of the plurality of target profiles;
  
  a device information engine comprising executable code to detect the plurality of devices, and executable code to retrieve a list of device attributes from the plurality of devices;
  
  an inspection engine comprising executable code to cause inspection of each of the policies, executable code to determine based on the result of the inspection and the profiles of the devices which of the devices each of the policies will be associated with, and executable code to modify one or more of these associated policies before these associated policies are transferred to the devices;
  
  a policy engine comprising executable code to determine which of the devices each of the policies will be associated with without inspection of each of the policies and without calling the inspection engine; and
  
  a deployment engine, coupled to the inspection and policy engines, comprising executable code to transfer policies to the devices as determined by the at least one of inspection engine or the policy engine, wherein the policies that have been modified by the inspection engine are transferred in their modified form to their associated devices, andwherein the deployment engine transfers the policies determined by the policy engine to the devices without modification and without inspection by the inspection engine, andthe plurality of polices comprise;
  
  a first policy comprising an action comprising preventing a cut-and paste operation from occurring for a first document while allowing cut-and paste for a second document, different from the first document,a second policy comprising an action comprising preventing opening of a third document while allow opening of fourth second document, different from the third document,a third policy comprising an action comprising preventing sending an e-mail to a first e-mail address during a period starting at T1 and ending at T2, and allowing sending of an e-mail to the first e-mail address before T1 or after T2.
- View Dependent Claims (20)
- - 20. The system of claim 19 comprising:
    - a fourth policy comprising an action comprising preventing sending of an e-mail to a second e-mail address while allowing sending to a third e-mail address, different from the second e-mail address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nextlabs
Original Assignee
Nextlabs
Inventors
Lim, Keng
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
BAYOU, YONAS A

Application Number

US11/615,757
Publication Number

US 20070156727A1
Time in Patent Office

1,936 Days
Field of Search

726/30
US Class Current

726/30
CPC Class Codes

G06F 11/3438   monitoring of user actions ...

G06F 16/122   using management policies b...

G06F 16/13   File access structures, e.g...

G06F 16/176   Support for shared access t...

G06F 16/93   Document management systems

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 9/468   Specific access rights for ...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Associating code to a target through code inspection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Associating code to a target through code inspection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links