Locally adaptable central security management in a heterogeneous network environment

US 8,181,222 B2
Filed: 10/31/2007
Issued: 05/15/2012
Est. Priority Date: 12/02/1999
Status: Expired due to Term

First Claim

Patent Images

1. In a networked computer system having a workflow management system and a central policy management system, a method of operating the networked computer system to control workflow, comprising:

creating, by the workflow management system, a workflow class definition;

exporting, by the workflow management system, the workflow class definition to the central policy management system;

creating, within the central policy management system, an access control policy for the workflow class;

binding resources and roles to steps within the central policy management system, including;

encapsulating security mechanism application specific information for each security mechanism, wherein encapsulating includes forming a key for each security mechanism;

combining keys to form at least portions of policy as key chains in one or more semantic policy layers;

associating workflow steps with the key chains;

encapsulating key chains as keys and passing the key chain keys from a first semantic policy layer to a second semantic policy layer;

importing a key chain from the second semantic policy layer to a local access policy layer; and

enforcing the access control policy on the computer via the security mechanisms;

creating, by the workflow management system, a workflow instance in both the workflow management system and the central policy management system; and

executing the workflow instance within a computer.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for defining and enforcing a security policy. Security mechanism application specific information for each security mechanism is encapsulated as a key and exported to a semantic layer. Keys are combined to form key chains within the semantic layer. The key chains are in turn encapsulated as keys and passed to another semantic layer. A security policy is defined by forming key chains from keys and associating users with the key chains. The security policy is translated and exported to the security mechanisms. The security policy is then enforced via the security mechanisms.

44 Citations

View as Search Results

15 Claims

1. In a networked computer system having a workflow management system and a central policy management system, a method of operating the networked computer system to control workflow, comprising:
- creating, by the workflow management system, a workflow class definition;
  
  exporting, by the workflow management system, the workflow class definition to the central policy management system;
  
  creating, within the central policy management system, an access control policy for the workflow class;
  
  binding resources and roles to steps within the central policy management system, including;
  
  encapsulating security mechanism application specific information for each security mechanism, wherein encapsulating includes forming a key for each security mechanism;
  
  combining keys to form at least portions of policy as key chains in one or more semantic policy layers;
  
  associating workflow steps with the key chains;
  
  encapsulating key chains as keys and passing the key chain keys from a first semantic policy layer to a second semantic policy layer;
  
  importing a key chain from the second semantic policy layer to a local access policy layer; and
  
  enforcing the access control policy on the computer via the security mechanisms;
  
  creating, by the workflow management system, a workflow instance in both the workflow management system and the central policy management system; and
  
  executing the workflow instance within a computer.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein creating a workflow instance includes determining an appropriate workflow in response to a triggering event and generating the appropriate workflow instance in both the workflow management system and the central policy management system.
  - 3. The method of claim 2, wherein creating a workflow instance includes:
    - generating a workflow instance policy that identifies specific objects that can be accessed and specific users that may access the objects; and
      
      storing the workflow instance policy in the workflow management system.
  - 4. The method of claim 1, wherein executing the workflow instance includes activating a workflow step according to the workflow management system and granting access control for the workflow step according to the central policy management system.
  - 5. The method of claim 4, wherein executing the workflow instance includes deactivating a workflow step according to the workflow management system and revoking access control for the workflow step according to the central policy management system.

6. An article comprising a non-transitory computer readable medium having instructions thereon, wherein the instructions, when executed in a computer, create a system for executing the method comprising:
- creating a workflow class definition;
  
  exporting the workflow class definition to the central policy management system;
  
  binding resources and roles to steps within the central policy management system;
  
  encapsulating security mechanism application specific information for each security mechanism, wherein encapsulating includes forming a key for each security mechanism;
  
  combining keys to form key chains;
  
  associating workflow steps with the key chains;
  
  encapsulating key chains as keys and passing the key chain keys from a first semantic layer to a second semantic layer;
  
  importing a key chain from the second semantic layer to a local access policy layer; and
  
  enforcing the access control policy on the computer via the security mechanisms;
  
  creating a workflow instance in both the workflow management system and the central policy management system; and
  
  executing the workflow instance.

7. A workflow control system, comprising:
- a workflow management system; and
  
  a central policy management system;
  
  wherein the workflow management system is configured to create a workflow class definition and export the workflow class definition to the central policy management system; and
  
  wherein the central policy management system is configured to;
  
  encapsulate security mechanism application specific information for each security mechanism, including forming a key for each security mechanism;
  
  combine keys into key chains to form at least portions of policy as key chains in one or more semantic policy layers;
  
  associate workflow steps with the key chains; and
  
  assign roles to the workflow steps;
  
  encapsulate key chains as keys and pass the key chain keys from a first semantic policy layer to a second semantic policy layer;
  
  import a key chain from the second semantic policy layer to a local access policy layer; and
  
  enforce the local access policy via the security mechanisms.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The system of claim 7, wherein the workflow management system is configured to:
    - receive a trigger for workflow;
      
      determine an appropriate workflow in response to the trigger; and
      
      generate an instance of the appropriate workflow in both the workflow management system and the central policy management system.
  - 9. The system of claim 8, wherein the workflow management system is configured to:
    - generate a workflow instance policy that identifies specific objects that can be accessed and identifies specific users that may access the objects; and
      
      store the workflow instance policy in a memory of the workflow management system.
  - 10. The system of claim 7, wherein the workflow management system is configured to activate a workflow step to execute a workflow instance, andwherein the central policy management system is configured to grant access control for the workflow step.
  - 11. The system of claim 7, wherein the workflow management system is configured to deactivate a workflow step, and wherein the central policy management system is configured to revoke access control for the workflow step when the workflow is completed.

12. An apparatus comprising:
- a network interface;
  
  a first processing unit communicatively coupled to the interface, wherein the first processing unit is configured to implement a workflow manager; and
  
  a second processing unit communicatively coupled to the interface and remote from the workflow manager, wherein the second processing unit is configured to implement a central policy management system,wherein the workflow manager creates a workflow class definition and exports the workflow class definition to the remote central policy management system that is configured to bind resources and roles to workflow steps, andwherein the central policy management system is configured to;
  
  encapsulate security mechanism application specific information for each security mechanism, including forming a key for each security mechanism;
  
  combine keys into key chains to form at least portions of policy as key chains in one or more semantic policy layers;
  
  associate workflow steps with the key chains; and
  
  assign roles to the workflow steps;
  
  encapsulate key chains as keys and pass the key chain keys from a first semantic policy layer to a second semantic policy layer;
  
  import a key chain from the second semantic policy layer to a local access policy layer; and
  
  enforce the local access policy via the security mechanisms.
- View Dependent Claims (13, 14, 15)
- - 13. The apparatus of claim 12, including a memory coupled to the processing unit, wherein the processing unit is configured to:
    - generate a workflow instance that includes a workflow instance policy that identifies specific objects that can be accessed and specific users that may access the objects;
      
      store the workflow instance policy in the memory; and
      
      activate a workflow step according to the workflow instance, wherein access to a resource needed for the workflow step is granted by the central policy management system.
  - 14. The apparatus of claim 12, including an input configured to receive a trigger for workflow, and wherein the processing unit is configured to:
    - determine an appropriate workflow in response to the trigger;
      
      generate a workflow instance of the appropriate workflow; and
      
      export the workflow instance to the central policy management system.
  - 15. The apparatus of claim 14, wherein the processing unit is configured to:
    - activate a workflow step according to the triggered workflow, wherein access to a resource needed for the workflow step is granted by the central policy management system;
      
      deactivate the workflow step when the workflow step is completed, wherein the central policy management system is configured to revoke the access to the resource, andactivate a subsequent workflow step according to the workflow instance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Thomsen, Daniel Jay, O'Brien, Richard, Bogle, Jessica, Payne, Charles
Primary Examiner(s)
LOUIE, OSCAR A

Application Number

US11/981,333
Publication Number

US 20080066151A1
Time in Patent Office

1,658 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

H04L 63/0263   Rule management

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Locally adaptable central security management in a heterogeneous network environment

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Locally adaptable central security management in a heterogeneous network environment

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links