Locally adaptable central security management in a heterogeneous network environment
First Claim
1. In a networked computer system having a workflow management system and a central policy management system, a method of operating the networked computer system to control workflow, comprising:
creating, by the workflow management system, a workflow class definition;
exporting, by the workflow management system, the workflow class definition to the central policy management system;
creating, within the central policy management system, an access control policy for the workflow class;
binding resources and roles to steps within the central policy management system, including:
encapsulating security mechanism application specific information for each security mechanism, wherein encapsulating includes forming a key for each security mechanism;
combining keys to form at least portions of policy as key chains in one or more semantic policy layers;
associating workflow steps with the key chains;
encapsulating key chains as keys and passing the key chain keys from a first semantic policy layer to a second semantic policy layer;
importing a key chain from the second semantic policy layer to a local access policy layer; and
enforcing the access control policy on the computer via the security mechanisms;
creating, by the workflow management system, a workflow instance in both the workflow management system and the central policy management system; and
executing the workflow instance within a computer.
Abstract
A system and method for defining and enforcing a security policy. Security mechanism application specific information for each security mechanism is encapsulated as a key and exported to a semantic layer. Keys are combined to form key chains within the semantic layer. The key chains are in turn encapsulated as keys and passed to another semantic layer. A security policy is defined by forming key chains from keys and associating users with the key chains. The security policy is translated and exported to the security mechanisms. The security policy is then enforced via the security mechanisms.
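The layered key and key-chain model described in the abstract, as an added illustration that is not the patent's own implementation: mechanism-specific settings are wrapped as opaque keys, keys are combined into chains, a chain is itself wrapped as a key for the next semantic layer, and the local access policy layer unwraps the chain back into per-mechanism settings only when a role bound to a workflow step requests it. The mechanism names, paths, roles and workflow step are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Key:
    """A leaf key carries one mechanism's settings; a chain key wraps other keys."""
    name: str
    mechanism: str = ""                          # non-empty for a leaf key
    settings: dict = field(default_factory=dict) # opaque to the semantic layers
    chain: list = field(default_factory=list)    # non-empty for an encapsulated chain

def mechanism_key(name, mechanism, **settings):
    """Mechanism layer: encapsulate application-specific settings as a key."""
    return Key(name, mechanism=mechanism, settings=settings)

def encapsulate(name, keys):
    """Combine keys into a key chain and wrap it as one key for the next layer,
    so that layer sees a single named key and none of the mechanism detail."""
    return Key(name, chain=list(keys))

def translate(key):
    """Local access policy layer: unwrap nested chains into the concrete
    (mechanism, settings) pairs that are exported to each enforcement point."""
    if key.mechanism:
        return [(key.mechanism, key.settings)]
    return [pair for inner in key.chain for pair in translate(inner)]

@dataclass
class WorkflowPolicy:
    """Access control policy for one workflow class: step -> (roles, key chain)."""
    steps: dict = field(default_factory=dict)

    def bind(self, step, roles, key):
        self.steps[step] = (set(roles), key)

    def enforce(self, step, user_roles):
        """Return the mechanism settings to apply when one of the user's roles is
        bound to the step; an empty list means the step is denied."""
        roles, key = self.steps.get(step, (set(), None))
        if key is None or not roles & set(user_roles):
            return []
        return translate(key)

# Constructed sample: two mechanisms feeding two semantic policy layers.
FILE_KEY = mechanism_key("claims-dir", "posix_acl", path="/data/claims", mode="rw")
DB_KEY = mechanism_key("claims-table", "sql_grant", table="claims", privilege="UPDATE")
REVIEW_CHAIN = encapsulate("review-access", [FILE_KEY, DB_KEY])  # first semantic layer
DEPT_CHAIN = encapsulate("claims-dept", [REVIEW_CHAIN])          # second semantic layer
POLICY = WorkflowPolicy()
POLICY.bind("review_claim", roles={"adjuster"}, key=DEPT_CHAIN)  # step <-> role <-> chain

if __name__ == "__main__":
    print(POLICY.enforce("review_claim", ["adjuster"]))  # both mechanisms' settings
    print(POLICY.enforce("review_claim", ["clerk"]))     # [] : denied
```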
15 Claims
1. In a networked computer system having a workflow management system and a central policy management system, a method of operating the networked computer system to control workflow, comprising:
creating, by the workflow management system, a workflow class definition;
exporting, by the workflow management system, the workflow class definition to the central policy management system;
creating, within the central policy management system, an access control policy for the workflow class;
binding resources and roles to steps within the central policy management system, including:
encapsulating security mechanism application specific information for each security mechanism, wherein encapsulating includes forming a key for each security mechanism;
combining keys to form at least portions of policy as key chains in one or more semantic policy layers;
associating workflow steps with the key chains;
encapsulating key chains as keys and passing the key chain keys from a first semantic policy layer to a second semantic policy layer;
importing a key chain from the second semantic policy layer to a local access policy layer; and
enforcing the access control policy on the computer via the security mechanisms;
creating, by the workflow management system, a workflow instance in both the workflow management system and the central policy management system; and
executing the workflow instance within a computer.
Dependent claims: 2, 3, 4, 5.

6. An article comprising a non-transitory computer readable medium having instructions thereon, wherein the instructions, when executed in a computer, create a system for executing the method comprising:
creating a workflow class definition;
exporting the workflow class definition to the central policy management system;
binding resources and roles to steps within the central policy management system;
encapsulating security mechanism application specific information for each security mechanism, wherein encapsulating includes forming a key for each security mechanism;
combining keys to form key chains;
associating workflow steps with the key chains;
encapsulating key chains as keys and passing the key chain keys from a first semantic layer to a second semantic layer;
importing a key chain from the second semantic layer to a local access policy layer; and
enforcing the access control policy on the computer via the security mechanisms;
creating a workflow instance in both the workflow management system and the central policy management system; and
executing the workflow instance.

7. A workflow control system, comprising:
a workflow management system; and
a central policy management system;
wherein the workflow management system is configured to create a workflow class definition and export the workflow class definition to the central policy management system; and
wherein the central policy management system is configured to:
encapsulate security mechanism application specific information for each security mechanism, including forming a key for each security mechanism;
combine keys into key chains to form at least portions of policy as key chains in one or more semantic policy layers;
associate workflow steps with the key chains; and assign roles to the workflow steps;
encapsulate key chains as keys and pass the key chain keys from a first semantic policy layer to a second semantic policy layer;
import a key chain from the second semantic policy layer to a local access policy layer; and
enforce the local access policy via the security mechanisms.
Dependent claims: 8, 9, 10, 11.

12. An apparatus comprising:
a network interface;
a first processing unit communicatively coupled to the interface, wherein the first processing unit is configured to implement a workflow manager; and
a second processing unit communicatively coupled to the interface and remote from the workflow manager, wherein the second processing unit is configured to implement a central policy management system,
wherein the workflow manager creates a workflow class definition and exports the workflow class definition to the remote central policy management system that is configured to bind resources and roles to workflow steps, and
wherein the central policy management system is configured to:
encapsulate security mechanism application specific information for each security mechanism, including forming a key for each security mechanism;
combine keys into key chains to form at least portions of policy as key chains in one or more semantic policy layers;
associate workflow steps with the key chains; and assign roles to the workflow steps;
encapsulate key chains as keys and pass the key chain keys from a first semantic policy layer to a second semantic policy layer;
import a key chain from the second semantic policy layer to a local access policy layer; and
enforce the local access policy via the security mechanisms.
Dependent claims: 13, 14, 15.
Specification