Method and system for assigning access control levels in providing access to networked content files

US 8,352,606 B2
Filed: 09/23/2011
Issued: 01/08/2013
Est. Priority Date: 09/30/2004
Status: Active Grant

First Claim

Patent Images

1. An intermediary device between a server and a client node, for granting the client node access to resources, the intermediary device comprising:

a first module initiating information gathering on a client node via a collection agent responsive to a request from the client node to access a resource;

a first component of a policy engine receiving the gathered information and generating a dataset comprising a plurality of identifiers, each of the plurality of identifiers identifying a respective condition satisfied by the gathered information;

a second component of the policy engine granting one of a plurality of levels of access to the client node for accessing the resource, responsive to application of a policy to the generated dataset; and

a transformation server receiving the request for the resource from the policy engine, and in response to the one of the plurality of levels of access granted, transforming the contents of the resource from a native format to a second format, and presenting the transformed contents of the resource to the client node.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for assigning access control levels when granting access to resources includes a client node, a collection agent, and a policy engine. The client node requests access to a resource. The collection agent gathers information about the client node. The policy engine receives the gathered information and assigns one of a plurality of levels of access responsive to application of a policy to the received information and transmits the information.

332 Citations

34 Claims

1. An intermediary device between a server and a client node, for granting the client node access to resources, the intermediary device comprising:
- a first module initiating information gathering on a client node via a collection agent responsive to a request from the client node to access a resource;
  
  a first component of a policy engine receiving the gathered information and generating a dataset comprising a plurality of identifiers, each of the plurality of identifiers identifying a respective condition satisfied by the gathered information;
  
  a second component of the policy engine granting one of a plurality of levels of access to the client node for accessing the resource, responsive to application of a policy to the generated dataset; and
  
  a transformation server receiving the request for the resource from the policy engine, and in response to the one of the plurality of levels of access granted, transforming the contents of the resource from a native format to a second format, and presenting the transformed contents of the resource to the client node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The intermediary device of claim 1, wherein the policy engine further comprises a database storing configurable policies.
  - 3. The intermediary device of claim 1, wherein the policy engine determines that the client node does not satisfy a condition responsive to the application of a condition policy to the received information, and updates the client node to allow a level of access to the resource responsive to the determination.
  - 4. The intermediary device of claim 1, wherein the intermediary resides on a firewall.
  - 5. The intermediary device of claim 1, wherein a system administrator configures policies in the intermediary to provide a level of access control rights to the client node.
  - 6. The intermediary device of claim 1 wherein the first module communicates instructions to the collection agent determining the type of information the collection agent gathers.
  - 7. The intermediary device of claim 1, wherein the policy engine communicates a policy determination to a firewall.
  - 8. The intermediary device of claim 1, wherein the policy engine communicates the assigned level of access to a firewall to provide the assigned level of access to the client node.
  - 9. The intermediary device of claim 1, further comprising an access control server providing authentication and authorization services for the request to access a resource.
  - 10. The intermediary device of claim 1, wherein the intermediary communicates with an access control server providing authentication and authorization services for the request to access a resource.
  - 11. The intermediary device of claim 9, wherein the access control server provides the assigned level of access to the client node.
  - 12. The intermediary device of claim 1, wherein the first module transmits the collection agent to the client node.
  - 13. The intermediary device of claim 12, wherein the first module transmits the collection agent for execution on the client node.
  - 14. The intermediary device of claim 12, wherein the first module transmits the collection agent as at least one script.
  - 15. The intermediary device of claim 12, wherein the first module transmits the collection agent as bytecode.
  - 16. The intermediary device of claim 12, wherein the policy engine communicates the assigned level of access to a proxy to provide the assigned level of access to the client node.
  - 17. The intermediary device of claim 12, wherein the first module receives, from the collection agent, a request for instructions to identify the type of information the collection agent gathers.
  - 18. The intermediary device of claim 12, wherein the first module receives information about the client node, said information residing on a server.
  - 19. The intermediary device of claim 18, wherein the first module receives information comprising HTTP headers, a network zone of the client node, or a method of authentication used by the client node.
  - 20. The intermediary device of claim 12, wherein the first module receives information comprising a machine ID of the client node, MAC addresses of installed network cards, an operating system type, existence of a patch to an operating system, existence of a virus scanner, or existence of a firewall.
  - 21. The intermediary device of claim 1, wherein the first module receives information comprising an HTTP header, a watermark on the client device, or membership in an Active Directory.

22. A method of granting, by an intermediary between a server and a client node, access to resources, the method comprising:
- (a) initiating, by an intermediary device, information gathering on a client node by a collection agent in response to a request from the client node for access to a resource;
  
  (b) receiving, by a first component of a policy engine of the intermediary device, the gathered information about the client node;
  
  (c) generating, by the first component, a dataset comprising a plurality of identifiers, each of the plurality of identifiers identifying a respective condition satisfied by the gathered information(d) granting, by a second component of the policy engine, one of a plurality of levels of access to the client node for accessing the resource, responsive to application of a policy to the generated dataset; and
  
  (e) transforming, by a transformation server of the intermediary device in response to the one of the plurality of levels of access granted, the contents of the resource from a native format to a second format for presentation to the client node.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 23. The method of claim 22, wherein step (a) further comprises initiating the information gathering over a network connection.
  - 24. The method of claim 22, wherein step (b) further comprises receiving the information over a network connection.
  - 25. The method of claim 22, wherein step (a) further comprises initiating the information gathering by transmitting a collection agent to the client node.
  - 26. The method of claim 22, wherein step (d) further comprises determining if the received information satisfies a condition.
  - 27. The method of claim 26, further comprising authenticating credentials included in the received information.
  - 28. The method of claim 26, wherein step (d) further comprises making an access control decision by applying a policy to the condition.
  - 29. The method of claim 22, wherein step (b) comprises receiving, by an access control server in communication with the intermediary, the gathered information.
  - 30. The method of claim 22, further comprising determining that the client node does not satisfy a condition, and updating the client node to allow a level of access to the resource responsive to the determination.
  - 31. The method of claim 22, wherein step (d) further comprises communicating the assigned level of access to a firewall for providing the assigned level of access to the client node.
  - 32. The method of claim 22, wherein step (d) further comprises communicating the assigned level of access to a proxy for providing the assigned level of access to the client node.
  - 33. The method of claim 22, wherein step (d) further comprises communicating, via an SSL VPN, the assigned level of access to one of a firewall and a proxy.
  - 34. The method of claim 22, wherein step (d) further comprises providing authentication and authorization services, via an access control server in communication with the intermediary device, for the request to access the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Braddy, Ricky Gene, Simmons, Timothy Ernest, Cockerill, Aaron David
Primary Examiner(s)
WINDER, PATRICE L

Application Number

US13/243,402
Publication Number

US 20120017001A1
Time in Patent Office

473 Days
Field of Search

709217-219, 709/225, 709/229, 709/246
US Class Current

709/225
CPC Class Codes

G06F 16/88   Mark-up to mark-up conversi...

G06F 16/9535   Search customisation based ...

G06F 21/10   Protecting distributed prog...

G06F 21/6218   to a system of files or obj...

G06Q 30/0601   Electronic shopping [e-shop...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04W 4/18   Information format or conte...

Method and system for assigning access control levels in providing access to networked content files

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

332 Citations

34 Claims

Specification

Use Cases

Quick Links

Others

Method and system for assigning access control levels in providing access to networked content files

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

332 Citations

34 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others