Policy based, delegated limited network access management

US 8,453,198 B2
Filed: 12/27/2007
Issued: 05/28/2013
Est. Priority Date: 12/27/2007
Status: Active Grant

First Claim

Patent Images

1. A method of policy-based, delegated network access management, comprising:

for each discovered access control entry (ACE) sequence of a plurality of discovered ACE sequences, during a discovery process;

determining whether the discovered ACE sequence is stored in a legacy profile or associated with legacy profiles by an access control list (ACL) reference;

assigning to the discovered ACE sequence a network access role (NAR) determined by whether the discovered ACE sequence matches, either exactly, partially, or not at all, an existing NAR, and whether the discovered ACE sequence is a valid expression;

during a policy establishment process;

establishing one or more policies to manage one or more user groups based upon the NARs discovered and assigned to ACE sequences during the discovery process;

a network access administrator delegating management of the one or more user groups and the one or more established policies to one or more resource access administrators responsible for administering the one or more user groups and the one or more policies; and

during a delegated provisioning process;

the one or more resource access administrators administering network access by allocating NARs that have been approved by the network access administrator.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Policy-based, delegated limited network access management places day-to-day control of network access in the hands of authorized users, referred to as resource access administrators, selected for their business knowledge and ability to respond quickly to business events. Resource access administrators have the ability to respond, in the form of access decisions proposed by individuals with knowledge or, or responsibility for business processes and business partner relationships and shaped and pre-approved by network security specialists, referred to as network access administrators. This approach, therefore, reduces the cost, complexity, and delay (latency) associated with managing external network access without compromising network security.

75 Citations

View as Search Results

14 Claims

1. A method of policy-based, delegated network access management, comprising:
- for each discovered access control entry (ACE) sequence of a plurality of discovered ACE sequences, during a discovery process;
  
  determining whether the discovered ACE sequence is stored in a legacy profile or associated with legacy profiles by an access control list (ACL) reference;
  
  assigning to the discovered ACE sequence a network access role (NAR) determined by whether the discovered ACE sequence matches, either exactly, partially, or not at all, an existing NAR, and whether the discovered ACE sequence is a valid expression;
  
  during a policy establishment process;
  
  establishing one or more policies to manage one or more user groups based upon the NARs discovered and assigned to ACE sequences during the discovery process;
  
  a network access administrator delegating management of the one or more user groups and the one or more established policies to one or more resource access administrators responsible for administering the one or more user groups and the one or more policies; and
  
  during a delegated provisioning process;
  
  the one or more resource access administrators administering network access by allocating NARs that have been approved by the network access administrator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the NARS approved by the network access administrator are stored within a network access manager (NAM).
  - 3. The method of claim 1, further comprising updating stored ACLs to reflect changes made to the NARs, the one or more policies, and the one or more user groups by the resource access administrator.
  - 4. The method of claim 3, further comprising the NAM storing the updated stored ACLs in user profiles stored in a firewall.
  - 5. The method of claim 1, for the discovery process further comprising:
    - determining for each discovered access control entry (ACE) sequence of the plurality of discovered ACE sequences whether the discovered ACE sequence matches an existing NAR;
      
      if the discovered ACE sequence matches the existing NAR, assigning the existing NAR to one or more users having a profile that contains the discovered ACE sequence;
      
      if the discovered ACE sequence does not match the existing NAR, further comprising;
      
      determining whether the discovered ACE sequence at least partially matches the existing NAR;
      
      if the discovered ACE sequence at least partially matches the existing NAR, presenting to the network access administrator the partial match and the network access administrator performing a partial match action;
      
      if the discovered ACE sequence does not at least partially match the existing NAR, performing one or more of proposing to the network access administrator a new NAR and determining whether the discovered ACE sequence is a valid expression.
  - 6. The method of claim 5, further comprising storing results of the discovery process in a workspace.
  - 7. The method of claim 6, further comprising generating an audit record from the results stored in the workspace of the NAM.
  - 8. The method of claim 5, wherein if the discovered ACE sequence at least partially matches the existing NAR, the discovered ACE sequence is a partial match and further comprising presenting to the network access administrator a match ratio and a number of profiles in which the discovered ACE sequence occurs.
  - 9. The method of claim 5, wherein the partial match action comprising one or more of creating a new NAR using the partial match, standardizing permissions associated with an existing NAR by assigning the partial match to all users having profiles comprising the partial match, and taking no action with the partial match.
  - 10. The method of claim 5, wherein if the discovered ACE sequence does not at least partially match the existing NAR, communicating to the network access administrator the number of times the new NAR occurs within user profiles of the one or more user groups.
  - 11. The method of claim 5, wherein if the discovered ACE sequence does not at least partially match the existing NAR, further comprising the network access administrator performing a no match action.
  - 12. The method of claim 1, wherein during the policy establishment process further comprising:
    - determining whether members of a user group, of the one or more user groups, each having a profile, share a NAR assignment and a NAR as reflected in their profiles;
      
      if members of the user group do not share a NAR assignment and a NAR, the network access manager performing an exception action;
      
      creating a new directory group corresponding to the user group;
      
      establishing one or more policies capable of managing the new directory group based upon the NARs discovered and assigned to users of the user group during the discovery process;
      
      the network access manager delegating management of the user group to the one or more resource access administrators.
  - 13. The method of claim 1, wherein the one or more resource access administrators comprise one or more group administrators and one or more policy administrators and wherein during the delegated provisioning process further comprise:
    - the one or more group administrators providing group membership updates to a management tool to administer the one or more user groups;
      
      the one or more policy administrators providing access policy updates to a network access manager (NAM) to create and maintain policies of the one or more user groups;
      
      the management tool and the NAM sending group membership and access policy updates to a repository;
      
      the repository sending user and group data to the NAM;
      
      the NAM sending profiles having ACL references of the plurality of user of the one or more user groups to the repository.
  - 14. The method of claim 13, the NAM sending ACL updates to a firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Band, Iver E., Rao, Prasad V., Huang, Peter An-Ping, Howe, William G.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
TRUVAN, LEYNNA THANH

Application Number

US11/965,262
Publication Number

US 20090172789A1
Time in Patent Office

1,979 Days
Field of Search

726/1, 726/2, 726 4- 6, 726/12, 726/17, 726/18, 726 27- 30, 713/154, 713/159, 713/164, 713/166, 713/185, 711/100, 711/163, 705/53, 705/56, 707/609, 707/672, 707/673, 707/705, 707/741, 707/758, 707783-785, 707/830, 709/202, 709/223, 709/225, 709/229
US Class Current

726/1
CPC Class Codes

G06F 21/604 Tools and structures for ma...

H04L 63/10 for controlling access to d...

Policy based, delegated limited network access management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

75 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Policy based, delegated limited network access management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others