Enforcing universal access control in an information management system
Abstract
A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and control document access and application usage, covering direct user document accesses, application usage, and document accesses made by application programs, by evaluating the rules sent to the policy enforcer. The rule server decides which rules each policy enforcer requires. A policy enforcer can also perform obligation and remediation operations as part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating the policies they have already received, when communication with the rule server has been discontinued.
20 Claims
1. A method of controlling document access using managed rules, the method comprising:
distributing a first plurality of rules to a client system from a rule database, wherein rules of the rule database comprise a conditional statement having a policy abstraction and a corresponding action that will be performed when the conditional statement is satisfied, and each policy abstraction has a corresponding definition statement stored separately from the rule, wherein the first plurality of rules distributed to the client system contains at least one expression used by the client system to perform access control for documents accessed by the client system and the at least one expression results in an allow, deny, or delegate consequence, and wherein the client system rule distributing step dynamically selects the first plurality of rules for the client system, wherein the dynamic selection of the first plurality of rules is based on a document accessible at the client system; and
distributing a second plurality of rules to a server from the rule database, wherein the second plurality of rules distributed to the server contains at least one expression used by the server to perform access control for documents stored on the server, wherein the server rule distributing step dynamically selects the second plurality of rules for the server, and wherein rules in the rule database are maintained by a rule server.
(Dependent claims 2-8 not shown.)
9. A method of controlling document access comprising:
providing a first server comprising a plurality of rules stored in a server rule database, wherein each rule comprises a logical expression having a rule element and a corresponding action that will be performed when the logical expression is satisfied;
distributing a first subset of the plurality of rules to a first client from the server rule database, wherein the first subset of the plurality of rules distributed to the first client contains at least one logical expression having a rule element and a corresponding action used by the first client to perform access control for documents accessed by the first client;
distributing a second subset of the plurality of rules to a second client from the server rule database, wherein the second subset is different from the first subset, and the second subset of the plurality of rules distributed to the second client contains at least one logical expression having a rule element and a corresponding action used by the second client to perform access control for documents accessed by the second client;
receiving an indication that a policy enforcer program is not active on the second client;
detecting an attempt by an application program on the second client to access a first document;
based on the received indication that the policy enforcer program is not active on the second client, at the first server, evaluating at least one rule from the second subset of the plurality of rules distributed to the second client to determine whether or not to allow the access attempt of the first document;
when the at least one rule from the second subset is satisfied, allowing the access attempt;
when the at least one rule from the second subset is not satisfied, disallowing the access attempt;
receiving an indication from the first client that a policy enforcer program is active on the first client;
detecting an attempt by an application program on the first client to access a second document; and
based on the received indication from the first client that the policy enforcer program is active on the first client, at the first client, evaluating at least one rule from the first subset of the plurality of rules distributed to the first client to determine whether or not to allow the access attempt of the second document;
when the at least one rule from the first subset is satisfied, allowing the access attempt; and
when the at least one rule from the first subset is not satisfied, disallowing the access attempt.
(Dependent claims 10-14 not shown.)
15. A method of controlling document access comprising:
providing a first server comprising a plurality of rules stored in a server rule database, wherein each rule comprises a logical expression having a rule element and a corresponding action that will be performed when the logical expression is satisfied;
distributing a first subset of the plurality of rules to a first client from the server rule database, wherein the first subset of the plurality of rules distributed to the first client contains at least one logical expression having a rule element and a corresponding action used by the first client to perform access control for documents accessed by the first client;
distributing a second subset of the plurality of rules to a second client from the server rule database, wherein the second subset of the plurality of rules distributed to the second client contains at least one logical expression having a rule element and a corresponding action used by the second client to perform access control for documents accessed by the second client;
receiving an indication from the second client that a policy enforcer program is not active on the second client;
detecting an attempt by an application program on the second client to access a first document;
based on the received indication from the second client that the policy enforcer program is not active on the second client, disallowing the access attempt;
receiving an indication from the first client that a policy enforcer program is active on the first client;
detecting an attempt by an application program on the first client to access a second document; and
based on the received indication from the first client that the policy enforcer program is active on the first client, at the first client, evaluating at least one rule from the first subset of the plurality of rules distributed to the first client to determine whether or not to allow the access attempt of the second document;
when the at least one rule from the first subset is satisfied, allowing the access attempt; and
when the at least one rule from the first subset is not satisfied, disallowing the access attempt.
(Dependent claims 16-20 not shown.)
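The following Python model is an added illustration of the mechanism in claims 1, 9 and 15; it is not code from the patent or its assignee, and the rule syntax, policy abstraction definitions, document classes, client names and sample requests are all assumptions made for the example. It shows rules whose conditional statement names a policy abstraction defined separately from the rule, a rule server that selects a different rule subset per client from the documents present there, a client enforcer whose evaluation yields allow, deny or delegate and that keeps a snapshot so it can decide with the server unreachable, and a `deny_when_inactive` switch contrasting the claim 9 behaviour (the server evaluates the absent enforcer's subset) with the claim 15 behaviour (the attempt is refused outright).

```python
"""Toy model of centrally managed document-access rules (added illustration,
not the patent's or assignee's code; all names and sample data are assumed)."""
from dataclasses import dataclass
from typing import Callable

ALLOW, DENY, DELEGATE = "allow", "deny", "delegate"
Predicate = Callable[[dict], bool]


@dataclass(frozen=True)
class Rule:
    """Conditional statement (a named policy abstraction) plus the action taken
    when it is satisfied. The abstraction's definition is held by RuleServer,
    apart from the rule, so it can change without re-issuing rules."""
    abstraction: str
    action: str
    doc_class: str  # document class the rule governs; drives rule selection


@dataclass(frozen=True)
class Document:
    name: str
    doc_class: str


def evaluate(rules: list, definitions: dict, ctx: dict, skip: tuple = ()) -> str:
    """First satisfied rule for the document's class decides. A missing
    abstraction definition, or no satisfied rule, fails closed to DENY."""
    for rule in rules:
        if rule.doc_class != ctx["document"].doc_class or rule.action in skip:
            continue
        predicate = definitions.get(rule.abstraction)
        if predicate is None:
            return DENY
        if predicate(ctx):
            return rule.action
    return DENY


class RuleServer:
    def __init__(self, deny_when_inactive: bool):
        # False: claim 9 style, server evaluates the client's distributed subset
        # when that client's enforcer is down. True: claim 15 style, refuse.
        self.deny_when_inactive = deny_when_inactive
        self.definitions: dict = {}
        self.rules: list = []
        self.distributed: dict = {}      # client id -> rules sent to it
        self.enforcer_active: dict = {}  # client id -> last reported state

    def select_rules(self, client_id: str, documents: list) -> list:
        """Dynamically pick the subset relevant to documents at that client."""
        classes = {d.doc_class for d in documents}
        subset = [r for r in self.rules if r.doc_class in classes]
        self.distributed[client_id] = subset
        return subset

    def decide(self, client_id: str, ctx: dict) -> str:
        """Server-side decision: for a request delegated by a live enforcer, or
        for a client whose enforcer reported inactive."""
        if self.enforcer_active.get(client_id, False):
            # The server cannot delegate further, so DELEGATE rules are ignored.
            return evaluate(self.rules, self.definitions, ctx, skip=(DELEGATE,))
        if self.deny_when_inactive:
            return DENY
        return evaluate(self.distributed.get(client_id, []), self.definitions,
                        ctx, skip=(DELEGATE,))


class PolicyEnforcer:
    """Client-side enforcer holding a snapshot of rules and definitions so it
    can decide autonomously if the rule server becomes unreachable."""
    def __init__(self, client_id: str, server: RuleServer, documents: list):
        self.client_id, self.server = client_id, server
        self.rules = server.select_rules(client_id, documents)
        self.definitions = dict(server.definitions)
        server.enforcer_active[client_id] = True

    def check(self, ctx: dict) -> str:
        result = evaluate(self.rules, self.definitions, ctx)
        return self.server.decide(self.client_id, ctx) if result == DELEGATE else result


def build_server(deny_when_inactive: bool) -> RuleServer:
    srv = RuleServer(deny_when_inactive)
    srv.definitions.update({  # assumed policy abstraction definitions
        "on_corp_network": lambda c: c["network"] == "corp",
        "offsite": lambda c: c["network"] != "corp",
        "manager_approved": lambda c: c.get("approval") is True,
        "anyone": lambda c: True,
    })
    srv.rules += [
        Rule("on_corp_network", ALLOW, "confidential"),
        Rule("offsite", DELEGATE, "confidential"),     # hand off to the server
        Rule("manager_approved", ALLOW, "confidential"),
        Rule("anyone", ALLOW, "public"),
    ]
    return srv


DESIGN = Document("design.docx", "confidential")  # constructed sample documents
README = Document("readme.txt", "public")


def demo(deny_when_inactive: bool = False) -> dict:
    srv = build_server(deny_when_inactive)
    eng = PolicyEnforcer("eng-laptop", srv, [DESIGN, README])  # receives 4 rules
    kiosk = PolicyEnforcer("lobby-kiosk", srv, [README])       # receives 1 rule
    srv.enforcer_active["lobby-kiosk"] = False  # kiosk reports its enforcer down
    req = lambda doc, net, **kw: {"user": "alice", "document": doc, "network": net, **kw}
    return {
        "rules_per_client": (len(eng.rules), len(kiosk.rules)),
        "eng_on_corp": eng.check(req(DESIGN, "corp")),
        "eng_offsite_approved": eng.check(req(DESIGN, "home", approval=True)),
        "eng_offsite_unapproved": eng.check(req(DESIGN, "home")),
        "kiosk_public": srv.decide("lobby-kiosk", req(README, "corp")),
        "kiosk_confidential": srv.decide("lobby-kiosk", req(DESIGN, "corp")),
    }
```

The case worth checking in any real deployment is the enforcer-down path: an attacker who can stop the client-side enforcer must gain nothing, which is why both claimed variants route that case to the server or to a refusal rather than letting the application proceed. The model also fails closed when a rule references an abstraction whose definition was never distributed, a plausible state when definitions and rules are updated on separate schedules.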