Enforcing security policies across heterogeneous systems
First Claim
1. A method for enforcing a universal security policy across a plurality of data management systems, the universal security policy comprising a plurality of universal security rules describing relationships among users and resources, each of the plurality of data management systems having a security component for enforcing local security rules in the associated data management system, comprising:
receiving information about the security components of the plurality of data management systems;
for each of the plurality of data management systems;
translating at least one of the universal security rules into local security rules based on the received information, the local security rules being compatible with the security component of the data management system, the local security rules being equivalent to the at least one of the universal security rules, and transmitting the local security rules to the data management system, wherein the security component of the data management system enforces the local security rules in the data management system to restrict users from accessing resources available in the data management system;
monitoring, by a computer, user activities occurring in the plurality of data management systems;
responsive to a determination that an activity occurred in one of the plurality of data management systems changing a local security rule to permit a user to access a first resource that the user was restricted from accessing, modifying one or more of the plurality of universal security rules to reflect the change to the local security rule, wherein the change to the one or more universal security rules permits the user to access the first resource that the user was restricted from accessing prior to the change to the local security rule;
following modification of the one or more universal security rules to permit the user to access the first resource, identifying a second resource, wherein a user having access to the first resource is restricted from accessing the second resource;
modifying at least one of the plurality of universal security rules to restrict the user from accessing the second resource based at least in part on the modification of the one or more universal security rules permitting the user to access the first resource; and
for each of the plurality of data management systems;
translating the modified one or more universal security rules permitting the user to access the first resource and the modified at least one universal security rule restricting the user from accessing the second resource into modified local security rules; and
transmitting the modified local security rules to the data management system, wherein the security component of the data management system enforces the modified local security rules in the data management system.
5 Assignments
0 Petitions
Abstract
A system, method, and computer program product enforce a universal security policy across several systems. In one embodiment, the system comprises a translation module that translates the universal security policy into local security rules enforceable by the security components of the several systems. The system also comprises a policy pushing module that transmits the translated local security rules to each of the several systems. Further, the system can include an analysis module for detecting local security rules in the several systems that are inconsistent with the universal security policy.
100 Citations
18 Claims
11. A method for enforcing a universal security policy across a plurality of data management systems, the universal security policy describing access rights of entities to resources, each of the plurality of data management systems having a security component for enforcing local security rules consistent with the universal security policy in the associated data management system, comprising:
receiving information about the security components of the plurality of data management systems;
for each of the plurality of data management systems;
translating the universal security policy into local security rules based on the received information, the local security rules being compatible with the security component of the data management system and consistent with the universal security policy, and transmitting the local security rules to the data management system, wherein the security component of the data management system enforces the local security rules in the data management system to restrict users from accessing resources available in the data management system;
identifying a modification of local security rules of a data management system of the plurality of data management systems, the modification permitting a user to access a first resource;
determining, by a computer, whether the modified local security rules are consistent with the universal security policy;
responsive to determining that the modified local security rules are inconsistent with the universal security policy, undoing the identified modification; and
responsive to determining that the modified local security rules are consistent with the universal security policy;
modifying the universal security policy based on the modified local security rules, wherein the modification to the universal security policy permits the user to access the first resource;
following modification of the universal security policy to permit the user to access the first resource, identifying a second resource, wherein a user having access to the first resource is restricted from accessing the second resource;
modifying the universal security policy to restrict the user from accessing the second resource based at least in part on the modification of the universal security policy permitting the user to access the first resource; and
for each of the plurality of data management systems;
translating the modified universal security policy into local security rules permitting the user to access the first resource and restricting the user from accessing the second resource; and
transmitting the modified local security rules to the data management system, wherein the security component of the data management system enforces the modified local security rules in the data management system.
16. A computer program product for use in conjunction with a computer system, the computer program product comprising a non-transitory computer readable storage medium and a computer program mechanism embedded therein for enforcing a universal security policy across a plurality of data management systems, the universal security policy comprising a plurality of universal security rules describing relationships among users and resources, each of the plurality of data management systems having a security component for enforcing local security rules in the associated data management system, the computer program mechanism comprising instructions for:
receiving information about the security components of the plurality of data management systems;
for each of the plurality of data management systems;
translating at least one of the universal security rules into local security rules based on the received information, the local security rules being compatible with the security component of the data management system and consistent with the universal security policy, and transmitting the local security rules to the data management system, wherein the security component of the data management system enforces the local security rules in the data management system to restrict users from accessing resources available in the data management system;
monitoring user activities and local security rule modifications occurring in the plurality of data management systems;
responsive to a determination that an activity occurred in one of the plurality of data management systems changing a local security rule to permit a user to access a first resource that the user was restricted from accessing, modifying one or more of the plurality of universal security rules to reflect the change to the local security rule, wherein the change to the one or more universal security rules permits the user to access the first resource;
following modification of the one or more universal security rules to permit the user to access the first resource, identifying a second resource, wherein a user having access to the first resource is restricted from accessing the second resource;
modifying at least one of the plurality of universal security rules to restrict the user from accessing the second resource based at least in part on the modification of the one or more universal security rules permitting the user to access the first resource; and
for each of the plurality of data management systems;
translating the modified one or more universal security rules permitting the user to access the first resource and the modified at least one universal security rule restricting the user from accessing the second resource into modified local security rules; and
transmitting the modified local security rules to the data management system, wherein the security component of the data management system enforces the modified local security rules in the data management system.
17. A method for enforcing a universal security policy across a plurality of data management systems, the universal security policy comprising a plurality of universal security rules describing relationships among users and resources, each of the plurality of data management systems having a security component for enforcing local security rules in the associated data management system, comprising:
receiving information about the security components of the plurality of data management systems;
for each of the plurality of data management systems;
translating at least one of the universal security rules into local security rules based on the received information, the local security rules being compatible with the security component of the data management system and consistent with the universal security policy, and transmitting the local security rules to the data management system, wherein the security component of the data management system enforces the local security rules in the data management system to restrict users from accessing resources available in the data management system;
monitoring user activities and local security rule modifications occurring in the plurality of data management systems;
responsive to a determination that a modified local security rule is inconsistent with the universal security policy, restoring the modified local security rule to a prior state; and
responsive to a determination that an activity occurred in one of the plurality of data management systems changing a local security rule to permit a user to access a first resource that the user was restricted from accessing;
modifying one or more of the plurality of universal security rules to reflect the change to the local security rule, wherein the change to the one or more universal security rules permits the user to access the first resource;
following modification of the one or more universal security rules to permit the user to access the first resource, identifying a second resource, wherein a user having access to the first resource is restricted from accessing the second resource;
modifying at least one of the plurality of universal security rules to restrict the user from accessing the second resource based at least in part on the modification of the one or more universal security rules permitting the user to access the first resource; and
for each of the plurality of data management systems;
translating the modified one or more universal security rules permitting the user to access the first resource and the modified at least one universal security rule restricting the user from accessing the second resource into modified local security rules; and
transmitting the modified local security rules to the data management system, wherein the security component of the data management system enforces the modified local security rules in the data management system.
18. A non-transitory computer-readable storage medium storing executable computer program instructions for enforcing a universal security policy across a plurality of data management systems, the universal security policy comprising a plurality of universal security rules describing relationships among users and resources, each of the plurality of data management systems having a security component for enforcing local security rules in the associated data management system, the executable computer program instructions comprising:
instructions for receiving information about the security components of the plurality of data management systems;
instructions for translating, for each of the plurality of data management systems, at least one of the universal security rules into local security rules based on the received information, the local security rules being compatible with the security component of the data management system and consistent with the universal security policy, and transmitting the local security rules to the data management system, wherein the security component of the data management system enforces the local security rules in the data management system to restrict users from accessing resources available in the data management system;
instructions for monitoring user activities and local security rule modifications occurring in the plurality of data management systems;
instructions for restoring, responsive to a determination that a modified local security rule is inconsistent with the universal security policy, the modified local security rule to a prior state; and
instructions for, responsive to a determination that an activity occurred in one of the plurality of data management systems changing a local security rule to permit a user to access a first resource that the user was restricted from accessing;
modifying one or more of the plurality of universal security rules to reflect the change to the local security rule, wherein the change to the one or more universal security rules permits the user to access the first resource;
following modification of the one or more universal security rules to permit the user to access the first resource, identifying a second resource, wherein a user having access to the first resource is restricted from accessing the second resource;
modifying at least one of the plurality of universal security rules to restrict the user from accessing the second resource based at least in part on the modification of the one or more universal security rules permitting the user to access the first resource; and
for each of the plurality of data management systems;
translating the modified one or more universal security rules permitting the user to access the first resource and the modified at least one universal security rule restricting the user from accessing the second resource into modified local security rules; and
transmitting the modified local security rules to the data management system, wherein the security component of the data management system enforces the modified local security rules in the data management system.
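The procedure that claims 1, 11, 17 and 18 describe in legal language (translate a universal policy into each system's native rule format, push it, monitor out-of-band local changes, revert the ones that conflict with the universal policy, absorb the consistent ones and compensate with a restriction on an excluded second resource) is modelled below as an added Python example. It is not code from the patent or its assignee. Everything in it is an assumption: the two simulated systems (an ACL-list system and a role-membership system), the representation of the universal policy as grant pairs, hard-deny pairs and mutually exclusive resource pairs, the rule that a local grant contradicting a hard deny is "inconsistent" and reverted while any other local grant is absorbed, and the constructed users and resources.

```python
"""Toy model of universal-policy enforcement across heterogeneous systems.

Constructed example (not the patent's implementation): a universal policy is
translated into the native rule format of two simulated systems, local
changes are monitored, inconsistent changes are reverted, and consistent
ones are absorbed and compensated with a restriction on an excluded resource.
"""
from dataclasses import dataclass, field


@dataclass
class UniversalPolicy:
    grants: set = field(default_factory=set)       # (user, resource) pairs allowed
    hard_denies: set = field(default_factory=set)  # (user, resource) pairs that may never be granted
    exclusions: set = field(default_factory=set)   # (a, b): access to one forbids the other

    def allows(self, user, resource):
        return (user, resource) in self.grants and (user, resource) not in self.hard_denies


class AclSystem:
    """Simulated system whose native rules are per-resource user lists (assumed format)."""
    def __init__(self, resources):
        self.acl = {r: set() for r in resources}

    def describe(self):                      # the "information about the security component"
        return {"kind": "acl", "resources": set(self.acl)}

    def push(self, local_rules):
        self.acl = {r: set(u) for r, u in local_rules.items()}

    def snapshot(self):
        return {r: set(u) for r, u in self.acl.items()}


class RoleSystem:
    """Simulated system whose native rules are role memberships, one role per resource."""
    def __init__(self, resources):
        self.roles = {f"role_{r}": set() for r in resources}

    def describe(self):
        return {"kind": "role", "resources": {k[len("role_"):] for k in self.roles}}

    def push(self, local_rules):
        self.roles = {role: set(u) for role, u in local_rules.items()}

    def snapshot(self):
        return {role: set(u) for role, u in self.roles.items()}


def translate(policy, info):
    """Translate the universal policy into the rule format described by `info`."""
    rules = {}
    for r in info["resources"]:
        users = {u for (u, res) in policy.grants if res == r and policy.allows(u, r)}
        rules[r if info["kind"] == "acl" else f"role_{r}"] = users
    return rules


def local_to_pairs(info, snapshot):
    """Normalise a system snapshot back into (user, resource) pairs for comparison."""
    pairs = set()
    for key, users in snapshot.items():
        resource = key if info["kind"] == "acl" else key[len("role_"):]
        pairs |= {(u, resource) for u in users}
    return pairs


class PolicyEngine:
    def __init__(self, policy, systems):
        self.policy, self.systems, self.log = policy, systems, []
        self.info = [s.describe() for s in systems]
        self.push_all()

    def push_all(self):
        for s, info in zip(self.systems, self.info):
            s.push(translate(self.policy, info))

    def reconcile(self):
        """Monitor each system; revert inconsistent grants, absorb consistent ones."""
        for s, info in zip(self.systems, self.info):
            expected = local_to_pairs(info, translate(self.policy, info))
            actual = local_to_pairs(info, s.snapshot())
            for user, first in actual - expected:          # grants added out-of-band
                if (user, first) in self.policy.hard_denies:
                    self.log.append(("reverted", user, first))   # push_all restores prior state
                    continue
                self.policy.grants.add((user, first))
                self.log.append(("absorbed", user, first))
                for pair in self.policy.exclusions:          # identify the excluded second resource
                    if first in pair:
                        second = pair[1] if pair[0] == first else pair[0]
                        self.policy.hard_denies.add((user, second))
                        self.policy.grants.discard((user, second))
                        self.log.append(("restricted", user, second))
        self.push_all()                                      # re-translate and transmit to every system
        return self.log


def run_scenario():
    """Constructed scenario: one out-of-band grant is inconsistent, one is consistent."""
    policy = UniversalPolicy(
        grants={("alice", "payroll"), ("bob", "ledger"), ("carol", "audit")},
        hard_denies={("bob", "payroll")},
        exclusions={("payroll", "audit")},
    )
    acl, roles = AclSystem(["payroll", "audit"]), RoleSystem(["ledger", "payroll"])
    engine = PolicyEngine(policy, [acl, roles])
    acl.acl["payroll"] |= {"bob", "carol"}   # a local administrator edits the ACL system directly
    engine.reconcile()
    return engine, acl, roles
```

In the scenario, bob's local grant to payroll contradicts a hard deny and is reverted on the next push; carol's grant is absorbed into the universal policy, which then restricts her from the excluded audit resource and propagates the payroll grant to the role-based system as well. The decision of what counts as "inconsistent" is the part a real deployment has to define carefully; here it is simply the hard-deny list.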
Specification