Method and system for dynamically implementing an enterprise resource policy

DC CAFC

US 8,560,836 B2
Filed: 02/11/2010
Issued: 10/15/2013
Est. Priority Date: 01/09/2003
Status: Expired due to Fees

- Alert
- Pin

First Claim

Patent Images

1. A method to process authenticated user requests to access resources, the method comprising:

receiving from a user a request to perform an action on a resource;

receiving, by a server, a rule associated with the action, wherein the server comprises a processor and operatively associated memory, and wherein the rule indicates conditions under which a request to perform the action on the resource should be granted;

determining a plurality of attributes required to evaluate the rule;

classifying at least a portion of the plurality of attributes by connector, wherein each connector is in communication with an associated remote data source comprising values for attributes classified with the connector;

for a first portion of the plurality of attributes classified with a first connector;

for each of the first portion of the plurality of attributes, determining whether an attribute value for the attribute is present at the server;

generating a first connector request, wherein the first connector request comprises each of the first portion of the plurality of attributes that lacks an attribute value at the server; and

requesting attribute values for each attribute included in the first connector request, wherein the requesting takes place via the first connector and is directed to the remote data source associated with the first connector;

evaluating, by the server, the user request to determine whether the user is authorized to perform the action on the resource, wherein the evaluating comprises applying the rule considering the values for the plurality of attributes; and

returning an authorization decision.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

A rules evaluation engine that controls user'"'"'s security access to enterprise resources that have policies created for them. This engine allows real time authorization process to be performed with dynamic enrichment of the rules if necessary. Logging, alarm and administrative processes for granting or denying access to the user are also realized. The access encompasses computer and physical access to information and enterprise spaces.

177 Citations

24 Claims

1. A method to process authenticated user requests to access resources, the method comprising:
- receiving from a user a request to perform an action on a resource;
  
  receiving, by a server, a rule associated with the action, wherein the server comprises a processor and operatively associated memory, and wherein the rule indicates conditions under which a request to perform the action on the resource should be granted;
  
  determining a plurality of attributes required to evaluate the rule;
  
  classifying at least a portion of the plurality of attributes by connector, wherein each connector is in communication with an associated remote data source comprising values for attributes classified with the connector;
  
  for a first portion of the plurality of attributes classified with a first connector;
  
  for each of the first portion of the plurality of attributes, determining whether an attribute value for the attribute is present at the server;
  
  generating a first connector request, wherein the first connector request comprises each of the first portion of the plurality of attributes that lacks an attribute value at the server; and
  
  requesting attribute values for each attribute included in the first connector request, wherein the requesting takes place via the first connector and is directed to the remote data source associated with the first connector;
  
  evaluating, by the server, the user request to determine whether the user is authorized to perform the action on the resource, wherein the evaluating comprises applying the rule considering the values for the plurality of attributes; and
  
  returning an authorization decision.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising, for a second portion of the plurality of attributes classified with a second connector:
    - for each of the second portion of the plurality of attributes, determining whether an attribute value for the attribute is present at the server;
      
      generating a second connector request wherein the second connector request comprises each of the second portion of the plurality of attributes that lacks an attribute value at the server; and
      
      requesting attribute values for each attribute included in the second connector request, wherein the requesting takes place via the second connector and is directed to the remote data source associated with the second connector.
  - 3. The method of claim 1, further comprising tracking each user request.
  - 4. The method of claim 1, wherein the resource is a part of a resource hierarchy, and wherein the rule associated with the action is inherited from an ancestor of the resource within the resource hierarchy.
  - 5. The method of claim 1, further comprising authenticating an identity of the user.
  - 6. The method of claim 1, wherein the evaluating further comprises applying the rule considering all attribute values required by the rule.
  - 7. The method of claim 1, wherein the rule is expressed in a machine-independent rules modeling language.
  - 8. The method of claim 1, wherein a value for at least one of the first portion of the plurality of attributes is present at the server.
  - 9. The method of claim 1, further comprising logging the request to perform an action on a resource.
  - 10. The method of claim 1, further comprising generating an alarm upon the occurrence of an alarm event.
  - 11. The method of claim 1, wherein the resources are selected from the group consisting of physical resources, information resources and online resources.

12. A computer system to process authenticated user requests to access resources, the system comprising at least one computer device comprising a processor and operatively associated memory, wherein the memory comprises instructions that, when executed by the at least one computer device, cause the at least one computer device to:
- receive from a user a request to perform an action on a resource;
  
  receive a rule associated with the action, wherein the rule indicates conditions under which a request to perform the action on the resource should be granted;
  
  determine a plurality of attributes required to evaluate the rule;
  
  classify at least a portion of the plurality of attributes by connector, wherein each connector is in communication with an associated remote data source comprising values for attributes classified with the connector;
  
  for a first portion of the plurality of attributes classified with a first connector;
  
  for each of the first portion of the plurality of attributes, determine whether an attribute value for the attribute is present at a server;
  
  generate a first connector request, wherein the first connector request comprises each of the first portion of the plurality of attributes that lacks an attribute value at the server; and
  
  request attribute values for each attribute included in the first connector request, wherein the requesting takes place via the first connector and is directed to the remote data source associated with the first connector;
  
  evaluate the user request to determine whether the user is authorized to perform the action on the resource, wherein the evaluating comprises applying the rule considering the values for the plurality of attributes; and
  
  return an authorization decision.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, wherein the memory further comprises instructions that, when executed by the at least one computer device, cause the at least one computer device to:
    - for each of the second portion of the plurality of attributes, determine whether an attribute value for the attribute is present at the server;
      
      generate a second connector request, wherein the second connector request comprises each of the second portion of the plurality of attributes that lacks an attribute value at the server; and
      
      request attribute values for each attribute included in the second connector request, wherein the requesting takes place via the second connector and is directed to the remote data source associated with the second connector.
  - 14. The system of claim 12, wherein the memory further comprises instructions that, when executed by the at least one computer device, cause the at least one computer device to log each user request.
  - 15. The system of claim 12, wherein the resource is a part of a resource hierarchy, and wherein the rule associated with the action is inherited from an ancestor of the resource within the resource hierarchy.
  - 16. The system of claim 12, wherein the memory further comprises instructions that, when executed by the at least one computer device, cause the at least one computer device to authenticate an identity of the user.
  - 17. The system of claim 12, wherein the evaluating further comprises applying the rule considering all attribute values required by the rule.
  - 18. The system of claim 12, wherein the rule is expressed in a machine-independent rules modeling language.
  - 19. The system of claim 12, wherein a value for at least one of the first portion of the plurality of attributes is present at the server.
  - 20. The system of claim 12, wherein the resources are selected from the group consisting of physical resources, information resources and online resources.

21. A method to process authenticated user requests to access resources, the method comprising:
- receiving from a user a request to perform an action on a resource;
  
  receiving a rule associated with the action, wherein the rule indicates conditions under which a request to perform the action on the resource should be granted;
  
  determining a plurality of attributes required to evaluate the rule;
  
  for each of the plurality of attributes, determining whether an attribute value for the attribute must be requested;
  
  generating a request for at least a portion of the attribute values that must be requested, wherein the at least a portion of the attribute values that must be requested are associated with a remote data source comprising values for each of the at least a portion of the attribute values that must be requested;
  
  requesting attribute values included in the request for at least a portion of the attribute values that must be requested, wherein the requesting is directed to the remote data source comprising values for each of the at least a portion of the attribute values that must be requested;
  
  evaluating, by a server, the user request to perform an action on a resource to determine whether the user is authorized to perform the action on the resource, wherein the evaluating comprises applying the rule considering the values for the plurality of attributes; and
  
  returning an authorization decision.
- View Dependent Claims (22, 23, 24)
- - 22. The method of claim 21, further comprising:
    - classifying, by connector, the at least a portion of the plurality of attributes for which attribute values must be requested, wherein each connector is in communication with an associated remote data source comprising values for attributes classified with the connector, andwherein the request for at least a portion of the attribute values that must be requested is a first connector request associated with the at least a portion of the attribute values that must be requested classified with a first connector.
  - 23. The method of claim 21, wherein the requesting takes place via a first connector request and is directed to the remote data source associated with the first connector.
  - 24. The method of claim 22, further comprising, for a second portion of the plurality of attributes for which attribute values must be requested classified with a second connector:
    - for each of the second portion of the plurality of attributes, determining whether an attribute value for the attribute must be requested;
      
      generating a second connector request wherein the second connector request comprises at least a portion of the second attribute values that must be requested; and
      
      requesting attribute values for each second attribute values included in the second connector request, wherein the requesting takes place via the second connector and is directed to the remote data source associated with the second connector.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Jericho Systems Corporation
Inventors
Roegner, Michael W.
Primary Examiner(s)
ARMOUCHE, HADI S

Application Number

US12/658,421
Publication Number

US 20100161967A1
Time in Patent Office

1,342 Days
Field of Search

726/1, 726/4
US Class Current

713/155
CPC Class Codes

G06F 16/22   Indexing; Data structures t...

G06F 21/6218   to a system of files or obj...

H04L 63/02   for separating internal fro...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Method and system for dynamically implementing an enterprise resource policy

First Claim

2 Assignments

Litigations

0 Petitions

Accused Products

Abstract

177 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for dynamically implementing an enterprise resource policy

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

177 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links