Method and system for dynamically implementing an enterprise resource policy
First Claim
1. A method to process authenticated user requests to access resources, the method comprising:
receiving from a user a request to perform an action on a resource;
receiving, by a server, a rule associated with the action, wherein the server comprises a processor and operatively associated memory, and wherein the rule indicates conditions under which a request to perform the action on the resource should be granted;
determining a plurality of attributes required to evaluate the rule;
classifying at least a portion of the plurality of attributes by connector, wherein each connector is in communication with an associated remote data source comprising values for attributes classified with the connector;
for a first portion of the plurality of attributes classified with a first connector;
for each of the first portion of the plurality of attributes, determining whether an attribute value for the attribute is present at the server;
generating a first connector request, wherein the first connector request comprises each of the first portion of the plurality of attributes that lacks an attribute value at the server; and
requesting attribute values for each attribute included in the first connector request, wherein the requesting takes place via the first connector and is directed to the remote data source associated with the first connector;
evaluating, by the server, the user request to determine whether the user is authorized to perform the action on the resource, wherein the evaluating comprises applying the rule considering the values for the plurality of attributes; and
returning an authorization decision.
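The following is an added example, not code from the patent or its assignee, showing one way to implement the steps of claim 1: look up the rule for the action, determine the attributes it needs, classify them by connector, send each connector a single request containing only the attributes the server lacks, evaluate the rule, and return (and log) the decision. Every rule, user, connector name and data source here is constructed for illustration, and the engine fails closed when a rule is missing, an attribute has no connector, or a data source cannot supply a value.

```python
"""Added example (not the patent's own code): an authorization engine that
follows the steps of claim 1, evaluating a rule after fetching, through each
connector, only the attribute values the server lacks. All rules, users,
connectors and data sources below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# Constructed remote data sources, each reached through one connector.
HR_DIRECTORY = {
    "alice": {"department": "finance", "clearance": "high"},
    "bob": {"department": "sales", "clearance": "low"},
}
BADGE_SYSTEM = {"alice": {"on_site": True}, "bob": {"on_site": False}}


def hr_fetch(user: str, attrs: list[str]) -> dict:
    """Connector to the HR directory: return only the attributes it holds."""
    record = HR_DIRECTORY.get(user, {})
    return {a: record[a] for a in attrs if a in record}


def badge_fetch(user: str, attrs: list[str]) -> dict:
    """Connector to the physical-access badge system."""
    record = BADGE_SYSTEM.get(user, {})
    return {a: record[a] for a in attrs if a in record}


CONNECTORS: dict[str, Callable[[str, list[str]], dict]] = {
    "hr": hr_fetch, "badge": badge_fetch}
# Classification of attributes by connector (claim 1's "classifying ... by connector").
ATTRIBUTE_CONNECTOR = {"department": "hr", "clearance": "hr", "on_site": "badge"}


@dataclass(frozen=True)
class Rule:
    action: str
    resource: str
    required: tuple[str, ...]            # attributes required to evaluate the rule
    predicate: Callable[[dict], bool]    # conditions under which the action is granted


RULES = [
    Rule("read", "ledger", ("department", "clearance", "on_site"),
         lambda a: a["department"] == "finance" and a["clearance"] == "high"
         and a["on_site"] is True),
]


@dataclass
class Decision:
    permitted: bool
    reason: str
    # connector name -> attributes requested from it; one request per connector
    requests: dict[str, list[str]] = field(default_factory=dict)


def authorize(user: str, action: str, resource: str, local_values: dict,
              audit_log: list | None = None) -> Decision:
    """Process an authenticated user's request and return an authorization
    decision.  Every failure path denies, so a missing rule, an unclassified
    attribute or an unreachable data source never grants access."""
    values = dict(local_values)          # attribute values already present at the server
    requests: dict[str, list[str]] = {}

    def finish(permitted: bool, reason: str) -> Decision:
        decision = Decision(permitted, reason, requests)
        if audit_log is not None:        # logging of grant/deny, as the abstract describes
            audit_log.append((user, action, resource, permitted, reason))
        return decision

    rule = next((r for r in RULES if r.action == action and r.resource == resource), None)
    if rule is None:
        return finish(False, "no rule for this action on this resource")
    # Group the attributes lacking a value at the server by connector, so each
    # remote data source receives a single request for only what is missing.
    for attr in rule.required:
        if attr in values:
            continue
        connector = ATTRIBUTE_CONNECTOR.get(attr)
        if connector is None:
            return finish(False, f"attribute {attr!r} is not classified with any connector")
        requests.setdefault(connector, []).append(attr)
    for connector, attrs in requests.items():
        values.update(CONNECTORS[connector](user, attrs))
    unresolved = [a for a in rule.required if a not in values]
    if unresolved:
        return finish(False, f"data sources returned no value for {unresolved}")
    try:
        permitted = bool(rule.predicate(values))
    except Exception as exc:             # malformed attribute value: fail closed
        return finish(False, f"rule evaluation failed: {exc!r}")
    return finish(permitted, "rule evaluated")


if __name__ == "__main__":
    log: list = []
    print(authorize("alice", "read", "ledger", {"department": "finance"}, log))
    print(authorize("bob", "read", "ledger", {}, log))
    print(log)
```

The `requests` field of the returned `Decision` makes the batching visible: when `department` is already present at the server, the HR connector is asked only for `clearance` and the badge connector only for `on_site`, and when every value is local no connector is contacted at all. The audit list stands in for the logging and alarm processes the abstract mentions; a production engine would write those records to a tamper-evident log.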
Abstract
A rules evaluation engine that controls a user's security access to enterprise resources for which policies have been created. The engine allows a real-time authorization process to be performed, with dynamic enrichment of the rules when necessary. Logging, alarm and administrative processes for granting or denying access to the user are also realized. The access encompasses both computer access to information and physical access to enterprise spaces.
24 Claims
1. A method to process authenticated user requests to access resources (independent claim; its full text is given above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A computer system to process authenticated user requests to access resources, the system comprising at least one computer device comprising a processor and operatively associated memory, wherein the memory comprises instructions that, when executed by the at least one computer device, cause the at least one computer device to:
receive from a user a request to perform an action on a resource;
receive a rule associated with the action, wherein the rule indicates conditions under which a request to perform the action on the resource should be granted;
determine a plurality of attributes required to evaluate the rule;
classify at least a portion of the plurality of attributes by connector, wherein each connector is in communication with an associated remote data source comprising values for attributes classified with the connector;
for a first portion of the plurality of attributes classified with a first connector;
for each of the first portion of the plurality of attributes, determine whether an attribute value for the attribute is present at a server;
generate a first connector request, wherein the first connector request comprises each of the first portion of the plurality of attributes that lacks an attribute value at the server; and
request attribute values for each attribute included in the first connector request, wherein the requesting takes place via the first connector and is directed to the remote data source associated with the first connector;
evaluate the user request to determine whether the user is authorized to perform the action on the resource, wherein the evaluating comprises applying the rule considering the values for the plurality of attributes; and
return an authorization decision.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20.

21. A method to process authenticated user requests to access resources, the method comprising:
receiving from a user a request to perform an action on a resource;
receiving a rule associated with the action, wherein the rule indicates conditions under which a request to perform the action on the resource should be granted;
determining a plurality of attributes required to evaluate the rule;
for each of the plurality of attributes, determining whether an attribute value for the attribute must be requested;
generating a request for at least a portion of the attribute values that must be requested, wherein the at least a portion of the attribute values that must be requested are associated with a remote data source comprising values for each of the at least a portion of the attribute values that must be requested;
requesting attribute values included in the request for at least a portion of the attribute values that must be requested, wherein the requesting is directed to the remote data source comprising values for each of the at least a portion of the attribute values that must be requested;
evaluating, by a server, the user request to perform an action on a resource to determine whether the user is authorized to perform the action on the resource, wherein the evaluating comprises applying the rule considering the values for the plurality of attributes; and
returning an authorization decision.
Dependent claims: 22, 23, 24.
Specification