Enforcing policy-based application and access control in an information management system

US 8,595,788 B2
Filed: 10/30/2007
Issued: 11/26/2013
Est. Priority Date: 12/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

controlling usage, at a client system, of an application program, wherein the controlling step limits the application program'"'"'s operational functionality in accordance to at least one rule stored on the client system, andwherein the at least one rule contains at least one expression used by the controlling step to control application program operation;

controlling access, at a server, to documents,wherein the controlling step limits document access operation in accordance to at least one rule stored on the server, andwherein the at least one rule contains at least one expression used by the controlling step to control document access operation;

detecting at least one low-level operation on a first document managed by the server associated with a first application program operation from a first application executing on the client system;

intercepting the at least one low-level operation to prevent the at least one low-level operation from executing;

collecting at the client system information on the first application program operation;

receiving at the server collected information on the first application executing on the client system;

evaluating at the server whether to allow the first application program operation at the client system based on the collected information on the first application and the first application program operation;

receiving a first indication at the client system, to allow the intercepted at least one low-level operation; and

after receiving the first indication, releasing at the client system the intercepted at least one low-level operation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server.

Citations

44 Claims

1. A method comprising:
- controlling usage, at a client system, of an application program, wherein the controlling step limits the application program'"'"'s operational functionality in accordance to at least one rule stored on the client system, andwherein the at least one rule contains at least one expression used by the controlling step to control application program operation;
  
  controlling access, at a server, to documents,wherein the controlling step limits document access operation in accordance to at least one rule stored on the server, andwherein the at least one rule contains at least one expression used by the controlling step to control document access operation;
  
  detecting at least one low-level operation on a first document managed by the server associated with a first application program operation from a first application executing on the client system;
  
  intercepting the at least one low-level operation to prevent the at least one low-level operation from executing;
  
  collecting at the client system information on the first application program operation;
  
  receiving at the server collected information on the first application executing on the client system;
  
  evaluating at the server whether to allow the first application program operation at the client system based on the collected information on the first application and the first application program operation;
  
  receiving a first indication at the client system, to allow the intercepted at least one low-level operation; and
  
  after receiving the first indication, releasing at the client system the intercepted at least one low-level operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 2. A method of claim 1 further comprising:
    - detecting application program operation within the application program.
  - 3. A method of claim 1 further comprising:
    - detecting application program operation within the client system'"'"'s operating system.
  - 4. A method of claim 1 wherein the controlling step at the client system queries a user for input to obtain information for evaluating rules pertaining to a selected application program operation.
  - 5. A method of claim 1 wherein the controlling step at the client system performs an action as specified in the evaluated at least one rule in response to a selected application program operation.
  - 6. A method of claim 1 wherein a rule applies to at least one particular operation within the application program.
  - 7. A method of claim 1 wherein the controlling step evaluates rules using information based on any combination of:
    - type of or computing environment, user, user group, role of a user, a user'"'"'s business function, host, type of computer, group of computers, application program, type of application program, application module, geographic location, connectivity, bandwidth, time of day, day of the week, file path, file name, document size, document timestamp, document owner, document properties, historical data from previous or computing environments, document type, document format, document classification, document characteristics, document content, element in a database query, element in a database query result set, attribute of a database query result set, attribute of a database, or metadata.
  - 8. A method of claim 1 wherein the controlling step at the client system monitors operations of a plurality of application programs on the client system.
  - 9. A method of claim 1 wherein the controlling step at the client system monitors operations of an operating system on the client system.
  - 10. A method of claim 1 wherein a set of default rules is installed on the client system.
  - 11. A method of claim 1 wherein at least a subset of rules stored on the client system is preinstalled on the client system.
  - 12. A method of claim 1 wherein at least a subset of rules stored on the client system is dynamically updated from a central rule database across a computer network.
  - 13. A method of claim 1 further comprising:
    - detecting document access operation within an application program on the server.
  - 14. A method of claim 1 further comprising:
    - detecting document access operation within the server'"'"'s operating system.
  - 15. A method of claim 1 wherein the document access operation includes any of:
    - opening a file, writing a file, deleting a file, changing file permission, changing file attribute, opening an e-mail message in a mail store, deleting an e-mail message in a mail store, retrieving a document from a document management system, storing a document into a document management system, or any access operation to a document repository.
  - 16. A method of claim 1 wherein the controlling step at the server performs an action as specified in the evaluated at least one rule in response to a selected document access operation.
  - 17. A method of claim 1 wherein the controlling step at the server monitors operations of a plurality of application programs on the server.
  - 18. A method of claim 1 wherein the controlling step at the server monitors operations of the server'"'"'s operating system.
  - 19. A method of claim 1 wherein at least a subset of rules stored on the server is preinstalled on the server.
  - 20. A method of claim 1 wherein at least a subset of rules stored on the server is dynamically updated from a central rule database across a computer network.
  - 21. The method of claim 1 wherein the at least one rule stored on the client system includes a policy abstraction that has a corresponding definition statement stored separately from the at least one rule.
  - 22. The method of claim 21 wherein the controlling usage, at a client system, of an application program, comprises receiving the policy abstraction evaluated by the at least one rule stored on the client system.
  - 23. The method of claim 1 wherein the controlling usage, at a client system, of an application program is executed as a module on the client system, separate from the application program.
  - 24. The method of claim 23 wherein the module is executing on the client system before the application program executes on the client system program.
  - 25. The method of claim 23 wherein the module is executing on the client system after the application program has completed execution on the client system.
  - 26. The method of claim 1 wherein the at least one rule stored on the server includes a policy abstraction that has a corresponding definition statement stored separately from the at least one rule.
  - 27. The method of claim 26 wherein the controlling access, at a server, to documents, comprises receiving a policy abstraction evaluated by the at least one rule stored on the server.
  - 28. The method of claim 1 wherein the controlling step is transparent to the application program.
  - 29. The method of claim 1 wherein the collected information on the first application executing on the client system is a file identifier based on the first document.
  - 30. The method of claim 1 wherein the collected information on the first application executing on the client system is an application program identifier.
  - 31. The method of claim 1 wherein the collecting at the client system information is executed after the intercepting the at least one low-level operation.
  - 32. The method of claim 1 wherein before the detecting, the first application program operation is on the first document stored at the client.
  - 33. The method of claim 1 wherein before the detecting, the first application program operation is on the first document stored at the server, not at the client.
  - 34. The method of claim 1 comprising:
    - intercepting a second application program operation at the client system; and
      
      preventing the second application program operation at the client system.
  - 35. The method of claim 34 wherein the first application program operation comprises an open operation for the first document and the second application program operation comprises an edit operation for the first document.
  - 36. The method of claim 1 comprising:
    - preventing the first application program operation from executing the at least one low-level operation; and
      
      generating an error status indication at the client system.

37. An apparatus comprising:
- a module for controlling usage, at a client system, of an application program, wherein the module is stored in a hardware memory,wherein the controlling module limits the application program'"'"'s operational functionality in accordance to at least one rule stored on the client system, andwherein the at least one rule contains at least one expression used by the controlling module to control application program operation;
  
  a module for controlling access, at a server, to documents,wherein the controlling module limits document access operation in accordance to at least one rule stored on the server, andwherein the at least one rule contains at least one expression used by the controlling module to control document access operation; and
  
  a module for applying consequences on the client system,wherein at least one low-level operation on a first document managed by the server associated with a first application program operation from a first application executing on the client system,wherein the client system collects information on the first application program operation,wherein the consequence module receives the collected information on the first application executing on the client system,wherein the consequence module evaluates whether to allow the first application program operation at the client system based on the collected information on the first application;
  
  wherein the client system receives a first indication to allow the at least one low-level operation, andwherein the at least one low-level operation is released.
- View Dependent Claims (38, 39)
- - 38. The apparatus of claim 37 wherein the detecting at least one low-level operation occurs at the computer system.
  - 39. The apparatus of claim 37 wherein the detecting at least one low-level operation occurs at a server.

40. A method of controlling application usage and document access in a plurality of computers using centrally managed rules, the method comprising:
- controlling usage of an application program on a computer system,wherein the at least one rule comprises a first expression used by the controlling usage step to control application program operation;
  
  controlling, on a computer system, access to documents,wherein the controlling access step limits the document access operation in accordance with the at least one rule stored on the computer system,wherein the at least one rule comprises a second expression used by the controlling access step to control access to documents, andwherein when a user requests access to a selected document, the computer system evaluates the at least one rule stored at the computer system to allow or deny access to the selected document;
  
  at the computer system, detecting at least one low-level operation on a first document associated with a first application program operation from a first application executing on the computer system;
  
  intercepting the at least one low-level operation to prevent the at least one low-level operation from executing;
  
  collecting at the computer system information on the first application program operation;
  
  evaluating whether to allow the first application program operation at the computer system based on the collected information on the first application;
  
  receiving a first indication at the computer system, to allow the intercepted at least one low-level operation; and
  
  after receiving the first indication, releasing at the computer system the intercepted at least one low-level operation.
- View Dependent Claims (41, 42, 43)
- - 41. The method of claim 40 wherein the at least one rule comprises a first rule comprising the first expression and a second rule comprising the second expression.
  - 42. The method of claim 40 wherein the at least one rule comprises a first rule comprising the first expression and the second expression.
  - 43. The method of claim 40 wherein the first application program operation is a save operation.

44. A method of controlling application usage and document access in a plurality of computers using centrally managed rules, the method comprising:
- controlling usage of an application program on a computer system,wherein the controlling usage step limits the application program'"'"'s operational functionality in accordance with a rule stored on the computer system,andwherein the rule comprises an expression used by the controlling usage step to control application program operation;
  
  controlling, on a computer system, access to documents,wherein the controlling access step limits the document access operation in accordance with the rule stored on the computer system, andwherein the expression of the rule is used by the controlling access step to control access to documents;
  
  detecting at least one low-level operation on a first document associated with a first application program operation from a first application executing on a first computer system;
  
  intercepting the at least one low-level operation to prevent the at least one low-level operation from executing;
  
  collecting at the first computer system information on the first application program operation;
  
  evaluating whether to allow the first application program operation at the first computer system based on the collected information on the first application;
  
  receiving a first indication at the first computer system to allow the intercepted at least one low-level operation; and
  
  after receiving the first indication, releasing at the first computer system the intercepted at least one low-level operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nextlabs
Original Assignee
Nextlabs
Inventors
Lim, Keng
Primary Examiner(s)
Zee, Edward
Assistant Examiner(s)
To, Baotran N

Application Number

US11/928,493
Publication Number

US 20080066148A1
Time in Patent Office

2,219 Days
Field of Search

726/1, 726/2, 726/26, 726/27, 726/29, 707/999.009, 707/783
US Class Current

726/1
CPC Class Codes

G06Q 10/10   Office automation; Time man...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

Enforcing policy-based application and access control in an information management system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing policy-based application and access control in an information management system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links