Enforcing policy-based application and access control in an information management system
First Claim
1. A method comprising:
- controlling usage, at a client system, of an application program, wherein the controlling step limits the application program'"'"'s operational functionality in accordance to at least one rule stored on the client system, andwherein the at least one rule contains at least one expression used by the controlling step to control application program operation;
controlling access, at a server, to documents,wherein the controlling step limits document access operation in accordance to at least one rule stored on the server, andwherein the at least one rule contains at least one expression used by the controlling step to control document access operation;
detecting at least one low-level operation on a first document managed by the server associated with a first application program operation from a first application executing on the client system;
intercepting the at least one low-level operation to prevent the at least one low-level operation from executing;
collecting at the client system information on the first application program operation;
receiving at the server collected information on the first application executing on the client system;
evaluating at the server whether to allow the first application program operation at the client system based on the collected information on the first application and the first application program operation;
receiving a first indication at the client system, to allow the intercepted at least one low-level operation; and
after receiving the first indication, releasing at the client system the intercepted at least one low-level operation.
1 Assignment
0 Petitions
Accused Products
Abstract
A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server.
-
Citations
44 Claims
-
1. A method comprising:
-
controlling usage, at a client system, of an application program, wherein the controlling step limits the application program'"'"'s operational functionality in accordance to at least one rule stored on the client system, and wherein the at least one rule contains at least one expression used by the controlling step to control application program operation; controlling access, at a server, to documents, wherein the controlling step limits document access operation in accordance to at least one rule stored on the server, and wherein the at least one rule contains at least one expression used by the controlling step to control document access operation; detecting at least one low-level operation on a first document managed by the server associated with a first application program operation from a first application executing on the client system; intercepting the at least one low-level operation to prevent the at least one low-level operation from executing; collecting at the client system information on the first application program operation; receiving at the server collected information on the first application executing on the client system; evaluating at the server whether to allow the first application program operation at the client system based on the collected information on the first application and the first application program operation; receiving a first indication at the client system, to allow the intercepted at least one low-level operation; and after receiving the first indication, releasing at the client system the intercepted at least one low-level operation. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
-
-
37. An apparatus comprising:
-
a module for controlling usage, at a client system, of an application program, wherein the module is stored in a hardware memory, wherein the controlling module limits the application program'"'"'s operational functionality in accordance to at least one rule stored on the client system, and wherein the at least one rule contains at least one expression used by the controlling module to control application program operation; a module for controlling access, at a server, to documents, wherein the controlling module limits document access operation in accordance to at least one rule stored on the server, and wherein the at least one rule contains at least one expression used by the controlling module to control document access operation; and a module for applying consequences on the client system, wherein at least one low-level operation on a first document managed by the server associated with a first application program operation from a first application executing on the client system, wherein the client system collects information on the first application program operation, wherein the consequence module receives the collected information on the first application executing on the client system, wherein the consequence module evaluates whether to allow the first application program operation at the client system based on the collected information on the first application; wherein the client system receives a first indication to allow the at least one low-level operation, and wherein the at least one low-level operation is released. - View Dependent Claims (38, 39)
-
-
40. A method of controlling application usage and document access in a plurality of computers using centrally managed rules, the method comprising:
-
controlling usage of an application program on a computer system, wherein the at least one rule comprises a first expression used by the controlling usage step to control application program operation; controlling, on a computer system, access to documents, wherein the controlling access step limits the document access operation in accordance with the at least one rule stored on the computer system, wherein the at least one rule comprises a second expression used by the controlling access step to control access to documents, and wherein when a user requests access to a selected document, the computer system evaluates the at least one rule stored at the computer system to allow or deny access to the selected document; at the computer system, detecting at least one low-level operation on a first document associated with a first application program operation from a first application executing on the computer system; intercepting the at least one low-level operation to prevent the at least one low-level operation from executing; collecting at the computer system information on the first application program operation; evaluating whether to allow the first application program operation at the computer system based on the collected information on the first application; receiving a first indication at the computer system, to allow the intercepted at least one low-level operation; and after receiving the first indication, releasing at the computer system the intercepted at least one low-level operation. - View Dependent Claims (41, 42, 43)
-
-
44. A method of controlling application usage and document access in a plurality of computers using centrally managed rules, the method comprising:
-
controlling usage of an application program on a computer system, wherein the controlling usage step limits the application program'"'"'s operational functionality in accordance with a rule stored on the computer system, and wherein the rule comprises an expression used by the controlling usage step to control application program operation; controlling, on a computer system, access to documents, wherein the controlling access step limits the document access operation in accordance with the rule stored on the computer system, and wherein the expression of the rule is used by the controlling access step to control access to documents; detecting at least one low-level operation on a first document associated with a first application program operation from a first application executing on a first computer system; intercepting the at least one low-level operation to prevent the at least one low-level operation from executing; collecting at the first computer system information on the first application program operation; evaluating whether to allow the first application program operation at the first computer system based on the collected information on the first application; receiving a first indication at the first computer system to allow the intercepted at least one low-level operation; and after receiving the first indication, releasing at the first computer system the intercepted at least one low-level operation.
-
Specification