Method and apparatus for policy-based network access control with arbitrary network access control frameworks
First Claim
1. A system comprising:
- at least one device including a hardware processor;
- the system being configured to perform operations comprising:
  - receiving a first request;
  - determining a first set of one or more attributes in a first framework-specific representation based on the first request;
  - translating the first set of attributes from the first framework-specific representation to a canonical representation;
  - applying policy rules to the first set of attributes in the canonical representation to determine whether to grant the first request;
  - receiving a second request;
  - determining a second set of one or more attributes in a second framework-specific representation based on the second request, the second framework-specific representation being different than the first framework-specific representation;
  - wherein at least one of the second set of one or more attributes is associated with a backend service and/or a backend server;
  - translating the second set of attributes from the second framework-specific representation to the canonical representation;
  - applying policy rules to the second set of attributes in the canonical representation to determine whether to grant the second request.
Abstract
A method and apparatus for integrating various network access control frameworks under the control of a single policy decision point (PDP). The apparatus supports pluggable protocol terminators that interface to any number of access protocols or backend support services. The apparatus contains Trust and Identity Mediators that mediate between the protocol terminators and a canonical policy subsystem, translating attributes between framework-specific representations and a canonical representation using extensible, data-driven dictionaries.
10 Claims
1. A system comprising: the elements recited under First Claim above. Dependent claims: 2, 3, 4, 5.

6. A non-transitory computer readable medium comprising instructions which, when executed by one or more processors, cause performance of:
- receiving a first request;
- determining a first set of one or more attributes in a first framework-specific representation based on the first request;
- translating the first set of attributes from the first framework-specific representation to a canonical representation;
- applying policy rules to the first set of attributes in the canonical representation to determine whether to grant the first request;
- receiving a second request;
- determining a second set of one or more attributes in a second framework-specific representation based on the second request, the second framework-specific representation being different than the first framework-specific representation;
- wherein at least one of the second set of one or more attributes is associated with a backend service and/or a backend server;
- translating the second set of attributes from the second framework-specific representation to the canonical representation;
- applying policy rules to the second set of attributes in the canonical representation to determine whether to grant the second request.

Dependent claims: 7, 8, 9, 10.
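The abstract and the independent claims describe one policy decision point fed by attribute sets in different framework-specific representations, each translated through a data-driven dictionary into a canonical representation before a single rule set is applied. The Python below is an added example, not the patent's own code or any product's implementation: it implements that flow end to end for two hypothetical frameworks, "fw-aaa" (attribute-value pairs from an access-layer protocol) and "fw-backend" (attributes returned by a backend service lookup). All framework names, attribute names, dictionary entries, policy rules and sample requests are constructed for illustration.

```python
"""Added example: one PDP, two framework representations, one canonical vocabulary.
Framework names, attributes, rules and sample requests are constructed (hypothetical)."""
from dataclasses import dataclass, field
from typing import Any, Callable


@dataclass(frozen=True)
class FrameworkProfile:
    """Data-driven dictionary for one framework: framework attribute name ->
    (canonical name, value converter), plus canonical defaults the framework implies."""
    dictionary: dict[str, tuple[str, Callable[[Any], Any]]]
    defaults: dict[str, Any] = field(default_factory=dict)


# Extensible dictionaries: adding a third framework means adding an entry here,
# not touching the policy rules, which see only canonical names.
PROFILES: dict[str, FrameworkProfile] = {
    "fw-aaa": FrameworkProfile(
        dictionary={
            "User-Name": ("subject.id", str.lower),
            "Group-List": ("subject.groups", lambda v: frozenset(v.split(";"))),
            "NAS-Port-Id": ("resource.id", str),
            "Calling-Station-Id": ("network.source", str),
        },
        defaults={"action": "connect"},  # an access request is always a "connect"
    ),
    "fw-backend": FrameworkProfile(
        dictionary={
            "uid": ("subject.id", str.lower),
            "memberOf": ("subject.groups", frozenset),
            "target": ("resource.id", str),
            "op": ("action", str),
            "client_ip": ("network.source", str),
        },
    ),
}

# Canonical attributes every decision needs; anything missing is a deny.
REQUIRED = {"subject.id", "subject.groups", "resource.id", "action", "network.source"}


class TranslationError(ValueError):
    """Raised when a framework value cannot be converted to its canonical form."""


def to_canonical(framework: str, attrs: dict[str, Any]) -> dict[str, Any]:
    """Mediator step: translate framework-specific attributes to the canonical set.
    Attributes absent from the dictionary are dropped (policy never sees them);
    a value that fails conversion aborts the translation rather than passing through."""
    profile = PROFILES[framework]
    canonical = dict(profile.defaults)
    for name, value in attrs.items():
        mapping = profile.dictionary.get(name)
        if mapping is None:
            continue
        canon_name, convert = mapping
        try:
            canonical[canon_name] = convert(value)
        except Exception as exc:
            raise TranslationError(f"{framework}:{name}: {exc!r}") from exc
    return canonical


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str  # "permit" or "deny"
    when: Callable[[dict[str, Any]], bool]


# Policy written once, in canonical vocabulary, evaluated first-match, default deny.
POLICY = [
    Rule("block-guest-network-to-admin", "deny",
         lambda a: a["network.source"].startswith("10.99.")
         and a["resource.id"].startswith("admin")),
    Rule("admins-any", "permit", lambda a: "netadmin" in a["subject.groups"]),
    Rule("staff-read", "permit",
         lambda a: "staff" in a["subject.groups"] and a["action"] in {"connect", "read"}),
]


def decide(framework: str, attrs: dict[str, Any]) -> tuple[str, str]:
    """PDP entry point: translate, check completeness, evaluate rules. Fails closed."""
    try:
        canon = to_canonical(framework, attrs)
    except TranslationError as exc:
        return "deny", f"translation-failed: {exc}"
    missing = REQUIRED - canon.keys()
    if missing:
        return "deny", "missing-attributes: " + ",".join(sorted(missing))
    for rule in POLICY:
        if rule.when(canon):
            return rule.effect, rule.name
    return "deny", "default"


# Constructed sample requests, one per framework representation.
REQUEST_A = ("fw-aaa", {"User-Name": "Alice", "Group-List": "staff;netadmin",
                        "NAS-Port-Id": "admin-switch-1", "Calling-Station-Id": "10.1.2.3",
                        "Vendor-Note": "not in the dictionary, dropped"})
REQUEST_B = ("fw-backend", {"uid": "bob", "memberOf": ["staff"], "target": "wiki",
                            "op": "read", "client_ip": "10.5.0.7"})
REQUEST_C = ("fw-backend", {"uid": "bob", "memberOf": ["staff"], "target": "admin-console",
                            "op": "read", "client_ip": "10.99.0.7"})

if __name__ == "__main__":
    for req in (REQUEST_A, REQUEST_B, REQUEST_C):
        print(req[0], decide(*req))
```

The design choices worth noting: unknown framework attributes never reach the rules, a conversion failure or a missing required attribute is a deny rather than a pass-through, and because the rules reference only canonical names, a new protocol terminator needs a new dictionary entry, not a new copy of the policy.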