Systems and methods for centralized management of policies and access controls

US 8,732,800 B1
Filed: 03/26/2008
Issued: 05/20/2014
Est. Priority Date: 03/26/2007
Status: Active Grant

First Claim

Patent Images

1. A method of centralized policy control comprising:

reading information, by a processor, from a database including a plurality of directives, the plurality of directives including criteria, wherein the plurality of directives include conflicting directives;

selecting, by the processor, at least one resource based on the criteria, wherein the at least one resource is identified by the criteria, wherein the plurality of directives includes a list of principals who can access the at least one resource;

resolving, by the processor, the plurality of directives that are conflicting directives by applying a function to obtain at least one action that is free of conflicts, wherein the function applies set arithmetic including at least one of intersect function, union function, and subtraction function, wherein the at least one action that is free of conflicts includes access controls that are free of conflicts; and

performing, in accordance with the plurality of directives, the at least one action by the processor on the at least one resource or on a metadata associated with the at least one resource,wherein performing, in accordance with the plurality of directives, the at least one action comprises applying the access controls that are free of conflicts to the metadata associated with the at least one resource, the metadata having access controls that are free of conflicts applied thereon blocking anyone other than the principals on the list from accessing the at least one resource.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for centralized management of policies and access controls which provide for the storing and managing of business rules and elements of policy, and for implementing the rules and policy across heterogeneous business systems. Where rules and policies may conflict in certain cases, mechanisms for reconciling such conflicts may be provided.

26 Citations

View as Search Results

89 Claims

1. A method of centralized policy control comprising:
- reading information, by a processor, from a database including a plurality of directives, the plurality of directives including criteria, wherein the plurality of directives include conflicting directives;
  
  selecting, by the processor, at least one resource based on the criteria, wherein the at least one resource is identified by the criteria, wherein the plurality of directives includes a list of principals who can access the at least one resource;
  
  resolving, by the processor, the plurality of directives that are conflicting directives by applying a function to obtain at least one action that is free of conflicts, wherein the function applies set arithmetic including at least one of intersect function, union function, and subtraction function, wherein the at least one action that is free of conflicts includes access controls that are free of conflicts; and
  
  performing, in accordance with the plurality of directives, the at least one action by the processor on the at least one resource or on a metadata associated with the at least one resource,wherein performing, in accordance with the plurality of directives, the at least one action comprises applying the access controls that are free of conflicts to the metadata associated with the at least one resource, the metadata having access controls that are free of conflicts applied thereon blocking anyone other than the principals on the list from accessing the at least one resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 2. The method of claim 1, wherein the at least one action is performed upon or within an application.
  - 3. The method of claim 1, wherein the at least one action performed on the at least one resource is one of:
    - creation, deletion, destruction, relocation and change.
  - 4. The method of claim 1 wherein the at least one action performed on the metadata of the at least one resource is one of:
    - creation, deletion and change.
  - 5. The method of claim 1, further comprising:
    - providing a notification to a person of the at least one action being performed.
  - 6. The method of claim 1, further comprising:
    - providing a notification that signals a violation of one of the plurality of directives has occurred.
  - 7. The method of claim 1, further comprising:
    - providing a notification to an application to invoke a process or procedure.
  - 8. The method of claim 1, wherein the at least one action being to record a log entry.
  - 9. The method of claim 1, further comprising:
    - performing at least one action based on the metadata of the at least one resource, on a plurality of resources associated with the at least one resource.
  - 10. The method of claim 1, further comprising scheduling at least one subsequent action to occur at a future date.
  - 11. The method of claim 10, wherein the at least one subsequent action performed includes at least one of:
    - creating, deleting, destroying, disposing, relocating and changing the at least one resource.
  - 12. The method of claim 1, further comprising:
    - selecting a subset of the plurality of directives.
  - 13. The method of claim 12, further comprising:
    - selecting a subset of the plurality of directives based on at least one of;
      
      current date and current time.
  - 14. The method of claim 12, further comprising:
    - selecting a subset of the plurality of directives based on a current state of the metadata of the at least one resource.
  - 15. The method of claim 1, wherein the at least one action performed is a minimal set of access control actions, wherein performing the minimal set changes an access control setting of each of the at least one resources to be less restrictive than that specified by the plurality of directives, the minimal set being one or more access control actions.
  - 16. The method of claim 1, wherein the access control action permits or restricts the ability to change or delete the at least one resource or the metadata associated with the at least one resource.
  - 17. The method of claim 1, wherein the method is initiated on a periodic basis.
  - 18. The method of claim 1, wherein the method is initiated when a change is made to the database.
  - 19. The method of claim 1, wherein the method is initiated when the at least one resource or the metadata associated with the at least one resource is added, removed or changed.
  - 20. The method of claim 1, further comprising:
    - providing a first notification that signals a violation of one of the plurality of directives has occurred, orproviding a second notification to an application to invoke a process or procedure.
  - 21. The method of claim 1, whereinperforming, in accordance with the plurality of directives, the at least one action comprises removing or inactivating documents containing confidential information.
  - 22. The method of claim 21, further comprising:
    - providing a first notification that signals a violation of one of the plurality of directives has occurred, orproviding a second notification to an application to invoke a process or procedure.
  - 23. The method of claim 1, further comprising:
    - the plurality of directives includes retention directives for the at least one resource, wherein retention directives include a time for destruction of the at least one resource, andperforming, in accordance with the plurality of directives, the at least one action comprises deleting the at least one resource at the time for destruction.
  - 24. The method of claim 1, further comprising:
    - providing a notification that signals that a destruction of the at least one resource is required and the notification to arrange for the destruction of the at least one resource,wherein the plurality of directives includes retention directives for the at least one resource, wherein retention directives include a time for destruction of the at least one resource.
  - 25. The method of claim 1, wherein performing the at least one action is in accordance with the plurality of directives and a defined behavior.
  - 26. The method of claim 1, wherein, if the at least one action includes conflicting actions, the conflicting actions are resolved based on priorities associated the plurality of directives.
  - 27. The method of claim 1, wherein the metadata associated with the at least one resource comprises a record of activity for the at least one resource.
  - 28. The method of claim 1, wherein the metadata associated with the at least one resource comprises an aggregate of metadata from a plurality of systems, said systems include heterogeneous systems, homogeneous systems or a mixture of both heterogeneous systems and homogeneous systems.
  - 29. The method of claim 1, wherein the criteria includes a plurality of conditions upon one or more items of metadata.
  - 30. The method of claim 1, wherein the criteria includes a statistical operation upon one or more items of metadata.

31. A method of centralized policy control comprising:
- reading information, by a processor, from a database including a plurality of directives, the plurality of directives including criteria, wherein the plurality of directives include conflicting directives;
  
  selecting, by the processor, at least one resource based on the criteria, wherein the at least one resource is identified by the criteria, wherein the plurality of directives includes a list of principals who cannot access the at least one resource;
  
  resolving, by the processor, the plurality of directives that are conflicting directives by applying a function to obtain at least one action that is free of conflicts, wherein the function applies set arithmetic including at least one of intersect function, union function, and subtraction function, wherein the at least one action that is free of conflicts includes access controls that are free of conflicts; and
  
  performing, in accordance with the plurality of directives, at least one action by the processor on the at least one resource or on a metadata associated with the at least one resource, wherein performing, in accordance with the plurality of directives, the at least one action comprises applying the access controls that are free of conflicts to the metadata associated with the at least one resource, the metadata having access controls that are free of conflicts applied thereon blocking principals on the list of principals from accessing the at least one resource.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60)
- - 32. The method of claim 31, wherein the at least one action is performed upon or within an application.
  - 33. The method of claim 31, wherein the at least one action performed on the at least one resource is one of:
    - creation, deletion, destruction, relocation and change.
  - 34. The method of claim 31, wherein the at least one action performed on the metadata of the at least one resource is one of:
    - creation, deletion and change.
  - 35. The method of claim 31, further comprising providing a notification to a person of the at least one action being performed.
  - 36. The method of claim 31, further comprising providing a notification that signals a violation of one of the plurality of directives has occurred.
  - 37. The method of claim 31, further comprising providing a notification to an application to invoke a process or procedure.
  - 38. The method of claim 31, wherein the at least one action being to record a log entry.
  - 39. The method of claim 31, further comprising providing at least one action based on the metadata of the at least one resource, on a plurality of resources associated with the at least one resource.
  - 40. The method of claim 31, further comprising scheduling at least one subsequent action to occur at a future date.
  - 41. The method of claim 40, wherein the at least one subsequent action performed includes at least one of:
    - creating, deleting, destroying, disposing, relocating and changing the at least one resource.
  - 42. The method of claim 31, further comprising selecting a subset of the plurality of directives.
  - 43. The method of claim 31, further comprising selecting a subset of the plurality of directives based on at least one of:
    - a current date and a current time.
  - 44. The method of claim 31, further comprising selecting a subset of the plurality of directives based on a current state of the metadata of the at least one resource.
  - 45. The method of claim 31, wherein the at least one action performed is a minimal set of access control actions, wherein performing the minimal set changes an access control setting of each of the at least one resources to be less restrictive than that specified by the plurality of directives, the minimal set being one or more access control actions.
  - 46. The method of claim 31, wherein the access control action permits or restricts the ability to change or delete the at least one resource or the metadata associated with the at least one resource.
  - 47. The method of claim 31, further comprising initiating the method on a periodic basis.
  - 48. The method of claim 31, further comprising initiating the method when a change is made to the database.
  - 49. The method of claim 31, further comprising initiating the method when the at least one resource or the metadata associated with the at least one resource is added, removed or changed.
  - 50. The method of claim 31, further comprisingproviding a first notification that signals a violation of one of the plurality of directives has occurred, orproviding a second notification to an application to invoke a process or procedure.
  - 51. The method of claim 31, whereinperforming, in accordance with the plurality of directives, the at least one action comprises removing or inactivating documents containing confidential information.
  - 52. The method of claim 51, further comprisingproviding a first notification that signals a violation of one of the plurality of directives has occurred, orproviding a second notification to an application to invoke a process or procedure.
  - 53. The method of claim 31, whereinthe plurality of directives includes retention directives for the at least one resource, wherein retention directives include a time for destruction of the at least one resource, andwherein performing, in accordance with the plurality of directives, the at least one action comprises deleting the at least one resource at the time for destruction.
  - 54. The method of claim 31, further comprisingproviding a notification that signals that a destruction of the at least one resource is required and the notification to arrange for the destruction of the at least one resource,wherein the plurality of directives includes retention directives for the at least one resource, wherein retention directives include a time for destruction of the at least one resource.
  - 55. The method of claim 31, further comprising performing the at least one action is in accordance with the plurality of directives and a defined behavior.
  - 56. The method of claim 31, wherein, if the at least one action includes conflicting actions, the conflicting actions are resolved based on priorities associated the plurality of directives.
  - 57. The method of claim 31, wherein the metadata associated with the at least one resource comprises a record of activity for the at least one resource.
  - 58. The method of claim 31, wherein the metadata associated with the at least one resource comprises an aggregate of metadata from a plurality of systems, said systems include heterogeneous systems, homogeneous systems or a mixture of both heterogeneous systems and homogeneous systems.
  - 59. The method of claim 31, wherein the criteria includes a plurality of conditions upon one or more items of metadata.
  - 60. The method of claim 31, wherein the criteria includes a statistical operation upon one or more items of metadata.

61. A non-transitory computer-readable storage medium having instructions stored thereon, which when executed by a computer, causes the computer to perform operations comprising:
- reading information from a database including a plurality of directives, the plurality of directives including criteria, wherein the plurality of directives include conflicting directives;
  
  selecting at least one resource based on the criteria, wherein the at least one resource is identified by the criteria, wherein the plurality of directives includes a list of principals who can access the at least one resource;
  
  resolving the plurality of directives that are conflicting directives by applying a function to obtain at least one action that is free of conflicts, wherein the function applies set arithmetic including at least one of intersect function, union function, and subtraction function, wherein the at least one action that is free of conflicts includes access controls that are free of conflicts; and
  
  performing, in accordance with the plurality of directives, at least one action on the at least one resource or on a metadata associated with the at least one resource,wherein performing, in accordance with the plurality of directives, the at least one action comprises applying the access controls that are free of conflicts to the metadata associated with the at least one resource, the metadata having access controls that are free of conflicts applied thereon blocking anyone other than the principals on the list from accessing the at least one resource.
- View Dependent Claims (62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89)
- - 62. The non-transitory computer-readable storage medium of claim 61, wherein the at least one action is performed upon or within an application.
  - 63. The non-transitory computer-readable storage medium of claim 61, wherein the at least one action performed on the at least one resource is one of:
    - creation, deletion, destruction, relocation and change.
  - 64. The non-transitory computer-readable storage medium of claim 61 wherein the at least one action performed on the metadata of the at least one resource is one of:
    - creation, deletion and change.
  - 65. The non-transitory computer-readable storage medium of claim 61, the computer to perform operations further comprising:
    - providing a notification to a person of the at least one action being performed.
  - 66. The non-transitory computer-readable storage medium of claim 61, the computer to perform operations further comprising:
    - providing a notification that signals a violation of one of the plurality of directives has occurred.
  - 67. The non-transitory computer-readable storage medium of claim 61, the computer to perform operations further comprising:
    - providing a notification to an application to invoke a process or procedure.
  - 68. The non-transitory computer-readable storage medium of claim 61, wherein the at least one action being to record a log entry.
  - 69. The non-transitory computer-readable storage medium of claim 61, the computer to perform operations further comprising:
    - performing at least one action based on the metadata of the at least one resource, on a plurality of resources associated with the at least one resource.
  - 70. The non-transitory computer-readable storage medium of claim 61, the computer to perform operations further comprising:
    - scheduling at least one subsequent action to occur at a future date.
  - 71. The non-transitory computer-readable storage medium of claim 70, wherein the at least one subsequent action performed includes at least one of:
    - creating, deleting, destroying, disposing, relocating and changing the at least one resource.
  - 72. The non-transitory computer-readable storage medium of claim 61, the computer to perform operations further comprising:
    - selecting a subset of the plurality of directives.
  - 73. The non-transitory computer-readable storage medium of claim 72, the computer to perform operations further comprising:
    - selecting a subset of the plurality of directives based on at least one of;
      
      a current date and a current time.
  - 74. The non-transitory computer-readable storage medium of claim 73, the computer to perform operations further comprising:
    - selecting a subset of the plurality of directives based on a current state of the metadata of the at least one resource.
  - 75. The non-transitory computer-readable storage medium of claim 61, wherein the at least one action performed is a minimal set of access control actions, wherein performing the minimal set changes an access control setting of each of the at least one resources to be less restrictive than that specified by the plurality of directives, the minimal set being one or more access control actions.
  - 76. The non-transitory computer-readable storage medium of claim 61, wherein the access control action permits or restricts the ability to change or delete the at least one resource or the metadata associated with the at least one resource.
  - 77. The non-transitory computer-readable storage medium of claim 61, further comprising:
    - providing a first notification that signals a violation of one of the plurality of directives has occurred, orproviding a second notification to an application to invoke a process or procedure.
  - 78. The non-transitory computer-readable storage medium of claim 61, whereinperforming, in accordance with the plurality of directives, the at least one action comprises removing or inactivating documents containing confidential information.
  - 79. The non-transitory computer-readable storage medium of claim 78, the computer to perform operations further comprising:
    - providing a first notification that signals a violation of one of the plurality of directives has occurred, orproviding a second notification to an application to invoke a process or procedure.
  - 80. The non-transitory computer-readable storage medium of claim 61, further comprising:
    - the plurality of directives includes retention directives for the at least one resource, wherein retention directives include a time for destruction of the at least one resource, andperforming, in accordance with the plurality of directives, the at least one action comprises deleting the at least one resource at the time for destruction.
  - 81. The non-transitory computer-readable storage medium of claim 61, further comprising:
    - providing a notification that signals that a destruction of the at least one resource is required and the notification to arrange for the destruction of the at least one resource,wherein the plurality of directives includes retention directives for the at least one resource, wherein retention directives include a time for destruction of the at least one resource.
  - 82. The non-transitory computer-readable storage medium of claim 61, wherein performing the at least one action is in accordance with the plurality of directives and a defined behavior.
  - 83. The non-transitory computer-readable storage medium of claim 61, wherein, if the at least one action includes conflicting actions, the conflicting actions are resolved based on priorities associated the plurality of directives.
  - 84. The non-transitory computer-readable storage medium of claim 61, wherein the metadata associated with the at least one resource comprises a record of activity for the at least one resource.
  - 85. The non-transitory computer-readable storage medium of claim 61, wherein the metadata associated with the at least one resource comprises an aggregate of metadata from a plurality of systems, said systems include heterogeneous systems, homogeneous systems or a mixture of both heterogeneous systems and homogeneous systems.
  - 86. The non-transitory computer-readable storage medium of claim 61, wherein the criteria includes a plurality of conditions upon one or more items of metadata.
  - 87. The non-transitory computer-readable storage medium of claim 61, wherein the criteria includes a statistical operation upon one or more items of metadata.
  - 88. The non-transitory computer-readable storage medium of claim 61, wherein the computer is caused to perform the operations on a periodic basis.
  - 89. The non-transitory computer-readable storage medium of claim 61, wherein the computer is caused to perform the operations when a change is made to the database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Jerry Askew
Original Assignee
Jerry Askew
Inventors
Askew, Jerry
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US12/056,168
Time in Patent Office

2,246 Days
Field of Search

726/4
US Class Current

726/4
CPC Class Codes

G06F 21/604 Tools and structures for ma...

G06Q 10/10 Office automation; Time man...

Systems and methods for centralized management of policies and access controls

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

89 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for centralized management of policies and access controls

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

89 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others