Deploying policies and allowing off-line policy evaluations

US 8,875,218 B2
Filed: 12/22/2006
Issued: 10/28/2014
Est. Priority Date: 12/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method of operating an information management system comprising:

providing a server having access to a policy database storing a first set of policies;

providing a device, separate from the server, comprising a decision engine, implemented using executable code, to manage information accessible via the device according to the first set of policies stored on the device;

providing a first abstraction, referenced by at least one policy of the first set of policies;

storing the first abstraction at the device, wherein the first abstraction includes a definition statement used by the device when evaluating the at least one policy of the first set of policies;

in the policy database, storing a second set of policies;

connecting of the device to a network with the server having access to the policy database;

via the server, sending the device the second set of policies to replace the first set of policies stored at the device;

after receiving the second set of policies at the device, replacing the first set of policies stored at the device with the received second set of policies; and

using the decision engine to manage information accessible via the device according to the second set of policies, whether the device is connected or disconnected from the network, comprising;

allowing access to a first document by a first policy of the second set of policies, wherein the first policy references the first abstraction stored at the device; and

when access to the first document is granted according to the first policy, determining whether an action operation is allowable according to a second policy of the second set of policies.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an information management system, policies are deployed to targets and targets can evaluate the policies whether they are connected or disconnected to the system. The policies may be transferred to the target, which may be a device or user. Relevant policies may be transferred while not relevant policies are not. The policies may have policy abstractions.

73 Citations

View as Search Results

54 Claims

1. A method of operating an information management system comprising:
- providing a server having access to a policy database storing a first set of policies;
  
  providing a device, separate from the server, comprising a decision engine, implemented using executable code, to manage information accessible via the device according to the first set of policies stored on the device;
  
  providing a first abstraction, referenced by at least one policy of the first set of policies;
  
  storing the first abstraction at the device, wherein the first abstraction includes a definition statement used by the device when evaluating the at least one policy of the first set of policies;
  
  in the policy database, storing a second set of policies;
  
  connecting of the device to a network with the server having access to the policy database;
  
  via the server, sending the device the second set of policies to replace the first set of policies stored at the device;
  
  after receiving the second set of policies at the device, replacing the first set of policies stored at the device with the received second set of policies; and
  
  using the decision engine to manage information accessible via the device according to the second set of policies, whether the device is connected or disconnected from the network, comprising;
  
  allowing access to a first document by a first policy of the second set of policies, wherein the first policy references the first abstraction stored at the device; and
  
  when access to the first document is granted according to the first policy, determining whether an action operation is allowable according to a second policy of the second set of policies.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 8. The method of claim 1, 2, or 5 wherein the second set of policies comprises at least one of binary data, configuration setting, look-up table, tables, or text.
  - 9. The method of claim 1, 2, or 5 wherein the policies in the policy database are stored in a first format and sent to the device using a second format.
  - 10. The method of claim 1, 2, or 5 wherein the policies in the policy database are stored in a first format and sent to the device using a second format, wherein the second format is based on a characteristic of the decision engine of the device.
  - 11. The method of claim 1, 2, or 5 wherein the policies in the policy database are stored in a first format and sent to the device using a second format, wherein the second format is based on the device type.
  - 12. The method of claim 1, 2, or 5 wherein the via the server, sending the device comprises:
    - optimizing the policies by replacing common subexpressions with a variable.
  - 13. The method of claim 1, 2, or 5 wherein the via the server, sending the device comprises:
    - optimizing the policies by reordering a first expression to obtain a second expression, wherein the second expression is functionally equivalent to the first expression.
  - 14. The method of claim 13 wherein the reordering comprises logically reducing the first expression.
  - 15. The method of claim 13 wherein the reordering comprises logically expanding the first expression.
  - 16. The method of claim 1, 2, or 5 wherein the via the server, sending the device comprises:
    - optimizing the policies by evaluating a less time-consuming comparison operation before a more time-consuming comparison operation.
  - 17. The method of claim 1, 2, or 5 wherein the first set of policies comprises policy abstractions.
  - 33. The method of claim 1 wherein the replacing the first set of policies stored at the device with the received second set of policies comprises deleting the first set of policies from the device.
  - 34. The method of claim 1 comprising:
    - after the replacing the first set of policies stored at the device with the received second set of policies, at the device, enforcing a policy of the received second set of policies, wherein during the enforcing a policy the device is disconnected from the network.
  - 35. The method of claim 1 wherein the first and second policies are different policies.
  - 36. The method of claim 1 wherein the first and second policies are the same policy.
  - 37. The method of claim 1 wherein the action operation on the first document is a cut-and-paste operation of information from the first document.
  - 38. The method of claim 1 wherein the first policy comprises an abstraction component stored separately from the first policy.
  - 39. The method of claim 38 wherein the abstraction component of the first policy includes a first plurality of users.
  - 40. The method of claim 39 wherein a modified abstraction component of the first policy comprises removing a user of the first plurality of users.
  - 41. The method of claim 39 wherein a modified abstraction component of the first policy comprises adding a user to the first plurality of users.
  - 42. The method of claim 38 wherein the abstraction component of the first policy includes a resource location.
  - 43. The method of claim 1 wherein the action operation relates to the first document.
  - 44. The method of claim 1 wherein the sending the device the second set of policies to replace the first set of policies stored at the device does not include sending the device an updated first abstraction.
  - 45. The method of claim 1 further comprising:
    - at a first time, evaluating the at least one policy of the first set of policies referencing the first abstraction by retrieving the definition statement of the first abstraction stored at the device; and
      
      at a second time after the first time and after the sending the device the second set of policies, evaluating the first policy of the second set of policies referencing the first abstraction by retrieving the definition statement of the first abstraction stored at the device.
  - 46. The method of claim 1 wherein the storing the first abstraction at the device occurs before the using the decision engine to manage information accessible via the device according to the second set of policies.
  - 47. The method of claim 1 wherein the second policy references the first abstraction.
  - 48. The method of claim 1 wherein the second policy references a second abstraction.
  - 49. The method of claim 1 wherein the first abstraction evaluates to a constant and, when evaluating the first policy, the first abstraction is replaced by the constant.
  - 50. The method of claim 49 wherein the constant is a Boolean true.
  - 51. The method of claim 1 wherein the first abstraction evaluates to a constant and, when evaluating the first policy, the first abstraction is removed from the first policy.

2. A method of operating an information management system comprising:
- providing a device comprising a decision engine, embodied using machine executable code, to manage information accessible via the device according to a first set of policies stored on the device;
  
  controlling access to information at the device according to at least one policy of the first set of policies, wherein the at least one policy references a first abstraction stored at the device;
  
  connecting of the device to a network with a server having access to a policy database;
  
  via the server, sending the device a second set of policies; and
  
  after receiving the second set of policies at the device, using the decision engine to manage information accessible via the device according to a combination of the first and second set of policies comprising;
  
  after evaluating a first policy at the device opening a first document, wherein the first policy references the first abstraction stored at the device; and
  
  determining whether a document editing operation is allowable,wherein each policy comprises a conditional statement having a policy abstraction and a corresponding action that will be performed when the conditional statement is satisfied, and each policy abstraction has a corresponding definition statement stored separately from the policy.
- View Dependent Claims (3)
- - 3. The method of claim 2 wherein at least one of the policies in the first set of policies is replaced by at least one policy in the second set of policies.

4. A method of operating an information management system comprising:
- providing a device comprising a decision engine, comprising code executable by the device, to manage information accessible via the device according to a first set of policies stored on the device, wherein the managed information comprises at least one policy of the first set of policies that references a first abstraction;
  
  storing the first abstraction at the device;
  
  connecting of the device to a network with a server having access to a policy database;
  
  via the server, sending the device a second set of policies;
  
  after receiving the second set of policies at the device, using the decision engine to control application operation on the device according to a combination of the first and second set of policies, whether the device is connected or disconnected from the network, wherein the second set of policy comprises at least one policy of the second set of policies that reference the first abstraction;
  
  via the server, sending the device a third set of policies;
  
  after receiving the third set of policies at the device, replacing the second set of policies with the third set of policies; and
  
  using the decision engine to control application operation on the device according to a combination of the first and third set of policies, whether the device is connected or disconnected from the network comprising;
  
  allowing access to a first document by a first policy at the device, wherein evaluating the first policy includes the first abstraction; and
  
  after access to the first document is granted, determining whether to allow editing the first document according to a second policy.

5. A method of operating an information management system comprising:
- providing a device comprising a decision engine, in computer code, to manage information accessible via the device according to a first set of policies stored on the device;
  
  connecting of the device to a network with a server having access to a policy database;
  
  via the server, sending the device a set of policy alterations;
  
  on the device, altering the first set of policies stored on the device based on the set of policy alterations to obtain a second set of policies, wherein the first set of policies and the second set of policies include at least one policy referencing a first abstraction, stored at the device;
  
  after altering the first set of policies, using the decision engine to manage information accessible via the device according to the second set of policies, whether the device is connected or disconnected from the network;
  
  via the server, sending the device a third set of policies; and
  
  after receiving the third set of policies at the device, using the decision engine to control application operation on the device according to a combination of the second and third set of policies, whether the device is connected or disconnected from the network comprising;
  
  allowing access to a first document by a first policy, referencing the first abstraction, at the device; and
  
  when access to the first document is granted according to the first policy, determining whether an action operation is allowable.
- View Dependent Claims (6)
- - 6. The method of claim 5 comprising:
    - at the device, permitting access to a document based on a policy of the second set of policies, the policy being an altered policy of the first set of policies; and
      
      at the device, restricting access to the altered policy stored at the device.

7. A method of operating an information management system comprising:
- providing a device comprising a decision engine, implemented using executable code, to control application operation on the device according to a first set of policies stored on the device, wherein each policy comprises a code component comprising a conditional expression having a policy abstraction and a corresponding action that will be performed when the conditional expression is satisfied, at least two policies of the first set of policies reference a first abstraction, and each policy abstraction has a corresponding definition statement stored separately from the policy;
  
  connecting of the device to a network with a server having access to a policy database;
  
  via the server, sending the device a set of policy alterations;
  
  on the device, altering the first set of policies stored on the device based on the set of policy alterations to obtain a second set of policies, wherein the altering comprises replacing a first conditional expression in the first set of policies with a second conditional expression but not the definitions of abstractions referenced by the first set of policies; and
  
  after altering the first set of policies, using the decision engine to control application operation on the device according to the second set of policies comprising;
  
  allowing access to a first document by a first policy at the device, wherein the first policy comprises the second expression and a third expression and evaluating the first policy comprises;
  
  retrieving a definition of the first abstraction, stored at the device;
  
  evaluating the second expression, referencing the first abstraction, to produce a first result, wherein the definition of the first abstraction is used to determine a Boolean true or a Boolean false;
  
  evaluating the third expression to produce a second result; and
  
  based on the first and second results, determine whether to grant access to the first document; and
  
  when access to the first document is granted according to the first policy, determining whether an action operation is allowable.

18. A method of managing information of a network comprising:
- providing a plurality of rules, wherein a rule comprises a code component comprising a conditional expression having a policy abstraction and a corresponding action that will be performed when the conditional expression is satisfied, and each policy abstraction has a corresponding definition statement stored separately from the policy;
  
  providing a device having a target profile;
  
  determining a subset of the plurality of rules relevant to the target profile, wherein the target profile indicates applications available on the device;
  
  transferring the subset of rules to the device having the target profile;
  
  causing storing in a memory of the first device a first conditional statement having a first abstraction and a first action of a first policy; and
  
  controlling access to the information based on the subset of rules comprising evaluating the first conditional statement which results in allowing performing of the first action at the first specific target comprising;
  
  allowing access to a first document by a first policy at the device comprising;
  
  retrieving the first abstraction referenced by the first policy;
  
  evaluating the first conditional statement including the first abstraction;
  
  evaluating a second conditional statement of the first policy; and
  
  determining whether to grant access to the first document according to the first policy comprises the evaluated first conditional statement and the evaluated second conditional statement; and
  
  when access to the first document is granted according to the first policy, determining whether an action operation is allowable.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The method of claim 18 wherein the access comprises opening a file.
  - 20. The method of claim 18 wherein the access comprises editing a formula in a cell of a spreadsheet.
  - 21. The method of claim 18 wherein the determining a subset of the plurality of rules relevant to the target profile, wherein the target profile indicates applications available on the device is replaced by determining a subset of the plurality of rules relevant to the target profile, wherein the target profile indicates a device type.
  - 22. The method of claim 18 wherein the determining a subset of the plurality of rules relevant to the target profile, wherein the target profile indicates applications available on the device is replaced bydetermining a subset of the plurality of rules relevant to the target profile, wherein the target profile indicates a user name.

23. A method of managing information of a network comprising:
- providing a plurality of policies on a server, wherein each policy comprises a code component comprising a conditional expression having a policy abstraction and a corresponding action that will be performed when the conditional expression is satisfied, and each policy abstraction has a corresponding definition statement stored separately from the policy and the plurality of policies comprises;
  
  a first policy referencing a first policy abstraction defined separately from the first policy and a second policy referencing the first policy abstraction defined separately from the second policy;
  
  selecting a subset of policies of the server to transfer to a device based on attributes associated with the device;
  
  transferring the subset of policies to the device;
  
  storing the policies at the device;
  
  controlling access of information by the device using the subset of policies comprising;
  
  allowing access to a first document by a first policy at the device; and
  
  when access to the first document is granted according to the first policy, determining whether an action operation is allowable; and
  
  prohibiting editing of the subset of the policies stored at the device by a user of the device.
- View Dependent Claims (24, 25, 26)
- - 24. The method of claim 23 wherein the attributes comprise at least one of applications available on the device, a user logged onto the device, a type of device, or a bandwidth of a connection of the device to the network.
  - 25. The method of claim 23 wherein the selecting the subset of policies of the server to transfer to the device based on attributes associated with the device further comprises:
    - providing a profile of the device; and
      
      determining the subset of the one or more policies of the server relevant to the profile of the device, wherein a policy is relevant to the profile when the device is capable of supporting a syntax format of the policy.
  - 26. The method of claim 25 further comprising:
    - determining a second policy of the subset of polices of the server is in a first syntax format not supported by the device;
      
      converting the second policy into a second syntax format to produce a translated second policy, wherein the device supports the second syntax format but not the first syntax format; and
      
      transferring the translated second policy to the device, without transferring the second policy.

27. A method comprising:
- providing a first policy having an expression where an evaluation of the expression requires information provided by a first device of a network, wherein the first policy references a first abstraction;
  
  when a second device is connected to a network, deploying the first policy on the second device comprising;
  
  altering the first policy to obtain a second policy by removing a reference in the expression to the information provided by the first device of the network; and
  
  transferring the second policy to the second device; and
  
  enforcing the second policy on the second device, where enforcement of the second policy does not request information from the first device further comprising;
  
  allowing access to a first document by the second policy, including referencing the first abstraction stored at the first device but defined separately from the first and second policies, at the device; and
  
  when access to the first document is granted according to the second policy, determining whether an action operation is allowable.
- View Dependent Claims (28, 29, 30)
- - 28. The method of claim 27 where the enforcing of the second policy on the second device occurs when the second device is disconnected from the network.
  - 29. The method of claim 27 wherein enforcement of the second policy on the second device is functionally equivalent to enforcement of the first policy on the second device, when the second device is connected to the network.
  - 30. The method of claim 27 wherein enforcement of the second policy on the second device is functionally equivalent to enforcement of the first policy on the second device, when the second device has access to the information provided by the first device.

31. A method comprising:
- providing a first policy having an expression where an evaluation of the expression requires information provided by a first device of a network, wherein the first policy includes a reference to a first abstraction;
  
  when a user logs onto a second device, which is connected to a network, deploying the first policy on the second device comprising;
  
  altering the first policy to obtain a second policy by removing a reference in the expression to the information provided by the first device of the network; and
  
  transferring the second policy to the second device; and
  
  enforcing the second policy on the second device, where enforcement of the second policy does not request information from the first device further comprising;
  
  allowing access to a first document by the second policy at the device including retrieving the first abstraction defined separately from the first and second policies; and
  
  when access to the first document is granted according to the second policy, determining whether an action operation is allowable.
- View Dependent Claims (32)
- - 32. The method of claim 31 where the enforcing of the second policy on the second device occurs when the second device is disconnected from the network.

52. A method of operating an information management system comprising:
- providing a device comprising a decision engine, implemented using at least one code module, to control application operation on the device according to a first set of policies stored on the device;
  
  connecting of the device to a network with a server having access to a policy database;
  
  via the server, sending the device a second set of policies to replace the first set of policies stored at the device;
  
  before the sending the device the second set of policies to replace the first set of policies stored at the device, retrieving a first abstraction referenced by at least one policy of the first set of policies; and
  
  after receiving the second set of policies at the device, using the decision engine to control application operation on the device according to the second set of policies comprising;
  
  allowing access by a first application to a first document at the device, wherein a first policy of the second set of policies is evaluated to determine whether to allow access by the first application and the first policy references the retrieved first abstraction; and
  
  when access by the first application to the first document is granted according to the first policy, determining whether a document operation is allowable.
- View Dependent Claims (53, 54)
- - 53. The method of claim 52 further comprising:
    - determining a low-level file operation to be executed if the access by the first application to the first document is allowed;
      
      if evaluating the first policy to determine whether to allow access by the first application to the first document results in a Boolean true, allowing the low-level file operation to execute; and
      
      if evaluating the first policy to determine whether to allow access by the first application to the first document results in a Boolean false, disallowing the low-level file operation from executing.
  - 54. The method of claim 53 wherein before retrieving the first abstraction referenced by at least one policy, determining the decision engine is executing on the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nextlabs
Original Assignee
Nextlabs
Inventors
Lim, Keng
Primary Examiner(s)
Powers, William S.
Assistant Examiner(s)
BAYOU, YONAS A

Application Number

US11/615,781
Publication Number

US 20070157288A1
Time in Patent Office

2,867 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 11/3438   monitoring of user actions ...

G06F 16/122   using management policies b...

G06F 16/13   File access structures, e.g...

G06F 16/176   Support for shared access t...

G06F 16/93   Document management systems

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 9/468   Specific access rights for ...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Deploying policies and allowing off-line policy evaluations

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

73 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Deploying policies and allowing off-line policy evaluations

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

73 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links