Deploying policies and allowing off-line policy evaluations
First Claim
Patent Images
1. A method of operating an information management system comprising:
- providing a server having access to a policy database storing a first set of policies;
providing a device, separate from the server, comprising a decision engine, implemented using executable code, to manage information accessible via the device according to the first set of policies stored on the device;
providing a first abstraction, referenced by at least one policy of the first set of policies;
storing the first abstraction at the device, wherein the first abstraction includes a definition statement used by the device when evaluating the at least one policy of the first set of policies;
in the policy database, storing a second set of policies;
connecting of the device to a network with the server having access to the policy database;
via the server, sending the device the second set of policies to replace the first set of policies stored at the device;
after receiving the second set of policies at the device, replacing the first set of policies stored at the device with the received second set of policies; and
using the decision engine to manage information accessible via the device according to the second set of policies, whether the device is connected or disconnected from the network, comprising;
allowing access to a first document by a first policy of the second set of policies, wherein the first policy references the first abstraction stored at the device; and
when access to the first document is granted according to the first policy, determining whether an action operation is allowable according to a second policy of the second set of policies.
3 Assignments
0 Petitions
Accused Products
Abstract
In an information management system, policies are deployed to targets and targets can evaluate the policies whether they are connected or disconnected to the system. The policies may be transferred to the target, which may be a device or user. Relevant policies may be transferred while not relevant policies are not. The policies may have policy abstractions.
73 Citations
54 Claims
-
1. A method of operating an information management system comprising:
-
providing a server having access to a policy database storing a first set of policies; providing a device, separate from the server, comprising a decision engine, implemented using executable code, to manage information accessible via the device according to the first set of policies stored on the device; providing a first abstraction, referenced by at least one policy of the first set of policies; storing the first abstraction at the device, wherein the first abstraction includes a definition statement used by the device when evaluating the at least one policy of the first set of policies; in the policy database, storing a second set of policies; connecting of the device to a network with the server having access to the policy database; via the server, sending the device the second set of policies to replace the first set of policies stored at the device; after receiving the second set of policies at the device, replacing the first set of policies stored at the device with the received second set of policies; and using the decision engine to manage information accessible via the device according to the second set of policies, whether the device is connected or disconnected from the network, comprising; allowing access to a first document by a first policy of the second set of policies, wherein the first policy references the first abstraction stored at the device; and when access to the first document is granted according to the first policy, determining whether an action operation is allowable according to a second policy of the second set of policies. - View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
-
-
2. A method of operating an information management system comprising:
-
providing a device comprising a decision engine, embodied using machine executable code, to manage information accessible via the device according to a first set of policies stored on the device; controlling access to information at the device according to at least one policy of the first set of policies, wherein the at least one policy references a first abstraction stored at the device; connecting of the device to a network with a server having access to a policy database; via the server, sending the device a second set of policies; and after receiving the second set of policies at the device, using the decision engine to manage information accessible via the device according to a combination of the first and second set of policies comprising; after evaluating a first policy at the device opening a first document, wherein the first policy references the first abstraction stored at the device; and determining whether a document editing operation is allowable, wherein each policy comprises a conditional statement having a policy abstraction and a corresponding action that will be performed when the conditional statement is satisfied, and each policy abstraction has a corresponding definition statement stored separately from the policy. - View Dependent Claims (3)
-
-
4. A method of operating an information management system comprising:
-
providing a device comprising a decision engine, comprising code executable by the device, to manage information accessible via the device according to a first set of policies stored on the device, wherein the managed information comprises at least one policy of the first set of policies that references a first abstraction; storing the first abstraction at the device; connecting of the device to a network with a server having access to a policy database; via the server, sending the device a second set of policies; after receiving the second set of policies at the device, using the decision engine to control application operation on the device according to a combination of the first and second set of policies, whether the device is connected or disconnected from the network, wherein the second set of policy comprises at least one policy of the second set of policies that reference the first abstraction; via the server, sending the device a third set of policies; after receiving the third set of policies at the device, replacing the second set of policies with the third set of policies; and using the decision engine to control application operation on the device according to a combination of the first and third set of policies, whether the device is connected or disconnected from the network comprising; allowing access to a first document by a first policy at the device, wherein evaluating the first policy includes the first abstraction; and after access to the first document is granted, determining whether to allow editing the first document according to a second policy.
-
-
5. A method of operating an information management system comprising:
-
providing a device comprising a decision engine, in computer code, to manage information accessible via the device according to a first set of policies stored on the device; connecting of the device to a network with a server having access to a policy database; via the server, sending the device a set of policy alterations; on the device, altering the first set of policies stored on the device based on the set of policy alterations to obtain a second set of policies, wherein the first set of policies and the second set of policies include at least one policy referencing a first abstraction, stored at the device; after altering the first set of policies, using the decision engine to manage information accessible via the device according to the second set of policies, whether the device is connected or disconnected from the network; via the server, sending the device a third set of policies; and after receiving the third set of policies at the device, using the decision engine to control application operation on the device according to a combination of the second and third set of policies, whether the device is connected or disconnected from the network comprising; allowing access to a first document by a first policy, referencing the first abstraction, at the device; and when access to the first document is granted according to the first policy, determining whether an action operation is allowable. - View Dependent Claims (6)
-
-
7. A method of operating an information management system comprising:
-
providing a device comprising a decision engine, implemented using executable code, to control application operation on the device according to a first set of policies stored on the device, wherein each policy comprises a code component comprising a conditional expression having a policy abstraction and a corresponding action that will be performed when the conditional expression is satisfied, at least two policies of the first set of policies reference a first abstraction, and each policy abstraction has a corresponding definition statement stored separately from the policy; connecting of the device to a network with a server having access to a policy database; via the server, sending the device a set of policy alterations; on the device, altering the first set of policies stored on the device based on the set of policy alterations to obtain a second set of policies, wherein the altering comprises replacing a first conditional expression in the first set of policies with a second conditional expression but not the definitions of abstractions referenced by the first set of policies; and after altering the first set of policies, using the decision engine to control application operation on the device according to the second set of policies comprising; allowing access to a first document by a first policy at the device, wherein the first policy comprises the second expression and a third expression and evaluating the first policy comprises; retrieving a definition of the first abstraction, stored at the device; evaluating the second expression, referencing the first abstraction, to produce a first result, wherein the definition of the first abstraction is used to determine a Boolean true or a Boolean false; evaluating the third expression to produce a second result; and based on the first and second results, determine whether to grant access to the first document; and when access to the first document is granted according to the first policy, determining whether an action operation is allowable.
-
-
18. A method of managing information of a network comprising:
-
providing a plurality of rules, wherein a rule comprises a code component comprising a conditional expression having a policy abstraction and a corresponding action that will be performed when the conditional expression is satisfied, and each policy abstraction has a corresponding definition statement stored separately from the policy; providing a device having a target profile; determining a subset of the plurality of rules relevant to the target profile, wherein the target profile indicates applications available on the device; transferring the subset of rules to the device having the target profile; causing storing in a memory of the first device a first conditional statement having a first abstraction and a first action of a first policy; and controlling access to the information based on the subset of rules comprising evaluating the first conditional statement which results in allowing performing of the first action at the first specific target comprising; allowing access to a first document by a first policy at the device comprising; retrieving the first abstraction referenced by the first policy; evaluating the first conditional statement including the first abstraction; evaluating a second conditional statement of the first policy; and determining whether to grant access to the first document according to the first policy comprises the evaluated first conditional statement and the evaluated second conditional statement; and when access to the first document is granted according to the first policy, determining whether an action operation is allowable. - View Dependent Claims (19, 20, 21, 22)
-
-
23. A method of managing information of a network comprising:
-
providing a plurality of policies on a server, wherein each policy comprises a code component comprising a conditional expression having a policy abstraction and a corresponding action that will be performed when the conditional expression is satisfied, and each policy abstraction has a corresponding definition statement stored separately from the policy and the plurality of policies comprises; a first policy referencing a first policy abstraction defined separately from the first policy and a second policy referencing the first policy abstraction defined separately from the second policy; selecting a subset of policies of the server to transfer to a device based on attributes associated with the device; transferring the subset of policies to the device; storing the policies at the device; controlling access of information by the device using the subset of policies comprising; allowing access to a first document by a first policy at the device; and when access to the first document is granted according to the first policy, determining whether an action operation is allowable; and prohibiting editing of the subset of the policies stored at the device by a user of the device. - View Dependent Claims (24, 25, 26)
-
-
27. A method comprising:
-
providing a first policy having an expression where an evaluation of the expression requires information provided by a first device of a network, wherein the first policy references a first abstraction; when a second device is connected to a network, deploying the first policy on the second device comprising; altering the first policy to obtain a second policy by removing a reference in the expression to the information provided by the first device of the network; and transferring the second policy to the second device; and enforcing the second policy on the second device, where enforcement of the second policy does not request information from the first device further comprising; allowing access to a first document by the second policy, including referencing the first abstraction stored at the first device but defined separately from the first and second policies, at the device; and when access to the first document is granted according to the second policy, determining whether an action operation is allowable. - View Dependent Claims (28, 29, 30)
-
-
31. A method comprising:
-
providing a first policy having an expression where an evaluation of the expression requires information provided by a first device of a network, wherein the first policy includes a reference to a first abstraction; when a user logs onto a second device, which is connected to a network, deploying the first policy on the second device comprising; altering the first policy to obtain a second policy by removing a reference in the expression to the information provided by the first device of the network; and transferring the second policy to the second device; and enforcing the second policy on the second device, where enforcement of the second policy does not request information from the first device further comprising; allowing access to a first document by the second policy at the device including retrieving the first abstraction defined separately from the first and second policies; and when access to the first document is granted according to the second policy, determining whether an action operation is allowable. - View Dependent Claims (32)
-
-
52. A method of operating an information management system comprising:
-
providing a device comprising a decision engine, implemented using at least one code module, to control application operation on the device according to a first set of policies stored on the device; connecting of the device to a network with a server having access to a policy database; via the server, sending the device a second set of policies to replace the first set of policies stored at the device; before the sending the device the second set of policies to replace the first set of policies stored at the device, retrieving a first abstraction referenced by at least one policy of the first set of policies; and after receiving the second set of policies at the device, using the decision engine to control application operation on the device according to the second set of policies comprising; allowing access by a first application to a first document at the device, wherein a first policy of the second set of policies is evaluated to determine whether to allow access by the first application and the first policy references the retrieved first abstraction; and when access by the first application to the first document is granted according to the first policy, determining whether a document operation is allowable. - View Dependent Claims (53, 54)
-
Specification