Method and apparatus for providing distributed policy management

US 8,893,215 B2
Filed: 10/29/2010
Issued: 11/18/2014
Est. Priority Date: 10/29/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

facilitating, by a processor, a creation and/or a modification of at least one device user interface element, at least one device user interface functionality, or a combination thereof, of a user device based, at least in part, on information, data, and/or a signal resulting from;

a local and/or remote determination of one or more domains of an information system, the one or more domains associated at least in part with respective subsets of one or more resources of the information system; and

in response to an input at the user device by a user other than administrators of the information system, a local and/or remote generation of one or more respective access policies local to the one or more domains, the one or more respective access policies configured to enable a determination, at least in part, of access to the respective subsets, the one or more resources, or a combination thereof,wherein the one or more respective access policies are generated locally and independently from one or more other access policies applicable to the one or more domains, and the one or more respective access policies are configured to operate independently of the one or more other access policies,wherein the one or more respective access policies, the one or more domains, or a combination thereof represent at least in part successive layers of access control with respect to the respective subsets, the one or more resources, or a combination thereof, andwherein the one or more respective access policies are different from the one or more other access policies for accessing the subset, while implemented via a different mechanism.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach is provided for distributed policy management and enforcement. A policy manager determines one or more domains of an information system. The one or more domains are associated at least in part with respective subsets of one or more resources of the information system. The policy manager also determines one or more respective access policies local to the one or more domains. The one or more respective access policies configured to enable a determination at least in part of access to the respective subsets, the one or more resources, or a combination thereof. At least one of the one or more respective access policies is configured to operate independently of other ones of the one or more respective schemas.

Citations

20 Claims

1. A method comprising:
- facilitating, by a processor, a creation and/or a modification of at least one device user interface element, at least one device user interface functionality, or a combination thereof, of a user device based, at least in part, on information, data, and/or a signal resulting from;
  
  a local and/or remote determination of one or more domains of an information system, the one or more domains associated at least in part with respective subsets of one or more resources of the information system; and
  
  in response to an input at the user device by a user other than administrators of the information system, a local and/or remote generation of one or more respective access policies local to the one or more domains, the one or more respective access policies configured to enable a determination, at least in part, of access to the respective subsets, the one or more resources, or a combination thereof,wherein the one or more respective access policies are generated locally and independently from one or more other access policies applicable to the one or more domains, and the one or more respective access policies are configured to operate independently of the one or more other access policies,wherein the one or more respective access policies, the one or more domains, or a combination thereof represent at least in part successive layers of access control with respect to the respective subsets, the one or more resources, or a combination thereof, andwherein the one or more respective access policies are different from the one or more other access policies for accessing the subset, while implemented via a different mechanism.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 17, 18, 19, 20)
- - 2. A method of claim 1,wherein one or more of boundaries are defined by the user, andthe one or more respective access policies are applicable at a boundary of the one or more domains and the one or more other access policies are applicable at another boundary greater than the one or more domains.
  - 3. A method of claim 1, wherein the information, the data, and/or the signal further results from:
    - a local and/or remote determination of one or more types of the one or more resources in the respective subsets,wherein the one or more respective access policies are based, at least in part, on the one or more types, andwherein the one or more domains are defined, in response to a user request, by specifying one or more criteria and then evaluating one or more candidate resources against the criteria for inclusion of the respective subsets of one or more resources of the information system into the one or more domains.
  - 4. A method of claim 1, wherein the information, the data, and/or the signal further results from:
    - a local and/or remote determination of one or more schemas, one or more attributes, one or more rules, source code, binary code, one or more implementation libraries with respect to determining access to the respective subsets, the one or more resources, or a combination thereof; and
      
      a local and/or remote determination to associate the one or more schemas, the one or more attributes, the one or more rules, the source code, the binary code, the one or more implementation libraries, or a combination thereof with the one or more respective access policies.
  - 5. A method of claim 4, wherein the one or more schemas, the one or more attributes, the one or more rules, the source code, the binary code, the one or more implementation libraries, or a combination thereof are associated with the one or more respective access policies, the one or more domains, the respective subsets, the one or more resources, or a combination thereof as metadata.
  - 6. A method of claim 1, wherein the information, the data, and/or the signal further results from:
    - a local and/or remote reception of a request by the user for access to at least one of the one or more resources;
      
      a local and/or remote determination of whether the at least one resource is associated with at least one of the one or more respective access policies; and
      
      a local and/or remote determination to grant the access based, at least in part, on the determination with respect to the at least one respective access policy.
  - 7. A method of claim 6, wherein the information, the data, and/or the signal further results from:
    - a local and/or remote determination to retrieve one or more schemas, one or more attributes, one or more rules, source code, binary code, one or more implementation libraries, or a combination thereof associated with the at least one respective access policy, the at least one resource, or a combination thereof, wherein the one or more attributes include traffic and/or load on the network, traffic and/or load on a host server, or a combination thereof,wherein the determining to grant the access is further based, at least in part, on the one or more schemas, the one or more attributes, the one or more rules, the source code, the binary code, the one or more implementation libraries, or a combination thereof.
  - 8. A method of claim 7, wherein the information, the data, and/or the signal further results from:
    - a local and/or remote determination to initiate a generation, a compilation, or a combination thereof of the one or more schemas, the one or more attributes, the one or more rules, the source code, the binary code, the one or more implementation libraries, or a combination thereof on the receiving of the request by the user.
  - 9. A method of claim 7, wherein the information, the data, and/or the signal further results from:
    - a local and/or remote determination to store the one or more schemas, the one or more attributes, the one or more rules, the source code, the binary code, the one or more implementation libraries, or a combination thereof in a cache,wherein one or more subsequent requests by the user for access to the at least one resource is based, at least in part, on the cache.
  - 10. A method of claim 7, wherein the one or more schemas, the one or more attributes, the one or more rules, the source code, the binary code, the one or more implementation libraries, or a combination thereof are parsed from metadata associated with the at least one respective schema, the at least one resource, or a combination thereof, andwherein at least some of the schemas of the one or more attributes, the one or more rules, or a combination thereof, are normalized, andthe one or more attributes, the one or more rules, or a combination thereof, are evaluated based on the at least some of the schemas.
  - 17. A method of claim 6, wherein the information, the data, and/or the signal further results from:
    - an identification or generation of source code, binary code, and/or other implementation libraries to enable implementation of the access policies for controlling access to the respective subsets of one or more resources of the information system via a plurality of boundary points, on the receiving of the request by the user; and
      
      a coordination of the boundary points for the implementation of the access policies.
  - 18. A method of claim 2, further comprising:
    - obtaining one or more resource attributes at each of the boundaries for making a resource access decision, wherein the one or more resource attributes include metadata of schemas, attributes, rules, source codes, binary codes, libraries, network operation information, or a combination thereof.
  - 19. A method of claim 18, further comprising:
    - determining one or more replaceable tokens referenced upon at least the one or more resource attributes; and
      
      defining policy implementation code based, at least in part, on the one or more replaceable tokens.
  - 20. A method of claim 19, further comprising:
    - defining one or more policy rules based on a unary operation, a descriptive language-defined binary string-equals operation, or a combination thereof; and
      
      associating the one or more policy rules as the one or more resource attributes.

11. A method comprising facilitating access to at least one interface, the interface allowing access to at least one service, the service configured to perform the method of:
- determining, by a processor, one or more domains of an information system, the one or more domains associated at least in part with respective subsets of one or more resources of the information system; and
  
  in response to an input at a user device by a user other than administrators of the information system, generating by the processor one or more respective access policies local to the one or more domains, the one or more respective access policies configured to enable a determination at least in part of access to the respective subsets, the one or more resources, or a combination thereof,wherein the one or more respective access policies are generated locally and independently from one or more other access policies applicable to the one or more domains, and the one or more respective access policies are configured to operate independently of the one or more other access policies,wherein the one or more respective access policies, the one or more domains, or a combination thereof represent at least in part successive layers of access control with respect to the respective subsets, the one or more resources, or a combination thereof, andwherein the one or more respective access policies are different from the one or more other access policies for accessing the subset, while implemented via a different mechanism.
- View Dependent Claims (12, 13)
- - 12. A method of claim 11, wherein the service is further configured to:
    - determine one or more schemas, one or more attributes, one or more rules, source code, binary code, one or more implementation libraries with respect to determining access to the respective subsets, the one or more resources, or a combination thereof; and
      
      determine to associate the one or more schemas, the one or more attributes, the one or more rules, the source code, the binary code, the one or more implementation libraries, or a combination thereof with the one or more respective access policies,wherein one or more of the boundaries are defined by the user as surrounding at least one identical subset of the resources, andthe one or more respective access policies are more restrictive than the one or more other access policies for accessing the subset, while implemented via a different mechanism.
  - 13. A method of claim 11, wherein the service is further configured to:
    - receive a request for access to at least one of the one or more resources;
      
      determine whether the at least one resource is associated with at least one of the one or more respective access policies; and
      
      determine to grant the access based, at least in part, on the determination with respect to the at least one respective access policy.

14. A method comprising:
- determining, by a processor, one or more domains of an information system, the one or more domains associated at least in part with respective subsets of one or more resources of the information system; and
  
  in response to an input at a user device by a user other than administrators of the information system, generating by the processor one or more respective access policies local to the one or more domains, the one or more respective access policies configured to enable a determination at least in part of access to the respective subsets, the one or more resources, or a combination thereof,wherein the one or more respective access policies are generated locally and independently from one or more other access policies applicable to the one or more domains, and the one or more respective access policies are configured to operate independently of the one or more other access policies,wherein the one or more respective access policies, the one or more domains, or a combination thereof represent at least in part successive layers of access control with respect to the respective subsets, the one or more resources, or a combination thereof, andwherein the one or more respective access policies are different from the one or more other access policies for accessing the subset, while implemented via a different mechanism.
- View Dependent Claims (15, 16)
- - 15. A method of claim 14, further comprising:
    - determining one or more schemas, one or more attributes, one or more rules, source code, binary code, one or more implementation libraries with respect to determining access to the respective subsets, the one or more resources, or a combination thereof; and
      
      determining to associate the one or more schemas, the one or more attributes, the one or more rules, the source code, the binary code, the one or more implementation libraries, or a combination thereof with the one or more respective access policies.
  - 16. A method of claim 14, further comprising:
    - receiving a request for access to at least one of the one or more resources;
      
      determining whether the at least one resource is associated with at least one of the one or more respective access policies; and
      
      determining to grant the access based, at least in part, on the determination with respect to the at least one respective access policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Burghart, Theodore Robert
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
HOLMES, ANGELA R

Application Number

US12/915,969
Publication Number

US 20120110632A1
Time in Patent Office

1,481 Days
Field of Search

726/1, 709223-225, 709/229, 710 39- 40, 370/236
US Class Current

726/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

H04L 63/0861   using biometrical features,...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/107   wherein the security polici...

H04L 63/108   when the policy decisions a...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04W 4/00   Services specially adapted ...

Method and apparatus for providing distributed policy management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing distributed policy management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links