Dynamic generation of policy enforcement rules and actions from policy attachment semantics
First Claim
1. A system, comprising:
- a memory; and
- a processor operating at a policy enforcement point (PEP) programmed to:
  - obtain from the memory at least one defined service level policy to be enforced during runtime by the PEP, that each specifies at least one set of enforceable policy provisions that each comprises a policy subject that represents a policy entity with which the defined service level policy is associated, a reference to a policy domain that specifies service level semantics of an area of runtime policy enforcement, and at least one assertion that each specifies a policy enforcement constraint to be applied to runtime objects associated with the policy subject within the area of runtime policy enforcement;
  - parse the obtained at least one defined service level policy to identify the specified at least one set of enforceable policy provisions; and
  - transform each identified set of enforceable policy provisions of the obtained at least one defined service level policy into at least one runtime-executable processing rule that each comprises at least one PEP processing action that each represents an atomic unit of policy enforcement level behavior executable by the PEP to enforce the respective at least one assertion against the runtime objects associated with the policy subject within the area of runtime policy enforcement.
Abstract
At least one defined service policy to be enforced by a policy enforcement point (PEP) is obtained. The obtained at least one defined service policy is parsed to identify at least one set of enforceable policy provisions. Each set of enforceable policy provisions includes a policy subject, a policy domain, and at least one assertion as the enforceable policy provisions within the at least one defined service policy. At least one runtime processing rule including at least one processing action usable by the PEP is created to enforce the policy subject, the policy domain, and the at least one assertion of each identified set of enforceable policy provisions.
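The following is an added illustration, not code from the patent or its assignee, of the pipeline the claims and abstract describe: a policy document is parsed into provision sets (subject, domain reference, assertions), each set is transformed into a runtime rule of atomic PEP actions using the domain's semantics, and the rule is enforced against runtime objects. The policy document format, the domain names, the assertion names and the runtime-object fields are all assumptions constructed for the example.

```python
# Added example, not from the patent: parse policy provisions and build PEP rules.
from dataclasses import dataclass, field

@dataclass
class Provision:
    subject: str      # policy subject: the entity the policy is attached to
    domain: str       # reference to a policy domain (area of enforcement)
    assertions: dict  # assertion name -> constraint value
@dataclass
class Rule:
    subject: str
    domain: str
    actions: list = field(default_factory=list)  # (name, atomic PEP action)

# Domain semantics (hypothetical): assertion name -> factory of an atomic action.
def _require_tls(flag):
    return lambda obj: (not flag) or obj.get("scheme") == "https"
def _max_body(limit):
    return lambda obj: obj.get("body_len", 0) <= int(limit)
def _rate_limit(limit):
    return lambda obj: obj.get("rps", 0) <= int(limit)
DOMAINS = {"security": {"require-tls": _require_tls, "max-body-bytes": _max_body},
           "traffic": {"rate-limit-rps": _rate_limit}}
def parse_policy(policy):
    # Identify each set of enforceable provisions (constructed document format).
    return [Provision(p["subject"], p["domain"], dict(p["assertions"]))
            for p in policy["provisions"]]
def transform(provisions):
    # Each provision set becomes one rule of atomic actions; unknown assertions fail closed.
    rules = []
    for prov in provisions:
        rule = Rule(prov.subject, prov.domain)
        for name, value in prov.assertions.items():
            factory = DOMAINS.get(prov.domain, {}).get(name)
            if factory is None:
                raise ValueError(f"no semantics for {name!r} in domain {prov.domain!r}")
            rule.actions.append((name, factory(value)))
        rules.append(rule)
    return rules
def enforce(rules, obj):
    # Run every matching rule's actions on a runtime object; return violated assertion names.
    return [name for r in rules if r.subject == obj["subject"]
            for name, action in r.actions if not action(obj)]

# Constructed sample policy attached to one service endpoint, across two domains.
POLICY = {"provisions": [
    {"subject": "orders-api", "domain": "security",
     "assertions": {"require-tls": True, "max-body-bytes": 4096}},
    {"subject": "orders-api", "domain": "traffic", "assertions": {"rate-limit-rps": 100}}]}
RULES = transform(parse_policy(POLICY))
```

A request object whose subject matches is checked by every action of every matching rule, and an assertion with no semantics in its domain is rejected at transform time rather than silently skipped at runtime.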
16 Claims
1. A system, comprising: (text as given under First Claim above) - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
9. A computer program product, comprising:
- a non-transitory computer readable storage medium having computer readable program code embodied therewith, where the computer readable program code when executed on a computer operating at a policy enforcement point (PEP) causes the computer to:
  - obtain at least one defined service level policy, to be enforced during runtime by the PEP, that each specifies at least one set of enforceable policy provisions that each comprises a policy subject that represents a policy entity with which the defined service level policy is associated, a reference to a policy domain that specifies service level semantics of an area of runtime policy enforcement, and at least one assertion that each specifies a policy enforcement constraint to be applied to runtime objects associated with the policy subject within the area of runtime policy enforcement;
  - parse the obtained at least one defined service level policy to identify the specified at least one set of enforceable policy provisions; and
  - transform each identified set of enforceable policy provisions of the obtained at least one defined service level policy into at least one runtime-executable processing rule that each comprises at least one PEP processing action that each represents an atomic unit of policy enforcement level behavior executable by the PEP to enforce the respective at least one assertion against the runtime objects associated with the policy subject within the area of runtime policy enforcement. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16)