Dynamic generation of policy enforcement rules and actions from policy attachment semantics

US 9,270,541 B2
Filed: 03/25/2014
Issued: 02/23/2016
Est. Priority Date: 02/12/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

by a processor operating at a policy enforcement point (PEP);

obtaining at least one defined service level policy to be enforced during runtime by the PEP, that each specifies at least one set of enforceable policy provisions that each comprises a policy subject that represents a policy entity with which the defined service level policy is associated, a reference to a policy domain that specifies service level semantics of an area of runtime policy enforcement, and at least one assertion that each specifies a policy enforcement constraint to be applied to runtime objects associated with the policy subject within the area of runtime policy enforcement;

parsing the obtained at least one defined service level policy to identify the specified at least one set of enforceable policy provisions; and

transforming each identified set of enforceable policy provisions of the obtained at least one defined service level policy into at least one runtime-executable processing rule that each comprises at least one PEP processing action that each represents an atomic unit of policy enforcement level behavior executable by the PEP to enforce the respective at least one assertion against the runtime objects associated with the policy subject within the area of runtime policy enforcement.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

At least one defined service policy to be enforced by a policy enforcement point (PEP) is obtained. The obtained at least one defined service policy is parsed to identify at least one set of enforceable policy provisions and the at least one set of enforceable policy provisions is identified. Each set of enforceable policy provisions includes a policy subject, a policy domain, and at least one assertion as the enforceable policy provisions within the at least one defined service policy. At least one runtime processing rule including at least one processing action usable by the PEP is created to enforce the policy subject, the policy domain, and the at least one assertion of each identified at least one set of enforceable policy provisions.

55 Citations

View as Search Results

8 Claims

1. A method, comprising:
- by a processor operating at a policy enforcement point (PEP);
  
  obtaining at least one defined service level policy to be enforced during runtime by the PEP, that each specifies at least one set of enforceable policy provisions that each comprises a policy subject that represents a policy entity with which the defined service level policy is associated, a reference to a policy domain that specifies service level semantics of an area of runtime policy enforcement, and at least one assertion that each specifies a policy enforcement constraint to be applied to runtime objects associated with the policy subject within the area of runtime policy enforcement;
  
  parsing the obtained at least one defined service level policy to identify the specified at least one set of enforceable policy provisions; and
  
  transforming each identified set of enforceable policy provisions of the obtained at least one defined service level policy into at least one runtime-executable processing rule that each comprises at least one PEP processing action that each represents an atomic unit of policy enforcement level behavior executable by the PEP to enforce the respective at least one assertion against the runtime objects associated with the policy subject within the area of runtime policy enforcement.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, where transforming each identified set of enforceable policy provisions of the obtained at least one defined service level policy into the at least one runtime-executable processing rule that each comprises the at least one PEP processing action that each represents the atomic unit of policy enforcement level behavior executable by the PEP to enforce the respective at least one assertion against the runtime objects associated with the policy subject within the area of runtime policy enforcement comprises:
    - generating at least one local intermediate proxy policy object that represents and encapsulates the at least one assertion that each specifies the respective policy enforcement constraint of the at least one defined service level policy being transformed; and
      
      transforming the generated at least one local intermediate proxy policy object into the at least one PEP processing action that implements the at least one runtime-executable processing rule.
  - 3. The method of claim 1, where transforming each identified set of enforceable policy provisions of the obtained at least one defined service level policy into the at least one runtime-executable processing rule that each comprises the at least one PEP processing action that each represents the atomic unit of policy enforcement level behavior executable by the PEP to enforce the respective at least one assertion against the runtime objects associated with the policy subject within the area of runtime policy enforcement comprises creating, for each identified set of enforceable policy provisions, at least one PEP processing action to be executed in response to a match of the policy subject, the policy domain, and the at least one assertion within a runtime object.
  - 4. The method of claim 1, further comprising by the processor operating at the PEP:
    - receiving a runtime object in a policy framework;
      
      identifying a defined policy enforcement rule that comprises the at least one runtime-executable processing rule applicable to enforce the at least one defined service level policy against the runtime object during the runtime; and
      
      enforcing the at least one defined service level policy on the runtime object using the at least one runtime-executable processing rule within the policy framework during the runtime.
  - 5. The method of claim 4, where enforcing the at least one defined service level policy on the runtime object using the at least one runtime-executable processing rule within the policy framework during the runtime comprises:
    - determining a first service level agreement (SLA) runtime-executable processing rule associated with a first user credential and a second SLA runtime-executable processing rule associated with a second user credential; and
      
      dynamically adjusting the at least one PEP processing action of the at least one runtime-executable processing rule according to the first SLA runtime-executable processing rule of the first user credential and according to the second SLA runtime-executable processing rule for the second user credential.
  - 6. The method of claim 4, where:
    - the at least one defined service level policy comprises a service level agreement (SLA);
      
      the at least one runtime-executable processing rule comprises at least one SLA runtime-executable processing rule; and
      
      enforcing the at least one defined service level policy on the runtime object using the at least one runtime-executable processing rule within the policy framework during the runtime comprises;
      
      performing an SLA check action on the runtime object;
      
      determining whether the SLA check action has identified any matching SLA runtime-executable processing rules to be enforced against the runtime object; and
      
      for each matching SLA runtime-executable processing rule, processing the runtime object using the matching SLA runtime-executable processing rule.
  - 7. The method of claim 6, where:
    - the at least one defined service level policy further comprises a service level definition (SLD);
      
      the at least one runtime-executable processing rule comprises at least one SLD runtime-executable processing rule; and
      
      enforcing the at least one defined service level policy on the runtime object using the at least one runtime-executable processing rule within the policy framework during the runtime comprises;
      
      processing the at least one SLD runtime-executable processing rule last on the runtime object after processing each matching SLA runtime-executable processing rule on the runtime object.
  - 8. The method of claim 4, where the runtime object is selected from a group consisting of a transaction, a web request, a database request, a representational state transfer (REST) service, a web application, and a message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Burke, Thomas C., De Armas, Mario E., Gago, Oswaldo, Shah, Gaurang, Smith, Maria E.
Primary Examiner(s)
Cheema, Umar
Assistant Examiner(s)
Tolchinsky, Gregory P

Application Number

US14/224,456
Publication Number

US 20140229596A1
Time in Patent Office

700 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/5019   Ensuring fulfilment of SLA

H04L 47/20   Traffic policing

H04L 47/805   QOS or priority aware

H04L 63/0281   Proxies

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Dynamic generation of policy enforcement rules and actions from policy attachment semantics

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

55 Citations

8 Claims

Specification

Use Cases

Quick Links

Others

Dynamic generation of policy enforcement rules and actions from policy attachment semantics

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

8 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others