Deploying policies and allowing off-line policy evaluations
Abstract
In an information management system, policies are deployed to targets, and targets can evaluate the policies whether they are connected to or disconnected from the system. The policies may be transferred to the target, which may be a device or user. Relevant policies may be transferred while irrelevant policies are not. The policies may have policy abstractions.
23 Claims
1. A method comprising:
providing a server having access to a policy database storing a first set of policies;
providing a device, separate from the server, comprising a decision engine, implemented using executable code, to manage information accessible via the device according to the first set of policies stored on the device;
providing a first abstraction, referenced by at least one policy of the first set of policies;
storing the first abstraction at the device, wherein the first abstraction includes a definition statement used by the device when evaluating the at least one policy of the first set of policies;
in the policy database, storing a second set of policies;
connecting of the device to a network with the server having access to the policy database;
via the server, receiving at the device the second set of policies to replace the first set of policies stored at the device;
after receiving the second set of policies at the device, replacing the first set of policies stored at the device with the received second set of policies; and
using the decision engine to manage information accessible via the device according to the second set of policies, whether the device is connected or disconnected from the network.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14

15. A method comprising:
providing a device comprising a decision engine, implemented using at least one code module, to control application operation on the device according to a first set of policies stored on the device;
connecting the device to a network with a server having access to a policy database;
via the server, receiving at the device a second set of policies to replace the first set of policies stored at the device;
before the receiving at the device the second set of policies to replace the first set of policies stored at the device, retrieving a first abstraction referenced by at least one policy of the first set of policies; and
after the receiving of the second set of policies at the device, using the decision engine to control application operation on the device according to the second set of policies comprising;
allowing access by a first application to a first document at the device, wherein a first policy of the second set of policies is evaluated to determine whether to allow access by the first application and the first policy references the retrieved first abstraction; and
when access by the first application to the first document is granted according to the first policy, determining whether a document operation is allowable.
Dependent claims: 16, 17, 18, 19, 20, 21, 22

23. A method comprising:
providing a device comprising a decision engine, implemented using at least one code module, to control application operation on the device according to a first set of policies stored on the device, and the first set of policies comprises policy abstractions;
connecting the device to a network with a server having access to a policy database;
via the server, receiving at the device a second set of policies to replace the first set of policies stored at the device;
before the receiving at the device the second set of policies to replace the first set of policies stored at the device, retrieving a first abstraction referenced by at least one policy of the first set of policies; and
after the receiving of the second set of policies at the device, using the decision engine to control application operation on the device according to the second set of policies comprising;
allowing access by a first application to a first document at the device, wherein a first policy of the second set of policies is evaluated to determine whether to allow access by the first application and the first policy references the retrieved first abstraction; and
when access by the first application to the first document is granted according to the first policy, determining whether a document operation is allowable.

Specification