Deploying policies and allowing off-line policy evaluations

US 9,384,363 B2
Filed: 10/28/2014
Issued: 07/05/2016
Est. Priority Date: 12/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing a server having access to a policy database storing a first set of policies;

providing a device, separate from the server, comprising a decision engine, implemented using executable code, to manage information accessible via the device according to the first set of policies stored on the device;

providing a first abstraction, referenced by at least one policy of the first set of policies;

storing the first abstraction at the device, wherein the first abstraction includes a definition statement used by the device when evaluating the at least one policy of the first set of policies;

in the policy database, storing a second set of policies;

connecting of the device to a network with the server having access to the policy database;

via the server, receiving at the device the second set of policies to replace the first set of policies stored at the device;

after receiving the second set of policies at the device, replacing the first set of policies stored at the device with the received second set of policies; and

using the decision engine to manage information accessible via the device according to the second set of policies, whether the device is connected or disconnected from the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an information management system, policies are deployed to targets and targets can evaluate the policies whether they are connected or disconnected to the system. The policies may be transferred to the target, which may be a device or user. Relevant policies may be transferred while not relevant policies are not. The policies may have policy abstractions.

63 Citations

View as Search Results

23 Claims

1. A method comprising:
- providing a server having access to a policy database storing a first set of policies;
  
  providing a device, separate from the server, comprising a decision engine, implemented using executable code, to manage information accessible via the device according to the first set of policies stored on the device;
  
  providing a first abstraction, referenced by at least one policy of the first set of policies;
  
  storing the first abstraction at the device, wherein the first abstraction includes a definition statement used by the device when evaluating the at least one policy of the first set of policies;
  
  in the policy database, storing a second set of policies;
  
  connecting of the device to a network with the server having access to the policy database;
  
  via the server, receiving at the device the second set of policies to replace the first set of policies stored at the device;
  
  after receiving the second set of policies at the device, replacing the first set of policies stored at the device with the received second set of policies; and
  
  using the decision engine to manage information accessible via the device according to the second set of policies, whether the device is connected or disconnected from the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 comprising:
    - allowing access to a first document by a first policy of the second set of policies, wherein the first policy references the first abstraction stored at the device.
  - 3. The method of claim 2 comprising:
    - when access to the first document is granted according to the first policy, determining whether an action operation is allowable according to a second policy of the second set of policies.
  - 4. The method of claim 1 wherein at least one of the policies in the first set of policies is replaced by at least one policy in the second set of policies.
  - 5. The method of claim 1 wherein the second set of policies comprises at least one of binary data, configuration setting, look-up table, tables, or text.
  - 6. The method of claim 1 wherein the policies in the policy database are stored in a first format and sent to the device using a second format.
  - 7. The method of claim 1 wherein the policies in the policy database are stored in a first format and sent to the device using a second format, wherein the second format is based on a characteristic of the decision engine of the device.
  - 8. The method of claim 1 wherein the policies in the policy database are stored in a first format and sent to the device using a second format, wherein the second format is based on the device type.
  - 9. The method of claim 1 wherein the via the server, receiving at the device comprises:
    - optimizing the policies by replacing common subexpressions with a variable.
  - 10. The method of claim 1 wherein the via the server, receiving at the device comprises:
    - optimizing the policies by reordering a first expression to obtain a second expression, wherein the second expression is functionally equivalent to the first expression.
  - 11. The method of claim 10 wherein the reordering comprises logically reducing the first expression.
  - 12. The method of claim 10 wherein the reordering comprises logically expanding the first expression.
  - 13. The method of claim 1 wherein the via the server, receiving at the device comprises:
    - optimizing the policies by evaluating a less time-consuming comparison operation before a more time-consuming comparison operation.
  - 14. The method of claim 1 wherein the first set of policies comprises policy abstractions.

15. A method comprising:
- providing a device comprising a decision engine, implemented using at least one code module, to control application operation on the device according to a first set of policies stored on the device;
  
  connecting the device to a network with a server having access to a policy database;
  
  via the server, receiving at the device a second set of policies to replace the first set of policies stored at the device;
  
  before the receiving at the device the second set of policies to replace the first set of policies stored at the device, retrieving a first abstraction referenced by at least one policy of the first set of policies; and
  
  after the receiving of the second set of policies at the device, using the decision engine to control application operation on the device according to the second set of policies comprising;
  
  allowing access by a first application to a first document at the device, wherein a first policy of the second set of policies is evaluated to determine whether to allow access by the first application and the first policy references the retrieved first abstraction; and
  
  when access by the first application to the first document is granted according to the first policy, determining whether a document operation is allowable.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The method of claim 15 wherein at least one of the policies in the first set of policies is replaced by at least one policy in the second set of policies.
  - 17. The method of claim 15 wherein the second set of policies comprises at least one of binary data, configuration setting, look-up table, tables, or text.
  - 18. The method of claim 15 wherein the via the server, receiving at the device comprises:
    - optimizing the policies by replacing common subexpressions with a variable.
  - 19. The method of claim 15 wherein the via the server, receiving at the device comprises:
    - optimizing the policies by reordering a first expression to obtain a second expression, wherein the second expression is functionally equivalent to the first expression.
  - 20. The method of claim 15 wherein the via the server, receiving at the device comprises:
    - optimizing the policies by reordering a first expression to obtain a second expression, wherein the second expression is functionally equivalent to the first expression, and the reordering comprises logically reducing the first expression.
  - 21. The method of claim 15 wherein the via the server, receiving at the device comprises:
    - optimizing the policies by reordering a first expression to obtain a second expression, wherein the second expression is functionally equivalent to the first expression, and the reordering comprises logically expanding the first expression.
  - 22. The method of claim 15 wherein the via the server, receiving at the device comprises:
    - optimizing the policies by evaluating a less time-consuming comparison operation before a more time-consuming comparison operation.

23. A method comprising:
- providing a device comprising a decision engine, implemented using at least one code module, to control application operation on the device according to a first set of policies stored on the device, and the first set of policies comprises policy abstractions;
  
  connecting the device to a network with a server having access to a policy database;
  
  via the server, receiving at the device a second set of policies to replace the first set of policies stored at the device;
  
  before the receiving at the device the second set of policies to replace the first set of policies stored at the device, retrieving a first abstraction referenced by at least one policy of the first set of policies; and
  
  after the receiving of the second set of policies at the device, using the decision engine to control application operation on the device according to the second set of policies comprising;
  
  allowing access by a first application to a first document at the device, wherein a first policy of the second set of policies is evaluated to determine whether to allow access by the first application and the first policy references the retrieved first abstraction; and
  
  when access by the first application to the first document is granted according to the first policy, determining whether a document operation is allowable.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nextlabs
Original Assignee
Nextlabs
Inventors
Lim, Keng
Primary Examiner(s)
BAYOU, YONAS A

Application Number

US14/526,360
Publication Number

US 20150052577A1
Time in Patent Office

616 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/3438   monitoring of user actions ...

G06F 16/122   using management policies b...

G06F 16/13   File access structures, e.g...

G06F 16/176   Support for shared access t...

G06F 16/93   Document management systems

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 9/468   Specific access rights for ...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Deploying policies and allowing off-line policy evaluations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

63 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Deploying policies and allowing off-line policy evaluations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others