System for managing access to protected resources
First Claim
1. A system for managing requests from at least one external network, the system comprising:
- a firewall configured to determine one or more resources a requestor is attempting to access;
- a policy repository;
- one or more security policy management servers configured to:
  - receive an authorization request from the firewall, wherein the request comprises information about the requestor and a resource name;
  - retrieve, from the policy repository, a dynamically-loadable security access policy associated with the named resource, wherein the dynamically-loadable security access policy comprises one or more rules that indicate conditions under which a request to perform an action on the resource should be granted;
  - determine at least one attribute required by at least one of the rules of the dynamically-loadable security access policy retrieved from the policy repository and associated with the named resource;
  - for at least one of the attributes required by a rule of the dynamically-loadable security access policy retrieved from the policy repository and associated with the named resource, determine whether an attribute value must be requested from a remote data source;
  - request at least one of the attribute values required by a rule of the dynamically-loadable security access policy retrieved from the policy repository and associated with the named resource that must be requested from the remote data source;
  - retrieve from the remote data source the at least one of the attribute values;
  - evaluate the dynamically-loadable security access policy retrieved from the policy repository and associated with the named resource using the at least one of the attribute values from the remote data source; and
  - return an authorization decision to the firewall.
2 Assignments
0 Petitions
Abstract
A rules evaluation engine that controls a user's security access to enterprise resources that have policies created for them. This engine allows a real-time authorization process to be performed, with dynamic enrichment of the rules if necessary. Logging, alarm and administrative processes for granting or denying access to the user are also realized. The access encompasses computer and physical access to information and enterprise spaces.
176 Citations
15 Claims
Claim 1 (independent) is reproduced above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 14.
8. A method to process requests from at least one external network, the method comprising:
- receiving an authorization request from a firewall configured to determine one or more resources a requestor is attempting to access, wherein the request comprises information about the requestor and a resource name;
- retrieving from a policy repository a dynamically-loadable security access policy associated with the named resource, wherein the dynamically-loadable security access policy comprises one or more rules that indicate conditions under which a request to perform an action on the resource should be granted;
- determining at least one attribute required by at least one of the rules of the dynamically-loadable security access policy retrieved from the policy repository during said retrieving and associated with the named resource;
- determining, for at least one of the attributes required by a rule of the dynamically-loadable security access policy retrieved from the policy repository during said retrieving and associated with the named resource, whether an attribute value must be requested from a remote data source;
- requesting at least one of the attribute values that must be requested from the remote data source;
- retrieving from the remote data source the at least one of the attribute values;
- evaluating, by a security policy management server, the dynamically-loadable security access policy retrieved from the policy repository during said retrieving and associated with the named resource using the at least one of the attribute values from the remote data; and
- returning an authorization decision to the firewall.

Dependent claims: 9, 10, 11, 12, 13, 15.
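The flow claimed in claims 1 and 8 (firewall hands the server a requestor, resource and action; the server loads the resource's policy, fetches only the rule attributes it lacks from a remote data source, evaluates, and returns a decision) as an added Python illustration that is not part of the patent. The policy repository, the remote directory and the requestor records are constructed sample data; the server here defaults to deny for unknown resources and fails closed when an attribute cannot be fetched.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("pdp")

@dataclass
class Rule:
    action: str
    conditions: dict  # attribute name -> allowed values; all must match

# Constructed policy repository: resource name -> dynamically-loadable policy
POLICY_REPOSITORY = {
    "payroll-db": [Rule("read", {"role": {"hr", "finance"}, "clearance": {"secret"}}),
                   Rule("write", {"role": {"finance"}, "clearance": {"secret"}})],
    "lobby-door": [Rule("enter", {"badge_status": {"active"}})],
}

# Constructed remote data source (an HR directory, say) keyed by requestor id
REMOTE_ATTRIBUTES = {
    "alice": {"role": "hr", "clearance": "secret", "badge_status": "active"},
    "bob": {"role": "eng", "clearance": "none", "badge_status": "revoked"},
}

def fetch_remote(requestor, attr):
    """Stand-in for the call to the remote data source; None when unknown."""
    return REMOTE_ATTRIBUTES.get(requestor, {}).get(attr)

def authorize(request):
    """request comes from the firewall: requestor, resource, action and any
    attributes the firewall already holds. Returns 'PERMIT' or 'DENY'."""
    policy = POLICY_REPOSITORY.get(request["resource"])
    if policy is None:  # no policy for the named resource: default deny
        log.warning("no policy for %s", request["resource"])
        return "DENY"
    attrs = dict(request.get("attributes", {}))
    for rule in policy:
        if rule.action != request["action"]:
            continue
        # dynamic enrichment: fetch only attributes this rule needs and we lack
        for name in rule.conditions.keys() - attrs.keys():
            value = fetch_remote(request["requestor"], name)
            if value is None:  # fail closed if enrichment is unavailable
                log.warning("attribute %s unavailable for %s", name, request["requestor"])
                return "DENY"
            attrs[name] = value
        if all(attrs[n] in allowed for n, allowed in rule.conditions.items()):
            log.info("PERMIT %(requestor)s %(action)s %(resource)s", request)
            return "PERMIT"
    log.info("DENY %(requestor)s %(action)s %(resource)s", request)
    return "DENY"
```

Attributes carried in the request are accepted as-is, so in a deployment the server should only honour attributes the firewall can actually vouch for and fetch the rest itself.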