Enforcing control policies in an information management system with two or more interactive enforcement points
First Claim
1. A method comprising:
providing an interceptor code component and a policy engine code component executing on a first computer, wherein the interceptor code component resides within an operating system layer executing on the first computer, and the policy engine code component is outside of the operating system layer;
using the policy engine code component, evaluating a document access operation on the first computer, wherein the evaluating step evaluates at least one rule pertaining to the document access operation, wherein the evaluating step monitors operations of a plurality of application programs on the first computer, and the application programs are outside of the operating system layer, wherein the document access operation is initiated by an application program and detected by the interceptor code component, and the interceptor code component transfers handling of the document access operation to the policy engine code component, wherein the at least one rule is among a plurality of rules stored on the first computer, and wherein the at least one rule contains at least one expression used by the evaluating step to control document access operation;
for a first application program on the first computer, performing the evaluating step for an operation of the first application program;
for a second application program on the first computer, performing the evaluating step for an operation of the second application program;
determining if the first computer contains a first piece of information required to evaluate the at least one rule;
if the first computer contains the first piece of information required to evaluate the at least one rule, determining that the first computer is capable of evaluating the at least one rule;
if the first computer does not contain the first piece of information required to evaluate the at least one rule, determining that the first computer is incapable of evaluating the at least one rule;
if the first computer is incapable of evaluating the at least one rule, determining a second computer connected over a network to the first computer, wherein the second computer has access to the first piece of information;
confirming on the first computer that the second computer has an ability to interact with the evaluating step;
determining first and second portions of the at least one rule, wherein evaluating the second portion of the at least one rule comprises accessing the first piece of information that causes the first computer to be incapable of evaluating the at least one rule;
designating the second portion of the at least one rule to be evaluated with the first piece of information accessible by the second computer;
accessing the first piece of information by the second computer;
evaluating the second portion of the at least one rule with the accessed first piece of information accessed by the second computer;
determining the first computer is capable of evaluating the first portion of the at least one rule by way of the first computer having access to a second piece of information required to evaluate the first portion of the at least one rule;
designating the first portion of the at least one rule to be evaluated with the second piece of information accessible by the first computer;
accessing the second piece of information by the first computer;
evaluating the first portion of the at least one rule with the accessed second piece of information accessed by the first computer;
based on the evaluated first portion of the at least one rule by the first computer and the evaluated second portion of the at least one rule by the second computer, determining whether to allow or deny the operation of the first application program;
when the first computer is incapable of evaluating the at least one rule, transmitting an indication from the first computer to a helper decision point, wherein the indication comprises a request and a list of events; and
based on the indication, determining at the helper decision point that the second computer has access to the first piece of information.
Abstract
A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server.
45 Claims
1. (Set out in full above under First Claim.) Dependent claims: 2 through 38 and 45.
39. A method comprising:
providing an interceptor code component and a policy engine code component executing on a first computer, wherein the interceptor code component resides within an operating system layer executing on the first computer, and the policy engine code component is outside of the operating system layer;
using the policy engine code component, evaluating a document access operation on a first computer, wherein the evaluating step evaluates at least one rule pertaining to the document access operation, wherein the evaluating step monitors operations of a plurality of application programs on the first computer, and the application programs are outside of the operating system layer, wherein the document access operation is initiated by an application program and detected by the interceptor code component, and the interceptor code component transfers handling of the document access operation to the policy engine code component, wherein the at least one rule is among a plurality of rules stored on the first computer, and wherein the at least one rule contains at least one expression used by the evaluating step to control document access operation;
determining if the first computer has access to a first piece of information required to evaluate the at least one rule;
if a first location contains the first piece of information required to evaluate the at least one rule, determining that the first computer is capable of evaluating the at least one rule;
if the first location does not contain the first piece of information required to evaluate the at least one rule, determining that the first computer is incapable of evaluating the at least one rule;
determining a portion of the at least one rule to be evaluated at a remote computer accessible to the first computer over a network, comprising:
  at the remote computer, determining first and second portions of the at least one rule, wherein evaluating the second portion of the at least one rule comprises accessing the first piece of information;
  designating the second portion of the at least one rule to be evaluated with the first piece of information accessible by a second computer, accessible to the first computer over a network;
  accessing the first piece of information by the second computer;
  transmitting information on the second portion of the at least one rule to the second computer;
  at the remote computer, evaluating the first portion of the at least one rule;
  at the remote computer, evaluating the second portion of the at least one rule with the first piece of information accessed by the second computer; and
  based on the evaluated first portion by the remote computer and the evaluated second portion by the second computer, determining at the remote computer whether to allow or deny the operation of the first application program;
at the first computer, receiving from the remote computer through the network an evaluated result by the remote computer from the portion of the at least one rule;
if the evaluated result by the remote computer is a Boolean true, permitting the document access operation on the first computer;
if the evaluated result by the remote computer is a Boolean false, denying the document access operation on the first computer;
when the first computer is incapable of evaluating the at least one rule, transmitting an indication from the first computer to a helper decision point, wherein the indication comprises a request and a list of events; and
based on the indication, determining at the helper decision point that the second computer has access to the first piece of information.
Dependent claims: 40 through 44.
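The decision flow set out in claims 1 and 39, as an added worked example in Python that is not code from the patent or its assignee. A rule is modelled as a conjunction of predicates over named attributes (the claims say only that a rule "contains at least one expression", so that form is an assumption of the example). The first computer evaluates the predicates whose attributes it holds, sends a request plus a list of events to a helper decision point to learn which peer holds each missing attribute, has that peer evaluate the remaining predicates and return a Boolean, and combines the results into one allow or deny. The host names, attribute names, sample rule, `intercept_open` stand-in for the OS-layer interceptor, and the fail-closed behaviour when no peer holds an attribute are all assumptions of the example.

```python
"""Added illustration of two-enforcement-point rule evaluation (claims 1 and 39).
Not code from the patent or its assignee; rule form, names and the fail-closed
choice are assumptions of this example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Predicate:
    """One conjunct of a rule: a test over a single named attribute."""
    attribute: str
    test: Callable[[object], bool]
    description: str


# Assumption: a rule is a conjunction of predicates. The claims only say a rule
# "contains at least one expression"; the AND-of-predicates form is this example's.
Rule = List[Predicate]


@dataclass
class Computer:
    """An enforcement point together with the attributes it can access locally."""
    name: str
    attributes: Dict[str, object]
    reachable: bool = True  # assumed: models a peer that cannot be contacted

    def can_evaluate(self, pred: Predicate) -> bool:
        return pred.attribute in self.attributes

    def evaluate(self, portion: Rule) -> bool:
        """Evaluate a rule portion here; raises if a predicate's attribute is missing."""
        for pred in portion:
            if not self.can_evaluate(pred):
                raise LookupError(f"{self.name} lacks attribute {pred.attribute!r}")
            if not pred.test(self.attributes[pred.attribute]):
                return False
        return True


class HelperDecisionPoint:
    """Receives a request plus a list of events and names the peer holding the attribute."""

    def __init__(self, peers: List[Computer]):
        self.peers = peers
        self.audit: List[Tuple[str, List[str]]] = []  # (request, events) pairs seen

    def locate(self, request: str, events: List[str]) -> Optional[Computer]:
        self.audit.append((request, list(events)))
        for peer in self.peers:
            if peer.reachable and request in peer.attributes:
                return peer
        return None


def decide(first: Computer, rule: Rule, helper: HelperDecisionPoint,
           events: List[str]) -> Tuple[bool, str]:
    """Split the rule into a local and a remote portion, evaluate each where its
    attribute lives, and combine the Boolean results into one allow/deny."""
    local_portion = [p for p in rule if first.can_evaluate(p)]
    remote_portion = [p for p in rule if not first.can_evaluate(p)]

    # First portion: evaluated on the first computer with information it holds.
    if not first.evaluate(local_portion):
        return False, "denied by local portion"

    # Second portion: ask the helper decision point which peer holds each missing
    # attribute, then group the predicates by that peer.
    assignments: Dict[str, Tuple[Computer, Rule]] = {}
    for pred in remote_portion:
        peer = helper.locate(pred.attribute, events)
        if peer is None:
            # Assumed fail-closed behaviour: the rule cannot be fully evaluated.
            return False, f"denied: no peer can evaluate {pred.attribute!r}"
        assignments.setdefault(peer.name, (peer, []))[1].append(pred)

    for peer, portion in assignments.values():
        if not peer.evaluate(portion):  # the peer returns a Boolean, as in claim 39
            return False, f"denied by remote portion on {peer.name}"
    return True, "allowed"


def intercept_open(first: Computer, app: str, path: str, classification: str,
                   rule: Rule, helper: HelperDecisionPoint) -> Tuple[bool, str]:
    """Stand-in for the OS-layer interceptor: records the event, fills in what the
    first computer knows about the operation, and hands the decision to decide()."""
    event = f"OPEN {first.name} {app} {path}"
    first.attributes.update({"app.name": app, "document.classification": classification})
    return decide(first, rule, helper, [event])


# Constructed sample rule and hosts (not from the patent).
SAMPLE_RULE: Rule = [
    Predicate("document.classification",
              lambda c: c in {"public", "internal", "confidential"},
              "document is not top secret"),
    Predicate("app.name",
              lambda a: a in {"winword.exe", "acrord32.exe"},
              "application is on the approved list"),
    Predicate("user.projects",
              lambda projects: "apollo" in projects,
              "user is on the Apollo roster (known only to the HR server)"),
]


def sample_hosts() -> Tuple[Computer, HelperDecisionPoint]:
    """Fresh laptop, HR server and helper decision point for each run."""
    laptop = Computer("laptop-1", {"user.name": "alice"})
    hr_server = Computer("hr-server", {"user.projects": {"apollo", "zeus"}})
    return laptop, HelperDecisionPoint([hr_server])


if __name__ == "__main__":
    laptop, helper = sample_hosts()
    print(intercept_open(laptop, "winword.exe", r"C:\docs\plan.docx", "confidential",
                         SAMPLE_RULE, helper))
```

Two design choices go beyond a literal reading of the claims: a false local portion denies without contacting the helper, so no request or event list leaves the first computer when the answer is already known, and a rule whose remote portion cannot be placed with any reachable peer denies rather than allows, which is the fail-closed default a practitioner expects from a policy enforcer.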