×

Enforcing control policies in an information management system with two or more interactive enforcement points

  • US 9,497,219 B2
  • Filed: 10/30/2007
  • Issued: 11/15/2016
  • Est. Priority Date: 12/29/2005
  • Status: Active Grant
First Claim
Patent Images

1. A method comprising:

  • providing an interceptor code component and a policy engine code component executing on a first computer, wherein the interceptor code component resides within an operating system layer executing on the first computer, and the policy engine code component is outside of the operating system layer;

    using the policy engine code component, evaluating a document access operation on the first computer,wherein the evaluating step evaluates at least one rule pertaining to the document access operation,wherein the evaluating step monitors operations of a plurality of application programs on the first computer, and the application programs are outside of the operating system layer,wherein the document access operation is initiated by an application program and detected by the interceptor code component, and the interceptor code component transfers handling of the document access operation to the policy engine code component,wherein the at least one rule is among a plurality of rules stored on the first computer, andwherein the at least one rule contains at least one expression used by the evaluating step to control document access operation;

    for a first application program on the first computer, performing the evaluating step for an operation of the first application program;

    for a second application program on the first computer, performing the evaluating step for an operation of the second application program;

    determining if the first computer contains a first piece of information required to evaluate the at least one rule;

    if the first computer contains the first piece of information required to evaluate the at least one rule, determining that the first computer is capable of evaluating the at least one rule;

    if the first computer does not contain the first piece of information required to evaluate the at least one rule, determining that the first computer is incapable of evaluating the at least one rule;

    if the first computer is incapable of evaluating the at least one rule, determining a second computer connected over a network to the first computer, wherein the second computer has access to the first piece of information;

    confirming on the first computer that the second computer has an ability to interact with the evaluating step;

    determining first and second portions of the at least one rule, wherein evaluating the second portion of the at least one rule comprises accessing the first piece of information that causes the first computer to be incapable of evaluating the at least one rule;

    designating the second portion of the at least one rule to be evaluated with the first piece of information accessible by the second computer;

    accessing the first piece of information by the second computer;

    evaluating the second portion of the at least one rule with the accessed first piece of information accessed by the second computer;

    determining the first computer is capable of evaluating the first portion of the at least one rule by way of the first computer having access to a second piece of information required to evaluate the first portion of the at least one rule;

    designating the first portion of the at least one rule to be evaluated with the second piece of information accessible by the first computer;

    accessing the second piece of information by the first computer;

    evaluating the first portion of the at least one rule with the accessed second piece of information accessed by the first computer;

    based on the evaluated first portion of the at least one rule by the first computer and evaluated second portion of the least one rule by the second computer, determining whether to allow or deny the operation of the first application program;

    when the first computer is incapable of evaluating the at least one rule, transmitting an indication from the first computer to a helper decision point, wherein the indication comprises a request and a list of events; and

    based on the indication, determining at the helper decision point that the second computer has access to the first piece of information.

View all claims
  • 0 Assignments
Timeline View
Assignment View
    ×
    ×