Attaching web service policies to a group of policy subjects
Abstract
In one set of embodiments, methods, systems, and apparatus are provided to attach one or more quality of service policies to resources in an enterprise system by receiving a first global policy attachment that references an attachment attribute value and a first service policy, receiving a request to access a policy subject associated with a subject attribute value, identifying an effective policy set referenced by the first global policy attachment, the effective policy set including the first service policy if the attachment attribute value equals the subject attribute value, and granting the request to access based upon the at least one effective policy. The at least one effective policy may further include a first service policy referenced by the first global policy attachment if a first policy attachment scope referenced by the first global policy attachment matches or contains a subject scope associated with the policy subject.
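The scope-and-attribute matching described in the abstract, as an added example (not code from the patent or from any product). The level names, the policy names and the representation of a scope as a path of entity names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed containment hierarchy, ordered broad -> narrow (level names are hypothetical).
LEVELS = ("domain", "server", "application", "port")

@dataclass(frozen=True)
class Scope:
    path: tuple  # entity names from the broadest level down, e.g. ("prod", "srv1")

    def __post_init__(self):
        if not 1 <= len(self.path) <= len(LEVELS):
            raise ValueError("scope path must name 1..%d levels" % len(LEVELS))

    @property
    def level(self):
        return LEVELS[len(self.path) - 1]

    def matches_or_contains(self, other):
        """True when self equals other or is a broader scope that encloses it."""
        # A longer (narrower) path can never equal a prefix of a shorter one.
        return other.path[:len(self.path)] == self.path

@dataclass(frozen=True)
class GlobalPolicyAttachment:
    policy: str      # reference to a service policy
    scope: Scope     # policy attachment scope
    attribute: str   # attachment attribute value

@dataclass(frozen=True)
class PolicySubject:
    scope: Scope     # subject scope
    attribute: str   # subject attribute value

def effective_policies(subject, attachments):
    """Policies whose attribute equals the subject's and whose scope matches or contains it."""
    return {a.policy for a in attachments
            if a.attribute == subject.attribute
            and a.scope.matches_or_contains(subject.scope)}

# Constructed sample data; policy and entity names are made up.
ATTACHMENTS = [
    GlobalPolicyAttachment("require-tls", Scope(("prod",)), "ws-service"),
    GlobalPolicyAttachment("saml-token", Scope(("prod", "srv1", "billing")), "ws-service"),
    GlobalPolicyAttachment("audit-log", Scope(("test",)), "ws-service"),
    GlobalPolicyAttachment("client-cert", Scope(("prod",)), "ws-client"),
]
BILLING_PORT = PolicySubject(Scope(("prod", "srv1", "billing", "port-a")), "ws-service")
HR_PORT = PolicySubject(Scope(("prod", "srv1", "hr", "port-b")), "ws-service")
```

A domain-level attachment reaches every subject beneath that domain, while an attachment on a sibling application or on another domain does not, which is the property to check when reviewing how far a broad attachment actually extends.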
167 Citations
19 Claims
1. A method for enforcing policies in an enterprise, the method comprising:
- receiving, by a computer system, a reference to a first service policy;
- receiving, by the computer system, a first policy attachment scope, the first policy attachment scope identifying a type of resource in the enterprise;
- generating, by the computer system, a first global policy attachment metadata using the first service policy and the first policy attachment scope, the first global policy attachment metadata defining an attachment of the first service policy to the type of resource identified in the first policy attachment scope;
- receiving, by the computer system, a request to access a resource, wherein the resource is the type of resource identified in the first policy attachment scope;
- determining, by the computer system, an effective set of policies for the resource using the first global policy attachment metadata based at least in part on determining that the first service policy is in the effective set of policies for the resource;
- controlling, by the computer system, access to the resource responsive to the request using the determined effective set of policies at least in part by granting, by the computer system, the request to access the resource based upon the effective set of policies,
- wherein the type of resource identified by the first policy attachment scope corresponds to a first level in an enterprise containment hierarchy, the levels are ordered by breadth from a broad level to a narrow level, a first type of resource associated with a broader level contains one or more types of resources associated with a narrower level,
- wherein the first policy attachment scope contains additional types of resources if the type of resource identified by the first policy attachment scope corresponds to a level that is broader than the level that corresponds with the additional types of resources, and
- wherein the requested resource corresponds to a level that is narrower than the level corresponding to the first policy attachment scope.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A system comprising:
- a hardware processor; and
- a memory storing a set of instructions which when executed by the processor configure the processor to:
- receive a first global policy attachment metadata that references an attachment attribute value and a first service policy, the first global policy attachment metadata defining an attachment of the first service policy to resources having the attachment attribute value, and the first global policy attachment metadata referencing a first policy attachment scope that indicates a first scope of policy subjects to which the first service policy applies;
- receive a request to access a policy subject, the policy subject associated with a subject attribute value and a subject scope;
- identify at least one effective policy referenced by the first global policy attachment metadata in response to determining that the attachment attribute value of the first global policy attachment metadata satisfies the subject attribute value, wherein the at least one effective policy includes the first service policy referenced by the first global policy attachment metadata if the attachment attribute value is equal to the subject attribute value and the first policy attachment scope matches or contains the subject scope; and
- grant the request to access the policy subject based upon the at least one effective policy,
- wherein the first policy attachment scope and the subject scope each correspond to respective levels in an enterprise containment hierarchy, the levels are ordered by breadth from a broad level to a narrow level, a first entity associated with a broader level contains one or more entities associated with a narrower level, and
- wherein the first policy attachment scope contains the subject scope if the first policy attachment scope is broader than the subject scope.
Dependent claims: 11, 12, 13
14. A non-transitory machine-readable medium for a computer system, the non-transitory machine-readable medium having stored thereon a series of instructions which, when executed by a processor, cause the processor to:
- receive a reference to a first service policy;
- receive a first policy attachment scope, the first policy attachment scope identifying a type of resource in the enterprise;
- generate a first global policy attachment metadata using the first service policy and the first policy attachment scope, the first global policy attachment metadata defining an attachment of the first service policy to the type of resource identified in the first policy attachment scope;
- receive a request to access a resource;
- determine an effective set of policies for the resource using the first global policy attachment metadata at least in part by identifying at least one effective policy referenced by at least one global policy attachment to determine the effective set of policies for the resource, wherein the at least one effective policy includes the first service policy referenced by the first global policy attachment metadata if the first policy attachment scope matches or contains a subject scope associated with the resource, wherein the first policy attachment scope and the subject scope each correspond to respective levels in an enterprise containment hierarchy, the levels are ordered by breadth from a broad level to a narrow level, a first entity associated with a broader level contains one or more entities associated with a narrower level, and wherein the first policy attachment scope contains the subject scope if the first policy attachment scope is broader than the subject scope; and
- control access to the resource responsive to the request using the determined effective set of policies at least in part by granting the request to access the resource based upon the at least one effective policy.
Dependent claims: 15, 16, 17, 18, 19
Specification