Managing cross perimeter access
First Claim
1. A method of managing access to resources in a device, comprising:
- receiving, by a hardware data processing apparatus on the device, from a first resource associated with a first plurality of resources defined on the device, a request to access a second resource associated with a second plurality of resources, wherein the device includes the first plurality of resources, the first resource, the second plurality of resources, and the second resource, and wherein the first plurality of resources and the second plurality of resources are logically separated and access between the first plurality of resources and the second plurality of resources is determined based on one or more management policies, the first plurality of resources including a first network connection profile and a first encryption certificate for the first plurality of resources, and the second plurality of resources including a second network connection profile and a second encryption certificate for the second plurality of resources, and wherein the request to access the second resource comprises a request to make a network connection by the first resource using the second network connection profile;
determining, by a hardware data processing apparatus on the device, whether the request to make the network connection is prohibited based on a first management policy for the first plurality of resources and a second management policy for the second plurality of resources, the first management policy defining one or more rules for the first plurality of resources for accessing resources associated with the second plurality of resources including the second resource, the second management policy defining one or more rules for the second plurality of resources for allowing access to resources associated with the second plurality of resources including the second resource, and the determination comprises:
if the first management policy prohibits the first resource to use any network connection profiles included in the second plurality of resources to make the network connection, prohibiting the request to make the network connection; and
if the second management policy prohibits the resources outside of the second plurality of resources to use any network connection profiles included in the second plurality of resources to make the network connection, prohibiting the request to make the network connection;
when the request to make the network connection is granted, enabling the first resource associated with the first plurality of resources to use the second network connection profile to make the network connection.
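The decision procedure in claim 1 is a conjunction of two independent policies: the requesting perimeter's outbound rule and the owning perimeter's inbound rule must both permit the use of the connection profile, and a prohibition from either side is enough to deny. The following is an added illustration of that logic, not code from the patent or its assignee; the perimeter names, the policy field names (`may_use_foreign_profiles`, `allow_foreign_use_of_profiles`), the sample profiles and the placeholder certificate labels are all constructed, and the treatment of a request for a profile in the requester's own perimeter is an assumption the claim does not address.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class ManagementPolicy:
    """Rules set by a perimeter's administrator (constructed field names)."""
    # Outbound rule (claim 1, "first management policy"): may this perimeter's
    # resources use network connection profiles owned by other perimeters?
    may_use_foreign_profiles: bool
    # Inbound rule (claim 1, "second management policy"): may resources from
    # outside this perimeter use its network connection profiles?
    allow_foreign_use_of_profiles: bool


@dataclass(frozen=True)
class Perimeter:
    """A logically separated group of resources on one device."""
    name: str
    network_profiles: FrozenSet[str]
    encryption_certificate: str  # placeholder label only, not a real certificate
    policy: ManagementPolicy


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_connection_request(requester: Perimeter, profile: str,
                                perimeters: Dict[str, Perimeter]) -> Decision:
    """Decide whether a resource in `requester` may open a network connection
    using connection profile `profile`.

    Default deny: an unknown profile is refused, and a cross-perimeter use is
    allowed only when neither perimeter's policy prohibits it.
    """
    owners = [p for p in perimeters.values() if profile in p.network_profiles]
    if len(owners) != 1:
        return Decision(False, f"profile {profile!r} is not owned by exactly one perimeter")
    owner = owners[0]

    if owner.name == requester.name:
        # Same perimeter: no cross-perimeter policy applies (assumption; the
        # claim only covers requests that cross a perimeter boundary).
        return Decision(True, f"{profile!r} belongs to the requester's own perimeter")

    if not requester.policy.may_use_foreign_profiles:
        return Decision(False, f"{requester.name!r} policy prohibits using other perimeters' profiles")

    if not owner.policy.allow_foreign_use_of_profiles:
        return Decision(False, f"{owner.name!r} policy prohibits outside use of its profiles")

    return Decision(True, f"{requester.name!r} may use {profile!r} owned by {owner.name!r}")


def build_sample_device() -> Dict[str, Perimeter]:
    """Constructed sample: a personal and a work perimeter on one device."""
    personal = Perimeter(
        name="personal",
        network_profiles=frozenset({"home-wifi"}),
        encryption_certificate="personal-cert (placeholder)",
        policy=ManagementPolicy(may_use_foreign_profiles=True,
                                allow_foreign_use_of_profiles=True),
    )
    work = Perimeter(
        name="work",
        network_profiles=frozenset({"corp-vpn"}),
        encryption_certificate="work-cert (placeholder)",
        policy=ManagementPolicy(may_use_foreign_profiles=False,
                                allow_foreign_use_of_profiles=False),
    )
    return {p.name: p for p in (personal, work)}


def run_sample() -> Dict[str, bool]:
    """Evaluate four constructed requests and return label -> allowed."""
    device = build_sample_device()
    cases = {
        "personal->corp-vpn": ("personal", "corp-vpn"),    # denied: work's inbound rule
        "work->home-wifi": ("work", "home-wifi"),          # denied: work's outbound rule
        "personal->home-wifi": ("personal", "home-wifi"),  # own perimeter: allowed
        "personal->guest-wifi": ("personal", "guest-wifi"),  # unknown profile: denied
    }
    results = {}
    for label, (requester, profile) in cases.items():
        d = evaluate_connection_request(device[requester], profile, device)
        print(f"{label:22s} {'ALLOW' if d.allowed else 'DENY':5s} {d.reason}")
        results[label] = d.allowed
    return results


if __name__ == "__main__":
    run_sample()
```

The point worth noticing is that neither administrator can unilaterally open a path: the personal perimeter permits outbound use of foreign profiles, yet the request for the work VPN profile still fails because the work perimeter's inbound rule refuses it, and the reverse request fails on the work perimeter's outbound rule alone. Logging the reason string on every denial gives operations a record of which policy blocked the request.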
Abstract
In some implementations, a method of managing access to resources in a single device including receiving, from a first resource assigned to a first perimeter, a request to access a second resource assigned to a second perimeter different from the first perimeter. The single device includes the first perimeter and the second perimeter. Whether access to the second resource is prohibited is determined based on a management policy for the first perimeter. The management policy defining one or more rules for accessing resources assigned to the second perimeter including the second resource.
18 Claims

1. A method of managing access to resources in a device (set out in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A device, comprising:
- a first plurality of resources associated with a first resource and a first management policy, the first management policy defining one or more rules for accessing resources associated with the second plurality of resources including the second resource, wherein the first plurality of resources including a first network connection profile and a first encryption certificate for the first plurality of resources;
a second plurality of resources associated with a second resource and a second management policy, the second management policy defining one or more rules for allowing access to resources associated with the second plurality of resources including the second resource, wherein the second plurality of resources including a second network connection profile and a second encryption certificate for the second plurality of resources, the first plurality of resources and the second plurality of resources being logically separated; and
one or more hardware processors operable to:
receive, from the first resource associated with the first plurality of resources on the device a request to access the second resource associated with the second plurality of resources, wherein the device includes the first plurality of resources, the first resource, the second plurality of resources, and the second resource, wherein the request to access the second resource comprises a request to make a network connection by the first resource using the second network connection profile;
determine whether the request to make the network connection is prohibited based on the first management policy for the first plurality of resources and the second management policy for the second plurality of resources, wherein the determination comprises:
if the first management policy prohibits the first resource to use any network connection profiles included in the second plurality of resources to make the network connection, prohibiting the request to make the network connection; and
if the second management policy prohibits the resources outside of the second plurality of resources to use any network connection profiles included in the second plurality of resources to make the network connection, prohibiting the request to make the network connection;
when the request to make the network connection is granted, enable the first resource associated with the first plurality of resources to use the second network connection profile to make the network connection.
Dependent claims: 12, 13, 14.

15. A computer program product encoded on a tangible, non-transitory storage medium, the product comprising computer readable instructions for causing one or more processors to perform operations comprising:
- receiving, by a hardware data processing apparatus on the device, from a first resource associated with a first plurality of resources defined on the device, a request to access a second resource associated with a second plurality of resources, wherein the device includes the first plurality of resources, the first resource, the second plurality of resources, and the second resource, and wherein the first plurality of resources and the second plurality of resources are logically separated and access between the first plurality of resources and the second plurality of resources is determined based on one or more management policies, the first plurality of resources including a first network connection profile and a first encryption certificate for the first plurality of resources, and the second plurality of resources including a second network connection profile and a second encryption certificate for the second plurality of resources, and wherein the request to access the second resource comprises a request to make a network connection by the first resource using the second network connection profile;
determining, by a hardware data processing apparatus on the device, whether the request to make the network connection is prohibited based on a first management policy for the first plurality of resources and a second management policy for the second plurality of resources, the first management policy defining one or more rules for the first plurality of resources for accessing resources associated with the second plurality of resources including the second resource, the second management policy defining one or more rules for the second plurality of resources for allowing access to resources associated with the second plurality of resources including the second resource, and the determination comprises:
if the first management policy prohibits the first resource to use any network connection profiles included in the second plurality of resources to make the network connection, prohibiting the request to make the network connection; and
if the second management policy prohibits the resources outside of the second plurality of resources to use any network connection profiles included in the second plurality of resources to make the network connection, prohibiting the request to make the network connection;
when the request to make the network connection is granted, enabling the first resource associated with the first plurality of resources to use the second network connection profile to make the network connection.
Dependent claims: 16, 17, 18.