Providing a policy hierarchy in an enterprise data processing system
First Claim
1. A method for processing requests for a resource in an enterprise system having a plurality of computer clusters, the method comprising:
registering with a jurisdictional authority having jurisdictional rules embedded within for managing requests for the resource, by a computer of the enterprise system, disparate policy engines comprising a plurality of policy engines to form a hierarchy in which the jurisdictional authority manages the plurality of policy engines for the enterprise system;
intercepting, by the computer using the jurisdictional authority, the requests for the resource that is a member of a free resource pool, managed by a provisioning manager, from the plurality of policy engines to add the resource to the plurality of computer clusters in the enterprise system;
intercepting, by the computer, policy requests associated with the requests for the resource from the provisioning manager for the jurisdictional authority;
selectively modifying, by the computer, the jurisdictional rules according to predetermined criteria including time of day to manage invocation and execution of policies for the plurality of policy engines;
identifying, by the computer using the jurisdictional authority, a jurisdictional ranking encoded into a respective policy associated with the requests;
determining, by the computer using the jurisdictional authority that mediates between two or more of the requests for the resource using the jurisdictional rules and the jurisdictional ranking in a context of the two or more of the requests for the resource, whether to perform an action associated with the requests selected from a group of actions consisting of permit, deny and alter;
in response to the computer determining to permit the requests for the resource, determining, by the computer using the jurisdictional authority, a highest priority computer cluster in the plurality of computer clusters to add the resource using the jurisdictional rules that identify priorities for assigning the resource, the jurisdictional ranking of the respective policy, and an assignment of the plurality of computer clusters to organizations associated with the plurality of policy engines;
in response to the computer determining the highest priority computer cluster in the plurality of computer clusters, adding, by the computer, the resource requested from the free resource pool by the provisioning manager to only the highest priority computer cluster and not adding the resource requested to another computer cluster of the plurality of computer clusters; and
in response to the computer determining to deny the requests for the resource, capturing, by the computer using the jurisdictional authority, patterns of the requests for the resource and reporting a potentially erroneous policy to respective policy engines of the plurality of policy engines associated with the requests.
Abstract
A system, method and program product for providing a policy hierarchy usable in an enterprise system having at least one computer cluster. A request is sent to a jurisdictional authority for requesting that a resource be added to the computer cluster of the enterprise system. Following predetermined rules, the jurisdictional authority determines if the addition of said requested resource to said computer cluster is to be allowed. If the addition is determined to be allowed by the jurisdictional authority, the requested resource is added to the computer cluster by a computer cluster manager.
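The mediation flow in claim 1 and the abstract can be sketched as follows. This is an added example, not code from the patent: every class, field and cluster name is hypothetical, the business-hours window and the `(ranking, cluster priority)` ordering are assumptions, and only the permit and deny actions are modelled (not alter).

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    engine: str    # policy engine issuing the request
    cluster: str   # cluster it wants the free-pool resource added to
    ranking: int   # jurisdictional ranking encoded in its policy (higher wins)

class JurisdictionalAuthority:
    def __init__(self, day_priority, night_priority, report_after=2):
        self.day, self.night = day_priority, night_priority
        self.engine_org = {}       # registered engine -> organization
        self.cluster_org = {}      # cluster -> owning organization
        self.denials = Counter()   # (engine, cluster) -> number of denials seen
        self.report_after = report_after

    def register(self, engine, org, clusters):
        self.engine_org[engine] = org
        self.cluster_org.update({c: org for c in clusters})

    def priorities(self, hour):
        # Time-of-day criterion (assumed window): another table applies overnight.
        return self.day if 8 <= hour < 20 else self.night

    def mediate(self, requests, hour):
        """Decide one contested resource; returns (cluster or None, reports)."""
        prio, valid, reports = self.priorities(hour), [], []
        for r in requests:
            org = self.engine_org.get(r.engine)
            if org is not None and self.cluster_org.get(r.cluster) == org:
                valid.append(r)
                continue
            # Deny: unregistered engine, or a cluster outside its organization.
            self.denials[(r.engine, r.cluster)] += 1
            if self.denials[(r.engine, r.cluster)] >= self.report_after:
                reports.append(r.engine)   # potentially erroneous policy
        best = max(valid, key=lambda r: (r.ranking, prio.get(r.cluster, 0)),
                   default=None)
        # Only the single winning cluster receives the resource.
        return (best.cluster if best else None), reports

def demo():
    ja = JurisdictionalAuthority({"web": 10, "batch": 5}, {"web": 3, "batch": 9})
    ja.register("web-pe", "org-web", ["web"])
    ja.register("batch-pe", "org-batch", ["batch"])
    reqs = [Request("web-pe", "web", 2), Request("batch-pe", "batch", 2),
            Request("batch-pe", "web", 9)]   # constructed: out-of-jurisdiction
    return ja.mediate(reqs, hour=14), ja.mediate(reqs, hour=2)
```

The out-of-jurisdiction request never wins despite its high ranking, and its second denial is what triggers the report back to the issuing engine.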
18 Claims
1. A method for processing requests for a resource in an enterprise system having a plurality of computer clusters, the method comprising:
registering with a jurisdictional authority having jurisdictional rules embedded within for managing requests for the resource, by a computer of the enterprise system, disparate policy engines comprising a plurality of policy engines to form a hierarchy in which the jurisdictional authority manages the plurality of policy engines for the enterprise system;
intercepting, by the computer using the jurisdictional authority, the requests for the resource that is a member of a free resource pool, managed by a provisioning manager, from the plurality of policy engines to add the resource to the plurality of computer clusters in the enterprise system;
intercepting, by the computer, policy requests associated with the requests for the resource from the provisioning manager for the jurisdictional authority;
selectively modifying, by the computer, the jurisdictional rules according to predetermined criteria including time of day to manage invocation and execution of policies for the plurality of policy engines;
identifying, by the computer using the jurisdictional authority, a jurisdictional ranking encoded into a respective policy associated with the requests;
determining, by the computer using the jurisdictional authority that mediates between two or more of the requests for the resource using the jurisdictional rules and the jurisdictional ranking in a context of the two or more of the requests for the resource, whether to perform an action associated with the requests selected from a group of actions consisting of permit, deny and alter;
in response to the computer determining to permit the requests for the resource, determining, by the computer using the jurisdictional authority, a highest priority computer cluster in the plurality of computer clusters to add the resource using the jurisdictional rules that identify priorities for assigning the resource, the jurisdictional ranking of the respective policy, and an assignment of the plurality of computer clusters to organizations associated with the plurality of policy engines;
in response to the computer determining the highest priority computer cluster in the plurality of computer clusters, adding, by the computer, the resource requested from the free resource pool by the provisioning manager to only the highest priority computer cluster and not adding the resource requested to another computer cluster of the plurality of computer clusters; and
in response to the computer determining to deny the requests for the resource, capturing, by the computer using the jurisdictional authority, patterns of the requests for the resource and reporting a potentially erroneous policy to respective policy engines of the plurality of policy engines associated with the requests.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. An apparatus for processing requests for a resource in an enterprise system having a plurality of computer clusters, the apparatus comprising:
a computer, a non-transitory computer-readable storage device, a computer-readable memory, and program instructions stored on the non-transitory computer-readable storage device for execution by the computer via the computer-readable memory to:
register with a jurisdictional authority having jurisdictional rules embedded within for managing requests for the resource, by the computer of the enterprise system, disparate policy engines comprising a plurality of policy engines to form a hierarchy in which the jurisdictional authority manages the plurality of policy engines for the enterprise system;
intercept, by the computer using the jurisdictional authority, the requests for the resource that is a member of a free resource pool managed by a provisioning manager from the plurality of policy engines to add the resource to the plurality of computer clusters in the enterprise system;
intercept, by the computer using the jurisdictional authority, policy requests associated with the requests for the resource from the provisioning manager for the jurisdictional authority;
selectively modify, by the computer, the jurisdictional rules according to predetermined criteria including time of day, to manage invocation and execution of policies for the plurality of policy engines;
identify, by the computer using the jurisdictional authority, a jurisdictional ranking encoded into a respective policy associated with the requests;
determine, by the computer using the jurisdictional authority that mediates between two or more of the requests for the resource using the jurisdictional rules and the jurisdictional ranking in a context of the two or more of the requests for the resource, whether to perform an action associated with the requests selected from a group of actions consisting of permit, deny and alter;
determine, by the computer using the jurisdictional authority and using the jurisdictional rules that identify priorities for assigning the resource, the jurisdictional ranking of the respective policy, and an assignment of the plurality of computer clusters to organizations associated with the plurality of policy engines, a highest priority computer cluster in the plurality of computer clusters to add the resource, in response to the computer using determining to permit the requests;
add the resource requested from the free resource pool by the provisioning manager to only the highest priority computer cluster identified and not add the resource requested to another computer cluster of the plurality of computer clusters, in response to the computer determining the highest priority computer cluster in the plurality of computer clusters; and
capture, by the computer using the jurisdictional authority, patterns of the requests and report a potentially erroneous policy to respective policy engines of the plurality of policy engines associated with the requests, in response to the computer determining to deny the requests.
Dependent claims: 10, 11, 12, 13
14. A computer program product for processing requests for a resource in an enterprise system having a plurality of computer clusters, the computer program product comprising:
a non-transitory computer-readable storage device having program instructions stored on the non-transitory computer-readable storage device for execution by a computer, the program instructions comprising:
first program instructions for registering with a jurisdictional authority having jurisdictional rules embedded within for managing requests, by the computer of the enterprise system, disparate policy engines comprising a plurality of policy engines to form a hierarchy in which the jurisdictional authority manages the plurality of policy engines for the enterprise system;
second program instructions for intercepting requests for the resource that is a member of a free resource pool managed by a provisioning manager from the plurality of policy engines to add the resource to the plurality of computer clusters in the enterprise system;
third program instructions for intercepting policy requests associated with the requests for the resource from the provisioning manager for the jurisdictional authority;
fourth program instructions for selectively modifying the jurisdictional rules according to predetermined criteria including time of day to manage invocation and execution of policies for the plurality of policy engines;
fifth program instructions for identifying, using the jurisdictional authority, a jurisdictional ranking encoded into a respective policy associated with the requests;
sixth program instructions for determining, using the jurisdictional authority that mediates between two or more of the requests for the resource using the jurisdictional rules and the jurisdictional ranking in a context of the two or more of the requests for the resource, whether to perform an action associated with the requests selected from a group of actions consisting of permit, deny and alter;
seventh program instructions for determining, using the jurisdictional authority, the jurisdictional rules that identify priorities for assigning the resource, the jurisdictional ranking of the respective policy, and an assignment of the plurality of computer clusters to organizations associated with the plurality of policy engines, a highest priority computer cluster, in the plurality of computer clusters, to add the resource in response to the jurisdictional authority determining to permit the requests;
eighth program instructions for adding the resource requested from the free resource pool by the provisioning manager to only the highest priority computer cluster identified and not adding the resource requested to another computer cluster of the plurality of computer clusters, respectively, in response to determining the highest priority computer cluster in the plurality of computer clusters; and
ninth program instructions for using the jurisdictional authority to capture patterns of the requests for the resource and report a potentially erroneous policy to respective policy engines of the plurality of policy engines associated with the requests, in response to determining to deny the requests,
wherein the first program instructions, the second program instructions, the third program instructions, the fourth program instructions, the fifth program instructions, the sixth program instructions, the seventh program instructions, the eighth program instructions and the ninth program instructions are stored on the non-transitory computer-readable storage device.
Dependent claims: 15, 16, 17, 18
Specification