System for managing access to protected resources

US 9,807,097 B1
Filed: 08/25/2016
Issued: 10/31/2017
Est. Priority Date: 01/09/2003
Status: Expired due to Term

First Claim

Patent Images

1. A computer program product comprising non-transitory computer readable storage medium, said computer program product for controlling authorization of access to a resource, said computer program product comprising:

computer readable program code embodied at the non-transitory computer readable storage medium for retrieving an indication of a request for access to the resource from a policy enforcement point;

computer readable program code embodied at the non-transitory computer readable storage medium for obtaining from a policy repository a dynamically-loadable security policy associated with the resource, the dynamically-loadable security policy comprising at least one rule;

computer readable program code embodied at the non-transitory computer readable storage medium for examining the at least one rule of the dynamically-loadable security policy to determine at least one attribute required by the rule to evaluate the policy associated with the resource and comprising the at least one rule;

computer readable program code embodied at the non-transitory computer readable storage medium for invoking a connector to a data source that contains the at least one attribute required by the rule needed to evaluate the policy;

computer readable program code embodied at the non-transitory computer readable storage medium for retrieving the at least one attribute required by the rule to evaluate the policy;

computer readable program code embodied at the non-transitory computer readable storage medium for evaluating the policy using a value of the at least one attribute; and

return an authorization decision to the policy enforcement point.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A rules evaluation engine that controls user'"'"'s security access to enterprise resources that have policies created for them. This engine allows real time authorization process to be performed with dynamic enrichment of the rules if necessary. Logging, alarm and administrative processes for granting or denying access to the user are also realized. The access encompasses computer and physical access to information and enterprise spaces.

2 Citations

7 Claims

1. A computer program product comprising non-transitory computer readable storage medium, said computer program product for controlling authorization of access to a resource, said computer program product comprising:
- computer readable program code embodied at the non-transitory computer readable storage medium for retrieving an indication of a request for access to the resource from a policy enforcement point;
  
  computer readable program code embodied at the non-transitory computer readable storage medium for obtaining from a policy repository a dynamically-loadable security policy associated with the resource, the dynamically-loadable security policy comprising at least one rule;
  
  computer readable program code embodied at the non-transitory computer readable storage medium for examining the at least one rule of the dynamically-loadable security policy to determine at least one attribute required by the rule to evaluate the policy associated with the resource and comprising the at least one rule;
  
  computer readable program code embodied at the non-transitory computer readable storage medium for invoking a connector to a data source that contains the at least one attribute required by the rule needed to evaluate the policy;
  
  computer readable program code embodied at the non-transitory computer readable storage medium for retrieving the at least one attribute required by the rule to evaluate the policy;
  
  computer readable program code embodied at the non-transitory computer readable storage medium for evaluating the policy using a value of the at least one attribute; and
  
  return an authorization decision to the policy enforcement point.
- View Dependent Claims (2, 3)
- - 2. The computer program product apparatus of claim 1 wherein the request for access to the resource comprises a client-generated request.
  - 3. The computer program product apparatus of claim 2 wherein the client generated request is generated by a client module and wherein the client module is prohibited from accessing the data source that contains the additional information.

4. A method for controlling authorization of access to a resource, said method comprising:
- retrieving an indication of a request for access to the resource from a policy enforcement point;
  
  obtaining a dynamically-loadable security policy associated with the resource, the dynamically-loadable security policy comprising at least one rule from a policy repository;
  
  examining the at least one rule of the dynamically-loadable security policy to determine at least one attribute required by the rule to evaluate the dynamically-loadable policy associated with the resource and comprising the at least one rule;
  
  invoking a connector to a data source that contains the at least one attribute required by the rule to evaluate the policy;
  
  retrieving the at least one attribute required by the rule to evaluate the policy;
  
  evaluating the policy using a value of the at least one attribute; and
  
  returning an authorization decision to the policy enforcement point.
- View Dependent Claims (5, 6, 7)
- - 5. The method of claim 4 wherein the request for access to the resource comprises a client-generated request.
  - 6. The method of claim 5 wherein the client generated request is generated by a client module and wherein the client module is prohibited from accessing the data source that contains the additional information.
  - 7. The method of claim 4 wherein the at least one attribute retrieved during said retrieving is of a value current when retrieved, subsequent to retrieval of the indication of the request for access to the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Jericho Systems Corporation
Inventors
Roegner, Michael W.
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Holmes, Angela

Application Number

US15/247,041
Time in Patent Office

432 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 16/22   Indexing; Data structures t...

G06F 21/6218   to a system of files or obj...

H04L 63/02   for separating internal fro...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

System for managing access to protected resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

2 Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

System for managing access to protected resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

2 Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links