Generalized policy server
28 Assignments
0 Petitions
Abstract
A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter uses a local copy of an access control database to determine whether an access request made by a user is permitted. Changes made by administrators in the local copies are propagated to all of the other local copies. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to access policies which define access in terms of the user groups and information sets. The rights of administrators are similarly determined by administrative policies. Access is further permitted only if the trust levels of the mode of identification of the user and of the path in the network by which the access is made are sufficient for the sensitivity level of the information resource. If necessary, the access filter automatically encrypts the request with an encryption method whose trust level is sufficient. The first access filter in the path performs the access check and encrypts and authenticates the request; the other access filters in the path do not repeat the access check. A policy server component of the access filter has been separated from the access filter, and the policies have been generalized to permit administrators of the policy server to define new types of actions and new types of entities for which policies can be made. Policies may now further have specifications for time intervals during which the policies are in force, and the entities may be associated with attributes that specify how the entity is to be used when the policy applies.
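The abstract describes a layered decision: first the group/information-set policies (with optional time intervals) decide whether access is allowed at all, then the trust levels of the user's identification mode and of the network path are compared against the resource's sensitivity level, and if the path alone is not trusted enough the filter picks an encryption method whose trust level is sufficient. The following Python evaluator is an added illustration of that decision order, not code from the patent or any product; every user, group, resource, level and policy in it is constructed for the example, and "deny overrides allow" when several policies match is an assumption the abstract does not specify.

```python
"""Toy evaluator for the access-filter decision described in the abstract.

Hypothetical example: all names, trust levels, sensitivity levels and
policies below are constructed for illustration and are not from the patent.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed directory data: user -> user groups, resource -> information sets.
USER_GROUPS = {
    "alice": {"engineering", "staff"},
    "bob": {"contractor"},
}
INFO_SETS = {
    "design-docs": {"engineering-internal"},
    "cafeteria-menu": {"public"},
}
# Constructed sensitivity level per resource (higher = more sensitive).
SENSITIVITY = {"design-docs": 3, "cafeteria-menu": 0}

# Constructed trust levels of identification modes and network paths.
ID_TRUST = {"password": 1, "smartcard": 3}
PATH_TRUST = {"internal-lan": 3, "internet-cleartext": 0}
# Constructed encryption methods the filter may apply, with their trust levels.
ENCRYPTION_TRUST = {"ipsec-aes": 3, "weak-legacy": 1}


@dataclass(frozen=True)
class Policy:
    group: str
    info_set: str
    allow: bool
    # Optional (start_hour, end_hour) interval during which the policy is in force.
    active_hours: Optional[Tuple[int, int]] = None


POLICIES = [
    Policy("engineering", "engineering-internal", True, (8, 18)),
    Policy("contractor", "engineering-internal", False),
    Policy("staff", "public", True),
    Policy("contractor", "public", True),
]


@dataclass
class Decision:
    allowed: bool
    reason: str
    encryption: Optional[str] = None  # method chosen when the path needs protecting


def policy_permits(user: str, resource: str, hour: int):
    """Step 1: match policies by user group, information set and time interval."""
    groups = USER_GROUPS.get(user, set())
    sets = INFO_SETS.get(resource, set())
    matched = [
        p for p in POLICIES
        if p.group in groups and p.info_set in sets
        and (p.active_hours is None or p.active_hours[0] <= hour < p.active_hours[1])
    ]
    if not matched:
        return False, "no policy matches"          # default deny
    if any(not p.allow for p in matched):
        return False, "explicit deny"              # assumption: deny overrides allow
    return True, "allow policy matched"


def evaluate(user: str, resource: str, id_mode: str, path: str, hour: int,
             already_checked: bool = False) -> Decision:
    """Full decision as the first access filter in the path would make it."""
    if already_checked:
        # Downstream filters trust the first filter's check and do not repeat it.
        return Decision(True, "downstream filter: check already done by first filter")
    ok, why = policy_permits(user, resource, hour)
    if not ok:
        return Decision(False, why)
    sens = SENSITIVITY[resource]
    # Step 2: the identification mode must be trusted enough for the sensitivity.
    if ID_TRUST.get(id_mode, 0) < sens:
        return Decision(False, "identification mode trust too low")
    # Step 3: the path must be trusted enough, or the request must be encrypted.
    if PATH_TRUST.get(path, 0) >= sens:
        return Decision(True, "permitted over trusted path")
    candidates = [m for m, lvl in ENCRYPTION_TRUST.items() if lvl >= sens]
    if not candidates:
        return Decision(False, "no encryption method trusted enough for this resource")
    method = min(candidates, key=lambda m: ENCRYPTION_TRUST[m])  # weakest sufficient method
    return Decision(True, "permitted; request encrypted before forwarding", method)


if __name__ == "__main__":
    for args in [("alice", "design-docs", "smartcard", "internet-cleartext", 10),
                 ("alice", "design-docs", "password", "internal-lan", 10),
                 ("bob", "design-docs", "smartcard", "internal-lan", 10)]:
        print(args, evaluate(*args))
```

Note that the trust checks run only after a policy has allowed the request, and that a sufficient identification mode cannot compensate for an untrusted path: the two levels are compared against the sensitivity independently, which is what the abstract's "and" between the two trust levels means.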
218 Citations
28 Claims
1. A method for controlling access to network information comprising:
receiving a request from a user concerning access to information in a network;
consulting a local copy of one or more policies, the one or more policies limiting access to the network information; and
determining whether the user is authorized to access the information based on at least the local copy of the one or more policies.
(Dependent claims 2 through 16 depend on claim 1.)
17. A system for controlling access to network information comprising:
a policy database configured to store one or more policies limiting access to network information;
a local server configured to provide network information to authorized users; and
an access filter associated with the one or more policies and configured to determine whether a user is authorized to receive access to information from the local server based on at least the one or more policies.
(Dependent claims 18 through 25 depend on claim 17.)
26. A computer-readable storage medium having stored thereupon a program, the program being executable by a processor to perform a method for controlling access to network information, the method comprising:
receiving a request from a user concerning access to information in a network;
consulting a local copy of one or more policies, the one or more policies limiting access to the network information; and
determining whether the user is authorized to access the information based on at least the local copy of the one or more policies.
(Dependent claims 27 and 28 depend on claim 26.)