Generalized policy server
First Claim
1. A data storage device accessible to a processor for implementation in a policy database, the policy database comprising:
- at least one policy, the at least one policy defined in terms of sets of first entities, sets of second entities, and actions, wherein a given policy defines a given action that an entity belonging to a given set of the first entities may perform on an entity belonging to a given set of the second entities, the at least one policy subject to association with a further condition, and the policy database configured to provide the processor, in response to a request to the processor, with policy information reflecting whether a particular entity belonging to the set of first entities to which the given policy applies may perform the given action on a particular entity belonging to the set of second entities to which the given policy applies, by determining that the particular entity may not perform the given action if the further condition is not satisfied at the time the processor responds to the request.
Abstract
A policy system includes a policy server (2617); a policy database (2619) located at a policy decision point (2723); an access/response entity (2603); a resource server (2711); policy messages (2725); and a policy enforcement point (2721). The system components are connected through a public network (2702) or an internal network (103). The access filters (107, 203, 403) control access by using a local copy of an access control database to determine whether an access request made by a user is permitted. Changes made by administrators in one local copy are propagated to all of the other local copies. Access is permitted or denied according to access policies (307), which define access in terms of user groups (FIGS. 9-12) and information sets (FIGS. 13A-18). The rights of administrators are similarly determined by administrative policies (FIGS. 23A-C). Access is further permitted only if the trust levels of the network by which the access is made are sufficient (FIGS. 25-29). The policy server component of the access filter has been separated from the access filter, and the policies have been generalized to permit administrators of the policy server to define new types of actions and new types of entities. Policies may now further have specifications for time intervals during which the policies are in force, and the entities may be associated with attributes that specify how the entity is to be used when the policy applies.
Claims
3. A data storage device accessible to a processor for implementation in a policy database, the policy database comprising:

at least one policy, the at least one policy defined in terms of sets of first entities, sets of second entities, and actions, wherein a given policy defines a given action that an entity belonging to a given set of the first entities may perform on an entity belonging to a given set of the second entities, the given set of first entities and/or the given set of second entities subject to an association with an action attribute, the action attribute specifying a manner in which the given action specified in the given policy is to be performed, and the policy database configured to provide the processor, in response to a request to the processor, with policy information reflecting whether a particular entity may perform an action to which the given policy applies in a particular manner by determining that the requesting entity may not perform the action unless the particular manner is the manner specified by the action attribute.
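The decision logic that claims 1 and 3 describe, as an added illustration rather than the patent's own code: a policy grants an action only to members of its set of first entities acting on members of its set of second entities, a further condition is checked at the time the decision is made (claim 1), and a request is refused unless it is made in the manner the action attribute specifies (claim 3). The entity names, the business-hours condition and the "encrypted" manner are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, Optional


@dataclass
class Policy:
    """Members of `subjects` may perform `action` on members of `objects`."""
    subjects: frozenset                 # set of first entities (e.g. a user group)
    objects: frozenset                  # set of second entities (e.g. an information set)
    action: str
    # claim 1: a further condition that must hold when the request is answered
    condition: Optional[Callable[[datetime], bool]] = None
    # claim 3: an action attribute giving the manner in which the action must be done
    manner: Optional[str] = None


@dataclass
class PolicyDatabase:
    policies: list = field(default_factory=list)

    def decide(self, subject, action, obj, manner=None, now=None) -> bool:
        """Return True only if some policy grants the request; otherwise deny."""
        now = now or datetime.now()      # condition is evaluated at decision time
        for p in self.policies:
            if p.action != action or subject not in p.subjects or obj not in p.objects:
                continue
            if p.condition is not None and not p.condition(now):
                continue                 # further condition not satisfied now
            if p.manner is not None and manner != p.manner:
                continue                 # not the manner the action attribute requires
            return True
        return False


def business_hours(t: datetime) -> bool:
    """Constructed time-interval condition: policy in force 09:00-17:00 only."""
    return time(9, 0) <= t.time() < time(17, 0)


# Constructed sample policies, not taken from the patent.
db = PolicyDatabase([
    Policy(frozenset({"alice", "bob"}), frozenset({"payroll"}), "read",
           condition=business_hours),
    Policy(frozenset({"alice"}), frozenset({"payroll"}), "write",
           manner="encrypted"),
])
```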