Computer system security service

US 7,757,271 B2
Filed: 01/15/2008
Issued: 07/13/2010
Est. Priority Date: 04/19/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A computer security service for a computer network accessible by users and comprising services and resources, the computer security service comprising,a policy builder component, comprisinga network constituent definition component, for defining user data and services and resources data corresponding to the computer network users, services and resources, anda policy definition component for defining access policies for the computer network users, services and resources, wherein the policy definition component comprises a policy definition plug-in integration component for registering one or more policy definition plug-in components for use in defining the access policies,a database component for maintaining user, services and resources data, and access policies, and for providing a set of selected access policies in response to a database query, anda validator component, comprisinga request parser for receiving a policy query for service or resource access originated by a network user and for generating a corresponding database query for submission to the database component, anda policy parser for receiving the set of access policies provided by the database component in response to the corresponding database query and for generating a policy decision for communication to the network user based on the set of access policies provided by the database component.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security service of computer networks having a policy builder, an LDAP-compliant database, a validator and an API. The policy builder component provides a graphical user interface to be used by a policy manager to define access policies for users seeking to access network services and resources. The graphical user interface has a grid of nodes representing access policies. The grid is arranged to correspond to a defined tree structure representing services and resources and a business relationship tree structure representing users. The graphical user interface permits the policy manager to define policy builder plug-ins for access policy customization. The LDAP-compliant database maintains the policy builder plug-ins. The validator component receives requests from users and queries the LDAP-compliant database to obtain relevant access policies as defined by the policy manager. The system provides for double inheritance of access policies such that where there is no express definition of an access policy for a node, the access policies are propagated according to the hierarchical structures of the data. The validator includes validator plug-ins for carrying out access policies corresponding to the access policies defined by policy builder plug-ins.

81 Citations

View as Search Results

19 Claims

1. A computer security service for a computer network accessible by users and comprising services and resources, the computer security service comprising,a policy builder component, comprisinga network constituent definition component, for defining user data and services and resources data corresponding to the computer network users, services and resources, anda policy definition component for defining access policies for the computer network users, services and resources, wherein the policy definition component comprises a policy definition plug-in integration component for registering one or more policy definition plug-in components for use in defining the access policies,a database component for maintaining user, services and resources data, and access policies, and for providing a set of selected access policies in response to a database query, anda validator component, comprisinga request parser for receiving a policy query for service or resource access originated by a network user and for generating a corresponding database query for submission to the database component, anda policy parser for receiving the set of access policies provided by the database component in response to the corresponding database query and for generating a policy decision for communication to the network user based on the set of access policies provided by the database component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The security service of claim 1 further comprising an API component for receiving an access request for service or resource access originated by a network user and for passing a corresponding policy query to the validator component, the API component further receiving the policy decision from the validator and accordingly permitting or denying access to the network user.
  - 3. The security service of claim 1 in which the database component maintains the user, services and resources data, and the access policies in an LDAP compliant format.
  - 4. The security service of claim 1 in which the validator component comprises an authenticator component for authenticating one or more of the network users.
  - 5. The security service of claim 4 in which the authenticator component comprises an authenticator plug-in integration component for registering plug-ins used in the authentication of the network user.
  - 6. The security service of claim 4 in which the authenticator component comprises a non-interactive authentication component for the authentication of one or more network users without requiring the one or more network users to interact with the security service.
  - 7. The security service of claim 4 further comprising a desktop component for installation on the computer of a network user for use in the authentication of the user.
  - 8. The security service of claim 1 in which the access policies are stored as XML documents and in which the validator component comprises an XML parser.
  - 9. The security service of claim 1 in which the policy builder component comprises a graphical user interface for displayinga grid having nodes, laid out on a first and on a second axis,user labels corresponding to the user data, each user label labelling nodes aligned relative to the first axis of the grid, andresource labels corresponding to the services and resources data, each resource label labelling nodes aligned relative to the second axis of the grid,the nodes in the grid corresponding to the access policies for users and services and resources, as defined by the user and resource labels.
  - 10. The security service of claim 9, in which the grid comprises a defined set of nodes, aligned relative to the first axis of the grid, each of the defined set of nodes representing the non-interactive authentication characteristic for a unique one of the defined services and resources displayed in the grid.
  - 11. The security service of claim 9, in which the grid comprises a defined set of nodes, aligned relative to the first axis of the grid, each of the defined set of nodes representing the access policy for an unknown user for a unique one of the defined services and resources displayed in the grid.
  - 12. The security service of claim 9, further comprising an access policy editor for defining the nodes in the grid, the access policy editor comprising means for graphically assembling icons representing policy rules to define an access policy for a user-specified node.
  - 13. The security service of claim 1 in which the network constituent definition component further comprises a resource discovery component to poll the computer network and to generate a resource tree data structure corresponding to resources in the computer network.
  - 14. The security service of claim 13, in which the resource discovery component further comprises a resource discovery plug-in specification component to specify resource discovery plug-in components for carrying out the process of discovery of the resources for a defined service in the network.
  - 15. The security service of claim 1 in which the network constituent definition component further comprises a user discovery component to poll the computer network and to generate a business relationship tree data structure corresponding to users defined for the computer network.

16. A policy builder for a security service of a computer network accessible by users and comprising services and resources, the policy builder comprising,a network constituent definition component, for defining user data and services and resources data corresponding to the computer network users, services and resources, anda policy definition component for defining access policies for the computer network users, services and resources, the policy definition component comprising,a plug-in integration component to permit a policy manager to register one or more plug-in components for use in defining manager-defined access policies,a defined access rule component for providing a set of pre-defined access rules to a policy manager for use in creating access policies.
- View Dependent Claims (17)
- - 17. The policy builder of claim 16 further comprising an access policy editor for defining the access policies, the access policy editor comprising means for graphically assembling icons representing the pre-defined access rules and manager-defined access policies.

18. A method for providing computer network security, the network being accessible by users and comprising services and resources, the method comprising the steps of:
- using a policy builder to define user data and services and resources data corresponding to the computer network users, services and resources, and to define access policies for the computer network users, services and resources,registering one or more policy definition plug-in components for use in defining the access policies,maintaining user, services and resources data, and access policies, in a database,providing a set of selected access policies in response to a database query,receiving, in a validator, a policy query for service or resource access originated by a network user and generating a corresponding database query for submission to the database component, andreceiving, in a validator, the set of access policies provided by the database component in response to the corresponding database query and generating a policy decision for communication to the network user based on the set of access policies provided by the database component.
- View Dependent Claims (19)
- - 19. The method of claim 18 further comprising the steps of:
    - displaying, on a computer display unit, a grid having nodes, laid out on a first and on a second axis,displaying, on the grid, unit user labels corresponding to the user data, each user label labelling nodes aligned relative to the first axis of the grid, anddisplaying on the grid, resource labels corresponding to the services and resources data, each resource label labelling nodes aligned relative to the second axis of the grid,whereby the nodes in the grid correspond to the access policies for users and services and resources, as defined by the user and resource labels.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Flint, Andrew, Szyszkowski, Andrzej, Kotsopoulos, Steve, Amdur, Eugene, Reid, Irving, Fernandes, Laryn-Joe, Koch, C. Harald, Lamb, Steven
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US12/014,612
Publication Number

US 20080134286A1
Time in Patent Office

910 Days
Field of Search

726/1, 726/2, 726/15
US Class Current

726/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/20   for managing network securi...

Computer system security service

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

81 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Computer system security service

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others