Computer system security service
Abstract
A security service of computer networks having a policy builder, an LDAP-compliant database, a validator and an API. The policy builder component provides a graphical user interface to be used by a policy manager to define access policies for users seeking to access network services and resources. The graphical user interface has a grid of nodes representing access policies. The grid is arranged to correspond to a defined tree structure representing services and resources and a business relationship tree structure representing users. The graphical user interface permits the policy manager to define policy builder plug-ins for access policy customization. The LDAP-compliant database maintains the policy builder plug-ins. The validator component receives requests from users and queries the LDAP-compliant database to obtain relevant access policies as defined by the policy manager. The system provides for double inheritance of access policies such that where there is no express definition of an access policy for a node, the access policies are propagated according to the hierarchical structures of the data. The validator includes validator plug-ins for carrying out access policies corresponding to the access policies defined by policy builder plug-ins.
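The abstract describes a grid of policy cells indexed by a resource-tree node and a user-tree node, with undefined cells inherited up both hierarchies and plug-ins filling cells the built-in rules cannot express. The following is an added example, not code from the patent or any product implementing it: a small policy builder and validator in Python. All class, function and node names (Tree, PolicyBuilder, Validator, the "business_hours" plug-in, the sample trees and grid) are hypothetical, and the precedence it uses (walk up the resource tree first, and at each resource level walk up the user tree) is an assumption, since the abstract does not fix the order.

```python
"""Toy policy builder / validator pair illustrating double-inheritance lookup.
All names here are hypothetical; none are taken from the patent text."""
from typing import Callable, Dict, List, Optional, Tuple


class Tree:
    """A hierarchy stored as a child -> parent map; the root maps to None."""

    def __init__(self, parent: Dict[str, Optional[str]]):
        self.parent = parent

    def chain(self, node: str) -> List[str]:
        """Node followed by its ancestors, most specific first."""
        out: List[str] = []
        cur: Optional[str] = node
        while cur is not None:
            if cur not in self.parent:
                raise KeyError(f"unknown node {cur!r}")
            out.append(cur)
            cur = self.parent[cur]
        return out


Rule = Callable[[Dict[str, str]], bool]  # plug-in: request context -> permit?


class PolicyBuilder:
    """Holds the two trees, the registered plug-ins and the policy grid."""

    def __init__(self, resources: Tree, users: Tree):
        self.resources = resources
        self.users = users
        self.plugins: Dict[str, Rule] = {}
        # grid cell: (resource node, user node) -> "allow", "deny" or "plugin:<name>"
        self.grid: Dict[Tuple[str, str], str] = {}

    def register_plugin(self, name: str, rule: Rule) -> None:
        self.plugins[name] = rule

    def set_policy(self, resource: str, user: str, policy: str) -> None:
        self.resources.chain(resource)  # raises KeyError if the node is unknown
        self.users.chain(user)
        if policy.startswith("plugin:"):
            if policy[len("plugin:"):] not in self.plugins:
                raise ValueError(f"plug-in {policy!r} is not registered")
        elif policy not in ("allow", "deny"):
            raise ValueError(f"policy {policy!r} is not allow/deny/plugin:<name>")
        self.grid[(resource, user)] = policy


class Validator:
    def __init__(self, builder: PolicyBuilder):
        self.b = builder

    @staticmethod
    def parse_request(request: str) -> Dict[str, str]:
        """Request parser: whitespace-separated key=value tokens; user and resource are mandatory."""
        ctx: Dict[str, str] = {}
        for tok in request.split():
            key, sep, val = tok.partition("=")
            if not sep or not key:
                raise ValueError(f"malformed token {tok!r}")
            ctx[key] = val
        for required in ("user", "resource"):
            if required not in ctx:
                raise ValueError(f"request lacks {required}")
        return ctx

    def candidates(self, resource: str, user: str) -> List[Tuple[str, str]]:
        """The database query: grid cells in inheritance order (assumed precedence:
        resource ancestors outermost, user ancestors innermost)."""
        return [(r, u) for r in self.b.resources.chain(resource) for u in self.b.users.chain(user)]

    def decide(self, request: str) -> Dict[str, str]:
        """Policy parser: the first defined cell wins; plug-in cells are evaluated on the
        request context; unknown nodes, malformed requests and empty lookups are denied."""
        try:
            ctx = self.parse_request(request)
            cells = self.candidates(ctx["resource"], ctx["user"])
        except (KeyError, ValueError) as exc:
            return {"decision": "deny", "source": f"error: {exc}"}
        for cell in cells:
            policy = self.b.grid.get(cell)
            if policy is None:
                continue  # inherit: move to the next cell up the hierarchies
            if policy.startswith("plugin:"):
                rule = self.b.plugins[policy[len("plugin:"):]]
                policy = "allow" if rule(ctx) else "deny"
            return {"decision": policy, "source": repr(cell)}
        return {"decision": "deny", "source": "no policy defined (default deny)"}


def build_sample() -> Validator:
    """Constructed sample trees and grid (not from the patent)."""
    resources = Tree({"net": None, "web": "net", "web/reports": "web", "mail": "net"})
    users = Tree({"acme": None, "sales": "acme", "eng": "acme", "alice": "sales", "bob": "eng"})
    pb = PolicyBuilder(resources, users)

    def business_hours(ctx: Dict[str, str]) -> bool:
        try:
            return 9 <= int(ctx.get("hour", "-1")) < 18
        except ValueError:
            return False

    pb.register_plugin("business_hours", business_hours)
    pb.set_policy("net", "acme", "deny")                            # company-wide baseline
    pb.set_policy("web", "acme", "allow")                           # web services open to all staff
    pb.set_policy("web/reports", "sales", "plugin:business_hours")  # reports: sales, office hours only
    pb.set_policy("mail", "eng", "allow")
    return Validator(pb)


if __name__ == "__main__":
    v = build_sample()
    for req in ("user=alice resource=web/reports hour=10", "user=alice resource=web/reports hour=22",
                "user=bob resource=web/reports", "user=alice resource=mail", "user=eve resource=mail"):
        print(req, "->", v.decide(req))
```

Two points worth noticing when reading the output: every lookup bottoms out in a defined cell or in default deny, so an incomplete grid fails closed, and the `source` field records which cell produced the decision, which is the piece of evidence an auditor needs to see why an inherited policy applied.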
81 Citations
19 Claims
1. A computer security service for a computer network accessible by users and comprising services and resources, the computer security service comprising,
a policy builder component, comprising a network constituent definition component, for defining user data and services and resources data corresponding to the computer network users, services and resources, and a policy definition component for defining access policies for the computer network users, services and resources, wherein the policy definition component comprises a policy definition plug-in integration component for registering one or more policy definition plug-in components for use in defining the access policies, a database component for maintaining user, services and resources data, and access policies, and for providing a set of selected access policies in response to a database query, and a validator component, comprising a request parser for receiving a policy query for service or resource access originated by a network user and for generating a corresponding database query for submission to the database component, and a policy parser for receiving the set of access policies provided by the database component in response to the corresponding database query and for generating a policy decision for communication to the network user based on the set of access policies provided by the database component.
16. A policy builder for a security service of a computer network accessible by users and comprising services and resources, the policy builder comprising,
a network constituent definition component, for defining user data and services and resources data corresponding to the computer network users, services and resources, and a policy definition component for defining access policies for the computer network users, services and resources, the policy definition component comprising, a plug-in integration component to permit a policy manager to register one or more plug-in components for use in defining manager-defined access policies, a defined access rule component for providing a set of pre-defined access rules to a policy manager for use in creating access policies.
18. A method for providing computer network security, the network being accessible by users and comprising services and resources, the method comprising the steps of:
using a policy builder to define user data and services and resources data corresponding to the computer network users, services and resources, and to define access policies for the computer network users, services and resources, registering one or more policy definition plug-in components for use in defining the access policies, maintaining user, services and resources data, and access policies, in a database, providing a set of selected access policies in response to a database query, receiving, in a validator, a policy query for service or resource access originated by a network user and generating a corresponding database query for submission to the database component, and receiving, in a validator, the set of access policies provided by the database component in response to the corresponding database query and generating a policy decision for communication to the network user based on the set of access policies provided by the database component.