Associating Code To a Target Through Code Inspection

Abstract
Code is associated to a target based on an inspection of the code. A target may be a device or a user. A number of code components may be inspected at one time and then transferred or otherwise associated to a target based on the target's profile. A code component may be a policy of an information management system.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a diagram of a distributed computing network connecting a server and clients.

FIG. 2 shows a more detailed diagram of a computer system which may be a client or server.

FIG. 3 shows a system block diagram of a computer system.

FIG. 4 shows a block diagram of a policy server that centrally manages policies that are used by workstations and servers according to a specific implementation of the invention.

FIG. 5 shows a block diagram of a number of workstations and document servers with policy enforcers installed that coexist within a system according to a specific implementation of the invention.

FIG. 6 shows a block diagram of minimal embodiments that utilize a number of workstations each with policy enforcers installed or a number of document servers each with policy enforcers installed according to a specific implementation of the invention.

FIG. 7 shows a block diagram of internal components of a policy server according to a specific implementation of the invention.

FIG. 8 shows a block diagram of the internal components of an intelligence server according to a specific implementation of the invention.

FIG. 9 shows a block diagram of an interceptor and a consequence applicator in a policy enforcement point (PEP) module according to a specific implementation of the invention.

FIG. 10 shows a block diagram of a policy enforcer that implements interception and enforcement functions using a PEP plug-in architecture according to a specific implementation of the invention.

FIG. 11 shows a block diagram of a policy enforcer installed on a workstation that controls access to files on the workstation according to the invention.

FIG. 12 shows a block diagram of a policy enforcer on a workstation enforcing access control to a nonfile system object according to the invention.

FIG. 13 shows a layer description of an implementation of a policy language system of the invention.

FIG. 14 shows the functional modes of an information system of the invention.

FIG. 15 shows an example of the interactions between multiple policies and multiple policy abstractions.

FIG. 16 shows an example of one policy and multiple policy abstractions, where one policy abstraction references other policy abstractions.

FIG. 17 shows accessing a confidential document, seeking approval, with a centralized decision.

FIG. 18 shows accessing a confidential document, seeking approval, with a distributed decision.

FIG. 19 shows blocking the sending of a confidential document outside the company.

FIG. 20 shows encrypting a confidential document when it is copied to a removable device.

FIG. 21 shows the sending of a confidential document between users who should observe separation of duties.

FIG. 22 shows an example of a deployment operation to a workstation of an information management system.

FIG. 23 shows an example of a deployment operation of rules associated with a user.

FIG. 24 shows an example of a push operation, pushing one set of rules to a workstation and another set of rules to a server.

FIGS. 25-50 show syntax diagrams for a specific implementation of a policy language, the Compliant Enterprise Active Control Policy Language (ACPL).

FIG. 51 provides a legend explaining the nodes used in FIGS. 25-50.

Claims
  • 1. A method comprising: providing a plurality of code components; providing a plurality of devices having device profiles; inspecting contents of the plurality of code components; and based on a result of the inspection of the contents of the code components and the device profiles, determining which of the devices to associate a code component with.
  • 2. The method of claim 1 wherein each code component comprises a policy.
  • 3. The method of claim 1 wherein each code component comprises a policy abstraction.
  • 4. The method of claim 1 where a code component comprises at least one of a statement, a statement having at least one expression, a statement having at least one variable, a script, an uncompiled C language file, an uncompiled high-level programming language file, an ASCII file, an expression, an expression having at least one variable, a binary file, or an executable file.
  • 5. The method of claim 1 further comprising: for a first device, transferring at least one code component associated with the first device to the first device.
  • 6. The method of claim 1 further comprising: for a first device, altering at least one code component associated with the first device; and transferring the altered at least one code component to the first device.
  • 7. The method of claim 1 wherein a first code component associated with a first device is provided in a first format and the method further comprises: transforming the first code component into a second code component having a second format, different from the first format; and transferring the second code component to the first device.
  • 8. The method of claim 1 wherein a first set of code components associated with a first device is provided in a first format and the method further comprises: transforming the first set of code components into a second set of code components having a second format, different from the first format; and transferring the second set of code components to the first device.
  • 9. The method of claim 8 wherein the second set has fewer code components than the first set.
  • 10. The method of claim 8 wherein the second set has a greater number of code components than the first set.
  • 11. The method of claim 8 wherein the first set and second set have the same number of code components.
  • 12. The method of claim 1 wherein the plurality of devices comprise a first device and a second device and the method further comprises: for the first device, transferring at least a first code component associated with the first device to the first device; for the second device, transferring at least a second code component associated with the second device to the second device; after the transferring the at least a first code component and the transferring the at least a second code component, providing a third device having a third device profile; after providing the third device, inspecting the contents of the plurality of code components; after providing the third device, based on a result of the inspection of the contents of the code components and the third device profile, determining which of the code components to associate with the third device; and for the third device, transferring at least a third code component associated with the third device to the third device.
  • 13. A system comprising: a database comprising a plurality of policies; a plurality of devices, each having a profile; and an inspection engine comprising executable code to cause inspection of each of the policies and executable code to determine based on the result of the inspection and the profiles of the devices which of the devices each of the policies will be associated with.
  • 14. The system of claim 13 wherein a policy comprises at least one of a statement, a statement having at least one expression, a statement having at least one variable, a script, an uncompiled C language file, an uncompiled high-level programming language file, an ASCII file, a code file, an expression, an expression having at least one variable, a binary file, or an executable file.
  • 15. The system of claim 13 wherein a database comprises a plurality of files.
  • 16. The system of claim 13 wherein a database comprises a plurality of policy files.
  • 17. The system of claim 13 wherein the executable code causes inspection on at least a portion of each of the policies.
  • 18. A system comprising: a plurality of code files; a plurality of devices, each having a profile; and an inspection engine comprising executable code to cause inspection of each of the code files and executable code to determine based on the result of the inspection and the profiles of the devices which of the devices each of the code files will be associated with.
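The claims describe an inspection engine that reads each policy component, compares what it finds against each device's profile, and then transforms the associated set into a device-specific format before transfer. The following is an added example written for this page, not code from the patent or from the ACPL implementation it references. The TARGET / REQUIRES / ON line syntax, the device roles and the PEP names are assumptions made for the example; the sample policies and device profiles are constructed. The security-relevant choice it shows is that a policy whose inspection fails is deployed nowhere rather than defaulting to every device.

```python
"""Added example (not the patent's own code): a toy inspection engine that
associates policy code components with devices by inspecting each policy's
text against each device's profile (claim 1), transforms the associated
set into a per-device bundle (claims 7-11) and handles a device that is
provisioned later (claim 12). The policy syntax is an assumption made for
this example and is not ACPL."""
from dataclasses import dataclass
import re
from typing import Dict, FrozenSet, List, Optional, Sequence


@dataclass(frozen=True)
class Policy:
    name: str
    source: str            # the policy text the engine inspects


@dataclass(frozen=True)
class DeviceProfile:
    device_id: str
    role: str              # "workstation" or "server" (assumed roles)
    peps: FrozenSet[str]   # policy enforcement points installed on the device


@dataclass(frozen=True)
class Requirements:
    role: str
    peps: FrozenSet[str]


_TARGET = re.compile(r"^TARGET\s+role=(\w+)\s*$", re.M)
_REQUIRES = re.compile(r"^REQUIRES\s+pep=(\w+)\s*$", re.M)
_KNOWN_ROLES = ("workstation", "server", "any")


def inspect(policy: Policy) -> Optional[Requirements]:
    """Extract what a device must provide to host this policy.
    Returns None for a malformed policy so the caller fails closed."""
    roles = _TARGET.findall(policy.source)
    if len(roles) != 1 or roles[0] not in _KNOWN_ROLES:
        return None
    peps = frozenset(_REQUIRES.findall(policy.source))
    return Requirements(roles[0], peps) if peps else None


def applies(req: Requirements, dev: DeviceProfile) -> bool:
    """Role must match and every PEP the policy needs must be installed."""
    return req.role in ("any", dev.role) and req.peps <= dev.peps


def associate(policies: Sequence[Policy],
              devices: Sequence[DeviceProfile]) -> Dict[str, List[str]]:
    """Map each device_id to the names of the policies associated with it."""
    result: Dict[str, List[str]] = {d.device_id: [] for d in devices}
    for p in policies:
        req = inspect(p)
        if req is None:
            continue          # malformed: deployed nowhere, never everywhere
        for d in devices:
            if applies(req, d):
                result[d.device_id].append(p.name)
    return result


def compile_bundle(dev: DeviceProfile,
                   policies: Sequence[Policy]) -> Dict[str, List[str]]:
    """Second format for one device: one component per PEP holding that
    PEP's rule lines; the component count may differ from the source count."""
    bundle: Dict[str, List[str]] = {}
    for p in policies:
        req = inspect(p)
        if req is None or not applies(req, dev):
            continue
        rules = [ln for ln in p.source.splitlines() if ln.startswith("ON ")]
        for pep in sorted(req.peps):
            bundle.setdefault(pep, []).extend(rules)
    return bundle


# Constructed sample data for this example (not from the page).
POLICIES = [
    Policy("block-external-email", "TARGET role=workstation\nREQUIRES pep=email\n"
           "ON send WHERE doc.class=confidential AND recipient NOT IN company DENY"),
    Policy("encrypt-removable", "TARGET role=workstation\nREQUIRES pep=removable\n"
           "ON copy WHERE doc.class=confidential AND dest=removable ENCRYPT"),
    Policy("server-audit", "TARGET role=server\nREQUIRES pep=file\n"
           "ON open WHERE doc.class=confidential LOG"),
    Policy("all-hosts-deny-export", "TARGET role=any\nREQUIRES pep=file\n"
           "ON export WHERE doc.class=confidential DENY"),
    Policy("malformed", "TARGET role=everyone\nREQUIRES pep=file\nON open DENY"),
]
WS1 = DeviceProfile("ws1", "workstation", frozenset({"file", "email", "removable"}))
WS2 = DeviceProfile("ws2", "workstation", frozenset({"file"}))
SRV1 = DeviceProfile("srv1", "server", frozenset({"file"}))
DEVICES = [WS1, WS2, SRV1]

if __name__ == "__main__":
    for dev_id, names in associate(POLICIES, DEVICES).items():
        print(dev_id, names)
    late = DeviceProfile("ws3", "workstation", frozenset({"file", "email"}))
    print("ws3", associate(POLICIES, DEVICES + [late])["ws3"])
    print("srv1 bundle", compile_bundle(SRV1, POLICIES))
```

For srv1 the two associated policies both require the file PEP, so the bundle collapses them into a single component (claim 9); for ws1 three policies spread over three PEPs yield three components (claim 11). A policy with an unrecognised target role never reaches any device, which is the fail-closed behaviour a deployment engine should have when inspection cannot decide.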
Provisional Applications (5)
Number Date Country
60755019 Dec 2005 US
60766036 Dec 2005 US
60743121 Jan 2006 US
60821050 Aug 2006 US
60870195 Dec 2006 US
Continuation in Parts (3)
Number Date Country
Parent 11383159 May 2006 US
Child 11615757 US
Parent 11383161 May 2006 US
Child 11383159 US
Parent 11383164 May 2006 US
Child 11383161 US