TREA

DYNAMICALLY CONFIGURED CLIENT ACCESS CONTROL NETWORK

Follow

Information

  • Patent Application
  • 20160294623
  • Publication Number
    20160294623
  • Date Filed
    October 26, 2015
    9 years ago
  • Date Published
    October 06, 2016
    8 years ago
Information
Abstract
A dynamically configured access control network is disclosed. Any given node on such a network can function as a client, a controller, an agent, an access control component, a server, and/or any other component to enable the network. That is, the given node can be configured to function as a first combination of the above-mentioned components at a first point of time to enable the network and can function as a second combination of the above-mentioned components at a second point of time to enable the network. In some examples, the configuration of the given node can be determined based one or more predetermined rules. In some examples, the configuration of the given node can be determined by an administrator via a monitoring system included in or coupled to the network.
Description
FIELD OF THE INVENTION

The invention generally relates to dynamic configuration of client access control network, which, in particular, may comprise one or more controller, agent, access control and/or server components.


BACKGROUND OF THE INVENTION

Client-server architecture (client/server) is a network architecture in which a device or process on the network is either a client or a server. In the client-server architecture, a server provides one or more services, which may be defined by the provider(s), to a client device. For example, an appliance with network capability, such as a smart refrigerator, may provide various services to a client device, such as a smartphone. For instance, the smart refrigerator may allow the smartphone to remotely read and/or control the temperature of the smart refrigerator via a wireless network. In that context, the smart refrigerator is a server. As another example, a networked computer may provide a data service to a client device such that the client device may send and/or receive data to and/or from a data store, such as file storage, coupled to the networked computer. In that context, the networked computer is a server. To facilitate a user to use the services provided by the server in the client-server architecture, the client device typically provides an interface to allow a user to request the services provided by the server and to display the results the server returns. The server typically waits for requests to arrive from client device and then responds to them.


Peer to peer (P2P) network is a network architecture in which a node on the network may simultaneously function as both “clients” and “servers” to the other nodes (peers). A P2P network typically does not impose a particular structure as to what roles each individual nodes should serve at any given point of time, but rather are formed by nodes that randomly (from a topology point of view) establish connections to each other. For example, a client computer may initially join the P2P network as a client node to receive P2P services from other server nodes in the P2P network and later may become a server node that provides P2P services to other client nodes.


SUMMARY OF THE INVENTION

In accordance with one aspect of the disclosure, system and method for facilitating configuration of dynamic client access control network are disclosed. In U.S. patent application Ser. No. 62/142,457, entitled “Real Time Dynamic Client Access Control”, a client access control network comprising one or more client devices, controllers, agents, access control components and servers are disclosed. The present disclosure discloses mechanism and exemplary implementations for dynamically configuring the client access control network disclosed in U.S. patent application Ser. No. 62/142,457, entitled “Real Time Dynamic Client Access Control”. In a client access control network in accordance with the present disclosure, a given client computing platform (node) may be configured to function as a client, a controller, an agent, an access control component, and/or a server. That is, the given node may be configured to serve as a combination of the above-mentioned elements on the client access control network in accordance with the present disclosure at any given point of time. In some implementations, the configuration of the given node may be facilitated by an administration/monitoring system included in or operatively coupled to the client access control network. In some implementations, the configuration of the given node may be dynamically and automatically facilitated in accordance with one or more predetermined rules. In some implementations, the configuration of the given node may be performed by a user.


In accordance with another aspect of the disclosure, a dynamically configured client access control network in accordance with the disclosure may comprise one or more client devices, one or more controllers, one or more agents, one or more access control components, and/or one or more servers is disclosed. A given controller in such a network may be adapted to connect to one or more client devices and one or more agents. For example, the given controller may be configured to connect to a first client device and a first agent; to authenticate the first client device upon an request to access a first service provided by a first server being received by the first controller; and to generate an instruction to the first agent to facilitate the access as requested by the first client device. In that example, the first service may be provided by a first server whose secured access is controlled by the first agent directly or via a first access control component. As another example, the given controller may be configured to connect to the first client device and a second agent; to authenticate the first client device upon an request to access a second service provided by a second server being received by the first controller; and to generate an instruction to the second agent to facilitate the access as requested by the first client device. In those implementations, the second service may be provided by the second server whose secured access is controlled by the second agent directly or via a second access control component. Still as another example, the given controller may be configured to connected a second client and the first agent; to authenticate the second client device upon an request to access the first service being received by the first controller; and to generate an instruction to the first agent to facilitate the access as requested by the second client device


A given agent in such a network may be adapted to connect to one or more controllers, one or more access control components and/or one or more servers. The given agent may be configured such that it is capable of dynamically configuring the access control components or the servers to administer client access to the servers. For example, the given agent may be configured to connect to a first controller and a first access control component associated with the first server; to receive an instruction from the first controller to administer access to the first server by the first client device; and to configure the first access control component accordingly upon the instruction from the first controller being received by the first agent. As another example, the given agent may be configured to connect to a first controller and a second access control component associated with the second server; to receive an instruction from the first controller to administer access to the second server by the first client device; and to configure the second access control component accordingly upon the instruction from the first controller being received by the first agent. Still as another example, the given agent may be configured to connect to a second controller and the first access control component associated with the first server; to receive an instruction from the first controller to administer access to the first server by the second client device; and to configure the first access control component accordingly upon the instruction from the first controller being received by the first agent.


In some implementations, a given node on the access control network in accordance with the present disclosure may be configured to function as a client device, a controller, an access control component and/or a server at any given point of time. For example, at a first point of time T, the given client computing platform may be configured to function as a client device receiving a service from a server via an access control network in accordance with the present disclosure. Still in that example, at a second point of time T+1, the given client computing platform may be configured to function as the client device, and as well as to function as a controller connected to one or more client devices and agents to facilitate client access to one or more servers. Still in that example, at a third point of time T+2, the given client computing platform may be configured to function as the controller only. Still in that example, at a fourth point of time T+3, the given client computing platform may be configured to function as the controller and an access control component connected to one or more servers, and so on.


In some implementations, the configuration of a given node on an client access control network in accordance with the present disclosure may be facilitated by an administration/monitoring system, which may comprise one or more monitoring displays, one or more administration servers, user database, data storage, policy servers, and/or any other elements. In those implementations, an interface may be implemented and provided to a user (e.g., an administrator of an access control network in accordance with the present disclosure) on a given monitoring system (e.g., a client computer) for configuring the client computing platform. The interface may enable the user to configure the client computing platform as a client device, a controller, an agent, an access control component, and/or a server.


In some implementations, a given administration server included in the administration system may be configured to manage an access matrix indicating a state of connections among particular client devices, controllers, agents, access control components, and/or servers on an access control network in accordance with the present disclosure. In those implementation, such an access matrix may be displayed to the user (e.g., an administrator of the access control network) to provide a snapshot or a dynamic view of a state (e.g., topology) of the access control network in real time. This may enable the user to determine desired configuration of one or more client computing platforms (nodes) on the access control network.


In some implementations, a given rule server include in the administration system may be configured to manage a set of one or more predetermined rules that specify certain requirements of the configuration of access control network. For example, the rules may specify that a first set of one or more particular client computing platforms may never be configured to function as a controller; may specify that a second set of one or more particular client computing platforms may only be configured to function as a controller and/or a client device; may specify that a third set of one or more particular client computing platforms may be configured to function as access control components that controls client access for a particular server; and/or any other policies. In some examples, such policies may be employed to facilitate workload management or network expansion such that one or more client devices may be additionally configured to function as controllers, agents, access control components, and/or servers. In some examples, such policies may be enforced to facilitate consistency and/or predetermined network characteristics as desired by the provider, administrator, and/or any other entities related to the access control network.


Other objects and advantages of the invention will be apparent to those skilled in the art based on the following drawings and detailed description.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1A illustrates a configuration of the access control network 100 at a time point T.



FIG. 1B illustrates the access control network dynamically configured at a time point T+1.



FIG. 2 illustrates dynamic configuration of a node shown in FIGS. 1A-B to function as a controller in accordance with the disclosure.



FIG. 3 illustrates dynamical configuration of a node shown in FIGS. 1A-B to function as an agent in accordance with the disclosure.



FIG. 4 illustrates an example state of the access control network shown in FIG. 1 at a given point of time.



FIG. 5 illustrates exemplary tables that may be used to track components provided by nodes on the access control network at a given time.



FIG. 6 illustrates an exemplary interface provided by a monitoring/administration system 600 configured to manage the access control network.



FIG. 7 illustrates an exemplary interface for configuring a given controller provided by a node.



FIG. 8 illustrates an exemplary interface for configuring an agent provided by a node.



FIG. 9 is a flow diagram showing an exemplary method for facilitating a user to configure a controller in accordance with disclosure.



FIG. 10 is a flow diagram showing an exemplary method for configuring a node as a client, a controller, an agent, and/or a server in accordance with disclosure.





DETAILED DESCRIPTION


FIG. 1A-B illustrates one example of a dynamically configured access control network 100 comprising several member nodes 102 in accordance with the disclosure. FIG. 1A illustrates a configuration of the access control network 100 at a time point T. FIG. 1B illustrate a configuration of the access control network 100 at a time point T+1. The individual nodes shown in FIGS. 1A-B, i.e., nodes 102a-d, may include individual client computing platforms that are separate and independent from other nodes. A given node 102 on the access control network 100, such as the node 102a, may include a server system comprising one or more servers and/or data store, a desktop computer, a laptop computer, a tablet, a smart device such as a smartphone or a smart appliance (e.g., a smart refrigerator), a printer, a media console, and/or any other type of client computing platform. As shown, a given node 102 may comprise a constituent processor 104 configured to execute computer program components.


In U.S. application Ser. No. 62/142,457, entitled “Real Time Dynamic Client Access Control”, components facilitating client/server access mechanism of the access control network 100 are described in detail. As described and illustrated therein, such components may include client 106, controller 108, agent 110, access control component 112, and/or server 114, for example such as those illustrated in FIGS. 1A-1B. Briefly, a client 106 on the access control network 100 may request access to one or more services, such as web services, file services, media services, remote control services, and/or any other type of services; a controller 108 on the access control network 100 may authenticate a client 102 connected to the controller 108, receive or intercept the service access request from the client 106, and generate and forward an instruction to the agent 110 for the agent 110 to administer (e.g., grant) access to the client 106 in accordance with the service access request; the agent 110 on the access control network 100 may generate and forward an instruction to the access control component 112 for the access control component 112 to execute one or more access administration commands as instructed by the controller 110; and the server 114 may contact the client 102 and initiate the provision of the services to the client 102 as requested by the client 102.


In the present disclosure, mechanism facilitating dynamic configuration and formation of the access control network 100 is disclosed. Essential to the dynamic configuration and formation of the access control network 100 in accordance with the present disclosure is that any given node 102 on the access control network 100 shown in FIG. 1 may be configured to function as one or more of a client 106, a controller 108, an agent 110, an access control component 112, and a server 114, as however desired by the administrator, provider, moderator, user of the access control network 100 and/or any other entities related to the access control network 100. That is, the processor 104 included in the given node 102, for example the processor 104a included in the node 102a, may be configured to execute computer program components including a client 106, a controller 108, an agent 110, an access control component 112, a server 114, and/or other components.


As can be seen in FIG. 1A, on the access control network 100, at time T, node 102a is configured to function as a client 106b and a controller 108a. As indicated by the dotted line 116a, client 106b may be connected to the controller 108b, which is provided by node 102c. As also can be seen, node 102c in this example is configured to function as the controller 108b only. As mentioned above, node 102c is, however, capable of being configured to function as a client 106, an agent 110, an access control component 112, and/or a server 114 as however desired by the administrator, provider, user of the access control network 100 and/or other entities related to access control network 100. As also indicated by the dotted line 116, the controller 108b provided by the node 102c may be connected to the client 106c on the node 102b. That is, controller 118b in this example is configured to be discoverable by client 106b and client 106c. In this example, node 102b is also configured to function as the client 106c, agent 110a, access control component 112a, and the server 114b. As indicated by the dotted line 116b, the controller 108b may be connected to agent 110b provided by node 102e; and as indicated by the dotted line 116c, agent 110b may be connected to access control component 112b, which administers client access to server 114d. In this example, node 102f is configured to provide access control component 112b and server 114d. The access control component 112, such as the access control component 112b, may include a firewall, a hardware switch, an access filter, and/or any other type of access control component that may be used to control the client access to server 114d. In other words, the access request by the client 106b to the server 114d may be facilitated through the dotted lines 116 shown in FIG. 1A.


As still can be seen in FIG. 1A, node 102d in this example is configured to function as a client 106a and a server 114a. As indicated by the dotted line 118a, the client 106a may be connected to the controller 108a provided by node 102a. The controller 108a in this example, as indicated by the dotted line 118b, may be connected to the agent 110a. The agent 110a in this example is configured to issue instruction(s) to access control component 112a, which controls client access to the server 114b. In other words, the access request by the client 116a to the server 114b may be facilitated through the dotted lines 118 shown in FIG. 1A.



FIG. 1B illustrates the access control network 100 dynamically configured at a time point T+1. It will be described with reference to FIG. 1A. As shown, at time T+1, compared with that in FIG. 1A, node 102a is configured to function as an agent 110c in addition the client 106b and controller 108a provided by node 102a; and agent 110a and server 114b are disabled (or removed) from node 102b. Also compared with FIG. 1A, the controller 108a on the node 102a is configured to connect to agent 110c, which may be connected to the access control component 112a provided by node 102b. Still compared with FIG. 1A, the access control component 112a is configured in FIG. 1B to connect to control server 114a provided by node 102d. In this way, as shown in FIG. 1B, client access by client 106 to the server 114a may be facilitated by node 102a and node 102b.



FIG. 2 illustrates dynamic configuration of a node 102 to function as a controller in accordance with the disclosure. In FIGS. 1A-1B, the nodes 102 illustrated therein are shown to be dynamically configurable to function as one or more of a client 106, a controller 108, an agent 110, an access control component 112, and a server 114. In FIG. 2, it is shown that a given controller 108 provided by a given node 102 on the access control network 100 may be dynamically configured to connect to one or more clients 106, and may be dynamically configured to connect to one or more agents 110, as however desired by the administrator, provider, user, manufacturer, moderator of the access control network 100, and/or any other entities related to the access control network 100. As illustration, at time T, controller 108 on node 102 as shown in FIG. 2 may be configured to connect to client #1 and agent #1 such that an access request from client #1 for a service provided by a server whose client access is administered by agent #1 may be received or intercepted by controller 108, and the controller 108 may generate and forward an instruction to agent #1 to administer the access by client #1 as requested. Still as illustration, at time T, controller 108 on node 102 shown in FIG. 2 may be configured to connect to client #2 and agent #2 such that an access request from client #2 for a service provided by a server whose client access is administered by agent #2 may be received or intercepted by controller 108, and the controller 108 may generate and forward an instruction to agent #2 to administer the access by client #2 as requested. Still as illustration, at the time point T+1, the controller 108 may be configured to connect to client #1 and client #2, and agent #1 such that an access request for a service provided by a server whose client access is administered by agent #1 may be received or intercepted by controller 108 from client #1 or client #2, and the controller 108 may generate and forward an instruction to agent #1 to administer the access by client #1 as requested.



FIG. 3 illustrates dynamical configuration of a node 102 to function as an agent in accordance with the disclosure. As shown in FIG. 3, a given controller 108 provided by a given node 102 on the access control network 100 may be dynamically configured to connect to one or more controllers 108, and may be dynamically configured to connect to one or more access control components 112 and/or one or more servers 114, as however desired by the administrator, provider, user, manufacturer, moderator of the access control network 100, and/or any other entities related to the access control network 100. As illustration, at time point T, agent 110 on node 102 shown in FIG. 3 may be configured to connect to controller #1, and access control component #1 and/or server #1 such that the agent 110 may issue an instruction to the access control component #1 and/or server #1 to administer client access in accordance with the instruction received from controller #1. Still as illustration, at time T, agent 110 on node 102 shown in FIG. 3 may be configured to connect to controller #2, and access control component #2 and/or server #2 such that the agent 110 may issue an instruction to the access control component #2 and/or server #2 to administer client access in accordance with the instruction received from controller #2. Still as illustration, at the time point T+1, agent 110 on node 102 shown in FIG. 3 may be configured to connect to controller #1 and controller #2, and access control component #1 and/or server #1 such that the agent 110 may issue an instruction to the access control component #1 and/or server #1 to administer client access in accordance with the instruction received from controller #1 or controller #2.



FIG. 4 illustrates an example state of the access control network 100 at a given point of time. As shown, in some implementations, table 400 may be used to keep track of connections among the clients, controllers, agents, access control components, and servers on the access control network 100. In this example, the content of table 400 represents a snapshot view of the connections in the access control network 100 at the given point of time. For example, as shown by row 402a of table 400, at the given time, client #1 is connected to controller #1, which is connected to agent #3, which is connected to access control component #1, which is connected to server #2 that provides a service to client #1. As illustration, client #1 may be a media player on a client computing platform (i.e., a node 102) on the access control network 100 and server #2 may be a media server that provides streaming service to client #1. As another example, as shown by row 402b of table 4000, at the given time, client #2 is also connected to controller #1 and is receiving the service from server #2 similarly to client #1. For instance, client #2 may be another media player on a client computing platform separate and independent from the client computing platform client #1 is on. In contrast, as indicated by row 402c, client #3 is connected to controller #3, which is connected to agent #1 for a service provided by server #1 whose access is controlled by the access control component #2. Other rows of table 400, such as rows 402d and 402e are self-explanatory.



FIG. 5 illustrates exemplary tables 502 that may be used to track components provided by nodes on the access control network 100 at a given time. As shown, a table 502a may be used to record client computing platforms that are functioning as the controllers on the access control network 100 at the given time. As also shown, a table 502b may be used to record client computing platforms that are functioning as the agents on the access control network 100 at the given time. As still shown, table 502c may be used to record client computing platform that are functioning as access control components for corresponding servers at the given time. For example, as shown, at the given time, client computing platform #8 is functioning as a firewall for server #1, client computing platform #2 is functioning as a firewall for server #2, client computing platform #6 is functioning as a secured switch for server #3 and so on. As yet shown, table 502d may be used to record client computing platforms that are functioning as servers providing corresponding services.


In some implementations, the configuration of a node on the client access control network 100 in accordance with the present disclosure may be facilitated by an administration/monitoring system, which may comprise one or more monitoring systems, one or more administration servers, user database, data storage, policy servers, and/or any other elements. In those implementations, the administration system may be configured to store information regarding network connection state at any given point of time, status of individual nodes on the access control network 100, error logs, and/or any other status information regarding the access control network 100. In some implementations, a given administration server included in the administration/monitoring system may be configured to manage an access matrix indicating a state of connections among particular client devices, controllers, agents, access control components, and/or servers on an access control network in accordance with the present disclosure. In those implementations, such an access matrix may be displayed to the user (e.g., an administrator of the access control network) to provide a snapshot or a dynamic view of a state (e.g., topology) of the access control network in real time. This may enable the user to determine desired configuration of one or more client computing platforms (nodes) on the access control network.


In some implementations, a given rule server include in the administration/monitoring system may be configured to manage a set of one or more predetermined rules that specify certain requirements of the configuration of access control network. For example, the rules may specify that a first set of one or more particular client computing platforms may never be configured to function as a controller; may specify that a second set of one or more particular client computing platforms may only be configured to function as a controller and/or a client device; may specify that a third set of one or more particular client computing platforms may be configured to function as access control components that controls client access for a particular server; and/or any other policies. In some examples, such policies may be employed to facilitate workload management or network expansion such that one or more client devices may be additionally configured to function as controllers, agents, access control components, and/or servers. In some examples, such policies may be enforced to facilitate consistency and/or predetermined network characteristics as desired by the provider, administrator, and/or any other entities related to the access control network.



FIG. 6 illustrates an exemplary interface 604 provided by a monitoring or administration system 600 configured to manage the access control network 100. As shown, the interface 604 may present graphical information indicating a state of connections among individual nodes on the access control network 100 at any given point of time. As also show, the interface 604 provided by the monitoring or administration system may also indicate configuration of individual nodes 102, i.e., corresponding components on the access control network 100 provided by the individual nodes 102. The interface 604 may enable an administrator or a provider of the access control network 100 to acquire information regarding topology and configuration of the access control network 100 at any given point of time.



FIG. 7 illustrates an exemplary interface 702 for configuring a given controller provided by a node. As already shown in FIG. 2, a controller may be configured to connect to a plurality of clients and a plurality of agents. In some implementations, the interface 702 shown in FIG. 2 may be provided by the monitoring/administration system 602 to facilitate the configuration of the controller. For example, the interface 702 may be used to facilitate a user, e.g., an administrator of the access control network 100, to remove an agent already connected to the controller. As shown in this example, a list of agents 703 that are already connected to the controller may be shown in the interface. As also shown, field controls 704 may be presented in the interface 702 corresponding to a connected agent to facilitate the user to remove the corresponding agent; and field controls 706 may be presented in the interface 702 to facilitate the user to initiate a request to configure the corresponding agent. After a removal of an agent is effectuated through the interface 702 via the field controls 704, the removed agent may be prevented from communicating with the given controller. After a request is effectuated through the interface 702 via the field controls 706, an interface that facilitates the user to configure the corresponding agent may be shown. An example of such an interface is shown in FIG. 8.


As also shown, field controls may be presented in the interface 702 to facilitate the user, to add an agent. That is, through the interface 702, the user may configure the given controller to be discoverable by an agent by adding the agent to the controller. As shown, a list 710 of one or more agents that may be added to the controller may be presented in a pull down list. Field control 708 may be presented in the interface 702 so that the user may add a corresponding agent to the controller. After a connection between the controller and the agent is added through interface 702, the controller may communicate with the added agent in manners consistent with the network access control mechanism disclosed herein.


In some examples, the interface 702 may be used to remove or configure one or more clients already connected to the given controller. As shown in this example, a list 712 of clients already connected to the controller may be presented in the interface 702. As shown, similar field controls to 704 and 706 may be provided in the interface 702 to facilitate the user to remove or configure an already connected client. After a client is removed through the interface 702, the removed client is prevented from communicating with the controller. That is, the controller may not be discovered by the removed client and/or may deny a request from the removed client to access a service administered by the controller.


As also shown, a list 714 of one or more clients may be presented in the interface 702 to facilitate the user to select and add a client to the controller. That is, the user may be enabled to select a client from the list 714 to be connected to the controller. After the user adds the client, for example client #N as shown in this example, the added client may communicate with the controller to request access to a service administered by the controller in accordance with the access control mechanism described herein.



FIG. 8 illustrates an exemplary interface 802 for configuring an agent provided by a node. As already shown in FIG. 3, a given agent in accordance with the present disclosure may be configured to connect to a plurality of access control components/servers and a plurality of controllers. In some implementations, the interface 802 as shown in FIG. 8 may be provided by the monitoring/administration system 602 to facilitate the configuration of the given agent. For example, the interface 802 may be used to facilitate a user, e.g., an administrator of the access control network 100, to remove an access component already connected to the given agent. In this example, the access control components are firewall components on corresponding servers. As shown, a list of firewall/servers 803 that are already connected to the agent may be shown in the interface 802. As also shown, field controls 804 may be presented in the interface 802 corresponding to a connected firewall/server to facilitate the user to remove the corresponding firewall/agent; and field controls 806 may be presented in the interface 802 to facilitate the user to initiate a request to configure the corresponding firewall/server. After a removal of a firewall/server is effectuated through the interface 802 via the field controls 804, the given agent may be prevented from communicating with the removed firewall/server. After a request is effectuated through the interface 802 via the field controls 806, an interface that facilitates the user to configure the corresponding firewall/server may be shown.


As also shown, field controls may be presented in the interface 802 to facilitate the user, to add a firewall/server. That is, through the interface 802, the user may configure the corresponding firewall/server to communicate with the given agent in accordance the access control mechanism described herein. As shown, a list 810 of one or more firewalls/severs that may be added to the given agent may be presented in a pull down list. Field control 808 may be presented in the interface 802 so that the user may add a corresponding firewall/server to the given agent. After a connection between the controller and the given agent is added through interface 802, the given agent may communicate with the added firewall/server the access control mechanism described herein.


In some examples, the interface 802 may be used to remove or configure one or more controller already connected to the given agent. As shown in this example, a list 812 of controllers already connected to the given agent may be presented in the interface 802. As shown, similar field controls to 804 and 806 may be provided in the interface 802 to facilitate the user to remove or configure an already connected controller. After a controller is removed through the interface 802, the removed controller is prevented from communicating with the given agent. That is, the given agent may not be discovered by the removed controller and/or may deny a request from the removed controller for a service whose access is controlled by the given agent.


As also shown, a list 814 of one or more clients may be presented in the interface 802 to facilitate the user to select and add a controller to the given agent. That is, the user may be enabled to select a controller from the list 814 to be connected to the given agent. After the user adds the controller, for example controller #N as shown in this example, the added controller may communicate with the given agent for a service whose access is controlled by the given agent in accordance with the access control mechanism described herein.


In some examples, the configuration of a given controller, a given agent, a given access control component, and/or a given server in the client access control network, as described and illustrated herein, may be effectuated using on one or more predetermined rules managed by one or more rules server included in the administration/monitoring system 602. For example, the predetermined rules may include a rule specifying that the given controller is available for access only by one or more specific clients. For instance, without limitation, a predetermined rule may be configured into the administration/monitoring system 602 such that the given controller may only facilitate service access requests from a clients within a specified intranet. In implementations, the given controller may be configured by the administration/monitoring system 602 to listen to access request by clients from the specified intranet only such that any request from a client outside the specified intranet is denied. As illustration, at a first time point, the given controller may be provided by a first node, which may be configured by the administration/monitoring server 602 to receive client access requests from the specified intranet; and at a second time point after the first time point, the given controller might migrate to a second node in accordance with the present disclosure, and the administration/monitoring system 602 may nevertheless configure the given controller to receive client access request from the specified intranet in accordance with the afore-discussed predetermined rule.


As another example, a predetermined rule may managed by the administration/monitoring system 602 may specify the given agent may be configured to control access to services provided by one or more specified servers. For example, the given agent may be configured to control access to a first server. At a first time point, the first server may provide a data service, at a second time point after the first time point, the first server may provide a web service instead of the data service, and at a third time point after the second time point, the first server may provide both the data service and the web service. In that example. The administrator/monitoring system 602 may dynamically configure the given agent to control the different services provided by the first server at those time points.


In some examples, a predetermined rule managed by the administration/monitoring system 602 may specify how a given node may be configured in the access control network 100. For example, the predetermined rule may be workload based such that various thresholds may be specified for configuring the given node. For instance, without limitation, the predetermined rule may specify that when the given node's CPU usage is more than 80%, the given node may not be configured as controller; when the given node's CPU usage is more than 50%, the given node may not be configured as a server; and when the give node's CPU usage is more than 85%, the given node may not be configured as an agent. As another example, the predetermined rule may be time based such that various time periods may be specified for configuring the given node. For instance, without limitation, the predetermined rule may specify that the given node may not be configured as a server in a first time period; may not be configured as a controller in a second time period; may be configured only as an agent in a third time period; and so on.



FIG. 9 is a flow diagram showing an exemplary method 900 for facilitating a user to configure a controller in accordance with disclosure. The operations of method 900 presented below are intended to be illustrative. In some embodiments, method 900 may be accomplished with one or more additional operations not described and/or without one or more of the operations discussed. Additionally, the order in which the operations of method 900 are illustrated in FIG. 9 and described below is not intended to be limiting.


In some embodiments, method 900 may be implemented in one or more processing devices (e.g., a digital processor, an analog processor, a digital circuit designed to process information, an analog circuit designed to process information, a state machine, and/or other mechanisms for electronically processing information). The one or more processing devices may include one or more devices executing some or all of the operations of method 900 in response to instructions stored electronically on an electronic storage medium. The one or more processing devices may include one or more devices configured through hardware, firmware, and/or software to be specifically designed for execution of one or more of the operations of method 900.


At an operation 902, a request to configure a controller in a access control network may be received. For example, the request may be received at the administration/monitoring system 602. In some implementations, the request may include information indicating a specific controller provided by a specific node on the access control network.


At an operation 904, a state of the access control network may be obtained. For example, as illustrated in FIGS. 4-5, the state of the access control network may be captured in forms described therein. At operation 904, the state of the access control network may be obtained, for example, by selecting the specific node from the tables shown in FIG. 5.


At an operation 906, one or more clients that are already connected to the controller may be identified. In implementations, the one or more clients may be identified from the table shown in FIG. 4. In FIG. 7, the one or more clients identified at operation 906 are shown in the list 714.


At an operation 908, one or more clients that may be connected to the controller may be identified. In implementations, the identification at operation 908 may be performed using a predetermined rule that specifies a set of clients that may be connected to the controller. For example, such a predetermined rule may specify that the controller may be connected to any client in a specified intranet. Based on this predetermined rule, operation 908 may identify the clients that are in the specified intranet but that are not yet connected to the controller as the clients that may be connected to the controller.


At an operation 910, one or more agents that are already connected to the controller may be identified. In implementations, the one or more clients may be identified from the table shown in FIG. 4. In FIG. 7, the one or more clients identified at operation 906 are shown in the list 703.


At an operation 912, one or more clients that may be connected to the controller may be identified. In implementations, the identification at operation 908 may be performed using a predetermined rule that specifies a set of agents that may be connected to the controller. For example, such a predetermined rule may specify that the controller may be connected to a specific set of agents. Based on this predetermined rule, operation 908 may identify the agents that are in the specified set but that are not yet connected to the controller as the agents that may be connected to the controller.


At an operation 914, a user, e.g., an administrator of access control network, may be facilitate to remove or configure the clients that are identified in operation 906. An example of the operation 914 is illustrated in FIG. 7.


At an operation 916, the user may be facilitated to add one or more clients identified in operation 908 to the controller. An example of this operation is also illustrated in FIG. 7.


At an operation 918, the user may be facilitate to remove or configure the agents that are identified in operation 910. An example of the operation 918 is illustrated in FIG. 7.


At an operation 920, the user may be facilitated to add one or more clients identified in operation 912 to the controller. An example of this operation is also illustrated in FIG. 7.



FIG. 10 is a flow diagram showing an exemplary method 1000 for configuring a node as a client, a controller, an agent, and/or a server in accordance with disclosure. The operations of method 1000 presented below are intended to be illustrative. In some embodiments, method 1000 may be accomplished with one or more additional operations not described and/or without one or more of the operations discussed. Additionally, the order in which the operations of method 1000 are illustrated in FIG. 10 and described below is not intended to be limiting.


In some embodiments, method 1000 may be implemented in one or more processing devices (e.g., a digital processor, an analog processor, a digital circuit designed to process information, an analog circuit designed to process information, a state machine, and/or other mechanisms for electronically processing information). The one or more processing devices may include one or more devices executing some or all of the operations of method 1000 in response to instructions stored electronically on an electronic storage medium. The one or more processing devices may include one or more devices configured through hardware, firmware, and/or software to be specifically designed for execution of one or more of the operations of method 1000.


At an operation 1002, one or more predetermined rules may be retrieved. In some examples, operation 1002 may be performed by the administration/monitoring system 602. The predetermined rules retrieved at operation 1002 may include the workload based rules, time period based rules described above, and/or any other predetermined rules configured to facilitate configuration of roles (i.e., client, controller, agent, and/or server) of a given node in the access control network.


At an operation 1004, a node may be identified based on the predetermined rules retrieved at operation 1002. For example, the predetermined rules may specify that a first node should be configured as a controller in a first time period. In that example, the first controller is identified at operation 1004. In some examples, operation 1004 may be performed by the administration/monitoring system 602.


At an operation 1006, the node identified at operation 1004 may be configured as a client, a controller, an agent, an access control component, and/or a server in accordance with the predetermined rules retrieved at operation 1002. In some examples, operation 1006 may be performed by the administration/monitoring system 602.


Implementations of the invention may be made in hardware, firmware, software, or various combinations thereof. The invention may also be implemented as instructions stored on a machine-readable medium, which may be read and executed using one or more processing devices. In one implementation, machine-readable media may include various mechanisms for storing and/or transmitting information in a form that can be read by a machine (e.g., a computing device). For example, machine-readable storage media may include read-only memory, random access memory, magnetic disk storage media, optical storage media, flash memory devices, and other media for storing information, and machine-readable transmission media may include forms of propagated signals, including carrier waves, infrared signals, digital signals, and other media for transmitting information. While firmware, software, routines, or instructions may be described in the above disclosure in terms of specific exemplary aspects and implementations performing certain actions, it will be apparent that such descriptions are merely for the sake of convenience and that such actions in fact result from computing devices, processing devices, processors, controllers, or other devices or machines executing the firmware, software, routines, or instructions.


Furthermore, aspects and implementations may be described in the above disclosure as including particular features, structures, or characteristics, but it will be apparent that every aspect or implementation may or may not necessarily include the particular features, structures, or characteristics. Further, where particular features, structures, or characteristics have been described in connection with a specific aspect or implementation, it will be understood that such features, structures, or characteristics may be included with other aspects or implementations, whether or not explicitly described. Thus, various changes and modifications may be made to the preceding disclosure without departing from the scope or spirit of the invention, and the specification and drawings should therefore be regarded as exemplary only, with the scope of the invention determined solely by the appended claims.

Claims
  • 1. A system configured to enable a client access control network, the system comprising: one or more physical processors configured by machine-readable instructions to:facilitate configuration of one or more computing platforms to enable the client access control network such that configuration of a first computing platform as a controller, an agent, an access control component, and/or a server in the client access control network is facilitated, whereinwhen configured as a controller in the client access control network, the first computing platform is adapted to authenticate one or more client devices operatively connected to the first computing platform and to instruct one or more agents to administer access by the one or more client devices to one or more servers in the client access control network,when configured as an agent in the client access control network, the first computing platform is adapted to generate instructions for one or more access control components in the client access control network to administer access by client devices to one or more servers controlled by the access control components in response to the instructions received from one or more controllers operatively connected to the first computing platform,when configured as a access control component in the client access control network, the first computing platform is adapted to grant or remove access by one or more client devices to one or more servers controlled by the access control component in response to instructions received from one or more agents operatively connected to the first computing platform, andwhen configured as a sever in the client access control network, the first computing platform is adapted to provide one or more data services for access by one or more client devices operatively connected to the first computing platform; anddetermine information for presenting, on a terminal display, a graphical representation of the client access control network, the graphical representation illustrating one or more connections between controllers and agents in the client access control network, one or more connections between agents and access control components in the client access control network, one or more connections between access control components and servers in the client access control network, and/or one or more connections between agents and servers in the client access control network.
  • 2. The system of claim 1, wherein facilitating configuring one or more computing platforms to enable the client access control network includes facilitating configuration of a second computing platform as a controller, an agent, a access control component, and/or a server in the client access control network.
  • 3. The system of claim 1, wherein the configuration of the first computing platform as a controller, an agent, a access control component, and/or a server in the client access control network is based on one or more predetermined rules.
  • 4. The system of claim 3, wherein the rules include a rule specifying that the first client computing platform is available for access only by one or more specific client devices when the first computing platform is configured as a controller.
  • 5. The system of claim 3, wherein the rules include a rule specifying that the first client computing platform can administer access to one or more specific servers when the first computing platform is configured as an agent.
  • 6. The system of claim 3, wherein the rules include a rule specifying that the first client computing platform provides data services to one or more specific client devices when the first computing platform is configured as a server.
  • 7. The system of claim 1, wherein the graphical representation of the client access control network reflects a state of the client access control network at a given time.
  • 8. The system of claim 1, wherein the configuration of the one or more computing platforms to enable the client access control network is facilitated through a graphical user interface in which the graphical representation of the client access control network is presented.
  • 9. The system of claim 1, wherein facilitating the configuration of the one or more computing platforms to enable the client access control network includes generating information for implementing a graphical user interface on the terminal display such that the graphical user interface includes actionable objects representing the one or more computing platforms, wherein upon user interaction with the individual actionable objects in the graphical user interface, the configuration of the one or more computing platforms is facilitated.
  • 10. A method for enabling a client access control network, the method comprising: facilitating configuration of one or more computing platforms to enable the client access control network such that configuration of a first computing platform as a controller, an agent, an access control component, and/or a server in the client access control network is facilitated, whereinwhen configured as a controller in the client access control network, the first computing platform is adapted to authenticate one or more client devices operatively connected to the first computing platform and to instruct one or more agents to administer access by the one or more client devices to one or more servers in the client access control network,when configured as an agent in the client access control network, the first computing platform is adapted to generate instructions for one or more access control components in the client access control network to administer access by client devices to one or more servers controlled by the access control components in response to the instructions received from one or more controllers operatively connected to the first computing platform,when configured as a access control component in the client access control network, the first computing platform is adapted to grant or remove access by one or more client devices to one or more servers controlled by the access control component in response to instructions received from one or more agents operatively connected to the first computing platform, andwhen configured as a sever in the client access control network, the first computing platform is adapted to provide one or more data services for access by one or more client devices operatively connected to the first computing platform; anddetermining information for presenting, on a terminal display, a graphical representation of the client access control network, the graphical representation illustrating one or more connections between controllers and agents in the client access control network, one or more connections between agents and access control components in the client access control network, one or more connections between access control components and servers in the client access control network, and/or one or more connections between agents and servers in the client access control network.
  • 11. The method of claim 10, wherein facilitating configuring one or more computing platforms to enable the client access control network includes facilitating configuration of a second computing platform as a controller, an agent, a access control component, and/or a server in the client access control network.
  • 12. The method of claim 10, wherein the configuration of the first computing platform as a controller, an agent, a access control component, and/or a server in the client access control network is based on one or more predetermined rules.
  • 13. The method of claim 12, wherein the rules include a rule specifying that the first client computing platform is available for access only by one or more specific client devices when the first computing platform is configured as a controller.
  • 14. The method of claim 13, wherein the rules include a rule specifying that the first client computing platform can administer access to one or more specific servers when the first computing platform is configured as an agent.
  • 15. The method of claim 13, wherein the rules include a rule specifying that the first client computing platform provides data services to one or more specific client devices when the first computing platform is configured as a server.
  • 16. The method of claim 10, wherein the graphical representation of the client access control network reflects a state of the client access control network at a given time.
  • 17. The method of claim 10, wherein the configuration of the one or more computing platforms to enable the client access control network is facilitated through a graphical user interface in which the graphical representation of the client access control network is presented.
  • 18. The method of claim 10, wherein facilitating the configuration of the one or more computing platforms to enable the client access control network includes generating information for implementing a graphical user interface on the terminal display such that the graphical user interface includes actionable objects representing the one or more computing platforms, wherein upon user interaction with the individual actionable objects in the graphical user interface, the configuration of the one or more computing platforms is facilitated.
RELATED APPLICATION

This application relates to U.S. application Ser. No. 62/142,457, entitled “Real Time Dynamic Client Access Control”, filed Apr. 2, 2015, which is incorporated by reference herein in its entirety.

Provisional Applications (1)
Number Date Country
62142457 Apr 2015 US