Method and system for dynamically associating access rights with a resource

Information

  • Patent Grant 9,401,931
  • Date Filed: Monday, August 19, 2013
  • Date Issued: Tuesday, July 26, 2016
Abstract
A method for dynamically associating, by a server, access rights with a resource includes the step of receiving, by the server, a request for a resource from a client. The server requests, from a policy engine, an identification of a plurality of access rights to associate with the resource, the plurality of access rights identified responsive to an application of a policy to the client. The server associates the resource with the plurality of access rights via a rights markup language. The server transmits the resource to the client with the identification of the associated plurality of access rights. An application program on the client makes an access control decision responsive to the associated plurality of access rights. The application program provides restricted access to the resource responsive to the access control decision.
Description
FIELD OF THE INVENTION

The present invention relates to methods and systems for associating access rights with resources. In particular, the present invention relates to methods and systems for dynamically associating access rights with a resource.


BACKGROUND OF THE INVENTION

Rights management languages, such as the extensible rights markup language (XRML) standard or the Open Digital Rights Language (ODRL) standard, typically provide functionality for identifying attributes associated with digital resources. Attributes in conventional systems typically comprise a set of rights or conditions associated with a resource. Rights markup languages typically provide benefits including flexibility in defining attributes for varying business models, interoperability between trust environments using similar markup languages, and extendible language schema that are customizable by administrators.


However, conventional systems typically require processing of individual resources to associate the resources with the appropriate rights or conditions. Processing resources may include identifying a set of attributes to associate with a resource, digitally signing the resource with an identification of the identified attributes, and publishing the digitally signed resource, for example, by uploading the resource to a shared server. Typically, individual resources are processed one at a time and resources must be associated with attributes before the resources are made available to users. The processing of each resource in an organization may create a significant administrative task.


Additionally, once processed, the attributes are typically permanently associated with the resources. The same attributes are typically enforced regardless of differences between the clients requesting the access. However, different policies, and therefore different access right attributes, may apply to different clients, or to a single client at different times. For example, one client may satisfy a policy and be authorized for a particular level or type of access to a resource, while another client fails to satisfy the policy and is not authorized for any access to the same resource. In another example, a client making a request at one point in time may satisfy an applicable policy but may no longer satisfy the applicable policy at the time of a later request, for example when the client makes the request from a different network. Alternatively, an administrator may wish to change an attribute associated with a resource, or a policy identifying the attributes associated with a resource, without wishing to re-process all the resources in an organization.


A dynamic method for assigning attributes to a resource at the time of the request for access to the resource, instead of before, would be desirable. Additionally, a flexible method for assigning varying attributes based on real-time evaluations of clients, and of information associated with the clients, at the time the clients make the request, would also be desirable.


SUMMARY OF THE INVENTION

In one aspect, a method for dynamically associating, by a server, access rights with a resource includes the step of receiving, by the server, a request for a resource from a client. The server requests, from a policy engine, an identification of a plurality of access rights to associate with the resource, the plurality of access rights identified responsive to an application of a policy to the client. The server associates the resource with the plurality of access rights via a rights markup language. The server transmits the resource to the client with the identification of the associated plurality of access rights. An application program on the client makes an access control decision responsive to the associated plurality of access rights. The application program provides restricted access to the resource responsive to the access control decision.


In one embodiment, information is gathered about the client. In another embodiment, a policy is applied to the gathered information. In still another embodiment, the policy engine applies a policy to the gathered information to make an access control decision.


In one embodiment, the server receives an identification of a plurality of access rights including a right to retrieve a file. In another embodiment, the server receives an identification of a plurality of access rights including a right to view a version of a file displayed using Hypertext Markup Language (HTML). In still another embodiment, the server receives an identification of a plurality of access rights including a right to receive output data generated by an execution of the resource on an application server.


In one embodiment, the server receives an identification of a plurality of access rights including a right to print a copy of the resource. In another embodiment, the server receives an identification of a plurality of access rights including a right to save a local copy of the resource. In still another embodiment, the server receives an identification of a plurality of access rights including a right to transmit, via electronic mail, a copy of the resource.


In one embodiment, the application program denies a request to retrieve the resource. In another embodiment, the application program allows a request to retrieve the resource. In still another embodiment, the application program denies a request to modify the resource.


In one embodiment, the application program denies a request to receive output data generated by an execution of the resource. In another embodiment, the application program displays a version of the resource displayed using the Hypertext Markup Language (HTML), responsive to a request to retrieve the resource. In still another embodiment, the application program allows a request to receive output data generated by an execution of the resource on an application server.


In one embodiment, the server transmits the resource and the associated plurality of access rights to an application program executing on a second server. In another embodiment, the application program executing on the second server makes an access control decision responsive to the identified at least one access right. In still another embodiment, the application program executing on the second server provides restricted access to the resource responsive to the access control decision.


In one embodiment, a system for dynamically associating access rights with a resource comprises a server, a policy engine, and an application program. The server receives a request for access to a resource from a client. The policy engine receives a request from the server for an identification of a plurality of access rights to associate with the resource, the plurality of access rights identified responsive to an application of a policy to the client. The application program receives, from the server, a copy of the resource associated with the identified plurality of access rights via a rights markup language, and an identification of the associated plurality of access rights.


In one embodiment, the policy engine includes a collection agent gathering information about the client. In another embodiment, the policy engine includes a policy database, the policy engine applying a policy from the policy database to the gathered information. In still another embodiment, the server includes a means for transmitting a collection agent to a client.


In one embodiment, the server includes a means for associating the resource with an access right using an extensible rights markup language (XRML). In another embodiment, the server includes a means for signing the resource using an extensible rights markup language (XRML). In still another embodiment, the server includes a means for associating a resource with a requirement to view a version of the file displayed using the Hypertext Markup Language (HTML).


In one embodiment, the server includes a means for associating the resource with a right to receive output data generated by an execution of the resource on an application server. In another embodiment, the server includes a means for associating the resource with a right to print a copy of the resource. In still another embodiment, the server includes a means for associating the resource with a right to save a local copy of the resource. In yet another embodiment, the server includes a means for associating the resource with a right to transmit via electronic mail a copy of the resource.


In one embodiment, the application program is configured to make an access control decision responsive to the identification of the associated plurality of access rights. In another embodiment, the application program includes a component for applying an access right in the associated plurality of access rights to the request for the resource. In still another embodiment, the application program further comprises a means for denying a request to retrieve the resource. In yet another embodiment, the application program includes a means for viewing a version of the resource displayed using the Hypertext Markup Language (HTML). In a further embodiment, the application program includes a connection to a client agent displaying on the client received output data generated by an execution of the resource on an application server.


In one embodiment, the server comprises a transmitter sending the resource and the identification of the associated plurality of access rights to an application program executing on a second server. In another embodiment, the application program executing on the second server includes a means for making an access control decision responsive to an access right in the associated plurality of access rights. In still another embodiment, the application program executing on the second server includes a means for providing restricted access to the resource responsive to the access control decision. In yet another embodiment, the application program executing on the second server includes an agent for transmitting output data generated by the application program to the client and providing restricted access to the output data responsive to the access control decision.
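The flow the Summary describes, as an added example that is not the patent's code: a policy engine applies constructed policies to the information gathered about the client, the server binds the resulting rights to the resource in a small XrML-style document and signs it, and the application program on the client verifies the signature, makes the access control decision per operation, and enforces it. The element names, the right names, the policies, the client information, and the use of an HMAC shared between server and client in place of an XrML signature are assumptions of this example.

```python
# Added example, not code from the patent: the request/policy/rights flow in
# the Summary as a runnable toy. Assumptions: an HMAC shared between server
# and client stands in for an XrML signature, the element and right names are
# illustrative, and the policies and client information are constructed.
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Rights the server can express (illustrative names matching the Summary).
ALL_RIGHTS = {"retrieve", "view_html", "execute_remote",
              "print", "save_local", "email"}

# Constructed policy database: each policy pairs a condition over the
# information gathered about the client with the rights it grants.
POLICY_DATABASE = [
    {"name": "managed-endpoint-on-intranet",
     "condition": lambda info: info["managed"] and info["network"] == "intranet",
     "rights": ALL_RIGHTS},
    {"name": "managed-endpoint-remote",
     "condition": lambda info: info["managed"] and info["network"] != "intranet",
     "rights": {"retrieve", "view_html", "execute_remote", "print"}},
    {"name": "unmanaged-endpoint-on-intranet",
     "condition": lambda info: not info["managed"] and info["network"] == "intranet",
     "rights": {"view_html", "execute_remote"}},
]


def policy_engine(client_info):
    """Apply every policy the client satisfies; the union of their grants is
    the plurality of access rights. A client matching no policy gets none."""
    rights = set()
    for policy in POLICY_DATABASE:
        if policy["condition"](client_info):
            rights |= policy["rights"]
    return rights & ALL_RIGHTS


def build_rights_document(resource_id, content, rights):
    """Associate the resource with its rights in a small XrML-style document
    (element names are this example's own) and return it serialised."""
    root = ET.Element("license")
    ET.SubElement(root, "resource", id=resource_id).text = content
    grant = ET.SubElement(root, "grant")
    for name in sorted(rights):
        ET.SubElement(grant, "right", name=name)
    return ET.tostring(root, encoding="unicode")


def sign(document, key):
    # Stand-in for the XrML signature: HMAC-SHA256 over the serialised document.
    return hmac.new(key, document.encode(), hashlib.sha256).hexdigest()


def server_handle_request(resource_id, content, client_info, key):
    """Server side: ask the policy engine for the rights, bind them to the
    resource, sign, and return what is transmitted to the client."""
    rights = policy_engine(client_info)
    document = build_rights_document(resource_id, content, rights)
    return {"document": document, "signature": sign(document, key)}


class ClientApplication:
    """Client side: verify the rights document, then make and enforce the
    access control decision for each requested operation."""

    def __init__(self, key):
        self.key = key
        self.rights = set()
        self.content = None

    def load(self, message):
        """Return True and accept the rights only if the signature verifies."""
        expected = sign(message["document"], self.key)
        if not hmac.compare_digest(expected, message["signature"]):
            return False
        root = ET.fromstring(message["document"])
        self.rights = {r.get("name") for r in root.iter("right")}
        self.content = root.find("resource").text
        return True

    def decide(self, operation):
        """The access control decision: granted only if the right is present."""
        return operation in self.rights

    def perform(self, operation):
        """Restricted access: None when denied, otherwise the operation's result."""
        if not self.decide(operation):
            return None
        if operation == "retrieve":
            return self.content
        if operation == "view_html":
            return "<pre>{}</pre>".format(self.content)
        return "{} performed".format(operation)
```

Because the access control decision is made on the client, the application program has to check the integrity of the rights document before honouring it: `load` refuses a document whose grant was altered after signing, and a client that satisfies no policy receives an empty grant and is denied every operation, including retrieval.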


BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, aspects, features, and advantages of the invention will become more apparent and better understood by referring to the following description taken in conjunction with the accompanying drawings, in which:



FIG. 1A is a block diagram depicting an embodiment of a network environment comprising client machines in communication with remote machines;



FIGS. 1B and 1C are block diagrams depicting embodiments of computers useful in connection with the methods and systems described herein;



FIG. 2A is a block diagram depicting one embodiment of a network including a policy engine;



FIG. 2B is a block diagram depicting one embodiment of a policy engine, including a first component comprising a condition database and a logon agent, and including a second component comprising a policy database;



FIG. 2C is a flow diagram depicting one embodiment of the steps taken by the policy engine to make an access control decision based upon information received about a client;



FIG. 3A is a block diagram depicting one embodiment of a system for dynamically associating access rights with a resource;



FIG. 3B is a block diagram depicting one embodiment of a system for dynamically associating access rights in which a server 106 sends a resource and an identification of an associated plurality of access rights to an application program executing on a second server; and



FIG. 4 is a flow diagram depicting one embodiment of the steps taken in a method for dynamically associating, by a server, access rights with a resource.


DETAILED DESCRIPTION OF THE INVENTION

Referring now to FIG. 1A, an embodiment of a network environment is depicted. In brief overview, the network environment comprises one or more clients 102a-102n (also generally referred to as local machine(s) 102, or client(s) 102) in communication with one or more servers 106a-106n (also generally referred to as server(s) 106, or remote machine(s) 106) via one or more networks 104.


Although FIG. 1A shows a network 104 between the clients 102 and the servers 106, the clients 102 and the servers 106 may be on the same network 104. The network 104 can be a local-area network (LAN), such as a company Intranet, a metropolitan area network (MAN), or a wide area network (WAN), such as the Internet or the World Wide Web. In some embodiments, there are multiple networks 104 between the clients 102 and the servers 106. In one of these embodiments, a network 104′ may be a private network and a network 104 may be a public network. In another of these embodiments, a network 104 may be a private network and a network 104′ a public network. In still another embodiment, networks 104 and 104′ may both be private networks.


The network 104 may be any type and/or form of network and may include any of the following: a point to point network, a broadcast network, a wide area network, a local area network, a telecommunications network, a data communication network, a computer network, an ATM (Asynchronous Transfer Mode) network, a SONET (Synchronous Optical Network) network, an SDH (Synchronous Digital Hierarchy) network, a wireless network and a wireline network. In some embodiments, the network 104 may comprise a wireless link, such as an infrared channel or satellite band. The topology of the network 104 may be a bus, star, or ring network topology. The network 104 and network topology may be of any such network or network topology as known to those ordinarily skilled in the art capable of supporting the operations described herein. The network may comprise mobile telephone networks utilizing any protocol or protocols used to communicate among mobile devices, including AMPS, TDMA, CDMA, GSM, GPRS or UMTS. In some embodiments, different types of data may be transmitted via different protocols. In other embodiments, the same types of data may be transmitted via different protocols.


In one embodiment, the system may include multiple, logically-grouped servers 106. In these embodiments, the logical group of servers may be referred to as a server farm 38. In some of these embodiments, the servers 106 may be geographically dispersed. In some cases, a farm 38 may be administered as a single entity. In other embodiments, the server farm 38 comprises a plurality of server farms 38. In one embodiment, the server farm executes one or more applications on behalf of one or more clients 102.


The servers 106 within each farm 38 can be heterogeneous. One or more of the servers 106 can operate according to one type of operating system platform (e.g., WINDOWS NT, manufactured by Microsoft Corp. of Redmond, Wash.), while one or more of the other servers 106 can operate according to another type of operating system platform (e.g., Unix or Linux). The servers 106 of each farm 38 do not need to be physically proximate to another server 106 in the same farm 38. Thus, the group of servers 106 logically grouped as a farm 38 may be interconnected using a wide-area network (WAN) connection or a metropolitan-area network (MAN) connection. For example, a farm 38 may include servers 106 physically located in different continents or different regions of a continent, country, state, city, campus, or room. Data transmission speeds between servers 106 in the farm 38 can be increased if the servers 106 are connected using a local-area network (LAN) connection or some form of direct connection.


Server 106 may be a file server, application server, web server, proxy server, appliance, network appliance, gateway, application gateway, gateway server, virtualization server, deployment server, SSL VPN server, or firewall. In some embodiments, a server 106 may have the capacity to function as either an application server or as a master application server. In one embodiment, a server 106 may include an Active Directory. The remote machine may be an application acceleration appliance. For embodiments in which the remote machine is an application acceleration appliance, the remote machine may provide functionality including firewall functionality, application firewall functionality, or load balancing functionality. In some embodiments, the remote machine comprises an appliance such as one of the line of appliances manufactured by the Citrix Application Networking Group, of San Jose, Calif., or Silver Peak Systems, Inc., of Mountain View, Calif., or of Riverbed Technology, Inc., of San Francisco, Calif., or of F5 Networks, Inc., of Seattle, Wash., or of Juniper Networks, Inc., of Sunnyvale, Calif.


The clients 102 may also be referred to as client nodes, client machines, endpoint nodes, or endpoints. In some embodiments, a client 102 has the capacity to function as both a client node seeking access to resources provided by a server and as a server providing access to hosted resources for other clients 102a-102n.


In some embodiments, a client 102 communicates with a server 106. In one embodiment, the client 102 communicates directly with one of the servers 106 in a farm 38. In another embodiment, the client 102 executes a program neighborhood application to communicate with a server 106 in a farm 38. In still another embodiment, the server 106 provides the functionality of a master node. In some embodiments, the client 102 communicates with the server 106 in the farm 38 through a network 104. Over the network 104, the client 102 can, for example, request execution of various applications hosted by the servers 106a-106n in the farm 38 and receive output of the results of the application execution for display. In some embodiments, only the master node provides the functionality required to identify and provide address information associated with a server 106b hosting a requested application.


In one embodiment, the server 106 provides functionality of a web server. In another embodiment, the server 106a receives requests from the client 102, forwards the requests to a second server 106b and responds to the request by the client 102 with a response to the request from the server 106b. In still another embodiment, the server 106 acquires an enumeration of applications available to the client 102 and address information associated with a server 106 hosting an application identified by the enumeration of applications. In yet another embodiment, the server 106 presents the response to the request to the client 102 using a web interface. In one embodiment, the client 102 communicates directly with the server 106 to access the identified application. In another embodiment, the client 102 receives output data, such as display data, generated by an execution of the identified application on the server 106.


In some embodiments, the server 106 or a server farm 38 may be running one or more applications, such as an application providing a thin-client computing or remote display presentation application. In one embodiment, the server 106 or server farm 38 executes as an application, any portion of the Citrix Access Suite™ by Citrix Systems, Inc., such as the MetaFrame or Citrix Presentation Server™, and/or any of the MICROSOFT WINDOWS Terminal Services manufactured by the Microsoft Corporation. In another embodiment, the application is an ICA client, developed by Citrix Systems, Inc. of Fort Lauderdale, Fla. In still another embodiment, the server 106 may run an application, which for example, may be an application server providing email services such as MICROSOFT EXCHANGE manufactured by the Microsoft Corporation of Redmond, Wash., a web or Internet server, or a desktop sharing server, or a collaboration server. In yet another embodiment, any of the applications may comprise any type of hosted service or products, such as GOTOMEETING provided by Citrix Online Division, Inc. of Santa Barbara, Calif., WEBEX provided by WebEx, Inc. of Santa Clara, Calif., or Microsoft Office LIVE MEETING provided by Microsoft Corporation of Redmond, Wash.


In one embodiment, the server 106 includes a policy engine for controlling and managing the access to, selection of application execution methods and the delivery of applications. In another embodiment, the server 106 communicates with a policy engine. In some embodiments, the policy engine determines the one or more applications a user or client 102 may access. In other embodiments, the policy engine determines how the application should be delivered to the user or client 102, e.g., the method of execution. In still other embodiments, the server 106 provides a plurality of delivery techniques from which to select a method of application execution, such as a server-based computing, application streaming, or delivering the application locally to the client 102 for local execution.


In one embodiment, a client 102 requests execution of an application program and a server 106 selects a method of executing the application program. In another embodiment, the server 106 receives credentials from the client 102. In still another embodiment, the server 106 receives a request for an enumeration of available applications from the client 102. In yet another embodiment, in response to the request or receipt of credentials, the server 106 enumerates a plurality of application programs available to the client 102.


In some embodiments, the server 106 selects one of a predetermined number of methods for executing an enumerated application, for example, responsive to a policy of a policy engine. In one of these embodiments, an application delivery system on the server 106 makes the selection. In another of these embodiments, the server 106 may select a method of execution of the application enabling the client 102 to receive output data generated by execution of the application program on a server 106b. In still another of these embodiments, the server 106 may select a method of execution of the application enabling the client 102 to execute the application program locally after retrieving a plurality of application files comprising the application. In yet another of these embodiments, the server 106 may select a method of execution of the application to stream the application via the network 104 to the client 102.
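The enumeration and method-selection steps of the preceding paragraphs, as an added example that is not the patent's or Citrix's code: given a client's credentials, the server enumerates the applications available to the user, and for one of them selects a method of execution (local execution, streaming, or server-based computing) that the policy allows for that client and the application supports. The catalogue, the directory, the group names, and the selection rule are constructed for illustration.

```python
# Added example, not the patent's or Citrix's code: enumerating the applications
# available to a client and selecting a method of execution for one of them.
# The catalogue, directory, group names and selection rule are constructed.
SERVER_BASED, STREAMING, LOCAL = "server-based", "streaming", "local"

# Constructed application catalogue: which groups may use each application and
# which delivery methods the application supports.
CATALOGUE = {
    "spreadsheet": {"groups": {"finance", "staff"},
                    "methods": {SERVER_BASED, STREAMING, LOCAL}},
    "ledger":      {"groups": {"finance"}, "methods": {SERVER_BASED}},
    "mail":        {"groups": {"staff"}, "methods": {SERVER_BASED, STREAMING}},
}

# Constructed credential store: user name -> groups the user belongs to.
DIRECTORY = {"alice": {"finance", "staff"}, "bob": {"staff"}}


def enumerate_applications(user):
    """Applications available to the user (empty for an unknown user)."""
    groups = DIRECTORY.get(user, set())
    return sorted(name for name, app in CATALOGUE.items()
                  if groups & app["groups"])


def select_execution_method(user, app_name, client_info):
    """Pick the most client-side delivery method that both the policy allows
    for this client and the application supports; None if the user may not
    access the application at all."""
    if app_name not in enumerate_applications(user):
        return None
    # Policy (constructed): local execution only for managed clients on the
    # intranet, streaming for any managed client, server-based for everyone.
    allowed = [SERVER_BASED]
    if client_info["managed"]:
        allowed.insert(0, STREAMING)
        if client_info["network"] == "intranet":
            allowed.insert(0, LOCAL)
    supported = CATALOGUE[app_name]["methods"]
    for method in allowed:
        if method in supported:
            return method
    return None
```

The fallback order matters for the failure mode the passage implies: an application that only supports server-based execution is still delivered to a managed intranet client, just not locally, while an unauthorized user gets no method rather than the least restrictive one.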


A client 102 may execute, operate or otherwise provide an application, which can be any type and/or form of software, program, or executable instructions such as any type and/or form of web browser, web-based client, client-server application, a thin-client computing client, an ActiveX control, or a Java applet, or any other type and/or form of executable instructions capable of executing on client 102. In some embodiments, the application may be a server-based or a remote-based application executed on behalf of the client 102 on a server 106. In one embodiment the server 106 may display output to the client 102 using any thin-client or remote-display protocol, such as the Independent Computing Architecture (ICA) protocol manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Fla. or the Remote Desktop Protocol (RDP) manufactured by the Microsoft Corporation of Redmond, Wash. The application can use any type of protocol and it can be, for example, an HTTP client, an FTP client, an Oscar client, or a Telnet client. In other embodiments, the application comprises any type of software related to voice over internet protocol (VoIP) communications, such as a soft IP telephone. In further embodiments, the application comprises any application related to real-time data communications, such as applications for streaming video and/or audio.


The client 102 and server 106 may be deployed as and/or executed on any type and form of computing device, such as a computer, network device or appliance capable of communicating on any type and form of network and performing the operations described herein. FIGS. 1B and 1C depict block diagrams of a computing device 100 useful for practicing an embodiment of the client 102 or a server 106. As shown in FIGS. 1B and 1C, each computing device 100 includes a central processing unit 121, and a main memory unit 122. As shown in FIG. 1B, a computing device 100 may include a visual display device 124, a keyboard 126 and/or a pointing device 127, such as a mouse. As shown in FIG. 1C, each computing device 100 may also include additional optional elements, such as one or more input/output devices 130a-130b (generally referred to using reference numeral 130), and a cache memory 140 in communication with the central processing unit 121.


The central processing unit 121 is any logic circuitry that responds to and processes instructions fetched from the main memory unit 122. In many embodiments, the central processing unit is provided by a microprocessor unit, such as: those manufactured by Intel Corporation of Mountain View, Calif.; those manufactured by Motorola Corporation of Schaumburg, Ill.; those manufactured by Transmeta Corporation of Santa Clara, Calif.; the RS/6000 processor, those manufactured by International Business Machines of White Plains, N.Y.; or those manufactured by Advanced Micro Devices of Sunnyvale, Calif. The computing device 100 may be based on any of these processors, or any other processor capable of operating as described herein.


Main memory unit 122 may be one or more memory chips capable of storing data and allowing any storage location to be directly accessed by the microprocessor 121, such as Static random access memory (SRAM), Burst SRAM or SynchBurst SRAM (BSRAM), Dynamic random access memory (DRAM), Fast Page Mode DRAM (FPM DRAM), Enhanced DRAM (EDRAM), Extended Data Output RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), Burst Extended Data Output DRAM (BEDO DRAM), Enhanced DRAM (EDRAM), synchronous DRAM (SDRAM), JEDEC SRAM, PC 100 SDRAM, Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM), Direct Rambus DRAM (DRDRAM), or Ferroelectric RAM (FRAM). The main memory 122 may be based on any of the above described memory chips, or any other available memory chips capable of operating as described herein. In the embodiment shown in FIG. 1B, the processor 121 communicates with main memory 122 via a system bus 150 (described in more detail below). FIG. 1C depicts an embodiment in which the processor communicates directly with main memory 122 via a memory port 103. For example, in FIG. 1C the main memory 122 may be DRDRAM.



FIG. 1C depicts an embodiment in which the main processor 121 communicates directly with cache memory 140 via a secondary bus, sometimes referred to as a backside bus. In other embodiments, the main processor 121 communicates with cache memory 140 using the system bus 150. Cache memory 140 typically has a faster response time than main memory 122 and is typically provided by SRAM, BSRAM, or EDRAM. In the embodiment shown in FIG. 1C, the processor 121 communicates with various I/O devices 130 via a local system bus 150. Various buses may be used to connect the central processing unit 121 to any of the I/O devices 130, including a VESA VL bus, an ISA bus, an EISA bus, a MicroChannel Architecture (MCA) bus, a PCI bus, a PCI-X bus, a PCI-Express bus, or a NuBus. For embodiments in which the I/O device is a video display 124, the processor 121 may use an Advanced Graphics Port (AGP) to communicate with the display 124. FIG. 1C depicts an embodiment of a computer 100 in which the main processor 121 communicates directly with I/O device 130b via HyperTransport, Rapid I/O, or InfiniBand. FIG. 1C also depicts an embodiment in which local busses and direct communication are mixed: the processor 121 communicates with I/O device 130a using a local interconnect bus while communicating with I/O device 130b directly.


The computing device 100 may support any suitable installation device 116, such as a floppy disk drive for receiving floppy disks such as 3.5-inch, 5.25-inch disks or ZIP disks, a CD-ROM drive, a CD-R/RW drive, a DVD-ROM drive, tape drives of various formats, USB device, hard-drive or any other device suitable for installing software and programs such as any client agent 120, or portion thereof. The computing device 100 may further comprise a storage device 170, such as one or more hard disk drives or redundant arrays of independent disks, for storing an operating system and other related software, and for storing application software programs such as any program related to the client agent 120. Optionally, any of the installation devices 116 could also be used as the storage device. Additionally, the operating system and the software can be run from a bootable medium, for example, a bootable CD, such as KNOPPIX®, a bootable CD for GNU/Linux that is available as a GNU/Linux distribution from knoppix.net.


Furthermore, the computing device 100 may include a network interface 118 to interface to a Local Area Network (LAN), Wide Area Network (WAN) or the Internet through a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T1, T3, 56 kb, X.25), broadband connections (e.g., ISDN, Frame Relay, ATM), wireless connections, or some combination of any or all of the above. The network interface 118 may comprise a built-in network adapter, network interface card, PCMCIA network card, card bus network adapter, wireless network adapter, USB network adapter, modem or any other device suitable for interfacing the computing device 100 to any type of network capable of communication and performing the operations described herein.


A wide variety of I/O devices 130a-130n may be present in the computing device 100. Input devices include keyboards, mice, trackpads, trackballs, microphones, and drawing tablets. Output devices include video displays, speakers, inkjet printers, laser printers, and dye-sublimation printers. The I/O devices may be controlled by an I/O controller 123 as shown in FIG. 1B. The I/O controller may control one or more I/O devices such as a keyboard 126 and a pointing device 127, e.g., a mouse or optical pen. Furthermore, an I/O device may also provide storage and/or an installation medium 116 for the computing device 100. In still other embodiments, the computing device 100 may provide USB connections to receive handheld USB storage devices such as the USB Flash Drive line of devices manufactured by Twintech Industry, Inc. of Los Alamitos, Calif.


In some embodiments, the computing device 100 may comprise or be connected to multiple display devices 124a-124n, which each may be of the same or different type and/or form. As such, any of the I/O devices 130a-130n and/or the I/O controller 123 may comprise any type and/or form of suitable hardware, software, or combination of hardware and software to support, enable or provide for the connection and use of multiple display devices 124a-124n by the computing device 100. For example, the computing device 100 may include any type and/or form of video adapter, video card, driver, and/or library to interface, communicate, connect or otherwise use the display devices 124a-124n. In one embodiment, a video adapter may comprise multiple connectors to interface to multiple display devices 124a-124n. In other embodiments, the computing device 100 may include multiple video adapters, with each video adapter connected to one or more of the display devices 124a-124n. In some embodiments, any portion of the operating system of the computing device 100 may be configured for using multiple displays 124a-124n. In other embodiments, one or more of the display devices 124a-124n may be provided by one or more other computing devices, such as computing devices 100a and 100b connected to the computing device 100, for example, via a network. These embodiments may include any type of software designed and constructed to use another computer's display device as a second display device 124a for the computing device 100. One ordinarily skilled in the art will recognize and appreciate the various ways and embodiments that a computing device 100 may be configured to have multiple display devices 124a-124n.


In further embodiments, an I/O device 130 may be a bridge 128 between the system bus 150 and an external communication bus, such as a USB bus, an Apple Desktop Bus, an RS-232 serial connection, a SCSI bus, a FireWire bus, a FireWire 800 bus, an Ethernet bus, an AppleTalk bus, a Gigabit Ethernet bus, an Asynchronous Transfer Mode bus, a HIPPI bus, a Super HIPPI bus, a SerialPlus bus, a SCI/LAMP bus, a FibreChannel bus, or a Serial Attached small computer system interface bus.


A computing device 100 of the sort depicted in FIGS. 1B and 1C typically operates under the control of operating systems, which control scheduling of tasks and access to system resources. The computing device 100 can be running any operating system such as any of the versions of the MICROSOFT WINDOWS operating systems, the different releases of the Unix and Linux operating systems, any version of the MAC OS for Macintosh computers, any embedded operating system, any real-time operating system, any open source operating system, any proprietary operating system, any operating systems for mobile computing devices, or any other operating system capable of running on the computing device and performing the operations described herein. Typical operating systems include: WINDOWS 3.x, WINDOWS 95, WINDOWS 98, WINDOWS 2000, WINDOWS NT 3.51, WINDOWS NT 4.0, WINDOWS CE, and WINDOWS XP, all of which are manufactured by Microsoft Corporation of Redmond, Wash.; MacOS, manufactured by Apple Computer of Cupertino, Calif.; OS/2, manufactured by International Business Machines of Armonk, N.Y.; and Linux, a freely-available operating system distributed by Caldera Corp. of Salt Lake City, Utah, or any type and/or form of a Unix operating system, among others.


In some embodiments, the computing device 100 may have different processors, operating systems, and input devices consistent with the device. For example, in one embodiment the computing device 100 is a Treo 180, 270, 600, 650, 680, 700p or 700w smart phone manufactured by Palm, Inc. In some of these embodiments, the Treo smart phone is operated under the control of the PalmOS operating system and includes a stylus input device as well as a five-way navigator device.


In other embodiments the computing device 100 is a mobile device, such as a JAVA-enabled cellular telephone or personal digital assistant (PDA), such as the i55sr, i58sr, i85s, i88s, i90c, i95cl, or the im11000, all of which are manufactured by Motorola Corp. of Schaumburg, Ill., the 6035 or the 7135, manufactured by Kyocera of Kyoto, Japan, or the i300 or i330, manufactured by Samsung Electronics Co., Ltd., of Seoul, Korea.


In still other embodiments, the computing device 100 is a Blackberry handheld or smart phone, such as the devices manufactured by Research In Motion Limited, including the Blackberry 7100 series, 8700 series, 7700 series, 7200 series, the Blackberry 7520, or the Blackberry Pearl 8100. In yet other embodiments, the computing device 100 is a smart phone, Pocket PC, Pocket PC Phone, or other handheld mobile device supporting Microsoft Windows Mobile Software. Moreover, the computing device 100 can be any workstation, desktop computer, laptop or notebook computer, server, handheld computer, mobile telephone, any other computer, or other form of computing or telecommunications device that is capable of communication and that has sufficient processor power and memory capacity to perform the operations described herein.


In some embodiments, a server 106 communicates with a policy engine to determine whether a client 102 may access a requested resource. In one of these embodiments, the server 106 collects information about the client 102 and transmits the information to the policy engine for use in making an access control decision. In another of these embodiments, the policy engine collects the information about the client 102. In still another of these embodiments, a collection agent gathers the information about the client 102 and transmits the information to the policy engine, which makes an access control decision.


Referring now to FIG. 2A, a block diagram depicts one embodiment of a network including a policy engine 220. In one embodiment, the network includes a client 102, a collection agent 204, a policy engine 220, a policy database 208, a farm 38, and an application server 106a. In another embodiment, the policy engine 220 is a server 106b. Although only one client 102, collection agent 204, policy engine 220, farm 38, and application server 106a are depicted in the embodiment shown in FIG. 2A, it should be understood that the system may provide multiple ones of any or each of those components.


In brief overview, when the client 102 transmits a request 210 to the policy engine 220 for access to an application, the collection agent 204 communicates with client 102, retrieving information about the client 102, and transmits the client information 212 to the policy engine 220. The policy engine 220 makes an access control decision by applying a policy from the policy database 208 to the received information 212.


In more detail, the client 102 transmits a request 210 for a resource to the policy engine 220. In one embodiment, the policy engine 220 resides on a server 106b. In another embodiment, the policy engine 220 is a server 106b. In still another embodiment, a server 106 receives the request 210 from the client 102 and transmits the request 210 to the policy engine 220. In a further embodiment, the client 102 transmits a request 210 for a resource to a server 106c, which transmits the request 210 to the policy engine 220.


Upon receiving the request, the policy engine 220 initiates information gathering by the collection agent 204. The collection agent 204 gathers information regarding the client 102 and transmits the information 212 to the policy engine 220.


In some embodiments, the collection agent 204 gathers and transmits the information 212 over a network connection. In some embodiments, the collection agent 204 comprises bytecode, such as an application written in the bytecode programming language JAVA. In some embodiments, the collection agent 204 comprises at least one script. In those embodiments, the collection agent 204 gathers information by running at least one script on the client 102. In some embodiments, the collection agent comprises an ActiveX control on the client 102. An ActiveX control is a specialized Component Object Model (COM) object that implements a set of interfaces that enable it to look and act like a control.


In one embodiment, the policy engine 220 transmits the collection agent 204 to the client 102. In another embodiment, a server 106 may store or cache the collection agent 204. The server 106 may then transmit the collection agent 204 to a client 102. In one embodiment, the policy engine 220 requires a second execution of the collection agent 204 after the collection agent 204 has transmitted information 212 to the policy engine 220. In this embodiment, the policy engine 220 may have insufficient information 212 to determine whether the client 102 satisfies a particular condition. In other embodiments, the policy engine 220 requires a plurality of executions of the collection agent 204 in response to received information 212.


In some embodiments, the policy engine 220 transmits instructions to the collection agent 204 determining the type of information the collection agent 204 gathers. In those embodiments, a system administrator may configure the instructions transmitted to the collection agent 204 from the policy engine 220. This provides greater control over the type of information collected. This also expands the types of access control decisions that the policy engine 220 can make, due to the greater control over the type of information collected. The collection agent 204 gathers information 212 including, without limitation, machine ID of the client 102, operating system type, existence of a patch to an operating system, MAC addresses of installed network cards, a digital watermark on the client device, membership in an Active Directory, existence of a virus scanner, existence of a personal firewall, an HTTP header, browser type, device type, network connection information such as internet protocol address or range of addresses, machine ID of the server 106, date or time of access request including adjustments for varying time zones, and authorization credentials. In some embodiments, a collection agent gathers information to determine whether an application can be accelerated on the client using an acceleration program.


In some embodiments, the device type is a personal digital assistant. In other embodiments, the device type is a cellular telephone. In other embodiments, the device type is a laptop computer. In other embodiments, the device type is a desktop computer. In other embodiments, the device type is an Internet kiosk.


In some embodiments, the digital watermark includes data embedding. In some embodiments, the watermark comprises a pattern of data inserted into a file to provide source information about the file. In other embodiments, the watermark comprises data hashing files to provide tamper detection. In other embodiments, the watermark provides copyright information about the file.


In some embodiments, the network connection information pertains to bandwidth capabilities. In other embodiments, the network connection information pertains to Internet Protocol address. In still other embodiments, the network connection information consists of an Internet Protocol address. In one embodiment, the network connection information comprises a network zone identifying the logon agent to which the client 102 provided authentication credentials.


In some embodiments, the authorization credentials include a number of types of authentication information, including without limitation, user names, client names, client addresses, passwords, PINs, voice samples, one-time passcodes, biometric data, digital certificates, tickets, etc. and combinations thereof. After receiving the gathered information 212, the policy engine 220 makes an access control decision based on the received information 212.


Referring now to FIG. 2B, a block diagram depicts one embodiment of a policy engine 220, including a first component 222 comprising a condition database 224 and a logon agent 226, and including a second component 230 comprising a policy database 232. The first component 222 applies a condition from the condition database 224 to information received about client 102 and determines whether the received information satisfies the condition.


In some embodiments, a condition may require that the client 102 execute a particular operating system to satisfy the condition. In some embodiments, a condition may require that the client 102 execute a particular operating system patch to satisfy the condition. In still other embodiments, a condition may require that the client 102 provide a MAC address for each installed network card to satisfy the condition. In some embodiments, a condition may require that the client 102 indicate membership in a particular Active Directory to satisfy the condition. In another embodiment, a condition may require that the client 102 execute a virus scanner to satisfy the condition. In other embodiments, a condition may require that the client 102 execute a personal firewall to satisfy the condition. In some embodiments, a condition may require that the client 102 comprise a particular device type to satisfy the condition. In other embodiments, a condition may require that the client 102 establish a particular type of network connection to satisfy the condition.


If the received information satisfies a condition, the first component 222 stores an identifier for that condition in a data set 228. In one embodiment, the received information satisfies a condition if the information makes the condition true. For example, a condition may require that a particular operating system be installed. If the client 102 has that operating system, the condition is true and satisfied. In another embodiment, the received information satisfies a condition if the information makes the condition false. For example, a condition may address whether spyware exists on the client 102. If the client 102 does not contain spyware, the condition is false and satisfied.


In some embodiments, the logon agent 226 resides outside of the policy engine 220. In other embodiments, the logon agent 226 resides on the policy engine 220. In one embodiment, the first component 222 includes a logon agent 226, which initiates the information gathering about client 102. In some embodiments, the logon agent 226 further comprises a data store. In these embodiments, the data store includes the conditions for which the collection agent may gather information. This data store is distinct from the condition database 224.


In some embodiments, the logon agent 226 initiates information gathering by executing the collection agent 204. In other embodiments, the logon agent 226 initiates information gathering by transmitting the collection agent 204 to the client 102 for execution on the client 102. In still other embodiments, the logon agent 226 initiates additional information gathering after receiving information 212. In one embodiment, the logon agent 226 also receives the information 212. In this embodiment, the logon agent 226 generates the data set 228 based upon the received information 212. In some embodiments, the logon agent 226 generates the data set 228 by applying a condition from the database 224 to the information received from the collection agent 204.


In another embodiment, the first component 222 includes a plurality of logon agents 226. In this embodiment, at least one of the plurality of logon agents 226 resides on each network domain from which a client 102 may transmit a resource request. In this embodiment, the client 102 transmits the resource request to a particular logon agent 226. In some embodiments, the logon agent 226 transmits to the policy engine 220 the network domain from which the client 102 accessed the logon agent 226. In one embodiment, the network domain from which the client 102 accesses a logon agent 226 is referred to as the network zone of the client 102.


The condition database 224 stores the conditions that the first component 222 applies to received information. The policy database 232 stores the policies that the second component 230 applies to the received data set 228. In some embodiments, the condition database 224 and the policy database 232 store data in an ODBC-compliant database. For example, the condition database 224 and the policy database 232 may be provided as an ORACLE database, manufactured by Oracle Corporation of Redwood Shores, Calif. In other embodiments, the condition database 224 and the policy database 232 can be a MICROSOFT ACCESS database or a MICROSOFT SQL server database, manufactured by Microsoft Corporation of Redmond, Wash.


After the first component 222 applies the received information to each condition in the condition database 224, the first component transmits the data set 228 to the second component 230. In one embodiment, the first component 222 transmits only the data set 228 to the second component 230. Therefore, in this embodiment, the second component 230 does not receive information 212, only identifiers for satisfied conditions. The second component 230 receives the data set 228 and makes an access control decision by applying a policy from the policy database 232 based upon the conditions identified within data set 228.


In one embodiment, policy database 232 stores the policies applied to the received information 212. In one embodiment, the policies stored in the policy database 232 are specified at least in part by the system administrator. In another embodiment, a user specifies at least some of the policies stored in the policy database 232. The user-specified policy or policies are stored as preferences. The policy database 232 can be stored in volatile or non-volatile memory or, for example, distributed through multiple servers.


In one embodiment, a policy allows access to a resource only if one or more conditions are satisfied. In another embodiment, a policy allows access to a resource but prohibits transmission of the resource to the client 102. Another policy might make connection contingent on the client 102 that requests access being within a secure network. In some embodiments, the resource is an application program and the client 102 has requested execution of the application program. In one of these embodiments, a policy may allow execution of the application program on the client 102. In another of these embodiments, a policy may enable the client 102 to receive a stream of files comprising the application program. In this embodiment, the stream of files may be stored and executed in an isolation environment. In still another of these embodiments, a policy may allow only execution of the application program on a server 106, such as an application server, and require the server 106 to transmit output data to the client 102.


Referring now to FIG. 2C, a flow diagram depicts one embodiment of the steps taken by the policy engine 220 to make an access control decision based upon information received about a client 102. Upon receiving gathered information about the client 102 (step 250), the policy engine 220 generates a data set based upon the information (step 252). The data set 228 contains identifiers for each condition satisfied by the received information 212. The policy engine 220 applies a policy to each identified condition within the data set 228. That application yields an enumeration of resources which the client 102 may access (step 254). The policy engine 220 then presents that enumeration to the client 102. In some embodiments, the policy engine 220 creates a Hypertext Markup Language (HTML) document used to present the enumeration to the client.


In some embodiments, a determination is made as to a type of connection to establish when granting access to a resource responsive to a determination by a policy engine such as the policy engine 220 described above in FIG. 2A, FIG. 2B and FIG. 2C. In other embodiments, a determination is made as to a method for granting access to a resource, such as a method for execution, responsive to a determination by a policy engine such as the policy engine 220 described above in connection with FIG. 2A, FIG. 2B and FIG. 2C. In still other embodiments, the server 106 receiving the credentials and the request to execute the resource further comprises such a policy engine 220.


In some embodiments, one of a plurality of access rights is identified, responsive to a policy. In one of these embodiments, the identification is made responsive to an application of a policy to information associated with the client 102. In another of these embodiments, the selection is made by a policy engine such as the policy engine 220 described above in FIG. 2A, FIG. 2B and FIG. 2C. In still another of these embodiments, the types of access rights include, without limitation, rights to read, write, modify, download, save local copies, execute, print, and email a requested resource.
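The two-component flow of FIG. 2B and FIG. 2C carried out in code, as an added example that is not part of the patent: the first component applies a condition database to gathered information 212 and emits only identifiers of satisfied conditions (data set 228), and the second component applies a policy database to that data set to enumerate the resources and access rights the client may use. The condition identifiers, information fields, resource names and right names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet, Mapping


# ---- First component 222: condition database 224 -----------------------------
# A condition is satisfied when its predicate evaluates to `expected`. That covers
# both cases in the text: a condition that must be true (a given OS installed) and
# one that must be false (no spyware present).
@dataclass(frozen=True)
class Condition:
    ident: str
    predicate: Callable[[Mapping[str, Any]], bool]
    expected: bool = True


# Constructed condition database; identifiers and information fields are assumptions.
CONDITION_DATABASE = (
    Condition("os_is_windows_xp", lambda i: i.get("os") == "WINDOWS XP"),
    Condition("has_virus_scanner", lambda i: bool(i.get("virus_scanner"))),
    Condition("has_personal_firewall", lambda i: bool(i.get("personal_firewall"))),
    Condition("no_spyware", lambda i: bool(i.get("spyware")), expected=False),
    Condition("in_secure_zone", lambda i: i.get("network_zone") == "corp-lan"),
    Condition("is_desktop", lambda i: i.get("device_type") == "desktop"),
)


def build_data_set(info: Mapping[str, Any],
                   conditions=CONDITION_DATABASE) -> FrozenSet[str]:
    """Apply every condition to the gathered information 212 and return data set 228.

    Only identifiers of satisfied conditions are returned; the raw information never
    reaches the second component, as the text describes.
    """
    satisfied = set()
    for cond in conditions:
        try:
            result = bool(cond.predicate(info))
        except (TypeError, ValueError, KeyError):
            continue  # malformed or missing data: fail closed, condition not satisfied
        if result == cond.expected:
            satisfied.add(cond.ident)
    return frozenset(satisfied)


# ---- Second component 230: policy database 232 -------------------------------
@dataclass(frozen=True)
class Policy:
    resource: str
    requires: FrozenSet[str]        # condition identifiers that must be in data set 228
    grants: FrozenSet[str]          # access rights when every requirement is met
    fallback: FrozenSet[str] = frozenset()  # reduced rights otherwise (alternate method)


# Constructed policy database; resource and right names are assumptions.
POLICY_DATABASE = (
    Policy("quarterly-report.doc",
           requires=frozenset({"has_virus_scanner", "no_spyware"}),
           grants=frozenset({"read", "modify", "save_local_copy", "print"}),
           fallback=frozenset({"read"})),          # read-only view on a weak client
    Policy("payroll.xls",
           requires=frozenset({"in_secure_zone", "has_personal_firewall", "no_spyware"}),
           grants=frozenset({"read", "modify"})),  # no fallback: unavailable off-network
    Policy("legacy-app.exe",
           requires=frozenset({"is_desktop", "no_spyware"}),
           grants=frozenset({"execute"}),
           fallback=frozenset({"receive_server_output"})),  # run server-side instead
)


def apply_policies(data_set: FrozenSet[str],
                   policies=POLICY_DATABASE) -> Dict[str, FrozenSet[str]]:
    """Second component 230: map each resource to the rights the client may exercise.

    Resources for which no right remains are omitted, so the result is the enumeration
    of accessible resources presented to the client at step 254.
    """
    enumeration: Dict[str, FrozenSet[str]] = {}
    for policy in policies:
        rights = policy.grants if policy.requires <= data_set else policy.fallback
        if rights:
            enumeration[policy.resource] = rights
    return enumeration


def access_control_decision(info: Mapping[str, Any]) -> Dict[str, FrozenSet[str]]:
    """Steps 250 to 254 end to end: information 212 -> data set 228 -> enumeration."""
    return apply_policies(build_data_set(info))


# Constructed samples of information 212 as a collection agent might report it.
MANAGED_DESKTOP = {"os": "WINDOWS XP", "virus_scanner": True, "personal_firewall": True,
                   "spyware": False, "network_zone": "corp-lan", "device_type": "desktop"}
INTERNET_KIOSK = {"os": "WINDOWS 2000", "virus_scanner": False, "personal_firewall": False,
                  "spyware": True, "network_zone": "public", "device_type": "kiosk"}

if __name__ == "__main__":
    for name, info in (("managed desktop", MANAGED_DESKTOP), ("internet kiosk", INTERNET_KIOSK)):
        print(name, sorted(build_data_set(info)), access_control_decision(info))
```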


Referring now to FIG. 3A, a block diagram depicts one embodiment of a system for dynamically associating access rights with a resource. In brief overview, the system includes a server 106, a policy engine 220, and an application program 350. The server receives a request for access to a resource from a client 102. The policy engine 220 receives a request from the server 106 for an identification of a plurality of access rights to associate with the resource, the plurality of access rights identified responsive to an application of a policy to the client 102. The application program 350 receives, from the server, a copy of the resource associated with the identified plurality of access rights via a rights markup language, and an identification of the associated plurality of access rights.


The server 106 receives a request for access to a resource from a client 102. In some embodiments, the server 106 is a web proxy server. In one embodiment, the client 102 requests access to a file, such as a document. In another embodiment, the client 102 requests access to a resource for processing by an application program 350 that is XRML-aware.


In one embodiment, the server 106 comprises a collection agent gathering information from the client 102. In another embodiment, the server 106 comprises a means for transmitting the collection agent to the client 102. In another embodiment, the server 106 comprises a policy engine 220. In still another embodiment, the server 106 is in communication with the policy engine 220. In some embodiments, the requested resource resides on the server 106. In other embodiments, the requested resource resides on a server 106b.


In some embodiments, the server 106 comprises a means for associating access rights with the requested resource. In one of these embodiments, the server 106 retrieves a copy of the requested resource. In another of these embodiments, the server 106 associates an access right with a copy of the requested resource by signing the copy. In still another of these embodiments, the server 106 comprises a means for signing the resource using an extensible rights markup language (XRML). In other embodiments, the server 106 configures the rights management attributes of a document requested by a client 102. In one of these embodiments, the server configures the rights management attributes based on policies defined by an administrator.


In one embodiment, the server associates an access right with a resource using a rights management language, a rights expression language, or other language for managing digital rights. In another embodiment, the server generates an XrML assertion grant according to the XrML 2.0 standard developed by ContentGuard, Inc., of El Segundo, Calif., and maintained by the Motion Picture Experts Group (MPEG). In still another embodiment, the server generates an expression of terms and conditions applicable to the resource, according to the Open Digital Rights Language (ODRL) standard submitted by IPR Systems Pty Ltd to the World Wide Web Consortium and maintained by the World Wide Web Consortium.


In some embodiments, when the client requests access to the resource, the server generates an identification of the client, an identification of the resource, and an identification of one or more rights granted to the client. In other embodiments, the server associates an access right with the resource by using technology to persist rights management information, the access right enforceable by an application program processing the resource for a user of the client.


In one embodiment, the server 106 comprises a means for associating the resource with a right to retrieve the resource. In another embodiment, the server 106 comprises a means for associating the resource with a requirement to view a version of the file displayed using the Hypertext Markup Language (HTML). In still another embodiment, the server 106 comprises a means for associating the resource with a right to receive output data generated by an execution of the resource on an application server. In even still another embodiment, the server 106 comprises a means for associating the resource with a right to print a copy of the resource. In yet another embodiment, the server 106 comprises a means for associating the resource with a right to save a local copy of the resource. In a further embodiment, the server 106 comprises a means for associating the resource with a right to transmit, via electronic mail, a copy of the resource.


In one embodiment, the server 106 comprises a transmitter. In another embodiment, the transmitter sends the request for access to the resource to the policy engine 220. In still another embodiment, the transmitter sends, to the client 102, a copy of the resource associated with a plurality of access rights identified by the policy engine 220. In yet another embodiment, the transmitter sends, to a server 106b, a copy of the resource digitally signed by the server, an identification of the plurality of access rights identified by the policy engine 220 included in the digital signature.


The policy engine 220 receives a request from the server 106 for an identification of a plurality of access rights to associate with the resource, the plurality of access rights identified responsive to an application of a policy to the client 102. In some embodiments, the policy engine 220 provides the functionality described above in connection with FIG. 2A, FIG. 2B, and FIG. 2C. In one embodiment, the policy engine 220 comprises a collection agent gathering information about the client 102. In another embodiment, the policy engine 220 transmits the collection agent to the client 102. In still another embodiment, the policy engine 220 transmits the collection agent to the server 106 for transmission to the client 102.


In one embodiment, the policy engine 220 comprises a policy database. In another embodiment, the policy engine 220 applies a policy from the policy database to information gathered about the client 102. In still another embodiment, the policy engine 220 receives gathered information from the server 106. In yet another embodiment, the policy engine 220 receives gathered information from a collection agent. In some embodiments, the policy engine 220 provides the functionality of the policy engine described above in connection with FIGS. 2A, 2B, and 2C.


In some embodiments, the policy engine identifies one or more access rights for association with the requested resource, responsive to an application of a policy to the client requesting the access. In one of these embodiments, the policy engine determines that the client may view a requested resource. In another of these embodiments, the policy engine determines that the client may modify a requested resource. In still another of these embodiments, the policy engine determines that the client may retrieve a copy of the requested resource. In yet another of these embodiments, the policy engine determines that the client may store a copy of a requested resource. In another of these embodiments, the policy engine determines that a viewer of the resource may copy content from the resource. In still another of these embodiments, the policy engine determines that a viewer of the resource may paste content into the resource.


In another of these embodiments, the policy engine determines that the client may not access the resource as requested. In still another of these embodiments, the policy engine identifies an alternate method for accessing the resource. For example, the policy engine may allow the client to view a read-only copy of a resource and deny the client the ability to modify the resource. In another example, the policy engine may allow the client to receive output data generated by an execution of the resource on a remote server and deny the client the ability to execute the resource locally. In still another example, the policy engine may allow or deny a client request to copy content from the resource, paste content into the resource, print, email or save a local copy of the resource.


The server 106 receives the identification of the plurality of access rights from the policy engine 220. The server 106 associates the identification of the plurality of access rights with the requested resource. The application program 350 receives, from the server 106, a copy of the resource associated with the identified plurality of access rights via a rights markup language (such as XRML), and an identification of the associated plurality of access rights.


In one embodiment, the application program 350 comprises a means for making an access control decision responsive to the identification of the associated plurality of access rights. In another embodiment, the application program 350 comprises a component for applying an access right in the associated plurality of access rights to the request for the resource. In still another embodiment, the application program 350 comprises a means for denying a request to retrieve the resource. In yet another embodiment, the application program 350 comprises a means for allowing a request to retrieve the resource.


In one embodiment, the application program 350 parses an XrML assertion grant generated according to the XrML 2.0 standard developed by ContentGuard, Inc., of El Segundo, Calif., and maintained by the Motion Picture Experts Group (MPEG). In another embodiment, the application program 350 parses an expression of terms and conditions applicable to the resource, generated according to the Open Digital Rights Language (ODRL) standard submitted by IPR Systems Pty Ltd to the World Wide Web Consortium and maintained by the World Wide Web Consortium.


In one embodiment, the application program 350 includes a component for parsing an identification of a plurality of access rights associated with a resource. In another embodiment, the application program 350 is configured to identify an access right associated with a resource. In still another embodiment, the application program 350 is configured to identify an access right enumerated within a digital signature. In yet another embodiment, the application program 350 accesses a file, such as an XML manifest file identifying the plurality of access rights, associated with the resource to make the access control decision.


In some embodiments, the application program 350 comprises a word processing or spreadsheet application program. In other embodiments, the application program 350 comprises a client agent on the client 102. In one of these embodiments, the client agent comprises an agent using a presentation layer protocol to communicate with the server 106, such as an ICA client, an RDP client, or an X11 client. In still other embodiments, the application program 350 comprises a rights management agent enforcing digital rights policies on the client 102. In one of these embodiments, the application program 350 comprises an application program enforcing a network access policy. In another of these embodiments, the application program 350 comprises a collection agent as described above in connection with FIGS. 2A, 2B, and 2C, and transmits information associated with the client to the policy engine, directly or via the server 106.


In one embodiment, the application program 350 supports technology persisting rights management information and is able to enforce the associated access rights. The application program 350 may be, for example, a word processing application, a spreadsheet processing application, or any other common application program. In another embodiment, the application program 350 may be any type of program supporting technology persisting rights management information and able to enforce the associated access rights.


In some embodiments, the application program 350 provides restricted access to the resource according to the rights markup language (such as XRML). In one embodiment, the application program 350 grants a request for access to the resource, responsive to the identified plurality of access rights. In another of these embodiments, the application program 350 denies the requested access and provides an alternate method for accessing the resource. In still another of these embodiments, the application program 350 denies the request for access to the resource, responsive to the identified plurality of access rights.


In one embodiment, the application program 350 comprises a means for viewing a version of the resource displayed using the Hypertext Markup Language (HTML). In another embodiment, the application program 350 comprises a connection to a client agent on the client 102 receiving output data generated by an execution of the resource on an application server 106, 106b. In still another embodiment, the application program 350 denies a request to retrieve and execute a resource on the client 102. In yet another embodiment, the application program 350 provides an alternate means for accessing the resource by providing the output data generated by the execution of the resource on the application server 106. In a further embodiment, the application program 350 restricts the use of the output data. For example, the application program 350 may allow or deny a request to print, email, or store locally the received output data.
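An added illustration, not the patent's own code, of the server-side association and client-side enforcement described for FIG. 3A: the server 106 wraps the resource identification and the granted rights in a simplified XrML-style grant manifest bound to a digest of the resource copy, and the XrML-aware application program 350 verifies it before making its access control decision, offering the alternate access method when the requested operation is denied. The element names, the HMAC standing in for the digital signature the text mentions, the shared key, and the resource and right names are assumptions, and the manifest is not validated against the XrML 2.0 schema.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import FrozenSet, Optional, Tuple

# Assumed shared secret between server 106 and application program 350. The text
# only says the copy is "digitally signed"; an HMAC over the manifest stands in for
# that signature so the example runs with the standard library alone.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


class RightsError(Exception):
    """Raised when a manifest cannot be trusted; the application then grants nothing."""


def build_grant(principal: str, resource_id: str, rights: FrozenSet[str],
                resource_bytes: bytes) -> Tuple[str, str]:
    """Server 106: emit an XrML-style <license><grant> manifest and its signature.

    The grant names the client (principal), the resource, a digest of the exact copy
    being sent, and one <right> element per access right identified by the policy engine.
    """
    license_el = ET.Element("license")
    grant = ET.SubElement(license_el, "grant")
    ET.SubElement(grant, "principal").text = principal
    res = ET.SubElement(grant, "resource")
    res.set("id", resource_id)
    res.set("sha256", hashlib.sha256(resource_bytes).hexdigest())  # binds grant to this copy
    for right in sorted(rights):
        ET.SubElement(grant, "right").text = right
    manifest = ET.tostring(license_el, encoding="unicode")
    signature = hmac.new(SIGNING_KEY, manifest.encode(), hashlib.sha256).hexdigest()
    return manifest, signature


def parse_grant(manifest: str, signature: str, resource_bytes: bytes) -> dict:
    """Application program 350: verify signature and digest before trusting any right."""
    expected = hmac.new(SIGNING_KEY, manifest.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        raise RightsError("manifest signature invalid: rights not trusted")
    grant = ET.fromstring(manifest).find("grant")
    res = grant.find("resource")
    if res.get("sha256") != hashlib.sha256(resource_bytes).hexdigest():
        raise RightsError("resource digest mismatch: grant does not cover this copy")
    return {
        "principal": grant.findtext("principal"),
        "resource": res.get("id"),
        "rights": frozenset(r.text for r in grant.findall("right")),
    }


# Alternate access methods: when an operation is denied, the application may offer a
# more restricted one if that one is itself granted (read-only view instead of modify,
# server-side execution output instead of local execution).
ALTERNATES = {"modify": "read", "execute": "receive_server_output"}


def enforce(grant: dict, operation: str) -> Tuple[bool, Optional[str]]:
    """Access control decision: (granted as requested?, operation actually provided)."""
    rights = grant["rights"]
    if operation in rights:
        return True, operation
    alternate = ALTERNATES.get(operation)
    if alternate in rights:
        return False, alternate   # denied as requested, alternate method provided
    return False, None            # denied outright


# Constructed sample resource and grant as the server would produce for one client.
DOCUMENT = b"Q3 revenue figures (constructed sample document)"
MANIFEST, SIGNATURE = build_grant("user:alice", "quarterly-report.doc",
                                  frozenset({"read", "print"}), DOCUMENT)

if __name__ == "__main__":
    parsed = parse_grant(MANIFEST, SIGNATURE, DOCUMENT)
    for op in ("read", "modify", "email"):
        print(op, enforce(parsed, op))
```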


Referring now to FIG. 3B, in one embodiment a transmitter on the server 106a sends the resource and the identification of the associated plurality of access rights to an application program 350′ executing on a second server 106b. In another embodiment, the application program 350′ executing on the second server 106b comprises a means for making an access control decision responsive to an access right in the associated plurality of access rights. In still another embodiment, the application program 350′ executing on the second server 106b comprises a means for providing restricted access to the resource responsive to the access control decision. In yet another embodiment, the application program 350′ executing on the second server 106b further comprises an agent for transmitting output data generated by the application program 350′ to the client and providing restricted access to the output data responsive to the access control decision.


In one embodiment, the application program 350′ denies a request to retrieve and execute a resource on the client 102. In another embodiment, the application program 350′ provides an alternate means for accessing the resource by providing the output data generated by the execution of the resource on the application server 106. In still another embodiment, the application program 350′ restricts the use of the output data. For example, the application program 350′ may allow or deny a request to print, email, or store locally the received output data.


In some embodiments, the server 106 provides the functionality described above in connection with FIG. 3A. In other embodiments, the application program 350′ provides the functionality described above in connection with the application program 350 of FIG. 3A.


In some embodiments, the client requests access to a resource not previously associated with an access right. In one of these embodiments, the server determines that the resource is not yet associated with an access right. In another of these embodiments, the server requests an identification of a plurality of access rights from a policy engine. In still another of these embodiments, the policy engine applies a policy to the client, or to information associated with the client, to determine what access, if any, the server should grant to the client. In still another of these embodiments, the policy engine transmits an identification of the plurality of access rights to the server. In yet another of these embodiments, the server associates the plurality of access rights with the resource.


Referring now to FIG. 4, a flow diagram depicts one embodiment of the steps taken in a method for dynamically associating, by a server, access rights with a resource. In brief overview, a server receives a request for a resource from a client (step 402). The server requests, from a policy engine, an identification of a plurality of access rights to associate with the resource, the plurality of access rights identified responsive to an application of a policy to the client (step 404). The server associates the resource with the plurality of access rights via a rights markup language (step 406). The server transmits the resource to the client with an identification of the associated plurality of access rights (step 408). An application program on the client makes an access control decision responsive to the associated plurality of access rights (step 410). The application program provides restricted access to the resource, responsive to the access control decision (step 412).


A server receives a request for a resource from a client (step 402). In one embodiment, a server 106 receives the request for the resource from the client 102. In another embodiment, the client 102 requests access to a file, such as a document.


The server requests, from a policy engine, an identification of a plurality of access rights to associate with the resource, the plurality of access rights identified responsive to an application of a policy to the client (step 404). In one embodiment, information is gathered about the client. In another embodiment, the policy engine gathers the information about the client to make an access control decision. In still another embodiment, the server gathers the information about the client. In yet another embodiment, the server transmits the gathered information about the client to the policy engine. In some embodiments, the application program gathers the information about the client and transmits the gathered information to the policy engine, directly or via the server.


In one embodiment, the server receives an identification of a plurality of access rights to associate with the requested resource. In another embodiment, the server receives an identification of a plurality of access rights including a right to retrieve a file. In still another embodiment, the server receives an identification of a plurality of access rights including a right to view a version of a file displayed using the Hypertext Markup Language (HTML). In yet another embodiment, the server receives an identification of a plurality of access rights including a right to receive output data generated by an execution of the resource on an application server.


In one embodiment, the server receives an identification of a plurality of access rights including a right to print a copy of the resource. In another embodiment, the server receives an identification of a plurality of access rights including a right to save a local copy of the resource. In still another embodiment, the server receives an identification of a plurality of access rights including a right to transmit, via electronic mail, a copy of the resource.


The server associates the resource with the plurality of access rights via a rights markup language (step 406). In one embodiment, the server uses the extensible rights markup language (XrML) to associate the resource with the plurality of access rights. In another embodiment, the server retrieves a copy of the resource and signs the copy using XrML. In still another embodiment, the server generates an XrML assertion grant according to the XrML 2.0 standard developed by ContentGuard, Inc., of El Segundo, Calif., and maintained by the Motion Picture Experts Group (MPEG). In yet another embodiment, the server generates an expression of terms and conditions applicable to the resource, according to the Open Digital Rights Language (ODRL) standard submitted by IPR Systems Pty Ltd to the World Wide Web Consortium and maintained by the World Wide Web Consortium.


In some embodiments, the server 106 generates a copy of the requested resource. In one of these embodiments, the server 106 creates an encrypted copy of a requested document. In another of these embodiments, the server 106 acquires a license authorizing the client for access to the encrypted copy. In still another of these embodiments, the server 106 acquires a license identifying a plurality of access rights. In yet another of these embodiments, the server 106 generates a file, such as an XML manifest file, identifying the plurality of access rights. In other embodiments, the server 106 associates a copy of the resource with the generated file. In still other embodiments, the server 106 generates a digital certificate identifying the plurality of access rights and transmits the digital certificate with the copy of the requested resource. In yet other embodiments, the server 106 creates a copy of the file which contains rights management information within it. In one of these embodiments, once the application validates the file with the server, it is able to enforce those rights at runtime.


The server transmits the resource to the client with an identification of the associated plurality of access rights (step 408). In one embodiment, the server 106 transmits the resource to an application program on the client 102. In another embodiment, the server transmits a signed copy of the resource to the client, the signature identifying the associated plurality of access rights. In other embodiments, the server 106 transmits the resource to an application program executing on a second server 106b with the identification of the associated plurality of access rights, as described above in connection with FIG. 3B.


An application program on the client makes an access control decision responsive to the associated plurality of access rights (step 410). In one embodiment, the application program identifies an access right enumerated within a digital signature. In another embodiment, the application program accesses a file associated with the resource, such as an XML manifest file identifying the plurality of access rights, to make the access control decision. In still another embodiment, the application program decrypts the received resource. In yet another embodiment, the application program identifies the associated plurality of access rights upon decryption of the received resource.


In one embodiment, the server creates a copy of the file which contains the rights management information within it. In another embodiment, the application program identifies the associated plurality of access rights. In still another embodiment, the application validates the file with the server. In yet another embodiment, the application program determines which features to enable or disable for a user of the application program, responsive to the identified plurality of access rights. In a further embodiment, the application program enforces those rights at runtime.


The application program provides restricted access to the resource, responsive to the access control decision (step 412). In some embodiments, the application program allows the requested access to the resource. In other embodiments, the application program allows an alternate, restricted method of accessing the resource. In still other embodiments, the application program denies the request for access to the resource.


In one embodiment, the application program denies a request to retrieve the resource. In another embodiment, the application program displays a version of the resource using the Hypertext Markup Language (HTML), responsive to a request to retrieve the resource. In still another embodiment, the application program allows a request to retrieve the resource.


In one embodiment, the application program denies a request to modify the resource. Modification of the resource may include pasting content into the resource. In another embodiment, the application program denies a request to copy content from the resource. In still another embodiment, the application program denies a request to receive output data generated by an execution of the resource on an application server. In yet another embodiment, the application program allows a request to receive output data generated by an execution of the resource on an application server. In a further embodiment, the application program allows the client to receive output data generated by an execution of the resource on an application server, responsive to a request to retrieve the resource.


In some embodiments, the server transmits the resource and the associated plurality of access rights to an application program executing on a second server. In one of these embodiments, the server 106 transmits the resource to a server 106b. In another of these embodiments, the application program executing on the second server makes an access control decision responsive to the identified plurality of access rights. In still another of these embodiments, the application program executing on the second server provides restricted access to the resource responsive to the access control decision. In yet another of these embodiments, the second server 106b transmits output data generated by executing the application program, with access to the output data restricted responsive to the access control decision.


In some embodiments, the server 106 may associate a different plurality of access rights with the resource upon receiving a request from a second client 102b. In other embodiments, the server 106 may associate a different plurality of access rights with the resource upon receiving a second request from the client 102 for access. In some embodiments, the functionality described above enables a server 106 to dynamically associate access rights with a requested resource responsive to an application of a policy to a client 102 requesting access to the resource. In other embodiments, the server 106 may dynamically associate levels of access with a requested resource responsive to an application of a policy to a client 102 requesting access to the resource.
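The FIG. 4 flow (steps 402 through 412) and the per-client variation just described, carried through end to end as an added example that is not the patent's own code: a policy engine derives rights from gathered client information, the server binds those rights to the resource in a signed rights manifest, and the client application verifies the signature before deciding whether to allow, deny, or offer the alternate HTML rendering. The manifest schema, the HMAC signature, the shared key and the policy rules are assumptions chosen for illustration; XrML and ODRL define their own schemas and signature mechanisms.

```python
"""Illustrative end-to-end flow: policy engine -> signed rights manifest ->
client-side enforcement. Added example, not the patent's code. The manifest
schema, HMAC signature, key and policy rules below are constructed assumptions."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SERVER_KEY = b"constructed-demo-key"  # assumed to be shared with the client application


def policy_engine(client_info: dict) -> set:
    """Step 404: apply a (constructed) policy to gathered client information."""
    rights = {"view_html", "receive_output"}             # baseline: remote rendering only
    if client_info.get("managed_device"):
        rights |= {"retrieve", "print"}                    # managed endpoint may hold a copy
        if client_info.get("network") == "corporate":
            rights |= {"save", "email"}                    # local copies only on-network
    return rights


def build_manifest(resource_id: str, rights: set) -> str:
    """Step 406: express the rights in a simplified, XrML-like XML manifest."""
    root = ET.Element("license")
    ET.SubElement(root, "resource").text = resource_id
    grant = ET.SubElement(root, "grant")
    for r in sorted(rights):                               # sorted so the signed bytes are stable
        ET.SubElement(grant, "right").text = r
    return ET.tostring(root, encoding="unicode")


def server_issue(resource_id: str, content: bytes, client_info: dict) -> dict:
    """Steps 402-408: associate policy-derived rights with the resource and sign
    manifest plus resource digest so neither can be altered independently."""
    manifest = build_manifest(resource_id, policy_engine(client_info))
    digest = hashlib.sha256(content).hexdigest()
    signed = f"{manifest}|{digest}".encode()
    sig = hmac.new(SERVER_KEY, signed, hashlib.sha256).hexdigest()
    return {"resource": content, "manifest": manifest, "digest": digest, "sig": sig}


def client_rights(bundle: dict) -> set:
    """Step 410: verify the signature, then read the rights. A tampered manifest
    or a resource that does not match the digest yields no rights (fail closed)."""
    signed = f"{bundle['manifest']}|{bundle['digest']}".encode()
    expected = hmac.new(SERVER_KEY, signed, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["sig"]):
        return set()
    if hashlib.sha256(bundle["resource"]).hexdigest() != bundle["digest"]:
        return set()
    root = ET.fromstring(bundle["manifest"])
    return {el.text for el in root.iter("right")}


def access_decision(bundle: dict, action: str) -> str:
    """Step 412: allow the action, deny it, or offer the alternate HTML rendering
    when retrieval itself is not granted but viewing is."""
    rights = client_rights(bundle)
    if action in rights:
        return "allow"
    if action == "retrieve" and "view_html" in rights:
        return "alternate:view_html"                       # restricted access path
    return "deny"


if __name__ == "__main__":
    doc = b"constructed document body"
    # Same resource, two clients, two different sets of rights (dynamic association).
    managed = server_issue("doc-1", doc, {"managed_device": True, "network": "corporate"})
    kiosk = server_issue("doc-1", doc, {"managed_device": False, "network": "public"})
    for action in ("retrieve", "print", "email"):
        print(f"{action:8} managed={access_decision(managed, action):20} kiosk={access_decision(kiosk, action)}")
    # A client that edits its own manifest to add a right breaks the signature.
    forged = dict(kiosk, manifest=kiosk["manifest"].replace("</grant>", "<right>print</right></grant>"))
    print("forged print:", access_decision(forged, "print"))
```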


The systems and methods described above may be provided as one or more computer-readable programs embodied on or in one or more articles of manufacture. The article of manufacture may be a floppy disk, a hard disk, a CD-ROM, a flash memory card, a PROM, a RAM, a ROM, or a magnetic tape. In general, the computer-readable programs may be implemented in any programming language, such as LISP, PERL, C, C++, PROLOG, or any byte code language such as JAVA. The software programs may be stored on or in one or more articles of manufacture as object code.


Having described certain embodiments of methods and systems for dynamically associating access rights with resources, it will now become apparent to one of skill in the art that other embodiments incorporating the concepts of the invention may be used. Therefore, the invention should not be limited to certain embodiments, but rather should be limited only by the spirit and scope of the following claims.

Claims
  • 1. A method for dynamically associating, by a server, access rights with a resource, the method comprising steps of: (a) receiving, by a server, a request for a resource from a client; (b) generating, by a first component of a policy engine, a dataset responsive to an application of a first policy to the client; (c) transmitting, by the first component of the policy engine to a second component of the policy engine, the dataset; (d) applying, by the second component of the policy engine, a second policy to the dataset to identify a plurality of levels of access rights associated with the resource; (e) requesting, by the server, from the second component of the policy engine, the plurality of levels of access rights to associate with the resource; (f) signing, by the server, the resource with the plurality of levels of access rights via an extensible rights markup language; (g) transmitting, by the server, the resource signed with the plurality of levels of access rights to the client; (h) making, by an application program responsive to receiving from the server the signed resource, an access control decision using the plurality of levels of access rights, the application program executing on the client; and (i) providing, by the application program, restricted access to the resource responsive to the access control decision.
  • 2. The method of claim 1, wherein the client is a mobile device.
  • 3. The method of claim 1, wherein step (a) further comprises receiving via a wireless connection.
  • 4. The method of claim 1, wherein step (b) further comprises receiving, by the server, an identification of the plurality of levels of access rights including a right to retrieve a file.
  • 5. The method of claim 1, wherein step (b) further comprises receiving, by the server, an identification of the plurality of levels of access rights including a right to view a version of a file displayed using a version of the Hypertext Markup Language (HTML) standard.
  • 6. The method of claim 1, wherein step (b) further comprises receiving, by the server, an identification of the plurality of levels of access rights including a right to receive output data generated by an execution of the resource on an application server.
  • 7. The method of claim 1, wherein step (b) further comprises receiving, by the server, an identification of the plurality of levels of access rights including a right to print a copy of the resource.
  • 8. The method of claim 1, wherein step (b) further comprises receiving, by the server, an identification of the plurality of levels of access rights including a right to save a local copy of the resource.
  • 9. The method of claim 1, wherein step (b) further comprises receiving, by the server, an identification of the plurality of levels of access rights including a right to transmit via electronic mail a copy of the resource.
  • 10. The method of claim 1, wherein step (i) further comprises denying, by the application program, a request to retrieve the resource.
  • 11. The method of claim 1, wherein step (i) further comprises denying, by the application program, a request to modify the resource.
  • 12. The method of claim 1, wherein step (i) further comprises the step of denying, by the application program, a request to receive output data generated by an execution of the resource on an application server.
  • 13. The method of claim 1, wherein step (i) further comprises allowing, by the application program, a request to retrieve the resource.
  • 14. The method of claim 1, wherein step (i) further comprises displaying, by the application program, a version of the resource displayed using a version of the Hypertext Markup Language (HTML) standard, responsive to a request to retrieve the resource.
  • 15. The method of claim 1, wherein step (i), comprises providing, by the application program executing on a second server, restricted access to the resource responsive to the access control decision.
  • 16. The method of claim 1, wherein step (i) further comprises transmitting, by a second server, output data generated by executing the application program, access to the output data restricted responsive to the access control decision.
  • 17. A system for dynamically associating access rights with a resource comprising: a server comprising a microprocessor that receives a request for access to a resource from a client; a first component of a policy engine that executes on the microprocessor of the server to cause the microprocessor to: generate a dataset responsive to an application of a first policy to the client; transmit the dataset to a second component of the policy engine; the second component of the policy engine that executes on one or more microprocessors of the server to: apply a second policy to the dataset to identify a plurality of levels of access rights associated with the resource; wherein the server requests from the second component of the policy engine the plurality of levels of access rights to associate with the resource, signs the resource with the plurality of levels of access rights via an extensible rights markup language, and transmits the resource signed with the plurality of levels of access rights to the client; and an application program that executes on at least one microprocessor of the client to: receive, from the server, a copy of the resource signed with the plurality of levels of access rights, make an access control decision in response to receiving the resource signed with the plurality of levels of access rights using the plurality of levels of access rights, and provide restricted access to the resource responsive to the access control decision.
  • 18. The system of claim 17, wherein the client is a mobile device.
  • 19. The system of claim 17, wherein the policy engine further comprises a collection agent to gather information about the client.
  • 20. The system of claim 19, wherein the policy engine further comprises a policy database, wherein the policy engine applies a policy from the policy database to the gathered information.
RELATED APPLICATIONS

This present application is a continuation of U.S. patent application Ser. No. 11/557,683, titled “Method and System for Dynamically Associating Access Rights With A Resource” filed Nov. 8, 2006, now allowed, which is incorporated by reference in its entirety.

Anonymous, “Remote Access,” Secure Computing, 47-60, Oct. 1997.
Anonymous: “Citrix Metaframe 1.8—Backgrounder”, Internet Publication, Apr. 24, 1999 (1999-04-240, XP002217973.
Antonoff, M., “Writing in a Spreadsheet,” Personal Computing, 51-54, 1987.
Ao et al., “A Hierarchical Policy Specification Language, and Enforcement Mechanism, for Governing Digital Enterprises”, 3rd IEEE International Workshop on Policies for Distributed Systems and Networks (Policy 2002), 38-49, IEEE CS Press, 2002, available at http://www.cs.rutgers.edu/˜tdnguyen/pubs/ao-policy-2002.pdf.
Back et al., “Contracts, Games and Refinement,” TUCS Technical Report No. 138, Turku Centre for Computer Science, 1-15, Nov. 1997.
Beers, C., “McAfee Shores Up Your Defenses,” Network Computing, 38, Jun. 2003, available at http://www.networkcomputing.com/1412/1412sp3.html.
Bird, T., “Reduce the Threat from Computers,” Communications News, 36, 38-39, Mar. 2005, available at http://www.comnews.com/stories/articles/0305/0305reduce—threat.htm.
Brekne, T., “Mobile Agents and (In-)Security,” Telektronikk, 34-46, 2000.
Carvalho et al., “Supporting Flexible Data Feeds in Dynamic Sensor Grids Through Mobile Agents,” Lecture Notes in Computer Science vol. 2535, Proc. 6th International Conference on Mobile Agents (MA 2002), 171-185, Springer-Verlag, Germany, 2002.
Cheng et al., “Adjusting the Autonomy of Collections of Agents in Multiagent Systems,” Lecture Notes in Computer Science vol. 3501, 33-37, Advances in Artificial Intelligence: Proc. 18th Conference of the Canadian Society for Computational Studies of Intelligence (Canadian AI 2005), Springer-Verlag, Germany, 2005.
Chinese Office Action for 200580041052.2 dated Apr. 25, 2011.
Chinese Office Action for 200580041061.1 dated Jul. 27, 2011.
Chinese Office Action on 200580041061.1 dated Mar. 12, 2012.
Chinese Office Action on 200580041061.1 dated Apr. 9, 2013.
Citrix MetaFrame XP Security Standards and Deployment Scenarios. MetaFrame XP Server for Windows with Feature Release 3. Citrix Systems Inc.
Citrix Metaframe XPa for windows 2002.
Corradi et al., “Policy-Driven Management of Agent Systems,” Lecture Notes in Computer Science vol. 1995, Policies for Distributed Systems and Networks: Proc. International Workshop (Policy 2001), 214-229, Springer-Verlag, Germany, 2001.
Dulay et al., “A Policy Deployment Model for the Ponder Language,” Proc. IEEE/IFIP—International Symposium on Integrated network Management (IM 2001) 529-543 Seattle.
EP examination report for appl 07115385.9 dated May 23, 2008.
Esposito, A. et al., “Integrating Concurrency Control and Distributed Data into Workflow Frameworks: An Actor Model Perspective,” 2000 IEEE International Conference on Systems, Man, and Cybernetics, vol. 3, 2110-2114, IEEE Press, 2000.
European Patent Office Examination Report dated Aug. 17, 2007 for Application No. 05798714. 3 pages.
European Second Exam Report on 07115382.9 dated Mar. 9, 2012.
European Second Examination Report on 05785370.7 dated Feb. 14, 2012.
Exam Report for EP appln 05798714.1 dated May 19, 2009.
Feldman, M., “Enterprise Wrappers for Information Assurance,” Proc. DARPA Information Survivability Conference and Exposition (DISCEX '03), IEEE Press, 2003.
First Indian Examination Report on 1377/KOLNP/2007 dated Mar. 12, 2013.
Fratto, M., “Hammering Out a Secure Framework,” Network Computing, 79-80, 82, 84-87, 2000, available at http://www.networkcomputing.com/1101/1101f3.html.
Funk Software, “Funk Software's Endpoint Assurance Solution. The Secure Product Foundation for Endpoint Integrity,” 2005, available at: http://www.juniper.net/ welcome—funk.html.
Graniero, P.A. et al. “Investigating the Role of Fuzzy Sets in a Spatial Modeling Framework,” Proc. 9th IFSA World Congress and 20th NAFIPS Intemational Conference, 2370-2375, IEEE Press 2001.
Guy III, E.T., “An Introduction to the CAD Framework Initiative,” Electro 1992 Conference Record, 78-83, Massachusetts, May 1992.
International Searching Authority, “International Search Report,” PCT Application No. PCT/US05/028606, mailed Feb. 24, 2006, 5 pgs.
International Searching Authority, “International Search Report,” PCT Application No. PCT/US05/028607, mailed on Mar. 31, 2006, 10 pgs.
International Searching Authority, “Partial International Annexed to Invitation to Pay fees,” PCT Application No. PCT/ US05/028607, mailed on Dec. 14, 2005, 7 pgs.
International Searching Authority, “Written Opinion,” PCT Application No. PCT/ US05/028605, mailed on Jan. 18, 2006, 7 pgs.
International Searching Authority, “Written Opinion,” PCT Application No. PCT/ US05/028607, mailed on Mar. 31, 2006, 11 pgs.
International Searching Authority, “International Search Report,” PCT Application No. PCT/US05/028605, mailed on Jan. 18, 2006, 7 pgs.
International Searching Authority, International Preliminary Report on patentability to PCT/US05/028606, issued Apr. 3, 2007 (10 pages).
Japanese Office Action on 2007-534586 dated Jan. 20, 2012.
Japanese Official Action for 2007-534586 dated Jun. 7, 2011.
Japanese Official Action for 2007-534586 dated Sep. 27, 2011.
Jin, H. et al., “A Distributed Dynamic μFirewall Architecture With Mobile Agents and KeyNote Trust Management System,” Lecture Notes in Computer Science, vol. 2513, Proc. 4th International Conference on Information and Communications Security, (ICICS 2002), 13-24, Springer-Verlag, Germany, 2002.
Jun, M. et al., “Application of Mobile Scanning Agent in the Network Security,” J. of Systems Engineering and Electronics, 15(3): 371-376, 2004.
Juniper Networks NetScreen-SA 5000 Series. Spec Sheet Access Appliances, Juniper Networks, Sunnyvale, CA., 4 pages.
Juniper Networks, “Juniper Networks Infranet Controllers Provide Unified Access Control for all Users throughout Your Network,” (Oct. 2005), available at: http://www.juniper.nel/products/ua/dsheet/100137.pdf.
Keromytis, A.D. et al., “Transparent Network Security Policy Enforcement,” Proc. USENIX Technical Conference, 215-225, San Diego, CA, USA, 2000.
Kim, S.C. et al., “Study of Security Management System Based on Client/Server Model,” 1403-1408, IEEE Press, 1999.
Klein, D., “Developing Applications with a UIMS,” Proc. USENIX Applications Development Symposium, 37-56, 1994.
Kohl and Neuman, The Kerberos Network Authentication Service (V5), Internet Draft, Sep. 1993.
Kosar, T. et al., “A Framework for Reliable and Efficient Data Placement in Distributed Computing Systems,” Journal of Parallel and Distributed Computing, vol. 65 (10), 1146-1157, Academic Press, Inc., Orlando, FL, USA, 2005.
Krief, F. et al., “An Intelligent Policy-Based Networking Environment for Dynamic Negotiation, Provisioning and Control of QoS,” IFIP TC6/WG6.2 & WG6.7 Conference on Network Control and Engineering for QoS, Security and Mobility, (Net-Con 2002), 285-290, Kluwer Academic Publishers, 2002.
Law, K.L.E. et al., “Policy-Based Management With Active Networks,” IFIP TC6/WG6.2 &WG6.7 Conference on Network Control and Engineering for QoS, Security and Mobility, (Net-Con 2002), 129-140, Kluwer Academic Publishers 2002.
Law, K.L.E. et al., “UPM: Unified Policy-Based Network Management,” Proc. SPIE, (ITCom 2001), vol. 4523, 326-337, Denver, CO, USA, 2001.
Law, K.L.E. et al., “Performance of a Multi-Tiered Policy-Based Management System,” IFIP TC6/WG6.2 & WG6.7 Conference on Network Control and Engineering for QoS, Security and Mobility, (Net-Con 2002), 203-214, Kluwer Academic Publishers, 2002.
Lee, D.W. et al., “Managing Fault Tolerance Information in Multi-Agents Based Distributed Systems,” Lecture Notes in Computer Science, vol. 2690, Intelligent Data Engineering and Automated Learning, (IDEAL 2003), 104-108, Springer-Verlag, Germany, 2003.
Maes, S. et al., “Identifiability of Causal Effects in a Multi-Agent Causal Model,” IEEE/WIC International Conference on Intelligent Agent Technology, (IAT'03), 605, IEEE Press, 2003.
Mahler, R.P. et al. “Technologies for Unified Collection and Control of UCAVs,” Proc. of SPIE vol. 4729, 90-101, 2002.
Matsuura, S. et al., “An Extension of ECA Architecture and its Application to HTML Document Browsing,” IEEE International Conference on Systems, Man, and Cybernetics, vol. 1, 738-743, IEEE Press 1999.
Maxim, M. and Venugopal, A., “Securing Agent Based Architectures,” Lecture Notes in Computer Science vol. 2480, Proc. First International Conference on Engineering and Deployment of Cooperative Information Systems, 220-231, Springer-Verlag, Germany, 2002.
McAfee System Protection Solutions, “Enforcing Endpoint Policies for Network Access with Policy Enforcer: Selecting the Right Solution for your Environment,” 2005, available at http:/mcafee.com/us/local content/white papers/wp—mpe securingyounetwork.pdf.
McAfee System Protection Solutions, “McAfee Policy Enforcer,” 2005, available at: http://www.mcafee.com/us/local content/datasheets/ds policy enforcer.pdf.
Meyer, B. et al., “Towards Implementing Policy-Based Systems Management,” Distrib. Syst. Engng vol. 3, 78-85, The Institution of Electrical Engineers and IOP Publishing, Ltd., 1996, available at http://www.mobile.ifi.lmu.de/common/Literatur/MNMPub/Publikationen/map96/PDF-Version/map96.pdf.
Molta, D., “Odyssey Makes Wireless LANs a Safe Trip,” Networking Computing, 24, 26, 2002, available at <http://www.networkcomoutina.com/1311/1311so2.html>.
Montananri R. et al, “Context-Based Security Management for Multi-Agent Systems,” Proc. Second IEEE Symposium on Multi-Agent Security and Survivability (MAS&S 2005), IEEE Press, 2005.
Neuman et al., The Kerberos Network Authentication Service (V5), Internet draft, work in progress, Sep. 2004.
Non Final Office Action dated Jun. 6, 2008. U.S. Appl. No. 10/711,729.
Notice of Allowance for U.S. Appl. No. 10/956,764 dated Sep. 21, 2010.
Notice of Allowance for U.S. Appl. No. 10/711,729 dated Feb. 19, 2010.
Notice of Allowance for U.S. Appl. No. 10/711,730 dated Dec. 29, 2009.
Notice of Allowance for U.S. Appl. No. 10/956,832 dated Sep. 21, 2010.
Notice of Allowance for U.S. Appl. No. 11/365,355 dated Apr. 13, 2011.
Notice of Allowance on U.S. Appl. No. 11/365,355 dated Jul. 22, 2011.
Notice of Allowance on U.S. Appl. No. 12/783,266 dated Jun. 12, 2012.
Notice of Allowance on U.S. Appl. No. 13/208,970 dated Jul. 18, 2012.
Notice of Allowance on U.S. Appl. No. 13/243,402 dated Oct. 3, 2012.
Notice of Allowance U.S. Appl. No. 11/255,311 dated May 20, 2011.
Notice of Reasons for Rejection for JP 2007-534587 dated Dec. 10, 2010.
Office action for U.S. Appl. No. 10/711,731 dated Apr. 17, 2009.
Office action for U.S. Appl. No. 10/711,731 dated Jun. 17, 2008.
Office action for U.S. Appl. No. 10/711,731 dated Oct. 20, 2008.
Office Action for U.S. Appl. No. 10/711,730 dated Apr. 28, 2009.
Office Action for U.S. Appl. No. 10/711,730 dated Jun. 27, 2008.
Office Action for U.S. Appl. No. 10/711,730 dated Dec. 11, 2008.
Office Action for U.S. Appl. No. 10/956,764 dated Oct. 8, 2008.
Office action for U.S. Appl. No. 11/272,598 dated Oct. 7, 2008.
Office Action for U.S. Appl. No. 11/365,355 dated Dec. 28, 2010.
Office Action for AU appln 2005292566 dated May 6, 2009.
Office Action for AU appln 2005292566 dated Jun. 23, 2010.
Office Action for AU appln 2005292568 dated Apr. 27, 2010.
Office Action for CN appln 20050041052.2 dated Nov. 27, 2009.
Office Action for CN appln 2005800470611 dated Jul. 17, 2009.
Office Action for CN appln 2005800470611 dated Jul. 1, 2010.
Office Action for U.S. Appl. No. 10/711,731 dated Jun. 29, 2011.
Office Action for U.S. Appl. No. 10/711,731 dated Jan. 6, 2010.
Office Action for U.S. Appl. No. 10/956,764 dated Mar. 4, 2010.
Office Action for U.S. Appl. No. 10/956,835 dated Feb. 18, 2010.
Office Action for U.S. Appl. No. 10/711,729 dated Sep. 4, 2009.
Office Action for U.S. Appl. No. 10/711,731 dated Sep. 21, 2009.
Office Action for U.S. Appl. No. 10/956,764 dated Jul. 7, 2009.
Office Action for U.S. Appl. No. 10/956,835 dated Sep. 1, 2009.
Office Action for U.S. Appl. No. 11/255,311 dated Jun. 23, 2009.
Office Action for U.S. Appl. No. 11/255,311 dated Sep. 30, 2010.
Office Action for U.S. Appl. No. 11/272,598 dated Jul. 23, 2009.
Office Action on U.S. Appl. No. 10/711,731 dated Feb. 1, 2011.
Office Action on U.S. Appl. No. 10/711,731 dated Apr. 5, 2013.
Office Action on U.S. Appl. No. 10/711,731 dated Jun. 15, 2012.
Office Action on U.S. Appl. No. 11/557,683 dated Jan. 19, 2011.
Office Action on U.S. Appl. No. 11/557,683 dated Nov. 2, 2009.
Office Action on U.S. Appl. No. 11/557,683 dated Apr. 30, 2010.
Office Action on U.S. Appl. No. 11/557,683 dated Jun. 7, 2012.
Office Action on U.S. Appl. No. 11/557,683 dated Jul. 22, 2011.
Office Action on U.S. Appl. No. 12/783,266 dated Jan. 4, 2012.
Office Action on U.S. Appl. No. 13/208,970 dated Apr. 6, 2012.
Office Action on U.S. Appl. No. 13/243,402 dated Jun. 6, 2012.
TCG Published, “TCG Trusted Network Connect TNC Architecture for Interoperability,” 2005, available at: https://www.trustedcomputinggroup.org/ groups/network/TNC—Architecture—v1—0—r4.pdf.
Tierling, E.: “Gezaehmtes Monster”, CT Magazin Fuer Computer TEchnik, Verlag Heinz Heise GMBH., Hannover, DE, No. 10, 1998, pp. 226-228, 230, 23, XP000740851, ISSN: 0724-8679.
Trusted Computing Group, “Trusted Network Connect Open Standards for Integrity-Based Network Access Control,” 2005, available at: https://www.trustedcomputinggroup.org/groups/network/Open—Standard—for—IntegrityBased—AccessControl.pdf.
Trusted Computing Group, “Trusted Network Connect to Ensure Endpoint Integrity,” 2005, available at: https://www.trustedcomputinggroup.org/groups/network/TNC—NI-collateral—10—may—(2).pdf.
Uszok, A. et al., “KAoS Policy and Domain Services: Toward a Description-Logic Approach to Policy Representation, Deconfliction, and Enforcement,” Proc. 4th International Workshop on Policies for Distributed Systems and Networks, (Policy '03), 93, IEEE Press, 2003.
Wang, D. et al., “Study on SOAP-Based Mobile Agent Techniques,” Lecture Notes in Computer Science, vol. 2480, Proc. First International Conference on Engineering and Deployment of Cooperative Information Systems, 208-219, Springer-Verlag, Germany, 2002.
Wittner, O., and Helvik, B.E., “Distributed Soft Policy Enforcement by Swarm Intelligence; Application to Loadsharing and Protection,” Ann. Telecommun., vol. 59, No. 1-2, 10-24, 2004.
Xia, H. et al., “Using Secure Coprocessors to Protect Access to Enterprise Networks,” Lecture Notes in Computer Science, vol. 3462, Proc. International IFIP-TC6 Networking Conference, (Networking 2005), Springer-Verlag, Germany, 2005, available at http://www.cs.pittedu/-jcb/papers/net2005.pdf.
Xu, Y. et al., “An Agent-Based Data Collection Architecture for Distributed Simulations,” Intl J. of Modeling and Simulation, 24(2), 55-64, 2004.
Yang, K. et al, “Service and Network Management Middleware for Cooperative Information Systems through Policies and Mobile Agents,” Lecture Notes in Computer Science, vol. 2480,Proc. First International Conference on Engineering and Deployment of CooperativeInformation Systems, 232-246, Springer-Verlag, Germany, 2002.
Yang, S., “Setting up a Secure Public Workstation,” “lols '99: Proceedings of the 14th Integrated Online Library Systems Meeting May 19-20, 1999,”, May 1998.
Yocom, B., et al., “A First Look at Wireless Security Products,” Business Comm. Review, 36-48, Oct. 2003.
Yu, Y. et al., “Quality of Service Policy Control in Virtual Private Networks,” Proc. of SPIE, vol. 5282, 1055-1060, 2003.
Official Action for Israeli Patent Application No. 182286 dated Dec. 23, 2010 (including translation).
Page, S.E., “Self Organization and Coordination,” Computational Economics, vol. 18, 25-48, Kluwer Academic Publishers, 2001.
Palmer, D. et al., “Decentralized Cooperative Auction for Multiple Agent Task Allocation Using Synchronized Random Number Generators,” Proc. IEEE/RSJ International Conference on Intelligent Robots and Systems, 1963-1968, IEEE Press, 2003.
Patwardhan, A. et al., “Enforcing Policies in Pervasive Environments,” First Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services, (MobiQuitous '04), 299-308, IEEE Press, 2004.
Perkins et al., “Route Optimization in Mobile IP,” Internet draft, work in progress, Sep. 2001.
Randic, M. et al., “Object by Value Transfer Mechanisms for Obligation Policy Enforcement Object Loading,” Proc. 12th IEEE Mediterranean Electrotechnical Conference, (Melecon 2004), IEEE Press, 2004.
Restriction requirement for U.S. Appl. No. 10/956,764 dated Apr. 1, 2009.
Sapuntzakis, Constantine, “Optimizing the Migration of Virtual Computers”, USENIX Association, 5th Symposium on Operating Systems Design and Implementation, pp. 1-14.
Simon et al., “A Cryptographic Protocol to Obtain Secure Communications in Extended Ethernet Environment,” Proc. 17th Conf. on Local Computer Networks, 254-261, IEEE CS Press, 1992.
Sirbu, et al., “Distributed Authentication in Kerberos Using Public Key Cryptograph,” Proc. 1997 Symposium on Network and Distributed Systems Security (SNDSS'97), 134-141, IEEE CS Press, 1997.
Suri, N. et al., “DAML-based Policy Enforcement for Semantic Data Transformation and Filtering in Multi-agent Systems,” Lecture Notes in Computer Science, vol. 2691, Proc. 2nd International Joint Conference on Autonomous Agents and Multi-Agent Systems, (AAMAS 2003), 1132-1133, ACM Press, New York, USA, 2003.
Suri, N. et al., “Enforcement of Communications Policies in Software Agent Systems through Mobile Code,” Proc. 4th International Workshop on Policies for Distributed Systems and Networks, (Policy '03), 247, IEEE Press, 2003.
Takahashi, K. et al., “Integrating Heterogeneous and Distributed Information by Linking it to Structured Information as an ‘Information Integration Directory’,” J81-D-I(5): 443-450, 1998.
Zhang, Y. and You, J., “An RBAC Based Policy Enforcement Coordination Model in Internet Environment,” Lecture Notes in Computer Science, vol. 2480, Proc. First International Conference on Engineering and Deployment of Cooperative Information Systems, 466-477, Springer-Verlag, Germany, 2002.
U.S. Appl. No. 11/255,311, filed Oct. 21, 2005.
U.S. Appl. No. 13/208,970, filed Aug. 12, 2011.
U.S. Appl. No. 11/365,355, filed Mar. 1, 2006.
U.S. Appl. No. 13/243,402, filed Sep. 23, 2011.
U.S. Appl. No. 13/735,550, filed Jan. 7, 2013.
U.S. Appl. No. 10/956,832, filed Oct. 1, 2004.
U.S. Appl. No. 11/272,598, filed Nov. 14, 2005.
U.S. Appl. No. 10/711,730, filed Sep. 30, 2004.
U.S. Appl. No. 10/956,764, filed Oct. 1, 2004.
U.S. Appl. No. 10/711,731, filed Sep. 30, 2004.
U.S. Appl. No. 10/711,729, filed Sep. 30, 2004.
U.S. Appl. No. 12/783,266, filed May 19, 2010.
U.S. Appl. No. 11/557,683, filed Nov. 8, 2006.
“Cisco Distributed Director,” Posted Feb. 21, 1997, 16 pages, [Online] [Retrieved on Dec. 4, 1997] Retrieved from the internet<URL:http://www.cisco.com/wart/public/751/distdir/dd—wp.htm>.
European Search Report for European Application No. 08009196.0 date of completion Oct. 23, 2008. (7 pages).
Examiner Comments for preparation of Oral Proceedings on Nov. 1, 2011 in EPO in Berlin for EP 05798714 dated Dec. 30, 2010.
Notice of Allowance on U.S. Appl. No. 11/557,683 dated May 15, 2013.
Office Action on U.S. Appl. No. 11/557,683 dated Oct. 2, 2012.
Related Publications (1)
Number Date Country
20130332991 A1 Dec 2013 US
Continuations (1)
Number Date Country
Parent 11557683 Nov 2006 US
Child 13969796 US