Techniques and System for Specifying Policies Using Abstractions

Abstract
A policy language for an information management system allows specifying one or more policies using policy abstractions. The policies and policy abstractions are decoupled from one another, so policies and policy abstractions may be specified and altered separately from each other. A policy may refer to any number of policy abstractions. Multiple policies may reference a single policy abstraction, and a change to that policy abstraction will result in multiple policies being changed. Further, policy abstractions may be nested, so one policy abstraction may reference another policy abstraction, and so forth.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a diagram of a distributed computing network connecting a server and clients.

FIG. 2 shows a more detailed diagram of a computer system which may be a client or server.

FIG. 3 shows a system block diagram of a computer system.

FIG. 4 shows a block diagram of a policy server that centrally manages policies that are used by workstations and servers according to a specific implementation of the invention.

FIG. 5 shows a block diagram of a number of workstations and document servers with policy enforcers installed, coexisting within a system according to a specific implementation of the invention.

FIG. 6 shows a block diagram of minimal embodiments that utilize a number of workstations each with policy enforcers installed or a number of document servers each with policy enforcers installed according to a specific implementation of the invention.

FIG. 7 shows a block diagram of internal components of a policy server according to a specific implementation of the invention.

FIG. 8 shows a block diagram of the internal components of an intelligence server according to a specific implementation of the invention.

FIG. 9 shows a block diagram of an interceptor and a consequence applicator in a policy enforcement point (PEP) module according to a specific implementation of the invention.

FIG. 10 shows a block diagram of a policy enforcer that implements interception and enforcement functions using a PEP plug-in architecture according to a specific implementation of the invention.

FIG. 11 shows a block diagram of a policy enforcer installed on a workstation that controls access to files on the workstation according to the invention.

FIG. 12 shows a block diagram of a policy enforcer on a workstation enforcing access control to a nonfile system object according to the invention.

FIG. 13 shows a layer description of an implementation of a policy language system of the invention.

FIG. 14 shows the functional modes of an information system of the invention.

FIG. 15 shows an example of the interactions between multiple policies and multiple policy abstractions.

FIG. 16 shows an example of one policy and multiple policy abstractions, where one policy abstraction references other policy abstractions.

FIG. 17 shows accessing a confidential document, seeking approval, with centralized decision.

FIG. 18 shows accessing a confidential document, seeking approval, with distributed decision.

FIG. 19 shows blocking sending of a confidential document outside the company.

FIG. 20 shows encrypting a confidential document when copying to a removable device.

FIG. 21 shows sending of a confidential document between users who should observe separation of duties.

FIG. 22 shows an example of a deployment operation to a workstation of an information management system.

FIG. 23 shows an example of a deployment operation of rules associated with a user.

FIG. 24 shows an example of a push operation, pushing one set of rules to a workstation and another set of rules to a server.

FIGS. 25-50 show syntax diagrams for a specific implementation of a policy language, the Compliant Enterprise Active Control Policy Language (ACPL).

FIG. 51 provides a legend explaining the nodes used in FIGS. 25-50.

Claims
  • 1. A method of managing information comprising: providing a plurality of rules and a plurality of abstractions, wherein a rule comprises an expression having a first variable, and the first variable is defined in a first abstraction; transferring the plurality of rules and abstractions to a target; and for the target, controlling access to information based on the plurality of rules and abstractions.
  • 2. A method of managing information comprising: providing a plurality of rules and a plurality of abstractions, wherein a rule comprises an expression having a first variable, and the first variable is defined in a first abstraction; determining a subset of the plurality of rules and abstractions relevant to a target; transferring the subset of rules and abstractions to the target; and for the target, controlling access to the information based on the subset of rules and abstractions.
  • 3. A method of managing information comprising: providing a plurality of rules and a plurality of abstractions, wherein a rule comprises an expression having a first variable, and the first variable is defined in a first abstraction; transferring the plurality of rules and abstractions to a target; and for the target, controlling application usage based on the plurality of rules and abstractions.
  • 4. The method of claims 1 or 2 wherein the target comprises a device.
  • 5. The method of claim 1 wherein when the target is a computer, the computer comprises executable code controlling access to the information based on the rules and abstractions.
  • 6. The method of claim 2 wherein when the target is a computer, the computer comprises executable code controlling access to the information based on the subset of rules and abstractions.
  • 7. The method of claims 1 or 2 wherein the first variable comprises a resource.
  • 8. The method of claim 7 wherein the resource comprises at least one of a file, an e-mail message, a Web page, a file system object, a portlet, a range of cells on a spreadsheet, a named region in a document, or an application data object.
  • 9. The method of claims 1 or 2 wherein the first variable comprises a resource name pattern.
  • 10. The method of claim 9 wherein the resource name pattern comprises a regular expression representing a file path or a URI specification.
  • 11. The method of claims 1 or 2 wherein the first variable comprises a subject.
  • 12. The method of claim 11 wherein the subject comprises at least one of a user, user group, device, or application program.
  • 13. The method of claims 1 or 2 wherein the first variable comprises a policy context term.
  • 14. The method of claim 13 wherein the policy context term comprises at least one of a specific time, a time of the day, a time period, a location, or a type of connectivity.
  • 15. The method of claims 1 or 2 wherein the definition of the first variable in the first abstraction comprises a second variable defined in a second abstraction.
  • 16. The method of claims 1 or 2 wherein the first variable in the first abstraction is provided as an expression.
  • 17. The method of claims 1 or 2 wherein the first variable is an expression comprising at least one of a string, integer, floating point, character, or Boolean.
  • 18. The method of claims 1 or 2 wherein the expression is a Boolean expression.
  • 19. The method of claim 2 wherein the target has a target profile comprising a user attribute and the determining a subset of the plurality of rules and abstractions relevant to the target comprises: finding the subset of the plurality of rules and abstractions applicable to the user attribute.
  • 20. The method of claim 2 wherein the target is a device and step of determining a subset of the plurality of rules and abstractions relevant to the target comprises: finding the subset of the plurality of rules and abstractions applicable to the device.
  • 21. The method of claim 1 wherein the step of transferring the plurality of rules and abstractions to the target comprises: storing the plurality of rules and abstractions in a memory of the target.
  • 22. The method of claim 2 wherein the transferring the subset of rules and abstractions to the target comprises: storing the subset of rules and abstractions in a memory of the target.
  • 23. The method of claim 1 wherein the transferring the plurality of rules and abstractions to the target comprises: storing the rules and abstractions in a nonvolatile memory of the target.
  • 24. The method of claim 2 wherein the transferring the subset of rules and abstractions to the target comprises: storing the subset of rules and abstractions in a nonvolatile memory of the target.
  • 25. The method of claims 1 or 2 wherein the information comprises at least one of files, e-mail messages, web pages, discussion threads, results of a database query, an electronic form, a file system object, cells on a spreadsheet, regions in a document, a data object managed by a messaging server, a data object managed by a collaboration server, a data object managed by a document management system, a data object managed by a content management system, or a data object addressable by a universal resource locator (URL) that is served by a Web server, or units of information stored on a server.
  • 26. The method of claims 1 or 2 wherein the access comprises at least one of opening a file, editing a file, printing a file, saving a file, copying a file, changing file attributes, sending an e-mail message, forwarding an e-mail message, attaching a document to an e-mail message, editing a cell on a spreadsheet, modifying a formula associated with a cell on spreadsheet, cut and paste, drag and drop, connecting to a server, establishing a conversation with another user, viewing a web page, or viewing the results of a database query.
  • 27. The method of claim 2 wherein the for the target, controlling access to the information based on the subset of rules and abstractions comprises: when the target requests an operation of opening of a specific file, allowing the operation only when there is no rule in the subset of rules and abstractions prohibiting the operation.
  • 28. The method of claim 2 wherein the for the target, controlling access to the information based on the subset of rules and abstractions comprises: when the target requests an operation of opening of a specific file, allowing the operation only when evaluating the subset of rules and abstractions does not prohibit the operation.
  • 29. The method of claim 2 wherein the step of for the target, controlling access to the information based on the subset of rules and abstractions comprises: when the target requests an operation of opening an e-mail message, allowing the operation only when there is no rule in the subset of rules and abstractions prohibiting the operation.
  • 30. The method of claim 2 wherein the for the target, controlling access to the information based on the subset of rules and abstractions comprises: when the target requests an operation of opening an e-mail message, allowing the operation only when evaluating the subset of rules and abstractions does not prohibit the operation.
  • 31. The method of claim 2 wherein the for the target, controlling access to the information based on the subset of rules and abstractions comprises: when the target requests an operation of sending an e-mail message, allowing the operation only when there is no rule in the subset of rules and abstractions prohibiting the operation.
  • 32. The method of claim 2 wherein the for the target, controlling access to the information based on the subset of rules and abstractions comprises: when the target requests an operation of sending an e-mail message, allowing the operation only when evaluating the subset of rules and abstractions does not prohibit the operation.
  • 33. The method of claim 2 wherein the step of for the target, controlling access to the information based on the subset of rules and abstractions comprises: when the target requests an operation of sending an original e-mail message, encrypting at least a portion of the e-mail message and sending the encrypted e-mail message instead of the original e-mail message.
  • 34. The method of claim 1 wherein the for the target, controlling access to the information based on the plurality of rules and abstractions comprises: when the target requests an operation and the operation is allowed by the relevant rules and abstractions, performing one or more tasks in addition to the operation.
  • 35. The method of claim 34 wherein the one or more tasks comprises altering a document or message which is a subject of the operation.
  • 36. The method of claim 34 wherein the one or more tasks comprises storing information about the requested operation in a storage location.
  • 37. The method of claim 2 wherein the for the target, controlling access to the information based on the subset of rules and abstractions comprises: when the target requests an operation and the operation is allowed by the relevant rules and abstractions, performing one or more tasks in addition to the operation.
  • 38. The method of claim 37 wherein the one or more tasks comprises altering a document or message which is a subject of the operation.
  • 39. The method of claim 37 wherein the one or more tasks comprises storing information about the requested operation in a storage location.
  • 40. The method of claims 1 or 2 wherein a rule comprises a context subexpression of the rule to allow access to information during a particular time period.
  • 41. The method of claims 1 or 2 wherein a rule comprises a context subexpression of the rule to allow access to information from a particular location.
  • 42. The method of claims 1 or 2 wherein a rule comprises a context subexpression of the rule to allow access to information via a particular type of connectivity.
  • 43. An information management system comprising: a plurality of rule components and a plurality of abstraction components, wherein a rule component comprises an expression having a variable, and the variable is defined in an abstraction component; a policy server component, accessing the rule and abstraction components; a workstation component, coupled to the policy server component, the workstation comprising a code component; a deployment mode of operation in which the policy server determines a set of rule and abstraction components relevant to the workstation component, and transfers this set of rule and abstraction components to the workstation component; and an execution mode of operation in which the code component of the workstation manages access to information of the information management system based on the set of rule and abstraction components.
  • 44. An information management system comprising: a plurality of rule components and a plurality of abstraction components, wherein a rule component comprises an expression having a variable, and the variable is defined in an abstraction component; a policy server component, accessing the rule and abstraction components; a workstation component, coupled to the policy server component, the workstation comprising a code component; a deployment mode of operation in which the policy server determines a set of rule and abstraction components relevant to the workstation component, and transfers this set of rule and abstraction components to the workstation component; and an execution mode of operation in which the code component of the workstation manages application usage in the information management system based on the set of rule and abstraction components.
  • 45. The information management system of claim 43 wherein the information of the information management system comprises at least one of a file, e-mail message, web page, discussion thread, results of a database query, an electronic form, results of a financial application operation, results of an enterprise resource planning application operation, a file system object, a data object managed by a messaging server, a data object managed by a collaboration server, a data object managed by a document management system, a data object managed by a content management system, a data object managed by a financial application, a data object managed by an enterprise resource planning system, or a data object addressable by a universal resource locator (URL) that is served by a Web server, or units of information stored on a server.
  • 46. The information management system of claim 43 wherein the execution mode of operation in which the code component of the workstation manages access to information of the information management system based on the set of rule and abstraction components is replaced by an execution mode of operation in which the code component of the workstation manages access to devices of the information management system based on the set of rule and abstraction components.
  • 47. The information management system of claim 46 wherein the devices comprise at least one of computers, fixed disk drives, USB devices, servers, personal digital assistant devices, storage devices, network attached storage (NAS) devices, networking devices, or telephony devices.
  • 48. A method of operating an information management system comprising: providing a plurality of rule components, each rule component comprising an expression having at least one variable; providing a plurality of abstraction components, each abstraction component being separate from the rule components, an abstraction component defining variables of the plurality of rule components, wherein a first variable is found in two or more of the rule components; modifying the first variable; and controlling access to information of the information management system according to two or more of the rule components having the modified first variable.
  • 49. The method of claim 48 wherein the at least one variable is not defined in the plurality of rule components.
  • 50. The method of claim 48 further comprising: transferring a first rule referencing the first variable to a first target and a second target; and after modifying the first variable, enforcing the first rule using the modified first variable at the first target and second target.
  • 51. The method of claim 48 wherein the controlling access to information of the information management system according to two or more of the rule components having the modified first variable comprises at least one of tracking, logging, blocking, encrypting, or notifying.
  • 52. The method of claim 48 wherein when the information of the information management system comprises intellectual property, the controlling access to information of the information management system according to two or more of the rule components having the modified first variable is replaced by controlling distribution of the intellectual property based on the rules and abstractions according to two or more of the rule components having the modified first variable, wherein controlling comprises at least one of tracking, logging, blocking, encrypting, or notifying.
  • 53. The method of claim 52 wherein intellectual property comprises proprietary information of an organization.
  • 54. A method of managing information comprising: providing a plurality of rules and a plurality of abstractions, wherein a rule comprises an expression having a first variable, and the first variable is defined in a first abstraction, and the definition of the first variable in the first abstraction comprises a second variable defined in a second abstraction; and for a target device, controlling sending of an e-mail message based on a subset of the rules and abstractions.
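The following is an added illustration, not code from the patent or from the ACPL language it describes. It models the concept stated in the abstract and in claims 1, 2, 15, 27 and 48: rules reference abstractions by name but never define them; abstractions may nest (claim 15); a deployment step selects the subset of rules and abstractions relevant to one target (claims 2 and 19); execution allows an operation only when no rule in that subset prohibits it (claim 27); and editing one shared abstraction changes the behaviour of every rule that references it, directly or through nesting (claim 48). The class names, the `Abstraction`/`Rule` fields, the glob-style resource patterns and all sample users, paths and rule names are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
import fnmatch


@dataclass
class Abstraction:
    """A named definition shared by rules: literal members plus nested abstraction names."""
    name: str
    members: set = field(default_factory=set)    # literal values: user ids or path patterns
    includes: list = field(default_factory=list)  # names of other abstractions (nesting)


@dataclass
class Rule:
    """A rule references abstractions by name; it never defines them itself."""
    name: str
    action: str    # e.g. "OPEN", "SEND"
    subject: str   # abstraction name (users / groups)
    resource: str  # abstraction name (resource name patterns)
    effect: str    # "DENY" or "ALLOW"


class PolicyStore:
    def __init__(self):
        self.abstractions = {}
        self.rules = {}

    def define(self, abstraction):
        self.abstractions[abstraction.name] = abstraction

    def add_rule(self, rule):
        self.rules[rule.name] = rule

    def resolve(self, name, _seen=None):
        """Expand an abstraction, following nested references; a cycle is visited once."""
        seen = _seen if _seen is not None else set()
        if name in seen:
            return set()
        seen.add(name)
        abstraction = self.abstractions[name]
        values = set(abstraction.members)
        for inner in abstraction.includes:
            values |= self.resolve(inner, seen)
        return values

    def dependents(self, name):
        """Names of abstractions that include `name`, directly or transitively."""
        result = {name}
        changed = True
        while changed:
            changed = False
            for a in self.abstractions.values():
                if a.name not in result and any(i in result for i in a.includes):
                    result.add(a.name)
                    changed = True
        return result

    def rules_affected_by(self, abstraction_name):
        """Rules whose meaning changes when this abstraction is edited."""
        affected = self.dependents(abstraction_name)
        return sorted(r.name for r in self.rules.values()
                      if r.subject in affected or r.resource in affected)

    def deploy(self, target_user):
        """Deployment mode: the rules, and the abstractions they need, relevant to one target."""
        subset = PolicyStore()
        for rule in self.rules.values():
            if target_user in self.resolve(rule.subject):
                subset.add_rule(rule)
                for name in (rule.subject, rule.resource):
                    self._copy_abstraction(name, subset)
        return subset

    def _copy_abstraction(self, name, dest):
        if name in dest.abstractions:
            return
        a = self.abstractions[name]
        dest.define(a)
        for inner in a.includes:
            self._copy_abstraction(inner, dest)

    def evaluate(self, subject, action, resource):
        """Execution mode: allow only when no DENY rule in this store matches the operation."""
        for rule in self.rules.values():
            if rule.effect != "DENY" or rule.action != action:
                continue
            if subject in self.resolve(rule.subject) and any(
                    fnmatch.fnmatch(resource, pat) for pat in self.resolve(rule.resource)):
                return False
        return True


def build_sample_store():
    """Constructed sample data (assumed for the example, not taken from the patent)."""
    store = PolicyStore()
    store.define(Abstraction("Engineers", members={"alice", "bob"}))
    store.define(Abstraction("Contractors", members={"carol"}))
    store.define(Abstraction("Staff", includes=["Engineers", "Contractors"]))      # nested
    store.define(Abstraction("DesignDocs", members={"/docs/design/*"}))
    store.define(Abstraction("Confidential", members={"/docs/finance/*"},
                             includes=["DesignDocs"]))                             # nested
    store.add_rule(Rule("no-contractor-design", "OPEN", "Contractors", "DesignDocs", "DENY"))
    store.add_rule(Rule("no-send-confidential", "SEND", "Staff", "Confidential", "DENY"))
    return store
```

Adding a user to the `Contractors` abstraction, with no rule edited, changes the outcome of both sample rules for that user, because `Staff` nests `Contractors`; `rules_affected_by` reports that blast radius before the change is deployed, which is the check an administrator wants when one abstraction is shared by many policies.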
Provisional Applications (5)
Number Date Country
60755019 Dec 2005 US
60766036 Dec 2005 US
60743121 Jan 2006 US
60821050 Aug 2006 US
60870195 Dec 2006 US
Continuation in Parts (3)
Number Date Country
Parent 11383159 May 2006 US
Child 11615477 US
Parent 11383161 May 2006 US
Child 11383159 US
Parent 11383164 May 2006 US
Child 11383161 US