TECHNIQUES OF OPTIMIZING POLICIES IN AN INFORMATION MANAGEMENT SYSTEM

Abstract
In an information management system, policies are optimized before they are associated with a device in order to increase evaluation speed, reduce space requirements, or both. Optimization techniques may include common subexpression elimination, constant folding, constant propagation, comparison optimization, dead code or subexpression removal, map or lookup table generation, policy rewriting, redundant policy elimination, heuristic-based policy ordering, or policy-format transformation, and combinations of these.
Description

BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 shows a diagram of a distributed computing network connecting a server and clients.



FIG. 2 shows a more detailed diagram of a computer system which may be a client or server.



FIG. 3 shows a system block diagram of a computer system.



FIG. 4 shows a block diagram of a policy server that centrally manages policies that are used by workstations and servers according to a specific implementation of the invention.



FIG. 5 shows a block diagram of a number of workstations and document servers with policy enforcers installed that coexist within a system according to a specific implementation of the invention.



FIG. 6 shows a block diagram of minimal embodiments that utilize a number of workstations each with policy enforcers installed or a number of document servers each with policy enforcers installed according to a specific implementation of the invention.



FIG. 7 shows a block diagram of internal components of a policy server according to a specific implementation of the invention.



FIG. 8 shows a block diagram of the internal components of an intelligence server according to a specific implementation of the invention.



FIG. 9 shows a block diagram of an interceptor and a consequence applicator in a policy enforcement point (PEP) module according to a specific implementation of the invention.



FIG. 10 shows a block diagram of a policy enforcer that implements interception and enforcement functions using a PEP plug-in architecture according to a specific implementation of the invention.



FIG. 11 shows a block diagram of a policy enforcer installed on a workstation that controls access to files on the workstation according to the invention.



FIG. 12 shows a block diagram of a policy enforcer on a workstation enforcing access control to a non-file-system object according to the invention.



FIG. 13 shows a layer description of an implementation of a policy language system of the invention.



FIG. 14 shows the functional modes of an information system of the invention.



FIG. 15 shows an example of interactions between multiple policies and multiple policy abstractions.



FIG. 16 shows an example of one policy and multiple policy abstractions, where one policy abstraction references other policy abstractions.



FIG. 17 shows accessing a confidential document and seeking approval, with a centralized decision.



FIG. 18 shows accessing a confidential document and seeking approval, with a distributed decision.



FIG. 19 shows blocking sending of a confidential document outside the company.



FIG. 20 shows encrypting a confidential document when copying to a removable device.



FIG. 21 shows sending of a confidential document between users who should observe separation of duties.



FIG. 22 shows an example of a deployment operation to a workstation of an information management system.



FIG. 23 shows an example of a deployment operation of rules associated with a user.



FIG. 24 shows an example of a push operation, pushing one set of rules to a workstation and another set of rules to a server.



FIGS. 25-50 show syntax diagrams for a specific implementation of a policy language, the Compliant Enterprise Active Control Policy Language (ACPL).



FIG. 51 provides a legend explaining the nodes used in FIGS. 25-50.


Claims
  • 1. A method of managing information comprising: providing a plurality of rules and a plurality of abstractions, wherein a rule comprises an expression having a variable, and the variable is defined in a first abstraction; determining a subset of the plurality of rules and abstractions relevant to a target; modifying the subset of rules and abstractions, wherein the modified subset of rules and abstractions are logically equivalent to the subset of rules and abstractions; associating the modified subset of rules and abstractions to the target; and for the target, controlling access to the information based on the modified subset of rules and abstractions.
  • 2. The method of claim 1 wherein the modifying the subset of rules and abstractions comprises: determining a characteristic of the target; removing a portion of at least one of the plurality of rules based on the characteristic of the target.
  • 3. The method of claim 1 wherein the modifying the subset of rules and abstractions comprises: determining a characteristic of the target; and removing a portion of at least one of the plurality of abstractions based on the characteristic of the target.
  • 4. The method of claim 1 wherein the modifying the subset of rules and abstractions comprises removing constant subexpressions from the rules.
  • 5. The method of claim 1 wherein the modifying the subset of rules and abstractions comprises replacing a constant subexpression in a rule with a constant.
  • 6. The method of claim 1 wherein the modifying the subset of rules and abstractions comprises removing constant subexpressions from the abstractions.
  • 7. The method of claim 1 wherein the modifying the subset of rules and abstractions comprises replacing a constant subexpression in an abstraction with a constant.
  • 8. The method of claim 1 wherein the modifying the subset of rules and abstractions comprises removing a subexpression having a variable from a rule when the subexpression evaluates to a constant.
  • 9. The method of claim 1 wherein the modifying the subset of rules and abstractions comprises removing a subexpression of a rule when the subexpression evaluates to a Boolean true.
  • 10. The method of claim 1 wherein the modifying the subset of rules and abstractions comprises removing a subexpression from a rule when the subexpression evaluates to a Boolean false.
  • 11. The method of claim 1 wherein the modifying the subset of rules and abstractions comprises replacing a variable in a rule with a constant when a value of the variable evaluates to a constant.
  • 12. The method of claim 1 further comprising: providing a rule having a first variable defined in a first abstraction, wherein the first abstraction has a second variable defined in a second abstraction; and evaluating the second variable, wherein the second variable evaluates to a constant, and the modifying the subset of rules and abstractions comprises: removing the second variable from the first abstraction.
  • 13. The method of claim 1 further comprising: providing a rule having a first variable defined in a first abstraction, wherein the first abstraction has a second variable defined in a second abstraction; and evaluating the second variable, wherein the second variable evaluates to a constant, and the modifying the subset of rules and abstractions comprises: replacing the second variable from the first abstraction with the constant.
  • 14. The method of claim 2 wherein the characteristic of the target comprises at least one of a device type of the target, a user associated with the target, a group associated with the target, an application executing on the target, or a capability of the target.
  • 15. A method of managing information comprising: providing a plurality of rules, wherein a rule comprises an expression; determining a subset of the plurality of rules relevant to a target; for the subset of the plurality of rules relevant to the target, modifying the subset of rules by removing portions of the expression not relevant to the target; associating the modified subset of rules to the target; and for the target, controlling access to the information based on the modified subset of rules.
  • 16. A method of managing information comprising: providing a plurality of rules, wherein a rule comprises an expression; determining a subset of the plurality of rules relevant to a target; for the subset of the plurality of rules relevant to the target, modifying the subset of rules by removing portions of the expression not relevant to the target; associating the modified subset of rules to the target; and for the target, controlling application usage based on the modified subset of rules.
  • 17. The method of claim 15 wherein the for the subset of the plurality of rules relevant to the target, modifying the subset of rules by removing portions of the expression not relevant to the target is replaced by for the subset of the plurality of rules relevant to the target, modifying the subset of rules by replacing a portion of the expression not relevant to the target with a constant.
  • 18. A method of managing information comprising: providing a plurality of rules, wherein a rule comprises an expression; determining a subset of the plurality of rules relevant to a target; for the subset of the plurality of rules relevant to the target, identifying a common subexpression; assigning the common subexpression to a variable; in the subset of the plurality of rules, replacing the common subexpression with the variable; associating the modified subset of the plurality of rules to the target; and for the target, controlling access to the information based on the modified subset of the plurality of rules.
  • 19. The method of claim 18 wherein the access to the information comprises sending an e-mail message.
  • 20. The method of claim 18 wherein the access to the information comprises editing a cell in a spreadsheet.
  • 21. A method of managing information comprising: providing a plurality of rules and a plurality of abstractions, wherein a rule comprises an expression; determining a subset of the plurality of rules and a subset of the plurality of abstractions relevant to a target; for the subset of the plurality of rules and the subset of the plurality of abstractions relevant to the target, identifying a common subexpression; assigning the common subexpression to a variable; in the subset of the plurality of rules and the subset of the plurality of abstractions, replacing the common subexpression with the variable; associating the modified subset of the plurality of rules and the subset of the plurality of abstractions to the target; and for the target, controlling access to the information based on the modified subset of the plurality of rules and the subset of the plurality of abstractions.
  • 22. The method of claim 21 wherein the access to the information comprises forwarding an e-mail message.
  • 23. The method of claim 21 wherein the access to the information comprises saving a document.
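An added example, not text from the patent: the per-target modification of claims 1 to 14 written as partial evaluation of a rule, with an exhaustive check that the modified rule stays logically equivalent for that target. The tuple expression format, the abstraction and attribute names, and the sample rule are constructed assumptions; abstractions are assumed to be acyclic.

```python
from itertools import product
# Constructed expression format (an assumption): True/False, ("eq", attr, value),
# ("not", e), ("and", a, b), ("or", a, b), ("ref", abstraction_name).
ABSTRACTIONS = {
    "portable": ("or", ("eq", "device_type", "laptop"), ("eq", "device_type", "tablet")),
    "finance_user": ("eq", "group", "finance"),
}
RULE = ("and", ("ref", "portable"),
        ("or", ("not", ("ref", "finance_user")), ("eq", "destination", "removable")))

def specialize(expr, abstractions, target):
    """Fold everything the target's known characteristics decide into constants."""
    if isinstance(expr, bool):
        return expr
    op = expr[0]
    if op == "ref":  # variable defined in an abstraction: inline its definition
        return specialize(abstractions[expr[1]], abstractions, target)
    if op == "eq":   # decided now if the attribute is a target characteristic
        return target[expr[1]] == expr[2] if expr[1] in target else expr
    if op == "not":
        inner = specialize(expr[1], abstractions, target)
        return (not inner) if isinstance(inner, bool) else ("not", inner)
    left, right = (specialize(e, abstractions, target) for e in expr[1:])
    absorbing = op == "or"  # True decides an OR, False decides an AND
    for a, b in ((left, right), (right, left)):
        if isinstance(a, bool):
            return a if a == absorbing else b  # otherwise a is the identity: drop it
    return (op, left, right)

def evaluate(expr, abstractions, request):
    if isinstance(expr, bool):
        return expr
    op = expr[0]
    if op == "ref":
        return evaluate(abstractions[expr[1]], abstractions, request)
    if op == "eq":
        return request.get(expr[1]) == expr[2]
    if op == "not":
        return not evaluate(expr[1], abstractions, request)
    left, right = (evaluate(e, abstractions, request) for e in expr[1:])
    return (left and right) if op == "and" else (left or right)

def equivalent_for_target(rule, optimized, abstractions, target, domains):
    """Exhaustively compare decisions over the attributes the target leaves open."""
    names = list(domains)
    return all(
        evaluate(rule, abstractions, {**target, **dict(zip(names, vals))})
        == evaluate(optimized, abstractions, {**target, **dict(zip(names, vals))})
        for vals in product(*domains.values()))
```

For a finance user's laptop the rule collapses to the single destination comparison, and for a desktop it folds to `False`, so it need not be deployed there at all. The equivalence holds only for the target the rule was specialized for, so a modified rule associated with a different target can yield a different access decision than the original.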
Provisional Applications (5)
Number Date Country
60755019 Dec 2005 US
60766036 Dec 2005 US
60743121 Jan 2006 US
60821050 Aug 2006 US
60870195 Dec 2006 US
Continuation in Parts (3)
Number Date Country
Parent 11383159 May 2006 US
Child 11615553 US
Parent 11383161 May 2006 US
Child 11383159 US
Parent 11383164 May 2006 US
Child 11383161 US