US2009178111A1PendingUtilityA1

System and method for maintaining security in a distributed computer network

54
Assignee: BEA SYSTEMS INCPriority: Oct 28, 1998Filed: Mar 10, 2009Published: Jul 9, 2009
Est. expiryOct 28, 2018(expired)· nominal 20-yr term from priority
H04L 63/102H04L 63/105H04L 63/0263G06F 2221/2145G06F 21/604H04L 63/1425H04L 63/1408G06F 2221/2111G06F 21/552G06F 2221/2151G06F 2221/2117G06F 21/6218G06F 2221/2141G06F 2221/2149Y10S707/99939
54
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A system for maintaining security in a distributed computing environment comprises a policy manager located on a server to maintain policy data files and distribute local security policies to a plurality of clients, and a plurality of application guards, wherein each application guard is located at one of the plurality of clients to manage access by individual transactions to at least one application associated with the application guard, wherein the application guard controls access to the application based on a local security policy received from the policy manager.

Claims

exact text as granted — not AI-modified
1 . A system for maintaining security in a distributed computing environment, comprising:
 a policy manager located on a server to maintain policy data files and distribute local security policies to a plurality of clients; and   a plurality of application guards, wherein each application guard is located at one of the plurality of clients to manage access by individual transactions to at least one application associated with the application guard, wherein the application guard controls access to the application based on a local security policy received from the policy manager,   wherein the application guard receives an authorization request including a subject, an object and a privilege and evaluates said request by matching the rules received from the policy manager to said subject, said object and said privilege in order to control access to said application associated with the application guard.   
   
   
       2 . The system of  claim 1  wherein:
 the policy manager derives local security policies from a global security policy, the global security policy includes a plurality of rules applicable to all application guards in the system.   
   
   
       3 . The system of  claim 2  wherein:
 the policy manager optimizes the global security policy into an optimized form, wherein the optimized form only distributes attributes relevant to a specific application guard.   
   
   
       4 . The system of  claim 1  wherein:
 the policy manager computes any differences caused by a modification on the security policy and commit only the changed portion of the security policy to an appropriate application guards.   
   
   
       5 . The system of  claim 1  wherein:
 the policy manager supports concurrent rule development by multiple users.   
   
   
       6 . The system of  claim 1  wherein:
 the policy manager tracks and record authorization requests.   
   
   
       7 . The system of  claim 1  wherein:
 the policy manager is associated with an application guard to allow only authorized administrator to access and operate the policy manager.   
   
   
       8 . The system of  claim 1  wherein:
 the policy manager reviews and reconstructs policy rules to make sure the policy rules are syntactically and semantically correct to a predefined policy language.   
   
   
       9 . The system of  claim 1  wherein:
 the policy manager determines which application guard needs to receive which policy rules.   
   
   
       10 . The system of  claim 1  wherein:
 the application guard is integrated into the application associated with the application guard.   
   
   
       11 . The system of  claim 1  wherein:
 the application guard evaluates the authorization request against a stored local security policy.   
   
   
       12 . The system of  claim 1  wherein:
 the application guard is associated with plug-ins to allow for additional capabilities to process and evaluate the authorization request based on customized code.   
   
   
       13 . The system of  claim 1  wherein:
 the application guard is implemented as a remote authorization service through a remote procedure call to another server.   
   
   
       14 . The system of  claim 1  wherein:
 the application guard uses multiple authorization engines to add performance and reliability.   
   
   
       15 . The system of  claim 1 , further comprising:
 an enterprise policy database that allows a user to enter policy rules one at a time.   
   
   
       16 . The system of  claim 16 , further comprising:
 a policy loader to bulk load a existing set of policy rules into the enterprise policy database.   
   
   
       17 . A system for maintaining security in a distributed computing environment, comprising:
 a policy manager located on a server to maintain policy data files and distribute local security policies to a plurality of clients, wherein the policy manager operates to   derive local security policies from a global security policy, the global security policy includes a plurality of rules applicable to one or more of the plurality of clients;   organize the global security policy into an optimized form, wherein the optimized form only distributes attributes relevant to a specific client;   compute any differences caused by a modification on the global security policy and commit only the changed portion of the global security policy to a specific client;   
   
   
       18 . A system for maintaining security in a distributed computing environment, comprising:
 a plurality of application guards, wherein each application guard is located at one of a plurality of clients to manage access by individual transactions to at least one application associated with the application guard, wherein the application guard controls access to the application based on a local security policy received from a policy manager,   wherein the application guard receives an authorization request including a subject, an object and a privilege and evaluates said request by matching the rules received from the policy manager to said subject, said object and said privilege in order to control access to said application associated with the application guard.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.