Enforcing universal access control in an information management system

US9384358B2 · US · B2

Patent metadata

Publication number: US-9384358-B2
Application number: US-201313915323-A
Country: US
Kind code: B2
Filing date: Jun 11, 2013
Priority date: Dec 29, 2005
Publication date: Jul 5, 2016
Grant date: Jul 5, 2016

Abstract

A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server.

Claims

The invention claimed is:

1. A method of controlling document access using rules, the method comprising: distributing a first plurality of rules to a client system from a rule database, wherein rules of the rule database comprises a conditional statement having a policy abstraction and a corresponding action that will be performed when the conditional statement is satisfied, and each policy abstraction has a corresponding definition statement stored in a definition statement database, different than the rules database, wherein the first plurality of rules distributed to the client system contains at least one expression used by the client system to perform access control for documents accessed by the client system, and wherein the client system rule distributing step dynamically selects the first plurality of rules for the client system; and distributing a second plurality of rules to a server from the rule database, wherein the second plurality of rules distributed to the server contain at least one expression used by the server to perform access control for documents stored on the server, wherein the server rule distributing step dynamically selects the second plurality of rules for the server, and wherein rules in the rule database are maintained by a central rule server.

2. The method of claim 1 wherein the at least one expression results in an allow consequence.

3. The method of claim 1 wherein the at least one expression results in a deny consequence.

4. The method of claim 1 wherein the at least one expression results in a delegate consequence.

5. The method of claim 1 wherein the rules and definition statement databases are stored on different computers.

6. The method of claim 1 wherein the rules and definition statement databases are stored on different computers.

7. The method of claim 1 further comprising: detecting a first access of information for a first document on the client system; determining a first rule of the second plurality of rules is used to control access to the first document, wherein the first rule comprises a first abstraction corresponding to a first definition statement; retrieving the first definition statement; and evaluating whether to allow or deny the first access of information according to the first rule.

8. The method of claim 7 further comprising: before evaluating the first rule, substituting the first abstraction with the first definition statement.

9. The method of claim 7 wherein the first definition statement is stored in a cache memory of the client system before the evaluating whether to allow or deny the first access of information according to the first rule.

10. The method of claim 7 wherein the first definition statement is retrieved from a separate client system than the client system.

11. The method of claim 7 wherein the first access of information occurs on the server.

12. The method of claim 7 wherein the first access of information occurs on the client system, separate from the server.

13. A method of controlling document access using rules, the method comprising: distributing a first plurality of rules to a client system from a rule database, wherein rules of the rule database comprises a conditional statement having a policy abstraction and a corresponding action that will be performed when the conditional statement is satisfied, and each policy abstraction and has a corresponding definition statement stored in a definition statement database, different than the rules database, wherein the first plurality of rules distributed to the client system contains at least one expression used by the client system to perform access control for documents accessed by the client system, and wherein the client system rule distributing step dynamically selects the first plurality of rules for the client system; controlling access to a plurality of documents by the client system, wherein the plurality of documents are stored at a server; detecting access to the plurality of documents at the client system; and transferring a plurality of definition statements associated with the first plurality of rules to the client system.

14. The method of claim 13 further comprising: distributing a second plurality of rules to the server from the rule database, wherein the second plurality of rules distributed to the server contain at least one expression used by the server to perform access control for documents stored on the server, wherein the server rule distributing step dynamically selects the second plurality of rules for the server, and wherein rules in the rule database are maintained by a central rule server.

15. The method of claim 13 further comprising: invoking a classification engine, wherein the rules database is accessible by the classification engine; at the classification engine, receiving information on the document accessible by the client system; and using the classification engine, extracting at least one attribute value of the document, wherein the at least one attribute value is used in evaluating a first rule.

16. The method of claim 13 further comprising: altering at least one rule at the rule database; and after the altering the at least one rule at the rule database, distributing a subset of rules to the client system.

17. The method of claim 13 further comprising: altering at least one rule at the rule database; and after the altering the at least one rule at the rule database, removing at least one rule from the plurality of rules at the client system.

18. The method of claim 13 further comprising: altering at least one rule at the rule database; and after the altering the at least one rule at the rule database, adding at least one rule to the plurality of rules at the client system.

19. The method of claim 13 wherein the detecting step is integrated into the client system's operating system.

20. The method of claim 13 further comprising: detecting an attempt by an application program on the client system to access a first document stored on the server; and allowing the access attempt, wherein the disallowing the attempt by the application program on the client system comprises disabling at least two application program functions, and the allowing the access attempt by the application program on the client system to access the first document comprises not disabling the at least two application program functions.
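The abstract and claims describe one architecture: a central rule server selects a subset of rules for each policy enforcer (claim 1), each rule is a conditional statement over policy abstractions whose definition statements live in a separate store (claims 1, 5), the enforcer substitutes the definition for the abstraction before evaluating (claim 8), caches definitions locally (claims 9, 13), returns an allow, deny or delegate consequence (claims 2 to 4), performs obligations such as auditing, and keeps deciding from what it has cached when the rule server is unreachable (abstract). The following Python sketch is an added illustration of that mechanism written for this page; it is not NextLabs code and not taken from the patent. The nested-tuple expression form, the "audit" obligation, the default-deny when no rule matches, and all rules, users and documents are constructed assumptions for the example.

```python
"""Toy policy enforcer: rules over abstractions, definitions resolved separately.
Everything here (rule format, sample rules, users, documents) is constructed
for illustration; it is not the patent's or NextLabs' implementation."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet, Iterator, List, Optional, Tuple, Union

Expr = Union[str, Tuple]        # a leaf is a policy-abstraction name; tuples are (op, *args)
Context = Dict[str, Any]        # facts about one access: user, doc, location


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Expr                     # conditional statement over abstractions
    action: str                         # consequence: "allow", "deny" or "delegate"
    targets: FrozenSet[str]             # enforcer kinds the rule server distributes it to
    obligation: Optional[str] = None    # assumed obligation performed when the rule fires


# Constructed definition-statement store (kept separate from the rules database).
DEFINITION_DB: Dict[str, Callable[[Context], bool]] = {
    "confidential_doc": lambda ctx: ctx["doc"]["classification"] == "confidential",
    "finance_group": lambda ctx: "finance" in ctx["user"]["groups"],
    "internal_network": lambda ctx: ctx["location"] == "office",
}

# Constructed rules database; rules are evaluated in order and the first match wins.
RULE_DB: List[Rule] = [
    Rule("deny-external-confidential",
         ("and", "confidential_doc", ("not", "internal_network")),
         "deny", frozenset({"client", "server"}), obligation="audit"),
    Rule("allow-finance", ("and", "confidential_doc", "finance_group"),
         "allow", frozenset({"client", "server"})),
    Rule("delegate-unclassified", ("not", "confidential_doc"),
         "delegate", frozenset({"client"})),          # client-only rule
]


class RuleServer:
    """Central rule server: dynamically selects the rules each enforcer needs."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)

    def rules_for(self, kind: str) -> List[Rule]:
        return [r for r in self.rules if kind in r.targets]


def leaves(expr: Expr) -> Iterator[str]:
    """Yield every abstraction name referenced by a conditional statement."""
    if isinstance(expr, str):
        yield expr
    else:
        for sub in expr[1:]:
            yield from leaves(sub)


class PolicyEnforcer:
    def __init__(self, kind: str, rule_server: RuleServer,
                 definition_db: Dict[str, Callable[[Context], bool]]) -> None:
        self.kind = kind
        self.rule_server = rule_server
        self.definition_db = definition_db      # stands in for the remote definition store
        self.rules: List[Rule] = []
        self.def_cache: Dict[str, Callable[[Context], bool]] = {}
        self.connected = True
        self.audit_log: List[str] = []

    def sync(self) -> None:
        """Pull this enforcer's rule subset and prefetch the definitions it references."""
        if not self.connected:
            raise ConnectionError("rule server unreachable")
        self.rules = self.rule_server.rules_for(self.kind)
        for rule in self.rules:
            for name in leaves(rule.condition):
                self.def_cache[name] = self.definition_db[name]

    def _definition(self, name: str) -> Callable[[Context], bool]:
        """Substitute an abstraction with its definition, from cache if possible."""
        if name in self.def_cache:
            return self.def_cache[name]
        if not self.connected:
            raise LookupError(f"definition for {name!r} not cached and server offline")
        self.def_cache[name] = self.definition_db[name]
        return self.def_cache[name]

    def _eval(self, expr: Expr, ctx: Context) -> bool:
        if isinstance(expr, str):
            return self._definition(expr)(ctx)
        op, *args = expr
        if op == "not":
            return not self._eval(args[0], ctx)
        if op == "and":
            return all(self._eval(a, ctx) for a in args)
        if op == "or":
            return any(self._eval(a, ctx) for a in args)
        raise ValueError(f"unknown operator {op!r}")

    def decide(self, ctx: Context) -> str:
        """Evaluate distributed rules locally; works offline once definitions are cached."""
        for rule in self.rules:
            if self._eval(rule.condition, ctx):
                if rule.obligation == "audit":     # obligation performed as part of evaluation
                    self.audit_log.append(
                        f"{rule.name}: {rule.action} {ctx['user']['name']} -> {ctx['doc']['id']}")
                return rule.action
        return "deny"   # assumption for this example: no matching rule means deny


def run_demo() -> Dict[str, Any]:
    server = RuleServer(RULE_DB)
    client = PolicyEnforcer("client", server, DEFINITION_DB)
    file_server = PolicyEnforcer("server", server, DEFINITION_DB)
    client.sync()
    file_server.sync()
    confidential = {"id": "q3-forecast.xlsx", "classification": "confidential"}
    public = {"id": "faq.txt", "classification": "public"}
    finance_office = {"user": {"name": "alice", "groups": ["finance"]}, "doc": confidential, "location": "office"}
    contractor_remote = {"user": {"name": "bob", "groups": ["contractors"]}, "doc": confidential, "location": "remote"}
    public_remote = {"user": {"name": "bob", "groups": ["contractors"]}, "doc": public, "location": "remote"}
    results = {
        "finance_office": client.decide(finance_office),        # allow
        "contractor_remote": client.decide(contractor_remote),  # deny, audited
        "client_public": client.decide(public_remote),          # delegate (client-only rule)
        "server_public": file_server.decide(public_remote),     # deny: rule never sent to server
    }
    client.connected = False                                    # link to rule server lost
    results["offline_contractor"] = client.decide(contractor_remote)  # still deny, from cache
    results["audit_entries"] = len(client.audit_log)            # 2
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two points worth noticing are the separation the claims insist on (the enforcer never sees the definition store's contents until it resolves an abstraction, so definitions can change without redistributing rules) and the consequence of pre-fetching definitions during `sync()`: the client keeps enforcing after `connected` is set to False, which is the autonomous operation the abstract describes. A definition that was never cached cannot be resolved offline, which is why the example fails closed with `LookupError` in that case rather than guessing.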

Assignees

Nextlabs Inc
Classifications

  • G06F21/62 (primary): Protecting access to data via a platform, e.g. using keys or access control rules
  • H04L63/20 (primary): for managing network security; network security policies in general (filtering policies H04L63/0227)

Additional CPC group titles (codes not captured on this page):

  • wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
  • for controlling access to devices or network resources
  • Grouping of entities

Frequently asked questions


Who is the assignee on this patent?
Nextlabs Inc

What technology area does this patent fall under?
Primary CPC classification G06F21/62. Mapped technology areas include Physics.

When was this patent published?
Jul 5, 2016 (kind code B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).