CA2688271A1 - Methods and systems for interactive policy evaluation, access routing, and resource mapping using filters and for dynamic generation of filters - Google Patents
- Publication number
- CA2688271A1
- Authority
- CA
- Canada
- Prior art keywords
- client
- user interface
- resource
- graphical user
- policy
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0227—Filtering policies
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F8/00—Arrangements for software engineering
        - G06F8/30—Creation or generation of source code
          - G06F8/34—Graphical or visual programming
          - G06F8/38—Creation or generation of source code for implementing user interfaces
Abstract
A method for filter generation includes describing a first clause of a filter in a user interface. A filter is generated responsive to receiving a description of at least one of: i) a conjunctive clause of the filter, and ii) a disjunctive sub-clause of the first clause. In another aspect, a method for access routing includes determining, responsive to a rule, whether a server provides access to a resource according to a requested method. In another aspect, a method for interactive policy evaluation includes displaying a result of applying a policy to at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a requested access method. In another aspect, a user interface displays a result of applying a policy to a client, responsive to a received identification of a client characteristic.
Description
METHODS AND SYSTEMS FOR INTERACTIVE POLICY
EVALUATION, ACCESS ROUTING, AND RESOURCE MAPPING
USING FILTERS AND FOR DYNAMIC GENERATION OF FILTERS
FIELD OF THE INVENTION
The present disclosure relates to methods and systems for generating and using filters. In particular, the present disclosure relates to methods and systems for dynamic generation of complex filters using a graphical user interface and for interactive policy evaluation, access routing and resource mapping using filters.
BACKGROUND OF THE INVENTION
Administrators granting users access to resources may need to manage complex filters defining user access rights. An administrator may use a filter editor to generate Boolean expressions defining a filter. Typically, many administrative tools avoid giving the administrator complete freedom in defining filters, as there is a danger of confusing the administrator or, worse, creating filters that are difficult for the administrator to understand and manage. Typical administrative tools force the administrator to create filters of a fixed structure, for example, a list of conditions all of which must apply (implicit AND) or a list of conditions at least one of which must apply (implicit OR).
However, limiting an administrator's ability to define filters may make it harder for the administrator to specify complex but valid conditions. For example, in the Windows file system, it is possible to indicate that a user may read a file if they are a member of either group A or group B. It is not typically possible to specify that a user may read the file only if they are a member of both groups A and B, or only if the user belongs to group A but not group B.
Administrators granting users access to resources may need to manage complex policies defining user access rights. One challenge administrators typically face is determining the impact of applying a complex policy to requests from a group of users.
Additionally, an administrator may set an access control policy for a group of users but not know how that access control policy will impact users in the group who may belong to other groups having additional or conflicting requirements. One solution is to manually log in as each user with the created access control policy in place and determine the impact of the policies on the user. This is an unrealistic solution for administrators managing complex access control policies for large groups of users. Another solution is for the administrator to use a tool allowing the administrator to preview the results of applying a rule to one or more user requests for access, conventionally referred to as a Resultant Set of Policy (RSOP) tool. RSOP tools typically provide the administrator with a list of resources available to one or more users after the application of the rule.
However, RSOP tools are typically limited in functionality and scope. Not all resources that are available to users are necessarily supported by any one tool and an administrator may need several RSOP tools to determine the true impact of a policy on a set of users. Additionally, RSOP tools do not conventionally provide all of the information an administrator needs to understand a resultant set. For example, these tools typically list one or more resources to which access is allowed or denied for one or more users but do not typically explain how the tool made that determination or what the administrator would have to change in order to allow or deny additional resources or make exceptions for particular users. Furthermore, these tools typically do not allow for interactive use by an administrator or for the dynamic generation of a resultant set.
BRIEF SUMMARY OF THE INVENTION
In one aspect, a method for dynamic generation of filters using a graphical user interface includes the step of describing a first clause of a filter in a first graphical user interface element. At least one of: i) a conjunctive clause of the filter in a second graphical user interface element, and ii) a disjunctive sub-clause of the first clause of the filter in the first graphical user interface element, are described. A filter is generated, responsive to the contents of the first graphical user interface element and the second graphical user interface element.
In one embodiment, the first clause comprises a second filter. In another embodiment, the description of the first clause is received from a user via a third graphical user interface element. In still another embodiment, the first clause of the filter is described using a non-algebraic language.
In one embodiment, at least one of: i) a disjunctive clause of the filter in a second graphical user interface element, and ii) a conjunctive sub-clause of the first clause of the filter in the first graphical user interface element are described. In another embodiment, a conjunctive clause of the filter is described using a non-algebraic language.
In still another embodiment, a disjunctive sub-clause of the first clause of the filter is described using a non-algebraic language. In even still another embodiment, conjunctive or disjunctive sub-clauses of conjunctive or disjunctive sub-clauses are described. In yet another embodiment, a plurality of clauses of the filter is described.
In another aspect, a system for dynamic generation of filters using a graphical user interface includes a graphical user interface element and a filter. The graphical user interface element comprises a description of a first clause of a filter. The system includes one of: i) a second graphical user interface element comprising a description of at least one conjunctive clause of the filter, and ii) a description in the first graphical user interface element of a disjunctive sub-clause of the first clause of the filter. The filter is generated responsive to the contents of the first graphical user interface element and the second graphical user interface element.
In still another aspect, a method for access routing and resource mapping using filters includes the step of receiving a request from a client for access to a resource. A rule is identified, the rule having a rule priority level and associated with: i) a filter, ii) at least one method for providing access to the resource, and iii) a server in a plurality of servers. The filter is applied, the filter identifying at least one pre-requisite to accessing the resource. A determination is made that the client satisfies the at least one pre-requisite, responsive to applying the filter. A determination is made regarding whether to provide access to the resource to the client by the server in the plurality of servers according to the at least one method for providing access to the resource. The server in the plurality of servers provides access to the resource for the client according to the at least one method for providing access to the resource.
In yet another aspect, a system for access routing and resource mapping using filters includes a rule, a policy engine, and a server in a plurality of servers. The rule has a first rule priority level and includes i) an identification of a filter identifying at least one pre-requisite to accessing the resource, ii) an identification of at least one method for providing access to a resource, and iii) an identification of a server in a plurality of servers. The policy engine includes a means for identifying the rule, a means for applying the filter to a client requesting access to the resource, a means for determining that the client satisfies the at least one pre-requisite, responsive to applying the filter, and a means for determining whether to provide access to the resource to the client by the server in the plurality of servers according to the at least one method for providing access to the resource. The server in the plurality of servers provides access to the resource according to the at least one method for providing access.
In one aspect, a method for interactive policy evaluation using dynamically generated, interactive resultant sets of policies includes the step of receiving, by a graphical user interface, at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client. The method includes the step of displaying, by the graphical user interface, at least one policy applicable to the at least one received description. The method includes the step of displaying, by the graphical user interface, a decision made by applying the at least one policy to the at least one received description. In some embodiments, the method includes the step of simulating, by a policy simulation engine, an application of the at least one policy to the at least one received description.
In one embodiment, the graphical user interface receives, in the description of the client, a user identifier. In another embodiment, the graphical user interface receives, in the description of the client, a client internet protocol address. In still another embodiment, the graphical user interface receives, in the description of the resource, an identifier of the resource. In still even another embodiment, the graphical user interface receives, in the description of the resource, a file type of the resource. In yet another embodiment, the graphical user interface receives, in the description of the resource, identification of a server on which the resource resides.
In one embodiment, a configuration file is retrieved from a database, the configuration file identifying a property of the resource, such as a server on which the resource resides or an operating system executed by a server on which the resource resides. In another embodiment, the graphical user interface receives, in the description of the requested method of access, a description of a presentation layer protocol. In still another embodiment, the graphical user interface receives, in the description of the requested method of access, a description of a type of client agent. In still even another embodiment, the graphical user interface receives, in the description of the requested method of access, a description of a request to retrieve the resource. In yet another embodiment, the graphical user interface receives, in the description of the requested method of access, a request to remotely access the resource.
In one embodiment, a modification of a displayed filter is received. In another embodiment, a decision identified by the modified filter is displayed, responsive to the modification of the displayed filter. In still another embodiment, a modification of a displayed policy is received. In another embodiment, a decision identified by the modified policy is displayed, responsive to the modification of the displayed policy. In still another embodiment, a determination is made to apply at least one inapplicable policy to a client request for access to a resource. In yet another embodiment, a decision identified by the inapplicable policy is displayed.
In one embodiment, a modification of a displayed description of a user is received. In another embodiment, a decision identified by an application of the at least one policy to the modified description of the user is displayed. In still another embodiment, a modification of a displayed description of a requested resource is received. In yet another embodiment, a decision identified by an application of the at least one policy to the modified description of the resource request is displayed.
In one embodiment, the graphical user interface displays a decision made by applying the at least one policy to the at least one received description. In another embodiment, the graphical user interface displays an auditing decision made by applying the at least one policy to the at least one received description. In still another embodiment, the graphical user interface displays a load balancing decision made by applying the at least one policy to the at least one received description. In yet another embodiment, the graphical user interface displays a caching decision made by applying the at least one policy to the at least one received description.
In another aspect, a system for interactive policy evaluation using dynamically generated, interactive resultant sets of policies includes a graphical user interface, an interactive element in the graphical user interface, and a second element in the graphical user interface. The graphical user interface receives at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client. The interactive element in the graphical user interface displays at least one policy applicable to the received description.
The second element in the graphical user interface displays a decision made by applying the at least one policy to the received description. In some embodiments, the system includes a policy simulation engine simulating an application of the at least one policy to the received description.
In one embodiment, the graphical user interface includes a text box element displaying the received description of the client requesting access to the resource. In another embodiment, the graphical user interface includes a text box element displaying the received description of the resource. In still another embodiment, the graphical user interface includes a text box element displaying the received description of the method of access requested by the client. In yet another embodiment, the graphical user interface includes a user interface element that is one of a text box, an element enumerating available resources, an element enumerating Uniform Resource Locators associated with available resources, a drop-down menu, and a graphical depiction of a directory structure.
In still another aspect, a method for interactive evaluation of policies using a graphical user interface includes the step of displaying an identification of at least one resource. The method includes the step of receiving an identification of a characteristic of at least one client requesting access to the at least one resource. The method includes the step of displaying a result of applying the at least one policy associated with the at least one resource to the at least one client requesting access to the at least one resource, responsive to the at least one received identification of the characteristic of the at least one client. In some embodiments, the method includes the step of simulating, by a policy simulation engine, an application of the at least one policy to the at least one client requesting access to the at least one resource.
In one embodiment, the method includes the step of receiving an identification of a filter in the at least one policy, the filter satisfied by the at least one client. In another embodiment, the method includes the step of receiving an identification of a filter in the at least one policy, the filter not satisfied by the at least one client. In still another embodiment, the method includes the step of identifying, by a policy simulation engine, a characteristic of the at least one client responsive to an evaluation of at least one filter in the at least one policy.
In one embodiment, the method includes the step of determining whether at least one policy applies to the at least one client, responsive to the received identification of the characteristic. In another embodiment, the method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client. In still another embodiment, the method includes the step of displaying, by the graphical user interface, an indication that the application of the at least one policy results in a denial of access to the at least one resource by the at least one client. In still even another embodiment, the method includes the step of displaying, by the graphical user interface, an indication that the application of the at least one policy results in an authorization of access to the at least one resource by the at least one client. In yet another embodiment, the method includes the step of displaying, by the graphical user interface, an indication that the application of the at least one policy results in a request for additional information associated with the at least one client.
In another aspect, a method for interactive evaluation of policies using a graphical user interface includes the step of displaying an identification of at least one resource and the step of receiving an identification of a characteristic of at least one client requesting access to the at least one resource. The method includes the step of determining whether at least one policy applies to the at least one client, responsive to the received identification of the characteristic. The method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client.
In one embodiment, the method includes the step of receiving an identification of a type of application executed on the at least one client. In another embodiment, the method includes the step of determining that at least one policy applies to the at least one client, responsive to the received identification of the characteristic. In still another embodiment, the method includes the step of determining that at least one policy does not apply to the at least one client, responsive to the received identification of the characteristic. In still even another embodiment, the method includes the step of determining that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client.
In yet another embodiment, the method includes the step of displaying, by the graphical user interface, an indication that the application of the at least one policy results in a request for additional information associated with the at least one client.
In still another aspect, a system for interactive evaluation of policies using a graphical user interface includes a first graphical user interface element and a second graphical user interface element. The first graphical user interface element displays at least one resource. The second graphical user interface element receives an identification of a characteristic of at least one client and displays a result of an application of at least one policy associated with the at least one resource to the at least one client. In some embodiments, the system includes a policy simulation engine simulating application of the at least one policy associated with the at least one resource to the at least one client.
In some embodiments, the first graphical user interface element includes a display of a characteristic of the at least one client. In one embodiment, the first graphical user interface element includes a display of an identification of a type of application executed by the at least one client. In another embodiment, the second graphical user interface element includes an interface element indicating that an application of the at least one policy to the at least one client results in a denial of access to the at least one resource by the client. In still another embodiment, the second graphical user interface element includes an interface element indicating that an application of the at least one policy to the at least one client results in an allowance of access to the at least one resource by the client. In yet another embodiment, the second graphical user interface element includes an interface element indicating that additional information associated with the at least one client is needed to identify a result of an application of the at least one policy to the at least one client. In some embodiments, the second graphical user interface element includes an interface element displaying a filter of the at least one policy.
In one embodiment, the second graphical user interface element displays a decision made by applying at least one access control policy associated with the at least one resource to the at least one client. In another embodiment, the second graphical user interface element displays an auditing decision made by applying at least one auditing policy associated with the at least one resource to the at least one client.
In still another embodiment, the second graphical user interface element displays a load-balancing decision made by applying at least one load-balancing policy associated with the at least one resource to the at least one client. In yet another embodiment, the second graphical user interface element displays a caching decision made by applying at least one caching policy associated with the at least one resource to the at least one client.
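The three mechanisms summarised above (nested conjunctive and disjunctive filters that may include other filters as terms, priority-ordered rules that map a request to a server and an access method, and an evaluation that reports allow, deny, or that a further client characteristic is required) as one added Python example. It is not code from the patent or its assignee; the clause model, the report format returned by `simulate`, and the sample policy are assumptions made for illustration.

```python
# Added example, not code from the patent or its assignee: a small policy engine
# modelling nested filters, priority-ordered resource-mapping rules and the
# interactive evaluation the summary describes (allow / deny / more information
# required). All names and the sample policy are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

Tri = Optional[bool]  # True = satisfied, False = not satisfied, None = unknown

@dataclass(frozen=True)
class Condition:
    """Leaf term: client characteristic `key` equals (or contains) `value`."""
    key: str
    value: str

@dataclass(frozen=True)
class Clause:
    """Boolean node: `op` is 'and' or 'or', `negate` wraps the result in NOT.
    Terms may be Conditions, nested Clauses or whole Filters, so one filter can
    be a term of another and sub-clauses can nest to any depth."""
    op: str
    terms: tuple
    negate: bool = False

@dataclass(frozen=True)
class Filter:
    name: str
    root: Clause

def evaluate(term, client: dict) -> Tri:
    """Three-valued evaluation: a missing characteristic yields None unless the
    clause is already decided without it (a False in an AND, a True in an OR)."""
    if isinstance(term, Filter):
        return evaluate(term.root, client)
    if isinstance(term, Condition):
        if term.key not in client:
            return None
        have = client[term.key]
        return have == term.value or (isinstance(have, (set, frozenset, list)) and term.value in have)
    results = [evaluate(t, client) for t in term.terms]
    if term.op == "and":
        res = False if any(r is False for r in results) else (
            None if any(r is None for r in results) else True)
    elif term.op == "or":
        res = True if any(r is True for r in results) else (
            None if any(r is None for r in results) else False)
    else:
        raise ValueError(f"unknown operator {term.op!r}")
    return (not res) if (term.negate and res is not None) else res

def missing_characteristics(term, client: dict) -> set:
    """Characteristics referenced by `term` that the client description lacks."""
    if isinstance(term, Filter):
        return missing_characteristics(term.root, client)
    if isinstance(term, Condition):
        return set() if term.key in client else {term.key}
    return set().union(*(missing_characteristics(t, client) for t in term.terms))

@dataclass(frozen=True)
class Rule:
    """A client satisfying `prerequisite` gets `resource` from `server` via
    `method`; among rules matching a request the highest priority wins."""
    name: str
    priority: int
    resource: str
    method: str
    prerequisite: Filter
    server: str

def simulate(rules, client: dict, resource: str, method: str) -> dict:
    """Interactive policy evaluation: which rules apply to the request, which
    filters the client satisfied or failed, and the resulting decision."""
    applicable = sorted((r for r in rules if r.resource == resource and r.method == method),
                        key=lambda r: r.priority, reverse=True)
    report = {"applicable": [r.name for r in applicable], "satisfied": [], "unsatisfied": [],
              "missing": set(), "decision": "deny", "server": None}
    for rule in applicable:
        verdict = evaluate(rule.prerequisite, client)
        if verdict is None:  # undecidable until the administrator supplies more about the client
            report["missing"] = missing_characteristics(rule.prerequisite, client)
            report["decision"] = "additional information required"
            return report
        if verdict:  # highest-priority satisfied rule routes the request to its server
            report["satisfied"].append(rule.prerequisite.name)
            report["decision"], report["server"] = "allow", rule.server
            return report
        report["unsatisfied"].append(rule.prerequisite.name)
    return report  # no applicable rule satisfied: access denied

# Constructed sample policy. "Member of group A but not group B" is the filter the
# background says a fixed AND-list or OR-list editor cannot express.
IN_A, IN_B = Condition("group", "A"), Condition("group", "B")
ENGINEERS = Filter("engineers", Clause("and", (IN_A, Clause("and", (IN_B,), negate=True))))
MANAGED_ENGINEERS = Filter("managed-engineers", Clause("and", (ENGINEERS, Condition("agent", "managed"))))
RULES = (
    Rule("full-copy", 20, "payroll.xlsx", "download", MANAGED_ENGINEERS, "fileserver-1"),
    Rule("preview-only", 10, "payroll.xlsx", "download", ENGINEERS, "preview-gateway"),
)
```

A client in group A with a managed agent is routed to `fileserver-1`; the same client with an unmanaged agent falls through to the lower-priority preview rule, and a client whose agent type is unknown gets "additional information required" with `agent` listed as the characteristic to supply.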
BRIEF DESCRIPTION OF THE DRAWINGS
The foregoing and other objects, aspects, features, and advantages of the disclosure will become more apparent and better understood by referring to the following description taken in conjunction with the accompanying drawings, in which:
FIG. 1A is a block diagram depicting an embodiment of a network environment comprising client machines in communication with remote machines;
FIGs. 1B and 1C are block diagrams depicting embodiments of computers useful in connection with the methods and systems described herein;
FIG. 2A is a block diagram depicting one embodiment of a network including a policy engine;
FIG. 2B is a block diagram depicting one embodiment of a policy engine, including a first component comprising a condition database and a logon agent, and including a second component comprising a policy database;
FIG. 3A is a block diagram depicting one embodiment of a system for dynamic generation of filters using a graphical user interface;
FIG. 3B is a screen shot of one embodiment of a graphical user interface in a system for dynamic generation of filters using a graphical user interface;
FIG. 3C is a screen shot of an embodiment of a graphical user interface in a system for dynamic generation of filters using a graphical user interface;
FIG. 3D is a screen shot of an embodiment of a graphical user interface in a system for dynamic generation of filters using a graphical user interface;
FIG. 3E is a screen shot of an embodiment of a graphical user interface for adding a condition to a filter;
FIG. 3F is a screen shot depicting an embodiment of a graphical user interface for displaying a first filter included as a term in a second filter;
FIG. 3G is a screen shot of an embodiment of a graphical user interface for customizing a clause of a filter;
FIG. 4 is a flow diagram depicting one embodiment of the steps taken in a method for dynamic generation of filters using a graphical user interface;
FIG. 5A is a block diagram depicting one embodiment of a system for access routing and resource mapping using filters;
FIG. 5B is a screen shot depicting one embodiment of a subset of rules in a resource mapping policy;
FIG. 6 is a flow diagram depicting one embodiment of the steps taken in a method for access routing and resource mapping using filters;
FIG. 7A is a block diagram depicting one embodiment of a system for interactive policy evaluation using resultant sets of policies;
FIG. 7B is a screen shot depicting one embodiment of a graphical user interface element receiving and displaying a description of a client requesting access to a resource;
FIG. 7C is a screen shot depicting one embodiment of a graphical user interface element for displaying a description of a resource requested by the client;
FIG. 7D is a screen shot depicting one embodiment of a graphical user interface element for displaying a description of a method of access requested by the client;
FIG. 7E is a screen shot depicting one embodiment of a user interface element displaying a decision;
FIG. 8A is a flow diagram depicting one embodiment of the steps taken in a method for interactive policy evaluation using resultant sets of policies;
FIG. 8B is a screen shot depicting one embodiment of a graphical user interface displaying a decision generated responsive to an automatic inference;
FIG. 8C is a screen shot depicting one embodiment of a graphical user interface displaying a condition that is used in a policy;
FIG. 8D is a screen shot depicting one embodiment of a graphical user interface displaying an access routing decision;
FIG. 9A is a block diagram depicting one embodiment of a system for interactive evaluation of policies using a graphical user interface;
FIG. 9B is a screen shot depicting an embodiment of a user interface for interactive evaluation of policies;
FIG. 9C is a screen shot depicting an embodiment of a user interface for interactive evaluation of policies;
FIG. 10 is a flow diagram depicting one embodiment of the steps taken in a method for interactive evaluation of policies using a graphical user interface; and
FIG. 11 is a flow diagram depicting an embodiment of the steps taken in a method for interactive evaluation of policies using a graphical user interface.
DETAILED DESCRIPTION OF THE INVENTION
Referring now to Figure 1A, an embodiment of a network environment is depicted. In brief overview, the network environment comprises one or more clients 102a-102n (also generally referred to as local machine(s) 102, or client(s) 102) in communication with one or more servers 106a-106n (also generally referred to as server(s) 106, or remote machine(s) 106) via one or more networks 104.
Although FIG. 1A shows a network 104 between the clients 102 and the servers 106, the clients 102 and the servers 106 may be on the same network 104. The network 104 can be a local-area network (LAN), such as a company Intranet, a metropolitan area network (MAN), or a wide area network (WAN), such as the Internet or the World Wide Web. In some embodiments, there are multiple networks 104 between the clients and the servers 106. In one of these embodiments, a network 104' may be a private network and a network 104 may be a public network. In another of these embodiments, a network 104 may be a private network and a network 104' a public network. In still another embodiment, networks 104 and 104' may both be private networks.
The network 104 may be any type and/or form of network and may include any of the following: a point to point network, a broadcast network, a wide area network, a local area network, a telecommunications network, a data communication network, a computer network, an ATM (Asynchronous Transfer Mode) network, a SONET (Synchronous Optical Network) network, a SDH (Synchronous Digital Hierarchy) network, a wireless network and a wireline network. In some embodiments, the network 104 may comprise a wireless link, such as an infrared channel or satellite band. The topology of the network 104 may be a bus, star, or ring network topology. The network 104 and network topology may be of any such network or network topology as known to those ordinarily skilled in the art capable of supporting the operations described herein. The network may comprise mobile telephone networks utilizing any protocol or protocols used to communicate among mobile devices, including AMPS, TDMA, CDMA, GSM, GPRS or UMTS. In some embodiments, different types of data may be transmitted via different protocols. In other embodiments, the same types of data may be transmitted via different protocols.
In one embodiment, the system may include multiple, logically-grouped servers 106. In these embodiments, the logical group of servers may be referred to as a server farm 38. In some of these embodiments, the servers 106 may be geographically dispersed. In some cases, a farm 38 may be administered as a single entity. In other embodiments, the server farm 38 comprises a plurality of server farms 38. In one embodiment, the server farm executes one or more applications on behalf of one or more clients 102.
The servers 106 within each farm 38 can be heterogeneous. One or more of the servers 106 can operate according to one type of operating system platform (e.g., WINDOWS NT, manufactured by Microsoft Corp. of Redmond, Washington), while one or more of the other servers 106 can operate according to another type of operating system platform (e.g., Unix or Linux). The servers 106 of each farm 38 do not need to be physically proximate to another server 106 in the same farm 38. Thus, the group of servers 106 logically grouped as a farm 38 may be interconnected using a wide-area network (WAN) connection or a metropolitan-area network (MAN) connection. For example, a farm 38 may include servers 106 physically located in different continents or different regions of a continent, country, state, city, campus, or room. Data transmission speeds between servers 106 in the farm 38 can be increased if the servers 106 are connected using a local-area network (LAN) connection or some form of direct connection.
Server 106 may be a file server, application server, web server, proxy server, appliance, network appliance, gateway, application gateway, gateway server, virtualization server, deployment server, SSL VPN server, or firewall. In some embodiments, a server 106 provides a remote authentication dial-in user service, and is referred to as a RADIUS server. In other embodiments, a server 106 may have the capacity to function as either an application server or as a master application server. In one embodiment, a server 106 may include an Active Directory. The remote machine 30 may be an application acceleration appliance. For embodiments in which the remote machine 30 is an application acceleration appliance, the remote machine 30 may provide functionality including firewall functionality, application firewall functionality, or load balancing functionality. In some embodiments, the remote machine 30 comprises an appliance such as one of the line of appliances manufactured by the Citrix Application Networking Group, of San Jose, CA, or Silver Peak Systems, Inc., of Mountain View, CA, or of Riverbed Technology, Inc., of San Francisco, CA, or of F5 Networks, Inc., of Seattle, WA, or of Juniper Networks, Inc., of Sunnyvale, CA.
The clients 102 may also be referred to as client nodes, client machines, endpoint nodes, or endpoints. In some embodiments, a client 102 has the capacity to function as both a client node seeking access to resources provided by a server and as a server providing access to hosted resources for other clients 102a-102n.
In some embodiments, a client 102 communicates with a server 106. In one embodiment, the client 102 communicates directly with one of the servers 106 in a farm 38. In another embodiment, the client 102 executes a program neighborhood application to communicate with a server 106 in a farm 38. In still another embodiment, the server 106 provides the functionality of a master node. In some embodiments, the client 102 communicates with the server 106 in the farm 38 through a network 104. Over the network 104, the client 102 can, for example, request execution of various applications hosted by the servers 106a-106n in the farm 38 and receive output of the results of the application execution for display. In some embodiments, only the master node provides the functionality required to identify and provide address information associated with a server 106b hosting a requested application.
In one embodiment, the server 106 provides the functionality of a web server. In another embodiment, the server 106a receives requests from the client 102, forwards the requests to a second server 106b and responds to the request by the client 102 with a response to the request from the server 106b. In still another embodiment, the server 106 acquires an enumeration of applications available to the client 102 and address information associated with a server 106 hosting an application identified by the enumeration of applications. In yet another embodiment, the server 106 presents the response to the request to the client 102 using a web interface. In one embodiment, the client 102 communicates directly with the server 106 to access the identified application. In another embodiment, the client 102 receives output data, such as display data, generated by an execution of the identified application on the server 106.
In some embodiments, the server 106 or a server farm 38 may be running one or more applications, such as an application providing a thin-client computing or remote display presentation application. In one embodiment, the server 106 or server farm 38 executes as an application any portion of the Citrix Access Suite™ by Citrix Systems, Inc., such as the MetaFrame or Citrix Presentation Server™, and/or any of the MICROSOFT WINDOWS Terminal Services manufactured by the Microsoft Corporation. In another embodiment, the application is an ICA client, developed by Citrix Systems, Inc. of Fort Lauderdale, Florida. In still another embodiment, the server 106 may run an application, which, for example, may be an application server providing email services such as MICROSOFT EXCHANGE manufactured by the Microsoft Corporation of Redmond, Washington, a web or Internet server, or a desktop sharing server, or a collaboration server. In yet another embodiment, any of the applications may comprise any type of hosted service or products, such as GOTOMEETING provided by Citrix Online Division, Inc. of Santa Barbara, California, WEBEX provided by WebEx, Inc. of Santa Clara, California, or Microsoft Office LIVE MEETING provided by Microsoft Corporation of Redmond, Washington.
A client 102 may execute, operate or otherwise provide an application, which can be any type and/or form of software, program, or executable instructions such as any type and/or form of web browser, web-based client, client-server application, a thin-client computing client, an ActiveX control, or a Java applet, or any other type and/or form of executable instructions capable of executing on client 102. In some embodiments, the application may be a server-based or a remote-based application executed on behalf of the client 102 on a server 106. In one embodiment the server 106 may display output to the client 102 using any thin-client or remote-display protocol, such as the Independent Computing Architecture (ICA) protocol manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Florida or the Remote Desktop Protocol (RDP) manufactured by the Microsoft Corporation of Redmond, Washington. The application can use any type of protocol and it can be, for example, an HTTP client, an FTP client, an Oscar client, or a Telnet client. In other embodiments, the application comprises any type of software related to voice over internet protocol (VoIP) communications, such as a soft IP telephone. In further embodiments, the application comprises any application related to real-time data communications, such as applications for streaming video and/or audio.
The client 102 and server 106 may be deployed as and/or executed on any type and form of computing device, such as a computer, network device or appliance capable of communicating on any type and form of network and performing the operations described herein. FIGs. 1B and 1C depict block diagrams of a computing device useful for practicing an embodiment of the client 102 or a server 106. As shown in FIGs. 1B and 1C, each computing device 100 includes a central processing unit 121, and a main memory unit 122. As shown in FIG. 1B, a computing device 100 may include a visual display device 124, a keyboard 126 and/or a pointing device 127, such as a mouse. As shown in FIG. 1C, each computing device 100 may also include additional optional elements, such as one or more input/output devices 130a-130b (generally referred to using reference numeral 130), and a cache memory 140 in communication with the central processing unit 121.
The central processing unit 121 is any logic circuitry that responds to and processes instructions fetched from the main memory unit 122. In many embodiments, the central processing unit is provided by a microprocessor unit, such as: those manufactured by Intel Corporation of Mountain View, California; those manufactured by Motorola Corporation of Schaumburg, Illinois; those manufactured by Transmeta Corporation of Santa Clara, California; the RS/6000 processor, those manufactured by International Business Machines of White Plains, New York; or those manufactured by Advanced Micro Devices of Sunnyvale, California. The computing device 100 may be based on any of these processors, or any other processor capable of operating as described herein.
Main memory unit 122 may be one or more memory chips capable of storing data and allowing any storage location to be directly accessed by the microprocessor 121, such as Static random access memory (SRAM), Burst SRAM or SynchBurst SRAM (BSRAM), Dynamic random access memory (DRAM), Fast Page Mode DRAM (FPM DRAM), Enhanced DRAM (EDRAM), Extended Data Output RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), Burst Extended Data Output DRAM (BEDO DRAM), Enhanced DRAM (EDRAM), synchronous DRAM (SDRAM), JEDEC SRAM, PC100 SDRAM, Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM), Direct Rambus DRAM (DRDRAM), or Ferroelectric RAM (FRAM). The main memory 122 may be based on any of the above described memory chips, or any other available memory chips capable of operating as described herein. In the embodiment shown in FIG. 1B, the processor 121 communicates with main memory 122 via a system bus 150 (described in more detail below). FIG. 1C depicts an embodiment of a computing device 100 in which the processor communicates directly with main memory 122 via a memory port 103. For example, in FIG. 1C the main memory 122 may be DRDRAM.
FIG. 1C depicts an embodiment in which the main processor 121 communicates directly with cache memory 140 via a secondary bus, sometimes referred to as a backside bus. In other embodiments, the main processor 121 communicates with cache memory 140 using the system bus 150. Cache memory 140 typically has a faster response time than main memory 122 and is typically provided by SRAM, BSRAM, or EDRAM. In the embodiment shown in FIG. 1C, the processor 121 communicates with various I/O devices 130 via a local system bus 150. Various buses may be used to connect the central processing unit 121 to any of the I/O devices 130, including a VESA VL bus, an ISA bus, an EISA bus, a MicroChannel Architecture (MCA) bus, a PCI bus, a PCI-X bus, a PCI-Express bus, or a NuBus. For embodiments in which the I/O device is a video display 124, the processor 121 may use an Advanced Graphics Port (AGP) to communicate with the display 124. FIG. 1C depicts an embodiment of a computer 100 in which the main processor 121 communicates directly with I/O device 130b via HyperTransport, Rapid I/O, or InfiniBand. FIG. 1C also depicts an embodiment in which local busses and direct communication are mixed: the processor 121 communicates with I/O device 130a using a local interconnect bus while communicating with I/O device 130b directly.
The computing device 100 may support any suitable installation device 116, such as a floppy disk drive for receiving floppy disks such as 3.5-inch, 5.25-inch disks or ZIP disks, a CD-ROM drive, a CD-R/RW drive, a DVD-ROM drive, tape drives of various formats, USB device, hard-drive or any other device suitable for installing software and programs such as any client agent 120, or portion thereof. The computing device 100 may further comprise a storage device, such as one or more hard disk drives or redundant arrays of independent disks, for storing an operating system and other related software, and for storing application software programs such as any program related to the client agent 120. Optionally, any of the installation devices 116 could also be used as the storage device. Additionally, the operating system and the software can be run from a bootable medium, for example, a bootable CD, such as KNOPPIX, a bootable CD for GNU/Linux that is available as a GNU/Linux distribution from knoppix.net.
Furthermore, the computing device 100 may include a network interface 118 to interface to a Local Area Network (LAN), Wide Area Network (WAN) or the Internet through a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T1, T3, 56kb, X.25, SNA, DECNET), broadband connections (e.g., ISDN, Frame Relay, ATM, Gigabit Ethernet, Ethernet-over-SONET), wireless connections, or some combination of any or all of the above.
Connections can be established using a variety of communication protocols (e.g., TCP/IP, IPX, SPX, NetBIOS, Ethernet, ARCNET, SONET, SDH, Fiber Distributed Data Interface (FDDI), RS232, IEEE 802.11, IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, CDMA, GSM, WiMax and direct asynchronous connections). In one embodiment, the computing device 100 communicates with other computing devices 100' via any type and/or form of gateway or tunneling protocol such as Secure Socket Layer (SSL) or Transport Layer Security (TLS), or the Citrix Gateway Protocol manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Florida. The network interface 118 may comprise a built-in network adapter, network interface card, PCMCIA network card, card bus network adapter, wireless network adapter, USB network adapter, modem or any other device suitable for interfacing the computing device 100 to any type of network capable of communication and performing the operations described herein.
A wide variety of I/O devices 130a-130n may be present in the computing device 100. Input devices include keyboards, mice, trackpads, trackballs, microphones, and drawing tablets. Output devices include video displays, speakers, inkjet printers, laser printers, and dye-sublimation printers. The I/O devices may be controlled by an I/O controller 123 as shown in FIG. 1B. The I/O controller may control one or more I/O devices such as a keyboard 126 and a pointing device 127, e.g., a mouse or optical pen. Furthermore, an I/O device may also provide storage and/or an installation medium 116 for the computing device 100. In still other embodiments, the computing device may provide USB connections to receive handheld USB storage devices such as the USB Flash Drive line of devices manufactured by Twintech Industry, Inc. of Los Alamitos, California.
In some embodiments, the computing device 100 may comprise or be connected to multiple display devices 124a-124n, which each may be of the same or different type and/or form. As such, any of the I/O devices 130a-130n and/or the I/O controller 123 may comprise any type and/or form of suitable hardware, software, or combination of hardware and software to support, enable or provide for the connection and use of multiple display devices 124a-124n by the computing device 100. For example, the computing device 100 may include any type and/or form of video adapter, video card, driver, and/or library to interface, communicate, connect or otherwise use the display devices 124a-124n. In one embodiment, a video adapter may comprise multiple connectors to interface to multiple display devices 124a-124n. In other embodiments, the computing device 100 may include multiple video adapters, with each video adapter connected to one or more of the display devices 124a-124n. In some embodiments, any portion of the operating system of the computing device 100 may be configured for using multiple displays 124a-124n. In other embodiments, one or more of the display devices 124a-124n may be provided by one or more other computing devices, such as computing devices 100a and 100b connected to the computing device 100, for example, via a network. These embodiments may include any type of software designed and constructed to use another computer's display device as a second display device 124a for the computing device 100. One ordinarily skilled in the art will recognize and appreciate the various ways and embodiments that a computing device 100 may be configured to have multiple display devices 124a-124n.
In further embodiments, an I/O device 130 may be a bridge between the system bus 150 and an external communication bus, such as a USB bus, an Apple Desktop Bus, an RS-232 serial connection, a SCSI bus, a FireWire bus, a FireWire 800 bus, an Ethernet bus, an AppleTalk bus, a Gigabit Ethernet bus, an Asynchronous Transfer Mode bus, a HIPPI bus, a Super HIPPI bus, a SerialPlus bus, a SCI/LAMP bus, a FibreChannel bus, or a Serial Attached small computer system interface bus.
A computing device 100 of the sort depicted in FIGs. 1B and 1C typically operates under the control of operating systems, which control scheduling of tasks and access to system resources. The computing device 100 can be running any operating system such as any of the versions of the MICROSOFT WINDOWS operating systems, the different releases of the Unix and Linux operating systems, any version of the MAC OS for Macintosh computers, any embedded operating system, any real-time operating system, any open source operating system, any proprietary operating system, any operating systems for mobile computing devices, or any other operating system capable of running on the computing device and performing the operations described herein.
Typical operating systems include: WINDOWS 3.x, WINDOWS 95, WINDOWS 98, WINDOWS 2000, WINDOWS NT 3.51, WINDOWS NT 4.0, WINDOWS CE, WINDOWS XP, and WINDOWS VISTA, all of which are manufactured by Microsoft Corporation of Redmond, Washington; MacOS, manufactured by Apple Computer of Cupertino, California; OS/2, manufactured by International Business Machines of Armonk, New York; and Linux, a freely-available operating system distributed by Caldera Corp. of Salt Lake City, Utah, or any type and/or form of a Unix operating system, among others.
The computer system 100 can be any workstation, desktop computer, laptop or notebook computer, server, handheld computer, mobile telephone or other portable telecommunication device, media playing device, a gaming system, mobile computing device, or any other type and/or form of computing, telecommunications or media device that is capable of communication and that has sufficient processor power and memory capacity to perform the operations described herein. For example, the computer system 100 may comprise a device of the IPOD family of devices manufactured by Apple Computer of Cupertino, California, a PLAYSTATION 2, PLAYSTATION 3, or PERSONAL PLAYSTATION PORTABLE (PSP) device manufactured by the Sony Corporation of Tokyo, Japan, a NINTENDO DS, NINTENDO GAMEBOY, NINTENDO GAMEBOY ADVANCED or NINTENDO REVOLUTION device manufactured by Nintendo Co., Ltd., of Kyoto, Japan, or an XBOX or XBOX 360™ device manufactured by the Microsoft Corporation of Redmond, Washington.
In some embodiments, the computing device 100 may have different processors, operating systems, and input devices consistent with the device. For example, in one embodiment, the computing device 100 is a Treo 180, 270, 600, 650, 680, 700p, 700w, or 750 smart phone manufactured by Palm, Inc. In some of these embodiments, the Treo smart phone is operated under the control of the PalmOS operating system and includes a stylus input device as well as a five-way navigator device.
In other embodiments the computing device 100 is a mobile device, such as a JAVA-enabled cellular telephone or personal digital assistant (PDA), such as the i55sr, i58sr, i85s, i88s, i90c, i95cl, or the im1100, all of which are manufactured by Motorola Corp. of Schaumburg, Illinois, the 6035 or the 7135, manufactured by Kyocera of Kyoto, Japan, or the i300 or i330, manufactured by Samsung Electronics Co., Ltd., of Seoul, Korea.
In still other embodiments, the computing device 100 is a Blackberry handheld or smart phone, such as the devices manufactured by Research In Motion Limited, including the Blackberry 7100 series, 8700 series, 7700 series, 7200 series, the Blackberry 7520, or the Blackberry Pearl 8100. In yet other embodiments, the computing device 100 is a smart phone, Pocket PC, Pocket PC Phone, or other handheld mobile device supporting Microsoft Windows Mobile Software. Moreover, the computing device 100 can be any workstation, desktop computer, laptop or notebook computer, server, handheld computer, mobile telephone, any other computer, or other form of computing or telecommunications device that is capable of communication and that has sufficient processor power and memory capacity to perform the operations described herein.
In one embodiment, the server 106 includes a policy engine for controlling and managing the access to a resource, selection of an execution method for accessing the resource, and the delivery of resources. In another embodiment, the server 106 communicates with a policy engine. In some embodiments, the policy engine determines the one or more resources a user or client 102 may access. In other embodiments, the policy engine determines how the resource should be delivered to the user or client 102, e.g., the method of execution. In still other embodiments, the server 106 provides a plurality of delivery techniques from which to select a method of execution, such as a server-based computing, application streaming, or delivering the application locally to the client 102 for local execution.
In one embodiment, a client 102 requests execution of an application program and a server 106 selects a method of executing the application program. In another embodiment, the server 106 receives credentials from the client 102. In still another embodiment, the server 106 receives a request for an enumeration of available applications from the client 102. In yet another embodiment, in response to the request or receipt of credentials, the server 106 enumerates a plurality of application programs available to the client 102.
In some embodiments, the server 106 selects one of a predetermined number of methods for executing an enumerated application, for example, responsive to a policy of a policy engine. In one of these embodiments, an application delivery system on the server 106 makes the selection. In another of these embodiments, the server 106 may select a method of execution of the application enabling the client 102 to receive output data generated by execution of the application program on a server 106b. In still another of these embodiments, the server 106 may select a method of execution of the application enabling the client 102 to execute the application program locally after retrieving a plurality of application files comprising the application. In yet another of these embodiments, the server 106 may select a method of execution of the application to stream the application via the network 104 to the client 102. In this embodiment, a first plurality of files in a stream of files comprising the application may be stored and executed on the client 102 while the server 106 transmits a second plurality of files in the stream of files to the client. This process may be referred to as "application streaming."
Referring now to FIG. 2A, a block diagram depicts one embodiment of a network including a policy engine 220. In one embodiment, the network includes a client 102, a collection agent 204, a policy engine 220, a policy database 208, a farm 38, and a server 106a. In another embodiment, the policy engine 220 is a server 106b. Although only one client 102, collection agent 204, policy engine 220, farm 38, and server 106a are depicted in the embodiment shown in Figure 2A, it should be understood that the system may provide multiple ones of any or each of those components.
In brief overview, when the client 102 transmits a request 210 to the policy engine 220 for access to a resource, the collection agent 204 communicates with client 102, retrieving information about the client 102, and transmits the client information 212 to the policy engine 220. The policy engine 220 makes an access control decision by applying a policy from the policy database 208 to the received information 212.
In more detail, the client 102 transmits a request 210 for a resource to the policy engine 220. In one embodiment, the policy engine 220 resides on a server 106b. In another embodiment, the policy engine 220 is a server 106b. In still another embodiment, a server 106 receives the request 210 from the client 102 and transmits the request 210 to the policy engine 220. In a further embodiment, the client 102 transmits a request 210 for a resource to a server 106c, which transmits the request 210 to the policy engine 220.
Upon receiving the request, the policy engine 220 initiates information gathering by the collection agent 204. The collection agent 204 gathers information regarding the client 102 and transmits the information 212 to the policy engine 220.
In some embodiments, the collection agent 204 gathers and transmits the information 212 over a network connection. In some embodiments, the collection agent 204 comprises bytecode, such as an application written in the bytecode programming language JAVA. In some embodiments, the collection agent 204 comprises at least one script. In those embodiments, the collection agent 204 gathers information by running at least one script on the client 102. In some embodiments, the collection agent comprises an ActiveX control on the client 102. An ActiveX control is a specialized Component Object Model (COM) object that implements a set of interfaces that enable it to look and act like a control.
In one embodiment, the policy engine 220 transmits the collection agent 204 to the client 102. In another embodiment, a server 106 may store or cache the collection agent 204. The server 106 may then transmit the collection agent 204 to a client 102. In one embodiment, the policy engine 220 requires a second execution of the collection agent 204 after the collection agent 204 has transmitted information 212 to the policy engine 220. In this embodiment, the policy engine 220 may have insufficient information 212 to determine whether the client 102 satisfies a particular condition. In other embodiments, the policy engine 220 requires a plurality of executions of the collection agent 204 in response to received information 212.
In some embodiments, the policy engine 220 transmits instructions to the collection agent 204 determining the type of information the collection agent 204 gathers.
In those embodiments, a system administrator may configure the instructions transmitted to the collection agent 204 from the policy engine 220. This provides greater control over the type of information collected. This also expands the types of access control decisions that the policy engine 220 can make, due to the greater control over the type of information collected. The collection agent 204 gathers information 212 including, without limitation, machine ID of the client 102, operating system type, existence of a patch to an operating system, MAC addresses of installed network cards, a digital watermark on the client device, membership in an Active Directory, existence of a virus scanner, existence of a personal firewall, an HTTP header, browser type, device type, network connection information such as internet protocol address or range of addresses, machine ID of the server 106, date or time of access request including adjustments for varying time zones, and authorization credentials. In some embodiments, a collection agent gathers information to determine whether access to a resource can be accelerated on the client using an acceleration program.
In some embodiments, the device type is a personal digital assistant. In other embodiments, the device type is a cellular telephone. In other embodiments, the device type is a laptop computer. In other embodiments, the device type is a desktop computer. In other embodiments, the device type is an Internet kiosk.
In some embodiments, the digital watermark includes data embedding. In some embodiments, the watermark comprises a pattern of data inserted into a file to provide source information about the file. In other embodiments, the watermark comprises data hashing files to provide tamper detection. In other embodiments, the watermark provides copyright information about the file.
In some embodiments, the network connection information pertains to bandwidth capabilities. In other embodiments, the network connection information pertains to Internet Protocol address. In still other embodiments, the network connection information consists of an Internet Protocol address. In one embodiment, the network connection information comprises a network zone identifying the logon agent to which the client 102 provided authentication credentials.
In some embodiments, the authorization credentials include a number of types of authentication information, including without limitation, user names, client names, client addresses, passwords, PINs, voice samples, one-time passcodes, biometric data, digital certificates, tickets, etc. and combinations thereof. After receiving the gathered information 212, the policy engine 220 makes an access control decision based on the received information 212.
Referring now to FIG. 2B, a block diagram depicts one embodiment of a policy engine 220, including a first component 222 comprising a condition database 224 and a logon agent 226, and including a second component 230 comprising a policy database 232. The first component 222 applies a condition from the condition database 224 to information received about client 102 and determines whether the received information satisfies the condition. In some embodiments, the condition database 224 stores filters, which are applied to information associated with a user or the user's client device.
In some embodiments, a condition or filter may require that the client 102 execute a particular operating system to satisfy the condition. In some embodiments, a condition or filter may require that the client 102 execute a particular operating system patch to satisfy the condition. In still other embodiments, a condition or filter may require that the client 102 provide a MAC address for each installed network card to satisfy the condition or filter. In some embodiments, a condition or filter may require that the client 102 indicate membership in a particular Active Directory to satisfy the condition.
In another embodiment, a condition or filter may require that the client 102 execute a virus scanner to satisfy the condition. In other embodiments, a condition or filter may require that the client 102 execute a personal firewall to satisfy the condition. In some embodiments, a condition or filter may require that the client 102 comprise a particular device type to satisfy the condition or filter. In other embodiments, a condition or filter may require that the client 102 establish a particular type of network connection to satisfy the condition or filter.
In some embodiments, a logon agent 226 resides outside of the policy engine 220. In other embodiments, the logon agent 226 resides on the policy engine 220. In one embodiment, the first component 222 includes a logon agent 226, which initiates the information gathering about client 102. In some embodiments, the logon agent further comprises a data store. In these embodiments, the data store includes the conditions for which the collection agent may gather information. In one of these embodiments, the data store is distinct from the condition database 224.
In some embodiments, the logon agent 226 initiates information gathering by executing the collection agent 204. In other embodiments, the logon agent 226 initiates information gathering by transmitting the collection agent 204 to the client 102 for execution on the client 102. In still other embodiments, the logon agent 226 initiates additional information gathering after receiving information 212. In one embodiment, the logon agent 226 also receives the information 212. In this embodiment, the logon agent 226 generates the data set 228 based upon the received information 212.
In some embodiments, the logon agent 226 generates the data set 228 by applying a condition from the database 224 to the information received from the collection agent 204.
In another embodiment, the first component 222 includes a plurality of logon agents 226. In this embodiment, at least one of the plurality of logon agents 226 resides on each network domain from which a client 102 may transmit a resource request. In this embodiment, the client 102 transmits the resource request to a particular logon agent 226.
In some embodiments, the logon agent 226 transmits to the policy engine 220 the network domain from which the client 102 accessed the logon agent 226. In one embodiment, the network domain from which the client 102 accesses a logon agent 226 is referred to as the network zone of the client 102.
In some embodiments, the condition database 224 stores the conditions or filters that the first component 222 applies to received information. The policy database 232 stores the policies that the second component 230 applies to the received data set 228. In some embodiments, the condition database 224 and the policy database 232 store data in an ODBC-compliant database. For example, the condition database 224 and the policy database 232 may be provided as an ORACLE database, manufactured by Oracle Corporation of Redwood Shores, Calif. In other embodiments, the condition database 224 and the policy database 232 can be a MICROSOFT ACCESS database or a MICROSOFT SQL server database, manufactured by Microsoft Corporation of Redmond, Wash.
In some embodiments, if the received information satisfies a condition, the first component 222 stores an identifier for that condition in a data set 228 and the second component applies a policy from the policy database to the data set. In other embodiments, after the first component 222 applies the received information to each condition in the condition database 224, the first component transmits the data set 228 to second component 230. In one embodiment, the first component 222 transmits only the data set 228 to the second component 230. Therefore, in this embodiment, the second component 230 does not receive information 212, only identifiers for satisfied conditions.
The second component 230 receives the data set 228 and makes an access control decision by applying a policy from the policy database 232 based upon the conditions identified within data set 228.
In some embodiments, the policy engine determines whether the user and the client device satisfy the requirements expressed in a filter. In one of these embodiments, the policy engine accesses an enumeration of filters to make the determination. The enumeration of filters may be stored in a condition database. In another of these embodiments, the use of the filter replaces the need for the data set and the policy database. In still another of these embodiments, the policy engine includes a condition database co-located with a policy database. In yet another of these embodiments, where the condition database and the policy database are collocated, the policy engine does not generate a data set to determine whether the user and the client device satisfy the requirements expressed in the filter.
In one embodiment, policy database 232 stores the policies applied to the received information 212. In one embodiment, the policies stored in the policy database 232 are specified at least in part by the system administrator. In another embodiment, a user specifies at least some of the policies stored in the policy database 232. The user-specified policy or policies are stored as preferences. The policy database 232 can be stored in volatile or non-volatile memory or, for example, distributed through multiple servers.
In one embodiment, a policy allows access to a resource only if one or more conditions are satisfied. In another embodiment, a policy allows access to a resource but prohibits transmission of the resource to the client 102. Another policy might make connection contingent on the client 102 that requests access being within a secure network. In some embodiments, the resource is an application program and the client 102 has requested execution of the application program. In one of these embodiments, a policy may allow execution of the application program on the client 102. In another of these embodiments, a policy may enable the client 102 to receive a stream of files comprising the application program. In still another of these embodiments, a policy may allow only execution of the application program on a server 106, such as an application server, and require the server 106 to transmit output data to the client 102.
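The two-stage evaluation of FIG. 2B, together with the access methods listed in the preceding paragraph, as an added Python example that is not the patent's own code: the first component reduces the gathered information 212 to a data set 228 holding only the identifiers of satisfied conditions, and the second component decides on that data set alone, so it never sees the raw client information. The condition identifiers, the policy rules, the "corp.example" domain and the client records are constructed for this example.

```python
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

# Condition database 224 of the text: condition identifier -> predicate over the
# gathered client information 212. Identifiers and predicates are constructed here.
CONDITIONS: Dict[str, Callable[[dict], bool]] = {
    "os_patched": lambda info: info.get("os_patch_level", 0) >= 3,
    "virus_scanner": lambda info: bool(info.get("virus_scanner")),
    "personal_firewall": lambda info: bool(info.get("personal_firewall")),
    "secure_zone": lambda info: info.get("network_zone") == "corporate",
    "domain_member": lambda info: info.get("ad_domain") == "corp.example",
}

# Policy database 232: ordered rules, each mapping the set of condition identifiers
# it requires to the access method granted. The first matching rule wins, so rules
# are listed from the richest access method to the most restricted one.
POLICIES: List[Tuple[Set[str], str]] = [
    ({"os_patched", "virus_scanner", "personal_firewall", "secure_zone"}, "execute_on_client"),
    ({"virus_scanner", "domain_member"}, "stream_to_client"),
    ({"domain_member"}, "execute_on_server"),
]

def first_component(info: dict) -> FrozenSet[str]:
    """Applies each condition to the information 212 and returns the data set 228:
    only identifiers of satisfied conditions, never the raw client information."""
    return frozenset(cid for cid, test in CONDITIONS.items() if test(info))

def second_component(data_set: FrozenSet[str]) -> str:
    """Makes the access control decision from the data set alone, choosing the
    first policy whose required conditions are all present, or denying access."""
    for required, method in POLICIES:
        if required <= data_set:
            return method
    return "deny"

def decide(info: dict) -> str:
    """Full policy-engine pass: gather -> data set -> access method."""
    return second_component(first_component(info))

# Constructed client reports (information 212), not real data.
MANAGED_DESKTOP = {"os_patch_level": 4, "virus_scanner": True, "personal_firewall": True,
                   "network_zone": "corporate", "ad_domain": "corp.example"}
HOME_LAPTOP = {"os_patch_level": 2, "virus_scanner": True, "personal_firewall": False,
               "network_zone": "internet", "ad_domain": "corp.example"}
KIOSK = {"os_patch_level": 1, "virus_scanner": False, "network_zone": "internet"}
```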
In some embodiments, a determination is made as to a type of connection to establish when granting access to a resource responsive to a determination by a policy engine such as the policy engine 220 described above in FIG. 2A and FIG. 2B.
In other embodiments, a determination is made as to a method for granting access to a resource, such as a method for execution, responsive to a determination by a policy engine such as the policy engine 220 described above in connection with FIG. 2A and FIG. 2B.
In still other embodiments, the server 106 receiving the credentials and the request to execute the resource further comprises such a policy engine 220. In yet other embodiments, the server 106 applies an access control policy to determine whether or not to grant access to the resource.
In some embodiments, filters are used in conjunction with policy engines as described above. In other embodiments, filters are used within policies, including, but not limited to, access control policies, auditing policies, network routing policies, load balancing policies, policies relating to error reporting, and failure handling policies. In still other embodiments, policy engines other than those described above use filters to evaluate an action to take with respect to a particular user or resource. In yet other embodiments, customized graphical user interfaces improve the ability of an administrator to generate filters.
Referring now to FIG. 3A, a block diagram depicts one embodiment of a system for dynamic generation of filters using a graphical user interface. In brief overview, the system includes a graphical user interface 300, a graphical user interface element 310, and a filter 350. The graphical user interface element 310 includes a description of a first clause 315 of the filter 350. The system includes one of: i) a second graphical user interface element 330 comprising a description 335 of at least one conjunctive clause of the filter 350, and ii) a description 320 in the graphical user interface element 310 of a disjunctive sub-clause of the first clause of the filter 350. The filter 350 is generated responsive to the contents of the first graphical user interface element 310 and the second graphical user interface element 330. Although only one graphical user interface 300, a graphical user interface element 310, and a filter 350 are depicted in the embodiment shown in FIG. 3A, it should be understood that the system may provide multiple ones of any or each of those components.
In one embodiment, an access control list maps at least one filter to an allowed or denied permission setting included in the access control list. In another embodiment, a filter is a simple or compound condition that may or may not be met by a client requesting access to a resource. In still another embodiment, simple conditions include group membership, role membership, IP range membership, and a characteristic of a client device requesting access to a resource, such as whether the client device executes a particular application or has access to a particular hardware resource. In yet another embodiment, compound conditions are combinations of simple conditions that may be defined using a filter editor.
In some embodiments, a filter is used to describe at least one characteristic for evaluation. In one of these embodiments, the at least one characteristic is associated with a resource. In another of these embodiments, the at least one characteristic is associated with a user. In still another of these embodiments, the at least one characteristic is associated with a combination of users or resources. In yet another of these embodiments, the at least one characteristic is evaluated to make a policy decision, such as an access control decision. In other embodiments, filters are used to determine whether at least one entity matches at least one specified condition.
In one embodiment, a filter describes at least one characteristic of a resource. In another embodiment, a filter may specify a group of resources to which a particular resource should belong to satisfy the filter, such as, for example, specifying a particular named group of resources (such as "office applications"), and specifying an operating system from which the resource is accessed (the WINDOWS VISTA operating system), and specifying a display capability supported by a system from which the resource is accessed. In still another embodiment, and for example, a filter may include a "leaf" condition specifying at least one of the following: a group of resources to which the resource should belong, a sub-directory which should enumerate the resource, an operating system capable of supporting the resource, a computing capability provided by a system from which the resource is accessed (such as a display capability or computing functionality), a required network characteristic (such as a per-application IP address), an environment in which the resource should execute (for example, an isolation environment), or a licensing requirement (for example, requiring a license for a specific user or for a specific type of request).
In one embodiment, a filter describes a characteristic associated with a combination of a user and a resource. In another embodiment, the filter may specify a first condition associated with a user and a second condition associated with a resource, and to satisfy the filter, the user and the resource must each satisfy the specified conditions.
In still another embodiment, the filter specifies that a user be authorized to access a resource - for example, that the user own the resource, be licensed to use the resource, or have permission from an external policy system to access the resource. In yet another embodiment, for example, a filter specifies that a user satisfy a first filter and that the resource satisfy a second filter.
In one embodiment, a filter applies to a plurality of users. In another embodiment, a filter may specify a condition that a group of users involved in a collaborative application must all satisfy in order to satisfy the filter, for example, that all users belong to a particular group, or that at least one of the plurality of users has a particular role. In still another embodiment, a filter applies to a plurality of resources. In still even another embodiment, a filter applies to a plurality of users and to a resource. In yet another embodiment, a filter applies to a plurality of resources and to a user.
In some embodiments, a filter defines a dynamic group. In one of these embodiments, the filter identifies a user belonging to the dynamic group. In another of these embodiments, the filter identifies a user excluded from the dynamic group. In still another of these embodiments, a member of the dynamic group satisfies a requirement specified by the filter.
In one embodiment, compound conditions are stored as 'named filters'. In another embodiment, a named filter can be edited later or reused in other filters. For example, and in still another embodiment, an administrator might specify a filter called 'Trusted Users' to be matched by users in a specific group, when requesting access to a resource from a client in a specific IP range, and provided that a particular virus checker is installed on the client with a specific version number. Once the filter 'Trusted Users' is defined, it can be used in multiple access control lists or policies, in an analogous way to group membership.
Referring now to FIG. 3A, and in greater detail, a system for dynamic generation of filters using a graphical user interface 300 includes a graphical user interface element 310, which includes a description of a first clause 315 of a filter 350. In some embodiments, the graphical user interface 300 is a filter editor. In other embodiments, the graphical user interface 300 is a Boolean expression editor. In one of these embodiments, the graphical user interface 300 is a Boolean-expression generator, creating Boolean expressions from descriptions of clauses that are not written as Boolean expressions. In still other embodiments, the graphical user interface 300 allows an administrator to define or edit a filter. In one of these embodiments, the graphical user interface 300 allows an administrator to define or edit a compound condition required of a client. In another of these embodiments, the graphical user interface 300 allows a user to describe a clause without expressing the clause as a Boolean expression. In still another of these embodiments, the graphical user interface 300 allows an administrator to define 'leaf conditions', such as conditions requiring that a user be a member of a group or request access from a certain network segment. In yet another of these embodiments, the graphical user interface 300 allows an administrator to specify a combination of these conditions using 'and', 'or', and 'not' combinations - for example: "User in group Administrator and not on an untrusted machine." In yet other embodiments, the system receives descriptions of filters and generates filters written as Boolean expressions.
In one embodiment, the system uses data entered into the graphical user interface to generate clauses expressed in Conjunctive Normal Form (CNF). Expressions in CNF may be of the form "X and Y and Z ..." where each of X, Y and Z is itself an expression of the form "Q or W or E" and each of Q, W, and E is either a leaf condition (also referred to as an "atomic term") or a negated atomic term. In another embodiment, the system uses data entered into the graphical user interface 300 to generate clauses composed in an extended version of CNF where Q, W, and E may also be named references to other compound expressions, or named sub-expressions that are themselves composed in the extended version of CNF, which may be referred to as Extended Conjunctive Normal Form (ECNF). In still another embodiment, the use of ECNF simplifies the task of representing expressions. For example, the expression "A or (B and C)" can be represented in CNF as "(A or B) and (A or C)" but in ECNF can also be represented as "A or D", where D is further defined as "B and C".
In some embodiments, the graphical user interface element 310 is an interface element such as a text box, a drop-down menu, or a hyperlink. In one of these embodiments, the graphical user interface element 310 displays a description of the first clause 315 of the filter 350. In another of these embodiments, the graphical user interface element 310 displays a filter name associated with the description of the disjunctive sub-clause of the first clause 315 of the filter 350. In still another of these embodiments, the text box displays a description of a first clause 315 of a filter 350, the first clause comprising a second filter. In other embodiments, a user of the graphical user interface 300 enters the description of the first clause 315 using a set of controls, including, but not limited to, text boxes, drop down lists, and graphical depictions of directories.
In some embodiments, a description of the first clause 315 includes an identification of a property of a client that satisfies the first clause 315.
In other embodiments, disjunctive (or) clauses represent like items and conjunctive (and) clauses represent unlike items. For example, and in one of these embodiments, a filter for users in groups A and B indicates that a user must match either group (i.e., 'A or B'), whereas a filter testing IP address and group membership tends to mean that both should match (i.e., 'A and B'). In another of these embodiments, a union (or) of terms is represented as a box containing those terms. In still another of these embodiments, a conjunction (and) of terms is represented as a set of boxes. In still even another of these embodiments, the graphical user interface element 310 displays a description of a disjunctive sub-clause of the first clause of the access filter. In yet another of these embodiments, a second graphical user interface element 330 displays a description of a conjunctive clause 335 of the first clause 315 in the access filter 350. In still other embodiments, a full expression is satisfied if one term from each box is satisfied.
In some embodiments, the graphical user interface element 310 displays a filter name associated with the description of the first clause 315 of the filter 350. In one of these embodiments, the filter name is the name of a stored description of the first clause 315. In another of these embodiments, the graphical user interface element 310 displays a drop-down menu listing the filter name. In still another of these embodiments, the graphical user interface element 310 displays a list of filter names.
In other embodiments, the graphical user interface element 310 displays a name associated with a category of access control tests. In still other embodiments, atomic terms are classified as belonging to a category, the categories including, but not limited to, endpoint, network, user, server or mixed. In one of these embodiments, a term in the "endpoint" category describes a condition to be satisfied by a client device of a user requesting access to a resource. In another of these embodiments, a term in the "network" category describes a condition regarding a network from which a client device requesting access connects. In still another of these embodiments, a term in the "user" category describes a condition regarding a group in which the user is a member. In even still another of these embodiments, a term in the "server" category describes a condition to be satisfied by a server providing access to the requested resource. In yet another embodiment, a category includes terms from different categories.
The graphical user interface 300 includes one of: i) a second graphical user interface element 330 comprising a description 335 of at least one conjunctive clause of the filter 350, and ii) a description 320 in the graphical user interface element 310 of a disjunctive sub-clause of the first clause of the filter 350. In one embodiment, the graphical user interface 300 includes both the second graphical user interface element 330 and the description 320. In another embodiment, when a term is added to the filter editor, and the graphical user interface 300 already includes a box for a category associated with the term (such as graphical user interface element 310), then the term is added as a disjunctive term in the existing box. In still another embodiment, if there is no box for that category, a new box (graphical user interface element 330) is added to the graphical user interface 300.
In some embodiments, the second graphical user interface element 330 is an interface element such as a text box, a drop-down menu, or a hyperlink. In one of these embodiments, the second graphical user interface element 330 displays a description of the conjunctive clause of the filter 350. In another of these embodiments, the second graphical user interface element 330 displays a filter name associated with the description of the conjunctive clause of the filter 350. In still another of these embodiments, the second graphical user interface element 330 displays a filter name associated with a second category of access control tests. In other embodiments, the graphical user interface 300 includes one of: i) a second graphical user interface element 330 displaying a description of at least one disjunctive clause of the filter in, and ii) a description in the first graphical user interface element of a conjunctive sub-clause of the first clause of the filter.
For example, and in some of these embodiments, if a user adds two group membership tests to a filter, the terms defining each of the group membership tests will be placed in the same box (graphical user interface element 310), and if an IP range test is then also added to the graphical user interface 300, the term defining the IP range test will be placed in a separate box (graphical user interface element 330).
The filter 350 is generated responsive to the contents of the first graphical user interface element 310 and the second graphical user interface element 330. In one embodiment, the filter 350 is displayed to the user in a readable format designed to avoid the inherent potential complexity of nested 'and' and 'or' operators. For example, a valid filter for 'Trusted Users' might be "(Client-observed IP in the range 10.70.0.0-10.70.255.255 or Client-observed IP in the range 10.30.0.0-10.30.255.255) and User in group Company\Domain Users and (Filter(Trend) or Filter(Norton))", and this filter may be displayed in a format designed to assist the user in parsing the clauses of the filter; for example, by displaying the filter in terms of component clauses:
Network Test: Client observed IP in the range 10.70.0.0-10.70.255.255 or Client observed IP in the range 10.30.0.0-10.30.255.255
User Test: User in group Company\Domain Users
Endpoint Test: Filter(Trend) or Filter(Norton)
In this embodiment, the representation of the filter 350 is read with an 'AND' between each type of test. In this embodiment, the test 'Filter(Trend)' is classified as an endpoint test because all atomic tests in this filter are themselves endpoint tests. In an embodiment where the 'Trend' filter contained a mixture of tests of different categories, it may have been given a category of 'Mixed' and displayed as 'Other Tests'. In some embodiments, an administrator uses the filters to generate an access control list. In other embodiments, a system, such as a policy engine, determines whether a user requesting access to a resource satisfies the conditions in the filter to determine whether or not to grant access to the requested resource. In still other embodiments, a system determines whether a user satisfies a condition expressed in a filter to determine whether the user satisfies the requirements of a policy, such as an access control policy, an auditing policy, a network routing policy, a load balancing policy, a policy relating to error reporting, or a failure handling policy.
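The ECNF representation, the per-category box heuristic and the 'Trusted Users' display described above, as an added Python example that is not part of the patent: a named filter is a conjunction of category boxes, each box a disjunction of atomic tests or references to other named filters, and it is evaluated against constructed client information and rendered one category per line as in the text. The IP-range, group-membership and version-comparison predicates, the Trend and Norton sub-filters (single version checks standing in for the antivirus tests), and the client record are assumptions made for this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Callable, Dict, List

# Display labels for the atomic-test categories named in the text; "mixed" is the
# category of a named filter whose atomic tests do not all share one category.
LABELS = {"endpoint": "Endpoint Test", "network": "Network Test",
          "user": "User Test", "server": "Server Test", "mixed": "Other Tests"}
# Store of named filters, standing in for the condition database of the text.
REGISTRY: Dict[str, "NamedFilter"] = {}

@dataclass
class Atomic:
    """A leaf condition: a predicate over the information gathered about the client."""
    text: str
    category: str                   # endpoint | network | user | server | mixed
    test: Callable[[dict], bool]
    negated: bool = False

    def evaluate(self, info):
        return bool(self.test(info)) != self.negated   # XOR applies the negation

@dataclass
class NamedFilter:
    """A filter in ECNF: a conjunction of boxes, each box a disjunction of terms."""
    name: str
    boxes: List[List[Atomic]] = field(default_factory=list)

    def add_term(self, term):
        """Box-placement heuristic from the text: a term joins the existing box of
        its category as a disjunct; if no such box exists a new box is opened."""
        for box in self.boxes:
            if box[0].category == term.category:
                box.append(term)
                return
        self.boxes.append([term])

    @property
    def category(self):
        kinds = {t.category for box in self.boxes for t in box}
        return kinds.pop() if len(kinds) == 1 else "mixed"

    def evaluate(self, info):
        # CNF: every box must hold, and a box holds when any one of its terms does.
        return all(any(t.evaluate(info) for t in box) for box in self.boxes)

    def render(self):
        """Per-category layout the text shows for 'Trusted Users' (AND between lines)."""
        return "\n".join(f"{LABELS[box[0].category]}: "
                         + " or ".join(("not " if t.negated else "") + t.text for t in box)
                         for box in self.boxes)

def ip_range(lo, hi):
    lo_a, hi_a = ip_address(lo), ip_address(hi)
    return Atomic(f"Client observed IP in the range {lo}-{hi}", "network",
                  lambda info: lo_a <= ip_address(info["client_ip"]) <= hi_a)

def group(name):
    return Atomic(f"User in group {name}", "user",
                  lambda info: name in info.get("groups", ()))

def software_version(product, minimum):
    """Endpoint property comparison: installed version of product >= minimum."""
    ver = lambda s: tuple(int(p) for p in s.split("."))
    return Atomic(f"{product} version >= {minimum}", "endpoint",
                  lambda info: product in info.get("software", {})
                  and ver(info["software"][product]) >= ver(minimum))

def filter_ref(name, negated=False):
    """ECNF extension: a named reference to another compound expression, treated
    as a term. Evaluation is late-bound; the category is taken at creation."""
    return Atomic(f"Filter({name})", REGISTRY[name].category,
                  lambda info: REGISTRY[name].evaluate(info), negated)

def define(name, *terms):
    """Creates a named filter, adding each term through the box heuristic."""
    REGISTRY[name] = NamedFilter(name)
    for term in terms:
        REGISTRY[name].add_term(term)
    return REGISTRY[name]

# The 'Trusted Users' filter from the text; Trend and Norton are hypothetical named
# filters standing in for the antivirus checks. The interleaved term order shows
# the heuristic routing the second IP range into the existing network box.
define("Trend", software_version("Trend", "8.0"))
define("Norton", software_version("Norton", "12.0"))
define("Trusted Users",
       ip_range("10.70.0.0", "10.70.255.255"), group("Company\\Domain Users"),
       ip_range("10.30.0.0", "10.30.255.255"), filter_ref("Trend"), filter_ref("Norton"))

# Constructed client information (the "information 212" of the text), not real data.
CLIENT_TRUSTED = {"client_ip": "10.30.4.2", "groups": ["Company\\Domain Users"],
                  "software": {"Norton": "12.1"}}

def is_trusted(info):
    return REGISTRY["Trusted Users"].evaluate(info)
```

Because a reference to a filter whose tests span several categories is classified as mixed, such a reference lands in an 'Other Tests' box of its own, as the text describes.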
Referring now to FIG. 3B, a screen shot depicts one embodiment of a graphical user interface in a system for dynamic generation of filters using a graphical user interface. FIG. 3B provides a screen shot of a graphical user interface 300 representing the following filter: "IPRange(10.70.0.0-10.70.255.255) AND (Group(ABC-Company\admin) OR Group(ABC-Company\users))". The graphical user interface 300 includes a graphical user interface element 310, which includes both a filter name 360 and a description of a first clause 315 of the filter 350. The graphical user interface 300 also includes a graphical user interface element 330, which includes a filter name 370, a description of a second clause 335 of the filter 350, and a description of a disjunctive sub-clause 340 of the filter 350.
Referring now to FIG. 3C, a screen shot depicts another embodiment of a graphical user interface 300. In this embodiment, the graphical user interface explicitly specifies the logical relationship between the sub-clauses and clauses of the filter. Additionally, the graphical user interface 300 depicts a graphical user interface element shaded to indicate that graphical user interface element does not yet contain a description of a clause or sub-clause of the filter and is, instead, an inactive placeholder for an additional expression.
Referring now to FIG. 3D, a screen shot depicts another embodiment of a system for dynamic generation of filters using a graphical user interface. In some embodiments, the graphical user interface 300 receives a term from a user and applies a heuristic to automatically add the term to the appropriate graphical user interface element 310 or 330.
In one of these embodiments, and as depicted in FIG. 3D, the graphical user interface 300 may include a user interface element 375 to allow a user to move a term from one graphical user interface element to another. In FIG. 3D, graphical user interface element 375 is a pull-down menu that allows a user to move a term from graphical user interface 370 to graphical user interface 310 ("Move to Network Tests"), or to a new user interface element ("Move to an empty box"), or to remove the element, or to edit or negate the term.
FIG. 3D includes a graphical user interface element 380, labeled "Add Condition." In one embodiment, the graphical user interface element 380 is used to add new atomic tests to the filter. In another embodiment, the graphical user interface element 380 allows the addition of new filters (compound expressions) that are named and represented in the tool as if they were atomic tests. For example, if the user had previously defined a named filter (such as, "Client Machine has Trend installed"), then this filter could be added as an atomic test within the filter 350 generated by the graphical user interface 300.
Referring now to FIG. 3E, a screen shot depicts one embodiment of a graphical user interface for adding a condition to a filter. In one embodiment, selection of the graphical user interface element 380 depicted in FIG. 3D results in the display of graphical user interface 390 depicted in FIG. 3E. In another embodiment, the graphical user interface 390 is a menu listing at least one type of atomic test available for use in a filter 350, including, but not limited to sub-expressions, references to existing filters, property comparisons, IP Range tests, Group Membership tests, and time-of-day testing.
In still another embodiment, when a test is selected, a dialog box is provided to allow the administrator to fill in (or edit) details related to that test. In still even another embodiment, if the user selects a `property comparison' test, a dialog box is provided to allow the user to select which property of the client device is to be compared, and to which value the property should be compared. Client device-related properties may include User Id, IP Address, Call Time and endpoint information, such as the presence/absence of client features and/or the version number of client-installed software.
In yet another embodiment, a number of comparison operators are supported, such as equality, greater than, less than, uncased comparison (for strings) and `is-a' for enumerations.
Referring now to FIG. 3F, a screen shot depicts an embodiment of a graphical user interface for displaying a first filter included as a term in a second filter. The graphical user interface 392 depicts a first sub-clause 394 and a second sub-clause 396, each of which are named filters nested within the first clause of the filter described by graphical user interface 392. Sub-clause 396 is described in a graphical user interface element similar to those described above. Sub-clause 394 explicitly lists the clauses of the named filter "Trend 98", displaying to the user the clauses specified by the nested filter.
Referring now to FIG. 3G, a screen shot depicts one embodiment of a graphical user interface for customizing a clause of a filter. As depicted in FIG. 3G, properties provided by the graphical user interface 300 are extensible and customizable.
For example, and in one embodiment, an administrator might select an operating system from a plurality of pre-defined operating systems, for example by identifying a client operating system as a parameter to customize, selecting a type of comparison ("is") to associate with the parameter, and selecting a particular operating system from an enumeration of values (such as the different versions of the WINDOWS operating system listed in FIG. 3G). In one embodiment, an `is-a' comparison with the value "WINDOWS" would satisfy the condition if the client operating system had a name including the value "WINDOWS."
Referring now to FIG. 4, a flow diagram depicts one embodiment of the steps taken in a method for dynamic generation of filters using a graphical user interface. In brief overview, a first clause of a filter is described in a first graphical user interface element (step 402). At least one of a conjunctive clause of the filter, in a second graphical user interface element, and a disjunctive sub-clause of the first clause of a filter, in the first graphical user interface element, are described (step 404). A filter is generated responsive to the contents of the first graphical user interface element and the second graphical user interface element (step 406).
Referring now to FIG. 4, in greater detail and in connection with FIG. 3A, a first clause of a filter is described in a first graphical user interface element (step 402). In one embodiment, a first clause of the filter is described, the first clause comprising a second filter. In another embodiment, a description of the first clause is received from a user via a third graphical user interface element. In still another embodiment, the first clause of the filter is described using a non-algebraic language.
At least one of a conjunctive clause of the filter, in a second graphical user interface element, and a disjunctive sub-clause of the first clause of a filter, in the first graphical user interface element, are described (step 404). In one embodiment, a description is provided of at least one of: i) a disjunctive clause of the filter in a second graphical user interface element, and ii) a conjunctive sub-clause of the first clause of the filter in the first graphical user interface element. In another embodiment, a description is provided of a conjunctive clause of the filter using a non-algebraic language.
In still another embodiment, a description is provided of a disjunctive sub-clause of the first clause of the filter using a non-algebraic language. In yet another embodiment, a description is provided of a disjunctive sub-clause of the one or more disjunctive sub-clauses.
In one embodiment, a description is provided of a conjunctive sub-clause of the disjunctive sub-clause. In another embodiment, a description is provided of a disjunctive sub-clause of the conjunctive clause. In still another embodiment, a description is provided of a conjunctive clause of the filter.
In one embodiment, a graphical user interface element is generated for each conjunctive clause in the plurality of conjunctive clauses, the generated graphical user interface element displaying a description of the conjunctive clause. In another embodiment, a description is provided of a second filter as a disjunctive sub-clause of the first clause of the filter. In still another embodiment, a description is provided of a second filter as a disjunctive sub-clause of the conjunctive clause of the filter.
A filter is generated responsive to the contents of the first graphical user interface element and the second graphical user interface element (step 406). In some embodiments, only a first clause is provided and the filter is generated using the first clause. In one embodiment, the filter is described using a non-algebraic language. In some embodiments, the filter is stored. In one of these embodiments, the filter is stored in memory. In another of these embodiments, the filter is stored in a database. In still another of these embodiments, the filter is stored on a server 106. In other embodiments, a policy engine, such as the policy engine described above in connection with FIG. 2A and FIG. 2B, stores the filter. In one of these embodiments, the policy engine resides on a server 106.
In one embodiment, a clause in the filter is modified by using at least a third graphical user interface element to modify a description of the modified clause. In another embodiment, the modification to the clause in the filter includes converting a conjunctive clause of the clause to a disjunctive clause. In still another embodiment, the modification to the clause in the filter includes an addition of a description of the modified clause into the first graphical user interface element and deleting the description of the modified clause from the second graphical user interface element. In still another embodiment, the modification to the clause in the filter includes converting a disjunctive clause of the first clause to a conjunctive clause. In yet another embodiment, the modification to the clause in the filter includes generating a new graphical user interface element, adding the description of the modified clause into the generated graphical user interface element and deleting the description of the modified clause from the first graphical user interface element.
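As an added illustration, and not code from the patent, the following Python sketch evaluates filters of the shape described for FIGs. 3D through 3G and for the method of FIG. 4: a filter is a conjunction of clauses (one per graphical user interface element), each clause is a disjunction of terms, and a term is an atomic test (a property comparison using the operators listed above, an IP Range test, a Group Membership test) or a reference to a previously defined named filter, optionally negated. The client-context keys, the named filters "Client Machine has Trend installed" and "Remote User", and the client contexts are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Information the filter is applied to: User Id, IP Address and endpoint details
# such as installed software. The key names ("ip", "os", "groups", ...) are assumptions.
ClientContext = Dict[str, object]

# Comparison operators named in the text. "ieq" is the uncased string
# comparison; "is-a" follows the FIG. 3G description, where `is-a WINDOWS'
# holds whenever the client's operating system name includes "WINDOWS".
OPERATORS = {
    "eq": lambda actual, value: actual == value,
    "gt": lambda actual, value: actual > value,
    "lt": lambda actual, value: actual < value,
    "ieq": lambda actual, value: str(actual).lower() == str(value).lower(),
    "is-a": lambda actual, value: str(value).upper() in str(actual).upper(),
}

@dataclass(frozen=True)
class PropertyTest:
    """`property comparison' test: one client property against a value."""
    prop: str
    op: str
    value: object

    def evaluate(self, ctx: ClientContext) -> bool:
        actual = ctx.get(self.prop)
        # An absent property never satisfies a test (fail closed).
        return actual is not None and bool(OPERATORS[self.op](actual, self.value))

@dataclass(frozen=True)
class IPRangeTest:
    """IP Range test: the client address lies inside the network."""
    cidr: str

    def evaluate(self, ctx: ClientContext) -> bool:
        try:
            return ipaddress.ip_address(str(ctx.get("ip", ""))) in ipaddress.ip_network(self.cidr)
        except ValueError:  # missing or malformed address fails closed
            return False

@dataclass(frozen=True)
class GroupMembershipTest:
    group: str

    def evaluate(self, ctx: ClientContext) -> bool:
        return self.group in ctx.get("groups", ())

@dataclass(frozen=True)
class FilterRef:
    """A previously defined named filter, used as if it were an atomic test."""
    name: str

    def evaluate(self, ctx: ClientContext) -> bool:
        return FILTERS[self.name].evaluate(ctx)

@dataclass(frozen=True)
class Term:
    test: object            # one of the atomic tests above
    negated: bool = False   # the "negate" action offered by element 375

    def evaluate(self, ctx: ClientContext) -> bool:
        return self.test.evaluate(ctx) != self.negated

@dataclass
class Filter:
    clauses: List[List[Term]]   # AND across clauses, OR within a clause

    def evaluate(self, ctx: ClientContext) -> bool:
        return all(any(t.evaluate(ctx) for t in clause) for clause in self.clauses)

FILTERS: Dict[str, Filter] = {}   # store of named filters (kept in memory here)

def client_satisfies(filter_name: str, ctx: ClientContext) -> bool:
    return FILTERS[filter_name].evaluate(ctx)

# Constructed named filters. A filter defined first can be referenced from a
# later one, as "Add Condition" (element 380) allows.
FILTERS["Client Machine has Trend installed"] = Filter([
    [Term(PropertyTest("antivirus", "ieq", "trend micro"))],
    [Term(PropertyTest("antivirus_version", "gt", 97))],
])
FILTERS["Remote User"] = Filter([
    # first clause, two disjunctive sub-clauses: off the office network OR in the VPN group
    [Term(IPRangeTest("10.0.0.0/8"), negated=True), Term(GroupMembershipTest("VPN Users"))],
    # conjunctive clause: operating system is-a WINDOWS (any edition)
    [Term(PropertyTest("os", "is-a", "WINDOWS"))],
    # conjunctive clause: the nested named filter, used as an atomic test
    [Term(FilterRef("Client Machine has Trend installed"))],
])

# Constructed client contexts.
HOME_LAPTOP: ClientContext = {
    "user": "alice", "ip": "203.0.113.7", "os": "Windows XP Professional",
    "antivirus": "Trend Micro", "antivirus_version": 98, "groups": ("Staff",),
}
OFFICE_PC: ClientContext = dict(HOME_LAPTOP, ip="10.1.2.3")
VPN_MAC: ClientContext = dict(HOME_LAPTOP, ip="10.9.9.9", os="Mac OS X", groups=("VPN Users",))
NO_ADDRESS: ClientContext = dict(HOME_LAPTOP, ip=None)
```

The fail-closed handling of absent properties interacts with negation: NO_ADDRESS reports no IP address, so the IP Range test is false, its negation is true, and the client counts as "off the office network". An administrator who uses element 375 to negate a test should express "property is missing" as its own condition rather than relying on the negated test to catch it.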
In some embodiments, an access control list is generated using the filter 350.
In one of these embodiments, an administrator specifies the access control list.
In another of these embodiments, a policy engine generates the access control list. In other embodiments, a policy engine uses a filter in determining whether or not to allow a user of a client device to access a resource. In still other embodiments, a policy engine uses a filter in selecting a method for execution of a resource when allowing a user of a client device to access a resource.
In some embodiments, a server 106 receives a request for access to a resource, such as execution of an application program, from a client device. In one of these embodiments, the requested resource is a file. In another of these embodiments, the requested resource is an application program. In still another of these embodiments, the requested resource is a computing environment. In still even another of these embodiments, the computing environment is a desktop environment from which the client device may execute application programs. In yet another of these embodiments, the computing environment provides access to one or more application programs.
Referring now to FIG. 5A, a system for access routing and resource mapping using filters includes a rule 510, a policy engine 550, and a server 106. In brief overview, the rule 510 has a first rule priority level 512 and includes i) an identification 514 of a filter identifying at least one pre-requisite to accessing a resource 560, ii) an identification 516 of at least one method for providing access to a resource, and iii) an identification 518 of a server 106 in a plurality of servers. The policy engine 550 includes a rule identification component 552 and a policy application component 554. The rule identification component 552 includes means for identifying the rule 510. The policy application component 554 includes means for applying the filter to a client request for access to the resource, means for determining that the client satisfies the at least one pre-requisite, responsive to applying the filter, and means for determining whether to provide access to the resource to the client by the server in the plurality of servers according to the at least one method for providing access to the resource. The server 106 in the plurality of servers provides access to the resource 460 according to the at least one method for providing access.
In one embodiment, a filter 350 is generated as described above in connection with FIGs. 3-4. In another embodiment, the filter 350 is stored and applied to decisions regarding whether or not to grant access to a requested resource. In some embodiments, the filter 350 is used to define a resource mapping policy, which specifies whether and how a user of a client device may access a resource, and which server will provide access to the resource. In one of these embodiments, resources in a list of published resources represent all resources available to a user of a client, from the client's perspective. For example, the list of published resources may contain a single `Notepad' resource, although there may be a number of mechanisms available to provide the resource to the client - several copies of Notepad may reside on different resource providers, or one or more resource provider may be able to provide access to the resource using different mechanisms, including but not limited to downloading the resource to the client, executing the resource remotely and transmitting application-output data to the client. A resource mapping policy specifies which resource to use, from which resource provider, and via which execution method.
Referring now to FIG. 5A, and in greater detail, the rule 510 has a first rule priority level 512 and includes i) an identification 514 of a filter identifying at least one pre-requisite to accessing a resource 560, ii) an identification 516 of at least one method for providing access to a resource, and iii) an identification 518 of a server 106 in a plurality of servers. In one embodiment, a plurality of rules forms a resource mapping policy. In another embodiment, the first rule priority level 512 is a numeric priority level.
In still another embodiment, a policy engine 550 consults a rule to determine whether to grant access to a requested resource. In yet another embodiment, the policy engine 550 selects a rule to consult based on the first rule priority level 512.
In some embodiments, the identification 514 identifies a stored filter. In other embodiments, the identification 514 specifies a condition to be satisfied by a client requesting access to a resource. In one of these embodiments, the identified filter identifies a pre-requisite specifying a network address range required for access to the resource. In another of these embodiments, the identified filter identifies a pre-requisite specifying an operating system type required for access to the resource. In still another of these embodiments, the identified filter identifies a pre-requisite specifying an application type required for access to the resource. In yet another of these embodiments, the identified filter identifies a pre-requisite specifying a characteristic of the client device requesting access to the resource, such as an application to be installed on the client device or a hardware resource available to the client device. In still other embodiments, the identified filter specifies a condition. In one of these embodiments, if the condition is true for the client device, the client satisfies the identified filter. In another of these embodiments, if the condition is false for the client device, the client satisfies the identified filter.
In one embodiment, the identification 516 identifies a method for providing access to the resource 560 by streaming the resource to the client. In another embodiment, the identification 516 identifies a method for providing access to the resource 560 by executing the resource on a server 106 in a plurality of servers, such as a server in a server farm, and transmitting application-output data to the client using a presentation layer protocol. In still another embodiment, the identification 516 identifies a method for providing access to the resource 560 by executing the resource on a virtual machine executing on a server in the plurality of servers and transmitting application-output data to the client using a presentation layer protocol. In yet another embodiment, the identification 516 identifies a method for providing access to the resource 560 by transmitting the resource to the client requesting access.
In one embodiment, the identification 518 identifies a server 106 that provides access to the resource 560 by transmitting the resource 560 to the requesting client. In another embodiment, the identification 518 identifies a server 106 that provides access to the resource 560 by executing the resource 560 and transmitting application-output data to the client using a presentation layer protocol. In still another embodiment, the identification 518 specifies a plurality of servers, one of which may be selected to provide access to the requested resource.
In one embodiment, the rule 510 indicates that a specific resource provider and specific mechanism should be used to service a request. In another embodiment, the resource provider is a server 106. In another embodiment, the mechanism for servicing the request identifies a method for downloading a first portion of the requested resource to the client device, executing the first portion of the requested resource, and downloading a second portion of the requested resource to the client device, referred to, in some embodiments, as streaming the resource to the client device. In still another embodiment, the mechanism for servicing the request identifies a method for downloading the requested resource to the client device. In still even another embodiment, the mechanism for servicing the request identifies a method for executing the requested resource on a server and transmitting application-output data to the client device. In yet another embodiment, and for example, a rule 510 specifies:
Priority 90 Filter `Remote User' Provide access to all resources using ICA and the `EMEA' farm.
In this embodiment, the first rule priority level is 90, the identification 514 identifies a named filter stored as "remote user," and the identification 516 specifies that for this user, access should be provided to all resources by executing the requested resource on a machine in the "EMEA" farm and the application-output data generated by the executing resource should be transmitted to the client device using a presentation layer protocol such as the Independent Computing Architecture (ICA) protocol.
In one embodiment, when a request is received for access to a resource, resource mapping policy rules are consulted in order from highest priority through lowest. In another embodiment, a policy engine 550 includes means for identifying a second rule having a lower rule priority level than the first rule priority level 512, the second rule associated with a second method for providing access to the resource 560 and a second server 106b in the plurality of servers. In still another embodiment, if a user or the user's client device does not satisfy the requirements of the specified filter, the policy engine 550 identifies the second rule. In still even another embodiment, if the requested resource is not provided on the specified resource provider, using the specified mechanism, the policy engine 550 identifies the second rule. In yet another embodiment, if the client device is unable to support the use of the specified mechanism, or the resource provider is overloaded or has failed, the policy engine 550 identifies the second rule.
In one embodiment, a policy engine 550 determines that a user and the user's client device satisfy the requirements of the identified filter specified in the rule 510. In another embodiment, the policy engine 550 selects the resource provider and the mechanism identified in the rule 510 to provide the user with access to the resource. In still another embodiment, the policy engine 550 stops processing rules once a rule is identified that the client satisfies. In yet another embodiment, if there is a failure during execution of the requested resources, the policy engine identifies a second rule and begins processing rules to identify a rule satisfied by the client.
In one embodiment, the policy engine 550 includes means for determining whether to provide access to the resource 560 to the client by the second server 106b in the plurality of servers according to the second method for providing access to the resource 560. In another embodiment, the second server 106b in the plurality of servers provides access to the resource 560 according to the second method for providing access.
In still another embodiment, the second server 106b in the plurality of servers provides access to the resource 560 according to the first method for providing access.
In one embodiment, the policy engine 550 includes means for identifying a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second filter, a second method for providing access to the resource, and a second server in the plurality of servers. In another embodiment, the policy engine 550 includes means for determining that the client satisfies at least one pre-requisite associated with the second filter, responsive to an application of the second filter. In still another embodiment, the policy engine 550 includes means for determining whether to provide access to the resource to the client by the second server in the plurality of servers according to the second method for providing access to the resource. In yet another embodiment, the second server in the plurality of servers provides access to the resource according to the second method for providing access.
Referring now to FIG. 5B, a screen shot depicts one embodiment of a subset of rules in a resource mapping policy. FIG. 5B depicts three rules 510, 510', and 510".
Rule 510 has a priority level of 80, identifies a named filter "true", identifies a resource provider "RedWing" and an access method that specifies the use of the ICA presentation layer protocol. Rule 510' has a priority level of 90, identifies a named filter "Users in USA", identifies a plurality of resource providers (servers in the "USFarm" server farm) and an access method that specifies the use of the RDP presentation layer protocol. Rule 510" has a priority level of 50, identifies a named filter "true", identifies a plurality of resource providers (servers in the "USFarm" server farm) and an access method that specifies the use of the RDP presentation layer protocol. In this embodiment, the filter "true" identifies a filter trivially matched by all clients.
In one embodiment, the policy engine 550 determines that the user requesting access to the requested resource (notepad) satisfies the requirements of the "Users in USA" filter in the rule 510', which has the highest priority level, and the policy engine 550 identifies a server in the "USFarm" server farm able to provide access to the notepad resource using the RDP presentation layer protocol. In another embodiment, the policy engine 550 determines that the user, or the user's client device, does not satisfy the requirements of the filter, or that the resource providers (servers in the server farm "USFarm") are unable to provide access to the notebook resource using the RDP presentation layer protocol. In still another embodiment, the policy engine determines that the user and the user's client device satisfy the requirements of the filter named "true" and the policy engine identifies a server "RedWing" to provide access to the notebook resource using the ICA presentation layer protocol. In still even another embodiment, the policy engine 550 determines that the resource provider (the "RedWing" server) is unable to provide access to the notebook resource using the ICA presentation layer protocol. In yet another embodiment, the policy engine 550 determines that the user and the user's client device satisfy the requirements of the filter named "True" and the policy engine 550 identifies a server in the "USFarm" server farm to provide access to the notebook resource using the RDP presentation layer protocol.
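The walk-through above can be exercised with the following added example, which is not the patent's own implementation: a policy engine consults the three rules of FIG. 5B from highest priority level to lowest and falls through to the next rule when the client fails the rule's filter, cannot use the rule's access method, or none of the rule's resource providers can serve the request. The individual server names inside the "USFarm" farm, the provider capability table, the "Users in USA" predicate and the client contexts are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ClientContext = Dict[str, object]

@dataclass(frozen=True)
class Rule:
    priority: int               # rule priority level 512; higher is consulted first
    filter_name: str            # identification 514: named filter (pre-requisite)
    providers: Tuple[str, ...]  # identification 518: server(s) that may provide the resource
    method: str                 # identification 516: access method, e.g. "ICA" or "RDP"

@dataclass
class Provider:
    """Constructed state of a resource provider: what it hosts, which
    presentation layer protocols it can use, and whether it is reachable."""
    resources: frozenset
    methods: frozenset
    available: bool = True

# Named filters as predicates over the client context. "true" is trivially
# matched by all clients, as in FIG. 5B; "Users in USA" is a constructed stand-in.
NAMED_FILTERS: Dict[str, Callable[[ClientContext], bool]] = {
    "true": lambda ctx: True,
    "Users in USA": lambda ctx: ctx.get("country") == "US",
}

# The three rules of FIG. 5B (510, 510' and 510"). The server names inside
# the "USFarm" farm are constructed.
FIG_5B_RULES: List[Rule] = [
    Rule(80, "true", ("RedWing",), "ICA"),
    Rule(90, "Users in USA", ("USFarm-1", "USFarm-2"), "RDP"),
    Rule(50, "true", ("USFarm-1", "USFarm-2"), "RDP"),
]

def farm_state(redwing_available: bool = True) -> Dict[str, Provider]:
    """Constructed provider table; RedWing can be taken offline to show fall-through."""
    return {
        "RedWing": Provider(frozenset({"notepad"}), frozenset({"ICA"}), redwing_available),
        "USFarm-1": Provider(frozenset({"notepad"}), frozenset({"RDP"})),
        "USFarm-2": Provider(frozenset({"notepad", "calc"}), frozenset({"RDP"})),
    }

Decision = Optional[Tuple[int, str, str]]   # (rule priority, server, method), or None

def _note(trace: Optional[List[str]], rule: Rule, msg: str) -> None:
    if trace is not None:
        trace.append(f"rule priority {rule.priority} (filter {rule.filter_name!r}): {msg}")

def route_request(client: ClientContext, resource: str, rules: List[Rule],
                  providers: Dict[str, Provider],
                  trace: Optional[List[str]] = None) -> Decision:
    """Return the first rule, in priority order, that the client satisfies and
    that names a provider able to serve the resource via the rule's method.
    None means no rule applies and the request is refused."""
    client_methods = client.get("methods", frozenset())
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if not NAMED_FILTERS[rule.filter_name](client):
            _note(trace, rule, "client does not satisfy the filter")
            continue
        if rule.method not in client_methods:
            _note(trace, rule, f"client cannot use method {rule.method}")
            continue
        for server in rule.providers:
            p = providers.get(server)
            if p is not None and p.available and resource in p.resources and rule.method in p.methods:
                _note(trace, rule, f"selected {server} via {rule.method}")
                return rule.priority, server, rule.method
        _note(trace, rule, "no listed provider can serve the request")
    return None

# Constructed clients.
US_CLIENT: ClientContext = {"user": "bob", "country": "US", "methods": frozenset({"ICA", "RDP"})}
UK_CLIENT: ClientContext = {"user": "carol", "country": "UK", "methods": frozenset({"ICA", "RDP"})}
ICA_ONLY_US_CLIENT: ClientContext = dict(US_CLIENT, methods=frozenset({"ICA"}))

if __name__ == "__main__":
    log: List[str] = []
    print(route_request(UK_CLIENT, "notepad", FIG_5B_RULES, farm_state(redwing_available=False), log))
    print("\n".join(log))
```

The trace records, for every rule consulted, why it was skipped or selected; that per-rule view is what an administrator needs when reviewing which subset of rules applied to a given client, and it is also the record to keep when a routing decision has to be explained after the fact.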
In one embodiment, a subset of rules which may apply to a user or the user's client device is displayed to an administrator. In another embodiment, a subset of rules in a resource mapping policy which identify a particular resource provider is displayed. In still another embodiment, a subset of rules in a resource mapping policy which identify a particular mechanism for providing access to the resource is displayed.
Referring now to FIG. 6, a method for access routing and resource mapping using filters includes the step of receiving a request from a client for access to a resource (step 602). A rule is identified, the rule having a rule priority level and associated with: i) a filter, ii) at least one method for providing access to the resource, and iii) a server in a plurality of servers (step 604). The filter is applied, the filter identifying at least one pre-requisite to accessing the resource (step 606). A determination is made that the client satisfies the at least one pre-requisite, responsive to applying the filter (step 608). A determination is made regarding whether to provide access to the resource to the client by the server in the plurality of servers according to the at least one method for providing access to the resource (step 610). The server in the plurality of servers provides access to the resource for the client according to the at least one method for providing access to the resource (step 612).
Referring now to FIG. 6, and in greater detail, a request is received from a client for access to a resource (step 602). In one embodiment, a client 102 transmits the request 500 to a server 106a, requesting access to a resource 560 provided by a server 106b. In another embodiment, the policy engine 550 receives the request. In still another embodiment, a server 106a forwards the request to the policy engine 550.
A rule is identified, the rule having a rule priority level and associated with: i) a filter, ii) at least one method for providing access to the resource, and iii) a server in a plurality of servers (step 604). In one embodiment, the rule 510 is associated with a method for providing access to the resource by streaming the resource to the client. In another embodiment, the rule 510 is associated with a method for providing access to the resource by transmitting application-output data to the client using a presentation layer protocol. In still another embodiment, the rule 510 is associated with a method for providing access to the resource by executing the resource on a virtual machine executing on the server in the plurality of servers and transmitting application-output data to the client from the virtual machine using a presentation layer protocol. In yet another embodiment, the rule 510 is associated with a method for transmitting the resource to the client.
The filter is applied, the filter identifying at least one pre-requisite to accessing the resource (step 606). In one embodiment, the filter is applied to the client. In another embodiment, the filter is applied to a user of the client. In still another embodiment, the filter is applied to information associated with the client or with the user of the client device. In yet another embodiment, the policy engine 550 applies the filter to determine whether and how to grant access to the requested resource.
A determination is made that the client satisfies the at least one pre-requisite, responsive to applying the filter (step 608). In some embodiments, the policy engine 550 determines that the client satisfies the at least one prerequisite. In one of these embodiments, the policy engine 550 determines that the client executes a specified anti-virus program. In another of these embodiments, the policy engine 550 determines that the client is associated with a network address in a specified range of network addresses.
In still another of these embodiments, the policy engine 550 determines that the client executes a specified operating system program.
A determination is made regarding whether to provide access to the resource to the client by the server in the plurality of servers according to the at least one method for providing access to the resource (step 610). In one embodiment, the policy engine 550 determines that the user and the user's client device satisfy the requirements specified by the identified filter. In another embodiment, the policy engine 550 identifies the server 106 and the at least one method for providing access to the resource and grants the user access to the resource via the at least one method for providing, by the server 106, the resource.
The server in the plurality of servers provides access to the resource for the client according to the at least one method for providing access to the resource (step 612). In one embodiment, the server 105 is a resource provider selected to provide access to the resource for the client. In another embodiment, the policy engine 550 selects the server 106 responsive to applying a filter to the client and the server. In still another embodiment, the policy engine 550 selects the server to provide the access according to a rule having a priority level.
In some embodiments, a first rule is identified and a determination is made as to whether the client satisfies the associated policy and as to whether the identified server is able to provide the client with access to the requested resource according to the specified method. In one of these embodiments, if the client does not satisfy the policy, a different rule is identified, the second rule associated with a second policy and specifying the same server and the same method. In another of these embodiments, if the client does not satisfy the policy, a different rule is identified, the second rule associated with a second policy and specifying a different server or method. In still another of these embodiments, if the client satisfies the policy, but is unable to access the resource according to the specified method, a different rule is identified, the second rule associated with a different method and the same policy and the same server. In yet another of these embodiments, if the client satisfies the policy, but is unable to access the resource according to the specified method, a different rule is identified, the second rule associated with a different method and a different policy or server.
In one embodiment, an identification is made of a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second method for providing access to the resource and associated with a second server in the plurality of servers. In some embodiments, a determination is made that the client fails to satisfy the at least one pre-requisite, responsive to applying the filter to information associated with at least one of the client and the user of the client. In other embodiments, a determination is made that the client is unable to use the at least one method for providing access specified by the rule. In one of these embodiments, the client satisfies the policy associated with the resource but lacks a requirement necessary for using the method specified by the rule. In still other embodiments, a determination is made that the server in the plurality of servers identified by the rule is unable to provide the resource to the client via the at least one method for providing access. In one of these embodiments, the server lacks the resource. In another of these embodiments, the server is overloaded or unavailable. In still another of these embodiments, the server lacks the ability to provide access via the specified method.
In one embodiment, an identification is made of a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second server in the plurality of servers and with the at least one method specified by the first rule having the first rule priority level. In another embodiment, an identification is made of a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second method for providing access to the resource and associated with the first server in the plurality of servers.
In some embodiments, a determination is made as to whether to provide access to the resource to the client by the second server in the plurality of servers according to the second method for providing access to the resource. In one of these embodiments, the second server in the plurality of servers provides access to the resource according to the second method for providing access. In another of these embodiments, a second filter is applied. In other embodiments, a determination is made as to whether to provide access to the resource to the client by the second server in the plurality of servers according to the at least one method for providing access to the resource. In one of these embodiments, the at least one method is the method specified by the first rule having the first rule priority level. In another of these embodiments, the second server in the plurality of servers provides access to the resource according to the at least one method for providing access.
In some embodiments, an identification is made of a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second filter, a second method for providing access to the resource, and a second server in the plurality of servers. In one of these embodiments, a determination is made that the client fails to satisfy the at least one pre-requisite, responsive to applying the filter. In another of these embodiments, a determination is made that the client is unable to use the method for providing access specified by the rule. In still another of these embodiments, a determination is made that the server in the plurality of servers identified by the rule is unable to provide the resource to the client via the first method for providing access.
In other embodiments, an identification is made of a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second filter, the at least one method for providing access to the resource and a second server in the plurality of servers.
In still other embodiments, an identification is made of a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second filter, a second method for providing access to the resource and the server in the plurality of servers. In one of these embodiments, a determination is made that the client satisfies at least one pre-requisite associated with the second filter, responsive to an application of the second filter. In another of these embodiments, a determination is made as to whether to provide access to the resource to the client by the second server in the plurality of servers according to the second method for providing access to the resource.
In still another of these embodiments, a determination is made that the client is able to use the second method for providing access specified by the second rule. In still even another of these embodiments, a determination is made that the second server in the plurality of servers specified by the rule is able to provide the resource to the client via the at least one method for providing access. In yet another of these embodiments, the second server in the plurality of servers provides access to the resource according to the second method for providing access.
In one embodiment, a determination is made as to whether to provide access to the resource to the client by the server in the plurality of servers according to a second method for providing access to the resource. In another embodiment, a determination is made as to whether the client satisfies a policy associated with a rule identifying the server and the second method. In still another embodiment, a determination is made as to whether to provide access to the resource to the client by a second server in the plurality of servers according to the at least one method for providing access to the resource. In still even another embodiment, a determination is made as to whether the client satisfies a policy associated with a rule identifying the second server and the first method. In yet another embodiment, a determination is made as to whether to provide access to the resource to the client by a second server in the plurality of servers according to a second method for providing access to the resource.
In some embodiments, the policy engine 550 identifies a rule applicable to a client request for access to a resource. In another embodiment, the policy engine 550 determines whether the client satisfies a policy associated with the rule. In still another embodiment, the policy engine 550 determines whether the client is able to access the resource according to the specified method for accessing the resource. In yet another embodiment, the policy engine 550 determines whether the identified resource provider is able to provide the requested resource according to the specified method for providing access. In other embodiments, the policy engine 550 continues to identify rules and apply the associated rules to the client until a rule is found that is associated with a policy the client satisfies and that identifies a server capable of providing the client with access to the requested resource according to a specified method.
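The rule walk described above (highest-priority rule first; fall through to a lower-priority rule whenever the client fails the filter, cannot use the rule's access method, or the rule's server cannot provide the resource that way) is illustrated by the following added example. It is not code from the patent or from any product; the `Rule` data model, the client-agent check in `client_can_use`, the server capability table and all sample data are constructed assumptions, and the trace list stands in for the intermediate results a simulator would display.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Assumed data model (not from the patent): a client is a plain dict such as
# {"av": True, "groups": {"sales"}, "agents": {"ica", "rdp"}}.
Client = dict


@dataclass(order=True)
class Rule:
    priority: int                                             # lower number = higher priority
    name: str = field(compare=False)
    filter: Callable[[Client], bool] = field(compare=False)   # pre-requisite the client must satisfy
    method: str = field(compare=False)                        # method for providing access
    server: str = field(compare=False)                        # server that would provide the resource


def client_can_use(client: Client, method: str) -> bool:
    """Constructed assumption: the client can use a method only if it runs a matching client agent."""
    return method in client.get("agents", set())


def server_can_provide(server: str, resource: str, method: str, capabilities: dict) -> bool:
    """Constructed capability table: server -> {method: {resources it can serve that way}}."""
    return resource in capabilities.get(server, {}).get(method, set())


def select_rule(client: Client, resource: str, rules: List[Rule],
                capabilities: dict) -> Tuple[Optional[Rule], List[Tuple[str, str]]]:
    """Walk rules in priority order and return (rule, trace) for the first rule whose
    filter the client satisfies, whose method the client can use, and whose server can
    provide the resource that way. Returns (None, trace) when no rule applies."""
    trace = []
    for rule in sorted(rules):                     # order=True sorts by priority only
        if not rule.filter(client):
            trace.append((rule.name, "client fails pre-requisite"))
            continue
        if not client_can_use(client, rule.method):
            trace.append((rule.name, f"client cannot use method {rule.method}"))
            continue
        if not server_can_provide(rule.server, resource, rule.method, capabilities):
            trace.append((rule.name, f"{rule.server} cannot provide {resource} via {rule.method}"))
            continue
        trace.append((rule.name, "selected"))
        return rule, trace
    return None, trace


# Constructed sample rules and server capabilities
RULES = [
    Rule(10, "trusted-ica", lambda c: c.get("av") is True, "ica", "srv-a"),
    Rule(20, "sales-rdp", lambda c: "sales" in c.get("groups", set()), "rdp", "srv-b"),
    Rule(30, "anyone-download", lambda c: True, "download", "srv-c"),
]
CAPS = {
    "srv-a": {"ica": {"payroll"}},
    "srv-b": {"rdp": {"payroll", "crm"}},
    "srv-c": {"download": {"crm"}},
}

if __name__ == "__main__":
    rule, trace = select_rule({"av": False, "groups": {"sales"}, "agents": {"rdp"}}, "payroll", RULES, CAPS)
    print(rule.name if rule else None, trace)
```

The trace records why each higher-priority rule was skipped, which is exactly the per-rule information an administrator needs when a request unexpectedly falls through to a lower-priority rule or to no rule at all.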
Referring now to FIG. 7A, a block diagram depicts one embodiment of a system for interactive policy evaluation using resultant sets of policies. In brief overview, a graphical user interface 700 receives a description 710 and displays a description 715, an interactive element 720 and a second interface element 730. The interactive element 720 displays a description of a policy 725 and the second element 730 displays a description of a decision 735. In some embodiments, the system includes a policy simulation engine 702 and at least one stored policy 704.
In one embodiment, the graphical user interface 700 provides an interactive tool allowing a user - such as an administrator defining and managing policies - to specify the details of a request for access to a resource and to view the applicable policies and the resulting permissions and settings. In another embodiment, the graphical user interface 300 receives, from a user of the graphical user interface, the description 710, which includes at least one of a description of a user, a description of a resource, and a description of a method of accessing a resource. In still another embodiment, the graphical user interface 700 displays a user interface element displaying policies applicable to any set of circumstances the user specifies, including theoretical circumstances. In yet another embodiment, the interactive tool simulates policy application to display, in the graphical user interface 700, an outcome of applying a policy to a set of characteristics associated with a user, a resource, or the user's request to access the resource. In some embodiments, the tool displays policies applied to previous requests. In one of these embodiments, the tool may use a session identifier to retrieve details associated with a previous request for access. In other embodiments, the interactive tool is a policy simulation engine 702.
Referring still to FIG. 7A, and in greater detail, a graphical user interface receives a description 710. The graphical user interface 700 receives, at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client. In one embodiment, the graphical user interface 700 includes a text box element displaying the received description of the client requesting access to the resource. In another embodiment, the graphical user interface 700 includes a text box element displaying the received description of the resource. In still another embodiment, the graphical user interface 700 includes a text box element displaying the received description of the method of access requested by the client.
In some embodiments, the graphical user interface 700 includes a user interface element for entering the description of the client. In one of these embodiments, the user interface element is a text box. In another of these embodiments, the user interface element is a drop-down menu. In still another of these embodiments, the user interface element is a graphical depiction of a directory structure. In other embodiments, the description of the client includes, but is not limited to, at least one of user identity, client IP address, virus checker status, and time of day.
In some embodiments, the graphical user interface 700 includes a user interface element for entering the description of the resource. In one of these embodiments, the user interface element is a text box. In another of these embodiments, the user interface element is a drop-down menu. In still another of these embodiments, the user interface element is a graphical depiction of a directory structure. In still even another of these embodiments, the user interface element is an element enumerating available resources.
In yet another of these embodiments, the user interface element is an element enumerating Uniform Resource Locators associated with available resources. In other embodiments, the description of the resource includes, but is not limited to, at least one of an identifier for the resource (e.g., a URI), a property of the resource (such as the file type or version), and an operating system executing on a machine providing access to the resource.
In some embodiments, the graphical user interface 700 includes a user interface element for entering the description of the method of access. In one of these embodiments, the user interface element is a text box. In another of these embodiments, the user interface element is a drop-down menu. In still another of these embodiments, the user interface element is an element enumerating available methods of access. In one embodiment, the interactive element 720 displays at least one policy applicable to the client request responsive to the received description. In other embodiments, the description of the method of access includes, but is not limited to, at least one of a type of access (download, view remotely, application streaming), a protocol (e.g., ICA, RDP, X11, VNC, etc.), and a software application executing on the client (e.g., an ICA client, an RDP client, an X11 client, a VNC client, etc.).
In some embodiments, the graphical user interface 700 displays the description 715, generated responsive to the received description 710. In one of these embodiments, the description 715 is the description 710. In another of these embodiments, the description 715 includes information in addition to the description 710. For example, in still another of these embodiments, the description 710 describes a user and the description 715 describes the user and a default method of accessing resources.
In some embodiments, the system includes a policy simulation engine 702. In one of these embodiments, the policy simulation engine 702 is a policy engine as described above in connection with FIGs. 2A-2B. In another of these embodiments, the policy simulation engine 702 replaces the policy engine 220. In still another of these embodiments, the system includes both a policy engine - which may be the policy engine 220 or a different policy engine - and the policy simulation engine 702.
In some embodiments, filters are used in conjunction with the policy simulation engine 702. In other embodiments, filters are used within policies, including, but not limited to, access control policies, auditing policies, network routing policies, load balancing policies, policies relating to error reporting, and failure handling policies. In still other embodiments, policy engines other than those described above in connection with FIGs. 2A-2B use filters to evaluate an action to take with respect to a particular user or resource. In one of these embodiments, the policy engine is not an active policy engine; for example, a policy engine may operate in a system for interactive policy evaluation without providing decisions for active sessions, while a second policy engine makes decisions.
In some embodiments, a filter is used to describe at least one characteristic for evaluation when applying a policy. In one of these embodiments, the at least one characteristic is associated with a resource. In another of these embodiments, the at least one characteristic is associated with a user. In still another of these embodiments, the at least one characteristic is associated with a combination of users or resources. In yet another of these embodiments, the at least one characteristic is evaluated to make a policy decision, such as an access control decision. In other embodiments, filters are used to determine whether at least one entity matches at least one specified condition.
In some embodiments, the policy simulation engine 702 accesses at least one stored policy 704. In other embodiments, a policy includes, or is defined by, one or more filters. In still other embodiments, a policy includes, or is defined by, one or more access control lists. In still even other embodiments, a stored policy 704 is a stored list of filters.
In yet other embodiments, the stored policy 704 includes a plurality of files.
In one of these embodiments, a file in a file server environment has an access control list associated with the file but neither the file nor the access control list is separately stored.
In one embodiment, an access control list maps at least one filter to an allowed or denied permission setting included in the access control list. In another embodiment, a filter is a simple or compound condition that may or may not be met by a client requesting access to a resource. In still another embodiment, simple conditions include group membership, role membership, IP range membership, and a characteristic of a client device requesting access to a resource, such as whether the client device executes a particular application or has access to a particular hardware resource. In yet another embodiment, compound conditions are combinations of simple conditions that may be defined using a filter editor.
In one embodiment, a filter describes at least one characteristic of a resource. In another embodiment, a filter may specify a group of resources to which a particular resource should belong to satisfy the filter, such as, for example, specifying a particular named group of resources (such as, "office applications"), and specifying an operating system from which the resource is accessed (the WINDOWS VISTA operating system), and specifying a display capability supported by a system from which the resource is accessed. In still another embodiment, and for example, a filter may include a "leaf" condition specifying at least one of the following: a group of resources to which the resource should belong, a sub-directory which should enumerate the resource, an operating system capable of supporting the resource, a computing capability provided by a system from which the resource is accessed (such as a display capability or computing functionality), a required network characteristic (such as a per-application IP address), an environment in which the resource should execute (for example, an isolation environment), or a licensing requirement (for example, requiring a license for a specific user or for a specific type of request).
In one embodiment, a filter describes a characteristic associated with a combination of a user and a resource. In another embodiment, the filter may specify a first condition associated with a user and a second condition associated with a resource, and to satisfy the filter, the user and the resource must each satisfy the specified conditions. In still another embodiment, the filter specifies that a user be authorized to access a resource - for example, that the user own the resource, be licensed to use the resource, or have permission from an external policy system to access the resource. In yet another embodiment, for example, a filter specifies that a user satisfy a first filter and that the resource satisfy a second filter.
In one embodiment, a filter applies to a plurality of users. In another embodiment, a filter may specify a condition that a group of users involved in a collaborative application must all satisfy in order to satisfy the filter, for example, that all users belong to a particular group, or that at least one of the plurality of users has a particular role. In still another embodiment, a filter applies to a plurality of resources. In still even another embodiment, a filter applies to a plurality of users and to a resource. In still even another embodiment, a filter applies to a plurality of users and to a plurality of resources. In yet another embodiment, a filter applies to a plurality of resources and to a user.
In some embodiments, a filter is used in combination with a weight. In one of these embodiments, a weight is assigned to a condition and if the weight passes a threshold, the filter is satisfied. In other embodiments, weights are used in policies instead of filters. In still other embodiments, a policy specifies a requirement for a priority assigned to a particular resource or method of accessing the resource. In yet other embodiments, a policy is used in combination with a neural network.
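The passages above describe filters as simple ("leaf") conditions such as group, role or IP-range membership and a client-device property, compound conditions built from them, access control lists that map a filter to an allowed or denied permission, and filters satisfied when a summed weight passes a threshold. The following added example puts those pieces together in Python; it is not code from the patent or any product. The predicate-based filter representation, the first-match ACL semantics with a default of deny, the context dictionary keys and all sample clients are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed request context: what the engine knows about the requesting client, e.g.
# {"groups": {"sales"}, "roles": set(), "ip": "10.1.2.3", "apps": {"av"}}.
Context = Dict[str, object]
Cond = Callable[[Context], bool]


# Leaf ("simple") conditions: each is a predicate over the context.
def in_group(name: str) -> Cond:
    return lambda ctx: name in ctx.get("groups", set())


def has_role(name: str) -> Cond:
    return lambda ctx: name in ctx.get("roles", set())


def in_ip_range(cidr: str) -> Cond:
    net = ipaddress.ip_network(cidr)
    return lambda ctx: "ip" in ctx and ipaddress.ip_address(ctx["ip"]) in net


def runs_app(name: str) -> Cond:
    """Client-device characteristic: the client executes a particular application."""
    return lambda ctx: name in ctx.get("apps", set())


# Compound conditions: combinations of simple (or other compound) conditions.
def all_of(*conds: Cond) -> Cond:
    return lambda ctx: all(c(ctx) for c in conds)


def any_of(*conds: Cond) -> Cond:
    return lambda ctx: any(c(ctx) for c in conds)


def not_(cond: Cond) -> Cond:
    return lambda ctx: not cond(ctx)


def weighted(threshold: float, *pairs: Tuple[Cond, float]) -> Cond:
    """Weighted filter: satisfied once the summed weight of the met conditions reaches the threshold."""
    return lambda ctx: sum(w for c, w in pairs if c(ctx)) >= threshold


@dataclass
class AclEntry:
    filter: Cond
    permission: str          # "allow" or "deny"


def evaluate_acl(acl: List[AclEntry], ctx: Context, default: str = "deny") -> Tuple[str, List[bool]]:
    """First-match ACL (assumed semantics): return the permission of the first entry whose
    filter the context satisfies, plus the full per-entry match vector, which is what a
    simulator would show beside each ACL entry. Nothing matching falls back to deny."""
    matches = [entry.filter(ctx) for entry in acl]
    for entry, hit in zip(acl, matches):
        if hit:
            return entry.permission, matches
    return default, matches


# Constructed sample policy as an ACL of (filter -> permission) entries.
ACL = [
    AclEntry(all_of(in_group("contractors"), not_(in_ip_range("10.0.0.0/8"))), "deny"),
    AclEntry(any_of(has_role("admin"), all_of(in_group("sales"), runs_app("av"))), "allow"),
    AclEntry(weighted(2.0, (in_ip_range("10.0.0.0/8"), 1.0),
                           (runs_app("av"), 1.0),
                           (in_group("staff"), 0.5)), "allow"),
]

if __name__ == "__main__":
    print(evaluate_acl(ACL, {"groups": {"staff"}, "apps": {"av"}, "ip": "10.5.5.5"}))
```

Returning the whole match vector rather than only the winning entry is the choice that makes the ACL useful in a simulator: an administrator can see that a request was denied by entry 1 even though entry 2 would have allowed it, which is the kind of intermediate result the interactive tool displays.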
In some embodiments, a filter defines a dynamic group. In one of these embodiments, the filter identifies a user belonging to the dynamic group. In another of these embodiments, the filter identifies a user excluded from the dynamic group. In still another of these embodiments, a member of the dynamic group satisfies a requirement specified by the filter. In some embodiments, the graphical user interface 700 provides an administrator with an improved method for generating filters and filter-based policies and simulating the result of applying the policy to a particular client or resource.
In one embodiment, the graphical user interface 700 allows an administrator to enter all details relating to a client, a resource, and an access method. In another embodiment, the graphical user interface 700 displays the access permissions and settings that result from simulating an application of a policy to the client, resource, or access method. In still another embodiment, only some details are entered, and the graphical user interface 700 lists the possible values for the other settings with the resulting access for each. For example, the graphical user interface 700 may allow the administrator to specify what type of access is required (access via presentation layer protocol connection to a server, access via downloading, access via application streaming, etc.) before displaying a description of whether access is allowed or denied and whether any alternatives are available.
In one embodiment, a server 106 displays the graphical user interface 700. In another embodiment, a client 102 displays the graphical user interface 700.
The graphical user interface 700 displays a plurality of interface elements providing a number of different views of actual or theoretical access requests and decisions.
Some or all of these interface elements may be optional, and some may not apply to certain access attempts. Each view may be presented as a window, tab, panel or other abstraction. Each view displays some details of the access attempt and may also allow modification of these details. In one embodiment, all views operate on the same underlying data, so that a change made by the administrator in one view leads to immediate changes to all other views. Although only certain views are described in connection with FIGs. 7A-7D, it should be understood that the system may provide multiple ones of any or each of those components and that other views representing different ways of viewing or manipulating the data displayed in the graphical user interface may be presented.
Referring now to FIG. 7B, a screen shot depicts one embodiment of a graphical user interface element for receiving and displaying a description of a client requesting access to a resource. FIG. 7B depicts the graphical user interface 700 and a description 715 generated from the received description 710. In the embodiment depicted by FIG. 7B, the graphical user interface 700 received a description of a client requesting access to the resource, the description including an identification of an operating system executing on a client, an identification of an anti-virus program executing on the client, a type of network to which the client connects, and an internet protocol address associated with the client.
In one embodiment, the description of the client includes information associated with a client - such as machine type, operating system version, software executing on the client, network configuration details, and information about a user of the client - and allows the administrator to enter or change the information. In another embodiment, the graphical user interface displays an interface element for loading the information from a file or saving the information to a file. In still another embodiment, the graphical user interface 700 displays a description generated from a list of applicable client data retrieved from a directory.
In some embodiments, the graphical user interface 700 includes an interface element for receiving and displaying a description of a client requesting access to a resource. In one of these embodiments, the interface element includes a text box, a drop-down menu, hyperlink, or a graphical depiction of a directory structure. For example, and as shown in FIG. 7B, the graphical user interface may include an interface element 705 into which a user, such as an administrator, can enter the description 710.
Referring now to FIG. 7C, a screen shot depicts one embodiment of a graphical user interface element for displaying a description of a resource requested by the client.
In one of these embodiments, the interface element may be a text box, an element enumerating available resources, an element enumerating Uniform Resource Locators associated with available resources, a drop-down menu, or a graphical depiction of a directory structure. In still other embodiments, the graphical user interface 700 includes an interface element for displaying a description of a method for accessing a requested resource. In one of these embodiments, the interface element may be a text box, an element enumerating available methods of access, or a drop-down menu.
In one embodiment, the graphical user interface 700 includes an interface element allowing a user to enter or modify a description of a resource. In another embodiment, the graphical user interface 700 may display an enumeration of resources retrieved from a resource directory. In still another embodiment, the description of the resource is an identifier of the resource, such as a uniform resource identifier. In still even another embodiment, the graphical user interface 700 includes an interface element allowing a user to enter or modify a description of a policy. In yet another embodiment, the graphical user interface 700 includes an interface element allowing a user to enter or modify a description of a filter.
Referring now to FIG. 7D, a screen shot depicts one embodiment of a graphical user interface element for displaying a description of a method of access requested by the client. The method of access indicates the type of access attempted by the client. In one embodiment, the description is of a method for retrieving a resource such as an application program. In another embodiment, the description is of a method for accessing a remotely-executing resource, for example, via a presentation layer protocol connection between the client and a machine remote to the client. In still another embodiment, the description is of a method for streaming the resource to the client from a machine remote to the client.
Referring back to FIG. 7A, the interactive element 720 displays a description of a policy 725 and the second element 730 displays a description of a decision 735. The interactive element 720 displays at least one policy applicable to the client request for access to the resource. In one embodiment, the interactive element 720 displays at least one policy applicable to the client request, the at least one policy identified responsive to the received description. In another embodiment, the interactive element 720 displays all the policies that have an effect on whether access is allowed or denied for the specified client/resource and access method described. In another embodiment, the interactive element 720 includes a user interface element for requesting an override of an aspect of the policy. In still another embodiment, the interactive element 720 includes a user interface element for viewing and modifying a filter, condition or sub-policy associated with the policy.
The second element 730 in the graphical user interface 700 displays a decision made by applying the at least one policy to the received description. In some embodiments, the second element 730 includes a user interface element displaying a decision made by applying a policy already in use by an administrator in determining access rights. In other embodiments, the second element 730 includes a user interface element displaying a second decision made by applying a second policy to a second received description. In still other embodiments, the interactive element 720 includes a user interface element for requesting an override of an aspect of the policy.
Referring now to FIG. 7E, a screen shot depicts one embodiment of a user interface element displaying a decision. FIG. 7E includes the graphical user interface 700, an interactive element 720 including a description of at least one policy 725, and a second element 730 including a description of a decision 735. In some embodiments, and as depicted in FIG. 7E, the graphical user interface 700 displays the interactive element 720 and the second element 730 in a first interface element and displays the description 715 in a second interface element. In other embodiments, the graphical user interface 700 displays the interactive element 720, the second element 730, and the description 715 in a single interface element. In still other embodiments, and as shown in FIG. 7E, the graphical user interface 700 displays the interactive element 720 and the second element 730 in a single interface element. Alternatively, as shown in FIG. 7A, the graphical user interface 700 may display the interactive element 720 and the second element 730 as separate interface elements.
In some embodiments, the description of the policy 725 includes an access control list. In one of these embodiments, for each entry in the access control list, the description of the policy 725 indicates whether the client satisfies the requirement in the access control list. In other embodiments, the description of the policy 725 includes a description of a level of auditing that would be applied if the policy 725 were applied to a request. In still other embodiments, the description of the policy 725 includes a description of a method of caching that would be applied if the policy 725 were applied to a request. In yet other embodiments, the description of the policy 725 includes a description of a method of load balancing that would be applied if the policy 725 were applied to a request.
In one embodiment, the description of the policy 725 lists all policies that have an effect on whether access is allowed or denied for the specified client, resource, or access method. In another embodiment, in which no access method is specified, the description of the policy 725 lists all policies that have an effect on any access method.
In still another embodiment, for each policy, the applicability to the client or resource is highlighted together with any intermediate results. Intermediate results display a summary of how the results from different applicable policies affect the final decision - for example, and as shown in FIG. 7E, a policy for trusted clients might allow a method of access but a policy for clients who are members of a particular group ("Sales" in FIG. 7E) might deny the same method and (in the example shown in FIG. 7E) this results in a summary indicating that combining those two policies would result in a denial of access for the specified client.
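The resultant-set behaviour just described (every applicable policy listed with its own intermediate result, then a summary of the combined decision, and, when no access method is specified, the outcome for each possible method) is shown by the following added example, written for this page and not taken from the patent or any product. The `Policy` model with per-method decisions, the deny-overrides-allow combination rule, the list of access methods and the "Trusted clients" / "Sales group" sample policies are constructed assumptions modelled on the FIG. 7E scenario in the text.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model: a policy applies when its filter matches the request
# ({"client": {...}, "resource": {...}}) and states, per access method,
# whether that method is allowed or denied; methods it does not mention are left undecided.
@dataclass
class Policy:
    name: str
    applies: Callable[[dict], bool]
    decisions: Dict[str, str]          # method -> "allow" | "deny"


@dataclass
class Intermediate:
    policy: str
    applicable: bool
    decision: Optional[str]            # None when the policy is silent for this method


METHODS = ["ica", "rdp", "download", "stream"]   # constructed list of access methods


def resultant_set(policies: List[Policy], request: dict, method: str) -> Tuple[str, List[Intermediate]]:
    """Per-policy intermediate results for one access method plus the combined decision.
    Combination rule (assumed): any applicable deny wins, otherwise any applicable allow,
    otherwise access is denied because no policy grants it."""
    rows = []
    for policy in policies:
        applicable = bool(policy.applies(request))
        rows.append(Intermediate(policy.name, applicable,
                                 policy.decisions.get(method) if applicable else None))
    votes = {row.decision for row in rows if row.decision}
    if "deny" in votes:
        final = "deny"
    elif "allow" in votes:
        final = "allow"
    else:
        final = "deny (no policy grants)"
    return final, rows


def simulate(policies: List[Policy], request: dict,
             method: Optional[str] = None) -> Dict[str, Tuple[str, List[Intermediate]]]:
    """With a method given, evaluate that method only; with none given, enumerate every
    method with its resulting access, as the tool does when some details are left blank."""
    targets = [method] if method else METHODS
    return {m: resultant_set(policies, request, m) for m in targets}


# Constructed sample policies mirroring the FIG. 7E discussion.
POLICIES = [
    Policy("Trusted clients",
           lambda r: r["client"].get("av_ok") is True and r["client"].get("network") == "corp",
           {"ica": "allow", "rdp": "allow", "stream": "allow"}),
    Policy("Sales group",
           lambda r: "Sales" in r["client"].get("groups", set()),
           {"ica": "deny", "download": "deny"}),
    Policy("Public docs",
           lambda r: r["resource"].get("type") == "public",
           {"download": "allow"}),
]

# Constructed request: a trusted client whose user is in "Sales" asks for an internal resource.
REQ = {"client": {"av_ok": True, "network": "corp", "groups": {"Sales"}},
       "resource": {"type": "internal"}}

if __name__ == "__main__":
    for m, (final, rows) in simulate(POLICIES, REQ).items():
        print(m, final, [(r.policy, r.decision) for r in rows if r.applicable])
```

For `REQ` and the `ica` method the rows show "Trusted clients" allowing and "Sales group" denying, and the summary is a denial, which is the combination the text describes; asking for all methods at once shows that the same client could still use `rdp` or `stream`, the "alternatives available" information the tool is meant to surface.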
In some embodiments, the graphical user interface displays an interface element allowing a user to select some or all of the data used in the tool to be presented in report form. In one of these embodiments, the user can highlight data for inclusion in a standard multi-part report. In another of these embodiments, the user can install custom report templates for use in report generation. In still another of these embodiments, the user can request the output of all data into the report, including client and resource details, overrides, policies applied and resultant access, auditing, session and other settings.
Referring now to FIG. 8A, a flow diagram depicts one embodiment of the steps taken in a method for interactive policy evaluation using resultant sets of policies. In brief overview, a graphical user interface receives at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client (step 802). The graphical user interface displays at least one policy applicable to the received description (step 804). The graphical user interface displays a decision made by applying the at least one policy to the received description (step 806).
Referring still to FIG. 8A, and in greater detail, a graphical user interface receives at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client (step 802). In one embodiment, the graphical user interface displays a plurality of interactive elements, which form an interactive tool allowing an administrator to specify a circumstance (such as a scenario in which a user requests access to a resource) and to view which policies would be applied in the circumstance and the permissions that result from applying the policies to the circumstance. In another embodiment, the administrator may also use the interactive tool to view the policies that would be applied under theoretical circumstances. For example, an administrator may specify a type of client request for a type of access to determine whether a client or user will be impacted by a policy change, or to determine what access rights a user needs in order to access a particular resource. In still another embodiment, the user of the graphical user interface 700 enters data associated with either a client requesting access to a resource or associated with the requested resource or associated with a policy applicable to the client requesting access.
In some embodiments, the user provides data directly to the graphical user interface 700.
In other embodiments, the user provides data to the policy simulation engine 702.
In one embodiment, the graphical user interface 700 receives, in the description of the client, a user identifier. In another embodiment, the graphical user interface 700 receives, in the description of the client, a client internet protocol (IP) address. In still another embodiment, the graphical user interface 700 receives an identification of a virus-checking program on the client. In yet another embodiment, the graphical user interface 700 receives, in the description of the client, a time of day.
In one embodiment, the graphical user interface 700 receives, in the description of the resource, an identifier of the resource. In another embodiment, the graphical user interface 700 receives, in the description of the resource, an identification of a property of the resource. In still another embodiment, the graphical user interface 700 receives, in the description of the resource, a file type of the resource. In still even another embodiment, the graphical user interface 700 receives, in the description of the resource, an identification of a server on which the resource resides. In yet another embodiment, the graphical user interface 700 receives, in the description of the resource, an identification of an operating system executed by a server on which the resource resides.
In one embodiment, the graphical user interface 700 retrieves, from a database, a configuration file identifying a file type of the resource. In another embodiment, the graphical user interface 700 retrieves, from a database, a configuration file identifying a server on which the resource resides. In still another embodiment, the graphical user interface 700 retrieves, from a database, a configuration file identifying an operating system executed by a server on which the resource resides. In yet another embodiment, the graphical user interface 700 retrieves, from a database, a configuration file storing a description of the client. In some embodiments, the graphical user interface retrieves, from a database, a state file saved by an administrator. In other embodiments, the graphical user interface 700 retrieves, from a database, a state file generated responsive to a user error.
In one embodiment, the graphical user interface 700 receives, in the description of the requested method of access, a description of a request to retrieve the resource. In another embodiment, the graphical user interface 700 receives, in the description of the requested method of access, a description of a request to remotely access the resource. In still another embodiment, the graphical user interface 700 receives, in the description of the requested method of access, a description of a request, a description of a presentation layer protocol. In still even another embodiment, the graphical user interface receives, in the description of the requested method of access, a description of a request, a description of a type of client agent. In yet another embodiment, the graphical user interface 700 displays a graphical user interface element displaying the at least one policy applicable to the client request for access to the resource.
The graphical user interface displays at least one policy applicable to the client request for access to the resource (step 804). In one embodiment, the graphical user interface displays a user interface element displaying the at least one policy. In some embodiments, the at least one policy is applicable to the received description of the client or the resource or the access method. In one of these embodiments, the description of the client includes information identifying a group of users to which a user of the client belongs and to which the at least one policy applies. In another of these embodiments, the description of the access method identifies a requested method to which the at least one policy applies. In still another of these embodiments, the description of the resource identifies a type of resource to which the at least one policy applies.
In one embodiment, the graphical user interface 700 displays the at least one policy responsive to receiving a request for information associated with the at least one policy. For example, the user may request additional information associated with a decision and receive a display of the at least one policy that affected the outcome of the decision. In another embodiment, the graphical user interface 700 displays at least one filter associated with the policy. For example, the user may request additional information associated with the at least one policy and receive the display of at least one filter which is a requirement for satisfaction of the policy. In some embodiments, the graphical user interface 700 displays a user interface element allowing a user to modify at least one filter associated with the policy. In other embodiments, the graphical user interface 700 displays a user interface element allowing a user to modify the policy.
The graphical user interface displays a decision made by applying the at least one policy to the received description (step 806). In some embodiments, the graphical user interface 700 displays a resultant set associated with the application of the at least one policy to the client request for access to the resource. In one embodiment, the graphical user interface 700 displays a result of simulating the application of a policy to a request, responsive to the received details in description 710. In some embodiments, the graphical user interface 700 displays a decision generated by a simulation component, such as a policy simulation engine 702. In other embodiments, the graphical user interface 700 displays a first decision inferred from a second decision. In one of these embodiments, a user provides a description of a client, a resource, or a method of access and a simulation tool - such as a policy simulation engine 702 - identifies a first decision from which the simulation tool infers a second decision and transmits the information to the graphical user interface 700 for display. For example, and in another of these embodiments, the first decision indicates that a client, a resource, or a method of access fails to satisfy a first filter. In this embodiment, if a second filter or a policy requires the satisfaction of the first filter, the simulation tool may infer that the second filter or policy will not be satisfied either. In another embodiment, the resulting second decision will indicate that the user of the client is not authorized to access the resource according to the method of access. In still another of these embodiments, a user of the graphical user interface 700 may indicate that a first filter is met or unmet and the simulation tool will determine that a second filter is defined in such a way that it is possible to infer the value of the second filter given the known value of the first filter. In still even another of these embodiments, the tool can signal that such a value is derived from other input values, rather than from that input explicitly.
In some embodiments, the graphical user interface 700 receives, from a simulation component, a decision made by applying the at least one policy to the received description. In one of these embodiments, for example, the simulation component receives the description from the graphical user interface 700, simulates the application of the at least one policy to the received description and transmits, to the graphical user interface 700, the decision. In another of these embodiments, the decision is transmitted to other tools, in addition to the graphical user interface. In still another of these embodiments, the simulation component is a policy simulation engine 702.
In some embodiments, a policy may be an expression, which may be evaluated in a context to determine the result. In one of these embodiments, the context describes some or all of the characteristics of a scenario in which the policy is applied. For example, the context may include the client name, the client's IP address, or the resource's name; however, the context need not specify all of the details of the scenario.
In another of these embodiments, where the policy is an access control policy, this determined result may be a decision to allow or deny a request. In still another of these embodiments, where the policy is an access routing policy, the determined result may specify a particular method of access - for example, specifying that the client may download, access remotely, or transform a requested resource from one format to another.
In some embodiments, a policy simulation engine 702 simulates an application of a policy to generate a result displayed by the graphical user interface 700. In one of these embodiments, the policy simulation engine 702 is an actively used policy engine that makes decisions for active sessions. In other embodiments, a simulation policy engine, which is not an active policy engine making decisions for active sessions, simulates an application of a policy to generate a result displayed by the graphical user interface 700.
In some embodiments, the simulation takes place as it would in an active "run-time" environment. In one of these embodiments, if information is needed that is unknown then the same determination is made that would be taken if the information is unknown at run-time - typically this might be to assume the 'default' or to raise an error.
In other embodiments, the simulation propagates any uncertainties, and operations in the policy expression are explicitly extended to describe how uncertainty should be propagated. In one of these embodiments, for example, the expression (User=Fred) will return either 'true' or 'false' during runtime, but, during tristate simulation, the simulation may also return 'unknown' if the user name is not known. Similarly, a combinatory operator such as 'and' may be used in parts of the policy expression. For 'normal' operation, the 'and' operator has the following transition table:

| Inputs | Output |
| --- | --- |
| All inputs are 'true' | True |
| Any input is 'false' | False |

During 'tristate' evaluation the transition table is extended:

| Inputs | Output |
| --- | --- |
| All inputs are 'true' | True |
| Any input is 'false' | False |
| At least one input is 'unknown' and all other inputs are 'true' | Unknown |

Similarly the 'not' and 'or' operators are extended as follows:

"Or" Operator

| Inputs | Output |
| --- | --- |
| Any input is 'true' | True |
| All inputs are 'false' | False |
| At least one input is 'unknown' and all other inputs are 'false' | Unknown |

"Not" Operator

| Input | Output |
| --- | --- |
| Input is 'True' | False |
| Input is 'False' | True |
| Input is 'Unknown' | Unknown |

Any policy may be described using such an expression.
Referring now to FIG. 8B, a screen shot depicts one embodiment of a graphical user interface displaying a decision generated responsive to an automatic inference. As shown in FIG. 8B, an administrator has indicated, in a first interface element 810, that a first filter ("Trend") is not satisfied (by interacting with a second interface element 815).
The simulation tool identifies a second filter ("Trusted Users") as a compound filter, relying on the satisfaction of all of its sub-filters to reach a determination that a client request is authorized (identified in FIG. 8B by the "and" clause, which indicates that, in this embodiment, the second filter requires satisfaction of all the conjunctive sub-filters), and determines that the first filter is one of the sub-filters of the second filter; therefore, the simulation tool can infer that if the first filter is not met, the second filter will not be met, regardless of whether the other sub-filters on which the satisfaction of the compound second filter relies are themselves satisfied. In some embodiments, a user of the graphical user interface 700 may interact with an interface element to request an override of an inference. In one of these embodiments, requesting an override results in the simulation tool generating a decision indicating that the overridden filter was met even if an analysis of related filters would have otherwise resulted in generation of a decision indicating that the overridden filter was not met (or vice versa, as appropriate). In other embodiments, the graphical user interface 700 displays an identification of an overridden filter, the filter override resulting from an evaluation of other data or filters. In still other embodiments, the graphical user interface 700 displays an identification of an overridden policy.
In some embodiments, the graphical user interface 700 displays an interface element displaying a summary of a decision. In one of these embodiments, the summary includes a description of how the interactive tool determined the decision. In another of these embodiments, the summary includes a description of at least one policy that affected the decision. In still another of these embodiments, the summary includes a description of a deficiency in the client, the request or the resource that resulted in a particular decision. In yet another of these embodiments, the summary includes a description of a characteristic of the client, the request, or the resource that satisfied a requirement of a policy, resulting in a particular decision. In yet another of these embodiments, the summary includes a description of an effect one policy had on a second policy that resulted in a particular decision. For example, the summary may include a description of a first policy that requires a client, a resource, or a request to satisfy a second policy where failure to meet the requirements of the second policy results in failure to satisfy the first policy.
In some embodiments, the graphical user interface 700 displays summaries for a plurality of decisions. In one of these embodiments, the graphical user interface 700 displays a given scenario (details regarding at least one of a client, a resource, and a request for access to the resource by the client) against multiple stored sets of policies. In another of these embodiments, the graphical user interface 700 displays a decision resulting from an application of a first, existing policy to the scenario and also displays a decision resulting from an application of a second existing policy, which is a modified version of the first policy. In another of these embodiments, the graphical user interface 700 displays a decision resulting from an application of a first, existing policy to the scenario and also displays a decision resulting from an application of a second theoretical policy, which is a modified version of the first policy. In another of these embodiments, the graphical user interface 700 displays a decision resulting from an application of a first theoretical policy to the scenario and also displays a decision resulting from an application of a second theoretical policy, which is a modified version of the first policy.
In still another of these embodiments, the graphical user interface 700 displays the differences between the decisions resulting from an application of each of the policies to the scenario. In yet another of these embodiments, viewing multiple decisions together allows an administrator to view the effect of different policies on a number of scenarios before the administrator begins enforcing any of the policies.
Referring now to FIG. 8C, and in some embodiments, the graphical user interface 700 includes an interface element 820 that displays a filter, or condition, that is used in a policy. In one embodiment, the interactive tool provided by the graphical user interface 700 generates a decision by determining whether a client, a resource or an access request satisfies a policy defined by a filter. In another embodiment, the applicability of policies generally depends on whether the client and/or resource meet a number of conditions. In another of these embodiments, these conditions are separately named and classified - for example "Trusted Client", "Access from Partner Site" or "Has Trend Installed". Such classifications may be referred to as 'Named Filters'. The filters may also be referred to as 'Dynamic Groups', as they act as a dynamic classification of clients into those clients who do or do not meet a certain set of criteria.
In one embodiment, the interface element 820 allows an administrator to view all or some of the defined named filters, and to view which filters the client or resource matches or does not match. In another embodiment, the interface element 820 allows a user to request the display of any sub-filters and conditions that make up a filter. In some embodiments, these sub-filters and conditions are defined as Boolean expressions - such as "Operating System is Windows AND Trend Version is greater than 5". In other embodiments, the tool also allows the administrator to override the definition of a filter and assume that the client does or does not match it (regardless of its original definition).
In one of these embodiments, the ability to override the definition of a filter allows a user to debug proposed changes to the filter, or to determine what access would be permitted if the system changes slightly (for example, if the client upgraded a virus checker). In another of these embodiments, the interface element 820 displays an indication for each filter of whether a described client currently satisfies a requirement of the displayed filter, and whether the user requested an override of this value. In still another of these embodiments, a user interface element in the graphical user interface 700 provides a link allowing a user to view a particular test or filter where overrides were requested. In still other embodiments, the interface element 820 may display all defined named filters, or only a selection - for example, only those used in a policy or only those requested by the user.
In some embodiments, the graphical user interface 700 receives a modification to at least one filter. In one of these embodiments, the graphical user interface 700 displays a decision identified by the modified filter. In another of these embodiments, a determination is made, responsive to the modification, not to apply the applicable at least one policy to the received description. In still another of these embodiments, a determination is made, responsive to the modification, to apply at least one inapplicable policy to the received description. In yet another of these embodiments, the determination is displayed in the graphical user interface 700.
In some embodiments, the graphical user interface 700 receives a modification to at least one policy. In one of these embodiments, the graphical user interface displays a decision identified by the modified policy. In another of these embodiments, a determination is made, responsive to the modification, not to apply the applicable policy to the received description. In still another of these embodiments, a determination is made, responsive to the modification, to apply at least one inapplicable policy to the received description. In yet another of these embodiments, the determination is displayed in the graphical user interface 700.
In one embodiment, the graphical user interface 700 receives a modification of the description of the user. In another embodiment, the graphical user interface 700 displays a decision identified by an application of the at least one policy to the modified user. In still another embodiment, the graphical user interface 700 receives a modification of the description of the requested resource. In yet another embodiment, the graphical user interface 700 displays a decision identified by an application of the at least one policy to the modified resource request.
In some embodiments, in addition to displaying the policies and settings that would be used for the given circumstance, allowing a user to enter a modification to a description or a policy allows many aspects of policy configuration to be overridden. For example, if a description of a decision specified that a client did not pass a 'Has Virus Checker Installed' test, then the administrator could override this setting and determine whether, if the client did pass this test, the decision would change. Similarly, the administrator may indicate that a particular policy should be ignored, or that a particular server or service should be considered as out of service. In one of these embodiments, these facilities (which may collectively be referred to as "overrides") allow the tool to be used by the administrator to perform this type of 'what if' analysis.
In one embodiment, allowing the value of an entire expression or any sub-expression to be overridden allows a policy simulation engine 702 to make an assumption. For example, a user might specify that, for the purposes of investigation, evaluation of an expression "User is member of group 'sales'" should be treated as evaluating to 'true' - or equally should be treated as evaluating to 'false', regardless of whether this is actually the case. In another embodiment, an override may be used as a shorthand or for 'what if' analyses. For example, a user may want to answer the question "if I modified Policy 1 to disallow access for this group, what would the overall effect be". An example of a use of overrides as a shorthand might be "I know this is a trusted user - so mark the 'trusted users' filter as true"; this may be quicker and simpler than entering all the user's details to cause the evaluation to take place.
In some embodiments, rather than providing buttons or other user interface elements to allow the administrator to change between "no override", "override as true" and "override as false", the graphical user interface 700 provides a toggle control to toggle between "evaluates to true" and "override as false" for expressions that naturally evaluate to true, and a toggle between "evaluates to false" and "override as true" for expressions that naturally evaluate to false. In one of these embodiments, during tristate evaluation, a toggle can be used to cycle between three cases - true, false and unknown (one of which will be the natural evaluated value, the other two of which will be overrides). In another of these embodiments, where one policy references a second policy, or other reusable parts of a policy (such as named filters), then an override to a reusable part will apply equally to all uses of that reusable part. For example, if Policy 1 is defined as "if(Filter1) return 'red' else 'blue'", and if Policy 2 is defined as "if(Filter1) return 'orange' else 'green'", then overriding Filter1 will affect both policies - leading to either (Policy1=red, Policy2=orange) or (Policy1=blue, Policy2=green). In still another of these embodiments, it is also possible to override only one of these by overriding the reference to the shared element.
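As an added example (not code from the patent or any product it describes), the following Python simulator implements the tristate 'and'/'or'/'not' transition tables given above, the sub-filter inference of FIG. 8B (a compound 'and' filter is false once one sub-filter is overridden to false, whatever the other inputs), and the shared-versus-per-reference filter override just described for Policy 1 and Policy 2. The expression classes, the attribute names and the "Trend" / "Trusted Users" filter definitions are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

TRUE, FALSE, UNKNOWN = "true", "false", "unknown"

def tri_and(*inputs: str) -> str:
    # 'and' table: any false -> false; else any unknown -> unknown; else true
    if FALSE in inputs:
        return FALSE
    return UNKNOWN if UNKNOWN in inputs else TRUE

def tri_or(*inputs: str) -> str:
    # 'or' table: any true -> true; else any unknown -> unknown; else false
    if TRUE in inputs:
        return TRUE
    return UNKNOWN if UNKNOWN in inputs else FALSE

def tri_not(value: str) -> str:
    # 'not' table: unknown stays unknown
    return {TRUE: FALSE, FALSE: TRUE, UNKNOWN: UNKNOWN}[value]

@dataclass(frozen=True)
class Test:          # leaf condition, e.g. Test("user", "=", "Fred")
    attr: str
    op: str          # "=" or ">"
    value: object

@dataclass(frozen=True)
class Op:            # combinator: kind is "and", "or" or "not"
    kind: str
    parts: Tuple["Expr", ...]

@dataclass(frozen=True)
class Ref:           # use of a named filter; `override` pins this one reference only
    name: str
    override: Optional[str] = None

Expr = Union[Test, Op, Ref]

@dataclass(frozen=True)
class Policy:        # "if(cond) return then_value else else_value"
    cond: Expr
    then_value: str
    else_value: str

class Simulator:
    def __init__(self, filters: Dict[str, Expr], context: Dict[str, object],
                 tristate: bool = True):
        self.filters = filters        # named filters ("dynamic groups")
        self.context = context        # possibly partial scenario description
        self.tristate = tristate      # False: behave as at run-time, error on unknown
        self.filter_overrides: Dict[str, str] = {}  # applies to every use of a filter

    def override_filter(self, name: str, value: str) -> None:
        self.filter_overrides[name] = value

    def evaluate(self, expr: Expr) -> str:
        if isinstance(expr, Ref):
            if expr.override is not None:           # override of this reference only
                return expr.override
            if expr.name in self.filter_overrides:  # override of the shared filter
                return self.filter_overrides[expr.name]
            return self.evaluate(self.filters[expr.name])
        if isinstance(expr, Test):
            if expr.attr not in self.context:
                if self.tristate:
                    return UNKNOWN                  # propagate the uncertainty
                raise KeyError(f"run-time evaluation needs input {expr.attr!r}")
            actual = self.context[expr.attr]
            hit = actual == expr.value if expr.op == "=" else actual > expr.value
            return TRUE if hit else FALSE
        vals = [self.evaluate(p) for p in expr.parts]
        if expr.kind == "not":
            return tri_not(vals[0])
        return tri_and(*vals) if expr.kind == "and" else tri_or(*vals)

    def decide(self, policy: Policy) -> str:
        cond = self.evaluate(policy.cond)
        if cond == UNKNOWN:
            return UNKNOWN
        return policy.then_value if cond == TRUE else policy.else_value

# Constructed filters: "Trusted Users" is a compound 'and' filter that requires "Trend".
FILTERS: Dict[str, Expr] = {
    "Trend": Op("and", (Test("os", "=", "Windows"), Test("trend_version", ">", 5))),
    "Trusted Users": Op("and", (Test("group", "=", "sales"), Ref("Trend"))),
}
POLICY1 = Policy(Ref("Trusted Users"), "red", "blue")
POLICY2 = Policy(Ref("Trusted Users"), "orange", "green")

def run_scenario(context: Dict[str, object]) -> Dict[str, object]:
    sim = Simulator(FILTERS, context)
    out: Dict[str, object] = {"natural": sim.evaluate(Ref("Trusted Users"))}
    # Administrator marks "Trend" unmet: the compound filter is inferred false even
    # though group membership is still unknown (the inference shown in FIG. 8B).
    sim.override_filter("Trend", FALSE)
    out["trend_false"] = sim.evaluate(Ref("Trusted Users"))
    out["policies"] = (sim.decide(POLICY1), sim.decide(POLICY2))  # shared override hits both
    local = Policy(Ref("Trusted Users", override=TRUE), "orange", "green")  # Policy 2 only
    out["local_override"] = (sim.decide(POLICY1), sim.decide(local))
    return out
```

With a partial context such as `{"user": "Fred", "os": "Windows"}` the natural value of "Trusted Users" is unknown, the "Trend" override forces it to false for both policies, and the per-reference override changes only the copy of Policy 2 that carries it.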
In one embodiment, the graphical user interface 700 provides an interface element for generating a display of these analyses indicating that the analyses are provided as a result of an override request and identifying the overridden filter, condition or policy. In other embodiments, the administrator may configure the tool to allow the tool to identify by inference a condition that the administrator could satisfy in order to satisfy an overridden or unsatisfied policy. In one of these embodiments, the tool may identify a valid set of values that would satisfy any of the terms in a compound condition.
The graphical user interface and the policy simulation engine provide functionality allowing users, such as administrators, to interactively evaluate a wide variety of policies using dynamically generated, interactive resultant sets of policies. In some embodiments, the graphical user interface displays a decision made by applying the at least one access control policy to the at least one received description; in some of these embodiments, the graphical user interface receives the decision for display from the policy simulation engine that simulates the application of the at least one access control policy. For example, FIGs. 7B-7E and 8B-8C depict some embodiments of scenarios involving the use of access control policies. In other embodiments, however, the graphical user interface displays a decision made by applying other policies to the at least one received description. In one of these embodiments, the graphical user interface displays a decision made by applying the at least one auditing policy to the at least one received description; the graphical user interface receives the decision for display from the policy simulation engine that simulates the application of the at least one auditing policy. In another of these embodiments, the graphical user interface displays a decision made by applying the at least one alarm-triggering policy to the at least one received description; the graphical user interface receives the decision for display from the policy simulation engine that simulates the application of the at least one alarm-triggering policy. In still another of these embodiments, the graphical user interface displays a decision made by applying the at least one load-balancing policy to the at least one received description; the graphical user interface receives the decision for display from the policy simulation engine that simulates the application of the at least one load-balancing policy. In still even another of these embodiments, the graphical user interface displays a decision made by applying the at least one resource-provisioning policy to the at least one received description; the graphical user interface receives the decision for display from the policy simulation engine that simulates the application of the at least one resource-provisioning policy. In yet another of these embodiments, the graphical user interface displays a decision made by applying the at least one caching policy to the at least one received description; the graphical user interface receives the decision for display from the policy simulation engine that simulates the application of the at least one caching policy.
In one embodiment, the method for interactive policy evaluation using dynamically generated interactive resultant sets of auditing policies includes the step of receiving, by a graphical user interface, at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client. In another embodiment, the method includes the step of displaying, by the graphical user interface, at least one auditing policy applicable to the at least one received description. In still another embodiment, the method includes the step of displaying, by the graphical user interface, a decision made by applying the at least one auditing policy to the at least one received description. In some embodiments, a system for interactive policy evaluation using dynamically generated interactive resultant sets of auditing policies includes a graphical user interface displaying the decision of the application of the at least one auditing policy to the at least one received resource and a policy simulation engine simulating the application of the at least one auditing policy. In one of these embodiments, the graphical user interface is a graphical user interface 700 as described above. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
In one embodiment, the method for interactive policy evaluation using dynamically generated interactive resultant sets of caching policies includes the step of receiving, by a graphical user interface, at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client. In another embodiment, the method includes the step of displaying, by the graphical user interface, at least one caching policy applicable to the at least one received description. In still another embodiment, the method includes the step of displaying, by the graphical user interface, a decision made by applying the at least one caching policy to the at least one received description. In some embodiments, a system for interactive policy evaluation using dynamically generated interactive resultant sets of caching policies includes a graphical user interface displaying the decision of the application of the at least one caching policy to the at least one received resource and a policy simulation engine simulating the application of the at least one caching policy. In one of these embodiments, the graphical user interface is a graphical user interface 700 as described above. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
In one embodiment, the method for interactive policy evaluation using dynamically generated interactive resultant sets of access control policies includes the step of receiving, by a graphical user interface, at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client. In another embodiment, the method includes the step of displaying, by the graphical user interface, at least one access control policy applicable to the at least one received description. In still another embodiment, the method includes the step of displaying, by the graphical user interface, a decision made by applying the at least one access control policy to the at least one received description.
In some embodiments, a system for interactive policy evaluation using dynamically generated interactive resultant sets of access control policies includes a graphical user interface displaying the decision of the application of the at least one access control policy to the at least one received resource and a policy simulation engine simulating the application of the at least one access control policy. In one of these embodiments, the graphical user interface is a graphical user interface 700 as described above. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
Referring now to FIG. 8D, a screen shot depicts one embodiment of a graphical user interface including an interface element displaying an access routing decision. The graphical user interface receives at least one of a description of a client requesting access to a resource and a description of the resource, and the graphical user interface displays, in an interface element 830, at least one access routing policy applicable to the client request for access to the resource. In one embodiment, the graphical user interface 700 displays an access routing decision identified responsive to an application of an access routing policy to at least one of the description of the client requesting access to the resource and the description of the resource. In another embodiment, the graphical user interface 700 displays an identification of a service, or class of service, that will be authorized should the described client make the described request for access to the described resource.
In one embodiment, the graphical user interface 700 may receive a description of a type of client and display in the interface element 830 a description of an access routing decision indicating that the client is authorized to download the described resource. In another embodiment, the graphical user interface 700 may receive a description of a type of client and display in the interface element 830 a description of an access routing decision indicating that the client is authorized to receive application output data generated by an execution of the described resource on a remote machine 106 and transmitted to the client according to a presentation layer protocol. In still another embodiment, the graphical user interface 700 may receive a description of a type of client and display in the interface element 830 a description of an access routing decision indicating that the client is authorized to receive the described resource via a method for application streaming. In yet another embodiment, an access routing policy may determine both the type of access to be attempted (e.g., an applicable protocol) and the class or instance of service/server (a WINDOWS server or a server 106 providing access to a resource via a particular method or a server 106 belonging to a particular server farm 38). In some embodiments, a determination by an access routing policy can have a significant impact on other forms of policy, as it is in effect selecting a 'concrete' access request (e.g. to use ICA to access server 53) rather than an abstract access request (e.g. Run Word). In other embodiments, a simulation component with which the graphical user interface 700 interacts applies information relating to service load or server availability to the simulation of an application of an access routing policy to a described client or resource. In one of these embodiments, overrides are supported to allow an administrator to modify the information on which the simulation component relies. In another of these embodiments, the simulation component uses a session identifier to retrieve information relating to server load and availability for use in simulating application of a policy to an actual request. For example, an administrator may provide a description of a previously-made access request and request the display of what access routing determination would have been reached had a modified access routing policy been in effect at the time of the previous access request.
In some embodiments, the graphical user interface 700 displays additional information associated with the described resource responsive to an access routing decision. In one of these embodiments, the graphical user interface 700 displays an identification of a server farm 38 in which a server 106 resides, the server 106 providing access to the described resource. In another of these embodiments, the graphical user interface 700 displays an identification of a protocol for use in communicating with a server 106 providing access to the described resource. In still another of these embodiments, the graphical user interface 700 displays information associated with server load and availability of a server 106 providing access to the described resource. In still even another of these embodiments, the graphical user interface 700 displays information identifying a version of an application (such as an operating system) executed by a server 106 providing access to the described resource. In yet another of these embodiments, the graphical user interface 700 cannot display an identification of a server 106 providing access to the described resource until the access routing decision has been specified. For example, if the graphical user interface 700 receives a description of a resource that identifies a word processing application that is subject to an access routing policy, the graphical user interface 700 may delay the display of information associated with a server 106 providing access to the word processing application because the graphical user interface 700 may not have access to the information until the simulation of the application of the access routing policy identifies a type of access method and a level of service protocol and service.
In some embodiments, once the graphical user interface 700 displays information associated with the described resource and with an access routing policy decision, the graphical user interface 700 may display additional information associated with a session between a client 102 and a server 106. In one of these embodiments, there are a plurality of settings associated with a session between a client 102 and a server 106; for example, client settings, network settings and server settings may be displayed. In another of these embodiments, these settings may be determined by a policy commonly referred to as a 'session policy'. In still another of these embodiments, the session policy differs from an access policy in that it results in a number of settings - for example bandwidth limits, color depth, screen resolution, available optimization techniques, etc. - that are focused on the connection between the client and the server instead of on whether the client or a user of the client is authorized to access a resource provided by a server. In still even another of these embodiments, different session policies may apply to a given circumstance depending on client and/or resource properties. In yet another of these embodiments, a view of the information associated with the described resource displays the set of policies that may apply to a request for the resource, indicates which do apply in the given scenario, and may allow a user of the graphical user interface 700 to request and view additional information associated with the session policy.
In one embodiment, a method for interactive policy evaluation using dynamically generated interactive resultant sets of load-balancing policies includes the step of receiving, by a graphical user interface, a description of at least one resource. In another embodiment, the method includes the step of displaying, by the graphical user interface, at least one load-balancing policy applicable to the at least one resource. In still another embodiment, the method includes the step of displaying, by the graphical user interface, a decision made by applying the at least one load-balancing policy to the at least one resource. In yet another embodiment, the method includes the step of simulating, by a policy simulation engine, the application of the at least one load-balancing policy to the at least one resource. In some embodiments, the graphical user interface displaying the decision of the application of the at least one load-balancing policy to the at least one received resource is a graphical user interface 700 as described above. In other embodiments, the policy simulation engine simulating the application of the at least one load-balancing policy is a policy simulation engine 702. In some embodiments, the load-balancing policy determines whether the at least one resource will provide a user with access to a requested resource. In other embodiments, the load-balancing policy is applied independent of a user request for access.
In some embodiments, a policy need not solely govern a user's access control. For example, in one of these embodiments, a policy controls a scheduling decision, such as a determination regarding whether to perform a data back-up operation. In other embodiments, the methods and systems described herein may be used in a scenario in which a policy decision is made dependent on a set of circumstances, which may or may not include a client or a resource; for example, a policy might be applied whenever a fault is diagnosed in a network, in order to determine the severity of the fault and determine how to handle the fault.
In one embodiment, a method for interactive policy evaluation using dynamically generated interactive resultant sets of fault-detection policies includes the step of receiving, by a graphical user interface, a description of at least one resource. In another embodiment, the method includes the step of displaying, by the graphical user interface, at least one fault-detection policy applicable to the at least one resource.
In still another embodiment, the method includes the step of displaying, by the graphical user interface, a decision made by applying the at least one fault-detection policy to the at least one resource. In yet another embodiment, the method includes the step of simulating, by a policy simulation engine, the application of the at least one fault-detection policy to the at least one resource. In some embodiments, the graphical user interface displaying the decision of the application of the at least one fault-detection policy to the at least one resource is a graphical user interface 700 as described above. In other embodiments, the policy simulation engine simulating the application of the at least one fault-detection policy is a policy simulation engine 702.
An example of a fault-detection policy might be:

    if (fault.source = 'component A')
        severity = 100
        action = shut down system

In one of these embodiments, the methods and systems described herein may be used to analyze such policies. In another of these embodiments, rather than details being supplied about the client, resource and access methods, details are provided about the circumstance in which the policy is applied. For example, and in still another of these embodiments, if a policy can make decisions based on an attribute, then the attribute would be an input to the tool. In yet another of these embodiments, attributes may include, without limitation, a source of the fault raised, time of day of the fault, an identification of a number of similar faults raised within a time period, or an operating mode of the system on which the fault occurred.
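As an added illustration, not part of the patent text, the following Python evaluator applies fault-detection rules of the kind sketched above to a described circumstance rather than to a client or resource. The rule set, the attribute names (source, hour, similar_faults, mode) and the sample faults are assumptions constructed for this example; only the first rule follows the patent's own sketch.

```python
"""Evaluate fault-detection policies against the attributes of a fault.

Added example, not the patent's code. The policy rules and the sample faults
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass(frozen=True)
class Fault:
    source: str          # component that raised the fault
    hour: int            # time of day, 0-23
    similar_faults: int  # similar faults raised within the time window
    mode: str            # operating mode of the system, e.g. "production"


@dataclass
class Decision:
    severity: int
    action: str
    matched_rules: List[str] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    condition: Callable[[Fault], bool]
    severity: int
    action: str


# Constructed policy. The first rule is the patent's sketch
# ("if fault.source = 'component A': severity = 100, action = shut down system");
# the other two are assumed rules using the attributes the text lists.
FAULT_POLICY = [
    Rule("component-A-critical",
         lambda f: f.source == "component A", 100, "shut down system"),
    Rule("fault-storm",
         lambda f: f.similar_faults >= 5, 80, "page on-call"),
    Rule("after-hours-production",
         lambda f: f.mode == "production" and (f.hour < 7 or f.hour >= 19),
         60, "open ticket"),
]


def evaluate_fault(fault, policy=FAULT_POLICY):
    """Apply every rule whose condition holds; the highest severity wins and
    its action is taken. A fault matching no rule gets severity 0 / 'log only'."""
    best = Decision(severity=0, action="log only")
    for rule in policy:
        if rule.condition(fault):
            best.matched_rules.append(rule.name)
            if rule.severity > best.severity:
                best.severity, best.action = rule.severity, rule.action
    return best


def resultant_set(faults, policy=FAULT_POLICY):
    """Tabulate the decision for each circumstance: the view an administrator
    uses to check what a policy change does across many faults at once."""
    return {f: evaluate_fault(f, policy) for f in faults}


if __name__ == "__main__":
    # Constructed sample faults
    samples = [
        Fault("component A", 10, 1, "production"),
        Fault("component B", 22, 6, "production"),
        Fault("component B", 12, 1, "maintenance"),
    ]
    for f, d in resultant_set(samples).items():
        print(f"{f.source:12s} h={f.hour:2d} n={f.similar_faults} {f.mode:12s}"
              f" -> severity {d.severity:3d}, {d.action} {d.matched_rules}")
```

Because the inputs are plain attributes, the same evaluator can be fed a grid of constructed circumstances (every source at every hour, say) to see which rule fires where, which is the resultant-set view the text describes for access policies applied here to faults.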
In some embodiments, the methods and systems described herein provide a user with functionality for viewing a resultant set of policies given a particular scenario - a particular user or type of user requesting access to a particular resource via a particular access method. In one of these embodiments, the interactive tool and the graphical user interface with which the user interacts allows a user such as an administrator to view a specific circumstance and determine which policies would be applied and to view a resulting set of permissions. In another of these embodiments, the interactive tool allows the user to understand what effect a particular policy or policy change has on a particular user.
In other embodiments, methods and systems provide a user with the ability to view all resources under the control of the user and to view what classes of access are available to different classes of user for each resource or class of resource.
In one of these embodiments, therefore, rather than view a specific scenario, the user receives a higher level view focused instead on the classes of users and how the different classes may access each of a plurality of resources.
Referring now to FIG. 9A, a block diagram depicts one embodiment of a system for interactive evaluation of policies using a graphical user interface including a first graphical user interface element 910 and a second graphical user interface element 920.
The first graphical user interface element 910 enumerates at least one resource. The second graphical user interface element 920 receives an identification of a characteristic of at least one client and displays a result of an application of at least one policy associated with the at least one resource to the at least one client, the at least one policy applied responsive to the received identification of the characteristic. In one embodiment, a graphical user interface 900 displays the first graphical user interface element 910 and the second graphical user interface element 920 to a user. In another embodiment, the graphical user interface 900 is a web-based interface and displays information generated remotely. In still another embodiment, the graphical user interface 900 displays information generated locally.
Referring now to FIG. 9A, and in greater detail, the first graphical user interface element 910 displays at least one characteristic associated with at least one client. In one embodiment, the first graphical user interface element 910 includes an interface element displaying an identification of a type of anti-virus program executed by the at least one client. In another embodiment, the first graphical user interface element 910 includes an interface element displaying an identification of a type of operating system executed by the at least one client. In still another embodiment, the first graphical user interface element 910 includes an interface element displaying an identification of a type of application executed by the at least one client. In still even another embodiment, the first graphical user interface element 910 includes an interface element displaying an internet protocol (IP) address range, the at least one client assigned IP addresses in the IP address range. In yet another embodiment, the first graphical user interface element 910 includes an interface element receiving the at least one characteristic associated with the at least one client. For example, and in one embodiment, the first graphical user interface element 910 includes a text box, drop-down menu, radio button or checkmark box with which a user interacts to identify the at least one characteristic. In some embodiments, the first graphical user interface element 910 displays an identification of a filter matched by at least one client. In other embodiments, the first graphical user interface element 910 displays an identification of a filter unmatched by at least one client.
The second graphical user interface element 920 enumerates at least one resource and displays a result of an application of at least one policy associated with the at least one resource to the at least one client. In one embodiment, the second graphical user interface element 920 includes an interface element displaying an enumeration of a plurality of resources under the control of a user. In another embodiment, the second graphical user interface element 920 includes an interface element displaying at least one policy. In still another embodiment, the second graphical user interface element 920 includes an interface element displaying a requirement of the at least one policy.
In one embodiment, the second graphical user interface element 920 includes an interface element indicating that an application of the at least one policy to the at least one client results in a denial of access to the at least one resource by the at least one client. In another embodiment, the second graphical user interface element 920 includes an interface element indicating that an application of the at least one policy to the at least one client results in an allowance of access to the at least one resource by the client. In yet another embodiment, the second graphical user interface element 920 includes an interface element indicating that additional information associated with the at least one client is needed to identify a result of an application of the at least one policy to the at least one client.
In some embodiments, the first graphical user interface 910 and the second graphical user interface 920 display the results generated by a tool used in interactive evaluation of policies. In one embodiment, the display of the at least one characteristic associated with at least one client is a display of a list of criteria affecting the classification of users. In another embodiment, the display is a display of a list of group memberships or other information used by policies for one or more of the resources being examined by the tool. In still another embodiment, the list of criteria is an atomic list. In still even another embodiment, if the information in the list is not atomic (i.e., it is possible to break down the information into smaller pieces), then the tool provides a user with the ability to expand the list to include a display of the atomic information. An example might be an item "Trusted Users", where "Trusted Users" is a classification used in policies that is itself defined as AND(Domain User, Virus OK). "Domain User" and "Virus OK" may themselves be atomic conditions, or may be broken down in a similar way. In yet another embodiment, this part of the tool is used to identify the classes of user for which data is to be displayed in the second part of the tool.
In one embodiment, the second graphical user interface 920 displays a list of all resources evaluated by the interactive tool. In another embodiment, these resources are either automatically or manually classified according to the structure of the resource name (many resources have a hierarchical name such as A/B/C) and/or the access that is permitted for the identified class of user. For example, and in still another embodiment, the tool may use a single entry A/... to represent the resources A/B, A/B/C and A/D. In still even another embodiment, a user may interact with the second graphical user interface 920 to expand this summary entry. In yet another embodiment, the interactive tool automatically expands the summary entry if the access permitted to the individual resources it represents is different from the access permitted for other resources in the class.
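The summarisation just described, as an added Python example that is not the patent's own code: resources sharing a top-level name component collapse into one A/... entry when every member has the same permitted access for the selected class of user, and are listed individually (the automatic expansion) when their access differs. Resource names and access values are constructed for the example.

```python
"""Collapse hierarchically named resources into summary entries.

Added example, not the patent's code. ACCESS is a constructed mapping of
resource name -> permitted access for one class of user.
"""
from collections import defaultdict

# Constructed sample: everything under A has identical access, E does not.
ACCESS = {
    "A/B": "allow",
    "A/B/C": "allow",
    "A/D": "allow",
    "E/F": "deny",
    "E/G": "allow",
    "H": "deny",
}


def _top(name):
    """First component of a hierarchical resource name ('A/B/C' -> 'A')."""
    return name.strip("/").split("/")[0]


def summarize(access):
    """Return display rows as (label, permitted_access).

    A group of two or more resources with one common access value becomes a
    single '<prefix>/...' row; a group whose members differ is expanded so the
    administrator sees each exception.
    """
    groups = defaultdict(dict)
    for name, perm in sorted(access.items()):
        groups[_top(name)][name] = perm

    rows = []
    for prefix, members in groups.items():
        perms = set(members.values())
        if len(members) > 1 and len(perms) == 1:
            rows.append((prefix + "/...", perms.pop()))   # uniform: one summary line
        else:
            rows.extend(members.items())                   # differing or single: list each
    return rows


def expand(access, prefix):
    """Manual expansion of a summary entry: every resource under prefix."""
    return sorted((n, p) for n, p in access.items() if _top(n) == prefix)


if __name__ == "__main__":
    for label, perm in summarize(ACCESS):
        print(f"{label:10s} {perm}")
    print("expanded A:", expand(ACCESS, "A"))
```

Re-running summarize after a policy change shows directly which summary lines split open, i.e. where the change introduced an exception within a previously uniform class of resources.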
In one embodiment, the second graphical user interface 920 displays at least one policy that affects a particular resource or set of resources. In another embodiment, the user may select a resource or summary line in the second graphical user interface 920 and the policies that apply to this resource or resources will be displayed. In still another embodiment, each policy that affects the class of client identified in the first graphical user interface 910 will be displayed, to allow the user to view the effect of policy evaluation.
Referring now to FIG. 9B, a screen shot depicts one embodiment of a user interface for interactive evaluation of policies. The first graphical user interface element 910 displays an identification of a client. As depicted in FIG. 9B, the first graphical user interface element 910 displays a client that includes users in a domain, remote users, local users and a sub-category of users referred to as trusted users. In some embodiments, the first graphical user interface element 910 includes an interface element with which a user may identify a characteristic of the at least one client. As depicted in FIG. 9B, the user has indicated that the user wishes to view decisions for the case in which the at least one client satisfies the requirements of the filters "Local Users," "Trend," and "Trusted Users," and the group "Citrite\Domain Users."
The second graphical user interface 920 enumerates at least one resource and displays a result of an application of at least one policy associated with the at least one resource to the at least one client. As shown in FIG. 9B (under the heading "Resource Node"), the displayed enumeration of resources may include, without limitation, local applications, remotely-executing applications, internet or intranet sites, and file shares.
In one embodiment, the display of the result of the application of the at least one policy may include a color-coded display. For example, and as shown in FIG. 9B, the second graphical user interface 920 may visually code, using a first color or pattern (horizontal lines in FIG. 9B), a displayed identification that the application of the policy will result in an allowance of a request for access to a particular resource and the second graphical user interface 920 may color code using a second color (vertical lines in FIG. 9B), a displayed identification that the application of the policy will result in a denial of a request for access to a particular resource.
Referring now to FIG. 9C, a screen shot depicts an embodiment of a user interface for interactive evaluation of policies. As shown in FIG. 9C (under the heading "Resource Node"), the displayed enumeration of resources may include, without limitation, local applications, remotely-executing applications, internet or intranet sites, and file shares.
In one embodiment, and as described in connection with FIG. 9B, the display of the result of the application of the at least one policy may include a color-coded display. For example, and as shown in FIG. 9C, the second graphical user interface 920 may visually code, using a first color or pattern (horizontal lines in FIG. 9C), a displayed identification that the application of the policy will result in a denial of a request for access to a particular resource, and the second graphical user interface 920 may visually code, using a second color or pattern (vertical lines in FIG. 9C), a displayed identification that the application of the policy will result in an indication that insufficient data exists to reach a determination.
In some embodiments an administrator wants to see the effect of a policy on a large number of classes of users. For example, and in one of these embodiments, if users are classified by group, IP address and virus check, then there may be a very large number of potential combinations of classification which might have to be manually checked in order to see the result of any policy change - even if the change affected only one aspect. In another embodiment, using tri-state logic may reduce this burden for the administrator. In still another embodiment, using the methods and systems described herein allows an administrator to indicate that they wish to see the effect of policies for users meeting one classification, and to indicate that they wish to see this regardless of whether the user also meets other classifications. This may also be achieved using tri-state logic as described above.
For example, and as shown in FIG. 9C, an administrator may indicate that they wish to see: i) the resources available to users who do not meet the 'Trend' classification; and ii) the results if it is unknown whether the user meets the Local Users, Remote Users or AdProd classifications. In response, the tool has indicated that access to all the listed resources is denied, regardless of whether the user meets these other classifications, with the exception of RDP access to /CPS Applications/notepad and /Web Resources/Adtech Sites. For these resources, the user may be permitted access, depending on whether or not they meet one or more of the classifications marked as unknown. The administrator can therefore concentrate his attention on access to these resources, saving considerable time.
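The tri-state evaluation behind the FIG. 9C scenario, as an added Python example that is not the patent's own code. Each client characteristic is TRUE, FALSE or UNKNOWN (a characteristic the administrator leaves unspecified is UNKNOWN); composite classifications expand to their atomic filters in the manner of "Trusted Users" = AND(Domain User, Virus OK); and each resource's policy evaluates to allowed, denied, or insufficient data, in which last case the atomic filters still undetermined are reported so the administrator knows where to look. The filter names, the mapping of "Virus OK" onto the "Trend" filter, the resources and the policies are assumptions constructed to mirror the scenario in the text, including a negated characteristic ("not in Sales").

```python
"""Tri-state (true / false / unknown) evaluation of filter-based access policies.

Added example, not the patent's code. COMPOSITES and POLICIES are constructed.
"""
from enum import Enum


class Tri(Enum):
    """Three-valued result: the client does / does not / is not known to match."""
    FALSE = 0
    TRUE = 1
    UNKNOWN = 2


def tri_not(v):
    return {Tri.TRUE: Tri.FALSE, Tri.FALSE: Tri.TRUE}.get(v, Tri.UNKNOWN)


def tri_and(values):
    values = list(values)
    if Tri.FALSE in values:          # one definite miss decides, whatever else is unknown
        return Tri.FALSE
    return Tri.UNKNOWN if Tri.UNKNOWN in values else Tri.TRUE


def tri_or(values):
    values = list(values)
    if Tri.TRUE in values:           # one definite hit decides
        return Tri.TRUE
    return Tri.UNKNOWN if Tri.UNKNOWN in values else Tri.FALSE


# Constructed composite classifications; "Trusted Users" follows the patent's example.
COMPOSITES = {
    "Trusted Users": ("and", "Domain Users", "Virus OK"),
    "Virus OK": "Trend",             # assumed: the 'Trend' filter is the virus check
}


def evaluate(expr, facts):
    """Evaluate a filter expression against client characteristics.

    expr is a filter name or a tuple ('and' | 'or' | 'not', operands...).
    An atomic filter absent from facts is UNKNOWN.
    """
    if isinstance(expr, str):
        if expr in COMPOSITES:
            return evaluate(COMPOSITES[expr], facts)
        return facts.get(expr, Tri.UNKNOWN)
    op, *args = expr
    if op == "not":
        return tri_not(evaluate(args[0], facts))
    if op == "and":
        return tri_and(evaluate(a, facts) for a in args)
    if op == "or":
        return tri_or(evaluate(a, facts) for a in args)
    raise ValueError(f"unknown operator {op!r}")


def atoms(expr):
    """Expand a classification down to the set of atomic filters it depends on."""
    if isinstance(expr, str):
        return atoms(COMPOSITES[expr]) if expr in COMPOSITES else {expr}
    _, *args = expr
    return set().union(*(atoms(a) for a in args))


# Constructed access policies: resource -> filter expression that must hold for access.
POLICIES = {
    "/CPS Applications/word": ("and", "Trusted Users", "Local Users"),
    "/CPS Applications/notepad": ("or", "Trusted Users", "Local Users"),
    "/Web Resources/Adtech Sites": ("or", "Remote Users", "AdProd"),
    "/File Shares/hr": ("and", "Domain Users", ("not", "Sales")),
}

OUTCOME = {Tri.TRUE: "allowed", Tri.FALSE: "denied", Tri.UNKNOWN: "insufficient data"}


def resultant_set(facts, policies=POLICIES):
    """Return {resource: (outcome, atomic filters still undetermined)}.

    Only resources whose outcome is 'insufficient data' carry a non-empty set;
    those are the ones the administrator still has to examine.
    """
    result = {}
    for resource, expr in policies.items():
        verdict = evaluate(expr, facts)
        pending = set()
        if verdict is Tri.UNKNOWN:
            pending = {a for a in atoms(expr) if facts.get(a, Tri.UNKNOWN) is Tri.UNKNOWN}
        result[resource] = (OUTCOME[verdict], pending)
    return result


if __name__ == "__main__":
    # Constructed scenario after FIG. 9C: the user does not meet 'Trend';
    # Local Users, Remote Users, AdProd and Sales are left unknown.
    facts = {"Domain Users": Tri.TRUE, "Trend": Tri.FALSE}
    for res, (outcome, pending) in resultant_set(facts).items():
        print(f"{res:30s} {outcome:18s} {sorted(pending)}")
```

With Trend set to FALSE, every policy that needs "Trusted Users" in an AND is decided without inspecting the unknown filters, which is why one run covers every combination of the unspecified classifications at once; only the OR-based policies and the negated "Sales" test stay undetermined.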
In one embodiment, a system for interactive evaluation of access control policies using a graphical user interface includes a first graphical user interface element, a second graphical user interface element, and a policy simulation engine. In another embodiment, the first graphical user interface element displays at least one characteristic associated with at least one client. In still another embodiment, the second graphical user interface element enumerates at least one resource and displays a result of an application of at least one access control policy associated with the at least one resource to the at least one client. In yet another embodiment, the policy simulation engine simulates the application of the at least one access control policy associated with the at least one resource to the at least one client. In some embodiments, a graphical user interface 900 includes the first and second graphical user interface elements. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
In one embodiment, a system for interactive evaluation of auditing policies using a graphical user interface includes a first graphical user interface element, a second graphical user interface element, and a policy simulation engine. In another embodiment, the first graphical user interface element displays at least one characteristic associated with at least one client. In still another embodiment, the second graphical user interface element enumerates at least one resource and displays a result of an application of at least one auditing policy associated with the at least one resource to the at least one client. In yet another embodiment, the policy simulation engine simulates the application of the at least one auditing policy associated with the at least one resource to the at least one client. In some embodiments, a graphical user interface 900 includes the first and second graphical user interface elements. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
In one embodiment, a system for interactive evaluation of caching policies using a graphical user interface includes a first graphical user interface element, a second graphical user interface element, and a policy simulation engine. In another embodiment, the first graphical user interface element displays at least one characteristic associated with at least one client. In still another embodiment, the second graphical user interface element enumerates at least one resource and displays a result of an application of at least one caching policy associated with the at least one resource to the at least one client. In yet another embodiment, the policy simulation engine simulates the application of the at least one caching policy associated with the at least one resource to the at least one client. In some embodiments, a graphical user interface 900 includes the first and second graphical user interface elements. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
In one embodiment, a system for interactive evaluation of load-balancing policies using a graphical user interface includes a first graphical user interface element, a second graphical user interface element, and a policy simulation engine. In another embodiment, the first graphical user interface element displays at least one characteristic associated with at least one client. In still another embodiment, the second graphical user interface element enumerates at least one resource and displays a result of an application of at least one load-balancing policy associated with the at least one resource to the at least one client. In yet another embodiment, the policy simulation engine simulates the application of the at least one load-balancing policy associated with the at least one resource to the at least one client. In some embodiments, a graphical user interface 900 includes the first and second graphical user interface elements. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
In one embodiment, a system for interactive evaluation of access-routing policies using a graphical user interface includes a first graphical user interface element, a second graphical user interface element, and a policy simulation engine. In another embodiment, the first graphical user interface element displays at least one characteristic associated with at least one client. In still another embodiment, the second graphical user interface element enumerates at least one resource and displays a result of an application of at least one access-routing policy associated with the at least one resource to the at least one client. In yet another embodiment, the policy simulation engine simulates the application of the at least one access-routing policy associated with the at least one resource to the at least one client. In some embodiments, a graphical user interface 900 includes the first and second graphical user interface elements. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
In one embodiment, a system for interactive evaluation of fault-detection policies using a graphical user interface includes a first graphical user interface element, a second graphical user interface element, and a policy simulation engine. In another embodiment, the first graphical user interface element displays at least one characteristic associated with at least one resource. In still another embodiment, the second graphical user interface element displays a result of an application of at least one fault-detection policy associated with the at least one resource to the at least one resource. In yet another embodiment, the policy simulation engine simulates the application of the at least one fault-detection policy associated with the at least one resource to the at least one client. In some embodiments, a graphical user interface 900 includes the first and second graphical user interface elements. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
Referring now to FIG. 10, a flow diagram depicts one embodiment of the steps taken in a method for interactive evaluation of policies using a graphical user interface.
The method includes the step of displaying an identification of at least one resource (step 1002). The method includes the step of receiving an identification of a characteristic of at least one client requesting access to the at least one resource (step 1004). The method includes the step of displaying a result of applying at least one policy associated with the at least one resource to the at least one client requesting access to the at least one resource, responsive to the received identification of the characteristic of the at least one client (step 1006).
In some embodiments, an administrator maintains policies for a large number of classes of user. For example, and in one of these embodiments, if rules are specified depending on user groups, internet protocol (IP) address range and virus protection level, then the number of classes of user will be (no. of available user groups) times (no. of IP address ranges used in policies) times (no. of available virus protection levels). In another of these embodiments, an interactive tool makes use of tri-state logic in applying policies to classes of users, allowing administrators to manage the vast amount of information. In still another of these embodiments, the interactive tool reduces the number of different resource classes that must be considered - rather than using static classes of resources, the interactive tool dynamically classifies resources depending on the permitted access for a particular class of users to keep the amount of information to be displayed to a minimum.
Referring now to FIG. 10, and in greater detail, an identification of at least one resource is enumerated (step 1002). In one embodiment, the graphical user interface element 900 displays the identification of the at least one resource. In another embodiment, the graphical user interface element 910 displays a plurality of resources over which a user has administrative control. In still another embodiment, the identification of the at least one resource is retrieved from a configuration file identifying available resources.
In some embodiments, at least one category of clients is displayed. In one embodiment, the graphical user interface 900 displays the at least one category of clients. In another embodiment, a user interacts with the graphical user interface 910 to add a category of clients to a display. In still another embodiment, the graphical user interface 910 displays a plurality of categories of clients. In yet another embodiment, clients are categorized according to characteristics including, but not limited to, internet protocol addresses, operating system types, applications executed on the client, types of internet access available to the clients, and authorization levels of the clients (trusted, untrusted, etc.).
An identification of a characteristic of at least one client requesting access to the at least one resource is received (step 1006). In one embodiment, an identification of a type of operating system executed on the at least one client is received. In another embodiment, an identification of a type of application executed on the at least one client is received. In still another embodiment, an identification of a group of which the at least one client is a member is received. In yet another embodiment, an identification of a range of internet protocol addresses associated with the at least one client is received.
In some embodiments, a characteristic of a client includes an indication as to whether or not to consider that characteristic of the client in evaluating policies. In one of these embodiments, for example, as opposed to identifying a characteristic such as a range of IP addresses or a kind of operating system executed by a client, a user may indicate that the policy simulation engine should take the characteristic into consideration in simulating an application of a policy to the client. In another of these embodiments, the user may indicate that the policy simulation engine should not take the characteristic into consideration in simulating an application of a policy to the client - for example, if a policy includes a filter requiring that the client have a particular characteristic, the user may indicate that the policy simulation engine should attempt to simulate an application of a policy without determining whether the filter is satisfied.
In some embodiments, a characteristic of at least one client considered in evaluating policies is the negation of another characteristic - for example, a characteristic may indicate that the at least one client is not a member of a group (e.g., "a User not in Sales"). In other embodiments, a user of the system may choose not to specify certain characteristics even if those characteristics were identified by the tool or are used in one or more policies.
In one embodiment, the characteristic of the client is an indication that the client, or a characteristic of the client, satisfies a requirement of a filter. In another embodiment, the characteristic of the client is an indication that the client, or a characteristic of the client, does not satisfy a requirement of a filter.
In some embodiments, the policy simulation engine identifies a characteristic that may be associated with the at least one client. In one of these embodiments, the graphical user interface displays the characteristic identified by the policy simulation engine. In another of these embodiments, the graphical user interface receives, from a user, confirmation that the characteristic identified by the policy simulation engine is associated with the at least one client. In still another of these embodiments, the graphical user interface receives, from a user, an indication that the characteristic identified by the policy simulation engine is not associated with the at least one client.
In one embodiment, a determination is made as to whether at least one policy applies to the at least one client, responsive to the received identification of the characteristic. In another embodiment, an indication that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client is displayed. In still another embodiment, a determination is made that at least one policy applies to the at least one client, responsive to the received identification of the characteristic. In some embodiments, at least one policy associated with the at least one resource is displayed.
A result of applying at least one policy associated with the at least one resource to the at least one client requesting access to the at least one resource is displayed, responsive to the received identification of the characteristic of the at least one client (step 1008). In one embodiment, the graphical user interface 900 displays an indication that the application of the at least one policy results in a denial of access to the at least one resource by the at least one client. In another embodiment, the graphical user interface 900 displays an identification of a requirement not satisfied by the at least one client. In still another embodiment, the graphical user interface 900 displays an indication that the application of the at least one policy results in an authorization of access to the at least one resource by the at least one client. In still even another embodiment, the graphical user interface 900 displays an identification of a requirement satisfied by the at least one client. In yet another embodiment, the graphical user interface 900 displays an indication that the application of the at least one policy results in a request for additional information associated with the at least one client.
Referring now to FIG. 11, a flow diagram depicts one embodiment of the steps taken in a method for interactive evaluation of policies using a graphical user interface.
The method includes the step of displaying an identification of at least one resource (step 1102). The method includes the step of receiving an identification of a characteristic of the at least one client requesting access to the at least one resource (step 1104). The method includes the step of determining whether at least one policy applies to the at least one client, responsive to the received identification of the characteristic (step 1106). The method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client (step 1108).
Referring now to FIG. 11, and in greater detail, an identification of at least one resource is displayed (step 1102). In one embodiment, the graphical user interface element 900 displays the at least one resource. In another embodiment, the graphical user interface element 910 displays a plurality of resources over which a user has administrative control. In still another embodiment, the identification of the at least one resource is retrieved from a configuration file identifying available resources.
In some embodiments, an identification of at least one client is displayed. In one embodiment, the graphical user interface 900 displays the at least one client.
In another embodiment, a user interacts with the graphical user interface 910 to add a client to a display. In still another embodiment, the graphical user interface 910 displays a plurality of categories of clients. In yet another embodiment, clients are categorized according to characteristics including, but not limited to, internet protocol addresses, operating system types, applications executed on the client, types of internet access available to the clients, and authorization levels of the clients (trusted, untrusted, etc.).
An identification of a characteristic of the at least one client requesting access to the at least one resource is received (step 1104). In one embodiment, an identification of a type of operating system executed on the at least one client is received. In another embodiment, an identification of a type of application executed on the at least one client is received. In still another embodiment, an identification of a group in which the at least one client is a member is received. In yet another embodiment, an identification of a range of internet protocol addresses associated with the at least one client is received.
In some embodiments, the policy simulation engine identifies a characteristic that may be associated with the at least one client. In one of these embodiments, the graphical user interface displays the characteristic identified by the policy simulation engine. In another of these embodiments, the graphical user interface receives, from a user, confirmation that the characteristic identified by the policy simulation engine is associated with the at least one client. In still another of these embodiments, the graphical user interface receives, from a user, an indication that the characteristic identified by the policy simulation engine is not associated with the at least one client. In yet another of these embodiments, the graphical user interface receives, from a user, an indication that a negation of the characteristic identified by the policy simulation engine is associated with the at least one client.
A determination is made as to whether at least one policy applies to the at least one client, responsive to the received identification of the characteristic (step 1106). In one embodiment, a determination is made that at least one policy applies to the at least one client, responsive to the received identification of the characteristic.
In another embodiment, a determination is made that at least one policy does not apply to the at least one client, responsive to the received identification of the characteristic.
In still another embodiment, a determination is made that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client.
In one embodiment, there is a plurality of conditions associated with a plurality of classifications of users. For example, in a scenario where there are three conditions (A, B, and C) used to classify users, there are eight sets of user classifications possible (None, A only, B only, C only, A and B, B and C, A and C, and all three). In some embodiments, and in many administrative scenarios, there are dozens of conditions evaluated to generate many more classifications of users. In one of these embodiments, the interactive tool uses tristate logic (as described above in connection with FIG. 9C) to limit the number of classifications that an administrator must consider in evaluating policies. In another of these embodiments, the tool allows an administrator to indicate that they do not know whether a user satisfies one of a plurality of characteristics; for example, the tool would allow an administrator to view, in a single classification, the access permitted to a user who meets filter A regardless of whether they meet filter B and/or C rather than having to look separately at "A only", "A and B", "A and C" and "A, B and C".
In some embodiments, when tristate logic is used, it is not possible to always give a yes/no answer as to whether access to a resource will be permitted. For example, in one of these embodiments, if a resource has a single policy indicating access is allowed provided that conditions A and B are both met, then for the classification "A is true, B and C unknown", it is not possible to indicate if access will or will not be permitted. In another of these embodiments, to handle this situation, the graphical user interface may display a response including a 'Maybe' answer. In still another of these embodiments, this is sufficient to indicate to an administrator that they have the option of more carefully examining a particular scenario if they require additional detail.
An indication is displayed that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client (step 1108). In one embodiment, the graphical user interface 900 displays an indication that the application of the at least one policy results in a request for additional information associated with the at least one client. In another embodiment, the graphical user interface 900 displays an identification of a requirement satisfied by the at least one client. In still another embodiment, the graphical user interface 900 displays an identification of a requirement not satisfied by the at least one client.
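The tristate evaluation described above (conditions A, B and C, the "A is true, B and C unknown" classification, the 'Maybe' answer, and the indication that a second characteristic is required) can be made concrete with a small policy simulation engine. The following is an added example, not code from the patent or from any product it describes; the condition names A, B, C, the rule names, the "first satisfied rule wins, default deny" ordering and the two sample policies are all assumptions constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Tristate value of one condition: True = satisfied, False = not satisfied,
# None = unknown (the administrator has not said either way).
Tri = Optional[bool]


@dataclass(frozen=True)
class Cond:
    """A named condition such as "A" (assumed names, not from the patent)."""
    name: str


@dataclass(frozen=True)
class Not:
    term: object


@dataclass(frozen=True)
class And:
    terms: tuple


@dataclass(frozen=True)
class Or:
    terms: tuple


def evaluate(expr, facts: dict) -> Tri:
    """Strong Kleene three-valued evaluation of a filter expression."""
    if isinstance(expr, Cond):
        return facts.get(expr.name)          # absent -> unknown
    if isinstance(expr, Not):
        v = evaluate(expr.term, facts)
        return None if v is None else (not v)
    vals = [evaluate(t, facts) for t in expr.terms]
    if isinstance(expr, And):
        if any(v is False for v in vals):
            return False                     # one false term decides it
        return True if all(v is True for v in vals) else None
    if isinstance(expr, Or):
        if any(v is True for v in vals):
            return True
        return False if all(v is False for v in vals) else None
    raise TypeError(f"unsupported expression: {expr!r}")


def condition_names(expr) -> set:
    if isinstance(expr, Cond):
        return {expr.name}
    if isinstance(expr, Not):
        return condition_names(expr.term)
    return set().union(*(condition_names(t) for t in expr.terms))


def relevant_unknowns(expr, facts: dict) -> set:
    """Unknown conditions whose value would still change the filter's result."""
    out = set()
    for name in condition_names(expr):
        if facts.get(name) is None:
            as_true = evaluate(expr, {**facts, name: True})
            as_false = evaluate(expr, {**facts, name: False})
            if as_true != as_false:
                out.add(name)
    return out


@dataclass(frozen=True)
class Rule:
    name: str
    condition: object
    effect: str      # "allow" or "deny"


def simulate(rules, facts: dict, default: str = "deny") -> dict:
    """Policy simulation engine: the first rule whose filter is satisfied wins.

    A rule with an unresolved filter might or might not apply, so every effect
    it could contribute is collected; the decision is definite only when all
    reachable outcomes agree, otherwise it is "maybe" and the conditions the
    administrator would have to supply are listed under "needed".
    """
    outcomes = set()
    shown = []        # rules the interface would list as satisfied/unresolved
    needed = set()
    for rule in rules:
        v = evaluate(rule.condition, facts)
        if v is False:
            continue
        shown.append((rule.name, "satisfied" if v else "unresolved"))
        outcomes.add(rule.effect)
        if v is True:
            break
        needed |= relevant_unknowns(rule.condition, facts)
    else:
        outcomes.add(default)    # no rule definitely matched
    if len(outcomes) == 1:
        return {"decision": outcomes.pop(), "rules": shown, "needed": []}
    return {"decision": "maybe", "rules": shown, "needed": sorted(needed)}


def classifications_covered(facts: dict, all_conditions) -> int:
    """How many fully specified yes/no classifications one tristate view stands for."""
    unknown = [c for c in all_conditions if facts.get(c) is None]
    return 2 ** len(unknown)


# Constructed sample policies (assumptions, not taken from the patent).
SINGLE_POLICY = [
    Rule("allow-when-A-and-B", And((Cond("A"), Cond("B"))), "allow"),
]
TWO_RULE_POLICY = [
    Rule("deny-unless-A", Not(Cond("A")), "deny"),
    Rule("allow-when-B-or-C", Or((Cond("B"), Cond("C"))), "allow"),
]

if __name__ == "__main__":
    print(simulate(SINGLE_POLICY, {"A": True}))             # maybe, needs B
    print(simulate(SINGLE_POLICY, {"A": True, "B": True}))  # allow
    print(simulate(TWO_RULE_POLICY, {"B": True}))           # maybe, needs A
    print(classifications_covered({"A": True}, ["A", "B", "C"]))  # 4
```

With `SINGLE_POLICY` and the facts `{"A": True}` the engine returns the 'Maybe' decision and names B as the second characteristic that must be identified; once B is supplied the same call yields a definite allow or deny. Keeping `relevant_unknowns` separate from plain "unknown" matters for the display: a condition that cannot change the outcome (C in the example) is never requested, which is what keeps the number of classifications an administrator must examine small.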
As described above, the methods and systems described herein provide functionality allowing users, such as administrators, to interactively evaluate a wide variety of policies using a graphical user interface. In some embodiments, the policy is an access control policy; for example, FIGs. 9B-9C depict some embodiments of scenarios involving the use of access control policies. In other embodiments, however, the graphical user interface displays a result of applying other policies.
In one embodiment, a method for interactive evaluation of auditing policies using a graphical user interface includes the step of displaying at least one client. In another embodiment, the method includes the step of displaying an identification of at least one resource. In still another embodiment, the method includes the step of receiving an identification of a characteristic of the at least one client requesting access to the at least one resource. In still even another embodiment, the method includes the step of displaying a result of applying at least one auditing policy associated with the at least one resource to the at least one client requesting access to the at least one resource, responsive to the received identification of the characteristic of the at least one client. In some embodiments, the method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one auditing policy applies to the at least one client.
In one embodiment, a method for interactive evaluation of caching policies using a graphical user interface includes the step of displaying at least one client. In another embodiment, the method includes the step of displaying an identification of at least one resource. In still another embodiment, the method includes the step of receiving an identification of a characteristic of the at least one client requesting access to the at least one resource. In still even another embodiment, the method includes the step of displaying a result of applying at least one caching policy associated with the at least one resource to the at least one client requesting access to the at least one resource, responsive to the received identification of the characteristic of the at least one client. In some embodiments, the method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one caching policy applies to the at least one client.
In one embodiment, a method for interactive evaluation of access control policies using a graphical user interface includes the step of displaying at least one client. In another embodiment, the method includes the step of displaying an identification of at least one resource. In still another embodiment, the method includes the step of receiving an identification of a characteristic of the at least one client requesting access to the at least one resource. In still even another embodiment, the method includes the step of displaying a result of applying at least one access control policy associated with the at least one resource to the at least one client requesting access to the at least one resource, responsive to the received identification of the characteristic of the at least one client. In some embodiments, the method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one access control policy applies to the at least one client.
In one embodiment, a method for interactive evaluation of load-balancing policies using a graphical user interface includes the step of displaying at least one client. In another embodiment, the method includes the step of displaying an identification of at least one resource. In still another embodiment, the method includes the step of receiving an identification of a characteristic of the at least one client requesting access to the at least one resource. In still even another embodiment, the method includes the step of displaying a result of applying at least one load-balancing policy associated with the at least one resource to the at least one client requesting access to the at least one resource, responsive to the received identification of the characteristic of the at least one client. In some embodiments, the method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one load-balancing policy applies to the at least one client.
In one embodiment, a method for interactive evaluation of access-routing policies using a graphical user interface includes the step of displaying at least one client. In another embodiment, the method includes the step of displaying an identification of at least one resource. In still another embodiment, the method includes the step of receiving an identification of a characteristic of the at least one client requesting access to the at least one resource. In still even another embodiment, the method includes the step of displaying a result of applying at least one access-routing policy associated with the at least one resource to the at least one client requesting access to the at least one resource, responsive to the received identification of the characteristic of the at least one client. In some embodiments, the method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one access-routing policy applies to the at least one client.
In one embodiment, a method for interactive evaluation of fault-detection policies using a graphical user interface includes the step of displaying at least one category of resources. In another embodiment, the method includes the step of receiving an identification of a characteristic of the at least one resource. In still another embodiment, the method includes the step of displaying a result of applying at least one fault-detection policy associated with the at least one resource to the at least one resource, responsive to the received identification of the characteristic of the at least one resource. In some embodiments, the method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one fault-detection policy applies to the at least one resource.
The systems and methods described above may be provided as one or more computer-readable programs embodied on or in one or more articles of manufacture. The article of manufacture may be a floppy disk, a hard disk, a CD-ROM, a flash memory card, a PROM, a RAM, a ROM, or a magnetic tape. In general, the computer-readable programs may be implemented in any programming language, LISP, PERL, C, C++, PROLOG, or any byte code language such as JAVA. The software programs may be stored on or in one or more articles of manufacture as object code.
Having described certain embodiments of methods and systems for dynamic generation of complex filters using a graphical user interface and for interactive policy evaluation, access routing and resource mapping using filters, it will now become apparent to one of skill in the art that other embodiments incorporating the concepts of the disclosure may be used. Therefore, the disclosure should not be limited to certain embodiments, but rather should be limited only by the spirit and scope of the following claims.
In one aspect, a method for interactive policy evaluation using dynamically generated, interactive resultant sets of policies includes the step of receiving, by a graphical user interface, at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client. The method includes the step of displaying, by the graphical user interface, at least one policy applicable to the at least one received description. The method includes the step of displaying, by the graphical user interface, a decision made by applying the at least one policy to the at least one received description. In some embodiments, the method includes the step of simulating, by a policy simulation engine, an application of the at least one policy to the at least one received description.
In one embodiment, the graphical user interface receives, in the description of the client, a user identifier. In another embodiment, the graphical user interface receives, in the description of the client, a client internet protocol address. In still another embodiment, the graphical user interface receives, in the description of the resource, an identifier of the resource. In still even another embodiment, the graphical user interface receives, in the description of the resource, a file type of the resource. In yet another embodiment, the graphical user interface receives, in the description of the resource, identification of a server on which the resource resides.
In one embodiment, a configuration file is retrieved from a database, the configuration file identifying a property of the resource, such as a server on which the resource resides or an operating system executed by a server on which the resource resides. In another embodiment, the graphical user interface receives, in the description of the requested method of access, a description of a presentation layer protocol. In still another embodiment, the graphical user interface receives, in the description of the requested method of access, a description of a type of client agent. In still even another embodiment, the graphical user interface receives, in the description of the requested method of access, a description of a request to retrieve the resource. In yet another embodiment, the graphical user interface receives, in the description of the requested method of access, a request to remotely access the resource.
In one embodiment, a modification of a displayed filter is received. In another embodiment, a decision identified by the modified filter is displayed, responsive to the modification of the displayed filter. In still another embodiment, a modification of a displayed policy is received. In another embodiment, a decision identified by the modified policy is displayed, responsive to the modification of the displayed policy. In still another embodiment, a determination is made to apply at least one inapplicable policy to a client request for access to a resource. In yet another embodiment, a decision identified by the inapplicable policy is displayed.
In one embodiment, a modification of a displayed description of a user is received. In another embodiment, a decision identified by an application of the at least one policy to the modified description of the user is displayed. In still another embodiment, a modification of a displayed description of a requested resource is received. In yet another embodiment, a decision identified by an application of the at least one policy to the modified description of the resource request is displayed.
In one embodiment, the graphical user interface displays a decision made by applying the at least one policy to the at least one received description. In another embodiment, the graphical user interface displays an auditing decision made by applying the at least one policy to the at least one received description. In still another embodiment, the graphical user interface displays a load balancing decision made by applying the at least one policy to the at least one received description. In yet another embodiment, the graphical user interface displays a caching decision made by applying the at least one policy to the at least one received description.
In another aspect, a system for interactive policy evaluation using dynamically generated, interactive resultant sets of policies includes a graphical user interface, an interactive element in the graphical user interface, and a second element in the graphical user interface. The graphical user interface receives at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client. The interactive element in the graphical user interface displays at least one policy applicable to the received description.
The second element in the graphical user interface displays a decision made by applying the at least one policy to the received description. In some embodiments, the system includes a policy simulation engine simulating an application of the at least one policy to the received description.
In one embodiment, the graphical user interface includes a text box element displaying the received description of the client requesting access to the resource. In another embodiment, the graphical user interface includes a text box element displaying the received description of the resource. In still another embodiment, the graphical user interface includes a text box element displaying the received description of the method of access requested by the client. In yet another embodiment, the graphical user interface includes a user interface element that is one of a text box, an element enumerating available resources, an element enumerating Uniform Resource Locators associated with available resources, a drop-down menu, and a graphical depiction of a directory structure.
In still another aspect, a method for interactive evaluation of policies using a graphical user interface includes the step of displaying an identification of at least one resource. The method includes the step of receiving an identification of a characteristic of at least one client requesting access to the at least one resource. The method includes the step of displaying a result of applying the at least one policy associated with the at least one resource to the at least one client requesting access to the at least one resource, responsive to the at least one received identification of the characteristic of the at least one client. In some embodiments, the method includes the step of simulating, by a policy simulation engine, an application of the at least one policy to the at least one client requesting access to the at least one resource.
In one embodiment, the method includes the step of receiving an identification of a filter in the at least one policy, the filter satisfied by the at least one client. In another embodiment, the method includes the step of receiving an identification of a filter in the at least one policy, the filter not satisfied by the at least one client. In still another embodiment, the method includes the step of identifying, by a policy simulation engine, a characteristic of the at least one client responsive to an evaluation of at least one filter in the at least one policy.
In one embodiment, the method includes the step of determining whether at least one policy applies to the at least one client, responsive to the received identification of the characteristic. In another embodiment, the method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client. In still another embodiment, the method includes the step of displaying, by the graphical user interface, an indication that the application of the at least one policy results in a denial of access to the at least one resource by the at least one client. In still even another embodiment, the method includes the step of displaying, by the graphical user interface, an indication that the application of the at least one policy results in an authorization of access to the at least one resource by the at least one client. In yet another embodiment, the method includes the step of displaying, by the graphical user interface, an indication that the application of the at least one policy results in a request for additional information associated with the at least one client.
In another aspect, a method for interactive evaluation of policies using a graphical user interface includes the step of displaying an identification of at least one resource and the step of receiving an identification of a characteristic of at least one client requesting access to the at least one resource. The method includes the step of determining whether at least one policy applies to the at least one client, responsive to the received identification of the characteristic. The method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client.
In one embodiment, the method includes the step of receiving an identification of a type of application executed on the at least one client. In another embodiment, the method includes the step of determining that at least one policy applies to the at least one client, responsive to the received identification of the characteristic. In still another embodiment, the method includes the step of determining that at least one policy does not apply to the at least one client, responsive to the received identification of the characteristic. In still even another embodiment, the method includes the step of determining that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client.
In yet another embodiment, the method includes the step of displaying, by the graphical user interface, an indication that the application of the at least one policy results in a request for additional information associated with the at least one client.
In still another aspect, a system for interactive evaluation of policies using a graphical user interface includes a first graphical user interface element and a second graphical user interface element. The first graphical user interface element displays at least one resource. The second graphical user interface element receives an identification of a characteristic of at least one client and displays a result of an application of at least one policy associated with the at least one resource to the at least one client. In some embodiments, the system includes a policy simulation engine simulating application of the at least one policy associated with the at least one resource to the at least one client.
In some embodiments, the first graphical user interface element includes a display of a characteristic of the at least one client. In one embodiment, the first graphical user interface element includes a display of an identification of a type of application executed by the at least one client. In another embodiment, the second graphical user interface element includes an interface element indicating that an application of the at least one policy to the at least one client results in a denial of access to the at least one resource by the client. In still another embodiment, the second graphical user interface element includes an interface element indicating that an application of the at least one policy to the at least one client results in an allowance of access to the at least one resource by the client. In yet another embodiment, the second graphical user interface element includes an interface element indicating that additional information associated with the at least one client is needed to identify a result of an application of the at least one policy to the at least one client. In some embodiments, the second graphical user interface element includes an interface element displaying a filter of the at least one policy.
In one embodiment, the second graphical user interface element displays a decision made by applying at least one access control policy associated with the at least one resource to the at least one client. In another embodiment, the second graphical user interface element displays an auditing decision made by applying at least one auditing policy associated with the at least one resource to the at least one client.
In still another embodiment, the second graphical user interface element displays a load-balancing decision made by applying at least one load-balancing policy associated with the at least one resource to the at least one client. In yet another embodiment, the second graphical user interface displays a caching decision made by applying at least one caching policy associated with the at least one resource to the at least one client.
BRIEF DESCRIPTION OF THE DRAWINGS
The foregoing and other objects, aspects, features, and advantages of the disclosure will become more apparent and better understood by referring to the following description taken in conjunction with the accompanying drawings, in which:
FIG. 1A is a block diagram depicting an embodiment of a network environment comprising client machines in communication with remote machines;
FIGs. 1B and 1C are block diagrams depicting embodiments of computers useful in connection with the methods and systems described herein;
FIG. 2A is a block diagram depicting one embodiment of a network including a policy engine;
FIG. 2B is a block diagram depicting one embodiment of a policy engine, including a first component comprising a condition database and a logon agent, and including a second component comprising a policy database;
FIG. 3A is a block diagram depicting one embodiment of a system for dynamic generation of filters using a graphical user interface;
FIG. 3B is a screen shot of one embodiment of a graphical user interface in a system for dynamic generation of filters using a graphical user interface;
FIG. 3C is a screen shot of an embodiment of a graphical user interface in a system for dynamic generation of filters using a graphical user interface;
FIG. 3D is a screen shot of an embodiment of a graphical user interface in a system for dynamic generation of filters using a graphical user interface;
FIG. 3E is a screen shot of an embodiment of a graphical user interface for adding a condition to a filter;
FIG. 3F is a screen shot depicting an embodiment of a graphical user interface for displaying a first filter included as a term in a second filter;
FIG. 3G is a screen shot of an embodiment of a graphical user interface for customizing a clause of a filter;
FIG. 4 is a flow diagram depicting one embodiment of the steps taken in a method for dynamic generation of filters using a graphical user interface;
FIG. 5A is a block diagram depicting one embodiment of a system for access routing and resource mapping using filters;
FIG. 5B is a screen shot depicting one embodiment of a subset of rules in a resource mapping policy;
FIG. 6 is a flow diagram depicting one embodiment of the steps taken in a method for access routing and resource mapping using filters;
FIG. 7A is a block diagram depicting one embodiment of a system for interactive policy evaluation using resultant sets of policies;
FIG. 7B is a screen shot depicting one embodiment of a graphical user interface element receiving and displaying a description of a client requesting access to a resource;
FIG. 7C is a screen shot depicting one embodiment of a graphical user interface element for displaying a description of a resource requested by the client;
FIG. 7D is a screen shot depicting one embodiment of a graphical user interface element for displaying a description of a method of access requested by the client;
FIG. 7E is a screen shot depicting one embodiment of a user interface element displaying a decision;
FIG. 8A is a flow diagram depicting one embodiment of the steps taken in a method for interactive policy evaluation using resultant sets of policies;
FIG. 8B is a screen shot depicting one embodiment of a graphical user interface displaying a decision generated responsive to an automatic inference;
FIG. 8C is a screen shot depicting one embodiment of a graphical user interface displaying a condition that is used in a policy;
FIG. 8D is a screen shot depicting one embodiment of a graphical user interface displaying an access routing decision;
FIG. 9A is a block diagram depicting one embodiment of a system for interactive evaluation of policies using a graphical user interface;
FIG. 9B is a screen shot depicting an embodiment of a user interface for interactive evaluation of policies;
FIG. 9C is a screen shot depicting an embodiment of a user interface for interactive evaluation of policies;
FIG. 10 is a flow diagram depicting one embodiment of the steps taken in a method for interactive evaluation of policies using a graphical user interface; and
FIG. 11 is a flow diagram depicting an embodiment of the steps taken in a method for interactive evaluation of policies using a graphical user interface.
DETAILED DESCRIPTION OF THE INVENTION
Referring now to Figure 1A, an embodiment of a network environment is depicted. In brief overview, the network environment comprises one or more clients 102a-102n (also generally referred to as local machine(s) 102, or client(s) 102) in communication with one or more servers 106a-106n (also generally referred to as server(s) 106, or remote machine(s) 106) via one or more networks 104.
Although FIG. 1A shows a network 104 between the clients 102 and the servers 106, the clients 102 and the servers 106 may be on the same network 104. The network 104 can be a local-area network (LAN), such as a company Intranet, a metropolitan area network (MAN), or a wide area network (WAN), such as the Internet or the World Wide Web. In some embodiments, there are multiple networks 104 between the clients and the servers 106. In one of these embodiments, a network 104' may be a private network and a network 104 may be a public network. In another of these embodiments, a network 104 may be a private network and a network 104' a public network. In still another embodiment, networks 104 and 104' may both be private networks.
The network 104 may be any type and/or form of network and may include any of the following: a point to point network, a broadcast network, a wide area network, a local area network, a telecommunications network, a data communication network, a computer network, an ATM (Asynchronous Transfer Mode) network, a SONET (Synchronous Optical Network) network, an SDH (Synchronous Digital Hierarchy) network, a wireless network and a wireline network. In some embodiments, the network 104 may comprise a wireless link, such as an infrared channel or satellite band. The topology of the network 104 may be a bus, star, or ring network topology. The network 104 and network topology may be of any such network or network topology as known to those ordinarily skilled in the art capable of supporting the operations described herein. The network may comprise mobile telephone networks utilizing any protocol or protocols used to communicate among mobile devices, including AMPS, TDMA, CDMA, GSM, GPRS or UMTS. In some embodiments, different types of data may be transmitted via different protocols. In other embodiments, the same types of data may be transmitted via different protocols.
In one embodiment, the system may include multiple, logically-grouped servers 106. In these embodiments, the logical group of servers may be referred to as a server farm 38. In some of these embodiments, the servers 106 may be geographically dispersed. In some cases, a farm 38 may be administered as a single entity. In other embodiments, the server farm 38 comprises a plurality of server farms 38. In one embodiment, the server farm executes one or more applications on behalf of one or more clients 102.
The servers 106 within each farm 38 can be heterogeneous. One or more of the servers 106 can operate according to one type of operating system platform (e.g., WINDOWS NT, manufactured by Microsoft Corp. of Redmond, Washington), while one or more of the other servers 106 can operate according to another type of operating system platform (e.g., Unix or Linux). The servers 106 of each farm 38 do not need to be physically proximate to another server 106 in the same farm 38. Thus, the group of servers 106 logically grouped as a farm 38 may be interconnected using a wide-area network (WAN) connection or a metropolitan-area network (MAN) connection. For example, a farm 38 may include servers 106 physically located in different continents or different regions of a continent, country, state, city, campus, or room. Data transmission speeds between servers 106 in the farm 38 can be increased if the servers 106 are connected using a local-area network (LAN) connection or some form of direct connection.
Server 106 may be a file server, application server, web server, proxy server, appliance, network appliance, gateway, application gateway, gateway server, virtualization server, deployment server, SSL VPN server, or firewall. In some embodiments, a server 106 provides a remote authentication dial-in user service, and is referred to as a RADIUS server. In other embodiments, a server 106 may have the capacity to function as either an application server or as a master application server. In one embodiment, a server 106 may include an Active Directory. The remote machine 30 may be an application acceleration appliance. For embodiments in which the remote machine 30 is an application acceleration appliance, the remote machine 30 may provide functionality including firewall functionality, application firewall functionality, or load balancing functionality. In some embodiments, the remote machine 30 comprises an appliance such as one of the line of appliances manufactured by the Citrix Application Networking Group, of San Jose, CA, or Silver Peak Systems, Inc., of Mountain View, CA, or of Riverbed Technology, Inc., of San Francisco, CA, or of F5 Networks, Inc., of Seattle, WA, or of Juniper Networks, Inc., of Sunnyvale, CA.
The clients 102 may also be referred to as client nodes, client machines, endpoint nodes, or endpoints. In some embodiments, a client 102 has the capacity to function as both a client node seeking access to resources provided by a server and as a server providing access to hosted resources for other clients 102a-102n.
In some embodiments, a client 102 communicates with a server 106. In one embodiment, the client 102 communicates directly with one of the servers 106 in a farm 38. In another embodiment, the client 102 executes a program neighborhood application to communicate with a server 106 in a farm 38. In still another embodiment, the server 106 provides the functionality of a master node. In some embodiments, the client 102 communicates with the server 106 in the farm 38 through a network 104. Over the network 104, the client 102 can, for example, request execution of various applications hosted by the servers 106a-106n in the farm 38 and receive output of the results of the application execution for display. In some embodiments, only the master node provides the functionality required to identify and provide address information associated with a server 106b hosting a requested application.
In one embodiment, the server 106 provides the functionality of a web server.
In another embodiment, the server 106a receives requests from the client 102, forwards the requests to a second server 106b and responds to the request by the client 102 with a response to the request from the server 106b. In still another embodiment, the server 106 acquires an enumeration of applications available to the client 102 and address information associated with a server 106 hosting an application identified by the enumeration of applications. In yet another embodiment, the server 106 presents the response to the request to the client 102 using a web interface. In one embodiment, the client 102 communicates directly with the server 106 to access the identified application.
In another embodiment, the client 102 receives output data, such as display data, generated by an execution of the identified application on the server 106.
In some embodiments, the server 106 or a server farm 38 may be running one or more applications, such as an application providing a thin-client computing or remote display presentation application. In one embodiment, the server 106 or server farm 38 executes as an application any portion of the Citrix Access Suite™ by Citrix Systems, Inc., such as the MetaFrame or Citrix Presentation Server™, and/or any of the MICROSOFT WINDOWS Terminal Services manufactured by the Microsoft Corporation. In another embodiment, the application is an ICA client, developed by Citrix Systems, Inc. of Fort Lauderdale, Florida. In still another embodiment, the server 106 may run an application, which, for example, may be an application server providing email services such as MICROSOFT EXCHANGE manufactured by the Microsoft Corporation of Redmond, Washington, a web or Internet server, or a desktop sharing server, or a collaboration server. In yet another embodiment, any of the applications may comprise any type of hosted service or products, such as GOTOMEETING provided by Citrix Online Division, Inc. of Santa Barbara, California, WEBEX provided by WebEx, Inc. of Santa Clara, California, or Microsoft Office LIVE MEETING provided by Microsoft Corporation of Redmond, Washington.
A client 102 may execute, operate or otherwise provide an application, which can be any type and/or form of software, program, or executable instructions such as any type and/or form of web browser, web-based client, client-server application, a thin-client computing client, an ActiveX control, or a Java applet, or any other type and/or form of executable instructions capable of executing on client 102. In some embodiments, the application may be a server-based or a remote-based application executed on behalf of the client 102 on a server 106. In one embodiment the server 106 may display output to the client 102 using any thin-client or remote-display protocol, such as the Independent Computing Architecture (ICA) protocol manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Florida or the Remote Desktop Protocol (RDP) manufactured by the Microsoft Corporation of Redmond, Washington. The application can use any type of protocol and it can be, for example, an HTTP client, an FTP client, an Oscar client, or a Telnet client. In other embodiments, the application comprises any type of software related to voice over internet protocol (VoIP) communications, such as a soft IP telephone. In further embodiments, the application comprises any application related to real-time data communications, such as applications for streaming video and/or audio.
The client 102 and server 106 may be deployed as and/or executed on any type and form of computing device, such as a computer, network device or appliance capable of communicating on any type and form of network and performing the operations described herein. FIGs. 1B and 1C depict block diagrams of a computing device useful for practicing an embodiment of the client 102 or a server 106. As shown in FIGs. 1B and 1C, each computing device 100 includes a central processing unit 121, and a main memory unit 122. As shown in FIG. 1B, a computing device 100 may include a visual display device 124, a keyboard 126 and/or a pointing device 127, such as a mouse. As shown in FIG. 1C, each computing device 100 may also include additional optional elements, such as one or more input/output devices 130a-130b (generally referred to using reference numeral 130), and a cache memory 140 in communication with the central processing unit 121.
The central processing unit 121 is any logic circuitry that responds to and processes instructions fetched from the main memory unit 122. In many embodiments, the central processing unit is provided by a microprocessor unit, such as: those manufactured by Intel Corporation of Mountain View, California; those manufactured by Motorola Corporation of Schaumburg, Illinois; those manufactured by Transmeta Corporation of Santa Clara, California; the RS/6000 processor, those manufactured by International Business Machines of White Plains, New York; or those manufactured by Advanced Micro Devices of Sunnyvale, California. The computing device 100 may be based on any of these processors, or any other processor capable of operating as described herein.
Main memory unit 122 may be one or more memory chips capable of storing data and allowing any storage location to be directly accessed by the microprocessor 121, such as Static random access memory (SRAM), Burst SRAM or SynchBurst SRAM (BSRAM), Dynamic random access memory (DRAM), Fast Page Mode DRAM (FPM DRAM), Enhanced DRAM (EDRAM), Extended Data Output RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), Burst Extended Data Output DRAM (BEDO DRAM), Enhanced DRAM (EDRAM), synchronous DRAM (SDRAM), JEDEC SRAM, PC 100 SDRAM, Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM), Direct Rambus DRAM (DRDRAM), or Ferroelectric RAM (FRAM). The main memory 122 may be based on any of the above described memory chips, or any other available memory chips capable of operating as described herein. In the embodiment shown in FIG. 1B, the processor 121 communicates with main memory 122 via a system bus 150 (described in more detail below). FIG. 1C depicts an embodiment of a computing device 100 in which the processor communicates directly with main memory 122 via a memory port 103. For example, in FIG. 1C the main memory 122 may be DRDRAM.
FIG. 1C depicts an embodiment in which the main processor 121 communicates directly with cache memory 140 via a secondary bus, sometimes referred to as a backside bus. In other embodiments, the main processor 121 communicates with cache memory 140 using the system bus 150. Cache memory 140 typically has a faster response time than main memory 122 and is typically provided by SRAM, BSRAM, or EDRAM. In the embodiment shown in FIG. 1C, the processor 121 communicates with various I/O devices 130 via a local system bus 150. Various buses may be used to connect the central processing unit 121 to any of the I/O devices 130, including a VESA VL bus, an ISA bus, an EISA bus, a MicroChannel Architecture (MCA) bus, a PCI bus, a PCI-X bus, a PCI-Express bus, or a NuBus. For embodiments in which the I/O device is a video display 124, the processor 121 may use an Advanced Graphics Port (AGP) to communicate with the display 124. FIG. 1C depicts an embodiment of a computer 100 in which the main processor 121 communicates directly with I/O device 130b via HyperTransport, Rapid I/O, or InfiniBand. FIG. 1C also depicts an embodiment in which local busses and direct communication are mixed: the processor 121 communicates with I/O device 130a using a local interconnect bus while communicating with I/O device 130b directly.
The computing device 100 may support any suitable installation device 116, such as a floppy disk drive for receiving floppy disks such as 3.5-inch, 5.25-inch disks or ZIP disks, a CD-ROM drive, a CD-R/RW drive, a DVD-ROM drive, tape drives of various formats, USB device, hard-drive or any other device suitable for installing software and programs such as any client agent 120, or portion thereof. The computing device 100 may further comprise a storage device, such as one or more hard disk drives or redundant arrays of independent disks, for storing an operating system and other related software, and for storing application software programs such as any program related to the client agent 120. Optionally, any of the installation devices 116 could also be used as the storage device. Additionally, the operating system and the software can be run from a bootable medium, for example, a bootable CD, such as KNOPPIX, a bootable CD for GNU/Linux that is available as a GNU/Linux distribution from knoppix.net.
Furthermore, the computing device 100 may include a network interface 118 to interface to a Local Area Network (LAN), Wide Area Network (WAN) or the Internet through a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T1, T3, 56kb, X.25, SNA, DECNET), broadband connections (e.g., ISDN, Frame Relay, ATM, Gigabit Ethernet, Ethernet-over-SONET), wireless connections, or some combination of any or all of the above.
Connections can be established using a variety of communication protocols (e.g., TCP/IP, IPX, SPX, NetBIOS, Ethernet, ARCNET, SONET, SDH, Fiber Distributed Data Interface (FDDI), RS232, IEEE 802.11, IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, CDMA, GSM, WiMax and direct asynchronous connections). In one embodiment, the computing device 100 communicates with other computing devices 100' via any type and/or form of gateway or tunneling protocol such as Secure Socket Layer (SSL) or Transport Layer Security (TLS), or the Citrix Gateway Protocol manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Florida. The network interface 118 may comprise a built-in network adapter, network interface card, PCMCIA network card, card bus network adapter, wireless network adapter, USB network adapter, modem or any other device suitable for interfacing the computing device 100 to any type of network capable of communication and performing the operations described herein.
A wide variety of I/O devices 130a-130n may be present in the computing device 100. Input devices include keyboards, mice, trackpads, trackballs, microphones, and drawing tablets. Output devices include video displays, speakers, inkjet printers, laser printers, and dye-sublimation printers. The I/O devices may be controlled by an I/O controller 123 as shown in FIG. 1B. The I/O controller may control one or more I/O devices such as a keyboard 126 and a pointing device 127, e.g., a mouse or optical pen. Furthermore, an I/O device may also provide storage and/or an installation medium 116 for the computing device 100. In still other embodiments, the computing device may provide USB connections to receive handheld USB storage devices such as the USB Flash Drive line of devices manufactured by Twintech Industry, Inc. of Los Alamitos, California.
In some embodiments, the computing device 100 may comprise or be connected to multiple display devices 124a-124n, which each may be of the same or different type and/or form. As such, any of the I/O devices 130a-130n and/or the I/O controller 123 may comprise any type and/or form of suitable hardware, software, or combination of hardware and software to support, enable or provide for the connection and use of multiple display devices 124a-124n by the computing device 100. For example, the computing device 100 may include any type and/or form of video adapter, video card, driver, and/or library to interface, communicate, connect or otherwise use the display devices 124a-124n. In one embodiment, a video adapter may comprise multiple connectors to interface to multiple display devices 124a-124n. In other embodiments, the computing device 100 may include multiple video adapters, with each video adapter connected to one or more of the display devices 124a-124n. In some embodiments, any portion of the operating system of the computing device 100 may be configured for using multiple displays 124a-124n. In other embodiments, one or more of the display devices 124a-124n may be provided by one or more other computing devices, such as computing devices 100a and 100b connected to the computing device 100, for example, via a network. These embodiments may include any type of software designed and constructed to use another computer's display device as a second display device 124a for the computing device 100. One ordinarily skilled in the art will recognize and appreciate the various ways and embodiments that a computing device 100 may be configured to have multiple display devices 124a-124n.
In further embodiments, an I/O device 130 may be a bridge between the system bus 150 and an external communication bus, such as a USB bus, an Apple Desktop Bus, an RS-232 serial connection, a SCSI bus, a FireWire bus, a FireWire 800 bus, an Ethernet bus, an AppleTalk bus, a Gigabit Ethernet bus, an Asynchronous Transfer Mode bus, a HIPPI bus, a Super HIPPI bus, a SerialPlus bus, a SCI/LAMP bus, a FibreChannel bus, or a Serial Attached small computer system interface bus.
A computing device 100 of the sort depicted in FIGs. 1B and 1C typically operates under the control of operating systems, which control scheduling of tasks and access to system resources. The computing device 100 can be running any operating system such as any of the versions of the MICROSOFT WINDOWS operating systems, the different releases of the Unix and Linux operating systems, any version of the MAC OS for Macintosh computers, any embedded operating system, any real-time operating system, any open source operating system, any proprietary operating system, any operating systems for mobile computing devices, or any other operating system capable of running on the computing device and performing the operations described herein. Typical operating systems include: WINDOWS 3.x, WINDOWS 95, WINDOWS 98, WINDOWS 2000, WINDOWS NT 3.51, WINDOWS NT 4.0, WINDOWS CE, WINDOWS XP, and WINDOWS VISTA, all of which are manufactured by Microsoft Corporation of Redmond, Washington; MacOS, manufactured by Apple Computer of Cupertino, California; OS/2, manufactured by International Business Machines of Armonk, New York; and Linux, a freely-available operating system distributed by Caldera Corp. of Salt Lake City, Utah, or any type and/or form of a Unix operating system, among others.
The computer system 100 can be any workstation, desktop computer, laptop or notebook computer, server, handheld computer, mobile telephone or other portable telecommunication device, media playing device, a gaming system, mobile computing device, or any other type and/or form of computing, telecommunications or media device that is capable of communication and that has sufficient processor power and memory capacity to perform the operations described herein. For example, the computer system 100 may comprise a device of the IPOD family of devices manufactured by Apple Computer of Cupertino, California, a PLAYSTATION 2, PLAYSTATION 3, or PERSONAL PLAYSTATION PORTABLE (PSP) device manufactured by the Sony Corporation of Tokyo, Japan, a NINTENDO DS, NINTENDO GAMEBOY, NINTENDO GAMEBOY ADVANCED or NINTENDO REVOLUTION device manufactured by Nintendo Co., Ltd., of Kyoto, Japan, or an XBOX or XBOX 360™ device manufactured by the Microsoft Corporation of Redmond, Washington.
In some embodiments, the computing device 100 may have different processors, operating systems, and input devices consistent with the device. For example, in one embodiment, the computing device 100 is a Treo 180, 270, 600, 650, 680, 700p, 700w, or 750 smart phone manufactured by Palm, Inc. In some of these embodiments, the Treo smart phone is operated under the control of the PalmOS operating system and includes a stylus input device as well as a five-way navigator device.
In other embodiments the computing device 100 is a mobile device, such as a JAVA-enabled cellular telephone or personal digital assistant (PDA), such as the i55sr, i58sr, i85s, i88s, i90c, i95cl, or the im1100, all of which are manufactured by Motorola Corp. of Schaumburg, Illinois, the 6035 or the 7135, manufactured by Kyocera of Kyoto, Japan, or the i300 or i330, manufactured by Samsung Electronics Co., Ltd., of Seoul, Korea.
In still other embodiments, the computing device 100 is a Blackberry handheld or smart phone, such as the devices manufactured by Research In Motion Limited, including the Blackberry 7100 series, 8700 series, 7700 series, 7200 series, the Blackberry 7520, or the Blackberry Pearl 8100. In yet other embodiments, the computing device 100 is a smart phone, Pocket PC, Pocket PC Phone, or other handheld mobile device supporting Microsoft Windows Mobile Software. Moreover, the computing device 100 can be any workstation, desktop computer, laptop or notebook computer, server, handheld computer, mobile telephone, any other computer, or other form of computing or telecommunications device that is capable of communication and that has sufficient processor power and memory capacity to perform the operations described herein.
In one embodiment, the server 106 includes a policy engine for controlling and managing the access to a resource, selection of an execution method for accessing the resource, and the delivery of resources. In another embodiment, the server 106 communicates with a policy engine. In some embodiments, the policy engine determines the one or more resources a user or client 102 may access. In other embodiments, the policy engine determines how the resource should be delivered to the user or client 102, e.g., the method of execution. In still other embodiments, the server 106 provides a plurality of delivery techniques from which to select a method of execution, such as a server-based computing, application streaming, or delivering the application locally to the client 102 for local execution.
In one embodiment, a client 102 requests execution of an application program and a server 106 selects a method of executing the application program. In another embodiment, the server 106 receives credentials from the client 102. In still another embodiment, the server 106 receives a request for an enumeration of available applications from the client 102. In yet another embodiment, in response to the request or receipt of credentials, the server 106 enumerates a plurality of application programs available to the client 102.
In some embodiments, the server 106 selects one of a predetermined number of methods for executing an enumerated application, for example, responsive to a policy of a policy engine. In one of these embodiments, an application delivery system on the server 106 makes the selection. In another of these embodiments, the server 106 may select a method of execution of the application enabling the client 102 to receive output data generated by execution of the application program on a server 106b. In still another of these embodiments, the server 106 may select a method of execution of the application enabling the client 102 to execute the application program locally after retrieving a plurality of application files comprising the application. In yet another of these embodiments, the server 106 may select a method of execution of the application to stream the application via the network 104 to the client 102. In this embodiment, a first plurality of files in a stream of files comprising the application may be stored and executed on the client 102 while the server 106 transmits a second plurality of files in the stream of files to the client. This process may be referred to as "application streaming."
Referring now to FIG. 2A, a block diagram depicts one embodiment of a network including a policy engine 220. In one embodiment, the network includes a client 102, a collection agent 204, a policy engine 220, a policy database 208, a farm 38, and a server 106a. In another embodiment, the policy engine 220 is a server 106b. Although only one client 102, collection agent 204, policy engine 220, farm 38, and server 106a are depicted in the embodiment shown in Figure 2A, it should be understood that the system may provide multiple ones of any or each of those components.
In brief overview, when the client 102 transmits a request 210 to the policy engine 220 for access to a resource, the collection agent 204 communicates with client 102, retrieving information about the client 102, and transmits the client information 212 to the policy engine 220. The policy engine 220 makes an access control decision by applying a policy from the policy database 208 to the received information 212.
In more detail, the client 102 transmits a request 210 for a resource to the policy engine 220. In one embodiment, the policy engine 220 resides on a server 106b.
In another embodiment, the policy engine 220 is a server 106b. In still another embodiment, a server 106 receives the request 210 from the client 102 and transmits the request 210 to the policy engine 220. In a further embodiment, the client 102 transmits a request 210 for a resource to a server 106c, which transmits the request 210 to the policy engine 220.
Upon receiving the request, the policy engine 220 initiates information gathering by the collection agent 204. The collection agent 204 gathers information regarding the client 102 and transmits the information 212 to the policy engine 220.
In some embodiments, the collection agent 204 gathers and transmits the information 212 over a network connection. In some embodiments, the collection agent 204 comprises bytecode, such as an application written in the bytecode programming language JAVA. In some embodiments, the collection agent 204 comprises at least one script. In those embodiments, the collection agent 204 gathers information by running at least one script on the client 102. In some embodiments, the collection agent comprises an ActiveX control on the client 102. An ActiveX control is a specialized Component Object Model (COM) object that implements a set of interfaces that enable it to look and act like a control.
In one embodiment, the policy engine 220 transmits the collection agent 204 to the client 102. In another embodiment, a server 106 may store or cache the collection agent 204. The server 106 may then transmit the collection agent 204 to a client 102. In one embodiment, the policy engine 220 requires a second execution of the collection agent 204 after the collection agent 204 has transmitted information 212 to the policy engine 220. In this embodiment, the policy engine 220 may have insufficient information 212 to determine whether the client 102 satisfies a particular condition. In other embodiments, the policy engine 220 requires a plurality of executions of the collection agent 204 in response to received information 212.
In some embodiments, the policy engine 220 transmits instructions to the collection agent 204 determining the type of information the collection agent 204 gathers.
In those embodiments, a system administrator may configure the instructions transmitted to the collection agent 204 from the policy engine 220. This provides greater control over the type of information collected. This also expands the types of access control decisions that the policy engine 220 can make, due to the greater control over the type of information collected. The collection agent 204 gathers information 212 including, without limitation, machine ID of the client 102, operating system type, existence of a patch to an operating system, MAC addresses of installed network cards, a digital watermark on the client device, membership in an Active Directory, existence of a virus scanner, existence of a personal firewall, an HTTP header, browser type, device type, network connection information such as internet protocol address or range of addresses, machine ID of the server 106, date or time of access request including adjustments for varying time zones, and authorization credentials. In some embodiments, a collection agent gathers information to determine whether access to a resource can be accelerated on the client using an acceleration program.
In some embodiments, the device type is a personal digital assistant. In other embodiments, the device type is a cellular telephone. In other embodiments, the device type is a laptop computer. In other embodiments, the device type is a desktop computer.
In other embodiments, the device type is an Internet kiosk.
In some embodiments, the digital watermark includes data embedding. In some embodiments, the watermark comprises a pattern of data inserted into a file to provide source information about the file. In other embodiments, the watermark comprises data hashing files to provide tamper detection. In other embodiments, the watermark provides copyright information about the file.
In some embodiments, the network connection information pertains to bandwidth capabilities. In other embodiments, the network connection information pertains to Internet Protocol address. In still other embodiments, the network connection information consists of an Internet Protocol address. In one embodiment, the network connection information comprises a network zone identifying the logon agent to which the client 102 provided authentication credentials.
In some embodiments, the authorization credentials include a number of types of authentication information, including without limitation, user names, client names, client addresses, passwords, PINs, voice samples, one-time passcodes, biometric data, digital certificates, tickets, etc. and combinations thereof. After receiving the gathered information 212, the policy engine 220 makes an access control decision based on the received information 212.
Referring now to FIG. 2B, a block diagram depicts one embodiment of a policy engine 220, including a first component 222 comprising a condition database 224 and a logon agent 226, and including a second component 230 comprising a policy database 232. The first component 222 applies a condition from the condition database 224 to information received about client 102 and determines whether the received information satisfies the condition. In some embodiments, the condition database 224 stores filters, which are applied to information associated with a user or the user's client device.
In some embodiments, a condition or filter may require that the client 102 execute a particular operating system to satisfy the condition. In some embodiments, a condition or filter may require that the client 102 execute a particular operating system patch to satisfy the condition. In still other embodiments, a condition or filter may require that the client 102 provide a MAC address for each installed network card to satisfy the condition or filter. In some embodiments, a condition or filter may require that the client 102 indicate membership in a particular Active Directory to satisfy the condition.
In another embodiment, a condition or filter may require that the client 102 execute a virus scanner to satisfy the condition. In other embodiments, a condition or filter may require that the client 102 execute a personal firewall to satisfy the condition. In some embodiments, a condition or filter may require that the client 102 comprise a particular device type to satisfy the condition or filter. In other embodiments, a condition or filter may require that the client 102 establish a particular type of network connection to satisfy the condition or filter.
In some embodiments, a logon agent 226 resides outside of the policy engine 220. In other embodiments, the logon agent 226 resides on the policy engine 220. In one embodiment, the first component 222 includes a logon agent 226, which initiates the information gathering about client 102. In some embodiments, the logon agent further comprises a data store. In these embodiments, the data store includes the conditions for which the collection agent may gather information. In one of these embodiments, the data store is distinct from the condition database 224.
In some embodiments, the logon agent 226 initiates information gathering by executing the collection agent 204. In other embodiments, the logon agent 226 initiates information gathering by transmitting the collection agent 204 to the client 102 for execution on the client 102. In still other embodiments, the logon agent 226 initiates additional information gathering after receiving information 212. In one embodiment, the logon agent 226 also receives the information 212. In this embodiment, the logon agent 226 generates the data set 228 based upon the received information 212. In some embodiments, the logon agent 226 generates the data set 228 by applying a condition from the database 224 to the information received from the collection agent 204.
In another embodiment, the first component 222 includes a plurality of logon agents 226. In this embodiment, at least one of the plurality of logon agents 226 resides on each network domain from which a client 102 may transmit a resource request. In this embodiment, the client 102 transmits the resource request to a particular logon agent 226.
In some embodiments, the logon agent 226 transmits to the policy engine 220 the network domain from which the client 102 accessed the logon agent 226. In one embodiment, the network domain from which the client 102 accesses a logon agent 226 is referred to as the network zone of the client 102.
In some embodiments, the condition database 224 stores the conditions or filters that the first component 222 applies to received information. The policy database 232 stores the policies that the second component 230 applies to the received data set 228. In some embodiments, the condition database 224 and the policy database 232 store data in an ODBC-compliant database. For example, the condition database 224 and the policy database 232 may be provided as an ORACLE database, manufactured by Oracle Corporation of Redwood Shores, Calif. In other embodiments, the condition database 224 and the policy database 232 can be a MICROSOFT ACCESS database or a MICROSOFT SQL server database, manufactured by Microsoft Corporation of Redmond, Wash.
In some embodiments, if the received information satisfies a condition, the first component 222 stores an identifier for that condition in a data set 228 and the second component applies a policy from the policy database to the data set. In other embodiments, after the first component 222 applies the received information to each condition in the condition database 224, the first component transmits the data set 228 to second component 230. In one embodiment, the first component 222 transmits only the data set 228 to the second component 230. Therefore, in this embodiment, the second component 230 does not receive information 212, only identifiers for satisfied conditions.
The second component 230 receives the data set 228 and makes an access control decision by applying a policy from the policy database 232 based upon the conditions identified within data set 228.
In some embodiments, the policy engine determines whether the user and the client device satisfy the requirements expressed in a filter. In one of these embodiments, the policy engine accesses an enumeration of filters to make the determination. The enumeration of filters may be stored in a condition database. In another of these embodiments, the use of the filter replaces the need for the data set and the policy database. In still another of these embodiments, the policy engine includes a condition database co-located with a policy database. In yet another of these embodiments, where the condition database and the policy database are co-located, the policy engine does not generate a data set to determine whether the user and the client device satisfy the requirements expressed in the filter.
In one embodiment, policy database 232 stores the policies applied to the received information 212. In one embodiment, the policies stored in the policy database 232 are specified at least in part by the system administrator. In another embodiment, a user specifies at least some of the policies stored in the policy database 232. The user-specified policy or policies are stored as preferences. The policy database 232 can be stored in volatile or non-volatile memory or, for example, distributed through multiple servers.
In one embodiment, a policy allows access to a resource only if one or more conditions are satisfied. In another embodiment, a policy allows access to a resource but prohibits transmission of the resource to the client 102. Another policy might make connection contingent on the client 102 that requests access being within a secure network. In some embodiments, the resource is an application program and the client 102 has requested execution of the application program. In one of these embodiments, a policy may allow execution of the application program on the client 102. In another of these embodiments, a policy may enable the client 102 to receive a stream of files comprising the application program. In still another of these embodiments, a policy may allow only execution of the application program on a server 106, such as an application server, and require the server 106 to transmit output data to the client 102.
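The two-stage flow described above, as an added example that is not part of the patent: the first component applies each condition to the raw client information 212 and emits only a data set of identifiers for satisfied conditions, and the second component decides from that data set alone, never seeing the raw information. The condition identifiers, the 'payroll' resource, the access methods, the network ranges and the sample clients are constructed assumptions. A condition that cannot be evaluated because the client supplied missing or malformed data is treated as unsatisfied, so a broken collection agent cannot widen access.

```python
"""Two-stage policy evaluation: conditions -> data set of satisfied IDs -> policies.

Constructed example; condition and policy names are assumptions, not from the patent.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Any, Callable, FrozenSet, Mapping, Sequence

ClientInfo = Mapping[str, Any]


@dataclass(frozen=True)
class Condition:
    ident: str                          # identifier stored in the data set when satisfied
    test: Callable[[ClientInfo], bool]  # applied to the gathered client information


@dataclass(frozen=True)
class Policy:
    resource: str
    required: FrozenSet[str]   # condition identifiers that must all be in the data set
    forbidden: FrozenSet[str]  # condition identifiers that must not be in the data set
    method: str                # access method granted when the policy matches


# Assumed "secure network" ranges (constructed).
SECURE_NETS = (ip_network("10.70.0.0/16"), ip_network("10.30.0.0/16"))

CONDITIONS: Sequence[Condition] = (
    Condition("os.windows", lambda i: i["os"].lower().startswith("windows")),
    Condition("av.running", lambda i: i["virus_scanner"] is True),
    Condition("fw.running", lambda i: i["personal_firewall"] is True),
    Condition("net.secure", lambda i: any(ip_address(i["ip"]) in n for n in SECURE_NETS)),
    Condition("zone.corp", lambda i: i["zone"] == "corp"),
    Condition("zone.guest", lambda i: i["zone"] == "guest"),
)

# Ordered: the first matching policy for the resource decides; no match means deny.
POLICIES: Sequence[Policy] = (
    Policy("payroll", frozenset({"net.secure", "av.running", "fw.running"}),
           frozenset(), "execute-on-client"),
    Policy("payroll", frozenset({"av.running"}), frozenset({"zone.guest"}),
           "execute-on-server"),
)


def first_component(conditions: Sequence[Condition], info: ClientInfo) -> FrozenSet[str]:
    """Apply every condition to the raw client information.

    Only identifiers of satisfied conditions leave this stage. A condition that cannot
    be evaluated (missing or malformed data) counts as unsatisfied: fail closed.
    """
    satisfied = set()
    for cond in conditions:
        try:
            if cond.test(info):
                satisfied.add(cond.ident)
        except (KeyError, AttributeError, TypeError, ValueError):
            pass
    return frozenset(satisfied)


def second_component(policies: Sequence[Policy], resource: str,
                     data_set: FrozenSet[str]) -> str:
    """Decide from the data set alone; this stage never sees the raw client information."""
    for policy in policies:
        if policy.resource != resource:
            continue
        if policy.required <= data_set and not (policy.forbidden & data_set):
            return policy.method
    return "deny"


def decide(resource: str, info: ClientInfo,
           conditions: Sequence[Condition] = CONDITIONS,
           policies: Sequence[Policy] = POLICIES) -> str:
    return second_component(policies, resource, first_component(conditions, info))


# Constructed sample clients.
TRUSTED_CLIENT = {"os": "Windows Vista", "ip": "10.70.4.2", "zone": "corp",
                  "virus_scanner": True, "personal_firewall": True}
HOME_CLIENT = {"os": "Windows XP", "ip": "203.0.113.5", "zone": "internet",
               "virus_scanner": True, "personal_firewall": False}

if __name__ == "__main__":
    print(sorted(first_component(CONDITIONS, TRUSTED_CLIENT)))
    print(decide("payroll", TRUSTED_CLIENT), decide("payroll", HOME_CLIENT))
```

The point of the split is that the policy stage reasons only over condition identifiers, so policies can be audited without reference to what the collection agent actually reports, and a policy can both require identifiers (a secure network, a running scanner) and forbid them (a guest zone).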
In some embodiments, a determination is made as to a type of connection to establish when granting access to a resource responsive to a determination by a policy engine such as the policy engine 220 described above in FIG. 2A and FIG. 2B.
In other embodiments, a determination is made as to a method for granting access to a resource, such as a method for execution, responsive to a determination by a policy engine such as the policy engine 220 described above in connection with FIG. 2A and FIG. 2B.
In still other embodiments, the server 106 receiving the credentials and the request to execute the resource further comprises such a policy engine 220. In yet other embodiments, the server 106 applies an access control policy to determine whether or not to grant access to the resource.
In some embodiments, filters are used in conjunction with policy engines as described above. In other embodiments, filters are used within policies, including, but not limited to, access control policies, auditing policies, network routing policies, load balancing policies, policies relating to error reporting, and failure handling policies. In still other embodiments, policy engines other than those described above use filters to evaluate an action to take with respect to a particular user or resource. In yet other embodiments, customized graphical user interfaces improve the ability of an administrator to generate filters.
Referring now to FIG. 3A, a block diagram depicts one embodiment of a system for dynamic generation of filters using a graphical user interface. In brief overview, the system includes a graphical user interface 300, a graphical user interface element 310, and a filter 350. The graphical user interface element 310 includes a description of a first clause 315 of the filter 350. The system includes one of: i) a second graphical user interface element 330 comprising a description 335 of at least one conjunctive clause of the filter 350, and ii) a description 320 in the graphical user interface element 310 of a disjunctive sub-clause of the first clause of the filter 350. The filter 350 is generated responsive to the contents of the first graphical user interface element 310 and the second graphical user interface element 330. Although only one graphical user interface 300, one graphical user interface element 310, and one filter 350 are depicted in the embodiment shown in FIG. 3A, it should be understood that the system may provide multiple ones of any or each of those components.
In one embodiment, an access control list maps at least one filter to an allowed or denied permission setting included in the access control list. In another embodiment, a filter is a simple or compound condition that may or may not be met by a client requesting access to a resource. In still another embodiment, simple conditions include group membership, role membership, IP range membership, and a characteristic of a client device requesting access to a resource, such as whether the client device executes a particular application or has access to a particular hardware resource. In yet another embodiment, compound conditions are combinations of simple conditions that may be defined using a filter editor.
In some embodiments, a filter is used to describe at least one characteristic for evaluation. In one of these embodiments, the at least one characteristic is associated with a resource. In another of these embodiments, the at least one characteristic is associated with a user. In still another of these embodiments, the at least one characteristic is associated with a combination of users or resources. In yet another of these embodiments, the at least one characteristic is evaluated to make a policy decision, such as an access control decision. In other embodiments, filters are used to determine whether at least one entity matches at least one specified condition.
In one embodiment, a filter describes at least one characteristic of a resource. In another embodiment, a filter may specify a group of resources to which a particular resource should belong to satisfy the filter, such as, for example, specifying a particular named group of resources (such as "office applications"), specifying an operating system from which the resource is accessed (the WINDOWS VISTA operating system), and specifying a display capability supported by a system from which the resource is accessed. In still another embodiment, and for example, a filter may include a 'leaf' condition specifying at least one of the following: a group of resources to which the resource should belong, a sub-directory which should enumerate the resource, an operating system capable of supporting the resource, a computing capability provided by a system from which the resource is accessed (such as a display capability or computing functionality), a required network characteristic (such as a per-application IP address), an environment in which the resource should execute (for example, an isolation environment), or a licensing requirement (for example, requiring a license for a specific user or for a specific type of request).
In one embodiment, a filter describes a characteristic associated with a combination of a user and a resource. In another embodiment, the filter may specify a first condition associated with a user and a second condition associated with a resource, and to satisfy the filter, the user and the resource must each satisfy the specified conditions.
In still another embodiment, the filter specifies that a user be authorized to access a resource - for example, that the user own the resource, be licensed to use the resource, or have permission from an external policy system to access the resource. In yet another embodiment, for example, a filter specifies that a user satisfy a first filter and that the resource satisfy a second filter.
In one embodiment, a filter applies to a plurality of users. In another embodiment, a filter may specify a condition that a group of users involved in a collaborative application must all satisfy in order to satisfy the filter, for example, that all users belong to a particular group, or that at least one of the plurality of users has a particular role. In still another embodiment, a filter applies to a plurality of resources. In still even another embodiment, a filter applies to a plurality of users and to a resource. In yet another embodiment, a filter applies to a plurality of resources and to a user.
In some embodiments, a filter defines a dynamic group. In one of these embodiments, the filter identifies a user belonging to the dynamic group. In another of these embodiments, the filter identifies a user excluded from the dynamic group. In still another of these embodiments, a member of the dynamic group satisfies a requirement specified by the filter.
In one embodiment, compound conditions are stored as 'named filters'. In another embodiment, a named filter can be edited later or reused in other filters. For example, and in still another embodiment, an administrator might specify a filter called 'Trusted Users' to be matched by users in a specific group, when requesting access to a resource from a client in a specific IP range, and provided that a particular virus checker is installed on the client with a specific version number. Once the filter 'Trusted Users' is defined, it can be used in multiple access control lists or policies, in an analogous way to group membership.
Referring now to FIG. 3A, and in greater detail, a system for dynamic generation of filters using a graphical user interface 300 includes a graphical user interface element 310, which includes a description of a first clause 315 of a filter 350. In some embodiments, the graphical user interface 300 is a filter editor. In other embodiments, the graphical user interface 300 is a Boolean expression editor. In one of these embodiments, the graphical user interface 300 is a Boolean-expression generator, creating Boolean expressions from descriptions of clauses that are not written as Boolean expressions. In still other embodiments, the graphical user interface 300 allows an administrator to define or edit a filter. In one of these embodiments, the graphical user interface 300 allows an administrator to define or edit a compound condition required of a client. In another of these embodiments, the graphical user interface 300 allows a user to describe a clause without expressing the clause as a Boolean expression. In still another of these embodiments, the graphical user interface 300 allows an administrator to define 'leaf' conditions, such as conditions requiring that a user be a member of a group or request access from a certain network segment. In yet another of these embodiments, the graphical user interface 300 allows an administrator to specify a combination of these conditions using 'and', 'or' and 'not' combinations - for example: "User in group Administrator and not on an untrusted machine." In yet other embodiments, the system receives descriptions of filters and generates filters written as Boolean expressions.
In one embodiment, the system uses data entered into the graphical user interface to generate clauses expressed in Conjunctive Normal Form (CNF). Expressions in CNF may be of the form "X and Y and Z ..." where each of X, Y and Z is itself an expression of the form "Q or W or E" and each of Q, W, and E is either a leaf condition (also referred to as an "atomic term") or a negated atomic term. In another embodiment, the system uses data entered into the graphical user interface 300 to generate clauses composed in an extended version of CNF where Q, W, and E may also be named references to other compound expressions, or named sub-expressions that are themselves composed in the extended version of CNF, which may be referred to as Extended Conjunctive Normal Form (ECNF). In still another embodiment, the use of ECNF simplifies the task of representing expressions. For example, the expression "A or (B and C)" can be represented in CNF as "(A or B) and (A or C)" but in ECNF can also be represented as "A or D, where D is further defined as 'B and C'".
In some embodiments, the graphical user interface element 310 is an interface element such as a text box, a drop-down menu, or a hyperlink. In one of these embodiments, the graphical user interface element 310 displays a description of the first clause 315 of the filter 350. In another of these embodiments, the graphical user interface element 310 displays a filter name associated with the description of the disjunctive sub-clause of the first clause 315 of the filter 350. In still another of these embodiments, the text box displays a description of a first clause 315 of a filter 350, the first clause comprising a second filter. In other embodiments, a user of the graphical user interface 300 enters the description of the first clause 315 using a set of controls, including, but not limited to, text boxes, drop down lists, and graphical depictions of directories.
In some embodiments, a description of the first clause 315 includes an identification of a property of a client that satisfies the first clause 315.
In other embodiments, disjunctive (or) clauses represent like items and conjunctive (and) clauses represent unlike items. For example, and in one of these embodiments, a filter for users in groups A and B indicates that a user must match either group (i.e. 'A or B'), whereas a filter testing IP address and group membership tends to mean that both should match (i.e. 'A and B'). In another of these embodiments, a union (or) of terms is represented as a box containing those terms. In still another of these embodiments, a conjunction (and) of terms is represented as a set of boxes. In still even another of these embodiments, the graphical user interface element 310 displays a description of a disjunctive sub-clause of the first clause of the access filter. In yet another of these embodiments, a second graphical user interface element 330 displays a description of a conjunctive clause 335 of the first clause 315 in the access filter 350. In still other embodiments, a full expression is satisfied if one term from each box is satisfied.
In some embodiments, the graphical user interface element 310 displays a filter name associated with the description of the first clause 315 of the filter 350. In one of these embodiments, the filter name is the name of a stored description of the first clause 315. In another of these embodiments, the graphical user interface element 310 displays a drop-down menu listing the filter name. In still another of these embodiments, the graphical user interface element 310 displays a list of filter names.
In other embodiments, the graphical user interface element 310 displays a name associated with a category of access control tests. In still other embodiments, atomic terms are classified as belonging to a category, the categories including, but not limited to, endpoint, network, user, server or mixed. In one of these embodiments, a term in the "endpoint" category describes a condition to be satisfied by a client device of a user requesting access to a resource. In another of these embodiments, a term in the "network" category describes a condition regarding a network from which a client device requesting access connects. In still another of these embodiments, a term in the "user" category describes a condition regarding a group in which the user is a member. In even still another of these embodiments, a term in the "server" category describes a condition to be satisfied by a server providing access to the requested resource. In yet another embodiment, a category includes terms from different categories.
The graphical user interface 300 includes one of: i) a second graphical user interface element 330 comprising a description 335 of at least one conjunctive clause of the filter 350, and ii) a description 320 in the graphical user interface element 310 of a disjunctive sub-clause of the first clause of the filter 350. In one embodiment, the graphical user interface 300 includes both the second graphical user interface element 330 and the description 320. In another embodiment, when a term is added to the filter editor, and the graphical user interface 300 already includes a box for a category associated with the term (such as graphical user interface element 310), then the term is added as a disjunctive term in the existing box. In still another embodiment, if there is no box for that category, a new box (graphical user interface element 330) is added to the graphical user interface 300.
In some embodiments, the second graphical user interface element 330 is an interface element such as a text box, a drop-down menu, or a hyperlink. In one of these embodiments, the second graphical user interface element 330 displays a description of the conjunctive clause of the filter 350. In another of these embodiments, the second graphical user interface element 330 displays a filter name associated with the description of the conjunctive clause of the filter 350. In still another of these embodiments, the second graphical user interface element 330 displays a filter name associated with a second category of access control tests. In other embodiments, the graphical user interface 300 includes one of: i) a second graphical user interface element 330 displaying a description of at least one disjunctive clause of the filter, and ii) a description in the first graphical user interface element of a conjunctive sub-clause of the first clause of the filter.
For example, and in some of these embodiments, if a user adds two group membership tests to a filter, the terms defining each of the group membership tests will be placed in the same box (graphical user interface element 310), and if an IP range test is then also added to the graphical user interface 300, the term defining the IP range test will be placed in a separate box (graphical user interface element 330).
The filter 350 is generated responsive to the contents of the first graphical user interface element 310 and the second graphical user interface element 330. In one embodiment, the filter 350 is displayed to the user in a readable format designed to avoid the inherent potential complexity of nested 'and' and 'or' operators. For example, a valid filter for 'Trusted Users' might be:

(Client-observed IP in the range 10.70.0.0-10.70.255.255 or Client-observed IP in the range 10.30.0.0-10.30.255.255) and User in group Company\Domain Users and (Filter(Trend) or Filter(Norton))

and this filter may be displayed in a format designed to assist the user in parsing the clauses of the filter; for example, by displaying the filter in terms of component clauses:

Network Test: Client-observed IP in the range 10.70.0.0-10.70.255.255 or Client-observed IP in the range 10.30.0.0-10.30.255.255
User Test: User in group Company\Domain Users
Endpoint Test: Filter(Trend) or Filter(Norton)

In this embodiment, the representation of the filter 350 is read with an 'AND' between each type of test. In this embodiment, the test 'Filter(Trend)' is classified as an endpoint test because all atomic tests in this filter are themselves endpoint tests. In an embodiment where the 'Trend' filter contained a mixture of tests of different categories, it may have been given the category 'Mixed' and displayed as 'Other Tests'. In some embodiments, an administrator uses the filters to generate an access control list. In other embodiments, a system, such as a policy engine, determines whether a user requesting access to a resource satisfies the conditions in the filter to determine whether or not to grant access to the requested resource. In still other embodiments, a system determines whether a user satisfies a condition expressed in a filter to determine whether the user satisfies the requirements of a policy, such as an access control policy, an auditing policy, a network routing policy, a load balancing policy, a policy relating to error reporting, or a failure handling policy.
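The following Python is an added example, not code from the patent, that ties together three of the points above: evaluation of a filter in Extended Conjunctive Normal Form in which named filters are used as if they were atomic tests, the editor heuristic that places a new term into the existing box of its category or opens a new box, and the per-category display that is read with an AND between lines and labels a mixed-category filter as 'Other Tests'. It also refuses cyclic or undefined named-filter references, which the text does not discuss but which any evaluator that follows references must check before evaluating. The three atomic test kinds, the 'Remote Admin' filter and the request record are constructed assumptions; the 'Trusted Users' filter reproduces the one shown above.

```python
"""ECNF filter evaluation with named sub-filters, category boxes and readable display.

Constructed example; test kinds, category names and filter contents are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Any, Dict, List, Mapping, Tuple, Union


@dataclass(frozen=True)
class Atom:
    kind: str              # "ip_range", "group" or "property"
    args: Tuple[str, ...]
    negated: bool = False


@dataclass(frozen=True)
class Ref:
    name: str              # a named filter, used as if it were an atomic test
    negated: bool = False


Term = Union[Atom, Ref]
Box = List[Term]           # terms within a box are OR'ed
Filter = List[Box]         # boxes are AND'ed: "(a or b) and (c) and (d or e)"
Filters = Dict[str, Filter]

CATEGORY = {"ip_range": "Network", "group": "User", "property": "Endpoint"}


def check_acyclic(filters: Filters) -> None:
    """Reject undefined or looping named-filter references before anything is evaluated."""
    def visit(name: str, path: Tuple[str, ...]) -> None:
        if name in path:
            raise ValueError("cyclic filter reference: " + " -> ".join(path + (name,)))
        if name not in filters:
            raise KeyError(f"undefined filter {name!r}")
        for box in filters[name]:
            for term in box:
                if isinstance(term, Ref):
                    visit(term.name, path + (name,))
    for name in filters:
        visit(name, ())


def category(term: Term, filters: Filters) -> str:
    """Category of a term; a named filter whose terms span categories is 'Mixed'."""
    if isinstance(term, Atom):
        return CATEGORY[term.kind]
    cats = {category(t, filters) for box in filters[term.name] for t in box}
    return next(iter(cats)) if len(cats) == 1 else "Mixed"


def add_term(flt: Filter, term: Term, filters: Filters) -> None:
    """Editor heuristic: OR into the existing box of the same category, else open a new box."""
    cat = category(term, filters)
    for box in flt:
        if box and category(box[0], filters) == cat:
            box.append(term)
            return
    flt.append([term])


def eval_atom(atom: Atom, req: Mapping[str, Any]) -> bool:
    if atom.kind == "ip_range":
        low, high = ip_address(atom.args[0]), ip_address(atom.args[1])
        hit = low <= ip_address(req["ip"]) <= high
    elif atom.kind == "group":
        hit = atom.args[0] in req["groups"]
    else:  # property equality
        hit = req["properties"].get(atom.args[0]) == atom.args[1]
    return hit != atom.negated


def evaluate(name: str, filters: Filters, req: Mapping[str, Any]) -> bool:
    """ECNF semantics: every box must contain at least one satisfied term."""
    def term_ok(term: Term) -> bool:
        if isinstance(term, Ref):
            return evaluate(term.name, filters, req) != term.negated
        return eval_atom(term, req)
    return all(any(term_ok(t) for t in box) for box in filters[name])


def describe(term: Term) -> str:
    neg = "not " if term.negated else ""
    if isinstance(term, Ref):
        return f"{neg}Filter({term.name})"
    if term.kind == "ip_range":
        return f"{neg}Client observed IP in the range {term.args[0]}-{term.args[1]}"
    if term.kind == "group":
        return f"{neg}User in group {term.args[0]}"
    return f"{neg}{term.args[0]} is {term.args[1]}"


def render(name: str, filters: Filters) -> List[str]:
    """One line per box, labelled by category; the reader supplies AND between lines."""
    lines = []
    for box in filters[name]:
        cat = category(box[0], filters)
        label = "Other Tests" if cat == "Mixed" else f"{cat} Test"
        lines.append(f"{label}: " + " or ".join(describe(t) for t in box))
    return lines


# Constructed named filters: "Trend" and "Norton" are endpoint-only, so a reference to
# either is an endpoint test; "Remote Admin" mixes a user test with a negated network test.
FILTERS: Filters = {
    "Trend": [[Atom("property", ("antivirus", "Trend"))]],
    "Norton": [[Atom("property", ("antivirus", "Norton"))]],
    "Remote Admin": [[Atom("group", ("Company\\admin",))],
                     [Atom("ip_range", ("10.70.0.0", "10.70.255.255"), negated=True)]],
}
TRUSTED_USERS: Filter = []
for _term in (Atom("ip_range", ("10.70.0.0", "10.70.255.255")),
              Atom("group", ("Company\\Domain Users",)),
              Atom("ip_range", ("10.30.0.0", "10.30.255.255")),
              Ref("Trend"), Ref("Norton")):
    add_term(TRUSTED_USERS, _term, FILTERS)   # boxes: [ip, ip], [group], [Trend, Norton]
FILTERS["Trusted Users"] = TRUSTED_USERS
check_acyclic(FILTERS)

# Constructed request: a domain user on the 10.30/16 range with Norton installed.
REQUEST = {"ip": "10.30.8.9", "groups": {"Company\\Domain Users"},
           "properties": {"antivirus": "Norton"}}
```

Because the terms were added in the order IP range, group, IP range, Trend, Norton, the heuristic produces the three boxes shown in the text even though the administrator never grouped them by hand, and render("Trusted Users", FILTERS) yields the Network, User and Endpoint lines in that order.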
Referring now to FIG. 3B, a screen shot depicts one embodiment of a graphical user interface in a system for dynamic generation of filters using a graphical user interface. FIG. 3B provides a screen shot of a graphical user interface 300 representing the following filter: "IPRange(10.70.0.0-10.70.255.255) AND (Group(ABC-Company\admin) OR Group(ABC-Company\users))". The graphical user interface 300 includes a graphical user interface element 310, which includes both a filter name 360 and a description of a first clause 315 of the filter 350. The graphical user interface 300 also includes a graphical user interface element 330, which includes a filter name 370, a description of a second clause 335 of the filter 350, and a description of a disjunctive sub-clause 340 of the filter 350.
Referring now to FIG. 3C, a screen shot depicts another embodiment of a graphical user interface 300. In this embodiment, the graphical user interface explicitly specifies the logical relationship between the sub-clauses and clauses of the filter. Additionally, the graphical user interface 300 depicts a graphical user interface element shaded to indicate that graphical user interface element does not yet contain a description of a clause or sub-clause of the filter and is, instead, an inactive placeholder for an additional expression.
Referring now to FIG. 3D, a screen shot depicts another embodiment of a system for dynamic generation of filters using a graphical user interface. In some embodiments, the graphical user interface 300 receives a term from a user and applies a heuristic to automatically add the term to the appropriate graphical user interface element 310 or 330.
In one of these embodiments, and as depicted in FIG. 3D, the graphical user interface 300 may include a user interface element 375 to allow a user to move a term from one graphical user interface element to another. In FIG. 3D, graphical user interface element 375 is a pull-down menu that allows a user to move a term from graphical user interface element 370 to graphical user interface element 310 ("Move to Network Tests"), or to a new user interface element ("Move to an empty box"), or to remove the element, or to edit or negate the term.
FIG. 3D includes a graphical user interface element 380, labeled "Add Condition." In one embodiment, the graphical user interface element 380 is used to add new atomic tests to the filter. In another embodiment, the graphical user interface element 380 allows the addition of new filters (compound expressions) that are named and represented in the tool as if they were atomic tests. For example, if the user had previously defined a named filter (such as, "Client Machine has Trend installed"), then this filter could be added as an atomic test within the filter 350 generated by the graphical user interface 300.
Referring now to FIG. 3E, a screen shot depicts one embodiment of a graphical user interface for adding a condition to a filter. In one embodiment, selection of the graphical user interface element 380 depicted in FIG. 3D results in the display of graphical user interface 390 depicted in FIG. 3E. In another embodiment, the graphical user interface 390 is a menu listing at least one type of atomic test available for use in a filter 350, including, but not limited to sub-expressions, references to existing filters, property comparisons, IP Range tests, Group Membership tests, and time-of-day testing.
In still another embodiment, when a test is selected, a dialog box is provided to allow the administrator to fill in (or edit) details related to that test. In still even another embodiment, if the user selects a 'property comparison' test, a dialog box is provided to allow the user to select which property of the client device is to be compared, and to which value the property should be compared. Client device-related properties may include User Id, IP Address, Call Time and endpoint information, such as the presence/absence of client features and/or the version number of client-installed software.
In yet another embodiment, a number of comparison operators are supported, such as equality, greater than, less than, uncased comparison (for strings) and `is-a' for enumerations.
Referring now to FIG. 3F, a screen shot depicts an embodiment of a graphical user interface for displaying a first filter included as a term in a second filter. The graphical user interface 392 depicts a first sub-clause 394 and a second sub-clause 396, each of which are named filters nested within the first clause of the filter described by graphical user interface 392. Sub-clause 396 is described in a graphical user interface element similar to those described above. Sub-clause 394 explicitly lists the clauses of the named filter "Trend 98", displaying to the user the clauses specified by the nested filter.
Referring now to FIG. 3G, a screen shot depicts one embodiment of a graphical user interface for customizing a clause of a filter. As depicted in FIG. 3G, properties provided by the graphical user interface 300 are extensible and customizable.
For example, and in one embodiment, an administrator might select an operating system from a plurality of pre-defined operating systems, for example by identifying a client operating system as a parameter to customize, selecting a type of comparison ("is") to associate with the parameter, and selecting a particular operating system from an enumeration of values (such as the different versions of the WINDOWS operating system listed in FIG. 3G). In one embodiment, an 'is-a' comparison with the value "WINDOWS" would satisfy the condition if the client operating system had a name including the value "WINDOWS."
Referring now to FIG. 4, a flow diagram depicts one embodiment of the steps taken in a method for dynamic generation of filters using a graphical user interface. In brief overview, a first clause of a filter is described in a first graphical user interface element (step 402). At least one of a conjunctive clause of the filter, in a second graphical user interface element, and a disjunctive sub-clause of the first clause of a filter, in the first graphical user interface element, are described (step 404). A filter is generated responsive to the contents of the first graphical user interface element and the second graphical user interface element (step 406).
Referring now to FIG. 4, in greater detail and in connection with FIG. 3A, a first clause of a filter is described in a first graphical user interface element (step 402). In one embodiment, a first clause of the filter is described, the first clause comprising a second filter. In another embodiment, a description of the first clause is received from a user via a third graphical user interface element. In still another embodiment, the first clause of the filter is described using a non-algebraic language.
At least one of a conjunctive clause of the filter, in a second graphical user interface element, and a disjunctive sub-clause of the first clause of a filter, in the first graphical user interface element, are described (step 404). In one embodiment, a description is provided of at least one of: i) a disjunctive clause of the filter in a second graphical user interface element, and ii) a conjunctive sub-clause of the first clause of the filter in the first graphical user interface element. In another embodiment, a description is provided of a conjunctive clause of the filter using a non-algebraic language.
In still another embodiment, a description is provided of a disjunctive sub-clause of the first clause of the filter using a non-algebraic language. In yet another embodiment, a description is provided of a disjunctive sub-clause of the one or more disjunctive sub-clauses.
In one embodiment, a description is provided of a conjunctive sub-clause of the disjunctive sub-clause. In another embodiment, a description is provided of a disjunctive sub-clause of the conjunctive clause. In still another embodiment, a description is provided of a conjunctive clause of the filter.
In one embodiment, a graphical user interface element is generated for each conjunctive clause in the plurality of conjunctive clauses, the generated graphical user interface element displaying a description of the conjunctive clause. In another embodiment, a description is provided of a second filter as a disjunctive sub-clause of the first clause of the filter. In still another embodiment, a description is provided of a second filter as a disjunctive sub-clause of the conjunctive clause of the filter.
A filter is generated responsive to the contents of the first graphical user interface element and the second graphical user interface element (step 406). In some embodiments, only a first clause is provided and the filter is generated using the first clause. In one embodiment, the filter is described using a non-algebraic language. In some embodiments, the filter is stored. In one of these embodiments, the filter is stored in memory. In another of these embodiments, the filter is stored in a database. In still another of these embodiments, the filter is stored on a server 106. In other embodiments, a policy engine, such as the policy engine described above in connection with FIG. 2A and FIG. 2B, stores the filter. In one of these embodiments, the policy engine resides on a server 106.
In one embodiment, a clause in the filter is modified by using at least a third graphical user interface element to modify a description of the modified clause. In another embodiment, the modification to the clause in the filter includes converting a conjunctive clause of the clause to a disjunctive clause. In still another embodiment, the modification to the clause in the filter includes an addition of a description of the modified clause into the first graphical user interface element and deleting the description of the modified clause from the second graphical user interface element. In still another embodiment, the modification to the clause in the filter includes converting a disjunctive clause of the first clause to a conjunctive clause. In yet another embodiment, the modification to the clause in the filter includes generating a new graphical user interface element, adding the description of the modified clause into the generated graphical user interface element and deleting the description of the modified clause from the first graphical user interface element.
In some embodiments, an access control list is generated using the filter 350. In one of these embodiments, an administrator specifies the access control list. In another of these embodiments, a policy engine generates the access control list. In other embodiments, a policy engine uses a filter in determining whether or not to allow a user of a client device to access a resource. In still other embodiments, a policy engine uses a filter in selecting a method for execution of a resource when allowing a user of a client device to access a resource.
In some embodiments, a server 106 receives a request for access to a resource, such as execution of an application program, from a client device. In one of these embodiments, the requested resource is a file. In another of these embodiments, the requested resource is an application program. In still another of these embodiments, the requested resource is a computing environment. In still even another of these embodiments, the computing environment is a desktop environment from which the client device may execute application programs. In yet another of these embodiments, the computing environment provides access to one or more application programs.
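The clause structure described in connection with FIG. 4 (a filter as the conjunction of its clauses, one per graphical user interface element, each clause the disjunction of its sub-clauses, and a sub-clause being either a condition or another named filter) can be modelled directly. The following is an added example, not code from the patent; the client attribute names ("os", "ip", "antivirus"), the comparison names ("is", "is-a", "in") and the sample filters and clients are constructed for illustration. It also shows the two clause modifications of the text, converting a conjunctive clause into disjunctive sub-clauses and back, as operations on the same structure.

```python
"""Filter model for the clauses described in connection with FIGs. 3-4.

A filter is the conjunction of its clauses (one clause per graphical user
interface element); each clause is the disjunction of its sub-clauses; and a
sub-clause is either a single condition (parameter, comparison, value) or
another named filter.  Added example, not code from the patent; the client
attribute names ("os", "ip", "antivirus") and the comparison names are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Union

Client = Dict[str, str]   # attributes reported by or collected about the requesting client


@dataclass(frozen=True)
class Condition:
    parameter: str        # e.g. "os", "ip", "antivirus"
    comparison: str       # "is" (equal), "is-a" (name includes value), "in" (address range)
    value: str

    def matches(self, client: Client) -> bool:
        actual = client.get(self.parameter)
        if actual is None:   # an attribute the client never reported cannot satisfy a condition
            return False
        if self.comparison == "is":
            return actual == self.value
        if self.comparison == "is-a":
            return self.value in actual
        if self.comparison == "in":
            return ip_address(actual) in ip_network(self.value, strict=False)
        raise ValueError(f"unknown comparison {self.comparison!r}")

    def describe(self) -> str:
        return f"{self.parameter} {self.comparison} {self.value}"


SubClause = Union[Condition, "Filter"]


@dataclass
class Filter:
    name: str
    clauses: List[List[SubClause]] = field(default_factory=list)  # AND across clauses, OR within one

    def matches(self, client: Client) -> bool:
        # A filter with no clauses (the "true" filter of FIG. 5B) is satisfied by every client.
        return all(any(sub.matches(client) for sub in clause) for clause in self.clauses)

    def describe(self) -> str:
        """Render the filter in the non-algebraic form the GUI elements display."""
        if not self.clauses:
            return f"{self.name}: always"
        rendered = []
        for clause in self.clauses:
            rendered.append(" or ".join(
                f"filter '{s.name}'" if isinstance(s, Filter) else s.describe() for s in clause))
        return f"{self.name}: " + " and ".join(f"({c})" for c in rendered)

    def merge_into(self, target: int, source: int) -> None:
        """Turn the conjunctive clause `source` into disjunctive sub-clauses of clause `target`
        (its description moves from the second GUI element into the first)."""
        if target == source:
            raise ValueError("a clause cannot be merged into itself")
        self.clauses[target].extend(self.clauses[source])
        del self.clauses[source]

    def split_out(self, clause: int, sub: int) -> None:
        """Turn one disjunctive sub-clause into a conjunctive clause of its own
        (a new GUI element receives the description, the old one loses it)."""
        moved = self.clauses[clause].pop(sub)
        if not self.clauses[clause]:
            del self.clauses[clause]
        self.clauses.append([moved])


# Constructed filters: a nested filter used as a sub-clause, and a "Remote User" filter
# like the one named in the rule example of FIG. 5A.
PROTECTED = Filter("Protected client", [[Condition("antivirus", "is", "running")]])
REMOTE_USER = Filter("Remote User", [
    [Condition("os", "is-a", "WINDOWS"), Condition("os", "is", "Mac OS X")],  # first element
    [Condition("ip", "in", "203.0.113.0/24"), PROTECTED],                      # second element
])

# Constructed sample clients (documentation address ranges only).
SAMPLE_CLIENTS: Dict[str, Client] = {
    "xp-from-vpn": {"os": "WINDOWS XP", "ip": "203.0.113.7"},
    "linux-from-vpn": {"os": "Linux", "ip": "203.0.113.8", "antivirus": "running"},
    "win7-unprotected": {"os": "WINDOWS 7", "ip": "198.51.100.9"},
    "win7-protected": {"os": "WINDOWS 7", "ip": "198.51.100.9", "antivirus": "running"},
}


def evaluate(flt: Filter, clients: Dict[str, Client]) -> Dict[str, bool]:
    """Apply one filter to every sample client, as a policy engine would when deciding access."""
    return {name: flt.matches(client) for name, client in clients.items()}


if __name__ == "__main__":
    print(REMOTE_USER.describe())
    for name, ok in evaluate(REMOTE_USER, SAMPLE_CLIENTS).items():
        print(f"{name:18} {'satisfies' if ok else 'fails'}")
```

Two design points worth noting: a missing client attribute never satisfies a condition, so a client that omits (or cannot report) its anti-virus status fails closed rather than open; and the empty filter evaluates to true, which is exactly the "true" filter the later rule examples rely on, so a rule that references it should always sit at a low priority.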
Referring now to FIG. 5A, a system for access routing and resource mapping using filters includes a rule 510, a policy engine 550, and a server 106. In brief overview, the rule 510 has a first rule priority level 512 and includes i) an identification 514 of a filter identifying at least one pre-requisite to accessing a resource 560, ii) an identification 516 of at least one method for providing access to a resource, and iii) an identification 518 of a server 106 in a plurality of servers. The policy engine 550 includes a rule identification component 552 and a policy application component 554. The rule identification component 552 includes means for identifying the rule 510. The policy application component 554 includes means for applying the filter to a client request for access to the resource, means for determining that the client satisfies the at least one pre-requisite, responsive to applying the filter, and means for determining whether to provide access to the resource to the client by the server in the plurality of servers according to the at least one method for providing access to the resource. The server 106 in the plurality of servers provides access to the resource 460 according to the at least one method for providing access.
In one embodiment, a filter 350 is generated as described above in connection with FIGs. 3-4. In another embodiment, the filter 350 is stored and applied to decisions regarding whether or not to grant access to a requested resource. In some embodiments, the filter 350 is used to define a resource mapping policy, which specifies whether and how a user of a client device may access a resource, and which server will provide access to the resource. In one of these embodiments, resources in a list of published resources represent all resources available to a user of a client, from the client's perspective. For example, the list of published resources may contain a single 'Notepad' resource, although there may be a number of mechanisms available to provide the resource to the client: several copies of Notepad may reside on different resource providers, or one or more resource providers may be able to provide access to the resource using different mechanisms, including but not limited to downloading the resource to the client, or executing the resource remotely and transmitting application-output data to the client. A resource mapping policy specifies which resource to use, from which resource provider, and via which execution method.
Referring now to FIG. 5A, and in greater detail, the rule 510 has a first rule priority level 512 and includes i) an identification 514 of a filter identifying at least one pre-requisite to accessing a resource 560, ii) an identification 516 of at least one method for providing access to a resource, and iii) an identification 518 of a server 106 in a plurality of servers. In one embodiment, a plurality of rules forms a resource mapping policy. In another embodiment, the first rule priority level 512 is a numeric priority level. In still another embodiment, a policy engine 550 consults a rule to determine whether to grant access to a requested resource. In yet another embodiment, the policy engine 550 selects a rule to consult based on the first rule priority level 512.
In some embodiments, the identification 514 identifies a stored filter. In other embodiments, the identification 514 specifies a condition to be satisfied by a client requesting access to a resource. In one of these embodiments, the identified filter identifies a pre-requisite specifying a network address range required for access to the resource. In another of these embodiments, the identified filter identifies a pre-requisite specifying an operating system type required for access to the resource. In still another of these embodiments, the identified filter identifies a pre-requisite specifying an application type required for access to the resource. In yet another of these embodiments, the identified filter identifies a pre-requisite specifying a characteristic of the client device requesting access to the resource, such as an application to be installed on the client device or a hardware resource available to the client device. In still other embodiments, the identified filter specifies a condition. In one of these embodiments, if the condition is true for the client device, the client satisfies the identified filter. In another of these embodiments, if the condition is false for the client device, the client satisfies the identified filter.
In one embodiment, the identification 516 identifies a method for providing access to the resource 560 by streaming the resource to the client. In another embodiment, the identification 516 identifies a method for providing access to the resource 560 by executing the resource on a server 106 in a plurality of servers, such as a server in a server farm, and transmitting application-output data to the client using a presentation layer protocol. In still another embodiment, the identification 516 identifies a method for providing access to the resource 560 by executing the resource on a virtual machine executing on a server in the plurality of servers and transmitting application-output data to the client using a presentation layer protocol. In yet another embodiment, the identification 516 identifies a method for providing access to the resource 560 by transmitting the resource to the client requesting access.
In one embodiment, the identification 518 identifies a server 106 that provides access to the resource 560 by transmitting the resource 560 to the requesting client. In another embodiment, the identification 518 identifies a server 106 that provides access to the resource 560 by executing the resource 560 and transmitting application-output data to the client using a presentation layer protocol. In still another embodiment, the identification 518 specifies a plurality of servers, one of which may be selected to provide access to the requested resource.
In one embodiment, the rule 510 indicates that a specific resource provider and specific mechanism should be used to service a request. In another embodiment, the resource provider is a server 106. In another embodiment, the mechanism for servicing the request identifies a method for downloading a first portion of the requested resource to the client device, executing the first portion of the requested resource, and downloading a second portion of the requested resource to the client device, referred to, in some embodiments, as streaming the resource to the client device. In still another embodiment, the mechanism for servicing the request identifies a method for downloading the requested resource to the client device. In still even another embodiment, the mechanism for servicing the request identifies a method for executing the requested resource on a server and transmitting application-output data to the client device. In yet another embodiment, and for example, a rule 510 specifies:
Priority 90 Filter 'Remote User' Provide access to all resources using ICA and the 'EMEA' farm.
In this embodiment, the first rule priority level is 90, the identification 514 identifies a named filter stored as "remote user," and the identification 516 specifies that for this user, access should be provided to all resources by executing the requested resource on a machine in the "EMEA" farm and the application-output data generated by the executing resource should be transmitted to the client device using a presentation layer protocol such as the Independent Computing Architecture (ICA) protocol.
In one embodiment, when a request is received for access to a resource, resource mapping policy rules are consulted in order from highest priority through lowest. In another embodiment, a policy engine 550 includes means for identifying a second rule having a lower rule priority level than the first rule priority level 512, the second rule associated with a second method for providing access to the resource 560 and a second server 106b in the plurality of servers. In still another embodiment, if a user or the user's client device does not satisfy the requirements of the specified filter, the policy engine 550 identifies the second rule. In still even another embodiment, if the requested resource is not provided on the specified resource provider, using the specified mechanism, the policy engine 550 identifies the second rule. In yet another embodiment, if the client device is unable to support the use of the specified mechanism, or the resource provider is overloaded or has failed, the policy engine 550 identifies the second rule.
In one embodiment, a policy engine 550 determines that a user and the user's client device satisfy the requirements of the identified filter specified in the rule 510. In another embodiment, the policy engine 550 selects the resource provider and the mechanism identified in the rule 510 to provide the user with access to the resource. In still another embodiment, the policy engine 550 stops processing rules once a rule is identified that the client satisfies. In yet another embodiment, if there is a failure during execution of the requested resources, the policy engine identifies a second rule and begins processing rules to identify a rule satisfied by the client.
In one embodiment, the policy engine 550 includes means for determining whether to provide access to the resource 560 to the client by the second server 106b in the plurality of servers according to the second method for providing access to the resource 560. In another embodiment, the second server 106b in the plurality of servers provides access to the resource 560 according to the second method for providing access.
In still another embodiment, the second server 106b in the plurality of servers provides access to the resource 560 according to the first method for providing access.
In one embodiment, the policy engine 550 includes means for identifying a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second filter, a second method for providing access to the resource, and a second server in the plurality of servers. In another embodiment, the policy engine 550 includes means for determining that the client satisfies at least one pre-requisite associated with the second filter, responsive to an application of the second filter. In still another embodiment, the policy engine 550 includes means for determining whether to provide access to the resource to the client by the second server in the plurality of servers according to the second method for providing access to the resource. In yet another embodiment, the second server in the plurality of servers provides access to the resource according to the second method for providing access.
Referring now to FIG. 5B, a screen shot depicts one embodiment of a subset of rules in a resource mapping policy. FIG. 5B depicts three rules 510, 510', and 510". Rule 510 has a priority level of 80, identifies a named filter "true", identifies a resource provider "RedWing" and an access method that specifies the use of the ICA presentation layer protocol. Rule 510' has a priority level of 90, identifies a named filter "Users in USA", identifies a plurality of resource providers (servers in the "USFarm" server farm) and an access method that specifies the use of the RDP presentation layer protocol. Rule 510" has a priority level of 50, identifies a named filter "true", identifies a plurality of resource providers (servers in the "USFarm" server farm) and an access method that specifies the use of the RDP presentation layer protocol. In this embodiment, the filter "true" identifies a filter trivially matched by all clients.
In one embodiment, the policy engine 550 determines that the user requesting access to the requested resource (notepad) satisfies the requirements of the "Users in USA" filter in the rule 510', which has the highest priority level, and the policy engine 550 identifies a server in the "USFarm" server farm able to provide access to the notepad resource using the RDP presentation layer protocol. In another embodiment, the policy engine 550 determines that the user, or the user's client device, does not satisfy the requirements of the filter, or that the resource providers (servers in the server farm "USFarm") are unable to provide access to the notepad resource using the RDP presentation layer protocol. In still another embodiment, the policy engine determines that the user and the user's client device satisfy the requirements of the filter named "true" and the policy engine identifies a server "RedWing" to provide access to the notepad resource using the ICA presentation layer protocol. In still even another embodiment, the policy engine 550 determines that the resource provider (the "RedWing" server) is unable to provide access to the notepad resource using the ICA presentation layer protocol. In yet another embodiment, the policy engine 550 determines that the user and the user's client device satisfy the requirements of the filter named "true" and the policy engine 550 identifies a server in the "USFarm" server farm to provide access to the notepad resource using the RDP presentation layer protocol.
In one embodiment, a subset of rules which may apply to a user or the user's client device is displayed to an administrator. In another embodiment, a subset of rules in a resource mapping policy which identify a particular resource provider is displayed. In still another embodiment, a subset of rules in a resource mapping policy which identify a particular mechanism for providing access to the resource is displayed.
Referring now to FIG. 6, a method for access routing and resource mapping using filters includes the step of receiving a request from a client for access to a resource (step 602). A rule is identified, the rule having a rule priority level and associated with: i) a filter, ii) at least one method for providing access to the resource, and iii) a server in a plurality of servers (step 604). The filter is applied, the filter identifying at least one pre-requisite to accessing the resource (step 606). A determination is made that the client satisfies the at least one pre-requisite, responsive to applying the filter (step 608). A determination is made regarding whether to provide access to the resource to the client by the server in the plurality of servers according to the at least one method for providing access to the resource (step 610). The server in the plurality of servers provides access to the resource for the client according to the at least one method for providing access to the resource (step 612).
Referring now to FIG. 6, and in greater detail, a request is received from a client for access to a resource (step 602). In one embodiment, a client 102 transmits the request 500 to a server 106a, requesting access to a resource 560 provided by a server 106b. In another embodiment, the policy engine 550 receives the request. In still another embodiment, a server 106a forwards the request to the policy engine 550.
A rule is identified, the rule having a rule priority level and associated with: i) a filter, ii) at least one method for providing access to the resource, and iii) a server in a plurality of servers (step 604). In one embodiment, the rule 510 is associated with a method for providing access to the resource by streaming the resource to the client. In another embodiment, the rule 510 is associated with a method for providing access to the resource by transmitting application-output data to the client using a presentation layer protocol. In still another embodiment, the rule 510 is associated with a method for providing access to the resource by executing the resource on a virtual machine executing on the server in the plurality of servers and transmitting application-output data to the client from the virtual machine using a presentation layer protocol. In yet another embodiment, the rule 510 is associated with a method for transmitting the resource to the client.
The filter is applied, the filter identifying at least one pre-requisite to accessing the resource (step 606). In one embodiment, the filter is applied to the client. In another embodiment, the filter is applied to a user of the client. In still another embodiment, the filter is applied to information associated with the client or with the user of the client device. In yet another embodiment, the policy engine 550 applies the filter to determine whether and how to grant access to the requested resource.
A determination is made that the client satisfies the at least one pre-requisite, responsive to applying the filter (step 608). In some embodiments, the policy engine 550 determines that the client satisfies the at least one prerequisite. In one of these embodiments, the policy engine 550 determines that the client executes a specified anti-virus program. In another of these embodiments, the policy engine 550 determines that the client is associated with a network address in a specified range of network addresses.
In still another of these embodiments, the policy engine 550 determines that the client executes a specified operating system program.
A determination is made regarding whether to provide access to the resource to the client by the server in the plurality of servers according to the at least one method for providing access to the resource (step 610). In one embodiment, the policy engine 550 determines that the user and the user's client device satisfy the requirements specified by the identified filter. In another embodiment, the policy engine 550 identifies the server 106 and the at least one method for providing access to the resource and grants the user access to the resource via the at least one method for providing, by the server 106, the resource.
The server in the plurality of servers provides access to the resource for the client according to the at least one method for providing access to the resource (step 612). In one embodiment, the server 105 is a resource provider selected to provide access to the resource for the client. In another embodiment, the policy engine 550 selects the server 106 responsive to applying a filter to the client and the server. In still another embodiment, the policy engine 550 selects the server to provide the access according to a rule having a priority level.
In some embodiments, a first rule is identified and a determination is made as to whether the client satisfies the associated policy and as to whether the identified server is able to provide the client with access to the requested resource according to the specified method. In one of these embodiments, if the client does not satisfy the policy, a different rule is identified, the second rule associated with a second policy and specifying the same server and the same method. In another of these embodiments, if the client does not satisfy the policy, a different rule is identified, the second rule associated with a second policy and specifying a different server or method. In still another of these embodiments, if the client satisfies the policy, but is unable to access the resource according to the specified method, a different rule is identified, the second rule associated with a different method and the same policy and the same server. In yet another of these embodiments, if the client satisfies the policy, but is unable to access the resource according to the specified method, a different rule is identified, the second rule associated with a different method and a different policy or server.
In one embodiment, an identification is made of a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second method for providing access to the resource and associated with a second server in the plurality of servers. In some embodiments, a determination is made that the client fails to satisfy the at least one pre-requisite, responsive to applying the filter to information associated with at least one of the client and the user of the client. In other embodiments, a determination is made that the client is unable to use the at least one method for providing access specified by the rule. In one of these embodiments, the client satisfies the policy associated with the resource but lacks a requirement necessary for using the method specified by the rule. In still other embodiments, a determination is made that the server in the plurality of servers identified by the rule is unable to provide the resource to the client via the at least one method for providing access. In one of these embodiments, the server lacks the resource. In another of these embodiments, the server is overloaded or unavailable. In still another of these embodiments, the server lacks the ability to provide access via the specified method.
In one embodiment, an identification is made of a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second server in the plurality of servers and with the at least one method specified by the first rule having the first rule priority level. In another embodiment, an identification is made of a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second method for providing access to the resource and associated with the first server in the plurality of servers.
In some embodiments, a determination is made as to whether to provide access to the resource to the client by the second server in the plurality of servers according to the second method for providing access to the resource. In one of these embodiments, the second server in the plurality of servers provides access to the resource according to the second method for providing access. In another of these embodiments, a second filter is applied. In other embodiments, a determination is made as to whether to provide access to the resource to the client by the second server in the plurality of servers according to the at least one method for providing access to the resource. In one of these embodiments, the at least one method is the method specified by the first rule having the first rule priority level. In another of these embodiments, the second server in the plurality of servers provides access to the resource according to the at least one method for providing access.
In some embodiments, an identification is made of a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second filter, a second method for providing access to the resource, and a second server in the plurality of servers. In one of these embodiments, a determination is made that the client fails to satisfy the at least one pre-requisite, responsive to applying the filter. In another of these embodiments, a determination is made that the client is unable to use the method for providing access specified by the rule. In still another of these embodiments, a determination is made that the server in the plurality of servers identified by the rule is unable to provide the resource to the client via the first method for providing access.
In other embodiments, an identification is made of a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second filter, the at least one method for providing access to the resource and a second server in the plurality of servers.
In still other embodiments, an identification is made of a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second filter, a second method for providing access to the resource and the server in the plurality of servers. In one of these embodiments, a determination is made that the client satisfies at least one pre-requisite associated with the second filter, responsive to an application of the second filter. In another of these embodiments, a determination is made as to whether to provide access to the resource to the client by the second server in the plurality of servers according to the second method for providing access to the resource. In still another of these embodiments, a determination is made that the client is able to use the second method for providing access specified by the second rule. In still even another of these embodiments, a determination is made that the second server in the plurality of servers identified by the rule is able to provide the resource to the client via the at least one method for providing access. In yet another of these embodiments, the second server in the plurality of servers provides access to the resource according to the second method for providing access.
In one embodiment, a determination is made as to whether to provide access to the resource to the client by the server in the plurality of servers according to a second method for providing access to the resource. In another embodiment, a determination is made as to whether the client satisfies a policy associated with a rule identifying the server and the second method. In still another embodiment, a determination is made as to whether to provide access to the resource to the client by a second server in the plurality of servers according to the at least one method for providing access to the resource. In still even another embodiment, a determination is made as to whether the client satisfies a policy associated with a rule identifying the second server and the first method. In yet another embodiment, a determination is made as to whether to provide access to the resource to the client by a second server in the plurality of servers according to a second method for providing access to the resource.
In some embodiments, the policy engine 550 identifies a rule applicable to a client request for access to a resource. In another embodiment, the policy engine 550 determines whether the client satisfies a policy associated with the rule. In still another embodiment, the policy engine 550 determines whether the client is able to access the resource according to the specified method for accessing the resource. In yet another embodiment, the policy engine 550 determines whether the identified resource provider is able to provide the requested resource according to the specified method for providing access. In other embodiments, the policy engine 550 continues to identify rules and apply the associated rules to the client until a rule is found that is associated with a policy the client satisfies and that identifies a server capable of providing the client with access to the requested resource according to a specified method.
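The rule selection described in connection with FIGs. 5A through 6 (consult rules from highest to lowest priority; use a rule only when the client satisfies its filter, the client can use the access method, and the named provider can serve the resource that way; otherwise fall through to the next rule) is shown below as an added example, not code from the patent. It encodes the three rules of FIG. 5B by name; the client attributes, the provider capability table and the decision to deny access when no rule applies are constructed assumptions, as the page does not state what happens when the rules are exhausted. Each decision carries a trace of the rules considered and why each was skipped, which is the information an administrator would want when reviewing a routing decision.

```python
"""Resource-mapping rule evaluation modelled on FIGs. 5A-6 of the patent.

Added example, not code from the patent.  Filters are referenced by name (in the
patent they are built in the GUI of FIGs. 3-4); the providers, the client
attributes and the deny-by-default outcome are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Client:
    user: str
    country: str
    supports: FrozenSet[str]          # presentation-layer protocols the client software can use


@dataclass(frozen=True)
class Rule:
    priority: int                     # rule priority level (512)
    filter_name: str                  # identification of a filter (514)
    provider: str                     # identification of a server or farm (518)
    method: str                       # identification of an access method (516)


@dataclass
class Provider:
    name: str
    offers: Dict[str, FrozenSet[str]]  # resource name -> methods this provider can serve it with
    available: bool = True


@dataclass
class Decision:
    rule: Optional[Rule]              # the rule actually used, or None when access is denied
    trace: List[str] = field(default_factory=list)


# Filters referenced by name from the rules (constructed predicates).
FILTERS: Dict[str, Callable[[Client], bool]] = {
    "true": lambda c: True,                       # trivially matched by all clients
    "Users in USA": lambda c: c.country == "US",
}

# The three rules of FIG. 5B, in the order the screen shot lists them.
RULES = [
    Rule(80, "true", "RedWing", "ICA"),
    Rule(90, "Users in USA", "USFarm", "RDP"),
    Rule(50, "true", "USFarm", "RDP"),
]


def make_providers(redwing_up: bool = True, usfarm_up: bool = True) -> Dict[str, Provider]:
    """Constructed capability table: which resources each provider can serve and how."""
    return {
        "RedWing": Provider("RedWing", {"notepad": frozenset({"ICA"})}, redwing_up),
        "USFarm": Provider("USFarm", {"notepad": frozenset({"RDP"}),
                                      "wordpad": frozenset({"RDP", "ICA"})}, usfarm_up),
    }


def route(client: Client, resource: str, rules: List[Rule],
          providers: Dict[str, Provider],
          filters: Dict[str, Callable[[Client], bool]] = FILTERS) -> Decision:
    """Consult rules from highest to lowest priority and return the first usable one."""
    decision = Decision(None)
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        tag = f"rule {rule.priority} ({rule.filter_name} -> {rule.provider}/{rule.method})"
        if not filters[rule.filter_name](client):
            decision.trace.append(f"{tag}: client does not satisfy filter")
            continue
        if rule.method not in client.supports:
            decision.trace.append(f"{tag}: client cannot use {rule.method}")
            continue
        provider = providers.get(rule.provider)
        if provider is None or not provider.available:
            decision.trace.append(f"{tag}: provider unavailable")
            continue
        if rule.method not in provider.offers.get(resource, frozenset()):
            decision.trace.append(f"{tag}: provider cannot serve {resource} via {rule.method}")
            continue
        decision.trace.append(f"{tag}: selected")
        decision.rule = rule
        return decision
    # Assumption for this example: exhausting the rules denies access rather than picking a default.
    decision.trace.append("no rule satisfied: access denied")
    return decision


# Constructed sample clients.
US_USER = Client("alice", "US", frozenset({"ICA", "RDP"}))
UK_USER = Client("bob", "UK", frozenset({"ICA", "RDP"}))
US_ICA_ONLY = Client("carol", "US", frozenset({"ICA"}))


if __name__ == "__main__":
    scenarios = [
        ("US user, all providers up", US_USER, make_providers()),
        ("UK user, all providers up", UK_USER, make_providers()),
        ("UK user, RedWing down", UK_USER, make_providers(redwing_up=False)),
        ("US client that only speaks ICA", US_ICA_ONLY, make_providers()),
    ]
    for title, client, providers in scenarios:
        d = route(client, "notepad", RULES, providers)
        print(title, "->", "denied" if d.rule is None else f"{d.rule.provider}/{d.rule.method}")
        for line in d.trace:
            print("   ", line)
```

The scenarios in the usage block follow the walk-through of FIG. 5B: a user who satisfies "Users in USA" is routed by the priority 90 rule; a user who does not falls to the priority 80 rule and RedWing; and when RedWing is unavailable as well, the priority 50 rule routes the request back to USFarm. Note that both "true" rules sit below the more specific rule, so the general catch-all never pre-empts the filtered one.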
Referring now to FIG. 7A, a block diagram depicts one embodiment of a system for interactive policy evaluation using resultant sets of policies. In brief overview, a graphical user interface 700 receives a description 710 and displays a description 715, an interactive element 720 and a second interface element 730. The interactive element 720 displays a description of a policy 725 and the second element 730 displays a description of a decision 735. In some embodiments, the system includes a policy simulation engine 702 and at least one stored policy 704.
In one embodiment, the graphical user interface 700 provides an interactive tool allowing a user - such as an administrator defining and managing policies - to specify the details of a request for access to a resource and to view the applicable policies and the resulting permissions and settings. In another embodiment, the graphical user interface 300 receives, from a user of the graphical user interface, the description 710, which includes at least one of a description of a user, a description of a resource, and a description of a method of accessing a resource. In still another embodiment, the graphical user interface 700 displays a user interface element displaying policies applicable to any set of circumstances the user specifies, including theoretical circumstances. In yet another embodiment, the interactive tool simulates policy application to display, in the graphical user interface 700, an outcome of applying a policy to a set of characteristics associated with a user, a resource, or the user's request to access the resource. In some embodiments, the tool displays policies applied to previous requests. In one of these embodiments, the tool may use a session identifier to retrieve details associated with a previous request for access. In other embodiments, the interactive tool is a policy simulation engine 702.
Referring still to FIG. 7A, and in greater detail, a graphical user interface receives a description 710. The graphical user interface 700 receives, at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client. In one embodiment, the graphical user interface 700 includes a text box element displaying the received description of the client requesting access to the resource. In another embodiment, the graphical user interface 700 includes a text box element displaying the received description of the resource. In still another embodiment, the graphical user interface 700 includes a text box element displaying the received description of the method of access requested by the client.
In some embodiments, the graphical user interface 700 includes a user interface element for entering the description of the client. In one of these embodiments, the user interface element is a text box. In another of these embodiments, the user interface element is a drop-down menu. In still another of these embodiments, the user interface element is a graphical depiction of a directory structure. In other embodiments, the description of the client includes, but is not limited to, at least one of user identity, client IP address, virus checker status, and time of day.
In some embodiments, the graphical user interface 700 includes a user interface element for entering the description of the resource. In one of these embodiments, the user interface element is a text box. In another of these embodiments, the user interface element is a drop-down menu. In still another of these embodiments, the user interface element is a graphical depiction of a directory structure. In still even another of these embodiments, the user interface element is an element enumerating available resources.
In yet another of these embodiments, the user interface element is an element enumerating Uniform Resource Locators associated with available resources. In other embodiments, the description of the resource includes, but is not limited to, at least one of an identifier for the resource (e.g., a URI), a property of the resource (such as the file type or version), and an operating system executing on a machine providing access to the resource.
In some embodiments, the graphical user interface 700 includes a user interface element for entering the description of the method of access. In one of these embodiments, the user interface element is a text box. In another of these embodiments, the user interface element is a drop-down menu. In still another of these embodiments, the user interface element is an element enumerating available methods of access. In one embodiment, the interactive element 720 displays at least one policy applicable to the client request responsive to the received description. In other embodiments, the description of the method of access includes, but is not limited to, at least one of a type of access (download, view remotely, application streaming), a protocol (e.g., ICA, RDP, X11, VNC, etc.), and a software application executing on the client (e.g., an ICA client, an RDP client, an X11 client, a VNC client, etc.).
In some embodiments, the graphical user interface 700 displays the description 715, generated responsive to the received description 710. In one of these embodiments, the description 715 is the description 710. In another of these embodiments, the description 715 includes information in addition to the description 710. For example, in still another of these embodiments, the description 710 describes a user and the description 715 describes the user and a default method of accessing resources.
In some embodiments, the system includes a policy simulation engine 702. In one of these embodiments, the policy simulation engine 702 is a policy engine as described above in connection with FIGs. 2A-2B. In another of these embodiments, the policy simulation engine 702 replaces the policy engine 220. In still another of these embodiments, the system includes both a policy engine - which may be the policy engine 220 or a different policy engine - and the policy simulation engine 702.
In some embodiments, filters are used in conjunction with the policy simulation engine 702. In other embodiments, filters are used within policies, including, but not limited to, access control policies, auditing policies, network routing policies, load balancing policies, policies relating to error reporting, and failure handling policies. In still other embodiments, policy engines other than those described above in connection with FIGs. 2A-2B use filters to evaluate an action to take with respect to a particular user or resource. In one of these embodiments, the policy engine is not an active policy engine; for example, a policy engine may operate in a system for interactive policy evaluation without providing decisions for active sessions, while a second policy engine makes decisions.
In some embodiments, a filter is used to describe at least one characteristic for evaluation when applying a policy. In one of these embodiments, the at least one characteristic is associated with a resource. In another of these embodiments, the at least one characteristic is associated with a user. In still another of these embodiments, the at least one characteristic is associated with a combination of users or resources. In yet another of these embodiments, the at least one characteristic is evaluated to make a policy decision, such as an access control decision. In other embodiments, filters are used to determine whether at least one entity matches at least one specified condition.
In some embodiments, the policy simulation engine 702 accesses at least one stored policy 704. In other embodiments, a policy includes, or is defined by, one or more filters. In still other embodiments, a policy includes, or is defined by, one or more access control lists. In still even other embodiments, a stored policy 704 is a stored list of filters.
In yet other embodiments, the stored policy 704 includes a plurality of files.
In one of these embodiments, a file in a file server environment has an access control list associated with the file but neither the file nor the access control list is separately stored.
In one embodiment, an access control list maps at least one filter to an allowed or denied permission setting included in the access control list. In another embodiment, a filter is a simple or compound condition that may or may not be met by a client requesting access to a resource. In still another embodiment, simple conditions include group membership, role membership, IP range membership, and a characteristic of a client device requesting access to a resource, such as whether the client device executes a particular application or has access to a particular hardware resource. In yet another embodiment, compound conditions are combinations of simple conditions that may be defined using a filter editor.
In one embodiment, a filter describes at least one characteristic of a resource. In another embodiment, a filter may specify a group of resources to which a particular resource should belong to satisfy the filter, such as, for example, specifying a particular named group of resources (such as "office applications"), specifying an operating system from which the resource is accessed (the WINDOWS VISTA operating system), and specifying a display capability supported by a system from which the resource is accessed. In still another embodiment, and for example, a filter may include a "leaf" condition specifying at least one of the following: a group of resources to which the resource should belong, a sub-directory which should enumerate the resource, an operating system capable of supporting the resource, a computing capability provided by a system from which the resource is accessed (such as a display capability or computing functionality), a required network characteristic (such as a per-application IP address), an environment in which the resource should execute (for example, an isolation environment), or a licensing requirement (for example, requiring a license for a specific user or for a specific type of request).
In one embodiment, a filter describes a characteristic associated with a combination of a user and a resource. In another embodiment, the filter may specify a first condition associated with a user and a second condition associated with a resource, and to satisfy the filter, the user and the resource must each satisfy the specified conditions. In still another embodiment, the filter specifies that a user be authorized to access a resource - for example, that the user own the resource, be licensed to use the resource, or have permission from an external policy system to access the resource. In yet another embodiment, for example, a filter specifies that a user satisfy a first filter and that the resource satisfy a second filter.
In one embodiment, a filter applies to a plurality of users. In another embodiment, a filter may specify a condition that a group of users involved in a collaborative application must all satisfy in order to satisfy the filter, for example, that all users belong to a particular group, or that at least one of the plurality of users has a particular role. In still another embodiment, a filter applies to a plurality of resources. In still even another embodiment, a filter applies to a plurality of users and to a resource. In still even another embodiment, a filter applies to a plurality of users and to a plurality of resources. In yet another embodiment, a filter applies to a plurality of resources and to a user.
In some embodiments, a filter is used in combination with a weight. In one of these embodiments, a weight is assigned to a condition and if the weight passes a threshold, the filter is satisfied. In other embodiments, weights are used in policies instead of filters. In still other embodiments, a policy specifies a requirement for a priority assigned to a particular resource or method of accessing the resource. In yet other embodiments, a policy is used in combination with a neural network.
In some embodiments, a filter defines a dynamic group. In one of these embodiments, the filter identifies a user belonging to the dynamic group. In another of these embodiments, the filter identifies a user excluded from the dynamic group. In still another of these embodiments, a member of the dynamic group satisfies a requirement specified by the filter. In some embodiments, the graphical user interface 700 provides an administrator with an improved method for generating filters and filter-based policies and simulating the result of applying the policy to a particular client or resource.
In one embodiment, the graphical user interface 700 allows an administrator to enter all details relating to a client, a resource, and an access method. In another embodiment, the graphical user interface 700 displays the access permissions and settings that result from simulating an application of a policy to the client, resource, or access method. In still another embodiment, only some details are entered, and the graphical user interface 700 lists the possible values for the other settings with the resulting access for each. For example, the graphical user interface 700 may allow the administrator to specify what type of access is required (access via presentation layer protocol connection to a server, access via downloading, access via application streaming, etc.) before displaying a description of whether access is allowed or denied and whether any alternatives are available.
In one embodiment, a server 106 displays the graphical user interface 700. In another embodiment, a client 102 displays the graphical user interface 700.
The graphical user interface 700 displays a plurality of interface elements providing a number of different views of actual or theoretical access requests and decisions.
Some or all of these interface elements may be optional, and some may not apply to certain access attempts. Each view may be presented as a window, tab, panel or other abstraction. Each view displays some details of the access attempt and may also allow modification of these details. In one embodiment, all views operate on the same underlying data, so that a change made by the administrator in one view leads to immediate changes to all other views. Although only certain views are described in connection with FIGs. 7A-7D, it should be understood that the system may provide multiple ones of any or each of those components and that other views representing different ways of viewing or manipulating the data displayed in the graphical user interface may be presented.
Referring now to FIG. 7B, a screen shot depicts one embodiment of a graphical user interface element for receiving and displaying a description of a client requesting access to a resource. FIG. 7B depicts the graphical user interface 700 and a description 715 generated from the received description 710. In the embodiment depicted by FIG. 7B, the graphical user interface 700 received a description of a client requesting access to the resource, the description including an identification of an operating system executing on a client, an identification of an anti-virus program executing on the client, a type of network to which the client connects, and an internet protocol address associated with the client.
In one embodiment, the description of the client includes information associated with a client - such as machine type, operating system version, software executing on the client, network configuration details, and information about a user of the client - and allows the administrator to enter or change the information. In another embodiment, the graphical user interface displays an interface element for loading the information from a file or saving the information to a file. In still another embodiment, the graphical user interface 700 displays a description generated from a list of applicable client data retrieved from a directory.
In some embodiments, the graphical user interface 700 includes an interface element for receiving and displaying a description of a client requesting access to a resource. In one of these embodiments, the interface element includes a text box, a drop-down menu, hyperlink, or a graphical depiction of a directory structure. For example, and as shown in FIG. 7B, the graphical user interface may include an interface element 705 into which a user, such as an administrator, can enter the description 710.
Referring now to FIG. 7C, a screen shot depicts one embodiment of a graphical user interface element for displaying a description of a resource requested by the client.
In one of these embodiments, the interface element may be a text box, an element enumerating available resources, an element enumerating Uniform Resource Locators associated with available resources, a drop-down menu, or a graphical depiction of a directory structure. In still other embodiments, the graphical user interface 700 includes an interface element for displaying a description of a method for accessing a requested resource. In one of these embodiments, the interface element may be a text box, an element enumerating available methods of access, or a drop-down menu.
In one embodiment, the graphical user interface 700 includes an interface element allowing a user to enter or modify a description of a resource. In another embodiment, the graphical user interface 700 may display an enumeration of resources retrieved from a resource directory. In still another embodiment, the description of the resource is an identifier of the resource, such as a uniform resource identifier. In still even another embodiment, the graphical user interface 700 includes an interface element allowing a user to enter or modify a description of a policy. In yet another embodiment, the graphical user interface 700 includes an interface element allowing a user to enter or modify a description of a filter.
Referring now to FIG. 7D, a screen shot depicts one embodiment of a graphical user interface element for displaying a description of a method of access requested by the client. The method of access indicates the type of access attempted by the client. In one embodiment, the description is of a method for retrieving a resource such as an application program. In another embodiment, the description is of a method for accessing a remotely-executing resource, for example, via a presentation layer protocol connection between the client and a machine remote to the client. In still another embodiment, the description is of a method for streaming the resource to the client from a machine remote to the client.
Referring back to FIG. 7A, the interactive element 720 displays a description of a policy 725 and the second element 730 displays a description of a decision 735. The interactive element 720 displays at least one policy applicable to the client request for access to the resource. In one embodiment, the interactive element 720 displays at least one policy applicable to the client request, the at least one policy identified responsive to the received description. In another embodiment, the interactive element 720 displays all the policies that have an effect on whether access is allowed or denied for the specified client/resource and access method described. In another embodiment, the interactive element 720 includes a user interface element for requesting an override of an aspect of the policy. In still another embodiment, the interactive element 720 includes a user interface element for viewing and modifying a filter, condition or sub-policy associated with the policy.
The second element 730 in the graphical user interface 700 displays a decision made by applying the at least one policy to the received description. In some embodiments, the second element 730 includes a user interface element displaying a decision made by applying a policy already in use by an administrator in determining access rights. In other embodiments, the second element 730 includes a user interface element displaying a second decision made by applying a second policy to a second received description. In still other embodiments, the interactive element 720 includes a user interface element for requesting an override of an aspect of the policy.
Referring now to FIG. 7E, a screen shot depicts one embodiment of a user interface element displaying a decision. FIG. 7E includes the graphical user interface 700, an interactive element 720 including a description of at least one policy 725, and a second element 730 including a description of a decision 735. In some embodiments, and as depicted in FIG. 7E, the graphical user interface 700 displays the interactive element 720 and the second element 730 in a first interface element and displays the description 715 in a second interface element. In other embodiments, the graphical user interface 700 displays the interactive element 720, the second element 730, and the description 715 in a single interface element. In still other embodiments, and as shown in FIG. 7E, the graphical user interface 700 displays the interactive element 720 and the second element 730 in a single interface element. Alternatively, as shown in FIG. 7A, the graphical user interface 700 may display the interactive element 720 and the second element 730 as separate interface elements.
In some embodiments, the description of the policy 725 includes an access control list. In one of these embodiments, for each entry in the access control list, the description of the policy 725 indicates whether the client satisfies the requirement in the access control list. In other embodiments, the description of the policy 725 includes a description of a level of auditing that would be applied if the policy 725 were applied to a request. In still other embodiments, the description of the policy 725 includes a description of a method of caching that would be applied if the policy 725 were applied to a request. In yet other embodiments, the description of the policy 725 includes a description of a method of load balancing that would be applied if the policy 725 were applied to a request.
In one embodiment, the description of the policy 725 lists all policies that have an effect on whether access is allowed or denied for the specified client, resource, or access method. In another embodiment, in which no access method is specified, the description of the policy 725 lists all policies that have an effect on any access method.
In still another embodiment, for each policy, the applicability to the client or resource is highlighted together with any intermediate results. Intermediate results display a summary of how the results from different applicable policies affect the final decision - for example, and as shown in FIG. 7E, a policy for trusted clients might allow a method of access but a policy for clients who are members of a particular group ("Sales" in FIG. 7E) might deny the same method and (in the example shown in FIG. 7E) this results in a summary indicating that combining those two policies would result in a denial of access for the specified client.
In some embodiments, the graphical user interface displays an interface element allowing a user to select some or all of the data used in the tool to be presented in report form. In one of these embodiments, the user can highlight data for inclusion in a standard multi-part report. In another of these embodiments, the user can install custom report templates for use in report generation. In still another of these embodiments, the user can request the output of all data into the report, including client and resource details, overrides, policies applied and resultant access, auditing, session and other settings.
Referring now to FIG. 8A, a flow diagram depicts one embodiment of the steps taken in a method for interactive policy evaluation using resultant sets of policies. In brief overview, a graphical user interface receives at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client (step 802). The graphical user interface displays at least one policy applicable to the received description (step 804). The graphical user interface displays a decision made by applying the at least one policy to the received description (step 806).
Referring still to FIG. 8A, and in greater detail, a graphical user interface receives at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client (step 802). In one embodiment, the graphical user interface displays a plurality of interactive elements, which form an interactive tool allowing an administrator to specify a circumstance (such as a scenario in which a user requests access to a resource) and to view which policies would be applied in the circumstance and the permissions that result from applying the policies to the circumstance. In another embodiment, the administrator may also use the interactive tool to view the policies that would be applied under theoretical circumstances. For example, an administrator may specify a type of client request for a type of access to determine whether a client or user will be impacted by a policy change, or to determine what access rights a user needs in order to access a particular resource. In still another embodiment, the user of the graphical user interface 700 enters data associated with either a client requesting access to a resource or associated with the requested resource or associated with a policy applicable to the client requesting access.
In some embodiments, the user provides data directly to the graphical user interface 700.
In other embodiments, the user provides data to the policy simulation engine 702.
In one embodiment, the graphical user interface 700 receives, in the description of the client, a user identifier. In another embodiment, the graphical user interface 700 receives, in the description of the client, a client internet protocol (IP) address. In still another embodiment, the graphical user interface 700 receives an identification of a virus-checking program on the client. In yet another embodiment, the graphical user interface 700 receives, in the description of the client, a time of day.
In one embodiment, the graphical user interface 700 receives, in the description of the resource, an identifier of the resource. In another embodiment, the graphical user interface 700 receives, in the description of the resource, an identification of a property of the resource. In still another embodiment, the graphical user interface 700 receives, in the description of the resource, a file type of the resource. In still even another embodiment, the graphical user interface 700 receives, in the description of the resource, an identification of a server on which the resource resides. In yet another embodiment, the graphical user interface 700 receives, in the description of the resource, an identification of an operating system executed by a server on which the resource resides.
In one embodiment, the graphical user interface 700 retrieves, from a database, a configuration file identifying a file type of the resource. In another embodiment, the graphical user interface 700 retrieves, from a database, a configuration file identifying a server on which the resource resides. In still another embodiment, the graphical user interface 700 retrieves, from a database, a configuration file identifying an operating system executed by a server on which the resource resides. In yet another embodiment, the graphical user interface 700 retrieves, from a database, a configuration file storing a description of the client. In some embodiments, the graphical user interface retrieves, from a database, a state file saved by an administrator. In other embodiments, the graphical user interface 700 retrieves, from a database, a state file generated responsive to a user error.
In one embodiment, the graphical user interface 700 receives, in the description of the requested method of access, a description of a request to retrieve the resource. In another embodiment, the graphical user interface 700 receives, in the description of the requested method of access, a description of a request to remotely access the resource. In still another embodiment, the graphical user interface 700 receives, in the description of the requested method of access, a description of a presentation layer protocol. In still even another embodiment, the graphical user interface receives, in the description of the requested method of access, a description of a type of client agent. In yet another embodiment, the graphical user interface 700 displays a graphical user interface element displaying the at least one policy applicable to the client request for access to the resource.
The graphical user interface displays at least one policy applicable to the client request for access to the resource (step 804). In one embodiment, the graphical user interface displays a user interface element displaying the at least one policy. In some embodiments, the at least one policy is applicable to the received description of the client or the resource or the access method. In one of these embodiments, the description of the client includes information identifying a group of users to which a user of the client belongs and to which the at least one policy applies. In another of these embodiments, the description of the access method identifies a requested method to which the at least one policy applies. In still another of these embodiments, the description of the resource identifies a type of resource to which the at least one policy applies.
In one embodiment, the graphical user interface 700 displays the at least one policy responsive to receiving a request for information associated with the at least one policy. For example, the user may request additional information associated with a decision and receive a display of the at least one policy that affected the outcome of the decision. In another embodiment, the graphical user interface 700 displays at least one filter associated with the policy. For example, the user may request additional information associated with the at least one policy and receive the display of at least one filter which is a requirement for satisfaction of the policy. In some embodiments, the graphical user interface 700 displays a user interface element allowing a user to modify at least one filter associated with the policy. In other embodiments, the graphical user interface 700 displays a user interface element allowing a user to modify the policy.
The graphical user interface displays a decision made by applying the at least one policy to the received description (step 806). In some embodiments, the graphical user interface 700 displays a resultant set associated with the application of the at least one policy to the client request for access to the resource. In one embodiment, the graphical user interface 700 displays a result of simulating the application of a policy to a request, responsive to the received details in description 710. In some embodiments, the graphical user interface 700 displays a decision generated by a simulation component, such as a policy simulation engine 702. In other embodiments, the graphical user interface 700 displays a first decision inferred from a second decision. In one of these embodiments, a user provides a description of a client, a resource, or a method of access and a simulation tool - such as a policy simulation engine 702 - identifies a first decision from which the simulation tool infers a second decision and transmits the information to the graphical user interface 700 for display. For example, and in another of these embodiments, the first decision indicates that a client, a resource, or a method of access fails to satisfy a first filter. In this embodiment, if a second filter or a policy requires the satisfaction of the first filter, the simulation tool may infer that the second filter or policy will not be satisfied either. In another embodiment, the resulting second decision will indicate that the user of the client is not authorized to access the resource according to the method of access. In still another of these embodiments, a user of the graphical user interface 700 may indicate that a first filter is met or unmet and the simulation tool will determine that a second filter is defined in such a way that it is possible to infer the value of the second filter given the known value of the first filter.
In still even another of these embodiments, the tool can signal that such a value is derived from other input values, rather than from that input explicitly.
In some embodiments, the graphical user interface 700 receives, from a simulation component, a decision made by applying the at least one policy to the received description. In one of these embodiments, for example, the simulation component receives the description from the graphical user interface 700, simulates the application of the at least one policy to the received description and transmits, to the graphical user interface 700, the decision. In another of these embodiments, the decision is transmitted to other tools, in addition to the graphical user interface. In still another of these embodiments, the simulation component is a policy simulation engine 702.
In some embodiments, a policy may be an expression, which may be evaluated in a context to determine the result. In one of these embodiments, the context describes some or all of the characteristics of a scenario in which the policy is applied. For example, the context may include the client name, the client's IP address, or the resource's name; however, the context need not specify all of the details of the scenario.
In another of these embodiments, where the policy is an access control policy, this determined result may be a decision to allow or deny a request. In still another of these embodiments, where the policy is an access routing policy, the determined result may specify a particular method of access - for example, specifying that the client may download, access remotely, or transform a requested resource from one format to another.
In some embodiments, a policy simulation engine 702 simulates an application of a policy to generate a result displayed by the graphical user interface 700.
In one of these embodiments, the policy simulation engine 702 is an actively used policy engine that makes decisions for active sessions. In other embodiments, a simulation policy engine, which is not an active policy engine making decisions for active sessions, simulates an application of a policy to generate a result displayed by the graphical user interface 700.
In some embodiments, the simulation takes place as it would in an active "run-time" environment. In one of these embodiments, if information is needed that is unknown then the same determination is made that would be taken if the information is unknown at run-time - typically this might be to assume the 'default' or to raise an error.
In other embodiments, the simulation propagates any uncertainties, and operations in the policy expression are explicitly extended to describe how uncertainty should be propagated. In one of these embodiments, for example, the expression (User=Fred) will return either 'true' or 'false' during runtime, but, during tristate simulation, the simulation may also return 'unknown' if the user name is not known. Similarly, a combinatory operator such as 'and' may be used in parts of the policy expression. For 'normal' operation, this has the following transition table:

"And" Operator (normal evaluation)
    Inputs                                                            Output
    All inputs are 'true'                                             True
    Any input is 'false'                                              False

During 'tristate' evaluation the transition table is extended:

"And" Operator (tristate evaluation)
    Inputs                                                            Output
    All inputs are 'true'                                             True
    Any input is 'false'                                              False
    At least one input is 'unknown' and all other inputs are 'true'   Unknown

Similarly the 'not' and 'or' operators are extended as follows:

"Or" Operator
    Inputs                                                            Output
    Any input is 'true'                                               True
    All inputs are 'false'                                            False
    At least one input is 'unknown' and all other inputs are 'false'  Unknown

"Not" Operator
    Input                                                             Output
    Input is 'true'                                                   False
    Input is 'false'                                                  True
    Input is 'unknown'                                                Unknown

Any policy may be described using such an expression.
Referring now to FIG. 8B, a screen shot depicts one embodiment of a graphical user interface displaying a decision generated responsive to an automatic inference. As shown in FIG. 8B, an administrator has indicated, in a first interface element 810, that a first filter ("Trend") is not satisfied (by interacting with a second interface element 815).
The simulation tool identifies a second filter ("Trusted Users") as a compound filter, relying on the satisfaction of all of its sub-filters to reach a determination that a client request is authorized (identified in FIG. 8B by the "and" clause, which indicates that, in this embodiment, the second filter requires satisfaction of all the conjunctive sub-filters), and determines that the first filter is one of the sub-filters of the second filter; therefore, the simulation tool can infer that if the first filter is not met, the second filter will not be met, regardless of whether the other sub-filters on which the satisfaction of the compound second filter relies are themselves satisfied. In some embodiments, a user of the graphical user interface 700 may interact with an interface element to request an override of an inference. In one of these embodiments, requesting an override results in the simulation tool generating a decision indicating that the overridden filter was met even if an analysis of related filters would have otherwise resulted in generation of a decision indicating that the overridden filter was not met (or vice versa, as appropriate). In other embodiments, the graphical user interface 700 displays an identification of an overridden filter, the filter override resulting from an evaluation of other data or filters. In still other embodiments, the graphical user interface 700 displays an identification of an overridden policy.
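The following is an added worked example, not code from this application, showing how the tristate transition tables above and the FIG. 8B inference fit together in a small simulator: a policy is an expression tree over attribute tests and references to named filters; attributes missing from the scenario evaluate to 'unknown' (None) in tristate mode, or raise an error in run-time mode; and a conjunction with one 'false' input is decided 'false' even while other inputs remain unknown, which is exactly the inference drawn for "Trusted Users" when "Trend" is unmet. The filter names "Trend" and "Trusted Users" come from the text; their definitions, the attribute names, the scenario values and the filter-name override map are assumptions for the example.

```python
"""Tristate policy simulation with inference: added example, not the application's code.

Named filters, attribute names and scenario values are assumptions; 'Trend' and
'Trusted Users' are taken from the text's FIG. 8B discussion.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Union

Tri = Optional[bool]  # True, False, or None meaning 'unknown'


def tri_and(vals: List[Tri]) -> Tri:
    """Tristate AND table: any False -> False; all True -> True; else unknown."""
    if any(v is False for v in vals):
        return False
    if all(v is True for v in vals):
        return True
    return None


def tri_or(vals: List[Tri]) -> Tri:
    """Tristate OR table: any True -> True; all False -> False; else unknown."""
    if any(v is True for v in vals):
        return True
    if all(v is False for v in vals):
        return False
    return None


def tri_not(v: Tri) -> Tri:
    """Tristate NOT table: unknown stays unknown."""
    return None if v is None else (not v)


@dataclass
class AttrTest:                 # leaf: a predicate over one context attribute
    attr: str
    pred: Callable[[object], bool]
    label: str

@dataclass
class And:
    parts: list

@dataclass
class Or:
    parts: list

@dataclass
class Not:
    part: object

@dataclass
class Ref:                      # reference to a named filter ('dynamic group')
    name: str

Expr = Union[AttrTest, And, Or, Not, Ref]


@dataclass
class Simulator:
    filters: Dict[str, Expr]                          # named filters by name
    overrides: Dict[str, Tri] = field(default_factory=dict)  # filter name -> forced value
    runtime: bool = False                             # True: behave like the live engine
    trace: List[str] = field(default_factory=list)    # explanation shown to the user

    def evaluate(self, expr: Expr, ctx: dict) -> Tri:
        if isinstance(expr, AttrTest):
            if expr.attr not in ctx:
                if self.runtime:                      # live engine: missing data is an error
                    raise KeyError(f"attribute {expr.attr!r} required at run-time")
                self.trace.append(f"{expr.label}: unknown ({expr.attr} not in scenario)")
                return None
            result = bool(expr.pred(ctx[expr.attr]))
            self.trace.append(f"{expr.label}: {result}")
            return result
        if isinstance(expr, Ref):
            if expr.name in self.overrides:           # user-requested override wins
                v = self.overrides[expr.name]
                self.trace.append(f"filter {expr.name!r}: overridden to {v}")
                return v
            v = self.evaluate(self.filters[expr.name], ctx)
            self.trace.append(f"filter {expr.name!r}: {v}")
            return v
        if isinstance(expr, And):
            vals = [self.evaluate(p, ctx) for p in expr.parts]  # no short-circuit: full trace
            v = tri_and(vals)
            if v is False and None in vals:
                self.trace.append("AND: False inferred from one False input despite unknown inputs")
            return v
        if isinstance(expr, Or):
            return tri_or([self.evaluate(p, ctx) for p in expr.parts])
        if isinstance(expr, Not):
            return tri_not(self.evaluate(expr.part, ctx))
        raise TypeError(f"unsupported expression {expr!r}")


# Assumed named filters; "Trusted Users" is a conjunction that includes "Trend".
FILTERS: Dict[str, Expr] = {
    "Trend": And([AttrTest("os", lambda v: v == "Windows", "Operating System is Windows"),
                  AttrTest("trend_version", lambda v: v > 5, "Trend version > 5")]),
    "Trusted Users": And([Ref("Trend"),
                          AttrTest("groups", lambda g: "sales" in g, "User is member of group 'sales'")]),
}
ACCESS_POLICY: Expr = Ref("Trusted Users")   # allow access iff Trusted Users is satisfied


def simulate(ctx: dict, overrides: Optional[Dict[str, Tri]] = None, runtime: bool = False):
    """Return (decision, trace) for a scenario description."""
    sim = Simulator(FILTERS, dict(overrides or {}), runtime)
    return sim.evaluate(ACCESS_POLICY, ctx), sim.trace


if __name__ == "__main__":
    # Constructed scenario: Windows client running Trend 4, group membership not supplied.
    decision, trace = simulate({"os": "Windows", "trend_version": 4})
    print(decision)          # False: Trend unmet, so Trusted Users unmet whatever the groups are
    for line in trace:
        print("  ", line)
    print(simulate({"os": "Windows", "trend_version": 6})[0])               # None: groups unknown
    print(simulate({"os": "Windows", "trend_version": 4}, {"Trend": True})[0])  # None: override, groups unknown
```

Evaluating every operand rather than short-circuiting costs nothing in a simulator and is what makes the trace useful: the administrator sees which inputs were unknown and which single input decided the result. Switching `runtime=True` reproduces the live engine's behaviour for the same scenario, where a missing attribute is an error rather than a propagated 'unknown'.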
In some embodiments, the graphical user interface 700 displays an interface element displaying a summary of a decision. In one of these embodiments, the summary includes a description of how the interactive tool determined the decision. In another of these embodiments, the summary includes a description of at least one policy that affected the decision. In still another of these embodiments, the summary includes a description of a deficiency in the client, the request or the resource that resulted in a particular decision. In yet another of these embodiments, the summary includes a description of a characteristic of the client, the request, or the resource that satisfied a requirement of a policy, resulting in a particular decision. In yet another of these embodiments, the summary includes a description of an effect one policy had on a second policy that resulted in a particular decision. For example, the summary may include a description of a first policy that requires a client, a resource, or a request to satisfy a second policy where failure to meet the requirements of the second policy results in failure to satisfy the first policy.
In some embodiments, the graphical user interface 700 displays summaries for a plurality of decisions. In one of these embodiments, the graphical user interface 700 displays a given scenario (details regarding at least one of a client, a resource, and a request for access to the resource by the client) against multiple stored sets of policies. In another of these embodiments, the graphical user interface 700 displays a decision resulting from an application of a first, existing policy to the scenario and also displays a decision resulting from an application of a second existing policy, which is a modified version of the first policy. In another of these embodiments, the graphical user interface 700 displays a decision resulting from an application of a first, existing policy to the scenario and also displays a decision resulting from an application of a second theoretical policy, which is a modified version of the first policy. In another of these embodiments, the graphical user interface 700 displays a decision resulting from an application of a first theoretical policy to the scenario and also displays a decision resulting from an application of a second theoretical policy, which is a modified version of the first policy.
In still another of these embodiments, the graphical user interface 700 displays the differences between the decisions resulting from an application of each of the policies to the scenario. In yet another of these embodiments, viewing multiple decisions together allows an administrator to view the effect of different policies on a number of scenarios before the administrator begins enforcing any of the policies.
Referring now to FIG. 8C, and in some embodiments, the graphical user interface 700 includes an interface element 820 that displays a filter, or condition, that is used in a policy. In one embodiment, the interactive tool provided by the graphical user interface 700 generates a decision by determining whether a client, a resource or an access request satisfies a policy defined by a filter. In another embodiment, the applicability of policies generally depends on whether the client and/or resource meet a number of conditions. In another of these embodiments, these conditions are separately named and classified - for example "Trusted Client", "Access from Partner Site" or "Has Trend Installed".
Such classifications may be referred to as 'Named Filters'. The filters may also be referred to as 'Dynamic Groups', as they act as a dynamic classification of clients into those clients who do or do not meet a certain set of criteria.
In one embodiment, the interface element 820 allows an administrator to view all or some of the defined named filters, and to view which filters the client or resource matches or does not match. In another embodiment, the interface element 820 allows a user to request the display of any sub-filters and conditions that make up a filter. In some embodiments, these sub-filters and conditions are defined as Boolean expressions - such as "Operating System is Windows AND Trend Version is greater than 5". In other embodiments, the tool also allows the administrator to override the definition of a filter and assume that the client does or does not match it (regardless of its original definition).
In one of these embodiments, the ability to override the definition of a filter allows a user to debug proposed changes to the filter, or to determine what access would be permitted if the system changes slightly (for example, if the client upgraded a virus checker). In another of these embodiments, the interface element 820 displays an indication for each filter of whether a described client currently satisfies a requirement of the displayed filter, and whether the user requested an override of this value. In still another of these embodiments, a user interface element in the graphical user interface 700 provides a link allowing a user to view a particular test or filter where overrides were requested. In still other embodiments, the interface element 820 may display all defined named filters, or only a selection - for example, only those used in a policy or only those requested by the user.
In some embodiments, the graphical user interface 700 receives a modification to at least one filter. In one of these embodiments, the graphical user interface 700 displays a decision identified by the modified filter. In another of these embodiments, a determination is made, responsive to the modification, not to apply the applicable at least one policy to the received description. In still another of these embodiments, a determination is made, responsive to the modification, to apply at least one inapplicable policy to the received description. In yet another of these embodiments, the determination is displayed in the graphical user interface 700.
In some embodiments, the graphical user interface 700 receives a modification to at least one policy. In one of these embodiments, the graphical user interface displays a decision identified by the modified policy. In another of these embodiments, a determination is made, responsive to the modification, not to apply the applicable policy to the received description. In still another of these embodiments, a determination is made, responsive to the modification, to apply at least one inapplicable policy to the received description. In yet another of these embodiments, the determination is displayed in the graphical user interface 700.
In one embodiment, the graphical user interface 700 receives a modification of the description of the user. In another embodiment, the graphical user interface 700 displays a decision identified by an application of the at least one policy to the modified user. In still another embodiment, the graphical user interface 700 receives a modification of the description of the requested resource. In yet another embodiment, the graphical user interface 700 displays a decision identified by an application of the at least one policy to the modified resource request.
In some embodiments, in addition to displaying the policies and settings that would be used for the given circumstance, allowing a user to enter a modification to a description or a policy allows many aspects of policy configuration to be overridden. For example, if a description of a decision specified that a client did not pass a 'Has Virus Checker Installed' test - then the administrator could override this setting, and determine whether, if the client did pass this test, the decision would change.
Similarly, the administrator may indicate that a particular policy should be ignored, or that a particular server/services should be considered as out of service. In one of these embodiments, these facilities (which may collectively be referred to as "overrides") allow the tool to be used by the administrator to perform this type of 'what if' analysis.
In one embodiment, allowing the value of an entire expression or any sub-expression to be overridden allows a policy simulation engine 702 to make an assumption. For example, a user might specify that, for the purposes of investigation, evaluation of an expression "User is member of group 'sales'" should be treated as evaluating to 'true' - or equally should be treated as evaluating to 'false', regardless of whether this is actually the case. In another embodiment, an override may be used as a short hand or for 'what if' analyses. For example, a user may want to answer the question "if I modified Policy 1 to disallow access for this group, what would the overall effect be". An example of a use of overrides as a short hand might be "I know this is a trusted user - so mark the 'trusted users' filter as true"; this may be quicker and simpler than entering all the user's details to cause the evaluation to take place.
In some embodiments, rather than providing buttons or other user interface to allow the administrator to change between "no override", "override as true" and "override as false", the graphical user interface 700 provides a toggle control to toggle between "evaluates to true" and "override as false" for expressions that naturally evaluate to true, and a toggle between "evaluates to false" and "override as true" for expressions that naturally evaluate to false. In one of these embodiments, during tristate evaluation, a toggle can be used to cycle between three cases - true, false and unknown (one of which will be the natural evaluated value, the other two of which will be overrides). In another of these embodiments, where one policy references a second policy, or other reusable parts of a policy (such as named filters), then an override to a reusable part will apply equally to all uses of that reusable part. For example, if Policy 1 is defined as "if(Filter1) return 'red' else 'blue'", and if Policy 2 is defined as "if(Filter1) return 'orange' else 'green'", then overriding Filter1 will affect both policies - leading to either (Policy1=red, Policy2=orange) or (Policy1=blue, Policy2=green). In still another of these embodiments, it is also possible to override only one of these by overriding the reference to the shared element.
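The scoping rule just described, as an added example (not code from this application): two policies share the named filter Filter1; an override keyed on the filter's name applies to every use of it, while an override keyed on one policy's reference applies to that use alone, and the most specific override wins. The policy names and the 'red'/'blue'/'orange'/'green' results follow the text; the definition of Filter1, the client attributes and the two-state toggle helper are assumptions.

```python
"""Override scoping for shared named filters: added example, not the application's code.

Policy 1 and Policy 2 both reference the shared filter 'Filter1'. Filter1's
definition and the client attributes are assumptions; the policy results
follow the text's example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class FilterRef:
    """One use of a shared named filter inside a particular policy."""
    filter_name: str
    policy: str


# Assumed definition of the shared filter ('dynamic group').
NAMED_FILTERS: Dict[str, Callable[[dict], bool]] = {
    "Filter1": lambda c: c.get("os") == "Windows" and c.get("trend_version", 0) > 5,
}

# Policy 1: if(Filter1) return 'red' else 'blue'
# Policy 2: if(Filter1) return 'orange' else 'green'
POLICIES = {
    "Policy1": (FilterRef("Filter1", "Policy1"), "red", "blue"),
    "Policy2": (FilterRef("Filter1", "Policy2"), "orange", "green"),
}


def resolve(ref: FilterRef, client: dict,
            filter_overrides: Dict[str, bool],
            ref_overrides: Dict[FilterRef, bool]) -> bool:
    """Most specific override wins: this reference, then the shared filter by
    name, then the filter's natural evaluation against the client description."""
    if ref in ref_overrides:
        return ref_overrides[ref]
    if ref.filter_name in filter_overrides:
        return filter_overrides[ref.filter_name]
    return NAMED_FILTERS[ref.filter_name](client)


def evaluate_policies(client: dict,
                      filter_overrides: Optional[Dict[str, bool]] = None,
                      ref_overrides: Optional[Dict[FilterRef, bool]] = None) -> Dict[str, str]:
    """Evaluate every policy for the client under the given overrides."""
    filter_overrides = filter_overrides or {}
    ref_overrides = ref_overrides or {}
    return {
        name: on_true if resolve(ref, client, filter_overrides, ref_overrides) else on_false
        for name, (ref, on_true, on_false) in POLICIES.items()
    }


def toggle_filter(name: str, client: dict, filter_overrides: Dict[str, bool]) -> Dict[str, bool]:
    """Two-state toggle from the text: flip between the filter's natural value
    and an override to the opposite value (a second toggle removes the override)."""
    updated = dict(filter_overrides)
    if name in updated:
        del updated[name]
    else:
        updated[name] = not NAMED_FILTERS[name](client)
    return updated


if __name__ == "__main__":
    client = {"os": "Windows", "trend_version": 4}              # Filter1 is naturally false
    print(evaluate_policies(client))                            # Policy1=blue, Policy2=green
    print(evaluate_policies(client, {"Filter1": True}))         # Policy1=red, Policy2=orange
    print(evaluate_policies(client, ref_overrides={FilterRef("Filter1", "Policy2"): True}))  # blue, orange
```

Keying reference overrides on a (filter, policy) pair rather than on the filter name is what lets an administrator ask "what if only Policy 2 treated this user as trusted" without disturbing the shared definition; the summary view should report which of the two kinds of override produced a result.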
In one embodiment, the graphical user interface 700 provides an interface element for generating a display of these analyses indicating that the analyses are provided as a result of an override request and identifying the overridden filter, condition or policy. In other embodiments, the administrator may configure the tool to allow the tool to identify by inference a condition that the administrator could satisfy in order to satisfy an overridden or unsatisfied policy. In one of these embodiments, the tool may identify a valid set of values that would satisfy any of the terms in a compound condition.
The graphical user interface and the policy simulation engine provide functionality allowing users, such as administrators, to interactively evaluate a wide variety of policies using dynamically generated, interactive resultant sets of policies. In some embodiments, the graphical user interface displays a decision made by applying the at least one access control policy to the at least one received description; in some of these embodiments, the graphical user interface receives the decision for display from the policy simulation engine that simulates the application of the at least one access control policy. For example, FIGs. 7B-7E and 8B-8C depict some embodiments of scenarios involving the use of access control policies. In other embodiments, however, the graphical user interface displays a decision made by applying other policies to the at least one received description. In one of these embodiments, the graphical user interface displays a decision made by applying the at least one auditing policy to the at least one received description; the graphical user interface receives the decision for display from the policy simulation engine that simulates the application of the at least one auditing policy. In another of these embodiments, the graphical user interface displays a decision made by applying the at least one alarm-triggering policy to the at least one received description; the graphical user interface receives the decision for display from the policy simulation engine that simulates the application of the at least one alarm-triggering policy. In still another of these embodiments, the graphical user interface displays a decision made by applying the at least one load-balancing policy to the at least one received description; the graphical user interface receives the decision for display from the policy simulation engine that simulates the application of the at least one load-balancing policy. In still even another of these embodiments, the graphical user interface displays a decision made by applying the at least one resource-provisioning policy to the at least one received description; the graphical user interface receives the decision for display from the policy simulation engine that simulates the application of the at least one resource-provisioning policy. In yet another of these embodiments, the graphical user interface displays a decision made by applying the at least one caching policy to the at least one received description; the graphical user interface receives the decision for display from the policy simulation engine that simulates the application of the at least one caching policy.
In one embodiment, the method for interactive policy evaluation using dynamically generated interactive resultant sets of auditing policies includes the step of receiving, by a graphical user interface, at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client. In another embodiment, the method includes the step of displaying, by the graphical user interface, at least one auditing policy applicable to the at least one received description. In still another embodiment, the method includes the step of displaying, by the graphical user interface, a decision made by applying the at least one auditing policy to the at least one received description. In some embodiments, a system for interactive policy evaluation using dynamically generated interactive resultant sets of auditing policies includes a graphical user interface displaying the decision of the application of the at least one auditing policy to the at least one received resource and a policy simulation engine simulating the application of the at least one auditing policy. In one of these embodiments, the graphical user interface is a graphical user interface 700 as described above. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
In one embodiment, the method for interactive policy evaluation using dynamically generated interactive resultant sets of caching policies includes the step of receiving, by a graphical user interface, at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client. In another embodiment, the method includes the step of displaying, by the graphical user interface, at least one caching policy applicable to the at least one received description. In still another embodiment, the method includes the step of displaying, by the graphical user interface, a decision made by applying the at least one caching policy to the at least one received description. In some embodiments, a system for interactive policy evaluation using dynamically generated interactive resultant sets of caching policies includes a graphical user interface displaying the decision of the application of the at least one caching policy to the at least one received resource and a policy simulation engine simulating the application of the at least one caching policy. In one of these embodiments, the graphical user interface is a graphical user interface 700 as described above. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
In one embodiment, the method for interactive policy evaluation using dynamically generated interactive resultant sets of access control policies includes the step of receiving, by a graphical user interface, at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client. In another embodiment, the method includes the step of displaying, by the graphical user interface, at least one access control policy applicable to the at least one received description. In still another embodiment, the method includes the step of displaying, by the graphical user interface, a decision made by applying the at least one access control policy to the at least one received description.
In some embodiments, a system for interactive policy evaluation using dynamically generated interactive resultant sets of access control policies includes a graphical user interface displaying the decision of the application of the at least one access control policy to the at least one received resource and a policy simulation engine simulating the application of the at least one access control policy. In one of these embodiments, the graphical user interface is a graphical user interface 700 as described above.
In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
Referring now to FIG. 8D, a screen shot depicts one embodiment of a graphical user interface including an interface element displaying an access routing decision. The graphical user interface receives at least one of a description of a client requesting access to a resource and a description of the resource, and the graphical user interface displays, in an interface element 830, at least one access routing policy applicable to the client request for access to the resource. In one embodiment, the graphical user interface 700 displays an access routing decision identified responsive to an application of an access routing policy to at least one of the description of the client requesting access to the resource and the description of the resource. In another embodiment, the graphical user interface 700 displays an identification of a service, or class of service, that will be authorized should the described client make the described request for access to the described resource.
In one embodiment, the graphical user interface 700 may receive a description of a type of client and display in the interface element 830 a description of an access routing decision indicating that the client is authorized to download the described resource. In another embodiment, the graphical user interface 700 may receive a description of a type of client and display in the interface element 830 a description of an access routing decision indicating that the client is authorized to receive application output data generated by an execution of the described resource on a remote machine 106 and transmitted to the client according to a presentation layer protocol. In still another embodiment, the graphical user interface 700 may receive a description of a type of client and display in the interface element 830 a description of an access routing decision indicating that the client is authorized to receive the described resource via a method for application streaming. In yet another embodiment, an access routing policy may determine both the type of access to be attempted (e.g., an applicable protocol) and the class or instance of service/server (a WINDOWS server or a server 106 providing access to a resource via a particular method or a server 106 belonging to a particular server farm 38). In some embodiments, a determination by an access routing policy can have a significant impact on other forms of policy, as it is in effect selecting a 'concrete' access request (e.g. to use ICA to access server 53) rather than an abstract access request (e.g. Run Word). In other embodiments, a simulation component with which the graphical user interface 700 interacts applies information relating to service load or server availability to the simulation of an application of an access routing policy to a described client or resource. In one of these embodiments, overrides are supported to allow an administrator to modify the information on which the simulation component relies. In another of these embodiments, the simulation component uses a session identifier to retrieve information relating to server load and availability for use in simulating application of a policy to an actual request. For example, an administrator may provide a description of a previously-made access request and request the display of what access routing determination would have been reached had a modified access routing policy been in effect at the time of the previous access request.
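An added example (not code from this application) of the access routing step described above: an abstract request such as "run Word" is resolved by the first matching routing rule into an access method (download, remote display, or streaming) and then, for the server-backed methods, into a concrete server chosen by availability and load; an administrator can mark servers out of service as an override, and a recorded request (with the server state seen at the time) can be replayed against a modified rule set. The rule set, server inventory, loads, farm names and client attributes are all constructed for the example; "ica" here simply labels the remote-display method.

```python
"""Access routing simulation: added example, not the application's code.

Rules, server names, loads, farms and client attributes are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass
class Server:
    name: str
    farm: str
    apps: Tuple[str, ...]
    methods: Tuple[str, ...]   # access methods offered, e.g. ('ica', 'stream')
    load: float                # 0.0 (idle) .. 1.0 (saturated)
    available: bool = True


@dataclass
class RoutingRule:
    label: str
    matches: Callable[[dict], bool]   # predicate over the client description
    method: str                       # 'download', 'ica' (remote display) or 'stream'


# Assumed access routing policy: the first matching rule wins.
DEFAULT_RULES: List[RoutingRule] = [
    RoutingRule("thin clients use remote display",
                lambda c: c.get("type") == "thin", "ica"),
    RoutingRule("managed Windows clients stream the application",
                lambda c: bool(c.get("managed")) and c.get("os") == "Windows", "stream"),
    RoutingRule("unmanaged clients download",
                lambda c: not c.get("managed"), "download"),
]


@dataclass
class Decision:
    method: Optional[str]
    server: Optional[str]
    farm: Optional[str]
    reason: str            # text for the summary element


def route(client: dict, app: str, servers: List[Server],
          rules: List[RoutingRule] = DEFAULT_RULES,
          out_of_service: FrozenSet[str] = frozenset()) -> Decision:
    """Turn an abstract request (client wants app) into a concrete one."""
    rule = next((r for r in rules if r.matches(client)), None)
    if rule is None:
        return Decision(None, None, None, "no routing rule matches the client")
    if rule.method == "download":
        return Decision("download", None, None, rule.label)   # no server session needed
    candidates = [s for s in servers
                  if app in s.apps and rule.method in s.methods
                  and s.available and s.name not in out_of_service]   # override applied here
    if not candidates:
        return Decision(rule.method, None, None,
                        f"{rule.label}; no available server offers {app} via {rule.method}")
    best = min(candidates, key=lambda s: s.load)       # load-balancing step
    return Decision(rule.method, best.name, best.farm, f"{rule.label}; least-loaded server")


@dataclass
class RecordedRequest:
    """A previously made request with the server state seen at the time,
    retrievable by session identifier for 'what if' replay."""
    session_id: str
    client: dict
    app: str
    servers: List[Server]


def replay(rec: RecordedRequest, rules: List[RoutingRule],
           out_of_service: FrozenSet[str] = frozenset()) -> Decision:
    """Re-run a recorded request under a modified policy."""
    return route(rec.client, rec.app, rec.servers, rules, out_of_service)


# Constructed server inventory and client descriptions for the scenarios below.
SERVERS = [
    Server("srv-a", "farm-1", ("Word", "Excel"), ("ica", "stream"), load=0.7),
    Server("srv-b", "farm-1", ("Word",), ("ica",), load=0.3),
    Server("srv-c", "farm-2", ("Word",), ("stream",), load=0.1, available=False),
]
THIN_CLIENT = {"type": "thin", "managed": True, "os": "ThinOS"}
MANAGED_LAPTOP = {"type": "laptop", "managed": True, "os": "Windows"}
UNMANAGED_PC = {"type": "desktop", "managed": False, "os": "Windows"}

if __name__ == "__main__":
    print(route(THIN_CLIENT, "Word", SERVERS))                                        # ica via srv-b
    print(route(THIN_CLIENT, "Word", SERVERS, out_of_service=frozenset({"srv-b"})))   # ica via srv-a
    print(route(MANAGED_LAPTOP, "Word", SERVERS))                                     # stream via srv-a
    print(route(UNMANAGED_PC, "Word", SERVERS))                                       # download, no server
    rec = RecordedRequest("sess-42", THIN_CLIENT, "Word", SERVERS)
    thin_streams = [RoutingRule("thin clients stream", lambda c: c.get("type") == "thin", "stream")] + DEFAULT_RULES[1:]
    print(replay(rec, thin_streams))                                                  # stream via srv-a
```

Because the routing decision fixes both the protocol and the server, the simulator cannot fill in server-specific details (farm, load, version) for the summary view until this step has run; the `Decision.reason` field is what such a view would show when no server qualifies.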
In some embodiments, the graphical user interface 700 displays additional information associated with the described resource responsive to an access routing decision. In one of these embodiments, the graphical user interface 700 displays an identification of a server farm 38 in which a server 106 resides, the server 106 providing access to the described resource. In another of these embodiments, the graphical user interface 700 displays an identification of a protocol for use in communicating with a server 106 providing access to the described resource. In still another of these embodiments, the graphical user interface 700 displays information associated with server load and availability of a server 106 providing access to the described resource. In still even another of these embodiments, the graphical user interface 700 displays information identifying a version of an application (such as an operating system) executed by a server 106 providing access to the described resource. In yet another of these embodiments, the graphical user interface 700 cannot display an identification of a server 106 providing access to the described resource until the access routing decision has been specified. For example, if the graphical user interface 700 receives a description of a resource that identifies a word processing application that is subject to an access routing policy, the graphical user interface 700 may delay the display of information associated with a server 106 providing access to the word processing application because the graphical user interface 700 may not have access to the information until the simulation of the application of the access routing policy identifies an access method, a protocol and a level of service.
In some embodiments, once the graphical user interface 700 displays information associated with the described resource and with an access routing policy decision, the graphical user interface 700 may display additional information associated with a session between a client 102 and a server 106. In one of these embodiments, there are a plurality of settings associated with a session between a client 102 and a server 106; for example, client settings, network settings and server settings may be displayed. In another of these embodiments, these settings may be determined by a policy commonly referred to as a 'session policy'. In still another of these embodiments, the session policy differs from an access policy in that it results in a number of settings - for example bandwidth limits, color depth, screen resolution, available optimization techniques, etc. - that are focused on the connection between the client and the server instead of on whether the client or a user of the client is authorized to access a resource provided by a server. In still even another of these embodiments, different session policies may apply to a given circumstance depending on client and/or resource properties. In yet another of these embodiments, a view of the information associated with the described resource displays the set of policies that may apply to a request for the resource, indicates which do apply in the given scenario, and may allow a user of the graphical user interface 700 to request and view additional information associated with the session policy.
In one embodiment, a method for interactive policy evaluation using dynamically generated interactive resultant sets of load-balancing policies includes the step of receiving, by a graphical user interface, a description of at least one resource. In another embodiment, the method includes the step of displaying, by the graphical user interface, at least one load-balancing policy applicable to the at least one resource. In still another embodiment, the method includes the step of displaying, by the graphical user interface, a decision made by applying the at least one load-balancing policy to the at least one resource. In yet another embodiment, the method includes the step of simulating, by a policy simulation engine, the application of the at least one load-balancing policy to the at least one resource. In some embodiments, the graphical user interface displaying the decision of the application of the at least one load-balancing policy to the at least one received resource is a graphical user interface 700 as described above. In other embodiments, the policy simulation engine simulating the application of the at least one load-balancing policy is a policy simulation engine 702. In some embodiments, the load-balancing policy determines whether the at least one resource will provide a user with access to a requested resource. In other embodiments, the load-balancing policy is applied independent of a user request for access.
In some embodiments, a policy need not solely govern a user's access control.
For example, in one of these embodiments, a policy controls a scheduling decision, such as a determination regarding whether to perform a data back-up operation. In other embodiments, the methods and systems described herein may be used in a scenario in which a policy decision is made dependent on a set of circumstances, which may or may not include a client or a resource; for example, a policy might be applied whenever a fault is diagnosed in a network, in order to determine the severity of the fault and determine how to handle the fault.
In one embodiment, a method for interactive policy evaluation using dynamically generated interactive resultant sets of fault-detection policies includes the step of receiving, by a graphical user interface, a description of at least one resource. In another embodiment, the method includes the step of displaying, by the graphical user interface, at least one fault-detection policy applicable to the at least one resource.
In still another embodiment, the method includes the step of displaying, by the graphical user interface, a decision made by applying the at least one fault-detection policy to the at least one resource. In yet another embodiment, the method includes the step of simulating, by a policy simulation engine, the application of the at least one fault-detection policy to the at least one resource. In some embodiments, the graphical user interface displaying the decision of the application of the at least one fault-detection policy to the at least one resource is a graphical user interface 700 as described above. In other embodiments, the policy simulation engine simulating the application of the at least one fault-detection policy is a policy simulation engine 702.
An example of a fault-detection policy might be:

    if (fault.source = 'component A')
        severity = 100
        action = shut down system

In one of these embodiments, the methods and systems described herein may be used to analyze such policies. In another of these embodiments, rather than details being supplied about the client, resource and access methods, details are provided about the circumstance in which the policy is applied. For example, and in still another of these embodiments, if a policy can make decisions based on an attribute, then the attribute would be an input to the tool. In yet another of these embodiments, attributes may include, without limitation, a source of the fault raised, time of day of the fault, an identification of a number of similar faults raised within a time period, or an operating mode of the system on which the fault occurred.
In some embodiments, the methods and systems described herein provide a user with functionality for viewing a resultant set of policies given a particular scenario - a particular user or type of user requesting access to a particular resource via a particular access method. In one of these embodiments, the interactive tool and the graphical user interface with which the user interacts allows a user such as an administrator to view a specific circumstance and determine which policies would be applied and to view a resulting set of permissions. In another of these embodiments, the interactive tool allows the user to understand what effect a particular policy or policy change has on a particular user.
In other embodiments, methods and systems provide a user with the ability to view all resources under the control of the user and to view what classes of access are available to different classes of user for each resource or class of resource.
In one of these embodiments, therefore, rather than view a specific scenario, the user receives a higher level view focused instead on the classes of users and how the different classes may access each of a plurality of resources.
Referring now to FIG. 9A, a block diagram depicts one embodiment of a system for interactive evaluation of policies using a graphical user interface including a first graphical user interface element 910 and a second graphical user interface element 920.
The first graphical user interface element 910 enumerates at least one resource. The second graphical user interface element 920 receives an identification of a characteristic of at least one client and displays a result of an application of at least one policy associated with the at least one resource to the at least one client, the at least one policy applied responsive to the received identification of the characteristic. In one embodiment, a graphical user interface 900 displays the first graphical user interface element 910 and the second graphical user interface element 920 to a user. In another embodiment, the graphical user interface 900 is a web-based interface and displays information generated remotely. In still another embodiment, the graphical user interface 900 displays information generated locally.
Referring now to FIG. 9A, and in greater detail, the first graphical user interface element 910 displays at least one characteristic associated with at least one client. In one embodiment, the first graphical user interface element 910 includes an interface element displaying an identification of a type of anti-virus program executed by the at least one client. In another embodiment, the first graphical user interface element 910 includes an interface element displaying an identification of a type of operating system executed by the at least one client. In still another embodiment, the first graphical user interface element 910 includes an interface element displaying an identification of a type of application executed by the at least one client. In still even another embodiment, the first graphical user interface element 910 includes an interface element displaying an internet protocol (IP) address range, the at least one client assigned IP addresses in the IP address range. In yet another embodiment, the first graphical user interface element 910 includes an interface element receiving the at least one characteristic associated with the at least one client. For example, and in one embodiment, the first graphical user interface element 910 includes a text box, drop-down menu, radio button or checkmark box with which a user interacts to identify the at least one characteristic. In some embodiments, the first graphical user interface element 910 displays an identification of a filter matched by at least one client. In other embodiments, the first graphical user interface element 910 displays an identification of a filter unmatched by at least one client.
The second graphical user interface element 920 enumerates at least one resource and displays a result of an application of at least one policy associated with the at least one resource to the at least one client. In one embodiment, the second graphical user interface element 920 includes an interface element displaying an enumeration of a plurality of resources under the control of a user. In another embodiment, the second graphical user interface element 920 includes an interface element displaying at least one policy. In still another embodiment, the second graphical user interface element 920 includes an interface element displaying a requirement of the at least one policy.
In one embodiment, the second graphical user interface element 920 includes an interface element indicating that an application of the at least one policy to the at least one client results in a denial of access to the at least one resource by the at least one client. In another embodiment, the second graphical user interface element 920 includes an interface element indicating that an application of the at least one policy to the at least one client results in an allowance of access to the at least one resource by the client. In yet another embodiment, the second graphical user interface element 920 includes an interface element indicating that additional information associated with the at least one client is needed to identify a result of an application of the at least one policy to the at least one client.
In some embodiments, the first graphical user interface 910 and the second graphical user interface 920 display the results generated by a tool used in interactive evaluation of policies. In one embodiment, the display of the at least one characteristic associated with at least one client is a display of a list of criteria affecting the classification of users. In another embodiment, the display is a display of a list of group memberships or other information used by policies for one or more of the resources being examined by the tool. In still another embodiment, the list of criteria is an atomic list. In still even another embodiment, if the information in the list is not atomic (i.e., it is possible to break down the information into smaller pieces), then the tool provides a user with the ability to expand the list to include a display of the atomic information. An example might be an item "Trusted Users" where "Trusted Users" is a classification used in policies, and that is itself defined as AND(Domain User, Virus OK). "Domain User" and "Virus OK" may themselves be atomic conditions, or may be broken down in a similar way. In yet another embodiment, this part of the tool is used to identify the classes of user for which data is to be displayed in the second part of the tool.
In one embodiment, the second graphical user interface 920 displays a list of all resources evaluated by the interactive tool. In another embodiment, these resources are either automatically or manually classified according to the structure of the resource name (many resources have a hierarchical name such as A/B/C) and/or the access that is permitted for the identified class of user. For example, and in still another embodiment, the tool may use a single entry A/... to represent the resources A/B, A/B/C and A/D. In still even another embodiment, a user may interact with the second graphical user interface 920 to expand this summary entry. In yet another embodiment, the interactive tool automatically expands the summary entry if the access permitted to the individual resources it represents is different from the access permitted for other resources in the class.
In one embodiment, the second graphical user interface 920 displays at least one policy that affects a particular resource or set of resources. In another embodiment, the user may select a resource or summary line in the second graphical user interface 920 and the policies that apply to this resource or resources will be displayed. In still another embodiment, each policy that affects the class of client identified in the first graphical user interface 910 is displayed, to allow the user to view the effect of policy evaluation.
Referring now to FIG. 9B, a screen shot depicts one embodiment of a user interface for interactive evaluation of policies. The first graphical user interface element 910 displays an identification of a client. As depicted in FIG. 9B, the first graphical user interface element 910 displays a client that includes users in a domain, remote users, local users and a sub-category of users referred to as trusted users. In some embodiments, the first graphical user interface element 910 includes an interface element with which a user may identify a characteristic of the at least one client. As depicted in FIG. 9B, the user has indicated that the user wishes to view decisions for the at least one client that satisfies the requirements of the filters "Local Users," "Trend," and "Trusted Users," and the group "Citrite\Domain Users."
The second graphical user interface 920 enumerates at least one resource and displays a result of an application of at least one policy associated with the at least one resource to the at least one client. As shown in FIG. 9B (under the heading "Resource Node"), the displayed enumeration of resources may include, without limitation, local applications, remotely-executing applications, internet or intranet sites, and file shares.
In one embodiment, the display of the result of the application of the at least one policy may include a color-coded display. For example, and as shown in FIG. 9B, the second graphical user interface 920 may visually code, using a first color or pattern (horizontal lines in FIG. 9B), a displayed identification that the application of the policy will result in an allowance of a request for access to a particular resource and the second graphical user interface 920 may color code using a second color (vertical lines in FIG. 9B), a displayed identification that the application of the policy will result in a denial of a request for access to a particular resource.
Referring now to FIG. 9C, a screen shot depicts an embodiment of a user interface for interactive evaluation of policies. As shown in FIG. 9C (under the heading "Resource Node"), the displayed enumeration of resources may include, without limitation, local applications, remotely-executing applications, internet or intranet sites, and file shares.
In one embodiment, and as described in connection with FIG. 9B, the display of the result of the application of the at least one policy may include a color-coded display. For example, and as shown in FIG. 9C, the second graphical user interface 920 may visually code, using a first color or pattern (horizontal lines in FIG. 9C), a displayed identification that the application of the policy will result in a denial of a request for access to a particular resource, and the second graphical user interface 920 may visually code, using a second color or pattern (vertical lines in FIG. 9C), a displayed identification that the application of the policy will result in an indication that insufficient data exists to reach a determination.
In some embodiments an administrator wants to see the effect of a policy on a large number of classes of users. For example, and in one of these embodiments, if users are classified by group, IP address and virus check, then there may be a very large number of potential combinations of classification which might have to be manually checked in order to see the result of any policy change - even if the change affected only one aspect. In another embodiment, using tristate logic may reduce this burden for the administrator. In still another embodiment, using the methods and systems described herein allows an administrator to indicate that they wish to see the effect of policies for users meeting one classification, and to indicate that they wish to see this regardless of whether the user also meets other classifications. This may also be achieved using TriState logic as described above.
For example, and as shown in FIG. 9C, an administrator may indicate that they wish to see: i) the resources available to users who do not meet the 'Trend' classification; and ii) the results if it is unknown whether the user meets the Local Users, Remote Users or AdProd classifications. In response, the tool has indicated that access to all the listed resources is denied, regardless of whether the user meets these other classifications; with the exception of RDP access to /CPS Applications/notepad and /Web Resources/Adtech Sites. For these resources, the user may be permitted access, depending on whether or not they meet one or more of the classifications marked as unknown. The administrator can therefore concentrate his attention on access to these resources, saving considerable time.
In one embodiment, a system for interactive evaluation of access control policies using a graphical user interface includes a first graphical user interface element, a second graphical user interface element, and a policy simulation engine. In another embodiment, the first graphical user interface element displays at least one characteristic associated with at least one client. In still another embodiment, the second graphical user interface element enumerates at least one resource and displays a result of an application of at least one access control policy associated with the at least one resource to the at least one client. In yet another embodiment, the policy simulation engine simulates the application of the at least one access control policy associated with the at least one resource to the at least one client. In some embodiments, a graphical user interface 900 includes the first and second graphical user interface elements. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
In one embodiment, a system for interactive evaluation of auditing policies using a graphical user interface includes a first graphical user interface element, a second graphical user interface element, and a policy simulation engine. In another embodiment, the first graphical user interface element displays at least one characteristic associated with at least one client. In still another embodiment, the second graphical user interface element enumerates at least one resource and displays a result of an application of at least one auditing policy associated with the at least one resource to the at least one client. In yet another embodiment, the policy simulation engine simulates the application of the at least one auditing policy associated with the at least one resource to the at least one client. In some embodiments, a graphical user interface 900 includes the first and second graphical user interface elements. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
In one embodiment, a system for interactive evaluation of caching policies using a graphical user interface includes a first graphical user interface element, a second graphical user interface element, and a policy simulation engine. In another embodiment, the first graphical user interface element displays at least one characteristic associated with at least one client. In still another embodiment, the second graphical user interface element enumerates at least one resource and displays a result of an application of at least one caching policy associated with the at least one resource to the at least one client. In yet another embodiment, the policy simulation engine simulates the application of the at least one caching policy associated with the at least one resource to the at least one client. In some embodiments, a graphical user interface 900 includes the first and second graphical user interface elements. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
In one embodiment, a system for interactive evaluation of load-balancing policies using a graphical user interface includes a first graphical user interface element, a second graphical user interface element, and a policy simulation engine. In another embodiment, the first graphical user interface element displays at least one characteristic associated with at least one client. In still another embodiment, the second graphical user interface element enumerates at least one resource and displays a result of an application of at least one load-balancing policy associated with the at least one resource to the at least one client. In yet another embodiment, the policy simulation engine simulates the application of the at least one load-balancing policy associated with the at least one resource to the at least one client. In some embodiments, a graphical user interface 900 includes the first and second graphical user interface elements. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
In one embodiment, a system for interactive evaluation of access-routing policies using a graphical user interface includes a first graphical user interface element, a second graphical user interface element, and a policy simulation engine. In another embodiment, the first graphical user interface element displays at least one characteristic associated with at least one client. In still another embodiment, the second graphical user interface element enumerates at least one resource and displays a result of an application of at least one access-routing policy associated with the at least one resource to the at least one client. In yet another embodiment, the policy simulation engine simulates the application of the at least one access-routing policy associated with the at least one resource to the at least one client. In some embodiments, a graphical user interface 900 includes the first and second graphical user interface elements. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
In one embodiment, a system for interactive evaluation of fault-detection policies using a graphical user interface includes a first graphical user interface element, a second graphical user interface element, and a policy simulation engine. In another embodiment, the first graphical user interface element displays at least one characteristic associated with at least one resource. In still another embodiment, the second graphical user interface element displays a result of an application of at least one fault-detection policy associated with the at least one resource to the at least one resource. In yet another embodiment, the policy simulation engine simulates the application of the at least one fault-detection policy associated with the at least one resource to the at least one client. In some embodiments, a graphical user interface 900 includes the first and second graphical user interface elements. In other embodiments, the policy simulation engine is a policy simulation engine 702 as described above.
Referring now to FIG. 10, a flow diagram depicts one embodiment of the steps taken in a method for interactive evaluation of policies using a graphical user interface.
The method includes the step of displaying an identification of at least one resource (step 1002). The method includes the step of receiving an identification of a characteristic of at least one client requesting access to the at least one resource (step 1004). The method includes the step of displaying a result of applying at least one policy associated with the at least one resource to the at least one client requesting access to the at least one resource, responsive to the received identification of the characteristic of the at least one client (step 1006).
In some embodiments, an administrator maintains policies for a large number of classes of user. For example, and in one of these embodiments, if rules are specified depending on user groups, internet protocol (IP) address range and virus protection level, then the number of classes of user will be (no. of available user groups) times (no. of IP address ranges used in policies) times (no. of available virus protection levels). In another of these embodiments, an interactive tool makes use of tri-state logic in applying policies to classes of users, allowing administrators to manage the vast amount of information. In still another of these embodiments, the interactive tool reduces the number of different resource classes that must be considered - rather than using static classes of resources, the interactive tool dynamically classifies resources depending on the permitted access for a particular class of users to keep the amount of information to be displayed to a minimum.
Referring now to FIG. 10, and in greater detail, an identification of at least one resource is enumerated (step 1002). In one embodiment, the graphical user interface element 900 displays the identification of the at least one resource. In another embodiment, the graphical user interface element 910 displays a plurality of resources over which a user has administrative control. In still another embodiment, the identification of the at least one resource is retrieved from a configuration file identifying available resources.
In some embodiments, at least one category of clients is displayed. In one embodiment, the graphical user interface 900 displays the at least one category of clients. In another embodiment, a user interacts with the graphical user interface 910 to add a category of clients to a display. In still another embodiment, the graphical user interface 910 displays a plurality of categories of clients. In yet another embodiment, clients are categorized according to characteristics including, but not limited to, internet protocol addresses, operating system types, applications executed on the client, types of internet access available to the clients, and authorization levels of the clients (trusted, untrusted, etc.).
An identification of a characteristic of at least one client requesting access to the at least one resource is received (step 1006). In one embodiment, an identification of a type of operating system executed on the at least one client is received. In another embodiment, an identification of a type of application executed on the at least one client is received. In still another embodiment, an identification of a group in which the at least one client is a member is received. In yet another embodiment, an identification of a range of internet protocol addresses associated with the at least one client is received.
In some embodiments, a characteristic of a client includes an indication as to whether or not to consider that characteristic of the client in evaluating policies. In one of these embodiments, for example, as opposed to identifying a characteristic such as a range of IP addresses or a kind of operating system executed by a client, a user may indicate that the policy simulation engine should take the characteristic into consideration in simulating an application of a policy to the client. In another of these embodiments, the user may indicate that the policy simulation engine should not take the characteristic into consideration in simulating an application of a policy to the client -for example, if a policy includes a filter requiring that the client have a particular characteristic, the user may indicate that the policy simulation engine should attempt to simulate an application of a policy without determining whether the filter is satisfied.
In some embodiments, a characteristic of at least one client considered in evaluating policies is the negation of another characteristic - for example, a characteristic may indicate that the at least one client is not a member of a group (e.g., "a User not in Sales"). In other embodiments, a user of the system may choose not to specify certain characteristics even if those characteristics were identified by the tool or are used in one or more policies.
In one embodiment, the characteristic of the client is an indication that the client, or a characteristic of the client, satisfies a requirement of a filter. In another embodiment, the characteristic of the client is an indication that the client, or a characteristic of the client, does not satisfy a requirement of a filter.
In some embodiments, the policy simulation engine identifies a characteristic that may be associated with the at least one client. In one of these embodiments, the graphical user interface displays the characteristic identified by the policy simulation engine. In another of these embodiments, the graphical user interface receives, from a user, confirmation that the characteristic identified by the policy simulation engine is associated with the at least one client. In still another of these embodiments, the graphical user interface receives, from a user, an indication that the characteristic identified by the policy simulation engine is not associated with the at least one client.
In one embodiment, a determination is made as to whether at least one policy applies to the at least one client, responsive to the received identification of the characteristic. In another embodiment, an indication that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client is displayed. In still another embodiment, a determination is made that at least one policy applies to the at least one client, responsive to the received identification of the characteristic. In some embodiments, at least one policy associated with the at least one resource is displayed.
A result of applying at least one policy associated with the at least one resource to the at least one client requesting access to the at least one resource is displayed, responsive to the received identification of the characteristic of the at least one client (step 1008). In one embodiment, the graphical user interface 900 displays an indication that the application of the at least one policy results in a denial of access to the at least one resource by the at least one client. In another embodiment, the graphical user interface 900 displays an identification of a requirement not satisfied by the at least one client. In still another embodiment, the graphical user interface 900 displays an indication that the application of the at least one policy results in an authorization of access to the at least one resource by the at least one client. In still even another embodiment, the graphical user interface 900 displays an identification of a requirement satisfied by the at least one client. In yet another embodiment, the graphical user interface 900 displays an indication that the application of the at least one policy results in a request for additional information associated with the at least one client.
Referring now to FIG. 11, a flow diagram depicts one embodiment of the steps taken in a method for interactive evaluation of policies using a graphical user interface.
The method includes the step of displaying an identification of at least one resource (step 1102). The method includes the step of receiving an identification of a characteristic of the at least one client requesting access to the at least one resource (step 1104). The method includes the step of determining whether at least one policy applies to the at least one client, responsive to the received identification of the characteristic (step 1106). The method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client (step 1108).
Referring now to FIG. 11, and in greater detail, an identification of at least one resource is displayed (step 1102). In one embodiment, the graphical user interface element 900 displays the at least one resource. In another embodiment, the graphical user interface element 910 displays a plurality of resources over which a user has administrative control. In still another embodiment, the identification of the at least one resource is retrieved from a configuration file identifying available resources.
In some embodiments, an identification of at least one client is displayed. In one embodiment, the graphical user interface 900 displays the at least one client. In another embodiment, a user interacts with the graphical user interface 910 to add a client to a display. In still another embodiment, the graphical user interface 910 displays a plurality of categories of clients. In yet another embodiment, clients are categorized according to characteristics including, but not limited to, internet protocol addresses, operating system types, applications executed on the client, types of internet access available to the clients, and authorization levels of the clients (trusted, untrusted, etc.).
An identification of a characteristic of the at least one client requesting access to the at least one resource is received (step 1104). In one embodiment, an identification of a type of operating system executed on the at least one client is received. In another embodiment, an identification of a type of application executed on the at least one client is received. In still another embodiment, an identification of a group in which the at least one client is a member is received. In yet another embodiment, an identification of a range of internet protocol addresses associated with the at least one client is received.
In some embodiments, the policy simulation engine identifies a characteristic that may be associated with the at least one client. In one of these embodiments, the graphical user interface displays the characteristic identified by the policy simulation engine. In another of these embodiments, the graphical user interface receives, from a user, confirmation that the characteristic identified by the policy simulation engine is associated with the at least one client. In still another of these embodiments, the graphical user interface receives, from a user, an indication that the characteristic identified by the policy simulation engine is not associated with the at least one client. In yet another of these embodiments, the graphical user interface receives, from a user, an indication that a negation of the characteristic identified by the policy simulation engine is associated with the at least one client.
A determination is made as to whether at least one policy applies to the at least one client, responsive to the received identification of the characteristic (step 1106). In one embodiment, a determination is made that at least one policy applies to the at least one client, responsive to the received identification of the characteristic.
In another embodiment, a determination is made that at least one policy does not apply to the at least one client, responsive to the received identification of the characteristic.
In still another embodiment, a determination is made that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client.
In one embodiment, there is a plurality of conditions associated with a plurality of classifications of users. For example, in a scenario where there are three conditions (A, B, and C) used to classify users, there are eight sets of user classifications possible (None, A only, B only, C only, A and B, B and C, A and C, and all three). In some embodiments, and in many administrative scenarios, there are dozens of conditions evaluated to generate many more classifications of users. In one of these embodiments, the interactive tool uses tristate logic (as described above in connection with FIG. 9C) to limit the number of classifications that an administrator must consider in evaluating policies. In another of these embodiments, the tool allows an administrator to indicate that they do not know whether a user satisfies one of a plurality of characteristics; for example, the tool would allow an administrator to view, in a single classification, the access permitted to a user who meets filter A regardless of whether they meet filter B and/or C, rather than having to look separately at "A only", "A and B", "A and C" and "A, B and C".
In some embodiments, when tristate logic is used, it is not always possible to give a yes/no answer as to whether access to a resource will be permitted. For example, in one of these embodiments, if a resource has a single policy indicating that access is allowed provided that conditions A and B are both met, then for the classification "A is true, B and C unknown" it is not possible to indicate whether access will or will not be permitted. In another of these embodiments, to handle this situation, the graphical user interface may display a response including a 'Maybe' answer. In still another of these embodiments, this is sufficient to indicate to an administrator that they have the option of examining a particular scenario more carefully if they require additional detail.
An indication is displayed that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client (step 1108). In one embodiment, the graphical user interface 900 displays an indication that the application of the at least one policy results in a request for additional information associated with the at least one client. In another embodiment, the graphical user interface 900 displays an identification of a requirement satisfied by the at least one client. In still another embodiment, the graphical user interface 900 displays an identification of a requirement not satisfied by the at least one client.
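The tristate evaluation discussed above, worked through as an added example in Python. This is not code from the patent or its assignee: the filter encoding (a conjunction of clauses, each clause a disjunction of characteristic tests, with "!X" as negation), the Allow / Deny / Maybe labels and the function names `evaluate`, `decide`, `required_characteristics` and `covered` are assumptions made for the demo. `decide` gives the yes / no / 'Maybe' answer for a classification in which some characteristics are unknown, `required_characteristics` gives the step-1108 indication of which further characteristic would settle a 'Maybe', and `covered` lists the fully specified classifications that one tristate classification stands for.

```python
"""Tristate evaluation of a filter against a partially known client.

Added example, not code from the patent. A filter is a conjunction of
clauses, each clause a disjunction of characteristic tests ("!X" negates
characteristic X). A client classification maps characteristics to True,
False or None (unknown); an absent characteristic counts as unknown.
All names and the encoding are assumptions made for this demo.
"""
from itertools import product
from typing import Dict, List, Optional

Tri = Optional[bool]          # True, False, or None for "unknown"
Filter = List[List[str]]      # AND over clauses, OR within a clause


def _literal(lit: str, cls: Dict[str, Tri]) -> Tri:
    neg = lit.startswith("!")
    name = lit[1:] if neg else lit
    v = cls.get(name)
    if v is None:
        return None               # unknown stays unknown, negated or not
    return (not v) if neg else v


def _or(vals) -> Tri:
    vals = list(vals)
    if any(v is True for v in vals):
        return True               # one true disjunct decides the clause
    if all(v is False for v in vals):
        return False
    return None                   # undecided until an unknown is identified


def _and(vals) -> Tri:
    vals = list(vals)
    if any(v is False for v in vals):
        return False              # one false clause decides the filter
    if all(v is True for v in vals):
        return True
    return None


def evaluate(f: Filter, cls: Dict[str, Tri]) -> Tri:
    return _and(_or(_literal(lit, cls) for lit in clause) for clause in f)


def decide(f: Filter, cls: Dict[str, Tri]) -> str:
    """The answer the simulator would display for this classification."""
    return {True: "Allow", False: "Deny", None: "Maybe"}[evaluate(f, cls)]


def required_characteristics(f: Filter, cls: Dict[str, Tri]) -> List[str]:
    """Unknown characteristics whose identification could settle a Maybe.

    Only characteristics in clauses that are still undecided are listed;
    an already-decided filter needs nothing further.
    """
    if evaluate(f, cls) is not None:
        return []
    needed: List[str] = []
    for clause in f:
        if _or(_literal(lit, cls) for lit in clause) is None:
            for lit in clause:
                name = lit.lstrip("!")
                if cls.get(name) is None and name not in needed:
                    needed.append(name)
    return needed


def covered(cls: Dict[str, Tri], conditions: List[str]) -> List[Dict[str, bool]]:
    """The fully specified classifications one tristate classification stands for."""
    unknown = [c for c in conditions if cls.get(c) is None]
    known = {c: cls[c] for c in conditions if cls.get(c) is not None}
    return [dict(known, **dict(zip(unknown, bits)))
            for bits in product([False, True], repeat=len(unknown))]


if __name__ == "__main__":
    policy = [["A"], ["B"]]                  # access allowed when A and B both hold
    print(decide(policy, {"A": True}))       # B is unknown, so the answer is Maybe
    print(required_characteristics(policy, {"A": True}))
    print(len(covered({"A": True}, ["A", "B", "C"])))   # 4 of the 8 classifications
```

Two caveats a practitioner would want. First, the 'Maybe' is conservative: a filter such as `[["A"], ["!A"]]` evaluates to Maybe while A is unknown even though every fully specified classification it covers is denied, which is exactly the case where the administrator's option to examine the scenario in more detail matters. Second, `required_characteristics` only names characteristics in still-open clauses, so for the "A true, B and C unknown" case it asks about B alone; C never influences this policy and is correctly left out.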
As described above, the methods and systems described herein provide functionality allowing users, such as administrators, to interactively evaluate a wide variety of policies using a graphical user interface. In some embodiments, the policy is an access control policy; for example, FIGs. 9B-9C depict some embodiments of scenarios involving the use of access control policies. In other embodiments, however, the graphical user interface displays a result of applying other policies.
In one embodiment, a method for interactive evaluation of auditing policies using a graphical user interface includes the step of displaying at least one client. In another embodiment, the method includes the step of displaying an identification of at least one resource. In still another embodiment, the method includes the step of receiving an identification of a characteristic of the at least one client requesting access to the at least one resource. In yet another embodiment, the method includes the step of displaying a result of applying at least one auditing policy associated with the at least one resource to the at least one client requesting access to the at least one resource, responsive to the received identification of the characteristic of the at least one client. In some embodiments, the method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one auditing policy applies to the at least one client.
In one embodiment, a method for interactive evaluation of caching policies using a graphical user interface includes the step of displaying at least one client. In another embodiment, the method includes the step of displaying an identification of at least one resource. In still another embodiment, the method includes the step of receiving an identification of a characteristic of the at least one client requesting access to the at least one resource. In yet another embodiment, the method includes the step of displaying a result of applying at least one caching policy associated with the at least one resource to the at least one client requesting access to the at least one resource, responsive to the received identification of the characteristic of the at least one client. In some embodiments, the method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one caching policy applies to the at least one client.
In one embodiment, a method for interactive evaluation of access control policies using a graphical user interface includes the step of displaying at least one client. In another embodiment, the method includes the step of displaying an identification of at least one resource. In still another embodiment, the method includes the step of receiving an identification of a characteristic of the at least one client requesting access to the at least one resource. In yet another embodiment, the method includes the step of displaying a result of applying at least one access control policy associated with the at least one resource to the at least one client requesting access to the at least one resource, responsive to the received identification of the characteristic of the at least one client. In some embodiments, the method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one access control policy applies to the at least one client.
In one embodiment, a method for interactive evaluation of load-balancing policies using a graphical user interface includes the step of displaying at least one client. In another embodiment, the method includes the step of displaying an identification of at least one resource. In still another embodiment, the method includes the step of receiving an identification of a characteristic of the at least one client requesting access to the at least one resource. In yet another embodiment, the method includes the step of displaying a result of applying at least one load-balancing policy associated with the at least one resource to the at least one client requesting access to the at least one resource, responsive to the received identification of the characteristic of the at least one client. In some embodiments, the method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one load-balancing policy applies to the at least one client.
In one embodiment, a method for interactive evaluation of access-routing policies using a graphical user interface includes the step of displaying at least one client. In another embodiment, the method includes the step of displaying an identification of at least one resource. In still another embodiment, the method includes the step of receiving an identification of a characteristic of the at least one client requesting access to the at least one resource. In yet another embodiment, the method includes the step of displaying a result of applying at least one access-routing policy associated with the at least one resource to the at least one client requesting access to the at least one resource, responsive to the received identification of the characteristic of the at least one client. In some embodiments, the method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one access-routing policy applies to the at least one client.
In one embodiment, a method for interactive evaluation of fault-detection policies using a graphical user interface includes the step of displaying at least one category of resources. In another embodiment, the method includes the step of receiving an identification of a characteristic of the at least one resource. In still another embodiment, the method includes the step of displaying a result of applying at least one fault-detection policy associated with the at least one resource to the at least one resource, responsive to the received identification of the characteristic of the at least one resource. In some embodiments, the method includes the step of displaying an indication that a second identification of a second characteristic is required to determine whether the at least one fault-detection policy applies to the at least one resource.
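The access-routing policy evaluation described above, and the prioritized rule-and-filter routing method set out in the claims later on this page, worked through as an added example in Python. This is not code from the patent or its assignee: the `Client`, `Server` and `Rule` types, the method labels "stream" and "presentation", the subnets, server names and rule names are all assumptions made for the demo. The engine walks rules from highest priority down; a rule is skipped when the client fails its filter, when the client cannot use the rule's access method, or when the rule's server cannot provide the resource that way, and the next lower-priority rule is tried. `trace` returns the per-rule outcome that an interactive simulator would display alongside the decision.

```python
"""Access routing with prioritized rules.

Added example, not code from the patent or its assignee. A rule carries a
priority, a filter of pre-requisites the client must satisfy, an access
method and a server. All names, subnets and method labels are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Client:
    ip: str
    os: str
    antivirus: bool               # whether the specified anti-virus program runs
    methods: FrozenSet[str]       # access methods the client software supports


@dataclass(frozen=True)
class Server:
    name: str
    methods: FrozenSet[str]       # access methods this server can provide
    resources: FrozenSet[str]     # resources available on this server


@dataclass(frozen=True)
class Rule:
    priority: int                      # higher priority is tried first
    name: str
    filter: Callable[[Client], bool]   # pre-requisites the client must satisfy
    method: str
    server: Server


def _reject_reason(rule: Rule, client: Client, resource: str) -> Optional[str]:
    """None when the rule applies; otherwise the reason it is skipped."""
    if not rule.filter(client):
        return "pre-requisite not met"
    if rule.method not in client.methods:
        return "client cannot use method " + rule.method
    if rule.method not in rule.server.methods or resource not in rule.server.resources:
        return "server %s cannot provide %s via %s" % (rule.server.name, resource, rule.method)
    return None


def route(rules: List[Rule], client: Client, resource: str) -> Optional[Tuple[str, str, str]]:
    """First applicable rule in priority order as (rule, method, server), else None."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if _reject_reason(rule, client, resource) is None:
            return (rule.name, rule.method, rule.server.name)
    return None


def trace(rules: List[Rule], client: Client, resource: str) -> List[Tuple[str, str]]:
    """Per-rule outcome in evaluation order, stopping at the rule that applies."""
    out = []
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        reason = _reject_reason(rule, client, resource)
        out.append((rule.name, "applies" if reason is None else reason))
        if reason is None:
            break
    return out


# ---- constructed sample deployment (assumption, for the demo only) ----
CORP_NET = ipaddress.ip_network("10.0.0.0/8")


def on_corp_net(c: Client) -> bool:
    return ipaddress.ip_address(c.ip) in CORP_NET


STREAM_01 = Server("stream-01", frozenset({"stream"}), frozenset({"app"}))
HOSTED_01 = Server("hosted-01", frozenset({"presentation"}), frozenset({"app", "db-app"}))
DMZ_01 = Server("dmz-01", frozenset({"presentation"}), frozenset({"app"}))

RULES = [
    # stream the resource to corporate Windows clients running the anti-virus program
    Rule(30, "corp-stream", lambda c: on_corp_net(c) and c.os == "Windows" and c.antivirus,
         "stream", STREAM_01),
    # otherwise execute it server-side for any client on the corporate network
    Rule(20, "corp-hosted", on_corp_net, "presentation", HOSTED_01),
    # lowest priority: hosted access from the DMZ for any client at all
    Rule(10, "external-hosted", lambda c: True, "presentation", DMZ_01),
]

BOTH = frozenset({"stream", "presentation"})
CORP_FULL = Client("10.1.2.3", "Windows", True, BOTH)
CORP_NO_AV = Client("10.1.2.4", "Windows", False, BOTH)
CORP_NO_STREAMER = Client("10.1.2.5", "Windows", True, frozenset({"presentation"}))
EXTERNAL = Client("203.0.113.5", "Windows", True, BOTH)

if __name__ == "__main__":
    for c in (CORP_FULL, CORP_NO_AV, CORP_NO_STREAMER, EXTERNAL):
        print(c.ip, route(RULES, c, "app"), trace(RULES, c, "app"))
    print("db-app for", CORP_FULL.ip, route(RULES, CORP_FULL, "db-app"))
```

The three skip conditions map onto the three ways the claims describe a higher-priority rule failing: `CORP_NO_AV` fails the filter, `CORP_NO_STREAMER` satisfies the filter but lacks the streaming client, and `CORP_FULL` asking for `db-app` satisfies both but the streaming server does not host that resource. In every case the engine falls through to the next rule rather than denying outright, which is why the lowest-priority catch-all rule decides what an unmatched client ultimately gets; when auditing such a configuration, that catch-all is the rule to scrutinize first.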
The systems and methods described above may be provided as one or more computer-readable programs embodied on or in one or more articles of manufacture. The article of manufacture may be a floppy disk, a hard disk, a CD-ROM, a flash memory card, a PROM, a RAM, a ROM, or a magnetic tape. In general, the computer-readable programs may be implemented in any programming language, such as LISP, PERL, C, C++, PROLOG, or any byte code language such as JAVA. The software programs may be stored on or in one or more articles of manufacture as object code.
Having described certain embodiments of methods and systems for dynamic generation of complex filters using a graphical user interface and for interactive policy evaluation, access routing and resource mapping using filters, it will now become apparent to one of skill in the art that other embodiments incorporating the concepts of the disclosure may be used. Therefore, the disclosure should not be limited to certain embodiments, but rather should be limited only by the spirit and scope of the following claims.
Claims (197)
1. A method for dynamic generation of filters using a graphical user interface, the method comprising the steps of:
(a) describing a first clause of a filter in a first graphical user interface element;
(b) describing at least one of: i) a conjunctive clause of the filter in a second graphical user interface element, and ii) a disjunctive sub-clause of the first clause of the filter in the first graphical user interface element; and
(c) generating a filter responsive to the contents of the first graphical user interface element and the second graphical user interface element.
2. The method of claim 1, wherein step (a) further comprises describing the first clause of the filter, the first clause comprising a second filter.
3. The method of claim 1, wherein step (a) further comprises receiving the description of the first clause from a user via a third graphical user interface element.
4. The method of claim 1, wherein step (a) further comprises describing the first clause of the filter using a non-algebraic language.
5. The method of claim 1, wherein step (b) comprises describing at least one of: i) a disjunctive clause of the filter in a second graphical user interface element, and ii) a conjunctive sub-clause of the first clause of the filter in the first graphical user interface element.
6. The method of claim 1, wherein step (b) further comprises describing a conjunctive clause of the filter using a non-algebraic language.
7. The method of claim 1, wherein step (b) further comprises describing a disjunctive sub-clause of the first clause of the filter using a non-algebraic language.
8. The method of claim 1, wherein step (b) further comprises describing a disjunctive sub-clause of the one or more disjunctive sub-clauses.
9. The method of claim 1, wherein step (b) further comprises describing a conjunctive sub-clause of the disjunctive sub-clause.
10. The method of claim 1, wherein step (b) further comprises describing a disjunctive sub-clause of the conjunctive clause.
11. The method of claim 1, wherein step (b) further comprises describing a plurality of conjunctive clauses of the filter.
12. The method of claim 11, further comprising the step of generating a graphical user interface element for each conjunctive clause in the plurality of conjunctive clauses, the generated graphical user interface element comprising a description of the conjunctive clause.
13. The method of claim 1, wherein step (b) further comprises describing a second filter as a disjunctive sub-clause of the first clause of the filter.
14. The method of claim 1, wherein step (b) further comprises describing a second filter as a disjunctive sub-clause of the conjunctive clause of the filter.
15. The method of claim 1, wherein step (c) further comprises describing the filter using a non-algebraic language.
16. The method of claim 1 further comprising the step of modifying a clause in the filter by using at least a third graphical user interface element to modify a description of the modified clause.
17. The method of claim 16, wherein the step of modifying a clause further comprises converting a conjunctive clause of the clause to a disjunctive clause.
18. The method of claim 17, wherein the step of modifying a clause further comprises adding the description of the modified clause into the first graphical user interface element and deleting the description of the modified clause from the second graphical user interface element.
19. The method of claim 16, wherein the step of modifying a clause further comprises converting a disjunctive clause of the first clause to a conjunctive clause.
20. The method of claim 19, wherein the step of modifying a clause further comprises the steps of:
i. generating a new graphical user interface element,
ii. adding the description of the modified clause into the generated graphical user interface element, and
iii. deleting the description of the modified clause from the first graphical user interface element.
21. A system for dynamic generation of filters using a graphical user interface, the system comprising:
a graphical user interface element comprising a description of a first clause of a filter;
one of: i) a second graphical user interface element comprising a description of at least one conjunctive clause of the filter, and ii) a description in the first graphical user interface element of a disjunctive sub-clause of the first clause of the filter; and
a filter generated responsive to the contents of the first graphical user interface element and the second graphical user interface element.
22. The system of claim 21, wherein the first graphical user interface element further comprises a text box displaying the description of the first clause of the filter.
23. The system of claim 21, wherein the first graphical user interface element further comprises a description of a first clause of a filter, the first clause comprising a second filter.
24. The system of claim 21, wherein the first graphical user interface element further comprises a text box displaying a filter name associated with the description of the first clause of the filter.
25. The system of claim 21, wherein the first graphical user interface element further comprises a text box displaying a name associated with a first category of access control tests.
26. The system of claim 21, wherein the first graphical user interface element further comprises a text box displaying a description of a disjunctive sub-clause of the first clause of the filter.
27. The system of claim 21, wherein the first graphical user interface element further comprises a text box displaying a filter name associated with the description of the disjunctive sub-clause of the first clause of the filter.
28. The system of claim 21, wherein the second graphical user interface element further comprises a text box displaying the description of the conjunctive clause of the filter.
29. The system of claim 21, wherein the second graphical user interface element further comprises a text box displaying a filter name associated with the description of the conjunctive clause of the filter.
30. The system of claim 21, wherein the second graphical user interface element further comprises a text box displaying a filter name associated with a second category of access control tests.
31. The system of claim 21, wherein the system further comprises one of: i) a second graphical user interface element comprising a description of at least one disjunctive clause of the filter, and ii) a description in the first graphical user interface element of a conjunctive sub-clause of the first clause of the filter.
32. A method for access routing and resource mapping using filters, the method comprising the steps of:
(a) receiving a request from a client for access to a resource;
(b) identifying a rule having a rule priority level and associated with: i) a filter, ii) at least one method for providing access to the resource, and iii) a server in a plurality of servers;
(c) applying the filter, the filter identifying at least one pre-requisite to accessing the resource;
(d) determining that the client satisfies the at least one pre-requisite, responsive to applying the filter;
(e) determining whether to provide access to the resource to the client by the server in the plurality of servers according to the at least one method for providing access to the resource; and
(f) providing, by the server in the plurality of servers, access to the resource for the client according to the at least one method for providing access to the resource.
33. The method of claim 32, wherein step (b) further comprises associating the rule with a method for providing access to the resource by streaming the resource to the client.
34. The method of claim 32, wherein step (b) further comprises associating the rule with a method for providing access to the resource by transmitting application-output data to the client using a presentation layer protocol.
35. The method of claim 32, wherein step (b) further comprises associating the rule with a method for providing access to the resource by executing the resource on a virtual machine executing on the server in the plurality of servers and transmitting application-output data to the client from the virtual machine using a presentation layer protocol.
36. The method of claim 32, wherein step (c) further comprises applying the filter to information associated with the client.
37. The method of claim 32, wherein step (c) further comprises applying the filter to information associated with a user of the client.
38. The method of claim 32, wherein step (d) further comprises determining that the client executes a specified anti-virus program.
39. The method of claim 32, wherein step (d) further comprises determining that the client is associated with a network address in a specified range of network addresses.
40. The method of claim 32, wherein step (d) further comprises determining that the client executes a specified operating system program.
41. The method of claim 32, wherein step (e) further comprises determining that the client is able to use the method for providing access specified by the rule.
42. The method of claim 32, wherein step (e) further comprises determining that the server in the plurality of servers identified by the rule is able to provide the resource to the client via the at least one method for providing access.
43. The method of claim 32, wherein step (f) comprises identifying a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second method for providing access to the resource and associated with a second server in the plurality of servers.
44. The method of claim 43, wherein step (e) further comprises determining that the client fails to satisfy the at least one pre-requisite, responsive to applying the filter.
45. The method of claim 43, wherein step (e) further comprises determining that the client is unable to use the at least one method for providing access specified by the rule.
46. The method of claim 43, wherein step (e) further comprises determining that the server in the plurality of servers identified by the rule is unable to provide the resource to the client via the at least one method for providing access.
47. The method of claim 43, wherein step (f) comprises identifying a second rule having a lower rule priority level than the first rule priority level, the second rule associated with the at least one method for providing access to the resource and associated with a second server in the plurality of servers.
48. The method of claim 43, wherein step (f) comprises identifying a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second method for providing access to the resource and associated with the server in the plurality of servers.
49. The method of claim 43 further comprising the steps of:
(g) determining whether to provide access to the resource to the client by the second server in the plurality of servers according to the second method for providing access to the resource; and
(h) providing, by the second server in the plurality of servers, access to the resource according to the second method for providing access.
50. The method of claim 49, wherein step (g) further comprises applying a second filter.
51. The method of claim 49, wherein step (g) further comprises determining whether to provide access to the resource to the client by the second server in the plurality of servers according to the at least one method for providing access to the resource.
52. The method of claim 51, wherein step (h) further comprises providing, by the second server in the plurality of servers, access to the resource according to the at least one method for providing access.
53. The method of claim 32, wherein step (f) comprises identifying a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second filter, a second method for providing access to the resource, and a second server in the plurality of servers.
54. The method of claim 53, wherein step (e) further comprises determining that the client fails to satisfy the at least one pre-requisite, responsive to applying the filter.
55. The method of claim 53, wherein step (e) further comprises determining that the client is unable to use the method for providing access specified by the rule.
56. The method of claim 53, wherein step (e) further comprises determining that the server in the plurality of servers identified by the rule is unable to provide the resource to the client via the first method for providing access.
57. The method of claim 53, wherein step (f) comprises identifying a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second filter, the at least one method for providing access to the resource and a second server in the plurality of servers.
58. The method of claim 53, wherein step (f) comprises identifying a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second filter, a second method for providing access to the resource and the server in the plurality of servers.
59. The method of claim 53 further comprising the steps of:
(g) determining that the client satisfies at least one pre-requisite associated with the second filter, responsive to an application of the second filter;
(h) determining whether to provide access to the resource to the client by the second server in the plurality of servers according to the second method for providing access to the resource; and
(i) providing, by the second server in the plurality of servers, access to the resource according to the second method for providing access.
60. The method of claim 59, wherein step (h) further comprises determining that the client is able to use the second method for providing access specified by the second rule.
61. The method of claim 59, wherein step (h) further comprises determining that the second server in the plurality of servers identified by the rule is able to provide the resource to the client via the at least one method for providing access.
62. The method of claim 59, wherein step (h) further comprises determining whether to provide access to the resource to the client by the server in the plurality of servers according to a second method for providing access to the resource.
63. The method of claim 59, wherein step (h) further comprises determining whether to provide access to the resource to the client by the second server in the plurality of servers according to the at least one method for providing access to the resource.
64. The method of claim 63, wherein step (i) further comprises providing, by the second server in the plurality of servers, access to the resource according to the at least one method for providing access.
65. A system for access routing and resource mapping using filters comprising:
a rule having a first rule priority level and comprising:
an identification of a filter identifying at least one pre-requisite to accessing the resource, an identification of at least one method for providing access to a resource, and an identification of a server in a plurality of servers;
a policy engine comprising means for identifying the rule, means for applying the filter to a client requesting access to the resource, means for determining that the client satisfies the at least one pre-requisite, responsive to applying the filter, and means for determining whether to provide access to the resource to the client by the server in the plurality of servers according to the at least one method for providing access to the resource; wherein the server in the plurality of servers provides access to the resource according to the at least one method for providing access.
66. The system of claim 65, wherein the rule further comprises an identification of a filter identifying a pre-requisite specifying a network address range required for access to the resource.
67. The system of claim 65, wherein the rule further comprises an identification of a filter identifying a pre-requisite specifying an operating system type required for access to the resource.
68. The system of claim 65, wherein the rule further comprises an identification of a filter identifying a pre-requisite specifying an application type required for access to the resource.
69. The system of claim 65, wherein the rule further comprises an identification of a method for providing access to a resource by streaming the resource to the client.
70. The system of claim 65, wherein the rule further comprises an identification of a method for providing access to a resource by executing the resource on a server in the plurality of servers and transmitting application-output data to the client using a presentation layer protocol.
71. The system of claim 65, wherein the rule further comprises an identification of a method for providing access to a resource by executing the resource on a virtual machine executing on a server in the plurality of servers and transmitting application-output data to the client using a presentation layer protocol.
72. The system of claim 65, wherein the rule further comprises an identification of a server in a plurality of servers, the server providing access to the resource.
73. The system of claim 65, wherein the policy engine further comprises means for identifying a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second method for providing access to the resource and a second server in the plurality of servers, means for determining whether to provide access to the resource to the client by the second server in the plurality of servers according to the second method for providing access to the resource; wherein the second server in the plurality of servers provides access to the resource according to the second method for providing access.
74. The system of claim 65, wherein the policy engine further comprises means for identifying a second rule having a lower rule priority level than the first rule priority level, the second rule associated with a second filter, a second method for providing access to the resource, and a second server in the plurality of servers, means for determining that the client satisfies at least one pre-requisite associated with the second filter, responsive to an application of the second filter, and means for determining whether to provide access to the resource to the client by the second server in the plurality of servers according to the second method for providing access to the resource; wherein the second server in the plurality of servers provides access to the resource according to the second method for providing access.
75. A method for interactive policy evaluation using dynamically generated interactive resultant sets of policies, the method comprising the steps of:
(a) receiving, by a graphical user interface, at least one of:
i. a description of a client requesting access to a resource,
ii. a description of the resource, and
iii. a description of a method of access requested by the client;
(b) displaying, by the graphical user interface, at least one policy applicable to the at least one received description; and
(c) displaying, by the graphical user interface, a decision made by applying the at least one policy to the at least one received description.
76. The method of claim 75, wherein step (a) further comprises receiving, by the graphical user interface, in the description of the client, a user identifier.
77. The method of claim 75, wherein step (a) further comprises receiving, by the graphical user interface, in the description of the client, a client internet protocol (IP) address.
78. The method of claim 75, wherein step (a) further comprises receiving, by the graphical user interface, in the description of the client, an identification of a virus-checking program on the client.
79. The method of claim 75, wherein step (a) further comprises receiving, by the graphical user interface, in the description of the client, a time of day.
80. The method of claim 75, wherein step (a) further comprises receiving, by the graphical user interface, in the description of the resource, an identifier of the resource.
81. The method of claim 75, wherein step (a) further comprises receiving, by the graphical user interface, in the description of the resource, an identification of a property of the resource.
82. The method of claim 75, wherein step (a) further comprises receiving, by the graphical user interface, in the description of the resource, a file type of the resource.
83. The method of claim 75, wherein step (a) further comprises receiving, by the graphical user interface, in the description of the resource, an identification of a server on which the resource resides.
84. The method of claim 75, wherein step (a) further comprises receiving, by the graphical user interface, in the description of the resource, an identification of an operating system executed by a server on which the resource resides.
85. The method of claim 75, wherein step (a) further comprises retrieving, from a database, a configuration file identifying a file type of the resource.
86. The method of claim 75, wherein step (a) further comprises retrieving, from a database, a configuration file identifying a server on which the resource resides.
87. The method of claim 75, wherein step (a) further comprises retrieving, from a database, a configuration file identifying an operating system executed by a server on which the resource resides.
88. The method of claim 75, wherein step (a) further comprises retrieving, from a database, a configuration file storing the description of the client.
89. The method of claim 75, wherein step (a) further comprises receiving, by the graphical user interface, in the description of the requested method of access, a description of a request to retrieve the resource.
90. The method of claim 75, wherein step (a) further comprises receiving, by the graphical user interface, in the description of the requested method of access, a description of a request to remotely access the resource.
91. The method of claim 75, wherein step (a) further comprises receiving, by the graphical user interface, in the description of the requested method of access, a description of a presentation layer protocol.
92. The method of claim 75, wherein step (a) further comprises receiving, by the graphical user interface, in the description of the requested method of access, a description of a type of client agent.
93. The method of claim 75, wherein step (b) further comprises displaying, by the graphical user interface, a graphical user interface element displaying the at least one policy applicable to the at least one received description.
94. The method of claim 75, wherein step (b) further comprises receiving a request for information associated with the at least one policy.
95. The method of claim 75, further comprising the step of displaying at least one filter associated with the at least one policy.
96. The method of claim 95, further comprising the step of receiving a modification to the at least one filter.
97. The method of claim 96, wherein step (c) further comprises displaying, by the graphical user interface, a decision identified by the modified filter.
98. The method of claim 96 further comprising the step of determining, responsive to the modification, not to apply the applicable at least one policy to the received description.
99. The method of claim 96 further comprising the step of determining, responsive to the modification, to apply at least one inapplicable policy to the received description.
100. The method of claim 75 further comprising the step of receiving a modification to the at least one policy.
101. The method of claim 100, wherein step (c) further comprises displaying, by the graphical user interface, a decision identified by the modified policy.
102. The method of claim 100 further comprising the step of determining, responsive to the modification, not to apply the applicable at least one policy to the received description.
103. The method of claim 102 further comprising the step of determining, responsive to the modification, to apply at least one inapplicable policy to the received description.
104. The method of claim 75 further comprising the step of receiving a modification of the description of the user.
105. The method of claim 104, wherein step (c) further comprises displaying, by the graphical user interface, a decision identified by an application of the at least one policy to the modified user.
106. The method of claim 75 further comprising the step of receiving a modification of the description of the requested resource.
107. The method of claim 106, wherein step (c) further comprises displaying, by the graphical user interface, a decision identified by an application of the at least one policy to the modified resource.
108. The method of claim 75, wherein step (c) further comprises displaying a resultant set associated with the application of the at least one policy to the received description.
109. The method of claim 75, wherein step (c) further comprises displaying, by the graphical user interface, an access control decision made by applying the at least one policy to the at least one received description.
110. The method of claim 75, wherein step (c) further comprises displaying, by the graphical user interface, a load balancing decision made by applying the at least one policy to the at least one received description.
111. The method of claim 75, wherein step (c) further comprises displaying, by the graphical user interface, a caching decision made by applying the at least one policy to the at least one received description.
112. The method of claim 75, wherein step (c) further comprises displaying, by the graphical user interface, an auditing decision made by applying the at least one policy to the at least one received description.
113. The method of claim 75 further comprising the step of simulating, by a policy simulation engine, an application of the at least one policy to the received description.
114. The method of claim 75 further comprising the step of transmitting, by a policy simulation engine, to the graphical user interface, the access control decision.
115. A system for interactive policy evaluation using dynamically generated interactive resultant sets of policies, the system comprising:
a graphical user interface receiving at least one of:
i. a description of a client requesting access to a resource,
ii. a description of the resource, and
iii. a description of a method of access requested by the client;
an interactive element in the graphical user interface displaying at least one policy applicable to the at least one received description; and
a second element in the graphical user interface displaying a decision made by applying the at least one policy to the at least one received description.
116. The system of claim 115, wherein the graphical user interface further comprises a text box element displaying the received description of the client requesting access to the resource.
117. The system of claim 115, wherein the graphical user interface further comprises a text box element displaying the received description of the resource.
118. The system of claim 115, wherein the graphical user interface further comprises a text box element displaying the received description of the method of access requested by the client.
119. The system of claim 115, wherein the graphical user interface further comprises a user interface element for entering the description of the client.
120. The system of claim 115, wherein the user interface element further comprises one of a text box, a drop-down menu, and a graphical depiction of a directory structure.
121. The system of claim 115, wherein the graphical user interface further comprises a user interface element for entering the description of the resource.
122. The system of claim 117, wherein the user interface element further comprises one of a text box, an element enumerating available resources, an element enumerating Uniform Resource Locators associated with available resources, a drop-down menu, and a graphical depiction of a directory structure.
123. The system of claim 115, wherein the graphical user interface further comprises a user interface element for entering the description of the method of access.
124. The system of claim 123, wherein the user interface element further comprises one of a text box, an element enumerating available methods of access, and a drop-down menu.
125. The system of claim 115, wherein the interactive element displays at least one policy applicable to the client request responsive to the received description.
126. The system of claim 115, wherein the graphical user interface further comprises a text box element receiving, from a user of the graphical user interface, the description.
127. The system of claim 115, wherein the second element displays a second decision made by applying a second policy to a second received description.
128. The system of claim 115 further comprising a policy simulation engine simulating an application of the at least one policy to the received description.
129. The system of claim 115, wherein the second element displays an access control decision made by applying the at least one policy to the at least one received description.
130. The system of claim 115, wherein the second element displays an auditing decision made by applying the at least one policy to the at least one received description.
131. The system of claim 115, wherein the second element displays a load balancing decision made by applying the at least one policy to the at least one received description.
132. The system of claim 115, wherein the second element displays a caching decision made by applying the at least one policy to the at least one received description.
133. A method for interactive evaluation of policies using a graphical user interface, the method comprising the steps of:
(a) enumerating an identification of at least one resource;
(b) receiving an identification of a characteristic of at least one client requesting access to the at least one resource; and
(c) displaying a result of applying at least one policy associated with the at least one resource to the at least one client requesting access to the at least one resource, responsive to the received identification of the characteristic of the at least one client.
134. The method of claim 133 further comprising the step of displaying at least one policy associated with the at least one resource.
135. The method of claim 133 further comprising the step of receiving an identification of a filter in the at least one policy, the filter satisfied by the at least one client.
136. The method of claim 133 further comprising the step of receiving an identification of a filter in the at least one policy, the filter not satisfied by the at least one client.
137. The method of claim 133 further comprising the step of identifying, by a policy simulation engine, a characteristic of the at least one client responsive to an evaluation of at least one filter in the at least one policy.
138. The method of claim 133, wherein step (b) further comprises receiving an identification of a type of operating system executed on the at least one client.
139. The method of claim 133, wherein step (b) further comprises receiving an identification of a type of application executed on the at least one client.
140. The method of claim 133, wherein step (b) further comprises receiving an identification of a group in which the at least one client is a member.
141. The method of claim 133, wherein step (b) further comprises receiving an identification of a range of internet protocol addresses associated with the at least one client.
142. The method of claim 133 further comprising the step of determining whether at least one policy applies to the at least one client, responsive to the received identification of the characteristic.
143. The method of claim 142, wherein step (c) further comprises displaying an indication that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client.
144. The method of claim 142 further comprising the step of determining that at least one policy applies to the at least one client, responsive to the received identification of the characteristic.
145. The method of claim 133, wherein step (c) further comprises displaying, by the graphical user interface, an indication that the application of the at least one policy results in a denial of access to the at least one resource by the at least one client.
146. The method of claim 133, wherein step (c) further comprises displaying an identification of a requirement not satisfied by the at least one client.
147. The method of claim 133, wherein step (c) further comprises displaying, by the graphical user interface, an indication that the application of the at least one policy results in an authorization of access to the at least one resource by the at least one client.
148. The method of claim 133, wherein step (c) further comprises displaying an identification of a requirement satisfied by the at least one client.
149. The method of claim 133, wherein step (c) further comprises displaying, by the graphical user interface, an indication that the application of the at least one policy results in a request for additional information associated with the at least one client.
150. The method of claim 133, wherein step (c) further comprises displaying, by the graphical user interface, a result of applying an access control policy to the at least one client.
151. The method of claim 133, wherein step (c) further comprises displaying, by the graphical user interface, a result of applying an auditing policy to the at least one client.
152. The method of claim 133, wherein step (c) further comprises displaying, by the graphical user interface, a result of applying a caching policy to the at least one client.
153. The method of claim 133, wherein step (c) further comprises displaying, by the graphical user interface, a result of applying a load balancing policy to the at least one client.
154. The method of claim 133 further comprising the step of simulating, by a policy simulation engine, an application of the at least one policy associated with the at least one resource to the at least one client requesting access to the at least one resource.
155. A method for interactive evaluation of policies using a graphical user interface, the method comprising the steps of:
(a) displaying an identification of at least one resource;
(b) receiving an identification of a characteristic of at least one client requesting access to the at least one resource;
(c) determining whether at least one policy applies to the at least one client, responsive to the received identification of the characteristic; and
(d) displaying an indication that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client.
156. The method of claim 155 further comprising the step of receiving an identification of a filter in the at least one policy, the filter satisfied by the at least one client.
157. The method of claim 155 further comprising the step of receiving an identification of a filter in the at least one policy, the filter not satisfied by the at least one client.
158. The method of claim 155 further comprising the step of identifying, by a policy simulation engine, a characteristic of the at least one client responsive to an evaluation of at least one filter in the at least one policy.
159. The method of claim 155, wherein step (b) further comprises receiving an identification of a type of operating system executed on the at least one client.
160. The method of claim 155, wherein step (b) further comprises receiving an identification of a type of application executed on the at least one client.
161. The method of claim 155, wherein step (b) further comprises receiving an identification of a group in which the at least one client is a member.
162. The method of claim 155, wherein step (c) further comprises determining that at least one policy applies to the at least one client, responsive to the received identification of the characteristic.
163. The method of claim 155, wherein step (c) further comprises determining that at least one policy does not apply to the at least one client, responsive to the received identification of the characteristic.
164. The method of claim 155, wherein step (c) further comprises determining that a second identification of a second characteristic is required to determine whether the at least one policy applies to the at least one client.
165. The method of claim 155, wherein step (c) further comprises determining whether at least one access control policy applies to the at least one client, responsive to the received identification of the characteristic.
166. The method of claim 155, wherein step (c) further comprises determining whether at least one auditing policy applies to the at least one client, responsive to the received identification of the characteristic.
167. The method of claim 155, wherein step (c) further comprises determining whether at least one caching policy applies to the at least one client, responsive to the received identification of the characteristic.
168. The method of claim 155, wherein step (c) further comprises determining whether at least one load-balancing policy applies to the at least one client, responsive to the received identification of the characteristic.
169. The method of claim 155, wherein step (d) further comprises displaying, by the graphical user interface, an indication that the application of the at least one policy results in a request for additional information associated with the at least one client.
170. The method of claim 155, wherein step (d) further comprises displaying an identification of a requirement satisfied by the at least one client.
171. The method of claim 155, wherein step (d) further comprises displaying an identification of a requirement not satisfied by the at least one client.
172. The method of claim 155, wherein step (d) further comprises displaying an indication that a second identification of a second characteristic is required to determine whether at least one access control policy applies to the at least one client.
173. The method of claim 155, wherein step (d) further comprises displaying an indication that a second identification of a second characteristic is required to determine whether at least one auditing policy applies to the at least one client.
174. The method of claim 155, wherein step (d) further comprises displaying an indication that a second identification of a second characteristic is required to determine whether at least one caching policy applies to the at least one client.
175. The method of claim 155, wherein step (d) further comprises displaying an indication that a second identification of a second characteristic is required to determine whether at least one load-balancing policy applies to the at least one client.
176. The method of claim 155 further comprising the step of receiving, from a policy simulation engine, the indication that the second identification of the second characteristic is required to determine whether the at least one policy applies to the at least one client.
177. A system for interactive evaluation of policies using a graphical user interface, the system comprising:
a first graphical user interface element enumerating at least one resource;
and a second graphical user interface element receiving an identification of a characteristic of at least one client and displaying a result of an application of at least one policy associated with the at least one resource to the at least one client, the at least one policy applied responsive to the received identification of the characteristic.
178. The system of claim 177, wherein the first graphical user interface element further comprises a display of a characteristic of the at least one client.
179. The system of claim 177, wherein the first graphical user interface element further comprises a display of an identification of a type of anti-virus program executed by the at least one client.
180. The system of claim 177, wherein the first graphical user interface element further comprises a display of an identification of a type of operating system executed by the at least one client.
181. The system of claim 177, wherein the first graphical user interface element further comprises a display of an identification of a type of application executed by the at least one client.
182. The system of claim 177, wherein the first graphical user interface element further comprises a display of an internet protocol (IP) address range, the at least one client assigned an IP address in the IP address range.
183. The system of claim 177, wherein the first graphical user interface element further comprises an interface element for receiving an identification of at least one characteristic of the at least one client.
184. The system of claim 177, wherein the second graphical user interface element further comprises an interface element displaying the at least one policy.
185. The system of claim 177, wherein the second graphical user interface element further comprises an interface element displaying a requirement of the at least one policy.
186. The system of claim 177, wherein the second graphical user interface element further comprises an interface element displaying a filter of the at least one policy.
187. The system of claim 177, wherein the second graphical user interface element further comprises an interface element indicating that an application of the at least one policy to the at least one client results in a denial of access to the at least one resource by the at least one client.
188. The system of claim 177, wherein the second graphical user interface element further comprises an interface element indicating that an application of the at least one policy to the at least one client results in an allowance of access to the at least one resource by the at least one client.
189. The system of claim 177, wherein the second graphical user interface element further comprises an interface element indicating that additional information associated with the at least one client is needed to identify a result of an application of the at least one policy to the at least one client.
190. The system of claim 177, wherein the second graphical user interface element further comprises an interface element displaying a result of applying an access control policy to the at least one client.
191. The system of claim 177, wherein the second graphical user interface element further comprises an interface element displaying a result of applying an auditing policy to the at least one client.
192. The system of claim 177, wherein the second graphical user interface element further comprises an interface element displaying a result of applying a caching policy to the at least one client.
193. The system of claim 177, wherein the second graphical user interface element further comprises an interface element displaying a result of applying a load-balancing policy to the at least one client.
194. The system of claim 177 further comprising a policy simulation engine generating the result of the application of the at least one policy associated with the at least one resource to the at least one client.
195. The system of claim 177 further comprising a graphical user interface element receiving an identification of a filter in the at least one policy, the filter satisfied by the at least one client.
196. The system of claim 177 further comprising a graphical user interface element receiving an identification of a filter in the at least one policy, the filter not satisfied by the at least one client.
197. The system of claim 177 further comprising a graphical user interface element receiving, by a policy simulation engine, a characteristic of the at least one client responsive to an evaluation of at least one filter in the at least one policy.
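The access-routing claims above (65 to 74) describe a policy engine that walks rules in priority order, where each rule carries a filter of pre-requisites (a network address range, an operating system type, an application or agent type), a method for providing access (streaming, or server-side execution delivered over a presentation layer protocol) and a server, and falls through to a lower-priority rule when a higher one does not apply. The interactive-evaluation claims (133 to 176) add that evaluating a client description may yield not only an allow or deny decision with the requirements satisfied or not satisfied, but also an indication that a further client characteristic is required before any policy can be decided. The Python below is an added worked example written for this page, not code from the patent or its assignee; the attribute names (`ip`, `os`, `agent`), the rule set, the hostnames and the priority numbering (higher value evaluated first) are constructed assumptions.

```python
"""Added example (not the patent's own code): a prioritized policy engine that
evaluates access-routing rules against a possibly incomplete client description.
Every rule, attribute name, hostname and value here is constructed for
illustration.  Evaluation yields ALLOW with the chosen method and server, DENY
with the requirements the client failed, or UNDETERMINED naming the client
characteristic that must still be supplied."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List, Optional

ALLOW, DENY, UNDETERMINED = "allow", "deny", "undetermined"


@dataclass(frozen=True)
class Prerequisite:
    attribute: str               # client characteristic the test reads
    test: Callable[[Any], bool]  # predicate over that characteristic
    label: str                   # requirement text shown to the operator


@dataclass
class Rule:
    priority: int                      # higher value = evaluated first (assumption)
    prerequisites: List[Prerequisite]  # the rule's filter
    method: str                        # e.g. "stream" or "remote-execute"
    server: str                        # server that provides the resource


@dataclass
class Decision:
    outcome: str
    rule: Optional[Rule] = None
    satisfied: List[str] = field(default_factory=list)
    unsatisfied: List[str] = field(default_factory=list)
    missing: List[str] = field(default_factory=list)


def apply_filter(rule: Rule, client: Dict[str, Any]):
    """Classify each pre-requisite as satisfied, unsatisfied, or undecidable
    because the client description lacks the characteristic it reads."""
    satisfied, unsatisfied, missing = [], [], []
    for p in rule.prerequisites:
        if p.attribute not in client:
            missing.append(p.attribute)
        elif p.test(client[p.attribute]):
            satisfied.append(p.label)
        else:
            unsatisfied.append(p.label)
    return satisfied, unsatisfied, missing


def evaluate(rules: List[Rule], client: Dict[str, Any]) -> Decision:
    """Walk the rules from highest to lowest priority.

    A rule with an unsatisfied pre-requisite definitely does not apply, so
    evaluation falls through to the next lower-priority rule.  The first rule
    whose filter is fully satisfied selects the access method and server.
    A rule that is neither satisfied nor excluded (a characteristic it needs is
    absent from the description) stops evaluation with UNDETERMINED, because a
    lower rule must not be chosen before the higher one can be decided."""
    failed: List[str] = []
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        satisfied, unsatisfied, missing = apply_filter(rule, client)
        if unsatisfied:
            failed.extend(unsatisfied)
            continue
        if missing:
            return Decision(UNDETERMINED, rule, satisfied, [], missing)
        return Decision(ALLOW, rule, satisfied)
    # No rule applies: report each failed requirement once, in rule order.
    return Decision(DENY, unsatisfied=list(dict.fromkeys(failed)))


def in_network(cidr: str) -> Callable[[str], bool]:
    net = ip_network(cidr)
    return lambda addr: ip_address(addr) in net


# Constructed sample pre-requisites and rules (illustrative values only).
ON_CORPORATE_LAN = Prerequisite("ip", in_network("10.0.0.0/8"), "client address in 10.0.0.0/8")
RUNS_WINDOWS = Prerequisite("os", lambda v: v == "windows", "operating system is windows")
HAS_MANAGED_AGENT = Prerequisite("agent", lambda v: v == "managed-agent", "client agent is managed-agent")

RULES = [
    # Highest priority: stream the resource to LAN clients running the agent.
    Rule(20, [ON_CORPORATE_LAN, RUNS_WINDOWS, HAS_MANAGED_AGENT], "stream", "stream-01.example.internal"),
    # Fallback: any LAN client gets server-side execution over a presentation layer protocol.
    Rule(10, [ON_CORPORATE_LAN], "remote-execute", "app-01.example.internal"),
]


if __name__ == "__main__":
    # Four constructed client descriptions, one per path the engine can take.
    for desc in (
        {"ip": "10.1.2.3", "os": "windows", "agent": "managed-agent"},
        {"ip": "10.1.2.3", "os": "linux"},
        {"ip": "10.1.2.3", "os": "windows"},
        {"ip": "192.168.1.5", "os": "windows", "agent": "managed-agent"},
    ):
        d = evaluate(RULES, desc)
        print(desc, "->", d.outcome, d.rule.method if d.rule else "", d.missing or d.unsatisfied)
```

The three-valued result is the part worth copying into a real simulator: a rule that fails a known check is skipped, but a rule that cannot be decided blocks the fallback, so the operator is asked for the missing characteristic rather than being shown a lower-priority decision that the full description might overturn.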
Applications Claiming Priority (9)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/769,893 US20090007021A1 (en) | 2007-06-28 | 2007-06-28 | Methods and systems for dynamic generation of filters using a graphical user interface |
US11/769,896 | 2007-06-28 | ||
US11/769,893 | 2007-06-28 | ||
US11/769,896 US20090006618A1 (en) | 2007-06-28 | 2007-06-28 | Methods and systems for access routing and resource mapping using filters |
US12/147,022 US8561148B2 (en) | 2008-06-26 | 2008-06-26 | Methods and systems for interactive evaluation using dynamically generated, interactive resultant sets of policies |
US12/147,022 | 2008-06-26 | ||
US12/147,029 | 2008-06-26 | ||
US12/147,029 US8775944B2 (en) | 2008-06-26 | 2008-06-26 | Methods and systems for interactive evaluation of policies |
PCT/US2008/068490 WO2009006260A2 (en) | 2007-06-28 | 2008-06-27 | Methods and systems for interactive policy evaluation, access routing, and resource mapping using filters and for dynamic generation of filters |
Publications (1)
Publication Number | Publication Date |
---|---|
CA2688271A1 true CA2688271A1 (en) | 2009-01-08 |
Family
ID=40120255
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA2688271A Abandoned CA2688271A1 (en) | 2007-06-28 | 2008-06-27 | Methods and systems for interactive policy evaluation, access routing, and resource mapping using filters and for dynamic generation of filters |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP2160679A2 (en) |
AU (1) | AU2008270598A1 (en) |
CA (1) | CA2688271A1 (en) |
IL (1) | IL202672A0 (en) |
WO (1) | WO2009006260A2 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9519799B2 (en) | 2009-06-01 | 2016-12-13 | Koninklijke Philips N.V. | Dynamic determination of access rights |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1109116A1 (en) * | 1999-12-14 | 2001-06-20 | Sun Microsystems, Inc. | Method for visually filtering a database |
NZ537794A (en) * | 2001-01-26 | 2005-03-24 | Bridicum Security Group As | System for providing services and virtual programming interface |
NZ527660A (en) * | 2001-01-26 | 2005-03-24 | Bridicum Security Group As | System for providing services and virtual programming interface |
US8135815B2 (en) * | 2001-03-27 | 2012-03-13 | Redseal Systems, Inc. | Method and apparatus for network wide policy-based analysis of configurations of devices |
US20070061125A1 (en) * | 2005-08-12 | 2007-03-15 | Bhatt Sandeep N | Enterprise environment analysis |
2008
- 2008-06-27 CA CA2688271A patent/CA2688271A1/en not_active Abandoned
- 2008-06-27 WO PCT/US2008/068490 patent/WO2009006260A2/en active Application Filing
- 2008-06-27 AU AU2008270598A patent/AU2008270598A1/en not_active Abandoned
- 2008-06-27 EP EP08781057A patent/EP2160679A2/en not_active Ceased
2009
- 2009-12-10 IL IL202672A patent/IL202672A0/en unknown
Also Published As
Publication number | Publication date |
---|---|
EP2160679A2 (en) | 2010-03-10 |
WO2009006260A2 (en) | 2009-01-08 |
IL202672A0 (en) | 2010-06-30 |
AU2008270598A1 (en) | 2009-01-08 |
WO2009006260A9 (en) | 2009-11-05 |
Similar Documents
Publication | Title |
---|---|
US9430636B2 (en) | Methods and systems for interactive evaluation using dynamically generated, interactive resultant sets of policies |
US8775944B2 (en) | Methods and systems for interactive evaluation of policies |
US20090007021A1 (en) | Methods and systems for dynamic generation of filters using a graphical user interface |
US10592683B1 (en) | Applying an authorization policy across multiple application programs with requests submitted through an HTTP-based API |
US9152401B2 (en) | Methods and systems for generating and delivering an interactive application delivery store |
US20090006618A1 (en) | Methods and systems for access routing and resource mapping using filters |
US9219739B2 (en) | Reputation based access control |
US10303892B1 (en) | Viewing protected documents in a web browser |
US20200089892A1 (en) | Policy-based user device security checks |
US8181222B2 (en) | Locally adaptable central security management in a heterogeneous network environment |
US7516477B2 (en) | Method and system for ensuring that computer programs are trustworthy |
US9401931B2 (en) | Method and system for dynamically associating access rights with a resource |
CN107563203B (en) | Integrated security policy and event management |
US7308702B1 (en) | Locally adaptable central security management in a heterogeneous network environment |
US6345361B1 (en) | Directional set operations for permission based security in a computer system |
TWI336043B (en) | Delegated administration of a hosted resource |
US11645423B1 (en) | Method and apparatus for distributing policies for authorizing APIs |
Kritikos et al. | Towards a security-enhanced PaaS platform for multi-cloud applications |
US9043218B2 (en) | Rule compliance using a configuration database |
JP4848430B2 (en) | Virtual role |
US8904391B2 (en) | Policy-based access control approach to staff activities of a business process |
US20060288401A1 (en) | System and method for generating a Java policy file for Eclipse plug-ins |
Anupam et al. | Secure web scripting |
KR20060128598A (en) | Method and system for membership determination through script |
CA2688271A1 (en) | Methods and systems for interactive policy evaluation, access routing, and resource mapping using filters and for dynamic generation of filters |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| FZDE | Discontinued | |