Patents by Inventor Mark Falco

Mark Falco has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20120297056
    Abstract: A centralized resource distribution is described where the decision portion of partitioning data among cluster nodes is made centralized while the actual mechanics to implement the partitioning remain a distributed algorithm. A central distribution coordinator is used to create an extensible central strategy that controls how the data will be partitioned across the cluster. The work to implement this strategy is performed by all of the members individually and asynchronously, in accordance with a distributed algorithm. The central strategy can be communicated to all cluster members and each member can perform the partitioning as it relates to itself. For example, in accordance with the distributed algorithm, one node may decide that it needs to obtain a particular partition in light of the central strategy and carry out the necessary steps to obtain that data, while other nodes may be asynchronously performing other individual partition transfers relevant to those particular nodes.
    Type: Application
    Filed: September 21, 2011
    Publication date: November 22, 2012
    Applicant: ORACLE INTERNATIONAL CORPORATION
    Inventors: Robert Lee, Gene Gleyzer, Mark Falco, Cameron Purdy
  • Publication number: 20120198455
    Abstract: A system and method is described for use with a data grid cluster, for supporting service level quorum in the data grid cluster. The data grid cluster includes a plurality of cluster nodes that support performing at least one service action. A quorum policy, defined in a cache configuration file associated with the data grid cluster, can specify a minimum number of service members that are required in the data grid cluster for performing the service action. The data grid cluster uses the quorum policy to determine whether the service action is allowed to be performed, based on a present state of the plurality of cluster nodes in the data grid cluster.
    Type: Application
    Filed: January 17, 2012
    Publication date: August 2, 2012
    Applicant: ORACLE INTERNATIONAL CORPORATION
    Inventors: Robert H. Lee, Mark Falco, Gene Gleyzer, Cameron Purdy
  • Publication number: 20120197822
    Abstract: A system and method is described for use with a data grid cluster, which uses cluster quorum to prevent a split brain scenario. The data grid cluster includes a plurality of cluster nodes, each of which runs a cluster service. Each cluster service collects and maintains statistics regarding communication flow between its cluster node and the other cluster nodes in the data grid cluster. The statistics are used to determine a status associated with other cluster nodes in the data grid cluster whenever a disconnect event happens. The data grid cluster is associated with a quorum policy, which is defined in a cache configuration file, and which specifies a time period that a cluster node will wait before making a decision on whether or not to evict one or more cluster nodes from the data grid cluster.
    Type: Application
    Filed: January 17, 2012
    Publication date: August 2, 2012
    Applicant: ORACLE INTERNATIONAL CORPORATION
    Inventors: Robert H. Lee, Mark Falco, Gene Gleyzer, Cameron Purdy
  • Publication number: 20120198055
    Abstract: A system and method is described for use with a data grid cluster to support death detection. A network ring is formed by connecting a plurality of process nodes in the data grid, wherein each node in the network ring watches another node. A death of a first process node in the network ring can be detected by a second process node, when the second process node notices that its connection to the first process node has closed. The first process node then informs other process cluster nodes in the network ring that the first node is dead. In accordance with an embodiment, machine level death detection can also be supported in the data grid cluster by using an Internet Protocol (IP) monitor.
    Type: Application
    Filed: January 17, 2012
    Publication date: August 2, 2012
    Applicant: ORACLE INTERNATIONAL CORPORATION
    Inventors: Mark Falco, Robert H. Lee, Harvey Eneman, Gene Gleyzer, Cameron Purdy, Alex Gleyzer
  • Patent number: 7644432
    Abstract: A computer-implemented system and method for policy inheritance, comprising, defining a first group wherein the first group refers to at least one of: a user and a group different from the first group, defining a second group wherein the second group is nested within the first group, defining a first policy wherein the first policy includes a resource, a subject and one of, an action and a role, and wherein the subject includes the first group, inheriting the first policy by the second group, wherein the resource is part of a resource hierarchy, and wherein the first policy can be used to control access to the resource.
    Type: Grant
    Filed: October 8, 2004
    Date of Patent: January 5, 2010
    Assignee: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth D. Yagen, Mingde Xu, Jason Howes, Mark A. Falco, Richard J. Riendeau
  • Patent number: 7603547
    Abstract: A system for distributing information from a first process to one or more security service modules. The system comprises a remote interface, capable of accepting first information from the first process, and a provisioning service provider (PSP) coupled to the remote interface. The PSP can obtain the first information from the remote interface, and also can provide second information to a local interface. The second information is based on the first information and is tailored for the one or more security service modules. The local interface can provide the second information to the one or more security service modules and the one or more security service modules can accept the second information and perform at least one of the following: adjust a configuration of the one or more security service modules to reflect the second information, and protect access to at least one resource based on the second information.
    Type: Grant
    Filed: October 8, 2004
    Date of Patent: October 13, 2009
    Assignee: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth D. Yagen, Mingde Xu, Jason Howes, Mark A. Falco, Richard J. Riendeau
  • Patent number: 7603548
    Abstract: A method for providing a security provider for a client comprises providing a service provider interface, that is compatible with a security framework layer, and one or more services. The one or more services include at least one of, authentication, authorization, auditing, role mapping and credential mapping. The one or more services can be exposed through the service provider interface and the framework layer can expose the one or more services to an application program interface.
    Type: Grant
    Filed: October 8, 2004
    Date of Patent: October 13, 2009
    Assignee: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth D. Yagen, Mingde Xu, Jason Howes, Mark A. Falco, Richard J. Riendeau
  • Patent number: 7594112
    Abstract: A system and method comprising the steps of, delegating a capability from a first user to a second user, propagating information that includes evidence of the delegation to a plurality of security service modules, wherein each one of the plurality of security service modules is capable of protecting one or more resources, providing the evidence to a first security service module belonging to the plurality of security service modules, enforcing the delegation when the second user attempts to access a resource in the one or more resources wherein the resource is protected by the first security service module, and wherein the enforcement is carried out by the first security service module.
    Type: Grant
    Filed: October 8, 2004
    Date of Patent: September 22, 2009
    Assignee: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth D. Yagen, Mingde Xu, Jason Howes, Mark A. Falco, Richard J. Riendeau
  • Patent number: 7594224
    Abstract: A system and method for distributed enterprise security, comprising, a server operable to update information, wherein the information can include one or more of a policy and configuration information, a security control module (SCM) operable to accept the information, at least one security service module (SSM) operable to accept the information from the SCM, and wherein the information accepted by the SCM is relevant to one or more of the at least one SSMs.
    Type: Grant
    Filed: October 8, 2004
    Date of Patent: September 22, 2009
    Assignee: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth D. Yagen, Mingde Xu, Jason Howes, Mark A. Falco, Richard J. Riendeau
  • Publication number: 20050262362
    Abstract: A memory for storing data for access by an application program being executed on a computer system, comprising, a data structure stored in said memory, said data structure including, a name attribute wherein the name identifies an action or a role, a resource attribute wherein the resource attribute specifies a resource in a hierarchy of resources and determines a scope for the name attribute, a subject attribute wherein the subject attribute specifies at least one of, a user and group, and wherein the application program accesses the memory through an interface that is part of a security service module.
    Type: Application
    Filed: October 8, 2004
    Publication date: November 24, 2005
    Applicant: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth Yagen, Mingde Xu, Jason Howes, Mark Falco, Richard Riendeau
  • Publication number: 20050257245
    Abstract: A system and method for distributed enterprise security, comprising, a security control module (SCM) operable to accept information, wherein the information includes one or more policies, at least one security service module (SSM) operable to accept the information from the SCM, a role mapping module coupled to the at least one SSM, wherein the role mapping module is operable to map a user to at least one role based on the information, and wherein the information accepted by the SCM is relevant to the at least one SSM.
    Type: Application
    Filed: October 8, 2004
    Publication date: November 17, 2005
    Applicant: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth Yagen, Mingde Xu, Jason Howes, Mark Falco, Richard Riendeau
  • Publication number: 20050251852
    Abstract: A system and method for a distributed enterprise security, comprising, a first process capable of providing a second set of information derived from a first set of information, wherein the first set of information includes one or more of: a policy and configuration information, a security control module (SCM) capable of accepting the second set of information wherein the second set of information only includes information from the first set of information that is relevant to the SCM and wherein the SCM is capable of providing a third set of information wherein the third set of information is derived from the second set of information, a security service module (SSM) capable of accepting the third set of information from the SCM wherein the third set of information only includes information from the second set of information that is relevant to the SSM, wherein the SSM is capable of controlling access to one or more resources based on the third set of information, and wherein the SSM is capable of configuring
    Type: Application
    Filed: October 8, 2004
    Publication date: November 10, 2005
    Applicant: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth Yagen, Mingde Xu, Jason Howes, Mark Falco, Richard Riendeau
  • Publication number: 20050251851
    Abstract: A system and method for distributing security information, comprising, a remote interface capable of accepting the information from a distributor wherein the information includes at least one of: policy information and configuration information, a local interface capable of providing the information to at least one services layer, wherein the at least one services layer includes at least one security provider, and wherein the at least one services layer can dynamically configure the at least one security provider based on the information.
    Type: Application
    Filed: October 8, 2004
    Publication date: November 10, 2005
    Applicant: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth Yagen, Mingde Xu, Jason Howes, Mark Falco, Richard Riendeau
  • Publication number: 20050102510
    Abstract: A method for delegating enterprise security capabilities, comprising, providing a capability for a first user, wherein the capability can be expressed as a policy, delegating the capability from the first user to a second user, wherein the second user is allowed to have the capability only at times when the first user is allowed to have the capability, and wherein the delegated capability is propagated in a distributed enterprise security system.
    Type: Application
    Filed: October 8, 2004
    Publication date: May 12, 2005
    Applicant: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth Yagen, Mingde Xu, Jason Howes, Mark Falco, Richard Riendeau
  • Publication number: 20050102535
    Abstract: A system and method for distributed enterprise security, comprising, a security control module (SCM) operable to accept information, wherein the information includes one or more of: a policy and configuration information, at least one security service module (SSM) operable to accept the information from the SCM, at least one security service provider coupled to the at least one SSM, wherein the at least one security service provider is capable of at least one of, authentication of a user, determining if access to a resource is permitted based on the information, auditing of a security decision, and mapping an authenticated identity to a set of credentials to be used to authenticate a target resource, and wherein the information accepted by the SCM is relevant to one or more of the at least one SSMs.
    Type: Application
    Filed: October 8, 2004
    Publication date: May 12, 2005
    Applicant: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth Yagen, Mingde Xu, Jason Howes, Mark Falco, Richard Riendeau
  • Publication number: 20050102536
    Abstract: A system and method for a configurable distributed security system, comprising, a security service module capable of dynamically instantiating one or more plugin security provider modules, the one or more security provider modules are coupled to the security service module wherein the one or more security provider modules are capable of responding to one or more changes in configuration information, a first process capable of modifying the configuration information, wherein the security service module is capable of accepting at least one of, security information and the configuration information, and wherein the security service module is capable of controlling access to one or more resources based on the security information.
    Type: Application
    Filed: October 8, 2004
    Publication date: May 12, 2005
    Applicant: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth Yagen, Mingde Xu, Jason Howes, Mark Falco, Richard Riendeau
  • Publication number: 20050102401
    Abstract: A system and method for a distributed system for controlling access to a first resource in a hierarchy of resources, comprising, a distributor located on a first server and capable of distributing to a second server a first policy for the first resource, a security service module (SSM) located on the second server and capable of managing based on the first policy conditions for access to at least one of: the first resource and a second resource that is hierarchically inferior to the first resource, and wherein the first policy can be overridden by a second policy wherein the second policy specifies conditions for access for a resource that is hierarchically inferior to the first resource.
    Type: Application
    Filed: October 8, 2004
    Publication date: May 12, 2005
    Applicant: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth Yagen, Mingde Xu, Jason Howes, Mark Falco, Richard Riendeau
  • Publication number: 20050097353
    Abstract: A method for searching a first set of policies, comprising, accessing the first set of policies wherein each policy in the first set of policies includes the following policy components, a resource, a subject, and one of an action and a role name, and wherein the subject includes at least one of, a user and a group, specifying one or more search criteria wherein the one or more search criteria includes one or more values for policy components and wherein the one or more values can include one or more wild cards, finding in the first set of policies a second set of policies that satisfy the one or more search criteria, and wherein a policy can be used to control access to a resource.
    Type: Application
    Filed: October 8, 2004
    Publication date: May 5, 2005
    Applicant: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth Yagen, Mingde Xu, Jason Howes, Mark Falco, Richard Riendeau
  • Publication number: 20050097351
    Abstract: A method for providing a security provider for a client, said method comprising, providing a service provider interface that is compatible with a security framework layer, providing one or more services wherein the one or more services include at least one of, authentication, authorization, auditing, role mapping and credential mapping, exposing the one or more services through the service provider interface, and wherein the framework layer exposes the one or more services to an application program interface.
    Type: Application
    Filed: October 8, 2004
    Publication date: May 5, 2005
    Applicant: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth Yagen, Mingde Xu, Jason Howes, Mark Falco, Richard Riendeau
  • Publication number: 20050097352
    Abstract: A system and method for a dynamically configurable security system, comprising, a process having one or more resources to be protected, and a security service module coupled to the process, one or more plugin security provider modules that are compatible with and extend the security service module, wherein the security service module is capable of receiving security information updates, and wherein the security service module is capable of controlling access to the one or more resources based on the security information updates through the use of the one or more plugin security provider modules.
    Type: Application
    Filed: October 8, 2004
    Publication date: May 5, 2005
    Applicant: BEA Systems, Inc.
    Inventors: Paul Patrick, David Byrne, Kenneth Yagen, Mingde Xu, Jason Howes, Mark Falco, Richard Riendeau