Abstract: A memory for storing data for access by an application program being executed on a computer system, comprising, a data structure stored in said memory, said data structure including, a name attribute wherein the name identifies an action or a role, a resource attribute wherein the resource attribute specifies a resource in a hierarchy of resources and determines a scope for the name attribute, a subject attribute wherein the subject attribute specifies at least one of, a user and group, and wherein the application program accesses the memory through an interface that is part of a security service module.

Abstract: A system and method for distributed enterprise security, comprising, a security control module (SCM) operable to accept information, wherein the information includes one or more policies, at least one security service module (SSM) operable to accept the information from the SCM, a role mapping module coupled to the at least one SSM, wherein the role mapping module is operable to map a user to at least one role based on the information, and wherein the information accepted by the SCM is relevant to the at least one SSM.

Abstract: A system and method for a distributed enterprise security, comprising, a first process capable of providing a second set of information derived from a first set of information, wherein the first set of information includes one or more of: a policy and configuration information, a security control module (SCM) capable of accepting the second set of information wherein the second set of information only includes information from the first set of information that is relevant to the SCM and wherein the SCM is capable of providing a third set of information wherein the third set of information is derived from the second set of information, a security service module (SSM) capable of accepting the third set of information from the SCM wherein the third set of information only includes information from the second set of information that is relevant to the SSM, wherein the SSM is capable of controlling access to one or more resources based on the third set of information, and wherein the SSM is capable of configuring

Abstract: A system and method for distributing security information, comprising, a remote interface capable of accepting the information from a distributor wherein the information includes at least one of: policy information and configuration information, a local interface capable of providing the information to at least one services layer, wherein the at least one services layer includes at least one security provider, and wherein the at least one services layer can dynamically configure the at least one security provider based on the information.

Abstract: A system and method distributed enterprise security, comprising, a security control module (SCM) operable to accept information, wherein the information include one or more of: a policy and configuration information at least one security service module (SSM) operable to accept the information from SCM at least one security service providers coupled to the at least one SSM, wherein the at least one security service providers is cable of at least one of, authentication of a user, determining if access to a resource is permitted based on the information, auditing of a security decision, and mapping an authenticated identity to a set of credentials to be used to authenticate a target resource, and wherein the information accepted by the SCM is relevant to one or more of the at least one SSMs.

Abstract: A method for delegating enterprise security capabilities, comprising, providing a capability for a first user, wherein the capability can be expressed as a policy, delegating the capability from the first user to a second user, wherein the second user is allowed to have the capability only at times when the first user is allowed to have the capability, and wherein the delegated capability is propagated in a distributed enterprise security system.

Abstract: A system and method for a configurable distributed security system, comprising, a security service module capable of dynamically instantiating one or more plugin security provider modules, the one or more security provider modules are coupled to the security service module wherein the one or more security provider modules are capable of responding to one or more changes in configuration information, a first process capable of modifying the configuration information, wherein the security service module is capable of accepting at least one of, security information and the configuration information, and wherein the security service module is capable of controlling access to one or more resources based on the security information.

Abstract: A system and method for a distributed system for controlling access to a first resource in a hierarchy of resources, comprising, a distributor located on a first server and capable of distributing to a second server a first policy for the first resource, a security service module (SSM) located on the second server and capable of managing based on the first policy conditions for access to at least one of: the first resource and a second resource that is hierarchically inferior to the first resource, and wherein the first policy can be overridden by a second policy wherein the second policy specifies conditions for access for a resource that is hierarchically inferior to the first resource.

Abstract: A method for searching a first set of policies, comprising, accessing the first set of policies wherein each policy in the first set of policies includes the following policy components, a resource, a subject, and one of an action and a role name, and wherein the subject includes at least one of, a user and a group, specifying one or more search criteria wherein the one or more search criteria includes one or more values for policy components and wherein the one or more values can include one or more wild cards, finding in the first set of policies a second set of policies that satisfy the one or more search criteria, and wherein a policy can be used to control access to a resource.

Abstract: A system and method for distributing information from a first process to one or more security service modules, said system comprising the steps of, a remote interface capable of accepting first information from the first process, a provisioning service provider coupled to the remote interface and capable of obtaining the first information from the remote interface, and further capable of providing second information to a local interface, wherein the second information is based on the first information and is tailored for the one or more security service modules, the local interface capable of providing the second information to the one or more security service modules and wherein the one or more security service modules are capable of accepting the second information and performing at least one of the following: adjusting a configuration of the one or more security service modules to reflect the second information, and protecting access to at least one resource based on the second information.

Abstract: A system and method for a dynamically configurable security system, comprising, a process having one or more resources to be protected, and a security service module coupled to the process, one or more plugin security provider modules that are compatible with and extend the security service module, wherein the security service module is capable of receiving security information updates, and wherein the security service module is capable of controlling access to the one or more resources based on the security information updates through the use of the one or more plugin security provider modules.

Abstract: A computer-implemented system and method for policy inheritance, comprising, defining a first group wherein the first group refers to at least one of: a user and a group different from the first group, defining a second group wherein the second group is nested within the first group, defining a first policy wherein the first policy includes a resource, a subject and one of, an action and a role, and wherein the subject includes the first group, inheriting the first policy by the second group, wherein the resource is part of a resource hierarchy, and wherein the first policy can be used to control access to the resource.

Abstract: A method for providing a security provider for a client, said method comprising, providing a service provider interface that is compatible with a security framework layer providing one or more services wherein the one or more services include at least one of, authentication, authorization, auditing, role mapping and credential mapping exposing the one or more services through the service provider interface and wherein the framework layer exposes the one or more services to an application program interface.

Abstract: A system and method for a dynamically configurable security system, comprising, a security service module capable of dynamically instantiating one or more plugin security provider modules, the one or more security provider modules are coupled to the security service module wherein the one or more security provider modules are capable of responding dynamically to changes in configuration information, wherein the security service module is capable of receiving one or more security information updates, and wherein the security service module is capable of controlling access to one or more resources based on the one or more security information updates.

Abstract: A system and method for distributed enterprise security, comprising, a server operable to update information, wherein the information can include one or more of a policy and configuration information, a security control module (SCM) operable to accept the information, at least one security service module (SSM) operable to accept the information from the SCM, and herein the information accepted by the SCM is relevant to one or more of the at least one SSMs.

Abstract: A system and method comprising the steps of, delegating a capability from a first user to a second user, propagating information that includes evidence of the delegation to a plurality of security service modules, wherein each one of the plurality of security service modules is capable of protecting one or more resources, providing the evidence to a first security service module belonging to the plurality of security service modules, enforcing the delegation when the second user attempts to access a resource in the one or more resources wherein the resource is protected by the first security service module, and wherein the enforcement is carried out by the first security service module.