| 摘要 |
The invention is a system and method for delegating security permission evaluation from a client computer to remote network service (e.g., a security server). The centralization of permission evaluation allows performance enhancements using rules compilation and better manageability. An application on a client machine may request a permission to access a resource at runtime and provide evidence data to a security server. The permission evaluation (the decision) is executed by the network service and enforced locally on the client machine. When the application runs on top of a virtual machine, its security manager may be used to hide all of the client-side processes, and thus providing the extra information to the network service in order to locally enforce the results.
|
