Patents Assigned to AXIOMATICS AB
-
Patent number: 11258826Abstract: A policy decision point for interacting with a computer system including a plurality of resources, to which subjects' access is controlled by corresponding policy enforcement points. The PDP includes: a memory storing at least two policy packages, each controlling access rights to resources, and a connection table associating each policy package with an end point address; a network interface operable to communicate with the PEPs, wherein the network interface obtains access requests from a PEP and returns access decisions to the PEP, each access request including an end point address for directing the access request to the PDP; and a processor operable to: analyze an access request and determine, based on the end point address receiving the access request, an associated policy package; and evaluate the access request against the policy package thus determined.Type: GrantFiled: August 12, 2019Date of Patent: February 22, 2022Assignee: AXIOMATICS ABInventor: Erik Rissanen
-
Publication number: 20200076856Abstract: A policy decision point for interacting with a computer system including a plurality of resources, to which subjects' access is controlled by corresponding policy enforcement points. The PDP includes: a memory storing at least two policy packages, each controlling access rights to resources, and a connection table associating each policy package with an end point address; a network interface operable to communicate with the PEPs, wherein the network interface obtains access requests from a PEP and returns access decisions to the PEP, each access request including an end point address for directing the access request to the PDP; and a processor operable to: analyze an access request and determine, based on the end point address receiving the access request, an associated policy package; and evaluate the access request against the policy package thus determined.Type: ApplicationFiled: August 12, 2019Publication date: March 5, 2020Applicant: Axiomatics ABInventor: Erik RISSANEN
-
Patent number: 10404707Abstract: A permissions provisioning module includes a data adapter and a permissions calculator associated with a policy evaluator operable to evaluate an ABAC policy. The module is adapted to interact with a computer system including resources, metadata and an access control mechanism enforcing, in respect of each resource, an access control list associated with the resource. In operation, the data adapter receives metadata for said computer system and assigns values to attributes in the policy based on the metadata. The permissions calculator queries the policy evaluator on combinations of resources and principals of the system using the attribute values thus assigned, and returns permission data. The data adapter formats said permission data into ACLs, for deployment in the computer system.Type: GrantFiled: November 18, 2014Date of Patent: September 3, 2019Assignee: AXIOMATICS ABInventor: Andrés Martinelli
-
Patent number: 10382487Abstract: The present invention relates to a policy decision point for interacting with a computer system comprising a plurality of resources, to which subjects' access is controlled by corresponding policy enforcement points. The PDP comprises: a memory storing at least two policy packages, each controlling access rights to resources, and a connection table associating each policy package with an end point address; a network interface operable to communicate with the PEPs, wherein the network interface obtains access requests from a PEP and returns access decisions to the PEP, each access request comprising an end point address for directing the access request to the PDP; and a processor operable to: analyze an access request and determine, based on the end point address receiving the access request, an associated policy package; and evaluate the access request against the policy package thus determined.Type: GrantFiled: February 5, 2016Date of Patent: August 13, 2019Assignee: AXIOMATICS ABInventor: Erik Rissanen
-
Patent number: 10158641Abstract: Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.Type: GrantFiled: May 8, 2017Date of Patent: December 18, 2018Assignee: AXIOMATICS ABInventors: Erik Rissanen, Pablo Giambiagi
-
Patent number: 10007800Abstract: In a policy decision point (500) coupled to at least one remote attribute source (107a-c), a method of transforming an attribute-based access control (ABAC) policy (106) to facilitate evaluation includes: identifying a functional expression (F1) of the ABAC policy; forming, based on the sub-hierarchy of the policy that has F1 as its hierarch, a remote query intended for a RAS such that the output data from execution of the remote query correspond to the outcome of an evaluation of F1; and transforming the ABAC policy by replacing the sub-hierarchy by a second functional expression that represents the remote query. A method of evaluating an access request against an ABAC policy includes using such a transformed ABAC policy. Furthermore, a method of evaluating an access request against an ABAC policy includes identifying remotely executable sub-hierarchies and delegating these to remote attribute sources.Type: GrantFiled: February 18, 2016Date of Patent: June 26, 2018Assignee: AXIOMATICS ABInventor: Erik Rissanen
-
Patent number: 9973509Abstract: A permissions provisioning module includes a data adapter and a permissions calculator associated with a policy evaluator operable to evaluate an ABAC policy. The module is adapted to interact with a computer system including resources, metadata and an access control mechanism enforcing, in respect of each resource, an access control list associated with the resource. In operation, the data adapter receives metadata for said computer system and assigns values to attributes in the policy based on the metadata. The permissions calculator queries the policy evaluator on combinations of resources and principals of the system using the attribute values thus assigned, and returns permission data. The data adapter formats said permission data into ACLs, for deployment in the computer system.Type: GrantFiled: January 6, 2017Date of Patent: May 15, 2018Assignee: AXIOMATICS ABInventor: Andres Martinelli
-
Publication number: 20170323029Abstract: A method of providing access control to a database accessible from a user interface is implemented at a policy enforcement point, which is located between the database and the user interface and includes the steps of: (i) intercepting a database query; (ii) assigning attribute values on the basis of a target table or target column in the query, a construct type in the query, or the user or environment; (iii) partially evaluating an access-control policy defined in terms of said attributes, by constructing a partial policy decision request containing the attribute values assigned in step ii) and evaluating the access-control policy for this, whereby a simplified policy is obtained; (iv) deriving an access condition, for which the simplified policy permits access; and (v) amending the database query by imposing said access condition and transmitting the amended query to the database.Type: ApplicationFiled: April 17, 2017Publication date: November 9, 2017Applicant: Axiomatics ABInventor: ERIK RISSANEN
-
Publication number: 20170244711Abstract: Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.Type: ApplicationFiled: May 8, 2017Publication date: August 24, 2017Applicant: AXIOMATICS ABInventors: Erik RISSANEN, Pablo GIAMBIAGI
-
Publication number: 20170126687Abstract: A permissions provisioning module includes a data adapter and a permissions calculator associated with a policy evaluator operable to evaluate an ABAC policy. The module is adapted to interact with a computer system including resources, metadata and an access control mechanism enforcing, in respect of each resource, an access control list associated with the resource. In operation, the data adapter receives metadata for said computer system and assigns values to attributes in the policy based on the metadata. The permissions calculator queries the policy evaluator on combinations of resources and principals of the system using the attribute values thus assigned, and returns permission data. The data adapter formats said permission data into ACLs, for deployment in the computer system.Type: ApplicationFiled: January 6, 2017Publication date: May 4, 2017Applicant: AXIOMATICS ABInventor: Andres MARTINELLI
-
Patent number: 9626452Abstract: A method of providing access control to a database accessible from a user interface is implemented at a policy enforcement point, which is located between the database and the user interface and includes the steps of: (i) intercepting a database query; (ii) assigning attribute values on the basis of a target table or target column in the query, a construct type in the query, or the user or environment; (iii) partially evaluating an access-control policy defined in terms of said attributes, by constructing a partial policy decision request containing the attribute values assigned in step ii) and evaluating the access-control policy for this, whereby a simplified policy is obtained; (iv) deriving an access condition, for which the simplified policy permits access; and (v) amending the database query by imposing said access condition and transmitting the amended query to the database.Type: GrantFiled: April 14, 2015Date of Patent: April 18, 2017Assignee: AXIOMATICS ABInventor: Erik Rissanen
-
Patent number: 9509722Abstract: A method is disclosed, and a corresponding data carrier and policy converter, for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network. A reverse query is produced indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests. Based on the reverse query, the XACML policy (P) and the given decision (d) are translated into a satisfiable logic proposition in Boolean variables (vi, i=1, 2, . . . ) From said ROBDD, variable assignments (RCj=[ARCj1: v1=xj1, ARCj2: v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition are derived and at least one SDDL rule is created based on said variable assignments (RCj=[ARCj1: v1=xj1, ARCj2: v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition.Type: GrantFiled: February 16, 2015Date of Patent: November 29, 2016Assignee: AXIOMATICS ABInventors: Pablo Giambiagi, Erik Rissanen, Travis Spencer
-
Patent number: 9430662Abstract: Disclosed are methods and devices for provisioning authorization claims, which are enforced to control access of users to objects (resources) in a computer system, and which are to be equivalent to an attribute-based access control (ABAC) policy. A policy converter according to the invention includes a policy processor processing the policy by partial evaluation against attribute values of the users, objects or permission levels in the system and outputting simplified policies, which are subject to reverse evaluation in a reverse policy evaluator, whereby users, objects and permission levels to be associated by way of a single authorization claim are obtained. Responsible for the defining of the authorization claim and its distribution in the computer system are an authorization claim generator and an authorization claim distribution interface. The invention may be so configured as to return a single authorization claim for each combination of an object and a permission level.Type: GrantFiled: December 15, 2014Date of Patent: August 30, 2016Assignee: AXIOMATICS ABInventors: Pablo Giambiagi, Peter Piotr Karpinski
-
Publication number: 20160246983Abstract: In a policy decision point (500) coupled to at least one remote attribute source (107a-c), a method of transforming an attribute-based access control (ABAC) policy (106) to facilitate evaluation includes: identifying a functional expression (F1) of the ABAC policy; forming, based on the sub-hierarchy of the policy that has F1 as its hierarch, a remote query intended for a RAS such that the output data from execution of the remote query correspond to the outcome of an evaluation of F1; and transforming the ABAC policy by replacing the sub-hierarchy by a second functional expression that represents the remote query. A method of evaluating an access request against an ABAC policy includes using such a transformed ABAC policy. Furthermore, a method of evaluating an access request against an ABAC policy includes identifying remotely executable sub-hierarchies and delegating these to remote attribute sources.Type: ApplicationFiled: February 18, 2016Publication date: August 25, 2016Applicant: AXIOMATICS ABInventor: Erik RISSANEN
-
Publication number: 20160232370Abstract: An attribute-based access control (ABAC) policy governs the behaviour of an access control mechanism in a computer system which selectively permits and denies access to resources in the system. An administrator interface includes graphical elements that are responsive to user manipulation in such manner as allow the ABAC policy to be inspected and/or edited. In an online editing mode, a user's manipulations of the graphical representation have a direct effect on the behaviour of the access control mechanism.Type: ApplicationFiled: July 7, 2015Publication date: August 11, 2016Applicant: AXIOMATICS ABInventors: Erik RISSANEN, Fredrik HERNEGREN, Andres MARTINELLI, Elisabet Johanna ENLUND
-
Publication number: 20160234253Abstract: The present invention relates to a policy decision point for interacting with a computer system comprising a plurality of resources, to which subjects' access is controlled by corresponding policy enforcement points. The PDP comprises: a memory storing at least two policy packages, each controlling access rights to resources, and a connection table associating each policy package with an end point address; a network interface operable to communicate with the PEPs, wherein the network interface obtains access requests from a PEP and returns access decisions to the PEP, each access request comprising an end point address for directing the access request to the PDP; and a processor operable to: analyze an access request and determine, based on the end point address receiving the access request, an associated policy package; and evaluate the access request against the policy package thus determined.Type: ApplicationFiled: February 5, 2016Publication date: August 11, 2016Applicant: Axiomatics ABInventor: Erik Rissanen
-
Patent number: 9401930Abstract: An attribute-based policy defining subjects' access to resources is enforced by a computer system. A processing means (PDP) in the system communicates with a nearby attribute value source and at least one remote attribute value source and is adapted to evaluate the policy for an access request containing one or more explicit attribute values, which together with the policy define at least one implicit reference to a further attribute value, which is retrievable from one of said attribute value sources. The processing means reduces the policy by substituting attribute values for attributes in the policy if they are contained in the request or retrievable from the nearby source. References to further attributes retrievable from a remote source only are cached together with intermediate results. All attribute values from a given remote source are retrieved on one occasion, and the intermediate results are used to terminate the evaluation.Type: GrantFiled: July 1, 2013Date of Patent: July 26, 2016Assignee: AXIOMATICS ABInventors: Pablo Giambiagi, Erik Rissanen
-
Patent number: 9372973Abstract: An attribute-based access control policy (e.g., XACML policy) for a set of elements depends on attributes carried by elements in one of several predefined categories. In order to evaluate such policy for a set of elements, the invention provides a method including the steps of (I) selecting a primary category; (II) partitioning the elements in the primary category into equivalence classes with respect to their influence on the policy; and (III) using the equivalence classes to replace at least one policy evaluation by a deduction. The result of the evaluation may be represented as an access matrix in backward-compatible format. The efficiency of the policy evaluation may be further improved by applying partial policy evaluation at intermediate stages, by forming combined equivalence classes containing n-tuples of elements and/or by analyzing the influence of each element by extracting functional expressions of maximal length from the policy.Type: GrantFiled: October 23, 2014Date of Patent: June 21, 2016Assignee: AXIOMATICS ABInventor: Pablo Giambiagi
-
Publication number: 20160072814Abstract: A permissions provisioning module includes a data adapter and a permissions calculator associated with a policy evaluator operable to evaluate an ABAC policy. The module is adapted to interact with a computer system including resources, metadata and an access control mechanism enforcing, in respect of each resource, an access control list associated with the resource. In operation, the data adapter receives metadata for said computer system and assigns values to attributes in the policy based on the metadata. The permissions calculator queries the policy evaluator on combinations of resources and principals of the system using the attribute values thus assigned, and returns permission data. The data adapter formats said permission data into ACLs, for deployment in the computer system.Type: ApplicationFiled: November 18, 2014Publication date: March 10, 2016Applicant: Axiomatics ABInventor: Andrés MARTINELLI
-
Patent number: 9223992Abstract: Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.Type: GrantFiled: July 19, 2011Date of Patent: December 29, 2015Assignee: AXIOMATICS ABInventors: Erik Rissanen, Pablo Giambiagi