Abstract: A policy decision point for interacting with a computer system including a plurality of resources, to which subjects' access is controlled by corresponding policy enforcement points. The PDP includes: a memory storing at least two policy packages, each controlling access rights to resources, and a connection table associating each policy package with an end point address; a network interface operable to communicate with the PEPs, wherein the network interface obtains access requests from a PEP and returns access decisions to the PEP, each access request including an end point address for directing the access request to the PDP; and a processor operable to: analyze an access request and determine, based on the end point address receiving the access request, an associated policy package; and evaluate the access request against the policy package thus determined.

Abstract: A policy decision point for interacting with a computer system including a plurality of resources, to which subjects' access is controlled by corresponding policy enforcement points. The PDP includes: a memory storing at least two policy packages, each controlling access rights to resources, and a connection table associating each policy package with an end point address; a network interface operable to communicate with the PEPs, wherein the network interface obtains access requests from a PEP and returns access decisions to the PEP, each access request including an end point address for directing the access request to the PDP; and a processor operable to: analyze an access request and determine, based on the end point address receiving the access request, an associated policy package; and evaluate the access request against the policy package thus determined.

Abstract: A permissions provisioning module includes a data adapter and a permissions calculator associated with a policy evaluator operable to evaluate an ABAC policy. The module is adapted to interact with a computer system including resources, metadata and an access control mechanism enforcing, in respect of each resource, an access control list associated with the resource. In operation, the data adapter receives metadata for said computer system and assigns values to attributes in the policy based on the metadata. The permissions calculator queries the policy evaluator on combinations of resources and principals of the system using the attribute values thus assigned, and returns permission data. The data adapter formats said permission data into ACLs, for deployment in the computer system.

Abstract: The present invention relates to a policy decision point for interacting with a computer system comprising a plurality of resources, to which subjects' access is controlled by corresponding policy enforcement points. The PDP comprises: a memory storing at least two policy packages, each controlling access rights to resources, and a connection table associating each policy package with an end point address; a network interface operable to communicate with the PEPs, wherein the network interface obtains access requests from a PEP and returns access decisions to the PEP, each access request comprising an end point address for directing the access request to the PDP; and a processor operable to: analyze an access request and determine, based on the end point address receiving the access request, an associated policy package; and evaluate the access request against the policy package thus determined.

Abstract: Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.

Abstract: In a policy decision point (500) coupled to at least one remote attribute source (107a-c), a method of transforming an attribute-based access control (ABAC) policy (106) to facilitate evaluation includes: identifying a functional expression (F1) of the ABAC policy; forming, based on the sub-hierarchy of the policy that has F1 as its hierarch, a remote query intended for a RAS such that the output data from execution of the remote query correspond to the outcome of an evaluation of F1; and transforming the ABAC policy by replacing the sub-hierarchy by a second functional expression that represents the remote query. A method of evaluating an access request against an ABAC policy includes using such a transformed ABAC policy. Furthermore, a method of evaluating an access request against an ABAC policy includes identifying remotely executable sub-hierarchies and delegating these to remote attribute sources.

Abstract: A permissions provisioning module includes a data adapter and a permissions calculator associated with a policy evaluator operable to evaluate an ABAC policy. The module is adapted to interact with a computer system including resources, metadata and an access control mechanism enforcing, in respect of each resource, an access control list associated with the resource. In operation, the data adapter receives metadata for said computer system and assigns values to attributes in the policy based on the metadata. The permissions calculator queries the policy evaluator on combinations of resources and principals of the system using the attribute values thus assigned, and returns permission data. The data adapter formats said permission data into ACLs, for deployment in the computer system.

Abstract: A method of providing access control to a database accessible from a user interface is implemented at a policy enforcement point, which is located between the database and the user interface and includes the steps of: (i) intercepting a database query; (ii) assigning attribute values on the basis of a target table or target column in the query, a construct type in the query, or the user or environment; (iii) partially evaluating an access-control policy defined in terms of said attributes, by constructing a partial policy decision request containing the attribute values assigned in step ii) and evaluating the access-control policy for this, whereby a simplified policy is obtained; (iv) deriving an access condition, for which the simplified policy permits access; and (v) amending the database query by imposing said access condition and transmitting the amended query to the database.

Abstract: Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.

Abstract: A permissions provisioning module includes a data adapter and a permissions calculator associated with a policy evaluator operable to evaluate an ABAC policy. The module is adapted to interact with a computer system including resources, metadata and an access control mechanism enforcing, in respect of each resource, an access control list associated with the resource. In operation, the data adapter receives metadata for said computer system and assigns values to attributes in the policy based on the metadata. The permissions calculator queries the policy evaluator on combinations of resources and principals of the system using the attribute values thus assigned, and returns permission data. The data adapter formats said permission data into ACLs, for deployment in the computer system.

Abstract: A method of providing access control to a database accessible from a user interface is implemented at a policy enforcement point, which is located between the database and the user interface and includes the steps of: (i) intercepting a database query; (ii) assigning attribute values on the basis of a target table or target column in the query, a construct type in the query, or the user or environment; (iii) partially evaluating an access-control policy defined in terms of said attributes, by constructing a partial policy decision request containing the attribute values assigned in step ii) and evaluating the access-control policy for this, whereby a simplified policy is obtained; (iv) deriving an access condition, for which the simplified policy permits access; and (v) amending the database query by imposing said access condition and transmitting the amended query to the database.

Abstract: A method is disclosed, and a corresponding data carrier and policy converter, for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network. A reverse query is produced indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests. Based on the reverse query, the XACML policy (P) and the given decision (d) are translated into a satisfiable logic proposition in Boolean variables (vi, i=1, 2, . . . ) From said ROBDD, variable assignments (RCj=[ARCj1: v1=xj1, ARCj2: v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition are derived and at least one SDDL rule is created based on said variable assignments (RCj=[ARCj1: v1=xj1, ARCj2: v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition.

Abstract: Disclosed are methods and devices for provisioning authorization claims, which are enforced to control access of users to objects (resources) in a computer system, and which are to be equivalent to an attribute-based access control (ABAC) policy. A policy converter according to the invention includes a policy processor processing the policy by partial evaluation against attribute values of the users, objects or permission levels in the system and outputting simplified policies, which are subject to reverse evaluation in a reverse policy evaluator, whereby users, objects and permission levels to be associated by way of a single authorization claim are obtained. Responsible for the defining of the authorization claim and its distribution in the computer system are an authorization claim generator and an authorization claim distribution interface. The invention may be so configured as to return a single authorization claim for each combination of an object and a permission level.

Abstract: In a policy decision point (500) coupled to at least one remote attribute source (107a-c), a method of transforming an attribute-based access control (ABAC) policy (106) to facilitate evaluation includes: identifying a functional expression (F1) of the ABAC policy; forming, based on the sub-hierarchy of the policy that has F1 as its hierarch, a remote query intended for a RAS such that the output data from execution of the remote query correspond to the outcome of an evaluation of F1; and transforming the ABAC policy by replacing the sub-hierarchy by a second functional expression that represents the remote query. A method of evaluating an access request against an ABAC policy includes using such a transformed ABAC policy. Furthermore, a method of evaluating an access request against an ABAC policy includes identifying remotely executable sub-hierarchies and delegating these to remote attribute sources.

Abstract: An attribute-based access control (ABAC) policy governs the behaviour of an access control mechanism in a computer system which selectively permits and denies access to resources in the system. An administrator interface includes graphical elements that are responsive to user manipulation in such manner as allow the ABAC policy to be inspected and/or edited. In an online editing mode, a user's manipulations of the graphical representation have a direct effect on the behaviour of the access control mechanism.

Abstract: The present invention relates to a policy decision point for interacting with a computer system comprising a plurality of resources, to which subjects' access is controlled by corresponding policy enforcement points. The PDP comprises: a memory storing at least two policy packages, each controlling access rights to resources, and a connection table associating each policy package with an end point address; a network interface operable to communicate with the PEPs, wherein the network interface obtains access requests from a PEP and returns access decisions to the PEP, each access request comprising an end point address for directing the access request to the PDP; and a processor operable to: analyze an access request and determine, based on the end point address receiving the access request, an associated policy package; and evaluate the access request against the policy package thus determined.

Abstract: An attribute-based policy defining subjects' access to resources is enforced by a computer system. A processing means (PDP) in the system communicates with a nearby attribute value source and at least one remote attribute value source and is adapted to evaluate the policy for an access request containing one or more explicit attribute values, which together with the policy define at least one implicit reference to a further attribute value, which is retrievable from one of said attribute value sources. The processing means reduces the policy by substituting attribute values for attributes in the policy if they are contained in the request or retrievable from the nearby source. References to further attributes retrievable from a remote source only are cached together with intermediate results. All attribute values from a given remote source are retrieved on one occasion, and the intermediate results are used to terminate the evaluation.

Abstract: An attribute-based access control policy (e.g., XACML policy) for a set of elements depends on attributes carried by elements in one of several predefined categories. In order to evaluate such policy for a set of elements, the invention provides a method including the steps of (I) selecting a primary category; (II) partitioning the elements in the primary category into equivalence classes with respect to their influence on the policy; and (III) using the equivalence classes to replace at least one policy evaluation by a deduction. The result of the evaluation may be represented as an access matrix in backward-compatible format. The efficiency of the policy evaluation may be further improved by applying partial policy evaluation at intermediate stages, by forming combined equivalence classes containing n-tuples of elements and/or by analyzing the influence of each element by extracting functional expressions of maximal length from the policy.

Abstract: A permissions provisioning module includes a data adapter and a permissions calculator associated with a policy evaluator operable to evaluate an ABAC policy. The module is adapted to interact with a computer system including resources, metadata and an access control mechanism enforcing, in respect of each resource, an access control list associated with the resource. In operation, the data adapter receives metadata for said computer system and assigns values to attributes in the policy based on the metadata. The permissions calculator queries the policy evaluator on combinations of resources and principals of the system using the attribute values thus assigned, and returns permission data. The data adapter formats said permission data into ACLs, for deployment in the computer system.

Abstract: Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.