Abstract: Methods and devices for constructing a simplified attribute-based access control policy, which more faithfully reproduces not only Permit and Deny decisions but also data relating to errors and quasi-errors resulting from the evaluation. To this end, the simplified policy includes new data fields for storing intermediate results. Further, improved simplification rules allowing partial evaluation to be used in a broader range of situations.

Abstract: Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.

Abstract: A method of providing access control to a database accessible from a user interface is implemented at a policy enforcement point, which is located between the database and the user interface and includes the steps of: (i) intercepting a database query; (ii) assigning attribute values on the basis of a target table or target column in the query, a construct type in the query, or the user or environment; (iii) partially evaluating an access-control policy defined in terms of said attributes, by constructing a partial policy decision request containing the attribute values assigned in step ii) and evaluating the access-control policy for this, whereby a simplified policy is obtained; (iv) deriving an access condition, for which the simplified policy permits access; and (v) amending the database query by imposing said access condition and transmitting the amended query to the database.

Abstract: Methods and devices for constructing a simplified attribute-based access control policy, which more faithfully reproduces not only Permit and Deny decisions but also data relating to errors and quasi-errors resulting from the evaluation. To this end, the simplified policy includes new data fields for storing intermediate results. Further, improved simplification rules allowing partial evaluation to be used in a broader range of situations.

Abstract: A method of providing access control to a relational database accessible from a user interface is implemented at a policy enforcement point, which is located between the database and the user interface and includes the steps of: (i) intercepting a database query from a user; (ii) assigning attribute values on the basis of a target table or target column in the query, a construct type in the query, or the user or environment; (iii) partially evaluating an access-control policy defined in terms of said attributes, by constructing a partial policy decision request containing the attribute values assigned in step ii) and evaluating the AC policy for this, whereby a simplified policy is obtained; (iv) deriving an access condition, for which the simplified policy permit access; and (v) amending the database query by imposing said access condition and transmitting the amended query to the database.

Abstract: A method is disclosed, and a corresponding data carrier and policy converter, for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network. A reverse query is produced indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests. Based on the reverse query, the XACML policy (P) and the given decision (d) are translated into a satisfiable logic proposition in Boolean variables (vi, i=1, 2, . . . ) From said ROBDD, variable assignments (RCj=[ARCj1: v1=xj1, ARCj2: v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition are derived and at least one SDDL rule is created based on said variable assignments (RCj=[ARCj1: v1=xj1, ARCj2: v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition.

Abstract: Disclosed are methods and devices for provisioning authorization claims, which are enforced to control access of users to objects (resources) in a computer system (330), and which are to be equivalent to an attribute-based access control (ABAC) policy. A policy converter according to the invention includes a policy processor (310) processing the policy by partial evaluation against attribute values of the users, objects or permission levels in the system and outputting simplified policies, which are subject to reverse evaluation in a reverse policy evaluator (320), whereby users, objects and permission levels to be associated by way of a single authorization claim are obtained. Responsible for the defining of the authorization claim and its distribution in the computer system are an authorization claim generator (330) and an authorization claim distribution interface (340). The invention may be so configured as to return a single authorization claim for each combination of an object and a permission level.

Abstract: A method of providing access control to a relational database accessible from a user interface is implemented at a policy enforcement point, which is located between the database and the user interface and includes the steps of: (i) intercepting a database query from a user; (ii) assigning attribute values on the basis of a target table or target column in the query, a construct type in the query, or the user or environment; (iii) partially evaluating an access-control policy defined in terms of said attributes, by constructing a partial policy decision request containing the attribute values assigned in step ii) and evaluating the AC policy for this, whereby a simplified policy is obtained; (iv) deriving an access condition, for which the simplified policy permit access; and (v) amending the database query by imposing said access condition and transmitting the amended query to the database.

Abstract: An attribute-based access control policy (e.g., XACML policy) for a set of elements depends on attributes carried by elements in one of several predefined categories. In order to evaluate such policy for a set of elements, the invention provides a method including the steps of (I) selecting a primary category; (II) partitioning the elements in the primary category into equivalence classes with respect to their influence on the policy; and (III) using the equivalence classes to replace at least one policy evaluation by a deduction. The result of the evaluation may be represented as an access matrix in backward-compatible format. The efficiency of the policy evaluation may be further improved by applying partial policy evaluation at intermediate stages, by forming combined equivalence classes containing n-tuples of elements and/or by analyzing the influence of each element by extracting functional expressions of maximal length from the policy.

Abstract: Methods and devices for constructing a simplified attribute-based access control policy, which more faithfully reproduces not only Permit and Deny decisions but also data relating to errors and quasi-errors resulting from the evaluation. To this end, the simplified policy includes new data fields for storing intermediate results. Further, improved simplification rules allowing partial evaluation to be used in a broader range of situations.

Abstract: A system controls policy distribution with partial evaluation to permit/deny access to protected alternatives. The system includes a database to store access control policy functions for protected alternatives, a guard to guard access to a protected alternative and construct an access control request including attributes regarding the protected alternative, a policy decider to receive the access control request from the guard, a policy distributor connected to the database and policy decider, to collect the static attributes of the protected alternative, and send them to the policy distributor, which constructs a partial access control request from the static attributes, performs partial evaluation against the stored access control policy function, resulting in a simplified access control policy function, and sends the simplified function to the policy decider, to evaluate access control requests regarding the protected alternative, and return a permit or deny response to the guard.

Abstract: A method of providing access control to a relational database accessible from a user interface is implemented at a policy enforcement point, which is located between the database and the user interface and includes the steps of: (i) intercepting a database query from a user; (ii) assigning attribute values on the basis of a target table or target column in the query, a construct type in the query, or the user or environment; (iii) partially evaluating an access-control policy defined in terms of said attributes, by constructing a partial policy decision request containing the attribute values assigned in step ii) and evaluating the AC policy for this, whereby a simplified policy is obtained; (iv) deriving an access condition, for which the simplified policy permit access; and (v) amending the database query by imposing said access condition and transmitting the amended query to the database.

Abstract: Methods and devices for constructing a simplified attribute-based access control policy, which more faithfully reproduces not only Permit and Deny decisions but also data relating to errors and quasi-errors resulting from the evaluation. To this end, the simplified policy includes new data fields for storing intermediate results. Further, improved simplification rules allowing partial evaluation to be used in a broader range of situations.

Abstract: The present invention proposes methods and devices for constructing a simplified attribute-based access control policy, which more faithfully reproduces not only Permit and Deny decisions but also data relating to errors and quasi-errors resulting from the evaluation. To this end, the simplified policy includes new data fields for storing intermediate results. The invention further provides improved simplification rules allowing partial evaluation to be used in a broader range of situations.

Abstract: Disclosed are methods and devices for provisioning authorization claims, which are enforced to control access of users to objects (resources) in a computer system (330), and which are to be equivalent to an attribute-based access control (ABAC) policy. A policy converter according to the invention includes a policy processor (310) processing the policy by partial evaluation against attribute values of the users, objects or permission levels in the system and outputting simplified policies, which are subject to reverse evaluation in a reverse policy evaluator (320), whereby users, objects and permission levels to be associated by way of a single authorization claim are obtained. Responsible for the defining of the authorization claim and its distribution in the computer system are an authorization claim generator (330) and an authorization claim distribution interface (340). The invention may be so configured as to return a single authorization claim for each combination of an object and a permission level.

Abstract: A method is disclosed, and a corresponding data carrier and policy converter, for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network. A reverse query is produced indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests. Based on the reverse query, the XACML policy (P) and the given decision (d) are translated into a satisfiable logic proposition in Boolean variables (vi, i=1, 2, . . . ) From said ROBDD, variable assignments (RCj=[ARCj1: v1=xj1, ARCj2: v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition are derived and at least one SDDL rule is created based on said variable assignments (RCj=[ARCj1: v1=xj1, ARCj2: v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition.

Abstract: An attribute-based access control policy (e.g., XACML policy) for a set of elements depends on attributes carried by elements in one of several predefined categories. In order to evaluate such policy for a set of elements, the invention provides a method including the steps of (I) selecting a primary category; (II) partitioning the elements in the primary category into equivalence classes with respect to their influence on the policy; and (III) using the equivalence classes to replace at least one policy evaluation by a deduction. The result of the evaluation may be represented as an access matrix in backward-compatible format. The efficiency of the policy evaluation may be further improved by applying partial policy evaluation at intermediate stages, by forming combined equivalence classes containing n-tuples of elements and/or by analyzing the influence of each element by extracting functional expressions of maximal length from the policy.

Abstract: Disclosed are real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method comprises: (i) receiving a reverse query and a set of admissible access requests, each of which comprises one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.

Abstract: The present invention relates to a system (10) operable to control policy distribution with partial evaluation in order to permit/deny access to a protected means (12). The system (10) comprises a storing means (14) operable to store all access control policy functions for all protected means (12), a guard means (16) operable to guard access to a protected means (12) and to construct an access control request comprising attributes regarding the protected means (12), a policy decision means (18) connected to the guard means (16) and operable to receive the access control request from the guard means (18). The system (10) also comprises a policy distribution means (20) connected to the storing means (14) and to the policy decision means (18).