Abstract: A method of providing access control to a relational database accessible from a user interface is implemented at a policy enforcement point, which is located between the database and the user interface and includes the steps of: (i) intercepting a database query from a user; (ii) assigning attribute values on the basis of a target table or target column in the query, a construct type in the query, or the user or environment; (iii) partially evaluating an access-control policy defined in terms of said attributes, by constructing a partial policy decision request containing the attribute values assigned in step ii) and evaluating the AC policy for this, whereby a simplified policy is obtained; (iv) deriving an access condition, for which the simplified policy permit access; and (v) amending the database query by imposing said access condition and transmitting the amended query to the database.

Abstract: Methods and devices for constructing a simplified attribute-based access control policy, which more faithfully reproduces not only Permit and Deny decisions but also data relating to errors and quasi-errors resulting from the evaluation. To this end, the simplified policy includes new data fields for storing intermediate results. Further, improved simplification rules allowing partial evaluation to be used in a broader range of situations.

Abstract: The present invention proposes methods and devices for constructing a simplified attribute-based access control policy, which more faithfully reproduces not only Permit and Deny decisions but also data relating to errors and quasi-errors resulting from the evaluation. To this end, the simplified policy includes new data fields for storing intermediate results. The invention further provides improved simplification rules allowing partial evaluation to be used in a broader range of situations.

Abstract: Disclosed are methods and devices for provisioning authorization claims, which are enforced to control access of users to objects (resources) in a computer system (330), and which are to be equivalent to an attribute-based access control (ABAC) policy. A policy converter according to the invention includes a policy processor (310) processing the policy by partial evaluation against attribute values of the users, objects or permission levels in the system and outputting simplified policies, which are subject to reverse evaluation in a reverse policy evaluator (320), whereby users, objects and permission levels to be associated by way of a single authorization claim are obtained. Responsible for the defining of the authorization claim and its distribution in the computer system are an authorization claim generator (330) and an authorization claim distribution interface (340). The invention may be so configured as to return a single authorization claim for each combination of an object and a permission level.

Abstract: A method is disclosed, and a corresponding data carrier and policy converter, for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network. A reverse query is produced indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests. Based on the reverse query, the XACML policy (P) and the given decision (d) are translated into a satisfiable logic proposition in Boolean variables (vi, i=1, 2, . . . ) From said ROBDD, variable assignments (RCj=[ARCj1: v1=xj1, ARCj2: v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition are derived and at least one SDDL rule is created based on said variable assignments (RCj=[ARCj1: v1=xj1, ARCj2: v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition.

Abstract: An attribute-based access control policy (e.g., XACML policy) for a set of elements depends on attributes carried by elements in one of several predefined categories. In order to evaluate such policy for a set of elements, the invention provides a method including the steps of (I) selecting a primary category; (II) partitioning the elements in the primary category into equivalence classes with respect to their influence on the policy; and (III) using the equivalence classes to replace at least one policy evaluation by a deduction. The result of the evaluation may be represented as an access matrix in backward-compatible format. The efficiency of the policy evaluation may be further improved by applying partial policy evaluation at intermediate stages, by forming combined equivalence classes containing n-tuples of elements and/or by analyzing the influence of each element by extracting functional expressions of maximal length from the policy.

Abstract: The present invention relates to a system (10) operable to control policy distribution with partial evaluation in order to permit/deny access to a protected means (12). The system (10) comprises a storing means (14) operable to store all access control policy functions for all protected means (12), a guard means (16) operable to guard access to a protected means (12) and to construct an access control request comprising attributes regarding the protected means (12), a policy decision means (18) connected to the guard means (16) and operable to receive the access control request from the guard means (18). The system (10) also comprises a policy distribution means (20) connected to the storing means (14) and to the policy decision means (18).