Patents by Inventor Erik RISSANEN
Erik RISSANEN has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11258826Abstract: A policy decision point for interacting with a computer system including a plurality of resources, to which subjects' access is controlled by corresponding policy enforcement points. The PDP includes: a memory storing at least two policy packages, each controlling access rights to resources, and a connection table associating each policy package with an end point address; a network interface operable to communicate with the PEPs, wherein the network interface obtains access requests from a PEP and returns access decisions to the PEP, each access request including an end point address for directing the access request to the PDP; and a processor operable to: analyze an access request and determine, based on the end point address receiving the access request, an associated policy package; and evaluate the access request against the policy package thus determined.Type: GrantFiled: August 12, 2019Date of Patent: February 22, 2022Assignee: AXIOMATICS ABInventor: Erik Rissanen
-
Publication number: 20200076856Abstract: A policy decision point for interacting with a computer system including a plurality of resources, to which subjects' access is controlled by corresponding policy enforcement points. The PDP includes: a memory storing at least two policy packages, each controlling access rights to resources, and a connection table associating each policy package with an end point address; a network interface operable to communicate with the PEPs, wherein the network interface obtains access requests from a PEP and returns access decisions to the PEP, each access request including an end point address for directing the access request to the PDP; and a processor operable to: analyze an access request and determine, based on the end point address receiving the access request, an associated policy package; and evaluate the access request against the policy package thus determined.Type: ApplicationFiled: August 12, 2019Publication date: March 5, 2020Applicant: Axiomatics ABInventor: Erik RISSANEN
-
Patent number: 10382487Abstract: The present invention relates to a policy decision point for interacting with a computer system comprising a plurality of resources, to which subjects' access is controlled by corresponding policy enforcement points. The PDP comprises: a memory storing at least two policy packages, each controlling access rights to resources, and a connection table associating each policy package with an end point address; a network interface operable to communicate with the PEPs, wherein the network interface obtains access requests from a PEP and returns access decisions to the PEP, each access request comprising an end point address for directing the access request to the PDP; and a processor operable to: analyze an access request and determine, based on the end point address receiving the access request, an associated policy package; and evaluate the access request against the policy package thus determined.Type: GrantFiled: February 5, 2016Date of Patent: August 13, 2019Assignee: AXIOMATICS ABInventor: Erik Rissanen
-
Patent number: 10158641Abstract: Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.Type: GrantFiled: May 8, 2017Date of Patent: December 18, 2018Assignee: AXIOMATICS ABInventors: Erik Rissanen, Pablo Giambiagi
-
Patent number: 10007800Abstract: In a policy decision point (500) coupled to at least one remote attribute source (107a-c), a method of transforming an attribute-based access control (ABAC) policy (106) to facilitate evaluation includes: identifying a functional expression (F1) of the ABAC policy; forming, based on the sub-hierarchy of the policy that has F1 as its hierarch, a remote query intended for a RAS such that the output data from execution of the remote query correspond to the outcome of an evaluation of F1; and transforming the ABAC policy by replacing the sub-hierarchy by a second functional expression that represents the remote query. A method of evaluating an access request against an ABAC policy includes using such a transformed ABAC policy. Furthermore, a method of evaluating an access request against an ABAC policy includes identifying remotely executable sub-hierarchies and delegating these to remote attribute sources.Type: GrantFiled: February 18, 2016Date of Patent: June 26, 2018Assignee: AXIOMATICS ABInventor: Erik Rissanen
-
Publication number: 20170323029Abstract: A method of providing access control to a database accessible from a user interface is implemented at a policy enforcement point, which is located between the database and the user interface and includes the steps of: (i) intercepting a database query; (ii) assigning attribute values on the basis of a target table or target column in the query, a construct type in the query, or the user or environment; (iii) partially evaluating an access-control policy defined in terms of said attributes, by constructing a partial policy decision request containing the attribute values assigned in step ii) and evaluating the access-control policy for this, whereby a simplified policy is obtained; (iv) deriving an access condition, for which the simplified policy permits access; and (v) amending the database query by imposing said access condition and transmitting the amended query to the database.Type: ApplicationFiled: April 17, 2017Publication date: November 9, 2017Applicant: Axiomatics ABInventor: ERIK RISSANEN
-
Publication number: 20170244711Abstract: Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.Type: ApplicationFiled: May 8, 2017Publication date: August 24, 2017Applicant: AXIOMATICS ABInventors: Erik RISSANEN, Pablo GIAMBIAGI
-
Patent number: 9646164Abstract: Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.Type: GrantFiled: June 24, 2015Date of Patent: May 9, 2017Assignee: AZIOMATICS ABInventors: Erik Rissanen, Pablo Giambiagi
-
Patent number: 9626452Abstract: A method of providing access control to a database accessible from a user interface is implemented at a policy enforcement point, which is located between the database and the user interface and includes the steps of: (i) intercepting a database query; (ii) assigning attribute values on the basis of a target table or target column in the query, a construct type in the query, or the user or environment; (iii) partially evaluating an access-control policy defined in terms of said attributes, by constructing a partial policy decision request containing the attribute values assigned in step ii) and evaluating the access-control policy for this, whereby a simplified policy is obtained; (iv) deriving an access condition, for which the simplified policy permits access; and (v) amending the database query by imposing said access condition and transmitting the amended query to the database.Type: GrantFiled: April 14, 2015Date of Patent: April 18, 2017Assignee: AXIOMATICS ABInventor: Erik Rissanen
-
Patent number: 9509722Abstract: A method is disclosed, and a corresponding data carrier and policy converter, for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network. A reverse query is produced indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests. Based on the reverse query, the XACML policy (P) and the given decision (d) are translated into a satisfiable logic proposition in Boolean variables (vi, i=1, 2, . . . ) From said ROBDD, variable assignments (RCj=[ARCj1: v1=xj1, ARCj2: v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition are derived and at least one SDDL rule is created based on said variable assignments (RCj=[ARCj1: v1=xj1, ARCj2: v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition.Type: GrantFiled: February 16, 2015Date of Patent: November 29, 2016Assignee: AXIOMATICS ABInventors: Pablo Giambiagi, Erik Rissanen, Travis Spencer
-
Publication number: 20160246983Abstract: In a policy decision point (500) coupled to at least one remote attribute source (107a-c), a method of transforming an attribute-based access control (ABAC) policy (106) to facilitate evaluation includes: identifying a functional expression (F1) of the ABAC policy; forming, based on the sub-hierarchy of the policy that has F1 as its hierarch, a remote query intended for a RAS such that the output data from execution of the remote query correspond to the outcome of an evaluation of F1; and transforming the ABAC policy by replacing the sub-hierarchy by a second functional expression that represents the remote query. A method of evaluating an access request against an ABAC policy includes using such a transformed ABAC policy. Furthermore, a method of evaluating an access request against an ABAC policy includes identifying remotely executable sub-hierarchies and delegating these to remote attribute sources.Type: ApplicationFiled: February 18, 2016Publication date: August 25, 2016Applicant: AXIOMATICS ABInventor: Erik RISSANEN
-
Publication number: 20160234253Abstract: The present invention relates to a policy decision point for interacting with a computer system comprising a plurality of resources, to which subjects' access is controlled by corresponding policy enforcement points. The PDP comprises: a memory storing at least two policy packages, each controlling access rights to resources, and a connection table associating each policy package with an end point address; a network interface operable to communicate with the PEPs, wherein the network interface obtains access requests from a PEP and returns access decisions to the PEP, each access request comprising an end point address for directing the access request to the PDP; and a processor operable to: analyze an access request and determine, based on the end point address receiving the access request, an associated policy package; and evaluate the access request against the policy package thus determined.Type: ApplicationFiled: February 5, 2016Publication date: August 11, 2016Applicant: Axiomatics ABInventor: Erik Rissanen
-
Publication number: 20160232370Abstract: An attribute-based access control (ABAC) policy governs the behaviour of an access control mechanism in a computer system which selectively permits and denies access to resources in the system. An administrator interface includes graphical elements that are responsive to user manipulation in such manner as allow the ABAC policy to be inspected and/or edited. In an online editing mode, a user's manipulations of the graphical representation have a direct effect on the behaviour of the access control mechanism.Type: ApplicationFiled: July 7, 2015Publication date: August 11, 2016Applicant: AXIOMATICS ABInventors: Erik RISSANEN, Fredrik HERNEGREN, Andres MARTINELLI, Elisabet Johanna ENLUND
-
Patent number: 9401930Abstract: An attribute-based policy defining subjects' access to resources is enforced by a computer system. A processing means (PDP) in the system communicates with a nearby attribute value source and at least one remote attribute value source and is adapted to evaluate the policy for an access request containing one or more explicit attribute values, which together with the policy define at least one implicit reference to a further attribute value, which is retrievable from one of said attribute value sources. The processing means reduces the policy by substituting attribute values for attributes in the policy if they are contained in the request or retrievable from the nearby source. References to further attributes retrievable from a remote source only are cached together with intermediate results. All attribute values from a given remote source are retrieved on one occasion, and the intermediate results are used to terminate the evaluation.Type: GrantFiled: July 1, 2013Date of Patent: July 26, 2016Assignee: AXIOMATICS ABInventors: Pablo Giambiagi, Erik Rissanen
-
Patent number: 9223992Abstract: Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.Type: GrantFiled: July 19, 2011Date of Patent: December 29, 2015Assignee: AXIOMATICS ABInventors: Erik Rissanen, Pablo Giambiagi
-
Patent number: 9191408Abstract: Methods and devices for constructing a simplified attribute-based access control policy, which more faithfully reproduces not only Permit and Deny decisions but also data relating to errors and quasi-errors resulting from the evaluation. To this end, the simplified policy includes new data fields for storing intermediate results. Further, improved simplification rules allowing partial evaluation to be used in a broader range of situations.Type: GrantFiled: September 10, 2013Date of Patent: November 17, 2015Assignee: AXIOMATICS ABInventor: Erik Rissanen
-
Publication number: 20150295939Abstract: Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.Type: ApplicationFiled: June 24, 2015Publication date: October 15, 2015Applicant: AXIOMATICS ABInventors: Erik RISSANEN, Pablo GIAMBIAGI
-
Publication number: 20150220659Abstract: A method of providing access control to a database accessible from a user interface is implemented at a policy enforcement point, which is located between the database and the user interface and includes the steps of: (i) intercepting a database query; (ii) assigning attribute values on the basis of a target table or target column in the query, a construct type in the query, or the user or environment; (iii) partially evaluating an access-control policy defined in terms of said attributes, by constructing a partial policy decision request containing the attribute values assigned in step ii) and evaluating the access-control policy for this, whereby a simplified policy is obtained; (iv) deriving an access condition, for which the simplified policy permits access; and (v) amending the database query by imposing said access condition and transmitting the amended query to the database.Type: ApplicationFiled: April 14, 2015Publication date: August 6, 2015Applicant: AXIOMATICS ABInventor: Erik RISSANEN
-
Publication number: 20150163250Abstract: A method is disclosed, and a corresponding data carrier and policy converter, for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network. A reverse query is produced indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests. Based on the reverse query, the XACML policy (P) and the given decision (d) are translated into a satisfiable logic proposition in Boolean variables (vi, i=1, 2, . . . ) From said ROBDD, variable assignments (RCj=[ARCj1:v1=xj1, ARCj2:v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition are derived and at least one SDDL rule is created based on said variable assignments (RCj=[ARCj1:v1=xj1, ARCj2:v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition.Type: ApplicationFiled: February 16, 2015Publication date: June 11, 2015Inventors: Pablo Giambiagi, Erik Rissanen, Travis Spencer
-
Patent number: 9049237Abstract: Methods and devices for constructing a simplified attribute-based access control policy, which more faithfully reproduces not only Permit and Deny decisions but also data relating to errors and quasi-errors resulting from the evaluation. To this end, the simplified policy includes new data fields for storing intermediate results. Further, improved simplification rules allowing partial evaluation to be used in a broader range of situations.Type: GrantFiled: July 3, 2014Date of Patent: June 2, 2015Assignee: AXIOMATICS ABInventor: Erik Rissanen