Abstract: In implementations of NGAC graph evaluations, a computing device implements a next generation access control (NGAC) graph that includes user elements representing users, object elements representing resources, and multiple policy classes. Policy binding nodes can be modeled as user attributes in the NGAC graph for each of the multiple policy classes, and each policy binding node is assigned to a corresponding one of the multiple policy classes. A user element is assigned as a member of a policy binding node, and the policy binding node delineates at least one policy permission on an object element and grants the policy permission on the object element to the user element. The computing device implements a policy decision module to evaluate the NGAC graph with a graph evaluation procedure to determine graph analysis information relative to at least one of the user element, the granted policy permission, or the object element.
Type:
Grant
Filed:
November 19, 2020
Date of Patent:
November 7, 2023
Assignee:
TETRATE.IO
Inventors:
Zachary Daniel Butcher, Ignacio Barrera Caparros, Joshua Douglas Roberts
Abstract: In implementations of a repeatable NGAC policy class structure, a computing device implements a next generation access control (NGAC) graph that includes user elements representing users, object elements representing resources, and multiple policy classes modeled with a composable policy class structure that is repeatable to instantiate each of the multiple policy classes in the graph. The composable policy class structure includes a policy class as enforceable access criteria by which the user elements are allowed or denied access to the object elements that represent the resources, an exclusion default object node and an exclusion default user node of the policy class, and an association that indicates object elements contained as members of the exclusion default object node granting all policy permissions to user elements contained as members of the exclusion default user node. The NGAC graph can be utilized to compute an access control decision across the multiple policy classes.
Type:
Application
Filed:
November 19, 2020
Publication date:
May 19, 2022
Applicant:
Tetrate.io
Inventors:
Zack Daniel Butcher, Ignacio Barrera Caparros, Joshua Douglas Roberts
Abstract: In implementations of NGAC graph evaluations, a computing device implements a next generation access control (NGAC) graph that includes user elements representing users, object elements representing resources, and multiple policy classes. Policy binding nodes can be modeled as user attributes in the NGAC graph for each of the multiple policy classes, and each policy binding node is assigned to a corresponding one of the multiple policy classes. A user element is assigned as a member of a policy binding node, and the policy binding node delineates at least one policy permission on an object element and grants the policy permission on the object element to the user element. The computing device implements a policy decision module to evaluate the NGAC graph with a graph evaluation procedure to determine graph analysis information relative to at least one of the user element, the granted policy permission, or the object element.
Type:
Application
Filed:
November 19, 2020
Publication date:
May 19, 2022
Applicant:
Tetrate.io
Inventors:
Zachary Daniel Butcher, Ignacio Barrera Caparros, Joshua Douglas Roberts
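The three abstracts above describe the same structures: an NGAC graph with user, object and policy class elements; policy binding nodes modeled as user attributes assigned to one policy class and carrying an association that grants permissions on an object attribute; a repeatable per-policy-class structure with an exclusion default object node and an exclusion default user node joined by an association granting all permissions; and a decision computed across every policy class. The following is an added worked example written for this page, not Tetrate's implementation or any code from the patents. The standard NGAC decision rule it implements (an operation is permitted only if every policy class containing the object grants it) is from NIST SP 800-178; the node names, the "*" marker for "all policy permissions", and the two-policy-class sample graph are assumptions.

```python
"""Added example: NGAC graph with repeatable policy class structure, policy
binding nodes as user attributes, and a cross-policy-class access decision.
Not Tetrate's code; names and the "*" wildcard are assumptions."""
from collections import defaultdict

ALL_OPS = "*"  # assumed marker meaning "all policy permissions"


class NGACGraph:
    def __init__(self):
        self.kind = {}                   # node -> "U" | "UA" | "O" | "OA" | "PC"
        self.parents = defaultdict(set)  # assignment edges: child -> {parents}
        self.associations = []           # (user attribute, ops, object attribute)

    def add_node(self, name, kind):
        self.kind[name] = kind
        return name

    def assign(self, child, *parents):
        self.parents[child].update(parents)

    def associate(self, ua, ops, oa):
        self.associations.append((ua, frozenset(ops), oa))

    def ancestors(self, node):
        """Every node reachable from `node` by following assignments upward."""
        seen, stack = set(), [node]
        while stack:
            for p in self.parents[stack.pop()]:
                if p not in seen:
                    seen.add(p)
                    stack.append(p)
        return seen

    def granted_by_policy_class(self, user, obj):
        """Graph analysis: for each policy class containing `obj`, the ops that
        associations on the user's attributes grant on `obj` under that class."""
        user_attrs = self.ancestors(user)
        obj_attrs = self.ancestors(obj) | {obj}
        result = {pc: set() for pc in obj_attrs if self.kind.get(pc) == "PC"}
        for ua, ops, oa in self.associations:
            if ua in user_attrs and oa in obj_attrs:
                for pc in self.ancestors(oa):   # class(es) the association counts for
                    if pc in result:
                        result[pc] |= ops
        return result

    def check(self, user, op, obj):
        """NGAC decision: `op` must be granted in every policy class containing
        `obj`; an object bound to no policy class is denied."""
        per_pc = self.granted_by_policy_class(user, obj)
        return bool(per_pc) and all(op in ops or ALL_OPS in ops for ops in per_pc.values())


def add_policy_class(g, name):
    """Repeatable structure: policy class + exclusion default user/object nodes,
    with an association granting all ops from the former to the latter."""
    pc = g.add_node(name, "PC")
    default_ua = g.add_node(f"{name}:default_users", "UA")
    default_oa = g.add_node(f"{name}:default_objects", "OA")
    g.assign(default_ua, pc)
    g.assign(default_oa, pc)
    g.associate(default_ua, {ALL_OPS}, default_oa)
    return pc, default_ua, default_oa


def add_policy_binding(g, pc, name, ops, oa):
    """Policy binding node: a user attribute assigned to one policy class that
    delineates `ops` on object attribute `oa`; members of it get those ops."""
    binding = g.add_node(name, "UA")
    g.assign(binding, pc)
    g.associate(binding, ops, oa)
    return binding


def build_example():
    """Constructed sample graph (all names are assumptions)."""
    g = NGACGraph()
    rbac, _, _ = add_policy_class(g, "RBAC")
    tenancy, tenancy_default_users, tenancy_default_objects = add_policy_class(g, "Tenancy")

    g.assign(g.add_node("payments-apis", "OA"), rbac)
    g.assign(g.add_node("docs", "OA"), rbac)
    g.assign(g.add_node("tenant-a", "OA"), tenancy)

    # payments is tenant-scoped; docs is placed in Tenancy's exclusion default
    # object node so the Tenancy class does not withhold access to it.
    g.assign(g.add_node("svc/payments", "O"), "payments-apis", "tenant-a")
    g.assign(g.add_node("svc/docs", "O"), "docs", tenancy_default_objects)

    readers = add_policy_binding(g, rbac, "payments-readers", {"read"}, "payments-apis")
    doc_readers = add_policy_binding(g, rbac, "docs-readers", {"read"}, "docs")
    tenant_users = add_policy_binding(g, tenancy, "tenant-a-users", {"read", "write"}, "tenant-a")

    g.assign(g.add_node("alice", "U"), readers, tenant_users)
    g.assign(g.add_node("bob", "U"), readers, doc_readers, tenancy_default_users)
    return g


if __name__ == "__main__":
    g = build_example()
    for user, op, obj in [("alice", "read", "svc/payments"), ("bob", "read", "svc/payments"),
                          ("bob", "read", "svc/docs"), ("bob", "write", "svc/docs")]:
        verdict = "allow" if g.check(user, op, obj) else "deny"
        print(f"{user} {op} {obj}: {verdict} {g.granted_by_policy_class(user, obj)}")
```

Two points the sample graph is built to show. First, bob is a member of payments-readers, so the RBAC class grants him read on svc/payments, yet the decision is deny: svc/payments is also contained in the Tenancy class, and no binding node bob belongs to grants anything under Tenancy. Second, svc/docs sits in Tenancy's exclusion default object node, so bob's membership in Tenancy's exclusion default user node supplies the "all permissions" grant for that class and the RBAC binding alone decides the outcome; without the default pair, every object would have to be bound in every policy class before anyone could reach it.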