Access control policy simulation and testing
Abstract
A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.
Claims (25 in total; the independent claims are reproduced below)
1. A computer-implemented method, comprising:
- identifying a computing resource associated with a first access request;
- identifying an access control policy associated with the computing resource and the first access request;
- generating a second access request that simulates access to the computing resource;
- evaluating the second access request to determine whether one or more actions indicated by the first access request are granted per the access control policy;
- generating debugging information regarding the evaluation of the second access request; and
- providing the debugging information in response to the first access request, wherein the second access request includes an indication that the one or more actions indicated by the first access request are not to be performed.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. One or more non-transitory computer-readable storage media having collectively stored thereon instructions that, if executed by one or more processors of a system, cause the system to:
- identify a computing resource associated with a first access request;
- identify an access control policy associated with the computing resource and the first access request;
- generate a second access request that simulates access to the computing resource;
- process a result of the second access request and the access control policy to generate information associated with the access control policy; and
- provide the information in response to the first access request, wherein the information associated with the access control policy is debugging information associated with evaluating the request, and wherein the second access request includes an indication that one or more actions indicated by the first access request are not to be performed.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17.

18. A system, comprising:
- one or more processors; and
- memory including instructions that, if executed by the one or more processors, cause the system to:
  - identify a computing resource associated with a first access request;
  - identify one or more access control policies associated with the computing resource and the first access request;
  - generate a second access request that simulates access to the computing resource;
  - evaluate a result of the second access request and the one or more access control policies; and
  - generate information usable for debugging the evaluation of the first access request, the information indicating whether the first access request is authorized or denied and, on a condition that the access request is denied, the information specifying one or more reasons the first access request is denied per the one or more access control policies, wherein the second access request includes an indication that one or more actions indicated by the first access request are not to be performed.
Dependent claims: 19, 20, 21, 22, 23, 24, 25.
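The following is an added illustration of the mechanism the independent claims and the abstract describe, not code from the patent or its assignee. It assumes a constructed policy format (Allow/Deny statements with shell-style wildcards, evaluated deny-overrides) and a constructed sample policy; the `dry_run` flag on the request plays the role of the claims' "indication that the actions are not to be performed", `simulate` builds the second request of claim 1 and returns the debugging trace, and `simulate_with_deny_statement` shows the abstract's variant in which an injected deny statement guarantees rejection while the trace still reports what the unmodified policy would have decided.

```python
"""Toy access-control policy simulator.

Added example, not the patent's code. Assumed policy format (constructed):
a list of statements {"sid", "effect": "Allow" | "Deny", "actions", "resources"}
with shell-style wildcards, evaluated deny-overrides (any matching Deny wins,
then any matching Allow grants, otherwise implicit deny).
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class AccessRequest:
    principal: str
    action: str
    resource: str
    # The claims' "indication that the actions are not to be performed".
    dry_run: bool = False


@dataclass
class Decision:
    """Debugging information returned to the caller of the first request."""
    allowed: bool
    dry_run: bool
    matched_allow: list = field(default_factory=list)
    matched_deny: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def _matches(stmt, req):
    return (any(fnmatchcase(req.action, a) for a in stmt["actions"])
            and any(fnmatchcase(req.resource, r) for r in stmt["resources"]))


def evaluate(policy, req):
    """Evaluate one request and record which statements decided the outcome."""
    d = Decision(allowed=False, dry_run=req.dry_run)
    for stmt in policy:
        if _matches(stmt, req):
            bucket = d.matched_deny if stmt["effect"] == "Deny" else d.matched_allow
            bucket.append(stmt["sid"])
    if d.matched_deny:
        d.reasons.append("explicit deny by statement(s) " + ", ".join(d.matched_deny))
    elif d.matched_allow:
        d.allowed = True
    else:
        d.reasons.append("no statement grants the action (implicit deny)")
    return d


def simulate(policy, first_request):
    """Claim 1: derive a second, dry-run request from the first and evaluate it.
    Nothing is executed; only the debugging trace comes back."""
    second = AccessRequest(first_request.principal, first_request.action,
                           first_request.resource, dry_run=True)
    return evaluate(policy, second)


# Constructed catch-all deny used by the abstract's variant of the technique.
SIMULATION_DENY = {"sid": "SimulationDeny", "effect": "Deny",
                   "actions": ["*"], "resources": ["*"]}


def simulate_with_deny_statement(policy, first_request):
    """Abstract's variant: an injected deny statement rejects the request, so the
    resource is never touched, while the trace still reports what the
    unmodified policy would have decided."""
    real = evaluate(policy, first_request)
    guarded = evaluate(policy + [SIMULATION_DENY], first_request)
    return {"rejected": not guarded.allowed,
            "would_be_allowed": real.allowed,
            "reasons": real.reasons}


def perform(policy, req, executor):
    """Enforcement point: execute only a real (non-dry-run), authorized request."""
    decision = evaluate(policy, req)
    if req.dry_run or not decision.allowed:
        return decision, None
    return decision, executor(req)


# Constructed sample policy for a hypothetical object store.
POLICY = [
    {"sid": "AllowRead", "effect": "Allow",
     "actions": ["store:Get*", "store:List*"], "resources": ["bucket/*"]},
    {"sid": "DenySecret", "effect": "Deny",
     "actions": ["store:*"], "resources": ["bucket/secret/*"]},
]

if __name__ == "__main__":
    for res in ("bucket/public/a.txt", "bucket/secret/key.pem"):
        req = AccessRequest("alice", "store:GetObject", res)
        print(res, simulate(POLICY, req))
        print(res, simulate_with_deny_statement(POLICY, req))
```

The trace lists both the allowing and the denying statements that matched, which is what makes the result useful for debugging: a denied request on `bucket/secret/key.pem` shows that `AllowRead` would have granted it but `DenySecret` overrode it, whereas a denied `store:PutObject` shows that nothing matched at all. Because `perform` refuses to call the executor for any dry-run request regardless of the decision, the simulated second request can be routed through the same evaluation path as real traffic without side effects.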
Specification