ACCESS CONTROL POLICY CONVERSION

US 20090178107A1
Filed: 04/11/2008
Published: 07/09/2009
Est. Priority Date: 01/09/2008
Status: Active Grant

First Claim

Patent Images

1. A method for generating an access control policy data structure for a single-authorization-query access control system from a source policy data structure of an access control system in which primary authorizations can be subject to auxiliary constraints, authorizations in said data structures being defined in terms of subject, resource and action elements, the method comprising:

for each resource in a set of resources in the source policy data structure, analyzing the source policy data structure to identify primary authorizations relating to that resource;

for each primary authorization, generating and storing policy data representing a policy defining an access rule expressing that authorization in an access control policy data structure; and

for each primary authorization, analyzing the source policy data structure to identify any auxiliary constraints associated with that primary authorization, and, for each auxiliary constraint so identified(a) generating and storing, in said access control policy data structure, policy data representing a policy defining an access rule corresponding to the identified auxiliary constraint, the access rule having subject, resource and action elements determined by(a1) copying corresponding elements for the auxiliary constraint, subject to (a2) for each of the resource and action elements, at least if that element does not match that in the primary authorization, replacing the element by a wildcard element, and(b) defining a logical algorithm in the access control policy data structure to combine the auxiliary constraint policy with the primary authorization policy such that evaluation of the policy combination for an access query corresponding to the primary authorization yields the same result as in the source policy data structure.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are provided for generating an access control policy data structure for a single-authorization-query access control system from a source policy data structure of an access control system in which primary authorizations can be subject to auxiliary constraints. Authorizations in the data structures are defined in terms of subject, resource and action elements. For each resource in a set of resources in the source policy data structure, the data structure is analyzed to identify primary authorizations relating to that resource. For each primary authorization, policy data which represents a policy defining an access rule expressing that authorization is generated and stored in system memory and analyzed to identify any auxiliary constraints associated with that primary authorization. For each auxiliary constraint so identified, policy data is generated and stored in system memory.

52 Citations

View as Search Results

18 Claims

1. A method for generating an access control policy data structure for a single-authorization-query access control system from a source policy data structure of an access control system in which primary authorizations can be subject to auxiliary constraints, authorizations in said data structures being defined in terms of subject, resource and action elements, the method comprising:
- for each resource in a set of resources in the source policy data structure, analyzing the source policy data structure to identify primary authorizations relating to that resource;
  
  for each primary authorization, generating and storing policy data representing a policy defining an access rule expressing that authorization in an access control policy data structure; and
  
  for each primary authorization, analyzing the source policy data structure to identify any auxiliary constraints associated with that primary authorization, and, for each auxiliary constraint so identified(a) generating and storing, in said access control policy data structure, policy data representing a policy defining an access rule corresponding to the identified auxiliary constraint, the access rule having subject, resource and action elements determined by(a1) copying corresponding elements for the auxiliary constraint, subject to (a2) for each of the resource and action elements, at least if that element does not match that in the primary authorization, replacing the element by a wildcard element, and(b) defining a logical algorithm in the access control policy data structure to combine the auxiliary constraint policy with the primary authorization policy such that evaluation of the policy combination for an access query corresponding to the primary authorization yields the same result as in the source policy data structure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method as claimed in claim 1 wherein said auxiliary constraints comprise auxiliary authorizations.
  - 3. A method as claimed in claim 1 wherein, in step (b), the logical algorithm is one of a logical OR and a logical AND algorithm.
  - 4. A method as claimed in claim 1 including, for any primary authorization for which a plurality of auxiliary constraints are identified:
    - analyzing those constraints to identify any logical dependencies among the constraints; and
      
      for each logical dependency so identified, defining a logical algorithm in the access control policy data structure to combine the auxiliary constraint policies for the dependent constraints in accordance with that logical dependency.
  - 5. A method as claimed in claim 1 including, in step (a2), replacing each of the resource and action elements by a wildcard element regardless of whether the element matches that in the primary authorization.
  - 6. A method as claimed in claim 1 wherein said set of resources comprises all resources in the source policy data structure.
  - 7. A method as claimed in claim 1 including, in step (a), defining in the auxiliary constraint policy a fall-through rule which always denies access.
  - 8. A method as claimed in claim 1 wherein the access control policy data structure is an XACML policy data structure.
  - 9. A method as claimed in claim 1 wherein the source policy data structure represents an access control policy of a Tivoli Access Manager system, and wherein said auxiliary constraints comprise Traverse, ByPassPOP, and ByPassRule authorizations in the policy data structure.

10. A computer program comprising program code means for causing a computer to perform a method for generating an access control policy data structure for a single-authorization-query access control system from a source policy data structure of an access control system in which primary authorizations can be subject to auxiliary constraints, authorizations in said data structures being defined in terms of subject, resource and action elements, the method comprising:
- for each resource in a set of resources in the source policy data structure, analyzing the source policy data structure to identify primary authorizations relating to that resource;
  
  for each primary authorization, generating and storing policy data representing a policy defining an access rule expressing that authorization in an access control policy data structure; and
  
  for each primary authorization, analyzing the source policy data structure to identify any auxiliary constraints associated with that primary authorization, and, for each auxiliary constraint so identified(a) generating and storing, in said access control policy data structure, policy data representing a policy defining an access rule corresponding to the identified auxiliary constraint, the access rule having subject, resource and action elements determined by (a1) copying corresponding elements for the auxiliary constraint, subject to (a2) for each of the resource and action elements, at least if that element does not match that in the primary authorization, replacing the element by a wildcard element, and(b) defining a logical algorithm in the access control policy data structure to combine the auxiliary constraint policy with the primary authorization policy such that evaluation of the policy combination for an access query corresponding to the primary authorization yields the same result as in the source policy data structure.

11. Apparatus for generating an access control policy data structure for a single-authorization-query access control system from a source policy data structure of an access control system in which primary authorizations can be subject to auxiliary constraints, authorizations in said data structures being defined in terms of subject, resource and action elements, the apparatus comprising:
- memory for storing the data structures; and
  
  control logic configured;
  
  for each resource in a set of resources in the source policy data structure, to analyze that source policy data structure to identify primary authorizations relating to that resource;
  
  for each primary authorization, to generate and store in the memory an access contol policy data structure comprising policy data representing a policy defining an access rule expressing that authorization; and
  
  for each primary authorization, to analyze the source policy data structure to identify any auxiliary constraints associated with that primary authorization, and, for each auxiliary constraint so identified(a) to generate and store in the access control policy data structure in the memory policy data representing a policy defining an access rule corresponding to that constraint, the access rule having subject, resource and action elements determined by (a1) copying the corresponding elements for the auxiliary constraint, subject to (a2) for each of the resource and action elements, at least if that element does not match that in the primary authorization, replacing the element by a wildcard element, and(b) to define a logical algorithm in the access control policy data structure to combine the auxiliary constraint policy with the primary authorization policy such that evaluation of the policy combination for an access query corresponding to the primary authorization yields the same result as in the source policy data structure.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. Apparatus as claimed in claim 11 wherein the auxiliary constraints comprise auxiliary authorizations.
  - 13. Apparatus as claimed in claim 11 wherein the control logic is configured such that, in step (b), the logical algorithm is one of a logical OR and a logical AND algorithm.
  - 14. Apparatus as claimed in claim 11 wherein the control logic is configured such that, for any primary authorization for which a plurality of auxiliary constraints are identified, the control logic:
    - analyzes those constraints to identify any logical dependencies among the constraints; and
      
      for each logical dependency so identified, defines a logical algorithm in the access control policy data structure to combine the auxiliary constraint policies for the dependent constraints in accordance with that logical dependency.
  - 15. Apparatus as claimed in claim 11 wherein the control logic is configured such that, in step (a2), the control logic replaces each of the resource and action elements by a wildcard element regardless of whether the element matches that in the primary authorization.
  - 16. Apparatus as claimed in claim 11 wherein the control logic is configured such that, in step (a), the control logic defines in the auxiliary constraint policy a fall-through rule which always denies access.
  - 17. Apparatus as claimed in claim 11 for generating an XACML access control policy data structure.
  - 18. Apparatus as claimed in claim 11 for generating the access control policy data structure from a source policy data structure which represents an access control policy of a Tivoli Access Manager system, the control logic being configured to analyze the source policy data structure for each said primary authorization to identify auxiliary constraints comprising Traverse, ByPassPOP, and ByPassRule authorizations associated with that primary authorization.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Taiwan Semiconductor Manufacturing Company Limited
Original Assignee
International Business Machines Corporation
Inventors
Karjoth, Guenter, Van Herreweghen, Elsie A.

Granted Patent

US 8,122,484 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 16/24564   Applying rules; Deductive q...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

ACCESS CONTROL POLICY CONVERSION

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

ACCESS CONTROL POLICY CONVERSION

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links