ACCESS POLICY ANALYSIS
First Claim
1. One or more computer-readable storage media comprising executable instructions to perform a method of analyzing an access policy, the method comprising:
- abducing a set that comprises an assumption from information that comprises;
(a) an access query that evaluates to true or false depending on whether access to a resource is granted, and (b) one or more rules that govern access to said resource;
comparing said set with a plurality of tokens stored in a token store;
identifying a first one of said plurality of tokens based on a first finding that said first one of said plurality of tokens does not satisfy said set but has a similarity to said set; and
providing, to a person, a result that is based on said first one of said plurality of tokens.
2 Assignments
0 Petitions
Accused Products
Abstract
Software tools assist an access-policy analyst or creator to debug and/or author access policies. An access request contains a query that evaluates to either true or false depending on whether access is to be allowed. Abduction may be used to generate assumptions that, if true, would cause the access request to be true. The tool may perform analysis on the generated assumptions, such as: comparing the assumptions with tokens to detect errors in the tokens or to suggest changes to the tokens that would cause the query to be satisfied, or comparing the assumptions to a meta-policy. The tool may allow an analysis, policy author, or other person to interactively walk through assumptions in order to see the implications of the access policy.
75 Citations
20 Claims
-
1. One or more computer-readable storage media comprising executable instructions to perform a method of analyzing an access policy, the method comprising:
-
abducing a set that comprises an assumption from information that comprises;
(a) an access query that evaluates to true or false depending on whether access to a resource is granted, and (b) one or more rules that govern access to said resource;comparing said set with a plurality of tokens stored in a token store; identifying a first one of said plurality of tokens based on a first finding that said first one of said plurality of tokens does not satisfy said set but has a similarity to said set; and providing, to a person, a result that is based on said first one of said plurality of tokens. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A method of facilitating analysis of an access policy, the method comprising:
-
receiving a meta-policy that describes a first condition that is to be satisfied by the access policy that governs access to a resource; abducing one or more proofs of a query that evaluates to true or false depending on whether access to said resource is to be granted or denied, said abducing being based on information comprising;
(a) said query, (b) the policy;comparing said one or more proofs to said meta-policy; and providing a result indicating whether said access policy satisfies said meta-policy. - View Dependent Claims (9, 10, 11, 12, 13)
-
-
14. A system comprising:
-
one or more data remembrance components; one or more executable components that are stored in at least one of said one or more data remembrance components and that execute on at least one of one or more processors, wherein the executable components receive a query and a policy, either abduce one or more proofs of said query under which said query is true under said policy or that obtain said one or more proofs from an abduction engine, perform a comparison of said one or more proofs with either a meta-policy or one or more tokens in a token store, and provide a result based on said comparison. - View Dependent Claims (15, 16, 17, 18, 19, 20)
-
Specification