METHOD AND SYSTEM FOR THE SPECIFICATION AND ENFORCEMENT OF ARBITRARY ATTRIBUTE-BASED ACCESS CONTROL POLICIES

US 20090205018A1
Filed: 02/06/2009
Published: 08/13/2009
Est. Priority Date: 02/07/2008
Status: Abandoned Application

First Claim

Patent Images

1. A general attribute-based access control system, comprising:

at least one resource server that stores and retrieves computer-accessible resources referenced by objects to and from resource repositories;

at least one client module that authenticates human users, executes programs as processes on behalf of authenticated users, requests access to the computer-accessible resources referenced by the objects, and enforces access policies with respect to the objects;

an access control database including basic data sets and basic relations between the basic data sets, the basic data sets including data corresponding to users, user attributes, objects, object attributes, operations, policy classes, and the processes, wherein the objects are names for the computer-accessible resources to which access by processes is controlled and which may be stored on the at least one resource server, and each object is also an object attribute, the operations are actions that can be performed on the computer-accessible resources and also include administrative operations that create, delete, and update elements of the basic data sets and the basic relations, and a process is an instance of a computer program being executed on behalf of any of the users, has a unique identity, and issues access requests, and the basic relations including assignments, prohibitions, and obligations, wherein the assignments collectively are representations of the capabilities of the users to perform operations on the objects, the prohibitions are representations of the capabilities of the users that are denied to the users or the processes, and the obligations are representations of conditions under which the basic data sets and the basic relations are obligated to change in a manner also prescribed in the obligations; and

at least one server module including an access decision sub-module that computes a decision whether to grant or deny access to the computer-accessible resource referenced by any of the objects to any of the processes, an event processing sub-module that processes events, and an administrative sub-module that creates, deletes, and modifies elements of the basic data sets and the basic relations.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A general attribute-based access control system includes at least one resource server, at least one client module, an access control database including basic data sets and basic relations between the basic data sets, at least one server module including an access decision sub-module that computes a decision whether to grant or deny access to computer-accessible resources referenced by objects, an event processing sub-module that processes events, and an administrative sub-module that creates, deletes, and modifies elements of the basic data sets and the basic relations.

138 Citations

15 Claims

1. A general attribute-based access control system, comprising:
- at least one resource server that stores and retrieves computer-accessible resources referenced by objects to and from resource repositories;
  
  at least one client module that authenticates human users, executes programs as processes on behalf of authenticated users, requests access to the computer-accessible resources referenced by the objects, and enforces access policies with respect to the objects;
  
  an access control database including basic data sets and basic relations between the basic data sets, the basic data sets including data corresponding to users, user attributes, objects, object attributes, operations, policy classes, and the processes, wherein the objects are names for the computer-accessible resources to which access by processes is controlled and which may be stored on the at least one resource server, and each object is also an object attribute, the operations are actions that can be performed on the computer-accessible resources and also include administrative operations that create, delete, and update elements of the basic data sets and the basic relations, and a process is an instance of a computer program being executed on behalf of any of the users, has a unique identity, and issues access requests, and the basic relations including assignments, prohibitions, and obligations, wherein the assignments collectively are representations of the capabilities of the users to perform operations on the objects, the prohibitions are representations of the capabilities of the users that are denied to the users or the processes, and the obligations are representations of conditions under which the basic data sets and the basic relations are obligated to change in a manner also prescribed in the obligations; and
  
  at least one server module including an access decision sub-module that computes a decision whether to grant or deny access to the computer-accessible resource referenced by any of the objects to any of the processes, an event processing sub-module that processes events, and an administrative sub-module that creates, deletes, and modifies elements of the basic data sets and the basic relations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The general attribute-based access control system as recited in claim 1, wherein the at least one client module includes a user authentication sub-module configured to establish an association between the human users and the data corresponding to the users of the basic data sets through an authentication scheme, a user space sub-module that executes programs as processes that issue access requests on behalf of any authenticated user, and a policy enforcement sub-module that enforces access control decisions with respect to the access requests issued by the user space sub-module, and wherein any access request issued by any of the processes is a pair composed of any of the operations and any of the objects.
  - 3. The general attribute-based access control system as recited in claim 2, wherein the access decision sub-module comprises software configured for receiving requests for decisions from the policy enforcement sub-module of the client module, determining whether to grant or deny access based on the configuration of the access control database, and returning the decision to the policy enforcement sub-module of the client module.
  - 4. The general attribute-based access control system as recited in claim 3, wherein the resource servers, the access control database, the client modules, and the server modules are included within one or more computer systems.
  - 5. The general attribute-based access control system as recited in claim 4, wherein an assignment between entities can only be established between any of the users and any of the user attributes, any of the user attributes and any other of the user attributes, any of the user attributes and any of the policy classes, any first object attribute and any second object attribute where the second object attribute is not an object, any of the object attributes and any of the policy classes, any of the user attributes and any of the operations, or any set of the operations and any of the object attributes, such that no chain of assignments exists that starts and ends with the same entity, wherein the assignment relations are established by the execution of administrative operations, wherein any user, any user attribute, or any object attribute belongs to any policy class and any policy class contains any user, any user attribute, or any object attribute if there exists a chain of assignments that starts with the user, the user attribute, or the object attribute and ends with the policy class, wherein any user has any user attribute if there exists a chain of assignments that starts with the user and ends with the user attribute;
    - and wherein any object has any object attribute if there exists a chain of assignments that starts with the object and ends with the object attribute.
  - 6. The general attribute-based access control system as recited in claim 5, wherein the permission is any triple including any user, any of the operations, and any of the objects, derived from assignments, where for each of the policy classes containing the object, the user has a user attribute belonging to the policy class, and the object has an object attribute belonging to the policy class, and there is a set of the operations that contains the operation such that the user attribute is assigned to the set of the operations and the set of the operations is assigned to the object attribute.
  - 7. The general attribute-based access control system as recited in claim 6, wherein any pair comprising any of the operations and any of the objects is a capability of any user if the triple including the user, the operation, and the object is one of the permissions.
  - 8. The general attribute-based access control system as recited in claim 7, wherein the prohibition relations include user deny relations where each user deny relation is any triple comprising any of the users, any set of the operations, and any set of the objects, and process deny relations where each process deny relation is any triple comprising a process identifier, any set of the operations, and any set of the objects.
  - 9. The general attribute-based access control system as recited in claim 8, wherein the access decision sub-module is configured with a reference mediation function that determines whether to grant or deny any access request that includes any operation and any object, the access request being issued by any process identified by a unique process identifier and being executed on behalf of a unique user, the reference mediation function grants the access request if the triple including the user, the operation, and the object is one of the permissions, and if no user-deny relation exists that includes the user, any set of the operations, and any set of the objects, where the operation included in the access request is included in the set of the operations of the user-deny relation and the object included in the access request is included in the set of the objects of the user-deny relation, and if no process-deny relation exists that includes the process identifier, any set of the operations, and any set of the objects, where the operation included in the access request is included in the set of the operations of the process-deny relation and the object included in the access request is included in the set of the objects of the process-deny relation, otherwise the reference mediation sub-module denies the access request.
  - 10. The general attribute-based access control system as recited in claim 9, wherein each of the obligation relations is any pair that includes an event pattern and a response, where the response includes a sequence of administrative operations applied to prescribed elements of the basic sets and the basic relations, and the event pattern specifies conditions that cause the event processing sub-module to execute the administrative operations on the prescribed elements when a successful execution of any operation on any object meets the conditions.
  - 11. The general attribute-based access control system as recited in claim 1, wherein the data of the basic data sets that corresponds to the users represents the human users.

12. A general attribute-based access control method, comprising:
- selecting an attribute-based access control policy for specification and enforcement;
  
  establishing a configuration of basic data sets in an access control database for the selected attribute-based access policy through execution of predefined administrative operations, the basic data sets including users, user attributes, operations, objects, object attributes, policy classes, and processes, the objects are names for computer-accessible resources to which access by the processes is controlled and which may be stored on a resource server, and each object is also an object attribute, the operations are actions that can be performed on a resource, and the processes are computer programs executed on behalf of any user having a unique identity and that can issue access requests; and
  
  establishing a configuration of basic relations between the basic data sets, the basic relations including assignments, prohibitions, and obligations for the selected attribute-based access policy, through execution of the predefined administrative operations, wherein any assignment between entities can be established only between any user and any user attribute, any user attribute and any other user attribute, any user attribute and any policy class, any first object attribute and any second object attribute where the second object attribute is not one of the objects, any object attribute and any policy class, any user attribute and any set of the operations, or any set of the operations and any object attribute, such that no chain of assignments exists that starts and ends with the same entity, wherein any user, any user attribute, or any object attribute belongs to any policy class and any policy class contains any user, any user attribute, or any object attribute if there exists a chain of assignments that starts with the user or user attribute or object attribute and ends with the policy class, wherein any user has any user attribute if there exists a chain of assignments that starts with the user and ends with the user attribute, wherein any object has any object attribute if there exists a chain of assignments that starts with the object and ends with the object attribute, wherein the prohibitions include user-deny relations and process-deny relations, where each user-deny relation is any triple that includes any user, any set of the operations, and any set of the objects and where each process deny relation is any triple that includes a process identifier, any set of the operations, and any set of the objects, wherein each of the obligations is any pair that includes an event pattern and a response, where the response includes a sequence of administrative operations applied to prescribed elements of the basic data sets and basic relations, and the event pattern specifies conditions that cause an event processing sub-module to execute the administrative operations on the prescribed elements when a successful execution of any operation on any object meets the conditions.
- View Dependent Claims (13, 14, 15)
- - 13. The general attribute-based access control method as recited in claim 12, further comprising selectively deriving permissions from the assignments, where each permission is any triple that includes any of the users, any of the operations, and any of the objects, where for each policy class containing the object, the user has a corresponding one of the user attributes belonging to the policy class, and the object has a corresponding one of the object attributes belonging to the policy class, and there is a set of the operations that includes the operation such that the corresponding user attribute is assigned to the set of the operations and the set of the operations is assigned to the corresponding object attribute.
  - 14. The general attribute-based access control method as recited in claim 13, further comprising:
    - establishing an association between a human user and a corresponding one of the users in the basic data set using an authentication scheme such that the human user becomes an authenticated user;
      
      establishing a session for the authenticated user, where the session includes a computer environment for the execution of the processes of the authenticated user; and
      
      establishing whether any of the objects are accessible to the authenticated user if there is any permission that includes the user, any operation, and any of the objects.
  - 15. The general attribute-based access control method as recited in claim 14, including:
    - executing a computer program within any process attempting to perform any operation on any object included in the objects that are deemed accessible;
      
      issuing an access request that includes the operation and the object that are subject to the execution attempt of the program to a policy enforcement sub-module;
      
      sending the access request from the policy enforcement sub-module to an access decision sub-module;
      
      determining in the access decision sub-module whether to grant or deny the access request using a reference mediation function that grants the access request if the triple that includes the authenticated user, the operation included in the access request, and the object included in the access request is any permission of the user and if no user-deny relation exists that is any triple including the authenticated user, any set of the operations, and any set of the objects, where the operation included in the access request is included in the set of the operations of the user-deny relation and the object included in the access request is included in the set of the objects of the user-deny relation, and if no process-deny relation exists that is any triple including the process identifier of the process, any set of the operations, and any set of the objects, where the operation included in the access request is included in the set of the operations of the process-deny relation and the object included in the access request is included in the set of the objects of the process-deny relation, otherwise the reference mediation function denies the access request;
      
      communicating the decision to grant or deny the access request to the policy enforcement sub-module, including communicating a physical location of a resource referenced by the object included in the access request if the decision is to grant;
      
      performing the operation included in the access request on the resource referenced by the object included in the access request and generating an event that includes the operation performed, the object, and a context including at least the user, the process identifier, and the object attributes that are assigned to the object for the decision to grant, or returning an error message to the process that issued the request if the decision is to deny; and
      
      searching for any obligation relations with event patterns that match the event, and executing the administrative operations in response to each obligation relation, thereby dynamically modifying a database configuration.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Committe For Information Technology Standards
Original Assignee
International Committe For Information Technology Standards
Inventors
Gavrila, Serban I., Ferraiolo, David F.

Application Number

US12/366,855
Publication Number

US 20090205018A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/6218 to a system of files or obj...

H04L 63/102 Entity profiles

METHOD AND SYSTEM FOR THE SPECIFICATION AND ENFORCEMENT OF ARBITRARY ATTRIBUTE-BASED ACCESS CONTROL POLICIES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

138 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

METHOD AND SYSTEM FOR THE SPECIFICATION AND ENFORCEMENT OF ARBITRARY ATTRIBUTE-BASED ACCESS CONTROL POLICIES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

138 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others