Auditing Authorization Decisions
Abstract
The auditing of authorization decisions is facilitated by integrating or coupling an audit policy to access control decisions. In an example implementation, an audit policy of an auditing scheme is coupled to a semantic framework of an access control scheme such that the audit policy is specified using at least a portion of the semantic framework. In another example implementation, audit policy rules include audit content rules that specify what audit information from any of the inputs, the outputs, or the internal data of authorization decisions is to be included in an audit record. In yet another example implementation, a semantic of an audit trigger rule comports with a semantic framework of an access request and of a logical evaluation for an authorization decision.
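The abstract describes three coupling points: an audit policy written in the access control scheme's own semantic framework, content rules that select from the inputs, outputs and internal data of a decision, and trigger rules whose semantics match those of the access request and its evaluation. The following is an added example written for this page, not code from the patent or its assignee, showing one way those three ideas fit together. The tuple-based predicate language, the first-applicable combining rule, the default-deny fallback, the `decision.<key>` naming used to expose outputs to trigger rules, and the sample policies and requests are all assumptions made for the illustration.

```python
"""Added example for this page: an audit policy written in the same predicate language as
the access rules, selecting inputs/outputs/internal data into audit records. Not code from the
patent or its assignee; the language, combining rule, default deny, `decision.*` naming and
sample policies are assumptions."""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Shared semantic framework (assumed syntax): nested tuples
#   ("eq", attr, value) | ("in", attr, [values]) | ("and", e, ...) | ("or", e, ...) | ("not", e)
Expr = Tuple[Any, ...]

def evaluate(expr: Expr, attrs: Dict[str, Any]) -> bool:
    op = expr[0]
    if op == "eq":
        return attrs.get(expr[1]) == expr[2]
    if op == "in":
        return attrs.get(expr[1]) in expr[2]
    if op == "and":
        return all(evaluate(e, attrs) for e in expr[1:])
    if op == "or":
        return any(evaluate(e, attrs) for e in expr[1:])
    if op == "not":
        return not evaluate(expr[1], attrs)
    raise ValueError(f"unknown operator {op!r}")

@dataclass
class AccessRule:
    name: str
    condition: Expr  # predicate over the access-request attributes
    effect: str      # "permit" or "deny"

@dataclass
class Decision:
    inputs: Dict[str, Any]    # the access request as received
    outputs: Dict[str, Any]   # final effect and the rule that produced it
    internal: Dict[str, Any]  # evaluation trace: every rule tried and whether it matched

def authorize(policy: List[AccessRule], request: Dict[str, Any]) -> Decision:
    """First-applicable combining; a request no rule covers falls through to deny."""
    trace = []
    for rule in policy:
        hit = evaluate(rule.condition, request)
        trace.append((rule.name, hit))
        if hit:
            return Decision(dict(request), {"effect": rule.effect, "rule": rule.name},
                            {"trace": trace, "combining": "first-applicable"})
    return Decision(dict(request), {"effect": "deny", "rule": None},
                    {"trace": trace, "combining": "first-applicable", "default": True})

@dataclass
class AuditRule:
    name: str
    trigger: Expr                  # same language as AccessRule.condition; sees request
                                   # attributes plus the outputs as "decision.<key>"
    content: Dict[str, List[str]]  # section -> keys to copy into the record; ["*"] = whole section

def audit(audit_policy: List[AuditRule], decision: Decision) -> List[Dict[str, Any]]:
    """Trigger rules decide whether to record; content rules decide what to record."""
    view = dict(decision.inputs)
    view.update({f"decision.{k}": v for k, v in decision.outputs.items()})
    records = []
    for ar in audit_policy:
        if not evaluate(ar.trigger, view):
            continue
        record: Dict[str, Any] = {"audit_rule": ar.name}
        for section, keys in ar.content.items():
            data = getattr(decision, section)  # "inputs", "outputs" or "internal"
            record[section] = dict(data) if keys == ["*"] else {k: data[k] for k in keys if k in data}
        records.append(record)
    return records

# Constructed sample policies (not from the patent).
ACCESS_POLICY = [
    AccessRule("deny-contractor-delete",
               ("and", ("eq", "role", "contractor"), ("eq", "action", "delete")), "deny"),
    AccessRule("permit-staff", ("in", "role", ["employee", "contractor"]), "permit"),
]
AUDIT_POLICY = [
    # Every denial: keep the full request and the evaluation trace for investigation.
    AuditRule("all-denials", ("eq", "decision.effect", "deny"),
              {"inputs": ["*"], "outputs": ["*"], "internal": ["trace"]}),
    # Permitted deletes: record only who deleted what and which rule allowed it.
    AuditRule("permitted-deletes",
              ("and", ("eq", "action", "delete"), ("eq", "decision.effect", "permit")),
              {"inputs": ["subject", "resource"], "outputs": ["rule"]}),
]

def process(request: Dict[str, Any]) -> Tuple[Decision, List[Dict[str, Any]]]:
    """Make the authorization decision and the audit records that the audit policy requires."""
    decision = authorize(ACCESS_POLICY, request)
    return decision, audit(AUDIT_POLICY, decision)
```

Calling `process({"subject": "alice", "role": "contractor", "action": "delete", "resource": "/docs/1"})` yields a denial and one `all-denials` record carrying the whole request, the outputs and the rule trace, while an employee's permitted delete yields only a `permitted-deletes` record limited to subject, resource and the deciding rule. The point of the shared predicate language is that an audit trigger such as "deletes by contractors" is spelled exactly like the access rule it is meant to observe, so the two policies cannot drift apart in vocabulary; the content rules then keep verbose evaluation traces out of records that do not need them.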
20 Claims
1. A device comprising:
  memory and a processor;
  an auditing scheme module, stored in the memory and executable on the processor; and
  an access control scheme module, stored in the memory and executable on the processor, that is integrated with the auditing scheme module,
  wherein the access control scheme module makes authorization decisions in response to access requests for resources, the authorization decisions including inputs, outputs, and internal data, and
  wherein the auditing scheme module includes an audit policy that comprises audit policy rules, the audit policy rules including audit content rules that specify what audit information from any of the inputs, the outputs, or the internal data is to be included in an audit record.
Dependent claims 2 to 8 (not shown).

9. One or more computer-readable storage media, storing computer-executable instructions that, when executed by a processor, configure the processor to perform acts comprising:
  receiving an access request for a resource by an access control scheme;
  performing by the access control scheme, at least partly in response to the access request, an authorization decision for the resource, the authorization decision comprising inputs, outputs, and internal data;
  specifying, by an auditing scheme, an audit policy comprising audit policy rules, the audit policy rules including audit content rules that specify what audit information from any of the inputs, the outputs, or the internal data is to be included in an audit record; and
  recording, by the auditing scheme, the audit record based at least in part on the specified audit policy.
Dependent claims 10 to 16 (not shown).

17. A computer-implemented method comprising:
  performed by one or more processors executing computer-readable instructions;
  receiving an access request for a resource;
  performing, at least partly in response to the access request, an authorization decision for the resource, the authorization decision comprising inputs, outputs, and internal data;
  specifying an audit policy comprising audit policy rules, the audit policy rules including audit content rules that specify what audit information from any of the inputs, the outputs, or the internal data is to be included in an audit record, wherein the audit content rules comprise a semantic framework; and
  recording the audit record based at least in part on the specified audit policy.
Dependent claims 18 to 20 (not shown).
Specification