SYSTEM AND METHOD FOR EVALUATING A REVERSE QUERY
First Claim
1. A computer-implemented method for real-time evaluation of a reverse query to an attribute-based access control (ABAC) policy (P), which is enforced to control access to one or more resources in a computer network, said method comprising the steps of:
i) receiving a reverse query indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests, each of which comprises one or more attributes appearing in the ABAC policy and explicit values assigned to these;
ii) extracting attributes to which all access requests in the set (R) assign identical values;
iii) reducing the ABAC policy at least by substituting values for the extracted attributes;
iv) caching the policy after said reducing as a simplified policy (P′);
v) translating the cached simplified policy (P′) and the given decision (d) into a satisfiable logic proposition in Boolean variables (v_i, i=1, 2, ...);
vi) deriving all variable assignments (c_j=[v_1=x_j1, v_2=x_j2, ...], j=1, 2, ...) satisfying the logic proposition; and
vii) extracting, based on the variable assignments thus derived, all access requests from the set (R) for which the ABAC policy (P) yields the given decision (d).
Abstract
Disclosed are real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method comprises: (i) receiving a reverse query and a set of admissible access requests, each of which comprises one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vii) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.
15 Claims
1. (Claim 1 is reproduced above under First Claim.) Claims 2 to 14 are dependent claims listed under claim 1 and are not reproduced on this page.
15. A computer system configured for real-time evaluation of a reverse query to an attribute-based access control (ABAC) policy, which is enforced to control access to one or more resources in a computer network, wherein the reverse query indicates a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests, each of which comprises one or more attributes appearing in the ABAC policy and explicit values assigned to these, said computer system comprising:
a data memory (12) operable to store one or more ABAC policies;
a partial request generation means operable to construct, based on said set (R) of admissible access requests, a partial request (r_partial) assigning values only to attributes associated with identical values throughout the set (R) of admissible requests;
a policy decision means connected to said partial request generation means and to the electronic storing means, and operable to evaluate said policy (P) for said partial request (r_partial), thereby yielding a simplified policy (P′);
a translation means, connected to said policy decision means and operable to translate said simplified policy (P′), said subset (R) of said set of possible requests, and said given decision (d) into a satisfiable logic proposition (F) in Boolean variables (v_i, i=1, 2, ...);
an analyzing means 483, connected to said translation means and operable to analyze said propositional logic formula (F) in order to determine a sequence ([c_1, ..., c_k]) of conditions over requests, each condition defining a variable assignment (c_j=[v_1=x_j1, v_2=x_j2, ...], j=1, 2, ...); and
a conversion means connected to said analyzing means, and operable to extract, based on said sequence [c_1, ..., c_k] of conditions, valid requests contained in said subset (R) which evaluate to said given decision (d).
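The procedure of claim 1, the abstract and claim 15 (partial request, simplified policy P′, proposition F, assignments c_j, extraction of matching requests), as a worked example added here; it is not the patent's own code and the patent fixes no policy language. Assumptions: rules are equality atoms combined with and/or/not under deny-overrides combining, brute-force enumeration over the remaining Boolean variables stands in for a SAT solver, and the policy and request set are constructed for the walk-through.

```python
"""Worked reverse-query evaluation over a small ABAC policy (added example)."""
from itertools import product

# Assumed policy model (the patent does not fix one): a rule is (effect, condition),
# effect in {"permit", "deny"}; a condition is True/False or a tuple
#   ("eq", attr, value) | ("and", *conds) | ("or", *conds) | ("not", cond)
# Rules are combined deny-overrides: an applicable deny rule wins over permits.

def substitute(cond, fixed):
    """Step (iii): replace atoms over attributes with known values by constants
    and fold the constants away."""
    if isinstance(cond, bool):
        return cond
    op = cond[0]
    if op == "eq":
        _, attr, value = cond
        return (fixed[attr] == value) if attr in fixed else cond
    if op == "not":
        inner = substitute(cond[1], fixed)
        return (not inner) if isinstance(inner, bool) else ("not", inner)
    parts = [substitute(c, fixed) for c in cond[1:]]
    absorbing, neutral = (False, True) if op == "and" else (True, False)
    if any(p is absorbing for p in parts):
        return absorbing
    parts = [p for p in parts if p is not neutral]
    if not parts:
        return neutral
    return parts[0] if len(parts) == 1 else (op, *parts)

def common_attributes(requests):
    """Step (ii) / the partial request r_partial: attributes that every request in R
    assigns the same value."""
    shared = set.intersection(*(set(r) for r in requests))
    first = requests[0]
    return {a: first[a] for a in shared if all(r[a] == first[a] for r in requests)}

def reduce_policy(policy, fixed):
    """Steps (iii)-(iv): the simplified policy P', dropping rules that can no longer apply."""
    reduced = [(effect, substitute(cond, fixed)) for effect, cond in policy]
    return [(effect, cond) for effect, cond in reduced if cond is not False]

def atoms(cond, acc=None):
    """Collect the (attr, value) atoms left in a condition; each becomes a Boolean v_i."""
    acc = set() if acc is None else acc
    if isinstance(cond, bool):
        return acc
    if cond[0] == "eq":
        acc.add((cond[1], cond[2]))
    else:
        for c in cond[1:]:
            atoms(c, acc)
    return acc

def evaluate(cond, assignment):
    """Truth value of a condition under an assignment atom -> bool."""
    if isinstance(cond, bool):
        return cond
    op = cond[0]
    if op == "eq":
        return assignment[(cond[1], cond[2])]
    if op == "not":
        return not evaluate(cond[1], assignment)
    combine = all if op == "and" else any
    return combine(evaluate(c, assignment) for c in cond[1:])

def translate(reduced, decision):
    """Step (v): the proposition F = 'P' yields decision' under deny-overrides:
    deny   <=> some deny rule applies
    permit <=> some permit rule applies and no deny rule applies."""
    denies = [c for e, c in reduced if e == "deny"]
    permits = [c for e, c in reduced if e == "permit"]
    any_deny = ("or", *denies) if denies else False
    any_permit = ("or", *permits) if permits else False
    if decision == "deny":
        return any_deny
    return ("and", any_permit, ("not", any_deny))

def satisfying_assignments(formula):
    """Step (vi): every assignment c_j of the variables v_i satisfying F. A SAT solver
    would enumerate these; brute force over 2^n stands in here, with the domain
    constraint that one attribute cannot equal two different values at once."""
    variables = sorted(atoms(formula))
    solutions = []
    for bits in product([False, True], repeat=len(variables)):
        assignment = dict(zip(variables, bits))
        true_attrs = [attr for (attr, _), on in assignment.items() if on]
        if len(true_attrs) != len(set(true_attrs)):
            continue  # e.g. role=doctor and role=nurse both true: no request yields this
        if evaluate(formula, assignment):
            solutions.append(assignment)
    return variables, solutions

def reverse_query(policy, decision, requests):
    """Steps (i)-(vii) end to end: the requests in R for which P yields the decision."""
    fixed = common_attributes(requests)
    reduced = reduce_policy(policy, fixed)
    formula = translate(reduced, decision)
    variables, solutions = satisfying_assignments(formula)
    # Step (vii): a request matches when its own assignment of the remaining atoms is
    # one of the solutions; requests differing only in irrelevant attributes share one.
    return [r for r in requests
            if {(a, v): r.get(a) == v for a, v in variables} in solutions]

# Constructed policy and request set for the walk-through (not from the patent).
POLICY = [
    ("permit", ("and", ("eq", "role", "doctor"), ("eq", "resource", "record"))),
    ("permit", ("and", ("eq", "role", "nurse"), ("eq", "resource", "record"),
                ("eq", "shift", "day"))),
    ("deny", ("eq", "status", "suspended")),
]
REQUESTS = [
    {"role": "doctor", "resource": "record", "status": "active", "shift": "night"},
    {"role": "nurse", "resource": "record", "status": "active", "shift": "day"},
    {"role": "nurse", "resource": "record", "status": "active", "shift": "night"},
    {"role": "admin", "resource": "record", "status": "active", "shift": "day"},
]

if __name__ == "__main__":
    fixed = common_attributes(REQUESTS)
    print("partial request:", fixed)
    print("simplified policy P':", reduce_policy(POLICY, fixed))
    for decision in ("permit", "deny"):
        hits = reverse_query(POLICY, decision, REQUESTS)
        print(decision, "->", [f"{r['role']}/{r['shift']}" for r in hits])
```

Because every request in the set fixes resource=record and status=active, the deny rule collapses to a constant and is dropped from P′, so the deny query is refuted without enumerating anything; the permit query is decided over only three remaining variables rather than by evaluating the full policy once per request, which is the point of steps (ii) to (iv).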