Abducing assertion to support access query
First Claim
1. One or more computer-readable storage media comprising computer-executable instructions to perform a method of facilitating access to a resource, the method comprising:
- creating a first answer set that comprises a first assertion, a first variable, and a first constraint that have been chosen, said first answer set satisfying one or more conditions comprising;
that a first set of assertions that comprises or is derived from said first answer set will, when presented to a guard that controls access to the resource, cause said guard to find that a query evaluates to true under a policy implemented by said guard;
creating a second answer set that comprises a second assertion, a second variable, and a second constraint that have been chosen, said second answer set satisfying one or more conditions comprising;
that a second set of assertions that comprises or is derived from said second answer set will, when presented to said guard, cause said guard to find that said query evaluates to true under said policy;
determining that said first answer set is not subsumed by said second answer set; and
providing a solution that comprises said first answer set.
2 Assignments
0 Petitions
Accused Products
Abstract
Logical abduction is used to derive the premises that support an access query. In a logic-based access-control system, a query, as to one or more principals'"'"' right to access one or more resources, is a statement that can be either true or false. The statement evaluates to true if the principal is allowed to access the resource under the existing set of assertions. Assertions that, if made, would cause the statement to be true can be abduced from the query and from the policy against which the truth of the query is to be judged. The abduced assertions can be used to assist in making the appropriate assertions to cause the query to evaluate to true so that access to the resource can be granted.
31 Citations
20 Claims
-
1. One or more computer-readable storage media comprising computer-executable instructions to perform a method of facilitating access to a resource, the method comprising:
-
creating a first answer set that comprises a first assertion, a first variable, and a first constraint that have been chosen, said first answer set satisfying one or more conditions comprising; that a first set of assertions that comprises or is derived from said first answer set will, when presented to a guard that controls access to the resource, cause said guard to find that a query evaluates to true under a policy implemented by said guard; creating a second answer set that comprises a second assertion, a second variable, and a second constraint that have been chosen, said second answer set satisfying one or more conditions comprising; that a second set of assertions that comprises or is derived from said second answer set will, when presented to said guard, cause said guard to find that said query evaluates to true under said policy; determining that said first answer set is not subsumed by said second answer set; and providing a solution that comprises said first answer set. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A method of managing access to a resource, the method comprising:
-
abducing, from first information that comprises (a) a query and (b) a policy implemented by a guard that controls access to the resource, a first answer set that comprises a first assertion set, said first answer set comprising a first assertion, a first variable, and a first constraint that have been chosen, said first assertion set comprising said first assertion; receiving, by said guard, a second assertion set that comprises either (a) said first assertion set, or (b) a third assertion set that is derived from said first assertion set by substituting at least one variable in place of at least one principal named in said first assertion set; determining, by said guard, that said query is true under said policy in the presence of second information that comprises said second assertion set; and based on said determining, allowing an entity to access the resource. - View Dependent Claims (10, 11, 12, 13, 14, 15)
-
-
16. system comprising:
-
one or more data remembrance components; one or more processors; a set of executable components that are stored in at least one of said one or more data remembrance components and that execute on at least one of said one or more processors, the set of executable components comprising; a first executable component that abduces a first answer set from information that comprises (a) a query, and (b) a policy that governs access to a resource, said first answer set satisfying a condition that said query is true under said policy in the presence of a set of one or more assertions that is consistent with said first answer set, said first answer set comprising a first assertion, a first variable, and a first constraint that have been chosen; and a second executable component makes a determination whether said first answer set is subsumed by a second answer set, said second answer set comprising a second assertion, a second variable, and a second constraint that have been chosen; and a communications component through which said system provides said first answer set, said second answer set, or both said first answer set and said second answer set. - View Dependent Claims (17, 18, 19, 20)
-
Specification