Access control policy conversion
First Claim
1. A method for generating an access control policy data structure for a single-authorization-query access control system from a source policy data structure of an access control system in which primary authorizations can be subject to auxiliary constraints, authorizations in said data structures being defined in terms of subject, resource and action elements, the method comprising:
- for each resource in a set of resources in the source policy data structure, analyzing the source policy data structure to identify primary authorizations relating to that resource;
for each primary authorization, generating and storing policy data representing a policy defining an access rule expressing that authorization in an access control policy data structure; and
for each primary authorization, analyzing the source policy data structure to identify any auxiliary constraints associated with that primary authorization, and, for each auxiliary constraint so identified(a) generating and storing, in said access control policy data structure, policy data representing a policy defining an access rule corresponding to the identified auxiliary constraint, the access rule having subject, resource and action elements determined by(a1) copying corresponding elements for the auxiliary constraint, subject to (a2) for each of the resource and action elements, at least if that element does not match that in the primary authorization, replacing the element by a wildcard element, and(b) defining a logical algorithm in the access control policy data structure to combine the auxiliary constraint policy with the primary authorization policy such that evaluation of the policy combination for an access query corresponding to the primary authorization yields the same result as in the source policy data structure.
5 Assignments
0 Petitions
Accused Products
Abstract
Methods and apparatus are provided for generating an access control policy data structure for a single-authorization-query access control system from a source policy data structure of an access control system in which primary authorizations can be subject to auxiliary constraints. Authorizations in the data structures are defined in terms of subject, resource and action elements. For each resource in a set of resources in the source policy data structure, the data structure is analyzed to identify primary authorizations relating to that resource. For each primary authorization, policy data which represents a policy defining an access rule expressing that authorization is generated and stored in system memory and analyzed to identify any auxiliary constraints associated with that primary authorization. For each auxiliary constraint so identified, policy data is generated and stored in system memory.
-
Citations
18 Claims
-
1. A method for generating an access control policy data structure for a single-authorization-query access control system from a source policy data structure of an access control system in which primary authorizations can be subject to auxiliary constraints, authorizations in said data structures being defined in terms of subject, resource and action elements, the method comprising:
-
for each resource in a set of resources in the source policy data structure, analyzing the source policy data structure to identify primary authorizations relating to that resource; for each primary authorization, generating and storing policy data representing a policy defining an access rule expressing that authorization in an access control policy data structure; and for each primary authorization, analyzing the source policy data structure to identify any auxiliary constraints associated with that primary authorization, and, for each auxiliary constraint so identified (a) generating and storing, in said access control policy data structure, policy data representing a policy defining an access rule corresponding to the identified auxiliary constraint, the access rule having subject, resource and action elements determined by (a1) copying corresponding elements for the auxiliary constraint, subject to (a2) for each of the resource and action elements, at least if that element does not match that in the primary authorization, replacing the element by a wildcard element, and (b) defining a logical algorithm in the access control policy data structure to combine the auxiliary constraint policy with the primary authorization policy such that evaluation of the policy combination for an access query corresponding to the primary authorization yields the same result as in the source policy data structure. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A computer program comprising program code means for causing a computer to perform a method for generating an access control policy data structure for a single-authorization-query access control system from a source policy data structure of an access control system in which primary authorizations can be subject to auxiliary constraints, authorizations in said data structures being defined in terms of subject, resource and action elements, the method comprising:
-
for each resource in a set of resources in the source policy data structure, analyzing the source policy data structure to identify primary authorizations relating to that resource; for each primary authorization, generating and storing policy data representing a policy defining an access rule expressing that authorization in an access control policy data structure; and for each primary authorization, analyzing the source policy data structure to identify any auxiliary constraints associated with that primary authorization, and, for each auxiliary constraint so identified (a) generating and storing, in said access control policy data structure, policy data representing a policy defining an access rule corresponding to the identified auxiliary constraint, the access rule having subject, resource and action elements determined by (a1) copying corresponding elements for the auxiliary constraint, subject to (a2) for each of the resource and action elements, at least if that element does not match that in the primary authorization, replacing the element by a wildcard element, and (b) defining a logical algorithm in the access control policy data structure to combine the auxiliary constraint policy with the primary authorization policy such that evaluation of the policy combination for an access query corresponding to the primary authorization yields the same result as in the source policy data structure.
-
-
11. Apparatus for generating an access control policy data structure for a single-authorization-query access control system from a source policy data structure of an access control system in which primary authorizations can be subject to auxiliary constraints, authorizations in said data structures being defined in terms of subject, resource and action elements, the apparatus comprising:
-
memory for storing the data structures; and control logic configured; for each resource in a set of resources in the source policy data structure, to analyze that source policy data structure to identify primary authorizations relating to that resource; for each primary authorization, to generate and store in the memory an access contol policy data structure comprising policy data representing a policy defining an access rule expressing that authorization; and for each primary authorization, to analyze the source policy data structure to identify any auxiliary constraints associated with that primary authorization, and, for each auxiliary constraint so identified (a) to generate and store in the access control policy data structure in the memory policy data representing a policy defining an access rule corresponding to that constraint, the access rule having subject, resource and action elements determined by (a1) copying the corresponding elements for the auxiliary constraint, subject to (a2) for each of the resource and action elements, at least if that element does not match that in the primary authorization, replacing the element by a wildcard element, and (b) to define a logical algorithm in the access control policy data structure to combine the auxiliary constraint policy with the primary authorization policy such that evaluation of the policy combination for an access query corresponding to the primary authorization yields the same result as in the source policy data structure. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
-
Specification