Delegation in logic-based access control
First Claim
1. One or more computer-readable memories having stored thereon executable instructions to perform a method of facilitating access to a resource, the method comprising:
- abducing a first set of one or more assertions from information that comprises an access request for a first principal to access the resource, a system that performs said abducing not having in possession said first set of one or more assertions, said abducing being performed by acts comprising:
  - receiving a first answer set and a second answer set, said first answer set comprising said first set of one or more assertions, said second answer set comprising a second set of one or more assertions, said first set of said one or more assertions and said second set of said one or more assertions each satisfying a condition that either said first set of one or more assertions or said second set of one or more assertions will, when presented to a guard of the resource, cause said guard to find that a query evaluates to true under a policy implemented by said guard; and
  - determining that said first answer set is not subsumed by said second answer set;
- receiving a template that specifies said first set of one or more assertions;
- obtaining a first token that satisfies a first one of said first set of one or more assertions;
- presenting, to said guard, (a) a set of one or more tokens that comprises said first token, and (b) said access request;
- receiving access to said resource from said guard; and
- accessing said resource.
Abstract
Access to a resource may be controlled by a policy, such that a request to access the resource is either granted or denied based on what assertions have been made by various principals. To find the assertions that support a grant of access to the resource, a template may be created that defines the nature of assertions that would cause access to succeed. Assertions may be stored in the form of tokens. The template may be used to search an existing token store to find assertions that have been made, and/or to generate assertions that have not been found in the token store and that would satisfy the template. The assertions in the template may be created by performing an abductive reasoning process on an access query.
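The flow the abstract describes (abduce candidate assertion sets from an access query, discard subsumed ones, use a surviving set as a template against a token store, present tokens to the guard), as an added example that is not taken from the patent. The policy, principals and assertion strings are constructed, tokens are modelled as unsigned strings, the policy is assumed acyclic, and "subsumed" is assumed to mean "strict superset of another answer set", which the page does not define.

```python
from itertools import product

# Constructed policy: a head holds when every atom in any one of its bodies holds.
# Atoms with no rule are assertions some principal would have to make (abducibles).
POLICY = {
    "bob can read foo.txt": [
        ["admin says bob can read foo.txt"],
        ["bob is employee", "admin says employees can read foo.txt"],
    ],
    "bob is employee": [
        ["hr says bob is employee"],
        ["hr says bob is employee", "manager says bob is employee"],
    ],
}

def abduce(goal, policy):
    """Return every answer set: assertions that, if presented, make goal true."""
    if goal not in policy:
        return {frozenset([goal])}
    answers = set()
    for body in policy[goal]:
        # Pick one answer set per body atom and merge them.
        for combo in product(*(abduce(atom, policy) for atom in body)):
            answers.add(frozenset().union(*combo))
    return answers

def prune_subsumed(answers):
    """Drop answer sets subsumed by another (assumed: strict superset of it)."""
    return {a for a in answers if not any(b < a for b in answers)}

def fill_template(template, token_store):
    """Split a template into assertions found as tokens and ones still missing."""
    found = {a for a in template if a in token_store}
    return found, set(template) - found

def guard(query, tokens, policy):
    """Guard-side evaluation of the query against presented tokens."""
    if query not in policy:
        return query in tokens
    return any(all(guard(atom, tokens, policy) for atom in body)
               for body in policy[query])

if __name__ == "__main__":
    templates = prune_subsumed(abduce("bob can read foo.txt", POLICY))
    store = {"hr says bob is employee"}  # constructed token store
    for t in sorted(templates, key=sorted):
        found, missing = fill_template(t, store)
        print(sorted(t), "missing:", sorted(missing),
              "granted now:", guard("bob can read foo.txt", found, POLICY))
```

The `missing` set is what the requester still has to obtain from other principals before the guard will grant the request.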
19 Claims
8. A method of facilitating access to a resource, the method comprising:
using a processor to perform acts comprising:
- abducing a first plurality of assertions from information that comprises an access request and a policy under which a guard controls access to the resource, a system that performs said abducing not having in possession said first plurality of assertions, said abducing being performed by acts comprising:
  - receiving a first answer set and a second answer set, said first answer set comprising said first plurality of assertions, said second answer set comprising a second plurality of assertions, said first plurality of assertions and said second plurality of assertions each satisfying a condition that either said first plurality of assertions or said second plurality of assertions will, when presented to a guard of the resource, cause said guard to find that a query evaluates to true under a policy implemented by said guard; and
  - determining that said first answer set is not subsumed by said second answer set;
- receiving, from a first principal, a template that specifies said first plurality of assertions and that further specifies a first token that satisfies a first one of said first plurality of assertions;
- determining from the template that a second one of said first plurality of assertions can be satisfied by a second token containing an assertion made by a second principal;
- retrieving or generating said second token;
- sending the guard of the resource said access request which includes a set of tokens which satisfy the template; and
- gaining access to the resource based on the request.
13. A system comprising:
- one or more data remembrance components;
- one or more processors;
- a template stored in said one or more data remembrance components, said template specifying a first set of one or more assertions;
- one or more executable components that are stored in said one or more data remembrance components, and that execute on said one or more processors, and that retrieve or generate a first token that satisfies a first one of said first set of one or more assertions, and that create a first data structure that comprises one or more tokens that, together with an access request, allow a first principal to access a resource to be true under a policy, said one or more tokens comprising said first token;
- a guard that evaluates said first data structure and determines whether to allow said first principal access to said resource based on said access request and said one or more tokens; and
- an abduction component that abduces said first set of one or more assertions from information that comprises an access request for said first principal to access the resource, said abduction component not having in possession said first set of one or more assertions, said abduction component abducing said first set of one or more assertions by:
  - receiving a first answer set and a second answer set, said first answer set comprising said first set of one or more assertions, said second answer set comprising a second set of one or more assertions, said first set of said one or more assertions and said second set of said one or more assertions each satisfying a condition that either said first set of one or more assertions or said second set of one or more assertions will, when presented to said guard, cause said guard to find that a query evaluates to true under a policy implemented by said guard; and
  - determining that said first answer set is not subsumed by said second answer set.
Specification