Provisioning access control using SDDL on the basis of a XACML policy
Abstract
A method is disclosed, and a corresponding data carrier and policy converter, for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network. A reverse query is produced indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests. Based on the reverse query, the XACML policy (P) and the given decision (d) are translated into a satisfiable logic proposition in Boolean variables (v_i, i = 1, 2, ...). From said ROBDD, variable assignments (RC_j = [ARC_j1: v_1 = x_j1, ARC_j2: v_2 = x_j2, ...], j = 1, 2, ...) satisfying the logic proposition are derived, and at least one SDDL rule is created based on said variable assignments (RC_j = [ARC_j1: v_1 = x_j1, ARC_j2: v_2 = x_j2, ...], j = 1, 2, ...) satisfying the logic proposition.
11 Claims
1. A computer-implemented method for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), said method comprising:
- providing, on a non-transitory computer readable media, a XACML policy (P) that, when implemented by a processor, is configured to control access to one or more resources in a computer network;
- feeding the XACML policy (P) to a transformation engine, the transformation engine including software that, when executed by a processor, creates the at least one SDDL rule;
- producing a reverse query indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests;
- translating, by the transformation engine based on the reverse query, the XACML policy (P) and the given decision (d) into a satisfiable logic proposition in Boolean variables (v_i, i = 1, 2, ...);
- deriving, by the transformation engine, variable assignments (RC_j = [ARC_j1: v_1 = x_j1, ARC_j2: v_2 = x_j2, ...], j = 1, 2, ...) satisfying the logic proposition;
- creating, by the transformation engine, the at least one SDDL rule based on said variable assignments (RC_j = [ARC_j1: v_1 = x_j1, ARC_j2: v_2 = x_j2, ...], j = 1, 2, ...) satisfying the logic proposition, wherein the at least one SDDL rule, when implemented by a processor, is configured to control access to the one or more resources in a computer network;
- loading the at least one SDDL rule onto a non-transitory computer readable media of an SDDL system; and
- controlling access to the one or more resources in the computer network using the at least one SDDL rule.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A non-transitory storage medium storing computer executable instructions for performing a computer-implemented method for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network, said method comprising:
- producing a reverse query indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests;
- translating, based on the reverse query, the XACML policy (P) and the given decision (d) into a satisfiable logic proposition in Boolean variables (v_i, i = 1, 2, ...);
- deriving variable assignments (RC_j = [ARC_j1: v_1 = x_j1, ARC_j2: v_2 = x_j2, ...], j = 1, 2, ...) satisfying the logic proposition; and
- creating at least one SDDL rule based on said variable assignments (RC_j = [ARC_j1: v_1 = x_j1, ARC_j2: v_2 = x_j2, ...], j = 1, 2, ...) satisfying the logic proposition.
11. A system comprising:
- an XACML authority tool; and
- a hardware policy converter to implement a computer-implemented method for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network, said method comprising:
  - producing a reverse query indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests;
  - translating, based on the reverse query, the XACML policy (P) and the given decision (d) into a satisfiable logic proposition in Boolean variables (v_i, i = 1, 2, ...);
  - deriving variable assignments (RC_j = [ARC_j1: v_1 = x_j1, ARC_j2: v_2 = x_j2, ...], j = 1, 2, ...) satisfying the logic proposition; and
  - creating at least one SDDL rule based on said variable assignments (RC_j = [ARC_j1: v_1 = x_j1, ARC_j2: v_2 = x_j2, ...], j = 1, 2, ...) satisfying the logic proposition.
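To make the pipeline in the claims concrete, here is an added worked example; it is not the patent's own code or method. A constructed two-attribute policy with deny-overrides combining is evaluated by a brute-force reverse query over the finite attribute domains (standing in for the ROBDD-based derivation of satisfying assignments), and the resulting assignments are folded into SDDL ACEs. The policy, the ROLE_SID and ACTION_RIGHT tables and the S-1-5-21-... SIDs are all assumptions made for the example.

```python
from itertools import product

# Constructed policy (not from the page): attributes role and action, deny-overrides combining.
POLICY = [
    {"target": {"role": {"auditor"}, "action": {"write"}}, "effect": "Deny"},
    {"target": {"role": {"admin", "auditor"}, "action": {"read", "write"}}, "effect": "Permit"},
    {"target": {"role": {"user"}, "action": {"read"}}, "effect": "Permit"},
]
DOMAINS = {"role": ["admin", "auditor", "user", "guest"], "action": ["read", "write"]}
# Assumed mapping from attribute values to SDDL account SIDs and access rights;
# BA/BU are well-known SID strings, the S-1-5-21-... values are placeholders.
ROLE_SID = {"admin": "BA", "auditor": "S-1-5-21-0-0-0-1100",
            "user": "BU", "guest": "S-1-5-21-0-0-0-1200"}
ACTION_RIGHT = {"read": "GR", "write": "GW"}

def evaluate(policy, request):
    """Deny-overrides: any applicable Deny wins, else Permit if any rule applies, else NotApplicable."""
    effects = [r["effect"] for r in policy
               if all(request[a] in allowed for a, allowed in r["target"].items())]
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def reverse_query(policy, domains, decision, admissible=lambda req: True):
    """Return the assignments RC_j (requests) in the admissible set R for which the
    policy yields `decision`, by enumerating the finite attribute domains."""
    names = list(domains)
    hits = []
    for values in product(*(domains[n] for n in names)):
        req = dict(zip(names, values))
        if admissible(req) and evaluate(policy, req) == decision:
            hits.append(req)
    return hits

def to_aces(assignments, decision):
    """Fold assignments into one SDDL ACE per SID: (type;;rights;;;sid)."""
    ace_type = "A" if decision == "Permit" else "D"
    rights = {}
    for req in assignments:
        rights.setdefault(ROLE_SID[req["role"]], set()).add(ACTION_RIGHT[req["action"]])
    order = list(ACTION_RIGHT.values())
    return "".join(f"({ace_type};;{''.join(sorted(r, key=order.index))};;;{sid})"
                   for sid, r in rights.items())

def build_dacl(policy, domains):
    """Emit the DACL string with deny ACEs first, as Windows canonical order expects."""
    return ("D:" + to_aces(reverse_query(policy, domains, "Deny"), "Deny")
            + to_aces(reverse_query(policy, domains, "Permit"), "Permit"))

if __name__ == "__main__":
    print(build_dacl(POLICY, DOMAINS))
```

Requests that evaluate to NotApplicable produce no ACE, and a Windows DACL treats a subject with no matching allow ACE as denied, so the translation silently turns NotApplicable into deny; confirm that this matches the intended XACML semantics before deploying the generated descriptor.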