HIGHLY PARALLEL EVALUATION OF XACML POLICIES
First Claim
1. A method performed by a network element, the method comprising:
- in response to a request received from a client for accessing a resource of an application server of a datacenter having a plurality of servers, extracting a plurality of attributes from the request, the attributes including at least one of a user attribute identifying a user of the client and an environment attribute identifying an environment associated with the user;
- concurrently performing a plurality of individual searches, one for each of the extracted attributes, in a policy store having stored therein a plurality of rules and policies written in XACML (extensible access control markup language), wherein the rules and policies are optimally stored including being indexed using a bit vector algorithm;
- combining individual search results associated with the attributes to generate a single final result using a predetermined policy combination algorithm; and
- determining whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, wherein the network element operates as an application service gateway to the datacenter.
Abstract
Techniques for highly parallel evaluation of XACML policies are described herein. In one embodiment, attributes are extracted from a request for accessing a resource including at least one of a user attribute and an environment attribute. Multiple individual searches are concurrently performed, one for each of the extracted attributes, in a policy store having stored therein rules and policies written in XACML, where the rules and policies are optimally stored using a bit vector algorithm. The individual search results associated with the attributes are then combined to generate a single final result using a predetermined policy combination algorithm. It is then determined whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, where the network element operates as an application service gateway to the datacenter. Other methods and apparatuses are also described.
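The pipeline the abstract and claim 1 describe (one search per extracted attribute run concurrently against a bit-vector-indexed rule store, the per-attribute results intersected, and a combining algorithm turning the surviving rules into one decision that a default-deny enforcement point acts on), as an added Python example that is not part of the patent. The rule set, the attribute names ("role" as the user attribute, "time-of-day" as the environment attribute), the request dictionaries and the three combining algorithms are constructed for illustration; the bit-vector layout (one bit per rule, one vector per attribute value plus a per-attribute wildcard vector) is this example's own choice, not the indexing scheme the patent specifies.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from functools import reduce
from operator import and_

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str    # PERMIT or DENY
    target: dict   # attribute name -> set of accepted values; an attribute
                   # absent from the dict is unconstrained (any value matches)


# Constructed sample rule set (not from the patent). "role" stands in for a
# user attribute, "time-of-day" for an environment attribute.
RULES = [
    Rule("r0", PERMIT, {"role": {"admin"}}),
    Rule("r1", PERMIT, {"role": {"developer"}, "resource": {"/api/builds"}}),
    Rule("r2", DENY, {"time-of-day": {"night"}}),
    Rule("r3", DENY, {"role": {"developer"}, "resource": {"/api/secrets"}}),
    Rule("r4", PERMIT, {"resource": {"/api/public"}}),
]


class BitVectorIndex:
    """Bit i of every vector stands for rules[i]. For each (attribute, value)
    the index keeps the vector of rules whose target accepts that value; a
    per-attribute wildcard vector holds the rules that leave the attribute
    unconstrained, so one OR per lookup covers both cases."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.all_bits = (1 << len(self.rules)) - 1
        self.attrs = {a for r in self.rules for a in r.target}
        self.by_value = {a: {} for a in self.attrs}
        self.wildcard = {a: 0 for a in self.attrs}
        for i, rule in enumerate(self.rules):
            bit = 1 << i
            for attr in self.attrs:
                accepted = rule.target.get(attr)
                if accepted is None:
                    self.wildcard[attr] |= bit
                else:
                    bucket = self.by_value[attr]
                    for value in accepted:
                        bucket[value] = bucket.get(value, 0) | bit

    def lookup(self, attr, value):
        """One individual search: the rules that accept `value` for `attr`.
        An attribute no rule mentions constrains nothing, so it matches all."""
        if attr not in self.attrs:
            return self.all_bits
        return self.by_value[attr].get(value, 0) | self.wildcard[attr]

    def rules_from_bits(self, bits):
        return [r for i, r in enumerate(self.rules) if bits >> i & 1]


# Combining algorithms, applied to the effects of matching rules in rule order.
def deny_overrides(effects):
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NOT_APPLICABLE


def permit_overrides(effects):
    if PERMIT in effects:
        return PERMIT
    return DENY if DENY in effects else NOT_APPLICABLE


def first_applicable(effects):
    return effects[0] if effects else NOT_APPLICABLE


def decide(index, request, combine=deny_overrides):
    """PDP: run one lookup per extracted attribute concurrently, AND the
    vectors together, then combine the surviving rules' effects."""
    with ThreadPoolExecutor(max_workers=max(1, len(request))) as pool:
        vectors = list(pool.map(lambda kv: index.lookup(*kv), request.items()))
    # Attributes the rule set constrains but the request did not carry: only
    # rules that leave that attribute unconstrained can still apply.
    for attr in index.attrs - set(request):
        vectors.append(index.wildcard[attr])
    matched = reduce(and_, vectors, index.all_bits)
    return combine([r.effect for r in index.rules_from_bits(matched)])


def enforce(index, request, combine=deny_overrides):
    """PEP: only an explicit Permit lets the request through; NotApplicable
    (no rule matched) is treated as a deny."""
    return decide(index, request, combine) == PERMIT


if __name__ == "__main__":
    idx = BitVectorIndex(RULES)
    req = {"role": "developer", "resource": "/api/builds", "time-of-day": "night"}
    print(decide(idx, req, deny_overrides), decide(idx, req, permit_overrides))
```

The night-time developer request matches both r1 (Permit) and r2 (Deny), so the choice of combining algorithm decides the outcome: deny-overrides denies, permit-overrides permits, first-applicable follows rule order. A request that omits an attribute the rules constrain (for example no time-of-day) can only match rules that do not constrain it, and when nothing matches the PEP falls through to deny rather than granting access on NotApplicable.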
20 Claims
1. A method performed by a network element (independent claim; reproduced in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7.
8. A machine-readable storage medium having instructions stored therein, which when executed by a processing logic, cause the processing logic to perform a method, the method comprising:
- in response to a request received from a client for accessing a resource of an application server of a datacenter having a plurality of servers, extracting a plurality of attributes from the request, the attributes including at least one of a user attribute identifying a user of the client and an environment attribute identifying an environment associated with the user;
- concurrently performing a plurality of individual searches, one for each of the extracted attributes, in a policy store having stored therein a plurality of rules and policies written in XACML (extensible access control markup language), wherein the rules and policies are optimally stored including being indexed using a bit vector algorithm;
- combining individual search results associated with the attributes to generate a single final result using a predetermined policy combination algorithm; and
- determining whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, wherein the network element operates as an application service gateway to the datacenter.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A network element, comprising:
- a policy information point, in response to a request received from a client for accessing a resource of an application server of a datacenter having a plurality of servers, to extract a plurality of attributes from the request, the attributes including at least one of a user attribute identifying a user of the client and an environment attribute identifying an environment associated with the user;
- a policy decision point to concurrently perform a plurality of individual searches, one for each of the extracted attributes, in a policy store having stored therein a plurality of rules and policies written in XACML (extensible access control markup language), wherein the rules and policies are optimally stored including being indexed using a bit vector algorithm, and to combine individual search results associated with the attributes to generate a single final result using a predetermined policy combination algorithm; and
- a policy enforcement point to determine whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, wherein the network element operates as an application service gateway to the datacenter.
Dependent claims: 16, 17, 18, 19, 20.