Title of invention: Context-based security policy evaluation using weighted search trees
Abstract: A method, apparatus and computer program product for evaluating a context-based (e.g., XACML) policy having a set of attributes using a weighted index tree having one or more leaves extending from a root node. Each leaf of the tree represents a policy rule. A depth-first path down the leaf represents one or more attributes of the set of attributes that must be present in a request for the rule to be applicable. An input is evaluated against the weighted index tree to generate a response. One type of input is an authorization request, in which case the response is an authorization decision (e.g., permit or deny). Another type of input is a query for a set of entitlements, in which case the response is a set of entitlements.
Publication number: US9514286(B2) Publication date: 2016.12.06
Application number: US201012749665 Filing date: 2010.03.30
Applicant: International Business Machines Corporation Inventor: Forster Craig Robert William
Classification: G06F7/00;G06F21/10 Main classification: G06F7/00
Agency: none listed Agents: LaBaw Jeffrey S.; Judson David H.
Main claim: 1. A method for evaluating a context-based policy for access control, the policy having a set of attributes, the method comprising: identifying a frequency of each of a set of attribute values with respect to one another to define a relative frequency distribution; sorting the set of attribute values according to the relative frequency distribution; assigning an identifier to each of the sorted attribute values; using the identifiers assigned to the sorted attribute values, generating a search tree weighted according to the identifiers assigned to the sorted attribute values, each leaf of the search tree defining a rule, and wherein a depth-first path down the leaf represents one or more attributes of the set of attributes that must be present in a request for the rule to be applicable; evaluating a request against the search tree weighted according to the identifiers assigned to the sorted attribute values to generate a response; and having an access control mechanism that uses the response to perform an access control operation; at least one of the identifying, generating, evaluating and using steps being carried out in software executing on a hardware element.
Address: Armonk NY US
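The procedure of the main claim (frequency ranking of attribute values, identifier assignment, a search tree weighted by those identifiers, depth-first evaluation of both an authorization request and an entitlement query), as an added Python example that is not the patent's own code. The sample policy, the dict-based trie, deny-overrides combining and the use of "resource" as a wildcard attribute for entitlement queries are assumptions made here.

```python
from collections import Counter

# Constructed sample policy (not from the patent): each rule names the attribute/value
# pairs a request must carry (resource included) and the rule's effect.
RULES = [
    ("r1", {("role", "hr"), ("resource", "payroll")}, "Permit"),
    ("r2", {("role", "hr"), ("dept", "contractor"), ("resource", "payroll")}, "Deny"),
    ("r3", {("role", "hr"), ("resource", "reviews")}, "Permit"),
    ("r4", {("role", "eng"), ("resource", "source")}, "Permit"),
]

def assign_ids(rules):
    """Rank attribute values by how often rules reference them; the rank is both the
    identifier and the weight, so frequently used attributes sit nearest the root."""
    counts = Counter(av for _, attrs, _ in rules for av in attrs)
    return {av: rank for rank, av in enumerate(sorted(counts, key=lambda av: (-counts[av], av)))}

def build_tree(rules, ids):
    """Trie whose edges are attribute values ordered by weight; leaves hold the rules."""
    root = {}
    for name, attrs, effect in rules:
        node = root
        for av in sorted(attrs, key=ids.__getitem__):
            node = node.setdefault(av, {})
        node.setdefault("_rules", []).append((name, effect))
    return root

def applicable(tree, request, wildcard=None):
    """Depth-first walk: follow an edge only if its attribute value is in the request
    (or its attribute name equals the wildcard, used by entitlement queries)."""
    found, stack = [], [(tree, ())]
    while stack:
        node, path = stack.pop()
        found.extend((n, e, path) for n, e in node.get("_rules", []))
        for av, child in node.items():
            if av != "_rules" and (av in request or av[0] == wildcard):
                stack.append((child, path + (av,)))
    return found

def authorize(tree, request):
    """Authorization decision; deny-overrides combining is an assumption made here."""
    effects = {e for _, e, _ in applicable(tree, request)}
    return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"

def entitlements(tree, subject):
    """Resources the subject may reach: 'resource' is a wildcard; Deny beats Permit."""
    permitted, denied = set(), set()
    for _, e, path in applicable(tree, subject, wildcard="resource"):
        (permitted if e == "Permit" else denied).update(v for a, v in path if a == "resource")
    return permitted - denied
```

Because every rule path is sorted by the same weights, rules sharing their most common attributes share a prefix of the tree, so a request that lacks a common attribute prunes many rules in one step.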