GRAPHICAL INTERACTION TECHNIQUES FOR CONFIGURING AN ACCESS CONTROL MECHANISM IN A COMPUTER SYSTEM

摘要

An attribute-based access control (ABAC) policy governs the behaviour of an access control mechanism in a computer system which selectively permits and denies access to resources in the system. An administrator interface includes graphical elements that are responsive to user manipulation in such manner as allow the ABAC policy to be inspected and/or edited. In an online editing mode, a user's manipulations of the graphical representation have a direct effect on the behaviour of the access control mechanism.

主权项

1. A computer-implemented method of generating, on the basis of a textual representation of an attribute-based access control, ABAC, policy, an equivalent graphical representation of the ABAC policy,
wherein a computer system comprises a plurality of resources and an access control mechanism, which is configured to selectively restrict access to resources in accordance with the textual representation of the ABAC policy, the method comprising: defining a graphical symbol being a graphical counterpart of an element of an ABAC policy that is allowed under a predefined policy syntax and, optionally, defining a graphical symbol being a graphical counterpart of an allowed relationship between elements of the policy, wherein symbols are defined for at least a subset of all elements and relationships allowed under the policy syntax; initiating a data record indicative of a graphical representation; and traversing the textual representation of the ABAC policy and, in response to encountering an element or relationship for which a symbol has been defined, instantiating a corresponding symbol in the data record.