Title of invention: PROVISIONING SYSTEM-LEVEL PERMISSIONS USING ATTRIBUTE-BASED ACCESS CONTROL POLICIES
Abstract: A permissions provisioning module includes a data adapter and a permissions calculator associated with a policy evaluator operable to evaluate an ABAC policy. The module is adapted to interact with a computer system including resources, metadata and an access control mechanism enforcing, in respect of each resource, an access control list (ACL) associated with the resource. In operation, the data adapter receives metadata for said computer system and assigns values to attributes in the policy based on the metadata. The permissions calculator queries the policy evaluator on combinations of resources and principals of the system using the attribute values thus assigned, and returns permission data. The data adapter formats said permission data into ACLs for deployment in the computer system.
Publication number: US2016072814(A1) Publication date: 2016.03.10
Application number: US201414546018 Application date: 2014.11.18
Applicant: Axiomatics AB Inventor: MARTINELLI Andrés
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Main claim: 1. A permissions provisioning module adapted to interact with a computer system, which comprises: a plurality of resources, each resource being associated with an access control list (ACL) indicating permissions in respect of the resource; memory storing system metadata including metadata associated with the resources or metadata associated with principals of the system or both; an access control mechanism configured to selectively restrict principals' access to a resource in accordance with its associated ACL, wherein the access control mechanism of the computer system operates outside direct influence of the ABAC policy; and a processor configured to perform the functions of: a policy evaluator configured to evaluate an access query against an attribute-based access control (ABAC) policy based on a collection of attribute values at least sufficient to evaluate against the ABAC policy, which is retrievable by the policy evaluator and includes access rules expressed in terms of attributes; a data adapter configured to receive the system metadata and assign values to said attributes in the ABAC policy in accordance with the metadata, the attribute values being arranged resource-wise and principal-wise; and a permissions calculator configured to query the policy evaluator on combinations of resources and principals using the attribute values assigned by the data adapter, and to supply resulting permission data to the data adapter, wherein the data adapter is configured to arrange said permission data resource-wise, generate system-readable ACLs based thereon and supply the generated ACLs for deployment in the system.
Address: Stockholm SE
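The flow described in the abstract and claim (data adapter assigns attribute values from metadata, permissions calculator queries the policy evaluator over every resource/principal combination, data adapter arranges the results resource-wise into ACLs), as an added illustration that is not code from the patent or from Axiomatics. The metadata, the two-rule policy and the rule format are constructed for this example; a real deployment would evaluate an XACML-style policy and emit ACLs in the target system's native format.

```python
# Constructed system metadata: attributes kept resource-wise and principal-wise.
RESOURCES = {
    "/finance/q3.xlsx": {"dept": "finance", "classification": "confidential"},
    "/public/handbook.pdf": {"dept": "hr", "classification": "public"},
}
PRINCIPALS = {
    "alice": {"dept": "finance", "clearance": "confidential"},
    "bob": {"dept": "hr", "clearance": "internal"},
}
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

# Hypothetical ABAC policy: (rule name, condition over attributes, actions granted).
POLICY = [
    ("read-if-cleared",
     lambda r, p: LEVELS[p["clearance"]] >= LEVELS[r["classification"]], {"read"}),
    ("write-own-dept", lambda r, p: p["dept"] == r["dept"], {"write"}),
]


def policy_evaluator(policy, resource_attrs, principal_attrs):
    """Evaluate one access query: the set of actions the policy permits."""
    permitted = set()
    for _name, condition, actions in policy:
        if condition(resource_attrs, principal_attrs):
            permitted |= actions
    return permitted


def permissions_calculator(policy, resource_attrs, principal_attrs):
    """Query the evaluator on every (resource, principal) combination."""
    return {(r, p): policy_evaluator(policy, ra, pa)
            for r, ra in resource_attrs.items()
            for p, pa in principal_attrs.items()}


def data_adapter_format_acls(permission_data):
    """Arrange permission data resource-wise into ACLs.

    Principals with no permitted action get no ACL entry, so the
    system's own access control mechanism denies them by default.
    """
    acls = {}
    for (resource, principal), actions in permission_data.items():
        if actions:
            acls.setdefault(resource, {})[principal] = sorted(actions)
    return acls


def provision(policy=POLICY, resources=RESOURCES, principals=PRINCIPALS):
    """Full provisioning pass: metadata -> attribute values -> permission data -> ACLs."""
    return data_adapter_format_acls(permissions_calculator(policy, resources, principals))
```

Because the enforcing mechanism only sees the generated ACLs, they are a snapshot of the policy at provisioning time: a change in metadata (a principal's department or a resource's classification) or in the policy is not reflected until the provisioning pass is run again, so re-provisioning must be triggered on every such change.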