Title of invention Dynamic policy-based entitlements from external data repositories
Abstract A machine-implemented method for evaluating a context-based (e.g., XACML) policy having a set of attributes formulates a search against one or more existing external repositories using a query that is dynamically generated from the security policy being evaluated. The approach shifts the building of a candidate set of potentially allowable resources to the authorization engine (e.g., a Policy Decision Point (PDP)). In operation, an application calls the PDP with an entitlement request and, in response, the PDP builds the candidate set of values based on the defined security policy by generating a query to an external data repository and receiving the results of that query. This approach enables a policy-driven entitlement query at runtime.
Publication number US9231974(B2) Publication date 2016.01.05
Application number US201313839798 Filing date 2013.03.15
Applicant International Business Machines Corporation Inventors Pedroza Miguel; Forster Craig Robert William; Adtani Umesh Prithviraj; Shukla Yogesh Suresh
Classification G06F17/00; H04L29/06 Main classification G06F17/00
Agency Attorneys Labaw Jeffrey S.; Judson David H.
Main claim 1. A method for evaluating a context-based policy, the policy having a set of attributes, comprising: receiving an entitlement request for a set of one or more entitlement values to be used by the policy to evaluate an authorization request; upon receipt of the entitlement request, and based at least on the policy, formulating a search query against an external data repository; executing the search query against the external data repository and, in response, receiving, as a result, a candidate set of one or more entitlement values, wherein the candidate set of one or more entitlement values is bounded by the policy; evaluating the entitlement request against the policy and the result of the search query to generate a response to the entitlement request; wherein the receiving, formulating, executing and evaluating steps are implemented in software logic executing on a hardware element.
Address Armonk NY US
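The receive / formulate / execute / evaluate flow from the abstract and the main claim, as an added illustration that is not code from the patent or from IBM: a tiny PDP derives a parameterised query from the policy's own conditions, runs it against an in-memory stand-in for the external repository, and answers the entitlement request from the policy-bounded candidate set. The `Policy` class, the `resources` table and the sample rows are constructed for this example.

```python
import sqlite3
from dataclasses import dataclass, field

# Allowed comparison operators. Restricting policy conditions to this table,
# and passing values as bind parameters, keeps the generated query safe.
_OPS = {"eq": "=", "lt": "<", "gt": ">"}

@dataclass
class Policy:
    """XACML-like policy: every condition must hold for a resource to be allowed."""
    resource_type: str
    conditions: list = field(default_factory=list)  # (attribute, op, value)

def build_query(policy):
    """Formulate a parameterised search from the policy (the 'formulating' step)."""
    clauses, params = ["type = ?"], [policy.resource_type]
    for attr, op, value in policy.conditions:
        if not attr.isidentifier() or op not in _OPS:
            raise ValueError(f"rejected policy condition {attr!r} {op!r}")
        clauses.append(f"{attr} {_OPS[op]} ?")
        params.append(value)
    return "SELECT id FROM resources WHERE " + " AND ".join(clauses), params

def candidate_set(conn, policy):
    """Execute the search; the candidate set is bounded by the policy, not the caller."""
    sql, params = build_query(policy)
    return {row[0] for row in conn.execute(sql, params)}

def pdp_entitlements(conn, policy, requested):
    """Evaluate the entitlement request: which requested ids fall in the candidate set."""
    allowed = candidate_set(conn, policy)
    return {rid: rid in allowed for rid in requested}

def sample_repository():
    """Constructed in-memory stand-in for the external data repository."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resources (id TEXT, type TEXT, region TEXT, clearance INTEGER)")
    conn.executemany("INSERT INTO resources VALUES (?, ?, ?, ?)", [
        ("doc-1", "document", "eu", 1), ("doc-2", "document", "eu", 3),
        ("doc-3", "document", "us", 1), ("acct-9", "account", "eu", 1),
    ])
    return conn

if __name__ == "__main__":
    policy = Policy("document", [("region", "eq", "eu"), ("clearance", "lt", 2)])
    print(pdp_entitlements(sample_repository(), policy, ["doc-1", "doc-2", "doc-3"]))
```

The caller never supplies the query or the candidate list; it only names the values it wants to use, and the PDP decides which of them the policy actually permits.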