Title System and method for evaluating a reverse query
Abstract Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vii) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.
Publication number US9223992(B2) Publication date 2015.12.29
Application number US201113695880 Filing date 2011.07.19
Applicant AXIOMATICS AB Inventors Rissanen Erik;Giambiagi Pablo
Classification G06F21/00;G06F21/60 Main classification G06F21/00
Agency Buchanan Ingersoll & Rooney P.C. Agent Buchanan Ingersoll & Rooney P.C.
Main claim 1. A computer-implemented method for real-time evaluation of a reverse query to an attribute-based access control (ABAC) policy (P) comprising functional expressions dependent on attributes, wherein the ABAC policy is evaluable for an access request if the access request assigns a value to at least one of said attributes, wherein an access decision resulting from said evaluation is enforced to control access to one or more resources in a computer network, said method comprising the steps of: i) receiving a reverse query indicating a given access decision (d), which is one of permit access and deny access, and further indicating a set (R) of two or more access requests to the ABAC policy, each of which comprises one or more attributes appearing in the ABAC policy and explicit values assigned to these; ii) extracting attributes to which all access requests in the set (R) assign identical values by studying each of the attributes appearing in the access requests in the set (R) to discover whether equal or different values are assigned to them, wherein an attribute is extracted if all requests assign equal values to the attribute; iii) reducing the ABAC policy at least by substituting said equal values for each of the extracted attributes; iv) caching the ABAC policy after said reducing, as a simplified policy (P′) comprising at least one functional expression dependent on an attribute; v) translating the cached simplified policy (P′) and the given decision (d) into a satisfiable logic proposition in Boolean variables (v_i, i = 1, 2, ...); vi) deriving all variable assignments (c_j = [v_1 = x_j1, v_2 = x_j2, ...], j = 1, 2, ...) satisfying the logic proposition; vii) extracting, based on the variable assignments thus derived, all access requests from the set (R) for which the ABAC policy (P) yields the given decision (d); and viii) controlling access to the one or more resources in the computer network based on the access decision resulting from the evaluation of the ABAC policy.
Address Stockholm SE
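A toy, added example of the procedure in claim 1 (not Axiomatics' code or the patent's own embodiment): conditions are nested tuples ("eq", attribute, value), ("and", ...), ("or", ...), ("not", ...) or True/False, a policy is a first-applicable list of (decision, condition) rules, and the solution derivation of steps v/vi is done by enumerating assignments of the remaining attributes over the values that appear in R rather than with a SAT solver. The policy and the request set R are constructed for illustration.

```python
from itertools import product
def reduce_cond(cond, bound):
    """Step iii: substitute the attributes in `bound` into a condition and constant-fold."""
    if isinstance(cond, bool):
        return cond
    op = cond[0]
    if op == "eq":
        return bound[cond[1]] == cond[2] if cond[1] in bound else cond
    parts = [reduce_cond(c, bound) for c in cond[1:]]
    if op == "not":
        return (not parts[0]) if isinstance(parts[0], bool) else ("not", parts[0])
    absorb = op == "or"  # True absorbs an OR, False absorbs an AND
    if absorb in parts:
        return absorb
    rest = [p for p in parts if not isinstance(p, bool)]
    return (not absorb) if not rest else rest[0] if len(rest) == 1 else (op, *rest)

def reduce_policy(policy, bound):
    """Steps iii/iv: P' keeps rules whose condition is not False, up to the first that is True."""
    simplified = []
    for decision, cond in policy:
        cond = reduce_cond(cond, bound)
        if cond is not False:
            simplified.append((decision, cond))
        if cond is True:  # later rules are unreachable under first-applicable combining
            break
    return simplified

def evaluate(policy, attrs):  # forward evaluation of a full request: first applicable rule wins
    return next((d for d, c in policy if reduce_cond(c, attrs) is True), "not_applicable")

def reverse_query(policy, requests, decision):
    """Steps ii-vii: return the requests in R for which P yields `decision`."""
    # Step ii: attributes to which every request in R assigns the same value.
    common = {k: v for k, v in requests[0].items() if all(r.get(k) == v for r in requests)}
    simplified = reduce_policy(policy, common)  # P', the part worth caching
    free = sorted(set().union(*requests) - set(common))
    domains = [list({r.get(k) for r in requests}) for k in free]
    # Steps v/vi: every assignment of the free attributes under which P' yields d.
    solutions = {vals for vals in product(*domains)
                 if evaluate(simplified, {**common, **dict(zip(free, vals))}) == decision}
    # Step vii: map the solutions back onto the admissible requests.
    return [r for r in requests if tuple(r.get(k) for k in free) in solutions]

# Constructed sample P and R: every request shares action=read and resource.class=secret.
POLICY = [("deny", ("and", ("eq", "resource.class", "secret"), ("not", ("eq", "subject.clearance", "secret")))),
          ("permit", ("and", ("eq", "action", "read"), ("eq", "subject.dept", "finance"))),
          ("deny", True)]
REQUESTS = [{"action": "read", "resource.class": "secret", "subject.dept": d, "subject.clearance": c}
            for d in ("finance", "hr") for c in ("secret", "public")]
```

With the shared attributes substituted, P' shrinks to conditions on subject.clearance and subject.dept only, and the reverse query for "permit" returns just the finance request with secret clearance.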