Abstract
<p>Disclosed are real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, "permit" or "deny". The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method comprises: (i) receiving a reverse query and a subset of admissible access requests defined by constraints; (ii) constructing a partial request based on the subset; (iii) reducing the ABAC policy in accordance with the partial request; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition in Boolean variables; (vi) deriving all variable assignments satisfying the proposition; and (vii) processing the variable assignments, based on relationships between the variables and elements of the policy, in order to obtain a set of valid requests, which are contained in the subset and evaluate to the given decision.</p>
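<p>The following Python program walks through steps (ii) to (vii) of the method on a toy policy. It is an added illustration, not the patent's own implementation: the attribute domains, the four-rule policy, the first-applicable combining algorithm, the proposition encoding and every function name are constructed here. Each attribute value becomes one Boolean variable; the reduced policy and the requested decision become a formula over those variables plus exactly-one constraints per free attribute; a small backtracking enumerator yields every satisfying assignment, which is then mapped back to a concrete request.</p>

```python
"""Reverse query over a small ABAC policy: enumerate every request inside a
constrained subset that evaluates to a chosen decision.  Added example with
constructed domains, policy and names; not the patent's implementation."""
from itertools import product

# Constructed finite attribute domains (the method assumes enumerable values).
DOMAINS = {
    "role": ("admin", "analyst", "guest"),
    "resource": ("report", "config"),
    "action": ("read", "write"),
}

# Constructed policy: ordered rules under first-applicable combining.
# A target maps attribute -> set of matching values; a missing attribute
# matches any value, so the last rule is a catch-all default deny.
POLICY = [
    {"effect": "deny",   "target": {"role": {"guest"}, "action": {"write"}}},
    {"effect": "permit", "target": {"role": {"admin"}}},
    {"effect": "permit", "target": {"role": {"analyst"}, "resource": {"report"},
                                    "action": {"read"}}},
    {"effect": "deny",   "target": {}},
]


def evaluate(policy, request):
    """Ordinary forward evaluation; used only to cross-check the reverse query."""
    for rule in policy:
        if all(request[a] in vals for a, vals in rule["target"].items()):
            return rule["effect"]
    return "not-applicable"


def reduce_policy(policy, partial):
    """Step (iii): discard rules the partial request can never match, strip
    conditions it already satisfies, and cut rules shadowed by an
    unconditional one."""
    reduced = []
    for rule in policy:
        target = {}
        for attr, vals in rule["target"].items():
            if attr in partial:
                if partial[attr] not in vals:
                    break                  # rule can never apply: drop it
            else:
                target[attr] = vals        # still depends on a free attribute
        else:
            reduced.append({"effect": rule["effect"], "target": target})
            if not target:                 # every later rule is unreachable
                break
    return reduced


# Proposition AST: ("var", name) | ("not", f) | ("and", [f, ...]) | ("or", [f, ...])
def var(attr, val):
    return ("var", f"{attr}={val}")


def to_proposition(reduced, decision, free_attrs):
    """Step (v): formula that is true exactly when the reduced policy yields
    `decision` under first-applicable combining."""
    applicable = [("and", [("or", [var(a, v) for v in vals])
                           for a, vals in rule["target"].items()])
                  for rule in reduced]
    hits = [("and", [applicable[i]] + [("not", applicable[j]) for j in range(i)])
            for i, rule in enumerate(reduced) if rule["effect"] == decision]
    exactly_one = []                       # each free attribute has one value
    for a in free_attrs:
        exactly_one.append(("or", [var(a, v) for v in DOMAINS[a]]))
        for v1, v2 in product(DOMAINS[a], DOMAINS[a]):
            if v1 < v2:
                exactly_one.append(("or", [("not", var(a, v1)), ("not", var(a, v2))]))
    return ("and", [("or", hits)] + exactly_one)


def peval(f, assign):
    """Three-valued evaluation under a partial assignment (None = unknown)."""
    if f[0] == "var":
        return assign.get(f[1])
    if f[0] == "not":
        r = peval(f[1], assign)
        return None if r is None else not r
    vals = [peval(g, assign) for g in f[1]]
    if f[0] == "and":
        return False if False in vals else (None if None in vals else True)
    return True if True in vals else (None if None in vals else False)


def variables(f, acc=None):
    acc = set() if acc is None else acc
    if f[0] == "var":
        acc.add(f[1])
    else:
        for g in (f[1:] if f[0] == "not" else f[1]):
            variables(g, acc)
    return acc


def all_models(f):
    """Step (vi): backtracking enumeration of every satisfying assignment,
    pruning as soon as the partial assignment already falsifies f."""
    names = sorted(variables(f))

    def go(i, assign):
        r = peval(f, assign)
        if r is False:
            return
        if i == len(names):
            yield dict(assign)             # all variables set and r is True
            return
        for b in (False, True):
            assign[names[i]] = b
            yield from go(i + 1, assign)
            del assign[names[i]]
    yield from go(0, {})


def reverse_query(policy, decision, constraints):
    """Steps (i)-(vii): every request satisfying `constraints` that evaluates
    to `decision`, as a sorted list of attribute dicts."""
    partial = dict(constraints)                          # (ii) partial request
    reduced = reduce_policy(policy, partial)             # (iii)/(iv)
    free = [a for a in DOMAINS if a not in partial]
    prop = to_proposition(reduced, decision, free)       # (v)
    requests = []
    for model in all_models(prop):                       # (vi)
        req = dict(partial)                              # (vii) vars -> request
        for name, truth in model.items():
            if truth:
                attr, val = name.split("=", 1)
                req[attr] = val
        requests.append(req)
    return sorted(requests, key=lambda r: tuple(r[a] for a in DOMAINS))


if __name__ == "__main__":
    for req in reverse_query(POLICY, "permit", {"resource": "config"}):
        print(req, "->", evaluate(POLICY, req))
```

<p>Running the query for decision "permit" constrained to resource=config returns only the two admin requests, while the same constraint with "deny" returns the remaining four; the exactly-one clauses are what keep the enumerator from producing assignments that correspond to no real request.</p>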