| 主权项 |
1. A computer-implemented method of constructing a simplified attribute-based access control (ABAC) policy equivalent to a full ABAC policy, comprising:
inputting, by an input unit of a computing device, a full ABAC policy comprising a plurality of attribute-dependent expressions, wherein each expression is evaluable to one of Not applicable, Indeterminate and either Permit or Deny; inputting, by the input unit of the computing device, a partial request comprising at least one attribute value and at least one attribute identified as variable; partially evaluating, by a processor of the computing device, said full ABAC policy by substituting said at least one attribute value for a corresponding attribute appearing in an expression in the policy, by evaluating said expression completely, and by forming, based on an evaluation result on closed form obtained by the complete evaluation of said expression and predetermined simplification rules, a simplified ABAC policy equivalent to the full ABAC policy; outputting, by an output unit of the computing device, said simplified ABAC policy; and utilizing said simplified ABAC policy in place of said full ABAC policy to control access to entities of a system or network, wherein said simplified ABAC policy comprises an expression dependent on at least a first argument, which is a subordinate attribute-dependent expression dependent on at least one of the at least one attribute identified as variable, and a second argument, which is a result data field for storing said evaluation result, wherein the result data field comprises:
a target result field operable to store at least a Not applicable result from the evaluation of the expression itself, oran argument data field operable to store at least an Indeterminate result as said evaluation result. |
