Title Provisioning user permissions using attribute-based access-control policies
Abstract An attribute-based access control policy (e.g., XACML policy) for a set of elements depends on attributes carried by elements in one of several predefined categories. In order to evaluate such a policy for a set of elements, the invention provides a method including the steps of (I) selecting a primary category; (II) partitioning the elements in the primary category into equivalence classes with respect to their influence on the policy; and (III) using the equivalence classes to replace at least one policy evaluation by a deduction. The result of the evaluation may be represented as an access matrix in backward-compatible format. The efficiency of the policy evaluation may be further improved by applying partial policy evaluation at intermediate stages, by forming combined equivalence classes containing n-tuples of elements and/or by analyzing the influence of each element by extracting functional expressions of maximal length from the policy.
Publication number US8881226(B2) Publication date 2014.11.04
Application number US201213621338 Filing date 2012.09.17
Applicant Axiomatics AB Inventor Giambiagi Pablo
Classification G06F17/00;H04L29/06;G06F7/04;G06F12/14;G06F13/00;G06F17/30;G06F7/00 Main classification G06F17/00
Agency Nixon & Vanderhye P.C. Agent Nixon & Vanderhye P.C.
Main claim 1. A computer-implemented method of completely evaluating an attribute-based access control (ABAC) policy represented in the Extended Access Control Markup Language (XACML) language, for a set of elements in a computer system, wherein each element belongs to exactly one attribute category of several predefined categories selected from subjects, resources, actions and environments, wherein the access control policy is represented as a first data record and comprises functional expressions which depend on attributes, each pertaining to elements in one of several predefined categories and being characteristics of these elements, each element in the set being associated with at least one attribute value assumed by an attribute of the element, and wherein the policy controls access of subjects in the set of elements to resources in the set of elements in accordance with values of the policy, including Permit and Deny, the method comprising the steps of: i) selecting, by a computing device, one of the predefined attribute categories as a primary category; ii) for the selected attribute category, performing the substeps of: ii-1) extracting, from the policy, expressions containing attributes in no other than the selected category; ii-2) extracting, from elements in the selected attribute category, values assumed by the attributes appearing in the extracted expressions; ii-3) evaluating, by the computing device, the extracted expressions for the extracted values and partitioning the elements in the primary category accordingly into at least one primary equivalence class; vi) for an arbitrary vector comprising one element from each remaining category and an arbitrary one of said primary equivalence classes, performing the substeps of: vi-2) evaluating, by the computing device, the policy for a combination of the vector and an arbitrary element in the primary equivalence class, yielding a decision of the policy; and vi-3) deducing from said evaluation a further decision of the policy for a combination of the vector and a further element in the primary equivalence class; and vii) encoding the result of the evaluation as a second data record representing results of the evaluation of the ABAC policy as policy decisions associated with n-tuples of elements.
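The procedure in the abstract and in claim 1 (select a primary category, partition its elements by the value of every policy expression that mentions only that category, evaluate once per class, deduce for the rest) is illustrated below in an added Python example. It is not code from the patent or from Axiomatics: the toy policy language (conjunctions of single-category predicates with deny-overrides combining), the element data, the attribute names and all identifiers are constructed for this illustration. The example also evaluates every n-tuple the naive way and checks that the deduced access matrix is identical, which is the check a reviewer would want before trusting the shortcut.

```python
"""Equivalence-class evaluation of a toy ABAC policy (added example).

Only the procedure is taken from the claim; the policy representation,
combining convention, subjects, resources and actions are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Pred:
    """One atomic expression; it references attributes of exactly one category."""
    category: str   # "subject", "resource" or "action"
    attr: str
    op: str         # "==", "in", ">=", "<"
    value: object

    def test(self, element):
        v = element.get(self.attr)
        if v is None:               # missing attribute: the expression is false
            return False
        if self.op == "==":
            return v == self.value
        if self.op == "in":
            return v in self.value
        if self.op == ">=":
            return v >= self.value
        if self.op == "<":
            return v < self.value
        raise ValueError(f"unknown operator {self.op}")


@dataclass(frozen=True)
class Rule:
    effect: str     # "Permit" or "Deny"
    preds: tuple    # conjunction of Pred


def evaluate(policy, subject, resource, action):
    """Full evaluation of one (subject, resource, action) request.
    Constructed convention: deny-overrides, NotApplicable reported as Deny."""
    ctx = {"subject": subject, "resource": resource, "action": action}
    decision = "Deny"
    for rule in policy:
        if all(p.test(ctx[p.category]) for p in rule.preds):
            if rule.effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision


def single_category_preds(policy, category):
    """Step ii-1: the expressions that mention attributes of `category` only."""
    return list(dict.fromkeys(p for r in policy for p in r.preds if p.category == category))


def partition(elements, preds):
    """Steps ii-2/ii-3: elements with the same truth vector over `preds` cannot be
    told apart by the policy, so they form one equivalence class."""
    classes = defaultdict(list)
    for e in elements:
        classes[tuple(p.test(e) for p in preds)].append(e)
    return list(classes.values())


def evaluate_by_classes(policy, subjects, resources, actions):
    """Steps vi/vii with `subject` as primary category: one evaluation per
    (class, resource, action), the rest of the class deduced. Returns the access
    matrix, the number of full evaluations performed and the number of classes."""
    classes = partition(subjects, single_category_preds(policy, "subject"))
    matrix, evaluations = {}, 0
    for res, act in product(resources, actions):
        for cls in classes:
            decision = evaluate(policy, cls[0], res, act)      # vi-2: representative
            evaluations += 1
            for s in cls:                                      # vi-3: deduce for the others
                matrix[(s["id"], res["id"], act["id"])] = decision
    return matrix, evaluations, len(classes)


def evaluate_naive(policy, subjects, resources, actions):
    """Reference: evaluate every n-tuple; used to check that the deduction is sound."""
    matrix = {(s["id"], r["id"], a["id"]): evaluate(policy, s, r, a)
              for s, r, a in product(subjects, resources, actions)}
    return matrix, len(matrix)


# --- constructed sample data ---------------------------------------------------
SUBJECTS = [
    {"id": "alice", "role": "analyst", "clearance": 3},
    {"id": "bob",   "role": "analyst", "clearance": 2},
    {"id": "carol", "role": "admin",   "clearance": 3},
    {"id": "dave",  "role": "admin",   "clearance": 1},
    {"id": "erin",  "role": "intern",  "clearance": 1},
    {"id": "frank", "role": "analyst", "clearance": 3},   # same class as alice
    {"id": "grace", "role": "analyst", "clearance": 3},   # same class as alice
    {"id": "heidi", "role": "intern",  "clearance": 1},   # same class as erin
]
RESOURCES = [{"id": "r1", "classification": 2}, {"id": "r2", "classification": 3}]
ACTIONS = [{"id": "read"}, {"id": "write"}]

POLICY = (
    Rule("Permit", (Pred("subject", "role", "in", frozenset({"analyst", "admin"})),
                    Pred("action", "id", "==", "read"))),
    Rule("Permit", (Pred("subject", "role", "==", "admin"),
                    Pred("action", "id", "==", "write"))),
    # classified resources are denied to anyone below clearance 3
    Rule("Deny",   (Pred("resource", "classification", ">=", 3),
                    Pred("subject", "clearance", "<", 3))),
)


def compare():
    """Returns (matrices agree, evaluations by classes, naive evaluations, classes)."""
    fast, n_fast, n_classes = evaluate_by_classes(POLICY, SUBJECTS, RESOURCES, ACTIONS)
    ref, n_ref = evaluate_naive(POLICY, SUBJECTS, RESOURCES, ACTIONS)
    return fast == ref, n_fast, n_ref, n_classes


if __name__ == "__main__":
    ok, n_fast, n_ref, n_classes = compare()
    print(f"sound={ok} classes={n_classes} evaluations={n_fast} naive={n_ref}")
```

With these eight subjects the three subject-only predicates yield five distinct truth vectors, so 20 full evaluations replace 32 and the two access matrices agree. The deduction is sound here only because every predicate mentions a single category; an expression that compares a subject attribute with a resource attribute would not be extracted in step ii-1, and classes built without it could merge subjects the policy does distinguish. That case is what the abstract's combined equivalence classes over n-tuples are for.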
Address Stockholm SE