Independent claim
1. A computer-implemented method of completely evaluating an attribute-based access control (ABAC) policy represented in the Extended Access Control Markup Language (XACML) language, for a set of elements in a computer system, wherein each element belongs to exactly one attribute category of several predefined categories selected from subjects, resources, actions and environments,
wherein the access control policy is represented as a first data record and comprises functional expressions which depend on attributes, each pertaining to elements in one of several predefined categories and being characteristics of these elements, each element in the set being associated with at least one attribute value assumed by an attribute of the element, and wherein the policy controls access of subjects in the set of elements to resources in the set of elements in accordance with values of the policy, including Permit and Deny, the method comprising the steps of:
  i) selecting, by a computing device, one of the predefined attribute categories as a primary category;
  ii) for the selected attribute category, performing the substeps of:
    ii-1) extracting, from the policy, expressions containing attributes in no other than the selected category;
    ii-2) extracting, from elements in the selected attribute category, values assumed by the attributes appearing in the extracted expressions;
    ii-3) evaluating, by the computing device, the extracted expressions for the extracted values and partitioning the elements in the primary category accordingly into at least one primary equivalence class;
  vi) for an arbitrary vector comprising one element from each remaining category and an arbitrary one of said primary equivalence classes, performing the substeps of:
    vi-2) evaluating, by the computing device, the policy for a combination of the vector and an arbitrary element in the primary equivalence class, yielding a decision of the policy; and
    vi-3) deducing from said evaluation a further decision of the policy for a combination of the vector and a further element in the primary equivalence class; and
  vii) encoding the result of the evaluation as a second data record representing results of the evaluation of the ABAC policy as policy decisions associated with n-tuples of elements.