Abstract
The present invention relates to a system (10) operable to control policy distribution with partial evaluation in order to permit/deny access to a protected means (12). The system (10) comprises a storing means (14) operable to store all access control policy functions for all protected means (12), a guard means (16) operable to guard access to a protected means (12) and to construct an access control request comprising attributes regarding the protected means (12), and a policy decision means (18) connected to the guard means (16) and operable to receive the access control request from the guard means (16). The system (10) also comprises a policy distribution means (20) connected to the storing means (14) and to the policy decision means (18). The policy decision means (18) is operable to collect the static attributes of the protected means (12), and to send the static attributes to the policy distribution means (20), which in turn is operable to construct a partial access control request from the static attributes of the protected means (12), and to perform partial evaluation against the access control policy function stored in the storing means (14), resulting in a simplified access control policy function. The policy distribution means (20) is operable to send the simplified access control policy function to the policy decision means (18), which in turn is operable to use the simplified access control policy function to evaluate access control requests regarding the protected means (12), and to return a permit/deny response to the guard means (16).
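The partial-evaluation step described above, as an added Python example that is not taken from the patent: the distribution side folds a resource's static attributes into the full policy, and the decision side then evaluates only the simplified residue against the per-request attributes. The tuple policy representation, the attribute names and the sample policy are assumptions made for illustration.

```python
# Policies are nested tuples: ("eq", attr, value), ("and", p1, ...), ("or", p1, ...).
# True means permit, False means deny. Representation and names are illustrative.

def partial_eval(policy, attrs):
    """Substitute known attributes and fold constants; unknown ones stay symbolic."""
    if isinstance(policy, bool):
        return policy
    op = policy[0]
    if op == "eq":
        _, name, expected = policy
        return (attrs[name] == expected) if name in attrs else policy
    absorbing = (op == "or")   # True decides an "or"; False decides an "and"
    remaining = []
    for child in policy[1:]:
        result = partial_eval(child, attrs)
        if result is absorbing:
            return absorbing
        if isinstance(result, tuple):   # still depends on unknown attributes
            remaining.append(result)
    if not remaining:
        return not absorbing
    return remaining[0] if len(remaining) == 1 else (op, *remaining)

def decide(policy, request):
    """Decision point: fail closed if the request leaves any attribute unresolved."""
    return "Permit" if partial_eval(policy, request) is True else "Deny"

# Constructed policy covering every protected resource (held by the policy store).
FULL_POLICY = ("or",
    ("and", ("eq", "resource.type", "payroll"),
            ("eq", "subject.role", "hr"),
            ("eq", "env.network", "internal")),
    ("and", ("eq", "resource.type", "wiki"),
            ("eq", "subject.authenticated", True)),
    ("and", ("eq", "resource.type", "build-server"),
            ("eq", "subject.role", "engineer")),
)

# Static attributes of one protected resource, collected once by its decision point.
STATIC = {"resource.type": "payroll"}

# Distribution side: the partial request yields the policy shipped to that decision point.
SIMPLIFIED = partial_eval(FULL_POLICY, STATIC)
```

The wiki and build-server branches never reach this decision point, so the simplified function is smaller to evaluate and discloses nothing about other resources' rules.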