| 摘要 |
XACML (eXtensible Access Control Markup Language) documents, PolicySets and Policies can become long, complex and difficult to completely comprehend. A method is provided for facilitating analysis of such code to make it easier to answer questions such as: Given a particular set of Attribute values (and/or others unknown as of now), what is permitted or denied; are any of the rules redundant; are any of the rules inconsistent; for any pair of policies in the code, what set of Attributes will they both return Permit; how can a policy be refactored into an equivalent set of policies in which each branch of the policy tree pertains to specific values of specified Attributes? To facilitate such analysis and refactoring, every Rule in the collection of policies being analyzed is reduced to an equivalent expression in DNF (Disjunctive Normal Form). Some terms, predicates and other elements may be eliminated.
|
