| 摘要 |
The present invention relates to a policy decision point (PDP, 204) for interacting with a computer system comprising a plurality of resources (110), to which subjects' access is controlled by corresponding policy enforcement points (PEPs, 202). The PDP (204) comprises: a memory (130) storing at least two policy packages, each controlling access rights to resources (110), and a connection table (304) associating each policy package with an end point address (302a-c); a network interface (212) operable to communicate with the PEPs (202), wherein the network interface (212) obtains access requests from a PEP (202) and returns access decisions to the PEP (202), each access request comprising an end point address for directing the access request to the PDP (204); and a processor (210) operable to: analyze an access request and determine, based on the end point address (302a-c) receiving the access request, an associated policy package; and evaluate the access request against the policy package thus determined. |
