45 results about "Attribute-based access control" patented technology

A general attribute-based access control system includes at least one resource server, at least one client module, an access control database including basic data sets and basic relations between the basic data sets, at least one server module including an access decision sub-module that computes a decision whether to grant or deny access to computer-accessible resources referenced by objects, an event processing sub-module that processes events, and an administrative sub-module that creates, deletes, and modifies elements of the basic data sets and the basic relations.

Systems and methods are disclosed for receiving an access request from a user device, the access request including an identity claim for a user; evaluating a risk of access based on matching an attribute of the user device with attributes stored in a user information database; authenticating the access request based on the identity claim and the risk evaluation to determine an authentication confidence level; generating a token based on the confidence level and the attribute matched; producing an authorization response based on inputs from the token, a risk based access control, a role based access control, and an attribute based access control, in which the authorization response determines whether to allow access to a system, deny access to the system, or request additional input from the user device.

The invention provides an access control method and system based on block chain technology. The block chain technology is combined with attribute-based access control in the method, and the method comprises the following steps: adding an object in a chain, binding a judgment process of attribute and strategy on all block chain nodes with reference to the strategy. The access authorization is converted from a centralized manner into a distributed manner, the consistency check of the judgment results in the whole network is achieved by using a consensus mechanism of the block chain, and the authorized operations for accessing the recorded transactions are permanently recorded on the block chain. The method has the advantages of anti-single point failure, flexible authorization mode, accurateaccess boundary, and record auditability. The access control method and system provided by the invention are applicable to operating environments such as enterprises and governments that have the need of data privacy protection and realize multi-branch cooperation work based on a block chain platform, the access permissions of users in the system can be dynamically and scalably managed, fine-grained permission management is achieved for the strategy and the attribute, and the access control method and system are of important practical significance for protecting the security of information systems in a distributed network environment.

The invention discloses an attribute-based access control model and a cross domain access method thereof. The attribute-based access control model comprises a first management domain and a second management domain, and is characterized by comprising certificate servers and attribute management servers. The cross domain access method of the system comprises the following steps: the certificate servers are respectively used for awarding a server certificate for the first management domain and the second management domain; a user downloads an attribute certificate to a local disk for storage by logging on the first management domain; the user submits the attribute certificate to the second management domain; a second access control server verifies the attribute certificate; and the second access control server extracts an attribute value to judge the operation validity of the user. The attribute-based access control model and the cross domain access method thereof of the invention have the obvious advantages that the role of the user and the management domains can be considered as a single attribute of the user, the efficiency problem of user-role-authority valuation under the condition of complex role in a role-based access control (RBAC) model can be effectively solved, and the corresponding access control method is provided for an anonymous user in an open network environment.

Disclosed are methods and devices for provisioning authorization claims, which are enforced to control access of users to objects (resources) in a computer system (330), and which are to be equivalent to an attribute-based access control (ABAC) policy. A policy converter according to the invention includes a policy processor (310) processing the policy by partial evaluation against attribute values of the users, objects or permission levels in the system and outputting simplified policies, which are subject to reverse evaluation in a reverse policy evaluator (320), whereby users, objects and permission levels to be associated by way of a single authorization claim are obtained. Responsible for the defining of the authorization claim and its distribution in the computer system are an authorization claim generator (330) and an authorization claim distribution interface (340). The invention may be so configured as to return a single authorization claim for each combination of an object and a permission level.

The invention discloses an access control method based on an attribute-based access control policy. The method is characterized by 1) extracting attribute information of a user-role table and a role-authority table in a database and generating a user-role-authority access control relation Hash table; 2) generating an access control policy according to the access control relation Hash table: carrying out iteration traversal on the access control relation Hash table to obtain key value pairs, that is, an attribute set of each user and authority thereof, and then, generating an access control policy rule of the user according to the authority attribute of the user; and 3) for each received access request, an internet-of-thing search engine judging the access request according to the access control policy rule to determine whether access is allowed. The method can give a quick response to the search request, thereby greatly improving efficiency of the internet-of-thing search engine.

The invention discloses method and device for generating an access controlling policy. The method comprises the following steps of: generating an ABAC policy expression according to ABAC policy information input by a user through a pre-established attribute-based access control (ABAC) policy view template; and converting the ABAC policy expression into an ABAC policy which is based on XACML and conforms to the XACML template according to mapping rules of the preset ABAC policy view template and an extensible access control markup language (XACML) template. In the invention, the user only needs to input some simple ABAC policy information through the ABAC policy view template and does not need to write a complicated ABAC policy based on XACML in a manual mode, therefore, the problem that the user difficultly defines the ABAC policy based on XACML is solved, the problem that errors are made in the process of writing the complicated ABAC policy based on XACML in a manual mode by the useris avoided, and the accuracy of the ABAC policy based on XACML is ensured.

The invention discloses an access control strategy composition method based on attribute. When access control of cross-domain resources is achieved, an access control strategy composition method based on attribute is a key technique. According to the access control strategy composition method, by defining authorization of entities through attribute of the entities, the credibility, as an independent attribute predicate, of a main body is added into an attribute authorization item of an access control strategy, so that conventional strategy composition is expanded, the expression capability of strategy composition is improved, and the security of objects in a safety domain is ensured. According to the access control strategy composition method, six strategy composition operators with credibility are defined to achieve access control strategy composition, and whether a strategy synthesis structure can meet the requirements of protecting resources, of different strategy composition parties or not is verified by virtue of attribute of algebras expressed by conventional strategies.

The invention relates to a method for generating a cross-domain access control strategy by rising from credit assessment to trust management. According to the method, a credit assessment model is established to realize a corresponding credit assessment subsystem; uncertainty assessment is carried out on a credit degree of an evaluated entity according to evaluation information given by an interaction entity; association relations between an attribute of an assessment entity, an attribute of an assessed entity, a resource attribute, a behavior attribute, an environment attribute and an entity credit degree are extracted; and then an access control strategy based on attributes is generated and description is carried out by an extensible access control mark language; at last, the generated access control strategy is converted into a strategy of a concrete trust management system. According to the invention, authorization strategy is generated dynamically according to behavior and environment attributes of an entity; and the method has good self adaptability and can be applied to cross-domain environments like cloud calculating having a lot of unfamilar entities.

Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.

Disclosed are real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method comprises: (i) receiving a reverse query and a set of admissible access requests, each of which comprises one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.

The invention discloses an extensible access control method for fog computing. According to the method, a linear secret sharing matrix is used as an access structure to realize attribute-based accesscontrol, fog nodes are used as edge service nodes, and encryption and decryption operations in the access control are reasonably distributed, so that the operation overhead of a terminal user in the access control is reduced. In addition, on the basis of maintaining the original access strategy, new legal members can be added to form a new access strategy, meanwhile, whether the access user tampers the original data or not when uploading the new access strategy can be detected, and integrity protection of the original data is achieved.

The invention discloses an attribute-based access control method with anonymous access capability, and mainly solves the problems that privacy of an access request subject is leaked and the subject cannot accurately provide attribute information in the prior art. The implementation scheme is as follows: a subject sending an access request only containing object identity information and operation;sending a signature request to the subject according to the subject attribute required by the strategy corresponding to the access request; and the subject generating a signature of the required subject attribute through the attribute certificate, and participating in strategy evaluation with the access request to obtain an access control decision evaluation result. According to the invention, theleakage of the subject attributes is avoided, the participation of irrelevant subject attributes in the access control decision is reduced, and the decision efficiency of access control is improved while the privacy of the subject is ensured.

The invention discloses an attribute based access control method and system. The method is implemented through steps as follows: granting and revocation of subject attribute information and a specific subject; collection of environmental attribute information; creation of a strategy; implementation of the strategy; acquisition of running state attributes; determination of a unified data demand response mode of all parts. Access control is realized through control of subjective and objective attribute information and the environmental attribute information, and a series of problems of poor safety, large authority management difficulty, extension difficulty and the like of traditional access control can be solved, so that efficient access control is realized.

The invention discloses an improved network access control method and a device. The method comprises the steps of verifying one or more policies out of a network access subject policy, a network access object policy and a content filtering policy; and generating the access operating authorization based on the above verification result. The network access subject policy comprises at least one or more factors out of the subject attribute, the subject authorization policy, the subject filtering policy and the conflict resolution policy. The network access object policy comprises at least one or more factors out of the object attribute and the object authorization policy. The content filtering policy comprises at least one or more factors out of the subject filtering policy and the object filtering policy. According to the embodiments of the network access control method and the device in the invention, the relation between users, the relation between a user and an object, the relation between objects and the attribute-based access control are integrated. Therefore, the method and the device are better in flexibility and implementation feasibility.