37 results about "XACML" patented technology

A method, apparatus and computer program product for evaluating a context-based (e.g., XACML) policy having a set of attributes using a weighted index tree having one or more leaves extending from a root node. Each leaf of the tree represents a policy rule. A depth-first path down the leaf represents one or more attributes of the set of attributes that must be present in a request for the rule to be applicable. An input is evaluated against the weighted index tree to generate a response. One type of input is an authorization request, in which case the response is an authorization decision (e.g., permit or deny). Another type of input is a query for a set of entitlements, in which case the response is a set of entitlements.

A global policy store, in which policies applicable to multiple applications in an enterprise environment can be stored, can be stored in association with that environment. An application-level policy combining algorithm can be associated with a specific application to resolve conflicts between the results of evaluating policies that pertain to that application's resources. A persistent model is defined for an Extensible Access Control Markup Language (XACML) target definition.

Techniques for highly parallel evaluation of XACML policies are described herein. In one embodiment, attributes are extracted from a request for accessing a resource including at least one of a user attribute and an environment attribute. Multiple individual searches are concurrently performed, one for each of the extracted attributes, in a policy store having stored therein rules and policies written in XACML, where the rules and policies are optimally stored using a bit vector algorithm. The individual search results associated with the attributes are then combined to generate a single final result using a predetermined policy combination algorithm. It is then determined whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, where the network element operates as an application service gateway to the datacenter. Other methods and apparatuses are also described.

The invention provides an XACML strategy rule detecting method, belonging to the field of authorized strategy analysis in information safety. According to the XACML strategy rule, the method has a rule status definition, a rule status correlation definition and a conflict type analysis; on the basis, a strategy index based on a semantic tree is established, a concrete XACML strategy rule detectionis carried out and the rule conflict and the rule redundancy are analyzed; the detection method comprises two types: a conflict detection method based on a property level operation correlation and adetection method for other typed conflicts based on the status correlation. In the redundancy analysis, the analysis determining method of the rule redundancy is given respectively in the algorithms of allowing priority, refusing priority and the first-time application dispelling. By adopting the detection method, the strategy manager can precisely locate the rules causing the conflict and the reasons for the conflict; in the redundancy analysis, according to the analysis result, the strategy structure can be optimized and the redundancy rules which has no influence on accessing the determining result can be deleted, therefore, the strategy determining efficiency is improved.

The invention provides an evaluation and optimization method for an XACML (Extensible Access Control Markup Language) security strategy. The method comprises the following steps of: eliminating a redundancy rule; establishing a judgment result buffer pool and an XACML security strategy buffer pool; and dynamically changing the position of an XACML security strategy / rule. Specific to the performance defects and functional defects along with increase in the complexity of the strategy scale and strategy semantics in an existing XACML standard, the XACML security strategy evaluation and optimization method based on strategy redundancy elimination, caching and reordering is provided. Through adoption of the method, relevant optimum processing methods such as strategy analysis, rule matching and judgment response can be provided for performing fine-grained access control on resources; the efficiency during solving of the problems of strategy information retrieval, multi-strategy matching and the like with an XACML security strategy evaluation engine is increased effectively; and the system availability is enhanced. Moreover, the method can adapt to various strategy merging algorithms, and has high flexibility and availability.

A context-aware delegation engine can enable an account owner to identify granular criteria (or context) that will be used to determine what content a delegate will have access to. The account owner can therefore leverage a wide range of information to dynamically determine whether a delegate will receive access to particular content. The delegation engine can be configured to provide a delegation policy to be evaluated to determine whether a delegate should receive access to particular content. Such a delegation policy can be generated based on input provided by the delegator thereby providing the delegator with fine-grained control over which content will be accessible to a particular delegate. The delegation policy can be structured in accordance with an authorization protocol schema such as XACML, SAML, OAuth 2.0, OpenID, etc. to allow the evaluation of the delegation policy to be performed by a policy decision point in such authorization architectures.

The invention provides an automatic generation method of access control policy test on the basis of code generation and symbolic execution and makes up for deficiencies of the existing XACML (eXtensible Access Control Markup Language) policy test technologies and tools according to the actual demand of XACML policy test. The automatic generation method comprises the following steps: firstly, conducing numeralization processing on a to-be-tested XACML policy appointed by a user; then, converting the to-be-tested XACML policy into a C code expression form with equivalent semantics; generating test input of the C code through a symbolic execution tool; translating the generated test input into an XACML request; finally, using the generated XACML request as input of a policy evaluator, and transmitting the input to the XACML policy for evaluation to obtain an authorization result. According to the automatic generation method, the test request fully covering the XACML policy can be efficiently generated through the symbolic execution test technology; the automatic generation method is conductive to finding out errors in the XACML policy.