37 results about "XACML" patented technology

A global policy store, in which policies applicable to multiple applications in an enterprise environment can be stored, can be stored in association with that environment. An application-level policy combining algorithm can be associated with a specific application to resolve conflicts between the results of evaluating policies that pertain to that application's resources. A persistent model is defined for an Extensible Access Control Markup Language (XACML) target definition.

The invention provides an XACML strategy rule detecting method, belonging to the field of authorized strategy analysis in information safety. According to the XACML strategy rule, the method has a rule status definition, a rule status correlation definition and a conflict type analysis; on the basis, a strategy index based on a semantic tree is established, a concrete XACML strategy rule detection is carried out and the rule conflict and the rule redundancy are analyzed; the detection method comprises two types: a conflict detection method based on a property level operation correlation and a detection method for other typed conflicts based on the status correlation. In the redundancy analysis, the analysis determining method of the rule redundancy is given respectively in the algorithms of allowing priority, refusing priority and the first-time application dispelling. By adopting the detection method, the strategy manager can precisely locate the rules causing the conflict and the reasons for the conflict; in the redundancy analysis, according to the analysis result, the strategy structure can be optimized and the redundancy rules which has no influence on accessing the determining result can be deleted, therefore, the strategy determining efficiency is improved.

The invention discloses a ciphertext access control method based on CP-ABE (Ciphertext-Policy Attribute-Based Encryption), which belongs to the field of information security. The method comprises the following steps: preparation and maintenance work which comprises initialization of CP-ABE (Ciphertext-Policy Attribute-Based Encryption), user registration and auditing, generation of an asymmetric key pair for signature and encryption by the system and the user, generation of a CP-ABE attribute key SK for the user and key and attribute certificate management is carried out; 2, and file sharing requires a file provider, an extensible access control markup language (XACML) access control system and a sharing user to work cooperatively. The attribute certificate in a PMI system is used as an expression document for a CP-ABE attribute set and the access structure, the XACML expresses the CP-ABE policy, and security of the attribute set and the access control structure description is ensured. A hierarchical structure with an inheritance relationship is introduced, features such as distribution, authorization and calculability are supported, the attribute authorization ability needs to comply with constraints, and the method is applicable to a distributed and open network application environment.

The invention discloses method and device for generating an access controlling policy. The method comprises the following steps of: generating an ABAC policy expression according to ABAC policy information input by a user through a pre-established attribute-based access control (ABAC) policy view template; and converting the ABAC policy expression into an ABAC policy which is based on XACML and conforms to the XACML template according to mapping rules of the preset ABAC policy view template and an extensible access control markup language (XACML) template. In the invention, the user only needs to input some simple ABAC policy information through the ABAC policy view template and does not need to write a complicated ABAC policy based on XACML in a manual mode, therefore, the problem that the user difficultly defines the ABAC policy based on XACML is solved, the problem that errors are made in the process of writing the complicated ABAC policy based on XACML in a manual mode by the useris avoided, and the accuracy of the ABAC policy based on XACML is ensured.

The invention discloses a distributed system authentication and permission management platform based on XACML and SAML under a big data environment. The platform comprises a cross-domain authentication management module, an authorization management module, an organizational management module, a personnel management module, a menu management module and a log management module, wherein the cross-domain authentication management module is arranged on an SAML processing server, the authorization management module is arranged on a sub-system XACML server, and the organizational management module, the personnel management module, the menu management module and the log management module are all arranged on a business processing system server. The platform utilizes the XACML to perform authorization and access control on a user, and authenticate the identity of the user by using cross-domain data interaction of the SAML. User permission is limited by reading an XACML file of the user and using an XACML frame based on a RBAC access control module, and thus authorization on user granularity is greatly enhanced. In a distributed system, the different platform provides assertion by exchanging SAML information, so that information transmission between the platforms is safer, and the data transmission quantity is less.

A machine-implemented method for evaluating a context-based (e.g., XACML) policy having a set of attributes formulates a search against one or more existing external repositories using a query that is dynamically-generated based on the security policy being evaluated. The approach shifts the building of a candidate set of potentially-allowable resources to the authorization engine (e.g., a Policy Decision Point (PDP)). In operation, an application calls the PDP using an entitlement request and, in response, the PDP builds the candidate set of values based on the defined security policy by generating a query to an external data repository and receiving the results of that query. This approach enables a policy-driven entitlement query at runtime.

The invention provides an extensible access control markup language (XACML) strategy assessment engine system based on various optimization mechanisms. The problem that an existing XACML strategy assessment engine system cannot make a correct decision on access requests sent by a large number of users at the same time is solved. The system comprises an audit service (1), a strategy management service (2), a strategy decision service (3), a strategy persistence service (4) and an attribute assertion service (5). The audit service (1) records mutual information of the system. The strategy management service (2) provides a centralization type patterned strategic management platform. The strategy decision service (3) decides a user request. The strategy persistence service (4) provides a strategy storage function and a strategy search function. The attribute assertion service (5) provides an attribute storage function and an attribute search function. The system has the advantages of being high in assessment efficiency, small in matching computing amount, quick in matching speed and easy to integrate, the system can be used in distributed environment and can make the correct decision on the access requests sent by the large number of users.

The invention relates to a cloud computing access control system and method. The cloud computing access control system comprises a user access module which is used for realizing that a user sends a login request to a server of a cloud computing provider, the server responding to the login request of the user, and comprises an identity authentication module and a user management module; an access control module which is used for converting the login request of the user into an XACML format request and controlling and managing access right; a resource service management module which is used for managing different user access resources and monitoring and recording information of the user in the using process for log management; and an application service management module which is for initiating a call request to the resource service management module through a public interface, and comprises a resource service login module, a resource service deleting module and a resource service calling module. Through the organic integration of the monitoring mechanism and the XACML, flexibility of the authorization is enhanced; and the cloud computing access control system has fine grain performance, dynamic nature, extendibility and more security.

The invention discloses an ordering policy authorization method and system for extended xacml access control. The method comprises the following steps of: S1, defining and generating an access policy;S2, defining and generating a management policy and obtaining a policy library; S3, carrying out ordering on policies in the policy library according to level values from big to small; S4, submittingan access request to a pdp (Policy Determination Point) of an xacml access framework; and S5, searching the ordered policy library, and returning a determination result of a policy with the maximum level value. By the ordering policy authorization method and system disclosed by the invention, search efficiency of the authorized policy can be improved.

A context-aware delegation engine can enable an account owner to identify granular criteria (or context) that will be used to determine what content a delegate will have access to. The account owner can therefore leverage a wide range of information to dynamically determine whether a delegate will receive access to particular content. The delegation engine can be configured to provide a delegation policy to be evaluated to determine whether a delegate should receive access to particular content. Such a delegation policy can be generated based on input provided by the delegator thereby providing the delegator with fine-grained control over which content will be accessible to a particular delegate. The delegation policy can be structured in accordance with an authorization protocol schema such as XACML, SAML, OAuth 2.0, OpenID, etc. to allow the evaluation of the delegation policy to be performed by a policy decision point in such authorization architectures.

The invention discloses a cloud computing unified identity authentication method based on SAML and XACML. According to the method, an identity provider and a service provider are defined by using the SAML standard so that different security domains can be formed, and authentication exchange and data authorization between different security domains can be realized; besides, a framework of a general access control strategy and a performing authorization strategy of the request/response can be realized by using the XACML so that performing of the access control strategy in the cloud computing environment can be realized, and unified identity authentication and authority access control of cloud computing can be realized. According to the unified identity authentication method, the management control problem of unified identity authentication and access control authority of multiple application platforms under cloud computing can be effectively solved.

A system and method uses a set of XACML policies to identify an action or other single degree of variations of various entities that may be called using requests, and uses information from the policy that is useful for obtaining one or more XACML subjects and resources from a request to access the resource, and then builds an XACML policy request using the action or other single degree of variation, and the one or more subjects and resources to determine if authorization for performing the action or other single degree of variation on the one or more resources on behalf of the one or more subjects is granted. Only if the authorization is granted is the action or other single degree of variation performed on the one or more resources.

The invention discloses an access control authorization method based on policy review and authorization extension, which comprises the following steps: firstly, expanding the service type of traditional ABAC model resource authorization, and adding the concept of partial permission except permission and rejection; defining a strategy review module, checking whether the attributes of the user meet a review rule set and a privacy rule set in the strategy review module, checking rules in the review rule set firstly, and rejecting the service as long as one rule is not met; and after all the review rule sets are met, checking the privacy rule set, and displaying part of data or all data according to the matching condition of the user attribute and the privacy rule set. After an access control strategy of resources is formulated, all participated attributes in the system are uniformly described by applying an XACML (Extensible Access Control Markup Language). Fine-grained management of resources is realized, and flexibility is increased while privacy is guaranteed.

The invention discloses an Android application access control code generating method based on an XACML access control mechanism. A function achievement code of an Android application, an XACML strategy for describing the access control requirement of behaviors and resources of the Android application, and a UML activity graph model for describing the activities of the Android application are provided, codes for satisfying the access control strategy can be generated for behaviors and resources for accessing control authorities and inserted to corresponding positions in codes of the Android application, so that the Android application becomes an entire Android application system. By means of the Android application access control code generating method, an XACML language description accesscontrol strategy is utilized, the access control strategy can be defined with more fine grits, and the access control requirement of the application system can be described more specifically. By generating the access control codes, production and reuse of access control logic are achieved, and the workload and the error rate of developers of the application system are lowered.