专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

1. 发明授权

US09430662B2 Provisioning authorization claims using attribute-based access-control policies 有权
标题翻译：使用基于属性的访问控制策略提供授权声明
公开(公告)号：US09430662B2
公开(公告)日：2016-08-30
申请号：US14570212
申请日：2014-12-15
申请人： AXIOMATICS AB
发明人： Pablo Giambiagi , Peter Piotr Karpinski
IPC分类号： G06F21/62 , G06F21/60 , G06F21/00 , G06F21/31 , H04L29/06 , H04L9/00 , H04N19/42
CPC分类号： G06F21/62 , G06F21/00 , G06F21/31 , G06F21/604 , H04L9/00 , H04L29/06 , H04N19/42
摘要： Disclosed are methods and devices for provisioning authorization claims, which are enforced to control access of users to objects (resources) in a computer system, and which are to be equivalent to an attribute-based access control (ABAC) policy. A policy converter according to the invention includes a policy processor processing the policy by partial evaluation against attribute values of the users, objects or permission levels in the system and outputting simplified policies, which are subject to reverse evaluation in a reverse policy evaluator, whereby users, objects and permission levels to be associated by way of a single authorization claim are obtained. Responsible for the defining of the authorization claim and its distribution in the computer system are an authorization claim generator and an authorization claim distribution interface. The invention may be so configured as to return a single authorization claim for each combination of an object and a permission level.
摘要翻译：公开了用于供应授权权利要求的方法和装置，这些权利要求被强制以控制用户对计算机系统中的对象（资源）的访问，以及哪些等同于基于属性的访问控制（ABAC）策略。根据本发明的策略转换器包括策略处理器，通过对系统中的用户的属性值，对象或许可级别进行部分评估来处理策略，并输出在反向策略评估器中进行逆向评估的简化策略，由此用户，获得通过单个授权声明关联的对象和权限级别。负责授权声明的定义及其在计算机系统中的分发是授权声明生成器和授权声明发布界面。本发明可以被配置为返回对象和许可级别的每个组合的单个授权声明。

2. 发明授权

US08955040B2 Provisioning authorization claims using attribute-based access-control policies 有权
标题翻译：使用基于属性的访问控制策略提供授权声明
公开(公告)号：US08955040B2
公开(公告)日：2015-02-10
申请号：US13777735
申请日：2013-02-26
申请人： Axiomatics AB
发明人： Pablo Giambiagi , Peter Piotr Karpinski
IPC分类号： G06F21/00 , G06F21/60 , H04L29/06 , H04N19/42 , H04L9/00
CPC分类号： G06F21/62 , G06F21/00 , G06F21/31 , G06F21/604 , H04L9/00 , H04L29/06 , H04N19/42
摘要： Disclosed are methods and devices for provisioning authorization claims, which are enforced to control access of users to objects (resources) in a computer system (330), and which are to be equivalent to an attribute-based access control (ABAC) policy. A policy converter according to the invention includes a policy processor (310) processing the policy by partial evaluation against attribute values of the users, objects or permission levels in the system and outputting simplified policies, which are subject to reverse evaluation in a reverse policy evaluator (320), whereby users, objects and permission levels to be associated by way of a single authorization claim are obtained. Responsible for the defining of the authorization claim and its distribution in the computer system are an authorization claim generator (330) and an authorization claim distribution interface (340). The invention may be so configured as to return a single authorization claim for each combination of an object and a permission level.
摘要翻译：公开了用于供应授权权利要求的方法和装置，这些权利要求被强制以控制用户对计算机系统（330）中的对象（资源）的访问，并且其等价于基于属性的访问控制（ABAC）策略。根据本发明的策略转换器包括策略处理器（310），通过对系统中的用户的属性值，对象或许可级别进行部分评估来处理策略，并且输出简化策略，这些策略在反向策略评估器中进行反向评估（320），由此获得通过单个授权权利要求来关联的用户，对象和许可级别。负责授权声明的定义及其在计算机系统中的分发是授权声明生成器（330）和授权声明分发接口（340）。本发明可以被配置为返回对象和许可级别的每个组合的单个授权声明。

3. 发明申请

US20130227638A1 PROVISIONING AUTHORIZATION CLAIMS USING ATTRIBUTE-BASED ACCESS-CONTROL POLICIES 有权
标题翻译：使用基于属性的访问控制政策提供授权书
公开(公告)号：US20130227638A1
公开(公告)日：2013-08-29
申请号：US13777735
申请日：2013-02-26
申请人： AXIOMATICS AB
发明人： Pablo Giambiagi , Peter Piotr Karpinski
IPC分类号： G06F21/00
CPC分类号： G06F21/62 , G06F21/00 , G06F21/31 , G06F21/604 , H04L9/00 , H04L29/06 , H04N19/42
摘要： Disclosed are methods and devices for provisioning authorization claims, which are enforced to control access of users to objects (resources) in a computer system (330), and which are to be equivalent to an attribute-based access control (ABAC) policy. A policy converter according to the invention includes a policy processor (310) processing the policy by partial evaluation against attribute values of the users, objects or permission levels in the system and outputting simplified policies, which are subject to reverse evaluation in a reverse policy evaluator (320), whereby users, objects and permission levels to be associated by way of a single authorization claim are obtained. Responsible for the defining of the authorization claim and its distribution in the computer system are an authorization claim generator (330) and an authorization claim distribution interface (340). The invention may be so configured as to return a single authorization claim for each combination of an object and a permission level.
摘要翻译：公开了用于供应授权权利要求的方法和装置，这些权利要求被强制以控制用户对计算机系统（330）中的对象（资源）的访问，并且其等价于基于属性的访问控制（ABAC）策略。根据本发明的策略转换器包括策略处理器（310），通过对系统中的用户的属性值，对象或许可级别进行部分评估来处理策略，并且输出简化策略，这些策略在反向策略评估器中进行反向评估（320），由此获得通过单个授权权利要求来关联的用户，对象和许可级别。负责授权声明的定义及其在计算机系统中的分发是授权声明生成器（330）和授权声明分发接口（340）。本发明可以被配置为返回对象和许可级别的每个组合的单个授权声明。

4. 发明授权

US09372973B2 Provisioning user permissions attribute-based access-control policies 有权
标题翻译：配置用户权限基于属性的访问控制策略
公开(公告)号：US09372973B2
公开(公告)日：2016-06-21
申请号：US14522300
申请日：2014-10-23
申请人： AXIOMATICS AB
发明人： Pablo Giambiagi
IPC分类号： G06F21/31 , H04L29/06
CPC分类号： G06F21/31 , H04L63/20
摘要： An attribute-based access control policy (e.g., XACML policy) for a set of elements depends on attributes carried by elements in one of several predefined categories. In order to evaluate such policy for a set of elements, the invention provides a method including the steps of (I) selecting a primary category; (II) partitioning the elements in the primary category into equivalence classes with respect to their influence on the policy; and (III) using the equivalence classes to replace at least one policy evaluation by a deduction. The result of the evaluation may be represented as an access matrix in backward-compatible format. The efficiency of the policy evaluation may be further improved by applying partial policy evaluation at intermediate stages, by forming combined equivalence classes containing n-tuples of elements and/or by analyzing the influence of each element by extracting functional expressions of maximal length from the policy.
摘要翻译：用于一组元素的基于属性的访问控制策略（例如，XACML策略）取决于由几个预定类别之一中的元素携带的属性。为了评估一组要素的这种策略，本发明提供了一种方法，包括以下步骤：（I）选择主要类别; （二）将主要类别的要素划分为对政策影响的等价类; 和（III）使用等价类别通过扣除来代替至少一项政策评估。评估结果可以表示为向后兼容格式的访问矩阵。可以通过在中间阶段应用部分策略评估，通过形成包含元素元组合的等价类和/或通过从策略中提取最大长度的功能表达式来分析每个元素的影响，可以进一步提高策略评估的效率。

5. 发明申请

US20150163250A1 PROVISIONING ACCESS CONTROL USING SDDL ON THE BASIS OF AN XACML POLICY 有权
标题翻译：基于XACML政策的SDDL提供访问控制
公开(公告)号：US20150163250A1
公开(公告)日：2015-06-11
申请号：US14623311
申请日：2015-02-16
申请人： AXIOMATICS AB
发明人： Pablo Giambiagi , Erik Rissanen , Travis Spencer
IPC分类号： H04L29/06
CPC分类号： H04L63/20 , G06F21/00 , G06F21/6218 , H04L63/10
摘要： A method is disclosed, and a corresponding data carrier and policy converter, for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network. A reverse query is produced indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests. Based on the reverse query, the XACML policy (P) and the given decision (d) are translated into a satisfiable logic proposition in Boolean variables (vi, i=1, 2, . . . ) From said ROBDD, variable assignments (RCj=[ARCj1:v1=xj1, ARCj2:v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition are derived and at least one SDDL rule is created based on said variable assignments (RCj=[ARCj1:v1=xj1, ARCj2:v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition.
摘要翻译：公开了一种方法，以及相应的数据载体和策略转换器，用于从可扩展访问控制标记语言XACML策略（P）生成至少一个安全描述符定义语言SDDL规则，其中所述至少一个SDDL规则是可执行以控制对计算机网络中的一个或多个资源的访问。产生反向查询，指示作为允许访问和拒绝访问之一的给定决策（d）和允许访问请求的集合（R）。基于反向查询，XACML策略（P）和给定决策（d）被转换为布尔变量（vi，i = 1,2，...）中的可满足的逻辑命题。从所述ROBDD，可变分配（RCj 导出满足逻辑命题的= [ARCj1：v1 = xj1，ARCj2：v2 = xj2，...，j = 1,2，...），并且基于所述变量赋值（RCj）创建至少一个SDDL规则 = [ARCj1：v1 = xj1，ARCj2：v2 = xj2，...，j = 1,2，...）满足逻辑命题。

6. 发明授权

US09401930B2 System and method for using partial evaluation for efficient remote attribute retrieval 有权
标题翻译：用于部分评估的高效远程属性检索的系统和方法
公开(公告)号：US09401930B2
公开(公告)日：2016-07-26
申请号：US13932734
申请日：2013-07-01
申请人： AXIOMATICS AB
发明人： Pablo Giambiagi , Erik Rissanen
IPC分类号： G06F17/00 , H04L29/06 , G06F21/60 , G06F21/62
CPC分类号： H04L63/20 , G06F21/604 , G06F21/6218 , H04L63/10
摘要： An attribute-based policy defining subjects' access to resources is enforced by a computer system. A processing means (PDP) in the system communicates with a nearby attribute value source and at least one remote attribute value source and is adapted to evaluate the policy for an access request containing one or more explicit attribute values, which together with the policy define at least one implicit reference to a further attribute value, which is retrievable from one of said attribute value sources. The processing means reduces the policy by substituting attribute values for attributes in the policy if they are contained in the request or retrievable from the nearby source. References to further attributes retrievable from a remote source only are cached together with intermediate results. All attribute values from a given remote source are retrieved on one occasion, and the intermediate results are used to terminate the evaluation.
摘要翻译：计算机系统执行基于属性的策略来定义主体对资源的访问。系统中的处理装置（PDP）与附近的属性值源和至少一个远程属性值源通信，并且适于评估包含一个或多个显式属性值的访问请求的策略，其中策略定义在对另一属性值的至少一个隐含引用，其可从所述属性值源之一检索。如果策略中的属性的属性值包含在请求中或从附近的源中检索，则处理装置减少策略。只能从远程源检索的其他属性的引用与中间结果一起缓存。一次提取给定远程源的所有属性值，并使用中间结果终止评估。

7. 发明申请

US20150101014A1 PROVISIONING AUTHORIZATION CLAIMS USING ATTRIBUTE-BASED ACCESS-CONTROL POLICIES 审中-公开
标题翻译：使用基于属性的访问控制政策提供授权书
公开(公告)号：US20150101014A1
公开(公告)日：2015-04-09
申请号：US14570212
申请日：2014-12-15
申请人： AXIOMATICS AB
发明人： Pablo Giambiagi , Peter Piotr Karpinski
IPC分类号： G06F21/62 , G06F21/60 , G06F21/31
CPC分类号： G06F21/62 , G06F21/00 , G06F21/31 , G06F21/604 , H04L9/00 , H04L29/06 , H04N19/42
摘要： Disclosed are methods and devices for provisioning authorization claims, which are enforced to control access of users to objects (resources) in a computer system, and which are to be equivalent to an attribute-based access control (ABAC) policy. A policy converter according to the invention includes a policy processor processing the policy by partial evaluation against attribute values of the users, objects or permission levels in the system and outputting simplified policies, which are subject to reverse evaluation in a reverse policy evaluator, whereby users, objects and permission levels to be associated by way of a single authorization claim are obtained. Responsible for the defining of the authorization claim and its distribution in the computer system are an authorization claim generator and an authorization claim distribution interface. The invention may be so configured as to return a single authorization claim for each combination of an object and a permission level.
摘要翻译：公开了用于供应授权权利要求的方法和装置，这些权利要求被强制以控制用户对计算机系统中的对象（资源）的访问，以及哪些等同于基于属性的访问控制（ABAC）策略。根据本发明的策略转换器包括策略处理器，通过对系统中的用户的属性值，对象或许可级别进行部分评估来处理策略，并输出在反向策略评估器中进行逆向评估的简化策略，由此用户，获得通过单个授权声明关联的对象和权限级别。负责授权声明的定义及其在计算机系统中的分发是授权声明生成器和授权声明发布界面。本发明可以被配置为返回对象和许可级别的每个组合的单个授权声明。

8. 发明申请

US20130227639A1 PROVISIONING ACCESS CONTROL USING SDDL ON THE BASIS OF A XACML POLICY 有权
标题翻译：基于XACML政策的SDDL提供访问控制
公开(公告)号：US20130227639A1
公开(公告)日：2013-08-29
申请号：US13777789
申请日：2013-02-26
申请人： Axiomatics AB
发明人： Pablo Giambiagi , Erik Rissanen , Travis Spencer
IPC分类号： G06F21/00
CPC分类号： H04L63/20 , G06F21/00 , G06F21/6218 , H04L63/10
摘要： A method is disclosed, and a corresponding data carrier and policy converter, for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network. A reverse query is produced indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests. Based on the reverse query, the XACML policy (P) and the given decision (d) are translated into a satisfiable logic proposition in Boolean variables (vi, i=1, 2, . . . ) From said ROBDD, variable assignments (RCj=[ARCj1: v1=xj1, ARCj2: v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition are derived and at least one SDDL rule is created based on said variable assignments (RCj=[ARCj1: v1=xj1, ARCj2: v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition.
摘要翻译：公开了一种方法，以及相应的数据载体和策略转换器，用于从可扩展访问控制标记语言XACML策略（P）生成至少一个安全描述符定义语言SDDL规则，其中所述至少一个SDDL规则是可执行以控制对计算机网络中的一个或多个资源的访问。产生反向查询，指示作为允许访问和拒绝访问之一的给定决策（d）和允许访问请求的集合（R）。基于反向查询，XACML策略（P）和给定决策（d）被转换为布尔变量（vi，i = 1,2，...）中的可满足的逻辑命题。从所述ROBDD，可变分配（RCj 导出满足逻辑命题的= [ARCj1：v1 = xj1，ARCj2：v2 = xj2，...，j = 1,2，...），并且基于所述变量赋值（RCj）创建至少一个SDDL规则 = [ARCj1：v1 = xj1，ARCj2：v2 = xj2，...，j = 1,2，...）满足逻辑命题。

9. 发明授权

US10158641B2 System and method for evaluating a reverse query 有权
公开(公告)号：US10158641B2
公开(公告)日：2018-12-18
申请号：US15589296
申请日：2017-05-08
申请人： AXIOMATICS AB
发明人： Erik Rissanen , Pablo Giambiagi
IPC分类号： G06F17/00 , H04L29/06 , G06F21/62
摘要： Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.

10. 发明授权

US09646164B2 System and method for evaluating a reverse query 有权
公开(公告)号：US09646164B2
公开(公告)日：2017-05-09
申请号：US14748903
申请日：2015-06-24
申请人： AXIOMATICS AB
发明人： Erik Rissanen , Pablo Giambiagi
IPC分类号： G06F17/00 , H04L29/06 , G06F21/62
CPC分类号： H04L63/10 , G06F21/62 , G06F2221/2141
摘要： Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式