SE1051394A1 - A system and method for evaluating a reverse query - Google Patents
- Publication number
- SE1051394A1
- Authority
- SE
- Sweden
- Prior art keywords
- policy
- operable
- subset
- requests
- attributes
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/903—Querying
- G06F16/9032—Query formulation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G06F17/30967—
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6281—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Description
Policy Enforcement Point (PEP) within a target application/system captures
access requests in real-time and sends them to a Policy Decision Point (PDP) for
evaluation against XACML policies.
The semantics of an XACML policy P is given as a function $f_P$ mapping a
request to a decision:
$f_P : \mathrm{Request} \to \mathrm{Decision}$
A Policy Decision Point is the component in charge of evaluating this
function and thus is optimized for that purpose.
In many situations, however, it is necessary to evaluate the inverse of the
policy function,
$(f_P)^{-1} : \mathrm{Decision} \to \mathrm{Set}(\mathrm{Request})$
Given a decision d, $(f_P)^{-1}(d)$ is the set of all requests that evaluate to d. For
example, $(f_P)^{-1}(\mathrm{PERMIT})$ is the set of all requests that are permitted by the policy
P.
ln general, there is a priori a set R of interesting requests. For instance, to
determine all the users that may "read" a certain file only requests that identify
the action as "read" and the resource as "file F" are of interest. In other words,
what needs to be computed is actually the intersection of $(f_P)^{-1}(d)$ with R,
$(f_P)^{-1}(d) \cap R$.
These concepts and procedure are summarized by the following
definitions.
Definition (Reverse Query): A reverse query is a triple < P, d, R > where
P is a policy, $d \in \mathrm{Decision}$ and R is a subset of Request.
Definition (Reverse Query Evaluation): A reverse query < P, d, R > is
evaluated by computing $(f_P)^{-1}(d) \cap R$, where $f_P$ is the semantic function associated
to policy P.
The evaluation of a reverse query is in general much more demanding, in
terms of computing resources, in particular, time, than evaluating a request
against a policy. If the set of requests of interest, $R = \{r_1, \ldots, r_n\}$, contains a
relatively small number of requests then the reverse query < P, d, R > may be
effectively evaluated by computing
$f_P(r_1), \ldots, f_P(r_n)$
and picking only those requests which evaluate to d.
That is, a reverse query can be evaluated by sending each request of
interest to the PDP (loaded with the policy P) and then comparing the returned
decision with the expected decision d.
If the set R is large, however, the method described above becomes
impractical, particularly in situations where the reverse query needs to be
evaluated in real-time, e.g., in the context of an interactive system where a user
would be waiting for the result of such evaluation.
Summary of the invention
The above mentioned problems are solved by a system operable to
evaluate a reverse query, defining an expected decision, and a subset of a set of
possible requests, over a policy in real-time according to Claim 1. The system
comprises a first storing means operable to store policies. The system also
comprises a partial request generation means operable to construct a partial
request from the subset of the set of possible requests. Furthermore, the system
also comprises a policy decision means connected to the partial request
generation means, and to the first storing means and operable to partially evaluate
the policy over the partial request resulting in a simplified policy. The system also
comprises a translation means connected to the policy decision means and
operable to translate the simplified policy, the subset of the set of possible
requests, and the expected decision into a propositional logic formula.
Furthermore, the system also comprises an analyzing means connected to the
translation means and operable to analyze the propositional logic formula in order
to determine a sequence of conditions over requests. The system also comprises
a conversion means connected to the analyzing means, and operable to convert
the sequence of conditions to a set of valid requests contained in the subset, and
evaluate to the expected decision.
The main advantage with this system is that it can evaluate a reverse
query in real-time. A further advantage with this system is that it can make the
evaluation of a reverse query in real-time even if the subset of requests contains a
large number of requests.
A further advantage in this context is achieved if the system also
comprises a policy information means connected to the policy decision means,
and the conversion means and operable to handle a set of attributes.
Furthermore, it is an advantage in this context if the partial request
generation means also is operable to examine the subset of possible requests in
order to determine (I) the set (D) of attributes that are associated with exactly the
same set of values in all requests of the subset ( R ); (II) the set (A) of attributes
that are absent in all requests of the subset ( R ); and (III) the set (U) of all other
attributes not included in any of the sets (D or A) of attributes.
A further advantage in this context is achieved if the partial request
generation means also is operable to, by using the sets (D, A and U) of attributes,
define the partial request which (IV) associates to each attribute in the set (D) of
attributes, the exact set of values associated to it by any request in the subset( R
); (V) marks all attributes in the set (A) as not present; and (VI) leaves all attributes
in the set (U) undefined.
Furthermore, it is an advantage in this context if the translation means also
is operable to represent the simplified policy with a tree structure, and to,
whenever a sub-tree represents a Boolean expression that compares an attribute
with a fixed value, replace the whole sub-tree by a variable.
A further advantage in this context is achieved if the translation means
also is operable to, from each condition node and downwards, whenever a sub-
tree represents a Boolean expression, but at least one of its children evaluates to
a non-Boolean value, replace the whole sub-tree by a variable.
Furthermore, it is an advantage in this context if the system also
comprises a second storing means connected to the translation means, and to the
conversion means, and operable to store the correlation between each variable
and the sub-tree it has replaced.
A further advantage in this context is achieved if the variables can hold a
value from the set, representing the values true, false and indeterminate.
Furthermore, it is an advantage in this context if the conversion means
also is operable to, given a request $r \in R$, determine if it fulfills any condition, and
if it does, then r is added to the set of valid requests.
The above mentioned problems are also solved with a method for
evaluating a reverse query, defining an expected decision, and a subset ( R ) of a
set of possible requests, over a policy (P) in real-time according to Claim 10. The
method is performed with the aid of a system. The method comprises the steps:
- with the aid of a first storing means, comprised in the system, to store policies;
- with the aid of a partial request generation means, comprised in the system, to
construct a partial request from the subset( R ) of the set of possible requests;
- with the aid of a policy decision means connected to the partial request
generation means, and to the first storing means, to partially evaluate the policy
over the partial request resulting in a simplified policy;
- with the aid of a translation means, connected to the policy decision means, to
translate the simplified policy, the subset of the set of possible requests, and the
expected decision into a propositional logic formula;
- with the aid of an analyzing means connected to the translation means, to
analyze the propositional logic formula in order to determine a sequence of
conditions over requests; and
- with the aid of a conversion means, connected to the analyzing means, to
convert the sequence of conditions to a set of valid requests contained in the
subset( R ), and evaluate to the expected decision.
The main advantage with this method is that it can evaluate a reverse
query in real-time. A further advantage with this method is that it can make the
evaluation of a reverse query in real-time even if the subset of requests contains a
large number of requests.
A further advantage in this context is achieved if the method also
comprises the step:
- with the aid of a policy information means, comprised in the system, and
connected to the policy decision means, and the conversion means, to handle a
set of attributes.
Furthermore, it is an advantage in this context if the method also
comprises the steps:
- with the aid of the partial request generation means, to examine the subset ( R )
of possible requests in order to determine
- (I) the set (D) of attributes that are associated with exactly the same set of values
in all requests of the subset( R );
- (II) the set (A) of attributes that are absent in all requests of the subset ( R ); and
- (III) the set (U) of all other attributes not included in any of the sets (D or A) of
attributes.
A further advantage in this context is achieved if the method also
comprises the steps:
- with the aid of the partial request generation means, by using the sets (D, A and
U) of attributes, to define the partial request, which
- (IV) associates to each attribute in the set (D) of attributes, the exact set of
values associated to it by any request in the subset ( R );
- (V) marks all attributes in the set (A) as not present; and
- (VI) leaves all attributes in the set (U) undefined.
Furthermore, it is an advantage in this context if the method also
comprises the steps:
- with the aid of the translation means, to represent the simplified policy with a tree
structure;
- whenever a sub-tree represents a Boolean expression that compares an attribute
with a fixed value; and
- to replace the whole sub-tree by a variable.
A further advantage in this context is achieved if the method also
comprises the step:
- with the aid of the translation means, from each condition node and downwards,
whenever a sub-tree represents a Boolean expression, but at least one of its
children evaluates to a non-Boolean value, to replace the whole sub-tree by a
variable.
Furthermore, it is an advantage in this context if the method also
comprises the step:
- with the aid of a second storing means, comprised in the system, and connected
to the translation means, to store a correlation between each variable and the
sub-tree it has replaced.
A further advantage in this context is achieved if the variables can hold a
value from the set, representing the values true, false and indeterminate.
Furthermore, it is an advantage in this context if the method also
comprises the steps:
- with the aid of the conversion means, given a request $r \in R$, to determine if it
fulfills any condition; and
- if it does, to add r to the set of valid requests.
The above mentioned problems are also solved with at least one computer
program product according to Claim 19. The at least one computer program
product is/are directly loadable into the internal memory of at least one digital
computer, and comprises software code portions for performing the steps of the
method according to the present invention when the at least one product is/are run
on the at least one computer.
The main advantage with this computer program product is that it can
evaluate a reverse query in real-time. A further advantage with this product is that
it can make the evaluation of a reverse query in real-time even if the subset of
requests contains a large number of requests.
It will be noted that the term "comprises/comprising" as used in this
description is intended to denote the presence of a given characteristic, step or
component, without excluding the presence of one or more other characteristics,
features, integers, steps, components or groups thereof.
Embodiments of the invention will now be described with a reference to
the accompanying drawings, in which:
Brief description of the drawings
Fig. 1 is a block diagram of a system operable to evaluate a reverse
query, defining an expected decision, and a subset of a set of possible requests,
over a policy in real-time according to the present invention;
Fig. 2 is a flow chart of a method for evaluating a reverse query, defining
an expected decision, and a subset of a set of possible requests, over a policy in
real-time according to the present invention; and
Fig. 3 schematically shows a number of computer program products
according to the present invention.
Detailed description of the preferred embodiments
In fig. 1 there is disclosed a block diagram of a system 10 operable to
evaluate a reverse query, defining an expected decision (d), and a subset ( R ) of
a set of possible requests, over a policy (P) in real-time according to the present
invention. The system 10 comprises a first storing means 12 operable to store
policies. Furthermore, the system 10 also comprises a partial request generation
means 14 operable to construct a partial request ($r_{partial}$) from the subset ( R ) of
the set of possible requests. As is apparent in fig. 1, the system 10 also comprises
a policy decision means 16 connected to the partial request generation means 14,
and to the first storing means 12, and operable to partially evaluate the policy (P)
over the partial request ($r_{partial}$) resulting in a simplified policy (P'). Furthermore, the
system 10 also comprises a translation means 20 connected to the policy decision
means 16, and operable to translate the simplified policy (P'), the subset ( R ) of
the set of possible requests, and the expected decision (d) into a propositional
logic formula (F). The system 10 also comprises an analyzing means 18
connected to the translation means 20, and operable to analyze the propositional
logic formula (F) in order to determine a sequence $[c_1, \ldots, c_k]$ of conditions over
requests. As also is apparent in fig. 1, the system 10 also comprises a conversion
means 22 connected to the analyzing means 18, and operable to convert the
sequence $[c_1, \ldots, c_k]$ of conditions to a set of valid requests contained in the subset
( R ), and evaluate to the expected decision (d).
According to one alternative, the system 10 can also comprise a policy
information means 30 operable to handle a set of attributes 32. The policy
information means 30 is connected to the policy decision means 16, and to the
conversion means 22. These connections are disclosed in fig. 1 with broken lines,
because these elements are not mandatory in the system 10.
According to another alternative, the partial request generation means 14
is also operable to examine the subset( R ) of the set of possible requests in order
to determine (I) the set (D) of attributes that are associated with exactly the same
set of values in all requests of the subset ( R ); (II) the set (A) of attributes that are
absent in all requests of the subset ( R ); and (III) the set (U) of all other attributes
not included in any of the sets (D or A) of attributes.
According to a further alternative, the partial request generation means 14
is also operable to, by using the sets (D, A and U) of attributes, define the partial
request ($r_{partial}$), which (IV) associates to each attribute in the set (D) of attributes,
the exact set of values associated to it by any request in the subset ( R ); (V)
marks all attributes in the set (A) as not present; and (VI) leaves all attributes in
the set (U) undefined.
According to yet another alternative, the translation means 20 is also
operable to represent the simplified policy (P') with a tree structure, and to,
whenever a sub-tree represents a Boolean expression that compares an attribute
with a fixed value, replace the whole sub-tree by a variable ($v_i$).
According to another alternative, the translation means 20 is also operable
to, from each condition node and downwards, whenever a sub-tree represents a
Boolean expression, but at least one of its children evaluates to a non-Boolean
value, replace the whole sub-tree by a variable ($v_i$).
As also is apparent in fig. 1, the system 10 can also comprise a second
storing means 24 operable to store the correlation between each variable ($v_i$) and
the sub-tree it has replaced. The second storing means 24 is connected to the
translation means 20, and to the conversion means 22. These connections are
disclosed in fig. 1 with a broken line, because these elements are not mandatory in
the system 10.
Furthermore, according to another alternative, the variables ($v_i$) can hold a
value from the set $\{T, F, \bot\}$, representing the values true, false and
indeterminate.
According to yet another alternative, the conversion means 22 is also
operable to, given a request $r \in R$, determine if it fulfills any condition $c_i$, and if it
does, then r is added to the set of valid requests.
In fig. 2 there is disclosed a flow chart of a method for evaluating a reverse
query, defining an expected decision (d), and a subset ( R ) of a set of possible
requests, over a policy (P) in real-time according to the present invention. The
method is performed with the aid of a system 10 (see fig. 1). The method begins at
block 50. The method continues, at block 52, with the step: with the aid of a first
storing means 12, comprised in the system 10, to store policies. Thereafter, the
method continues, at block 54, with the step: with the aid of a partial request
generation means 14, comprised in the system 10, to construct a partial request
($r_{partial}$) from the subset ( R ) of the set of possible requests. The method continues,
at block 56, with the step: with the aid of a policy decision means 16 connected to
the partial request generation means 14, to partially evaluate the policy (P) over
the partial request ($r_{partial}$) resulting in a simplified policy (P'). Thereafter, the
method continues, at block 58, with the step: with the aid of a translation means
20, connected to the policy decision means 16, to translate the simplified policy
(P'), the subset ( R ) of the set of possible requests, and the expected decision (d)
into a propositional logic formula (F). The method continues, at block 60, with the
step: with the aid of an analyzing means 18 connected to the translation means
20, to analyze the propositional logic formula (F) in order to determine a sequence
$[c_1, \ldots, c_k]$ of conditions over requests. Thereafter, the method continues, at block
62, with the step: with the aid of a conversion means 22, connected to analyzing
means 18, to convert the sequence $[c_1, \ldots, c_k]$ of conditions to a set of valid
requests contained in the subset ( R ), and evaluate to the expected decision (d).
The method is completed at block 64.
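The method of blocks 54 to 62 on a toy policy, as an added example that is not part of the patent text. The tuple-tree policy format, the attribute names and the sample requests are constructed for illustration; absent attributes are treated as empty bags, the indeterminate value is left out, and exhaustive enumeration stands in for the analyzing means.

```python
from itertools import product

PERMIT, DENY = "Permit", "Deny"

# Constructed toy policy P (not XACML): Permit iff the tree is true; "eq" tests bag membership.
POLICY = ("and", [
    ("eq", "action", "read"), ("eq", "resource", "fileF"),
    ("or", [
        ("eq", "role", "doctor"),
        ("and", [("eq", "role", "auditor"), ("not", ("eq", "external", "yes"))]),
        ("eq", "emergency", "true"),
    ]),
])

# Constructed set R of interesting requests: who may "read" "fileF"?
_COMMON = {"action": {"read"}, "resource": {"fileF"}}
REQUESTS = [
    {**_COMMON, "role": {"doctor"}},
    {**_COMMON, "role": {"auditor"}},
    {**_COMMON, "role": {"auditor"}, "external": {"yes"}},
    {**_COMMON, "role": {"nurse"}},
]

def leaves(e):
    """Attribute comparisons in e; each becomes one propositional variable."""
    if isinstance(e, bool):
        return set()
    if e[0] == "eq":
        return {e}
    kids = e[1] if e[0] in ("and", "or") else [e[1]]
    return set().union(*map(leaves, kids))

def evaluate(e, truth):
    """Evaluate tree e, asking truth(leaf) for each comparison."""
    if isinstance(e, bool):
        return e
    if e[0] == "eq":
        return truth(e)
    if e[0] == "not":
        return not evaluate(e[1], truth)
    results = [evaluate(k, truth) for k in e[1]]
    return all(results) if e[0] == "and" else any(results)

def holds(leaf, request):
    """Assumption: an absent attribute behaves as an empty bag."""
    return leaf[2] in request.get(leaf[1], ())

def f_P(policy, request):
    """Forward evaluation (the PDP's job): request -> decision."""
    return PERMIT if evaluate(policy, lambda l: holds(l, request)) else DENY

def brute_force(policy, d, R):
    """Baseline: send every request of R to the PDP and compare with d."""
    return [r for r in R if f_P(policy, r) == d]

def partial_request(R, attributes):
    """Steps (I)-(VI): D keeps its common bag, A is marked absent, U is left out."""
    partial = {}
    for a in attributes:
        bags = {frozenset(r[a]) if a in r else None for r in R}
        if bags == {None}:
            partial[a] = frozenset()       # set A: not present
        elif len(bags) == 1:
            partial[a] = next(iter(bags))  # set D: same values in all of R
    return partial                         # set U: undefined, no entry

def simplify(e, partial):
    """Partially evaluate e over the partial request, giving P'."""
    if isinstance(e, bool):
        return e
    if e[0] == "eq":
        return e[2] in partial[e[1]] if e[1] in partial else e
    if e[0] == "not":
        k = simplify(e[1], partial)
        return (not k) if isinstance(k, bool) else ("not", k)
    kids = [simplify(k, partial) for k in e[1]]
    absorbing = e[0] == "or"               # True absorbs "or", False absorbs "and"
    if any(k is absorbing for k in kids):
        return absorbing
    kids = [k for k in kids if not isinstance(k, bool)]
    if not kids:
        return not absorbing
    return kids[0] if len(kids) == 1 else (e[0], kids)

def conditions(formula, d):
    """Each satisfying assignment is one condition c_i (enumeration, not a solver)."""
    variables = sorted(leaves(formula))
    assignments = (dict(zip(variables, bits))
                   for bits in product([False, True], repeat=len(variables)))
    return [c for c in assignments if evaluate(formula, c.__getitem__) == (d == PERMIT)]

def reverse_query(policy, d, R):
    """Evaluate <P, d, R>: return (P', requests of R that evaluate to d)."""
    attributes = {leaf[1] for leaf in leaves(policy)}
    simplified = simplify(policy, partial_request(R, attributes))
    conds = conditions(simplified, d)
    return simplified, [r for r in R if any(
        all(holds(l, r) == v for l, v in c.items()) for c in conds)]
```

Partial evaluation removes the action, resource and emergency comparisons before any formula is built, so only the role and external comparisons remain as variables.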
According to one alternative, the method also comprises the step: with the
aid of a policy information means 30, comprised in the system 10, and connected
to the policy decision means 16, and to the conversion means 22, to handle a set
of attributes 32.
According to another alternative, the method also comprises the steps:
with the aid of the partial request generation means 14, to examine the subset ( R
) of possible requests in order to determine
- (I) the set (D) of attributes that are associated with exactly the same set of values
in all requests of the subset( R );
- (II) the set (A) of attributes that are absent in all requests of the subset ( R ); and
- (III) the set (U) of all other attributes not included in any of the sets (D or A) of
attributes.
According to yet another alternative, the method also comprises the steps:
with the aid of the partial request generation means 14, by using the sets (D, A
and U) of attributes, to define the partial request ($r_{partial}$), which
- (IV) associates to each attribute in the set (D) of attributes, the exact set of
values associated to it by any request in the subset( R );
- (V) marks all attributes in the set (A) as not present; and
- (VI) leaves all attributes in the set (U) undefined.
Furthermore, according to another alternative, the method also comprises
the steps:
- with the aid of the translation means 20, to represent the simplified policy (P')
with a tree structure;
- whenever a sub-tree represents a Boolean expression that compares an attribute
with a fixed value; and
- to replace the whole sub-tree by a variable ($v_i$).
According to a further alternative, the method also comprises the step:
- with the aid of the translation means 20, from each condition node and
downwards, whenever a sub-tree represents a Boolean expression, but at least
one of its children evaluates to a non-Boolean value, to replace the whole sub-tree
by a variable ($v_i$).
According to another alternative, the method also comprises the step:
- with the aid of a second storing means 24, comprised in the system 10, and
connected to the translation means 20, and to the conversion means 22 to store a
correlation between each variable ($v_i$) and the sub-tree it has replaced.
According to yet another alternative, the variables ($v_i$) can hold a value
from the set $\{T, F, \bot\}$, representing the values true, false and indeterminate.
Furthermore, according to another alternative, the method also comprises
the steps:
- with the aid of the conversion means 22, given a request $r \in R$, to determine if it
fulfills any condition $c_i$; and
- if it does, to add r to the set of valid requests.
In fig. 3, some computer program products $102_1, \ldots, 102_n$ according to the
present invention are schematically shown. In fig. 3, n different digital computers
$100_1, \ldots, 100_n$ are shown, where n is an integer. In fig. 3, n different computer
program products $102_1, \ldots, 102_n$ are shown, here shown in the form of CD discs.
The different computer program products $102_1, \ldots, 102_n$ are directly loadable into
the internal memory of the n different computers $100_1, \ldots, 100_n$. Each computer
program product $102_1, \ldots, 102_n$ comprises software code portions for performing
all the steps according to fig. 2, when the product/products $102_1, \ldots, 102_n$ is/are
run on the computers $100_1, \ldots, 100_n$. The computer program products $102_1, \ldots, 102_n$
may, for instance, be in the form of diskettes, RAM discs, magnetic tapes,
magneto-optical discs or some other suitable products.
The invention is not limited to the described embodiments. It will be
evident for those skilled in the art that many different modifications are feasible
within the scope of the following claims.
Claims (19)
1. A system (10) operable to evaluate a reverse query, defining an expected decision (d), and a subset ( R ) of a set of possible requests, over a policy (P) in real-time, said system (10) comprising a first storing means (12) operable to store policies, characterized in that said system (10) also comprises a partial request generation means (14) operable to construct a partial request ($r_{partial}$) from said subset ( R ) of said set of possible requests, a policy decision means (16) connected to said partial request generation means (14), and to the first storing means (12), and operable to partially evaluate said policy (P) over said partial request ($r_{partial}$) resulting in a simplified policy (P'), a translation means (20) connected to said policy decision means (16), and operable to translate said simplified policy (P'), said subset ( R ) of said set of possible requests, and said expected decision (d) into a propositional logic formula (F), an analyzing means (18) connected to said translation means (20), and operable to analyze said propositional logic formula (F) in order to determine a sequence $[c_1, \ldots, c_k]$ of conditions over requests, and a conversion means (22) connected to said analyzing means (18), and operable to convert said sequence $[c_1, \ldots, c_k]$ of conditions to a set of valid requests contained in said subset ( R ), and evaluate to said expected decision (d).
2. A system (10) operable to evaluate a reverse query over a policy (P) in real-time according to Claim 1, characterized in that said system (10) also comprises a policy information means (30) connected to said policy decision means (16), and said conversion means (22), and operable to handle a set of attributes (32).
3. A system (10) operable to evaluate a reverse query over a policy (P) in real-time according to Claim 1 or 2, characterized in that said partial request generation means (14) also is operable to examine said subset ( R ) of possible requests in order to determine (I) the set (D) of attributes that are associated with exactly the same set of values in all requests of said subset ( R ); (II) the set (A) of attributes that are absent in all requests of said subset ( R ); and (III) the set (U) of all other attributes not included in any of the sets (D or A) of attributes.
4. A system (10) operable to evaluate a reverse query over a policy (P) in real-time according to Claim 3, characterized in that said partial request generation means (14) also is operable to, by using said sets (D, A and U) of attributes, define said partial request ($r_{partial}$), which (IV) associates to each attribute in said set (D) of attributes, the exact set of values associated to it by any request in said subset ( R ); (V) marks all attributes in said set (A) as not present; and (VI) leaves all attributes in said set (U) undefined.
5. A system (10) operable to evaluate a reverse query over a policy (P) in real-time according to any one of Claims 1-4, characterized in that said translation means (20) also is operable to represent said simplified policy (P') with a tree structure, and to, whenever a sub-tree represents a Boolean expression that compares an attribute with a fixed value, replace said whole sub-tree by a variable ($v_i$).
6. A system (10) operable to evaluate a reverse query over a policy (P) in real-time according to Claim 5, characterized in that said translation means (20) also is operable to, from each condition node and downwards, whenever a sub-tree represents a Boolean expression, but at least one of its children evaluates to a non-Boolean value, replace said whole sub-tree by a variable ($v_i$).
7. A system (10) operable to evaluate a reverse query over a policy (P) in real-time according to Claim 5, or 6, characterized in that said system (10) also comprises a second storing means (24) connected to said translation means (20), and to said conversion means (22), and operable to store the correlation between each variable ($v_i$) and said sub-tree it has replaced.
8. A system (10) operable to evaluate a reverse query over a policy (P) in real-time according to Claim 7, characterized in that said variables ($v_i$) can hold a value from the set $\{T, F, \bot\}$, representing the values true, false and indeterminate.
9. A system (10) operable to evaluate a reverse query over a policy (P) in real-time according to any one of Claims 5-8, when dependent on Claim 5, characterized in that said conversion means (22) also is operable to, given a request $r \in R$, determine if it fulfills any condition $c_i$, and if it does, then r is added to said set of valid requests.
10. A method for evaluating, with the aid of a system (10), a reverse query, defining an expected decision (d), and a subset ( R ) of a set of possible requests, over a policy (P) in real-time, said method comprises the steps: - with the aid of a first storing means (12), comprised in said system (10), to store policies; - with the aid of a partial request generation means (14), comprised in said system (10), to construct a partial request ($r_{partial}$) from said subset ( R ) of said set of possible requests; - with the aid of a policy decision means (16) connected to said partial request generation means (14), and to said first storing means (12), to partially evaluate said policy (P) over said partial request ($r_{partial}$) resulting in a simplified policy (P'); - with the aid of a translation means (20), connected to said policy decision means (16), to translate said simplified policy (P'), said subset ( R ) of said set of possible requests, and said expected decision (d) into a propositional logic formula (F); - with the aid of an analyzing means (18) connected to said translation means (20), to analyze said propositional logic formula (F) in order to determine a sequence $[c_1, \ldots, c_k]$ of conditions over requests; and - with the aid of a conversion means (22), connected to said analyzing means (18), to convert said sequence $[c_1, \ldots, c_k]$ of conditions to a set of valid requests contained in said subset ( R ), and evaluate to said expected decision (d).
11. A method for evaluating a reverse query over a policy (P) in real-time according to Claim 10, characterized in that said method also comprises the step: - with the aid of a policy information means (30), comprised in said system (10), and connected to said policy decision means (16), and said conversion means (22), to handle a set of attributes (32).
12. A method for evaluating a reverse query over a policy (P) in real-time according to Claim 10 or 11, characterized in that said method also comprises the steps: - with the aid of said partial request generation means (14), to examine said subset ( R ) of possible requests in order to determine - (I) the set (D) of attributes that are associated with exactly the same set of values in all requests of said subset ( R ); - (II) the set (A) of attributes that are absent in all requests of said subset ( R ); and - (III) the set (U) of all other attributes not included in any of the sets (D or A) of attributes.
13. A method for evaluating a reverse query over a policy (P) in real-time according to Claim 12, characterized in that said method also comprises the steps: - with the aid of said partial request generation means (14), by using said sets (D, A and U) of attributes, to define said partial request ($r_{partial}$), which - (IV) associates to each attribute in said set (D) of attributes, the exact set of values associated to it by any request in said subset ( R ); - (V) marks all attributes in said set (A) as not present; and - (VI) leaves all attributes in said set (U) undefined.
14. A method for evaluating a reverse query over a policy (P) in real-time according to any one of Claims 10-13, characterized in that said method also comprises the steps: - with the aid of said translation means (20), to represent said simplified policy (P') with a tree structure; - whenever a sub-tree represents a Boolean expression that compares an attribute with a fixed value; and - to replace said whole sub-tree by a variable (v_i).
15. A method for evaluating a reverse query over a policy (P) in real-time according to Claim 14, characterized in that said method also comprises the step: - with the aid of said translation means (20), from each condition node and downwards, whenever a sub-tree represents a Boolean expression, but at least one of its children evaluates to a non-Boolean value, to replace said whole sub-tree by a variable (v_i).
16. A method for evaluating a reverse query over a policy (P) in real-time according to Claim 14 or 15, characterized in that said method also comprises the step: - with the aid of a second storing means (24), comprised in said system (10), and connected to said translation means (20), and to said conversion means (22), to store a correlation between each variable (v_i) and said sub-tree it has replaced.
17. A method for evaluating a reverse query over a policy (P) in real-time according to Claim 16, characterized in that said variables (v_i) can hold a value from the set {T, F, ⊥}, representing the values true, false and indeterminate.
18. A method for evaluating a reverse query over a policy (P) in real-time according to any one of Claims 14-17, when dependent on Claim 14, characterized in that said method also comprises the steps: - with the aid of said conversion means (22), given a request r ∈ R, to determine if it fulfills any condition c_i; and - if it does, to add r to said set of valid requests.
19. At least one computer program product (102_1, ..., 102_n) directly loadable into the internal memory of at least one digital computer (100_1, ..., 100_n), comprising software code portions for performing the steps of Claim 10 when said at least one product (102_1, ..., 102_n) is/are run on said at least one computer (100_1, ..., 100_n).
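The procedure of claims 10 to 13 and 18, as an added Python example that is not code from the patent or from any product. Assumptions: the attribute names, the toy policy tree built from `eq`/`and`/`or` nodes, a Boolean decision, and direct enumeration over R in place of the propositional-logic translation and analysis of claims 10 and 14 to 17.

```python
ATTRS = ["role", "dept", "action", "clearance"]  # constructed attribute universe
ABSENT, UNDEFINED = "absent", "undefined"

def partial_request(R):
    """Claims 12-13: derive the sets D, A, U from R and build r_partial."""
    D, A, U = {}, set(), set()
    for a in ATTRS:
        seen = {frozenset(r[a]) if a in r else None for r in R}
        if seen == {None}:
            A.add(a)                        # (II) absent in all requests
        elif len(seen) == 1:
            D[a] = set(next(iter(seen)))    # (I) same value set in all requests
        else:
            U.add(a)                        # (III) all other attributes
    return D, A, U, {**D, **dict.fromkeys(A, ABSENT), **dict.fromkeys(U, UNDEFINED)}

def simplify(node, rp):
    """Claim 10: partially evaluate the policy tree over r_partial, giving P'."""
    if node[0] == "eq":
        known = rp[node[1]]
        if known == UNDEFINED:
            return node                     # undecided, stays in P'
        return known != ABSENT and node[2] in known
    kids = [simplify(k, rp) for k in node[1:]]
    absorbing = node[0] == "or"             # True absorbs "or", False absorbs "and"
    if any(k is absorbing for k in kids):
        return absorbing
    rest = [k for k in kids if not isinstance(k, bool)]
    if not rest:
        return not absorbing
    return rest[0] if len(rest) == 1 else (node[0], *rest)

def holds(node, r):  # evaluate a policy tree (or a constant) on one request
    if isinstance(node, bool):
        return node
    if node[0] == "eq":
        return node[2] in r.get(node[1], ())
    results = [holds(k, r) for k in node[1:]]
    return all(results) if node[0] == "and" else any(results)

def reverse_query(policy, R, expected=True):
    """Claims 10 and 18: requests in R that evaluate to the expected decision."""
    simplified = simplify(policy, partial_request(R)[3])
    return simplified, [r for r in R if holds(simplified, r) == expected]

POLICY = ("and", ("eq", "action", "read"),
          ("or", ("eq", "role", "doctor"), ("eq", "clearance", "high")))
REQUESTS = [{"action": {"read"}, "role": {"doctor"}},  # constructed sample subset R
            {"action": {"read"}, "role": {"nurse"}},
            {"action": {"read"}, "role": {"nurse"}, "clearance": {"high"}}]
```

Because `action` has the same value in every request, it is resolved during partial evaluation and only the `role`/`clearance` disjunction remains to be checked per request.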
Priority Applications (7)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
SE1051394A SE1051394A1 (sv) | 2010-12-30 | 2010-12-30 | A system and method for evaluating a reverse query |
US13/695,880 US9223992B2 (en) | 2010-12-30 | 2011-07-19 | System and method for evaluating a reverse query |
PCT/SE2011/050955 WO2012091653A1 (en) | 2010-12-30 | 2011-07-19 | A system and method for evaluating a reverse query |
EP11853144.1A EP2548141B1 (en) | 2010-12-30 | 2011-07-19 | A system and method for evaluating a reverse query |
EP15164634.6A EP2921986B1 (en) | 2010-12-30 | 2011-07-19 | A system and method for evaluating a reverse query |
US14/748,903 US9646164B2 (en) | 2010-12-30 | 2015-06-24 | System and method for evaluating a reverse query |
US15/589,296 US10158641B2 (en) | 2010-12-30 | 2017-05-08 | System and method for evaluating a reverse query |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
SE1051394A SE1051394A1 (sv) | 2010-12-30 | 2010-12-30 | A system and method for evaluating a reverse query |
Publications (1)
Publication Number | Publication Date |
---|---|
SE1051394A1 true SE1051394A1 (sv) | 2011-10-13 |
Family
ID=44900240
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
SE1051394A SE1051394A1 (sv) | 2010-12-30 | 2010-12-30 | A system and method for evaluating a reverse query |
Country Status (4)
Country | Link |
---|---|
US (1) | US9223992B2 (sv) |
EP (2) | EP2548141B1 (sv) |
SE (1) | SE1051394A1 (sv) |
WO (1) | WO2012091653A1 (sv) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3572963A1 (en) | 2011-05-05 | 2019-11-27 | Axiomatics AB | Database access-control policy enforcement using reverse queries |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8489685B2 (en) | 2009-07-17 | 2013-07-16 | Aryaka Networks, Inc. | Application acceleration as a service system and method |
US8966576B2 (en) * | 2012-02-27 | 2015-02-24 | Axiomatics Ab | Provisioning access control using SDDL on the basis of a XACML policy |
US9455923B2 (en) * | 2014-06-06 | 2016-09-27 | Verizon Patent And Licensing Inc. | Network policy and network device control |
EP2993606A1 (en) | 2014-09-05 | 2016-03-09 | Axiomatics AB | Provisioning system-level permissions using attribute-based access control policies |
US10922423B1 (en) * | 2018-06-21 | 2021-02-16 | Amazon Technologies, Inc. | Request context generator for security policy validation service |
Family Cites Families (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE60131900T2 (de) * | 2000-10-26 | 2008-12-04 | Flood, James C. jun., Portland | Method and system for managing distributed content and related metadata |
US7437362B1 (en) * | 2003-11-26 | 2008-10-14 | Guardium, Inc. | System and methods for nonintrusive database security |
US7333981B2 (en) | 2004-12-17 | 2008-02-19 | International Business Machines Corporation | Transformation of a physical query into an abstract query |
US7533088B2 (en) | 2005-05-04 | 2009-05-12 | Microsoft Corporation | Database reverse query matching |
US7921452B2 (en) * | 2005-08-23 | 2011-04-05 | The Boeing Company | Defining consistent access control policies |
US7941336B1 (en) * | 2005-09-14 | 2011-05-10 | D2C Solutions, LLC | Segregation-of-duties analysis apparatus and method |
US20070078840A1 (en) | 2005-10-05 | 2007-04-05 | Microsoft Corporation | Custom function library for inverse query evaluation of messages |
US7472130B2 (en) * | 2005-10-05 | 2008-12-30 | Microsoft Corporation | Select indexing in merged inverse query evaluations |
US20070143851A1 (en) * | 2005-12-21 | 2007-06-21 | Fiberlink | Method and systems for controlling access to computing resources based on known security vulnerabilities |
US7747647B2 (en) * | 2005-12-30 | 2010-06-29 | Microsoft Corporation | Distributing permission information via a metadirectory |
US7849507B1 (en) * | 2006-04-29 | 2010-12-07 | Ironport Systems, Inc. | Apparatus for filtering server responses |
US7702689B2 (en) | 2006-07-13 | 2010-04-20 | Sap Ag | Systems and methods for querying metamodel data |
US8010991B2 (en) * | 2007-01-29 | 2011-08-30 | Cisco Technology, Inc. | Policy resolution in an entitlement management system |
US8024771B2 (en) * | 2007-09-19 | 2011-09-20 | International Business Machines Corporation | Policy-based method for configuring an access control service |
US20090205018A1 (en) * | 2008-02-07 | 2009-08-13 | Ferraiolo David F | Method and system for the specification and enforcement of arbitrary attribute-based access control policies |
US20090265780A1 (en) | 2008-04-21 | 2009-10-22 | Varonis Systems Inc. | Access event collection |
US8250526B2 (en) * | 2008-08-12 | 2012-08-21 | Oracle America, Inc. | Method for analyzing an XACML policy |
US20100153695A1 (en) * | 2008-12-16 | 2010-06-17 | Microsoft Corporation | Data handling preferences and policies within security policy assertion language |
SE534334C2 (sv) * | 2009-05-07 | 2011-07-12 | Axiomatics Ab | A system and method for controlling policy distribution with partial evaluation |
US8959157B2 (en) | 2009-06-26 | 2015-02-17 | Microsoft Corporation | Real-time spam look-up system |
US8826366B2 (en) * | 2010-07-15 | 2014-09-02 | Tt Government Solutions, Inc. | Verifying access-control policies with arithmetic quantifier-free form constraints |
US8805881B2 (en) * | 2010-05-06 | 2014-08-12 | International Business Machines Corporation | Reputation based access control |
US8601549B2 (en) * | 2010-06-29 | 2013-12-03 | Mckesson Financial Holdings | Controlling access to a resource using an attribute based access control list |
- 2010
  - 2010-12-30 SE SE1051394A patent/SE1051394A1/sv not_active Application Discontinuation
- 2011
  - 2011-07-19 WO PCT/SE2011/050955 patent/WO2012091653A1/en active Application Filing
  - 2011-07-19 US US13/695,880 patent/US9223992B2/en active Active
  - 2011-07-19 EP EP11853144.1A patent/EP2548141B1/en not_active Not-in-force
  - 2011-07-19 EP EP15164634.6A patent/EP2921986B1/en active Active
Also Published As
Publication number | Publication date |
---|---|
US20130055344A1 (en) | 2013-02-28 |
EP2548141A1 (en) | 2013-01-23 |
EP2921986A1 (en) | 2015-09-23 |
EP2548141B1 (en) | 2015-06-03 |
WO2012091653A1 (en) | 2012-07-05 |
EP2921986B1 (en) | 2019-09-25 |
EP2548141A4 (en) | 2013-05-29 |
US9223992B2 (en) | 2015-12-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Nelson et al. | Security and privacy for big data: A systematic literature review | |
WO2017076263A1 (zh) | Fused knowledge base processing method and apparatus, knowledge base management system, and storage medium | |
Hu et al. | Anomaly discovery and resolution in web access control policies | |
US7882110B2 (en) | Method and system for migrating documents | |
SE1051394A1 (sv) | A system and method for evaluating a reverse query | |
US20180144132A1 (en) | Kind of android malicious code detection method on the base of community structure analysis | |
US10158641B2 (en) | System and method for evaluating a reverse query | |
Elhadi et al. | Structure and attributes community detection: comparative analysis of composite, ensemble and selection methods | |
US8250536B2 (en) | Analysis of a legacy source code application | |
CN106228068A (zh) | Android malicious code detection method based on hybrid features | |
Zhang et al. | MRMondrian: Scalable multidimensional anonymisation for big data privacy preservation | |
CN112968917B (zh) | Penetration testing method and system for network devices | |
US20110219000A1 (en) | Search apparatus, search method, and recording medium storing program | |
CN103036697B (zh) | Multi-dimensional data deduplication method and system | |
Carbone et al. | Fast&&Serious: a UML based metric for effort estimation | |
KR101416586B1 (ko) | Method for performing full-text-based logical operations using hashes | |
WO2008005637A2 (en) | Hybrid assessment tool, and systems and methods of quantifying risk | |
Afonin | Ontology models for access control systems | |
Ramli | Detecting incompleteness, conflicting and unreachability XACML policies using answer set programming | |
Dutta et al. | Aggregation of heterogeneously related information with extended geometric Bonferroni mean and its application in group decision making | |
Ergenç Bostanoǧlu et al. | Minimizing information loss in shared data: Hiding frequent patterns with multiple sensitive support thresholds | |
WO2021012211A1 (zh) | Method and apparatus for indexing data | |
CN110995747A (zh) | Distributed storage security analysis method | |
KR101259911B1 (ko) | Rule-based ontology conversion apparatus and method for converting a relational database into an ontology | |
Al-Saraireh et al. | A New Attribute-Based Access Control Model for RDBMS |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
NAV | Patent application has lapsed |