1. Field
The present disclosure relates generally to computer security. More specifically, the present disclosure relates to a technique for efficiently evaluating a security policy for a user's session.
2. Related Art
A user in a secure system typically logs on to a session, attempts several operations within that session, and then logs off. During these attempted operations, a security system evaluates whether each operation is allowed in the session according to the roles associated with the user. This evaluation is called security policy evaluation. Typically, the system uses an Access Control List (ACL), which contains a set of Access Control Entries (ACEs); each ACE associates a role (or other principal) with privileges that are granted or denied on an object. From the set of ACEs that apply to the user, security policy evaluation determines which privileges are granted or denied. For example, an ACE might grant an employee only the read privilege on an object such as a database of employee records, so that any write attempt in that session is denied. However, extracting the set of ACEs associated with a user from an ACL is often a computationally expensive operation, because a naive implementation scans the entire ACL for every operation the user attempts.
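The following is an added illustration of the ACL/ACE evaluation described above; it is not the disclosure's technique and not code from any referenced system. It assumes a conventional deny-overrides rule (an explicit deny wins, otherwise a privilege is allowed only if some matching ACE grants it, with denial by default), a hypothetical `PolicyEvaluator` class, and a constructed sample ACL. A counter of inspected ACEs makes the cost of extracting a user's ACEs by full scan visible, and a simple per-(roles, object) memo is included only as a generic point of comparison, not as the method this disclosure proposes.

```python
"""Constructed example of ACL/ACE-based security policy evaluation for a session.

Illustrative only: not the disclosure's method. Shows deny-overrides evaluation
and the number of ACEs inspected when the ACL is scanned on every operation.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class ACE:
    """One Access Control Entry: a role, an object, and privileges granted or denied."""
    role: str
    obj: str
    privileges: FrozenSet[str]
    grant: bool = True  # False marks an explicit deny


@dataclass
class Session:
    """A logged-on user and the roles associated with that user."""
    user: str
    roles: FrozenSet[str]


class PolicyEvaluator:
    """Hypothetical evaluator (assumption, not from the page)."""

    def __init__(self, acl: List[ACE]):
        self.acl = acl
        self.scanned = 0  # ACEs inspected so far; makes the extraction cost visible
        self._memo: Dict[Tuple[FrozenSet[str], str], List[ACE]] = {}

    def aces_for(self, session: Session, obj: str) -> List[ACE]:
        """Extract the ACEs relevant to this session and object by a full ACL scan."""
        self.scanned += len(self.acl)
        return [a for a in self.acl if a.role in session.roles and a.obj == obj]

    def aces_for_memoized(self, session: Session, obj: str) -> List[ACE]:
        """Same extraction, but reuse the result for a repeated (roles, object) pair."""
        key = (session.roles, obj)
        if key not in self._memo:
            self._memo[key] = self.aces_for(session, obj)
        return self._memo[key]

    def is_allowed(self, session: Session, obj: str, privilege: str,
                   memoized: bool = False) -> bool:
        aces = (self.aces_for_memoized if memoized else self.aces_for)(session, obj)
        # deny-overrides: any explicit deny of the privilege wins
        if any(not a.grant and privilege in a.privileges for a in aces):
            return False
        # otherwise allowed only if some ACE grants it; default deny
        return any(a.grant and privilege in a.privileges for a in aces)


# Constructed sample ACL (illustrative data, not from any real system)
ACL = [
    ACE("employee", "employee_records", frozenset({"read"})),
    ACE("hr", "employee_records", frozenset({"read", "write"})),
    ACE("contractor", "employee_records", frozenset({"read"}), grant=False),
    ACE("employee", "payroll", frozenset({"read"}), grant=False),
    ACE("hr", "payroll", frozenset({"read", "write"})),
]


def run_session(evaluator: PolicyEvaluator, session: Session,
                ops: List[Tuple[str, str]], memoized: bool = False) -> Dict[Tuple[str, str], bool]:
    """Evaluate each (object, privilege) a session attempts; returns the decisions."""
    return {(obj, priv): evaluator.is_allowed(session, obj, priv, memoized)
            for obj, priv in ops}


def demo():
    ops = [("employee_records", "read"), ("employee_records", "write"), ("payroll", "read")]
    bob = Session("bob", frozenset({"employee", "hr"}))
    carol = Session("carol", frozenset({"employee", "contractor"}))

    plain = PolicyEvaluator(ACL)
    bob_result = run_session(plain, bob, ops)
    carol_result = run_session(plain, carol, ops)

    memo = PolicyEvaluator(ACL)
    run_session(memo, bob, ops, memoized=True)
    run_session(memo, carol, ops, memoized=True)
    return bob_result, carol_result, plain.scanned, memo.scanned


if __name__ == "__main__":
    print(demo())
```

Note how deny-overrides behaves for `bob`: his `hr` role grants `read` on `payroll`, but the `employee` deny on the same object wins, which is exactly the kind of interaction a policy author must check for. The scan counter shows six evaluations over a five-entry ACL cost 30 ACE inspections, against 20 when the extraction is reused per (roles, object) pair; with realistic ACL sizes and many operations per session the gap is what makes extraction the expensive step.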