1. Technical Field
This disclosure relates generally to access control mechanisms in a distributed computing environment and, in particular, to computationally-efficient techniques for evaluating context-based policies for authorization and entitlements processing.
2. Background of the Related Art
The eXtensible Access Control Markup Language, or XACML, is an Organization for the Advancement of Structured Information Standards (OASIS)-managed industry standard for managing access control policy. The industry standard is available from the OASIS web site. XACML provides an XML-based context-based security language for specifying access control policies. When used for access control, existing open standard formats such as XACML are focused around returning a single access decision, such as “permit” or “deny.” In contrast, “entitlements” involve the notion of returning a set of items for which access is allowed. Typically, entitlements are a set of control specifications (rendered through policies) that govern an identity's access to information, application and systems, where a user is one such identity. Support for entitlements is a common requirement to facilitate more efficient access control models.
In a contextual security policy language such as XACML, wherein an access control request is composed of a context containing attributes about the request itself and the relevant environment, entitlements often are provided by selecting from the policy a subset of these attributes to “index” and support. This approach, however, is limited in that only the attributes chosen to be indexed can be returned as a set of entitlements. For example, if resource-id (the unique identifier of a resource) is chosen as the indexed attribute, a request for entitlements regarding which subjects are allowed to access a given resource would not return meaningful results, because subject-id was never indexed.
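The following Python sketch is an added illustration of the indexing limitation described above; it is not part of the disclosure, and it uses a constructed, simplified rule format (a dictionary of attribute equality matches plus an effect) in place of real XACML. With resource-id as the only indexed attribute, an entitlement query for "which resources may this subject read" works, while the mirror query "which subjects may read this resource" returns an empty, meaningless set.

```python
# Constructed sample policy (hypothetical format, not XACML syntax):
# a rule applies when every attribute in "match" equals the request context.
POLICY = [
    {"match": {"subject-id": "alice", "resource-id": "doc1", "action-id": "read"}, "effect": "Permit"},
    {"match": {"subject-id": "alice", "resource-id": "doc2", "action-id": "read"}, "effect": "Permit"},
    {"match": {"subject-id": "bob",   "resource-id": "doc1", "action-id": "read"}, "effect": "Permit"},
    {"match": {"subject-id": "bob",   "resource-id": "doc2", "action-id": "read"}, "effect": "Deny"},
]


def build_index(policy, attribute):
    """Index rules by the value of ONE attribute chosen at deployment time."""
    index = {}
    for rule in policy:
        value = rule["match"].get(attribute)
        if value is not None:
            index.setdefault(value, []).append(rule)
    return index


def decide(rules, context):
    """Single access decision, first-applicable combining: Permit, Deny or NotApplicable."""
    for rule in rules:
        if all(context.get(k) == v for k, v in rule["match"].items()):
            return rule["effect"]
    return "NotApplicable"


def entitlements(index, attribute, partial_context):
    """Entitlement query: which values of `attribute` are permitted given the
    rest of the context. Candidate values come only from the index keys, so the
    query is meaningful only when `attribute` is the attribute that was indexed."""
    allowed = set()
    for value, rules in index.items():
        ctx = dict(partial_context, **{attribute: value})
        if decide(rules, ctx) == "Permit":
            allowed.add(value)
    return allowed


if __name__ == "__main__":
    by_resource = build_index(POLICY, "resource-id")
    # Works: resource-id is indexed -> {'doc1', 'doc2'} for alice, {'doc1'} for bob
    print(entitlements(by_resource, "resource-id", {"subject-id": "alice", "action-id": "read"}))
    print(entitlements(by_resource, "resource-id", {"subject-id": "bob", "action-id": "read"}))
    # Fails: subject-id was not indexed -> empty set, although alice and bob may read doc1
    print(entitlements(by_resource, "subject-id", {"resource-id": "doc1", "action-id": "read"}))
```

Answering the second query correctly requires a second index on subject-id (`build_index(POLICY, "subject-id")`), which is exactly the per-attribute indexing burden the disclosure seeks to avoid.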
It would be desirable to allow entitlements to be evaluated using a contextual security policy language such as XACML without requiring certain attributes to be indexed explicitly. It is also desired to provide computationally-efficient techniques for performing such evaluation.