1. Field of the Invention
The present invention relates generally to an improved data processing system and more specifically to a computer implemented method, an apparatus, and a computer program product for indexing of security policies.
2. Description of the Related Art
The eXtensible Access Control Markup Language, or XACML, is an industry standard for managing access control policy that is maintained by the Organization for the Advancement of Structured Information Standards (OASIS). The standard is available from the OASIS web site at www.oasis-open.org. eXtensible Access Control Markup Language is an example of a context-based security language. In this example, an authorization request context is a set of attributes, such as the subject's login identifier, and a policy is a set of rules that inspect the values in the context to reach a decision. In eXtensible Access Control Markup Language, these rules are nested in policy and policy set objects, which can in turn be nested themselves.
A policy set, policy, or rule, or “policy element,” is determined to be “applicable” to a request through a combination of functions that must all evaluate to “true.” Each policy element can have multiple such combinations of functions, but only one of those combinations need be true for the policy element to be applicable to the request. For example, a rule can be applicable to a request in the form of, “if the subject is Craig AND the resource is /foo, OR if the subject is Kerry AND the action is read,” because the expression as a whole will evaluate to true.
This type of request representation is inefficient for runtime evaluation. Each combination of functions in the request must be evaluated, at run time, to determine the applicability of a policy element. The time required to evaluate the requests with respect to specific policies therefore increases as the number of requests and the number of policies increase, since the evaluation time is directly related to both. The response time for an individual request evaluation is also directly related to the number of functions within the policy being evaluated.
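The applicability logic of the two preceding paragraphs, as an added example rather than anything from the patent text or an XACML implementation: a policy element's target is a list of combinations, each combination a list of matching functions (AND), and the element is applicable if any combination is true (OR). The example builds the rule quoted above (Craig/foo OR Kerry/read), evaluates it naively against constructed request contexts while counting how many functions are invoked, and then builds a constructed policy set of n rules (hypothetical names such as "rule-3" and "user-3") to show that the number of function evaluations per request grows with the number of policies, which is the cost the text describes.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A matching function inspects the request context and returns True or False.
Context = Dict[str, str]
MatchFn = Callable[[Context], bool]


def attr_equals(name: str, value: str) -> MatchFn:
    """Build a function that is true when one context attribute has the given value."""
    return lambda ctx: ctx.get(name) == value


@dataclass
class PolicyElement:
    """A rule, policy or policy set. The target is a list of combinations; each
    combination is a list of functions that must all be true (AND), and the
    element is applicable if any combination is true (OR). An empty combination
    is always true, mirroring an empty XACML target that matches every request."""
    name: str
    target: List[List[MatchFn]]
    children: List["PolicyElement"] = field(default_factory=list)


@dataclass
class EvalStats:
    """Counts how many matching functions were actually invoked."""
    function_calls: int = 0


def is_applicable(element: PolicyElement, ctx: Context, stats: EvalStats) -> bool:
    """Naive applicability check: try each combination in order, abandoning a
    combination at its first false function and stopping at the first true one."""
    for combination in element.target:
        matched = True
        for fn in combination:
            stats.function_calls += 1
            if not fn(ctx):
                matched = False
                break
        if matched:
            return True
    return False


def applicable_leaves(root: PolicyElement, ctx: Context, stats: EvalStats) -> List[str]:
    """Walk nested policy sets, policies and rules; return names of applicable leaves."""
    if not is_applicable(root, ctx, stats):
        return []
    if not root.children:
        return [root.name]
    names: List[str] = []
    for child in root.children:
        names.extend(applicable_leaves(child, ctx, stats))
    return names


def page_example_rule() -> PolicyElement:
    """The rule quoted in the text: (subject = Craig AND resource = /foo)
    OR (subject = Kerry AND action = read)."""
    return PolicyElement("example-rule", [
        [attr_equals("subject", "Craig"), attr_equals("resource", "/foo")],
        [attr_equals("subject", "Kerry"), attr_equals("action", "read")],
    ])


def evaluate(element: PolicyElement, ctx: Context) -> Tuple[bool, int]:
    """Return (applicable?, number of functions evaluated) for one request."""
    stats = EvalStats()
    return is_applicable(element, ctx, stats), stats.function_calls


def build_policy_set(n: int) -> PolicyElement:
    """Constructed policy set (hypothetical names): n rules, each applicable to a
    different subject/resource pair, under a root whose empty target matches all."""
    rules = [
        PolicyElement(f"rule-{i}", [[attr_equals("subject", f"user-{i}"),
                                    attr_equals("resource", f"/res-{i}")]])
        for i in range(n)
    ]
    return PolicyElement("root", [[]], rules)


def evaluate_set(n: int, ctx: Context) -> Tuple[List[str], int]:
    """Applicable rule names among n rules, and functions evaluated to find them."""
    stats = EvalStats()
    names = applicable_leaves(build_policy_set(n), ctx, stats)
    return names, stats.function_calls


if __name__ == "__main__":
    # Constructed request contexts for the quoted rule.
    print(evaluate(page_example_rule(), {"subject": "Craig", "resource": "/foo", "action": "write"}))
    print(evaluate(page_example_rule(), {"subject": "Kerry", "resource": "/bar", "action": "read"}))
    for n in (10, 100, 1000):
        # A subject no rule mentions: every rule still costs one function call.
        print(n, evaluate_set(n, {"subject": "nobody", "resource": "/x"}))
```

Even with short-circuiting, a request that matches no rule still touches every rule once, so the evaluation count scales with the number of policy elements; a request that does match pays for the full combination of the matching rule on top of that. That linear scan over all elements is the inefficiency an index over policy attributes is meant to remove.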