CPC H04L 63/105 (2013.01) [H04L 63/102 (2013.01); H04L 63/104 (2013.01)] | 14 Claims |
1. A method comprising:
in an effective permissions service:
retrieving one or more access policies that define access permissions between a principal and a resource of a plurality of resources;
determining an effective permission defining the access of the principal to the resource based on the access policies, including processing the one or more policies in order of priority, wherein a higher priority policy controls over a lower priority policy when the lower priority policy conflicts with the higher priority policy;
defining the effective permission in a canonical format;
storing the effective permission for reference when the principal attempts to access the resource;
including the effective permission in a privilege graph with connections between the principal and a plurality of resources that include the resource, wherein the connections indicate a plurality of effective permissions, which include the effective permission, for the plurality of resources;
identifying a changed access policy;
determining that the changed access policy applies to the access of the principal to the resource; and
determining an update to the effective permission based on the changed access policy.
|
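A minimal sketch of the steps in claim 1, added here as an illustration and not taken from the patent or any implementation of it. The `Policy` fields, the "larger number means higher priority" convention, the deny-first tie-break, the sorted-tuple canonical form and all names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    pid: str
    priority: int        # assumption: larger number = higher priority
    principal: str
    resource: str
    effect: str          # "allow" or "deny"
    actions: frozenset

def effective_permission(policies, principal, resource):
    """Highest priority first; the first decision per action stands."""
    hits = [p for p in policies if (p.principal, p.resource) == (principal, resource)]
    decided = {}
    # Assumption: at equal priority, deny is processed before allow.
    for p in sorted(hits, key=lambda p: (-p.priority, p.effect != "deny", p.pid)):
        for action in p.actions:
            decided.setdefault(action, p.effect)
    # Canonical form: sorted tuple of allowed actions, independent of policy order.
    return tuple(sorted(a for a, e in decided.items() if e == "allow"))

class PrivilegeGraph:
    def __init__(self, policies):
        self.policies = {p.pid: p for p in policies}
        self.edges = {}  # (principal, resource) -> stored effective permission
        for key in {(p.principal, p.resource) for p in policies}:
            self._recompute(key)

    def _recompute(self, key):
        self.edges[key] = effective_permission(self.policies.values(), *key)

    def apply_change(self, changed):
        """Recompute only the edges the changed policy applies to."""
        old = self.policies.get(changed.pid, changed)
        self.policies[changed.pid] = changed
        affected = {(old.principal, old.resource), (changed.principal, changed.resource)}
        for key in affected:
            self._recompute(key)
        return sorted(affected)

    def is_allowed(self, principal, resource, action):
        return action in self.edges.get((principal, resource), ())

# Constructed sample policies, not taken from the patent.
SAMPLE = [
    Policy("p1", 10, "alice", "db1", "allow", frozenset({"read", "write"})),
    Policy("p2", 50, "alice", "db1", "deny", frozenset({"write"})),
    Policy("p3", 10, "alice", "bucket1", "allow", frozenset({"read"})),
]
```

With `SAMPLE`, the higher-priority deny in `p2` removes `write` from what `p1` grants on `db1`, and changing `p2` through `apply_change` recomputes only the `alice`/`db1` edge.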