31 results about "Extended Access Control" patented technology

A global policy store, in which policies applicable to multiple applications in an enterprise environment can be stored, can be stored in association with that environment. An application-level policy combining algorithm can be associated with a specific application to resolve conflicts between the results of evaluating policies that pertain to that application's resources. A persistent model is defined for an Extensible Access Control Markup Language (XACML) target definition.

Content access may be provided and processed by assigning responsibility for obtaining entitlement data to the client's browser. Thus, in one example, the client may be configured to synchronize and coordinate data lookups associated with a content request, rather than relying on the server to do so. The network architecture may use a mediator design pattern, in which the client's browser acts as the mediator (i.e., middleman) between a content server and an entitlement data server. Accordingly, synchronous calls between server-side services might not be required. Instead, data necessary for the content server to process a client request for access to protected content may be received in the incoming request from the client's browser.

A method is disclosed, and a corresponding data carrier and policy converter, for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network. A reverse query is produced indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests. Based on the reverse query, the XACML policy (P) and the given decision (d) are translated into a satisfiable logic proposition in Boolean variables (vi, i=1, 2, . . . ) From said ROBDD, variable assignments (RCj=[ARCj1: v1=xj1, ARCj2: v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition are derived and at least one SDDL rule is created based on said variable assignments (RCj=[ARCj1: v1=xj1, ARCj2: v2=xj2, . . . ], j=1, 2, . . . ) satisfying the logic proposition.

The invention provides a key server-based key management method in an encrypting file system and belongs to the filed of storage safety. The invention is characterized in that a group key server processes each key management request in the system and performs strict check for user identification and access authority; a user terminal sends a key operation request to the group key server; the organized key information, based on extended access control list, comprises a file key, a user ID and an access authority; the group key server protects the confidentiality and integrity thereof by using the privacy key itself; the user terminal realizes the key cache function and reduces the frequency of communication with the group key server; the system can cancel the key by using the delay encryption technique, postpone the time of file re-encryption until the file content is updated, and minimize the influence of key cancel operation on the system performance.

The present invention discloses a method for performing access control and user equipment. The method includes: when a user equipment suitable for extended access and having an access level of a non-ordinary level initiates a delay-tolerant service, according to the user equipment of an ordinary level in a system message, The access level restriction parameter corresponding to the data service initiated by the device, or the access level restriction parameter corresponding to the signaling service initiated by the common level user equipment in the system message, or the cell access decision based on the extended access level parameter in the system message . This solution is suitable for extended access control (EAB) user equipment with non-ordinary access levels. When initiating delay-tolerant services, the network side can implement access control for it, which solves the problem of such user equipment access The problem of uncertain access decision when accessing the network.

The invention discloses method and device for generating an access controlling policy. The method comprises the following steps of: generating an ABAC policy expression according to ABAC policy information input by a user through a pre-established attribute-based access control (ABAC) policy view template; and converting the ABAC policy expression into an ABAC policy which is based on XACML and conforms to the XACML template according to mapping rules of the preset ABAC policy view template and an extensible access control markup language (XACML) template. In the invention, the user only needs to input some simple ABAC policy information through the ABAC policy view template and does not need to write a complicated ABAC policy based on XACML in a manual mode, therefore, the problem that the user difficultly defines the ABAC policy based on XACML is solved, the problem that errors are made in the process of writing the complicated ABAC policy based on XACML in a manual mode by the useris avoided, and the accuracy of the ABAC policy based on XACML is ensured.

The invention relates to a method for generating a cross-domain access control strategy by rising from credit assessment to trust management. According to the method, a credit assessment model is established to realize a corresponding credit assessment subsystem; uncertainty assessment is carried out on a credit degree of an evaluated entity according to evaluation information given by an interaction entity; association relations between an attribute of an assessment entity, an attribute of an assessed entity, a resource attribute, a behavior attribute, an environment attribute and an entity credit degree are extracted; and then an access control strategy based on attributes is generated and description is carried out by an extensible access control mark language; at last, the generated access control strategy is converted into a strategy of a concrete trust management system. According to the invention, authorization strategy is generated dynamically according to behavior and environment attributes of an entity; and the method has good self adaptability and can be applied to cross-domain environments like cloud calculating having a lot of unfamilar entities.

The invention relates to methods and arrangements for controlling access of a mobile device to a network, such as GSM. The mobile devices belong to an access control class (ACC) and for providing extended access control may also belong to an additional access control class (EACC). The arrangement broadcasts system information to the mobile devices, which system information indicates whether mobile device, which belong to an access control class (ACC), is allowed to access or are barred from accessing the network, and the system information further indicates whether the mobile device, which also belong to an extended access control class (EACC), is allowed to access or are limited from accessing the network. Different ways for limiting access is provided. An example is to block the mobile device from initiating communication, and allow the mobile device for communication initiated by the network. An example is to block the mobile device from communication initiated from the network, and allow the mobile for initiating communication. An example is to block the mobile device from initiating communication, as well as for communication initiated by the network. A mobile device blocked from network initiated communication is not allowed to answer a paging from the network.

The invention discloses an extensible access control method oriented to fog computing. The method adopts a linear secret sharing matrix as an access structure to realize attribute-based access control, uses fog nodes as edge service nodes, and reasonably distributes encryption and decryption in access control. computing to reduce the computing overhead of end users in access control. Moreover, the present invention can add new legal members to form a new access policy on the basis of maintaining the original access policy, and can also detect whether the access user has tampered with the original data when uploading the new access policy, and realizes the original data. Integrity protection.

The invention discloses an identification cryptographic technique-based electronic passport extended access control system and an identification cryptographic technique-based authentication method. The authentication method comprises the following steps that: a key service centre provides a key service; a passport verification center makes an application for sensitive biological characteristic information-reading authority, the key service center issues an authorization smart card to perform authorization, and the passport verification center distributes the authorization smart card to a verification terminal controlled thereby; and a passport issuing center applies the key service center for an authentication key and a public parameter for authentication and writes the authentication keyand the public parameter into passport smart card of an electronic passport. During passport verification, the authorization smart card and the passport smart card implement an identification cryptographic algorithm-based authentication protocol to judge if the verification terminal has the authority to read sensitive biological characteristic data. The system and the method avoid loopholes in authentication trust transmission in a European proposal, save the establishment of a complicate PKI system, and allow for low system construction cost. Compared with Singaporean EAC, the method provides flexible authorization for a certifying organization, and can still authorize the certifying organization after the issue of a passport.

Content access may be provided and processed by assigning responsibility for obtaining entitlement data to the client's browser. Thus, in one example, the client may be configured to synchronize and coordinate data lookups associated with a content request, rather than relying on the server to do so. The network architecture may use a mediator design pattern, in which the client's browser acts as the mediator (i.e., middleman) between a content server and an entitlement data server. Accordingly, synchronous calls between server-side services might not be required. Instead, data necessary for the content server to process a client request for access to protected content may be received in the incoming request from the client's browser.