An access control system for managing and enforcing an attribute based access control (ABAC) policy includes: a minimum ABAC implementation that produces a representation access control list in an ABAC policy system; and a local host system that produces a resource repository access control list in the local host system such that the resource repository access control list is based on the representation access control list.
This is a method that centrally manages Attribute-Based Access Control (ABAC) policies and locally computes and enforces the decisions derived from those policies on objects that are locally protected by Access Control Lists (ACLs). The method is as follows:
- Centrally express an ABAC policy that conforms to the access control rules of the enterprise using a standalone ABAC system.
- Introduce representations of local objects needing protection into the ABAC expression as object attributes.
- Maintain a correspondence between the ABAC representations and the actual objects in local systems.
- Formulate ACLs for representations in accordance with the ABAC policy using policy analytics (i.e., who can access the representation and how).
- Create ACLs on local objects using the ACLs of their corresponding representations.
- As the ABAC policy configuration changes, update the ACLs on affected representations and automatically update corresponding ACLs on local objects.
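The six steps above form one procedure, so the following is a single worked model of it as an added example; it is not code from the original text or from any product implementing this method. A central policy is evaluated over representations of local objects, the resulting per-representation ACLs are pushed to a local host's ACL store through a correspondence table, and a policy change triggers recomputation, with the sync step reporting exactly which local objects were affected. All users, attributes, rules, representation ids and paths are constructed for illustration, and the decision model (deny by default, any matching permit rule grants, no explicit deny rules) is an assumption of this example rather than something the text specifies.

```python
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Attrs = Dict[str, object]
ACL = Dict[str, FrozenSet[str]]          # user -> permitted actions
ACTIONS: Tuple[str, ...] = ("read", "write")

# --- Central ABAC side (constructed data) ---------------------------------

# Subject attributes held by the standalone ABAC system.
USERS: Dict[str, Attrs] = {
    "alice": {"dept": "finance", "clearance": 3, "role": "analyst"},
    "bob":   {"dept": "finance", "clearance": 1, "role": "intern"},
    "carol": {"dept": "eng",     "clearance": 3, "role": "admin"},
}

# Representations of local objects, introduced into the ABAC expression
# purely as object attributes (step 2 of the method).
REPRESENTATIONS: Dict[str, Attrs] = {
    "rep:ledger":  {"dept": "finance", "classification": 2},
    "rep:payroll": {"dept": "finance", "classification": 3},
    "rep:build":   {"dept": "eng",     "classification": 1},
}

# Correspondence between representations and the real local objects (step 3).
CORRESPONDENCE: Dict[str, str] = {
    "rep:ledger":  "/srv/finance/ledger.csv",
    "rep:payroll": "/srv/finance/payroll.db",
    "rep:build":   "/srv/eng/build.log",
}

# A rule permits a set of actions when its condition over (subject, object)
# attributes holds. Assumed decision model: deny by default, any matching
# permit rule grants, no explicit deny rules.
Rule = Tuple[str, FrozenSet[str], Callable[[Attrs, Attrs], bool]]

def same_dept_with_clearance(subj: Attrs, obj: Attrs) -> bool:
    return subj["dept"] == obj["dept"] and subj["clearance"] >= obj["classification"]

POLICY_V1: List[Rule] = [
    ("dept-read",  frozenset({"read"}), same_dept_with_clearance),
    ("admin-full", frozenset(ACTIONS),  lambda s, o: s["role"] == "admin"),
]

# Policy change (step 6): finance analysts may also write to finance objects
# below classification 3.
POLICY_V2: List[Rule] = POLICY_V1 + [
    ("analyst-write", frozenset({"write"}),
     lambda s, o: s["role"] == "analyst" and s["dept"] == o["dept"]
                  and o["classification"] < 3),
]

def compute_representation_acl(policy: List[Rule], users: Dict[str, Attrs],
                               obj: Attrs) -> ACL:
    """Policy analytics (step 4): enumerate which users may perform which
    actions on one representation, yielding an ACL for it."""
    acl: ACL = {}
    for user, subj in users.items():
        granted: Set[str] = set()
        for _name, actions, cond in policy:
            if cond(subj, obj):
                granted |= actions
        if granted:                       # users with no rights get no entry
            acl[user] = frozenset(granted)
    return acl

# --- Local host side ------------------------------------------------------

class LocalHost:
    """Holds ACLs on real objects; only the sync step may change them."""
    def __init__(self) -> None:
        self.acls: Dict[str, ACL] = {}

    def set_acl(self, path: str, acl: ACL) -> bool:
        """Install an ACL; return True if it differed from the installed one."""
        if self.acls.get(path) == acl:
            return False
        self.acls[path] = acl
        return True

def sync_acls(policy: List[Rule], users: Dict[str, Attrs],
              reps: Dict[str, Attrs], correspondence: Dict[str, str],
              host: LocalHost) -> Set[str]:
    """Steps 5 and 6: recompute every representation's ACL under `policy` and
    push it to the corresponding local object. Returns the local paths whose
    ACL actually changed, i.e. the objects affected by a policy change."""
    changed: Set[str] = set()
    for rep_id, obj in reps.items():
        path = correspondence[rep_id]
        if host.set_acl(path, compute_representation_acl(policy, users, obj)):
            changed.add(path)
    return changed

def can(host: LocalHost, path: str, user: str, action: str) -> bool:
    """Local enforcement is a plain ACL lookup; no policy evaluation here."""
    return action in host.acls.get(path, {}).get(user, frozenset())

if __name__ == "__main__":
    host = LocalHost()
    print("initial sync:", sorted(sync_acls(POLICY_V1, USERS, REPRESENTATIONS, CORRESPONDENCE, host)))
    print("alice write ledger:", can(host, "/srv/finance/ledger.csv", "alice", "write"))
    print("policy change affected:", sorted(sync_acls(POLICY_V2, USERS, REPRESENTATIONS, CORRESPONDENCE, host)))
    print("alice write ledger:", can(host, "/srv/finance/ledger.csv", "alice", "write"))
```

The point of splitting the work this way is that the local host never evaluates attributes at access time: it only consults an ACL, so the policy engine can be offline without blocking access, and a second sync with an unchanged policy is a no-op. The return value of `sync_acls` is what an operator would log to see which objects a policy edit actually touched.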