An access control system for managing and enforcing an attribute based access control (ABAC) policy includes: a minimum ABAC implementation that produces a representation access control list in an ABAC policy system; and a local host system that produces a resource repository access control list in the local host system such that the resource repository access control list is based on the representation access control list.
This invention is a method that centrally manages Attribute-Based Access Control (ABAC) policies and locally computes and enforces decisions over those policies on objects that are locally protected using Access Control Lists (ACLs). The method is based on the expression of an ABAC policy that conforms to the access control rules of an enterprise and leverages the ABAC policy expression by introducing representations of locally protected objects into the ABAC system through their assignment to object attributes. The method further maintains a correspondence between the ABAC representations of the protected objects and the actual protected objects in local systems. The method also leverages an ability to conduct policy analytics in such a way as to formulate ACLs for those representations in accordance with the ABAC policy and creates ACLs on local objects using the ACLs of their corresponding representations. As the ABAC policy configuration changes, the method updates the ACLs on affected representations and automatically updates corresponding ACLs on local objects. Operationally, user attempts to access objects in local systems and the ABAC policy are enforced in those systems in terms of the ABAC-managed ACLs.