
GB2640111A - Authorization policy validation - Google Patents

Authorization policy validation

Info

Publication number
GB2640111A
Authority
GB
United Kingdom
Prior art keywords
authorization policy
computer
implemented method
entity
policy
Prior art date
Legal status
Pending
Application number
GB2510312.8A
Other versions
GB202510312D0 (en)
Inventor
W Hicks Michael
Holman Kastner John
Torlak Emina
Matthew Mccutchen Richard
McAdams Darin
Rungta Neha
Joseph Eline Aaron
Wallace Cutler Joseph
Ioannidis Eleftherios
Ryan Disselkoen Craig
Headley Kyle
Mamat Anwar
Marshall Wells Andrew
Hanne Hietala Kesha
He Shaobo
Edward Stalzer Mark
Lovelock Julian
Current Assignee
Amazon Technologies Inc
Original Assignee
Amazon Technologies Inc
Priority date
2022-11-28
Filing date
2023-11-21
Publication date
2025-10-08
Priority claimed from US18/070,349 (US12261888B2)
Priority claimed from US18/070,321 (US12483595B2)
Priority claimed from US18/070,371 (US12425455B2)
Application filed by Amazon Technologies Inc
Publication of GB202510312D0
Publication of GB2640111A

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Computing Systems (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

A system and method for authorization policy validation. A validator takes as input an authorization policy to be analyzed and a schema that specifies entity types and their attributes, types of entity parents in an entity hierarchy, and which entity types can be used with which actions. The validator checks that the policy conforms to the schema. If the check passes, then the policy is guaranteed to be free of both type errors and attribute access errors for any input that conforms to the schema.

Claims (1)

What is claimed is:

1. A computer-implemented method comprising: obtaining an authorization policy schema; determining whether there are any inconsistencies between an authorization policy in an authorization policy language and the authorization policy schema such that if there are no determined inconsistencies between the authorization policy and the authorization policy schema, then the authorization policy is guaranteed to be free of runtime type errors and free of runtime attribute access errors for any input that conforms to the authorization policy schema; determining one or more inconsistencies between the authorization policy and the authorization policy schema; and causing display of information indicating that the authorization policy is invalid with respect to the authorization policy schema.
2. The method of claim 4, further comprising: storing a set of entities arranged in an entity hierarchy; and wherein the authorization policy further comprises at least one expression in terms of one or more entities in the entity hierarchy.
3. The computer-implemented method of claim 1, wherein the authorization policy schema and the authorization policy are identified to a policy validator by parameters in a command line invocation of the policy validator.
4. The computer-implemented method of claim 1, wherein the authorization policy language is a dynamically typed language.
5. The computer-implemented method of claim 1, wherein the authorization policy comprises: (a) an effect; (b) an authorization policy head that selects one or more principals, one or more actions, or one or more resources to which the authorization policy applies; and (c) one or more optional conditional clauses that further refine the circumstances under which the authorization policy applies.
6. The computer-implemented method of any one of claims 1-5, further comprising: detecting a Boolean expression in the authorization policy that dereferences an optional attribute of an entity without checking for existence of the optional attribute of the entity as a condition precedent; and wherein the information displayed indicates that the Boolean expression lacks a check for existence of the optional attribute of the entity as a condition precedent.
7. The computer-implemented method of any one of claims 1-5, further comprising: detecting an entity type in the authorization policy that is not an entity type listed in the entity types specification; and wherein the information displayed indicates the entity type in the authorization policy.
8. The computer-implemented method of any one of claims 1-5, further comprising: detecting an action in the authorization policy that is not an action listed in the actions specification; and wherein the information displayed indicates the action in the authorization policy.
9. The computer-implemented method of any one of claims 1-5, further comprising: detecting an action in the authorization policy that is applied to an unsupported principal or resource in the authorization policy; and wherein the information displayed indicates the action in the authorization policy and indicates the unsupported principal or resource in the authorization policy to which the action is applied.
10. The computer-implemented method of any one of claims 1-5, further comprising: detecting an improper use of a hierarchy containment operator in the authorization policy; and wherein the information displayed comprises a hint about proper use of the hierarchy containment operator in an authorization policy.
11. The computer-implemented method of any one of claims 1-5, further comprising: detecting an improper use of an equality operator in the authorization policy; and wherein the information displayed comprises a hint about proper use of the hierarchy containment operator.
12. The computer-implemented method of any one of claims 1-5, further comprising: detecting an unrecognized attribute of an entity in the authorization policy that is not specified as an attribute of the entity in the authorization policy schema; and wherein the information displayed indicates the unrecognized attribute.
13. The computer-implemented method of any one of claims 1-5, further comprising: detecting a type mismatch in an operator expression in the authorization policy, the operator expression comprising an operator having valid semantics on only certain data types, the operator expression applying the operator to a value of a data type for which the operator does not have valid semantics; and wherein the information displayed indicates the type mismatch.
14. The computer-implemented method of any one of claims 1-5, further comprising: detecting that the authorization policy always evaluates to false; and wherein the information displayed indicates that the authorization policy always evaluates to false.
15. A system comprising: a first set of one or more electronic devices to implement an authorization policy validation service in a provider network, the authorization policy validation service comprising instructions which when executed cause the authorization policy validation service to perform a method as recited in any one of claims 1-14.
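As an added illustration (not code from the patent, its inventors, or any product), here is a miniature schema-based validator in Python that implements the checks the claims enumerate: unknown entity types and actions, an action applied to an unsupported principal or resource, an unrecognized attribute, an optional attribute dereferenced without an existence check, an operator applied to the wrong data type, and an equality that can only evaluate to false. The schema, the tuple-based expression encoding, the policy dictionary, and all message texts are constructed assumptions for this example.

```python
# Constructed schema: entity type -> {attribute: (type, is_optional)}; action -> (principal types, resource types).
SCHEMA = {
    "entities": {
        "User": {"dept": ("String", False), "clearance": ("Long", True)},
        "Doc": {"owner": ("Entity<User>", False), "level": ("Long", False)},
    },
    "actions": {"view": ({"User"}, {"Doc"})},
}

def check_expr(expr, env, guarded, errs):
    """Statically type an expression tuple, appending any inconsistency to errs."""
    kind = expr[0]
    if kind == "lit": return {bool: "Bool", int: "Long", str: "String"}[type(expr[1])]
    if kind == "var": return "Entity<%s>" % env[expr[1]]   # ("var", "principal"|"resource")
    if kind in ("attr", "has"):                              # ("attr"|"has", base, name)
        base_t = check_expr(expr[1], env, guarded, errs) or ""
        attrs = SCHEMA["entities"].get(base_t[7:-1], {})     # strip "Entity<...>"; {} if not an entity
        if expr[2] not in attrs:
            errs.append("unrecognized attribute %r on %s" % (expr[2], base_t or "non-entity")); return None
        if kind == "has": return "Bool"
        typ, optional = attrs[expr[2]]
        if optional and (expr[1], expr[2]) not in guarded:
            errs.append("optional attribute %r dereferenced without a 'has' check" % expr[2])
        return typ
    if kind == "&&":                                         # rhs may rely on a 'has' guard in lhs
        check_expr(expr[1], env, guarded, errs)
        if expr[1][0] == "has":
            guarded = guarded | {(expr[1][1], expr[1][2])}
        check_expr(expr[2], env, guarded, errs)
        return "Bool"
    if kind in ("<", "=="):
        lt, rt = (check_expr(e, env, guarded, errs) for e in expr[1:])
        if kind == "<" and (lt, rt) != ("Long", "Long"):
            errs.append("'<' applied to %s and %s" % (lt, rt))
        elif kind == "==" and lt and rt and lt != rt:
            errs.append("'==' between %s and %s always evaluates to false" % (lt, rt))
        return "Bool"
    errs.append("unsupported expression %r" % kind); return None

def validate(policy):
    """Return the schema inconsistencies found in a policy dict (an empty list means valid)."""
    errs, (p, a, r) = [], (policy["principal"], policy["action"], policy["resource"])
    errs += ["unknown entity type %r" % t for t in (p, r) if t not in SCHEMA["entities"]]
    if a not in SCHEMA["actions"]:
        errs.append("unknown action %r" % a)
    elif p not in SCHEMA["actions"][a][0] or r not in SCHEMA["actions"][a][1]:
        errs.append("action %r does not apply to principal %s and resource %s" % (a, p, r))
    if not errs and "when" in policy:                        # type the body only once the head is sound
        check_expr(policy["when"], {"principal": p, "resource": r}, set(), errs)
    return errs
```

A policy whose `when` clause guards `principal.clearance` with `has` before comparing it validates cleanly, while the same comparison without the guard is reported as an unchecked optional attribute.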

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US18/070,349 US12261888B2 (en) 2022-11-28 2022-11-28 Authorization policy validation
US18/070,321 US12483595B2 (en) 2022-11-28 2022-11-28 Authorization policy evaluation
US18/070,371 US12425455B2 (en) 2022-11-28 2022-11-28 Authorization policy analysis
PCT/US2023/080793 WO2024118405A1 (en) 2022-11-28 2023-11-21 Authorization policy validation

Publications (2)

Publication Number Publication Date
GB202510312D0 (en) 2025-08-13
GB2640111A (en) 2025-10-08

Family

ID=89378662

Family Applications (1)

Application Number Title Priority Date Filing Date
GB2510312.8A Pending GB2640111A (en) 2022-11-28 2023-11-21 Authorization policy validation

Country Status (4)

Country Link
CN (1) CN120283232B (en)
DE (1) DE112023004490T5 (en)
GB (1) GB2640111A (en)
WO (1) WO2024118405A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090077618A1 (en) * 2005-07-29 2009-03-19 Identity Engines, Inc. Segmented Network Identity Management
WO2019005511A1 (en) * 2017-06-29 2019-01-03 Amazon Technologies, Inc. Security policy analyzer service and satisfiability engine

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US9177171B2 (en) * 2012-03-11 2015-11-03 International Business Machines Corporation Access control for entity search
US9471798B2 (en) * 2013-09-20 2016-10-18 Oracle International Corporation Authorization policy objects sharable across applications, persistence model, and application-level decision-combining algorithm

Non-Patent Citations (2)

Title
Anon, 1901.22, "AWS Identity and Access Management. User Guide", https://web.archive.org/web/20220120055317/https://docs.aws.amazon.com/IAM/latest/UserGuide/iam-ug.pdf, pages 1-883. *
STONE G N et al., "Network Policy Languages: a survey and a new approach", 2001-01-01, IEEE Network, IEEE Service Center, New York, NY, US. *

Also Published As

Publication number Publication date
DE112023004490T5 (en) 2025-10-16
CN120283232B (en) 2025-09-30
GB202510312D0 (en) 2025-08-13
WO2024118405A1 (en) 2024-06-06
CN120283232A (en) 2025-07-08

Similar Documents

Publication Publication Date Title
Hartig, Querying trust in RDF data with tSPARQL
US10540349B2 (en) Recommending data enrichments
US10789384B2 (en) Differentially private database permissions system
US9104967B2 (en) Applying ruleset limiting criteria for affirming rule inputs and outputs
US20090019313A1 (en) System and method for performing client-side input validation
US20080222124A1 (en) Abstractly mapped physical data fields
US20190243643A1 (en) Mapping api parameters
Amir-Mohammadian et al. Correct audit logging: Theory and practice
US8214382B1 (en) Database predicate constraints on structured query language statements
US7660811B2 (en) System that facilitates database querying
US8805772B2 (en) Contextual feedback of rules proximity based upon co-occurence history in a collaborative rule editing system
US20110055918A1 (en) Access control model of function privileges for enterprise-wide applications
US10176237B2 (en) Graphically displaying lifecycle information of a governed object in a service registry in combination with the policies asserted for the lifecycle states
US9171330B2 (en) Transparency data analysis and reporting
Sohr et al. Comprehensive two-level analysis of role-based delegation and revocation policies with UML and OCL
GB2640111A (en) Authorization policy validation
Balbiani et al. Unification in epistemic logics
US10540255B2 (en) Staged refinement for static analysis
US20090157606A1 (en) Query based rule optimization through rule combination
US10719424B1 (en) Compositional string analysis
US11675752B2 (en) Systems and methods for generating schema notifications
US11620171B2 (en) Systems and methods for generating schema notifications
Drossopoulou et al. How to break the bank: Semantics of capability policies
Kovács et al. Runtime enforcement of information flow security in tree manipulating processes
CN115576978A (en) Response method, device, system and medium for service processing request