JP2003316745A - Access control system and access right managing method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an access control system capable of improving the safety of an access control object against information leakage or an illegal invasion through a provider unprotected in security, in a situation considering multi- attribution. <P>SOLUTION: The access control system is provided with a plurality of host computers classified to a plurality of groups, a group managing mechanism, and an access control mechanism. The group managing mechanism sets an access control condition for every host computer. In this access control condition, when an access from each host computer to the other host computer in the same group or the other group is allowed in a group policy of all groups including respective host computers, an access from each host computer to the other host computer is allowed, and in a case other than this case this access is not allowed. The access control mechanism controls the access from each host computer to the other host computer based on the access control condition set by the group managing mechanism. <P>COPYRIGHT: (C)2004,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an access control system and an access right management method, and more particularly to a technique effective in a multiple attribution environment in which group members belong to a plurality of groups.

[0002]

2. Description of the Related Art An information system is composed of numerous hardware resources, software resources, data resources and network resources. Access control technology is a technology for preventing unauthorized access to these resources connected by a network. A device or software in which the access control technology is implemented is called an access control mechanism, and specific examples of the access control mechanism include a database management system, a WWW server, a file system, packet filtering and the like. A person who issues an access request to a resource is called an access requester, and specific examples of the access requester include a human user and a computer host. Access control technology consists of a mechanism for authentication of access rights and access control. At the authentication stage of the access authority, the legitimacy of the access requester is confirmed by the user ID and password. At the access control stage, it is confirmed whether the access request type of the access requester is within the allowable range of the access right given to the access requester, and if it is within the allowable range, access to the resource is permitted.
Decide the access right for each user to various resources,
A person who sets the access control mechanism is called an access administrator. In order to realize access control, the access manager must appropriately set the access control mechanism so that the efficiency of the work that requires access to the resource and the ensuring of the information security are compatible.

In a distributed system composed of many resources, setting access rights for all access requesters for each individual resource imposes a heavy work burden on the access manager. In addition, a large load is also placed on the side of the access control mechanism that checks the access right, which affects the efficiency of the entire system. The load imposed on the system and the access manager by performing access control is called access control cost. One way to keep access control costs low is to set access rights for all resources for each access requester, instead of assigning aliases to multiple resources or access requesters. , There are ways to reduce the number of controls. Examples of aggregation include classification by user business type and job authority, and IP assigned to the host.
(Internet Protocol) This is a classification of addresses by network. As a more specific method of classifying by business type, for example, the accounting department consolidates programs and files required for accounting processing in server units or directory units, and prohibits access from other departments. As a more specific example of classification by job authority, it is possible to perform access control according to job authority such as department manager, section manager, employee, and part-time job.

[0004]

In a distributed system composed of many resources, there are resources that cannot be simultaneously granted access to one access requester. An example of this is that users who are permitted to access the personnel information database within the company do not permit access to external networks such as the Internet in order to prevent information leakage to the outside of the company. To be Another example is partner companies and VPN
For hosts that are allowed access via (Virtual Private Network), access from hosts outside the department is not allowed in order to prevent them from being used in a stepping stone attack. Can be mentioned. As described above, assigning aliases to a plurality of access requesters and aggregating them is one of the methods for suppressing the access control cost. On the other hand, in a work group that transcends an organization in a company, one access requester belongs to a plurality of business types and job authorities. This means that one access requester is included in multiple aliases at the same time, and this state is called multiple attribution. In a situation where multiple attributions are taken into consideration, the access manager who manages each alias must also consider whether multiple aliases to which individual access requesters belong are allowed to belong at the same time.

In the conventional technique of managing the access requester list belonging to the alias and managing the access right to the alias, only the access right to the access control target managed by itself can be managed. If the access control target access managers are different, the behavior of the access requester to the access control target cannot be grasped, and therefore the risk of information leakage or a bastion attack cannot be avoided. The present invention has been made to solve the above-mentioned problems of the prior art, and an object of the present invention is to enhance the security of an access control target against information leakage or a bastion attack in a situation in which multiple attribution is taken into consideration. The object of the present invention is to provide an access control system and an access right management method. The above and other objects and novel features of the present invention will become apparent from the description of this specification and the accompanying drawings.

[0006]

Among the inventions disclosed in the present application, a brief description will be given to the outline of typical ones.
It is as follows. That is, the present invention is an access right management method in an access control system comprising a plurality of host computers grouped into a plurality of groups and an access control mechanism, wherein the access control mechanism comprises: When access to another host computer in the same group or another group is permitted by the group policy of all groups to which each host computer belongs, access from each host computer to the other host computer Is permitted, and otherwise it is not permitted.
That is, according to the present invention, when a group management mechanism is provided, and the group management mechanism permits access from the respective host computers to the other host computers according to the group policy of all groups to which the respective host computers belong. In, access control conditions for permitting access from each of the host computers to the other host computer and disallowing otherwise are set for each of the host computers, and the access control mechanism,
Access from each of the host computers to the other host computer is controlled based on the access control conditions set by the group management mechanism.

In a preferred embodiment of the present invention, the group management mechanism manages a host computer belonging to each group and a group policy of each group, and a host computer for each group, The access control condition for each host computer is generated based on the group policy of each group. In a preferred embodiment of the present invention, the access control mechanism is a packet filtering device. In a preferred embodiment of the present invention, at least one of the host computers belongs to a plurality of groups.

The present invention comprises an "access control mechanism", an "access control target", an "access requester", an "access manager" and a "group management mechanism". As described above, the "access control mechanism" is a device or software in which the access control technology is implemented. The “access control target” is various resources such as data, services, and host computers. "Access requester"
As mentioned above, is a user or a host computer.
The “access manager” is a person who determines the access right of the “access requester” to the “access control target” and sets the “access control mechanism”. The "group management mechanism" includes a "group member management mechanism", a "group policy management mechanism", a "group policy conversion mechanism", and an "access control setting mechanism". A group means a set of a set of access control policies, “access control targets” that are access control targets, and “access requesters” to which the access control policies are applied. The "access control policy" of the group is hereinafter referred to as the "group policy".

An "access requester" who is subject to access control restrictions by the "group policy" is called a "group member". The “group member management mechanism” of the group management mechanism has a function of managing group member information and a function of accepting and processing an edit request from an access manager. The group member information is a list of group members belonging to each group. Here, "belonging to a group" means that the group member
This means that the access to the access control target inside and outside the group is restricted by the group policy.
The “group policy management mechanism” of the group management mechanism has a function of managing group policy information and a function of accepting and processing an edit request from an access manager.
Group policy information includes resource access rights and
It consists of member access rights. What are resource access rights?
The access right to the access control target in the group from inside and outside the group is meant, and the member access right means the access right to the access control target from inside and outside the group from the group member.

The "group policy conversion mechanism" of the group management mechanism has a function of managing information about the access control mechanism and a setting content of the access control mechanism from information registered in the group member management mechanism and the group policy management mechanism. Have the function to The information on the access control mechanism is the information on the access requester and the access control target that can perform the access control processing by each access control mechanism, the information on the format of the setting information necessary for the access control processing,
It is also information regarding a setting method of setting information necessary for the access control processing. Whether or not to permit an access request from a certain access requester to a certain access control target is determined as follows. The group policy of all groups to which the access requester belongs is checked, and the actual access is permitted only when the content of the access request is permitted by the whole group policy. If there is a group for which the content of the access request is not permitted, the actual access is not permitted. The "access control setting mechanism" of the group management mechanism has a function of setting the setting contents of the access control mechanism generated by the group policy conversion mechanism in the access control mechanism.

[0011] The access manager is
Or, it exists for each group. The access manager sends a group member information edit request, a group policy information edit request, and an access control mechanism setting request to the group management mechanism. The access requester issues an access request to the access control target to the access control mechanism via the host or the network. The access requester can use the access control target if his or her access request is permitted by the access control mechanism, and cannot use the access control target unless it is permitted. Access administrator, member access rights,
In particular, by setting an access right from the group member to an access control target outside the group, it is possible to restrict the action of the group member. This allows the access manager to set the access right corresponding to the multiple attribution environment in which the group members belong to a plurality of groups. As described above, according to the present invention, in a situation in which multiple attribution is taken into consideration, it is possible to add the restriction of the access control policy to the behavior of the group member, and enhance the security of the access control target against information leakage and bastion attack.

[0012]

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In all the drawings for explaining the embodiments, the same reference numerals are given to those having the same function, and the repeated description thereof will be omitted. FIG. 1 is a block diagram showing a schematic configuration of an access control system according to an embodiment of the present invention. In FIG. 1, 110, 12
Reference numerals 0, 210, 220, 310, 320 are host computers (hereinafter, simply referred to as hosts) having an IP network communication function. Each host has a function of an access requester that requests access to another host and a function of an access control target that accepts access from another host. A packet filtering device 400 has an access control mechanism by filtering IP packets. Each of the above-mentioned hosts is connected to the packet filtering device 400 and
It is possible to communicate with each other via 00. Reference numeral 500 is a group management device that implements a group management mechanism. The group management device 500 includes a group member management mechanism 51.
0, a group policy management mechanism 520, a group policy conversion mechanism 530, and an access control setting mechanism 540 having a setting function for the packet filtering device 400. The accounting department group 100, the internet group 200, and the development department group 300 are the group management devices 5
It is a group defined in 00.

FIG. 2 shows the group management device 50 shown in FIG.
It is a flow chart which shows the processing procedure of 0. The group management device 500 receives a request from the access manager (step 11), determines the type of the request (step 12), and updates the group member information (step 1).
3), update processing of group policy information (step 1
4), group policy conversion processing (step 15), access control mechanism setting processing (step 16), and termination processing are executed. In the present embodiment, it is assumed that the access manager of each group can send the request of each type to the group management apparatus 500 from an arbitrary host belonging to the group. FIG. 3 is a flowchart showing a processing procedure of the update processing of the group member information shown in FIG. The group member information management mechanism 510
Accept requests from access managers (step 2
1) determining the type of the request (step 22), adding group member information (step 23), changing group member information (step 24), and deleting group member information (step 25). Execute each process.

FIG. 4 is a flow chart showing a processing procedure for updating the group policy information shown in FIG. The group policy information management mechanism 520 receives a request from the access manager (step 31), determines the type of the request (step 32), adds the group policy information (step 33), and changes the group policy information. (Step 34) and each processing of group policy information deletion processing (step 35) are executed. In the present embodiment, the group policy conversion mechanism 530 has information regarding the format of the setting information of the packet filtering device 400, information regarding the setting method of the setting information of the packet filtering device 400, and the host (110, 1).
20, 210, 220, 310, 320) are registered as access requesters who are access controllable by the packet filtering device 400 and are access control targets.

FIG. 5 shows information managed by the group member management mechanism 510 and the group policy management mechanism 520 in this embodiment. In the description of the group policy shown in FIG. 5, “◯” represents communication permission, and “x” represents communication non-permission. “A → B” represents communication from the access requesting host A to the access control target host B. A group policy in which A is a group member represents a member access right, and a group policy in which A is not a group member represents a resource access right. “A ← → B” is a notation in which two of “A → B” and “B → A” are omitted. “(Α)” represents all the members belonging to the group α. “All” represents all hosts inside and outside the group.

FIG. 6 is a flowchart showing the processing procedure of the group policy conversion processing shown in FIG. The group policy conversion mechanism 530 is used by the packet filtering device 4
Access requester (host) that can access control with 00
And whether or not communication is possible for all combinations of access control targets (hosts) (step 51 to step 6).
4). Whether or not the communication of “X (access requester) → Y (access control target)” is possible is determined as follows. First, the communication permission flag is set to ON for each combination (step 52), all groups to which the access requester X belongs are searched and a belonging group list is created (step 5).
3). Next, the group policies of the respective searched groups (steps 54 to 60) are searched in order from the top (steps 55 to 58), and whether the group policy in which the combination of “X → Y” is first included is the communication permission or not , It is checked whether communication is not permitted (step 56, step 57).

In the group policies of all the groups to which the access requester X belongs, the communication is permitted only when "X → Y" is the communication permission, and there is a group in which the content of the access request is not permitted. If yes, the communication permission flag is set to OFF (step 59). In addition, “X → Y” is added to all group policies in the group.
Even if the combination is not included, the communication permission flag is set to OFF (step 59). Next, when the communication permission flag is ON, the setting contents of the access control mechanism are created with the contents of communication permission (step 61, step 6).
2) When the communication permission flag is OFF, the access control setting mechanism 540 creates the setting contents of the access control mechanism with the content of communication non-permission (step 61, step 63). The setting contents of are set in the packet filtering device 400.

The above-mentioned determination of communication permission and communication non-permission will be specifically described below with reference to FIG. State 1 State 1 shown in FIG. 5 shows the initial state of the present embodiment. In the initial state of the present embodiment, the group members of the accounting department group 100 are the host 110 and the host 120. The group policy of the accounting department group 100 states that “communication between the host 110 and the host 120 is permitted,
The communication between the members of the accounting department group 100 and the Internet group 200 is not permitted ”. The description of “× (100) ← → (200)” in FIG.
It is essentially unnecessary if the procedure for determining whether communication is permitted or not is described above, but it is explicitly described here for the sake of explanation. The group members of the Internet group 200 are the host 210 and the host 220. The group policy of the Internet group 200 has the content of permitting all communications inside and outside the group. The group members of the development department group 300 are the host 310 and the host 320. The group policy of the development department group 300 is such that only communication within the development department group 300 is permitted.

State 2 State 2 shown in FIG. 5 is a state in which communication from the host 320 to the host 220 is permitted in the state 1. The group policy entry [521] is the development department group 30.
As a group policy of 0, host 320 to host 2
Communication to host 20 and host 220 to host 320
Indicates that communication to is not permitted.

State 3 State 3 shown in FIG. 5 is a state in which the host 310 belongs to the accounting department group 100 in the state 2. The group policy entry [522] indicates that communication between the host 110 and the host 310 is permitted as the group policy of the accounting department group 100. The group member entry [511] represents that access control is performed with respect to the communication destination from the host 310 as the group policy of the accounting department group 100. The group policy entry [523] indicates that communication between hosts belonging to the development department group 300 is permitted even in the group policy of the accounting department group 100. The group policy entry [524] indicates that communication between the host 110 and the host 310 is permitted as the group policy of the development department group 300. Although both the host 120 and the host 310 belong to the accounting department group 100, mutual communication is not permitted by the group policy of the accounting department group 100.

State 4 State 4 shown in FIG. 5 is a state in which the host 320 belongs to the accounting department group 100 in the state 3. The group policy entry [525] is the accounting department group 10
As a group policy of 0, host 110 and host 32
Indicates that 0 communication is permitted. The group member entry [512] indicates that access control is performed with respect to the communication destination from the host 320 as a group policy of the accounting department group 100. The group policy entry [526] indicates that communication between the host 110 and the host 320 is permitted as the group policy of the development department group 300. Here, whether or not the host 220 and the host 320 can communicate is described. The host 220 belongs to only the Internet group 200, and the group policy of the Internet group 200 allows communication between the host 220 and the host 320.

On the other hand, the groups to which the host 320 belongs are the development department group 300 and the accounting department group 100. In the group policy of the development department group 300, the host [320] to the host [220] are specified by the entry [521].
Communication is permitted. In the group policy of the accounting department group 100, the host 22 is defined by the entry [527].
0 is not permitted to communicate with the host 320. From the above,
As a result of checking the group policy of the group to which each host belongs, there is a policy that communication is not allowed.
Communication between the host 220 and the host 320 is not permitted. The fact that the communication between the host 220 and the host 320 is not permitted means that even if the host 320 is multi-affiliated with the accounting department group 100 and the development department group 300, “a member of the accounting department group 100 cannot communicate with the Internet group 200”. It is based on the group policy of the accounting group 100 that “does not allow”.

In the above-mentioned prior art, the accounting department group 1
When the host 320 adds the host 320 to the accounting department group 100 as a group member,
Even if he knew which other groups he belonged to, he couldn't know what he had access to or restrict access to it.
This can be realized by making an inquiry to the access manager of the development department group 300 or requesting access control, but in this case, the access control cost becomes enormous. According to the present invention, it becomes unnecessary for the access manager to know which group each member belongs to and to mutually check the contents of the access rights of each member for a plurality of groups. This makes it possible not only to improve the security of access control targets against information leakage and bastion attacks, but also to reduce the access control costs incurred by the access administrator in a situation where multiple attribution is taken into consideration. . In addition, the present invention is an IP
-It is particularly suitable for an environment in which centralized access control is performed at an intermediate point of a plurality of networks, such as an inter-VPN communication service in a VPN service. By introducing the group management function of the present invention into such a service, it is possible to differentiate it from the similar service. Although the invention made by the present inventor has been specifically described based on the above-described embodiment, the present invention is not limited to the above-described embodiment, and various modifications can be made without departing from the scope of the invention. Of course,

[0024]

The effects obtained by the typical ones of the inventions disclosed in the present application will be briefly described as follows. According to the present invention, the access administrator
To know which group each member belongs to,
Also, it becomes unnecessary to mutually check the contents of the access rights of a plurality of groups of each member. This makes it possible not only to increase the safety of access control targets against information leakage and bastion attacks, but also to reduce the access control costs incurred by access administrators in a situation where multiple attribution is taken into consideration. Become.

[Brief description of drawings]

FIG. 1 is a block diagram showing a schematic configuration of an access control system according to an embodiment of the present invention.

FIG. 2 is a flowchart showing a processing procedure of the group management device shown in FIG.

FIG. 3 is a flowchart showing a processing procedure of group member information update processing shown in FIG.

FIG. 4 is a flowchart showing a processing procedure of update processing of the group policy information shown in FIG.

FIG. 5 is a diagram for explaining information managed by a group member management mechanism and a group policy management mechanism in the present embodiment.

FIG. 6 is a flowchart showing a processing procedure of the group policy conversion processing shown in FIG.

[Explanation of symbols]

100 ... Accounting Department Group, 110, 120, 210, 2
20, 310, 320 ... Host computer, 200 ...
Internet group, 300 ... Development group, 4
00 ... Packet filtering device, 500 ... Group management device, 510 ... Group member management mechanism, 520 ...
Group policy management mechanism, 530 ... Group policy conversion mechanism, 540 ... Access control setting mechanism.

Claims (10)

[Claims] 1. An access control system comprising: a plurality of host computers divided into a plurality of groups; and an access control mechanism, wherein the access control mechanism is provided from each of the host computers in the same group or in another group. When access to other host computers in a group is permitted by the group policy of all groups to which each host computer belongs, access from each host computer to the other host computers is permitted, and otherwise In the case of, the access control system is characterized in that it is not permitted. 2. A group management mechanism is provided, wherein the group management mechanism is configured to permit access from the respective host computers to the other host computers according to a group policy of all groups to which the respective host computers belong. An access control condition that permits access from each of the host computers to the other host computer and disallows access in other cases is set for each of the host computers. The access control system according to claim 1, wherein access from each of the host computers to the other host computer is controlled based on an access control condition set by a mechanism. 3. The group management mechanism is managed by a group member management function that manages a host computer belonging to each group, a group policy management mechanism that manages a group policy of each group, and the group member management function. A group policy conversion mechanism that generates an access control condition for each host computer based on a host computer for each group and a group policy for each group that is managed by the group policy management mechanism; and a group policy conversion mechanism that is generated by the group policy conversion mechanism. The access control system according to claim 2, further comprising an access control setting mechanism that sets the access control conditions set in the access control mechanism. 4. The access control system according to claim 1, wherein the access control mechanism is a packet filtering device. 5. At least one of said host computers
5. The access control system according to claim 1, wherein one belongs to a plurality of groups. 6. An access right management method in an access control system comprising a plurality of host computers grouped into a plurality of groups and an access control mechanism, wherein the access control mechanism is the same from each host computer. When access to another host computer in a group or another group is permitted by the group policy of all the groups to which each host computer belongs, access from each host computer to the other host computer is permitted. An access right management method characterized by permitting and otherwise disabling. 7. A group management mechanism is provided, wherein the group management mechanism is configured to permit access from the respective host computers to the other host computers according to a group policy of all groups to which the respective host computers belong. An access control condition that permits access from each of the host computers to the other host computer and disallows access in other cases is set for each of the host computers. The access right management method according to claim 6, wherein access from each of the host computers to the other host computer is controlled based on an access control condition set by the mechanism. 8. The group management mechanism manages a host computer belonging to each group and a group policy of each group, and manages the host computer of each group and the group policy of each group. The access right management method according to claim 7, wherein an access control condition for each host computer is generated based on the above. 9. The access right management method according to claim 6, wherein the access control mechanism is a packet filtering device. 10. The access right management method according to claim 6, wherein at least one of the host computers belongs to a plurality of groups.