JP2015087944A - Roll-based access control method and system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To convert an RBAC policy designed at a policy definition point so as to become the minimum authority into policies of policy execution points based on various restrictions of an access control mechanism and connection forms of systems since many policy execution points exist from diversity of pieces of equipment to be managed in a cloud system.SOLUTION: In a method for converting an RBAC policy defined at a policy definition point into policies at a plurality of policy execution points, the policy definition point and the policy execution points are connected with a network, and the policy definition point executes: processing for generating matrixes of functions of objects and the respective systems; and processing for converting the RBAC policy into the policies at the policy execution points by performing constraint programming by using the RBAC policy, restrictions of an access control mechanism at the policy execution points, and connection forms of the systems as constraints.

Description

  The present invention relates to role-based access control in the cloud. In particular, the present invention relates to access control when the system configuration changes with time.

  Generally, in an information system, access control is necessary to manage information resources safely. In conventional information systems, DAC (Discretionary Access Control), which defines the “read / write / execute” authority for information resources, was the mainstream, but the authority associated with changes in user status such as job responsibilities The redefinition was complicated, and it was a factor that caused security accidents due to human error.

  Therefore, as the access control, RBAC (Role Based Access Control) that facilitates policy definition by setting operation authority for each job role is desirable. In RBAC, the authority is not assigned directly to the user, but the authority is set and assigned in units called Roles, thereby eliminating the complexity of authority resetting associated with the status change. Here, the “policy” is an access right value (type or content).

  However, in the cloud system, there are many policy enforcement points (PEP: a system that executes access control) due to the diversity of devices to be managed, and the policy format required for access control differs for each policy enforcement point. Therefore, a technique for converting the RBAC policy defined at the policy definition point (PDP: RBAC policy definition system) into a policy at each policy enforcement point is required.

  As a technique for converting a policy, Patent Document 1 exists. In Patent Document 1, an RBAC policy is converted into an AD (Active Directory) resource policy by mapping an operation and an ACE (Access Control Entry) in advance.

JP 2009-539183 A

  In the information system, it is necessary to prevent access to the equipment outside the scope of duties that the user should fulfill (principle of separation of duties). Therefore, it is desirable to set the minimum access right in access control, that is, the resources necessary for performing a series of operations and the access right to each device (the principle of minimum authority, “minimum authority” These are resources and access rights necessary to perform a series of processing.)

  However, in Patent Document 1, since the operations defined in the RBAC policy and the authority set at each policy enforcement point are fixedly mapped, various restrictions of the access control mechanism at each policy enforcement point are caused. Therefore, it is difficult to set the minimum authority for each device. Further, since the ACE is converted to ACE at each policy enforcement point, the authority cannot be set so as to minimize the connection between the systems based on the system connection form and the RBAC policy. That is, the connection between the systems has been set manually in advance.

  The present invention has been made in view of such a situation, and based on various restrictions of the access control mechanism at each policy enforcement point and the connection form of the entire system, the scope of operation authority to each device is the minimum authority. Thus, an object is to convert an RBAC policy defined at a policy definition point into a policy at each policy enforcement point.

  The present invention is a method of converting an RBAC policy defined at a policy definition point into a policy at a plurality of policy enforcement points, wherein the policy definition point and the policy enforcement point are connected to a network, and the policy definition point is Constraint programming using the process of generating a matrix of objects (including classes and instances) and the functions of each system, the RBAC policy, the restrictions on the access control mechanism at the policy enforcement point, and the connection form of the system And converting the policy into the policy enforcement point policy.

  That is, the subject of the operation of the present invention is the “policy definition point”. When the client apparatus 101 receives a processing request from a user, the client apparatus 101 requests the policy definition point 103 to set an access right request according to the processing request. The policy definition point 103 determines the authority to be set for each policy enforcement point 104 according to the role. That is, the client apparatus 101 receives a request for executing an application (AP), the AP is executed at the policy enforcement point 104, and the policy definition point is set with authority according to the role.

  Here, the relationship between “role” and “class” or “instance” will be described. Multiple resources (processing devices, storage devices, etc.) that make up the network are each assigned a unique role. These multiple roles have a hierarchical structure, and the upper structure is called a “class”. Each class includes several “instances” as a lower structure, and a hierarchical structure from an upper class to a lower instance is defined. Such a hierarchical structure differs depending on the purpose and is not a fixed structure. Therefore, even in the same instance (resource), the hierarchical level on the hierarchical structure composed of classes and instances may be different.

  Furthermore, in the present invention, an access authority is set for an instance (resource) according to the level in the hierarchical structure, and the policy definition point (so-called server) controls the setting.

  According to the present invention, based on various restrictions of the access control mechanism and the connection form of the entire system, the RBAC policy defined at the policy definition point is set so that the operation to each device has the least authority. It becomes possible to convert to.

It is a figure which shows the example of a system configuration. It is a figure which shows the example of a function structure of a client apparatus. It is a figure which shows the example of a function structure of a policy definition point. It is a figure which shows the example of a function structure of a policy enforcement point. It is a figure which shows the example of the hardware constitutions of an apparatus. It is a figure which shows the example of the sequence diagram of a policy definition process. It is a figure which shows the example of a system configuration setting request message. It is a figure which shows the example of a clustering request message. It is a figure which shows the example of a class and an instance. It is a figure which shows the example of a policy enforcement point information setting request message. It is a figure which shows the example of a role setting request message. It is a figure which shows the example of a role hierarchy structure. 6 is a diagram illustrating an example of access right modeling 614. FIG. 10 is a diagram illustrating an example of an instance extension 619. FIG. It is a figure which shows the example of the sequence diagram of an operation authorization process. It is a figure which shows the example of an access right request message.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. Note that the present invention is not limited thereby.

  In this embodiment, an example of a system that defines an RBAC policy at a policy definition point and performs access control at the policy enforcement point will be described.

  In the following description, “by hand” means that the user performs a predetermined input operation on the terminal.

(System configuration)
FIG. 1 shows an example of a system configuration in this embodiment.

  In FIG. 1, the system according to this embodiment includes a client apparatus 101, a network 102, a policy definition point 103, and a policy enforcement point 104. A user uses system functions via the client device 101. The number of client devices 101 is not limited to one, and there may be a plurality of client devices 101 depending on the embodiment. The network 102 is not limited to a public network or a private network, and the connection interface is not limited. A client apparatus 101, a policy definition point 103 (PDP: a system that defines an RBAC policy), and a policy enforcement point 104 (PEP: a system that executes access control) are connected to the network 102, and the connection protocol is not limited. The network 102 need not be a single network, and may be multiple depending on the embodiment.

  The policy definition point 103 corresponds to an authentication device or the like. The policy definition point 103 is not limited to one, and may be plural depending on the embodiment. The policy enforcement point 104 corresponds to a storage integrated management device, storage, logical unit, hypervisor integrated management device, hypervisor, virtual machine, computing device, network device, and the like. There are a plurality of policy enforcement points 104.

  The client device 101 requests access right setting to the policy definition point 103 which is a processing device that executes a series of processing (role), and the policy definition point 103 performs access right setting processing to achieve the request. Is requested to the policy enforcement point 104 which is a processing device for executing a specific process.

  Further, depending on the request from the client apparatus 101, the content of the policy definition point 103 and the combination of the content of the policy enforcement point 104 corresponding thereto differ.

  FIG. 2 is an example of a functional configuration of the client apparatus 101 in this embodiment.

  The client apparatus 101 includes a control unit 201, an input / output unit 210 (that is, a terminal) that receives a request from a user and displays information to the user, and a transmission / reception unit 211 connected to the network 102.

  2, the control unit 201 includes a system configuration setting request unit 202, a clustering request unit 203, a policy enforcement point information setting request unit 204, a role design request unit 205, an access right modeling request unit 206, a policy definition request unit 207, The access right request unit 208 and the operation request unit 208 are configured.

  The input / output unit 210 is a processing unit that controls input from the user via an interface such as a keyboard and controls output to the user via an interface such as a monitor. The transmission / reception unit 211 is a processing unit that transmits and receives information via the network 102.

  Each request unit 202 to 208 in the control unit 201 receives each request from the input / output unit 210, and exchanges messages and the like with the policy definition point 103 via the transmission / reception unit 211 and the network 102. However, only the operation request unit 209 in the same control unit 201 receives each request from the input / output unit 210, and exchanges messages and the like with the policy enforcement point 104 via the transmission / reception unit 211 and the network 102, The communication partner is different from other request units.

(Each request part of the client device)
The system configuration setting request unit 202 receives a system configuration setting request from the user via the input / output unit 210, transmits a system configuration setting request message to the policy definition point 103 via the transmission / reception unit 211, and passes through the transmission / reception unit 211. A processing unit that receives a system configuration setting response message from the policy definition point 103 and notifies the user of the system configuration setting result via the input / output unit 210.

  The clustering request unit 203 receives a clustering request from the user via the input / output unit 210, transmits a clustering request message to the policy definition point 103 via the transmission / reception unit 211, and performs clustering from the policy definition point 103 via the transmission / reception unit 211. A processing unit that receives the response message and notifies the user of the clustering result via the input / output unit 210.

  The policy enforcement point information setting request unit 204 receives a policy enforcement point information setting request from the user via the input / output unit 210, transmits a policy enforcement point information setting request message to the policy definition point 103 via the transmission / reception unit 211, The processing unit receives a policy enforcement point information setting response message from the policy definition point 103 via the transmission / reception unit 211 and notifies the user of the policy enforcement point information setting result via the input / output unit 210.

  The role design request unit 205 receives a role design request from the user via the input / output unit 210, transmits a role design request message to the policy definition point 103 via the transmission / reception unit 211, and receives a policy definition point via the transmission / reception unit 211. A processing unit that receives a role design response message from 103 and notifies the user of the role design result via the input / output unit 210.

  The access right modeling request unit 206 receives an access right modeling request from the user via the input / output unit 210, transmits an access right modeling request message to the policy definition point 103 via the transmission / reception unit 211, and transmits / receives the transmission / reception unit 211. This is a processing unit that receives an access right modeling response message from the policy definition point 103 via, and notifies the user of the access right modeling result via the input / output unit 210.

  The policy definition request unit 207 receives a policy definition request from the user via the input / output unit 210, transmits a policy definition request message to the policy definition point 103 via the transmission / reception unit 211, and transmits the policy definition point via the transmission / reception unit 211. A processing unit that receives a policy definition response message from 103 and notifies the user of a policy definition result via the input / output unit 210.

  The access right requesting unit 208 receives an access right request from the user via the input / output unit 210, transmits an access right request message to the policy definition point 103 via the transmission / reception unit 211, and sends a policy definition point via the transmission / reception unit 211. 103 is a processing unit that receives an access right response message from 103 and notifies the user of the access right result via the input / output unit 210.

  The operation request unit 209 receives an operation request from the user via the input / output unit 210, transmits an operation request message to the policy enforcement point 104 via the transmission / reception unit 211, and operates from the policy enforcement point 104 via the transmission / reception unit 211. A processing unit that receives a response message and notifies an operation result to the user via the input / output unit 210.

  FIG. 3 is an example of a functional configuration of the policy definition point 103 in this embodiment.

  The policy definition point 103 includes a control unit 301, a storage unit 314, and a transmission / reception unit 323 connected to the network 102.

  The control unit 301 includes a system configuration setting processing unit 302, a clustering processing unit 303, a policy enforcement point information setting processing unit 304, a role design processing unit 305, an access right modeling processing unit 306, a policy definition processing unit 307, a constraint condition setting unit. 308, a constraint programming processing unit 309, an instance extension processing unit 310, an access right processing unit 311, an access right addition processing unit 312, and an access right deletion processing unit 313.

  Each of the processing units 302 to 307 and 311 in the control unit 301 exchanges messages and the like with the client device 101 via the transmission / reception unit 323 and the network 102. However, the processing units 308 to 310 in the same control unit 301 are called from the processing unit 307, the processing units 312 and 313 are called from the processing unit 311, and the policy enforcement points are transmitted via the transmission / reception unit 323 and the network 102. Messages are exchanged with 104, and the communication partner is different from other processing units.

(Each processing part of policy definition point)
The system configuration setting processing unit 302 receives the system configuration setting request message from the client device 101 via the transmission / reception unit 323, stores the system configuration information in the system configuration storage area 315, and stores the system configuration information in the client device 101 via the transmission / reception unit 323. It is a processing unit that transmits a system configuration setting response message.

  The clustering processing unit 303 receives a clustering request message from the client apparatus 101 via the transmission / reception unit 323, manually classifies the policy enforcement points 104 into classes and instances from the system configuration information on the system configuration storage area 315, and stores the class storage. This is a processing unit that stores class information in the area 316, stores instance information in the instance storage area 317, and transmits a clustering response message to the client apparatus 101 via the transmission / reception unit 323.

  The policy enforcement point information setting processing unit 304 receives the policy enforcement point information setting request message from the client apparatus 101 via the transmission / reception unit 323, stores the policy enforcement point information in the policy enforcement point information storage area 318, and the transmission / reception unit 323. Is a processing unit that transmits a policy enforcement point information setting response message to the client apparatus 101 via.

  The role design processing unit 305 receives a role design request message from the client apparatus 101 via the transmission / reception unit 323, performs role design, stores role information in the role / policy storage area 319, and receives the client via the transmission / reception unit 323. It is a processing unit that transmits a role design response message to the apparatus 101.

  The access right modeling processing unit 306 receives the access right modeling request message from the client apparatus 101 via the transmission / reception unit 323, and receives the policy enforcement point information on the policy enforcement point information storage area 318 and the class on the class storage area 316. The access right is modeled from information (associating the resource and the access right), the access right modeling information is stored in the access right model storage area 320, and the access right is accessed to the client apparatus 101 via the transmission / reception unit 323. A processing unit that transmits a modeling response message.

  The policy definition processing unit 307 receives the policy definition request message from the client apparatus 101 via the transmission / reception unit 323, performs policy definition of the policy enforcement point 104 (sets the access right), and stores it in the role / policy storage area 319. The processing unit stores policy information and transmits a policy definition response message to the client apparatus 101 via the transmission / reception unit 323.

  The constraint condition setting unit 308 is called from the policy definition processing unit 307, generates a constraint condition from policy enforcement point information (configuration information input manually) in the policy enforcement point information storage area 318, and generates a constraint condition storage area 321. Is a processing unit for storing constraint conditions.

  The constraint programming processing unit 309 is a processing unit that is called from the policy definition processing unit 307 and defines a policy for each policy enforcement point 104 by constraint programming using the constraint conditions in the constraint condition storage area 321. In constraint programming, the relationship between variables is programmed in the form of constraints, and the constraint condition represents the relationship between the variables.

  The instance extension processing unit 310 is a processing unit that is called from the policy definition processing unit 307, is called, and updates the access right modeling information on the access right model storage area 320 from the instance information on the instance storage area 317. That is, a new association between a resource and an access right is performed.

  The access right processing unit 311 receives the access right request message from the client apparatus 101 via the transmission / reception unit 323, and determines the access right for the policy enforcement point 104 based on the role information and policy information in the role / policy storage area 319. The processing unit transmits an access right response message to the client apparatus 101 via the transmission / reception unit 323. The contents of the access right determined here are stored in the access right granting status storage area 322. For example, based on a request from the client device 101, the granting status of the access right is displayed on the input / output unit 210 of the client device 101. Is done.

  The access right addition processing unit 312 is called from the access right processing unit 311, transmits an access right addition request message to the policy enforcement point 104 via the transmission / reception unit 323, and accesses from the policy enforcement point 104 via the transmission / reception unit 323. A processing unit that receives an additional response message.

  The access right deletion processing unit 313 is called from the access right processing unit 311, transmits an access right deletion request message to the policy enforcement point 104 via the transmission / reception unit 323, and is accessed from the policy enforcement point 104 via the transmission / reception unit 323. A processing unit that receives a deletion response message. Access rights are added or deleted based on manual instructions.

  Reference numeral 314 denotes a storage unit, which is a system configuration storage area 315, a class storage area 316, an instance storage area 317, a policy enforcement point information storage area 318, a role policy storage area 319, an access right model storage area 320, a restriction It comprises a condition storage area 321 and an access right grant status storage area 322.

(Each storage area for policy definition points)
The system configuration storage area 315 is an area for storing the system configuration information of this embodiment.

  The class storage area 316 is an area for storing class information of the policy enforcement point 104.

  The instance storage area 317 is an area for storing instance information of the policy enforcement point 104.

  The policy enforcement point information storage area 318 is an area for storing information of the policy enforcement point 104.

  The role policy storage area 319 is an area for storing role information defined in the RBAC and policy information of the policy enforcement point 104.

  The access right model storage area 320 is an area for storing access right modeling information.

  The constraint condition storage area 321 is an area for storing constraint conditions. The access right granting status storage area 322 is an area for storing the access right granting status.

  Next, the transmission / reception unit 323 is a processing unit that performs transmission / reception of information via the network 102.

  FIG. 4 is an example of a functional configuration of the policy enforcement point 104 in the present embodiment.

  The policy enforcement point 104 includes a control unit 401 and a transmission / reception unit 405 connected to the network 102.

  The control unit 401 includes an access right addition processing unit 402, an access right deletion processing unit 403, and an operation processing unit 404.

  The access right addition processing unit 402 is a processing unit that receives an access right addition request message from the policy definition point 103 via the transmission / reception unit 405 and transmits an access right addition response message from the policy definition point 103 via the transmission / reception unit 405. is there.

  The access right deletion processing unit 403 is a processing unit that receives an access right deletion request message from the policy definition point 103 via the transmission / reception unit 405 and transmits an access right deletion response message from the policy definition point 103 via the transmission / reception unit 405. is there.

  The operation processing unit 404 is a processing unit that receives an operation request message from the client device 101 via the transmission / reception unit 405 and transmits an operation response message from the client device 101 via the transmission / reception unit 405.

  The transmission / reception unit 405 is a processing unit that performs transmission / reception of information via the network 102.

  FIG. 5 is an example of a hardware configuration diagram of the apparatus in the present embodiment. The hardware configuration shown in FIG. 5 shows the hardware configuration of each of the client apparatus 101, policy definition point 103, and policy enforcement point 104 shown in FIG.

  In FIG. 5, a computer 501 includes a CPU 502, a memory 503, an external storage device 504, a transmission / reception device 505, an output device 506, and an input device 507. The processing unit of each device is stored as a program in the external storage device 504, loaded into the memory 503, and executed by the CPU 502. A memory 503 or an external storage device 504 is used as a storage area in the storage unit. The transmission / reception unit of each device is realized by the transmission / reception device 505. The input / output unit of each device is realized by an output device 506 and an input device 507.

  In particular, the CPU 502 and the memory 503 correspond to the control units in each of the client device 101, the policy definition point 103, and the policy enforcement point 104, and each processing unit in the control unit illustrated in FIG. 2, FIG. 3, and FIG. , Stored as a program in the memory 503 and executed by the CPU 502. The storage unit 314 in FIG. 3 is the external storage device 504 shown in FIG. The transmission / reception device 505 in FIG. 5 is each transmission / reception unit in FIG. 2, FIG. 3, and FIG. 4, and is connected to the network 102 shown in FIG. The output device 506 and the input device 507 in FIG. 5 are the input / output unit 210 in FIG.

(Processing procedures using various information)
An example of a series of processes executed by the client apparatus 101, the policy definition point 103, and the policy enforcement point 104 when defining a policy from the initial state in this system will be described with reference to FIGS.

  FIG. 6 is an example of a sequence diagram of policy definition processing in this embodiment.

((1) Setting system configuration information)
In this embodiment, system configuration information is first provided to the policy definition point 103. Therefore, first, the client apparatus 101 transmits a system configuration setting request message 601 to the policy definition point 103. An example of the system configuration setting request message 601 is shown in FIG. The system configuration setting request message 601 includes parameters of the policy enforcement point 104, the network 102, and the network topology (configuration information) 701. In the example of FIG. 7, the policy enforcement point 104 is LU [1], hypervisor [1], the network 102 is NW [1], the topology 701 is LU [1] -LU [2] -hypervisor [1], etc. It has become.

  Returning to FIG. 6, the system configuration setting processing unit 302 of the policy definition point 103 performs system configuration setting 602 next. The system configuration setting 602 acquires information on the policy enforcement point 104, the network 102, and the topology 701 from the system configuration setting request message 601 and stores the information in the system configuration storage area 315. Then, the policy definition point 103 transmits a system configuration setting response message 603 to the client apparatus 101. The system configuration setting response message 603 includes parameters of the execution result of the system configuration setting 602, and the execution result is expressed by a truth value. For example, “1” is set if the execution result is successful, and “0” is set if the execution result is unsuccessful.

  In this way, in this embodiment, the user provides system configuration information such as the policy enforcement point 104, the network 102, and the topology 701 to the policy definition point 103, but the policy definition point 103 is port scanned (used / unused for each port). The policy enforcement point 104 may be specified by a method such as checking the status of the system and the like, and the system configuration information may be automatically constructed. Further, system configuration information may be acquired from an integrated management device or the like.

((2) Clustering)
Next, in this embodiment, the policy definition point 103 clustering process 303 clusters the policy enforcement point 104 and the network 102 based on the system configuration information. That is, the constituent elements are grouped according to the type or connection relationship of the constituent elements.

((2-1) Analysis of clustering request message)
Therefore, first, the client apparatus 101 transmits a clustering request message 604 to the clustering processing unit 303 of the policy definition point 103. An example of the clustering request message 604 is shown in FIG. The clustering request message 604 includes class 801 and instance 802 parameters. In the example of FIG. 8, Class_LU [1], Class_hypervisor [1], Class_NW [1], and the like are classes 801, and the policy enforcement point 104 is an instance 802, which is included in any class 801 without duplication. That is, each of the plurality of policy enforcement points 104 is classified into one of the classes manually.

((2-2) Class and instance classification)
FIG. 9 shows examples of classes and instances in this embodiment. In this embodiment, the same function and access mechanism of the policy enforcement point 104 are the same class. These classifications are performed manually. Further, when there are a plurality of instances 802 of the network 102 that connect the class 801 and the class 801, the instance 802 group is set to the class 801. In the example of FIG. 9, LU [1], LU [2], and LU [x] have the same function / access mechanism, so that the class is 801_1, and the network 102_1 that connects the class 801_1 and the class 801_k and the network 102_m is defined as class 801_k + 1.

((2-3) Class and instance information storage)
Returning to FIG. 6, the policy definition point 103 performs clustering 605 as follows.

  Clustering 605 is performed by the clustering processing unit 303, acquires information on the class 801 and the instance 802 from the clustering request message 604, stores the class 801 in the class storage area 316, and stores the instance 802 in the instance storage area 317. Then, the policy definition point 103 transmits a clustering response message 606 to the client device 101. The clustering response message 606 includes parameters of the execution result of the clustering 605, and the execution result is expressed by a truth value.

  As described above, in this embodiment, the user executes clustering, and the clustering result is provided to the policy definition point 103. The identity of the function / access mechanism is determined from the information of the policy enforcement point 104, and the clustering method is used. You may cluster by.

((3) Setting the policy enforcement point detailed information to the policy definition point)
((3-1) Policy enforcement point information setting request)
Next, in this embodiment, detailed information of the policy enforcement point 104 is provided to the policy definition point 103. Therefore, first, the client apparatus 101 transmits a policy enforcement point information setting request message 607 to the policy definition point 103.

  An example of the policy enforcement point information setting request message 607 is shown in FIG. The policy enforcement point information setting request message 607 includes parameters of a class 801, a function 1001, a related class 1002, and an access control mechanism 1003. The access control mechanism 1003 stores information related to means for accessing each policy enforcement point.

  The related class 1002 means a class 801 that is affected by the function 1001 being executed. In the example of FIG. 10, the function 1001 of the Class_hypervisor [1] is virtual machine creation or the like, and the access control mechanism 1003 of the Class_hypervisor [1] is an RBAC restriction mechanism or the like. Depending on the class as in the example of FIG. 10, the function 1001, the related class 1002, and the access control mechanism 1003 may not be provided.

((3-2) Policy enforcement point information storage)
Returning to FIG. 6, the policy enforcement point information setting processing unit 304 of the policy definition point 103 performs policy enforcement point information setting 608 next. The policy enforcement point information setting 608 is performed by the policy enforcement point information setting processing unit 304, acquires information on the function 1001 and the access control mechanism 1003 from the policy enforcement point information setting request message 607, and stores the information in the policy enforcement point information storage area 318. To store. Then, the policy definition point 103 transmits a policy enforcement point information setting response message 609 to the client device 101. The policy enforcement point information setting response message 609 is composed of parameters of the execution result of the policy enforcement point information setting 608, and the execution result is expressed by a truth value.

((4) Policy definition point role design)
Next, in this embodiment, a roll is designed.

((4-1) Requirements for roll design)
Therefore, first, the client apparatus 101 transmits a role design request message 610 to the policy definition point 103. An example of the roll design request message 610 is shown in FIG. This message is a message requesting to set a class or an instance for the role hierarchy.

  The role design request message 610 includes parameters of a role 1101, an upper role 1102, a permission function 1103, a permission instance 1104, and an attribute 1105. In the example of FIG. 11, (Role 1101, Upper role 1102, Permitted function 1103, Permitted instance 1104, Attribute 1105) are ("Company A in charge", "Server in charge", None, "Hypervisor [1]",. “Instance”).

  FIG. 12 shows an example of a role hierarchical structure in the present embodiment. FIG. 12 shows a hierarchical structure including an upper hierarchy (upper role) 1105a and a lower hierarchy (lower role or instance) 1105b. The role 1101 is arbitrarily named by the user, and the role 1101 existing in the upper role 1105a designates a lower role or instance in the lower layer 1105b, thereby configuring a role hierarchical structure. The role 1101 has one of two types of attributes, “class” and “instance” (in the hierarchical structure of the role, the higher one is a class, the lower one is an instance, and the whole has a tree structure. The role 1101 with the “class” attribute is assigned a function that the user is permitted to execute, for example, a function such as virtual machine creation 1001 as the permitted function 1103, and the role 1101 with the “instance” attribute is assigned as the upper role 1105 a. A lower hierarchy cannot be taken (assigned). An instance 802 permitted to be operated by the user is assigned as a permitted instance 1104 to a role 1101 having an “instance” attribute, and the upper role 1105a must be designated.

((4-2) Storage of information included in role design request)
Returning to FIG. 6, the policy definition point 103 performs role design 611 next. The role design processing unit 305 performs the role design 611, acquires information on the role 1101, the upper role 1102, the permitted function 1103, the permitted instance 1104, and the attribute 1105 from the role design request message 610, and stores the information in the role / policy storage area 319. To store. Then, the policy definition point 103 transmits a role design response message 612 to the client device 101. The role design response message 612 includes parameters of the execution result of the role design 611, and the execution result is expressed by a truth value.

  As described above, in this example, roles are constructed in a hierarchical structure, and role design is performed by assigning attributes according to the hierarchy to each role. However, role design is not limited to this embodiment. A standard roll design proposed by NIST (National Institute of Standards and Technology) may be used.

((5) Access rights modeling)
Next, in this embodiment, in order to generate intermediate data (access right matrix 1302 described later) necessary for policy definition from the class 801 and the function 1001 given to the policy definition point 103, access right is modeled.

((5-1) Generation of access right matrix)
Therefore, first, the client apparatus 101 transmits an access right modeling request message 613 to the access right modeling processing unit 306 of the policy definition point 103. The access right modeling request message 613 is a message transmitted to cause the policy definition point 103 to execute the access right modeling 614, and is a message having no parameters.

  Next, the policy definition point 103 performs access right modeling 614 for each role 1101 of the “class” attribute. Access right modeling 614 is performed by the access right modeling processing unit 306.

  An example of access right modeling 614 in this embodiment is shown in FIG. First, the access right matrix 1301 is generated from the class 801 information on the class storage area 316 and the function 1001 on the policy enforcement point information storage area 318. As shown in FIG. 13, the access right matrix 1301 has an access source 1302 and an access destination 1304 as columns, and a main body 1303 and a function 1001 as rows. The elements of the access right matrix 1301 are binary values, and are all “0” when the access right matrix 1301 is generated.

((5-2) Access right plot)
Next, the access right necessary for the role 1101 is plotted (parameter setting) from the permission function 1103 for the role 1101 on the role / policy storage area 319, the function 1001 on the policy enforcement point information storage area 318, and the related class 1002. For example, when the access right modeling 614 is executed for the “server charge” role 1101, the “server charge” role 1101 has the “virtual machine creation” permission function 1103 and the “virtual machine creation” Function 1001 has “Class_LU [1]” as the related class 1002, and therefore, on the access right matrix 1301, the access source 1302 “Class_hypervisor [1]” and the main body 1303 “Class_LU [1]” function 1001 “ The “none” element and the main body 1303 “Class_hypervisor [1]” and the access destination 1304 “Class_LU [1]” function 1001 “virtual machine creation” elements are incremented to 1. That is, the flag of the predetermined element is set from “0” indicating “no authority” to “1” indicating “authorization”.

  Such processing is performed for all permission functions 1103 of the role 1101 in charge of the server, and the access right matrix 1301 is stored in the access right model storage area 320. The above access right modeling process is performed as “class”. The access rights matrix 1301 is generated by the number of “class” attribute roles 1101 by repeating the number of attribute roles 1101.

  Then, the policy definition point 103 transmits an access right modeling request message 615 to the client apparatus 101. The access right modeling request message 615 includes parameters of the execution result of the access right modeling 614, and the execution result is expressed by a truth value.

((6) Class policy definition)
Next, in this embodiment, the policy definition of the policy enforcement point 104 is defined for each role 1101 having the “class” attribute.

  Therefore, first, the client apparatus 101 transmits a policy definition request message 616 to the policy definition point 103. The policy definition request message 616 is a message transmitted to cause the policy definition point 103 to execute a series of policy definition processes, and is a message having no parameters.

((6-1) Setting constraint conditions)
Next, the policy definition point 103 executes a series of policy definition processing by the policy definition processing unit 307. First, the policy definition processing unit 307 performs constraint condition setting 617. The restriction condition setting 617 is performed by the restriction condition setting unit 308, and in each record of the access right matrix 1301 from the class 801 regarding the network in the class storage area 316, the class 801 that can be the access source 1302 and the access destination 1304 is manually restricted. Perform the operation.

  Further, based on the access control mechanism 1003 on the policy enforcement point information storage area 318, the access right setting at the policy enforcement point 104 restricts the access right guarantee area on the access right matrix 1301. In this embodiment, it is assumed that the access right guarantee area for access right setting can be designed in advance. Furthermore, a universal property such as “the number of access right settings at the policy enforcement point 104 should be smaller” is a weak constraint condition. The constraint condition is stored in the constraint condition storage area 321.

((6-2) Executing constraint programming)
Next, the policy definition processing unit 307 performs constraint programming 618 for the entire access right matrix 1301 as follows.

  The constraint programming 618 is performed by the constraint programming processing unit 309 and searches for the access right setting at the policy enforcement point 104 that includes all the incremented elements on the access right matrix 1301. Then, the access right setting obtained by the constraint programming 618 for each role 1101 and the access right guarantee area for each access right setting are stored in the role / policy storage area 319.

((6-3) Instance expansion)
Next, the policy definition processing unit 307 performs instance expansion 619. That is, the access right can be set for the lower-level instances.

  The instance extension processing unit 310 performs the instance extension 619, and copies the access right matrix 1301 generated for each role 1101 of the “class” attribute by the number of roles 1101 of the lower “instance” attribute, For each 1101, the class 801 of the access source 1302, the subject 1303, and the access destination 1304 is extended to the instance 802 on the access right matrix 1301.

  The result of the instance expansion 619 is shown in FIG. In the example of FIG. 14, the class 801 “Class_LU [1]” is extended to the instances 802 “LU [1]” and “LU [2]”. The value of the element of the access right matrix 1301 inherits the value before the instance extension 619 and decrements the instance 802 that is not included in the permitted instance 1104 on the role policy storage area 319. Then, the access right matrix 1301 that executed the instance expansion 619 is stored in the access right model storage area 320.

((7) Execution of constraint programming in the access right guarantee area)
Next, the policy definition processing unit 307 performs constraint programming 620 similar to the above-described constraint programming 618 for each access right guarantee area (instance extension area). The constraint programming 620 is performed by the constraint programming processing unit 309, and the access right guarantee area that the access right guarantee area has been expanded by the instance expansion 619 is targeted. In order to review the access right setting corresponding to the access right guarantee area, search for the optimal access right setting (setting of the access right that satisfies the restrictions of the restriction conditions) in the access right guarantee area, and the role policy storage area It stores in 319.

  Then, the policy definition point 103 transmits a policy definition response message 621 to the client device 101. The policy definition response message 621 is composed of parameters of the execution result of the policy definition process, and the execution result is expressed by a truth value.

  As described above, in this embodiment, the access right setting of the policy enforcement point 104 based on the role design is searched by constraint programming using the system topology and the access control mechanism of the policy enforcement point 104 as constraint conditions. Note that the constraint conditions given in the present embodiment are examples and are not limited.

  In this example, roles and system configurations are abstracted to class level by clustering before policy definition processing, and access right setting search by class level constraint programming and access right setting search by instance level constraint programming are executed in policy definition processing. doing. By searching the access right setting separately for classes and instances, there is an effect of reducing the risk of the computation of constraint programming diverging. In other words, by dividing the access right setting targets into classes and instances, it is possible to limit the target of constraint programming calculation.

  Also, by dividing into classes and instances, in constraint programming, the constraint conditions associated with classes and instances can be inherited as they are even if the contents of classes and instances are slightly changed, and instance-level constraint programming is a partial problem. Can be explored as

  In recent years, the opportunity of instance generation / deletion has increased due to the advancement of virtualization technology. By making instance-level constraint programming a partial problem, there is an effect of reducing the cost of recalculation.

  The above is an example of a series of processes executed by the client apparatus 101, the policy definition point 103, and the policy enforcement point 104 when defining a policy from the initial state in this system.

(Specific example of a series of processing)
An example of a series of processes executed by the client apparatus 101, the policy definition point 103, and the policy enforcement point 104 when the system is authorized in this system will be described with reference to FIGS.

((1) Request access right)
FIG. 15 is an example of a sequence diagram of the operation authorization process in the present embodiment. In this embodiment, the policy definition point 103 first sets an access right to the policy enforcement point 104. Therefore, first, the client apparatus 101 transmits an access right request message 1501 to the policy definition point 103. The access right request message 1501 includes a role 1101 that the user desires to access and an access time parameter.

((2) Setting access rights)
Next, the policy definition point 103 performs access right setting processing. The access right setting process is executed by the access right addition processing unit 312 and transmits an access right addition message 1502 to all policy enforcement points 104.

  An example of the access right addition request message 1502 is shown in FIG. The access right addition request message 1502 includes parameters of the access right setting 1601. The access right setting 1601 acquires an access right setting value corresponding to the role 1101 that the user desires to access from the role / policy storage area 319.

  Next, the policy enforcement point 104 performs access right addition 1503. An access right addition 1503 is executed by the access right addition processing unit 402, and an access right is added based on the access right setting 1601 at the policy enforcement point 104. The policy enforcement point 104 transmits an access right addition response message 1504 to the policy definition point 103. The access right addition response message 1504 is composed of execution result parameters of the access right addition 1503, and the execution result is expressed by a truth value.

  The access right setting process as described above is repeated for all policy enforcement points 104. This processing may be omitted for the policy enforcement point 104 where the access right setting 1601 corresponding to the role 1101 that the user desires to access does not exist.

((3) Completion of access right setting)
Next, the policy definition point 103 transmits an access right response message 1505 to the client apparatus 101. The access right response message 1505 is composed of parameters of the execution result of the access right setting process, and the execution result is expressed by a truth value.

((4) Operation request)
Next, in this embodiment, the operation is executed at the policy enforcement point 104. Therefore, the client apparatus 101 transmits an operation request message 1506 to the policy enforcement point 104 for each operation that the user wants to execute. The operation request message 1506 is a message transmitted to cause the policy enforcement point 104 to execute an operation, and is a message having no parameters.

  Next, the policy enforcement point 104 executes operation 1507. The operation 1507 is executed by the operation processing unit 404, and any one of the functions 1001 is executed according to the user's request. Then, the policy enforcement point 104 transmits an operation response message 1508 to the client device 101. The operation response message 1508 includes parameters of the execution result of the access right setting process, and the execution result is expressed by a truth value.

((5) Delete access right)
Next, in this embodiment, in order to release the policy enforcement point 104 (resource such as a device) to which the access right is set after use, the added access right is deleted. Therefore, the policy definition point 103 executes access right deletion processing. The access right deletion processing is executed by the access right deletion processing unit 403 when the access time in the access right addition request message 1502 elapses after the access right addition processing. In the access right deletion process, an access right deletion request message 1509 is transmitted to all policy enforcement points 104 for which the access right is set. The access right deletion request message 1509 includes a parameter for deleting the access right setting 1601. On the other hand, the access right setting 1601 acquires an access right setting value corresponding to a new role 1101 that the user desires to access from the role / policy storage area 319.

  Next, the policy enforcement point 104 designated as a countermeasure for the access right deletion by the parameter executes the access right deletion 1510. The access right deletion 1510 is executed by the access right deletion processing unit 403 and deletes the access right based on the parameter for deleting the access right setting 1601 on the access right deletion request message 1509. Then, the policy enforcement point 104 transmits an access right deletion response message 1511 to the policy definition point 103. The access right deletion response message 1511 is composed of parameters of the execution result of the access right deletion 1510, and the execution result is expressed by a truth value.

  When the addition and deletion of access rights are repeated, information necessary for continuation of processing at each policy enforcement point 104 is retained as necessary. For example, (1) First, the access right is added to the policy enforcement point α with the role A and then deleted. (2) The access right is added to the policy enforcement point α with the role B and then deleted. ) When adding an access right to the policy enforcement point α in role A, even while role B in (2) is being executed. If the information at the time of executing with the role A in (1) is not retained, the consistency of the information cannot be maintained when the role A in (3) is resumed.

(Other examples)
As described above, in this embodiment, the access right of the policy enforcement point 104 is executed every time the user makes an operation request.

  In general, avoid the situation where operations that should not be executed simultaneously at the stage of role design are given to one role. However, if multiple roles are assigned to one person, operations that must not be executed simultaneously. You may have both rights. Therefore, the method of statically assigning access rights to all roles in advance increases the risk of simultaneously performing operations that should not be performed simultaneously, which is not preferable. Therefore, dynamically assigning access rights as in this embodiment has the effect of reducing the risk and facilitating separation of responsibilities. That is, by dynamically performing the series of processes (addition and deletion of access rights to each policy enforcement point) described above (1) to (5), one policy enforcement point 104 (resource) is temporarily stored. Can be authorized to operate.

  In this embodiment, the access right deletion timing is determined based on the access time specified by the user. However, the policy definition point 103 makes an inquiry to the policy enforcement point 104 by broadcasting, confirms the end of the operation, and determines the access right. May be deleted.

  In addition, this invention is not limited to an above-described Example, Various modifications are included. For example, the above-described embodiments have been described in detail for easy understanding of the present invention, and are not necessarily limited to those having all the configurations described. Further, a part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. Further, it is possible to add, delete, and replace other configurations for a part of the configuration of each embodiment.

  Each of the above-described configurations, functions, processing units, processing means, and the like may be realized by hardware by designing a part or all of them with, for example, an integrated circuit. Each of the above-described configurations, functions, and the like may be realized by software by interpreting and executing a program that realizes each function by the processor. Information such as programs, tables, and files that realize each function can be stored in a recording device such as a memory, a hard disk, or an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.

  Further, the control lines and information lines indicate what is considered necessary for the explanation, and not all the control lines and information lines on the product are necessarily shown. Actually, it may be considered that almost all the components are connected to each other.

101: client device, 102: network, 103: policy definition point, 104_1, 104_n: policy enforcement point, 201, 301, 401: control unit, 314: storage unit, 211: input / output unit, 211, 323, 405: transmission / reception 501: Computer, 502: CPU, 503: Memory, 504: External storage device, 505: Transmission / reception device, 506: Output device, 507: Input device

Claims (15)

A role-based access control method at a policy definition point connected to a network and a plurality of policy enforcement points,
By the policy definition point,
Processing for receiving system configuration information, receiving policy enforcement point function information and access control mechanism information, and receiving a role based on role-based access control;
Processing for modeling access rights, setting constraint conditions, and searching for access right setting values of the policy enforcement points that satisfy the role by constraint programming;
The policy definition point performs a process of transmitting the access right setting value to a plurality of policy enforcement points via the network.
And a role-based access control method. By the policy definition point,
The role-based access control method according to claim 1, wherein the system configuration information and the access control mechanism information at the policy enforcement point are used as a strong constraint. By the policy definition point,
The role-based access control method according to claim 2, wherein a process is performed in which the total number of the access right setting values and the number of the access right setting values unnecessary for the role are set as weak constraints. By the policy definition point,
Clustering the system configuration information to generate class configuration information;
A process of classifying the role into a class attribute role and an instance attribute role;
A process of searching for a provisional access right setting value of the policy enforcement point that satisfies the class attribute role by constraint programming using the class configuration information as a constraint condition;
Inheriting the restriction condition, inheriting the provisional access right setting value, and performing a process of searching for the access right setting value of the policy enforcement point that satisfies the instance attribute role by constraint programming.
The role-based access control method according to claim 3. By the policy definition point,
A process of receiving update information of the system configuration information and acquiring instance increase / decrease information;
Inheriting the access right setting value, performing a process of correcting as a partial problem by constraint programming limited to the access right setting value that can be changed by the increase or decrease of the instance,
The role-based access control method according to claim 4. By the policy definition point,
The function information of the policy enforcement point is received, the class is divided into a function subject, an access source, and an access destination, and an access model of a class attribute role is determined by a combination of the subject, the access source, the access destination, and the function. The role-based access control method according to claim 1, wherein the role-based access control method is generated. By the policy definition point,
The access model of an instance attribute role is generated by inheriting the access model of the class attribute role and extending the subject, the access source, and the access destination from the class to the instance. 6. The role-based access control method according to 6. By the policy definition point,
A process of receiving an access desired role, and the policy definition point transmits the access right setting value corresponding to the access desired role to a plurality of policy enforcement points via the network;
After the end of a certain period of time or after receiving an operation end signal, carry out a process of deleting the access right set at the policy enforcement point.
The role-based access control method according to claim 1. A role-based access control system having a policy definition point connected to a network and a plurality of policy enforcement points,
The policy definition point is
Processing for receiving system configuration information, receiving policy enforcement point function information and access control mechanism information, and receiving a role based on role-based access control;
Means for modeling an access right, setting a constraint condition, and searching for an access right setting value of the policy enforcement point satisfying the role by constraint programming;
A role-based access control system, wherein the policy definition point includes means for transmitting the access right setting value to a plurality of policy enforcement points via the network. The policy definition point is
10. The role-based access control system according to claim 9, further comprising a unit that performs processing using the system configuration information and the access control mechanism information of the policy enforcement point as a strong constraint. The policy definition point is
The role-based access control according to claim 10, further comprising: a process for setting a weak restriction condition on a total number of the access right setting values and a number of the access right setting values unnecessary for the role. system. The policy definition point is
The function information of the policy enforcement point is received, the class is divided into a function subject, an access source, and an access destination, and an access model of a class attribute role is determined by a combination of the subject, the access source, the access destination, and the function. The role-based access control system according to claim 9, further comprising means for generating. The policy definition point is
Means for inheriting the access model of the class attribute role and generating an access right model of the instance attribute role by extending the subject, the access source, and the access destination from the class to the instance. The role-based access control system according to claim 12. The policy definition point is
Means for receiving an access desired role, and the policy definition point transmits the access right setting value corresponding to the access desired role to a plurality of policy enforcement points via the network;
10. The role-based access control according to claim 9, further comprising means for executing a process of deleting an access right set at the policy enforcement point after a predetermined time or after receiving an operation end signal. system. A storage medium that is readable and enlightened with a program for executing a role-based access control method at a policy definition point connected to a network and a plurality of policy enforcement points,
The access control method is:
By the policy definition point,
Processing for receiving system configuration information, receiving policy enforcement point function information and access control mechanism information, and receiving a role based on role-based access control;
Processing for modeling access rights, setting constraint conditions, and searching for access right setting values of the policy enforcement points that satisfy the role by constraint programming;
The policy definition point performs a process of transmitting the access right setting value to a plurality of policy enforcement points via the network.
A storage medium characterized by that.

Images