JP5708131B2 - ACCESS CONTROL SYSTEM, ACCESS CONTROL METHOD, AUTHENTICATION DEVICE AND ITS PROGRAM, AND SERVICE PROVIDING DEVICE - Google Patents

Description

  The present invention relates to an access control system, an access control method, an authorization device and a program thereof, and a service providing device, and more particularly to an access control system, an access control method, an authorization device and an access control system that perform access control using a policy in a distributed environment. The present invention relates to a program and a service providing apparatus.

  An example of an authentication technique in a distributed system such as cloud computing is described in Non-Patent Document 1. As shown in FIG. 21, in the access control system 90, a service providing device 70 (Service Provider: SP) that provides a service to the user 60 and an authorization device that holds the personal information 98 of the user and provides the service providing device 70. Information is exchanged with 80 (Identity Provider: IdP).

  The user 60 accesses the service providing apparatus 70 (step S1), and requests service provision. The authorization device 80 centrally manages user information, and the service providing device 70 entrusts the authorization device 80 with authentication and authorization processing. That is, when an access request from the user 60 is made and the service providing apparatus 70 needs to perform user authentication or authorization determination, the authorization apparatus 80 is requested to perform authentication and authorization processing (step S2). 60, user authentication is performed (step S3). Then, the authorization device 80 determines whether an authenticated user can access. The determination result is returned from the authorization device 80 to the service providing device 70 (step S4). Then, according to the determination result, a service is provided from the service providing device 70 to the user 60 (step S5).

  In order to exchange this authentication information between the authorization device 80 and the service providing device 70, various methods such as OpenID have been proposed. By using OpenID, single sign-on by a lightweight process is realized.

  In order to realize authorization processing in a distributed environment, a specification called XACML (eXtensible Access Control Markup Language) has been proposed (Non-Patent Document 2). As illustrated in FIG. 22, the system 50 described in Non-Patent Document 2 performs PAP (Policy Enforce Point) 72 that permits access to the resource 52 based on the authorization determination result, and the access permission determination in order to perform the authorization determination. A system including a PDP (Policy Decision Point) 82 to be performed, a PAP (Policy Administration Point) 84 for managing an access policy, and a PIP (Policy Information Point) 86 for managing information necessary for access control is defined.

The system 50 described in Non-Patent Document 2 having such a configuration operates as follows.
That is, when the access requester 62 accesses the information of the PEP 72, the PEP 72 requests the PDP 82 for authorization determination. Then, the PDP 82 acquires a policy from the PAP 84, acquires information from the PIP 86, and determines whether to permit or deny access to the PEP 72. Thereafter, the PDP 82 notifies the determination result to the PEP 72. When the PEP 72 acquires the notification, it determines whether to permit access to the resource 52 according to the notification and responds to the access of the access requester 62.

  Patent Document 1 describes an access policy setting device. If this apparatus is used, a new policy can be set by analogy based on a policy that has already been set. Therefore, an access policy can be easily set before access control is performed.

JP 2007-213208 A

Naohiro Fujisaki, “2nd authentication technology in cloud computing era”, [online], August 25, 2010, Atmark IT, [Search February 21, 2011], Internet, <URL : Http://www.atmarkit.co.jp/fwin2k/operation/adfs2sso02/adfs2sso02_01.html> OASIS Standards, “eXtensible Access Control Markup Language (XACML) Version 2.0”, [online], February 1, 2005, OASIS, [ Retrieved on December 21, 2010], Internet, <URL: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf>

In the system described in the above-mentioned document, since complicated processing such as prior arrangement is required, there is a problem that the load of policy creation is high.
The reason is that it is difficult to determine all IdPs and SPs to exchange information in advance in the access control system in the distributed system described in the above document. For example, the IdP or SP with which information is exchanged may be changed and cannot be determined in advance. For this reason, setting a policy in advance by the IdP and SP has a very high processing load, and it is not realistic to pre-define all policies in advance. In addition, if IdP and SP for exchanging information are determined in advance, it is possible to exchange an appropriate policy in advance, but in reality, IdP and SP are not fixed but fluid.

  An object of the present invention is to provide an access control system, an access control method, an authorization device and its program, and a service providing device that solve the above-described problem that the processing load of creating a policy in advance is high. There is.

The access control system of the present invention
A service providing device for providing a service to a user;
An authorization device that performs authorization determination of an access request to the resource from the user from the service providing device, and
The authorization device is
Request accepting means for accepting an access request to the resource from the user from the service providing device;
In response to the access request, using a policy provisionally registered in advance, based on attribute information of the user and the resource, an authorization determination unit that determines whether to permit access to the resource;
Based on the determination result of the authorization determination means, confirm that there is no policy setting violation in the previously provisionally registered policy, and a registration means for registering the policy without the policy setting violation as a verified policy;
A response unit that returns the determination result of the authorization determination unit using a policy that has not been violated by the policy setting to the service providing device ;
Receiving a policy setting for controlling access to the resource and creating a first partial policy ,
The service providing apparatus includes:
Receiving a policy setting for controlling access to the resource, and comprising a second policy creating means for creating a second partial policy;
The authorization determination unit of the authorization device combines the first partial policy created by the first policy creation unit and the second partial policy created by the second policy creation unit, and creates a combined policy as the temporary policy. It is an access control system that performs the authorization determination using a registered policy.
The access control system of the present invention
A service providing device for providing a service to a user;
An authorization device that performs authorization determination of an access request to the resource from the user from the service providing device, and
The authorization device is
Request accepting means for accepting an access request to the resource from the user from the service providing device;
In response to the access request, using a policy provisionally registered in advance, based on attribute information of the user and the resource, an authorization determination unit that determines whether to permit access to the resource;
Based on the determination result of the authorization determination means, confirm that there is no policy setting violation in the previously provisionally registered policy, and a registration means for registering the policy without the policy setting violation as a verified policy;
Response means for returning the determination result of the authorization determination means using the policy without violation of the policy setting to the service providing device,
The authorization determination means is an access control system that performs the authorization determination using the verified policy when there is a policy registered as the verified policy.

The authorization device of the present invention is
Request accepting means for accepting an access request to the resource from the user from a service providing apparatus that provides a service to the user;
In response to the access request, using a policy provisionally registered in advance, based on attribute information of the user and the resource, an authorization determination unit that determines whether to permit access to the resource;
Based on the determination result of the authorization determination means, confirm that there is no policy setting violation in the previously provisionally registered policy, and a registration means for registering the policy without the policy setting violation as a verified policy;
A response unit that returns the determination result of the authorization determination unit using a policy that has not been violated by the policy setting to the service providing device ;
A partial policy creating means for accepting a policy setting for access control to the resource and creating a first partial policy ;
The authorization determination means uses the combined policy obtained by combining the second partial policy for access control to the resource created by the service providing apparatus and the first partial policy as the provisionally registered policy. An authorization device that performs authorization determination.
The authorization device of the present invention is
Request accepting means for accepting an access request to the resource from the user from a service providing apparatus that provides a service to the user;
In response to the access request, using a policy provisionally registered in advance, based on attribute information of the user and the resource, an authorization determination unit that determines whether to permit access to the resource;
Based on the determination result of the authorization determination means, confirm that there is no policy setting violation in the previously provisionally registered policy, and a registration means for registering the policy without the policy setting violation as a verified policy;
Response means for returning the determination result of the authorization determination means using the policy without violation of the policy setting to the service providing device,
The authorization determination means is an authorization device that performs the authorization determination using the verified policy when there is a policy registered as the verified policy.

The service providing apparatus of the present invention
The second partial policy for creating a combined policy used by the authorization device for authorization judgment is combined with the first partial policy created by the authorization device that performs authorization judgment of access to the resource. A partial policy creating means for receiving and creating a control policy setting is provided.

The access control method of the present invention
An authorization device that performs authorization judgment on access to resources
Accepting a request for access to a resource from the user from a service providing apparatus that provides a service to the user;
In response to the access request, using a policy temporarily registered in advance, based on attribute information of the user and the resource, performs an authorization determination as to whether or not to permit access to the resource,
Based on the determination result of the authorization determination, confirm that there is no policy setting violation in the previously provisionally registered policy,
Register the policy that did not violate the policy setting as a verified policy,
The determination result of the authorization determination using the policy that did not violate the policy setting is returned to the service providing device ,
further,
The service providing apparatus accepts a policy setting for access control to the resource, creates a first partial policy,
The authorization device accepts a policy setting for access control to the resource, creates a second partial policy,
In the access control method, the authorization device performs the authorization determination using a combined policy obtained by combining the created first partial policy and the created second partial policy as the provisionally registered policy. .
Further, the access control method of the present invention includes:
An authorization device that performs authorization judgment on access to resources
Accepting a request for access to a resource from the user from a service providing apparatus that provides a service to the user;
In response to the access request, using a policy temporarily registered in advance, based on attribute information of the user and the resource, performs an authorization determination as to whether or not to permit access to the resource,
Based on the determination result of the authorization determination, confirm that there is no policy setting violation in the previously provisionally registered policy,
Register the policy that did not violate the policy setting as a verified policy,
The determination result of the authorization determination using the policy that did not violate the policy setting is returned to the service providing device,
Furthermore, in the access control method, when the authorization device has a policy registered as the verified policy, the authorization determination is performed using the verified policy.

The computer program of the present invention is:
In the computer for realizing the authorization device that performs authorization judgment of the access request to the resource from the user,
A procedure for receiving an access request to the resource from the user from a service providing apparatus that provides a service to the user;
In response to the access request, using a policy provisionally registered in advance, a procedure for determining whether to permit access to the resource based on attribute information of the user and the resource,
A procedure for confirming that there is no policy setting violation in the preliminarily registered policy based on the determination result of the authorization determination, and registering the policy without the policy setting violation as a verified policy,
A procedure for returning the determination result of the authorization determination using the policy without the policy setting violation to the service providing apparatus ;
A procedure for accepting setting of a policy for controlling access to the resource and creating a first partial policy;
A procedure for performing the authorization determination by using a combined policy obtained by combining the second partial policy for controlling access to the resource created by the service providing apparatus and the first partial policy as the temporarily registered policy; Is a program for executing
The computer program of the present invention is
In the computer for realizing the authorization device that performs authorization judgment of the access request to the resource from the user,
A procedure for receiving an access request to the resource from the user from a service providing apparatus that provides a service to the user;
In response to the access request, using a policy provisionally registered in advance, a procedure for determining whether to permit access to the resource based on attribute information of the user and the resource,
A procedure for confirming that there is no policy setting violation in the preliminarily registered policy based on the determination result of the authorization determination, and registering the policy without the policy setting violation as a verified policy,
A procedure for returning the determination result of the authorization determination using the policy without the policy setting violation to the service providing apparatus;
When there is a policy registered as the verified policy, this is a program for executing a procedure for performing the authorization determination using the verified policy.

  It should be noted that any combination of the above-described constituent elements and a conversion of the expression of the present invention between a method, an apparatus, a system, a recording medium, a computer program, etc. are also effective as an aspect of the present invention.

  The various components of the present invention do not necessarily have to be independent of each other. A plurality of components are formed as a single member, and a single component is formed of a plurality of members. It may be that a certain component is a part of another component, a part of a certain component overlaps with a part of another component, or the like.

  Moreover, although the several procedure is described in order in the method and computer program of this invention, the order of the description does not limit the order which performs a several procedure. For this reason, when implementing the method and computer program of this invention, the order of the several procedure can be changed in the range which does not interfere in content.

  Furthermore, the plurality of procedures of the method and the computer program of the present invention are not limited to being executed at different timings. For this reason, another procedure may occur during the execution of a certain procedure, or some or all of the execution timing of a certain procedure and the execution timing of another procedure may overlap.

  According to the present invention, there are provided an access control system, an access control method, an authorization device and program thereof, and a service providing device that reduce the load of prior policy creation processing.

It is a functional block diagram which shows the structure of the access control system which concerns on embodiment of this invention. It is a block diagram which shows the structure of the computer which implement | achieves each apparatus of the access control system which concerns on embodiment of this invention. It is a flowchart which shows an example of operation | movement of the access control system which concerns on embodiment of this invention. It is a functional block diagram which shows the structure of the access control system which concerns on embodiment of this invention. It is a flowchart which shows an example of operation | movement of the access control system which concerns on embodiment of this invention. It is a functional block diagram which shows the structure of the access control system which concerns on embodiment of this invention. It is a flowchart which shows an example of operation | movement of the access control system which concerns on embodiment of this invention. It is a functional block diagram which shows the structure of the access control system which concerns on embodiment of this invention. It is a flowchart which shows an example of operation | movement of the access control system which concerns on embodiment of this invention. It is a flowchart which shows an example of operation | movement of the access control system which concerns on embodiment of this invention. It is a functional block diagram which shows the structure of the access control system which concerns on embodiment of this invention. It is a flowchart which shows an example of operation | movement of the access control system which concerns on embodiment of this invention. It is a functional block diagram which shows the structure of the access control system which concerns on embodiment of this invention. It is a flowchart which shows an example of operation | movement of the access control system which concerns on embodiment of this invention. It is a functional block diagram which shows the structure of the access control system which concerns on embodiment of this invention. It is a flowchart which shows an example of operation | movement of the access control system which concerns on embodiment of this invention. It is a functional block diagram which shows the structure of the access control system which concerns on embodiment of this invention. It is a flowchart which shows an example of operation | movement of the access control system which concerns on embodiment of this invention. It is a flowchart which shows an example of the procedure of the policy creation process of the access control system which concerns on embodiment of this invention. It is a flowchart which shows an example of the procedure of the authorization determination process of the access control system which concerns on embodiment of this invention. It is a block diagram which shows the structure of the system of a nonpatent literature description. It is a block diagram which shows the structure of the system of a nonpatent literature description.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In all the drawings, the same reference numerals are given to the same components, and the description will be omitted as appropriate.

(First embodiment)
FIG. 1 is a functional block diagram showing a configuration of an access control system 1 according to the embodiment of the present invention.
The access control system 1 according to the present embodiment includes a service providing apparatus 100 that provides a service to the user 3, and an authorization apparatus 200 that performs an authorization determination on an access request from the service providing apparatus 100 to the resource 10 from the user 3. Prepare.

  The service providing apparatus 100 is a so-called service provider (SP) and provides various services to the user 3. The authorization device 200 is a so-called identity provider (IdP), centrally manages the information of the user 3, and performs processing such as authentication of the user 3 and authorization determination instead of the service providing device 100. The service providing apparatus 100 entrusts the authorization apparatus 200 to the authorization apparatus 200 for authentication or authorization determination processing of the user 3.

  The authorization device 200 uses the request accepting unit 202 that accepts an access request from the service providing device 100 to the resource 10 from the user 3 and a policy that is provisionally registered in response to the access request. An authorization determination unit 208 that performs an authorization determination as to whether or not to permit access to the resource 10 based on the attribute information of the ten, and a policy setting violation in a policy that has been temporarily registered based on the determination result of the authorization determination unit 208 A registration unit (policy storage unit 210, authorization determination unit 208) for registering a policy without a policy setting violation as a verified policy, and an authorization determination unit using the policy with no policy setting violation. And a response unit 212 that returns the determination result of 208 to the service providing apparatus 100.

  More specifically, the authorization device 200 includes a request receiving unit 202, a user information storage unit (shown as “user information” in the figure) 204, a resource information storage unit (shown as “resource information” in the figure) 206, An authorization determination unit 208, a policy storage unit 210, and a response unit 212 are provided.

  As shown in FIG. 2, for example, the service providing apparatus 100 or the authorization apparatus 200 includes a CPU 120, a memory 122, a hard disk 124, and a communication device (a network communication unit 126 that connects to and communicates with the network 5), and includes a keyboard and a mouse. It can be realized using a server computer or a personal computer connected to an input device 150 such as a display, a display device 152 such as a display, an output device (not shown) such as a printer, or a device corresponding thereto.

  The service providing apparatus 100 or the authorization apparatus 200 further includes an operation receiving unit 128 that receives an input from the input device 150 and a display control unit 130 that performs display control of the display device 152. These elements of the service providing apparatus 100 or the authorization apparatus 200 are connected to each other via a bus 134. Then, the CPU 120 controls the service providing apparatus 100 or the entire authorization apparatus 200 together with each element. And CPU120 reads the program memorize | stored in the hard disk 124, and it can implement | achieve each function of each unit of the service provision apparatus of each figure of this invention, or an authorization apparatus by executing. In addition, in each figure, it has abbreviate | omitted about the structure of the part which is not related to the essence of this invention, and is not showing in figure.

  The computer program according to the present embodiment responds to an access request, a procedure for receiving an access request from the service providing apparatus 100 that provides a service to the user 3 to the resource 10 to the computer for realizing the authorization apparatus 200. Then, using a policy temporarily registered in advance, based on the attribute information of the user 3 and the resource 10, based on the procedure for determining whether to permit access to the resource 10, the determination result of the authorization determination The procedure for confirming that there is no policy setting violation in the policy that has been provisionally registered in advance, and for registering the policy that has not been violated as a verified policy, the result of the authorization decision using the policy that did not have a policy setting violation Is sent to the service providing apparatus 100.

  The computer program of this embodiment may be recorded on a computer-readable recording medium. The recording medium is not particularly limited, and various forms can be considered. The program may be loaded from a recording medium into a computer memory, or downloaded to a computer through a network and loaded into the memory.

  In the following embodiments, the computer program of the present invention similarly executes the procedure of the flowchart of each figure on the computer for realizing each function of each unit of the service providing apparatus and the authorization apparatus of each figure. To be described.

  In the present embodiment, one user 3, one service providing apparatus 100, and one authorization apparatus 200 are illustrated, but the present invention is not limited to this. In the present embodiment, a plurality of service providing apparatuses 100 perform distributed processing and provide services to a plurality of users 3. The plurality of authorization devices 200 perform distributed processing and respond to requests from the plurality of service providing devices 100. That is, the service providing apparatus 100 or the authorization apparatus 200 can be realized by a virtual server or the like. The service providing apparatus 100 and the authorization apparatus 200 are connected to each other via the network 5 (FIG. 2).

  In the authorization device 200 of FIG. 1, the request receiving unit 202 receives a request for access to the resource 10 from the user 3 from the service providing device 100. The user information storage unit 204 stores attribute information of the user 3. The user 3 is an end user that the service providing apparatus 100 provides a service. The information stored in the user information storage unit 204 includes, for example, invariant information such as the user ID, address, and telephone number of the user 3, the location information of the user 3, the time when the user 3 is accessing, and the service of the user 3 Includes variable information such as usage fee payment status. The service providing apparatus 100 corresponds to XEPML (eXtensible Access Control Markup Language) PEP (Policy Enforce Point).

  The resource information storage unit 206 stores attribute information of the resource 10. Information stored in the resource information storage unit 206 includes, for example, identification information of the resource 10, attribute information such as data type, creation or registration date, title, creation source, storage location, and access to the resource 10. This includes information such as the attribute information of the user to be prohibited, the level at which access is permitted or prohibited (reference only, changeable, etc.), the time period during which access is permitted or prohibited, and the access conditions for the resource 10. The user information storage unit 204 and the resource information storage unit 206 correspond to XIPML PIP (Policy Information Point).

  In response to the access request from the service providing apparatus 100, the authorization determination unit 208 uses the policy temporarily registered in the policy storage unit 210 to store the attribute information and resources of the user 3 stored in the user information storage unit 204. Based on the attribute information of the resource 10 stored in the information storage unit 206, an authorization determination as to whether or not to permit access to the resource 10 is performed. It corresponds to PDP (Policy Decision Point) of XACML.

The policy defines, for example, an access right to the resource 10 and describes a criterion for determining whether the authorization device 200 permits or rejects access when performing access control. The policy includes information such as who can access the resource 10 with what authority.
The policy includes, for example, “access source entity”, “access destination resource”, “resource processing (Read / Write, etc.)”, “execution condition (valid period, etc.)”, and the like.

  The policy storage unit 210 stores a policy temporarily registered in advance. Further, the authorization determination unit 208 confirms that there is no policy setting violation in the temporarily registered policy based on the determination result, and registers the policy without the policy setting violation in the policy storage unit 210 as the verified policy. To do. The policy storage unit 210 corresponds to a PAP (Policy Administration Point) in XACML.

  Preliminarily registered policies stored in the policy storage unit 210 include those that have been temporarily registered and that have not yet been verified as to whether the authorization device 200 is suitable for making an authorization decision. Can do. The policy temporarily registered in advance can include a policy set based on information held by either the authorization device 200 or the service providing device 100, for example. That is, the provisionally registered policy is one in which items necessary for authorization determination are not set, one set to refer to user information that the authorization device 200 does not have for determination, or a plurality of policies Policies that violate policy settings, such as those in which there are conflicting policies (for example, both a white list and a black list exist) can be included.

  The user information storage unit 204, the resource information storage unit 206, and the policy storage unit 210 can use the hard disk 124 of FIG. Alternatively, the user information storage unit 204, the resource information storage unit 206, and the policy storage unit 210 are stored in the authorization device 200 via another storage device (not shown) connected to the authorization device 200 or the network 5 (FIG. 2). An accessible storage device (not shown) may be used.

  The response unit 212 returns the determination result of the authorization determination unit 208 using the policy for which there is no policy setting violation to the service providing apparatus 100.

  In the configuration as described above, an access control method in the access control system 1 of the present embodiment will be described below. FIG. 3 is a flowchart showing an example of the operation of the access control system 1 of the present embodiment. Hereinafter, description will be made with reference to FIGS. 1 and 3.

  In the access control method according to the embodiment of the present invention, the request reception unit 202 (FIG. 1) of the authorization device 200 that performs authorization judgment of access to the resource 10 (FIG. 1) provides a service to the user 3 (FIG. 1). An access request (authorization request) to the resource 10 from the user 3 is received from the service providing apparatus 100 (FIG. 1) to be provided (step S101 in FIG. 3). In response to the access request (authorization request), the authorization determination unit 208 (FIG. 1) of the authorization device 200 uses the policy provisionally registered in advance, to the resource 10 based on the attribute information of the user 3 and the resource 10. An authorization determination is made as to whether or not access is permitted (step S103 in FIG. 3). The authorization determination unit 208 (FIG. 1) of the authorization device 200 confirms that there is no policy setting violation in the policy temporarily registered based on the determination result of the authorization determination (step S105 in FIG. 3), and the policy setting violation. 3 (NO in step S105 in FIG. 3), is registered as a verified policy (step S107 in FIG. 3), and the determination result of the authorization determination using the policy with no policy setting violation is stored in the service providing apparatus 100. A reply is made (step S109 in FIG. 3). Then, this process ends.

If a policy setting violation is confirmed (YES in step S105 in FIG. 3), the policy used for the authorization determination is not registered as a verified policy, and the process ends.
In addition, a policy for which a policy setting violation has been confirmed may be deleted from the policy storage unit 210. Alternatively, it may be recorded in the policy storage unit 210 as a policy setting violation policy.

  As described above, according to the access control system 1 according to the embodiment of the present invention, since the authorization device 200 does not verify the policy in advance, the policy creation load is reduced. In addition, it is possible to confirm whether or not the policy is set correctly by performing an authorization determination process using an unverified provisionally registered policy. Even in a situation where the authorization device 200 and the service providing device 100 do not exchange information regarding authorization processing entrustment in advance, the authorization device 200 and the service providing device 100 can entrust authorization determination by dynamically exchanging policies. Can be realized.

(Second Embodiment)
FIG. 4 is a functional block diagram showing the configuration of the access control system 1 according to the embodiment of the present invention.
The access control system 1 according to the present embodiment is different from the above-described embodiment in that a combined policy created by combining partial policies created by the service providing apparatus 300 and the authorization apparatus 220 is used for authorization determination.

  In the access control system in the distributed system, since the service providing apparatus 300 entrusts management of user information to the authorization apparatus 220, the service providing apparatus 300 does not have user information. Therefore, since it is difficult for the service providing apparatus 300 to grasp what user information exists, it is difficult to grasp the contents described in the policy, and what information may be set in the policy. I don't know.

  Therefore, in this embodiment, without exchanging information in advance between the service providing apparatus 300 and the authorization apparatus 220, using the partial policies created by each, a combined policy is created and used for authorization determination. It is possible to set a more appropriate policy while reducing the policy creation load.

  In the present embodiment, the authorization device 220 further includes a first policy creation unit 222 that accepts a policy setting for access control to the resource 10 from the service providing device 300 and creates a first partial policy.

  The service providing apparatus 300 is combined with the first partial policy created by the authorization apparatus 220 that performs authorization judgment of access to the resource 10 and the second part for creating the joint policy used by the authorization apparatus 220 for authorization judgment. A second policy creation unit 302 is provided that creates a policy upon accepting a policy setting for controlling access to the resource 10.

  Then, the authorization determination unit 208 includes a second partial policy for controlling access to the resource 10 created by the second policy creation unit 302 of the service providing apparatus 300, a first partial policy created by the first policy creation unit 222, The authorization policy is determined using the combined policy obtained by combining the two as a temporarily registered policy.

  More specifically, the authorization device 220 includes a user information storage unit 204, a resource information storage unit 206, an authorization determination unit 208, and a policy storage unit 210 similar to those of the authorization device 200 of the above embodiment of FIG. The first policy creating unit 222 and the combined policy obtaining unit 224 are provided. The service providing apparatus 300 and the authorization apparatus 220 according to the present embodiment can also include configurations similar to those of the service providing apparatus 100 and the authorization apparatus 200 according to the above-described embodiment illustrated in FIG. This can be done, but is omitted here.

In the authorization device 220, the first policy creation unit 222 receives, for example, a policy setting for controlling access to the resource 10 from the administrator of the authorization device 220, and creates a second partial policy based on the accepted setting.
In the authorization device 220, an access control policy defined by the IdP itself is formulated, and the first policy creation unit 222 receives the setting of the policy. The policy created by the first policy creation unit 222 need not specify all policy elements required for the authorization device 220 to execute access control. Some policy elements may not be defined. For example, it is not necessary to define “access destination resource information” in the policy. The policy first developed by this IdP is called a first partial policy.

  The second policy creating unit 302 of the service providing apparatus 300 receives, for example, a policy setting for controlling access to the resource 10 from the administrator of the service providing apparatus 300, and creates a second partial policy based on the received setting. This second partial policy is a policy defined by the SP itself based on information held by the SP.

  The policy setting in the second policy creation unit 302 of the service providing device 300 and the first policy creation unit 222 of the authorization device 220 is performed by, for example, displaying a policy setting screen (not shown) on the display device 152 (FIG. 2) of each device. indicate. The policy setting screen can present the resource 10 and user 3 attribute information in the range possessed by each device, and various information possessed by each provider (SP or IdP). The administrator performs a policy setting operation using the input device 150 (FIG. 2) while referring to the information presented on the policy setting screen. The first policy creation unit 222 and the second policy creation unit 302 receive an administrator setting operation via the operation reception unit 128 (FIG. 2). Various user interfaces can be considered for the policy setting contents and the operation method, but the detailed description is omitted because it does not relate to the essence of the present invention.

  The combined policy acquisition unit 224 includes the second partial policy for access control to the resource 10 created by the second policy creation unit 302 of the service providing apparatus 300 and the first partial policy created by the first policy creation unit 222. Get the combined policy. Various specific policy combining methods and obtaining methods are conceivable and will be described in detail in an embodiment described later. The combined policy acquisition unit 224 stores the acquired combined policy in the policy storage unit 210, and the authorization determination unit 208 uses it for authorization determination. This combined policy is not verified in advance, is stored in the policy storage unit 210 of the authorization device 220, and is used at the time of authorization determination as described in the above embodiment.

  For example, the combining policy is combined with the second partial policy by adding a policy element not defined by IdP to the first partial policy or by overwriting the first partial policy defined by IdP. A join policy is created.

  The computer program of this embodiment is described so that the computer for implement | achieving each function of each unit of the service provision apparatus mentioned above and the authorization apparatus may perform the following procedures.

  The computer program of this embodiment is combined with the first partial policy created by the authorization device 220 that performs authorization judgment of access to the resource 10 in the computer for realizing the service providing device 300, and the authorization device 220 authorizes the computer program. It is described that the second partial policy for creating the combined policy used for the determination is received by setting the policy for controlling access to the resource 10 and the procedure for creating the second partial policy is executed.

  In addition, the computer program according to the present embodiment is created by the service providing apparatus 300, a procedure for accepting the policy setting for access control to the resource 10 to the computer for realizing the authorization apparatus 220 and creating the first partial policy. It is described to execute a procedure for performing authorization determination using a combined policy obtained by combining the second partial policy for controlling access to the resource 10 and the first partial policy as a temporarily registered policy.

  An access control method in the access control system 1 of the present embodiment configured as described above will be described below. FIG. 5 is a flowchart showing an example of the operation of the access control system 1 of the present embodiment. Hereinafter, a description will be given with reference to FIGS. 4 and 5.

  In the access control method according to the embodiment of the present invention, the second policy creating unit 302 (FIG. 4) of the service providing apparatus 300 accepts the setting of the policy for controlling access to the resource 10 (FIG. 4), and the second part The policy is created (step S301 in FIG. 5), and the first policy creation unit 222 (FIG. 4) of the authorization device 220 accepts the policy setting for access control to the resource 10 and creates the first partial policy (FIG. 5). 5, the authorization determination unit 208 (FIG. 4) of the authorization device 220 uses the second partial policy created by the second policy creation unit 302 of the service providing device 300 and the first policy creation unit 222 of the authorization device 220. The authorization determination is performed using the combined policy obtained by combining the first partial policy created by the above as a temporarily registered policy (not shown).

  More specifically, in the access control system 1 of the present embodiment, the second policy creation unit 302 of the service providing apparatus 300 accepts policy settings from the administrator of the service providing apparatus 300, and the second part according to the accepted settings. A policy is created (step S301 in FIG. 5).

  Also, the first policy creation unit 222 of the authorization device 220 receives policy settings from the administrator of the authorization device 220, and creates a first partial policy according to the received settings (step S221 in FIG. 5).

  Then, the combined policy acquisition unit 224 of the authorization device 220 uses the second partial policy created by the second policy creation unit 302 of the service providing device 300 and the first partial policy created by the first policy creation unit 222 of the authorization device 220. , And a combined policy is acquired (step S223 in FIG. 5).

Then, the combined policy acquisition unit 224 of the authorization device 220 registers the acquired combined policy in the policy storage unit 210 (FIG. 4) of the authorization device 220 (step S225 in FIG. 5).
The authorization determination unit 208 (FIG. 4) of the authorization device 200 performs authorization determination using the policy provisionally registered in step S225 of FIG. 5 (not shown).

  As described above, according to the access control system 1 according to the embodiment of the present invention, the same effect as the above embodiment can be obtained, and the authorization device 220 and the service providing device 300 can create the partial policies respectively created. Since the coupling policy is originally created, it is not necessary for the service providing apparatus 300 to acquire and manage the information in the user information storage unit 204 and the resource information storage unit 206 held by the authorization device 220 in advance. Therefore, the service providing apparatus 300 can easily set a policy based only on the information held by the service providing apparatus 300, so that the load of the policy creation process can be reduced.

  Furthermore, according to the present embodiment, the second partial policy created by the service providing apparatus 300 is combined with the first partial policy created by the authorization apparatus 220 based on the attribute information of the user 3 or the resource 10 as a combined policy. Used for authorization decision. Therefore, since the combined policy can be dynamically created based on not only the information held by the service providing apparatus 300 but also the information held by the authorization apparatus 220, a more appropriate policy can be set.

(Third embodiment)
FIG. 6 is a functional block diagram showing the configuration of the access control system 1 according to the embodiment of the present invention.
The access control system 1 of the present embodiment is different from the above-described embodiment of FIG. 4 in that a combined policy used for authorization determination created by combining partial policies created by the service providing apparatus 310 and the authorization apparatus 230, respectively, It differs in that the authorization device 230 creates it. In this embodiment, the authorization policy is created by the authorization device. However, as described in other embodiments described later, the service providing device may create the coupling policy.

In the access control system 1 of the present embodiment, the service providing apparatus 310 includes a second policy creating unit 302 similar to the service providing apparatus 300 of the above embodiment of FIG. 4 and further includes a partial policy transmitting unit 312.
The authorization device 230 includes a user information storage unit 204, a resource information storage unit 206, an authorization determination unit 208, a policy storage unit 210, and a first policy creation unit 222 similar to the authorization device 220 of the above embodiment of FIG. Further, a partial policy receiving unit 232 and a combined policy creating unit 234 are provided.
Although not shown in FIG. 6, the authorization device 230 of the present embodiment can include a request reception unit 202 and a response unit 212 that are the same as the authorization device 200 of FIG. 1.

  In the present embodiment, the service providing apparatus 310 includes a second policy creation unit 302 that accepts a policy setting for access control to the resource 10 and creates a second partial policy. Furthermore, the service providing apparatus 310 includes a partial policy transmission unit 312 that transmits the second partial policy created by the second policy creation unit 302 to the authorization device 230.

The authorization device 230 receives from the service providing device 310 the setting of the partial policy receiving unit 232 that receives the second partial policy for access control to the resource 10, and the access control policy for the resource 10, and sets the first partial policy. The policy creating unit (first policy creating unit 222) to be created, the second partial policy received by the partial policy receiving unit 232, and the first partial policy created by the first policy creating unit 222 are combined, and a combined policy is obtained. And a combined policy creating unit 234 for creating.
In addition, the authorization determination unit 208 performs an authorization determination using the combined policy created by the combined policy creation unit 234 as a temporarily registered policy.

  For example, the combined policy creating unit 234 adds or overwrites the second partial policy received by the partial policy receiving unit 232 from the service providing apparatus 310 to the first partial policy created by the first policy creating unit 222 and combines them. The policy can be completed.

  An access control method in the access control system 1 of the present embodiment configured as described above will be described below. FIG. 7 is a flowchart showing an example of the operation of the access control system 1 of the present embodiment. Hereinafter, a description will be given with reference to FIGS. 6 and 7.

  In the access control method according to the embodiment of the present invention, the second policy creating unit 302 (FIG. 6) of the service providing apparatus 310 accepts the setting of the policy for controlling access to the resource 10 (FIG. 6), and the second part The policy is created (step S301 in FIG. 7), and the first policy creation unit 222 (FIG. 6) of the authorization device 230 accepts the policy setting for access control to the resource 10 and creates the first partial policy (FIG. 7). 7, the combined policy creation unit 234 (FIG. 6) of the authorization device 230 creates the second partial policy created by the second policy creation unit 302 of the service providing device 310 and the first policy creation unit of the authorization device 230. The first partial policy created by 222 is joined to create a joined policy (step S233 in FIG. 7), and the authorization determination unit 208 (FIG. 6) of the authorization device 230 receives the authorization device 2 Performing authorization decision using binding policy binding policy creation unit 234 creates a 0 as the temporary registered policy.

  More specifically, as shown in FIG. 7, in the access control system 1 of the present embodiment, the second policy creating unit 302 (FIG. 6) of the service providing apparatus 310 creates the second partial policy (FIG. 7). Step S301). Then, the partial policy transmission unit 312 (FIG. 6) of the service providing device 310 transmits the second partial policy created by the second policy creation unit 302 to the authorization device 230 (FIG. 6) (step S311 in FIG. 7).

Further, the first policy creation unit 222 (FIG. 6) of the authorization device 230 accepts the policy setting for access control to the resource 10 and creates the first partial policy (step S221 in FIG. 7). Then, the partial policy receiving unit 232 (FIG. 6) of the authorization device 230 receives the second partial policy from the service providing device 310 (step S231 in FIG. 7). Then, the combined policy creation unit 234 (FIG. 6) of the authorization device 230 combines the received second partial policy and the first partial policy created by the first policy creation unit 222 to create a combined policy (FIG. 7). Step S233). Then, the combined policy creation unit 234 (FIG. 6) of the authorization device 230 registers the created combined policy in the policy storage unit 210 (FIG. 6) of the authorization device 230 (step S235 in FIG. 7).
Then, the authorization determination unit 208 (FIG. 6) of the authorization device 230 performs authorization determination using the combined policy registered in the policy storage unit 210 of the authorization device 230 as a temporarily registered policy (not shown).

  As described above, according to the access control system 1 according to the embodiment of the present invention, the same effect as in the above embodiment can be obtained, and the partial policy created by the authorization device 230 and the service providing device 310 can be obtained. Since the connection policy is originally created, it is not necessary for the service providing apparatus 310 to acquire and manage the information in the user information storage unit 204 and the resource information storage unit 206 held by the authorization device 230 in advance. Therefore, since the service providing apparatus 310 can set a policy based only on the information held by the service providing apparatus 310, the load of the policy creation process can be reduced.

  Furthermore, according to the present embodiment, the second partial policy created by the service providing device 310 is combined with the first partial policy created by the authorization device 230 based on the attribute information of the user 3 or the resource 10 as a combined policy. Used for authorization decision. Therefore, since the combined policy can be dynamically created based on not only the information held by the service providing apparatus 310 but also the information held by the authorization apparatus 230, it is possible to set a more appropriate policy.

(Fourth embodiment)
FIG. 8 is a functional block diagram showing the configuration of the access control system 1 according to the embodiment of the present invention.
The access control system 1 of this embodiment is different from the above-described embodiment of FIG. 6 in that the service providing apparatus 320 generates a coupling policy.

  In the access control system 1 of the present embodiment, the service providing apparatus 320 includes a second policy creating unit 302 similar to the service providing apparatus 310 of the above embodiment of FIG. 6, and further includes a first policy receiving unit 322, A combined policy creation unit 324 and a combined policy transmission unit 326 are provided.

  Further, the authorization device 240 is the same as the authorization device 230 of the above embodiment of FIG. 6, the first policy creation unit 222, the user information storage unit 204, the resource information storage unit 206, the authorization determination unit 208, and the policy storage And a combined policy creation instructing unit 242 and a combined policy receiving unit 244.

  In the service providing apparatus 320, the first policy reception unit 322 that receives the first policy created by the authorization device 240, the second partial policy created by the second policy creation unit 302, and the first policy reception from the authorization device 240. A combining policy creating unit 324 that combines the first partial policy received by the unit 322 and creates a joining policy; a joining policy transmitting unit 326 that transmits the joining policy created by the joining policy creating unit 324 to the authorization device 240; Is provided.

  The combined policy creation unit 324 appends or overwrites the first partial policy received by the first policy reception unit 322 from the authorization device 240 to the second partial policy created by the second policy creation unit 302, and creates the combined policy. Can be completed.

The authorization device 240 transmits the first partial policy created by the first policy creation unit 222 to the service providing device 320, and combines the second partial policy created by the service providing device 320 and the transmitted first partial policy. A combination policy creation instruction unit 242 that instructs the service providing apparatus 320 to create a combination policy, and a combination policy reception unit 244 that receives the combination policy from the service providing apparatus 320.
In addition, the authorization determination unit 208 performs an authorization determination using the combined policy received by the combined policy reception unit 244 as a temporarily registered policy.

  An access control method in the access control system 1 of the present embodiment configured as described above will be described below. FIG. 9 is a flowchart showing an example of the operation of the access control system 1 of the present embodiment. Hereinafter, description will be made with reference to FIGS.

  First, the second policy creating unit 302 (FIG. 8) of the service providing apparatus 320 accepts the policy setting for access control to the resource 10 (FIG. 8), and creates the second partial policy (step S301 in FIG. 9). The first policy creation unit 222 (FIG. 8) of the authorization device 240 receives the policy setting for access control to the resource 10 and creates the first partial policy (step S221 in FIG. 9).

  Then, the combined policy creation instruction unit 242 (FIG. 8) of the authorization device 240 transmits the first partial policy created by the first policy creation unit 222 of the authorization device 240 to the service providing device 320. Then, the combined policy creation instruction unit 242 of the authorization device 240 sends an instruction to combine the second partial policy created by the service providing device 320 and the received first partial policy to the service providing device 320. This is performed (step S241 in FIG. 9).

  The first policy receiving unit 322 (FIG. 8) of the service providing apparatus 320 receives the first policy created by the authorization device 240 from the authorization device 240 (step S321 in FIG. 9). Then, the combined policy creation unit 324 (FIG. 8) of the service providing device 320 receives the second partial policy created by the second policy creation unit 302 of the service providing device 320 and the first policy reception unit 322 of the authorization device 240. The first partial policy is combined to create a combined policy (step S323 in FIG. 9). Then, the combined policy transmission unit 326 (FIG. 8) of the service providing apparatus 320 transmits the combined policy created by the combined policy creating unit 324 of the service providing apparatus 320 to the authorization device 240 (step S325 in FIG. 9).

Then, the combined policy receiving unit 244 (FIG. 8) of the authorization device 240 receives the combined policy from the service providing device 320 (step S243 in FIG. 9). Then, the combined policy reception unit 244 (FIG. 8) of the authorization device 240 registers the created combined policy in the policy storage unit 210 (FIG. 8) of the authorization device 240 (step S245 in FIG. 9).
The authorization determination unit 208 (FIG. 8) of the authorization device 240 performs authorization judgment using the combined policy registered in the policy storage unit 210 of the authorization device 240 as a temporarily registered policy (not shown).

  As described above, according to the access control system 1 of the embodiment of the present invention, the same effect as that of the above embodiment can be obtained, and the authorization device 240 and the service providing device 320 can be based on the partial policies created respectively. Therefore, it is not necessary for the service providing apparatus 320 to acquire and manage the information in the user information storage unit 204 and the resource information storage unit 206 held by the authorization device 240 in advance. Therefore, since the service providing apparatus 320 can set a policy based only on the information held by the service providing apparatus 320, the load of the policy creation process can be reduced.

  Further, according to the present embodiment, the second partial policy created by the service providing device 320 is combined with the first partial policy created by the authorization device 240 based on the attribute information of the user 3 or the resource 10 as a combined policy. Used for authorization decision. Therefore, since the combined policy can be dynamically created based on not only the information held by the service providing device 320 but also the information held by the authorization device 240, a more appropriate policy can be set.

(Fifth embodiment)
The access control system 1 of the present embodiment is different from the above embodiment in that a verified policy is used for authorization determination.
In the access control system 1 of the present embodiment, the service providing device and the authorization device can have the same configuration as that of any of the above-described embodiments of FIG. 1, FIG. 4, FIG. 6, and FIG.
In the following description, it will be described as having the configuration of the embodiment of FIG.

In the present embodiment, the authorization device 200 includes a policy storage device (policy storage unit 210) that stores a policy used for authorization determination as to whether or not to permit access to the resource 10.
In addition, when there is a policy registered as a verified policy, the authorization determination unit 208 of the authorization device 200 performs an authorization determination using the verified policy.

An access control method in the access control system 1 of the present embodiment configured as described above will be described below.
FIG. 10 is a flowchart showing an example of the operation of the access control system 1 of the present embodiment. Hereinafter, description will be made with reference to FIGS. 1 and 10.

  In the access control method of this embodiment, when there is a policy registered as a verified policy, the authorization device 200 (FIG. 1) performs authorization determination using the verified policy (step S113 in FIG. 10).

  More specifically, the access control method of this embodiment includes steps S101 and S105 to S109 similar to those in the flowchart of the above-described embodiment of FIG. 3, and further includes steps S111 to S115 of FIG. Have. In FIG. 10, steps S105 to S109 are omitted.

  As shown in FIG. 10, first, an authorization device 200 (FIG. 1) that performs authorization determination of access to the resource 10 (FIG. 1) provides a service to the user 3 (FIG. 1). ) Receives an access request (authorization request) to the resource from the user 3 (step S101 in FIG. 10).

  In response to the access request (authorization request), the authorization determination unit 208 (FIG. 1) of the authorization device 200 refers to the policy storage unit 210 (FIG. 1) to determine whether there is a policy registered as a verified policy. Is determined (step S111 in FIG. 10). When there is a verified policy (YES in step S111 in FIG. 10), the authorization determination unit 208 of the authorization device 200 performs an authorization determination using the verified policy (step S113 in FIG. 10). Then, after step S113 in FIG. 10, the process proceeds to step S109 in FIG. 3, and the determination result of the authorization determination is returned to the service providing apparatus 100.

  If there is no verified policy (NO in step S111 in FIG. 10), the authorization determination unit 208 of the authorization device 200 performs an authorization determination using the policy temporarily registered in the policy storage unit 210 (step in FIG. 10). S115). Then, after step S115 in FIG. 10, the process proceeds to step S105 in FIG.

  If it is known that the policy stored in the policy storage unit 210 is a verified policy, the determination process in step S111 and step S115 in FIG. 10 are not necessary. Further, the processing in step S105 and step S107 in FIG. 3 is also unnecessary.

  As described above, according to the access control system 1 of the embodiment of the present invention, the same effect as that of the above embodiment can be obtained, and the authorization determination can be performed using the verified policy. Since the violation is eliminated, the policy setting violation determination procedure is not required, the authorization determination process can be simplified with an appropriate policy, and the load of the authorization determination process can be reduced.

(Sixth embodiment)
FIG. 11 is a functional block diagram showing the configuration of the access control system 1 according to the embodiment of the present invention.
The access control system 1 of the present embodiment is different from the above embodiment in that the service providing apparatus 340 has a configuration for realizing a function of providing a service in response to an access request to the resource 10 from the user 3. To do.

  In addition to the components of the service providing apparatus 100 of the access control system 1 of the above-described embodiment of FIG. 1, the service providing apparatus 340 of the present embodiment further includes an authorization request unit 342, a result receiving unit 346, and a service providing unit 348. And comprising. In FIG. 11, the configuration of FIG. 1 is omitted. The access control system 1 according to this embodiment includes the authorization device 200 according to the above-described embodiment illustrated in FIG. 1, but may include the authorization device according to the above-described embodiment according to FIG. 4, FIG. 6, or FIG.

  The service providing apparatus 340 according to the present embodiment includes an authorization request unit 342 that requests the authorization apparatus 200 to determine authorization for access to the resource 10 in response to an access request to the resource 10 from the user 3, and the authorization apparatus 200. The authorization determination result receiving unit (result receiving unit 346) that receives the result of the authorization determination of access to the resource 10 from the user, and responds to the access request from the user 3 according to the authorization determination result received by the result receiving unit 346 And an access execution unit (service providing unit 348) that executes access to the resource 10 to be performed.

More specifically, in the service providing apparatus 340, the authorization request unit 342 requests authorization for access to the resource 10 from the authorization apparatus 200 in response to an access request to the resource 10 from the user 3.
The result receiving unit 346 receives the result of the authorization determination for access to the resource 10 from the authorization device 200.
The service providing unit 348 executes access to the resource 10 corresponding to the access request from the user 3 according to the authorization determination result received by the result receiving unit 346.

The operation of the access control system 1 of the present embodiment configured as described above will be described below.
FIG. 12 is a flowchart showing an example of the operation of the access control system 1 of the present embodiment. Hereinafter, a description will be given with reference to FIGS. 11 and 12.

  First, the user 3 (FIG. 11) makes a service access request to the service providing apparatus 340 (FIG. 11) (step S401 in FIG. 12). For example, an access request is made from the user 3 by accessing a website (not shown) and performing an operation of downloading a certain content on the terminal (not shown) of the user 3.

  In response to the access request from the user 3 (YES in step S501 in FIG. 12), the authorization request unit 342 of the service providing apparatus 340 requests authorization determination from the authorization apparatus 200 (FIG. 11). (Step S503 in FIG. 12).

  Then, the authorization device 200 performs authorization judgment as described with reference to FIG. 3 or 10 of the above embodiment, and the result is returned to the service providing device 340. The result receiving unit 346 (FIG. 11) of the service providing apparatus 340 receives the determination result from the authorization apparatus 200 (step S505 in FIG. 12).

  Then, referring to the received determination result, when access to the resource 10 is permitted (YES in step S507 in FIG. 12), the service providing unit 348 (FIG. 11) of the service providing apparatus 340 accesses the resource 10. The service is provided to the user 3 (step S509 in FIG. 12).

  On the other hand, referring to the received determination result, when access to the resource 10 is prohibited (NO in step S507 in FIG. 12), the service providing unit 348 of the service providing apparatus 340 notifies the user 3 that access is not possible ( Step S511 in FIG. 12). For example, the service providing unit 348 displays a notification message indicating that the user 10 does not have access rights to the resource 10 on the screen of a display (not shown) of the terminal of the user 3.

  The terminal of the user 3 receives the service provided from the service providing apparatus 340 and the notification of inaccessibility (step S403 in FIG. 12). For example, when access to the resource 10 is possible, the terminal of the user 3 can access and download the resource 10.

As described above, according to the access control system 1 of the present embodiment, the same effect as that of the above embodiment can be obtained, and authorization determination can be performed with an appropriate policy in response to an access request from the user 3 to the resource 10. The service can be quickly provided to the user 3.
(Seventh embodiment)
FIG. 13 is a functional block diagram showing the configuration of the access control system 1 according to the embodiment of the present invention.
The access control system 1 according to the present embodiment is different from the above-described embodiment in that the policy is reset when there is a policy setting violation as a result of the authorization determination.
As shown in FIG. 13, the access control system 1 of this embodiment includes an authorization device 260 and a service providing device 350.

  As described above, in the access control system 1 of this embodiment, since only the authorization device 260 has information that can be used for authorization determination, the service providing device 350 uses which information the authorization device 260 uses for authorization determination. I do n’t know if I ’m doing it. Therefore, the authorization device 260 can properly interpret the policy set by the service providing device 350, or the service providing device 350 cannot verify.

  In addition, even if the service providing apparatus 350 sets information that the authorization apparatus 260 does not have as a policy, the authorization apparatus 260 cannot perform authorization determination. For example, the service providing apparatus 350 may create a policy that the authorization apparatus 260 cannot determine. However, since the service providing device 350 does not grasp the possession information of the authorization device 260, it cannot verify whether the authorization device 260 can determine the policy. As a result, there arises a problem that access control is not performed correctly.

  Therefore, in this embodiment, when the authorization device 260 determines that the policy set by the service providing device 350 is authorized, if the policy setting is violated, the policy is requested to the service providing device 350 to reset the policy. Let it be set.

  Here, the policy setting violation means, for example, that the policy is going to refer to user information that is not held by the authorization device 260, in which an item that is essential for authorization determination is not set in the combined policy There are conflicting policies, for example, both a white list and a black list exist.

  In the access control system 1 of this embodiment, when it is determined that there is a policy setting violation in the policy used by the authorization determination unit 208 for the authorization determination, a policy resetting unit (joint policy resetting unit 352) that resets the policy. ). The authorization determination unit 208 uses the policy reset by the combination policy resetting unit 352 as a provisionally registered policy and uses it for authorization determination until the policy used for the authorization determination confirms that there is no policy setting violation. The policy resetting unit 352 repeats the policy resetting, and the authorization determination unit 208 repeats the authorization determination using the policy reset by the combined policy resetting unit 352 as the temporarily registered policy.

Specifically, the authorization device of this embodiment has the same configuration as the authorization device of FIG. 6 or FIG. Further, the service providing apparatus of the present embodiment has the same configuration as the service providing apparatus of FIG. 6 or FIG. 8, and further has the same configuration as the service providing apparatus 340 of FIG. As shown in FIG. 13, the access control system 1 of the present embodiment further includes a combined policy resetting unit 352 in addition to the above configuration.
In the present embodiment, the combined policy resetting unit is assumed to be included in a device having the combined policy creating unit 352, either the service providing device or the authorization device. That is, in the case of FIG. 6, the authorization device 230 can include the combined policy resetting unit 352 in the case of FIG. 8, the service providing device 320.

  More specifically, in FIG. 13, the service providing apparatus 350 includes a combined policy resetting unit 352. In the figure, a service providing apparatus 350 includes a second policy creating unit 302, a first policy receiving unit 322, a combined policy creating unit 324, and a combined policy transmission similar to the service providing apparatus 320 of the above embodiment of FIG. 11, an authorization request unit 342 similar to the service providing apparatus 340 in FIG. 11, a result receiving unit 346, and a service providing unit 348, and a combined policy resetting unit 352.

  In the service providing apparatus 350, the combined policy resetting unit 352 instructs the policy resetting from the authorization device 260 when the authorization determination unit 208 of the authorization device 260 determines that there is a policy setting violation in the policy used for the authorization determination. Follow the steps below to reset the binding policy.

  In the combined policy resetting process, for example, the current policy setting information is presented to the administrator on the policy setting screen displayed on the display device 152 (FIG. 2), and the policy is changed or added. The administrator's operation to be performed can be received via the operation receiving unit 128 (FIG. 2), and the policy can be reset.

  In addition, the authorization device 260 may notify the resetting instruction by transmitting to the service providing device 350 including the item that has violated the policy setting. The service providing apparatus 350 can notify the administrator by presenting the notified policy setting violation item on the setting screen of the display device 152. The administrator can reset the policy while confirming the item that has violated the policy setting.

  Further, the authorization device 260 of the present embodiment includes a request reception unit 202, a user information storage unit 204, a resource information storage unit 206, an authorization determination unit 208, which are the same as the authorization device 200 of the embodiment of FIG. A policy storage unit 210, a response unit 212, a first policy creation unit 222 similar to the authorization device 240 of the above-described embodiment of FIG. 8, a combined policy creation instruction unit 242, and a combined policy reception unit 244 are provided. Furthermore, a combined policy resetting instruction unit 262 is provided.

  In the authorization device 260, the combined policy resetting instruction unit 262 instructs the service providing device 350 to reset the policy when the authorization determination unit 208 determines that the policy used for the authorization determination has a policy setting violation. . The policy reset by the service providing apparatus 350 is received by the combined policy reception unit 244 and used by the authorization determination unit 208 for authorization determination, as in the above embodiment.

The operation of the access control system 1 of the present embodiment configured as described above will be described below. FIG. 14 is a flowchart showing an example of the operation of the access control system 1 according to the embodiment of the present invention. Hereinafter, description will be made with reference to FIGS. 13 and 1.
In FIG. 14, the authorization device 260 performs steps S221 and S241 to S245 similar to the flowchart showing the operation of the authorization device 240 of the above embodiment of FIG. 9 in advance, and then performs the authorization of the above embodiment of FIG. Steps S101 to S109 similar to those in the flowchart showing the operation of the apparatus 200 are performed, and steps S261 and S263 are further included. The service providing apparatus 350 performs steps S301 and S321 to S325 similar to the flowchart showing the operation of the service providing apparatus 320 of the above embodiment of FIG. 9 in advance, and then the service providing apparatus of the present embodiment of FIG. Steps S351 to S359 of the flowchart showing the operation of 350 are performed.

  Specifically, first, the authorization request unit 342 (FIG. 13) of the service providing apparatus 350 responds to an access request to the resource 10 (FIG. 13) from the user 3 (FIG. 13), and the authorization device 260 (FIG. 13). 13), an authorization request is made (step S351 in FIG. 14). The request reception unit 202 (FIG. 13) of the authorization device 260 receives the authorization request from the service providing device 350 (step S101 in FIG. 14), and the authorization determination unit 208 (FIG. 13) of the authorization device 260 performs the authorization determination. (Step S103 in FIG. 14).

  Based on the determination result of the authorization determination, if there is a policy setting violation in the policy temporarily registered in advance (YES in step S105 of FIG. 14), the combined policy reset instruction unit 262 (FIG. 13) of the authorization device 260 The service providing apparatus 350 is instructed to reset the policy (step S261 in FIG. 14). Then, when the combined policy resetting unit 352 (FIG. 13) of the service providing apparatus 350 receives an instruction from the authorization device 260 (step S353 in FIG. 14), the combined policy resetting unit 352 of the service providing apparatus 350 performs the policy. Is reset (step S355 in FIG. 14). Then, the combined policy transmission unit 326 (FIG. 13) transmits the combined policy reset by the combined policy resetting unit 352 to the authorization device 260 (step S357 in FIG. 14).

  If no policy reset instruction is received in step S353 in FIG. 14, the determination result is received in step S359. In FIG. 14, it is described that the service providing apparatus 350 receives the policy resetting instruction and the determination result from the authorization apparatus 260 in steps S353 and S359, respectively, but is not limited thereto. The service providing apparatus 350 determines whether the information received from the authorization apparatus 260 is a policy reset instruction or a determination result. If the information is a policy reset instruction, the process proceeds to step S355. If the information is a determination result, the process ends. The procedure may be branched, such as proceeding to access permission determination.

  Then, the combined policy receiving unit 244 (FIG. 13) of the authorization device 260 receives the reset combined policy transmitted from the service providing device 350 (step S263 in FIG. 14). And it returns to step S103 and the authorization determination part 208 performs authorization determination using the received joint policy.

  Step S103, step S105, step S261, step S353 to step S357, and step S263 of FIG. 14 are repeated until there is no combination policy setting violation.

  In the authorization device 260, when a policy setting violation occurs in a policy that has been provisionally registered in advance (NO in step S105 in FIG. 14), the authorization determination unit 208 of the authorization device 260 verifies the policy that has not had a policy setting violation. Is registered in the policy storage unit 210 (FIG. 13) of the authorization device 200 (step S107 in FIG. 14). Then, the response unit 212 (FIG. 13) of the authorization device 260 returns the determination result of the authorization judgment using the policy for which there is no policy setting violation to the service providing device 350 (step S <b> 109 in FIG. 14). Then, the result receiving unit 346 (FIG. 13) of the service providing apparatus 350 receives the determination result from the authorization apparatus 260 (step S359 in FIG. 14).

In response to the authorization determination result thus obtained, the service providing unit 348 of the service providing apparatus 350 determines whether the user 3 can access the resource 10 and performs a service providing process (not shown).
The process after the authorization request unit 342 of the service providing apparatus 350 receives the determination result can be the same as the process after step S505 of the service providing apparatus 340 of the above embodiment of FIG.

  As described above, according to the access control system 1 of the embodiment of the present invention, the same effect as the above embodiment can be obtained, and the verified policy can be set efficiently. The reason for this is that if a policy setting violation is found from the result of the authorization decision for an unverified policy, the policy is reset, and the policy setting is repeated until there is no policy setting violation. This is because it can be registered.

(Eighth embodiment)
FIG. 15 is a functional block diagram showing the configuration of the access control system 1 according to the embodiment of the present invention.
As shown in FIG. 15, the access control system 1 of this embodiment includes an authorization device 270 and a service providing device 360.
The access control system 1 of the present embodiment is different from the above-described embodiment of FIG. 13 in policy resetting processing when it is determined that the policy setting is violated at the time of authorization determination. That is, in this embodiment, in the case of a policy setting violation, the authorization device 270 creates a combined policy based on a policy that is considered necessary for authorization determination, the service providing device 360 verifies the combined policy, and the user 3 receives the resource 10 It is determined whether to permit or prohibit access, and the result is reflected in the policy and transmitted to the authorization device 270. The authorization device 270 performs authorization determination processing.

The service providing apparatus 360 according to the present embodiment has the same configuration as the service providing apparatus 350 according to the above-described embodiment illustrated in FIG. 13, and further includes a combined policy receiving unit 362 and a combined policy verifying unit 364.
Further, the authorization device 270 of this embodiment has the same configuration as the authorization device 260 of the above-described embodiment of FIG. 13, and further includes a combined policy creation unit 272 and a combined policy transmission unit 274.
Note that only some of the components of the service providing device 350 and the authorization device 260 in FIG. 13 are shown in FIG.

  In the authorization device 270 according to the present embodiment, when the combined policy creation unit 272 determines that the policy setting has been violated when the authorization determination unit 208 performs an authorization determination using the policy temporarily registered in the policy storage unit 210. Create a join policy.

  Here, the combined policy created by the combined policy creating unit 272 includes information on the status of access that the authorization device 270 is currently trying to determine, for example, access source entity, access destination resource, and resource processing (Read / Write, etc.) ), Execution conditions (valid period, etc.).

The combined policy transmission unit 274 transmits the combined policy created by the combined policy creation unit 272 to the service providing device 360.
The combination policy receiving unit 362 of the service providing apparatus 360 receives the combination policy transmitted from the authorization apparatus 270. The combined policy verifying unit 364 verifies the status information from the combined policy received by the combined policy receiving unit 362 and determines whether or not the user 3 is permitted to access the resource 10. Then, the combined policy verification unit 364 defines the result as a new combined policy, passes the result to the combined policy transmission unit 326, and causes the authorization device 270 to transmit the result.

  Here, the combined policy verification unit 364 may determine whether or not to permit access based on a predetermined criterion based on the status information acquired from the received combined policy. Alternatively, the combined policy verification unit 364 presents the status information acquired from the received combined policy on the setting screen of the display device 152 (FIG. 2), and the administrator confirms the status and determines whether or not to permit access. The determination may be made by using the input device 150 (FIG. 2) to select whether or not to allow access, and may be received via the operation receiving unit 128 (FIG. 2).

  The procedure of the policy resetting process of the access control system 1 of the present embodiment configured as described above will be described below. FIG. 16 is a flowchart showing an example of the operation of the access control system 1 according to the embodiment of the present invention. Hereinafter, a description will be given with reference to FIGS. 15 and 16.

  The processing procedure of the authorization device 270 includes steps S101 to S109 similar to those in the flowchart of the above embodiment of FIG. 14, and further includes steps S271 to S275. Further, the processing procedure of the service providing apparatus 360 includes steps S351 and S359 similar to those in the flowchart of the above-described embodiment of FIG. 14, and further includes steps S363 to S367.

  Here, processing different from the above embodiment, that is, processing after the case where the authorization determination unit 208 (FIG. 15) of the authorization device 270 determines that the policy setting has been violated (YES in step S105) will be described.

  When the authorization determination unit 208 (FIG. 15) of the authorization device 270 determines that the policy setting has been violated (YES in step S105), the combined policy creation unit 272 (FIG. 15) of the authorization device 270 attempts to determine the access itself. A join policy including the situation is created (step S271 in FIG. 16).

  Then, the combined policy created by the combined policy creating unit 272 is transmitted to the coupled policy transmitting unit 274 (FIG. 15) service providing device 360 of the authorization device 270 (step S273 in FIG. 16). Then, the combined policy receiving unit 362 (FIG. 15) of the service providing apparatus 360 receives the combined policy from the authorization apparatus 270 (step S363 in FIG. 16).

  The combined policy verifying unit 364 (FIG. 15) of the service providing apparatus 360 verifies the access status from the combined policy received by the combined policy receiving unit 362, and determines whether or not to allow the user 3 to access. Then, a new policy is defined including the determined result (step S365 in FIG. 16).

  Then, the combined policy transmission unit 326 (FIG. 15) of the service providing apparatus 360 transmits the newly specified combined policy to the authorization apparatus 270 (step S367 in FIG. 16). Then, the combined policy receiving unit 244 (FIG. 15) of the authorization device 270 receives the newly specified combined policy from the service providing device 360 (step S275 in FIG. 16). Then, returning to step S103 in FIG. 16, the authorization determination unit 208 of the authorization device 270 performs authorization determination using the combined policy received by the combined policy reception unit 244.

  In addition, when a joint policy is not received in step S363 of FIG. 16, a determination result is received in step S359. In FIG. 16, it is described that the service providing apparatus 360 receives the combined policy and the determination result from the authorization apparatus 270 in steps S363 and S359, respectively, but the present invention is not limited to this. 14, the service providing apparatus 360 determines whether the information received from the authorization apparatus 270 is a combined policy or a determination result. If the information is a combined policy, the process proceeds to step S365. The procedure may be branched such as ending this processing and proceeding to access permission determination.

  In this way, instead of the authorization device 270 issuing a policy resetting instruction to the service providing device 360, the authorization device 270 transmits a combined policy to the service providing device 360, and the service providing device 360 resets the policy. Instead, the policy setting violation can be resolved by verifying the combined policy created by the authorization device 270 and reflecting the result in the policy.

  As described above, according to the access control system 1 of the present embodiment, the same effects as those of the above-described embodiment can be obtained, and a policy that can be surely collated can be created when the policy setting is violated. The reason is that the authorization policy 270 notifies the service providing device 360 of the joining policy including the situation to be determined, and the service providing device 360 verifies the joining policy and determines whether or not to allow the user 3 to access. This is because the new connection policy is defined and notified to the service providing apparatus 360. As a result, it is possible to create a policy that does not include a policy that cannot be determined by the authorization device 270 and that reflects an access permission determination result intended by the service providing device 360. In this way, a policy that can be reliably verified is created.

(Ninth embodiment)
FIG. 17 is a functional block diagram showing the configuration of the access control system 1 according to the embodiment of the present invention.
The access control system 1 of the present embodiment includes an authorization device 280 and a service providing device 340 similar to that of the above-described embodiment of FIG.
The access control system 1 of this embodiment is different from the above-described embodiment in that information is collected when information is insufficient at the time of authorization determination.

As described above, since only the authorization device 280 has information that can be used for authorization determination, the service providing device 340 does not know which information is used for authorization determination. Accordingly, the service providing apparatus 340 may create a policy that cannot be determined by the authorization apparatus 280.
Therefore, in the present embodiment, when authorization determination is performed using the policy set by the service providing apparatus 340, information is collected when necessary information is insufficient.

The service providing apparatus 340 of the access control system 1 of this embodiment has the same configuration as that of the service providing apparatus 340 of the above embodiment of FIG. Further, the authorization device 280 of the present embodiment includes a request reception unit 202, a user information storage unit 204, a resource information storage unit 206, a policy storage unit 210, and the like, similar to the authorization device 200 of the above embodiment of FIG. And an authorization determination unit 282 and an information collection unit 284.
In addition, the access control system 1 of this embodiment can also contain the structure of the access control system 1 of the other said embodiment.

  In the authorization device 280 of the present embodiment, when the authorization determination unit 282 performs authorization determination, if the attribute information of the user 3 is insufficient, a collection unit (information collection unit 284) that collects the attribute information of the insufficient user 3 is further provided. Prepare.

When the attribute information of the user 3 is insufficient, the authorization determination unit 282 instructs the information collection unit 284 to collect the attribute information of the user 3, and based on the attribute information of the user 3 collected by the information collection unit 284, again, Make an authorization decision. The authorization determination unit 282 performs determination using the attribute information of the user 3 stored in the user information storage unit 204 when performing the authorization determination, but attribute information necessary for the authorization determination is obtained from the user information storage unit 204. If not, the information collection unit 284 collects information.
In the information collection unit 284, the attribute information can be acquired from, for example, another device (an other authorization device or service providing device).

The operation of the access control system 1 of the present embodiment configured as described above will be described below. FIG. 18 is a flowchart showing an example of the operation of the access control system 1 according to the embodiment of the present invention. Hereinafter, description will be made with reference to FIGS. 17 and 18.
In the present embodiment, the authorization device 280 further includes steps S141 to S145 instead of step S103 in FIG. 3 after step S101 similar to the flowchart showing the operation of the authorization device 200 in the embodiment in FIG. . After step S145 of FIG. 18 of the present embodiment, the same processing as that after step S105 of FIG. 3 is performed.

  Specifically, first, the request receiving unit 202 (FIG. 17) of the authorization device 280 transfers from the service providing device 340 (FIG. 17) that provides a service to the user 3 (FIG. 17) to the resource 10 from the user 3. An access request (authorization request) is accepted (step S101 in FIG. 18).

  When the authorization determination unit 282 (FIG. 17) of the authorization device 280 makes an authorization decision in response to the accepted authorization request, if the attribute information of the user 3 is insufficient (YES in step S141 in FIG. 18), the authorization device 280 The information collection unit 284 (FIG. 17) collects the attribute information of the lacking user 3 (step S143 in FIG. 18). If the attribute information of the user 3 is not insufficient (NO in step S141 in FIG. 18), the process proceeds to step S145 in FIG.

Then, the authorization determination unit 282 (FIG. 17) of the authorization device 280 uses the policy temporarily registered in the policy storage unit 210 (FIG. 17) to use the user information storage unit 204 (FIG. 17) and the resource information storage unit 206. Based on the attribute information of the user 3 and the resource 10 stored in (FIG. 17), an authorization determination is made as to whether or not to permit access to the resource 10 (step S145 in FIG. 18).
Then, the process proceeds to step S105 in FIG.

  In this embodiment, the determination of the lack of user information is performed before the authorization determination process in step S145 of FIG. 18, but the present invention is not limited to this. A configuration in which the lack of user information is output as a determination result by the approval determination unit 282 performing an approval determination, and according to the result, the information collection unit 284 collects user information, and the authorization determination unit 282 performs the determination again. It can also be.

  As described above, according to the access control system 1 according to the embodiment of the present invention, the same effect as the above embodiment is obtained, and information necessary for the determination in the authorization determination using the policy that has not been verified. If there is a shortage of information, it is possible to collect information and make an authorization decision, thereby reducing the possibility of a policy setting violation.

  In the access control system 1 of the above embodiment, each process described in each embodiment can be performed as a series of processes. For example, when the authorization device 280 receives an authorization determination request from the service providing device 340 (step S101 in each figure), the authorization device 280 first uses the combined policy created in the procedure of FIG. 5, FIG. 7, or FIG. Then, authorization determination is performed (step S103 in each figure or step S145 in FIG. 18). At this time, the determination result output by the authorization determination unit 282 includes “access OK”, “access NG”, “policy setting violation”, or “insufficient user information”.

  If a determination of “access OK” or “access NG” is made (NO in step S105 in each figure), the policy has been verified, so that “the binding policy held by the authorization device 280 has no policy setting violation” Can be considered. Therefore, this policy is stored as a verified policy in the policy storage unit 210 of the authorization device 280 (step S107 in each figure), and the access determination result is returned to the service providing apparatus 340 (step S109 in each figure).

  When the determination is made that “user information is insufficient”, for example, when the authorization determination unit 282 has not acquired the information held by the authorization device 280 (YES in step S141 in FIG. 18), the information collection unit 284 of the authorization device 280 is the user. Information is acquired and authorization determination is performed again (step S145 in FIG. 18).

  If it is determined that “policy setting violation” (YES in step S105 in FIG. 14), the policy cannot be verified, and a policy resetting request is issued to the service providing apparatus 340 (step S261 in FIG. 14). Thereafter, when the binding policy is acquired again (step S263 in FIG. 14), the authorization determination is performed again (step S103 in FIG. 14).

  According to the above processing, even when the authorization device 280 does not verify the combined policy, the authorization determination processing can be performed using the policy, so it is possible to confirm whether or not the policy is set correctly. Even when the authorization device 280 and the service providing device 340 have not exchanged information related to the entrustment of authorization processing in advance, the authorization device 280 and the service providing device 340 can perform authorization by dynamically exchanging partial policies and combined policies. Judgment of judgment can be realized.

As mentioned above, although embodiment of this invention was described with reference to drawings, these are the illustrations of this invention, Various structures other than the above are also employable.
For example, in the access control system 1 of the above-described embodiment of FIGS. 8 to 10, the service providing apparatus 320 is configured to create the binding policy in advance and transmit it to the authorization apparatus 240, but may be created at other timings. it can.

19 and 20 are flowcharts illustrating an example of the operation of the access control system 1 according to another embodiment.
In other embodiments shown in FIGS. 19 and 20, a join policy can be created during an authorization decision transaction. 8 to 10, when the service providing device 320 receives the partial policy from the authorization device 240, the service providing device 320 immediately creates a combined policy, returns it to the authorization device 240, and registers it. That is, policy registration processing and authorization determination processing are performed separately, but in the embodiment of FIGS. 19 and 20, the authorization determination processing and policy registration processing are performed simultaneously.

  The access control system 1 according to the present embodiment has a service providing apparatus 370 having the same configuration as the service providing apparatus 320 in FIG. 8 and the service providing apparatus 340 in FIG. 11 and an authorization having the same configuration as the authorization apparatus 240 in FIG. An apparatus 290. The service providing apparatus 370 further includes a policy storage unit (not shown) that temporarily stores the created second partial policy and the first partial policy transmitted from the authorization apparatus 290.

The operation of the access control system 1 of this embodiment will be described. Hereinafter, description will be made with reference to FIGS. 8, 11, 19, and 20.
First, the second policy creation unit 302 (FIG. 8) of the service providing apparatus 370 creates a second partial policy (step S301 in FIG. 19). The second partial policy created by the second policy creation unit 302 is temporarily stored in a policy storage unit (not shown) (step S371 in FIG. 19).

  On the other hand, the first policy creation unit 222 (FIG. 8) of the authorization device 290 creates the first partial policy (step S221 in FIG. 19). Then, the combined policy creation instruction unit 242 (FIG. 8) of the authorization device 290 transmits the first partial policy created by the first policy creation unit 222 to the service providing device 370 (step S291).

  Then, the first policy receiving unit 322 (FIG. 8) of the service providing apparatus 370 receives the first partial policy from the authorization apparatus 290 (step S373 in FIG. 19). Then, the first partial policy received by the first policy receiving unit 322 is stored in the policy storage unit (step S375 in FIG. 19).

  Then, the authorization request unit 342 (FIG. 11) of the service providing device 370 responds to the access request from the user 3 (YES in step S501 of FIG. 20), and the combined policy creation unit 324 (FIG. 8) of the service providing device 370. ) Reads out the second partial policy created by the second policy creation unit 302 and the first partial policy received from the authorization device 290 from the policy storage unit, and creates a combined policy (step S531 in FIG. 20).

  Then, the combined policy transmission unit 326 (FIG. 8) of the service providing apparatus 370 requests the authorization device 290 (FIG. 8) for authorization determination and transmits the combined policy created by the combined policy creation unit 324 (FIG. 8). 20 step S533). The service providing apparatus 370 proceeds to step S505 in FIG. 12 and waits for an authorization determination result from the authorization apparatus 290. The subsequent processing is the same as in the above embodiment.

  Then, the combined policy receiving unit 244 (FIG. 8) of the authorization device 290 receives the combined policy from the service providing device 370 together with the authorization determination request (step S293 in FIG. 20).

  Then, the authorization determination unit 208 (FIG. 8) of the authorization device 290 performs authorization determination using the received combined policy (step S295 in FIG. 20). And it progresses to step S105 of FIG.3, FIG.14 or FIG.16, and performs a process according to the result of authorization determination. The subsequent processing is the same as in the above embodiment.

  According to the configuration described above, the same effect as in the situation embodiment can be obtained. Further, when the service providing apparatus 370 receives an access request in advance, a connection policy is created and an authorization determination request is made. It is not necessary for the device 290 to temporarily register the combined policy in the policy storage unit 210 in advance. Since it is not necessary to transmit and receive the 65 policy in advance between the authorization device 290 and the service providing device 370, the amount of communication between the authorization device 290 and the service providing device 370 can be reduced. Further, for example, when the policy is changed in a short period, it is possible that the policy before the change need not be temporarily registered in the authorization device 290. Since the policy storage unit 210 can be reduced in memory capacity and the registration processing procedure can be omitted, the processing load can be reduced.

  The access control system 1 according to the present invention provides a service provider in an environment where there is a business provider (SP) that provides content to a user and a mobile carrier that manages user information and performs centralized access control. Can be applied to applications such as entrusting access control determination to a mobile carrier.

  Also, in the situation where there is a company (IdP) that outsources the business system to an external business operator (SP), when an employee uses the service of the external business enterprise that is outsourced, the approval judgment is made within the company. It can also be applied to uses such as in

  Also, in an environment where a shopping platform provider (IdP) providing a place for electronic commerce and a plurality of shopping sites (SP) exist, authorization determination is not performed at each shopping site, and the shopping platform operator It can also be applied to uses such as prescribing and making authorization judgments based on policies.

  In addition, in an entrance / exit management system of a building management system (IdP) in which a plurality of tenants (SP) are occupying, each tenant defines an entrance / exit policy (join policy), and the building management system is admitted according to the prescribed policy. It is also applicable to a system that determines whether or not an admission is permitted (authorization determination) (for example, an entrance gate is opened and closed according to a policy).

While the present invention has been described with reference to the embodiments and examples, the present invention is not limited to the above embodiments and examples. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.
In addition, when acquiring and using the information regarding a user in this invention, this shall be done legally.

The present invention can also include the following aspects.
(Appendix 1)
Request accepting means for accepting an access request to the resource from the user from a service providing apparatus that provides a service to the user;
In response to the access request, using a policy provisionally registered in advance, based on attribute information of the user and the resource, an authorization determination unit that determines whether to permit access to the resource;
Based on the determination result of the authorization determination means, confirm that there is no policy setting violation in the previously provisionally registered policy, and a registration means for registering the policy without the policy setting violation as a verified policy;
An authorization device comprising: a response unit that returns the determination result of the authorization determination unit that uses a policy that does not violate the policy setting to the service providing device.

(Appendix 2)
In the authorization device described in (Appendix 1),
A partial policy creating means for accepting a policy setting for access control to the resource and creating a first partial policy;
The authorization determination means uses the combined policy obtained by combining the second partial policy for access control to the resource created by the service providing apparatus and the first partial policy as the provisionally registered policy. An authorization device that makes authorization decisions.

(Appendix 3)
In the authorization device described in (Appendix 2),
Partial policy receiving means for receiving the second partial policy from the service providing device;
A combination policy creating means for joining the second partial policy received by the partial policy receiving means and the first partial policy created by the partial policy creating means to create a combined policy;
The authorization determination unit is an authorization device that performs the authorization determination by using the combined policy created by the combined policy creating unit as the temporarily registered policy.

(Appendix 4)
In the authorization device described in (Appendix 2),
The first partial policy created by the partial policy creating means is transmitted to the service providing apparatus, and the second partial policy created by the service providing apparatus and the transmitted first partial policy are combined to form a combined policy. A combined policy creation instructing unit for instructing the service providing apparatus to create
A coupling policy receiving means for receiving the coupling policy from the service providing device;
The authorization determination unit is an authorization device that performs the authorization determination using the combined policy received by the combined policy receiving unit as the provisionally registered policy.

(Appendix 5)
In the approval device according to any one of (Appendix 1) to (Appendix 4),
A policy storage device for storing a policy used for authorization determination as to whether or not to permit access to the resource;
The registration means registers the verified policy in the policy storage device,
The authorization determination unit is an authorization device that performs an authorization determination using the verified policy registered in the policy storage device by the registration unit.

(Appendix 6)
In the approval device according to any one of (Appendix 1) to (Appendix 5),
When the authorization determination means performs the authorization determination, if the user attribute information is insufficient, the authorization determination means further comprises a collection means for collecting the attribute information of the user that is insufficient,
The authorization determination means instructs the collection means to collect the attribute information of the user when the attribute information of the user is insufficient, and again based on the attribute information of the user collected by the collection means, An authorization device that makes authorization decisions.

(Appendix 7)
(Appendix 1) to (Appendix 6) an authorization request means for requesting authorization determination of access to the resource in response to an access request to the resource from a user, to the authorization device according to any one of
An authorization decision result receiving means for receiving the result of the authorization decision of the access to the resource from the authorization device;
A service providing apparatus comprising: an access execution unit that executes access to the resource corresponding to the access request from the user according to the result of the authorization determination received by the authorization determination result receiving unit.

(Appendix 8)
The second partial policy for creating a combined policy used by the authorization device for authorization judgment is combined with the first partial policy created by the authorization device that performs authorization judgment of access to the resource. A service providing apparatus comprising partial policy creating means for receiving and creating a control policy setting.

(Appendix 9)
In the service providing apparatus described in (Appendix 8),
In response to a request for access to the resource from a user, an authorization request means for requesting an authorization device to determine authorization for access to the resource;
Authorization decision result receiving means for receiving the result of the authorization decision of the access to the resource, which is performed based on the policy from the authorization device;
A service providing apparatus comprising: an access execution unit that executes access to the resource corresponding to the access request from the user according to the result of the authorization determination received by the authorization determination result receiving unit.

(Appendix 10)
In the service providing apparatus according to (Appendix 8) or (Appendix 9),
Partial policy receiving means for receiving the first partial policy created by the authorization device from the authorization device;
A combined policy creating means for creating a combined policy by combining the second partial policy created by the partial policy creating means and the first partial policy received by the partial policy receiving means;
A service providing apparatus comprising: a policy transmission unit that transmits the combination policy created by the combination policy creation unit to the authorization device.

(Appendix 11)
In the service providing apparatus described in (Appendix 10),
A service providing apparatus further comprising policy transmission means for transmitting the second partial policy created by the partial policy creation means to the authorization device.

(Appendix 12)
An authorization device that performs authorization judgment on access to resources
Accepting a request for access to a resource from the user from a service providing apparatus that provides a service to the user;
In response to the access request, using a policy temporarily registered in advance, based on attribute information of the user and the resource, performs an authorization determination as to whether or not to permit access to the resource,
Based on the determination result of the authorization determination, confirm that there is no policy setting violation in the previously provisionally registered policy,
Register the policy that did not violate the policy setting as a verified policy,
An access control method for returning the determination result of the authorization determination using a policy without violation of policy setting to the service providing apparatus.

(Appendix 13)
In the access control method described in (Appendix 12),
The service providing apparatus accepts a policy setting for access control to the resource, creates a first partial policy,
The authorization device accepts a policy setting for access control to the resource, creates a second partial policy,
An access control method in which the authorization device performs the authorization judgment by using a combined policy obtained by combining the created first partial policy and the created second partial policy as the temporarily registered policy.

(Appendix 14)
In the access control method described in (Appendix 12) or (Appendix 13),
The access control method in which, when there is a policy registered as the verified policy, the authorization device performs the authorization determination using the verified policy.

(Appendix 15)
In the computer for realizing the authorization device that performs authorization judgment of the access request to the resource from the user,
A procedure for receiving an access request to the resource from the user from a service providing apparatus that provides a service to the user;
In response to the access request, using a policy provisionally registered in advance, a procedure for determining whether to permit access to the resource based on attribute information of the user and the resource,
A procedure for confirming that there is no policy setting violation in the preliminarily registered policy based on the determination result of the authorization determination, and registering the policy without the policy setting violation as a verified policy,
The program for performing the procedure which returns the determination result of the authorization determination using the policy without the policy setting violation to the service providing apparatus.

(Appendix 16)
In the program described in (Appendix 15),
A procedure for accepting setting of a policy for controlling access to the resource and creating a first partial policy;
A procedure for performing the authorization determination using a combined policy obtained by combining the second partial policy for controlling access to the resource created by the service providing apparatus and the first partial policy as the temporarily registered policy; A program that is executed by a computer.

(Appendix 17)
A computer that implements a service providing apparatus that provides services to users,
The second partial policy for creating a combined policy used by the authorization device for authorization judgment is combined with the first partial policy created by the authorization device that performs authorization judgment of access to the resource. A program that accepts control policy settings and executes the creation procedure.
(Appendix 18)
A service providing device for providing a service to a user;
An authorization device that performs authorization determination of an access request to the resource from the user from the service providing device, and
The authorization device is
Request accepting means for accepting an access request to the resource from the user from the service providing device;
In response to the access request, using a policy provisionally registered in advance, based on attribute information of the user and the resource, an authorization determination unit that determines whether to permit access to the resource;
Based on the determination result of the authorization determination means, confirm that there is no policy setting violation in the previously provisionally registered policy, and a registration means for registering the policy without the policy setting violation as a verified policy;
An access control system comprising: a response unit that returns the determination result of the authorization determination unit using a policy that does not have a policy setting violation to the service providing apparatus.
(Appendix 19)
In the access control system described in (Appendix 18),
The authorization device is
Receiving a policy setting for controlling access to the resource, and comprising a first policy creating means for creating a first partial policy;
The service providing apparatus includes:
Receiving a policy setting for access control to the resource, further comprising a second policy creating means for creating a second partial policy;
The authorization determination unit of the authorization device combines the first partial policy created by the first policy creation unit and the second partial policy created by the second policy creation unit, and creates a combined policy as the temporary policy. An access control system that performs the authorization determination using a registered policy.
(Appendix 20)
In the access control system described in (Appendix 18) or (Appendix 19),
When there is a policy registered as the verified policy, the authorization determination means performs an authorization determination using the verified policy.
(Appendix 21)
In the access control system according to any one of (Appendix 18) to (Appendix 20),
When it is determined that there is a policy setting violation in the policy used by the authorization determination unit, the policy determination unit further includes a policy resetting unit configured to reset the policy,
The authorization determination unit uses the policy reset by the policy resetting unit as the provisionally registered policy for the authorization determination, and confirms that the policy used for the authorization determination has no policy setting violation. Until,
The policy resetting means repeats the policy resetting,
The access control system in which the authorization determination unit repeats the authorization determination using the policy reset by the policy resetting unit as the temporarily registered policy.

DESCRIPTION OF SYMBOLS 1 Access control system 3 User 5 Network 10 Resource 100 Service provision apparatus 120 CPU
122 memory 124 hard disk 126 network communication unit 128 operation reception unit 130 display control unit 134 bus 150 input device 152 display device 200 authorization device 202 request reception unit 204 user information storage unit 206 resource information storage unit 208 authorization determination unit 210 policy storage unit 212 Response unit 220 Authorization device 222 First policy creation unit 224 Join policy acquisition unit 230 Authorization device 232 Partial policy reception unit 234 Join policy creation unit 240 Authorization device 242 Join policy creation instruction unit 244 Join policy reception unit 260 Authorization device 262 Join policy re-transmission Setting instruction unit 270 Authorization device 272 Join policy creation unit 274 Join policy transmission unit 280 Authorization device 282 Authorization determination unit 284 Information collection unit 290 Authorization device 300 Service provision device 302 Second policy creation unit 310 Service Providing device 312 Partial policy transmitting unit 320 Service providing device 322 First policy receiving unit 324 Combined policy creating unit 326 Combined policy transmitting unit 340 Service providing device 342 Authorization requesting unit 346 Result receiving unit 348 Service providing unit 350 Service providing device 352 Combined policy Resetting unit 360 Service providing device 362 Combined policy receiving unit 364 Combined policy verifying unit 370 Service providing device

Claims (12)

A service providing device for providing a service to a user;
An authorization device that performs authorization determination of an access request to the resource from the user from the service providing device, and
The authorization device is
Request accepting means for accepting an access request to the resource from the user from the service providing device;
In response to the access request, using a policy provisionally registered in advance, based on attribute information of the user and the resource, an authorization determination unit that determines whether to permit access to the resource;
Based on the determination result of the authorization determination means, confirm that there is no policy setting violation in the previously provisionally registered policy, and a registration means for registering the policy without the policy setting violation as a verified policy;
A response unit that returns the determination result of the authorization determination unit using a policy that has not been violated by the policy setting to the service providing device ;
Receiving a policy setting for controlling access to the resource and creating a first partial policy ,
The service providing apparatus includes:
Receiving a policy setting for controlling access to the resource, and comprising a second policy creating means for creating a second partial policy;
The authorization determination unit of the authorization device combines the first partial policy created by the first policy creation unit and the second partial policy created by the second policy creation unit, and creates a combined policy as the temporary policy. An access control system that performs the authorization determination using a registered policy . The access control system according to claim 1 .
When there is a policy registered as the verified policy, the authorization determination means performs an authorization determination using the verified policy. A service providing device for providing a service to a user;
An authorization device that performs authorization determination of an access request to the resource from the user from the service providing device, and
The authorization device is
Request accepting means for accepting an access request to the resource from the user from the service providing device;
In response to the access request, using a policy provisionally registered in advance, based on attribute information of the user and the resource, an authorization determination unit that determines whether to permit access to the resource;
Based on the determination result of the authorization determination means, confirm that there is no policy setting violation in the previously provisionally registered policy, and a registration means for registering the policy without the policy setting violation as a verified policy;
E Bei and a response means for returning the determination result to the service providing device of the authorization decision unit using the policy did not have the policy setting violation,
When there is a policy registered as the verified policy, the authorization determination means performs an authorization determination using the verified policy .   The access control system according to claim 3,
  The authorization device is
    Receiving a policy setting for access control to the resource, further comprising a first policy creating means for creating a first partial policy;
  The service providing apparatus includes:
    Receiving a policy setting for controlling access to the resource, and comprising a second policy creating means for creating a second partial policy;
  The authorization determination unit of the authorization device combines the first partial policy created by the first policy creation unit and the second partial policy created by the second policy creation unit, and creates a combined policy as the temporary policy. An access control system that performs the authorization determination using a registered policy. In the access control system according to any one of claims 1 to 4 ,
When it is determined that there is a policy setting violation in the policy used by the authorization determination unit, the policy determination unit further includes a policy resetting unit configured to reset the policy,
The authorization determination unit uses the policy reset by the policy resetting unit as the provisionally registered policy for the authorization determination, and confirms that the policy used for the authorization determination has no policy setting violation. Until,
The policy resetting means repeats the policy resetting,
The access control system in which the authorization determination unit repeats the authorization determination using the policy reset by the policy resetting unit as the temporarily registered policy. Request accepting means for accepting an access request to the resource from the user from a service providing apparatus that provides a service to the user;
In response to the access request, using a policy provisionally registered in advance, based on attribute information of the user and the resource, an authorization determination unit that determines whether to permit access to the resource;
Based on the determination result of the authorization determination means, confirm that there is no policy setting violation in the previously provisionally registered policy, and a registration means for registering the policy without the policy setting violation as a verified policy;
A response unit that returns the determination result of the authorization determination unit using a policy that has not been violated by the policy setting to the service providing device ;
A partial policy creating means for accepting a policy setting for access control to the resource and creating a first partial policy;
The authorization determination means uses the combined policy obtained by combining the second partial policy for access control to the resource created by the service providing apparatus and the first partial policy as the provisionally registered policy. An authorization device that makes authorization decisions . Request accepting means for accepting an access request to the resource from the user from a service providing apparatus that provides a service to the user;
In response to the access request, using a policy provisionally registered in advance, based on attribute information of the user and the resource, an authorization determination unit that determines whether to permit access to the resource;
Based on the determination result of the authorization determination means, confirm that there is no policy setting violation in the previously provisionally registered policy, and a registration means for registering the policy without the policy setting violation as a verified policy;
Response means for returning the determination result of the authorization determination means using the policy without violation of the policy setting to the service providing device ,
When there is a policy registered as the verified policy, the authorization determination unit is configured to perform the authorization determination using the verified policy .   The second partial policy for creating a combined policy used by the authorization device for authorization judgment is combined with the first partial policy created by the authorization device that performs authorization judgment of access to the resource. A service providing apparatus comprising partial policy creating means for receiving and creating a control policy setting. An authorization device that performs authorization judgment on access to resources
Accepting a request for access to a resource from the user from a service providing apparatus that provides a service to the user;
In response to the access request, using a policy temporarily registered in advance, based on attribute information of the user and the resource, performs an authorization determination as to whether or not to permit access to the resource,
Based on the determination result of the authorization determination, confirm that there is no policy setting violation in the previously provisionally registered policy,
Register the policy that did not violate the policy setting as a verified policy,
The determination result of the authorization determination using the policy that did not violate the policy setting is returned to the service providing device ,
further,
The service providing apparatus accepts a policy setting for access control to the resource, creates a first partial policy,
The authorization device accepts a policy setting for access control to the resource, creates a second partial policy,
An access control method in which the authorization device performs the authorization judgment by using a combined policy obtained by combining the created first partial policy and the created second partial policy as the temporarily registered policy . An authorization device that performs authorization judgment on access to resources
Accepting a request for access to a resource from the user from a service providing apparatus that provides a service to the user;
In response to the access request, using a policy temporarily registered in advance, based on attribute information of the user and the resource, performs an authorization determination as to whether or not to permit access to the resource,
Based on the determination result of the authorization determination, confirm that there is no policy setting violation in the previously provisionally registered policy,
Register the policy that did not violate the policy setting as a verified policy,
The determination result of the authorization determination using the policy that did not violate the policy setting is returned to the service providing device ,
Furthermore, when the authorization device has a policy registered as the verified policy, the access control method performs the authorization determination using the verified policy . In the computer for realizing the authorization device that performs authorization judgment of the access request to the resource from the user,
A procedure for receiving an access request to the resource from the user from a service providing apparatus that provides a service to the user;
In response to the access request, using a policy provisionally registered in advance, a procedure for determining whether to permit access to the resource based on attribute information of the user and the resource,
A procedure for confirming that there is no policy setting violation in the preliminarily registered policy based on the determination result of the authorization determination, and registering the policy without the policy setting violation as a verified policy,
A procedure for returning the determination result of the authorization determination using the policy without the policy setting violation to the service providing apparatus ;
A procedure for accepting setting of a policy for controlling access to the resource and creating a first partial policy;
A procedure for performing the authorization determination by using a combined policy obtained by combining the second partial policy for controlling access to the resource created by the service providing apparatus and the first partial policy as the temporarily registered policy; A program for running In the computer for realizing the authorization device that performs authorization judgment of the access request to the resource from the user,
A procedure for receiving an access request to the resource from the user from a service providing apparatus that provides a service to the user;
In response to the access request, using a policy provisionally registered in advance, a procedure for determining whether to permit access to the resource based on attribute information of the user and the resource,
A procedure for confirming that there is no policy setting violation in the preliminarily registered policy based on the determination result of the authorization determination, and registering the policy without the policy setting violation as a verified policy,
A procedure for returning the determination result of the authorization determination using the policy without the policy setting violation to the service providing apparatus ;
When there is a policy registered as the verified policy, a program for executing a procedure for performing the authorization determination using the verified policy .

Images