EP1834467A1 - Zugangssteuerungsverfahren - Google Patents
- Publication number
- EP1834467A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- criterion
- given
- access control
- resources
- control module
- Prior art date
- Legal status
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Definitions
- the present invention relates to the field of access control.
- This domain generally involves a given user of a set of users, who wishes to apply a given function of a set of functions to a resource of a set of resources. Access control meets many fields of application, on both software and hardware resources.
- Access authorization will be given by an access control device that controls the opening of each gate.
- Access to medicines in a hospital may also be restricted to certain people depending on the nature of the drug: for example, nurses have access to common and cheap drugs such as aspirin, while preparers have access to the entire pharmacy.
- Drugs are the resources here, and the set of users includes a group of nurses and a group formed by the preparers.
- the set of functions that users may wish to apply includes a physical entry of drugs.
- Access control is also used in the field of computer network management.
- Such networks, the Internet for example, include a set of routers.
- a network management tool makes it possible to modify the software of all or part of the routers; thus, if one of the routers fails, the network management tool can reconfigure the other routers.
- a responsible person will have the right to stop the routers, a guardian will be able to view the state of the routers and disable alarms, while a trainee will be able to view the state of the routers and simulate stops in order to train in network management.
- the rights of individuals may be limited to a subset of routers. For example, some people will only be able to view the state of a particular router, while others will have the ability to restart all routers of a given technology.
- FIG. 1 illustrates the operation of an exemplary access control device according to the prior art.
- a software module 3 transmits a message 5 to an access control module 4.
- the message 5 comprises a user field 6 containing an identifier of the given user 1, a function field 7 containing an identifier of the given function and a resource field 8 containing an identifier of the given resource.
- the access control module 4 comprises a user variable 10, a function variable 11 and a resource variable 12 allocated during the creation of the access control module 4.
- the user identifiers of the set of users for that environment are entered, as well as the identifiers of the functions of the set of functions and the resource identifiers of the set of resources.
- the access control module 4 determines whether the given user 1 is authorized to apply the given function to the given resource from the identifier of the given user 1 received, the identifier of the given function received and the identifier of the given resource received.
- the access control module 4 returns to the software module 3 a response to the message 5 received. In the example shown in FIG. 1, the response is positive: the given user 1 is authorized to apply the given function to the given resource.
- the number of users in the set of users is generally relatively small, for example a hundred people.
- the number of functions of the set of functions is generally relatively low, for example about ten functions.
- the number of resources of the set of resources can be relatively high, of the order of one million for example.
- the management of the access control device can thus be relatively difficult because of the relatively high number of resource identifiers.
- each resource identifier can be classified according to the membership of the corresponding resource in a given resource group, provided that whoever configures the access control module is aware of this categorization.
- a paper document detailing the membership of each resource in a given resource group is usually printed for this purpose.
- the classification of the resource identifiers then makes it possible to simplify the programming of the authorization determination algorithm: in a first step, the algorithm determines to which group the identifier of the given resource received belongs, and in a second step it determines which answer to give according to this group and the other received identifiers, i.e. the identifier of the given user and the identifier of the given function.
- the configuration of the access control module is done manually, from a paper document containing the categorization of resources.
- the present invention makes management of the access control device easier.
- the present invention provides an access control method for determining whether a given user of a set of users can apply a given function of a set of functions to a given resource from a set of resources, the resources being able to be ranked according to at least one criterion.
- the access control method according to the invention comprises a step of transmitting to an access control module a message comprising a user field containing a group identifier of the given user, as well as a list of fields structured in at least one criterion field, each criterion field containing the value of a criterion determined for the given resource.
- the method according to the present invention makes it possible to avoid the entry and storage in the access control module of a relatively large number of resource identifiers.
- the person configuring the access control module does not need to know all the resources, but simply potential values of criteria.
- the management of the access control module is thus clarified and simplified.
- When new resources are added to an already existing set of resources, it is not necessary to enter the identifiers of the new resources in the access control module. If a given user tries to apply a given function to a new resource, the access control module will not receive an identifier of the new resource but a message comprising a list of fields structured in at least one criterion field, each criterion field containing the value of a determined criterion for the new resource. The addition of the new resource is therefore transparent for the access control module.
- the method according to the present invention makes it possible to save the memory space of the access control module.
- the user field contains a group identifier of the given user, that is to say possibly an identifier of the user himself if it is considered that the group of the given user comprises only one user.
- the user can be human or not.
- the user can be a software application that seeks to apply a given function to a given resource.
- the list of fields is advantageously structured in several criterion fields.
- the list of fields may, for example, be structured in p criteria, each criterion being able, in this example, to take the same number q of values.
- the access control module can comprise p criterion variables, each criterion variable corresponding to a criterion.
- q potential values can be entered for each criterion, ie p * q values.
- the p criteria, each capable of taking q values, make it possible to define q^p groups of resources. In the prior art, not only must the person configuring the access control module manage the resource identifiers, but these must also be classified into q^p groups, a number often much higher than the p * q values of the method of the present invention.
- the field list includes a single criterion field.
- the transmitted message also comprises a function field containing an identifier of the given function.
- the transmitted message may not include a function field.
- each criterion field also contains an identifier of the determined criterion. This characteristic is of course not limiting.
- Each criterion field thus contains a criterion-value identifier pair of the criterion.
- the message is then transmitted according to a free protocol, in which the criterion of each criterion field can be identified by the criterion identifier.
- Free protocols allow greater flexibility in terms of order of criteria fields within the message, choice of criteria, etc.
- each criterion field may contain only the value of the criterion determined for the given resource.
- the message is then transmitted according to a fixed protocol.
- the method first comprises a step of authenticating the given user.
- the given user who wishes to apply the given function to the given resource can be first authenticated, for example by a software module.
- the identifier of the authenticated user may be transmitted to the access control module as the user's group identifier.
- the method may also include a categorization step of the given user in a group, for example the trainee group, especially if the rights are the same for all members of the group.
- An identifier of this group can be transmitted to the access control module.
- the method according to the present invention may comprise a step of authentication not of the given user, but of the requester who seeks to determine whether the given user can apply the given function to the given resource.
- the given user may indeed be distinct from the requester.
- the method according to the present invention does not include any authentication step.
- the method according to the present invention preferably comprises a step of determining the value of each criterion field for the given resource.
- This step can be performed by software that queries the given resource, which in turn transmits the value of each criterion field.
- the software may have a representation of the set of resources in which it knows, for each resource, the value of each criterion field. The invention is not limited by the manner in which this determination is implemented.
- the method according to the present invention may not include this step of determining the value of each criterion field for the given resource.
- the given user may want to apply the given function to all resources responding to at least one given criterion.
- the user can directly enter the value of each criterion field.
- the present invention also relates to an access control module for determining whether a given user of a set of users can apply a given function of a set of functions to a given resource from among a set of resources, the resources being classifiable according to at least one criterion.
- the access control module according to the invention comprises:
- a list of criterion variables structured in at least one criterion variable, each criterion variable corresponding to a determined criterion; and authorization determination means operating from a user group identifier received by the access control module and from a list of values received by the access control module, the list comprising, for at least one criterion variable of the list of criterion variables, the value of the determined criterion for the given resource.
- In the prior art, the access control modules comprise the identifiers of all the resources of the set of resources, and possibly a list of groups, so as to allow a determination in two stages.
- the access control module first determines which resource group the received identifier belongs to, and then determines, from the group of resources thus found and a user identifier received, whether or not the authorization should be granted.
- the access control module according to the present invention makes it possible to avoid this first step: it is the list of values received, together with the user group identifier received, that determines the authorization, and not a value found from a received identifier.
- the access control module according to the present invention thus does not need to keep in memory the identifiers of all the resources of the set of resources.
- the access control module according to the invention is in fact intended to receive the message of the method according to the present invention and therefore has the same advantages as the method according to the present invention. It can be adapted for the same preferential characteristics, without these being limiting.
- the access control module according to the invention may advantageously comprise a list of several criterion variables, each criterion variable corresponding to a determined criterion.
- the access control module may advantageously comprise a function variable.
- the means of determination can also take into account a function identifier received by the access control module.
- the access control module according to the present invention is capable of operating with a software module according to the prior art, and conversely the software module according to the present invention is capable of operating with an access control module according to the prior art.
- the present invention also relates to an access control device for implementing the method according to the present invention, comprising an access control module according to the present invention.
- the access control device determines whether a given user of a set of users can apply a given function of a set of functions to a given resource from a set of resources.
- the set of resources advantageously comprises software resources.
- the software resources include software.
- the access control device thus makes it possible to determine whether a given user can apply a given function to a piece of software.
- resources may include physical resources, such as doors.
- the software resources advantageously comprise network equipment of a telecommunication computer network.
- Network equipment may for example include routers.
- The method according to the present invention finds here a particularly advantageous application in view of the large number of possible routers in such a network. This application is of course not limiting.
- the access control device may, for example, comprise the software module and the access control module.
- the software module includes software for generating messages comprising a user field and a list of fields structured in at least one criterion field, each criterion field containing the value of a criterion determined for the given resource.
- the software module and the access control module can be integrated in the same device, for example a network management tool, or in several separate devices.
- FIG. 2 illustrates an exemplary operation of an exemplary access control device according to a preferred embodiment of the present invention
- a given user 1 wishes to apply to a given resource, here a given router 2, a given function, here reading a file or a program from this router 2. The given router 2 is identified by the identifier 12533.
- the given user 1 authenticates with a software module 3 and formulates his request so that the software module 3 receives an identifier of the given resource and an identifier of the given function.
- the given resource is part of a set of resources. Routers can be classified according to two criteria: location and technology.
- the software module 3 sends a message 5 to an access control module 4 to find out whether the request of the given user 1 can be granted.
- the access control module 4 sends its agreement or disagreement in response to the received message.
- the access control module is created with a user variable 10, a function variable 11, and a list of criterion variables.
- the list of criterion variables includes a location variable 16 and a technology variable 17.
- When the access control module 4 is installed in order to manage access to the set of resources considered, here the routers of a given telecommunications computer network, a person must configure it. For at least one criterion variable, the person enters the set of potential values of the corresponding determined criterion for the resources of the set of resources considered.
- the computer network includes routers in Europe, the United States and Japan: there will therefore be three potential values of the location criterion during installation.
- the routers of this network may be ATM routers or MPLS routers, two potential values for the technology criterion for the set of resources considered.
- the sets of potential values therefore depend on the set of resources.
- the access control module may comprise a criterion variable without a set of potential values of associated criterion. Potential value sets can also evolve.
- When the access control module is configured, the person must be aware of the sets of potential values. These can be printed on a paper (or electronic) document for this purpose.
- the paper document does not include, unlike the paper document of the prior art, a list of the identifiers of all the resources of the set of resources considered.
- the software module 3 determines, for the given resource, the value of a location criterion field and the value of a technology criterion field.
- the software module 3 comprises a representation of each resource of the set of resources and is able to determine the value of the location criterion and the value of the technology criterion for each resource of the set of resources.
- the software module 3 generates and therefore transmits the message 5.
- the message 5 comprises:
- Each criterion field (14, 15) contains an identifier of a given criterion and the value of this criterion determined for the given resource 2.
- a location field 14 contains, for example, an identifier of the location criterion, "loc" in the figure, as well as the value "Europe" or an identifier of this value, while a technology field 15 contains an identifier of the technology criterion, "tech" in the figure, as well as the value "ATM" or an identifier of this value.
- the message 5 can be transmitted according to a free protocol, or according to a fixed protocol.
- the chosen protocol does not limit the present invention.
- a free protocol allows a greater flexibility of use: for example, the given user 1 may wish to apply a given function to all routers of a given technology, for example ATM routers.
- the software module 3 can then generate a message comprising:
- a user field containing an identifier of the given user
- a function field containing an identifier of the given function
- a criterion field containing an identifier of the technology criterion and the "ATM" value of this criterion
- the message can be generated and transmitted once: if the authorization is obtained, the given user can apply the given function to all ATM routers.
- the software module can also and preferably transmit this message several times, for example before each application of the given function to one of the ATM routers.
- authorization determination means 13 make it possible to determine the authorization from the received user's identifier, the received function identifier, the value of the criterion of location received and the value of the criterion of technology received.
- the access control module then returns to the software module a binary response allowing or not the given user 1 to apply the given function to the given resource.
- the access control module may possibly return a response other than an authorization or a non-authorization: in particular, the access control module may return an error message, for example when the list of fields of the message received includes a criterion field containing an identifier of a criterion not known by the access control module.
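The exchange of FIG. 2 and the module of the description, as an added example that is not part of the patent: the module is configured only with the potential values of the location and technology criteria and with rules keyed on user group, function and criterion values, never with router identifiers, and it returns an error when a message names a criterion it does not know. The rule format, the group names, the second router and all identifiers are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from math import prod


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ERROR = "error"  # message names a criterion the module does not know


@dataclass(frozen=True)
class Message:
    """Message 5: user group id, optional function id and criterion fields (free
    protocol: the criterion identifier sits beside each value, any order, any subset)."""
    user_group: str
    function: str | None
    criteria: tuple[tuple[str, str], ...]


@dataclass
class Rule:
    """Constructed rule format (the patent prescribes none): a criterion absent from
    constraints is unconstrained, an empty functions set means any function."""
    user_group: str
    functions: frozenset[str]
    constraints: dict[str, frozenset[str]]


class AccessControlModule:
    """Stores criterion variables, their potential values and rules, but no resource identifiers."""
    def __init__(self, potential_values: dict[str, set[str]]) -> None:
        self.potential_values = {c: frozenset(v) for c, v in potential_values.items()}
        self.rules: list[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        # Configuring a rule needs only the potential values, never the resource list.
        for criterion, values in rule.constraints.items():
            if criterion not in self.potential_values:
                raise KeyError(f"unknown criterion in rule: {criterion}")
            if not values <= self.potential_values[criterion]:
                raise ValueError(f"value outside potential values of {criterion}")
        self.rules.append(rule)

    def decide(self, msg: Message) -> Decision:
        received: dict[str, str] = {}
        for criterion, value in msg.criteria:
            if criterion not in self.potential_values:
                return Decision.ERROR  # unknown criterion identifier
            if received.setdefault(criterion, value) != value:
                return Decision.ERROR  # contradictory duplicate field
        for rule in self.rules:
            if rule.user_group != msg.user_group:
                continue
            if rule.functions and msg.function not in rule.functions:
                continue
            # A constrained criterion missing from the message fails closed.
            if all(received.get(c) in ok for c, ok in rule.constraints.items()):
                return Decision.ALLOW
        return Decision.DENY

    def configured_value_count(self) -> int:
        return sum(len(v) for v in self.potential_values.values())  # the p*q values

    def resource_group_count(self) -> int:
        return prod(len(v) for v in self.potential_values.values())  # the q^p groups


# Software module 3 side: constructed resource representation (router id -> criteria).
ROUTERS = {"12533": {"loc": "Europe", "tech": "ATM"}, "20817": {"loc": "Japan", "tech": "MPLS"}}


def build_message(user_group: str, function: str, router_id: str) -> Message:
    """Determine each criterion value for the given router; the router identifier
    itself never reaches the access control module."""
    return Message(user_group, function, tuple(sorted(ROUTERS[router_id].items())))


def build_module() -> AccessControlModule:
    acm = AccessControlModule({"loc": {"Europe", "USA", "Japan"}, "tech": {"ATM", "MPLS"}})
    # Constructed user groups echoing the description's roles (manager, guardian, trainee).
    acm.add_rule(Rule("manager", frozenset(), {}))
    acm.add_rule(Rule("guardian", frozenset({"view", "disable_alarm"}), {}))
    acm.add_rule(Rule("trainee", frozenset({"view", "simulate_stop"}), {"loc": frozenset({"Europe"})}))
    return acm
```

A message carrying only `("tech", "ATM")` models the "all ATM routers" request: it is allowed for the unconstrained manager group and refused for the trainee group, whose location constraint cannot be checked.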
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Signal Processing (AREA)
- Databases & Information Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Storage Device Security (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0453289A FR2880487B1 (fr) | 2004-12-31 | 2004-12-31 | Procede de controle d'acces |
PCT/FR2005/051147 WO2006072730A1 (fr) | 2004-12-31 | 2005-12-28 | Procede de controle d'acces |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1834467A1 true EP1834467A1 (de) | 2007-09-19 |
Family
ID=34953222
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP05848355A Withdrawn EP1834467A1 (de) | 2004-12-31 | 2005-12-28 | Zugangssteuerungsverfahren |
Country Status (5)
Country | Link |
---|---|
US (1) | US20080016560A1 (de) |
EP (1) | EP1834467A1 (de) |
JP (1) | JP2008527482A (de) |
FR (1) | FR2880487B1 (de) |
WO (1) | WO2006072730A1 (de) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8667606B2 (en) | 2010-07-24 | 2014-03-04 | International Business Machines Corporation | Session-controlled-access of client data by support personnel |
US20130173467A1 (en) * | 2011-12-29 | 2013-07-04 | Ebay Inc. | Methods and systems for using a co-located group as an authorization mechanism |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6408336B1 (en) * | 1997-03-10 | 2002-06-18 | David S. Schneider | Distributed administration of access to information |
US6119230A (en) * | 1997-10-01 | 2000-09-12 | Novell, Inc. | Distributed dynamic security capabilities |
US6064656A (en) * | 1997-10-31 | 2000-05-16 | Sun Microsystems, Inc. | Distributed system and method for controlling access control to network resources |
US6279111B1 (en) * | 1998-06-12 | 2001-08-21 | Microsoft Corporation | Security model using restricted tokens |
JP2000187589A (ja) * | 1998-12-22 | 2000-07-04 | Oki Electric Ind Co Ltd | プログラムシステムのコンポーネントアクセス制御装置 |
JP2001117803A (ja) * | 1999-10-15 | 2001-04-27 | Hitachi Ltd | アクセス権判定方法および装置およびアクセス権判定プログラムを記録したコンピュータ読み取り可能な記録媒体 |
US6766397B2 (en) * | 2000-02-07 | 2004-07-20 | Emc Corporation | Controlling access to a storage device |
JP4211285B2 (ja) * | 2002-05-24 | 2009-01-21 | 株式会社日立製作所 | ネットワークストレージシステムの仮想一元化方法及び装置 |
US20050091658A1 (en) * | 2003-10-24 | 2005-04-28 | Microsoft Corporation | Operating system resource protection |
- 2004
  - 2004-12-31 FR FR0453289A patent/FR2880487B1/fr not_active Expired - Fee Related
- 2005
  - 2005-12-28 US US11/813,209 patent/US20080016560A1/en not_active Abandoned
  - 2005-12-28 WO PCT/FR2005/051147 patent/WO2006072730A1/fr active Application Filing
  - 2005-12-28 JP JP2007548882A patent/JP2008527482A/ja active Pending
  - 2005-12-28 EP EP05848355A patent/EP1834467A1/de not_active Withdrawn
Non-Patent Citations (1)
Title |
---|
See references of WO2006072730A1 * |
Also Published As
Publication number | Publication date |
---|---|
FR2880487B1 (fr) | 2007-06-01 |
JP2008527482A (ja) | 2008-07-24 |
US20080016560A1 (en) | 2008-01-17 |
FR2880487A1 (fr) | 2006-07-07 |
WO2006072730A1 (fr) | 2006-07-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6564327B1 (en) | Method of and system for controlling internet access | |
EP1932318B1 (de) | Verfahren zur authentifizierung eines kunden, identität und dienstanbieter, authentifizierung und authentifizierungs-sicherungsanfragesignale und entsprechende computerprogramme | |
US8646026B2 (en) | Smart web services security policy selection and validation | |
CN103399909B (zh) | 在提供访问联网内容文件中分配访问控制级的方法和设备 | |
US20010013096A1 (en) | Trusted services broker for web page fine-grained security labeling | |
US20100122318A1 (en) | Policy-based service managment system | |
JP4467256B2 (ja) | 代理認証プログラム、代理認証方法、および代理認証装置 | |
WO2001001656A1 (en) | Universal session sharing | |
Bambacht et al. | Web3: A decentralized societal infrastructure for identity, trust, money, and data | |
WO2004036351A2 (en) | Cross-site timed out authentication management | |
US20040177097A1 (en) | Web-based, biometric authentication system and method | |
EP1501242A2 (de) | Benutzung von Netzwerkpolitikregelsystem für die Verwaltung von Netzwerkpolitikregeln | |
AU2005292568A1 (en) | A method and apparatus for assigning access control levels in providing access to networked content files | |
EP1704700B1 (de) | Verfahren und system zum betreiben eines computernetzwerks, das für inhaltsveröffentlichungen bestimmt ist | |
EP1708447A1 (de) | Verfahren und Vorrichtung für Kommuniziereninformationen zwischen Vorrichtungen | |
US7426551B1 (en) | System, method and computer program product for dynamic system adaptation using contracts | |
EP2807815B1 (de) | System und verfahren zur steuerung einer dns-anfrage | |
EP1834467A1 (de) | Zugangssteuerungsverfahren | |
WO2005034468A1 (fr) | Systeme d'acces a un reseau adapte pour la mise en oeuvre d'un procede a signature simplifiee, et serveur pour sa realisation | |
EP1610519A1 (de) | Verfahren und Plattform zum Vermittlen zwischen Anwendung Web Services | |
WO2003046730A2 (fr) | Procede de securisation d'un acces a une ressource numerique | |
WO2010034928A1 (fr) | Plate-forme de reseau informatique | |
EP2472818B1 (de) | Datenverarbeitungsverfahren zur Kontrolle des Zugriffs auf Internetinhalte | |
WO2010023376A1 (fr) | Système informatique à serveur d'accès simplifié, et procédé correspondant | |
EP3979109A1 (de) | Verfahren und system zur authentifizierung eines benutzers auf einem benutzergerät |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PUAI | Public reference made under article 153(3) EPC to a published international application that has entered the European phase | Free format text: ORIGINAL CODE: 0009012 |
| 17P | Request for examination filed | Effective date: 20070731 |
| AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
| DAX | Request for extension of the European patent (deleted) | |
| 17Q | First examination report despatched | Effective date: 20100803 |
| STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
| 18D | Application deemed to be withdrawn | Effective date: 20101214 |