JP2003162449A - Integrated access management system, integrated access management device and its method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To solve a problem that specifying a resource in an access destination with a URI (URL) format is difficult to apply to an integrated authentication/ right management that includes databases. <P>SOLUTION: An integrated access management system includes an access control list for integrated management (ACL), an access range determination part, and an integrated access management device. The ACL has name fields in which plural information resources, including one or more databases, are uniquely specified by respective element names, and each access right for the plural information resources is set as an access right with its element name. The access range determination part, when requested for access to an information resource, determines an access range referring to the access right with the element name corresponding to the information resource in the ACL. The integrated access management device has the ACL, and manages each access right for the plural information resources based on the determined result of access range executed by the access range determination part. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

TECHNICAL FIELD The present invention relates to WWW (World).
d Wide Web) server, database server,
The present invention relates to an access integrated management system, an integrated access management device and method, and a program for integrating and managing authentication and access control for a plurality of computer resources of different types such as a file server.

[0002]

2. Description of the Related Art Due to the spread of WWW services in recent years,
In the past, it has become common to convert information that has been transmitted and received using a paper as a medium into an electronic document and publish it on a WWW server. In addition, a WWW server and a database server are connected to a CGI (Common Gateway Interface).
ace) programs are linked to each other to dynamically and automatically edit the information stored in the database according to the user's request and present it to the user as a Web document.

As described above, the WWW server has the highly convenient information disclosure function as described above. On the other hand, in a large company that owns a lot of information to be disclosed and shared, a series of information is disclosed by a plurality of distributed WWW servers. That is, in each content (information resource disclosed by WWW) of the WWW server, the range accessible by the user is set as the authority bit of the corresponding file. For example, in-house WWW for large companies
In the server system group, the access level to each content is classified and controlled according to the position of the user or the organization to which the user belongs.

In this case, how to set access authorization to the contents of a large number of distributed WWW servers becomes a problem. That is, if the access authority is directly set to the distributed content resources in each WWW server, the load of the authority management work increases. Therefore, a system has been devised that centrally manages authentication information and access control information of a plurality of WWW servers.

FIG. 7 is a diagram showing the configuration of a conventional WWW server authentication / authority management system for centrally managing the above-mentioned WWW server authentication information and access control information. The system performs integrated authentication / authority management by a so-called reverse proxy method. In the figure, 100 is WWW
W with the function of receiving and displaying electronic information from the server
The server host names “w1” and “w2” in the URI are designated by the eb browser, respectively. Reference numeral 101 denotes an integrated authentication / authority management device including each of the program units 101a to 101c, which relays an access request to a WWW server located in its internal network,
The authentication information and access control information are centrally managed. Here, the integrated authentication / authority management device 101 uses the WWW
It functions as one of the servers. The integrated authentication management program unit 101a authenticates the user who has requested access to the WWW server. Reference numeral 101b denotes an integrated authority management program section, which determines whether or not the user has the access authority to the content requested to be accessed. 101c
Is a URL conversion program part, which is a virtual URL (Uniform Resource) specified by the user.
Locator) is a WWW located in the internal network
It is converted into an actual URL corresponding to the servers 102a and 102b. 102a and 102b are WWW servers located in the internal network of the integrated authentication / authority management device 101.

Next, the operation will be described. First, the user uses the Web browser 100 to request a URI (Unifo).
rm Resource Identifier) is specified to request the target content from the WWW server. Here, the user is, for example, "http: // TW
The URI "1 / w1 / 1" is specified. Although the URI has a concept of comprehensively including a URL in the strict sense, it is substantially synonymous with the URL in the WWW, and therefore is described as URI = URL hereinafter.

[0007] The Web browser 100 analyzes the URI designated by the user and transmits an HTTP request packet to the integrated authentication / authority management device 101, which is the WWW server of the destination (corresponding to the information marked with in the figure). ).

If the user has not been authenticated, the integrated authentication management program section 101a in the integrated authentication / authority management apparatus 101 requests the user to send authentication information (for example, user name and password). To do. After that, when the authentication information is transmitted from the user in response to the authentication information request, the integrated authentication management program unit 101a
It is determined whether or not the authentication information and the authentication information registered in advance are coincident with each other, and when the determination result coincides, the user is authenticated as the user who receives the service (corresponding to the exchange of information with a symbol in the figure). If the user has already been authenticated, the above process is not required.

When the above authentication process is completed, the integrated authority management program unit 101 in the integrated authentication / authority management apparatus 101.
b determines whether the user who has performed the above authentication has the access right to the content requested by the Web browser 100. Specifically, the integrated authority management program unit 101b uses the integrated authority management access control list (ACL; Access Control Lis).
t) 103, a UR of “http: // TW1 / w1 / 1” that specifies the content desired by the user
It is determined whether or not I is set to be accessible (corresponding to the information marked with in the figure).

At this time, if the access control list 103 for integrated authority management is set to be accessible, the URL conversion program unit 1 in the integrated authentication / authority management apparatus 101.
01c is a virtual URI designated by the user "h
"http: // TW1 / w1 / 1" is converted into "http: // w1 / 1" which is the URI for the actual WWW server 102a by referring to the URI mapping table 104 (in the information indicated by the symbol in the figure) Equivalent to). U after this conversion
Using the RI, the integrated authentication / authority management device 101 issues an HTTP request in place of the browser 100, and receives a response from the WWW server 102a.

The integrated authentication / authority management device 101 has a WWW
The link information etc. of the information received from the server 102a is rewritten to the integrated link information for integrated management, and the We
b Reply to the browser 100. As a result, the user can refer to the electronic information regarding the desired content.

Further, as an integrated authentication / authority management system for WWW servers other than the above-mentioned method, for example, Japanese Patent Laid-Open No. 2000-2000
There is an access control setting system disclosed in Japanese Patent Laid-Open No. 112891, and as an integrated authority management system including a database server, there is a network system disclosed in Japanese Patent Laid-Open No. 2000-10930.

[0013]

Since the conventional integrated authentication / authority management system is configured as described above, since the resource to be accessed is specified in the URI (URL) format, the integrated authentication / database including the database is There was a problem that it was difficult to apply to authority management.

The above problem will be specifically described. Specifying the resource to be accessed in the URI (URL) format as in the prior art is effective for a static electronic document that can be specified in the URI format. However, in an integrated authentication / authority management system including a database, that is, a system that handles accessible information in a database dynamically by linking a WWW server and a database server, various requests from a Web browser are linked to the database server. WWW server (application server) that receives
Since the W application (CGI program) relays the exchange of information with the database, it is difficult to specify the data in advance by the URI.

For example, in the HTTP-GET protocol, parameters regarding authentication and access authority must be included in the URI and passed to the system side. However, the method of converting to the URI including the above parameters is not constant for each WWW application on the system side. That is, it is necessary for the user to create a URI including parameters according to each WWW application. Therefore, when the URI itself corresponding to each WWW application cannot be predicted, it is difficult to perform ACL management on a URI basis in advance. As a specific example, there is a case where the decoding process for extracting the parameter from the URI is hidden by each WWW application.

Further, in the HTTP-POST protocol, parameters such as user information are not passed as a URI but are passed as content to the system side. For example,
The system side sends the content related to the parameter input screen to the Web browser, and the content is returned to the system side as the content in which the user inputs the parameter along the input item. Therefore, when the access destination resource is specified based on the URI as in the conventional case, it is possible to control whether or not the CGI program specified by the URI can be used, but it is not possible to control at a finer level. . For example, when the CGI program provides a subdivided function, it cannot be supported.

Therefore, it is necessary to individually set the access authority of the resource on the database server side, and the WW
The integrated management of authentication and access authority to the W server and the database server becomes incomplete, and the setting becomes complicated.

On the other hand, although it is possible to manage the authentication / authority management for the database separately from the integrated authentication / authority management apparatus, the user / group information of the integrated authentication / authority management apparatus cannot be used as it is. There was a problem that the work of matching the user / group repositories of was complicated.

The present invention has been made to solve the above problems. In a system form in which a WWW server and a database server are linked, access authority management for a database is integrated with content management of the WWW server. An object is to obtain an access integrated management system, an access integrated management device and method, and a program.

Further, according to the present invention, in a client / server type database access mode, an access integrated management system, an access integrated management device and method, and a program for performing access authority management for a database by integrating with contents management of a WWW server are obtained. The purpose is to

[0021]

An integrated access management system according to the present invention has a namespace for uniquely designating a plurality of information resources including one or a plurality of databases by element names, and When there is an access request for the integrated management access control list in which each access right is set as the access right for the element name and the access request for the information resource, the access right for the element name corresponding to the information resource in the integrated management access control list is set. With reference to the access range determination unit for determining the access range and the access control list for integrated management, each access authority for a plurality of information resources is managed based on the access range determination result by the access range determination unit. And an access integrated management device for controlling the access.

The access integrated management system according to the present invention includes an access management device that manages access to the database in cooperation with a database server device that directly manages the database, and the access range determination unit is provided in the access management device. When an access request is made to the information resource of the database managed by the database server device, the access range of the element name corresponding to the information resource in the integrated management access control list is referred to and the access range is determined. It is a thing.

An integrated access management system according to the present invention includes a database server device that directly manages a database, and an access range determination unit is provided in the database server device for an information resource of a database managed by the device. When there is an access request, the access range of the integrated management access control list is determined by referring to the access authority of the element name corresponding to the information resource.

The access integrated management device according to the present invention is
An access control list for integrated management that has a namespace that uniquely specifies multiple information resources including one or multiple databases by element names and sets each access authority of multiple information resources as access authority of element name In addition, each access authority to a plurality of information resources is managed based on the access range determined by referring to the integrated management access control list.

The access integrated management device according to the present invention is
The integrated management access control list is provided with an update information collection unit that collects update information from the database.

The access integrated management device according to the present invention is
When the update information collecting unit reaches a predetermined condition set in advance,
The latest information is automatically collected from the database.

The access integrated management method according to the present invention is
An access control list for integrated management that has a namespace that uniquely specifies multiple information resources including one or multiple databases by element names and sets each access authority of multiple information resources as access authority of element name Prepare,
When an access request is made to an information resource, an access range determination step of determining the access range by referring to the access authority of the element name corresponding to the information resource in the integrated management access control list, and an access range determination step And an access authority management step of managing each access authority to a plurality of information resources based on the determination result of the access range in.

The program according to the present invention has a namespace for uniquely designating a plurality of information resources including one or a plurality of databases by element names, and the access authority of each of the plurality of information resources is the access authority of the element name. When an access request is made to the integrated management access control list and the information resource set as above, the access range of the element name corresponding to the information resource of the integrated management access control list is referenced to determine the access range. A computer having an access range determination means and an integrated management access control list, and causing a computer to function as an access integrated management means for managing each access right to a plurality of information resources based on the access range determination result by the access range determination means Is.

[0029]

BEST MODE FOR CARRYING OUT THE INVENTION An embodiment of the present invention will be described below. Embodiment 1. 1 is a diagram showing the overall configuration of a network system according to Embodiment 1 of the present invention. In the figure, 1a and 1b are Web browsers having a function of sending and receiving HTTP data and browsing HTML data, and are designated by server host names "w1" and "w2" in the URI, respectively. Reference numeral 2 is a client terminal having a function of directly accessing the database 9 by SQL or the like. The client terminal 2 will be described in detail in the embodiment described later. 3 is a web browser 1a, 1
b, a network such as the Internet, which is interposed between the client side such as the client terminal 2 and the system side subsequent to the firewall 4. Reference numeral 4 denotes a firewall, which is arranged between the system and the network 3 to regulate data transmission / reception during this period. Reference numeral 5 denotes an integrated authentication / authority management device (access integrated management device)
It integrally manages access to the database 9 from the eb browsers 1a and 1b and the client 2. Further, the integrated authentication / authority management device 5 has HTTP / HTT as a basic function.
It has a function as a WWW server that supports the PS protocol. 6a and 6b are WWW servers, and integrated authentication /
Access from the Web browsers 1a and 1b and the client 2 is integratedly managed by the authority management device 5. Reference numeral 7 denotes an integration module (access range determination unit, access range determination means), which is a WWW server (access management device).
6b, which is used for integrated management of access to the database 9 via the database server 8. Reference numeral 8 denotes a database server (database server device) that manages the database 9 and has a server host name “w” in the URI.
3 ".

As shown in the figure, in the network system of the present invention, when accessing the WWW servers 6a, 6b, which are application servers, from the Web browsers 1a, 1b and the client terminal 2 via the network 3, integrated authentication / The authority management device 5 always relays the access. Further, from the viewpoint of security, access from the Web browsers 1a and 1b and the client terminal 2 is restricted by the firewall 4. Specifically, the firewall 4 is set to allow access only to the integrated authentication / authority management device 5 so that the WWW servers 6a and 6b cannot be directly accessed.

FIG. 2 is a diagram showing in detail each component in the network system shown in FIG. In the figure, 5
Reference numeral a denotes an integrated authentication management program section (access integrated management means) which functions as a subsystem in the integrated authentication / authority management apparatus 5, and authenticates a user who has requested access to the WWW servers 6a and 6b and the database 9. The integrated authentication management program section 5a stores an entry for the authenticated user in the user / group definition database section 10
It is added to the session management table in the table, and whether or not it has been authenticated is managed by referring to the session management table. 5b
Is an integrated authority management program unit (access integrated management means) that functions as a subsystem in the integrated authentication / authority management apparatus 5, and sets whether or not there is an authority to set the target resource on the system side and access to the target resource. Respond to such inquiries. Reference numeral 5c denotes a URL conversion program unit (access integrated management unit) that functions as a subsystem in the integrated authentication / authority management device 5, and the URI received from the client side and the WWW servers 6a and 6b on the back end side corresponding to the URI. And the URI of the database 9 are mapped. 7a is CGI
It is a module and executes processing of data in the database 9 via the WWW server 6b. 7b is CGI
Among the DB access modules of the module 7a, the CGI DB access module (access range determination unit, access range determination means), which is a module replaced for integrated management, is used for integrated authority management in the integrated authentication / authority management apparatus 5. It has a function of managing access to the database 9 by referring to the access control list. Reference numeral 10 is a user / group definition database unit, 11 is a central ACL management database unit, and 12 is a URL mapping database unit, which is a database included in the integrated authentication / authority management device 5.

FIG. 3 is a diagram showing the contents of the user / group definition database section in FIG. As shown in the figure, the user management section of the user / group definition database section 10 manages authentication information such as a login user name (user name) and a login password (password).
This login user name is an internally unique user ID
Is managed as. Also, the login password is
Methods other than password-based authentication can also be applied. For example, the client certificate itself may be stored in the user management unit. In this way, the user / group definition database unit 10 manages the authentication information according to each authentication method. Further, it has a session management table that is referred to when the integrated authentication management program unit 5a determines whether or not the user is an authenticated user.

FIG. 4 is a diagram showing the contents of the centralized ACL management database section in FIG. The integrated authority management access control list (hereinafter, abbreviated as integrated ACL) in the centralized ACL management database unit 11 is expanded for the database 9 by providing a database object management namespace. That is, the authority management for the conventional Web server is performed with reference to the WEB management namespace, and the authority management for the database 9 is performed with reference to the database object management namespace. In this database object management namespace, objects in the database 9 such as "connection", "tables", and "view"
ws) ”,“ role ”,“ trigger ”,“ synonym ”, etc. can be managed on the integrated authentication / authority management device 5. These objects are managed by inputting an administrator console or a setting command using the administrator console 15 shown in FIG. 6 described later.

The central ACL management database unit 11
Then, for each table in the database 9, it is possible to set what kind of authority the user or group shown in FIG. 3 has. For example, the table A in the database 9 is replaced with "/ DBACL / Server2 / DBname" in the database object management namespace.
/ Tables / A ", and the basic authority of reading, writing, and changing is set for this. In addition to the basic authority, it also has a function of defining a “role” and setting it as the authority of each “table” or “viewpoint”. These correspond to general relational database management functions, but the integrated ACL of the present invention is characterized in that these are defined as unique integrated namespaces.

Next, the operation will be described. First, for example, a user of the Web browser 1a (specified by the user name user1) asks "h" to the network system.
ttp: // tw1 / w2 / search. cgi / se
arch. cgi? user =% aaa% bbb & gr
oup =% ccc% ddd & cond =% ee% ff
It is assumed that a search request "f" is made. "% Aaa% bbb" after "?" In the above URI is the URI
The parameter value part of the program encoded according to the encoding rules. However, the parameter value portion is simplified here for simplification of description, and is different from the actual encoded character string. In addition, the variable names and types for the parameters (in the above example, "user", "gr")
"up", "cond" (corresponding to a character string of search condition) is a part defined on the CGI program side, and the encoded "% aaa" of the parameter value part is included.
With the character string such as, the entire character length changes each time depending on the condition.

Here, since the part indicating the server host name included in the URI is "tw1", the Web
The browser 1a can send an HTTP request to the integrated authentication / authority management device 5 (hereinafter, appropriately abbreviated as "integrated management device") specified by the character string "TW1". As a result, the integrated authentication management program section 5a in the integrated management device 5 shifts to an operation of confirming whether or not the user has been authenticated.

If the user has not been authenticated, the integrated authentication management program section 5a requests the user to send authentication information (for example, user name and password).
After that, when the authentication information is received from the user in response to the authentication information request, the integrated authentication management program section 5a
Matching between the authentication information and the authentication information previously registered in the authentication database of the user / group definition database unit 10 shown in FIG. 3 is performed. At this time, if the determination results match, the user who receives the service is authenticated. If the user has already been authenticated,
The above process is not required.

When the authentication process is completed as described above, the integrated authentication management program section 5a adds the entry of the user to the above-mentioned management table and returns the normal termination code to the Web browser 1a.

Next, the integrated authority management program 5b in the integrated management apparatus 5 is the central ACL management database 11
Among the registered contents of the integrated ACL in, the authorization information part of the URI is referred to and it is determined whether or not the user has the authority for the specified URI. Here, as described above, since the URI includes a portion that changes according to the input parameter, the ACL cannot be set in advance in the related art. Therefore, in the present invention, the user's execution right that the program can be used is set in advance as a URI that specifies up to the program path portion and is a regular expression thereafter. For example, "http: // tw1 /
w2 / search. cgi / search. cgi? u
ser =% aaa% bbb & group =% ccc% d
If dd & cond =% ee% fff ", the character string" http: // t
w1 / w2 / search. cgi / search. cg
"i" is specified, and the regular expression after this is "* user".
Replaced with the character string "1 executable" and "h
ttp: // tw1 / w2 / search. cgi / se
arch. cgi * user1 Executable ”UR
It is set as L. The integrated authority management program 5b refers to the character string after "*" and determines whether or not the user has authority for the URI specified.

Here, the ability to execute the program specified by the URI and the function of setting the authority to the data portion referred to as a result of the execution are different, and the present invention provides the latter. In the following, the program execution by CGI will be described as an example. The present invention is not limited to CGI as long as it is a program path that can be specified by a URI. For example, it may be replaced by similar means such as Java (registered trademark) servlet.

First, since "user1" can be executed, the integrated authority management program 5b section can execute the above-mentioned URI.
If the access is not denied to the CGI program specified by, the process ends normally.

Subsequently, the URI conversion program portion 5c
Refers to the content of the URL mapping database unit 12 to convert the integrated URL into a URI for actually accessing the WWW server 6b. Specifically, the integrated URL “http: // tw1 / w2 / search.
cgi / search? user =% aaa% bbb &
group =% ccc% ddd & cond =% eee%
fff ”is, for example,“ http: // w2 / serc
h. cgi / search? user =% aaa% bb
b & group =% ccc% ddd & cond =% ee
e% fff ”, and the integrated management device 5 accesses the WWW server 6b by this URI. In addition, at the time of this access, the HTTP header stores the user name that identifies the user who requested the access and the information about the group to which the user belongs, and transmits it to the WWW server 6b.

The WWW server 6b receives the access request and H by the converted URL received from the integrated management device 5.
The additional information in the TTP header is sent to the CGI module 7a specified by the URI.

The CGI module 7a sends a search request to the database 9 based on the search information received as the URI as described above. Here, the search request is made by, for example, SQL. In this case, the search condition from the Web browser 1a is CGI at the time of the search request.
SQL such as "database name", its "table name" and "viewpoint name" to be accessed by the module 7a
Converted to the information and format required for issuing the sentence. After that, the CGI module 7a creates an SQL sentence based on the above information and issues it to the CGI DB access module 7b.

For the sake of simplicity, the SQL will be described below.
An example applied to a relational database where statements can be used is explained. It should be noted that the present invention uses such SQ
It is needless to say that the present invention is not limited to the L database and can be applied to other than the above as long as the configuration satisfies the purpose.

When the SQL statement is issued as described above, the CGI DB access module 7b uses the previously defined address information (communication position information) of the integrated management device 5 to communicate the communication information. To get. The communication information of the integrated management device 5 includes, for example, IP address and port information.

Next, the CGI DB access module 7
b is the table name information by analyzing the input SQL sentence,
Acquire access request information such as viewpoint information. continue,
The CGI DB access module 7b uses the communication information to access the integrated management device 5 and execute the integrated ACL.
Pre-defined database object space information (base part) and input SQL sentence are analyzed to obtain table name information and viewpoint information, and the database object management namespace and the inspection in the integrated ACL setting are performed. Convert and synthesize into proper authority information.

After that, the CGI DB access module 7b sends these pieces of information and the authentication information such as the user name and the belonging group name together to the integrated management device 5 to determine whether or not the database object of the database 9 can be accessed. Is checked and response processing is performed.

Here, if there is no access authority, an error is returned. Specifically, when the CGI DB access module 7b determines that there is no access authority,
Web content corresponding to the error is returned from the WWW server 6b to the integrated management device 5. This content is transmitted to the Web browser 1a by the integrated management device 5.

On the other hand, if the user has access authority, a search request such as SQL is issued from the CGI module 7a to the database server 8 as in the case of normal database processing.
As a result, the database server 8
Is searched, and the data corresponding to the search condition is returned to the CGI module 7a. In the CGI module 7a, the information returned from the database 9 is sent to We such as HTML.
b It is converted into a format suitable for display on the browser and returned to the integrated management device 5. In the integrated management device 5, after performing processing such as rewriting the link information into an integrated link, the content is returned to the Web browser 1a that has issued the search request.

Although an example of the search request has been described above, the operation by the SQL statement is not limited to the search request, and other operations are possible. Further, regarding the access authority on the database side, all access may be made possible, and access control may be performed only by the integrated management device 5, or on the database side, it is also possible to set ACL on a database object such as a table.

As described above, according to the first embodiment, since the namespaces for designating the database object names of the database 9 and their relations are integrated on the integrated management device 5, the statics based on the URI such as HTTP and FTP are used. In addition to the access control of the dynamic content, the dynamic access control of the content using the database 9 can be efficiently integrated and managed.

Further, according to the first embodiment, the directory information such as user information and group information in the integrated management apparatus 5 which has already been integrated (centralized) managed can be used in database management. , It can be managed more efficiently than the normal database management.

Further, according to the first embodiment, the database object for which the integrated ACL is set is not directly set in the actual object itself such as the table in the database 9 but in the integrated management device 5. Since it is managed as a data object management namespace of the virtual integrated authority management ACL managed by, it is possible to flexibly manage settings without affecting the substance of the object. For example, the same tag can be mixed and used for a plurality of object names depending on the namespace.

Embodiment 2. In the first embodiment, the reference module of the integrated (centralized) ACL is set in the DB of the WWW server.
Although the example of mounting in the access module is shown, the second embodiment is adapted to the client / server type database access mode by mounting in the DB access processing module on the database server side.

FIG. 5 is a diagram showing in detail each component of the network system according to the second embodiment of the present invention.
In the figure, 8A is a DBMS for managing the database 9.
A database server (database server device) including a (database management system), which directly receives an access request from the client side and executes data exchange with the database 9. In the illustrated example, the database server 8A is assumed to be a SQL-enabled relational database. Reference numeral 13 denotes a DB access processing module (access range determination unit, access range determination means) obtained by replacing a part of the DB access module in the database server 8A for integrated management, and access for integrated authority management in the integrated management apparatus 5. It has a function of managing access to the database 9 by referring to the control list. Specifically, the SQ incorporated in the database server 8A
It is a program that executes access processing to the database 9 described in L or the like. Reference numeral 14 is an administrator console for managing the integrated ACL from the outside. In addition, the same components as those in FIGS. 1 and 2 are denoted by the same reference numerals, and duplicate description will be omitted.

Next, the operation will be described. First, for example, it is assumed that the client terminal 2 makes a search request for the database 9 to the database server 8A by SQL or the like. At this time, the DB access processing module 13 of the database server 8A checks the access right of the integrated ACL database object space before checking the right attached to the actual database object.

In the authority check referring to this integrated ACL, if there is no access right, the DB access processing module 13 rejects the access from the client terminal 2 to the object of the database 9. Further, the inspection of the substance object may or may not be executed.

On the other hand, if there is access authority, the above SQL
Database server 8A
Searches the database 9 and returns the data corresponding to the search condition to the client terminal 2 which made the search request.

The management of the integrated ACL information is performed by, for example, the command line or GUI of the administrator virtual terminal.
This is performed from the administrator console 14 equipped with (graphical user interface).

As described above, according to the second embodiment, it is possible to perform more general integration of access management. More specifically, in the above-described first embodiment, the module that refers to the integrated ACL is a module (CG that performs access processing with the client side in the WWW server).
Since it is realized by replacing the I module 7a), the integrated ACL is not referred to for every access to the database 9. That is, as described in the first embodiment, the integrated ACL is referred to in the access processing related to the CGI program specified by the URI. On the other hand, in the second embodiment, a part of the DB access module of the database server 8A is replaced with the DB access processing module 13, so that ACL management for all access requests to the database 9 is performed regardless of the CGI program or the like. Can be performed based on the integrated ACL of the integrated management device 5.

In the above-described first and second embodiments, an example in which one database is handled has been shown, but a plurality of databases can be handled in the same way.
In other words, according to the present invention, objects in a plurality of databases are managed in an integrated manner by the data object management namespace of the virtual ACL for integrated authority management. Without setting, you can flexibly manage settings.

Further, the present invention has a great effect when the system to be integrated is a WWW system which cooperates with a database. That is, by changing or adding the DB access module part of the WWW server, or changing or adding the access processing module on the database side,
It is a great advantage that integrated access control management can be performed without changing the CGI program group in the WWW server to be integrated. In general, the change / addition of the DB access module part (so-called driver part) is smaller than the change of the program group (application) such as CGI, and the change part is small, and the advantage of the effect of this method is great.

Third Embodiment In the above embodiment, the integrated A
Although the integrated management of the database using the CL has been shown, the third embodiment will explain means for efficiently generating the integrated ACL name space.

FIG. 6 is a diagram showing in detail each component of the network system according to the third embodiment of the present invention.
In the figure, reference numeral 15 denotes an administrator console for externally managing the integrated ACL, which includes a command line of a virtual terminal for the administrator or a GUI (graphical user interface). In addition, the same components as those in FIG. 1 are designated by the same reference numerals, and duplicate description will be omitted.

Next, an outline will be described. Also in the third embodiment, the object space of the database 9 creates and manages a virtual name space as shown in FIG. Therefore, it is necessary to synchronize the virtual namespace of the integrated ACL and the namespace of the database 9 side. Specifically, unless the database administrator reflects the “table name” and “viewpoint name” created in the namespace of the database 9 as namespace information in the integrated ACL,
It is not possible to carry out detailed and efficient management.

Therefore, for example, in the integrated ACL shown in FIG. 4, the root of the table name "/ DBACL / Se"
A program for collecting information such as table names is set as a procedure (information collecting unit) in "rver2 / DBname / Tables". The operation will be described below.

The administrator is an administrator console (GUI)
When the user clicks (selects) the root of the table name of the integrated ACL or inputs a command using 15, the above procedure is started. At this time, the procedure is executed by the DBMS (DB
Management system), collects the table name and access authority information actually created by the DBMS for the objects in the database 9, and sends it back to the administrator console 15.

The administrator console 15 displays the information collected by the above procedure by the GUI function. Thereby, the administrator can appropriately reflect the information in the namespace of the integrated ACL.

As described above, according to the third embodiment, a procedure for collecting table names and authority information actually created by the DBMS of the database server 8,
Since the administrator console 15 that reflects the information collected by the procedure in the integrated ACL is provided, it is possible to efficiently complete the name space of the integrated database objects and improve the management efficiency. That is, unless the above procedure is provided, in the integrated (centralized) ACL management, the administrator has to manually generate the namespace.
On the other hand, by collecting the table name and the authority information on the database 9 side by the above procedure and returning them to the administrator console 15, the administrator can explicitly specify the information by the command line or GUI by the administrator console 15 based on the information. It is possible to create a database object management namespace of the integrated ACL.

In the third embodiment, the namespace generating procedure is supposed to refer to the database 9 only when the administrator explicitly inquires about the namespace. The synchronization method may be as follows.

First, in the case of the system form of the first embodiment, when setting the above procedure in the namespace, the time interval, date and time, time, etc. for issuing and synchronizing this procedure are set, and according to this. A form that complements the namespace can be considered.

Further, in the case of the system form of the second embodiment, trigger information (eg, creation of a new or changed table) for creating / changing the database 9 is set in the namespace. As a result, the administrator console 15 receives the change notification from the database server 8A and changes the name of the virtual namespace. For example, D
The B access processing module 13 hooks the table creation command on the database side, and notifies the administrator console 14 of information indicating that the database has been changed.
The administrator uses the administrator console 14 to execute the integrated AC.
The name space information for L management is changed according to the above notification.

The contents dynamically evaluated by the above procedure may be preread in advance at regular intervals and the latest information of the database 9 may be held in a memory (not shown) in the integrated management device 5. As a result, the integrated management device 5
The evaluation speed due to can be improved.

[0075]

As described above, according to the present invention, each information resource including one or a plurality of databases has a namespace for uniquely designating it by an element name, and each access authority of the plurality of information resources. Prepare an integrated management access control list in which is set as the access authority of the element name, and when an access request is made to the information resource, refer to the access authority of the element name corresponding to the information resource of the integrated management access control list. And determine the access range,
Since each access right to a plurality of information resources is managed based on the result of the determination of the access range, for example, H
In addition to access control of static contents by URI such as TTP and FTP, there is an effect that access to dynamic contents using a database can be efficiently integrated and managed. In addition, the directory information that has already been integrated and managed can be used also in database management, and there is an effect that it can be managed more efficiently than when database management is performed separately. In addition, if the database object for which you want to set the integrated control access control list is a table in the database,
Since it is not set directly on the actual object itself but is managed as the namespace of the integrated management access control list, there is an effect that setting management can be done flexibly without affecting the substance of the object. .

According to the present invention, in the access management device for managing access to the database in cooperation with the database server device for directly managing the database, there is an access request for the information resource of the database managed by the database server device. And the access range of the element name corresponding to the information resource of the integrated management access control list is referenced to determine the access range, so that, for example, in addition to access control of static content by URI such as HTTP or FTP. , There is an effect that access to dynamic contents using a database can be efficiently integrated and managed. Further, when applying the present invention, since it is only necessary to add the means for performing the access range determination in the access management device, there is an effect that the burden for applying the present invention can be reduced.

According to the present invention, in a database server device that directly manages a database, when an access request is made to an information resource of a database managed by the device, the information resource of the integrated management access control list is dealt with. Since the access scope of the element name is determined by referring to the access authority of the element name, there is an effect that a more general integration of access management to the database can be performed. Further, in applying the present invention, since it is only necessary to add the means for performing the access range determination in the database server device, there is an effect that the burden for applying the present invention can be reduced.

According to the present invention, since the information collection unit for collecting the update information of the integrated management access control list from the database is provided, the integrated ACL name space can be efficiently supplemented and the management efficiency is improved. The effect is that it can be done.

According to the present invention, when the information collecting unit reaches a predetermined condition set in advance, the latest information is automatically collected from the database, so that the integrated ACL namespace can be automatically supplemented. There is an effect that the management efficiency can be further improved.

[Brief description of drawings]

FIG. 1 is a diagram showing an overall configuration of a network system according to a first embodiment of the present invention.

FIG. 2 is a diagram showing in detail each component in the network system in FIG.

3 is a diagram showing the contents of a user / group definition database unit in FIG.

4 is a diagram showing the contents of a centralized ACL management database unit in FIG.

FIG. 5 is a diagram showing in detail each component of the network system according to the second embodiment of the present invention.

FIG. 6 is a diagram showing in detail each component of a network system according to a third embodiment of the present invention.

FIG. 7 is a diagram showing a configuration of a conventional WWW server authentication / authority management system.

[Explanation of symbols]

1a, 1b Web browser, 2 client terminals,
3 network, 4 firewall, 5 integrated authentication / authority management device (access integrated management device), 5a integrated authentication management program section (access integrated management means), 5b
Integrated authority management program unit (access integrated management unit), 5c URL conversion program unit (access integrated management unit), 6a, 6b WWW server, 7 integration module (access range determination unit, access range determination unit), 7a CGI module, 7b CGI DB access module (access range determination unit, access range determination means), 8, 8A database server (database server device), 10 user / group definition database unit, 11 centralized ACL management database unit, 12U
RL mapping database unit, 13 DB access processing module (access range determination unit, access range determination means), 14 and 15 administrator console.

Claims (8)

[Claims] 1. A namespace that uniquely designates a plurality of information resources including one or a plurality of databases by element names, and each access right of the plurality of information resources is set as an access right of the element name. When an access request is made to the integrated management access control list and the information resource, the access range is determined by referring to the access authority of the element name corresponding to the information resource in the integrated management access control list. An access range determination unit, and an access integrated management apparatus having the integrated management access control list and managing each access right to the plurality of information resources based on the access range determination result by the access range determination unit. Access integrated management system equipped. 2. An access management device that manages access to the database in cooperation with a database server device that directly manages the database, and an access range determination unit is provided in the access management device and the database server device. When an access request is made to an information resource of a database managed by, the access range of the integrated management access control list is determined by referring to the access authority of the element name corresponding to the information resource. The integrated access management system according to claim 1. 3. A database server device for directly managing a database, wherein the access range determination unit is provided in the database server device, and when an access request is made to an information resource of the database managed by the device, 2. The access integrated management system according to claim 1, wherein the access range is determined by referring to the access authority of the element name corresponding to the information resource in the integrated management access control list. 4. A namespace that uniquely designates a plurality of information resources including one or a plurality of databases by element names, and each access authority of the plurality of information resources is set as an access authority of the element name. An access integrated management device comprising an integrated management access control list, and managing each access right to the plurality of information resources based on an access range determined by referring to the integrated management access control list. 5. The access integrated management device according to claim 4, further comprising an information collection unit that collects update information of the integrated management access control list from a database. 6. The access integrated management device according to claim 5, wherein the information collecting unit automatically collects the latest information from the database when a predetermined condition set in advance is reached. 7. A namespace that uniquely designates a plurality of information resources including one or a plurality of databases by element names, and each access right of the plurality of information resources is set as an access right of the element name. When an access control list for integrated management is prepared and an access request is made to the information resource, the access range of the element name corresponding to the information resource of the integrated management access control list is referred to and the access range is set. An access integrated management method comprising: an access range determination step of determining; and an access authority management step of managing each access authority to the plurality of information resources based on the access range determination result in the access range determination step. 8. A namespace that uniquely designates a plurality of information resources including one or a plurality of databases by element names, and each access authority of the plurality of information resources is set as an access authority of the element name. Access control list for integrated management, when an access request is made to the information resource, access for determining the access range by referring to the access authority of the element name corresponding to the information resource of the integrated management access control list The computer functions as an access integrated management unit that has a range determination unit and the integrated management access control list, and manages each access right to the plurality of information resources based on the access range determination result by the access range determination unit. Program to let.