JP2007004610A - Complex access approval method and device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To easily set or manage flexible access control rule corresponding to an organization using an information system in such configurations that a plurality of information resources are respectively associated with a single access with relevancy. <P>SOLUTION: One or more primitive access is generated with any of a plurality of information resources as an object according to access type from requested complex access (S04), and the access type of each of the generated primitive access is set according to the role of the object and the access type of the complex access, and approval decision is operated on the basis of a primitive access limit rule to the primitive access (S08), and the approval decision of the requested complex access is operated according to the result of the approval result. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a method and apparatus for controlling access to information resources managed in an information system, and in particular, a plurality of information resources are managed in association with each other, and a single access performed by a user, an execution process, or another entity. It relates to authorization of access in an information system in which an action affects each of these associated information resources in their respective ways.

  In an information system, in order to maintain the confidentiality and asset value of information resources such as data and programs managed in the system, it is necessary to control access to these information resources such as reference, execution, change, and deletion. . In general, an object that accesses a protection target is called a subject, and an information resource that is a protection target is called an object. In addition, access types such as reference, execution, change, and deletion are referred to as access types. The access control mechanism generally includes an access authorization process that determines whether or not an access request from a subject should be permitted according to a predetermined rule, and an access request from a subject according to the result of the access authorization process. This can be divided into access forcible processing that actually performs an operation on the corresponding object.

  One element that characterizes the method of access authorization processing is how to manage a subject's access authority, that is, a set of a subject, an object that is permitted to be executed, and an access type. This is an extremely important factor that determines the efficiency and safety of the authorization / modification process by the administrator of access authority.

  In the classic access authorization method, an access control list that describes a set of subjects and access types allowed (or denied) for each object is used as an access control rule, thereby managing access authority. It was. In the UNIX (registered trademark) file system, subjects are not classified into individual entities, but are classified into three types: an object owner (owner), a group to which the object owner belongs, and an arbitrary subject, and an access control list. Is managing.

  However, with this classic method, when there are a large number of subjects and objects, it is necessary to add subjects, change the permission level that should be granted to individual subjects, or add objects or individual objects. The management cost of continuing to modify the access control list so as to keep it appropriate according to the change of the confidentiality level becomes extremely high. In addition, due to the high management cost, it is difficult to maintain appropriate security, such as a situation where an incorrect setting is made and the system is operated.

  On the other hand, in recent years, an access authorization method using an access control policy using an attribute of a subject or object as a parameter as an access control rule has been widely adopted. The access control policy is composed of predicate expressions that use attributes of subjects, objects, and operations that characterize access as parameters. For example, “access to an object whose title level attribute is 10 by a subject whose job level attribute is B or higher is permitted to be an operation whose type attribute is a reference”. Formally described. When an access request occurs, the values of various attributes of the access request are identified, the attribute values are substituted into the corresponding parameter part of the access control policy, and whether or not the access request can be accepted according to the evaluation result Determine.

  According to the access control policy, instead of defining permission / rejection for each combination of objects and subjects like an access control list, authority is given to a combination of those grouped by a measure of attributes. There is an effect that the management process by the authority manager is greatly improved. An example of the access control policy format is XACML (see Non-Patent Document 1).

  By the way, in an information system, a plurality of information resources are associated and managed, and a plurality of associated information resources are influenced by a single access action performed by a user, an execution process, or other entities. There are many forms that are affected. For example, there are various file systems represented by the UNIX (registered trademark) file system. In these file systems, files are arranged and managed on nodes having a tree structure constituted by a hierarchical relationship of directories or folders. A file is an information resource including specific information content (content), and a folder (directory) is also an information resource for file management. If the relationship between a folder and the files and folders placed in it is called a parent-child relationship, an arbitrary folder has zero or more files or folders as child elements, and an arbitrary file or folder is excluded except for the root of the tree structure. They are managed in association such that they have only one parent element.

  Here, consider an example of access of copying a folder of a file to another folder. From the viewpoint of the subject requesting execution of this access, this access can be regarded as a single atomic process in which the file to be copied is the subject and the copy is the access type. However, in completing this request, not only the file to be copied, but also the folder where the file was originally placed and the folder to which the file is copied, This has the effect of creating a new child element. In other words, a plurality of different types of accesses are executed as a series of transactions for the plurality of subjects. Such access is referred to as complex information resource access or simply complex access.

With regard to authorization for multiple access, the UNIX (registered trademark) file system evaluates whether the copy source file can be read and whether the copy destination folder can be written, and only when both are permitted. Control is performed such that execution of the operation is permitted. In general, a single complex access requested by a subject is broken down into primitive accesses that each have multiple information resources involved in that access as objects, and for each primitive access, It can be said that authorization is performed based on the access control list corresponding to the object, and based on the result, authorization of the originally requested complex access is performed.
OASIS (Organization for the Advancement of Structured Information Standards): XACML (eXtensible Access Control Markup Language) Version 1.1 Committee Specification, 2003 (http://www.oasis-open.org/committees/xacml/repository/cs-xacml-specification -1.1.pdf)

  As a method for authorizing multiple access in an information system in which a plurality of information resources are managed in association with each other, a method in the UNIX (registered trademark) file system as described above is representative. However, as described above, the access control list used for primitive access authorization increases the number of subjects and objects, and the management cost such as setting and modification increases explosively. The burden on the administrator of the information system or object will be extremely high.

  As one effective method for solving such a problem, it is conceivable to use an access control policy having an attribute as a parameter as an access control rule when granting decomposed primitive access. In this way, even if the number of subjects and objects increases, it can be managed with a relatively small amount of definition.

  However, even if such an improvement is made, the following problems still remain unsolved.

  First, in the prior art, the procedure for decomposing complex access into primitive access has been completely incorporated into the access control mechanism of the information system and is inflexible. For example, the decomposition of the copy operation in the previous UNIX (registered trademark) file system is implemented in the access control mechanism of the file system. Therefore, information system managers must establish rules specific to their organizations to decompose complex access and derive primitive access for the purpose of reducing the cost of managing access control rules and enforcing consistent security policies. Even if you want to change or modify something, it is very difficult to customize that way.

  Second, in the conventional technology, the primitive access derived by decomposing the complex access is an object in which one of the information resources involved in the originally requested complex access is exclusively selected. Is set. Therefore, in the authorization of primitive access, the attribute related to the information resource that is the object in the access is conditioned in the policy and reflected in the determination result, but other information resources involved in the same complex access are also reflected in the determination result. Fine authorization that reflects attributes cannot be realized.

  Third, in the conventional technology, when decomposing from complex access to primitive access, to determine the configuration of primitive access based only on the type of compound access, that is, the combination of access type and object, A flexible decision is not made according to the attributes of information resources involved in complex access, such as management entity, confidentiality, and importance. In such a method, it is difficult to reflect the information resource management entity and the difference in security level required for the information resource, and it is difficult to protect the information resource appropriately.

  The present invention has been made in view of the above points. In an information system in which a plurality of information resources are involved in a single access action performed by a user, an execution process, or other entities, Makes it easy to set and manage flexible access control rules according to the organization to be used, extremely reduces costs, and enables fine-grained access authority settings according to the attributes of information resources involved in access. A composite access authorization method and apparatus are provided.

  The composite access authorization method of the present invention is a method for authorizing a composite access request when a composite access request involving a plurality of information resources is received from a subject. As one access, from the first access, one or more second accesses (primitives) using one of a plurality of information resources involved in the first access as an object according to the access type of the first access. The primary access generation step for generating the second access, the respective access types of the generated second access, the role of the second access object in the first access, the access type of the first access, and Primitive access type determination step and the primitive access type determination Primitive access authorization step for performing authorization judgment based on an access control rule corresponding to the second access for each of one or a plurality of second accesses whose access types are set by the step, and primitive access authorization step And a general authorization step for performing authorization judgment of the requested complex access in accordance with the authorization judgment result.

  The composite access authorization device of the present invention is a composite access authorization device that authorizes a composite access request when a composite access request involving a plurality of information resources is received from a subject. Information management means holding a composite access definition table showing the relationship with all information resources involved in the composite access for each type, access control rules used for authorization of primitive access, and the requested composite One of the multiple information resources involved in the first access from the first access according to the access type of the first access by referring to the composite access definition table with the primary access as the first access Create one or more primitive accesses with the object as the object, and set the access type of each generated primitive access to the primitive The access object is set according to the role of the first access and the access type of the first access, and is based on the access control rule for each of one or more primitive accesses generated and set with the access type. And an authorization determination unit that performs authorization determination for the requested complex access according to the result of the authorization determination.

  The first effect of the present invention is that the system administrator can flexibly customize the procedure for generating the primitive access by decomposing the complex access in response to the request of each information system in the authorization of the complex access. It is in. The reason for this is that in the conventional technology, the authorization procedure for complex access itself is completely incorporated in the access control mechanism inside the information system, and the information system needs to be significantly modified for customization. In the present invention, if the number of primitive accesses generated from compound access, the object and access type of each primitive access are set in association with the compound access type as a generation source, Primitive access is generated on the basis of the authorization, and authorization of the initial composite access is performed based on these authorization results. This is because it is possible to realize authorization for complex access.

  The provision of a mechanism that can flexibly set and change such rules does not allow execution of individual primitive accesses alone, but allows complex access by a combination of them (for example, for a certain file) Further, it has an effect of enabling a high level of authorization determination such as allowing the contents to be referred to, but allowing the operation to copy the contents to another specific folder.

  The second effect of the present invention is that the cost for management necessary for reflecting the security policy of the organization in the access control is reduced as compared with the prior art. The reason is that in the present invention, the access control rule used for authorization of the primitive access generated as described above is described based on the subject and the object attribute of the primitive access generated based on the correspondence. This is because even if the number of potential subjects and objects increases, authority can be described and modified with a small amount of access control rules.

  The third effect of the present invention is that access authorization can be determined under finer conditions than before. The reason is that, in the prior art, only the object of the primitive access is considered in the authorization of the primitive access, whereas in the present invention, not only the object of the primitive access but the primitive access is considered. This is because it is possible to describe and evaluate access control rules using as parameters the attributes of other information resources (related resource information) involved in the complex access that is the source of the access.

  Furthermore, in the present invention, when describing such other information resources as parameters in the access control rule, the relationship of the related information resources as seen from the object of the primitive access in the primitive access is indicated as a designation. May be. This configuration makes it easier for an administrator to describe, modify, and confirm access control rules corresponding to primitive access, and knowledge of complex access that is the source of primitive access. This can be done without having to have the efficiency of such work. Furthermore, the same primitive access and access control rule can be made to correspond to a plurality of different complex accesses, and the definition amount can be reduced.

  The fourth effect of the present invention is that appropriate authorization with necessary processing efficiency and security can be performed according to the characteristics of information resources involved in complex access. The reason is that since the primitive access is generated according to the attribute of the information resource involved in the complex access, even the complex access of the same access type may generate different primitive accesses. it can. In this way, for example, primitive access and access control rules that make strict decisions according to the value of the attribute related to the confidentiality of the information resource group to be accessed, and vice versa, simple primitive access and access control rules are used separately. This is because it is possible to make an authorization decision with strictness and high speed necessary and sufficient for the characteristics of the information resource. In addition, it is possible to use different access control rules according to subject attributes. As described above, authorization can be made more efficient according to characteristics such as the reliability and position of subjects that execute complex access, or strictly. Can be used for adaptive authorization.

  The fifth effect of the present invention is an access that reflects the intention of the manager of each information resource in a situation where there are a plurality of information management entities and the information resources managed by them are mixed on one information system. It is that control can be realized easily. The reason is that it is possible to select an access control rule to be used for authorization of primitive access according to the characteristics of the information resource to be accessed for primitive access. This is because the access control rules can be switched according to the management subject of the information resource by defining using the administrator.

  A sixth effect of the present invention is that an interface for accessing an information resource is simplified, and an application program for accessing the information resource can be easily designed and implemented. The reason is that not all the information resources involved in access are specified by the interface, but only the minimum information resources necessary for characterizing the access are specified, and the information resources not specified are designated as the specified information resources. This is because the access control mechanism is mechanically and automatically specified from the relationship between the two.

  DESCRIPTION OF EXEMPLARY EMBODIMENTS Hereinafter, preferred embodiments of the invention will be described in detail with reference to the drawings.

(First embodiment)
FIG. 1 is a block diagram showing an overall configuration of an information system to which an access authorization method according to an embodiment of the present invention is applied. It is assumed that this information system is installed in a company and is used by an employee or the like of the company to share an electronic document necessary for performing business.

  This information system is configured such that a file server 1, a plurality of user terminals 2, and a user attribute management device 3 are connected via a communication network 4. The file server 1 holds electronic files including information to be protected such as trade secrets and personal information, and provides users with access to these electronic files while performing access control according to the present invention. The user terminal 2 is a terminal used by a user to access an electronic file managed by the file server 1 and perform operations such as browsing, registration, deletion, and updating for the electronic file. The user attribute management device 3 centrally manages information on employees and the like in the company where this information system is operated. Such information is provided to various business systems in the company such as the file server 1. provide. Here, the file server 1, the user terminal 2, and the user attribute management device 3 can communicate with each other via the communication network 4.

  FIG. 2 is a block diagram illustrating the configuration of the file server 1 using functional blocks. The file server 1 includes functional blocks of a transmission / reception unit 10, a file management unit 11, an authorization determination unit 12, an authentication unit 13, an access control information management unit 14, an attribute acquisition unit 15, and a maintenance unit 16. The operation of these functional blocks is as follows.

  The transmission / reception unit 10 is a functional block that communicates with the user terminal 2 and the user attribute management device 3 via the communication network 4, and receives a request for access from the user terminal 2 and returns a response to it, The user attribute management device 3 is inquired about the attribute of the user and the response is acquired.

  The file management unit 11 stores a plurality of electronic files together with their attributes, and further provides operation functions such as reading, writing, creating, copying, and erasing. In the present embodiment, the electronic file is managed so as to belong to one of folders (directories) having a hierarchical tree structure, and the folder is also managed with an attribute associated therewith. If the relationship between a folder and the files and folders placed in it is called a parent-child relationship, an arbitrary folder has zero or more files or folders as child elements, and an arbitrary file or folder is excluded except for the root of the tree structure. They are managed in association such that they have only one parent element. FIG. 5 shows an example of management of files and folders and their hierarchical relationship and attributes in the file management unit 11. In the figure, “ID” indicates an identifier for uniquely identifying each electronic file, “Type” indicates whether it is a file or a folder, and “Parent Folder ID” indicates a target folder or Indicates the ID of the folder that is the parent element of the file, and the “apparent name” is an apparent name used in place of the ID when displaying the electronic file in a list or the like so that the user can easily understand and understand the file. Is shown. The “attribute symbol” indicates an attribute defined for each folder or file specified by the ID, and “attribute value” indicates an attribute value given to such an attribute.

  The authorization determination unit 12 determines whether a user can access an electronic file managed in the file server 1.

  The authentication unit 13 authenticates a user who accesses an electronic file managed in the file server 1. In the present embodiment, user authentication is performed by authentication based on public key cryptography using a public key certificate, and the authentication unit 13 verifies the validity of the user public key certificate. It also holds the certificate authority's public key certificate.

  The access control information management unit 14 holds an access control information group used as a determination criterion when the authorization determination unit 12 determines whether or not a user can access an electronic file, and provides the information to the authorization determination unit 12. . This access control information group will be described in detail later.

  The attribute acquisition unit 15 inquires of the user attribute management apparatus 3 via the transmission / reception unit 10 about the user attribute used as a parameter when the authorization determination unit 12 determines whether the user can access the electronic file. Obtained and provided to the authorization determination unit 12.

  The maintenance unit 16 has an interface for a system administrator or an information manager to set, update, and delete an access control information group managed by the access control information management unit 14 based on the information system security policy. I have.

  In this embodiment, a configuration is shown in which user authentication is performed using a public key certificate. However, the present invention does not depend on such an authentication method. For example, authentication based on password verification is performed. It may be used.

  FIG. 3 shows the configuration of the user terminal 2 by function blocks. The user terminal 2 includes a transmission / reception unit 20, an instruction unit 21, a storage unit 22, a display unit 23, a processing unit 24, and an authenticated unit 25. The operation of each of these functional blocks is as follows.

  The transmission / reception unit 20 is for communicating with the file server 1 via the communication network 4 and transmits an access request to the file server 1 and obtains a response to the request.

  The instruction unit 21 is a part that receives instructions such as access to the file server 1 from the user who uses the user terminal 2 and editing operation for the result, and specifically includes a mouse, a keyboard, and the like.

  The storage unit 22 stores the contents of an electronic file acquired from the file server 1 and an electronic file scheduled to be registered in the file server 1.

  The display unit 23 is a part that displays a response to an access request to the file server 1, an acquired electronic file, and other processing results and conveys them to the user. Specifically, the display unit 23 is a display device such as a CRT or a liquid crystal display or Consists of audio output devices such as speakers.

  The processing unit 24 is a part that uses an electronic file acquired from the file server 1 or an electronic file scheduled to be registered in the file server 1 for editing or numerical calculation.

  The authenticated unit 25 proves the ID of the user who uses the user terminal 2 in response to the authentication request from the file server 1. As described above, since the authentication method using the public key certificate is adopted in the present embodiment, the authenticated unit 25 holds the user's private key and the corresponding public key certificate. . In addition, the storage part of the user's private key or the entire part to be authenticated 25 of the authenticated unit 25 is mounted on another device such as a portable medium so that it can be separated from the user terminal 2 as necessary. May be. As such a medium, it is desirable to use a tamper-resistant medium such as an IC card from the viewpoint of preventing damage such as impersonation due to leakage of a secret key.

  FIG. 4 shows the configuration of the user attribute management device 3 by function blocks. The user attribute management device 3 includes a transmission / reception unit 30, a user attribute storage unit 31, and a maintenance unit 32. The operation of these functional blocks is as follows.

  The transmission / reception unit 30 communicates with the file server 1 via the communication network 4. The transmission / reception unit 30 receives a user attribute acquisition request from the file server 1, and receives the corresponding user attribute from the user attribute storage unit 31. Remove and return. The user attribute acquisition request includes a user ID which is a user identifier.

  The user attribute storage unit 31 holds values of various attributes of authorized users in the information system in association with IDs of the users.

  The maintenance unit 32 is a part used by a system administrator or a person in charge of personnel in a company to set, update, delete, etc. user attribute values managed in the user attribute storage unit 31 and the entire user entry. It is.

  In the present embodiment, the user attribute management apparatus 3 centrally manages the user attributes, and when the user attributes are required, the user attribute management apparatus is inquired and acquired. The present invention does not depend on such user attribute management. For example, for each user, the attribute is issued as an attribute certificate and held by the user. By performing attribute authentication using an attribute certificate between and the user attribute, the attribute may be transmitted by a method that does not involve a device such as the user attribute management device 3.

  Next, the access control information group managed by the access control information management unit 14 of the file server 1 will be described in more detail. The access control information management unit 14 manages one composite access definition table, a plurality of primitive access derivation rules, and a plurality of primitive access control rules as access control information.

  FIG. 6 shows a part of the definition contents of the composite access definition table. The compound access definition table is a list of compound accesses defined by the file server 1 and corresponds to an interface for accessing information resources that the file server 1 discloses to the user terminal 2.

  The composite access definition table has one record for each type of composite access. Each record includes a composite access type symbol 101 for identifying the type of access, a description 102 for the access type, A role symbol list 103 corresponding to the access type. In the role symbol list 103, for all information resources involved in access of the access type, the role symbol 104 for identifying the information resource in the access and the information A description 105 of the role of the resource is described as a pair. For example, in the example shown in FIG. 6, the record 106 includes “an information resource having a role symbol“ copiedFile ”indicating an existing file to be copied and a role symbol“ srcFolder ”indicating a parent folder of the existing file to be copied. A composite operation of “duplicating a file with a composite access type symbol of“ copyFile ””, which involves an information resource possessed by an information resource having a role symbol of “destFolder” indicating the parent folder of the copied new file Access is defined.

  FIG. 7 shows a definition example of a primitive access derivation rule used in this embodiment. The primitive access derivation rule is information used to generate a plurality of primitive accesses corresponding to the compound access attempted on the file server 1 by the user of the user terminal. It is defined corresponding to the composite access type defined in the table. The primitive access derivation rule defines an application target designating unit 111 for designating a composite access to which the primitive access derivation rule is applied by a composite access type, and a rule for deriving the primitive access from the composite access. A unit derivation rule list 112 including the same number of unit derivation rules as the number of primitive accesses to be derived is constructed.

  The unit derivation rules included in the unit derivation rule list 112 are respectively an object designating unit 113 that designates a derived primitive access object by a role symbol of an information resource in a complex access that is a derivation source, and its primitive access. The basic access type symbol 114 for specifying the access type and the related information resource definition unit 115 are in a triple configuration. In the related information resource definition unit 115, for each of zero or more information resources other than the primitive access object that should be considered when granting the primitive access, the relation from the primitive access object And the related information resource designation unit 117 that designates the information resource corresponding to the related information resource symbol by the role symbol in the complex access from which the information resource is derived corresponds by “=”. One or more sets of the related information resource symbol 116 and the related information resource designating unit 117 are connected and described.

  Note that, as shown in FIG. 8, the application target designation unit of the primitive access derivation rule is applied, and the application target access type designation unit 111A that designates the complex access to which the primitive access derivation rule is applied by the compound access type. And an application target condition designating unit 111B that conditions the complex access to which the primitive access derivation rule is applied according to any attribute of any information resource involved in the complex access. In that case, for the derivation of the primitive access from a certain composite access, the access type of the composite access and the attributes of the information resource involved in the composite access are respectively applied to the application target access type specifying unit 111A and the application target. A unit derivation rule list that matches the condition specifying unit 111B is used.

  For example, in the definition state shown in FIG. 8, even if the operation is the same “copy file”, the value of the “confidentiality” attribute of the parent folder (srcFolder) of the copied file is “high”. In this case, the unit derivation rule list 112A is selected at the time of derivation of the primitive access, and in other cases (“other”), the unit derivation rule list 112B is selected.

  Similarly, the unit derivation rule list 112B of FIG. 8 includes two unit derivation rules having a role symbol of “copiedFile” in the object designating unit 112. In this way, the unit derivation rule list can include a plurality of unit derivation rules having the same role symbol in the object designating unit. In such a case, a plurality of primitive accesses related to one information resource involved in the access are derived from one compound access.

  Similarly, the unit derivation list 112B of FIG. 8 includes a unit derivation rule in which the related information resource definition unit 115 is blank, but such a configuration is also allowed. In this case, the primitive access derived from the unit derivation rule is treated as having no associated information resource, and authorization is determined. Similarly, in the unit derivation list 112B of FIG. 8, “srcFolder” which is one of three types of information resources defined in the composite access definition table as information resources related to the corresponding composite access “copyFile” is stored. There is no unit derivation rule for the information resource as a role that has this in the object specification section. As described above, it is not essential to derive a primitive access that uses the information resource as a direct object for all information resources involved in the compound access from a certain compound access.

  FIG. 9 shows a definition example of primitive access control rules used in this embodiment. A primitive access control rule is an access control rule used for granting individual primitive access derived by a primitive access derivation rule. The primitive access control rule includes an application target specifying unit 121 and a determination condition unit 122. The application target designating unit 121 designates the primitive access to which the primitive access derivation rule is applied by the primitive access type.

  The determination condition part 122 includes a conditional expression composed of three field values of the attribute designation part 123, the operator part 124, and the comparison value part 125, or such a conditional expression by a logical operator such as AND or OR. A complex conditional expression in which a plurality of bonds are connected by a certain connector 126 is described. The attribute designating unit 123 sets the parameter of the condition based on the combination of the character string 131 representing the subject and the attribute symbol 132 designating the attribute of the subject, or the character string 134 representing the object and the attribute of the object. It is specified by a set of attribute symbols 135 to be specified. Further, the comparison value portion 125 includes a value applied to the corresponding attribute specifying portion 123 and a value to be compared by the calculation method specified by the operator portion 124, either by the direct value 133 or the attribute specifying portion. In the same manner as in 123, a character string representing a subject or object is specified by a set 136 of an attribute symbol that specifies an attribute of the character string.

  As shown in FIG. 10, in addition to the object and subject, the attribute specifying unit 123 can also specify attributes of other information resources involved in the composite access that is the source of the primitive access. At this time, the information resource is designated as indicated by reference numerals 137 and 138 by the related information resource symbol 116 defined for the primitive access.

  Next, the access control operation in this embodiment will be described with reference to FIG.

  First, in the user terminal 2, the instruction unit 21 detects an access operation to an information resource such as a file or a folder by the user, and specifies an information resource and an access type related to the access (S01). Next, based on the specified information, in accordance with the definition on the composite access definition table managed by the file server 1, the composite access type symbol and the identifier (ID) for each information resource involved A combination of the role symbol of the information resource and the ID of the user who performed the operation, that is, the subject is formatted and transmitted to the file server 1 as an access request (S02). At the time of this transmission, the authenticated unit 25 and the authenticating unit 13 exchange messages as necessary to authenticate the user.

  Next, the file server 1 that has received such an access request searches the access control information management unit 14 based on the composite access type symbol included in the access request, and identifies the corresponding primitive access derivation rule. (S03). If the application target specifying unit of the primitive access derivation rule includes an application target condition specifying unit as shown in FIG. 8, the attribute of the information resource necessary for evaluating the condition is set as the file management unit 11. Get from and use.

  If the primitive access derivation rules to be applied can be identified, the unit derivation rule list included in the identified primitive access derivation rules is referred to generate only primitive accesses that are defined (S04). The generated primitive access subjects are all the subjects in the access request sent from the user terminal.

  For example, it is assumed that an access request “<copyFile”, (“copiedFile = id003”, “srcFolder = id002”, “destFolder = id010”), “subject-id001”> is transmitted. Referring to FIG. 7, three unit derivation rules are defined in the unit derivation rule list corresponding to the composite access type “copyFile”, and the following three primitive accesses are generated according to the respective derivation rules. Is done.

<“Copy”, “id00003”, (“oldParent = id002”, “newParent = id010”)>,
<“Copy_child”, “id00002”, (“cloneChild = id003”, “goTo = id010”)>,
<“Create_child”, “id00010”, (“comeFrom = id002”)>.

  The first element of each bracket is a symbol of the primitive access type, and the second element is an object ID in the primitive access. The third element is for each information resource other than an object related to the primitive access, a symbol indicating the relation of the information resource in the primitive access and the ID of the information resource is set by “=”. Are arranged in the number of related information resources.

  Next, an authorization decision is made for each of the three generated primitive accesses (S05). In the authorization of each primitive access, first, the access control information management unit 14 is searched based on the type of primitive access to be authorized, the access control rule to be applied is specified (S06), and the access to be applied. The attribute of the object or subject or related information resource that appears in the control rule is acquired from the file management unit 11 or the user attribute management device 3 (S07), and the acquired various attributes are applied to the access control rule and evaluated. The true / false value is obtained. If true is obtained, permission is granted, and if false, rejection is made (S08).

  The above processing is repeated for each generated primitive access. If there is a primitive access that is determined to be rejected, the requested complex access is determined to be rejected, so that the authorization determination for the remaining unevaluated primitive accesses is not performed.

  If the authorization determination for all primitive accesses is permitted, it is determined that the composite access from which the primitive access is derived is permitted, and an access request is sent from the authorization determining unit 12 to the file management unit 11. Then, the operation corresponding to the access request is executed (S09). Thereafter, the operation result corresponding to the operation is returned to the user terminal 2 (S10), and the process related to the access request is completed.

  If even one of the generated primitive accesses is denied, the complex access from which the primitive access is derived is rejected, and a response to that effect is returned to the user terminal 2 (S11), and the process related to the access request is terminated.

(Second embodiment)
Next, a second embodiment of the present invention will be described. This embodiment is substantially the same as the first embodiment described above, but the configuration direction of the access control information is different, and accompanying this, the file server 1 is disclosed to the user terminal 2. The access interface to the information resource is different.

  FIG. 12 shows a part of the definition contents of the composite access definition table used in this embodiment. The composite access table in this embodiment is the same as that in the first embodiment in terms of its meaning and configuration.

  However, the role symbol list 103A included in each record is greatly different in that only a part, not all, of information resources related to access of the access type is shown. Compared with the composite access definition table in the first embodiment, in the composite access definition table of the present embodiment, for example, in the record corresponding to the “copy file” operation, “the existing file to be replicated” is recorded. “SrcFolder” indicating “parent folder” does not exist.

  FIG. 13 shows a definition example of primitive access derivation rules used in this embodiment. The primitive access derivation rule in the present embodiment is similar to the primitive access derivation rule in the first embodiment in terms of its meaning and configuration.

  However, a method different from that of the first embodiment is permitted for the method of specifying the information resource in the object specifying unit 113 and the related information resource defining unit 115 constituting the unit derivation rule included in the unit derivation rule list 112. Yes. In the first embodiment, information resources are always specified by role symbols in complex access. In the second embodiment, role symbols 141 or 143 in complex access and information resources are A method of specifying an information resource in combination with a symbol 142 or 144 indicating a relationship in information resource management, that is, a relationship based on a parent-child relationship between information resources managed by the file management unit 11 is added. The information resource management relevance includes “parent” indicating a parent on the folder hierarchy, “child” indicating a child on the folder hierarchy, and “bros” indicating a resource in the same hierarchy.

  For example, “copyFile.parent” specified in the object specification unit 113 in the second record shown in FIG. 13 is the parent folder of the information resource specified in the role “copyFile” in the corresponding composite access “copyFile”. Point to.

  Such identification of information resources based on relevance is performed when generating primitive access (step S04).

  Specifically, when it is assumed that an access request <“copyFile”, (“copiedFile = id003”, “destFolder = id010”), “subject-id001”> is transmitted, referring to FIG. Since the parent folder ID of the information resource having “id003” as the ID specified in “copiedFile” is “id002”, the information resource “sales material” folder having “id002” as the ID is specified.

  By configuring the primitive access derivation rules in this way, information resources that can be uniquely identified from the relevance to other information resources in information resource management among the information resources involved in complex access are complex. It can be omitted from the access definition table, that is, the interface for accessing information resources.

It is a block diagram which shows the structure of the information system to which the access control method of one Embodiment of this invention is applied. It is a block diagram which shows the structure of a file server. It is a block diagram which shows the structure of a user terminal. It is a block diagram which shows the structure of a user attribute management apparatus. It is a figure which shows the mode of management of the information resource in a file management part. It is a figure which shows a part of specific example of a composite access definition table. It is a figure which shows the example of a definition of a primitive access derivation rule. It is a figure which shows another example of a definition of a primitive access derivation rule. It is a figure which shows the example of a definition of a primitive access control rule. It is a figure which shows another example of a definition of a primitive access control rule. It is a flowchart which shows operation | movement of access control. It is a figure which shows a part of specific example of the composite access definition table used in 2nd embodiment of this invention. It is a figure which shows the example of a definition of the primitive access derivation rule used in 2nd embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 File server 2 User terminal 3 User attribute management apparatus 4 Communication network 10, 20, 30 Transmission / reception part 11 File management part 12 Authorization judgment part 13 Authentication part 14 Access control information management part 15 Attribute acquisition part 16, 32 Maintenance part DESCRIPTION OF SYMBOLS 21 Instruction part 22 Memory | storage part 23 Display part 24 Processing part 25 Authentication part 31 User attribute storage part 101 Composite access classification symbol 102 Description of access classification 103 Role symbol list 104 Role symbol 105 Description of role 111 Applied object designation | designated part 112 Unit derivation rule list 113 Object designation part 114 Primitive access type symbol 115 Related information resource definition part 116 Related information resource symbol 117 Related information resource designation part 121 Application target designation part 122 Judgment condition part 123 Attribute designation part 124 Operator part 125 Ratio Value unit 126 connector

Claims (10)

A method for authorizing a composite access request when a composite access request involving a plurality of information resources is received from a subject,
With the requested complex access as the first access, from the first access, depending on the access type of the first access, one of a plurality of information resources involved in the first access is defined as an object. A primitive access generation step for generating one or more second accesses to:
Primitive access type determination that sets each access type of the generated second access according to the role of the second access object in the first access and the access type of the first access Steps,
Approval based on an access control rule corresponding to the second access for each of one or a plurality of second accesses generated by the primitive access generation step and whose access type is set by the primitive access type determination step A primitive access authorization step to make the decision;
In accordance with the result of the authorization determination in the primitive access authorization step, the overall authorization step for performing the authorization determination of the requested complex access,
A composite access authorization method. Attributes are associated with the subject and / or the information resource,
The access control rule is a conditional expression that optionally includes a subject attribute or an object attribute as a parameter,
The primitive access authorization step performs authorization judgment of the second access by applying the attribute of the object or subject of the second access to be authorized and evaluating the access control rule. The described complex access authorization method. The access control rule includes, as a parameter, a related information resource that is an information resource other than the object of the second access among information resources involved in the first access that is a generation source of the corresponding second access. Further including attributes,
3. The composite access according to claim 2, wherein the primitive access authorization step performs authorization judgment of the second access by further applying an attribute of one or more related information resources and evaluating the access control rule. Access authorization method.   The composite access authorization method according to claim 3, wherein the attribute of the related information resource in the access control rule is indicated by using a relation to the related information resource from a corresponding second access object. In the primitive access generation step, a second access is generated according to an attribute of an arbitrary information resource involved in the first access that is the generation source,
5. The primitive access type determination step, wherein each access type of the second access is set according to an attribute of an arbitrary information resource involved in the first access that is a generation source. The composite access authorization method according to any one of the preceding claims.   6. The primitive access authorization step includes a step of determining an access control rule to be used according to an access type of a second access to be authorized and / or an attribute of an object of the second access. The composite access authorization method according to any one of the above.   7. The composite access according to any one of claims 1 to 6, wherein the primitive access authorization step includes a step of determining an access control rule to be used according to an administrator of a second access object to be authorized. Access authorization method.   The compound access according to any one of claims 1 to 7, wherein the primitive access authorization step includes a step of determining an access control rule to be used according to an attribute of a subject of a second access to be authorized. Authorization method.   Identify information resources that do not include identification information in the access request among the information resources involved in the complex access based on the relationship between the information resources and other information resources that include the identification information in the access request. The composite access authorization method according to any one of claims 1 to 8. A composite access authorization device that authorizes a composite access request when a composite access request involving a plurality of information resources is received from a subject,
An information management means for holding a composite access definition table showing a relationship with all information resources involved in the composite access for each type of composite access, and an access control rule used for authorization of primitive access;
With the requested complex access as the first access, referring to the complex access definition table, the first access is involved in the first access according to the access type of the first access. One or a plurality of primitive accesses using any one of a plurality of information resources as an object is generated, and each access type of the generated primitive access is set as a role in the first access of the object of the primitive access. And the access type of the first access, and for each of one or more primitive accesses generated and set with the access type, an authorization decision is made based on the access control rule, and the authorization An authorization determination means for performing an authorization determination of the requested complex access according to a determination result; and
A complex access authorization device.

Images