JP2007172154A - Access control device, access control method and access control program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To perform access control according to various conditions even if the same user belongs to a plurality of groups in acces control to data while facilitating setting therefor. <P>SOLUTION: In the access control device 100, a first storage part 109 stores user information showing a group each user belongs to in group type basis and in user basis, and a second storage part 110 data information showing a group to which access to each data is permitted in group type basis and in data basis. A comparison part 107 compares user information of a user who requests access with data information of data for which the access is requested in group kind basis, and a determination part 108 determines the propriety of the access based on the group type-based comparison result. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an access control device, an access control method, and an access control program.

When setting the access right for a document file, a method for inputting the scope of the target person to whom the access right is set as a group to which the target person belongs, such as “manager” or “technical staff”. There is. Target groups may be grouped based on different criteria, for example, “Management” or “General employees” grouped by job level, and “Technology” grouped by job type. Groups such as “in charge” or “sales representative” may coexist as a group. By storing the priority order between overlapping target person groups as priority information, even if the same target person belongs to a plurality of groups, the access right can be set without contradiction. For example, if the access right setting condition set for “Technical Manager” and the access right setting condition set for “General Employee” overlap, refer to the priority information, For the target person who is “general employee”, the setting of enabling the access right set for the “technical staff” is possible (for example, see Patent Document 1). In addition, by setting access rights for combinations of target person groups that overlap each other, if the same target person belongs to a plurality of groups, the access right can also be set by the combination of groups to which the target person belongs. . For example, access rights are set for a combination of “technical staff” and “manager”, and the corresponding document file is accessed only by those who are “technical staff” and who are “managers”. Settings such as permission are possible.
JP 2005-55998 A

  Conventionally, when controlling access to data such as a document file, if the same user belongs to a plurality of groups, the access right set for one group must be selected. There was a problem that access control could not be performed together. In addition, the access rights set for a combination of multiple groups could be applied. However, if access control is performed according to various conditions, the combination of groups becomes complicated, making the setting complicated and difficult. There was a problem of becoming.

  It is an object of the present invention to control access according to various conditions and facilitate settings for controlling the access to data even when the same user belongs to a plurality of groups. To do.

An access control apparatus according to the present invention
In an access control device for controlling access to data by a user using a computer having an input device, a storage device, and a processing device,
Among a plurality of groups set based on the same setting standard among a plurality of setting standards, user information indicating a group to which each user of a plurality of users belongs is based on any setting standard among the plurality of setting standards. A first storage unit that stores in the storage device for each group type and each user indicating
A second storage unit that stores data information indicating a group that allows access to each piece of data among a plurality of groups of the same group type in the storage device for each group type and each data;
An input unit for inputting a request for access to data by a user through the input device;
In response to the access request input by the input device, the user information of the user who requested the access and the data information of the data requested to be accessed are read from the storage device for each group type, and the read user information A comparison unit that compares the data information with the processing device for each group type;
And a determination unit that determines whether the access is permitted or not based on a comparison result for each group type by the processing device.

  The group type includes a basic structure in which each group of a plurality of groups is set independently and an authority type in which each group is set to have a one-to-one correspondence with a level of access authority and a plurality of groups form a tree structure As described above, at least two of the three types of hierarchical groups in which each group is set are included.

The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control device
A designation unit for designating the authority type group to which the user belongs by the input device;
Along with the authority type group specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups corresponding to the access authority level lower than the group as the group to which the user belongs, And a setting unit for writing the set user information to the storage device.

The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control device
A designation unit for designating a group of authority types that allow access to data by the input device;
Along with the authority type group specified by the input device, the processing apparatus displays the data information of the data so as to indicate all groups corresponding to a higher access authority level than the group as a group permitting access to the data. And a setting unit for writing the set data information to the storage device.

The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control device
A designation unit for designating a group of a hierarchical type to which a user belongs by the input device;
Along with the group of the hierarchy type specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups to which the group belongs in the hierarchy higher than the group as the group to which the user belongs, And a setting unit for writing the set user information to the storage device.

The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control device
A designation unit that designates a group of a hierarchical type that allows access to data by the input device;
In addition to the group of the hierarchy type specified by the input device, the data information of the data is indicated in the processing device so as to indicate all groups belonging to the group in a hierarchy lower than the group as a group that permits access to the data. And a setting unit for writing the set data information to the storage device.

The user information is a bit string indicating whether or not a user belongs to the group by the value of a bit at a predetermined position for each group,
The data information is a bit string indicating whether or not access to the data of the group is permitted by the value of a bit at a predetermined position for each group,
The comparison unit performs a logical operation on the read user information and data information by the processing device for each group type,
The determination unit is configured to determine, by the processing device, whether the access is permitted based on a logical operation result for each group type by the processing device.

The user information is a bit string indicating that the user belongs to the group when the bit at a predetermined position for each group is 1, and indicates that the user does not belong to the group when the bit is 0. ,
The data information indicates that access to the data of the group is permitted when the bit at a predetermined position for each group is 1, and access to the data of the group is permitted when the bit is 0. A bit string indicating that
The comparison unit calculates a logical product of the read user information and data information by the processing device for each group type, and calculates a logical sum of all bits included in the calculation result by the processing device for each group type. And
The determination unit calculates a logical product of logical OR calculation results for each group type by the processing device, and determines that the access is permitted when the calculation result is 1, and the calculation result is In the case of 0, it is judged that the access is denied.

Moreover, the access control method according to the present invention includes:
In an access control method for controlling access to data by a user using a computer having an input device, a storage device, and a processing device,
Among a plurality of groups set based on the same setting standard among a plurality of setting standards, user information indicating a group to which each user of a plurality of users belongs is based on any setting standard among the plurality of setting standards. A first storage step of storing in the storage device for each group type and each user indicating whether
A second storage step of storing, in the storage device for each group type and each data, data information indicating a group that allows access to each of a plurality of data among a plurality of groups of the same group type;
An input step of inputting a data access request by a user through the input device;
In response to the access request input by the input device, the user information of the user who requested the access and the data information of the data requested to be accessed are read from the storage device for each group type, and the read user information A comparison step in which the processing device compares data information for each group type;
And a determination step of determining, by the processing device, whether the access is permitted based on a comparison result for each group type by the processing device.

  The group type includes a basic structure in which each group of a plurality of groups is set independently and an authority type in which each group is set to have a one-to-one correspondence with a level of access authority and a plurality of groups form a tree structure As described above, at least two of the three types of hierarchical groups in which each group is set are included.

The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control method includes:
A designation step for designating a group of authority types to which the user belongs by the input device;
Along with the authority type group specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups corresponding to the access authority level lower than the group as the group to which the user belongs, A setting step of writing the set user information to the storage device.

The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control method includes:
A designation step of designating a group of authority types that allow access to data by the input device;
Along with the authority type group specified by the input device, the processing apparatus displays the data information of the data so as to indicate all groups corresponding to a higher access authority level than the group as a group permitting access to the data. And a setting step of writing the set data information to the storage device.

The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control method includes:
A designation step for designating a hierarchical type group to which the user belongs by the input device;
Along with the group of the hierarchy type specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups to which the group belongs in the hierarchy higher than the group as the group to which the user belongs, A setting step of writing the set user information to the storage device.

The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control method includes:
A designation step for designating a hierarchical type group that allows access to data by the input device;
In addition to the group of the hierarchy type specified by the input device, the data information of the data is indicated in the processing device so as to indicate all groups belonging to the group in a hierarchy lower than the group as a group that permits access to the data. And a setting step of writing the set data information to the storage device.

The user information is a bit string indicating whether or not a user belongs to the group by the value of a bit at a predetermined position for each group,
The data information is a bit string indicating whether or not access to the data of the group is permitted by the value of a bit at a predetermined position for each group,
The comparison step performs logical operation on the read user information and data information by the processing device for each group type,
In the determining step, the processing device determines whether the access is permitted or not based on a logical operation result for each group type by the processing device.

The user information is a bit string indicating that the user belongs to the group when the bit at a predetermined position for each group is 1, and indicates that the user does not belong to the group when the bit is 0. ,
The data information indicates that access to the data of the group is permitted when the bit at a predetermined position for each group is 1, and access to the data of the group is permitted when the bit is 0. A bit string indicating that
The comparison step calculates a logical product of the read user information and data information by the processing device for each group type, and calculates a logical sum of all bits included in the calculation result by the processing device for each group type. And
In the determination step, the processing device calculates a logical product of logical sum operation results for each group type by the processing device, and determines that the access is permitted when the calculation result is 1, and the calculation result is In the case of 0, it is judged that the access is denied.

The access control program according to the present invention is
In an access control program that is executed by a computer having an input device, a storage device, and a processing device to control access to data by a user,
Among a plurality of groups set based on the same setting standard among a plurality of setting standards, user information indicating a group to which each user of a plurality of users belongs is based on any setting standard among the plurality of setting standards. A first storage process for storing in the storage device for each group type and each user indicating
A second storage process for storing, in the storage device, data information indicating a group that allows access to each data of a plurality of data among a plurality of groups of the same group type;
An input process for inputting a data access request by a user through the input device;
In response to the access request input by the input device, the user information of the user who requested the access and the data information of the data requested to be accessed are read from the storage device for each group type, and the read user information Comparison processing for comparing data information for each group type by the processing device;
Based on a comparison result for each group type by the processing device, the computer is caused to execute determination processing for determining whether the access is permitted or not by the processing device.

  The group type includes a basic structure in which each group of a plurality of groups is set independently and an authority type in which each group is set to have a one-to-one correspondence with a level of access authority and a plurality of groups form a tree structure As described above, at least two of the three types of hierarchical groups in which each group is set are included.

The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control program is
A designation process for designating the authority type group to which the user belongs by the input device;
Along with the authority type group specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups corresponding to the access authority level lower than the group as the group to which the user belongs, A setting process for writing the set user information to the storage device is executed by a computer.

The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control program is
A designation process for designating a group of authority types permitted to access data by the input device;
Along with the authority type group specified by the input device, the processing apparatus displays the data information of the data so as to indicate all groups corresponding to a higher access authority level than the group as a group permitting access to the data. And setting processing for writing the set data information to the storage device is executed by the computer.

The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control program is
A designation process for designating a hierarchical type group to which the user belongs by the input device;
Along with the group of the hierarchy type specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups to which the group belongs in the hierarchy higher than the group as the group to which the user belongs, A setting process for writing the set user information to the storage device is executed by a computer.

The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control program is
A designation process for designating a hierarchical type group that permits access to data by the input device;
In addition to the group of the hierarchy type specified by the input device, the data information of the data is indicated in the processing device so as to indicate all groups belonging to the group in a hierarchy lower than the group as a group that permits access to the data. And setting processing for writing the set data information to the storage device is executed by the computer.

The user information is a bit string indicating whether or not a user belongs to the group by the value of a bit at a predetermined position for each group,
The data information is a bit string indicating whether or not access to the data of the group is permitted by the value of a bit at a predetermined position for each group,
In the comparison process, the read user information and data information are logically operated by the processing device for each group type,
The determination process is characterized in that the processing device determines whether the access is permitted or not based on a logical operation result for each group type by the processing device.

The user information is a bit string indicating that the user belongs to the group when the bit at a predetermined position for each group is 1, and indicates that the user does not belong to the group when the bit is 0. ,
The data information indicates that access to the data of the group is permitted when the bit at a predetermined position for each group is 1, and access to the data of the group is permitted when the bit is 0. A bit string indicating that
In the comparison process, a logical product of the read user information and data information is calculated by the processing device for each group type, and a logical sum of all bits included in the calculation result is calculated by the processing device for each group type. And
In the determination processing, the processing device calculates a logical product of logical sum operation results for each group type by the processing device, and determines that the access is permitted when the calculation result is 1, and the calculation result is In the case of 0, it is judged that the access is denied.

The access control apparatus according to the present invention is
In an access control device for controlling access to data by a user using a computer having a storage device and a processing device,
Among a plurality of groups set based on the same setting standard among a plurality of setting standards, user information indicating a group to which each user of a plurality of users belongs is based on any setting standard among the plurality of setting standards. A first storage unit that stores in the storage device for each group type and each user indicating
A second storage unit that stores data information indicating a group that allows access to each piece of data among a plurality of groups of the same group type in the storage device for each group type and each data;
In response to a user access request for data, the user information of the user who requested the access and the data information of the data requested to be accessed are read from the storage device for each group type, and the read user information and data information Comparing unit for each group type by the processing device,
And a determination unit that determines whether the access is permitted or not based on a comparison result for each group type by the processing device.

Moreover, the access control method according to the present invention includes:
In an access control method for controlling access to data by a user using a computer having a storage device and a processing device,
Among a plurality of groups set based on the same setting standard among a plurality of setting standards, user information indicating a group to which each user of a plurality of users belongs is based on any setting standard among the plurality of setting standards. A first storage step of storing in the storage device for each group type and each user indicating whether
A second storage step of storing, in the storage device for each group type and each data, data information indicating a group that allows access to each data of a plurality of data among a plurality of groups of the same group type;
In response to a user access request for data, the user information of the user who requested the access and the data information of the data requested to be accessed are read from the storage device for each group type, and the read user information and data information Comparing step for each group type by the processing device,
And a determination step of determining, by the processing device, whether the access is permitted based on a comparison result for each group type by the processing device.

The access control program according to the present invention is
In an access control program that is executed by a computer having a storage device and a processing device to control access to data by a user,
Among a plurality of groups set based on the same setting standard among a plurality of setting standards, user information indicating a group to which each user of a plurality of users belongs is based on any setting standard among the plurality of setting standards. A first storage process for storing in the storage device for each group type and each user indicating
A second storage process for storing, in the storage device, data information indicating a group that allows access to each data of a plurality of data among a plurality of groups of the same group type;
In response to a user access request for data, the user information of the user who requested the access and the data information of the data requested to be accessed are read from the storage device for each group type, and the read user information and data information And comparison processing for each group type by the processing device,
Based on a comparison result for each group type by the processing device, the computer is caused to execute determination processing for determining whether the access is permitted or not by the processing device.

  In the present invention, the comparison unit included in the access control device, in response to the access request input by the input device, sets the user information of the user who requested the access and the data information of the data requested to be accessed for each group type. The user information and data information read from the storage device are compared by the processing device for each group type, and the determination unit provided in the access control device determines whether the access is based on the comparison result for each group type by the processing device. Judgment is made by the processing device, when controlling access to data, even if the same user belongs to multiple groups, access control can be performed according to various conditions, and settings for that can be done easily It becomes possible to.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

Embodiment 1 FIG.
FIG. 1 is a block diagram showing the configuration of the access control apparatus according to the present embodiment.

  In the present embodiment, the access control apparatus 100 includes an input device 101, a storage device 102, and a processing device 103, and includes a designation unit 104, a setting unit 105, an input unit 106, a comparison unit 107, and a determination unit 108. The storage device 102 includes a first storage unit 109 and a second storage unit 110. The operation (processing) of each unit will be described later.

  FIG. 2 is a diagram illustrating an example of the appearance of the access control apparatus 100.

  2, the access control device 100 includes a system unit 910, a CRT (Cathode Ray Tube) display device 901, a keyboard (K / B) 902, a mouse 903, a compact disc device (CDD) 905, and a printer device 906. Are connected by a cable. Further, the access control apparatus 100 is connected to the Internet 940 via a local area network (LAN) 942 and a gateway 941.

  FIG. 3 is a diagram illustrating an example of a hardware configuration of the access control apparatus 100.

  FIG. 3 is a diagram illustrating an example of a hardware configuration of the access control apparatus according to the present embodiment.

  In FIG. 3, the access control device 100 includes a CPU (Central Processing Unit) 911 that executes a program. The CPU 911 includes a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, a CRT display device 901, a K / B 902, a mouse 903, a FDD (Flexible Disk Drive) 904, and a bus 912. A device 920, a CDD 905, and a printer device 906 are connected.

  The RAM 914 is an example of a volatile memory. The ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are examples of nonvolatile memories. These are examples of the storage device 102.

  The communication board 915 is connected to the LAN 942 or the like. The communication board 915 is an example of the input device 101 or the output device.

  For example, K / B 902 and FDD 904 are examples of the input device 101. For example, the CRT display device 901 is an example of an output device.

  Here, the communication board 915 is not limited to the LAN 942 but may be directly connected to the Internet 940 or a WAN (Wide Area Network) such as ISDN (Integrated Services Digital Network). When directly connected to a WAN such as the Internet 940 or ISDN, the access control apparatus 100 is connected to a WAN such as the Internet 940 or ISDN, and the gateway 941 is not necessary.

  The magnetic disk device 920 stores an operating system (OS) 921, a window system 922, a program group 923, and a file group 924. The program group 923 is executed by the CPU 911, the OS 921, and the window system 922.

  The program group 923 stores a program for executing a function described as “˜unit” in the description of the present embodiment. The program is read and executed by the CPU 911.

  For example, the CPU 911 is an example of the processing device 103.

  In the file group 924, what is described as “˜data”, “˜information”, and “˜result” in the description of the present embodiment is stored as a file or a part thereof.

  In addition, the arrow portion of the flowchart described in the description of the present embodiment mainly indicates input / output of data, and for the input / output of the data, the data is a magnetic disk device 920, an FD (Flexible Disk), an optical disk, a CD. (Compact Disc), MD (Mini Disc), DVD (Digital Versatile Disk) and other recording media. Alternatively, it is transmitted through a signal line or other transmission medium.

  In addition, what is described as “˜unit” in the description of the present embodiment may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented by software alone, hardware alone, a combination of software and hardware, or a combination of firmware.

  Further, the program for carrying out the present embodiment may be stored using a recording device using other recording media such as the magnetic disk device 920, FD, optical disk, CD, MD, and DVD.

  Hereinafter, an example of the operation of the access control apparatus 100 (access control method, access control program processing procedure) will be described with reference to a flowchart. In the following example, the access control apparatus 100 controls access to the data A by the user A. For this purpose, the access control apparatus 100 sets, as user information, which group (also referred to as a role) user A belongs to each of the three types of groups (also referred to as categories), and which access to data A Whether to allow users belonging to the group is set as data information. Here, it is assumed that each group is set (grouped) based on one of three types of setting criteria. The group type indicates which setting criterion among the three types of setting criteria is set for each group. That is, in the following example, a group is classified into one of three types of groups. In the following example, it is assumed that there are three types of groups (setting criteria), but for convenience, only two types may be used in the description. The present embodiment can also be applied when there are one, two, or four or more group types.

  In the following, basic types, authority types, and hierarchical types will be exemplified as the three types of groups. Each basic type group is set independently. For example, when the “X project” group, the “Y project” group, and the “Z project” group are set, if the user A is in charge of the X project and the Z project, the user A is “X project”. User information can be set so as to belong to the “Z project” group. Each authority type group is set so as to correspond to the level of access authority on a one-to-one basis. For example, when a “confidential” group and a “secret” group with lower authority are set, if the user A has access authority to the confidential information, the user A belongs to the “confidential” group. User information can be set in Each of the hierarchical type groups is set so that a plurality of groups form a tree structure (hierarchical organization structure). For example, if the “1 Section” group, the “1 Section” group, and the “2 Section” group, which are subordinate to it, are set, if the user A belongs to the 1 section, the user A will be “1 Section”. User information can be set so as to belong to the group.

  FIG. 4 is a flowchart showing the operation of the access control apparatus 100 when setting user information of user A and data information of data A for the basic type group.

The designation unit 104 designates the basic type group X ₁ to which the user A belongs (for example, “X project” group or “Z project” group) by the input device 101 (step S1101: designation step (processing)). Setting unit 105, to indicate a group X ₁ as specified by the input device 101 as a group by the user A belongs, set by the processing device 103 the user information of the user A (step S1102), the storage device user information set 102 (step S1103) (steps S1102 to S1103: setting step (process)). The first storage unit 109 stores the user information of the user A regarding the basic type group in the storage device 102 (step S1104: first storage step (process)).

The designation unit 104 designates a basic type group Y ₁ (for example, an “X project” group or a “Z project” group) that permits access to the data A by using the input device 101 (step S1105: designation step ( processing)). Setting unit 105, to indicate a group Y ₁ designated by the input device 101 as a group to allow access to the data A, and set by the processing device 103 the data information of the data A (step S1106), the set data Information is written in the storage device 102 (step S1107) (steps S1106 to S1107: setting steps (processing)). The second storage unit 110 stores the data information of the data A for the basic type group in the storage device 102 (step S1108: second storage step (process)).

  FIG. 5 is a flowchart showing the operation of the access control apparatus 100 when setting the user information of user A and the data information of data A for the authority type group.

The designation unit 104 designates the authority type group X ₂ (for example, “confidential” group) to which the user A belongs by using the input device 101 (step S1201: designation step (process)). Setting unit 105, to indicate a group X ₂ which is designated by the input device 101 as a group by the user A belongs, set by the processing device 103 the user information of the user A (step S1202), the storage device user information set 102 (step S1203) (steps S1202 to S1203: setting step (process)). The first storage unit 109 stores the user information of the user A regarding the authority type group in the storage device 102 (step S1204: first storage step (process)).

The designation unit 104 designates the authority type group Y ₂ (for example, the “secret” group described above) that permits access to the data A using the input device 101 (step S1205: designation step (process)). Setting unit 105, to indicate the group _{Y 2} designated by the input device 101 as a group to allow access to data A, is set by the processor 103 the data information of the data A (step S1206). Further, the setting unit 105 indicates the data information of the data A so as to indicate all the groups (for example, the “confidential” group) corresponding to the higher access authority level than the group Y ₂ as a group permitting access to the data A. Is set by the processing device 103 (step S1207). Then, the setting unit 105 writes the set data information in the storage device 102 (step S1208) (steps S1206 to S1208: setting steps (processing)). The second storage unit 110 stores the data information of the data A for the authority type group in the storage device 102 (step S1209: second storage step (process)).

  As described above, in this embodiment, setting of appropriate access rights for data is automatically performed only by designating which level of access authority to allow access to the data. . For example, as shown in FIG. 6A, when a group of “confidential”, “confidential”, “secret”, and “caution” is set in order from the top of the access authority level as the authority type group. To do. If a piece of data is “secret” level information, that data must be accessible not only to users with “secret” level access rights, but also to users with higher “secret” and “secret” level access rights. I must. At this time, if only the “secret” group is specified as the group that permits access to the data, the “confidential” and “confidential” groups are automatically allowed access as shown in FIG. Set as the group to be. As a result, even if the user belonging to the “secret” or “confidential” group is not set to belong to the “secret” group, the user can access the data.

  FIG. 7 is a flowchart showing the operation of the access control apparatus 100 when setting user information of user A and data information of data A for a hierarchical type group.

The designation unit 104 designates the hierarchical type group X ₃ (for example, “group 1” group) to which the user A belongs by using the input device 101 (step S1301: designation step (processing)). Setting unit 105, to indicate the group X ₃ designated by the input device 101 as a group by the user A belongs, set by the processing device 103 the user information of the user A (step S1302), the storage device user information set 102 (step S1303) (steps S1302 to S1303: setting step (process)). The first storage unit 109 stores the user information of the user A regarding the hierarchical type group in the storage device 102 (step S1304: first storage step (process)).

The designation unit 104 designates a hierarchical type group Y ₃ (for example, “Group 1” group) that permits access to the data A using the input device 101 (step S1305: step (process)). Setting unit 105, as shown a group _{Y 3} designated by the input device 101 as a group to allow access to data A, is set by the processor 103 the data information of the data A (step S1306). Furthermore, the setting unit 105 has a group belonging to the group Y _{3 in} a lower hierarchy than the group Y ₃ (for example, the “1 section” group or the “2 section” group as the parent of the “1 section” group). The data information of the data A is set by the processing device 103 so as to indicate all the child groups as a group permitting access to the data A (step S1307). Then, the setting unit 105 writes the set data information in the storage device 102 (step S1308) (steps S1306 to S1308: setting steps (processing)). The second storage unit 110 stores the data information of the data A for the hierarchical type group in the storage device 102 (step S1309: second storage step (process)).

  In this way, in this embodiment, it is only necessary to specify which group (for example, a department of an organization such as a company) in any hierarchy of the tree structure is allowed to access data. Appropriate access rights for data are automatically set. For example, as shown in FIG. 8A, as a hierarchical type group, a group “1”, a group “1”, which is a child group of the group “1”, a group “1” It is assumed that groups “1” and “2” are set as child groups of “”. Assuming that certain data is information that should be disclosed only to “1st section”, all users belonging to “1st section” must be able to access the data. At this time, if only the “Group 1” group is designated as a group that permits access to the data, the “Group 1” group and the “Group 2” group are automatically set as shown in FIG. It is set as a group that allows access. As a result, a user belonging to the “1” or “2” group can access the data without setting that the user belongs to the “1 Section” group. Become.

  FIG. 9 is a flowchart showing the operation of the access control apparatus 100 when the user A requests access to the data A.

  The input unit 106 inputs an access request to the data A by the user A using the input device 101 (step S1401: input step (process)) (the access request to the data A by the user A is stored in the storage device 102 in advance. The comparison unit 107 may read this access request from the storage device 102). The comparison unit 107 responds to the access request input from the input device 101 (when the comparison unit 107 reads the access request from the storage device 102, according to the access request read from the storage device 102), the basic type, The user information of user A and the data information of data A for each group of authority type and hierarchy type are read from the storage device 102 (step S1402), and the user information about each group of the read basic type, authority type, and hierarchy type And the data information are compared by the processing device 103 (step S1403) (steps S1402 to S1403: comparison step (processing)). Based on the comparison result by the processing device 103, the determination unit 108 determines whether or not the user A is permitted to access the data A by the processing device 103 (step S1404: determination step (processing)).

  For example, as shown in FIG. 10, there are three levels of “privacy”, “confidential”, and “secret” in order from the top as access authority levels, and “1” belonging to “1” and “1” as departments It is assumed that there are “section 1” and “section 2” belonging to “section”, “section 2”, and “section 1”, and “X project”, “Y project”, and “Z project” as projects. The data information is set so that only a user who has an access authority of “secret” level or higher, belongs to “1 person”, and is in charge of “X project” or “Z project” can access data A. Is set. Further, the user A belongs to the “confidential” group in the authority type group, the “one person” group in the hierarchical type group, and the “X project” and “Z project” groups in the basic type group. It is assumed that user information is set as described above. For user B, the user information is set so that it belongs to the “confidential” group in the authority type group, the “one person” group in the hierarchical type group, and the “Z project” group in the basic type group. Suppose that For user C, user information is set so that it belongs to the “secret” group in the authority type group, the “two-member” group in the hierarchical type group, and the “Y project” group in the basic type group. Suppose that

  In such a case, according to the conventional method, the condition for controlling the access to the data A is (“confidential” OR “confidential” OR “secret”) AND “one” AND (“X project” OR “Z project”. ) Had to be set in a complicated format. In addition, the conditions for controlling access to the user A must be set in a complicated format such as “confidential” AND “1” AND (“X project” OR “Z project”). On the other hand, in the present embodiment, it is possible to control access to the data A of each user with the simple setting as described above. For example, first, the user information and the data information for the authority type group are compared, and if the user does not belong to the authority type group permitted to access the data A, the user's access is denied. Can be determined immediately. Next, the user information and the data information for the hierarchical type group are compared, and if the user does not belong to the hierarchical type group permitted to access the data A, the user (in this example, the user C ) To immediately deny access. Finally, the user information and data information for the basic type group are compared. If the user does not belong to the basic type group permitted to access the data A, the user (in this example, the user B) is compared. ) To deny access.

As described above, the access control apparatus according to the present embodiment is
In an access control device for controlling access to data by a user using a computer having an input device, a storage device, and a processing device,
Among a plurality of groups set based on the same setting standard among a plurality of setting standards, user information indicating a group to which each user of a plurality of users belongs is based on any setting standard among the plurality of setting standards. A first storage unit that stores in the storage device for each group type and each user indicating
A second storage unit that stores data information indicating a group that allows access to each piece of data among a plurality of groups of the same group type in the storage device for each group type and each data;
An input unit for inputting a request for access to data by a user through the input device;
In response to the access request input by the input device, the user information of the user who requested the access and the data information of the data requested to be accessed are read from the storage device for each group type, and the read user information A comparison unit that compares the data information with the processing device for each group type;
And a determination unit that determines whether the access is permitted or not based on a comparison result for each group type by the processing device.

  With such a feature, when controlling access to data, even when the same user belongs to a plurality of groups, it is possible to perform access control according to various conditions and to facilitate the setting. It becomes possible.

  The group type includes a basic structure in which each group of a plurality of groups is set independently and an authority type in which each group is set to have a one-to-one correspondence with a level of access authority and a plurality of groups form a tree structure As described above, at least two of the three types of hierarchical groups in which each group is set are included.

  Due to these characteristics, when controlling access to data, for example, a group in which the same user is set for each project in charge, a group set for each access authority level, a group set for each department, , It is possible to control access according to various conditions such as which project each user is in charge of, which level of access authority, and which department.

The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control device
A designation unit for designating a group of authority types that allow access to data by the input device;
Along with the authority type group specified by the input device, the processing apparatus displays the data information of the data so as to indicate all groups corresponding to a higher access authority level than the group as a group permitting access to the data. And a setting unit for writing the set data information to the storage device.

  With such a feature, when controlling access to data, for example, when the same user belongs to a group set for each access authority level and a group set based on other setting criteria, It is possible to facilitate setting for control.

The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control device
A designation unit that designates a group of a hierarchical type that allows access to data by the input device;
In addition to the group of the hierarchy type specified by the input device, the data information of the data is indicated in the processing device so as to indicate all groups belonging to the group in a hierarchy lower than the group as a group that permits access to the data. And a setting unit for writing the set data information to the storage device.

  Due to such a feature, when controlling access to data, for example, when the same user belongs to a group set for each department and a group set based on other setting criteria, access control is performed. It is possible to facilitate the setting for doing so.

In addition, the access control method according to the present embodiment is
In an access control method for controlling access to data by a user using a computer having an input device, a storage device, and a processing device,
Among a plurality of groups set based on the same setting standard among a plurality of setting standards, user information indicating a group to which each user of a plurality of users belongs is based on any setting standard among the plurality of setting standards. A first storage step of storing in the storage device for each group type and each user indicating whether
A second storage step of storing, in the storage device for each group type and each data, data information indicating a group that allows access to each data of a plurality of data among a plurality of groups of the same group type;
An input step of inputting a data access request by a user through the input device;
In response to the access request input by the input device, the user information of the user who requested the access and the data information of the data requested to be accessed are read from the storage device for each group type, and the read user information A comparison step in which the processing device compares data information for each group type;
And a determination step of determining, by the processing device, whether the access is permitted based on a comparison result for each group type by the processing device.

  With such a feature, when controlling access to data, even when the same user belongs to a plurality of groups, it is possible to perform access control according to various conditions and to facilitate the setting. It becomes possible.

  The group type includes a basic structure in which each group of a plurality of groups is set independently and an authority type in which each group is set to have a one-to-one correspondence with a level of access authority and a plurality of groups form a tree structure As described above, at least two of the three types of hierarchical groups in which each group is set are included.

  Due to these characteristics, when controlling access to data, for example, a group in which the same user is set for each project in charge, a group set for each access authority level, a group set for each department, , It is possible to control access according to various conditions such as which project each user is in charge of, which level of access authority, and which department.

The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control method includes:
A designation step of designating a group of authority types that allow access to data by the input device;
Along with the authority type group specified by the input device, the processing apparatus displays the data information of the data so as to indicate all groups corresponding to a higher access authority level than the group as a group permitting access to the data. And a setting step of writing the set data information to the storage device.

  With such a feature, when controlling access to data, for example, when the same user belongs to a group set for each access authority level and a group set based on other setting criteria, It is possible to facilitate setting for control.

The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control method includes:
A designation step for designating a hierarchical type group that allows access to data by the input device;
In addition to the group of the hierarchy type specified by the input device, the data information of the data is indicated in the processing device so as to indicate all groups belonging to the group in a hierarchy lower than the group as a group that permits access to the data. And a setting step of writing the set data information to the storage device.

  Due to such a feature, when controlling access to data, for example, when the same user belongs to a group set for each department and a group set based on other setting criteria, access control is performed. It is possible to facilitate the setting for doing so.

The access control program according to the present embodiment is
In an access control program that is executed by a computer having an input device, a storage device, and a processing device to control access to data by a user,
Among a plurality of groups set based on the same setting standard among a plurality of setting standards, user information indicating a group to which each user of a plurality of users belongs is based on any setting standard among the plurality of setting standards. A first storage process for storing in the storage device for each group type and each user indicating
A second storage process for storing, in the storage device, data information indicating a group that allows access to each data of a plurality of data among a plurality of groups of the same group type;
An input process for inputting a data access request by a user through the input device;
In response to the access request input by the input device, the user information of the user who requested the access and the data information of the data requested to be accessed are read from the storage device for each group type, and the read user information Comparison processing for comparing data information for each group type by the processing device;
Based on a comparison result for each group type by the processing device, the computer is caused to execute determination processing for determining whether the access is permitted or not by the processing device.

  With such a feature, when controlling access to data, even when the same user belongs to a plurality of groups, it is possible to perform access control according to various conditions and to facilitate the setting. It becomes possible.

  The group type includes a basic structure in which each group of a plurality of groups is set independently and an authority type in which each group is set to have a one-to-one correspondence with a level of access authority and a plurality of groups form a tree structure As described above, at least two of the three types of hierarchical groups in which each group is set are included.

  Due to these characteristics, when controlling access to data, for example, a group in which the same user is set for each project in charge, a group set for each access authority level, a group set for each department, , It is possible to control access according to various conditions such as which project each user is in charge of, which level of access authority, and which department.

The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control program is
A designation process for designating a group of authority types permitted to access data by the input device;
Along with the authority type group specified by the input device, the processing apparatus displays the data information of the data so as to indicate all groups corresponding to a higher access authority level than the group as a group permitting access to the data. And setting processing for writing the set data information to the storage device is executed by the computer.

  With such a feature, when controlling access to data, for example, when the same user belongs to a group set for each access authority level and a group set based on other setting criteria, It is possible to facilitate setting for control.

The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control program is
A designation process for designating a hierarchical type group that permits access to data by the input device;
In addition to the group of the hierarchy type specified by the input device, the data information of the data is indicated in the processing device so as to indicate all groups belonging to the group in a hierarchy lower than the group as a group that permits access to the data. And setting processing for writing the set data information to the storage device is executed by the computer.

  Due to such a feature, when controlling access to data, for example, when the same user belongs to a group set for each department and a group set based on other setting criteria, access control is performed. It is possible to facilitate the setting for doing so.

Embodiment 2. FIG.
In the following, with respect to the operation of the access control apparatus according to the present embodiment, differences from the first embodiment will be mainly described. The configuration of the access control apparatus according to the present embodiment is the same as that of access control apparatus 100 of the first embodiment shown in FIG. In the present embodiment, the operation of access control apparatus 100 when setting user information of user A and data information of data A for the basic type group is the same as that of the first embodiment described with reference to FIG. It is the same. In this embodiment, the operation of access control apparatus 100 when user A requests access to data A is the same as that of the first embodiment described with reference to FIG.

  FIG. 11 is a flowchart showing the operation of the access control apparatus 100 when setting user information of user A and data information of data A for the authority type group.

The designation unit 104 designates the authority type group X ₂ (for example, “confidential” group) to which the user A belongs by using the input device 101 (step S2201: designation step (process)). Setting unit 105, to indicate a group _{X 2} which is designated by the input device 101 as a group by the user A belongs, it is set by the processing device 103 the user information of the user A (step S2202). Furthermore, the setting unit 105 displays the user information of the user A so that all the groups corresponding to the access authority level lower than the group X ₂ (for example, the “secret” group) belong to the user A. (Step S2203). Then, the setting unit 105 writes the set user information in the storage device 102 (step S2204) (steps S2202 to S2204: setting step (process)). The first storage unit 109 stores the user information of the user A regarding the authority type group in the storage device 102 (step S2205: first storage step (process)).

The designation unit 104 designates the authority type group Y ₂ (for example, the “secret” group described above) that permits access to the data A by the input device 101 (step S2206: designation step (process)). Setting unit 105, to indicate the group Y ₂ designated by the input device 101 as a group to allow access to the data A, and set by the processing device 103 the data information of the data A (step S2207), the set data Information is written in the storage device 102 (step S2208) (steps S2207 to S2208: setting step (process)). The second storage unit 110 stores the data information of the data A for the authority type group in the storage device 102 (step S2209: second storage step (process)).

  As described above, in the present embodiment, based on the same concept as in the first embodiment, setting the appropriate access right for the user is automatically performed only by specifying the level of the access right of the user. For example, although not shown, it is assumed that “confidential”, “confidential”, “secret”, and “caution” groups are set in order from the top of the access authority level as the authority type group. If a user has "confidential" level access privileges, the user has access not only to data containing "secret" level information, but also to data containing "secret" and "caution" level information below it. It must be possible. At this time, if only the “confidential” group is designated as the group to which the user belongs, the “secret” and “caution” groups are automatically set as the groups to which the user belongs. As a result, even if you do not set to allow access from users belonging to the “secret” group to data that allows access from users belonging to the “secret” or “caution” group, The user can access the data.

  FIG. 12 is a flowchart showing the operation of the access control apparatus 100 when setting user information of user A and data information of data A for a hierarchical type group.

The designation unit 104 designates the hierarchical type group X ₃ (for example, “group 1” group) to which the user A belongs by using the input device 101 (step S2301: designation step (process)). Setting unit 105, to indicate the group _{X 3} designated by the input device 101 as a group by the user A belongs, it is set by the processing device 103 the user information of the user A (step S2302). Furthermore, setting section 105, a group the group X ₃ belongs in the upper hierarchy from the group X ₃ (e.g., a parent group to the child groups of "1 engagement" as a group of "1 Section") All user A As shown as the group to which the user belongs, the user information of the user A is set by the processing device 103 (step S2303). Then, the setting unit 105 writes the set user information in the storage device 102 (step S2304) (steps S2302 to S2304: setting step (process)). The first storage unit 109 stores the user information of the user A regarding the hierarchical type group in the storage device 102 (step S2305: first storage step (process)).

The designating unit 104 designates a hierarchical type group Y ₃ (for example, “Group 1” group) that permits access to the data A using the input device 101 (step S2306: designation step (processing)). Setting unit 105, as shown a group Y ₃ designated by the input device 101 as a group to allow access to the data A, and set by the processing device 103 the data information of the data A (step S2307), the set data Information is written into the storage device 102 (step S2308) (steps S2307 to S2308: setting step (process)). The second storage unit 110 stores the data information of the data A for the hierarchical type group in the storage device 102 (step S2309: second storage step (process)).

  As described above, in the present embodiment, based on the same idea as in the first embodiment, it is only necessary to specify which group (for example, a department of an organization such as a company) belongs to an arbitrary hierarchy of the tree structure. The appropriate access right for the user is automatically set. For example, although not shown in the drawing, as a group of a hierarchical type, “Group 1”, “Group 2” group, “Group 1” group which is a child group of “Group 1” group, “Group 1” group Assume that groups “1” and “2” corresponding to child groups are set. Assuming that a user belongs to “1 Section”, the user should not only disclose data including information to be disclosed only within “1 Section” but also only within “1 Section” (“2 Section”). It must also be possible to access data containing information (also published in At this time, if only the group “1” is designated as the group to which the user belongs, the “section 1” group is automatically set as the group to which the user belongs. As a result, even if it is not set to permit the access from the user belonging to the “group 1” group to the data permitting the access from the user belonging to the “section 1” group, the user can The data can be accessed.

As described above, the access control apparatus according to the present embodiment is
In the same access control apparatus as in the first embodiment,
The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control device
A designation unit for designating the authority type group to which the user belongs by the input device;
Along with the authority type group specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups corresponding to the access authority level lower than the group as the group to which the user belongs, And a setting unit for writing the set user information to the storage device.

  With such a feature, when controlling access to data, for example, when the same user belongs to a group set for each access authority level and a group set based on other setting criteria, It is possible to facilitate setting for control.

The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control device
A designation unit for designating a group of a hierarchical type to which a user belongs by the input device;
Along with the group of the hierarchy type specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups to which the group belongs in the hierarchy higher than the group as the group to which the user belongs, And a setting unit for writing the set user information to the storage device.

  Due to such a feature, when controlling access to data, for example, when the same user belongs to a group set for each department and a group set based on other setting criteria, access control is performed. It is possible to facilitate the setting for doing so.

In addition, the access control method according to the present embodiment is
In the same access control method as in the first embodiment,
The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control method includes:
A designation step for designating a group of authority types to which the user belongs by the input device;
Along with the authority type group specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups corresponding to the access authority level lower than the group as the group to which the user belongs, A setting step of writing the set user information to the storage device.

  With such a feature, when controlling access to data, for example, when the same user belongs to a group set for each access authority level and a group set based on other setting criteria, It is possible to facilitate setting for control.

The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control method includes:
A designation step for designating a hierarchical type group to which the user belongs by the input device;
Along with the group of the hierarchy type specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups to which the group belongs in the hierarchy higher than the group as the group to which the user belongs, A setting step of writing the set user information to the storage device.

  Due to such a feature, when controlling access to data, for example, when the same user belongs to a group set for each department and a group set based on other setting criteria, access control is performed. It is possible to facilitate the setting for doing so.

The access control program according to the present embodiment is
In the same access control program as in the first embodiment,
The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control program is
A designation process for designating the authority type group to which the user belongs by the input device;
Along with the authority type group specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups corresponding to the access authority level lower than the group as the group to which the user belongs, A setting process for writing the set user information to the storage device is executed by a computer.

  With such a feature, when controlling access to data, for example, when the same user belongs to a group set for each access authority level and a group set based on other setting criteria, It is possible to facilitate setting for control.

The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control program is
A designation process for designating a hierarchical type group to which the user belongs by the input device;
Along with the group of the hierarchy type specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups to which the group belongs in the hierarchy higher than the group as the group to which the user belongs, A setting process for writing the set user information to the storage device is executed by a computer.

  Due to such a feature, when controlling access to data, for example, when the same user belongs to a group set for each department and a group set based on other setting criteria, access control is performed. It is possible to facilitate the setting for doing so.

Embodiment 3 FIG.
In the following, the operation of the access control apparatus according to the present embodiment will be described mainly with respect to differences from the first and second embodiments. The configuration of the access control apparatus according to the present embodiment is the same as that of access control apparatus 100 of the first embodiment shown in FIG. In the present embodiment, the operation of access control apparatus 100 when setting user information of user A and data information of data A is the same as in the first and second embodiments.

  In this embodiment, the user information is set as a bit string, and if the bit at a predetermined position for each group is 1, it indicates that the user belongs to the group corresponding to that bit, and if the bit is 0 It is assumed that the user does not belong to the group corresponding to the bit. Similarly, in this embodiment, data information is set as a bit string, and if a bit at a predetermined position for each group is 1, access to data from users belonging to the group corresponding to the bit is permitted. If the bit is 0, it indicates that access to data from users belonging to the group corresponding to the bit is denied.

  FIG. 13 is a flowchart showing the operation of the access control apparatus 100 when the user A requests access to the data A.

  The input unit 106 inputs an access request to the data A by the user A using the input device 101 (step S3401: input step (processing)) (the access request to the data A by the user A is stored in the storage device 102 in advance. The comparison unit 107 may read this access request from the storage device 102). The comparison unit 107 responds to the access request input from the input device 101 (when the comparison unit 107 reads the access request from the storage device 102, according to the access request read from the storage device 102), the basic type, The user information of user A and the data information of data A for each group of authority type and hierarchy type are read from the storage device 102 (step S3402). The comparison unit 107 uses the processing device 103 to calculate the logical product of the user information and the data information for each group of the read basic type, authority type, and hierarchy type (step S3403). The comparison unit 107 calculates the logical sum of all bits included in the logical product operation result by the processing device 103 by the processing device 103 for each group of the basic type, authority type, and hierarchy type (steps S3404 to S3404). : Comparison step (processing)). The determination unit 108 uses the processing device 103 to calculate the logical product of the logical sum operation results for the basic type, authority type, and hierarchy type groups by the processing device 103 (step S3405). When the logical product operation result is 1, the determining unit 108 determines that the user A is permitted to access the data A (step S3406). When the logical product operation result is 0, the user A performs the operation. It is determined to deny access to data A (step S3407) (steps S3405 to S3407: determination step (process)).

  For example, as shown in (a) of FIG. 14, “Department 1” and “Department 2” as departments, “Department 1”, “Department 2”, “Department 3” and “Department 4”, There are “1 Section” and “2 Section” belonging to “Section 2”. As shown in FIG. 14B, the access authority levels are “Top Secret”, “Secret”, and “Caution” in order from the top. Suppose there are two levels. In (a) and (b) of FIG. 14, the number displayed on the right side of the name of the group indicates what digit (the number of bits from the right) of the bit string the group corresponds to. For example, the group “section 1”, which is a hierarchical type group, corresponds to the first digit (the first bit from the right) of the bit string of user information and data information regarding the hierarchical type group.

  In this example, as shown in FIG. 14 (c), the data information is set so that only the user who belongs to “Section 1” and has the access authority of the “attention” level or higher is allowed to access the data A. Suppose that it is set. It is assumed that the data information is set so that only a user who belongs to “Section 2” and has an access authority of “top secret” level or higher is allowed to access data B. For user A, “Group 2”, “Group 4”, and “Group 2” “Group 2” groups in the “Group 1” group, and “Secret” in the authority type group It is assumed that user information is set so as to belong to a group. Here, for convenience of explanation, the data information is set by the same method as in the first embodiment (for example, see step S1207 in FIG. 5 and step S1307 in FIG. 7), and the user information is set in the same method as in the second embodiment ( For example, although an example in the case of setting in step S2203 in FIG. 11 and step S2303 in FIG. 12 is shown, both data information and user information may be set by the same method as in the first embodiment. It may be set by the same method as in the second embodiment.

  As shown in FIG. 14C, in this example, first, the bit sequence of the user information and the bit sequence of the data information for the hierarchical type group are ANDed, and all the bits included in the AND operation result are further calculated. Find the logical sum of (digits). If the logical sum is 0, it can be understood that the user does not belong to the group of the hierarchical type permitted to access the data, and in this case, it can be immediately determined that the access of the user is denied. (That is, the operation for the next authority type group can be omitted). In this example, the bit sequence of the user information and the bit sequence of the data information for the authority type group are next subjected to a logical product operation, and further, a logical sum of all bits (digits) included in the logical product operation result is obtained. . If the logical sum is 0, it is found that the user does not belong to the authority type group permitted to access the data. In this case, the user's access (access to data B in this example) is determined. You can decide to refuse. When the result of the logical sum operation performed on each of the group of the hierarchy type and the authority type is all 1, that is, when the logical product of each logical sum operation result is 1, the user access (in this example, , Access to data A) can be determined.

As described above, the access control apparatus according to the present embodiment is
In the same access control apparatus as in the first and second embodiments,
The user information is a bit string indicating whether or not a user belongs to the group by the value of a bit at a predetermined position for each group,
The data information is a bit string indicating whether or not access to the data of the group is permitted by the value of a bit at a predetermined position for each group,
The comparison unit performs a logical operation on the read user information and data information by the processing device for each group type,
The determination unit is configured to determine, by the processing device, whether the access is permitted based on a logical operation result for each group type by the processing device.

The user information is a bit string indicating that the user belongs to the group when the bit at a predetermined position for each group is 1, and indicates that the user does not belong to the group when the bit is 0. ,
The data information indicates that access to the data of the group is permitted when the bit at a predetermined position for each group is 1, and access to the data of the group is permitted when the bit is 0. A bit string indicating that
The comparison unit calculates a logical product of the read user information and data information by the processing device for each group type, and calculates a logical sum of all bits included in the calculation result by the processing device for each group type. And
The determination unit calculates a logical product of logical OR calculation results for each group type by the processing device, and determines that the access is permitted when the calculation result is 1, and the calculation result is In the case of 0, it is judged that the access is denied.

In addition, the access control method according to the present embodiment is
In the same access control method as in the first and second embodiments,
The user information is a bit string indicating whether or not a user belongs to the group by the value of a bit at a predetermined position for each group,
The data information is a bit string indicating whether or not access to the data of the group is permitted by the value of a bit at a predetermined position for each group,
The comparison step performs logical operation on the read user information and data information by the processing device for each group type,
In the determining step, the processing device determines whether the access is permitted or not based on a logical operation result for each group type by the processing device.

The user information is a bit string indicating that the user belongs to the group when the bit at a predetermined position for each group is 1, and indicates that the user does not belong to the group when the bit is 0. ,
The data information indicates that access to the data of the group is permitted when the bit at a predetermined position for each group is 1, and access to the data of the group is permitted when the bit is 0. A bit string indicating that
The comparison step calculates a logical product of the read user information and data information by the processing device for each group type, and calculates a logical sum of all bits included in the calculation result by the processing device for each group type. And
In the determination step, the processing device calculates a logical product of logical sum operation results for each group type by the processing device, and determines that the access is permitted when the calculation result is 1, and the calculation result is In the case of 0, it is judged that the access is denied.

The access control program according to the present embodiment is
In the same access control program as in the first and second embodiments,
The user information is a bit string indicating whether or not a user belongs to the group by the value of a bit at a predetermined position for each group,
The data information is a bit string indicating whether or not access to the data of the group is permitted by the value of a bit at a predetermined position for each group,
In the comparison process, the read user information and data information are logically operated by the processing device for each group type,
The determination process is characterized in that the processing device determines whether the access is permitted or not based on a logical operation result for each group type by the processing device.

The user information is a bit string indicating that the user belongs to the group when the bit at a predetermined position for each group is 1, and indicates that the user does not belong to the group when the bit is 0. ,
The data information indicates that access to the data of the group is permitted when the bit at a predetermined position for each group is 1, and access to the data of the group is permitted when the bit is 0. A bit string indicating that
In the comparison process, a logical product of the read user information and data information is calculated by the processing device for each group type, and a logical sum of all bits included in the calculation result is calculated by the processing device for each group type. And
In the determination processing, the processing device calculates a logical product of logical sum operation results for each group type by the processing device, and determines that the access is permitted when the calculation result is 1, and the calculation result is In the case of 0, it is judged that the access is denied.

  With such a feature, it is possible to quickly and efficiently perform processing when controlling access to data.

1 is a block diagram showing a configuration of an access control apparatus according to Embodiment 1. FIG. 2 is a diagram illustrating an example of an appearance of an access control device according to Embodiment 1. FIG. 3 is a diagram illustrating an example of a hardware configuration of an access control apparatus according to Embodiment 1. FIG. FIG. 3 is a flowchart showing an operation of the access control apparatus according to the first embodiment. FIG. 3 is a flowchart showing an operation of the access control apparatus according to the first embodiment. 6 is a conceptual diagram illustrating an example of settings of an access control device according to Embodiment 1. FIG. FIG. 3 is a flowchart showing an operation of the access control apparatus according to the first embodiment. 6 is a conceptual diagram illustrating an example of settings of an access control device according to Embodiment 1. FIG. FIG. 3 is a flowchart showing an operation of the access control apparatus according to the first embodiment. 6 is a conceptual diagram illustrating an example of settings of an access control device according to Embodiment 1. FIG. FIG. 10 is a flowchart showing the operation of the access control apparatus according to the second embodiment. FIG. 10 is a flowchart showing the operation of the access control apparatus according to the second embodiment. FIG. 10 is a flowchart showing the operation of the access control apparatus according to the third embodiment. FIG. 10 is a conceptual diagram illustrating an example of settings of an access control device according to a third embodiment.

Explanation of symbols

  100 access control device, 101 input device, 102 storage device, 103 processing device, 104 specification unit, 105 setting unit, 106 input unit, 107 comparison unit, 108 judgment unit, 109 first storage unit, 110 second storage unit , 901 CRT display device, 902 K / B, 903 mouse, 904 FDD, 905 CDD, 906 printer device, 910 system unit, 911 CPU, 912 bus, 913 ROM, 914 RAM, 915 communication board, 920 magnetic disk device, 921 OS, 922 window system, 923 programs, 924 files, 940 Internet, 941 gateway, 942 LAN.

Claims (27)

In an access control device for controlling access to data by a user using a computer having an input device, a storage device, and a processing device,
Among a plurality of groups set based on the same setting standard among a plurality of setting standards, user information indicating a group to which each user of a plurality of users belongs is based on any setting standard among the plurality of setting standards. A first storage unit that stores in the storage device for each group type and each user indicating
A second storage unit that stores data information indicating a group that allows access to each piece of data among a plurality of groups of the same group type in the storage device for each group type and each data;
An input unit for inputting a request for access to data by a user through the input device;
In response to the access request input by the input device, the user information of the user who requested the access and the data information of the data requested to be accessed are read from the storage device for each group type, and the read user information A comparison unit that compares the data information with the processing device for each group type;
An access control device, comprising: a determination unit that determines whether the access is permitted or not based on a comparison result for each group type by the processing device.   The group type includes a basic structure in which each group of a plurality of groups is set independently and an authority type in which each group is set to have a one-to-one correspondence with a level of access authority and a plurality of groups form a tree structure The access control apparatus according to claim 1, wherein the access control apparatus includes at least two of the three types of hierarchy types in which each group is set. The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control device
A designation unit for designating the authority type group to which the user belongs by the input device;
Along with the authority type group specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups corresponding to the access authority level lower than the group as the group to which the user belongs, The access control apparatus according to claim 1, further comprising: a setting unit that writes the set user information to the storage device. The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control device
A designation unit for designating a group of authority types that allow access to data by the input device;
Along with the authority type group specified by the input device, the processing apparatus displays the data information of the data so as to indicate all groups corresponding to a higher access authority level than the group as a group permitting access to the data. The access control apparatus according to claim 1, further comprising: a setting unit configured to write the set data information in the storage device. The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control device
A designation unit for designating a group of a hierarchical type to which a user belongs by the input device;
Along with the group of the hierarchy type specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups to which the group belongs in the hierarchy higher than the group as the group to which the user belongs, The access control apparatus according to claim 1, further comprising: a setting unit that writes the set user information to the storage device. The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control device
A designation unit that designates a group of a hierarchical type that allows access to data by the input device;
In addition to the group of the hierarchy type specified by the input device, the data information of the data is indicated in the processing device so as to indicate all groups belonging to the group in a hierarchy lower than the group as a group that permits access to the data. The access control apparatus according to claim 1, further comprising: a setting unit configured to write the set data information in the storage device. The user information is a bit string indicating whether or not a user belongs to the group by the value of a bit at a predetermined position for each group,
The data information is a bit string indicating whether or not access to the data of the group is permitted by the value of a bit at a predetermined position for each group,
The comparison unit performs a logical operation on the read user information and data information by the processing device for each group type,
The access control apparatus according to claim 1, wherein the determination unit determines whether the access is permitted or not based on a logical operation result for each group type by the processing apparatus. The user information is a bit string indicating that the user belongs to the group when the bit at a predetermined position for each group is 1, and indicates that the user does not belong to the group when the bit is 0. ,
The data information indicates that access to the data of the group is permitted when the bit at a predetermined position for each group is 1, and access to the data of the group is permitted when the bit is 0. A bit string indicating that
The comparison unit calculates a logical product of the read user information and data information by the processing device for each group type, and calculates a logical sum of all bits included in the calculation result by the processing device for each group type. And
The determination unit calculates a logical product of logical OR calculation results for each group type by the processing device, and determines that the access is permitted when the calculation result is 1, and the calculation result is The access control apparatus according to claim 1, wherein if it is 0, it is determined to deny the access. In an access control method for controlling access to data by a user using a computer having an input device, a storage device, and a processing device,
Among a plurality of groups set based on the same setting standard among a plurality of setting standards, user information indicating a group to which each user of a plurality of users belongs is based on any setting standard among the plurality of setting standards. A first storage step of storing in the storage device for each group type and each user indicating whether
A second storage step of storing, in the storage device for each group type and each data, data information indicating a group that allows access to each data of a plurality of data among a plurality of groups of the same group type;
An input step of inputting a data access request by a user through the input device;
In response to the access request input by the input device, the user information of the user who requested the access and the data information of the data requested to be accessed are read from the storage device for each group type, and the read user information A comparison step in which the processing device compares data information for each group type;
An access control method comprising: a determination step of determining whether the access is permitted or not based on a comparison result for each group type by the processing device.   The group type includes a basic structure in which each group of a plurality of groups is set independently and an authority type in which each group is set to have a one-to-one correspondence with a level of access authority and a plurality of groups form a tree structure The access control method according to claim 9, further comprising at least two of the three types of hierarchy types in which each group is set. The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control method includes:
A designation step for designating a group of authority types to which the user belongs by the input device;
Along with the authority type group specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups corresponding to the access authority level lower than the group as the group to which the user belongs, The access control method according to claim 9, further comprising a setting step of writing the set user information to the storage device. The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control method includes:
A designation step of designating a group of authority types that allow access to data by the input device;
Along with the authority type group specified by the input device, the processing apparatus displays the data information of the data so as to indicate all groups corresponding to a higher access authority level than the group as a group permitting access to the data. The access control method according to claim 9, further comprising: a setting step that sets the data information and writes the set data information to the storage device. The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control method includes:
A designation step for designating a hierarchical type group to which the user belongs by the input device;
Along with the group of the hierarchy type specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups to which the group belongs in the hierarchy higher than the group as the group to which the user belongs, The access control method according to claim 9, further comprising a setting step of writing the set user information to the storage device. The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control method includes:
A designation step for designating a hierarchical type group that allows access to data by the input device;
In addition to the group of the hierarchy type specified by the input device, the data information of the data is indicated in the processing device so as to indicate all groups belonging to the group in a hierarchy lower than the group as a group that permits access to the data. The access control method according to claim 9, further comprising: a setting step that sets the data information and writes the set data information to the storage device. The user information is a bit string indicating whether or not a user belongs to the group by the value of a bit at a predetermined position for each group,
The data information is a bit string indicating whether or not access to the data of the group is permitted by the value of a bit at a predetermined position for each group,
The comparison step performs logical operation on the read user information and data information by the processing device for each group type,
The access control method according to claim 9, wherein the determination step determines whether the access is permitted or not based on a logical operation result for each group type by the processing device. The user information is a bit string indicating that the user belongs to the group when the bit at a predetermined position for each group is 1, and indicates that the user does not belong to the group when the bit is 0. ,
The data information indicates that access to the data of the group is permitted when the bit at a predetermined position for each group is 1, and access to the data of the group is permitted when the bit is 0. A bit string indicating that
The comparison step calculates a logical product of the read user information and data information by the processing device for each group type, and calculates a logical sum of all bits included in the calculation result by the processing device for each group type. And
In the determination step, the processing device calculates a logical product of logical sum operation results for each group type by the processing device, and determines that the access is permitted when the calculation result is 1, and the calculation result is The access control method according to any one of claims 9 to 14, wherein, in the case of 0, it is determined to deny the access. In an access control program that is executed by a computer having an input device, a storage device, and a processing device to control access to data by a user,
Among a plurality of groups set based on the same setting standard among a plurality of setting standards, user information indicating a group to which each user of a plurality of users belongs is based on any setting standard among the plurality of setting standards. A first storage process for storing in the storage device for each group type and each user indicating
A second storage process for storing, in the storage device, data information indicating a group that allows access to each data of a plurality of data among a plurality of groups of the same group type;
An input process for inputting a data access request by a user through the input device;
In response to the access request input by the input device, the user information of the user who requested the access and the data information of the data requested to be accessed are read from the storage device for each group type, and the read user information Comparison processing for comparing data information for each group type by the processing device;
An access control program that causes a computer to execute determination processing for determining whether access is permitted or not based on a comparison result for each group type by the processing device.   The group type includes a basic structure in which each group of a plurality of groups is set independently and an authority type in which each group is set to have a one-to-one correspondence with a level of access authority and a plurality of groups form a tree structure The access control program according to claim 17, further comprising at least two of the three types of hierarchy types in which each group is set. The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control program is
A designation process for designating the authority type group to which the user belongs by the input device;
Along with the authority type group specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups corresponding to the access authority level lower than the group as the group to which the user belongs, The access control program according to claim 17, wherein the computer executes a setting process for writing the set user information to the storage device. The group type includes an authority type in which each group is set to correspond to an access authority level on a one-to-one basis.
The access control program is
A designation process for designating a group of authority types permitted to access data by the input device;
Along with the authority type group specified by the input device, the processing apparatus displays the data information of the data so as to indicate all groups corresponding to a higher access authority level than the group as a group permitting access to the data. 18. The access control program according to claim 17, further comprising: causing the computer to execute setting processing for setting the data information and writing the set data information to the storage device. The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control program is
A designation process for designating a hierarchical type group to which the user belongs by the input device;
Along with the group of the hierarchy type specified by the input device, the user information of the user is set by the processing device so as to indicate all the groups to which the group belongs in the hierarchy higher than the group as the group to which the user belongs, The access control program according to claim 17, wherein the computer executes a setting process for writing the set user information to the storage device. The group type includes a hierarchical type in which each group is set so that a plurality of groups form a tree structure,
The access control program is
A designation process for designating a hierarchical type group that permits access to data by the input device;
In addition to the group of the hierarchy type specified by the input device, the data information of the data is indicated in the processing device so as to indicate all groups belonging to the group in a hierarchy lower than the group as a group that permits access to the data. 18. The access control program according to claim 17, further comprising: causing the computer to execute setting processing for setting the data information and writing the set data information to the storage device. The user information is a bit string indicating whether or not a user belongs to the group by the value of a bit at a predetermined position for each group,
The data information is a bit string indicating whether or not access to the data of the group is permitted by the value of a bit at a predetermined position for each group,
In the comparison process, the read user information and data information are logically operated by the processing device for each group type,
18. The access control program according to claim 17, wherein the determination processing determines whether the access is permitted or not based on a logical operation result for each group type by the processing device. The user information is a bit string indicating that the user belongs to the group when the bit at a predetermined position for each group is 1, and indicates that the user does not belong to the group when the bit is 0. ,
The data information indicates that access to the data of the group is permitted when the bit at a predetermined position for each group is 1, and access to the data of the group is permitted when the bit is 0. A bit string indicating that
In the comparison process, a logical product of the read user information and data information is calculated by the processing device for each group type, and a logical sum of all bits included in the calculation result is calculated by the processing device for each group type. And
In the determination processing, the processing device calculates a logical product of logical sum operation results for each group type by the processing device, and determines that the access is permitted when the calculation result is 1, and the calculation result is The access control program according to any one of claims 17 to 22, wherein in the case of 0, it is determined to deny the access. In an access control device for controlling access to data by a user using a computer having a storage device and a processing device,
Among a plurality of groups set based on the same setting standard among a plurality of setting standards, user information indicating a group to which each user of a plurality of users belongs is based on any setting standard among the plurality of setting standards. A first storage unit that stores in the storage device for each group type and each user indicating
A second storage unit that stores data information indicating a group that allows access to each piece of data among a plurality of groups of the same group type in the storage device for each group type and each data;
In response to a user access request for data, the user information of the user who requested the access and the data information of the data requested to be accessed are read from the storage device for each group type, and the read user information and data information Comparing unit for each group type by the processing device,
An access control device, comprising: a determination unit that determines whether the access is permitted or not based on a comparison result for each group type by the processing device. In an access control method for controlling access to data by a user using a computer having a storage device and a processing device,
Among a plurality of groups set based on the same setting standard among a plurality of setting standards, user information indicating a group to which each user of a plurality of users belongs is based on any setting standard among the plurality of setting standards. A first storage step of storing in the storage device for each group type and each user indicating whether
A second storage step of storing, in the storage device for each group type and each data, data information indicating a group that allows access to each data of a plurality of data among a plurality of groups of the same group type;
In response to a user access request for data, the user information of the user who requested the access and the data information of the data requested to be accessed are read from the storage device for each group type, and the read user information and data information Comparing step for each group type by the processing device,
An access control method comprising: a determination step of determining whether the access is permitted or not based on a comparison result for each group type by the processing device. In an access control program that is executed by a computer having a storage device and a processing device to control access to data by a user,
Among a plurality of groups set based on the same setting standard among a plurality of setting standards, user information indicating a group to which each user of a plurality of users belongs is based on any setting standard among the plurality of setting standards. A first storage process for storing in the storage device for each group type and each user indicating
A second storage process for storing, in the storage device, data information indicating a group that allows access to each data of a plurality of data among a plurality of groups of the same group type;
In response to a user access request for data, the user information of the user who requested the access and the data information of the data requested to be accessed are read from the storage device for each group type, and the read user information and data information And comparison processing for each group type by the processing device,
An access control program that causes a computer to execute determination processing for determining whether access is permitted or not based on a comparison result for each group type by the processing device.

Images