JP2009193289A - Access right management method, access management system and access right management program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To detect/extract contradiction about such complicate relations as SoD constraint based on relations between a plurality of subjects or objects. <P>SOLUTION: This access right management system for verifying the contradiction of access rights is provided with a rule comparing means which generates a rule with constraint by applying attributes specifying constraint to an access right to be derived from a policy including access right definitions to make a rule storage means store it, and which compares position relations on a coordinate space of points using a value configuring access right by using the access rights included in the rule with constraint stored in the rule storage means as objects to verify the contradiction of the access rights. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an access right management method, an access right management system, and an access right management program for managing access rights.

  Each access right is determined from a policy (condition statement using s, o, a itself or a group) that is a conditional statement that grants access rights (a set of subject (s), object (o), and action (a)). A derived access control system is used. In such an access control system, there may be inconsistencies in access rights that cannot be found from policy. As a method for detecting and extracting such inconsistencies in access rights, by using a manual or some simulation tool, enumerate all combinations of access rights based on the policy to detect and extract inconsistent access rights. A method is conceivable.

  However, in the method using the above-described manpower and simulation tool, since all combinations of access rights are inspected, a long time is required for processing, which is not realistic. In addition, every time the policy is changed, it is necessary to recheck all combinations of access rights from the beginning, which is inefficient. Therefore, an access right management system has been devised for improving the processing time and efficiency problems (see, for example, Patent Document 1).

  The access right management system described in Patent Document 1 includes an object class database, a subject class database, an access right control rule database, a propagation rule database, a request reception unit, an access permission determination unit, and a class information conversion. Means, contradiction rule detection means, and contradiction part extraction means. The access right management system having such a configuration and described in Patent Document 1 is derived from a policy described using roles by assuming propagation rules of roles (subjects and groups of objects). Detect and extract inconsistent access rights.

  In addition, according to the propagation rule of the access right management system described in Patent Document 1, the depth of a node when a subject (subject) or an object (object) is represented by a single tree according to the configuration of an organization or the like. As each role. Therefore, access denial to the upper (root) role is propagated to the lower (leaf) role, and access permission to the lower role is propagated to the upper role. When the access right derived from the policy described using this role conflicts with a subject or object as a result of propagation, it is detected and extracted as a contradiction. That is, it is possible to shorten the processing time required for detection / extraction by examining only the range covered by the propagation rule of a role for the access rights of subjects and objects that can be expressed by a single tree.

  Furthermore, in the access right management system described in Patent Document 1, the scope of subjects and objects that cause inconsistencies when a policy is changed is limited to the influence of the role used by the policy that has changed. be able to. Therefore, more efficient detection / extraction can be performed than re-inspecting all access rights every time a policy change occurs.

JP 2005-182478 A (paragraph 0035, FIG. 1)

  However, the access right management system described in Patent Document 1 has a problem that contradiction cannot be detected and extracted for more complicated relationships such as a SoD (Separation of Duty) constraint. The reason is that the access right management system described in Patent Document 1 determines whether there is a contradiction independently for each combination of a subject and an object. Therefore, the access right management system described in Patent Document 1 is not regarded as a contradiction unless a plurality of conflicting access rights are derived from a combination of a subject and an object. That is, unlike the SoD constraint, it is impossible to determine whether there is a contradiction based on the relationship between a plurality of subjects and objects such as the derivation status of access rights of other subjects and objects.

  Therefore, the present invention provides an access right management method, an access right management system, and an access right management program capable of detecting and extracting contradiction for a more complicated relationship such as a SoD constraint based on the relationship between a plurality of subjects and objects. The purpose is to do.

  An access right management method according to the present invention is an access right management method for verifying inconsistencies in access rights, and is based on a policy including an access right definition based on the scope of access rights targeted by a constraint that is a criterion for inconsistency verification. Generate a constrained rule with an attribute that specifies the constraint for the derived access right, store it in the rule storage means, and target the access rights included in the restricted rule stored in the rule storage means The present invention is characterized in that the inconsistency of access rights is verified by comparing the positional relationship of the points in the coordinate space using the values constituting the access rights.

  Another aspect of the access right management method according to the present invention is an access right management method for verifying an inconsistency of access rights, wherein at least one of a subject, an object, and an action, which is a value constituting the access right, is obtained. By taking the coordinate axis, one access right is expressed as one point on the coordinate space, and a set of access rights is expressed as an area on the coordinate space, and the restrictions to be satisfied by the access right are expressed in the coordinate space. By pre-defining a placement pattern where points should or should not be placed for one or more areas, the points of access rights derived from a policy containing access rights definitions are subject to constraints. If the access right is related to the restriction, an identifier indicating that the restriction corresponds to the restriction The same restriction as the access right included in the restriction rule stored in the rule storage means in order to generate and store the added restricted rule in the rule storage means and verify whether the access right satisfies the restriction. Only the access rights with identifiers related to the ID are to be verified, and whether there is a conflict of access rights by verifying whether the access rights to be verified are in the arrangement pattern described in the constraint It is characterized by doing.

  An access right management system according to the present invention is an access right management system that verifies an inconsistency of access rights, and is a constrained rule to which an attribute specifying a constraint is assigned to an access right derived from a policy including an access right definition Is generated and stored in the rule storage means, and for the access rights included in the restricted rules stored in the rule storage means, the positional relationship of the points using the values constituting the access rights in the coordinate space is determined. It is characterized by comprising rule comparison means for verifying inconsistency of access rights by comparing.

  Another aspect of the access right management system according to the present invention is an access right management system for verifying inconsistency of access rights, and at least one of a subject, an object, and an action, which is a value constituting the access right. By taking the coordinate axis, one access right is expressed as one point on the coordinate space, and a set of access rights is expressed as an area on the coordinate space, and the restrictions to be satisfied by the access right are expressed in the coordinate space. By pre-defining a placement pattern where points should or should not be placed for one or more areas, the points of access rights derived from a policy containing access rights definitions are subject to constraints. If it is within the area, it indicates that the access right is related to the restriction and indicates that it corresponds to the area of the restriction In order to generate a constrained rule with a separate child and store it in the rule storage means and verify whether the access right satisfies the restrictions, the access right included in the constrained rule stored in the rule storage means Only access rights with identifiers related to the same constraint are to be verified, and by verifying whether the access rights to be verified are in the arrangement pattern described in the constraints, conflicts in access rights can be confirmed. A rule comparison means for verifying the presence or absence is provided.

  An access right management program according to the present invention is an access right management program for verifying inconsistencies in access rights, and is based on a range of access rights to which a restriction serving as a basis for inconsistency verification is applied. A process for generating a constrained rule to which an attribute specifying a constraint is assigned to an access right derived from a policy including an access right definition and storing the rule in a rule storage unit, and a constrained rule stored in the rule storage unit The access right included in each other is subjected to a process of verifying the contradiction of the access right by comparing the positional relationship of the points in the coordinate space using the values constituting the access right.

  Another aspect of the access right management program according to the present invention is an access right management program for verifying a contradiction of access rights, which is a value of the subject, object or action that is a value constituting the access right. Among them, by taking at least one or more coordinate axes, one access right is expressed as one point on the coordinate space, and a set of access rights is expressed as an area on the coordinate space, and the restriction that the access right must satisfy Access right derived from a policy including access right definition by pre-defining as a placement pattern where a point should not be placed or should be placed for one or more regions in the coordinate space If the point is within the restriction target area, the access right is related to the restriction and the restriction Generate a constrained rule with an identifier indicating that it corresponds to the area and store it in the rule storage means, and store it in the rule storage means in order to verify whether the access right satisfies the restrictions Only the access rights with identifiers related to the same restrictions as the access rights included in the restricted rule are to be verified, and it is verified whether the access rights to be verified are in the placement pattern described in the restrictions. By doing so, a process for verifying whether there is a conflict in access rights is executed.

  According to the present invention, contradiction can be detected and extracted even for more complicated relationships such as SoD constraints.

  Embodiments of the present invention will be described below with reference to the drawings. The present invention relates to an access right management system that manages access rights, and more particularly to an access right management system that can verify inconsistencies in access rights. Hereinafter, first, terms used in the present embodiment will be described.

  In the present embodiment, “access right” means a set of a specific subject (s), an object (o), and an action (a). The “access right definition” is a regular expression or a conditional statement that expresses one or more access rights by enumeration, group, range designation, etc. of the access right itself or s, o, a.

  A “policy” is a conditional statement that grants access rights. The “policy” includes a unique “policy ID” in the policy group and an access right definition.

  The “rule” includes an access right and a policy ID for identifying the policy from which the rule is derived. In the present embodiment, one or more rules are derived by interpreting and expanding a certain policy. Therefore, the policy from which the rule is derived can be identified from the policy ID included in the rule.

  The “constraint” is information that specifies a criterion for verifying the contradiction of access rights. The “constraint” defines a unique “constraint ID” in the constraint group, a “constraint name” that is a character string indicating the type of constraint processing, and one or more “constraint domains”. One or more access right definitions are included. Further, the “constraint domain” is an access right set (a range of access rights targeted by a constraint that is a criterion for contradiction verification) as a unit as a constraint target. In the present embodiment, one or more constraint domains exist for a certain constraint. For example, if the SoD constraint prohibits the coexistence of two access right sets, there are two constraint domains.

  The “restricted rule” is a rule to which an attribute specifying a constraint is given. The “restricted rule” includes a rule and a constraint ID for identifying a constraint to which the rule is a target. Accordingly, the policy from which the restricted rule is derived can be identified from the policy ID included in the restricted rule. Further, it is possible to specify a restriction subject to the restricted rule from the restriction ID included in the restricted rule.

  In this embodiment, the restricted rule is plotted on the multi-dimensional space having at least s, o, a as coordinate axes, using the values of s, o, a included in the restricted rule as coordinate values. Expressed as a point. When expressing a restricted rule as a point on a multidimensional space, the coordinates of the point are one element expressed by a multidimensional matrix. Therefore, a plurality of restricted rules can be compared using coordinate positions or matrix operations.

  The “contradiction result” is information that is output when it is determined that the rule is violated as a result of comparison between the rule and the constraint. The contradiction result includes a constraint ID for identifying the violated constraint, a policy ID corresponding to the policy from which the violating rule is derived, and the violating access right. Therefore, it is possible to specify the constraint that is the determination criterion for the contradiction result from the constraint ID included in the contradiction result. In addition, it is possible to identify a policy that is a constraint violation based on the contradiction result from the policy ID included in the contradiction result.

  Next, the configuration of the access right management system according to the present invention will be described with reference to the drawings. FIG. 1 is a system configuration diagram showing a configuration example of an access right management system according to the present invention. As shown in FIG. 1, the access right management system includes a contradiction verification device 100, a policy management device 200, and a constraint management device 300.

  In the present embodiment, the access right management system is realized by a computer system using an information processing apparatus such as a personal computer that operates according to a program. The contradiction verification device 100, the policy management device 200, and the constraint management device 300 may be constructed by separate computer systems, or may be partially or wholly implemented by the same computer system. Good.

  As shown in FIG. 1, the contradiction verification apparatus 100 includes a rule comparison unit 101, a rule storage unit 102, a contradiction result reference unit 103, and a contradiction result storage unit 104. The policy management apparatus 200 includes a policy editing unit 201 and a policy storage unit 202. The constraint management apparatus 300 includes a constraint editing unit 301 and a constraint storage unit 302.

  Specifically, the rule comparison unit 101 and the contradiction result reference unit 103 communicate with the CPU of the information processing apparatus that operates according to the program, a storage medium such as a RAM, the policy management apparatus 200, and the constraint management apparatus 300. And a communication interface. The policy editing unit 201 and the constraint editing unit 301 are specifically realized by a CPU of an information processing apparatus that operates according to a program and a storage medium such as a RAM. Furthermore, the rule storage unit 102, the contradiction result storage unit 104, the policy storage unit 202, and the constraint storage unit 302 are specifically realized by a storage medium such as a RAM or a hard disk.

  Specifically, the rule comparison unit 101 is realized by a CPU of an information processing apparatus that operates according to a program. The rule comparison unit 101 has a function of reading a constraint from the constraint storage unit 302, reading a policy from the policy storage unit 202, and comparing a rule obtained by developing the read policy with the constraint. Further, the rule comparison unit 101 has a function of generating a restricted rule for a constraint that requires comparison between rules, and storing the generated restricted rule in the rule storage unit 102. Further, the rule comparison unit 101 has a function of storing a rule that violates the constraint as a contradiction result in the contradiction result storage unit 104 if there is a rule that violates the constraint.

  In the present embodiment, the rule comparison unit 101 generates a rule with constraints to which an attribute (for example, constraint ID) for specifying a constraint is added to an access right derived from a policy including an access right definition, and a rule storage unit 102 is stored. Further, the rule comparison unit 101 uses a value constituting the access right for the access rights included in the restricted rule stored in the rule storage unit 102 (for example, coordinate values corresponding to the rule). The inconsistency of the access right is verified by comparing the positional relationship in the coordinate space.

  In this embodiment, the rule comparison unit 101 takes one access right on the coordinate space by taking at least one of subjects, objects, or actions, which are values constituting the access right, on the coordinate axis. A set of access rights is expressed as an area on the coordinate space, as well as a single point. In addition, the rule comparison unit 101 predefines the constraint that the access right should satisfy as an arrangement pattern in which points should not be arranged or should be arranged in one or more areas on the coordinate space. If the access right point derived from the policy including the access right definition is within the restriction target area, the identifier indicating that the access right is related to the restriction The added restricted rule is generated and stored in the rule storage unit 102. In addition, the rule comparison unit 101 performs access with an identifier related to the same restriction as the access right included in the restricted rule stored in the rule storage unit 102 in order to verify whether or not the access right satisfies the restriction. It is verified whether or not there is a contradiction in access rights by verifying whether or not only the right is a verification target, and whether or not the access right point to be verified is in the arrangement pattern described in the constraint.

  In this embodiment, the rule comparison unit 101 realizes a violation permission determination unit, an attribute addition unit, an access right contradiction determination unit, and a constraint identification unit.

  Specifically, the rule storage means 102 is realized by a storage device such as a magnetic disk device or an optical disk device. The rule storage unit 102 stores the restricted rule generated by the rule comparison unit 101.

  Specifically, the contradiction result reference unit 103 is realized by a CPU of an information processing apparatus that operates according to a program. The contradiction result reference unit 103 reads the contradiction result from the contradiction result storage unit 104, and searches for and acquires (extracts) the corresponding constraint from the constraint storage unit 302 using the constraint ID described (included) in the read contradiction result. ) Function. Further, the contradiction result reference unit 103 has a function of searching and acquiring (extracting) a corresponding policy from the policy storage unit 202 using the policy ID described (included) in the contradiction result read from the contradiction result storage unit 104. Is provided.

  Then, the contradiction result reference unit 103 generates a user interface for displaying the contradiction result (hereinafter abbreviated as UI) based on the access right described in the contradiction result, the acquired restriction, and the acquired policy. And a function of displaying a contradiction result screen on a display device such as a display device.

  Specifically, the contradiction result storage means 104 is realized by a storage device such as a magnetic disk device or an optical disk device. The contradiction result storage unit 104 stores the contradiction result generated by the rule comparison unit 101.

  The policy editing unit 201 is specifically realized by a CPU of an information processing apparatus that operates according to a program. The policy editing unit 201 has a function of providing a policy editing method to the user by generating a policy editing UI and displaying a policy editing screen on the display device.

  Specifically, the policy editing unit 201 provides, as an editing method, a policy input form using a Web interface or the like, or a text or binary editor that directly edits policy data. The policy editing unit 201 may provide a policy editing method to another system or apparatus that substitutes / automates the user's work.

  Further, the policy editing unit 201 has a function of acquiring the edited content, generating a policy, and storing the generated policy in the policy storage unit 202.

  Specifically, the policy storage means 202 is realized by a storage device such as a magnetic disk device or an optical disk device. The policy storage unit 202 stores the policy generated by the policy editing unit 201.

  Specifically, the restriction editing unit 301 is realized by a CPU of an information processing apparatus that operates according to a program. The constraint editing unit 301 has a function of providing a constraint editing method to the user by generating a constraint editing UI and displaying a constraint editing screen on a display device. Further, the constraint editing unit 301 has a function of acquiring the edited content, generating a constraint, and storing the generated constraint in the constraint storage unit 302.

  In this embodiment, the CPU that realizes the rule comparison unit 101, the contradiction result reference unit 103, the policy editing unit 201, and the constraint editing unit 301 may be realized by a common CPU.

  In the present embodiment, a storage device (not shown) of the information processing apparatus that implements the access right management system stores various programs for managing the access right. For example, the storage device of the information processing apparatus that implements the access right management system allows the computer to access the access derived from the policy including the access right definition based on the range of the access right that is subject to the restriction that is the basis for inconsistency verification. A process for generating a constrained rule with an attribute that specifies a constraint for the right and storing it in the rule storage means, and access for the access rights included in the constrained rule stored in the rule storage means An access right management program for executing a process of verifying inconsistency of access rights by comparing the positional relationship of the points in the coordinate space using the values constituting the rights is stored.

  Next, the operation of the access right management system in this embodiment will be described. FIG. 2 is a flowchart showing processing of the entire access right management system according to the present invention. As shown in FIG. 2, the policy editing unit 201 first generates a policy according to the access right setting desired by the user (step S100).

  Specifically, the policy editing unit 201 provides a policy editing method to the user by generating a policy editing UI and displaying a policy editing screen on the display device. Then, the user operates the policy management apparatus 200 to instruct input of policy editing contents. Then, the policy editing unit 201 acquires (inputs) the editing content according to the input operation of the user, thereby generating a policy based on the acquired editing content.

  Next, the constraint editing unit 301 generates a constraint according to the content of the constraint to be verified as to whether or not there is a contradiction with the generated policy (step S200). Specifically, the constraint editing unit 301 provides a constraint editing method to the user by generating a constraint editing UI and displaying a constraint editing screen on the display device. Then, the user operates the constraint management apparatus 300 to give an instruction to input constraint editing content. Then, the constraint editing unit 301 acquires (inputs) the edited content according to the input operation of the user, thereby generating a constraint based on the acquired edited content.

  Note that in the present embodiment, the correspondence between the content of the constraint and the constraint is determined in advance. The “rule that requires comparison between rules” described later corresponds to a rule having a specific constraint name.

  Next, the rule comparison unit 101 verifies whether or not the policy generated in step S100 is consistent, based on the constraint generated in step S200. Then, if there is a contradiction in the generated policy, the rule comparison unit 101 outputs information indicating the policy determined to be inconsistent as a contradiction result (step S300).

  Specifically, the rule comparison unit 101 decomposes the policy acquired from the policy management device 20 and the constraint acquired from the constraint management device 30 into access rights, respectively, and compares them to access rights to be restricted. To decide. Further, the rule comparison unit 101 determines whether there is a contradiction in access rights based on the constraint and outputs a contradiction result. The contradiction result output from the rule comparison unit 101 is stored in the contradiction result storage unit 104.

  Next, the contradiction result reference unit 103 identifies the policy from which the access right is derived and the corresponding constraint for the access right that violates the constraint described (included) in the contradiction result. Then, the contradiction result reference unit 103 generates a contradiction result display UI for displaying the identified policy and constraint, and causes the display device to display the contradiction result screen (step S400).

  Specifically, the contradiction result reference unit 103 uses the policy ID described (included) in the contradiction result acquired from the contradiction result storage unit 104 to use the policy management apparatus 200 (specifically, the policy storage unit). 202) to retrieve (extract) the corresponding policy. Further, the contradiction result reference unit 103 searches for and acquires the corresponding constraint from the constraint management device 300 (specifically, the constraint storage unit 302) using the constraint ID described (included) in the contradiction result ( Extract. Then, the contradiction result reference unit 103 generates a contradiction result display UI based on the acquired contradiction result, the policy, and the constraint, and displays the contradiction result screen on the display device.

  Next, the process in each step shown in FIG. 2 will be described in more detail. First, policy editing processing (processing in step S100) performed by the policy editing unit 201 will be described. FIG. 3 is a flowchart showing policy editing processing.

  As shown in FIG. 3, the policy editing unit 201 first generates a UI for editing a policy, and provides the user with the editing method by displaying it to the user (step S101). For example, the policy editing unit 201 uses a Web interface or the like to display a policy editing Web page screen on the display device, and provides the user with a policy input form.

  Next, the policy editing unit 201 acquires (inputs) the editing contents performed by the user using the generated UI (step S102). For example, the policy editing unit 201 generates a policy by arranging values input and selected by the user in the input form according to a predetermined grammar. Next, the policy editing unit 201 generates a policy using the acquired editing content and stores it in the policy storage unit 202 (step S103).

  Next, the constraint editing process (the process in step S200) performed by the constraint editing unit 301 will be described. FIG. 4 is a flowchart showing the constraint editing process. As shown in FIG. 4, the constraint editing unit 301 first generates a UI for editing the constraint and provides the user with the editing method by displaying it to the user (step S201). For example, the constraint editing unit 301 displays a screen of a constraint editing Web page on a display device using a Web interface or the like, and provides a constraint input form to the user.

  In addition, the constraint editing unit 301 acquires (inputs) editing contents performed by the user using the generated UI (step S202). Next, the constraint editing unit 301 generates a constraint using the acquired editing content and stores it in the constraint storage unit 302 (step S203).

  Next, rule comparison processing (processing in step S300) performed by the rule comparison unit 101 will be described. FIG. 5 is a flowchart showing the rule comparison process. As shown in FIG. 5, the rule comparison unit 101 first acquires (extracts) a constraint from the constraint storage unit 302 (step S301). For example, the rule comparison unit 101 reads all constraints stored in the constraint storage unit 302.

  When there are a large number of constraints stored in the constraint storage unit 302, the rule comparison unit 101 is configured to repeat the process of reading one constraint and comparing it with the policy for the number of constraints. May be.

  When the constraint is acquired from the constraint storage unit 302, the rule comparison unit 101 makes an inquiry to the policy management apparatus 200 as to whether or not an unexamined policy exists in the policy storage unit 202 (step S302). If there is no uninspected policy in the policy storage unit 202, the rule comparison unit 101 ends the process (N in step S302).

  If there is an unverified policy in the policy storage unit 202 (Y in step S302), the rule comparison unit 101 reads the unverified policy from the policy storage unit 202 and decomposes it into access rights. Then, the rule comparison unit 101 further generates a rule by assigning a policy ID to the read policy (step S303).

  Next, the rule comparison unit 101 sets the access right described (included) in the generated rule to the access right derived from the access right definition described (included) in the constraint read in step S301. Compare (step S304). Then, the rule comparison unit 101 determines whether there is another rule having an access right that matches the access right derived from the constraint, and extracts a rule having the same access right from the rule storage unit 102 (step S305). If there is no rule with matching access rights, the rule comparison unit 101 returns to the process in step S302 (N in step S305).

  When there is a rule with matching access rights (Y in step S305), the rule comparison unit 101 checks the type of constraint. The rule comparison unit 101 is a rule that requires comparison between rules in determining a constraint violation among rules having an access right that matches the access right derived from the constraint (the rule extracted in the process of step S305). It is determined whether or not there is (step S306).

  Specifically, the rule comparison unit 101 extracts rules that need to be compared with each other. If it is a rule that violates a constraint that is determined independently for a single access right that does not require comparison between rules (that is, it can be said that a constraint is violated when it matches the constraint) (N in step S306) ), The rule comparison means 101 moves to the processing in step S311 and generates a contradiction result.

  When it is determined that the rules need to be compared with each other (Y in step S306), the rule comparison unit 101 is based on the constraint ID described (included) in the constraint and the rule that is the target of the constraint. To generate a new restricted rule. Then, the rule comparison unit 101 stores the newly generated restricted rule in the rule storage unit 102 (step S307).

  Next, the rule comparison unit 101 acquires (extracts) the constraint ID described (included) in the existing constrained rule stored previously from the rule storage unit 102, and creates a newly generated constrained rule. It is compared with the constraint ID described (included) (step S308). Next, the rule comparison unit 101 determines whether there is an existing restricted rule in which a matching constraint ID is described (included) for the constraint ID described (included) in the newly generated restricted rule. Is discriminated (step S309).

  If there is no existing constrained rule with a matching constraint ID, the rule comparison unit 101 determines that the rule from which the newly generated constrained rule is derived is not a constraint violation, and returns to the process in step S302 (step S309). N).

  When there is an existing constrained rule with a matching constraint ID, the rule comparison unit 101 determines whether the rule storage unit 102 is based on the newly generated constrained rule and the existing constrained rule with a matching constraint ID. The access right is acquired (extracted), and it is determined whether or not there is a violation with respect to the content of the constraint having the matching constraint ID (step S310). If not violated (N in step S310), the rule comparison unit 101 determines that the newly generated restricted rule and the rule group of the existing restricted rule are not a constraint violation, and returns to the process in step S302.

  The violation of the constraint content is, for example, when there is a constraint including a plurality of (for example, two) access right definitions such as an SoD constraint, and the same subject s is included in both of the access right definitions. That is true.

  For example, as an example of a constraint, there is a SoD constraint between two constraint domains. More specifically, an SoD constraint having two constraint domains, that is, a constraint domain 1 in which an object is a file 1 and an action is written and a constraint domain 2 in which an object is a file 2 and an action is written can be considered. In the case of this SoD constraint, if a user who can be a subject has a read access right for both file 1 and file 2, or if a read access right and a write access right exist for each, it is a violation of the constraint. Absent. However, the presence of the write access right for both file 1 and file 2 is a constraint violation.

  Further, for example, as another example of the SoD constraint, in three or more constraint domains, a user's access right is allowed to exist in a constraint domain of a certain number or less (for example, two or less), but a certain number or more ( For example, there is a constraint that violates a constraint when it exists in three or more constraint domains. This SoD constraint is used, for example, as a constraint that defines the degree to which authority concentration is allowed for a large number of access rights.

  For example, another example of a constraint is a constraint having one constraint domain, and a constraint violation occurs when an access right corresponding to the constraint domain exists. This restriction is used, for example, as a restriction that defines a prohibited access right.

  For example, another example of a constraint is a constraint having one constraint domain, and there is a constraint that violates a constraint when there is no access right corresponding to the constraint domain. This restriction is used, for example, as a restriction that defines an essential access right.

  Also, for example, as another example of a constraint, a constraint having two or more constraint domains, and when an access right corresponding to one constraint domain exists, an access corresponding to one or more other constraint domains If there is no right, there is a constraint that violates the constraint. For example, in the so-called workflow, this restriction is used as a restriction that does not allow the existence of the access right for the process to be executed in the subsequent stage unless the access right for the process to be executed in the previous stage exists.

  Further, for example, as another example of a constraint, a constraint having two or more constraint domains, and when an access right corresponding to one constraint domain exists, access corresponding to one or more other constraint domains There is a constraint that violates the constraint if the right exists. This restriction is called a dynamic SoD restriction, for example, and a single access right corresponding to each restriction domain does not violate the restriction. However, a restriction violation occurs only when the access right in the previous stage corresponds to a specific restriction domain. Is used as a constraint.

  When the rule group violates the constraint (Y in step S310), the rule comparison unit 101 uses the constraint ID of the constraint, the access right described (included) in the rule, and the policy ID. , Generate contradictory results. Next, the rule comparison unit 101 stores the generated contradiction result in the contradiction result storage unit 104, and returns to the process in step S302 (step S311).

  When verifying the contradiction of access rights, the rule comparison unit 101 treats the rule derived from the policy as a point on the multi-dimensional coordinate space with the access right (a set of s, o, a). For example, when executing the processing in step S310, the rule comparison unit 101 assigns an attribute (constraint ID) indicating a constraint to a point (rule) under the influence of the constraint, and a point with the attribute (constrained rule). It is determined whether or not the subjects (eg, s) in the match. According to such a method, since the relationship of access rights can be compared as a positional relationship in the coordinate space, it is easy to detect contradiction even for complex relationships based on the relationship between a plurality of subjects and objects such as SoD constraints. Extraction can be performed. Note that, when comparing the points on the coordinate space, the rule comparison unit 101 may perform the comparison using a matrix operation on the coordinate values of the points.

  Next, the contradiction result reference process (the process in step S400) performed by the contradiction result reference unit 103 will be described. FIG. 6 is a flowchart showing the contradiction result reference process. As shown in FIG. 6, the contradiction result reference unit 103 first acquires (extracts) a contradiction result from the contradiction result storage unit 104 (step S401). Next, the contradiction result reference unit 103 searches for a constraint corresponding to the constraint ID from the constraint storage unit 302 using the constraint ID described (included) in the acquired contradiction result, and acquires (extracts) it. (Step S402).

  Next, when a constraint is acquired from the constraint storage unit 302, the contradiction result reference unit 103 uses the policy ID described (included) in the acquired contradiction result and corresponds to the policy ID from the policy storage unit 202. The policy to be searched is retrieved and acquired (extracted) (step S403).

  Next, the contradiction result reference means 103 gives detailed information to the acquired constraint and the acquired policy for the acquired contradiction result, generates a contradiction result display UI, and displays the contradiction result on the display device. A screen is displayed and displayed to the user (step S404). For example, the contradiction result reference means 103 takes out necessary parts from the contents of the acquired constraints and policies and displays them as a table or simply displays them together.

  As described above, according to the present embodiment, the access right management system uses a rule storage means as a restricted rule for those access rights subject to restrictions that cannot be determined by a single access right. 102. Then, the rule comparison means 101 of the access right management system compares the access rights included in the plurality of restricted rules. Because of such a configuration, for example, contradiction can be detected and extracted even for a complicated relationship based on a relationship between a plurality of subjects and objects such as SoD constraints.

  Specifically, according to the present embodiment, in the access right management system, the rule derived from the policy is plotted on the coordinate space as a point using the access right (a set of s, o, a), and the constraint An attribute indicating a constraint is assigned to the affected point. By doing so, contradiction can be detected and extracted even for more complicated relationships such as SoD constraints. In other words, by comparing the relationship of access rights as a positional relationship in the coordinate space, it is possible to easily detect and extract inconsistencies even for complex relationships based on the relationship between multiple subjects and objects such as SoD constraints. it can.

  Further, for example, the access right management system described in Patent Document 1 has a problem in that it cannot process conflict detection / extraction at high speed except for a role propagation rule of a single organization. The reason is that the access right management system described in Patent Document 1 assumes that the relationship between subjects and objects can be expressed by a single tree whose depth increases by one. Therefore, access rights that cannot be expressed at a single depth on a single tree, such as subjects or groups of objects in a more general relationship, such as multiple trees based on multiple organizations or concurrent roles across multiple roles. Cannot handle the combination of. As a result, all access rights must be enumerated by humans and simulation tools, and contradictions must be detected and extracted by human confirmation.

  On the other hand, according to the present embodiment, the rule comparison unit 101 further performs an access right comparison process necessary for detecting / extracting contradictions only for rules having the same constraint ID stored in the rule storage unit 102. Limited to. Therefore, even if there is a policy change, it is only necessary to compare when the changed policy is under the influence of the constraint, and if the access rights to be compared are only inspected for those constraints. It will be good.

  That is, according to the present embodiment, the access right management system efficiently detects and extracts contradictions without enumerating all access rights and reexamining them, not just the role propagation rules of a single organization. it can. Therefore, not only the roll propagation rule of a single organization but also the detection and extraction of contradiction can be processed at high speed and efficiently. Even when the policy is changed, it is possible to efficiently detect and extract contradictions without enumerating all access rights and reexamining them.

  In other words, the access right comparison process necessary to detect and extract contradictions is performed in the coordinate space and is limited to only those points with attributes indicating constraints. Inconsistency detection / extraction can be processed quickly and efficiently. By doing so, the comparison process is simply a comparison between coordinates, and the comparison process can be omitted for points unrelated to the constraints.

  Next, the minimum configuration of the access right management system according to the present invention will be described. FIG. 7 is a configuration diagram showing a minimum configuration example of the access right management system. As shown in FIG. 7, the access right management system includes a rule comparison unit 101 and a rule storage unit 102 as minimum components.

  In the access right management system with the minimum configuration shown in FIG. 7, the rule comparison means 101 generates a rule with a constraint in which an attribute specifying a restriction is given to an access right derived from a policy including an access right definition. A function for storing in the storage means 102 is provided. Further, the rule comparison unit 101 compares the positional relationship in the coordinate space of the points using the values constituting the access right for the access rights included in the restricted rule stored in the rule storage unit 102. It has a function to verify the contradiction of access rights.

  According to the minimum configuration access right management system shown in FIG. 7, it is possible to detect and extract contradiction even for more complicated relationships such as SoD constraints.

  In this embodiment, the characteristic configuration of the access right management system as shown in the following (1) to (5) is shown.

(1) The access right management system is an access right management system that verifies inconsistencies in access rights, and is an attribute (for example, constraint ID) that specifies restrictions on access rights derived from a policy including access right definitions. A rule with restrictions is generated and stored in a rule storage means (for example, realized by the rule storage means 102), and the access rights included in the restricted rules stored in the rule storage means are targeted. Rule comparison means (for example, by the rule comparison means 101) that verifies the contradiction of the access right by comparing the positional relationship in the coordinate space of the points (for example, coordinate values corresponding to the rule) using the values constituting the access right. To be realized).

(2) The access right management system is an access right management system that verifies the contradiction of access rights, and takes at least one of a subject, an object, or an action that is a value constituting the access right as a coordinate axis. By expressing one access right as one point on the coordinate space, expressing a set of access rights as an area on the coordinate space, and restricting the access right to one or more in the coordinate space By defining points in advance as placement patterns that should or should not be placed on a region, the point of access right derived from a policy that includes the access right definition is within the restricted region. If the access right is related to the restriction, an identifier indicating that it corresponds to the area of the restriction is added. A constrained rule is generated and stored in a rule storage unit (for example, realized by the rule storage unit 102) and stored in the rule storage unit to verify whether the access right satisfies the constraint. Only access rights with identifiers related to the same restrictions as the access rights included in the rule are to be verified, and verify whether the access rights to be verified are in the arrangement pattern described in the restrictions. Thus, it may be configured to include a rule comparison unit (for example, realized by the rule comparison unit 101) for verifying whether there is a contradiction in access rights.

(3) In the access right management system, the rule comparison means accesses by comparing the positional relationship in the coordinate space, assuming that only the points to which the attribute specifying the constraint is given are compared in the coordinate space. It may be configured to verify a conflict of rights.

(4) In the access right management system, when there is another rule that matches the access right derived from the constraint in the generated constrained rule, the rule comparison means, when the derived access right is single, You may be comprised so that it may determine with the contradiction of the access right having arisen.

(5) In the access right management system, the rule comparison unit may be configured to verify the contradiction of access rights in the SoD constraint based on the relationship between a plurality of subjects or objects.

  The present invention can be applied to uses for verifying inconsistencies in access rights. In particular, the present invention can be suitably applied to an access right management system that performs inconsistency verification of access rights for constraints based on the relationship between a plurality of subjects and objects such as SoD constraints.

It is a system configuration | structure figure which shows one structural example of the access right management system by this invention. It is a flowchart which shows the whole process of an access right management system. It is a flowchart which shows the policy edit process in a policy edit means. It is a flowchart which shows the constraint edit process in a constraint edit means. It is a flowchart which shows the rule comparison process in a rule comparison means. It is a flowchart which shows the contradiction result reference process in a contradiction result reference means. It is a block diagram which shows the minimum structural example of an access right management system.

Explanation of symbols

100 Contradiction verification device 101 Rule comparison unit 102 Rule storage unit 103 Contradiction result reference unit 104 Contradiction result storage unit 200 Policy management unit 201 Policy editing unit 202 Policy storage unit 300 Constraint management unit 301 Constraint editing unit 302 Constraint storage unit

Claims (13)

An access right management method for verifying inconsistencies in access rights,
Based on the range of access rights targeted by the constraint that serves as the basis for inconsistency verification, a rule is created by generating a restricted rule with an attribute specifying the constraint for the access right derived from the policy that includes the access right definition Stored in storage means,
For access rights included in the restricted rules stored in the rule storage means, verify the contradiction of access rights by comparing the positional relationship in the coordinate space of the points using the values constituting the access rights An access right management method characterized by: An access right management method for verifying inconsistencies in access rights,
By representing at least one of the subject, object or action, which is a value constituting the access right, on the coordinate axis, one access right is represented as one point on the coordinate space, and a set of access rights is represented. Expressed as a region in the coordinate space,
A policy including an access right definition is defined by predefining a restriction to be satisfied by the access right as an arrangement pattern in which a point should not be or should be arranged in one or more areas on the coordinate space. If the access right point derived from is within the restriction target area, a restriction rule with an identifier indicating that the access right is related to the restriction is generated. Stored in the rule storage means,
In order to verify whether or not the access right satisfies the restriction, only the access right with an identifier related to the same restriction as the access right included in the restricted rule stored in the rule storage unit is to be verified, An access right management method characterized by verifying whether or not there is a contradiction in access rights by verifying whether the access rights to be verified are in an arrangement pattern described in a constraint.   The access according to claim 1 or 2, wherein the inconsistency of the access right is verified by comparing the positional relationship in the coordinate space only with respect to the point to which the attribute specifying the constraint is given in the coordinate space. Rights management method.   2. When there is another rule that matches the access right derived from the restriction in the generated constrained rule, and it is determined that the access right contradiction occurs when the derived access right is single. The access right management method according to any one of claims 1 to 3.   The access right management method according to any one of claims 1 to 4, wherein inconsistencies in access rights in a SoD constraint based on a plurality of subjects or object relationships are verified. An access right management system for verifying inconsistencies in access rights,
Generate a constrained rule to which an attribute specifying a constraint is assigned to an access right derived from a policy including an access right definition, and store the constrained rule in the rule storage unit. Access comprising a rule comparison means for verifying inconsistencies in access rights by comparing the positional relationship of the points using the values constituting the access rights in the coordinate space for the included access rights Rights management system. An access right management system for verifying inconsistencies in access rights,
By representing at least one of the subject, object or action, which is a value constituting the access right, on the coordinate axis, one access right is represented as one point on the coordinate space, and a set of access rights is represented. Expressed as an area in the coordinate space, and the constraints that the access right should satisfy are defined in advance as an arrangement pattern in which points should not be or must be arranged for one or more areas in the coordinate space Thus, if the access right point derived from the policy including the access right definition is within the restriction target area, the identifier indicating that the access right is related to the restriction and that it corresponds to the restriction area. Generates a restricted rule with the added and stores it in the rule storage means to check whether the access right satisfies the restriction. In order to verify, only the access right with an identifier related to the same restriction as the access right included in the restricted rule stored in the rule storage means is to be verified, and the point of the access right to be verified is the restriction An access right management system comprising rule comparison means for verifying whether or not there is a contradiction in access rights by verifying whether or not the arrangement pattern described in FIG.   The rule comparison unit verifies the contradiction of access rights by comparing the positional relationship in the coordinate space, assuming that only the points to which the attribute specifying the constraint is given are compared in the coordinate space. Or the access right management system of Claim 7.   When there is another rule that matches the access right derived from the constraint in the generated restricted rule, the rule comparison means indicates that the access right contradiction occurs when the derived access right is single. The access right management system according to any one of claims 6 to 8, wherein the access right management system is determined.   The access right management system according to any one of claims 6 to 9, wherein the rule comparison unit verifies an inconsistency of access rights in the SoD constraint based on a plurality of subjects or object relationships. An access right management program for verifying inconsistencies in access rights,
On the computer,
Based on the range of access rights targeted by the constraint that serves as the basis for inconsistency verification, a rule is created by generating a restricted rule with an attribute specifying the constraint for the access right derived from the policy that includes the access right definition Processing to store in the storage means;
For access rights included in the restricted rules stored in the rule storage means, verify the contradiction of access rights by comparing the positional relationship in the coordinate space of the points using the values constituting the access rights A program for managing access rights to execute An access right management program for verifying inconsistencies in access rights,
On the computer,
By representing at least one of the subject, object or action, which is a value constituting the access right, on the coordinate axis, one access right is represented as one point on the coordinate space, and a set of access rights is represented. Expressed as an area in the coordinate space, and the constraints that the access right should satisfy are defined in advance as an arrangement pattern in which points should not be or must be arranged for one or more areas in the coordinate space Thus, if the access right point derived from the policy including the access right definition is within the restriction target area, the identifier indicating that the access right is related to the restriction and that it corresponds to the restriction area. A process for generating a restricted rule to which is added and storing it in the rule storage means;
In order to verify whether or not the access right satisfies the restriction, only the access right with an identifier related to the same restriction as the access right included in the restricted rule stored in the rule storage unit is to be verified, An access right management program for executing a process of verifying whether there is a contradiction in access rights by verifying whether the access rights to be verified are in the arrangement pattern described in the constraint. On the computer,
The processing for verifying the contradiction of access rights is performed by comparing the positional relationship in the coordinate space only with respect to the point to which the attribute specifying the constraint is given in the coordinate space. 12. The access right management program according to 12.

Images