JP2010287171A - Apparatus and method for visualizing access control, and program of the same - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To implement a user interface allowing a person who sets rules for controlling access to data to easily find setting errors. <P>SOLUTION: An access control visualization apparatus includes a database for storing data, a rule application part for applying one or more predetermined access control rules to the data sequentially in a predetermined application order to refine the data stepwise, and a display part for displaying the one or more predetermined access control rules onscreen in the predetermined application order in a predetermined spaced array, and displaying the data refined by each access control rule between the display of the access control rule and the display of the access control rule to be applied next. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to an access control visualization method, an access control visualization device, and a program therefor for setting access control for various types of information used on a system used by a plurality of people.

  With the spread of Web systems in recent years, a system is often shared and used by a plurality of people. Some of the information used on this system requires access control, such as personal information and business secret information. Access control is composed of a plurality of rules, and the rules include target users, target information, and target operation conditions. Examples of target users include managers and general employees. Examples of target information include personal information. Examples of target operations include operations such as writing and reading. Further, depending on the type of information, detailed conditions can be given. Examples of the detailed conditions include “an employee can read personal information from 9 am to 5 pm”.

  Conventionally, a tabular interface disclosed in Non-Patent Documents 1 to 3 and the like is used as a user interface for confirming a setting state during or after setting an access control rule. As an example of a tabular user interface, there is an example in which access control rules are displayed in rows and target groups, target data, and permitted processes are displayed in columns. The tabular interface has an advantage that a plurality of rules can be looked down because the target group, target data, and permitted processes are arranged and displayed in columns. FIG. 3 and FIG. 10 show an example in which the access control rule is expressed in a tabular format for combinations of target users and target information and target operations. FIG. 3 is a table listing access control rules for data set in a system in which a part-time job shares and checks a customer's telephone number. It is possible to overlook the setting contents regarding what data items in the user DB can be accessed under what write conditions and read conditions. FIG. 10 is a table listing access control rules for data set in a system in which participants predict the outcome of sports matches. It is possible to overlook the setting contents as to what data items in the game day DB and the win / loss prediction DB can be accessed under what write conditions and read conditions.

J. Karat, C. Karat, C. Brodie and J. Feng, "Privacy in information technology: Designing to enable privacy policy management in organizations", Int. J. Human-Computer Studies 63, 2005, p.153-174 P. Inglesant, MASasse, D. Chadwick and LLShi, "Expressions of Expertness: The Virtuous Circle of Natural Language for Access Control Policy Specification", In Proceedings of the 4th Symposium on Usable Privacy and Security (SOUP '08), July 2005, p.77-88 K.Vaniea, L.Cranor, Q.Ni and E.Bertino, "Access Control Policy Analysis and Visualization Tools for Security Professionals", [online], [Search May 14, 2009], Internet <URL: http: //www.cs.purdue.edu/homes/ni/file/soups08.pdf>

  The tabular interface cannot present narrowed-down data obtained by applying each rule sequentially to information (various data accumulated in the database) or narrowed-down data after all rules have been applied. Therefore, there is a problem that it is difficult for a person who sets the rule (mainly a system administrator) to find an error in the detailed condition.

  An object of the present invention is to narrow down data to be disclosed by sequentially applying access control rules to data according to user attributes and the like, and simultaneously and step by step how the applied rules and how data has been narrowed down. By displaying, an object is to realize an access control visualization device, an access control visualization method, and a program thereof that support the discovery of a setting error when a person who sets a rule confirms the setting.

  The access control visualization device of the present invention includes a database for storing data, and a rule application unit that narrows down the data in stages by sequentially applying a predetermined one or more access control rules to the data according to a predetermined application order; The predetermined one or more access control rules are arranged and displayed on the screen at predetermined intervals according to the predetermined application order, and the data after narrowing down by each access control rule is displayed next to each access control rule. And a display unit for displaying each of the access control rules to be applied.

  According to the access control visualization device of the present invention, the access control rules are sequentially applied to the data according to the user attributes and the like to narrow down the disclosed data, and the applied rules and how the data has been narrowed down by the applied rules. By displaying simultaneously and gradually, it becomes easy for a person who sets the rule to find a setting error when checking the setting.

FIG. 3 is a diagram illustrating a functional configuration example of an access control visualization apparatus 100. The figure which shows the example of a processing flow of the access control visualization apparatus. The figure which shows an example of the access control rule of a tabular form. The figure which shows an example of the database which applies the access control rule of FIG. The figure which shows the example of a display in the display part 130 at the time of applying the access control rule of FIG. 3 to the database of FIG. The figure (1/4) which shows another example of a display in display part 130 at the time of applying the access control rule of Drawing 3 to the database of Drawing 4. The figure (2/4) which shows another example of a display in the display part 130 at the time of applying the access control rule of FIG. 3 to the database of FIG. The figure (3/4) which shows another example of a display in the display part 130 at the time of applying the access control rule of FIG. 3 to the database of FIG. The figure (4/4) which shows another example of a display in the display part 130 at the time of applying the access control rule of FIG. 3 to the database of FIG. The figure which shows another example of the access control rule of a table format. The figure which shows an example of the database which applies the access control rule of FIG. FIG. 13 is a diagram showing a display example on the display unit 130 when the access control rule of FIG. 10 is applied to the database of FIG. 11. FIG. 14 is a diagram (1/4) illustrating another display example on the display unit 130 when the access control rule of FIG. 10 is applied to the database of FIG. FIG. 14 is a diagram (2/4) illustrating another display example on the display unit 130 when the access control rule of FIG. 10 is applied to the database of FIG. FIG. 13 is a diagram (3/4) illustrating another display example on the display unit 130 when the access control rule of FIG. 10 is applied to the database of FIG. The figure (4/4) which shows another example of a display in the display part 130 at the time of applying the access control rule of FIG. 10 to the database of FIG. The figure which shows the access control rule containing an error corresponding to the access control rule of FIG. The figure which shows the access control rule containing an error corresponding to the access control rule of FIG.

  FIG. 1 shows a functional configuration example of the access control visualization apparatus 100, and FIG.

  The access control visualization apparatus 100 includes a database 110 that stores data, and a rule application unit 120 that performs stepwise narrowing by sequentially applying a predetermined one or more access control rules to the data according to a predetermined application order (execute S1). Each access control rule is arranged and displayed on the screen at a predetermined interval (for example, from top to bottom or from left to right) according to a predetermined application order, and the data after narrowing down by each access control rule is subjected to the access control. A display unit 130 (execute S2) is provided between the display of the rule and the display of the access control rule applied next.

  As for the access control rule, for example, a completed version having the contents shown in FIGS. 3 and 10 may be stored in the rule application unit 120 in advance, and may be used. Input may be performed as input → narrowing → input → narrowing →... Also, these are combined and once the entire version is displayed, the rules are corrected by individual input from the input unit 131 as necessary (S11), and the narrowed data after the correction rule is applied by the rule application unit 120 May be generated (S12) and displayed again on the display unit 130 (S13). When the database 110 and the rule application unit 120 are arranged on the server side, and the display unit 130 (and the input unit 131) is arranged on the client side, a screen on the client side can be obtained by using the completed version for the access control rule. It can be expected that the processing at the time of display generation will be light. On the other hand, when entering rules individually, a transaction occurs with the server each time the client inputs, so the processing is generally heavier than using the finished version, but the rules are entered while checking the refinement process. There is a merit that you can.

  When displaying on the display unit 130, the data before and after each narrowing may be displayed in a lump, or the data after narrowing down step by step automatically every time a rule is applied, either automatically at an arbitrary time interval or by a mouse click or keystroke. May be displayed.

  Further, the process before and after the data is narrowed down by the rule may be dynamically expressed by animation or the like. For example, each time the data to be refined is slid on the screen and the data to be refined overlaps the already displayed rule display, the display contents of the data are the data before and after application of the rule. It can be expressed by a series of dynamic display processes that change and narrow down in stages.

  More specifically, first, the data to be narrowed down is displayed at the top of the screen, and one or more rules to be applied for narrowing down are displayed below the data display from the top to the bottom of the screen in a predetermined application order. . Here, a space necessary for displaying the data after applying the rule is left between each rule display. Next, the data display to be narrowed down is moved so as to flow down from the top to the bottom of the screen by a predetermined trigger such as pressing a “play” button appropriately provided on the screen. The data display moving path is set so that the data display passes through the rule displays in the predetermined order. Before the data display passes through each rule display, the data before the rule application is fixedly displayed in the space above the rule display. Subsequently, after the data display passes the rule display, the data after the rule application is fixedly displayed in a space below the rule display. After that, if there is a rule display that has not been applied yet on the data display movement path, the screen is the same as above by applying the next rule with the data after applying the previous rule as the data before applying the next rule. Perform display processing. When the data display passes through all the rule displays displayed on the screen, candidate data to be reflected in the system is displayed below the last rule display. A rule setter such as a system administrator confirms the suitability of the rules by checking the candidate data. Note that, in view of a visual effect, the fixed display of each data that is being narrowed down other than the candidate data may be displayed lightly after the data display is moved.

A specific implementation example of the display process in the display unit 130 is shown below (preconditions and 1 to 4).
Precondition.
Data is stored in the database 110 in advance.
Screen display control rules (such as a program for displaying a series of animations) are stored in advance on the display unit 130.
1.1 or more access control rules (restriction conditions) and the order in which these rules are applied are set. Note that it is not always necessary to use a rule that has been stored in advance, and the rule may be manually input or selected from previously prepared options.
2. The screen display is instructed by pressing the “Display” button.
3. Screen information is generated based on the setting of “1”, and data is sequentially narrowed down according to the rule application order set in “1”, and this information is stored. Specifically, “data before narrowing down”, “access control rule” that is a narrowing condition, “data after narrowing down”, and their order relationship are stored (in a memory or the like).
4). Displays the stored screen information. At this time, when displaying the narrowed-down data by an animation that moves from top to bottom, it is displayed based on a screen display control rule stored in advance. Note that the display by animation may use any display method as long as it represents a data flow.

The access control rule shown in FIG. 3 includes two databases, a customer DB as shown in FIG. 4 (a) and a user DB as shown in FIG. 4 (b) in a system in which a part-time job shares and checks a customer's telephone number. This is an example of a rule used when data is narrowed down. Specifically, the following rules are defined.
(i-1) The employee can write information in the customer DB and the user DB.
(i-2) The employee can read (reference) information from the customer DB and the user DB.
(i-3) The part-time job can read information of a customer who is in charge of the customer DB and whose “check” item is “not yet”.
(i-4) The part-time job can overwrite the “check” item of the customer in charge in the customer DB with “done”.

  FIG. 5 shows a display example on the display unit 130 when the access control rule having such contents is applied to each DB. For example, when narrowing down the data of the customer DB to “user” “γ” whose “role” is “part-time job”, the rule application unit 120 acquires (a) the data of the customer DB from the database 110, and (b) Narrow down the data in which “Responsible” is “γ” and “Check” item is “unchecked” (Rule (i-3)), and (c) Only the “Check” item can be overwritten to “Done” (Rule ( i-4)) is performed on the screen together with the rule to which the data before and after applying the rule is applied on the display unit 130 after performing the stepwise narrowing process. When displaying, the narrowing process of (a) → (a) (b) → (a) (b) (c) may be displayed at once, or may be displayed stepwise at an arbitrary time interval. Then, it may be displayed step by step (a) → (a) (b) → (a) (b) (c) by mouse click or keyboard keystroke. These series of displays are for the setter, and when the user uses the system, only (c), which is a narrowing result, is displayed as an interface screen (the shaded portion is a portion that cannot be corrected by the user). Further, it may be dynamically expressed by animation or the like. An example is shown in FIGS. The data to be narrowed down and the rules to be applied are the same as in FIG. The state in which the data before narrowing and the two rules applied to narrowing in FIG. 6 (a) are displayed is the initial state. When the button on the screen is pressed, the data display before narrowing down slides downward as shown in FIG. 6B, gradually overlaps the first rule display, and eventually passes as shown in FIG. As shown in (a) and (b), data after narrowing down according to the first rule is displayed. Note that the data before narrowing down according to the first rule is displayed lightly above the first rule display as shown in FIGS. 6 (b) and 7 (a) (b) even after the data display slide starts. Continue to be. Subsequently, as shown in FIG. 8 (a), the data display after narrowing down by the first rule slides further downward, gradually overlaps with the second rule display, and eventually passes to pass through FIG. As shown in b) and FIG. 9, the data after narrowing down by the second rule is displayed. It should be noted that the data before narrowing down by the second rule (= data after narrowing down by the first rule) is 2 even after the start of the data display slide, as shown in FIGS. It continues to appear lightly above the first rule display.

  In this manner, a rule setter such as a system administrator can easily confirm whether or not necessary access settings are appropriate from the displayed rules and corresponding data before and after narrowing down.

Further, the access control rule shown in FIG. 10 is based on a user DB as shown in FIG. 11 (a) and a game date DB as shown in FIG. 11 (b) in a system in which participants predict the outcome of a sport game. It is an example of what is used when data is narrowed down from three databases such as a win / loss prediction DB as shown in FIG. Specifically, the following rules are defined.
(ii-1) The administrator can read (reference) all information.
(ii-2) The administrator can write all information.
(ii-3) Participants can read (refer to) information on match dates.
(ii-4) The participant can read (refer to) the winning / losing prediction text from the day of the match date.
(ii-5) Participants can write a statement of the winning or losing prediction from tomorrow to the day before the match date with their own name.

  FIG. 12 shows a display example on the display unit 130 when the access control rule having such contents is applied to each DB. In this example, the display is performed on February 20, 2009. For example, when narrowing down the data of the winning / losing prediction DB to “user ID” “Tanaka” whose “role” is “participant”, the rule applying unit 120 acquires (a) the data of the winning / losing prediction DB from the database 110. (B) Narrow down the data (game ID is gameA or gameB) until “user ID” is “Tanaka” and “game date” is February 20, 2009 (rule (ii-4)), (c ) It is possible to write the text of the prediction of winning or losing by the name of my name after February 21, 2009 by the day before the “game day” (in this example, gameC is applicable) (Rule (ii-5)) In this way, after performing the step-by-step narrowing process, the display unit 130 displays the data before and after applying the rule together with the rule to which the data is applied on the screen. At the time of display, as in the example of FIG. 5, the narrowing process of (a) → (a) (b) → (a) (b) (c) may be displayed at once, or step by step at an arbitrary time interval. Or (a) → (a) (b) → (a) (b) (c). These series of displays are for the setter, and when the user uses the system, only the result of narrowing down (c) is displayed as the interface screen (the user satisfies the writing requirements in the non-shaded part) You can write match ID and win / loss prediction comments). Further, it may be dynamically expressed by animation or the like. An example is shown in FIGS. The data to be narrowed down and the rules to be applied are the same as in FIG. The state in which the data before narrowing and the two rules applied to narrowing in FIG. 13A are displayed is the initial state. When the button on the screen is pressed, the data display before narrowing down slides downward on the page as shown in FIG. 13B, and gradually overlaps the first rule display. As shown in (a) and (b), data after narrowing down according to the first rule is displayed. The data before narrowing down according to the first rule is displayed lightly above the first rule display as shown in FIGS. 13 (b) and 14 (a) (b) even after the data display slide starts. Continue to be. Subsequently, as shown in FIG. 15 (a), the data display after narrowing down according to the first rule slides further downward, gradually overlaps with the second rule display, and eventually passes to pass through FIG. As shown in b) and FIG. 16, the data after narrowing down by the second rule is displayed. Note that the data before narrowing down according to the second rule (= data after narrowing down according to the first rule) is 2 even after the start of the data display slide, as shown in FIGS. It continues to appear lightly above the first rule display.

  In this manner, a rule setter such as a system administrator can easily confirm whether or not necessary access settings are appropriate from the displayed rules and corresponding data before and after narrowing down.

  By configuring the access control visualization device as described above, the access control rules are sequentially applied according to the user's attributes, etc., to narrow down the disclosed data, and the applied rules and how the data has been narrowed down accordingly Are displayed at the same time and step by step so that it is easy for a person who sets a rule to find a setting error when checking the setting. Note that a configuration may be adopted in which the screen display of the present invention is transitioned to, for example, by clicking the screen display of the tabular access control rule as shown in FIG. 3 or FIG.

  If it is determined that the setting is appropriate as a result of checking the access control setting by the access control visualization apparatus of the present invention, the setting is reflected in the system. On the other hand, if a setting error is found, the setting is corrected as appropriate. The refined data to which the corrected rule is applied is checked again, and if it is determined to be appropriate, the setting is reflected in the system.

  When the above access control visualization device is realized by a computer, the processing contents of the functions that each device should have are described by a program. The processing functions are realized on the computer by executing the program on the computer. In this case, at least a part of the processing content may be realized by hardware. Further, the various processes described above are not only executed in time series according to the description, but may be executed in parallel or individually according to the processing capability of the apparatus that executes the processes or as necessary. In addition, it can change suitably in the range which does not deviate from the meaning of this invention.

[Verification of effects]
The access control rule shown in FIG. 3 and FIG. 10 is set as the correct answer, and the access control rule in which four setting errors are embedded is displayed in the conventional table format (FIG. 17 and FIG. ) And a test for finding a setting error was performed on 10 subjects. As a result, 9 out of 10 people overlooked some errors in the conventional table format, but when the display format of the present invention was used in combination with the conventional table format, 6 out of 10 people found all errors, The effect of the invention was confirmed.

Claims (9)

A database for storing data;
A rule application unit that narrows down the data in stages by sequentially applying a predetermined one or more access control rules to the data according to a predetermined application order;
The predetermined one or more access control rules are arranged and displayed on the screen at predetermined intervals according to the predetermined application order, and the data after narrowing down by each access control rule is displayed next to each access control rule. A display unit for displaying between the display of the applied access control rules,
An access control visualization device comprising: The access control visualization device according to claim 1,
The access control visualization device characterized in that the predetermined one or more access control rules are prepared in advance or sequentially input. The access control visualization device according to claim 1 or 2,
The access control visualization apparatus, wherein the display unit displays the narrowed-down data stepwise in accordance with the application order of the access control rules. The access control visualization device according to any one of claims 1 to 3,
An input unit for correcting and inputting an access control rule applied to the filtered data;
The rule applying unit applies the modified access control rule to the data before narrowing down and narrows down again,
The access control visualization apparatus, wherein the display unit can refer to the data before narrowing down, the data after narrowing down again, and the access control rule used for narrowing down again. A rule applying step in which the rule applying unit narrows down the data in stages by sequentially applying predetermined one or more access control rules to the data stored in the database according to a predetermined application order;
The display unit displays the predetermined one or more access control rules arranged on the screen at predetermined intervals according to the predetermined application order, and displays the data after narrowing down by each access control rule. A display step for displaying between each of the access control rules and the display of the next applied access control rule,
Access control visualization method to execute. The access control visualization method according to claim 5,
The access control visualization method, wherein the one or more predetermined access control rules are prepared in advance or sequentially input. The access control visualization method according to any one of claims 5 and 6,
The display step includes a step of displaying the narrowed-down data stepwise in accordance with the application order of the access control rules. The access control visualization method according to any one of claims 5 to 7,
An input step for modifying and entering the access control rule after the display step;
A correction rule application step of applying the modified input access control rule to the data before narrowing down and narrowing down again;
A re-displaying step for making it possible to refer to the data before narrowing down, the data after narrowing down again, and the access control rule used for narrowing down again;
An access control visualization method for further executing.   The program for functioning a computer as an access control visualization apparatus in any one of Claims 1 thru | or 4.

Images