JP2014137648A - Access control system and access control method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an access control system and access control method which can limit access to information other than the original purpose, and have a reduced load for an information management server.SOLUTION: An information processing device 100 comprises means 101 which transmits a token issue request to a rule management device 300 when information is required to process a task. The rule management device 300 comprises means 302 which determines whether or not the information processing device 100 has access authority for the information when the token issue request is received, and means 303 and 301 which generate a signed token and transmit it to the information processing device 100 when the device has the access authority. An information management device 200 comprises means 202 which performs signature verification when the signed token is received from the information processing device 100, and means 203 and 201 which transmit the information requested by the information processing device 100 to the information processing device 100 when the signature verification succeeds.

Description

  The present invention relates to an access control system and an access control method for controlling access to information by an accessor.

  Access control technology for preventing unauthorized access to information is an indispensable technology for preventing information leakage and unauthorized use. Conventionally, access control to information has been performed by setting an access right for authority such as a user who refers to information or a post of the user (see, for example, Non-Patent Document 1). A conventional access control technique will be described below.

  FIG. 3 is a diagram showing a configuration of an information management server used in a conventional access control technique. The information management server 1000 is a server that manages various information related to individuals and the like, and includes a communication unit 1001, an access authority check unit 1002, an information search unit 1003, an access authority table T1001, and an information table T1002.

  A communication unit 1001 communicates with other servers via a network. The access authority check unit 1002 searches the access authority table T1001 based on information sent from the client terminal and checks whether there is access authority.

  The access authority table T1001 is a table that associates a user ID or authority type with an information type code. Table 1 shows an example of the access authority table T1001. As for the authority type, for example, if only members belonging to “XXX section” can access the information type code 40, “XXX section” is described as the symbol “A” and described in the column of the table. deep. As the authority type, a title such as “section manager or higher” may be described as a symbol “B”. The access authority check unit 1002 checks the access authority to the information type code in the access authority table T1001 based on the user ID or the authority type.

  The information search unit 1003 searches the information table T1002 for information after the validity of the access right is confirmed.

  The information table T1002 includes a personal code for identifying an individual, an information type code indicating the type of information, and an information entity. Table 2 shows an example of the information table T1002. The information search unit 1003 searches the information table T1002 with the personal code and the information type code, and acquires an information entity.

  A processing procedure in the prior art will be described with reference to FIG. First, the communication unit 1001 acquires a user ID or authority type, an information type code, and a personal code sent from the outside such as a client terminal. Next, the access authority check unit 1002 searches the access authority table T1001 using the user ID or authority type acquired by the communication unit 1001 and the information type code. If there is a matching record, a signal indicating that there is an access authority is sent to the information search unit 1003, and if there is no matching record, a signal indicating that there is no access authority is sent to the communication unit 1001.

  Next, when the check by the access authority check unit 1002 is OK, the information search unit 1003 searches the information table T1002 with the personal code and information type code acquired by the communication unit 1001, and acquires the information entity. To the communication unit 1001. Finally, the communication unit 1001 transmits the obtained result (the information entity obtained by the information search unit 1003 or the NG signal obtained by the access authority check unit 1002) to an external access destination such as a client terminal. .

[Online], access control matrix, [search January 7, 2013], Internet <URL: http://www.jpo.go.jp/shiryou/s_sonota/hyoujun_gijutsu/info_sec_tech/c-2-1.html >

  In the case of the prior art, the access right is set for the user who refers to the information or the post of the user, so that the access can be made according to the intention of the user having the access right. For this reason, unauthorized access is possible, for example, because a person with access rights has malicious intent. For example, in the public sector, the user first registers information in the application work, and processing is performed after confirmation by a public institution staff. However, in the conventional access right setting method, the access right is set for the staff. , I was able to access user information at times other than application work. Access to information is defined in advance by rules (bylaws, laws and regulations), and there has been a demand for a mechanism that allows access to information only in accordance with these rules.

  In the case of the prior art, since the access control function is prepared for each server that holds information, for example, when performing access control according to laws and regulations, when changing the access control function, The change work has to be performed on all the servers that are owned, which has been a cumbersome work.

  Furthermore, since the information management server responds to information requests from clients, it is necessary to authorize processing even a little. Therefore, there has been a demand for a mechanism that can easily change the access control function and reduce the load on the information management server.

  An object of the present invention made in view of such problems is to provide an access control system and an access control method that can restrict access to information other than the purpose to be originally accessed and have a low load on the information management server. It is to provide.

  An access control system comprising an information processing device for processing a business, an information management device for providing information, and a rule management device for checking access authority, which are connected to each other via a network, When the information is required when processing, the token management request means for transmitting a token issue request to the rule management device, and the rule management device receives the token issue request, An access authority determination unit that determines whether or not the device has an access authority to the information, and generates a signed token when the access authority determination unit determines that the apparatus has the access authority And token generating means for transmitting the signed token to the information processing apparatus, and the information management apparatus When the signed token is received from the information processing device, a verification unit that performs signature verification of the signed token, and information that the information processing device requests when the verification unit succeeds in the signature verification. And an information acquisition means for transmitting to the information processing apparatus.

  In addition, an access control method according to the present invention provides an access to a system that includes an information processing device that processes business, an information management device that provides information, and a rule management device that checks access authority, connected to each other via a network. In the control method, when the information processing apparatus needs information when processing a task, a token issuance request step for transmitting a token issuance request to the rule management apparatus, and the rule management apparatus, Upon receiving the token issue request, an access authority determining step for determining whether or not the information processing apparatus has an access authority for the information, and the access authority determining step by the rule management apparatus in the access authority determining step. If it is determined that the token is included, a signed token is generated and the signed token A token generating step for transmitting a token to the information processing device, a verification step for performing signature verification of the signed token when the information management device receives the signed token from the information processing device, and the information An information acquisition step of transmitting information requested by the information processing apparatus to the information processing apparatus when the management apparatus succeeds in signature verification in the verification step.

  According to the present invention, since the access authority to information is linked to a procedure such as business, access to information can be permitted only during the procedure such as business. Since the information cannot be accessed after the procedure is completed, there is an advantage that the access time to the information can be limited within the procedure.

  Further, according to the present invention, the access control function is separated from the server that holds the information, so that the rule management server searches the rule table and the rule information even when the access authority is changed due to a rule change or the like. Therefore, the access control function can be changed more efficiently than in the prior art.

  Furthermore, according to the present invention, the information management server can easily provide the information by checking whether or not the information can be provided simply by requesting the information provision request from the client without requesting the rule management server to perform the access authority check. It is possible to reduce resources of the information management server (realization with an inexpensive server).

It is a figure which shows the structure of the access control system which concerns on embodiment of this invention. It is a flowchart which shows the process sequence of the access control method which concerns on embodiment of this invention. It is a figure which shows the structure of the information management server used in the conventional access control technique.

  Embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a diagram showing a configuration of an access control system according to an embodiment of the present invention. The access control system shown in FIG. 1 includes a client terminal (information processing apparatus) 100 connected to a network 400, an information management server (information management apparatus) 200, and a rule management server (rule management apparatus) 300.

  The client terminal 100 is a device that processes business, and includes a communication unit 101, an input unit 102, an output unit 103, a business processing unit 104, and an information inquiry destination table T101.

  The communication unit 101 communicates with the information management server 200 and the rule management server 300 via the network 400. For example, when information is required when processing a business, a token issuance request is transmitted to the rule management server 300

  The input unit 102 performs input to the client terminal 100 from the outside.

  The output unit 103 outputs the processing result in the client terminal 100 and the like from the client terminal 100 to the outside.

  The job processing unit 104 executes a job in accordance with an instruction from the input unit 102, and executes the job using information to which an information type code is assigned. The business processing unit 104 performs business using various information such as name and address. The information type code is a code assigned to the type of information such as name and address used for this business. It is. For example, name: 10, address: 20, occupation: 30, annual income: 40, permanent address: 50, and the like.

  The business processing unit 104 stores a business ID 105 for business processing executed on the client terminal 100 and a client code 106 that is a code for uniquely identifying the client terminal 100 in the network.

  Further, when using information to which an information type code is assigned in business processing, the business processing unit 104 searches the information inquiry destination table T101 with the information type code.

  The information inquiry destination table T101 is a table that associates information related to information necessary for the business processing unit 104 and the information management server 200 that stores the information. Table 3 shows an example of the information inquiry destination table T101.

  The information management server 200 is a server that provides information, and includes a communication unit 201, a condition check unit 202, an information search unit 203, and an information table T201.

  The communication unit 201 communicates with the client terminal 100 via the network 400.

  The condition check unit 202 performs signature verification of the signed token generated by the rule management server 300 and received via the client terminal 100 to confirm the validity. When the signature verification is successful (that is, when the validity of the signed token is confirmed), the condition check unit 202 further stores the client code stored in the signed token and the client received from the client terminal 100. You may make it collate with a code | cord | chord.

  The information search unit 203 acquires the information requested by the client terminal 100 from the information table T201 that stores the information when the signature verification by the condition check unit 202 is successful or when the verification of the client code matches.

  The information table T201 is a table for storing user information, and includes an individual code for identifying an individual, an information type code indicating the type of information, and an information entity. Table 4 shows an example of the information table T201. The information search unit 203 searches the information table T201 with the personal code and the information type code, and acquires an information entity.

  The rule management server 300 is a server that has rule information related to access authority and checks an access range (access authority check) as to whether or not the business being executed on the client terminal 100 is permitted by regulations. A communication unit 301, a rule information search unit 302, a token generation unit 303, a classification code table T301, and a rule table T302.

  The communication unit 301 communicates with the client terminal 100 via the network 400.

  The rule information search unit 302 refers to the classification code table T301, acquires the information requester classification code from the client code 106 (information requester code), and obtains the information provider classification from the information management server code (information provider code). Get the code.

  The classification code table T301 is a table for managing the correspondence of the classification request code (“municipalities”, “Ministry of Health, Labor and Welfare”, “Pension Agency”, etc.) to the information requester code or the information provider code. Table 5 shows an example of the classification code table T301.

  After acquiring the information requester classification code and the information provider classification code, the rule information search unit 302 searches the rule table T302 with the information requester classification code, the information provider classification code, the business ID, and the information type code. The access authority for the information of the client terminal 100 is determined.

  The rule table T302 indicates whether the information requester may be provided with specific information regarding a specific business ("who", "who", "with which business", "what information" may be provided). It is a described table. Table 6 shows an example of the rule table T302. For example, the rule table T302 describes and manages an access range to information defined by rules (regulations, laws, etc.) using rules.

  If the rule information search unit 302 determines that the token generation unit 303 has access authority, the token generation unit 303 generates a signed token.

  Next, a processing procedure in the access control system according to the embodiment of the present invention will be described with reference to FIG. FIG. 2 is a flowchart showing a processing procedure of the access control method according to the embodiment of the present invention.

  The communication units 101, 201, and 301 are assumed to have an authentication function and an encrypted communication path construction function. The communication unit 101 and the communication unit 201 configure an encrypted communication path by authenticating the other party by mutual authentication or the like between the client terminal 100 and the information management server 200 via the network 400. The encrypted communication is performed between the unit 101 and the communication unit 201. Similarly, the communication unit 101 and the communication unit 301 configure an encrypted communication path by authenticating the other party by mutual authentication or the like between the client terminal 100 and the rule management server 300. And the communication unit 301 are communicated by this encrypted communication.

  First, the client terminal 100 gives an instruction from the outside, for example, by inputting a personal code at the input unit 102, sends the personal code to the business processing unit 104, and instructs execution of business processing (step S101).

  Next, the client terminal 100 executes business processing in the business processing unit 104 based on the personal code input from the input unit 102. When information required for processing does not exist in the client terminal 100 when information is required for business processing, the information inquiry destination table T101 is searched with the information type code assigned to the missing information, The information management server code having information (information management server code) and access destination information are acquired (step S102).

  The business processing unit 104 extracts the business ID 105 and the client code 106 that the business processing unit 104 has, and together with the business ID 105 and the client code 106, the personal code input from the input unit 102 and the information obtained from the information inquiry destination table T101. The management server code and the access destination information and the information type code of the information found to be insufficient in the business process are sent to the communication unit 101 to request information acquisition.

  In response to a request from the business processing unit 104, the communication unit 101 sends a business ID 105, a client code 106, a personal code, an information management server code, and an information type code to the rule management server 300, and obtains missing information. A token issuance request for is sent (step S103).

  When the communication unit 301 receives a token issue request from the communication unit 101, the rule management server 300 receives the business ID 105, the client code 106, the information management server code, the information type code, and the personal code, and the rule information search unit 302.

  The rule information search unit 302 first searches the classification code table T301 and performs code conversion (step S104). That is, the client code 106 searches the classification code table T301 to acquire the classification code, and sets it as the information requester classification code. In addition, the information management server code searches the classification code table T301 to acquire the classification code, and sets it as the information provider classification code.

  Next, the rule information search unit 302 searches the rule table T302 with the four information of the business ID 105, the information type code, the information requester classification code, and the information provider classification code, and whether the rule information is in accordance with a predetermined rule (that is, Whether or not the client terminal 100 has access authority to the information) is determined (step S105). If there is a matching record, the rule information search unit 302 sends an individual code, an information type code, and a client code together with an OK signal indicating that the token generation unit 303 has access authority. If not, an error signal indicating that the communication unit 301 has no access authority is sent.

  If it is determined by the rule information search unit 302 that the token generation unit 303 has access authority, the token generation unit 303 creates a token that summarizes the personal code, the information type code, and the client code (step S106). Thereafter, a signature is given to the token, and the signed token is sent to the communication unit 301.

  The communication unit 301 returns the signed token obtained from the token generation unit 303 or the error signal obtained from the rule information search unit 302 to the client terminal 100 (step S107).

  When the communication unit 101 receives an error signal from the communication unit 301, the client terminal 100 sends an error signal to the job processing unit 104. Further, when the communication unit 101 receives the signed token from the communication unit 301, the client terminal 100 transmits the signed token together with the client code 106 to the information management server 200 based on the access destination information ( Step S108).

  In the information management server 200, the communication unit 201 receives the signed token and the client code 106 from the communication unit 101, and sends them to the condition check unit 202.

  The condition check unit 202 verifies the signature of the signed token (step S109). If the signature verification result of the signed token is NG, an error is returned to the communication unit 201. When the signature verification result of the signed token is OK, the client code stored in the token is checked against the client code 106 received from the communication unit 101. An error is returned, and if they match, the personal code and information type code in the token are sent to the information search unit 203.

  The information search unit 203 searches the information table T201 with the personal code and information type code received from the condition check unit 202, and acquires the information entity requested by the client terminal 100 (step S110). The information search unit 203 sends the acquired information entity to the communication unit 201.

  When an error signal is returned from the condition check unit 202, the communication unit 201 transmits an error signal to the communication unit 101. When the information entity is obtained from the information search unit 203, the communication unit 201 transmits the information entity to the client. It transmits to the terminal 100.

  In the communication unit 101, the client terminal 100 sends the error signal received from the communication unit 201 or the information entity of the search result to the job processing unit 104.

  If the business processing unit 104 obtains an error signal from the communication unit 101, the business processing unit 104 ends the business processing and sends an error signal to the output unit 103. When the requested information entity is obtained, the business process is continued using the information entity. When the business process is completed, the business process result is sent to the output unit 103. Finally, the output unit 103 outputs an error signal, which is information obtained from the business processing unit 104, or a business processing result (step S111).

  If the business processing unit 104 of the client terminal 100 lacks a plurality of pieces of information (when a plurality of pieces of information with information type codes are used), a token issuance request is issued to the rule management server 300. Is performed a plurality of times, and a plurality of pieces of information are acquired from the information management server 200.

  In addition, the information management server 200 having information that is deficient in the client terminal 100 may be different for each information. In this case, the client terminal 100 sends the deficient information and the information to the rule management server 300. A token issuance request is executed for each information management server 200 having the information, and information is individually acquired from the information management server 200 having the information. Note that the same information management server 200 may request information collectively with one token.

  Further, when a plurality of types of business are processed in the client terminal 100, the business processing unit 104 and the information inquiry destination table T101 are provided for each business ID, and in the business processing, the business ID together with the personal code is input by the input unit 102. This can be realized by inputting.

  As described above, in the present invention, the purpose of accessing each piece of information is described by a rule as a series of procedures, and an ID is assigned and managed by the rule management server 300. When some information held by another server is needed while performing work at the client terminal 100, information related to the work being performed is sent to the rule management server 300 to request a token. The rule management server 300 checks whether or not the rule is complied with based on information from the client terminal 100, and if it is OK, returns a token to the client terminal 100. The client terminal 100 obtains desired information by sending a token to the information management server 200, and continues the business with the obtained information.

  By such a procedure, access to information can be restricted to a rule unit, not a person unit to access. In other words, users who need access to the information do not directly access the information, but can only access it by executing the access procedure, so it is possible to restrict arbitrary access outside the access procedure. . Thus, access to information for purposes other than the purpose can be restricted, and information leakage or unauthorized use can be prevented. Further, by separating the access control function from the information management server 200 that holds the information, the rule management server 300 can search the rule table T302 and the rule information even when the access authority is changed due to a rule change or the like. It is possible to easily cope with the problem by simply updating the unit 302, and it is possible to reduce resources of the information management server.

100 Client terminal 101, 201, 301 Communication unit 102 Input unit 103 Output unit 104 Business processing unit 105 Business ID
106 Client Code 200 Information Management Server 202 Condition Checking Unit 203 Information Searching Unit 300 Rule Management Server 302 Rule Information Searching Unit 303 Token Generation Unit T101 Information Query Destination Table T201 Information Table T301 Classification Code Table T302 Rule Table

Claims (6)

An access control system comprising an information processing device for processing business, an information management device for providing information, and a rule management device for checking access authority, connected to each other by a network,
The information processing apparatus includes:
A token issuance request means for transmitting a token issuance request to the rule management device when information is required when processing a job;
The rule management device includes:
When receiving the token issuance request, an access authority determining unit that determines whether or not the information processing apparatus has an access authority to the information;
Token generation means for generating a signed token and transmitting the signed token to the information processing apparatus when the access authority determination means determines that the access authority is determined;
The information management device includes:
Verification means for verifying the signature of the signed token when the signed token is received from the information processing apparatus;
An access control system comprising: an information acquisition unit configured to transmit information requested by the information processing apparatus to the information processing apparatus when the verification unit succeeds in the signature verification.   The access authority determining means determines whether or not the user has the access authority by referring to a rule table that describes whether the information requester may be provided with specific information related to a specific job. The access control system according to claim 1, wherein: The information acquisition means, when the signature verification is successful, collates the client code stored in the signed token with the client code received from the information processing apparatus,
3. The access control system according to claim 1, wherein the information acquisition unit acquires information requested by the information processing apparatus from an information table storing information when the collation matches. 4. . An access control method for a system comprising an information processing device for processing business, an information management device for providing information, and a rule management device for checking access authority, connected to each other by a network,
A token issuance request step for sending a token issuance request to the rule management device when information is needed when processing a job by the information processing apparatus;
When receiving the token issue request by the rule management device, an access authority determining step of determining whether or not the information processing apparatus has an access authority to the information;
A token generation step of generating a signed token and transmitting the signed token to the information processing apparatus when the rule management apparatus determines that the access authority is determined in the access authority determination step. When,
A verification step of performing signature verification of the signed token when the information management apparatus receives the signed token from the information processing apparatus;
An information acquisition step of transmitting information requested by the information processing device to the information processing device when the information management device succeeds in signature verification in the verification step;
An access control method comprising:   The access authority determining step determines whether or not the user has the access authority by referring to a rule table that describes whether or not the information requester may be provided with specific information related to a specific job. The access control method according to claim 4, wherein: In the verification step, when the signature verification is successful, the client code stored in the signed token is compared with the client code received from the information processing apparatus,
The access control method according to claim 4 or 5, wherein the information acquisition step acquires information requested by the information processing apparatus from an information table storing information when the collation matches. .

Images