JP2014170517A - Management device, communication system, management method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To achieve appropriate security within a system.SOLUTION: A management device is equipped with an access control rule generation part 57 for generating a second access control rule, in which an access control rule to each point belonging to a component is determined for each category of a user, on the basis of a correspondence relationship between component identification information identifying the component and point identification information identifying a point belonging to the component and a first access control rule in which the access control rule of each group is determined for each point.

Description

  The present invention relates to a management device, a communication system, a management method, and a program.

  Devices such as various sensors or actuators, storage with data storage functions, applications, and devices with system manager functions cooperate with each other in order to realize power visualization, energy saving control, and improvement in daily life. Systems and mechanisms for realizing them are becoming popular. In particular, a large-scale system has a large amount of devices, and handles a large amount of data acquired from these devices and accumulated in the storage.

  In such a system, it is difficult to ensure the security of the entire system only by restricting access from a third party by controlling access to the device. For example, even if it is set on the sensor side so that sensor data is not passed to a certain application, the data is accumulated in another storage, and if the storage does not perform application access control, the result is the application. Sensor data is acquired. In addition, there are cases where data acquired by a plurality of sensors is accumulated in the same storage, and therefore, the storage needs to be subjected to access control for each data.

  As described above, IEEE 1888.3, which is an extended specification of IEEE 1888, is defined as a mechanism for realizing appropriate security in a system in which the affiliation relationship between devices and data is complicated. In IEEE1888, devices and data are handled in separate units of “component” and “point” (see, for example, Non-Patent Document 1).

“Basic Technology to Support Smart Community: Management of Mass Sensing Point Components, Address Resolution Technology IEEE1888 Registry Overview”, NTT Technology Journal, November 2012, pp. 199 38-41

  As the system becomes larger, the number of access control rules increases, and configuration changes are likely to occur. In such an environment, it is necessary to efficiently generate rules and operate them appropriately. However, although the conventional IEEE 1888.3 defines each security management mechanism, the rule generation and operation method is not defined. As described above, since there is no efficient rule generation and proper operation method, appropriate security cannot be realized in the system.

  Therefore, one aspect of the present invention has been made in view of the above problems, and it is an object to provide a management device, a communication system, a management method, and a program that can realize appropriate security in the system. To do.

  (1) According to one aspect of the present invention, the correspondence between component identification information for identifying a component that is a component device of a communication system and point identification information for identifying a point that is data managed by the component, and a user for each point A second access control rule in which an access control rule for each point belonging to the component is defined for each group of users based on the first access control rule in which an access control rule for each group is defined The management device includes an access control rule generation unit.

  (2) Moreover, one aspect of the present invention is the above-described management apparatus, which acquires information for reflecting at least one of addition, change, and deletion of components or points from the resource information management apparatus And a correspondence acquisition unit that acquires the correspondence stored in the resource information management device from the resource information management device when the information acquisition unit acquires the information, and the access control The rule generation unit generates the second access control rule based on the correspondence relationship acquired by the correspondence relationship acquisition unit and the first access control rule.

  (3) Moreover, one aspect of the present invention is the above-described management device, further including a distribution unit that distributes the second access control rule generated by the access control rule generation unit to the resource information management device.

  (4) One embodiment of the present invention is the above-described management device, wherein the first access control rule and the second access control rule include an access control rule for each method.

  (5) Further, according to one aspect of the present invention, a correspondence relationship between component identification information that identifies a component that is a component device of a communication system and point identification information that identifies a point that is data managed by the component is stored. The management device includes a correspondence acquisition unit that acquires the correspondence from the resource information management device, a correspondence acquired by the correspondence acquisition unit, and an access for each group of users for each point. Access control rule generation for generating a second access control rule in which an access control rule for each point belonging to the component is defined for each group of users based on the first access control rule in which the control rule is defined A communication system.

  (6) Further, according to one aspect of the present invention, the access control rule generation unit includes component identification information that identifies a component that is a component device of the communication system, and point identification information that identifies a point that is data managed by the component And a first access control rule in which an access control rule for each group of users is defined for each point, an access control rule for each point belonging to the component is defined for each group of users. A management method including a step of generating a second access control rule.

  (7) Further, according to one embodiment of the present invention, a correspondence relationship between component identification information for identifying a component that is a component device of a communication system and point identification information for identifying a point that is data managed by the component is stored in a computer. And a second access control rule for each point belonging to the component for each group of users based on a first access control rule for which each group of users has an access control rule for each point. A program for executing an access control rule generation step for generating an access control rule.

  (8) Further, according to one aspect of the present invention, based on a correspondence relationship between component identification information for identifying a component that is a component device of a communication system and point identification information for identifying a point that is data managed by the component, The management apparatus includes a first access control rule generation unit that generates a first access control rule in which an access control rule for each group of users is defined for each point.

(9) Moreover, one aspect of the present invention is the management apparatus described above, wherein an access control rule for each point belonging to the component is defined for each group of users based on the first access control rule. An access control rule generation unit for generating a second access control rule;
An information acquisition unit that acquires information for reflecting at least one of addition, change, and deletion of components or points, and when the information acquisition unit acquires the information, the information acquisition unit stores the information. A correspondence relationship acquisition unit that acquires the correspondence relationship from the resource information management device, wherein the access control rule generation unit is based on the correspondence relationship acquired by the correspondence relationship acquisition unit and the first access control rule. Then, the second access control rule is generated.

  (10) Moreover, one aspect of the present invention is the management device described above, further including a distribution unit that distributes the second access control rule generated by the access control rule generation unit to the resource information management device, The first access control rule and the second access control rule include an access control rule for each method.

  (11) One aspect of the present invention is the management device described above, wherein one or both of the first access control rule and the second access control rule includes an access control rule in a method unit. In the case where information indicating that a certain method among a plurality of methods is permitted and information indicating that all the plurality of methods are permitted are mixed in the access control rule, the mixed access control rule includes Of the included methods, the most restrictive access control rule is generated with priority.

  (12) One embodiment of the present invention is a communication system including a resource information management device and a management device, and the resource information management device includes component identification information for identifying a component that is a component device of the communication system. A storage unit that stores a correspondence relationship with point identification information for identifying a point that is data managed by the component; and the management device acquires the correspondence relationship from the resource information management device And a first access control rule generation unit that generates a first access control rule in which an access control rule for each group of users is defined for each point based on the correspondence acquired by the correspondence acquisition unit. It is a communication system.

  (13) Further, according to one aspect of the present invention, the access control rule generation unit includes component identification information that identifies a component that is a component device of the communication system, and point identification information that identifies a point that is data managed by the component And a first access control rule generation step for generating a first access control rule in which an access control rule for each group of users is defined for each point based on the correspondence relationship.

  (14) Further, according to one embodiment of the present invention, a correspondence relationship between component identification information for identifying a component that is a component device of a communication system and point identification information for identifying a point that is data managed by the component is stored in a computer. This is a program for executing a first access control rule generation step for generating a first access control rule in which an access control rule for each group of users is defined for each point.

  According to one embodiment of the present invention, appropriate security can be realized in the system.

It is the schematic which shows an example of a structure of the communication system in the 1st Embodiment of this invention. It is a schematic block diagram which shows an example of a structure of the security management apparatus in the 1st Embodiment of this invention. It is the schematic which shows an example of the data memorize | stored in the registry in the 1st Embodiment of this invention. It is the schematic which shows an example of the data showing the 1st access control rule in the 1st Embodiment of this invention. It is the schematic which shows an example of the data showing the 2nd access control rule in the 1st Embodiment of this invention. It is a sequence diagram which shows an example of the flow of a process of the communication system in the 1st Embodiment of this invention. It is the schematic which shows an example of a structure of the communication system in the 2nd Embodiment of this invention. It is the schematic which shows an example of the data showing the policy information in the 2nd Embodiment of this invention. It is the schematic which shows an example of the data showing the policy information in the 2nd Embodiment of this invention. It is the schematic which shows another example of the 1st access control rule in the 2nd Embodiment of this invention. It is the schematic which shows an example of the data showing the rule of the attribute information of the point in the 2nd Embodiment of this invention, and the rule of a component.

(First embodiment)
Hereinafter, a first embodiment of the present invention will be described in detail with reference to the drawings. In IEEE1888, device and data information are handled by another dictionary mechanism (registry function). For this reason, in order to update rules in real time according to the system configuration change, it is necessary to link the security management mechanism with the registry. Therefore, in this embodiment, an example of cooperation between the security management mechanism and the registry will be described. In addition, a rule creation process regarding access control generated at that time will be described. In addition, information managed by the registry in IEEE 1888 can be referenced from various components, but access restrictions on the information are not defined in IEEE 1888.3, and there are no effective operation methods so far. There wasn't. In contrast, in the present embodiment, access control of information managed by the registry will be described.

  FIG. 1 is a schematic block diagram showing a configuration of a communication system 1 according to the first embodiment of the present invention. The communication system 1 includes a gateway (hereinafter referred to as GW) 11 to 14, storages 21 to 22, applications 31 to 32, a registry (resource information management device) 40, and a security management device (management device) 50. And sensors 111, 121, 122 and 141, and actuators 112, 131, 132 and 142. A sensor 111 and an actuator 112 are connected to the GW 11. Sensors 121 and 122 are connected to the GW 12. Actuators 131 and 132 are connected to the GW 13. A sensor 141 and an actuator 142 are connected to the GW 14. Sensors and actuators are collectively referred to as device equipment. The GWs 11 to 14, the storages 21 to 22, and the applications 31 to 32 are examples of components. Further, the data of the sensor and the actuator are referred to as points.

  A device device is a device product that is a unit for purchase / relocation and maintenance management, and includes one or more sensors or switches. The device device is connected to the GW. For example, when the device device is a power meter, the device device transmits sensor data such as a power value to the GW. Further, for example, the device device switches on and off of a switch to be mounted according to switch control by the GW.

The GWs 11 to 14 accommodate devices underneath and communicate with other components (for example, GWs, storages 21 to 22, applications 31 to 32) and the registry 40 via the network. Also, information on device devices to be managed is stored.
The storages 21 to 22 store data acquired from sensors connected under the GWs 11 to 14, or data generated or processed by the applications 31 to 32. The storages 21 to 22 provide data to other components and obtain data from other components. The storages 21 to 22 also communicate with the registry 40.

  For example, the applications 31 to 32 acquire data from the GWs 11 to 14 and the storages 21 to 22 and display the acquired data. In addition, the applications 31 to 32 process, for example, the acquired data and provide it to other components. Furthermore, the applications 31 to 32 give control commands to the actuators under the GWs 11 to 14, for example. In addition, the applications 31 to 32 use the registry 40 to search for devices.

  The registry 40 centrally manages resource information (for example, information on various components and points). Here, the resource information is information related to hardware and software for configuring and operating the communication system 1. The registry 40 transmits the stored various component and point information to the security management device 50. The registry 40 manages not only component information but also point information managed under the component. Specifically, for example, the registry 40 includes a storage unit in which a correspondence relationship between component identification information for identifying a component and point identification information for identifying a point belonging to the component is stored. Thereby, it is possible to manage the affiliation relationship between components and points. Information managed in the registry 40 can be registered, updated, and deleted from various components using a dedicated interface.

  The security management device 50 holds a rule (for example, an access control list in which access control is specified) in which access control at a level such as authentication using a certificate, point, or method is specified. The security management device 50 distributes the access control list to each component.

FIG. 2 is a schematic block diagram showing the configuration of the security management device 50 in the present embodiment. The security management device 50 includes an input unit 51, a communication unit 52, a processing unit 53, and a storage unit 59.
For example, the input unit 51 receives an input of a first access control rule (see table T4 in FIG. 4) by a person who operates the security management device 50, and outputs the received first access control rule to the processing unit 53. In the first access control rule, an access control rule for each group is defined for each point. Specifically, for example, the first access control rule includes a role definition table T3 (see FIG. 4), a table T4 (see FIG. 4) in which an access control rule for each role is defined for each point, and other conditions. Table T5 (see FIG. 4). Here, the role represents a group to which the same access control rule can be applied.

The communication unit 52 communicates with the registry 40, the GWs 11 to 14, the storages 21 to 22, and the applications 31 to 32 via a network.
The processing unit 53 causes the storage unit 59 to store the first access control rule accepted by the input unit 51. Here, the processing unit 53 includes an information acquisition unit 54, a correspondence relationship acquisition unit 55, an access control rule generation unit 57, and a distribution unit 58.

The information acquisition unit 54 sends information for reflecting at least one of addition, change, and deletion of components or points from the registry 40 via the communication unit 52 when the configuration in the component is changed or deleted. get. At this time, the registry 40 may notify the information acquisition unit 54 of the information, or the information acquisition unit 54 may acquire the information from the registry 40 at a timing according to a predetermined operation. When the information acquisition unit 54 acquires the information, the information acquisition unit 54 notifies the correspondence acquisition unit 55 that the information has been acquired.
When the information acquisition unit 54 acquires information indicating that the connection is acquired, the correspondence relationship acquisition unit 55 stores component identification information for identifying a component and a point identification for identifying a point belonging to the component, which are stored in the registry 40 The correspondence relationship with the information is acquired from the registry 40. The correspondence relationship acquisition unit 55 outputs the acquired correspondence relationship to the access control rule generation unit 57.

The rule acquisition unit 56 acquires, for example, by reading the first access control rule from the storage unit 59, and outputs the read first access control rule (see FIG. 4) to the access control rule generation unit 57.
The access control rule generation unit 57 generates the second based on the correspondence relationship acquired by the correspondence relationship acquisition unit 55 (see FIG. 3) and the first access control rule acquired by the rule acquisition unit 56 (see FIG. 4). Access control rules (see FIG. 5) are generated. Here, as an example, the second access control rule belongs to the table T6 (see FIG. 5) in which the access control rule to each point belonging to the component is defined for each role, and to the component and the role. A table T7 (see FIG. 5) in which an access control rule for each point is defined, and a table T8 (see FIG. 5) in which an access control rule for each point belonging to the component for each role is defined. Details of the second access control rule generation process will be described later. The access control rule generation unit 57 outputs the generated second access control rule to the distribution unit 58. Further, the access control rule generation unit 57 stores the generated second access control rule in the storage unit 59.
The distribution unit 58 distributes the second access control rule (for example, the table T7 and the table T8) for the registry 40 generated by the access control rule generation unit 57 to the registry 40 via the communication unit 52. The distribution unit 58 distributes the second access control rule (for example, the table T6) for each component generated by the access control rule generation unit 57 to the corresponding component via the communication unit 52.

FIG. 3 is an example of data stored in the registry 40. The table T1 is an example of a component table. In the table T1, a name (name) of each component, a URL, and point identification information (key) for identifying a point managed under the name are associated.
The table T2 is an example of a point table. In the table T2, point identification information (name), the attribute name of the point (Attr-name), and the value of the corresponding attribute (Attr-value) are associated. For example, with respect to a point with point identification information B, it is indicated that the location is X and the device is a temperature sensor (temp).

  Next, the first access control rule will be described with reference to FIG. FIG. 4 is an example of data representing the first access control rule. The table T3 is an example of a role definition table. A list of components that use common access control rules is shown. In the table T3, roles and components are associated with each other. Accordingly, when the same role is associated with two different components, a common access control rule is applied to the two different components. This table T3 is the same as that defined in IEEE1888.1.

  The table T4 is an example of a table in which access control rules for each role are defined for each point. The table T4 describes access control rule definitions according to the attributes of point information managed by the registry 40 and point identification information. In the table T4, a point attribute name (name), a corresponding attribute value (value), a role (role), a policy (Policy), and a method name (method) are associated with each other. Here, the policy is an item indicating whether or not the corresponding method is permitted, and indicates “OK” when permitted or “NG” when not permitted. For example, the first row of the table T4 is defined to permit data acquisition by FETCH (data reference request) by userA (APP2) for a point whose location (Location) is X.

  The table T5 is an example of a table for other conditions. The other condition table T5 is a table for setting another rule for the component itself or supplementing a rule that cannot be generated only by the first access control rule table T4. In the table T5, a name (name), a value (value), a role (role), a policy (Policy), and a method name (method) are associated with each other. For example, “component” representing a component is set in the name (name), and the name of the component is set in the value (value). Here, “*” represents all, and in the example of the first row of this table T5, a setting is made such that any method by the operator is permitted for GW1.

  For example, the access control rule generation unit 57 generates a second access control rule from the tables of FIGS. 3 and 4. Specifically, for example, the access control rule generation unit 57 extracts all points belonging to each component using the table T1. Then, the access control rule generation unit 57 uses, for example, the first access control rule table T4, and for each point belonging to each extracted component, an intermediate table in which all methods are NG for each component and group. Create Then, for example, the access control rule generation unit 57 updates the intermediate table by applying the rules of the table T4 line by line to the created intermediate table.

  Specifically, for example, in the case of the rule in the first row of the table T4, the access control rule generation unit 57 refers to the table T2 and extracts the points A, B, and C with respect to the point whose location is X, and the table T1 , It is extracted that the component having the points A, B, and C is GW1. Therefore, when FETCH or WRITE is permitted, LOOKUP (list reference request) may be permitted. Therefore, when the component is “GW1” and the group using the initiator is “userA”, an access control rule is generated. The unit 57 updates the intermediate table so as to permit, for example, LOOKUP. Here, WRITE is, for example, writing sensor data or operating an actuator.

Subsequently, after all the rules of the table T4 are applied, the access control rule generation unit 57 adds the rules described in the table T5 of other conditions to the created intermediate table, for example, for each component and group. A table in which access control rules are defined (for example, see table T7 in FIG. 5 described later) is generated. For example, the access control rule generation unit 57 generates a table (for example, see table T8 in FIG. 5 described later) in which access control for each group using the initiator is determined from the table T7.
Similarly, the access control rule generation unit 57 refers to the tables T1 to T5, for example, and generates a table (for example, refer to a table T6 in FIG. 5 described later) representing the access control rule for each group for each table component. To do.

Next, the second access control rule will be described with reference to FIG. FIG. 5 is an example of data representing the second access control rule. The table T6 is a table representing an access control rule for a certain component. The access control rule generation unit 57 creates a table such as the table T6 for each component connected to the communication system 1. Then, the distribution unit 58 distributes the table T6 created for a certain component to that component. Note that the access control rule generation unit 57 may store the table T6 created for the component in the storage unit 59 and return access permission in response to an access permission inquiry from the responder.
In the table T6, a group name, a policy, a method name, and a point name that use the initiator are associated. Here, the initiator is a device that transmits a request to a device that responds to a request (also referred to as a responder or a responder). For example, the first row of the table T6 indicates that “FETCH” is permitted for all points for the group “operator”. Note that the description method of the table T6 conforms to IEEE1888.1.

  The table T7 is a table representing access control rules for each component of the registry 40. In this table T7, an access control rule for each point belonging to the component is defined for each component and initiator. In the table T7, the component name, the group name using the initiator, the policy, the method name, and the point identification information are associated with each other.

  For example, a rule is generated in the table T7 so that when an initiator whose access to a component is actually restricted is searched in the registry 40, the information is not responded. By generating such a rule, for example, in the case of this table T7, when the component used by userB inquires the registry 40 about the component information having the point B with LOOKUP, the registry 40 inquires only the information of GW1. Return to the component where there was.

  The table T8 is a table that represents an access control rule for each component of the registry 40. The group name using the initiator, the policy, the method name, and the point identification information are associated with each other. Since the table T8 is uniquely obtained from the table T7, the access control rule generation unit 57 generates the table T8 from the table T7.

FIG. 6 is a sequence diagram illustrating an example of a processing flow of the communication system 1 in the present embodiment.
(T101) First, the processing unit 53 of the security management device 50 causes the storage unit 59 to store the first access control rule input from the user via the input unit 51.
(T102) Next, when a component to be a responder is added to the communication system 1 later, the component registers information on the component and points belonging to the component in the registry 40.

(T103) Next, the registry 40 notifies the security management apparatus 50 that the component and point information has been newly registered. The security management device 50 may periodically inquire whether or not new component and point information has been registered in the registry 40.
(T104) Next, the correspondence acquisition unit 55 of the security management device 50 inquires the registry 40 about component and point information.
(T105) Next, the correspondence relationship acquisition unit 55 of the security management device 50 acquires component and point information from the registry 40. The component and point information includes a correspondence relationship between component identification information for identifying the component and point identification information for identifying the point belonging to the component.

  (T106) Next, the access control rule generation unit 57 of the security management device 50 uses the correspondence acquired by the correspondence acquisition unit 55 (see FIG. 3) and the first access control rule (see FIG. 3) acquired by the rule acquisition unit 56. 4), an access control list including the second access control rule (see FIG. 5) is generated. As a result, an access control list for each component (see table T6 in FIG. 5) and an access control list for the registry (see tables T7 and T8 in FIG. 5) are generated.

(T107) Next, the security management device 50 distributes the access control list generated for the component to each component.
(T108) Next, each component transmits information indicating success to the security management device 50 when the held access control list is updated with the distributed access control list. On the other hand, each component transmits information indicating failure to the security management apparatus 50 when the held access control list cannot be updated with the distributed access control list.

(T109) Next, the security management device 50 distributes the access control list generated for the registry 40 (see table T7 and table T8 in FIG. 5) to the registry 40.
(T110) Next, when updating the held access control list with the distributed access control list, the registry 40 transmits information indicating success to the security management device 50. On the other hand, if the stored access control list cannot be updated with the distributed access control list, the registry 40 transmits information indicating failure to the security management device 50.

Thereafter, the operation is started based on the newly distributed access control list.
(T111) For example, the initiator requests a point that can be referred to by the user A to the registry 40 by executing a method called LOOKUP of points by the user A.
(T112) In response, the registry 40 refers to the stored access control list and returns a list of points that can be referred to by the user A to the initiator.
(T113) For example, when the initiator executes a method called LOOKUP of a component by user A, the component having a specific point in the list of referenceable points returned in T112 is registered in the registry. Request to 40.
(T114) In response to this, the registry 40 refers to the held access control list and returns a list of components having a specific point that can be referred to by the user A to the initiator.

(T115) For example, the initiator requests one of the referenceable component lists obtained in T114 as a responder, and requests the responder to refer to the specific point.
(T116) In response to this, if the updated access control list indicates that the FETCH by the user A is permitted, the responder transmits the point to the initiator that requested the point. Thus, this sequence is completed.
Note that at T115 of this sequence, the initiator executes FETCH as an example. However, the initiator is not limited to FETCH, and may execute WRITE or TRAP. Here, TRAP is, for example, setting a condition so as to notify a specified component.

  As described above, in the first embodiment of the present invention, the access control rule generation unit 57 in the security management device 50 includes the component identification information for identifying the component that is a component device of the communication system and the point that is the data managed by the component. Based on the correspondence relationship with the point identification information to be identified and the first access control rule in which the access control rule for each group of users is defined for each point, each point belonging to that component for each group of users A second access control rule in which the access control rule is defined is generated. As a result, the second access control rule required when the system is scaled up or the configuration is changed can be efficiently created based on the first access control rule. In addition, since the second access control rule is generated based on the first access control rule in which the access control rule of each group is determined for each point, even when the same data is scattered in a plurality of components, A correct second access control rule can be generated for the data. Thereby, the same access control rule can be applied to all the data. As a result, the registry or each component can correctly perform access control.

The information acquisition unit 54 acquires information indicating that a component is newly connected to the communication system 1 from the registry 40. When the information acquisition unit 55 acquires information indicating that the information acquisition unit 54 is connected, the correspondence relationship acquisition unit 55 acquires the correspondence relationship stored in the registry 40 from the registry 40. Then, the access control rule generation unit 57 generates a second access control rule based on the correspondence relationship acquired by the correspondence relationship acquisition unit 55 and the first access control rule.
Thereby, when a component is newly connected to the communication system 1, the security management device 50 can immediately generate the second access control rule. As a result, the security management device 50 can update the second access control rule in real time in cooperation with the registry 40.

  The distribution unit 58 distributes the second access control rule generated by the access control rule generation unit 57 to the registry 40. Thereby, the registry 40 can perform registration restriction or reference restriction of information by each component in accordance with the second access control rule.

  Further, the first access control rule and the second access control rule include an access control rule for each method. As a result, the first access control rule can be set based on the access control rule for each method, thereby facilitating operator rule setting. Furthermore, since the second access control rule to be generated is also a rule based on the access control rule for each method, it is easy for the operator to check the rules used in the registry and each component.

  In the first embodiment of the present invention, each component controls access according to the second access control rule distributed from the security management device 50, but the present invention is not limited to this. The security management device 50 may directly determine whether or not access control of other functional units (for example, components and registries) is possible. In that case, the security management device 50 may hold the access control list without distributing it, and components, registries, etc. may inquire the security management device 50 each time.

  In the first embodiment of the present invention, the security management device 50 distributes the access control list to each component. However, the present invention is not limited to this. The communication system 1 further includes a resource access control device (RAM: Resource Access Manager), and the resource access control device acquires an access control list from the security management device 50, and distributes the acquired access control list to each component. Good.

  Further, in the first embodiment of the present invention, the input unit 51 receives the first access control rule, but the first access control rule may be stored in the storage unit 59 in advance. Further, the security management device 50 may obtain the first access control rule from another device.

(Second Embodiment)
Hereinafter, a second embodiment of the present invention will be described in detail with reference to the drawings.
In a system designed by IEEE1888 or a system having a similar mechanism, it is difficult to ensure the security of the entire system only by performing simple access control for each device that communicates. For example, in IEEE 1888, a plurality of sensors are managed by one GW, but it is assumed that access control is necessary for each point, not for each GW. Also, even if it is set on the GW side so that data at a specific point is not passed to a certain application, the data is accumulated in another storage and the storage does not perform application access control. As a result, sensor data is acquired by the application.

  As described above, IEEE 1888.3, which is an extended specification of IEEE 1888, is defined as a mechanism for realizing appropriate security in a system in which the affiliation between devices and data is complicated. IEEE 1888.3 enables description and operation of access control rules at points, procedures (functions), and method levels. Here, the point is a unit of data acquired from a sensor or actuator connected to the GW. In addition, the procedure refers to a FETCH / WRITE / TRAP procedure defined in inter-component communication in IEEE 1888, a REGISTRATION / LOOKUP procedure defined in inter-component registry communication, and is defined in IEEE 1888.1. SERVICE procedures scheduled to be included. The method level is a rule for realizing the procedure, such as query (FETCH / TRAP) or data (WRITE).

  These functions are defined in IEEE1888.3 as being realized by an access control device (hereinafter also referred to as ACM). In addition, a resource access device (Resource Access Manager: hereinafter also referred to as RAM or security management device 50), which is a mechanism for managing and distributing rules (access control list: hereinafter referred to as ACL) for this ACM. Is defined in IEEE1888.1. IEEE 1888.1 stipulates that component communication (WRITE procedure and FETCH procedure) should be used as a method for distributing or obtaining an ACL.

  The amount of ACL increases as the system becomes larger, and configuration changes are likely to occur. For this reason, it is necessary to efficiently generate an ACL and operate it appropriately. IEEE 1888.3 defines a security management device, but does not define an ACL generation method or operation method. In the first embodiment, the data handled by the registry function has been described. However, there are cases where the ACL cannot be set at a fine level. Specifically, there are cases where attribute range specification, point range specification, and condition specification cannot be performed. Specific attribute range specification and point range specification include policy input specifying the range of the Att-value attribute of the point table managed by the registry, time range specification specifying the key attribute of the component table, component and registry There is a range specification of point IDs. Further, in the first embodiment, there may be a case where the AND condition cannot be described for the attribute information.

  In the first embodiment, an example of generating the ACL of component information and point information registered in the registry without excess or deficiency has been described. However, unnecessary ACL (ACL not set in the RAM, etc.) ) Is also generated, which is inefficient. Further, in the first embodiment, it is not possible to generate and operate an ACL for adding a new point that is not registered in the registry. In particular, when the ACL is applied to the registry itself, it is difficult for the RAM to generate an ACL corresponding to a new point (such as key information of component information).

In the first embodiment, since the ACL generated by the RAM is transmitted to all the target components, differential transmission such as transmission of ACL only at a changed portion is not considered.
Therefore, in the second embodiment, ACL generation efficiency and distribution efficiency of RAM (a mechanism for generating, managing, and distributing ACLs defined in IEEE 1888.1) in a system using a mechanism similar to IEEE 1888 and IEEE 1888. The case of improving the will be described. That is, in the second embodiment, an example will be described in which ACL setting and ACL distribution amount are reduced by improving the setting policy input method and generation method with respect to the first embodiment.

FIG. 7 is a schematic diagram illustrating an example of a configuration of a communication system 1A according to the second embodiment of the present invention.
The communication system 1A includes GWs 11 to 14, storages 21 to 22, applications 31 to 32, a registry (resource information management device) 40, a security management device (management device, RAM) 50A, and sensors 111, 121, and 122. And a sensor 141, actuators 112, 131, 132 and an actuator 142, and ACMs (access control devices) 60A, 70A. A sensor 111, an actuator 112, and an ACM 60 are connected to the GW 11. A sensor 121 and a sensor 122 are connected to the GW 12. An actuator 131 and an actuator 132 are connected to the GW 13. A sensor 141 and an actuator 142 are connected to the GW 14. The sensors 111, 121, 122, 141 and the actuators 112, 131, 132, 142 are collectively referred to as device devices. Device devices, storages 21 to 22, and applications 31 to 32 are examples of components. Data acquired from device devices managed by the GWs 11 to 14 are referred to as points.

  Each device device is a device product that is a unit of purchase, relocation, and maintenance management. For example, sensors such as power sensors and temperature sensors, and actuators that can control the power and temperature of smart taps, smart meters, air conditioners, etc. It is equipped with one or more sensors, switches, etc. Each device is connected to each GW 11-14, for example. For example, when the device device is a power meter, the device device transmits sensor data such as a power value to each of the managed GWs 11 to 14. Further, for example, each device device switches on and off of a switch to be mounted according to switch control by the GWs 11 to 14.

Each of the GWs 11 to 14 accommodates device devices under its control, and communicates with other components (for example, other GWs, storages 21 to 22, and applications 31 to 32) and the registry 40 via the network. In addition, each GW 11 to 14 manages and stores information on device devices managed under it.
Each GW 11 to 14 searches the registry 40 for registration of component information, registration of point information, a communication target component, a communication target point, and the like. Further, when each of the GWs 11 to 14 becomes a responder, the ACL acquires the communication target component and the communication target point from the registry 40 (or the security management apparatus 50A).

  The storages 21 to 22 store data acquired from the device devices connected to the GW by the GWs 11 to 14 and data generated or processed by the applications 31 to 32, respectively. Each of the storages 21 to 22 provides data to other components and obtains data from other components. Each of the storages 21 to 22 also communicates with the registry 40 and searches the registry 40 for a communication target component and a communication target point. In addition, each of the storages 21 to 22 acquires the ACL from the registry 40 (or the security management device 50A).

  Each application 31-32 acquires data from each GW11-14 or each storage 21-22, for example, and displays the acquired data. Moreover, each application 31-32 processes the acquired data, for example, and provides it to another component. In addition, each of the applications 31 to 32 gives a control command to the device devices under the control of the GWs 11 to 14, for example. Each of the applications 31 to 32 communicates with the registry 40 and searches the registry 40 for a communication target component and a communication target point. Further, each of the applications 31 to 32 acquires the ACL from the registry 40 (or the security management device 50A).

  The registry 40 centrally manages resource information (for example, information on various components and information on various points). Here, the resource information is information related to hardware and software for configuring and operating the communication system 1A. The registry 40 transmits the stored information on various components and information on various points to the security management device 50. The registry 40 manages not only component information but also point information managed under the component. The component information is, for example, information on the component itself and information on points managed by the component. The point information is attribute information (location, sensor type, etc.) of the point itself.

  Specifically, for example, the registry 40 includes a storage unit in which a correspondence relationship between component identification information for identifying a component and point identification information for identifying a point belonging to the component is stored. Thereby, it is possible to manage the affiliation relationship between components and points. Information managed in the registry 40 can be registered, updated, and deleted from various components using a dedicated interface.

  The security management device 50A generates an ACL, manages the generated ACL, and distributes the managed ACL. When generating the ACL, the security policy information is stored in the security management device 50 in advance, and when the configuration is changed or the policy information is changed, the security management device 50 is activated whenever necessary. Can be updated.

  Each ACM 60A, 70A performs access control. Specifically, for example, each of the ACMs 60A and 70A has component level authentication (also referred to as AM in IEEE1888.3), component level access control, point access control, procedure level and method level. Execute access control of Each ACM 60A, 70A is mainly used by a component serving as a responder (both responder and initiator in the case of component level authentication) and the registry 40. There are two operation modes of each ACM 60A, 70A, an operation mode in which the components and the registry 40 etc. are mounted and operated, and each ACM 60A, 70A exists in the communication system 1A. There is an operation mode in which each component or the registry 40 makes an inquiry to the ACMs 60A and 70A.

  Since the configuration of the security management device 50A according to the second embodiment is the same as the configuration of the security management device 50 shown in FIG. 2, the portions different from the security management device 50 with reference to FIG. The description will be given with reference.

8 and 9 are schematic diagrams illustrating an example of data representing policy information in the second embodiment.
The policy information includes component definition information and registration rule information, point attribute information rule information, point time designation rule information, and component rule information.
The table T9 is an example of data representing component definition information and registration rule information. The table T9 includes a SAN representing the relationship between the component and the SAN, a role representing a group of initiators, an ACL range of the component registration procedure (REGISTRATION (component)), and an ACL of the point registration procedure ACL. A range (REGISTRATION (point)) is associated.
If the component is not subjected to the registration procedure, the ACL range (REGISTRATION (component)) of the component registration procedure may not be described. Similarly, when the point is a point for which the registration procedure is not performed, it is not necessary to describe the ACL range (REGISTRATION (point)) of the point registration procedure. When no role is used, role information (role) need not be described. At this time, the REGISTERTION (component) ACL and the REGISTERTION (point) ACL generated by the security management device 50A will be described later.

  The table T10 is an example of data representing rule information of point attribute information. The table T10 describes policy information based on point attribute information. The table 10 includes point identification number information (num), an attribute name of the point (Attr-name), a value of the corresponding attribute (Attr-value), a namespace (namespace), a role (role), , Policy (Policy) and method name (method) are associated with each other. When num is the same point identification number information, it is handled as an and condition. For example, when Location = x and sensor = watt, userA represents that FETCH and WRITE are possible. In the method, each procedure (for example, at least one of FETCH, WRITE, TRAP, LOOKUP, and REGISTERATION) and a method (query, data, registration, lookup) for realizing it are provided. ) Etc. are described. At this time, the description range includes not only component communication but also policy information for communication between the component and the registry 40.

For example, when LOOKUP is described in the method name (method) (or when: * is described), it is assumed that both LOOKUP (component) and LOOKUP (point) are targeted. * Represents a wild card, and when a method name (method) is described using the *, a specified procedure or method (excluding REGISTERATION) is included.
In the method name (method), an attribute range may be specified. In this case, the Attr-value may be described using a comparison symbol (<, ≧, etc.), and the security management device 50A acquires all the point information of the registry 40 for items that fall within this range. The ACL of the corresponding point may be created and updated.

  The table T11 is an example of data representing point time designation rule information. Table 11 is used when ACL is defined in units of time. In the table T11, point identification number information (num), start time (start), end time (stop), role (role), policy (Policy), and method name (method) are associated with each other. ing. The time specification rule information of the point can be created from the component information stored in the registry 40. When num is the same point identification number information, it is handled as an and condition. In addition, when LOOKUP is described in the method name (method) (or when: * is described), it is assumed that both LOOKUP (component) and LOOKUP (point) are targeted. * Represents a wild card, and when a method name (method) is described using the *, a specified procedure or method (excluding REGISTERATION) is included. The description format may be described by information stored in advance in the registry 40, for example, <,>, ≧, ≦, =, ≠.

  The table T12 is an example of data representing component rule information. The table T12 sets each component and individual ACL. In the table T12, point identification number information (num), a role (role), a responder (responder), a policy (Policy), and a method name (method) are associated with each other. The description format of the table T12 is the same as that in the first embodiment. In the method name (method) of the table T12, a REGISTRATION procedure (method) may be described. When the SAN (or identification information such as URL) of the registry 40 is described in the responder, the security management device 50A determines that the ACL is for the point information of the registry 40. When the method name (method) in the table T12 is described as LOOKUP or REGISRATION for a responder other than the registry 40, the security management device 50A targets a component table such as the table T3 in FIG. Judge. Thus, different ACLs can be defined for the LOOKUP in the component table (table T1 in FIG. 3) and the point table (table T2 in FIG. 3). For example, LOOKUP (component) is possible, but LOOKUP (point) is An ACL that cannot be defined can be defined. Note that the policy of the registry 40 may be further described in the table T12.

Next, an ACL generation method will be described.
The security management device 50A generates an ACL by using the above-described table in which the policy information is registered (tables T9 to T12 in FIGS. 8 and 9) and the information in the registry 40. For example, when the policy information is described as in the tables T9 to T12 in FIGS. 8 and 9, the security management device 50A applies the policy information to the ACL in the order of the tables T9, T10, T11, and T12. The ACL generation in the security management device 50A (the mechanism for acquiring registry data and sequentially generating and updating ACLs that match the policy information) is the same as in the first embodiment, but in this embodiment, The difference is that not all of the necessary ACLs are generated from the registry 40 at the same time when generating the ACL, but only the ACL specified in the policy information is generated. The security management device 50A appropriately generates and updates ACL using the data of the registry 40 with respect to the rules shown in the table T10 of FIG. 8 and the table T11 of FIG. Among the policy information, there is an item “num” for the table T10 in FIG. 8 and the tables T11 and T12 in FIG. 9, and the security management device 50A generates the ACL in the order of num. As described above, the case where num is the same is described as an and condition. The operation method when * is used for ACL will be described later.

  Specifically, for example, when generating the ACL of GW1, the security management device 50A generates a policy for all points as NG as the default ACL, and based on the attribute rules of the tables T15 and T17 in FIG. , ACLs that need to be defined are sequentially generated. Next, the security management device 50A refers to the tables T16 and T18 in FIG. 11 and applies the component rules from the upper row of the ACL to generate the ACL of the GW1. Next, the security management device 50A converts the generated ACL of the GW1 into a description format for distribution, and distributes the ACL of the converted description format of the GW1.

Next, the first access control rule according to this embodiment will be described with reference to FIG.
The table T3 is an example of a role definition table. A list of components that use common access control rules is shown. In the table T3, roles and components are associated with each other. Accordingly, when the same role is associated with two different components, a common access control rule is applied to the two different components. This table T3 is the same as that defined in IEEE1888.1.

  The table T4 is an example of a table in which access control rules for each role are defined for each point. The table T4 describes access control rule definitions according to the attributes of point information managed by the registry 40 and point identification information. In the table T4, a point attribute name (name), a corresponding attribute value (value), a role (role), a policy (Policy), and a method name (method) are associated with each other. Here, the policy is an item indicating whether or not the corresponding method is permitted, and indicates “OK” when permitted or “NG” when not permitted.

  The table T5 is an example of a table for other conditions. The other condition table T5 is a table for setting another rule for the component itself or supplementing a rule that cannot be generated only by the first access control rule table T4. In the table T5, a name (name), a value (value), a role (role), a policy (Policy), and a method name (method) are associated with each other. For example, “component” representing a component is set in the name (name), and the name of the component is set in the value (value). Here, “*” represents all, and in the example of the first row of this table T5, a setting is made such that any method by the operator is permitted for GW1.

  The security management device 50A generates an ACL as shown in FIG. In the illustrated example, the security management device 50A generates and manages an ACL for each component key rather than for each component with respect to the registry 40. As described in the first embodiment, this is a partial response at the time of LOOKUP, for example, with respect to component A information, keyX information responds but keyY information does not respond. It is to do. In addition, the registration (REGISTRATION (component)) is also made possible to perform an operation in which OK or NG is set for each key. However, in the security management device 50 according to the first embodiment, in order to generate an ACL from information stored in the registry 40, a state where a point is newly added under the component, for example, keyX is added to the component A. keyY and keyY are registered, and when keyX and keyY are OK, the following description may be made in order to correspond to a state in which new keyZ is registered. An ACL generation method such as

  With respect to a policy in which “*” is described in id such as “http: // GW / *”, the security management device 50A directly distributes or acquires the policy as an ACL to the ACM of the component and the registry 40. The ACM that operates the above may apply the ACL to the description whose id is “http: // GW / ˜˜”. Further, only “*” may be described in the point rule. When these descriptions are made, the security management device 50A does not generate the ACL without excess or deficiency based on the information in the registry 40 when generating the ACL, and the item “*” is generated as an ACL as it is. You may make it do. Note that “*” may be mixed with individual point designations when specifying points when generating an ACL. The ACL description of the registration when these description formats are used is as shown in tables T13 and T14 in FIG.

FIG. 10 is a schematic diagram illustrating another example of the first access control rule in the second embodiment.
The table T13 is a table showing another example of the component ACL, and the table T14 is a table showing another example of the point ACL.
The tables T13 and T14 are the same as the tables T7 and T8 shown in FIG.

FIG. 11 is a schematic diagram illustrating an example of data representing a rule of point attribute information and a component rule in the present embodiment.
Tables T15 and T16 are examples of data representing rule of point attribute information and component rules in the first case GP1 described later, and tables T17 and T18 are data in the second case GP2 described later. It is an example of the data showing the rule of the attribute information of a point, and the rule of a component.

  Tables T15 and T17 include point identification number information (num), the attribute name of the point (Attr-name), the value of the corresponding attribute (Attr-value), the name space (namespace), and the role (role). ), Policy (Policy), and method name (method). Since this table is the same as the table T10, its description is omitted.

  In the tables T16 and T18, the point identification number information (num), the role (role), the responder (responder), the policy (Policy), and the method name (method) are associated with each other. Since this table is the same as the table T12, its description is omitted.

  In the first embodiment, an example in which all ACLs are generated once using registry information has been described. However, in the second embodiment, it is not necessary to generate anything other than the ACL set in the policy. The distribution destination component and the registry 40 may be operated so that the ACL that has not been distributed is NG (or OK). However, if the ACL that has not been distributed is not NG (or OK), security management The device 50A may generate all ACLs without excess or deficiency based on the information in the registry 40 as in the first embodiment. For the table T10 in FIG. 8 and the table T11 in FIG. 9, the target ACL may be generated based on the point information and the component information in the registry 40. For the table T9 in FIG. 8 and the table T12 in FIG. 9, the described rules can be used as ACLs as they are.

  Here, when applying the rule of the table T12 in FIG. 9, if “*” is partially described as “*” or “http: // *”, the security management device 50A generates the current rule. It is only necessary to delete all the target ACLs once and change the rules to ACLs. Specifically, in the case of the first case GP1 (for example, when pointB is Location = x and managed by STORAGE1), the ACL of userA with respect to STORAGE1 is a rule like the table T10 in FIG. When point B = OK is applied, when a rule such as table T12 in FIG. 9 is applied, point B is also included in the range of *, so the ACL of point B = OK is deleted, and “* = NG”. Only ACLs are generated and managed.

  In the case of the second case GP2, an ACL of “* = NG” is generated as in the first case GP1, but the point A = OK described in the second row of the table T12 in FIG. Since it is applied as it is, an ACL of “* = NG, point A = OK” is generated. In other words, in the case of the second case GP2, the component operating the registry 40 determines that “point A is OK, but other points are NG”. By doing so, it becomes possible to accurately operate the rule of “*” and a specific point.

Next, description of ACL using wild card (*) and difference sending will be described.
A description will be given of the operation method in the case where the security management device 50A recognizes the description of a wild card (*) in the ACL (particularly point id) to be generated and updated.
The security management device 50A can reduce the number of ACLs to be generated by accepting the description by the wild card, and can also describe the ACL for the information not registered in the registry 40. . On the other hand, when performing an ACL difference update or the like, if a description using a wild card and a description not using a wild card are mixed, the operation may be complicated. Therefore, it is necessary to specify ACL differential sending when a wild card is used.

First, the priority of wild cards will be described using, for example, the following descriptions (1) to (3).
(1) point = “http: // GW1 / pointA” Policy = “NG”
(2) point = “http: // GW1 / *” Policy = “OK”
(3) point = “*” Policy = “NG”
When descriptions using wild cards and descriptions not using wild cards coexist, it is determined that the more restrictive, the higher the priority.
In the example of description (1) to (3) above, http: // GW / pointA satisfies all the conditions (1) to (3), but the restriction on the description of (1) is the most. The security management apparatus 50A determines that http: // GW1 / pointB is OK, but http: // GW / pointA is NG.

Next, ACL difference generation when a description using wild cards and a description not using wild cards coexist will be described. When the ACL of each point is generated without excess or deficiency, the security management device 50A sends only the ACL of the point where the update has occurred, so that the differential update is possible. On the other hand, when a description using a wild card and a description not using a wild card are mixed, it is necessary to maintain consistency between the ACL sent by the security management device 50A and the ACL sent differentially. Therefore, when the ACL of NG or OK is always set for the point id = “*” (= all points) and the security management device 50A generates the ACL, the difference from the ACL registered in the registry 40 is calculated. Then, only the calculated difference is sent. Note that, as a default setting on the side of the security management device 50A to be sent, if point id = “*” (= all points) is set as OK or NG, the difference sending may not be performed.

The ACL registered in the registry 40 can be inquired of the registration destination at the time of ACL update. However, the ACL registered last time and the ACL to be generated are confirmed and stored as ACL information that does not need to be sent. By doing so, it may be managed by the security management device 50A. Further, ACLs that are inconsistent and duplicated at the time of previous registration may be added to delete them. Specifically, contradictory and overlapping ACLs can be derived from the following steps.
(I) Add a deletion flag that deletes all ACLs to the existing ACL. (Ii) Add the generated ACL one by one. At this time, the same point (method) as the ACL to which the deletion flag is assigned is specified. If the ACL exists, the ACL deletion flag itself is deleted, that is, the deletion flag is removed.

  As described above, the security management device 50A can reduce ACL management by deleting not only contradictory ACLs but also overlapping ACLs. For example, if the existing ACL * = OK point A = NG and the new ACL is * = NG point B = OK, the security management apparatus 50A adds the new ACL as it is, and * = NG, point A = NG, point B = NG. However, since point A is NG, there is no problem, but since management is complicated, the difference is sent so that registration and deletion such as point A = DC (don't care) are performed.

  Thus, according to the second embodiment of the present invention, the management device (security management device 50A) is component identification information for identifying a component that is a component device of the communication system 1A and data managed by the component. A first access control rule generating unit access control rule that generates a first access control rule in which an access control rule for each group of users is defined for each point based on the correspondence with point identification information for identifying a point Generator 57).

  Thereby, the security management apparatus 50A can set detailed ACL such as ACL setting common to point information starting with http: // GW1, setting a range, setting an AND condition, and the like. Is connected to the communication system 1A, the second access control rule can be generated immediately. As a result, the security management device 50A can update the second access control rule in real time in cooperation with the registry 40.

  In addition, the management device (security management device 50A) includes an information acquisition unit 54 that acquires information for reflecting at least one of addition, change, and deletion of components or points from the resource information management device (registry 40); When the information acquisition unit 54 acquires the information, a correspondence acquisition unit 55 that acquires the correspondence stored in the resource information management device (registry 40) from the resource information management device (registry 40); The access control rule generation unit 57 generates the second access control rule based on the correspondence acquired by the correspondence acquisition unit 55 and the first access control rule.

  The management device (security management device 50A) further includes a distribution unit 58 that distributes the second access control rule generated by the access control rule generation unit 57 to the resource information management device (registry 40). The access control rule and the second access control rule include an access control rule for each method.

  In the management device (security management device 50A), one or both of the first access control rule and the second access control rule includes an access control rule in a method unit, and a method among a plurality of methods. When the information indicating permission of the information and the information indicating permission of all of the plurality of methods are mixed in the access control rule, the most restrictive method among the methods included in the mixed access control rule A certain access control rule is generated with priority.

  In the second embodiment of the present invention, each component controls access according to the second access control rule distributed from the security management device 50A. However, the present invention is not limited to this. The security management device 50A may directly determine whether or not access control of other functional units (for example, components and registries) is possible. In this case, the security management device 50A may hold the access control list without distributing it, and the component, the registry 40, etc. may inquire the security management device 50A every time.

  In the second embodiment of the present invention, an example in which the security management device 50A includes the function of the resource access control device has been described. However, the present invention is not limited to this. For example, the communication system 1A may include the security management device 50 and the resource access control device. In this case, among the functions of the security management device 50A of the second embodiment, the security management device performs the same function as the security management device 50 shown in the first embodiment, and the security management device 50A of the second embodiment. Of these functions, the resource access control apparatus may perform functions other than the functions of the security management apparatus 50 shown in the first embodiment.

  In the second embodiment of the present invention, the security management device 50A distributes the access control list (ACL) to each component. However, the present invention is not limited to this. The communication system 1A further includes a resource access control device (RAM: Resource Access Manager). The resource access control device acquires an access control list from the security management device 50A, and distributes the acquired access control list to each component. Good.

  In the second embodiment of the present invention, the input unit 51 receives the first access control rule, but the first access control rule may be stored in the storage unit 59 in advance. Further, the security management device 50 may obtain the first access control rule from another device.

  Note that a program for executing each process of the security management devices 50 and 50A of each embodiment of the present invention is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into a computer system. By executing, the above-described various processes relating to the security management devices 50 and 50A may be performed.

  Here, the “computer system” may include an OS and hardware such as peripheral devices. Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW system is used. The “computer-readable recording medium” means a flexible disk, a magneto-optical disk, a ROM, a writable nonvolatile memory such as a flash memory, a portable medium such as a CD-ROM, a hard disk built in a computer system, etc. This is a storage device.

  Further, the “computer-readable recording medium” refers to a volatile memory (for example, DRAM (Dynamic) in a computer system serving as a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. Random Access Memory)) that holds a program for a certain period of time is also included. The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

  As mentioned above, although embodiment of this invention was explained in full detail with reference to drawings, a specific structure is not restricted to this embodiment. Each configuration in each embodiment, a combination thereof, and the like are examples, and the addition, omission, replacement, and other changes of the configuration can be made without departing from the spirit of the present invention. Further, the present invention is not limited by the embodiments, and is limited only by the scope of the claims.

DESCRIPTION OF SYMBOLS 1, 1A ... Communication system 11, 12, 13, 14 ... Gateway (GW), 21, 22 ... Storage, 31, 32 ... Application, 40 ... Registry (Resource information management device ), 50, 50A ... security management device (management device), 51 ... input unit, 52 ... communication unit, 53 ... processing unit, 54 ... information acquisition unit 55 ... correspondence relationship Acquisition unit 56 ... Rule acquisition unit 57 ... Access control rule generation unit 58 ... Distribution unit 59 ... Storage unit 60A, 70A ... ACM (access control device) 111 121, 122, 141 ... sensor, 112, 131, 132, 142 ... actuator

Claims (14)

Correspondence between component identification information for identifying a component that is a component of a communication system and point identification information for identifying a point that is data managed by the component, and an access control rule for each group of users is defined for each point. A management apparatus comprising: an access control rule generating unit that generates a second access control rule in which an access control rule for each point belonging to the component is defined for each group of users based on the first access control rule . An information acquisition unit that acquires information for reflecting at least one of addition, change, and deletion of components or points from the resource information management device;
When the information acquisition unit acquires the information, a correspondence acquisition unit that acquires the correspondence stored in the resource information management device from the resource information management device;
Further comprising
The management device according to claim 1, wherein the access control rule generation unit generates the second access control rule based on the correspondence relationship acquired by the correspondence relationship acquisition unit and the first access control rule. The management device according to claim 1, further comprising a distribution unit that distributes the second access control rule generated by the access control rule generation unit to a resource information management device. The management device according to any one of claims 1 to 3, wherein the first access control rule and the second access control rule include an access control rule in a method unit. A communication system comprising a resource information management device and a management device,
The resource information management device
A storage unit in which a correspondence relationship between component identification information for identifying a component that is a component device of a communication system and point identification information for identifying a point that is data managed by the component is stored;
The management device
A correspondence acquisition unit that acquires the correspondence from the resource information management device;
Based on the correspondence acquired by the correspondence acquisition unit and the first access control rule in which the access control rule for each group of users is defined for each point, to each point belonging to the component for each user group An access control rule generation unit for generating a second access control rule in which the access control rule is defined;
A communication system comprising: Correspondence between component identification information for identifying a component that is a component device of the communication system and point identification information for identifying a point that is data managed by the component, and a user group for each point Generating a second access control rule in which an access control rule for each point belonging to the component is defined for each group of users based on the first access control rule in which the access control rule is defined Management method to have. On the computer,
Correspondence between component identification information for identifying a component that is a component of a communication system and point identification information for identifying a point that is data managed by the component, and an access control rule for each group of users is defined for each point. And generating an access control rule generating step for generating a second access control rule in which an access control rule for each point belonging to the component is defined for each group of users based on the first access control rule. Program. Based on the correspondence between the component identification information for identifying the component that is a component device of the communication system and the point identification information for identifying the point that is the data managed by the component, the access control rule for each group of users is determined for each point. A management apparatus comprising: a first access control rule generation unit that generates a predetermined first access control rule. An access control rule generating unit that generates a second access control rule in which an access control rule for each point belonging to the component is defined for each group of users based on the first access control rule;
An information acquisition unit for acquiring information for reflecting at least one of addition, change, and deletion of components or points;
When the information acquisition unit acquires the information, a correspondence acquisition unit that acquires the correspondence stored in the resource information management device from the resource information management device;
Further comprising
The management apparatus according to claim 8, wherein the access control rule generation unit generates the second access control rule based on the correspondence relationship acquired by the correspondence relationship acquisition unit and the first access control rule. A distribution unit that distributes the second access control rule generated by the access control rule generation unit to a resource information management device;
The management device according to claim 8 or 9, wherein the first access control rule and the second access control rule include an access control rule in a method unit. One or both of the first access control rule and the second access control rule include an access control rule on a method basis, and information indicating that a certain method among a plurality of methods is permitted and the plurality of methods When the access control rule includes information indicating that all of the access control rules are mixed, the access control rule having the most restriction among the methods included in the mixed access control rule is generated with priority. The management device according to any one of claims 8 to 10. A communication system comprising a resource information management device and a management device,
The resource information management device
A storage unit in which a correspondence relationship between component identification information for identifying a component that is a component device of a communication system and point identification information for identifying a point that is data managed by the component is stored;
The management device
A correspondence acquisition unit that acquires the correspondence from the resource information management device;
A communication system comprising: a first access control rule generation unit that generates a first access control rule in which an access control rule for each group of users is defined for each point based on the correspondence acquired by the correspondence acquisition unit . Based on the correspondence between the component identification information for identifying the component that is a component device of the communication system and the point identification information for identifying the point that is the data managed by the component, the access control rule generation unit A first access control rule generating step for generating a first access control rule in which an access control rule for each group is defined;
Management method. On the computer,
Based on the correspondence between the component identification information for identifying the component that is a component device of the communication system and the point identification information for identifying the point that is the data managed by the component, the access control rule for each group of users is determined for each point. A program for executing a first access control rule generation step for generating a predetermined first access control rule.

Images