JP4796164B2 - Policy management apparatus and program - Google Patents

Description

  The present invention relates to a policy management apparatus and program for managing policy information, and for example, relates to a policy management apparatus and program capable of autonomously re-editing policy information while restricting the editable range of policy information.

  In recent years, the importance of access control technology that controls actions for specific information and processing based on authority information has increased. In the access control technology, for example, when an action request for personal information or approval processing is received, authority information owned by the action requester (access subject or subject), and an access control rule indicating whether or not the action is permitted for each authority information in advance Alternatively, there is a method for determining whether or not an action can be executed based on an access control policy.

  An access control policy is generally a set of access control rules. As an access control policy, a standard description specification called XACML (eXtensible Access Control Markup Language) has been released and has been widely used. In the XACML specification, as an ancillary element, an obligation element that prescribes an obligation is described. In the responsibility element, it is generally assumed that the content of the responsibility action “must be” is described.

  However, the XACML specification does not stipulate a detailed description of the responsibility elements. In addition, the XACML specification does not stipulate how to handle access control policies when including responsibilities, and how to process evaluation results.

  On the other hand, as an access control method for a document file, there is a method of giving authority information as a security attribute. In this method, for example, authority information for a document file is described in an action permission / inhibition format such as “permission permission” or “edit permission”, and the obtained authority information is assigned to a user. This type of authority information is known as an access control matrix (Access Control Matrix) or an access control list (Access Control List).

  However, in the action availability format, it is difficult to describe detailed and flexible access control contents such as conditions such as permitted access time and access location, and more detailed function restrictions.

  For this reason, in recent years, information in a more flexible description format such as an access control policy or a license has begun to be used. Along with this, allowed conditions and more detailed function restrictions can be described. In general document applications, an access control method of an access control policy format has begun to be adopted.

  For example, in the access control method of the access control policy format, when an access request to a document file is received, it is determined whether or not the document file can be opened, and control such as limiting to a function specified by the access control policy is performed. Execute.

  Normally, policy information such as an access control policy or a license is given only to those having a specific authority. For example, in a company or the like, policy information reflecting company regulations and the like can often be set only by an administrator having specific authority. In recent years, such policy information protection technology and management technology (hereinafter also referred to as policy protection technology) have attracted attention.

  As a conventional policy protection technique, a method of encrypting policy information and a method of controlling access to policy information are known. In this type of policy protection technology, policy information is often managed centrally on a specific server device.

  In particular, in the case of policy information distributed along with data such as document files, the policy information is edited only for those who have authority information or a completely prohibited method that prohibits all policy information editing at the distribution destination. In many cases, the editing of policy information is controlled by an access control method such as an authorized person permission method. The reason is that if policy information can be edited by a person who does not have authority information such as a document operator at the distribution destination, compulsory policy information that should not be edited may be edited.

JP 2006-268464 A

  However, in the above access control method, there is a possibility that exceptional editing of policy information at the distribution destination may be hindered by either the full prohibition method or the authorized person permission method. Examples of exceptional editing here include adding or deleting a document operator who has the authority to open a document file at the distribution destination. If editing of policy information at the distribution destination is hindered, if you want to edit policy information, you need to return the document file to the policy setter (authorized person) of the distribution source and have it redistributed after editing Therefore, there is a possibility of hindering the use of document files.

  In addition, the full prohibition method cannot be adapted to a situation where policy information is desired to be edited. As an example of this situation, there is a situation where it is desired to update the access control content (eg, accessible valid period, etc.) to the document file as the document content is edited. In such a situation, it is preferable that the policy management apparatus autonomously edits the policy information in accordance with the editing of the document contents, rather than the document operator directly editing the policy information.

  Here, it is different from the above-mentioned “automatically edit policy information in accordance with editing of document contents”, but as a related technique, other policy information (binder document access right) can be There is a technique for automatically editing policy information (access rights of an original document) (see, for example, Patent Document 1). However, this technique does not perform access control for access right change (policy information editing), and is not directly related to the access control method described above.

  In any case, it is preferable that the policy management apparatus autonomously edits the policy information in accordance with the editing of the document content. According to the study by the present inventor, the policy management apparatus may autonomously edit document attribute information as well as policy information.

  On the other hand, when the editing of policy information is permitted, it is unclear what mechanism the access control method will be. According to the study of the present inventor, not only the restriction on the editable range for disabling compulsory policy information, but also the edited policy information is autonomously re-edited as intended by the original policy setter. It is thought that a mechanism to do this is necessary.

  For example, when editing to add policy information, not only the process for determining whether policy information can be added, but also the process for setting the expiration date of policy information to be added, and the authority specified by the policy information to be added (allowed) It is presumed that there is a need for a process that restricts the action.

  The present invention has been made in view of the above circumstances, and an object of the present invention is to provide a policy management apparatus and program capable of autonomously re-editing policy information while restricting the editable range of policy information.

  Another object of the present invention is to provide a policy management apparatus and program capable of autonomously editing document attribute information while restricting the editable range of policy information.

  A first aspect of the present invention is a policy management apparatus that is connected to a document file storage unit that stores a document file including policy information and manages addition and deletion of policy elements in the policy information. A rule element including an operator ID as an access subject attribute value corresponding to the permission, a policy addition destination ID as a resource attribute value and a policy addition as an action attribute value, and a responsible action attribute value corresponding to the permission Policy addition based on policy template information, the first responsibility element including the policy addition destination ID as the responsibility resource attribute value, and control policy addition based on the responsibility policy attribute value corresponding to the permission, policy policy addition, responsibility A second responsibility element including a control policy addition destination ID as a resource attribute value and the policy addition destination ID Policy storage means for storing policy information comprising a policy addition destination policy set element and a control policy addition destination policy set element including the control policy addition destination ID, and a policy from the document file in the document file storage means Policy element including means for extracting information and writing the policy information to the policy storage means, an operator ID as an access subject attribute value, a policy addition destination ID as a resource attribute value, and a policy addition as an action attribute value First request receiving means for receiving an input of an addition request, and policy information in the policy storage means in response to the policy element addition request, and an operator ID and resource attribute value as an access subject attribute value A policy evaluation request including a policy addition destination ID as a policy addition value and a policy addition as an action attribute value is created. Upon receipt of the policy evaluation request and the first policy request creation means for transmitting the acquired policy information, and the policy evaluation request and policy information transmitted, the access subject attribute value, the resource attribute value in the policy evaluation request, and The policy element addition request is permitted when the action attribute value is compared with the access subject attribute value, the resource attribute value, and the action attribute value in the rule element of the policy information, and the comparison result indicates a match. If the evaluation result by the first policy evaluation unit and the first policy evaluation unit is permission, first and second responsibility elements corresponding to the permission are extracted from the policy information, and the evaluation result, First evaluation result sending means for sending evaluation result information including the first and second responsibility elements, and analyzing presence / absence of responsibility elements in the evaluation result information, When there are first and second responsibility elements in the evaluation result information, first responsibility execution request sending means for sending a duty execution request including the first and second responsibility elements, and in the responsibility execution request A target element including an initial value of a new operator ID as an access subject attribute value and an operation name as an action attribute value based on policy template information held in advance according to the action attribute value in the first responsibility element, and a target As a rule element including a policy expiration date corresponding to the case where the evaluation result by the element is permitted, and as a new policy element ID and control policy element ID and action attribute values as resource attribute values corresponding to the result after the policy expiration date A new policy element generating means for generating a new policy element having the third responsibility element including the policy deletion of the policy and the new element policy ID, and in the responsibility execution request 2 In accordance with the responsibility action attribute value in the responsibility element, based on the control policy template information stored in advance, the operator ID as the access subject attribute value, the new element policy ID as the resource attribute value, and the initial as the action attribute value A fourth policy element including a rule element including a value update, a new policy element ID as a resource attribute value corresponding to a case where the evaluation result by the rule element is permitted, and an update of the initial value as an action attribute value A control policy element generating means for generating a control policy element having the control element policy ID, a policy element adding means for adding the generated new policy element and control policy element to the policy information, and an access subject The operator ID as the attribute value, the new policy element ID as the resource attribute value, and the initial value as the action attribute value A second request receiving means for receiving an input of a policy element update request including new, an operator ID as an access subject attribute value, a new policy element ID as a resource attribute value, in response to the policy element update request, and A policy evaluation request including update of the initial value as an action attribute value, a second evaluation request generating means for transmitting the policy evaluation request and the acquired policy information, the transmitted policy evaluation request, and When the policy information is received, the access subject attribute value and the action attribute value in the policy evaluation request and the access subject attribute value, the resource attribute value, and the action attribute value in the target element in the control policy element of the policy information are mutually A second policy evaluation unit that evaluates the policy element update request as permitted when the comparison results indicate a match; When the evaluation result by the second policy evaluation means is permission, the fourth responsibility element corresponding to the permission is extracted from the policy information, and evaluation result information including the evaluation result and the fourth responsibility element is transmitted. Analyzing the second evaluation result sending means and the presence / absence of a responsibility element in the evaluation result information, and if there is a fourth responsibility element in the evaluation result information, a responsibility execution request including the fourth responsibility element And an initial value of the operator ID as the access subject attribute value of the new policy element, based on the second responsibility execution request sending means for sending the action attribute value in the fourth duty element in the duty execution request New policy element updating means for updating, third request accepting means for accepting an input of an operation request including an operator ID as an access subject attribute value, and an operation name as an action attribute value; Then, a policy evaluation request including the operator ID as the access subject attribute value and the operation name as the action attribute value is generated, and the policy evaluation request and the third policy request generating means for transmitting the acquired policy information are transmitted. When the transmitted policy evaluation request and policy information are received, the access subject attribute value and action attribute value in the policy evaluation request, and the access subject attribute value and action in the target element in the new policy element of the policy information When the attribute values are compared with each other, and the comparison results indicate coincidence, the third policy evaluation unit that evaluates the operation request as permitted, and the evaluation result by the third policy evaluation unit is permitted The document file corresponding to the policy information corresponding to the permission is read from the document file storage means, and the display of the document file is executed. When the evaluation result by the display means and the third policy evaluation means is permission, the third responsibility element corresponding to the permission is extracted from the policy information, and the evaluation result including the evaluation result and the third responsibility element A third evaluation result transmitting means for transmitting information, and the presence / absence of a responsibility element in the evaluation result information are analyzed, and if there is a third responsibility element in the evaluation result information, the third responsibility element is included. A third duty execution request sending means for sending a duty execution request, and based on the action attribute value in the third duty element in the duty execution request, the policy expiration date and the current date and time information are compared; A policy element deleting unit that deletes the new policy element and the control policy element from the policy information based on the third responsibility element when the current date and time information has passed the policy expiration date; It is a policy management device.

  According to a second aspect of the present invention, there is provided a document storage unit that stores a document file including content information, document attribute information, and policy information, and the document file is edited by changing the state of the document file by editing the document file. A policy management apparatus connected to document editing means for sending a state change notification including file designation information, state change information indicating the state change and an operator ID, and corresponds to permission of a policy evaluation request Rule elements including an operator ID as an access subject attribute value, a policy set element ID as a resource attribute value, and a policy view as an action attribute value, and duty execution as a duty subject attribute value corresponding to rejection of a policy evaluation request Subject ID, a value indicating document attribute information as a responsible resource attribute value, a change of document attribute information as a responsible action attribute value, a responsibility A policy storage unit for storing policy information including a responsibility element including a changed value as a supplemental attribute value and a policy set element including the policy set element ID; and a document file from the document storage unit. Policy information is extracted from the document file in the middle of being read by the document editing means, and the policy extraction means for writing the policy information to the policy storage means. When the state change notification is detected, the state change in the state change notification is detected. Information and a predetermined specific state change information, and when the two match, an event information sending means for sending a state change notification including the matched state change information as event information, and this event information Based on the operator ID as the access subject attribute value and the document file corresponding to the specified information as the resource attribute value. A policy evaluation request including a policy set element ID and policy browsing as an action attribute value in the policy information in the policy information, and a means for sending the policy evaluation request and the policy information in the policy storage means, and the policy evaluation request Receiving the policy information, means for acquiring document attribute information of the document file from the document editing means, and obtaining the policy evaluation request, the policy information and the document attribute information, and then the access subject in the policy evaluation request When the attribute value, resource attribute value, and action attribute value are compared with the access subject attribute value, resource attribute value, and action attribute value in the rule element of the policy information, respectively, and the comparison results indicate matching The policy evaluation request is evaluated as allowed, and if any of the comparison results indicate a mismatch, the policy evaluation request is evaluated as rejected. Means for sending out evaluation result information including the evaluation result indicating rejection and the responsibility element corresponding to the evaluation result, and document attribute information, and whether or not the responsibility element is included in the evaluation result information If the responsibility element is included in the evaluation result information, the responsibility execution entity ID as the responsibility entity attribute value, the value indicating the document attribute information as the resource attribute value, and the document attribute information as the action attribute value A means for sending a duty execution request including a duty element having a change and a changed value as a duty supplement attribute value and document attribute information; and upon receiving the duty execution request and the document attribute information, Means for determining the responsibility execution entity indicated by the responsibility execution entity ID as the responsibility entity attribute value included in the responsibility element in the execution request as the transmission destination of the responsibility execution request, and the responsibility execution request including this responsibility element When receiving the responsibility execution request and the document attribute information, the document attribute information is edited based on the responsibility element in the responsibility execution request. Sending the edited document attribute information to the document editing means, overwriting the document attribute information in the document file being displayed by the document editing means with the edited document attribute information; Means for sending an obligation completion notification indicating completion of editing of the document attribute information after sending the document attribute information; and means for notifying the document editing means that the policy browsing request is rejected upon receiving the duty completion notice. Is a policy management device.

  In addition, although each above aspect described the case where it represented as an apparatus, you may express as a storage medium which stored not only this but the method, the program, and the program.

(Function)
In the first aspect, the policy management apparatus acquires policy information and creates a policy evaluation request in response to a policy element addition request including each attribute value that restricts the editable range of the policy information. Based on the policy evaluation request and the policy information, the policy element addition request is evaluated as permitted or denied, the first and second responsibility elements corresponding to the permission are extracted from the policy information, and a new policy element is generated according to the first responsibility element. The control policy element is generated according to the second responsibility element, and the new policy element and the control policy element are added to the policy information. The policy management apparatus autonomously re-edits the policy information so that the new policy element and the control policy element are deleted from the policy information when the current date and time information has passed the policy expiration date.

  Therefore, in the first aspect, the policy information can be autonomously edited while restricting the editable range of the policy information.

  In the second aspect, a policy evaluation request including each attribute value that restricts the editable range of policy information is sent based on the event information based on the state change notification sent from the document editing means. Create and send out this policy evaluation request and policy information. Upon receipt of this policy evaluation request and policy information, the document attribute information of the document file is acquired from the document editing means, and the policy evaluation request is permitted based on the policy information. Evaluate the rejection, send the evaluation result information indicating the rejection and the evaluation result information including the responsibility element corresponding to the evaluation result, and the document attribute information, edit the document attribute information based on the responsibility element, The document attribute information is sent to the document editing means, and the document attribute information in the document file being displayed by the document editing means is overwritten with the edited document attribute information. , Autonomously edit the document attribute information.

  Therefore, in the second aspect, document attribute information can be edited autonomously while restricting the editable range of policy information.

  As described above, according to the present invention, policy information can be autonomously re-edited while restricting the editable range of policy information. Further, the document attribute information can be edited autonomously while restricting the editable range of the policy information.

It is a schematic diagram which shows the structural example of the utilization terminal to which the policy management apparatus which concerns on the 1st Embodiment of this invention was applied. It is a schematic diagram which shows the other structural example of the utilization terminal in the embodiment. It is a schematic diagram which shows the structural example of the document file in the embodiment. It is a schematic diagram which shows the structural example of the policy file in the same embodiment. It is a schematic diagram which shows the function structure of the policy management apparatus in the embodiment. It is a sequence diagram for demonstrating the browsing refusal and deletion operation | movement of the policy element in the embodiment. It is a sequence diagram for demonstrating the browsing refusal and deletion operation | movement of the policy element in the embodiment. It is a schematic diagram which shows the structural example of the policy evaluation request | requirement in the embodiment. It is a schematic diagram which shows the structural example of the policy information in the same embodiment. It is a schematic diagram which shows the structural example of the policy information in the same embodiment. It is a schematic diagram which shows the structural example of the policy information in the same embodiment. It is a sequence diagram for demonstrating the addition operation | movement of the policy element in the embodiment. It is a sequence diagram for demonstrating the addition operation | movement of the policy element in the embodiment. It is a schematic diagram which shows the structural example of the policy evaluation request | requirement in the embodiment. It is a schematic diagram which shows the structural example of the policy information in the same embodiment. It is a schematic diagram which shows the structural example of the policy information in the same embodiment. It is a schematic diagram which shows the structural example of the policy information in the same embodiment. It is a schematic diagram which shows the structural example of policy template information in the embodiment. It is a schematic diagram which shows the structural example of policy template information in the embodiment. It is a schematic diagram which shows the structural example of the policy template element in the embodiment. It is a schematic diagram which shows the structural example of the policy template element in the embodiment. It is a schematic diagram which shows the state with the policy file in the same embodiment. It is a schematic diagram which shows the operation | movement which adds a policy element from a certain state of the policy file in the embodiment. It is a schematic diagram which shows the operation | movement which deletes the policy element added to the policy file in the same embodiment. It is a schematic diagram which shows the structural example of the utilization terminal to which the policy management apparatus which concerns on the 2nd Embodiment of this invention was applied. It is a schematic diagram which shows the other structural example of the utilization terminal in the embodiment. It is a schematic diagram which shows the function structure of the policy management apparatus in the embodiment. It is a sequence diagram for demonstrating the browsing operation | movement of the policy element in the embodiment. It is a sequence diagram for demonstrating the browsing operation | movement of the policy element in the embodiment. It is a sequence diagram for demonstrating the edit operation | movement of the document attribute information in the embodiment. It is a sequence diagram for demonstrating the edit operation | movement of the document attribute information in the embodiment.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. Note that this user terminal can be implemented in either a hardware configuration or a combination configuration of hardware resources and software. As the software of the combined configuration, a program that is installed in advance on a computer of a corresponding device from a network or a storage medium and that realizes the function of the corresponding device is used.

(First embodiment)
1 and 2 are schematic diagrams illustrating a configuration example of a user terminal to which the policy management apparatus according to the first embodiment of the present invention is applied. As shown in FIG. 1, the user terminal 1 includes an operating system unit 2, a document file storage unit 3, and a policy management device 4 as functional blocks. As shown in FIG. 2, such a use terminal 1 may be realized by including a storage unit 5 as hardware resources, an input unit 6, a CPU 7, and an output unit 8.

  Here, the operating system unit 2 represents a normal OS (Operating System) as a functional block, and can be realized by the CPU 7 executing the operating system 2p as a program stored in the storage unit 5. ing.

  The document file storage unit 3 is a storage area that can be read / written from the operating system unit 2 and the policy management device 4, and can be realized as a part of the storage unit 5. The document file storage unit 3 stores the policy file fp as electronic data. The document file fd to be included is stored.

  The policy management device 4 is for managing policy information obtained from the policy file fp in the storage unit 5, and is realized by the CPU 7 executing the policy management program 4 p as a program stored in the storage unit 5. It is possible. Details of the policy management device 4 will be described later.

  The storage unit 5 is a storage device that can be read / written from each of the units 6 to 8, and stores an operating system 2p, a policy management program 4p, a policy file fp, and a document file fd.

  As shown in FIG. 3, the document file fd includes content information fdc indicating the content of the document, and document attribute information fda indicating the structure and media type of the document. For example, in the Open Document Format format which is a standard office document format standard, the document attribute information fda is included in an XML format file. Further, the document attribute information fda is not limited to the document structure and media type, and may include information such as a document status indicating a document state such as an initial distribution state or a post-editing state, or a last updated person. In the present embodiment, a policy file fp is included as one of such document attribute information fda. However, the policy file fp is not limited to the format included in the document file fd as described above, and may be a single file format. Note that the policy information handled by the policy management apparatus 4 is intended for materialization as a policy file, but may be policy information as an object arranged in the storage unit 5 or the like. The policy information may be expressed as a plurality of policy files and objects. The notation “policy information” refers to information expressed in the policy file fp. Further, “element” in the policy information may be read as “element information”. For example, the responsibility element may be read as responsibility element information.

  The policy file fp includes one or more policy set elements eps10 and eps13 as shown in FIG.

  The one or more policy set elements eps10 and eps13 include one or more policy elements ep11 to ep13. The policy set element eps10 may include another policy set element eps13.

  The policy elements ep11 to ep13 include one or more rule elements er11 to er13, and may include one or more obligation elements eo11a, eo11b, and eo13.

  In policy elements ep11 to ep13, access control contents including a plurality of elements are described in an arbitrary description language. Here, an example using the XACML V2.0 format, which is a standard policy description language, will be described as a description language. Hereinafter, the policy description example refers to the XACML V2.0 format, but description of information not related to the policy description (eg, name space, data type, etc.) is omitted. This embodiment refers to the XACML V2.0 format, but uses unique definitions for some elements and attributes.

  As the element information of the access control content, for example, “subject”, “action”, “resource”, “environment” and the like can be mentioned. “Subject” indicates the subject of access execution, and “action” indicates the action content of access execution. “Resource” indicates an object of access execution, and “environment” indicates an environment of access execution.

  In the policy elements ep11 to ep13, part or all of such element information may be described in the rule elements er11 to er13.

  The policy management device 4 uses a rule element, a policy element (including a set of rule elements), or a policy set element (including a set of policy elements) in the policy information ip to generate a policy browsing request, a policy element addition request, etc. It is determined whether or not the requested access conforms to the policy information ip, and the effect (“Permit” or “Deny” etc. specified in the conforming rule element, policy element or policy set element) ) As a determination result, a function for selecting an obligation element in policy information ip based on the determination result, and a function for executing an obligation to edit each element in policy information based on the selected responsibility element I have.

  “Obligation” elements eo11a, eo11b, and eo13 describe the responsibilities associated with the determination results. These obligation elements eo11a, eo11b, and eo13 are used as elements that express autonomous editing of policy information. The

  Next, the functional configuration of the policy management device 4 will be described. As shown in FIG. 5, the policy management apparatus 4 includes a user interface unit 41, a policy execution unit 42, a policy operation unit 43, a policy storage unit 43a, a policy evaluation unit 44, a duty management unit 45, a policy addition duty execution unit 45a, Each function unit includes a policy deletion responsibility execution unit 45b, a policy editing responsibility execution unit 45c, an encryption processing unit 46, a key management unit 46a, a user authentication unit 47, and an authentication information storage unit 47a.

  Here, the user interface unit 41 receives from the policy execution unit 42 a function for sending an operation request for requesting an operation such as browsing or editing of policy information to the policy execution unit 42 by the operation of the operator U. And an interface function unit including a function for displaying and outputting an operation result. As a function of sending an operation request to the policy execution unit 42, for example, a policy element addition request including an operator ID as an access subject attribute value, a policy addition destination ID as a resource attribute value, and a policy addition as an action attribute value A policy element update request including a function of accepting an input of an operator, an operator ID as an access subject attribute value, a new policy element ID as a resource attribute value, and an update of an initial value of the operator ID as an action attribute value And the function to accept.

  The policy execution unit 42 is a function unit that requests a policy evaluation from the policy evaluation unit 44 based on an operation request received from the user interface unit 41, and a function unit that controls a policy operation request according to the result of the policy evaluation. . At this time, if the policy evaluation result includes a responsibility element indicating that policy editing is to be performed, a responsibility execution request is transmitted to the responsibility management unit 45. The policy execution unit 42 also executes control of events and data in the policy management device 4. That is, the policy execution unit 42 has a function of executing an instruction to each functional unit and a function of transferring data necessary for processing. However, the policy execution unit 42 may be omitted and a direct call may be made between the other functional units.

  The policy execution unit 42 requests policy evaluation by, for example, acquiring policy information in the policy storage unit 43a in response to a policy element addition request received from the user interface unit 41, and an access subject attribute. A policy evaluation request including an operator ID as a value, a policy addition destination ID as a resource attribute value, and a policy addition as an action attribute value is created, and the policy evaluation request and the acquired policy information are sent to the policy evaluation unit 44 In response to the policy element update request, the function to be sent includes the operator ID as the access subject attribute value, the new policy element ID as the resource attribute value, and the update of the initial value of the operator ID as the action attribute value It has a function of creating a policy evaluation request and transmitting the policy evaluation request and the acquired policy information. Further, in the policy execution unit 42, as a function of executing an instruction to each functional unit and a function of transferring data necessary for processing, for example, the presence / absence of a responsible element in the evaluation result information received from the policy evaluation unit 44 If there is a responsibility element in the evaluation result information, a responsibility execution request including the responsibility element is transmitted to the responsibility management unit 45.

  The policy operation unit 43 is a functional unit that performs operations on policy information such as browsing and editing policy information. The example of the present embodiment includes a process of extracting the policy file fp from the document file fd and converting it into policy information. Similarly, it includes processing for generating a policy file fp from policy information and including it in the document file fd. At this time, the converted policy information may be temporarily stored as policy information in the policy storage unit 43a in the policy management device 4 by the policy operation unit 43.

  The policy storage unit 43a is a storage device that can be read / written from each of the units 42 to 45 and 45a to 45c. For example, an operator ID as an access subject attribute value corresponding to permission of a policy evaluation request, and a resource attribute value Policy addition destination ID and policy addition as an act attribute value, policy addition based on new policy template information as an obligation action attribute value corresponding to permission, policy addition destination ID as an obligation resource attribute value, The second responsibility element including the first responsibility element including the control policy addition based on the control policy template information as the responsibility action attribute value corresponding to the permission, the control policy addition destination ID as the responsibility resource attribute value, and the policy addition Policy addition destination policy set element including the destination ID and control policy addition destination policy set including the control policy addition destination ID It is used to store policy information and a component. Details of the policy information will be described later.

  The policy evaluation unit 44 is a functional unit that executes policy evaluation using a policy evaluation request and policy information. In the example of the present embodiment, processing for evaluating the above-described policy information in the XACML V2.0 format is executed. Note that the processing described in the present embodiment is executed for the expression format expanded in the present embodiment, specifically, the responsibility expression. As processing for evaluating policy information, for example, when a policy evaluation request and policy information sent by the policy execution unit 42 are received, an access subject attribute value, resource attribute value and action attribute value in the policy evaluation request, A function that evaluates a policy element addition request as permission when the access subject attribute value, the resource attribute value, and the action attribute value in the rule element of the policy information are compared with each other, and the comparison results indicate a match, and When the result is permission, each responsibility element corresponding to this permission is extracted from the policy information, and the evaluation result and the evaluation result information including each responsibility element are transmitted to the policy execution unit 42.

  The responsibility management unit 45 is a functional unit that controls the responsibility execution units 45a to 45c. Specifically, the responsibility management unit 45 has a function of executing instructions to the responsibility execution units 45a to 45c and a function of passing data necessary for processing. Yes. As these instruction execution function and data transfer function, for example, based on the responsibility subject attribute value of the responsibility element in the responsibility execution request received from the policy execution unit 42, the responsibility execution request is sent to any of the responsibility execution units 45a to 45c. The function to send to is included. Note that the function may be omitted and a direct call may be made to the responsibility execution units 45a to 45c. In addition, a registration function or the like may be included so that the duty execution units 45a to 45c can be used on the apparatus. Next, each responsibility execution part 45a-45c is described.

  The policy addition responsibility execution unit 45a adds a policy element in the policy information based on the duty execution request received from the duty management unit 45. For example, the action attribute in the first duty element in the duty execution request Based on the policy template information stored in advance, the target element including the initial value of the new operator ID as the access subject attribute value, the file opening as the action attribute value, and the evaluation result by the target element are permitted. A rule element including a policy expiration date corresponding to the case, a new policy element ID and a control policy element ID as resource attribute values corresponding to a result after the policy expiration date, and a policy deletion as an action attribute value A function for generating a new policy element having a third responsibility element and a new element policy ID, and a responsibility action attribute in the second responsibility element in the responsibility execution request A rule element including an operator ID as an access subject attribute value, a new element policy ID as a resource attribute value, and an initial value update as an action attribute value based on control policy template information held in advance based on the value A fourth policy element including a new policy element ID as a resource attribute value and an update of an initial value as an action attribute value corresponding to a case where the evaluation result by the rule element is permitted, and a control element policy ID A function for generating the control policy element and a function for adding the generated new policy element and control policy element to the policy information. “File open” is an example of an action attribute value. Needless to say, the action attribute value is not limited to a file open, and any operation name such as file duplication, file content printing, and file deletion can be used. Yes. Accordingly, it goes without saying that an arbitrary operation request can be used for a file read request (= file open request) described later. In other words, “open file as action attribute value” can be expanded or generalized to “operation name as action attribute value”, and “file read request” can be expanded or generalized to “operation request (= operation name request)”. Possible.

  The policy deletion responsibility execution unit 45b deletes the policy element in the policy information based on the duty execution request received from the duty management unit 45. For example, the action in the third duty element in the duty execution request Based on the attribute value, the policy expiration date is compared with the current date and time information, and if the current date and time information has passed the policy expiration date, the new policy element and the control are controlled based on the third responsibility element. It has a function to delete policy elements from policy information.

  The policy editing responsibility execution unit 45c edits the policy element in the policy information based on the duty execution request received from the duty management unit 45. For example, the action in the fourth duty element in the duty execution request It has a function of updating the initial value of the operator ID as the access subject attribute value of the new policy element based on the attribute value.

  The cryptographic processing unit 46 is a functional unit that executes generation and verification of a digital signature and decryption of encrypted data. This functional part is a functional part mainly for protecting the confidentiality and integrity of document information and policy information, and is a supplementary functional part.

  The key management unit 46 a is a functional unit that manages information such as an encryption key, a digital signature generation key, and a digital signature verification key that are used by the cryptographic processing unit 46. Part. That is, the encryption processing unit 46 and the key management unit 46a may be omitted. The key management unit 46a may be implemented as an external device of the device such as a smart card.

  The user authentication unit 47 is a functional unit that authenticates a user when a request is generated from the user via the user interface unit 41 by a user such as the operator U. This function unit is a function unit for acquiring information (in this case, an access subject attribute value) related to an operator used when the policy evaluation unit 44 performs policy evaluation. If not required for policy evaluation, the user authentication unit 47 may be omitted. The user authentication unit 47 acquires identity information including an authentication element that is a basis for authenticating the user from the authentication information storage unit 47a. Usually, the identity information includes user identification information, an authentication factor, other user attribute information (such as authority held by the user), and the like. The user authentication unit 47 and the authentication information storage unit 47a may be implemented as external devices of the device. For example, it is conceivable to use an existing authentication device such as a user authentication server device.

  Next, the operation of the policy management apparatus 4 configured as described above will be described.

(Policy element browsing and deletion operations: FIGS. 6 and 7)
In this operation, the policy management apparatus 4 is operated by the operator U, and the policy information ip browsing process is executed. The policy information ip defines restrictions on the operator U who can browse. Details will be described below.

  [Step ST1] In the policy management apparatus 4, a user authentication request including the operator ID “USER01” and an authentication factor (eg, a password) is input to the user interface unit 41 by the operation of the operator U. The user interface unit 41 sends this user authentication request to the user authentication unit 47 via the policy execution unit 42. Note that the user interface unit 41 may transmit / receive data to / from the user authentication unit 47 without using the policy execution unit 42.

  Based on this user authentication request, the user authentication unit 47 executes user authentication while referring to the authentication information storage unit 47a, and sends an authentication result indicating success or failure to the user interface unit 41 via the policy execution unit 42. Send it out. In the case of an authentication result indicating failure, the user interface unit 41 terminates the process, so the case of an authentication result indicating success will be described below.

  [Step ST2] The user interface unit 41 displays and outputs an authentication result indicating success.

  [Step ST3] In the user interface unit 41, the designation information of the document file fd as the resource attribute value is input in accordance with the operation of the operator U, so that the operator ID “USER01” used for user authentication and the input The policy browsing request including the designated information to be processed is input. However, when the user authentication in steps ST1 and ST2 is omitted, the user interface unit 41 also inputs the operator ID “USER01” as the access subject attribute value in the operation of step ST3.

  Here, as the specification information of the document file fd, for example, path information indicating the position of the document file fd can be used. The policy browsing request may be read as a policy read request, a policy display request, or a policy output request.

  [Step ST4] The user interface unit 41 sends the policy browsing request and the operator ID to the policy execution unit 42.

  [Step ST5] Upon receiving the policy browsing request and the operator ID, the policy executing unit 42 sends out the policy browsing request to the policy operating unit 43 among the policy browsing request and the operator ID.

  [Steps ST6 to ST7] Based on the policy browsing request, the policy operation unit 43 extracts the policy file fp from the document file fd in the document file storage unit 3, and converts the policy file fp into policy information ip. For example, when the document file fd or the policy file fp is protected by encryption or digital signature, the policy operation unit 43 activates the encryption processing unit 46 via the policy execution unit 42, and The encryption processing unit 46 performs decryption, digital signature verification, and the like. The processing in the encryption processing unit 46 may be in accordance with processing of a general encryption method and digital signature method. As a result, the policy information ip as the decrypted policy file fp or the policy information ip as the policy file fp when the verification result is valid is acquired. When decryption and verification are not required, the extracted policy file fp becomes the policy information ip as it is.

  In any case, the policy operation unit 43 temporarily writes the acquired policy information ip in the policy storage unit 43a.

  [Step ST8] The policy operation unit 43 sends the policy information ip in the policy storage unit 43a to the policy execution unit 42.

  [Step ST9] Upon receiving this policy information ip, the policy execution unit 42 creates a policy evaluation request which is a request for determining whether or not the policy information ip can be read (viewed). As shown in FIG. 8, the policy evaluation request includes an access subject attribute value “USER01” indicating the operator U as the access subject “Subject” that has input the policy browsing request, and a resource indicating the access target as the resource “Resource”. The attribute value “PolicySetId-00001” and the action attribute value indicating the requested action “action” (here, “read”) are included. As the resource attribute value indicating the access target, the identification information “PolicySetId-00001” indicating the policy set (PolicySet) element positioned at the top of the elements constituting the policy information ip to be accessed is used. The access subject attribute value, resource attribute value, and action attribute value are, in detail, the value of the attribute value (AttributeValue) element that the access subject element has, the value of the attribute value element that the resource element has, and the attribute value element that the action element has Each is described as a value.

  [Step ST10] The policy execution unit 42 sends the created policy evaluation request and the requested policy information ip to the policy evaluation unit 44.

  [Step ST11] The policy evaluation unit 44 evaluates whether to permit or reject the policy browsing request according to whether or not the policy evaluation request matches the policy information ip, and obtains an evaluation result.

  For example, the policy information ip shown in FIGS. 9 to 11 includes an access subject attribute value “USER01”, a resource attribute value “PolicySetId-00001”, and an action attribute value “read”. These access subject attribute values “USER01”, When the resource attribute value “PolicySetId-00001” and the action attribute value “read” respectively match the access subject attribute value, the resource attribute value, and the action attribute value in the policy evaluation request, there is a certain validity for the operator U “USER01”. If it is within the period (2008-04-01 T12: 00: 00.910000000 + 09: 00), it indicates that browsing of the policy set element having the policy set ID-00001 is permitted (Permit). In this example, the operator U “USER01”, the policy set ID-00001, and the reading (read) were matched, but the validity period (2008-04-01 T12: 00: 00.910000000 + 09: 00) Suppose that it did not fit.

  Accordingly, the policy evaluation unit 44 evaluates that the policy evaluation request does not conform to the policy information ip, and obtains information “Deny” shown in the result (Effect) of the policy information ip as an evaluation result. . The evaluation result is expressed by information such as “Permit” or “Deny” or similar information. Further, an obligation element in the policy information ip is attached to the evaluation result. In the example shown in FIGS. 9 to 11, when the evaluation result in the policy element or policy set element in which the responsibility element is arranged matches the execution (FulfillOn) attribute value (in this example, “Deny”), the responsibility element is evaluated. Attached to the results.

  Thereafter, the policy evaluation unit 44 responds to the policy execution unit 42 with the evaluation result information including the evaluation result “Deny” and the responsibility element.

  When the evaluation result indicates “Permit”, the policy execution unit 42 displays the policy information ip on the user interface unit 41. Here, however, the evaluation result indicates “Deny”. The process proceeds to step ST12 without displaying the policy information ip.

  In addition, when it is desired to restrict the browsing of the details of the policy information ip (the constituent elements of the policy information ip, the value of the attribute value element, the structure of the child elements possessed by each constituent element, etc.), In the displayed state, the user interface unit 41 may be prompted to input a detailed browsing request for the policy information ip. In that case, a policy element or rule element having a value corresponding to the details of each policy information ip as a value of an attribute value (AttributeValue) element of the resource element may be similarly defined.

  [Steps ST12 to ST13] As illustrated in FIG. 7, the policy execution unit 42 analyzes whether or not the responsibility element is included in the evaluation result information. If the responsibility element is included in the evaluation result information, the responsibility element The responsibility execution request including “” is sent to the responsibility management unit 45. As this responsibility element, any element can be used, but here, as an example, it is assumed that a responsibility element expressing that the policy information ip is deleted is used.

  In the policy information ip shown in FIGS. 9 to 11, as described above, the operator U “USER01” is permitted to view the policy set element “PolicySet-00001” within a certain valid period. It is expressed as a Target element that is a child element of the policy element. The valid period is indicated by a rule element having a rule ID (RuleId) attribute value “Rule-00001”. In addition, the rule element whose rule ID attribute value is “Rule-00002” indicates that browsing other than the valid period is rejected. Further, the responsibility element eo indicates that the policy element (Policy-00001) is deleted when the valid period has passed.

  In this responsibility element eo, “DeletePolicyObligationService” is defined in the action execution subject (the responsibility-subject attribute value of the AttributeAssignment element). The value indicating the action subject is an example of an identification name indicating the policy deletion responsibility execution unit 45b.

  In addition, "delete policy" is specified in the action content of the obligation execution (the attribute action attribute attribute value of the AttributeAssignment element), and the object of the obligation execution action (the attribute resource attribute (obligation-resource) attribute value) ) Shows the identification information of the target policy element. In this example, a policy ID (PolicyId) attribute that is an attribute of a policy element is used, and “PolicySet-00001” is shown as the attribute value. In other words, the responsibility element eo indicates the responsibility that the policy deletion responsibility execution unit 45b deletes the policy information ip of “PolicySet-00001”.

  [Step ST14] Upon receiving the responsibility execution request including this responsibility element, the responsibility management unit 45 determines that the responsibility execution request is sent to the policy deletion responsibility execution unit 45b based on this responsibility element.

  [Step ST15] After that, the duty management unit 45 sends a duty execution request including this duty element to the policy deletion duty execution unit 45b.

  [Steps ST16 to ST17] Upon receiving the responsibility execution request including this responsibility element, the policy deletion responsibility execution unit 45b deletes the policy element corresponding to “PolicySet-00001” based on this responsibility element. Thereby, the policy management apparatus 4 can autonomously delete the elements of the policy information ip that are no longer used without making the operator U aware of it.

  [Step ST18] After that, the policy deletion responsibility execution unit 45b sends an obligation completion notification indicating policy deletion to the responsibility management unit 45.

  [Step ST19] The responsibility management unit 45 sends this responsibility completion notification to the policy execution unit 42.

  [Step ST20] Upon receiving this responsibility completion notification, the policy execution unit 42 notifies the user interface unit 41 that the policy browsing request is rejected.

  [Step ST21] Upon receiving this notification, the user interface unit 41 displays that the policy browsing request has been rejected and notifies the operator U of it.

(Policy element addition and editing operations: FIGS. 12 and 13)
Next, an operation for adding a policy element to the policy information ip will be described. This operation is executed when the operator U adds a new document operator or the like. At this time, the addition range is not permitted, but the addition range is restricted. In this operation, it is assumed that the policy execution unit 42 has already acquired the policy information ip by the above-described operation.

  [Step ST31] In the user interface unit 41 of the policy management apparatus 4, a policy element addition request for requesting to add a policy element to a specific policy set element is input by an operation of the operator U. . Specifically, this policy element addition request includes “USER01 (operator ID)” as an access subject attribute value, “PolicySetId-00005 (policy addition destination ID)” as a resource attribute value, and “ add policy ". For convenience of explanation, the policy element to be added here is referred to as a new policy element.

  [Step ST32] The user interface unit 41 sends this policy element addition request to the policy execution unit 42.

  [Step ST33] Upon receiving the policy element addition request, the policy execution unit 42 creates a policy evaluation request, which is a request for evaluating whether or not the policy element addition request is possible, in the same manner as described above. The policy evaluation request created here includes an access subject attribute value “USER01”, a resource attribute value “PolicySetId-00005”, and an action attribute value “add policy” as shown in FIG. In this policy evaluation request, the resource attribute value specifies the policy set element “PolicySetId-00005” to which the policy element is added (PolicySetId attribute value of the PolicySet element). The action attribute value specifies an action (add policy) for adding a policy element.

  [Step ST34] The policy execution unit 42 sends the created policy evaluation request and the already acquired policy information ip to the policy evaluation unit 44.

  The policy evaluation unit 44 evaluates whether or not the policy evaluation request matches the policy information ip, and obtains an evaluation result. For example, as shown in FIG. 15 to FIG. 17, the policy information ip includes one policy set element “PolicySet-00002”, the first to third policy set elements “PolicySet-00003”, “PolicySet-00004”, “ PolicySet-00005 ”is included. The first policy set element “PolicySet-00003” includes one policy element “Policy-00002”. This policy element “Policy-00002” includes one rule element “Rule-00003” and first and second responsibility elements (“Obligation-00003”, “Obligation-00002”) eo1 and eo2.

  This rule element “Rule-00003” has an access subject attribute value “USER01”, a resource attribute value “PolicySetId-00005”, and an action attribute value “add policy”. These access subject attribute value “USER01”, resource attribute value When “PolicySetId-00005” and the action attribute value “add policy” respectively match the access subject attribute value, the resource attribute value, and the action attribute value in the policy evaluation request, there is a content that obtains “permit” as an evaluation result. is described.

  The first and second responsibility elements eo1 and eo2 indicate responsibilities when the evaluation result based on the rule element “Rule-00003” is “permit”.

  The first responsibility element eo1 includes the responsibility entity attribute value “AddPolicyObligationService (policy addition responsibility execution unit 45a)”, the responsibility action attribute value “add policy with template”, the responsibility resource attribute value “PolicySet-00005”, the responsibility supplement attribute value “ The policy addition information execution unit 45a has policy template information ", and shows the obligation to add (store) a new policy element constructed from the policy template information to the third policy set element" PolicySet-00005 ". The responsibility resource attribute value “PolicySet-00005” indicates the identification information of the policy set element that is the subject of the responsibility execution. In this example, “PolicySet-00005” is shown as an attribute value of a policy set ID (PolicySetId) attribute that is an attribute of a policy set element. Also, the responsibility element eo1 has the responsibility ID (ObligationId) attribute value “Obligation-00003”. Here, the policy template information ipt is template information for restricting the description of the new policy element as shown in FIGS. 18 and 19, and the new policy element is described depending on the description of the policy template information. Is done.

  The second responsibility element eo2 includes the responsibility subject attribute value “AddPolicyObligationService (policy addition responsibility execution unit 45a)”, the responsibility action attribute value “add policy with template”, the responsibility resource attribute value “PolicySet-00004”, the responsibility supplement attribute value “ The policy addition information execution unit 45a has the policy template information "and the policy element constructed by the policy template information is added (stored) to the second policy set element" PolicySet-00004 ". This responsibility element eo2 has the responsibility ID attribute value “Obligation-00002”. Here, the policy template information is template information of a policy element (also referred to as a subsequent forced policy element or a control policy element) for controlling a new policy element, and depends on the description of the policy template information. Is described.

  The second policy set element “PolicySet-00004” is an element including a set of control policy elements added based on the second responsibility element eo2.

  The third policy set element “PolicySet-00005” is an element including a set of new policy elements added based on the first responsibility element eo1.

  Accordingly, when the policy evaluation unit 44 receives the transmitted policy evaluation request and policy information ip, the access subject attribute value “USER01”, the resource attribute value “PolicySetId-00005”, and the action attribute value “add” in this policy evaluation request. “policy” is compared with the access subject attribute value “USER01”, resource attribute value “PolicySetId-00005”, and action attribute value “add policy” in the rule element of the policy information ip, and the comparison results match. When a policy element is indicated, the policy element addition request is evaluated as Permit.

  [Step ST35] When the evaluation result is “permit”, the policy evaluation unit 44 extracts the first and second responsibility elements eo1, eo2 corresponding to this permission from the policy information ip, and the evaluation result “permission”. (Permit) ”, and sends the evaluation result information including the first and second responsibility elements eo1 and eo2 to the policy execution unit 42.

  [Steps ST36 to ST37] Upon receiving the evaluation result information, the policy execution unit 42 analyzes the presence / absence of a responsible element in the evaluation result information when the evaluation result information includes an evaluation result “Permit”. . On the other hand, when the evaluation result information includes the evaluation result “Deny”, the policy execution unit 42 notifies the operator U that the policy addition request is rejected via the user interface unit 41. . However, in this example, since the first and second responsibility elements eo1 and eo2 are included in the evaluation result information, the policy execution unit 42 sends a responsibility execution request including the responsibility elements eo1 and eo2 to the responsibility management unit 45. Send it out.

  [Step ST38] Upon receiving the responsibility execution request including the responsibility elements eo1 and eo2, the responsibility management unit 45, based on the responsibility subject attribute value “AddPolicyObligationService (policy addition responsibility execution unit 45a)” of the responsibility elements eo1 and eo2 The transmission destination of the responsibility execution request is determined to be the policy addition responsibility execution unit 45a.

  [Step ST39] Thereafter, the responsibility management unit 45 sends a responsibility execution request including these responsibility elements eo1 and eo2 to the policy addition responsibility execution unit 45a.

  [Step ST40] Upon receiving the duty execution request including the duty elements eo1 and eo2, the policy addition duty execution unit 45a is requested to add based on the duty action attribute value “add policy with template” of the duty elements eo1 and eo2. Policy element identification information is generated. In the example of the responsibility element shown in FIGS. 15 to 17, since there are responsibility elements for which two “add policy with template” are defined, the identification information of the two policy elements is generated.

  Next, the policy addition responsibility execution unit 45a generates a policy element from the policy template information. The content of the policy element to be added depends on the policy template information.

  The policy template information ipt for the new policy element shown in FIGS. 18 and 19 can be created in advance from a policy template element ipt 'as shown in FIGS. 20 and 21, for example. The policy template element ipt 'includes at least one target template (TargetTemplate) element, rule template (RuleTemplate) element, or responsibility template (ObligationTemplate) element. The target template element, the rule template element, and the responsibility template element are defined as elements for expressing a template of a child element constituting the policy element.

  For example, when it is desired to create policy template information ipt as shown in FIG. 18 and FIG. 19 by the duty example whose duty ID attribute value is “Obligation-00003”, the attribute value surrounded by a broken line cannot be estimated in advance. As described above, the policy template information ipt includes a mixture of attribute values that can be statically determined in advance and variable attribute values that are dynamically acquired when the policy element is generated. Therefore, the target template element, the rule template element, and the responsibility template element in the policy template element ipt ′ are identical to the template part (TemplatePortion) element or the variable attribute assignment (VariableAttributeAssignment) element as shown in FIGS. Contains more than one. The rule combination algorithm ID (RuleCombiningAlgId) attribute value of the policy template element “ip” indicates the value of the rule combination algorithm ID attribute of the policy element generated by this policy template element.

  The template partial element is an element indicating an attribute value that can be statically determined in advance, and has a value as it is described below the child elements of the target element. However, the values in FIGS. 20 and 21 are values encoded in the base 64 format. Encoding in the base 64 format is an example, and any format may be used as long as it does not inhibit XML processing. For example, a value obtained by escaping tag characters may be used.

  The variable attribute assignment element is an element indicating an attribute value of a variable that is dynamically acquired. For example, in the example of FIG. 20 and FIG. 21, using “dateTime-add-dayTimeDuration” which is a function defined in XACML V2.0, the time 3 days after the policy element generation time (“P3D”) is set. Indicates that the value is substituted.

  The target template (TargetTemplate) element is template information of the target (Target) element immediately below the policy element. The rule template element is template information of the rule element immediately below the policy element. The effect (Effect) attribute value of the rule template element indicates the effect attribute value of the rule element generated by the rule template element. The responsibility template element indicates template information of the responsibility element immediately below the policy element.

  The policy addition responsibility execution unit 45a generates a new policy element and a control policy element based on the policy template information ipt expressed in this way.

  For example, the policy addition responsibility execution unit 45a includes an initial value of a new operator ID as an access subject attribute value and a file open (Open File) as an action attribute value based on policy template information stored in advance. And a rule element including a policy expiration date corresponding to the case where the evaluation result by the target element is permitted, and a new policy element ID and control policy element ID as a resource attribute value corresponding to a result after the policy expiration date, an action A new policy element ep5 including a third responsibility element including policy deletion as an attribute value and a new element policy ID is generated.

  Further, for example, the policy addition responsibility execution unit 45a, based on the control policy template information held in advance, the operator ID as the access subject attribute value, the new element policy ID as the resource attribute value, and the operator ID as the action attribute value A new policy element ID as a resource attribute value corresponding to a case where the evaluation result by the rule element is permitted, and an update of the initial value as an action attribute value. A control policy element ep4 including the responsibility element and the control element policy ID is generated.

  [Step ST41] The policy addition responsibility execution unit 45a changes the generated policy elements ep4 and ep5 from the state shown in FIG. 22 to the responsibility resource attribute value “PolicySet-00004” of each responsibility element eo1 and eo2, as shown in FIG. "," PolicySet-00005 "is added to the policy set elements eps4 and eps5 in the policy information ip.

  [Step ST42] After that, the policy addition responsibility execution unit 45a sends a responsibility completion notification indicating policy addition to the responsibility management unit 45.

  [Step ST43] The responsibility management unit 45 sends this responsibility completion notification to the policy execution unit 42.

  [Step ST44] Upon receiving this responsibility completion notification, the policy execution unit 42 notifies the user interface unit 41 that the policy addition has been completed.

  [Step ST45] Upon receiving this notification, the user interface unit 41 displays that the policy addition has been completed and notifies the operator U of the completion.

  Thereafter, the policy execution unit 42 acquires the value of the element that the operator U wants to add (for example, the operator ID of the operator who wants to add) from the operator U via the user interface unit 41. The policy execution unit 42 adds the acquired value to each policy element via the policy operation unit 43. Prior to adding the acquired value, whether or not this addition may be performed may be evaluated by the policy evaluation unit 44 in the same manner as described above. In this case, the policy to be compared with respect to the policy evaluation request is a control policy element.

This operation will be supplementarily described as follows.
When the user interface unit 41 receives an input of a policy element update request including an operator ID as an access subject attribute value, a new policy element ID as a resource attribute value, and an update of an operator ID initial value as an action attribute value The policy element update request is sent to the policy execution unit 42.

  In response to this policy element update request, the policy execution unit 42 includes a policy including an operator ID as an access subject attribute value, a new policy element ID as a resource attribute value, and an update of the initial value as an action attribute value. An evaluation request is created, and this policy evaluation request and already acquired policy information are sent to the policy evaluation unit 44.

  When the policy evaluation unit 44 receives the transmitted policy evaluation request and policy information, the policy evaluation unit 44 accesses the access subject attribute value and the action attribute value in the policy evaluation request, and the access subject attribute in the target element in the control policy element of the policy information. A value, a resource attribute value, and an action attribute value are compared with each other, and when the comparison results indicate a match, the policy element update request is evaluated as permitted.

  When the evaluation result is permission, the policy evaluation unit 44 extracts the fourth responsibility element corresponding to the permission from the policy information, and the policy execution unit 42 extracts the evaluation result information including the evaluation result and the fourth responsibility element. To send.

  The policy execution unit 42 analyzes the presence / absence of the responsibility element in the evaluation result information, and if there are the third and fourth responsibility elements in the evaluation result information, the policy execution unit 42 is responsible for the responsibility execution request including the fourth responsibility element. The data is sent to the management unit 45.

  The duty management unit 45 sends this duty execution request to the policy editing duty execution unit 45c.

  Based on the action attribute value in the fourth responsibility element in the responsibility execution request, the policy editing responsibility execution unit 45c selects the operator who wants to add the initial value of the operator ID as the access subject attribute value of the new policy element. The operator ID shown is updated to “USER02”.

  The above operation is a case of an obligation element for newly adding a policy element. By changing the responsibility expression, the element value and attribute value of the policy element can be edited by executing the same processing. For example, the responsible entity attribute value is defined as “ModifyPolicyObligationService”, and the responsible activity attribute value is defined as “modify policy”. “ModifyPolicyObligationService” is an example of an identification name indicating the policy editing responsibility execution unit 45c. Responsible resource attribute values specify target elements and attribute values. Specifically, the XPath format is used. The responsibility supplement attribute value specifies the attribute value to be changed. Further, each added policy element is deleted after the expiration date, as described above, as shown in FIG.

  For example, the user interface unit 41 inputs a file read request including an operator ID as an access subject attribute value (a value obtained by updating an initial value: an ID indicating an added operator) and a file open as an action attribute value. Is sent to the policy execution unit 42.

  In response to the file read request, the policy execution unit 42 creates a policy evaluation request including an operator ID as an access subject attribute value, a new policy element ID as a resource attribute value, and a file open as an action attribute value. The policy evaluation request and the already acquired policy information are sent to the policy evaluation unit 44.

  When the policy evaluation unit 44 receives the transmitted policy evaluation request and policy information, the policy evaluation unit 44 accesses the access subject attribute value and the action attribute value in the policy evaluation request, and the access subject attribute in the target element in the new policy element of the policy information. The value and the action attribute value are compared with each other, and if the comparison results indicate a match, the file read request is evaluated as being permitted.

  Further, when the evaluation result is permission, the policy evaluation unit 44 extracts the third responsibility element corresponding to the permission from the policy information, and the policy execution unit 42 extracts the evaluation result information including the evaluation result and the third responsibility element. To send.

  When the evaluation result in the evaluation result information is permitted, the policy execution unit 42 reads the document file fd including the policy information from the document file storage unit 3 and displays the content information fdc of the document file fd on the user interface unit 41. Let

  Further, the policy execution unit 42 analyzes the presence / absence of the responsibility element in the evaluation result information, and if there is a third responsibility element in the evaluation result information, the responsibility execution request including the third responsibility element is accounted for. Send to unit 45.

  The duty management unit 45 sends this duty execution request to the policy editing duty execution unit 45c.

  The policy editing responsibility execution unit 45c compares the policy expiration date with the current date / time information based on the action attribute value in the third responsibility element in the responsibility execution request, and the current date / time information indicates the policy expiration date. If it has passed, the new policy element and the control policy element are deleted from the policy information based on the third responsibility element.

  As described above, according to the present embodiment, in response to the policy element addition request including each attribute value that restricts the editable range of the policy information ip, the policy information ip is acquired and the policy evaluation request is created. Based on the policy evaluation request and the policy information ip, the policy element addition request is evaluated as permitted or denied, the first and second responsibility elements corresponding to the permission are extracted from the policy information ip, and a new policy element is added according to the first responsibility element. Generate a control policy element according to the second responsibility element, and add the new policy element and the control policy element to the policy information ip. Further, the policy management device 4 autonomously re-edits the policy information ip so that the new policy element and the control policy element are deleted from the policy information ip when the current date and time information has passed the policy expiration date. .

  Therefore, in the first embodiment, document attribute information can be edited autonomously while restricting the editable range of policy information.

(Second Embodiment)
25 and 26 are schematic diagrams showing a configuration example of a use terminal to which the policy management apparatus according to the second embodiment of the present invention is applied, and FIG. 27 is a schematic diagram showing a functional configuration of this policy management apparatus. Therefore, the same parts as those in the above-described drawings are denoted by the same reference numerals and detailed description thereof is omitted, and different parts are mainly described here.

  In other words, the second embodiment is a first modification, in which the policy management apparatus 4 cooperates with the processing of the document editing application unit 9, and specifically replaces the user interface unit 41 of FIG. The event monitoring unit 48, the document attribute editing responsibility execution unit 45d, and the document attribute acquisition unit 44a are provided.

  The event monitoring unit 48 is a functional unit that monitors specific events in the document editing application unit 9. As a specific example, the document state in the document editing application unit 9 is monitored, and when a specific state change occurs, a process for notifying the policy execution unit 42 ′ of an event corresponding to the state change is performed. For example, when the document state changes from the initial state in which the document is opened, an editing event is generated assuming that the document has been edited. For this reason, the event monitoring unit 48 may be mounted outside the apparatus because the means for realizing the monitoring depends on the mounting form of the monitoring target.

  The document attribute acquisition unit 44a is a functional unit for acquiring the document attribute information fda included in the document file fd. Preferable examples of the document attribute information fda include a document status indicating a state such as an initial distribution state or an initial distribution state to a state after editing, a last updater, and the like.

  When the evaluation result information by the policy evaluation unit 44 ′ includes an obligation element for editing the document attribute information, the document attribute editing responsibility execution unit 45d reads the document attribute information fda included in the document file fd based on the responsibility element. It is a functional part to be edited.

  In addition to the function of the policy operation unit 43 of the first embodiment, the policy operation unit 43 ′ constructs a policy file fp from the policy information ip and a function of intermediately intercepting input / output of the document file fd by the document editing application unit 9 And a function to be incorporated into the document file fd. The policy operation unit 43 ′ is not limited to be implemented in the policy management apparatus 4, but can also be implemented as an input / output filter function in the document editing application unit 9. In any case, before the document editing application unit 9 reads out the document file fd, the policy operation unit 43 ′ extracts the policy file fp from the document file fd and excludes the policy file fp from the document editing application unit 9. The operation of delivering the document file fd can be executed. However, in the present embodiment, a case where the policy operation unit 43 ′ is mounted in the policy management apparatus 4 will be described as an example.

  Further, the policy execution unit 42 ′, the policy evaluation unit 44 ′, and the responsibility management unit 45 ′ are slightly modified from the policy execution unit 42, the policy evaluation unit 44, and the responsibility management unit 45 of the first embodiment in accordance with the above configuration. Has been.

  For example, in addition to the function of the policy execution unit 42 of the first embodiment, the policy execution unit 42 ′ transmits a document file read request received from the document editing application unit 9 to the policy operation unit 43 ′, and event monitoring Based on the event information received from the unit 48, it has a function such as a function for creating a policy evaluation request.

  When the policy evaluation unit 44 ′ receives a policy evaluation request from the policy execution unit 42 ′ in addition to the function of the policy evaluation unit 44 of the first embodiment, the policy evaluation unit 44 ′ sends an attribute acquisition request to the document attribute acquisition unit 44a, The document attribute information fda received from the acquisition unit 44a is sent together with the evaluation result to the policy execution unit 42 ′.

  In addition to the function of the responsibility management unit 45 of the first embodiment, the responsibility management unit 45 ′ indicates that the duty execution request received from the policy execution unit 42 ′ indicates editing of the document attribute information for the document attribute editing duty execution unit 45d. In this case, it has a function of sending an obligation execution request to the document attribute editing duty execution unit 45d and sending a completion notice received from the document attribute editing duty execution unit 44d to the policy execution unit 42 '.

Next, the operation of the policy management apparatus configured as described above will be described.
[Step ST51] In the use terminal 1, as shown in FIG. 28, the operator ID “USER02” as the access subject attribute value and the document as the resource attribute value are obtained by the operation of the operator U ′ on the document editing application unit 9. A document file read request including “Open File” as designation information of the file fd and an action attribute value is input to the document editing application unit 9.

  It is assumed that the input of the document file read request is realized by, for example, double-clicking the “open file” menu of the document editing application unit 9 or the document file fd assigned to the document editing application unit 9. . The operator ID “USER02” is preferably registered in advance in the document editing application unit 9 from the viewpoint of simplifying the operation, but may be input in step ST51.

  [Steps ST52 to ST53] The document editing application unit 9 inputs this document file read request to the policy execution unit 42 '. The policy execution unit 42 'inputs this document file read request to the policy operation unit 43'.

  [Steps ST54 to ST56] When the policy operation unit 43 'acquires the document file from the document file storage unit 3 based on the document file read request, the policy operation unit 43' acquires the policy information ip from the document file. The policy information ip is acquired from the document file fd by the same processing as in steps ST6 to ST7 described above.

  [Steps ST57 to ST58] The policy execution unit 42 'acquires the policy information ip from the policy operation unit 43' based on the document file read request.

  [Step ST59] Based on the document file read request, the policy execution unit 42 ′ uses the operator ID “USER02” as the access subject attribute value, the designation information of the document file fd as the resource attribute value, and “act attribute value“ Create a policy evaluation request that includes “Open File”.

  [Step ST60] The policy execution unit 42 'sends the created policy evaluation request and the already acquired policy information ip to the policy evaluation unit 44'.

  Upon receiving the transmitted policy evaluation request and policy information ip, the policy evaluation unit 44 ′ receives the access subject attribute value “USER02”, the resource attribute value “specified information of the document file fd”, and the action attribute value in the policy evaluation request. The “Open File” is compared with the access subject attribute value “USER02”, the resource attribute value “designated information of the document file fd”, and the action attribute value “Open File” in the rule element of the policy information ip. If the comparison results indicate a match, the document file read request is evaluated as Permit.

  [Step ST61] When the evaluation result is “permit”, the policy evaluation unit 44 ′ includes the evaluation result “permit” without including the responsibility element because there is no responsibility element corresponding to this permission. The evaluation result information is sent to the policy execution unit 42 ′.

  [Steps ST62 to ST63] Upon receiving the evaluation result information, the policy execution unit 42 ′ analyzes the presence / absence of a responsible element in the evaluation result information when the evaluation result information includes an evaluation result “Permit”. To do. On the other hand, when the evaluation result information includes an evaluation result “Deny”, the policy execution unit 42 ′ informs the operator U that the document file reading request is rejected via the document editing application unit 9. Notify '. However, in this example, the evaluation result information includes the evaluation result “Permit”, but there is no responsibility element in the evaluation result information. Therefore, the policy execution unit 42 ′ sends the evaluation result “permitted” to the policy operation unit 43 ′.

  [Step ST64] Upon receiving this evaluation result “permitted”, the policy operation unit 43 ′ sends the document file acquired in step ST55 to the policy execution unit 42 ′.

  [Step ST65] The policy execution unit 42 'sends the document file to the document editing application unit 9.

  [Step ST66] Upon receiving the document file fd, the document editing application unit 9 displays the document file fd. As a result, the document file fd can be used by the operator U '.

  [Steps ST <b> 67 to ST <b> 68] The document editing application unit 9 edits the document file fd being displayed by the operation of the operator, and displays the edited document file fd.

  [Steps ST69 to ST70] The document file fd changes its state from the initial state by editing. In response to this state change, the document editing application unit 9 sends to the event monitoring unit 48 a state change notification including document file designation information, state change information of the document file, and operator ID. The sending of the state change notification can be realized by an arbitrary technique. Here, the document editing application has a listener function for notifying the document file fd as a document object of the state change to another object (event monitoring unit 48). This is realized by the configuration provided in the unit 9.

  When the event monitoring unit 48 detects the state change notification, the event monitoring unit 48 compares the state change information in the state change notification with predetermined specific state change information. A state change notification including the information is sent as event information to the policy execution unit 42 ′. Examples of the state change information include overwrite storage (update).

  [Steps ST71 to ST72] The policy execution unit 42 ′, as a request corresponding to the state change information in the event information acquired from the event monitoring unit 48, corresponds to the access request attribute value “ A policy evaluation request including “USER02”, resource attribute value “PolicySetId-00001” and action attribute value “read” is created, and the policy evaluation request and the policy information ip in the policy storage unit 43a are sent to the policy evaluation unit 44 ′. . Here, the policy evaluation request corresponding to the policy browsing request has the same attribute value as the policy evaluation request corresponding to the policy browsing request described above except that it has the access subject attribute value “USER02” indicating the operator U ′. .

  [Step ST73] The operation after step ST72 is the same as the operation of steps ST11 to ST21 described above. However, when editing the document attribute information fda of the document file fd, the following operation is performed.

  In other words, when the policy evaluation unit 44 'receives the policy evaluation request and the policy information ip, the policy evaluation unit 44' sends an attribute acquisition request to the document attribute acquisition unit 44a based on the policy evaluation request.

  [Steps ST74 to ST76] The document attribute acquisition unit 44a acquires the document attribute information fda of the document file fd from the document editing application unit 9 based on this attribute acquisition request. Such document attribute information fda may be written in an arbitrary field of the document file fd, or may be created as a separate file similar to the policy file fp and embedded in the document file fd.

  In any case, the document attribute acquisition unit 44a sends the acquired document attribute information fda to the policy evaluation unit 44 '.

  Note that the document attribute information fda is not limited to being acquired by the document attribute acquisition unit 44a. For example, the document attribute information fda may be a modification obtained by the policy execution unit 42 ′ and included in the policy evaluation request in advance. The policy evaluation unit 44 ′ that has received the policy information may obtain a modification. In such a modification, the document attribute acquisition unit 44a is omitted.

  [Step ST77] In any case, after obtaining the policy evaluation request, the policy information, and the document attribute information fda, the policy evaluation unit 44 ′ obtains the access subject attribute value “USER02” and the resource attribute value “PolicySetId in the policy evaluation request. -00001 ”and the action attribute value“ read ”, the access subject attribute value“ USER01 ”, the resource attribute value“ PolicySetId-00001 ”, and the action attribute value“ read ”in the rule element of the policy information ip are compared with each other. When the comparison results indicate a match, the policy evaluation request is evaluated as permitted (Permit). However, since the access subject attribute values do not match, the policy evaluation request is evaluated as deny.

  Subsequently, the policy evaluation unit 44 ′ sends the evaluation result information including the evaluation result of the rejection “Deny” and the responsibility element corresponding to the evaluation result, and the document attribute information fda to the policy execution unit 42 ′.

  This responsibility element is for editing the document attribute information fda, for example, the responsibility subject attribute value “ModifyDocumentAttributesObligationService (document attribute editing responsibility execution unit 45d)” and the resource attribute value “target document attribute information fda”. ”, An action attribute value“ modify document attributes (change of document attribute information fda) ”, and an obligation supplement attribute value“ value after change ”. For example, the resource attribute value may be a value indicating the last updater, and the responsibility supplement attribute value may be the access subject attribute value “USER02”. Specifically, such responsibility elements can be described using the XPath format or the like.

  [Steps ST78 to ST79] The policy execution unit 42 ′ analyzes whether or not the responsibility element is included in the evaluation result information. When the responsibility element is included in the evaluation result information, the policy execution unit 42 ′ The document attribute information fda is sent to the responsibility management unit 45 ′.

[Step ST80] Upon receiving the responsibility execution request and the document attribute information fda, the responsibility management unit 45 ′ determines the destination of the responsibility execution request and the document attribute editing responsibility execution unit 45d based on the responsibility element in the responsibility execution request. judge. That is, the responsibility management unit 45 ′ selects the responsibility execution entity (document attribute editing responsibility execution unit 45d) indicated by the responsibility execution entity ID “ModifyDocumentAttributesObligationService” as the responsibility entity attribute value included in the responsibility element in the responsibility execution request. Means for determining the destination of the responsibility execution request;
[Step ST81] Thereafter, the responsibility management unit 45 ′ sends the responsibility execution request including the responsibility element and the document attribute information fda to the document attribute editing responsibility execution unit 45d.

  [Steps ST82 to ST83] Upon receiving this responsibility execution request and document attribute information fda, the document attribute responsibility execution unit 45d edits the document attribute information fda based on the responsibility elements in this responsibility execution request, By sending the document attribute information fda to the document editing application unit 9, the document attribute information fda in the document file fd being displayed in the document editing application unit 9 is overwritten with the edited document attribute information fda.

  As a result, the policy management apparatus 4 can autonomously edit the document attribute information fda without making the operator U 'aware of the document content of the document file fd.

  [Steps ST84 to ST85] Thereafter, the document attribute editing duty execution unit 45d sends a duty completion notification indicating completion of editing of the document attribute information fda to the policy execution unit 42 'via the duty management unit 45'.

  [Step ST86] Upon receiving this responsibility completion notification, the policy execution unit 42 'notifies the document editing application unit 9 that the policy browsing request is rejected.

  [Step ST87] Upon receiving this notification, the document editing application unit 9 displays that the policy browsing request has been rejected and notifies the operator U '.

  As described above, according to the present embodiment, each attribute that is sent as event information based on the state change notification sent from the document editing application unit 9 and restricts the editable range of the policy information ip based on this event information. A policy evaluation request including a value is created, the policy evaluation request and the policy information ip are transmitted, and when the policy evaluation request and the policy information ip are received, the document attribute information of the document file fd is acquired from the document editing application unit 9. The policy evaluation request is evaluated to be permitted or rejected based on the policy information ip, the evaluation result information including the evaluation result indicating the rejection and the responsibility element corresponding to the evaluation result, and the document attribute information fda are transmitted. Based on eo, the document attribute information fda is edited, and the edited document attribute information fda is changed to the document editing application unit 9. Delivery, by overwriting the document attribute information fda edited document attribute information fda in the document file fd being displayed in the document editing application unit 9, autonomously edit the document attribute information fda.

  Therefore, in the second embodiment, document attribute information can be edited autonomously while restricting the editable range of policy information.

  Note that the method described in the above embodiment includes a magnetic disk (floppy (registered trademark) disk, hard disk, etc.), an optical disk (CD-ROM, DVD, etc.), a magneto-optical disk (MO) as programs that can be executed by a computer. ), And can be distributed in a storage medium such as a semiconductor memory.

  In addition, as long as the storage medium can store a program and can be read by a computer, the storage format may be any form.

  In addition, an OS (operating system) running on a computer based on an instruction of a program installed in the computer from a storage medium, MW (middleware) such as database management software, network software, and the like realize the above-described embodiment. A part of each process may be executed.

  Further, the storage medium in the present invention is not limited to a medium independent of a computer, but also includes a storage medium in which a program transmitted via a LAN, the Internet, or the like is downloaded and stored or temporarily stored.

  Further, the number of storage media is not limited to one, and the case where the processing in the above embodiment is executed from a plurality of media is also included in the storage media in the present invention, and the media configuration may be any configuration.

  The computer according to the present invention executes each process in the above-described embodiment based on a program stored in a storage medium, and is a single device such as a personal computer or a system in which a plurality of devices are connected to a network. Any configuration may be used.

  In addition, the computer in the present invention is not limited to a personal computer, but includes an arithmetic processing device, a microcomputer, and the like included in an information processing device, and is a generic term for devices and devices that can realize the functions of the present invention by a program. .

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined.

  DESCRIPTION OF SYMBOLS 1 ... Usage terminal, 2 ... Operating system part, 2p ... Operating system, 3 ... Document file storage part, 4, 4 '... Policy management apparatus, 4p, 4p' ... Policy management program, 5 ... Storage part, 6 ... Input part 7 ... CPU, 8 ... output unit, 9, 9p ... document application unit, 41 ... user interface unit, 42, 42 '... policy execution unit, 43,43' ... policy operation unit, 43a ... policy storage unit, 44, 44 '... policy evaluation unit, 44a ... document attribute acquisition unit, 45, 45' ... responsibility management unit, 45a ... policy addition duty execution unit, 45b ... policy deletion duty execution unit, 45c ... policy editing duty execution unit, 45d ... document Attribute editing responsibility execution unit, 46 ... encryption processing unit, 46a ... key management unit, 47 ... user authentication unit, 47a ... authentication information storage unit, 48 ... event monitoring unit, fd ... document File, fdc ... content information, fda ... document attribute information, fp ... policy file, eps10, eps13, eps, eps2 to eps5 ... policy set element, ep11, ep13, ep, ep2, ep4, ep5 ... policy element, er11, er12 , Er13, er1 to er5 ... rule elements, eo11a, eo11b, eo13, eo, eo1, eo2, eo4, eo5 ... responsibility elements, ip ... policy information, ipt ... policy template information, ipt '... policy template elements, U, U '... policy operator.

Claims (4)

A policy management device connected to a document file storage means for storing a document file including policy information and managing addition and deletion of policy elements in the policy information;
A rule element including an operator ID as an access subject attribute value corresponding to permission of a policy evaluation request, a policy addition destination ID as resource attribute value, and a policy addition as an action attribute value, and a responsible action attribute corresponding to the permission A policy addition based on policy template information as a value, a first responsibility element including the policy addition destination ID as an obligation resource attribute value, and a control policy based on control policy template information as an obligation action attribute value corresponding to the permission Addition, a second policy element including a control policy addition destination ID as a responsibility resource attribute value, a policy addition destination policy set element including the policy addition destination ID, and a control policy addition destination policy including the control policy addition destination ID Policy storage means for storing policy information comprising a set element;
Means for extracting policy information from a document file in the document file storage means and writing the policy information to the policy storage means;
First request receiving means for receiving an input of a policy element addition request including an operator ID as an access subject attribute value, a policy addition destination ID as a resource attribute value, and a policy addition as an action attribute value;
In response to the policy element addition request, policy information in the policy storage means is acquired, and an operator ID as an access subject attribute value, a policy addition destination ID as a resource attribute value, and a policy addition as an action attribute value A first evaluation request creating means for creating a policy evaluation request including the policy evaluation request and the acquired policy information;
Upon receiving the transmitted policy evaluation request and policy information, the access subject attribute value, resource attribute value and action attribute value in the policy evaluation request, and the access subject attribute value and resource attribute value in the rule element of the policy information And a first policy evaluation unit that evaluates the policy element addition request as permission when the comparison result indicates a match with each other.
If the evaluation result by the first policy evaluation means is permission, first and second responsibility elements corresponding to the permission are extracted from the policy information, and the evaluation result includes the evaluation result and the first and second responsibility elements. First evaluation result sending means for sending result information;
The presence / absence of the responsibility element in the evaluation result information is analyzed, and when the first and second responsibility elements are present in the evaluation result information, a responsibility execution request including the first and second responsibility elements is transmitted. 1 duty execution request sending means;
In accordance with the action attribute value in the first responsibility element in the responsibility execution request, based on the policy template information held in advance, the initial value of the new operator ID as the access subject attribute value, the operation name as the action attribute value, A target element including a rule element including a policy expiration date corresponding to a case where the evaluation result by the target element is permitted, and a new policy element ID and a control policy element as resource attribute values corresponding to a result after the policy expiration date A new policy element generating means for generating a new policy element having a third responsibility element including an ID, a policy deletion as an action attribute value, and the new element policy ID;
According to the responsibility action attribute value in the second responsibility element in the responsibility execution request, based on the control policy template information stored in advance, the operator ID as the access subject attribute value, the new element policy ID as the resource attribute value, A rule element including an update of the initial value as an action attribute value, a new policy element ID as a resource attribute value corresponding to a case where the evaluation result by the rule element is permitted, and an update of the initial value as an action attribute value A control policy element generating means for generating a control policy element comprising a fourth responsibility element including the control element policy ID;
Policy element addition means for adding the generated new policy element and control policy element to the policy information;
Second request receiving means for receiving an input of a policy element update request including an operator ID as an access subject attribute value, a new policy element ID as a resource attribute value, and an update of the initial value as an action attribute value;
In response to the policy element update request, create a policy evaluation request including an operator ID as an access subject attribute value, a new policy element ID as a resource attribute value, and an update of the initial value as an action attribute value. A second evaluation request creating means for sending out the policy evaluation request and the acquired policy information;
Upon receiving the transmitted policy evaluation request and policy information, the access subject attribute value and action attribute value in the policy evaluation request, and the access subject attribute value and resource attribute value in the target element in the control policy element of the policy information And a second policy evaluation unit that evaluates the policy element update request as permission when the comparison result indicates a match with each other.
When the evaluation result by the second policy evaluation unit is permission, the fourth responsibility element corresponding to the permission is extracted from the policy information, and evaluation result information including the evaluation result and the fourth responsibility element is transmitted. A second evaluation result sending means;
The presence / absence of a responsibility element in the evaluation result information is analyzed, and if there is a fourth responsibility element in the evaluation result information, a second responsibility execution request is sent to send a responsibility execution request including the fourth responsibility element. Means,
New policy element updating means for updating the initial value of the operator ID as the access subject attribute value of the new policy element based on the action attribute value in the fourth responsibility element in the responsibility execution request;
A third request receiving means for receiving an input of an operation request including an operator ID as an access subject attribute value and an operation name as an action attribute value;
In response to the operation request, a policy evaluation request including an operator ID as an access subject attribute value and an operation name as an action attribute value is created, and the policy evaluation request and the acquired policy information are transmitted. An evaluation request creation means,
Upon receiving the transmitted policy evaluation request and policy information, the access subject attribute value and action attribute value in the policy evaluation request, and the access subject attribute value and action attribute value in the target element in the new policy element of the policy information And a third policy evaluation unit that evaluates the operation request as permitted when each of the comparison results indicates a match.
If the evaluation result by the third policy evaluation means is permission, display means for reading a document file corresponding to the policy information corresponding to the permission from the document file storage means and displaying the document file;
When the evaluation result by the third policy evaluation unit is permission, the third responsibility element corresponding to the permission is extracted from the policy information, and the evaluation result information including the evaluation result and the third responsibility element is transmitted. A third evaluation result sending means;
The presence / absence of a responsibility element in the evaluation result information is analyzed, and if there is a third responsibility element in the evaluation result information, a third responsibility execution request is sent to send a responsibility execution request including the third responsibility element. Means,
Based on the action attribute value in the third responsibility element in this responsibility execution request, the policy expiration date and the current date and time information are compared, and if the current date and time information has passed the policy expiration date And a policy element deleting means for deleting the new policy element and the control policy element from the policy information based on the third responsibility element. Document storage means for storing a document file including content information, document attribute information, and policy information; and editing the document file and changing the state of the document file by the editing, the specification information of the document file, the state change A policy management apparatus connected to a document editing means for sending a state change notification including state change information and an operator ID,
Corresponding to rule element including operator ID as access subject attribute value corresponding to permission of policy evaluation request, policy set element ID as resource attribute value and policy browsing as action attribute value, and rejection of policy evaluation request Responsibility including responsibility executing entity ID as responsibility entity attribute value, value indicating document attribute information as responsibility resource attribute value, change of document attribute information as responsibility action attribute value, and changed value as responsibility supplement attribute value Policy storage means for storing policy information comprising an element and a policy set element including the policy set element ID;
Policy extraction means for extracting policy information from the document file while the document file is being read by the document editing means from the document storage means, and writing the policy information to the policy storage means;
When the state change notification is detected, the state change information in the state change notification is compared with predetermined specific state change information, and when both match, the state change notification includes the matched state change information. Event information sending means for sending as event information;
Based on this event information, the operator ID as the access subject attribute value, the policy set element ID in the policy information in the document file corresponding to the specified information as the resource attribute value, and the policy browsing as the action attribute value are included. Means for creating a policy evaluation request and sending out the policy evaluation request and policy information in the policy storage means;
Means for obtaining document attribute information of a document file from the document editing means upon receipt of the policy evaluation request and policy information;
After obtaining the policy evaluation request, the policy information, and the document attribute information, the access subject attribute value, the resource attribute value, and the action attribute value in the policy evaluation request, and the access subject attribute value in the rule element of the policy information The resource attribute value and the action attribute value are compared with each other. If the comparison results indicate a match, the policy evaluation request is evaluated as permitted. If any of the comparison results indicates a mismatch, the policy evaluation request is determined. A means of evaluating
Means for sending an evaluation result indicating rejection and evaluation result information including the responsibility element corresponding to the evaluation result, and document attribute information;
Analyzing whether or not an obligation element is included in the evaluation result information, and when the obligation element is included in the evaluation result information, an obligation executing entity ID as an obligation entity attribute value and document attribute information as a resource attribute value Means for sending an obligation execution request including an obligation element having a value indicating, a change of document attribute information as an action attribute value, and a changed value as an obligation supplement attribute value, and document attribute information;
When the responsibility execution request and the document attribute information are received, the responsibility execution entity indicated by the responsibility execution entity ID as the responsibility entity attribute value included in the responsibility element in the responsibility execution request is determined as the transmission destination of the responsibility execution request. Means,
Means for sending the responsibility execution request including the responsibility element and the document attribute information to a destination of the responsibility execution request;
Upon receipt of this responsibility execution request and document attribute information, the document attribute information is edited based on the responsibility element in the responsibility execution request, and the edited document attribute information is sent to the document editing means, whereby the document Means for overwriting the document attribute information in the document file being displayed by the editing means with the edited document attribute information;
Means for sending a responsibility completion notification indicating completion of editing of the document attribute information after sending the edited document attribute information;
A policy management apparatus comprising: means for notifying the document editing means that a policy browsing request is rejected upon receipt of the responsibility completion notification. A policy management apparatus program connected to a document file storage unit storing a document file including policy information and having a policy storage unit to manage addition and deletion of policy elements in the policy information,
The policy management device;
A rule element including an operator ID as an access subject attribute value corresponding to permission of a policy evaluation request, a policy addition destination ID as resource attribute value, and a policy addition as an action attribute value, and a responsible action attribute corresponding to the permission A policy addition based on policy template information as a value, a first responsibility element including the policy addition destination ID as an obligation resource attribute value, and a control policy based on control policy template information as an obligation action attribute value corresponding to the permission Addition, a second policy element including a control policy addition destination ID as a responsibility resource attribute value, a policy addition destination policy set element including the policy addition destination ID, and a control policy addition destination policy including the control policy addition destination ID Policy information comprising a set element is extracted from the document file in the document file storage means; It means for writing the policy information in the policy storage unit,
First request receiving means for receiving an input of a policy element addition request including an operator ID as an access subject attribute value, a policy addition destination ID as a resource attribute value, and a policy addition as an action attribute value;
In response to the policy element addition request, policy information in the policy storage means is acquired, and an operator ID as an access subject attribute value, a policy addition destination ID as a resource attribute value, and a policy addition as an action attribute value A first evaluation request creating means for creating a policy evaluation request including the policy evaluation request and the acquired policy information;
Upon receiving the transmitted policy evaluation request and policy information, the access subject attribute value, resource attribute value and action attribute value in the policy evaluation request, and the access subject attribute value and resource attribute value in the rule element of the policy information And an action attribute value, and when the comparison results indicate coincidence, the first policy evaluation means for evaluating the policy element addition request as permitted,
If the evaluation result by the first policy evaluation means is permission, first and second responsibility elements corresponding to the permission are extracted from the policy information, and the evaluation result includes the evaluation result and the first and second responsibility elements. First evaluation result sending means for sending result information;
The presence / absence of the responsibility element in the evaluation result information is analyzed, and when the first and second responsibility elements are present in the evaluation result information, a responsibility execution request including the first and second responsibility elements is transmitted. 1 responsibility execution request sending means,
In accordance with the action attribute value in the first responsibility element in the responsibility execution request, based on the policy template information held in advance, the initial value of the new operator ID as the access subject attribute value, the operation name as the action attribute value, A target element including a rule element including a policy expiration date corresponding to a case where the evaluation result by the target element is permitted, and a new policy element ID and a control policy element as resource attribute values corresponding to a result after the policy expiration date A new policy element generating means for generating a new policy element having a third responsibility element including an ID, a policy deletion as an action attribute value, and the new element policy ID;
According to the responsibility action attribute value in the second responsibility element in the responsibility execution request, based on the control policy template information stored in advance, the operator ID as the access subject attribute value, the new element policy ID as the resource attribute value, A rule element including an update of the initial value as an action attribute value, a new policy element ID as a resource attribute value corresponding to a case where the evaluation result by the rule element is permitted, and an update of the initial value as an action attribute value A control policy element generating means for generating a control policy element comprising a fourth responsibility element including the control element policy ID,
Policy element addition means for adding the generated new policy element and control policy element to the policy information;
Second request receiving means for receiving an input of a policy element update request including an operator ID as an access subject attribute value, a new policy element ID as a resource attribute value, and an update of the initial value as an action attribute value;
In response to the policy element update request, create a policy evaluation request including an operator ID as an access subject attribute value, a new policy element ID as a resource attribute value, and an update of the initial value as an action attribute value. A second evaluation request creating means for sending out the policy evaluation request and the acquired policy information;
Upon receiving the transmitted policy evaluation request and policy information, the access subject attribute value and action attribute value in the policy evaluation request, and the access subject attribute value and resource attribute value in the target element in the control policy element of the policy information And the policy attribute update request, the policy policy update request is evaluated as permitted when the comparison result indicates a match.
When the evaluation result by the second policy evaluation unit is permission, the fourth responsibility element corresponding to the permission is extracted from the policy information, and evaluation result information including the evaluation result and the fourth responsibility element is transmitted. Second evaluation result sending means;
The presence / absence of a responsibility element in the evaluation result information is analyzed, and if there is a fourth responsibility element in the evaluation result information, a second responsibility execution request is sent to send a responsibility execution request including the fourth responsibility element. means,
New policy element updating means for updating the initial value of the operator ID as the access subject attribute value of the new policy element based on the action attribute value in the fourth responsibility element in the responsibility execution request;
Third request receiving means for receiving an operation request including an operator ID as an access subject attribute value and an operation name as an action attribute value;
In response to the operation request, a policy evaluation request including an operator ID as an access subject attribute value and an operation name as an action attribute value is created, and the policy evaluation request and the acquired policy information are transmitted. The evaluation request creation means,
Upon receiving the transmitted policy evaluation request and policy information, the access subject attribute value and action attribute value in the policy evaluation request, and the access subject attribute value and action attribute value in the target element in the new policy element of the policy information And a third policy evaluation unit that evaluates the operation request as permitted when each of the comparison results indicates a match.
If the evaluation result by the third policy evaluation means is permission, display means for reading out the document file corresponding to the policy information corresponding to the permission from the document file storage means and displaying the document file;
When the evaluation result by the third policy evaluation unit is permission, the third responsibility element corresponding to the permission is extracted from the policy information, and the evaluation result information including the evaluation result and the third responsibility element is transmitted. A third evaluation result sending means;
The presence / absence of a responsibility element in the evaluation result information is analyzed, and if there is a third responsibility element in the evaluation result information, a third responsibility execution request is sent to send a responsibility execution request including the third responsibility element. means,
Based on the action attribute value in the third responsibility element in this responsibility execution request, the policy expiration date and the current date and time information are compared, and if the current date and time information has passed the policy expiration date Policy element deletion means for deleting the new policy element and the control policy element from policy information based on the third responsibility element;
Program to function as. Document storage means for storing a document file including content information, document attribute information, and policy information; and editing the document file and changing the state of the document file by the editing, the specification information of the document file, the state change A policy management device program connected to a document editing means for sending a status change notification including status change information and an operator ID, and comprising a policy storage means,
The policy management device;
Corresponding to rule element including operator ID as access subject attribute value corresponding to permission of policy evaluation request, policy set element ID as resource attribute value and policy browsing as action attribute value, and rejection of policy evaluation request Responsibility including responsibility executing entity ID as responsibility entity attribute value, value indicating document attribute information as responsibility resource attribute value, change of document attribute information as responsibility action attribute value, and changed value as responsibility supplement attribute value Policy information including an element and a policy set element including the policy set element ID is extracted from the document file while the document file is being read from the document storage unit to the document editing unit, and the policy information is extracted from the policy file. Policy extraction means for writing to the storage means;
When the state change notification is detected, the state change information in the state change notification is compared with predetermined specific state change information, and when both match, the state change notification includes the matched state change information. Event information sending means for sending as event information,
Based on this event information, the operator ID as the access subject attribute value, the policy set element ID in the policy information in the document file corresponding to the specified information as the resource attribute value, and the policy browsing as the action attribute value are included. Means for creating a policy evaluation request and sending the policy evaluation request and policy information in the policy storage means;
Means for obtaining document attribute information of a document file from the document editing means upon receipt of the policy evaluation request and policy information;
After obtaining the policy evaluation request, the policy information, and the document attribute information, the access subject attribute value, the resource attribute value, and the action attribute value in the policy evaluation request, and the access subject attribute value in the rule element of the policy information The resource attribute value and the action attribute value are compared with each other. If the comparison results indicate a match, the policy evaluation request is evaluated as permitted. If any of the comparison results indicates a mismatch, the policy evaluation request is determined. Means to evaluate
Means for sending evaluation result information including rejection, evaluation result information including the responsibility element corresponding to the evaluation result, and document attribute information;
Analyzing whether or not an obligation element is included in the evaluation result information, and when the obligation element is included in the evaluation result information, an obligation executing entity ID as an obligation entity attribute value and document attribute information as a resource attribute value Means for sending an obligation execution request including an obligation element having a value indicating, a change in document attribute information as an action attribute value, and a changed value as an obligation supplement attribute value, and document attribute information,
When the responsibility execution request and the document attribute information are received, the responsibility execution entity indicated by the responsibility execution entity ID as the responsibility entity attribute value included in the responsibility element in the responsibility execution request is determined as the transmission destination of the responsibility execution request. means,
Means for sending an obligation execution request including the responsibility element and the document attribute information to a destination of the obligation execution request;
Upon receipt of this responsibility execution request and document attribute information, the document attribute information is edited based on the responsibility element in the responsibility execution request, and the edited document attribute information is sent to the document editing means, whereby the document Means for overwriting the document attribute information in the document file being displayed by the editing means with the document attribute information after editing;
Means for sending a responsibility completion notification indicating completion of editing of the document attribute information after sending the edited document attribute information;
Means for notifying the document editing means that the policy browsing request is rejected upon receipt of the responsibility completion notification;
Program to function as.

Images