WO2004029783A2 - Method and device for controlling access to data - Google Patents

Method and device for controlling access to data

Info

Publication number
WO2004029783A2
Authority
WO
WIPO (PCT)
Prior art keywords
data, access, processing, user, level
Application number
PCT/DE2003/002979
Other languages
German (de)
English (en)
Other versions
WO2004029783A3 (fr)
Inventor
Arno SCHÖNHALS
Lothar Trapp
Harald Herberth
Harald Hammon
Roland Heymann
Siegfried Richter
Walter Grube
Werner Becherer
Original Assignee
Siemens Aktiengesellschaft
Priority date
2002-09-20
Filing date
2003-09-08
Publication date
2004-04-08
Application filed by Siemens Aktiengesellschaft
Publication of WO2004029783A2
Publication of WO2004029783A3

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/101 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM], by binding digital rights to specific entities
    • G06F21/1012 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM], by binding digital rights to specific entities, to domains

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6236 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, between heterogeneous systems

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • The invention relates to a method and a device for controlling access (access control) to data of a local data processing unit and/or of a data processing unit belonging to a networked data processing system that is used by several user units.
  • Different access rights to the data are usually assigned to a user for processing and for calling up data from an individual data processing unit or from a data processing unit in a networked data processing system.
  • Access by an engineer or user to the entire data system is governed by access rights tied to user IDs, e.g. by password; access to the data is either restricted per user, e.g. read-only, or unrestricted, e.g. both read and write rights, in order to prevent unauthorized deletion, modification, reading and/or copying of the data.
  • The data, e.g. programs, files, databases, are assigned to different processing levels, which in turn can lead to different access rights for one and the same user.
  • Processing levels are understood to mean, for example, the so-called operating system level and/or the user or application level.
  • The processing levels are defined as so-called objects, which in turn can include system and user programs and/or the data volume of a subsystem.
  • The invention is therefore based on the object of specifying a method for controlling access to data of a local data processing unit and/or of a data processing unit belonging to a networked data processing system that is used by a plurality of user units, in which access control is carried out particularly simply and as securely as possible. Furthermore, a particularly suitable device for controlling access to data of a data processing unit is to be specified.
  • The first-mentioned object is achieved according to the invention in that, in a method for controlling access to data of a local data processing unit and/or of a data processing unit belonging to a networked data processing system that is used by several user units, the data are assigned to different processing levels, the user-specific and/or level-specific access rights associated with the data are stored in an access platform common to all processing levels, and, when the respective user unit accesses data in one of the processing levels, the access right underlying the relevant data is assigned to that user unit on the basis of the access platform.
  • The invention is based on the consideration that, for the most secure and particularly simple access control, the plurality of access rights for one and/or several processing levels should be combined rather than assigned separately.
  • Access control should be both level-independent and cross-level.
  • For this purpose, an access platform common to all processing levels is set up, on the basis of which, when a user unit makes a request, the data of the relevant processing level are called up together with the access rights on which they are based.
  • The access platform is stored in one of the processing levels, so that access rights can be assigned simply and independently of the level.
  • The access platform, also called a role or role register, can be located on a central processing level, e.g. the operating system level, or on a user-specific processing level, e.g. a plant level, an automation level and/or an application level.
  • The access rights associated with one of the processing levels are expediently controlled from another processing level by means of the access platform. In addition to the level-independent assignment of access rights, this also enables a cross-level assignment of access rights.
  • The access rights of the associated and/or other processing levels can be changed, deleted, copied and/or activated using the access platform.
  • The respective processing level is preferably given different access rights by means of the assigned access platform. In this way, for example, when several user units simultaneously access one and the same data, one user unit is assigned write and read rights and the other user unit only a read right.
  • The second object is achieved according to the invention in a device for controlling access to data of a local data processing unit and/or of a data processing unit belonging to a networked data processing system that is used by several user units, in that the data are assigned to different processing levels, an access platform common to all processing levels is provided for storing user-specific and/or level-specific access rights associated with the data, and, when the respective user unit accesses data in one of the processing levels, the access platform serves to assign the access right underlying the relevant data to that user unit.
  • Various data representing the respective processing level and/or various rights can be assigned to one and the same user.
  • One of the processing levels is designed as an operating system.
  • One of the other processing levels is advantageously designed as a user system.
  • The user system is understood to mean the subsystems or automation levels which characterize it and which are generally also referred to as objects.
  • The access platform common to all processing levels is expediently stored in one of the processing levels.
  • The access platform is stored in the operating system.
  • Alternatively, the access platform can be stored at the user level, for example a project or plant level. The structure of the access rights is then saved according to the structure of the project data and thus remains in the project context. This makes it possible to maintain the structure of the access rights and thus their reusability, particularly in the case of cross-project and thus cross-level data exchange, which significantly reduces the time and administration effort.
  • For a number n of user units, the respective requesting user unit can log on to another processing level independently of the processing level assigned to it, so that an access right underlying the requested data, for example only a write right or write and read rights, is assigned to the user unit.
  • Such an abstract or virtual access platform for a large number of different systems in a technical plant, for example automation systems or subsystems, allows the access rights to be controlled, monitored and maintained independently of the system, i.e. without knowledge of the structure and/or objects of the system. Furthermore, such system-independent access control requires particularly little effort when transferring access rights from one system to another. Furthermore, when user units change, the access rights can be updated quickly and easily thanks to the centrally formed common access platform.
  • FIG. 1 schematically shows a data processing system with several data processing units connected via a data transmission unit.
  • FIG. 2 schematically shows an access platform for controlling the access of user units to data of at least one of the data processing units.
  • FIGS. 3 and 4 schematically show possible embodiments of an access platform.
  • FIG. 1 shows a data processing system 1 with a plurality of data processing units 4a to 4c, connected via at least one data transmission unit 2, of a technical system 6, e.g. a chemical plant or a power plant.
  • The data processing system 1 is, for example, a programmable logic controller or an automation system which, for the control and/or regulation of the technical system 6, comprises automation units in which, on the one hand, measured values MW and message signals MS are preprocessed and converted into process signals PS.
  • On the other hand, control signals SI are delivered to components K of the technical system 6, e.g. drives, motors, valves.
  • The system 6 is divided into system parts A1 to An, which in turn are associated with data processing units 4a.
  • The division of the system 6 and the associated data processing units 4 into the system parts A1 to An is illustrated in FIG. 1 by containers.
  • The data processing system 1 has corresponding data processing units 4b for process control and process monitoring, which are shown in FIG. 1 as personal computers. Likewise, the data processing system 1 has an associated data processing unit 4c for the project planning and engineering of the technical system 6. Owing to the different requirements resulting from the respective function of the data processing units 4a to 4c, the different data processing units 4a to 4c have different processing levels Vm. Processing levels Vm are understood to mean, for example, an operating system level V8, the system parts A1 to An, and a user level V10, for example an application level.
  • An access platform 12 common to all processing levels Vm, as shown in FIG. 2, is provided for processing and calling up data D of the different processing levels Vm of one of the data processing units 4a to 4c.
  • The data processing units 4a to 4c shown in FIG. 1 can be used by several user units Bn. Depending on its type, a user unit Bn can be a single user B or a user group BG composed of several users B.
  • The data D are, for example, user or utility programs, files, databases, individual signals such as process signals PS, or the like.
  • Each of the processing levels V1 to Vm is determined on the one hand by the data D representing it and on the other hand by the plant parts A1 to An representing it. Furthermore, the respective processing level V1 to Vm is determined by the access rights Z assigned to it.
  • For simple access control of a requesting user unit Bn, user-specific and/or level-specific access rights Znm associated with the data D are stored in the access platform 12 common to all processing levels Vm, also called a role or role register.
  • The access platform 12 can be stored in one of the processing levels Vm.
  • The access platform 12 can be stored in one of the data processing units 4b or 4c, i.e. either in the engineering environment or in the process monitoring environment.
  • FIGS. 3 and 4 show different embodiments of the access platform 12 common to all processing levels V1 to Vm for several user units B1 to Bn. The operation of the data processing system 1 is explained in more detail below with reference to FIGS. 3 and 4.
  • An access right Z77 or Z78 on which the requested data D is based is assigned to the user unit B7 by means of the access platform 12, on the basis of the user-specific and/or level-specific access rights Znm stored there. That is, regardless of the data processing unit 4a to 4c used, the associated access right Z77 and/or Z78 is assigned to the user unit B7 by means of the access platform 12 in the form of a so-called role.
  • The user unit B7, defined as a maintenance technician, can thus archive process data and/or exchange hardware in accordance with the assigned access rights Z77 and/or Z78.
  • The user unit B7 can do this from any processing level V1 to Vm, i.e.
  • In the processing level V1, for example one of the data processing units 4a or 4b, both a write right w and a read right r are assigned to one of the user units B1, for example all maintenance engineers of the north plant combined in a user group BG.
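The role register sketched above, as an added Python example that is not code from the patent or from Siemens: rights for every processing level (V1, V2) live in one shared platform, user units are single users (B1, B3, B7) or a user group (BG), and rights of one level are copied or revoked through the platform rather than inside the level. The class and method names and the constructed configuration are assumptions.

```python
"""Level-independent access platform ("role register"): one register holds the
rights of all processing levels, and a requesting user unit receives the right
that applies to the level holding the data, whatever level it logged on from."""
from __future__ import annotations
from dataclasses import dataclass, field

READ, WRITE = "r", "w"


@dataclass
class AccessPlatform:
    # role name -> {processing level -> set of rights (r, w)}
    roles: dict[str, dict[str, set[str]]] = field(default_factory=dict)
    # user unit (single user B or user group BG) -> roles it holds
    members: dict[str, set[str]] = field(default_factory=dict)
    # user group BG -> individual users B it combines
    groups: dict[str, set[str]] = field(default_factory=dict)

    def define_role(self, role: str, level: str, rights: set[str]) -> None:
        self.roles.setdefault(role, {}).setdefault(level, set()).update(rights)

    def assign(self, unit: str, role: str) -> None:
        self.members.setdefault(unit, set()).add(role)

    def add_to_group(self, group: str, user: str) -> None:
        self.groups.setdefault(group, set()).add(user)

    def copy_rights(self, role: str, src_level: str, dst_level: str) -> None:
        """Cross-level administration: a role's rights at one level are copied
        to another level through the platform, without touching either level."""
        self.roles.setdefault(role, {})[dst_level] = set(
            self.roles.get(role, {}).get(src_level, set()))

    def revoke(self, role: str, level: str) -> None:
        self.roles.get(role, {}).pop(level, None)

    def _units_for(self, user: str):
        yield user                      # the user's own role assignments
        for group, users in self.groups.items():
            if user in users:           # plus those of every group containing it
                yield group

    def rights(self, user: str, level: str) -> set[str]:
        """Right the platform assigns to `user` for data at `level`."""
        granted: set[str] = set()
        for unit in self._units_for(user):
            for role in self.members.get(unit, set()):
                granted |= self.roles.get(role, {}).get(level, set())
        return granted

    def check(self, user: str, level: str, op: str) -> bool:
        return op in self.rights(user, level)


def build_example() -> AccessPlatform:
    """Constructed configuration in the spirit of FIG. 4: at plant level V1 the
    maintenance group BG holds r+w, while an operator role holds r only."""
    p = AccessPlatform()
    p.define_role("maintenance", "V1", {READ, WRITE})
    p.define_role("operator", "V1", {READ})
    for user in ("B1", "B7"):           # maintenance engineers of the north plant
        p.add_to_group("BG", user)
    p.assign("BG", "maintenance")
    p.assign("B3", "operator")          # B3 accesses the same data read-only
    return p
```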

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method for controlling access to data (D) of a data processing unit (4) which is local and/or associated with a networked data processing system (1) and which is used by several user units (B1 to Bn). The aim of the invention is to enable simple and secure access control. To this end, the data (D) are assigned to different processing levels (V1 to Vm); user-specific and/or level-specific access rights (Znm) associated with the data (D) are stored in an access platform (12) common to all processing levels (V1 to Vm), and, when a user unit (B1 to Bn) accesses data (D) of one of the processing levels (V1 to Vm), the access right (Znm) relating to the data concerned (D) is assigned to the corresponding user unit (B1 to Bn) from the access platform (12).
PCT/DE2003/002979 2002-09-20 2003-09-08 Method and device for controlling access to data WO2004029783A2 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE10243774.2 2002-09-20
DE10243774A DE10243774A1 (de) 2002-09-20 2002-09-20 Method and device for controlling access to data

Publications (2)

Publication Number Publication Date
WO2004029783A2 true WO2004029783A2 (fr) 2004-04-08
WO2004029783A3 WO2004029783A3 (fr) 2004-06-24

Family

ID=31896231

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/DE2003/002979 WO2004029783A2 (fr) 2002-09-20 2003-09-08 Method and device for controlling access to data

Country Status (2)

Country Link
DE (1) DE10243774A1 (fr)
WO (1) WO2004029783A2 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0697662A1 (fr) * 1994-08-15 1996-02-21 International Business Machines Corporation Method and system for advanced role-based access control in distributed and centralized computer systems
US5761669A (en) * 1995-06-06 1998-06-02 Microsoft Corporation Controlling access to objects on multiple operating systems
EP1124172A2 (fr) * 2000-02-07 2001-08-16 Emc Corporation Controlling access to a storage device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SANDHU R S ET AL: "ACCESS CONTROL: PRINCIPLES AND PRACTICE", IEEE COMMUNICATIONS MAGAZINE, IEEE SERVICE CENTER, PISCATAWAY, N.J., US, vol. 32, no. 9, 1 September 1994 (1994-09-01), pages 40-48, XP000476554, ISSN: 0163-6804 *

Also Published As

Publication number Publication date
WO2004029783A3 (fr) 2004-06-24
DE10243774A1 (de) 2004-03-25

Similar Documents

Publication Publication Date Title
DE3938018C3 (de) Information processing system and method for determining its configuration
EP0829046B1 (fr) Method and system for updating user programs and user computers in a computer network
DE4123126C1 (fr)
DE19860069B4 (de) Programmable control device
DE102004062432A1 (de) System and method for automatically creating, installing and configuring functional extensions in the system nodes of a distributed network
DE10208530A1 (de) Operating unit, peripheral device and method for operating a peripheral device
WO2004029783A2 (fr) Method and device for controlling access to data
EP3657285B1 (fr) Inclusion of technical modules in a higher control level
EP2899632A1 (fr) Method for updating the usage management of a computer application
EP1033647B1 (fr) Method for porting a software system to other platforms
EP1561172B1 (fr) Device providing access to data
EP1923810A2 (fr) Method for transmitting access rights to data
DE102019130794A1 (de) Method for the secure commissioning of a device
DE102016108997A1 (de) Device for reading out data from a safety-critical control unit
EP2221694B1 (fr) Method for granting a usage authorization for a function in an industrial automation system comprising several networked control units, and industrial automation system
DE102020204148A1 (de) Information processing architecture for implementation in a vehicle
EP1431898A2 (fr) Automation system and method for operating such a system
EP3798878A1 (fr) Device and method for the secure execution of an automation program in a cloud computing environment
DE102012110164B4 (de) Computer arrangement
EP1674957A1 (fr) Rule-based distributed engineering
DE102006062093B4 (de) Automation system and method for exclusive connections to client computers
DE102019217618A1 (de) Industrial control system in automation technology for reducing the damage caused by execution of malware
EP3028814B1 (fr) Method for assigning a screwing curve describing a screwing process to a screwing program controlling the screwing curve
DE102019217624A1 (de) Industrial control system in automation technology with independently acting modules
EP4231256A1 (fr) System for accessing a machine

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): US

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR

121 EP: the EPO has been informed by WIPO that EP was designated in this application
122 EP: PCT application non-entry in European phase