WO2004029783A2 - Method and device for controlling access to data - Google Patents
- Publication number: WO2004029783A2 (PCT/DE2003/002979)
- Authority: WO, WIPO (PCT)
- Prior art keywords: data, access, processing, user, level
Classifications
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/1012—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by binding digital rights to specific entities to domains
- G06F21/6236—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database between heterogeneous systems
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Definitions
- The invention relates to a method and a device for controlling access (also called access control) to data of a data processing unit that is local and/or belongs to a networked data processing system and that is used by several user units.
- A user is usually assigned different access rights to the data for processing and for calling up data from an individual data processing unit or from a data processing unit in a networked data processing system.
- Access by an engineer or user to the entire data system is, by means of access rights in the form of user IDs, e.g. by password, either restricted for that user, e.g. read only, or unlimited, e.g. both read and write. Such rights can be used to prevent unauthorized deletion, modification, reading and/or copying of the data.
- The data, e.g. programs, files, databases, are assigned to different processing levels, which in turn can lead to different access rights for one and the same user.
- Processing levels are understood to mean, for example, the so-called operating system level and/or the user or application level.
- The processing levels are defined as so-called objects, which in turn can include system and user programs and/or a data volume of a subsystem.
- The invention is therefore based on the object of specifying a method for controlling access to data of a data processing unit that is local and/or belongs to a networked data processing system and that is used by a plurality of user units, in which access control is carried out particularly simply and as securely as possible. Furthermore, a particularly suitable device for controlling access to data of a data processing unit is to be specified.
- The first-mentioned object is achieved according to the invention in that, in a method for controlling access to data of a data processing unit that is local and/or belongs to a networked data processing system and that is used by several user units, the data are assigned to different processing levels, user-specific and/or level-specific access rights belonging to the data are stored in an access platform common to all processing levels, and, when the respective user unit accesses data in one of the processing levels, the access right on which the relevant data are based is assigned to that user unit on the basis of the access platform.
- The invention is based on the consideration that, for the most secure and particularly simple access control, a plurality of access rights for one and/or several processing levels should be combined instead of being assigned separately.
- Access control should be both level-independent and cross-level.
- An access platform common to all processing levels is set up, on the basis of which the data of the relevant processing level, with the access rights on which they are based, are called up when a user unit makes a request.
- The access platform is stored in one of the processing levels so that a simple assignment of access rights can be carried out regardless of the level.
- The access platform, also called role or role register, can be located on a central processing level, e.g. at an operating system level, or at a user-specific processing level, e.g. a plant level, an automation level and/or an application level.
- The access rights associated with one of the processing levels are expediently controlled by another processing level by means of the access platform. In addition to the level-independent assignment of the access rights, this also enables a cross-level assignment of the access rights.
- The access rights of the associated and/or other processing levels can be changed, deleted, copied and/or activated using the access platform.
- The respective processing level is preferably assigned different access rights by means of the access platform. In this way, for example, when several user units simultaneously access one and the same data, one user unit is assigned write and read rights and the other user unit only a read right.
- The second object is achieved according to the invention in a device for controlling access to data of a data processing unit that is local and/or belongs to a networked data processing system and that is used by several user units, in that the data are assigned to different processing levels, an access platform common to all processing levels is provided for storing user-specific and/or level-specific access rights associated with the data, and the access platform is provided, when the respective user unit accesses data in one of the processing levels, for assigning the access right on which the relevant data are based to the relevant user unit.
- Various data representing the respective processing level and/or rights can be assigned for one and the same user.
- One of the processing levels is designed as an operating system.
- One of the other processing levels is advantageously designed as a user system.
- The user system is understood to mean the subsystems and automation levels that characterize it, which are generally also referred to as objects.
- The access platform common to all processing levels is expediently stored in one of the processing levels.
- The access platform is stored in the operating system.
- The access platform can be stored at the user level, for example a project or plant level. The structure of the access rights is saved according to the structure of the project data and thus remains in the project context. This makes it possible to maintain the structure of the access rights and thus reusability, particularly in the case of cross-project and thus cross-level data exchange, which significantly reduces the time and administration effort.
- n number of user units
- The requesting user unit can log on to another processing level independently of the processing level assigned to it, so that an access right on which the requested data is based, for example only write or write and read rights, is assigned to the user unit.
- Such an abstract or virtual access platform for a large number of different systems, for example automation systems or partial systems, in a technical system allows the access rights to be controlled, monitored and maintained independently of the system, i.e. without knowledge of the structure and/or objects of the system. Furthermore, such system-independent access control leads to particularly little effort when converting access rights from one system to another system. Furthermore, in the case of changing user units, the access rights can be updated quickly and easily due to the centrally formed common access platform.
- FIG. 1 shows schematically a data processing system with several data processing units connected via a data transmission unit
- FIG. 2 shows schematically an access platform for access control of user units to data of at least one of the data processing units
- FIGS. 3 and 4 schematically show possible embodiments for an access platform.
- FIG. 1 shows a data processing system 1 with a plurality of data processing units 4a to 4c, connected via at least one data transmission unit 2, of a technical system 6, e.g. a chemical plant or a power plant.
- The data processing system 1 is, for example, a programmable logic controller or an automation system which, for the control and/or regulation of the technical system 6, comprises automation units in which, on the one hand, measured values MW and message signals MS are preprocessed and converted into process signals PS.
- Control signals SI are delivered to components K of the technical system 6, e.g. drives, motors, valves.
- The system 6 is divided into system parts A1 to An, which in turn are associated with data processing units 4a.
- The division of the system 6 and the associated data processing units 4 into the system parts A1 to An is exemplified in FIG. 1 by containers.
- The data processing system 1 has corresponding data processing units 4b for process control and process monitoring, which are shown in FIG. 1 as personal computers. Likewise, the data processing system 1 has an associated data processing unit 4c for the project planning and construction of the technical system 6. Due to the different requirements resulting from the respective function of the data processing units 4a to 4c, the different data processing units 4a to 4c have different processing levels Vm. Processing levels Vm are understood to mean, for example, an operating system level V8, the system parts A1 to An, and a user level V10, for example an application level.
- An access platform 12 common to all processing levels Vm, as shown in FIG. 2, is provided for processing and calling up data D of the different processing levels Vm of one of the data processing units 4a to 4c.
- The data processing units 4a to 4c shown in FIG. 1 can be used by several user units Bn. Depending on the type of user unit Bn, it can be a single user B or a user group BG composed of several users B.
- The data D are user or utility programs, files, databases, individual signals, for example process signals PS, or the like.
- Each of the processing levels V1 to Vm can be determined on the one hand by the data D representing it and on the other hand by the plant parts A1 to An representing it. Furthermore, the respective processing level V1 to Vm is determined by the access rights Z assigned to it.
- For simple access control of a requesting user unit Bn, user-specific and/or level-specific access rights Znm associated with the data D are stored in the access platform 12 common to all processing levels Vm, also called a role or role register.
- The access platform 12 can be stored in one of the processing levels Vm.
- The access platform 12 can be stored in one of the data processing units 4b or 4c, either in the engineering environment or in the process monitoring environment.
- FIGS. 3 and 4 show different embodiments for the access platform 12 common to all processing levels V1 to Vm for several user units B1 to Bn. The operation of the data processing system 1 is explained in more detail below with reference to FIGS. 3 and 4.
- An access right Z77 or Z78 on which the requested data D is based is assigned to the user unit B7 by means of the access platform 12 on the basis of the user-specific and/or level-specific access rights Znm stored there. That is, regardless of the data processing unit 4a to 4c used, the associated access right Z77 and/or Z78 is assigned to the user unit B7 by means of the access platform 12 in the form of a so-called role.
- The user unit B7, defined as a maintenance technician, can thus archive process data and/or exchange hardware in accordance with the assigned access rights Z77 and/or Z78.
- The user unit B7 can do this from any processing level V1 to Vm, i.e.
- The processing level V1, for example one of the data processing units 4a or 4b, is assigned both a write right w and a read right r for one of the user units B1, for example all maintenance engineers of the north installation, combined in a user group BG.
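A minimal model of the common access platform (role register) described above, added here as an illustration and not taken from the patent: rights Znm are keyed by user unit and processing level, unknown combinations are denied, and the decision does not depend on the level the request comes from. The class and method names, the group membership and the concrete rights chosen for B2 and B7 are assumptions.

```python
"""Added illustration of a role register; all names and values are constructed."""
from dataclasses import dataclass, field

READ, WRITE = "r", "w"


@dataclass
class AccessPlatform:
    """One register of rights Znm for all processing levels (default deny)."""
    stored_in: str                                  # level that hosts the register
    groups: dict = field(default_factory=dict)      # group BG -> set of users B
    rights: dict = field(default_factory=dict)      # (unit Bn, level Vm) -> set Znm

    def define_group(self, group, members):
        self.groups[group] = set(members)

    def set_rights(self, unit, level, rights):
        """Create or change Znm; an empty set deletes the entry."""
        unknown = set(rights) - {READ, WRITE}
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        if rights:
            self.rights[(unit, level)] = set(rights)
        else:
            self.rights.pop((unit, level), None)

    def copy_level(self, src_level, dst_level):
        """Reuse the rights structure of one level for another level."""
        for (unit, level), granted in list(self.rights.items()):
            if level == src_level:
                self.rights[(unit, dst_level)] = set(granted)

    def effective_rights(self, user, level):
        """Union of the user's own entry and the entries of its groups."""
        units = [user] + [g for g, m in self.groups.items() if user in m]
        granted = set()
        for unit in units:
            granted |= self.rights.get((unit, level), set())
        return granted

    def check(self, user, logged_on_at, target_level, operation):
        """Decide a request; the level the user logged on at is not consulted."""
        allowed = operation in self.effective_rights(user, target_level)
        return {"user": user, "from": logged_on_at, "level": target_level,
                "op": operation, "allowed": allowed}


def build_example():
    platform = AccessPlatform(stored_in="V8")       # e.g. operating system level
    platform.define_group("BG", {"B1", "B3"})       # constructed membership
    platform.set_rights("BG", "V1", {READ, WRITE})  # group: read and write on V1
    platform.set_rights("B2", "V1", {READ})         # second unit: read only on V1
    platform.set_rights("B7", "V7", {READ, WRITE})  # stands in for Z77
    platform.set_rights("B7", "V8", {READ})         # stands in for Z78
    return platform
```

Because every level consults the same register, changing or deleting one entry takes effect for requests arriving from any level, which is the maintenance advantage the description claims.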
Abstract
The invention relates to a method for controlling access to data (D) of a data processing unit (4) that is local and/or associated with a networked data processing system (1), which unit is used by several user units (B1 to Bn). The aim of this invention is to enable simple and secure access control. To this end, said data (D) are assigned to different processing levels (V1 to Vm); access rights (Znm), specific to the user and/or to the processing level and associated with these data (D), are stored in an access platform (12) common to all processing levels (V1 to Vm) and, when a user unit (B1 to Bn) accesses data (D) of one of the processing levels (V1 to Vm), the access right (Znm) relating to the data concerned (D) is assigned to the corresponding user unit (B1 to Bn) from the access platform (12).
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE10243774.2 | 2002-09-20 | ||
DE10243774A DE10243774A1 (de) | 2002-09-20 | 2002-09-20 | Method and device for controlling access to data |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2004029783A2 (fr) | 2004-04-08 |
WO2004029783A3 (fr) | 2004-06-24 |
Family
ID=31896231
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/DE2003/002979 WO2004029783A2 (fr) | 2002-09-20 | 2003-09-08 | Method and device for controlling access to data |
Country Status (2)
Country | Link |
---|---|
DE (1) | DE10243774A1 (fr) |
WO (1) | WO2004029783A2 (fr) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0697662A1 (fr) * | 1994-08-15 | 1996-02-21 | International Business Machines Corporation | Method and system for advanced role-based access control in distributed and centralized computer systems |
US5761669A (en) * | 1995-06-06 | 1998-06-02 | Microsoft Corporation | Controlling access to objects on multiple operating systems |
EP1124172A2 (fr) * | 2000-02-07 | 2001-08-16 | Emc Corporation | Controlling access to a storage device |
- 2002-09-20: DE DE10243774A, patent DE10243774A1 (de), not active, Withdrawn
- 2003-09-08: WO PCT/DE2003/002979, patent WO2004029783A2 (fr), active, Application Filing
Non-Patent Citations (1)
Title |
---|
SANDHU R S ET AL: "ACCESS CONTROL: PRINCIPLES AND PRACTICE" IEEE COMMUNICATIONS MAGAZINE, IEEE SERVICE CENTER. PISCATAWAY, N.J, US, vol. 32, no. 9, 1 September 1994 (1994-09-01), pages 40-48, XP000476554 ISSN: 0163-6804 * |
Also Published As
Publication number | Publication date |
---|---|
WO2004029783A3 (fr) | 2004-06-24 |
DE10243774A1 (de) | 2004-03-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A2; Designated state(s): US |
| AL | Designated countries for regional patents | Kind code of ref document: A2; Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| 122 | Ep: pct application non-entry in european phase | |