WO2014188743A1

WO2014188743A1 - Access control device and access control method and program

Info

Publication number: WO2014188743A1
Application number: PCT/JP2014/052851
Authority: WO
Inventors: 優小杉; 雅之佐藤; 仁志楓; 光義山足
Original assignee: 三菱電機株式会社
Priority date: 2013-05-23
Filing date: 2014-02-07
Publication date: 2014-11-27
Also published as: CN105229662A; JP5980421B2; JPWO2014188743A1; CN105229662B

Abstract

A hierarchy definition management unit (012) stores priority between hierarchy levels. An organization information management unit (013) stores information that indicates pairs of hierarchy elements for each hierarchy level combination. A role allocation management unit (011) stores information by which a condition that permits access is correlated with a specific hierarchy element. A process reception unit (005) inputs, from a user, an operation request requesting access to resources. An F-RBAC unit (006) identifies a hierarchy element corresponding to the user, extracts from the information of the organization information management unit (013) of a hierarchy element that is paired with and is one hierarchy above the identified hierarchy element, on the basis of priority between hierarchy levels, repeats the operation to extract a hierarchy element of a level that is paired with and is one level above the extracted hierarchy element, compares the identified hierarchy element and the extracted hierarchy elements to the hierarchy elements defined by the role allocation management unit (011), and determines whether to allow access.

Description

Access control apparatus, access control method and program

The present invention relates to access control using a hierarchical structure.

As a basic technology for realizing a cloud service and SaaS (Software as a Service), there is “multi-tenant management technology” in which one application program (hereinafter referred to as an application) is shared by a plurality of companies (tenants).
The purpose of the multi-tenant management technology is to reduce hardware (H / W) resources and software (S / W) resources by sharing applications among a plurality of companies, thereby reducing costs.

In the prior art, a flexible access authority can be set by associating a user attribute with an access authority (for example, Patent Document 1).
In Patent Document 1, the “user information table” manages not only users but also attributes such as tenants and departments, and the “access authority assignment table” has what attributes for each authority to perform access control. It manages whether the user can use the application.

JP 2012-69087 A

In multi-tenant applications, not only to develop a new system, but also to make the most effective use of an application that was previously used in a single tenant to reduce development costs, it may be made available in multi-tenancy. .
In addition, an application originally used in a certain building may be made available to other buildings or tenants belonging to other buildings in order to expand the service range.
In other words, since a tenant belonging to a building has moved into another building, it is necessary to set access control for the tenant across the building.
Therefore, it is necessary to change the hierarchical structure of the order of the organization such as the building, tenant, general affairs department, and sales department within the company to the hierarchical structure of the tenant, building, and organization at a certain point in time.

In Patent Document 1, there is no mention of history management and no mention of an organizational hierarchical structure.
If the above request is to be realized based on the technology of Patent Document 1, if the organizational hierarchy structure is changed, all access authority assignments set when the organizational hierarchy structure is changed are all It is necessary to review.

The main object of the present invention is to solve such a problem, and even when the definition of the hierarchical structure is changed, the main object is to minimize the amount of data repair work associated with the change. To do.

An access control apparatus according to the present invention
A hierarchy rank information storage unit for storing hierarchy rank information indicating ranks between hierarchies in a hierarchical structure composed of a plurality of hierarchies;
A hierarchy element information storage unit that stores a hierarchy element information that is a pair of hierarchy elements that are elements constituting a hierarchy, and a pair of hierarchical elements that belong to two different hierarchies is shown for each combination of hierarchies,
An access permission condition information storage unit that stores access permission condition information in which an access permission condition that is a condition for permitting access to an access restriction resource to which access is restricted is associated with a specific hierarchical element;
An access request receiving unit that receives an access request for requesting access to an access restricted resource from a user associated with any one of the hierarchical elements;
The hierarchy element associated with the user is determined, and based on the rank between the hierarchies indicated in the hierarchy rank information, the hierarchy element or the hierarchy element one level above which is paired with the determined hierarchy element A hierarchical element of a lower hierarchy is extracted from the hierarchical element information, and a hierarchical element of the upper hierarchy or a hierarchical element of a lower hierarchy paired with the extracted hierarchical element is extracted from the hierarchical element information. A hierarchy element extractor that repeats the operation until reaching a specific hierarchy,
By comparing the hierarchy element determined by the hierarchy element extraction unit and the extracted hierarchy element with the specific hierarchy element indicated in the access permission condition, access to the access restricted resource is made in response to the access request. And an access permission / rejection determination unit that determines whether to permit or not.

In the present invention, hierarchical rank information indicating the rank between hierarchies is stored, and a pair of hierarchical elements belonging to two different hierarchies stores hierarchical element information indicated for each combination of hierarchies. When a request is made, a hierarchical structure is constructed based on the hierarchical order information and the hierarchical element information, starting from the hierarchical element associated with the user who made the access request.
As described above, in the present invention, since the hierarchical relationship between hierarchies is only defined, and the hierarchical relationship between hierarchical elements is not defined, even if there is a change in the hierarchical structure, it is only necessary to modify the hierarchy order information. The amount of work can be kept to a minimum.

FIG. 3 is a diagram illustrating an example of a system configuration according to the first embodiment. 1 is a diagram illustrating a configuration example of an access control apparatus according to Embodiment 1. FIG. FIG. 3 is a diagram illustrating a configuration example of an operation request according to the first embodiment. The figure which shows the example of the user information managed by the user information management part which concerns on Embodiment 1. FIG. FIG. 6 is a diagram showing an example of access authority information managed by an access authority management unit according to the first embodiment. The figure which shows the example of the role assignment information managed by the role assignment management part which concerns on Embodiment 1. FIG. 6 is a diagram illustrating an example of hierarchy definition information managed by a hierarchy definition management unit according to Embodiment 1. FIG. The figure which shows the example of the information managed by the organization information management part which concerns on Embodiment 1. FIG. FIG. 3 is a diagram illustrating a configuration example of a business logic unit according to the first embodiment. FIG. 3 is a diagram illustrating a configuration example of a business logic information management unit according to the first embodiment. FIG. 4 is a flowchart showing an operation example of a process receiving unit according to the first embodiment. FIG. 4 is a flowchart showing an operation example of an F-RBAC unit according to the first embodiment. FIG. 3 is a flowchart showing an operation example of a business logic unit according to the first embodiment. FIG. 6 is a diagram showing an example of a hierarchical structure change request according to the first embodiment. FIG. 4 is a flowchart showing an operation example of an F-RBAC unit according to the first embodiment. The figure which shows the example of the hierarchy definition information after the hierarchy order change managed by the hierarchy definition management part which concerns on Embodiment 1. FIG. The figure which shows the example of the hierarchy definition information managed by the hierarchy definition management part which concerns on Embodiment 2. FIG. The figure which shows the structural example of the business logic information management part which concerns on Embodiment 2. FIG. The figure which shows the relationship between the user which concerns on Embodiment 1, an affiliation organization, an affiliation building, and an affiliation tenant. FIG. 3 is a diagram illustrating a hardware configuration example of the access control apparatus according to the first embodiment.

Embodiment 1 FIG.
In this embodiment, in order to enable the same application to be shared by various users, data access rights and application use rights (hereinafter referred to as access rights) in a multi-tenant application are efficiently managed. The structure of will be described.
More specifically, in the present embodiment, a configuration that minimizes the amount of data modification work associated with a change even when the definition of the hierarchical structure is changed will be described.

Further, in the present embodiment, a configuration for minimizing information on operation history to be held will be described.
In a company or the like, it is necessary to manage an operation history for application operation and track the history because of internal control.
Therefore, it is necessary to reproduce the hierarchical structure at the past time.
With the technique of Patent Document 1, the amount of data that must be retained as an operation history becomes enormous, but according to the present embodiment, the information of the operation history that is retained can be minimized.

FIG. 1 shows a system configuration example according to the present embodiment.

In FIG. 1,

terminals

001 and 002 are terminal devices arranged in a tenant company that uses a service, and are assumed to be personal computers, mobile terminals, and the like.

Web browsers

001a and 002a are installed in the

terminals

001 and 002.
It is assumed that the user who operates the

terminals

001 and 002 is an employee of another tenant company.
It is also possible to install a plurality of terminals in the same tenant company and use the same application in three or more tenant companies.

The terminal 000 is a terminal device used by a system administrator and an operator who manages the system shown in FIG. 1, and is assumed to be a personal computer, a mobile terminal, or the like.
A web browser 000a is installed in the terminal 000.

The network 003 is a communication path used when the

terminals

001 and 002 use the access control device 004, and may be the Internet and a LAN (Local Area Network).

The access control device 004 determines whether or not to permit access to an access restriction resource whose access is restricted.
In the following, business logic (application) that allows access only to users belonging to a specific organization and users having specific attributes is used as an example of an access restriction resource.

As shown in FIG. 2, the access control device 004 includes a process accepting unit 005, a flexible role-based access control unit (Flexible Role-based Access Control unit; hereinafter referred to as F-RBAC unit) 006, a business logic unit 007, a business logic unit 007, It has a logic information management unit 008, a user information management unit 009, an access authority management unit 010, a role assignment management unit 011, a hierarchy definition management unit 012 and an organization information management unit 013.

In the access control device 004, the process accepting unit 005 receives a request transmitted from the

terminals

001 and 002, and performs the process described later.
For example, the process reception unit 005 receives an operation request (access request) that is a request for requesting access to the access restricted resource from the

terminals

001 and 002.
The process reception unit 005 corresponds to an example of an access request reception unit.

The F-RBAC unit 006 determines the presence / absence of access authority based on the request contents of the

terminals

001 and 002 and information managed in the access control device 004.
The F-RBAC unit 006 corresponds to an example of a hierarchy element extraction unit, an access permission determination unit, and a hierarchy order change unit.

The business logic unit 007 performs business processing such as work management and accounting processing.

The business logic information management unit 008 manages information used by the business logic unit 007.

The user information management unit 009 manages information on users who can operate the application.

The access authority management unit 010 manages access authority for business logic.

The role assignment management unit 011 manages organizations that can access the business logic based on the correspondence between the access authority information and the organization information.
The role assignment management unit 011 corresponds to an example of an access permission condition information storage unit.

The hierarchy definition management unit 012 manages the definition of the organizational hierarchy structure used in the system.
The hierarchy definition management unit 012 corresponds to an example of a hierarchy order information storage unit.

The organization information management unit 013 manages information on the organization that uses the application.
The organization information management unit 013 corresponds to an example of a hierarchical element information storage unit.

It should be noted that a plurality of elements in FIG. 2 can exist and have a redundant structure.

The operation request 201 in FIG. 3 is an example of request contents transmitted from the

terminals

001 and 002.
The operation request 201 includes authentication information such as the user ID and password of the user who issued the operation request 201, operation details for the business logic unit 007, and header information necessary for communication.
In this embodiment, the HTTP (HyperText Transfer Protocol) format is used. However, FTP (File Transfer Protocol) and JMS (Java (registered trademark) Message) are used for the protocol.
Service) or the like can be substituted if it is possible to have the above contents.

The operation request 201 includes a communication header 202, authentication information 203, and operation content 204.
The communication header 202 is header information necessary for communication between the terminal 001 and the access control apparatus 004, and includes information on a request transmission source and a request transmission destination.
The authentication information 203 indicates the authentication information of the request transmission source user, and includes the user ID and password of the user as an example.
The operation content 204 indicates an operation request content to the business logic unit 007 of the request transmission source user, and includes, for example, a business logic type and operation content (data reference, data update, etc.).

FIG. 4 shows an example of user information 301 managed by the user information management unit 009.
The user information 301 holds information on users who use the access control device 004, and each user can be uniquely identified by the user ID.
In addition to the user ID, the user information 301 includes a user name, an organization ID of an organization to which the user belongs, and a password necessary for user authentication.

FIG. 5 shows an example of the access authority information 401 managed by the access authority management unit 010.
The access authority information 401 holds information on the operation authority range of the business logic unit 007 managed by the access control apparatus 004 and the operation authority range of the access control apparatus 004 itself.
For example, whether or not to operate the business logic A and whether or not the access authority can be operated are stored as operable contents.
It should be noted that some restrictions may be imposed on whether or not the operation is possible, for example, only reference is possible.

FIG. 6 shows an example of role assignment information 501 managed by the role assignment management unit 011.
The role assignment information 501 manages the correspondence between the access authority information 401 and the organization information, and holds information indicating which organization can perform the operation.
Note that the authority assignment target can be set not only for the organization but also for the entire building and the entire tenant.
In addition, it is possible to designate the subordinate organization (when the child organization below the designated organization also applies) or directly below (not including the child organization of the designated organization).
Note that the role assignment information can be divided into information on the role itself and information representing the correspondence between the role and the organization.
As shown in FIG. 6, the role assignment information 501 includes an access permission condition which is a condition for permitting access (operation and reference) to an access restriction resource (tenant A business logic, building A business logic) as a specific hierarchical element. It is shown in association with (under T001, under B001).
T001 and B001 are a tenant ID and a building ID, respectively, as shown in FIG.
The role assignment information 501 corresponds to an example of access permission condition information, and the role assignment management unit 011 corresponds to an example of an access permission condition information storage unit as described above.

FIG. 7 shows the hierarchy definition information 601 managed by the hierarchy definition management unit 012.
The hierarchy definition information 601 has an expiration date indicating the order of the entities such as buildings, tenants, and organizations that use the access control device 004, and the period during which the hierarchy structure is valid.
For example, the hierarchy ID: ST001 in FIG. 7 defines a structure in which a building is arranged at the top of the hierarchical structure, a tenant is arranged under the building, and an organization is arranged under the tenant.
In FIG. 7, buildings, tenants, and organizations are listed as examples of hierarchies. For example, it is possible to define an entity called a region in the upper hierarchy of a building or an entity called a branch office under a tenant. It is.
As shown in FIG. 7, the hierarchy definition information 601 indicates the rank between hierarchies in the hierarchy structure, and corresponds to an example of the hierarchy rank information.
The hierarchy definition management unit 012 corresponds to an example of a hierarchy order information storage unit.

FIG. 8 shows information managed by the organization information management unit 013.
The organization information management unit 013 includes building information 701, tenant information 702, organization information 703, building / tenant correspondence information 704, tenant / organization correspondence information 705, and building / organization correspondence information 706.

The building information 701 holds information on a building that uses the access control device 004.
Each building can be identified by a building ID.
In addition to the building ID, attribute information such as a building name and a building location can be held.

The tenant information 702 holds information on a tenant that uses the access control device 004.
Each tenant can be identified by a tenant ID.
In addition to the tenant ID, it is also possible to hold attribute information such as a tenant name and tenant contract details.

The organization information 703 holds information on the organization that uses the access control device 004.
Each organization can be identified by the organization ID.
In addition to the organization ID, it is also possible to hold attribute information such as the organization name and the person in charge (organization head) in the organization.
In addition, about the organization, since a hierarchical structure between organizations can be considered as in the case where a section is placed under the department, the organization (parent organization) corresponding to the upper hierarchy of the organization is also included as information.

The building / tenant correspondence information 704 indicates a correspondence relationship between the building managed by the building information 701 and the tenant managed by the tenant information 702.
The building / tenant correspondence information 704 holds an attribute that uniquely identifies a building and a tenant, such as a building ID / tenant ID.
Also, if the building / tenant correspondence has an expiration date, the expiration date is retained as an attribute.

The tenant / organization correspondence information 705 indicates a correspondence relationship between the tenant managed by the tenant information 702 and the organization managed by the organization information 703.
The tenant / organization correspondence information 705 holds attributes such as a tenant ID / organization ID that can uniquely identify a tenant and an organization.
If the tenant / organization correspondence has an expiration date, the expiration date is stored as an attribute.

The building / organization correspondence information 706 indicates a correspondence relationship between the building managed by the building information 701 and the organization managed by the organization information 703.
The building / organization correspondence information 706 holds an attribute such as a building ID / organization ID that can uniquely identify a building and an organization.
In addition, when the building / organization correspondence has an expiration date, the expiration date is held as an attribute.

In the building / tenant correspondence information 704, the tenant / organization correspondence information 705, and the building / organization correspondence information 706, a pair of hierarchical elements that are elements constituting a hierarchy and are related to each other in two different hierarchies. Are shown for each combination of hierarchies.
Specifically, regarding the building hierarchy and the tenant hierarchy, in the building / tenant correspondence information 704, a pair of B001 which is a hierarchy element of the building hierarchy and T001 which is a hierarchy element of the tenant hierarchy, and B001 which is a hierarchy element of the building hierarchy. And a pair of T002 which is a hierarchical element of the tenant hierarchy is described.
As for the tenant hierarchy and organization hierarchy, in the tenant / organization correspondence information 705, a pair of T001 that is a hierarchy element of the tenant hierarchy and ORGT001 that is a hierarchy element of the organization hierarchy, and T001 that is a hierarchy element of the tenant hierarchy and the organization hierarchy Is described as being equivalent to ORGT002, which is a hierarchical element of
As for the building hierarchy and the organization hierarchy, in the building / organization correspondence information 706, a pair of B001 which is a hierarchy element of the building hierarchy and ORGT001 which is a hierarchy element of the organization hierarchy, B001 which is a hierarchy element of the building hierarchy and the organization hierarchy Is described as being equivalent to ORGT002, which is a hierarchical element of
The building / tenant correspondence information 704, the tenant / organization correspondence information 705, and the building / organization correspondence information 706 correspond to examples of hierarchical element information.
The organization information management unit 013 corresponds to an example of a hierarchical element information storage unit as described above.

FIG. 9 shows the internal configuration of the business logic unit 007.
The business logic unit 007 includes a business logic unit A 801, a business logic unit B 802, and a business logic unit C 803.
For example, the business logic unit A 801 is in charge of different tasks such as employment management, the business logic unit B 802 is accounting management, and the business logic unit C 803 is in / out room management.
The number of logics in the business logic unit 007 is arbitrary, and the number of internal business logics can be increased or decreased in accordance with the increase or decrease in business logic handled by the access control device 004.

FIG. 10 shows the internal configuration of the business logic information management unit 008.
The business logic information management unit 008 includes a business logic A information management unit 901, a business logic B information management unit 902, and a business logic C information management unit 903.
The business logic A information management unit 901 manages information handled by the business logic unit A 801, the business logic B information management unit 902 manages the business logic unit B 802, and the business logic C information management unit 903 manages information handled by the business logic unit C 803.
For example, the business logic A information management unit 901 has an employee list, attendance record, attendance date calendar, etc. used in the work management logic.
Note that the number of internal information can be increased or decreased as in the business logic unit 007.
Further, if there is information that is shared by each information management unit, it can be shared.

Next, the operation when a user using the access control device 004 issues a business logic operation request from his / her terminal will be described.

When the user A belonging to the tenant A operates the business logic A in the access control device 004, the user A uses the Web browser 001a of the terminal 001 to check his / her authentication information and business logic. A request for operation content is issued in the form of an operation request 201.

In the access control device 004, when the operation request is received from the terminal, the request reception unit 005 centrally executes request management and response generation.

The operation of the process accepting unit 005 will be described with reference to the flowchart of FIG.
In the following description, the case where the operation request 201 illustrated in FIG. 3 is received will be described as an example.
FIG. 3 shows an operation request 201 transmitted by the user with the user ID: U001 using the terminal 001 and requesting data reference of the business logic A (business ID: L001).
As shown in FIG. 19, the user A belongs to the organization with the organization ID: ORG001, the organization with the organization ID: ORG001 belongs to the tenant with the tenant ID: T001, and the tenant with the tenant ID: T001 has the building ID: It belongs to the building of B001.
However, the access control device 004 does not hold information in which the hierarchical relationship between hierarchical elements as shown in FIG. 19 is defined in advance, and when an operation request 201 is received, as described later, the F-RBAC unit 006 analyzes the hierarchical relationship between the hierarchical elements using the information shown in FIGS. 7 and 8.

The process accepting unit 005 acquires the authentication information 203 and the operation content 204 from the received operation request 201, outputs the authentication information 203 and the operation content 204 to the F-RBAC unit 006, and performs an operation on the business logic of the requesting user. The F-RBAC unit 006 is inquired of whether it is possible (S101).

Next, the process reception unit 005 determines whether or not the user can operate from the inquiry result of the F-RBAC unit 006 (S102).

If the result of S102 is operable (YES in S102), the process accepting unit 005 delivers the operation content 204 of the operation request 201 to the business logic unit 007 (S103).
Then, the process reception unit 005 returns an operation request result to the business logic unit 007 to the terminal 001a as a response (S104).

On the other hand, if the result of S102 is inoperable (NO in S102), the process accepting unit 005 returns a response indicating that the operation is impossible to the terminal 001a (S105).

Next, with reference to the flowchart of FIG. 12, the operation of the F-RBAC unit 006 for determining whether or not the user can operate will be described.

The F-RBAC unit 006 acquires information necessary for authentication such as a user ID and a password from the authentication information 203 received from the process reception unit 005 (S201).

Next, the F-RBAC unit 006 inquires of the user information management unit 009 about information on the user having the user ID acquired from the authentication information 203 (S202).

Next, the F-RBAC unit 006 verifies whether or not the user authentication is successful (S203).
Specifically, the F-RBAC unit 006 verifies by the following procedure.
The F-RBAC unit 006 confirms from the response of the user information management unit 009 whether there is a user having the user ID acquired in S201.
If there is no corresponding user, authentication is not possible.
If there is a corresponding user, it is determined whether the password acquired from the authentication information 203 matches the password managed by the user information management unit 009.
If the passwords match, authentication succeeds. If they do not match, authentication fails.

If the authentication is successful in S203 (YES in S203), the F-RBAC unit 006 acquires the business ID of the business logic to be operated by the user from the operation content 204 received from the processing reception unit 005, and the access authority A list of access authorities associated with the logic of the business ID is acquired in the management unit 010 (S204).
The F-RBAC unit 006 obtains the record of authority ID: A001 and the record of authority ID: A002 of FIG. 5 based on the business ID: L001 if the operation content 204 of FIG.

Next, the F-RBAC unit 006 obtains information on the current hierarchy order from the hierarchy definition management unit 012 (S205).
In the example of FIG. 7, hierarchical order information in which “building>tenant> organization” is described is acquired.

The F-RBAC unit 006 acquires information on the organization to which the user belongs from the organization information management unit 013 based on the information on the organization ID of the organization to which the user belongs from the user information acquired from the user information management unit 009 (S206). ).
In the case of the operation request 201 in FIG. 3, since the user ID is U001, the organization to which the target user A belongs is the organization with the organization ID: ORG001 from FIG.

Next, the F-RBAC unit 006, based on the hierarchy order information acquired from the hierarchy definition management unit 012 and the organization information acquired from the organization information management unit 013, the building, tenant, The acquisition of organization information is repeated until there is no higher-level organization (S207).
Since the hierarchy order acquired in S205 is “Build>Tenant> Organization”, the F-RBAC unit 006 first forms a hierarchy that is paired with the organization ID: ORG001 in the tenant hierarchy that is one level above the organization. Search for an element.
Specifically, the F-RBAC unit 006 searches the tenant / organization correspondence information 705 in FIG. 8 and extracts the tenant ID: T001 paired with the organization ID: ORG001.
Next, the F-RBAC unit 006 searches the hierarchy order “building>tenant> organization” for a hierarchy element that is paired with the tenant ID: T001 in the building hierarchy that is one hierarchy above the tenant.
Specifically, the F-RBAC unit 006 searches the building / tenant correspondence information 704 in FIG. 8 and extracts the building ID: B001 paired with the tenant ID: T001.

Next, the F-RBAC unit 006 acquires from the role assignment management unit 011 role assignment information that matches the access authority obtained in S204 and the organization, tenant, and building obtained in S206 and S207 (S208).
In the example of FIG. 6, the F-RBAC unit 006 acquires a record with a role assignment ID: R001 and a record with a role assignment ID: R002.

Next, the F-RBAC unit 006 determines whether or not the role assignment acquired in S208 exists (S209).
For organizations, it is checked whether there is an assignment in order from the upper hierarchy.

If the assignment exists in S209, the F-RBAC unit 006 determines that the authentication is successful and returns a success response to the process reception unit 005 (S210).
Since the operation request 201 in FIG. 3 requires data reference, it matches the “role name: only building business logic A can be referred to” in FIG. 6, and the F-RBAC unit 006 succeeds in the process reception unit 005. Returns a response.

If the authentication fails in S203 or the role assignment does not exist in S209, the F-RBAC unit 006 determines that the authentication has failed, and returns a failure response to the process reception unit 005 (S211).

The operation of the business logic unit 007 will be described with reference to the flowchart of FIG.

The business logic unit 007 determines which business logic in the business logic unit 007 is designated from the operation content 204 received from the process reception unit 005, and delivers the operation content to the internal business logic ( S301).
In the following, the operation will be described assuming that the business logic unit A801 in FIG. 9 is designated.

The business logic unit A801 performs an operation while referring to and updating information handled by the business logic A information management unit 901 in the business logic information management unit 008 based on the operation content received from the business logic unit 007 in S301 (S302). .
The business logic unit A 801 returns a response to the processing reception unit 005 via the business logic unit 007 for the result of performing S302 (S303).

Next, the operation when the administrator of the access control device (hereinafter, system user) changes the hierarchical structure of the access control device 004 will be described.

FIG. 14 shows an example of a hierarchical structure change request that is a request that the system user transmits to the access control apparatus 004 using the terminal 000 when the hierarchical structure of the access control apparatus 004 is changed.

A system user who manages the access control device 004 transmits a hierarchical structure change request 1301 to the access control device 004 using the Web browser 000a of the terminal 000.
The hierarchy structure change request 1301 is a request for requesting to change the hierarchy order in the hierarchy definition information 601 of FIG.
In the access control device 004, after the processing accepting unit 005 receives the hierarchical structure change request 1301 and the F-RBAC unit 006 authenticates the system user, the F-RBAC unit 006 changes the hierarchical order in the hierarchical definition information 601. change.
Note that the operation of the process accepting unit 005 and the operation up to the authentication of the F-RBAC unit 006 are the same as S101 to S105 and S201 to S203 described above.
After the hierarchy order is changed, the process reception unit 005 returns a response to the terminal 000.

The operation of the F-RBAC unit 006 when changing the hierarchical structure definition will be described with reference to the flowchart of FIG.

The F-RBAC unit 006 acquires the operation content 1304 describing the hierarchical structure change information from the hierarchical structure change request 1301 received from the process accepting unit 005 (S401).
Next, the F-RBAC unit 006 issues a hierarchical structure definition change request to the hierarchy definition management unit 012 for the operation content 1304 acquired in S401 (S402).
The hierarchy definition management unit 012 changes, for example, the hierarchy definition information 601 in FIG. 7 to the hierarchy definition information 602 in FIG. 16 in accordance with the request received in S402.
In FIG. 16, “tenant>building> organization” is defined as a new hierarchy order.
Further, the hierarchy order “building>tenant> organization” before the change is held in the hierarchy definition information 602 together with the expiration date.
The F-RBAC unit 006 returns the operation result to the process reception unit 005 after the processing of the hierarchy definition management unit 012 is completed (S403).

Further, when the operation request 201 is received after the hierarchy order of the hierarchy definition information is changed by the above procedure, the F-RBAC unit 006 performs the process of FIG. 12 based on the changed hierarchy order.

With the above operation, even if the hierarchical structure of the organization managed in the system changes over time, by having a hierarchical structure definition with an expiration date, only the hierarchical structure definition can be matched to the change in the hierarchical structure definition. It is possible to change.
Further, since the hierarchical structure has an expiration date, it is possible to reproduce the hierarchical structure at a specified time.
In addition, it is not necessary to update the allocation information of access authority, so that changes in data managed by the system can be minimized, and the amount of data including past log information held by the system can be minimized.

In the description of FIG. 11, the hierarchical element is searched in the direction toward the upper hierarchy (S207). Alternatively, the hierarchical element may be searched in the direction toward the lower hierarchy.

As described above, in the present embodiment,
A role assignment management unit for managing role assignment information indicating the correspondence between roles and a plurality of individuals and organizations and roles;
A hierarchy definition management unit that manages the structure of the organization hierarchy and the validity period of the hierarchy structure;
Based on the hierarchical structure definition of the role assignment management part and the hierarchy definition part, the hierarchy is traced in order from the top while interpreting the organizational hierarchical structure, and the role assignment target is compared with the organizational hierarchy position to which the user who uses the system belongs. The tenant access control apparatus, method, and program provided with an access control unit that determines whether access authority to the information managed by the system or use authority of the system is held have been described.

In the present embodiment,
When changing the hierarchical structure of an organization at an arbitrary time, a tenant access control device, method, and program provided with an access control unit that realizes the change of the hierarchical structure in the system by changing the expiration date of the hierarchical structure explained.

In the present embodiment,
It has an access authority management unit that manages access permission for each application in the system,
The tenant access control apparatus, method, and program provided with an access control unit that determines whether or not access is possible based on information on whether or not an access authority management unit can access when an individual uses an application in the system have been described.

Embodiment 2. FIG.
In the present embodiment, differences from the first embodiment will be described.
Operations and configurations other than those described below are the same as those in the first embodiment.

FIG. 17 shows the hierarchy definition information 610 of the hierarchy definition management unit 012 according to this embodiment.
In the hierarchy definition information 610 in FIG. 17, information corresponding to the business logic is added as an attribute, such as a business ID, as compared with the hierarchy definition information 601 in FIG. 7.
In this embodiment, as shown in FIG. 17, the hierarchical structure can be changed for each business logic.
That is, in the hierarchy definition information 610 according to the present embodiment, a hierarchy order is defined for each business logic (access restricted resource).

FIG. 18 shows a business logic definition 910 of the business logic information management unit 008 according to this embodiment.
Unlike FIG. 10, in FIG. 18, a business ID is assigned to each business logic.
When the user transmits a business logic operation request 201 using a terminal, the F-RBAC unit 006 acquires a business ID from the operation request 201 when acquiring the hierarchical order in S205 of FIG. The hierarchical order corresponding to the acquired business ID is acquired, and the acquired hierarchical order is used for the subsequent determination of the presence of access authority.

With such a configuration, the same effect as in the first embodiment can be obtained, and at the same time, the hierarchical structure definition used for each application can be switched.
For this reason, since a common logic can be utilized while consolidating various applications into one system, an effect of increasing the degree of aggregation can be obtained.

As described above, in the present embodiment,
It has a hierarchy definition manager with an organizational hierarchy for each application in the system,
A tenant access control apparatus, method, and program provided with an access control unit that switches the organizational hierarchy structure for each application by the hierarchy definition management unit when an individual uses an application in the system and determines whether access is possible have been described.

Finally, a hardware configuration example of the access control apparatus 004 shown in the first and second embodiments will be described with reference to FIG.
The access control device 004 is a computer, and each element of the access control device 004 can be realized by a program.
As a hardware configuration of the access control device 004, an arithmetic device 1901, an external storage device 1902, a main storage device 1903, a communication device 1904, and an input / output device 1905 are connected to the bus.

The arithmetic device 1901 is a CPU (Central Processing Unit) that executes a program.
The external storage device 1902 is, for example, a ROM (Read Only Memory), a flash memory, or a hard disk device.
The main storage device 1903 is a RAM (Random Access Memory).
The “˜management unit” illustrated in FIG. 2 is realized by the external storage device 1902 or the main storage device 1903.
The communication device 1904 corresponds to the physical layer of the process reception unit 005.
The input / output device 1905 is, for example, a mouse, a keyboard, a display device, or the like.

The program is normally stored in the external storage device 1902, and is sequentially read into the arithmetic device 1901 and executed while being loaded in the main storage device 1903.
The program is a program that realizes the functions described as “˜unit” (excluding “˜management unit”, the same applies hereinafter) shown in FIG.
Further, an operating system (OS) is also stored in the external storage device 1902. At least a part of the OS is loaded into the main storage device 1903, and the arithmetic unit 1901 executes “OS” while executing “OS” shown in FIG. ”Is executed.
In the description of the first and second embodiments, “determining”, “determining”, “determining”, “extracting”, “collating”, “acquiring”, “ Information, data, and signal values that indicate the results of the processing described as "Settings", "Registering", "Selecting", "Generating", "Receiving", "Outputting", etc. And variable values are stored in the main storage device 1903 as files.
Also, the encryption key / decryption key, random number value, and parameter may be stored in the main storage device 1903 as a file.

The configuration in FIG. 20 is merely an example of the hardware configuration of the access control device 004, and the hardware configuration of the access control device 004 is not limited to the configuration shown in FIG. Also good.

Also, the access control method according to the present invention can be realized by the procedure shown in the first and second embodiments.

000 terminal, 001 terminal, 002 terminal, 003 network, 004 access control device, 005 process acceptance unit, 006 F-RBAC unit, 007 business logic unit, 008 business logic information management unit, 009 user information management unit, 010 access authority management Department, 011 Role assignment management part, 012 Hierarchy definition management part, 013 Organization information management part.

Claims

A hierarchy rank information storage unit for storing hierarchy rank information indicating ranks between hierarchies in a hierarchical structure composed of a plurality of hierarchies;
A hierarchy element information storage unit that stores a hierarchy element information that is a pair of hierarchy elements that are elements constituting a hierarchy, and a pair of hierarchical elements that belong to two different hierarchies is shown for each combination of hierarchies,
An access permission condition information storage unit that stores access permission condition information in which an access permission condition that is a condition for permitting access to an access restriction resource to which access is restricted is associated with a specific hierarchical element;
An access request receiving unit that receives an access request for requesting access to an access restricted resource from a user associated with any one of the hierarchical elements;
The hierarchy element associated with the user is determined, and based on the rank between the hierarchies indicated in the hierarchy rank information, the hierarchy element or the hierarchy element one level above which is paired with the determined hierarchy element A hierarchical element of a lower hierarchy is extracted from the hierarchical element information, and a hierarchical element of the upper hierarchy or a hierarchical element of a lower hierarchy paired with the extracted hierarchical element is extracted from the hierarchical element information. A hierarchy element extractor that repeats the operation until reaching a specific hierarchy,
By comparing the hierarchy element determined by the hierarchy element extraction unit and the extracted hierarchy element with the specific hierarchy element indicated in the access permission condition, access to the access restricted resource is made in response to the access request. An access control apparatus comprising: an access permission / rejection determination unit that determines whether to permit or not.
The hierarchical element information storage unit
Hierarchical element information shown for each combination of hierarchies without including the definition of which hierarchy element is higher and which hierarchy element is lower. The access control apparatus according to claim 1, wherein the access control apparatus is stored.
The access control device further includes:
A hierarchy rank changing section for changing the rank between the hierarchy rank information;
The access permission / rejection determination unit
For the access request received after the rank between the hierarchies in the hierarchy rank information is changed by the hierarchy rank changing unit, the hierarchy element is extracted based on the rank between the hierarchies after the change. The access control apparatus according to claim 1.
The hierarchy order changing unit
4. The access according to claim 3, wherein, when the rank between the hierarchies of the hierarchy rank information is changed, the rank between the hierarchies before the change is held in the hierarchy rank information storage unit together with an expiration date. Control device.
The access permission condition information storage unit
Storing access permission condition information in which an access permission condition is shown in association with a specific user;
The access permission / rejection determination unit
Whether the access request source user determines whether or not the specific user indicated in the access permission condition information corresponds to permit access to the access restricted resource in response to the access request The access control apparatus according to claim 1, wherein it is determined whether or not.
The access control device
We perform access control for multiple access restricted resources.
The hierarchical order information storage unit
For each access restriction resource, the hierarchy order information is stored,
The access request receiver is
Receive an access request requesting access to one of the restricted access resources,
The access permission / rejection determination unit
The access control apparatus according to claim 1, wherein a hierarchy element is extracted based on a rank between hierarchies indicated in hierarchy rank information for an access restricted resource to which access is requested by the access request.
Hierarchical rank information indicating the rank between hierarchies in a hierarchical structure composed of a plurality of hierarchies is read by the computer from the storage area,
The computer reads out from the storage area hierarchical element information, which is a pair of hierarchical elements that are elements constituting a hierarchy and each pair of hierarchical elements belonging to two different hierarchies is shown for each combination of hierarchies. ,
The computer reads from the storage area access permission condition information in which an access permission condition, which is a condition for permitting access to an access restriction resource to which access is restricted, is associated with a specific hierarchical element,
The computer receives an access request for requesting access to an access restriction resource from a user associated with any hierarchical element,
The computer determines a hierarchical element associated with the user, and based on the rank between the hierarchies indicated in the hierarchical rank information, the hierarchy of the hierarchy one level higher than the determined hierarchical element An element or a hierarchical element in the lower hierarchy is extracted from the hierarchical element information, and the hierarchical element in the upper hierarchy or the hierarchical element in the lower hierarchy that is paired with the extracted hierarchical element is the hierarchical element. Repeat the process of extracting from the information until it reaches a specific level,
The computer compares the determined hierarchical element and the extracted hierarchical element with the specific hierarchical element indicated in the access permission condition, and permits access to the access restricted resource in response to the access request. An access control method characterized by determining whether or not.
Hierarchy order information reading processing for reading out hierarchy order information indicating the rank between hierarchies in a hierarchical structure composed of a plurality of hierarchies from the storage area;
Hierarchical element information for reading out from the storage area hierarchical element information that is a pair of hierarchical elements that are elements constituting a hierarchy, and each pair of hierarchical elements belonging to two different hierarchies is indicated for each combination of hierarchies Read processing;
An access permission condition information read process for reading access permission condition information, which is a condition for permitting access to an access restricted resource to which access is restricted, associated with a specific hierarchical element, from the storage area; and
An access request receiving process for receiving an access request for requesting access to an access restricted resource from a user associated with any one of the hierarchical elements;
The hierarchy element associated with the user is determined, and based on the rank between the hierarchies indicated in the hierarchy rank information, the hierarchy element or the hierarchy element one level above which is paired with the determined hierarchy element A hierarchical element of a lower hierarchy is extracted from the hierarchical element information, and a hierarchical element of the upper hierarchy or a hierarchical element of a lower hierarchy paired with the extracted hierarchical element is extracted from the hierarchical element information. Hierarchical element extraction processing that repeats the operation until reaching a specific hierarchy,
By comparing the hierarchical element determined by the hierarchical element extraction process and the extracted hierarchical element with the specific hierarchical element indicated in the access permission condition, access to the access restricted resource is made in response to the access request. A program for causing a computer to execute an access permission determination process for determining whether to permit or not.