CN102804199A - Access control system - Google Patents

Publication number
CN102804199A
Authority
CN
China
Prior art keywords
policy
attribute
policy evaluation
access control
information
Legal status
Granted
Application number
CN2010800245028A
Other languages
Chinese (zh)
Other versions
CN102804199B (en)
Inventor
池田龙朗
冈田光司
山田正隆
中沟孝则
西泽实
冈本利夫
Current Assignee
Toshiba Corp
Toshiba Digital Solutions Corp
Original Assignee
Toshiba Corp
Toshiba Solutions Corp
Application filed by Toshiba Corp, Toshiba Solutions Corp
Publication of CN102804199A
Application granted
Publication of CN102804199B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database

Abstract

In an access control system (1), a policy enforcement device (30), upon receiving an access request from an operator terminal (10), queries a policy evaluation device (40) for the policy attributes required for access to a resource device (20), and sends the policy evaluation device (40) a policy evaluation request based on the response to that query.

Description

Access control system
Technical field
Embodiments of the present invention relate to an access control system that can perform access control efficiently even in a distributed environment.
Background technology
In recent years, the importance of access control technology, which controls access to specific information or actions according to authority information, has been increasing. For example, access control in the action-permission form (whether a given action is permitted or not) is widely used.
In action-permission access control, for example, authority information attached to a document file serves as a security attribute. Specifically, the authority information records, per user, whether actions such as "read permitted" or "edit permitted" are allowed on the document file. Known examples of such authority information are the Access Control Matrix and the ACL (Access Control List). For example, a method of setting authority information (rules) for a document file as a "security container" has been disclosed.
However, in action-permission access control it is difficult to express flexible, detailed access control content such as conditions on the permitted access time or access location, or restrictions on functions.
Therefore, in recent years, access control in the access control policy form is used in addition to action-permission access control. An access control policy is a set of access control rules, and a standard description format has been published. Access control in the policy form can express detailed conditions and function restrictions on what is permitted. For example, when an access request for a document file is accepted, policy-form access control not only decides whether the file may be opened but can also restrict the available functions to those defined in the access control policy.
However, in policy-form access control, the Policy Enforcement Point that performs the access control must ask the Policy Decision Point that evaluates the access control policy to evaluate the content of the access together with the access control policy information. For example, it requests evaluation of the access subject or the access action. Furthermore, the access subject is generally authenticated before access control, but at that time an authentication policy, which differs from the access control policy, is often used as the information that determines the authentication method by which the access subject is to be verified.
But in policy-form access control, the Policy Enforcement Point does not hold the information on the policy attributes needed to evaluate the access control policy, so even when it issues an access request, the access is sometimes not permitted.
Therefore, a mechanism is needed that can perform access control efficiently even in this case.
Prior art documents
Patent documents
Patent Document 1: Japanese Laid-Open Patent Publication (Tokukai) 2001-306521
Non-patent documents
Non-Patent Document 1: Tim Moses, "eXtensible Access Control Markup Language (XACML) Version 2.0", [online], [retrieved May 17, 2007], Internet URL: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
Description of drawings
Fig. 1 is a schematic diagram showing the structure of the access control system of the first embodiment.
Fig. 2 shows an example of the "policy attribute query" of this embodiment.
Fig. 3 shows an example of the "policy evaluation request" of this embodiment.
Fig. 4 shows an example of the "policy information" of this embodiment.
Fig. 5 shows an example of the "policy information" of this embodiment.
Fig. 6 shows an example of the "policy attribute reply" of this embodiment.
Fig. 7 is a flowchart for explaining the operation of the access control system 1 of this embodiment.
Fig. 8 is a diagram for explaining the operation of conventional access control.
Embodiment
The access control system of the embodiment comprises a policy enforcement device and a policy evaluation device for controlling access between an operator terminal and a resource device.
The policy enforcement device has an access request receiving unit that receives, from the operator terminal, an access request for the resource device.
The policy enforcement device has a policy attribute query unit that, when the access request is received, queries the policy evaluation device for the policy attributes required for access to the resource device.
The policy enforcement device has an access condition information acquisition unit that, when policy attributes are received from the policy evaluation device, acquires the access condition information corresponding to those policy attributes.
The policy enforcement device has a policy evaluation request unit that, when the access condition information has been acquired, sends the policy evaluation device a policy evaluation request containing that access condition information.
The policy enforcement device has an access control unit that controls access between the operator terminal and the resource device according to the policy evaluation reply to the policy evaluation request.
The policy evaluation device has a policy information storage unit that stores policy information representing the access conditions for the resource device.
The policy evaluation device has a policy attribute resolution unit that resolves, from the policy information, the policy attributes corresponding to the policy attribute query from the policy enforcement device.
The policy evaluation device has a policy attribute reply unit that returns to the policy enforcement device the policy attributes resolved by the policy attribute resolution unit.
The policy evaluation device has a policy evaluation reply unit that, when a policy evaluation request is received from the policy enforcement device, sends that policy enforcement device a policy evaluation reply indicating whether access between the operator terminal and the resource device is permitted, based on the access condition information contained in the policy evaluation request and the policy information.
The embodiment is described below with reference to the drawings.
<First embodiment>
(Structure of the access control system)
Fig. 1 is a schematic diagram showing the structure of the access control system 1 of the first embodiment.
The access control system 1 has a policy enforcement device 30 and a policy evaluation device 40, and performs access control between an operator terminal 10 and a resource device 20. The devices 10 to 40 are connected to one another through a network. As a prerequisite of access control, policy information for the resource device 20 is stored in the policy evaluation device 40 in advance. In this embodiment, the policy enforcement device 30 is also connected to an external authentication provider 50.
The operator terminal 10 is a terminal device operated by an operator. The operator's purpose is to access a specific resource device 20 through this operator terminal 10. When the operator terminal 10 accesses the resource device 20, an "access request" from the operator terminal 10 to the resource device 20 is sent to the policy enforcement device 30.
The resource device 20 is the object accessed by the operator terminal 10. For example, the resource device 20 stores "resource information" provided by various service providers. For the resource device 20, access conditions are defined in advance by policy information, and access is permitted only to access requests that satisfy the access condition corresponding to a specific policy attribute. In a distributed environment system there are a plurality of resource devices 20 and operator terminals 10.
The policy enforcement device 30 functions as a so-called Policy Enforcement Point and comprises an access request receiving unit 31, a policy attribute query unit 32, a policy attribute query generation unit 33, an access condition information acquisition unit 34, a policy evaluation request unit 35 and an access control unit 36.
The access request receiving unit 31 receives from the operator terminal 10 an access request for the resource device 20. On receiving an access request, the access request receiving unit 31 passes information on the resource device 20 that the operator terminal 10 wants to access to the policy attribute query unit 32.
The policy attribute query unit 32 queries the policy evaluation device 40, when an access request is received from the operator terminal 10, for the policy attributes required for access to the resource device 20. In other words, the policy attribute query unit 32 obtains in advance the information on the policy attributes needed for the policy evaluation request described later. When querying policy attributes, the policy attribute query unit 32 asks the policy attribute query generation unit 33 to generate a policy attribute query.
In this embodiment, the policy attribute query unit 32 is assumed to query the "authentication method" as the policy attribute. For the sake of explanation, authentication methods include password authentication, IC card authentication, biometric authentication and so on. The policy attribute query unit 32 therefore asks the policy evaluation device 40 which of these authentication methods would permit access to the resource device 20. Besides the authentication method, other conditions such as the location or the category of the application program in use can of course also be applied as policy attributes.
The policy attribute query generation unit 33 generates the "policy attribute query" used to query policy attributes. The policy attribute query is used by the policy evaluation device 40 to resolve the necessary policy attributes from the policy information. The policy information is described later.
This policy attribute query has, for example, the structure shown in Fig. 2. Specifically, the policy attribute query is expressed by an AttributeFindingQuery element e21. The AttributeFindingQuery element e21 has one or more Query elements e22 as child elements, each identified by a QueryId attribute. A Query element e22 has a QueryTarget element e23 expressing the policy attributes to be queried and a QueryCondition element e27 expressing the condition that narrows the scope. In the example of Fig. 2, the QueryTarget element e23 contains, as child elements of a Subject element e24, Attribute elements e25 and e26 whose AttributeId attribute values are "authentication-method" and "identity-provider-url"; these are the attributes being queried. If nothing is specified in the QueryTarget element e23, the query is taken to mean all policy attributes that may apply. Also in the example of Fig. 2, the AttributeValue elements e28 and e29 of the QueryCondition element e27 specify that the query concerns the condition for performing the action "read" on the resource device 20 corresponding to "Resource-1". The policy attributes applicable to that condition can thus be extracted from the policy information.
The access condition information acquisition unit 34 acquires, when policy attributes are received from the policy evaluation device 40, the "access condition information" corresponding to the received policy attributes. In this embodiment, the access condition information acquisition unit 34 uses an authentication device and acquires, as access condition information, information based on the authentication method designated by the policy attributes.
The authentication device is a device for authenticating whether the operator is who they claim to be; it supports multiple authentication methods and performs authentication by a single or a combined authentication method. The authentication device may cooperate with an external authentication device or authentication provider to perform authentication. Any device capable of performing ordinary authentication suffices, so details of its structure are omitted.
The policy evaluation request unit 35 sends the policy evaluation device 40 a "policy evaluation request" containing the access condition information once the access condition information acquisition unit 34 has acquired it. The policy evaluation request is, for example, information with the structure shown in Fig. 3. Here, the access condition information is expressed by Attribute elements e31, e32 and e33, and the information corresponding to the access request destination by Attribute elements e34 and e35. That is, the access condition information states that "User-1" of Attribute element e31 has been authenticated by the password authentication method ("password") of Attribute element e32 at the external authentication provider with the URL "http://example1.co.jp/login" of Attribute element e33. As the access request destination, a decision on permitting the "read" action of Attribute element e35 on "Resource-1" of Attribute element e34 is requested.
The access control unit 36 controls access between the operator terminal 10 and the resource device 20 according to the policy evaluation reply to the policy evaluation request. That is, the access control unit 36 permits access between the operator terminal 10 and the resource device 20 when the policy evaluation reply indicates "Permit", and denies access between the operator terminal 10 and the resource device 20 when the policy evaluation reply indicates "Deny".
The policy evaluation device 40 functions as a so-called Policy Decision Point and comprises a policy information storage unit 41, a policy attribute resolution unit 42, a policy attribute reply unit 43 and a policy evaluation reply unit 44.
The policy information storage unit 41 is a memory that stores "policy information" representing the access conditions for the resource device 20. The policy information may also be stored in an external storage device and read in as needed.
In this embodiment, the policy information is described using the example of a policy file written in XML (eXtensible Markup Language) format. The policy file may be an independent document or may be embedded in a document file. Here, the form embedded in a document file is described.
The policy information is, for example, a policy file with the structure shown in Figs. 4 and 5. In this embodiment, the standard policy description language used is a description format based on the XACML V2.0 format disclosed in Non-Patent Document 1. The policy file has one or more Policy elements e42. A PolicySet element e41 may be present as information grouping the Policy elements e42, and a PolicySet element may in turn contain PolicySet elements. A Policy element e42 has a Rule element e47, and the Rule element e47 describes the specific content of the access control. Here, the policy file, as a file representing the specific content of access control, comprises the constituent elements "subject", "action", "resource" and "environment". Specifically, "subject" is the entity that performs the access and is expressed by a Subjects element e44. "resource" is the object of the access and is expressed by a Resources element e45. "action" is the content of the access performed and is expressed by an Actions element e46. "environment" expresses the environment in which the access is performed. The policy description examples shown in this embodiment omit information such as namespaces and data types for simplicity.
In the policy information, as examples of policy attributes for permitting access to the resource device 20, an "authentication method" and an "authentication provider (the party that performs the operator's authentication) connection destination" are assumed to be set. In other words, in addition to the information on who may access the resource device 20, the authentication method to be applied when confirming the operator and the information on who performs the authentication are specified. For example, in the policy information of Figs. 4 and 5, the Target element e43 under the Policy element e42 specifies the access subject, the accessed resource and the access action as the objects through the Subjects element e44, the Resources element e45 and the Actions element e46 respectively. For the access subject specified there, the Condition element e48 of the Rule element e47 whose RuleId value is "Rule-1" specifies an authentication method and an authentication provider as a paired condition. Here, the Attribute elements e50 and e51 whose AttributeId attribute value is "identity-provider-url" specify that authentication is to be performed by the password authentication method at one of the designated authentication providers. The value identifying the authentication service location of the authentication provider is expressed as a URL. The Attribute element e49 that expresses the authentication method has the AttributeId attribute value "authentication-method".
The policy information may also be supplied by an external directory service or the like. In that case, the policy information storage unit 41 is implemented as, for example, a connector for accessing a policy store through the directory service.
When a policy attribute query is obtained from the policy enforcement device 30, the policy attribute reply unit 42 has the policy attribute resolution unit 43 resolve the policy attributes and returns the result to the policy enforcement device 30 as a "policy attribute reply".
The policy attribute resolution unit 43 resolves, from the policy information, the policy attributes corresponding to the policy attribute query from the policy enforcement device 30. Here, the policy attribute resolution unit 43 is implemented in the form of, for example, an access program for a local file, and obtains the policy information from the policy information storage unit 41.
Specifically, the policy attribute resolution unit 43 extracts the policy attributes from the policy information of the resource device 20 designated by the policy attribute query. The policy attribute reply generated by the policy attribute resolution unit 43 is, for example, as shown in Fig. 6. The policy attribute reply is expressed by an AttributeFindingResponse element e61, which has a Response element e62. The Response element e62 is associated with the Query element e22 of the policy attribute query by the CorrelationId attribute. The Response element e62 is the set of policy attributes required for policy evaluation. Here, when no policy attribute value (Attribute element value) is included, this simply expresses that the policy attribute is required. When a policy attribute value is included, it expresses the policy attribute value that must be included when making the "policy evaluation request".
For example, in the Subject element e63 the Attribute element whose AttributeId attribute value is "authentication-method" has the value "password", so the password authentication method must be selected. When the FunctionId value of an Apply element e64 is "or", the values within it are selectable. For example, as the attribute value for the AttributeId "identity-provider-url", both "http://example1.co.jp/login" and "http://example2.co.jp/login" can be selected; authentication must be received from the authentication provider corresponding to one of these URLs.
Furthermore, the policy information can control whether the policy attribute value matching the policy attribute query is returned. That is, an attribute (Quariable attribute) indicating whether the policy attribute value is returned can be added to the Attribute element corresponding to that policy attribute.
For example, when the Quariable attribute value is expressed as a Boolean type (a basic data type taking the two truth values "true" and "false"), the example of Fig. 4 carries a Quariable attribute value on the Attribute element of the Subject element. The Quariable attribute value of the Attribute element of this Subject element is "false", so even if this policy attribute applies, the policy attribute value is not returned. If the Quariable attribute is absent, the policy attribute value may be returned, but the Quariable attribute value may also be set explicitly to "true". These criteria may be stated explicitly in the policy as described above, or held by the policy attribute resolution unit as static configuration.
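The policy attribute query of Fig. 2, the policy file of Figs. 4 and 5 and the policy attribute reply of Fig. 6 described above can be exercised together with a small resolver. The following Python is an added example, not code from the patent or from Toshiba: the XML shapes, the policy content (including a "subject-id" attribute carrying Quariable="false"), the query ids and the function names are constructed here to follow the element names in the description, and namespaces and data types are omitted as in the patent's own figures.

```python
import xml.etree.ElementTree as ET

# Constructed policy file (structure after Figs. 4 and 5). Quariable="false"
# on the subject-id attribute means the resolver may report the attribute as
# required but must not disclose its value.
POLICY_XML = """<PolicySet PolicySetId="PS-1">
 <Policy PolicyId="Policy-1">
  <Target>
   <Subjects><Subject>
    <Attribute AttributeId="subject-id" Quariable="false"><AttributeValue>User-1</AttributeValue></Attribute>
   </Subject></Subjects>
   <Resources><Resource><AttributeValue>Resource-1</AttributeValue></Resource></Resources>
   <Actions><Action><AttributeValue>read</AttributeValue></Action></Actions>
  </Target>
  <Rule RuleId="Rule-1" Effect="Permit"><Condition>
   <Attribute AttributeId="authentication-method"><AttributeValue>password</AttributeValue></Attribute>
   <Apply FunctionId="or">
    <Attribute AttributeId="identity-provider-url"><AttributeValue>http://example1.co.jp/login</AttributeValue></Attribute>
    <Attribute AttributeId="identity-provider-url"><AttributeValue>http://example2.co.jp/login</AttributeValue></Attribute>
   </Apply>
  </Condition></Rule>
 </Policy>
</PolicySet>"""

# Constructed policy attribute query (structure after Fig. 2): which
# authentication method and identity provider does "read" on Resource-1 need?
QUERY_XML = """<AttributeFindingQuery>
 <Query QueryId="Q-1">
  <QueryTarget><Subject>
   <Attribute AttributeId="authentication-method"/>
   <Attribute AttributeId="identity-provider-url"/>
  </Subject></QueryTarget>
  <QueryCondition>
   <Resource><AttributeValue>Resource-1</AttributeValue></Resource>
   <Action><AttributeValue>read</AttributeValue></Action>
  </QueryCondition>
 </Query>
</AttributeFindingQuery>"""

# Same condition with an empty QueryTarget, meaning "every applicable policy attribute".
QUERY_ALL_XML = """<AttributeFindingQuery>
 <Query QueryId="Q-2">
  <QueryTarget/>
  <QueryCondition>
   <Resource><AttributeValue>Resource-1</AttributeValue></Resource>
   <Action><AttributeValue>read</AttributeValue></Action>
  </QueryCondition>
 </Query>
</AttributeFindingQuery>"""


def _texts(elem, path):
    return [v.text for v in elem.findall(path)]


def _export(node, wanted, dest):
    """Copy an Attribute (or an Apply group of Attributes) into the reply,
    keeping values only where the policy allows disclosure (Quariable != false)."""
    if node.tag == "Attribute":
        aid = node.get("AttributeId")
        if wanted and aid not in wanted:
            return
        out = ET.SubElement(dest, "Attribute", AttributeId=aid)
        if node.get("Quariable", "true") != "false":
            for text in _texts(node, "AttributeValue"):
                ET.SubElement(out, "AttributeValue").text = text
    elif node.tag == "Apply":
        group = ET.Element("Apply", FunctionId=node.get("FunctionId"))
        for child in node:
            _export(child, wanted, group)
        if len(group):
            dest.append(group)


def resolve_query(policy_xml, query_xml):
    """Policy evaluation device side: build an AttributeFindingResponse whose
    Response elements are correlated to each Query by CorrelationId."""
    policies = ET.fromstring(policy_xml)
    reply = ET.Element("AttributeFindingResponse")
    for query in ET.fromstring(query_xml).findall("Query"):
        cond = query.find("QueryCondition")
        resource = cond.findtext("Resource/AttributeValue")
        action = cond.findtext("Action/AttributeValue")
        wanted = {a.get("AttributeId") for a in query.findall("QueryTarget/Subject/Attribute")}
        response = ET.SubElement(reply, "Response", CorrelationId=query.get("QueryId"))
        subject = ET.SubElement(response, "Subject")
        for policy in policies.iter("Policy"):
            target = policy.find("Target")
            # Only policies whose Target covers the queried resource and action apply.
            if resource not in _texts(target, "Resources/Resource/AttributeValue"):
                continue
            if action not in _texts(target, "Actions/Action/AttributeValue"):
                continue
            for node in target.findall("Subjects/Subject/*") + policy.findall("Rule/Condition/*"):
                _export(node, wanted, subject)
    return reply


def required_attributes(reply):
    """Policy enforcement device side: read a reply into {AttributeId: [acceptable values]}.
    An empty list means the attribute is required but its value was withheld."""
    needed = {}
    for attr in reply.iter("Attribute"):
        needed.setdefault(attr.get("AttributeId"), []).extend(_texts(attr, "AttributeValue"))
    return needed


if __name__ == "__main__":
    reply = resolve_query(POLICY_XML, QUERY_XML)
    print(ET.tostring(reply, encoding="unicode"))
    print(required_attributes(reply))
```

Run stand-alone, it prints the reply XML for Q-1 and the flattened view: password authentication is mandatory and either of the two provider URLs is acceptable. Resolving QUERY_ALL_XML instead additionally reports "subject-id" as required with no value, which is the Quariable="false" behaviour described above.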
When a "policy evaluation request" is received from the policy enforcement device 30, the policy evaluation reply unit 44 sends the policy enforcement device 30 a "policy evaluation reply" indicating whether access between the operator terminal 10 and the resource device 20 is permitted, based on the access condition information contained in the received policy evaluation request and the policy information. In other words, the policy evaluation reply unit 44 sends the policy enforcement device 30 a policy evaluation reply expressing "Permit" or "Deny" according to each element contained in the policy evaluation request and the Rule elements e47 and e52 of the policy information.
The policy enforcement device 30 and the policy evaluation device 40 described above may be arranged on the same physical device. The resource device 20 may also be held inside the policy enforcement device 30.
(Operation of the access control system)
Next, the operation of the access control system 1 of this embodiment is explained using the flowchart of Fig. 7.
First, through an operation by the operator, the operator terminal 10 sends an "access request" for the resource device 20 to the policy enforcement device 30 (S1). The policy enforcement device 30 thus receives the access request for the resource device 20 from the operator terminal 10.
When the access request is received, the policy enforcement device 30 queries the policy evaluation device 40 for the policy attributes required for access to the resource device 20. Specifically, the policy attribute query unit 32 sends the policy attribute query to the policy evaluation device 40 (S2). This policy attribute query, generated by the policy attribute query generation unit 33, states the policy attribute elements to be queried and the condition narrowing their scope.
The policy evaluation device 40 obtains the policy attribute query from the policy enforcement device 30 via the policy attribute reply unit 42. The policy attribute resolution unit 43 then resolves the policy information stored in the policy information storage unit 41 according to the policy attribute query and extracts the required policy attributes (S3).
The policy evaluation device 40 then sends the policy enforcement device 30, via the policy attribute reply unit 42, a policy attribute reply stating the policy attributes resolved by the policy attribute resolution unit 43 (S4).
When the policy enforcement device 30 receives the policy attribute reply from the policy evaluation device 40, the policy attribute query unit 32 reads the policy attributes stated in the policy attribute reply. Here, "password authentication" and "external authentication provider connection destination (URL)" are read as the required policy attributes.
Next, the access condition information corresponding to the policy attributes is acquired through the policy attribute query unit 32 (S5). Here, the operator of the operator terminal 10 is authenticated by password authentication performed by the designated external authentication provider, and the access condition information is thereby obtained (S6, S7).
The policy enforcement device 30 then sends the policy evaluation device 40 a policy evaluation request containing the access condition information acquired via the access condition information acquisition unit 34 (S8).
When the policy evaluation device 40 receives the policy evaluation request from the policy enforcement device 30, the policy evaluation reply unit 44 decides whether to permit access between the operator terminal 10 and the resource device 20, based on the access condition information contained in the policy evaluation request and the policy information stored in the policy information storage unit 41. The decision result is expressed as Permit or Deny. The decision result determined by the policy evaluation reply unit 44 is then sent to the policy enforcement device 30 as the policy evaluation reply (S9).
The policy enforcement device 30 controls access between the operator terminal 10 and the resource device 20 according to the policy evaluation reply from the policy evaluation device 40 (S10, S11).
If access is permitted, the access from the operator terminal 10 to the resource device 20 can then be performed (S12).
(Effects of the access control system)
As described above, in the access control system 1 of this embodiment, when an access request is received from the operator terminal 10, the policy enforcement device 30 queries the policy evaluation device 40 for the policy attributes needed for access to the resource device 20 and sends the policy evaluation device 40 a policy evaluation request based on the query result; access control can therefore be performed efficiently even in a distributed environment.
As a supplementary note, in a conventional access control system the policy enforcement device does not hold the policy information of the resource device, so it often tentatively authenticates the operator by the password authentication method. Depending on the resource device, however, password authentication is sometimes not accepted and authentication based on PKI and an IC card is requested instead.
In conventional access control, the policy enforcement device cannot know the policy attributes required for access to the resource device, and can only ask the policy evaluation device whether access is possible. Therefore, as shown in Fig. 8, the policy enforcement device 30S ends up issuing policy evaluation requests repeatedly before it obtains the access condition information (= PKI + IC card) corresponding to the necessary policy attributes. In contrast, in the access control system 1 of this embodiment the policy enforcement device 30 queries the policy evaluation device 40 in advance for the policy attributes to be obtained, so unnecessary processing such as retransmission of policy evaluation requests can be cut and the efficiency of policy evaluation processing improved.
The policy information of resource devices 20 is becoming complex, and distributed environment systems spanning a plurality of domains are being built. Even in that situation, in the access control system 1 of this embodiment the policy enforcement device 30 queries the policy evaluation device 40 for the policy attributes as a prerequisite of access control, so efficient access control can be realized.
In the access control system of this embodiment, authentication information is used as the access condition information, but access control may also be performed using other information such as GPS (Global Positioning System) information or time stamp information of the operator terminal.
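The flow S1 to S12 above, and the repeated evaluation requests of Fig. 8 that it avoids, can be simulated end to end. The Python below is an added example, not the patent's or Toshiba's code: the policy store contents, the authentication provider stub (which assumes the credential check itself succeeds), the class and function names and the fixed "trial order" of the conventional enforcement point are all constructed for illustration. It generalizes the text slightly by also showing the case of a resource that has no policy, where the enforcement device of the embodiment sends no evaluation request at all.

```python
# Constructed policy store of the policy evaluation device (40): for each
# (resource, action), the access condition an operator must satisfy. Each list
# holds alternative acceptable values (the Apply/"or" of Fig. 6).
POLICY_STORE = {
    ("Resource-1", "read"): {
        "authentication-method": ["password"],
        "identity-provider-url": ["http://example1.co.jp/login", "http://example2.co.jp/login"],
    },
    ("Resource-2", "read"): {
        "authentication-method": ["pki", "ic-card"],
        "identity-provider-url": ["http://example2.co.jp/login"],
    },
}


class AuthProvider:
    """Stub for the external authentication provider (50); the credential check is assumed to succeed."""

    def __init__(self, url, methods):
        self.url, self.methods = url, methods

    def authenticate(self, subject, method):
        # Returns access condition information (S6, S7), or None if the method is unsupported here.
        if method not in self.methods:
            return None
        return {"subject-id": subject, "authentication-method": method, "identity-provider-url": self.url}


class PolicyEvaluationDevice:
    """Policy evaluation device (40): answers attribute queries and evaluation requests."""

    def __init__(self, store):
        self.store = store
        self.evaluation_requests = 0  # counts S8 round trips

    def find_attributes(self, resource, action):
        # S3/S4: policy attribute query -> policy attribute reply ({} when no policy applies)
        return self.store.get((resource, action), {})

    def evaluate(self, request):
        # S9: Permit only if every attribute of the access condition matches the policy
        self.evaluation_requests += 1
        cond = self.store.get((request["resource"], request["action"]))
        if cond is None:
            return "Deny"
        return "Permit" if all(request.get(k) in v for k, v in cond.items()) else "Deny"


class PolicyEnforcementDevice:
    """Policy enforcement device (30) of the embodiment: asks for the attributes first, then evaluates once."""

    def __init__(self, pdp, providers):
        self.pdp, self.providers = pdp, providers

    def handle_access_request(self, subject, resource, action):
        needed = self.pdp.find_attributes(resource, action)                       # S2-S4
        for url in needed.get("identity-provider-url", []):
            provider = self.providers.get(url)
            for method in needed.get("authentication-method", []):
                info = provider.authenticate(subject, method) if provider else None  # S5-S7
                if info:
                    return self.pdp.evaluate({**info, "resource": resource, "action": action})  # S8-S11
        return "Deny"  # no acceptable authentication could be obtained; no evaluation request is sent


class LegacyEnforcementDevice(PolicyEnforcementDevice):
    """Enforcement point of Fig. 8: knows no policy, so it tries methods until one is permitted."""

    TRIAL_ORDER = ["password", "pki", "ic-card"]  # constructed; password first, as the text describes

    def handle_access_request(self, subject, resource, action):
        for method in self.TRIAL_ORDER:
            for provider in self.providers.values():
                info = provider.authenticate(subject, method)
                if info and self.pdp.evaluate({**info, "resource": resource, "action": action}) == "Permit":
                    return "Permit"
        return "Deny"


def providers():
    # Constructed providers: example1 offers only passwords, example2 also PKI and IC cards.
    return {
        "http://example1.co.jp/login": AuthProvider("http://example1.co.jp/login", ["password"]),
        "http://example2.co.jp/login": AuthProvider("http://example2.co.jp/login", ["password", "pki", "ic-card"]),
    }


def run(pep_class, resource, action, subject="User-1"):
    """Run one access request through a fresh PDP; return (decision, evaluation requests sent)."""
    pdp = PolicyEvaluationDevice(POLICY_STORE)
    decision = pep_class(pdp, providers()).handle_access_request(subject, resource, action)
    return decision, pdp.evaluation_requests


if __name__ == "__main__":
    for pep in (PolicyEnforcementDevice, LegacyEnforcementDevice):
        print(pep.__name__, "Resource-2/read ->", run(pep, "Resource-2", "read"))
```

For Resource-2, which demands PKI or an IC card, the enforcement device of the embodiment learns that from the attribute reply and sends a single evaluation request, whereas the Fig. 8 style device sends three (password at each provider is denied before PKI is tried). The count of evaluation requests is the quantity the passage above calls "unnecessary processing such as retransmission".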
< other >
The invention is not limited to the above embodiment itself; at the implementation stage, the constituent elements can be modified and embodied without departing from its gist. In addition, various inventions can be formed by appropriately combining the plurality of constituent elements disclosed in the above embodiment. For example, some constituent elements may be deleted from all the constituent elements shown in the embodiment. Furthermore, constituent elements of different embodiments may be combined as appropriate.
The method described in the above embodiment can also be distributed as a computer-executable program stored on a storage medium such as a magnetic disk (floppy disk (registered trademark), hard disk, etc.), an optical disc (CD-ROM, DVD, etc.), a magneto-optical disk (MO), or a semiconductor memory.
Any storage medium that can store a program and that can be read by a computer may be used, regardless of its file format.
In addition, an OS (operating system) running on the computer according to instructions from the program installed on the computer from the storage medium, or MW (middleware) such as database management software or network software, may execute part of each process for realizing the above embodiment.
The storage medium in the above embodiment is not limited to a medium independent of the computer; it also includes a storage medium that downloads and stores, or temporarily stores, a program transmitted over a LAN or the Internet.
The storage medium is not limited to a single medium; the case where the processing of the above embodiment is executed from a plurality of media is also included in the storage medium of the above embodiment, and the medium may have any structure.
The computer in the above embodiment executes each process of the above embodiment according to the program stored in the storage medium, and may have any structure, such as a single device like a personal computer or a system in which a plurality of devices are connected over a network.
The computer in the above embodiment is not limited to a personal computer; it also includes an arithmetic processing device or microcomputer included in an information processing device, and is a general term for equipment capable of realizing the functions of the above embodiment by means of a program.
The explanation of symbol
1 access control system, 10 operator terminals, 20 resource devices, 30 policy enforcement means,
31 access request acceptance divisions, 32 policy attribute inquiry portions, 33 policy attributes inquiry generation portion,
34 condition of contact information obtain portion, 35 tactical comment request section, 36 access control portions, 40 tactical comment devices, 41 policy information storage parts, 42 policy attribute parsing portions, 43 policy attributes reply portion,
44 tactical comments are replied portion, 50 external authentication providers.

Claims (3)

1. An access control system (1) comprising a policy enforcement means (30) and a tactical comment device (40) for controlling access between an operator terminal (10) and a resource device (20), the access control system being characterized in that
said policy enforcement means comprises:
an access request receiving unit (31) that receives an access request for said resource device from said operator terminal;
a policy attribute query unit (32) for querying said tactical comment device, upon receipt of said access request, for the policy attribute required for access to said resource device;
a condition of contact information obtaining unit (34) for obtaining, when the policy attribute is received from said tactical comment device, the condition of contact information corresponding to that policy attribute;
a tactical comment request unit (35) that, when said condition of contact information has been obtained, sends a tactical comment request including that condition of contact information to said tactical comment device; and
an access control unit (36) that controls access between said operator terminal and said resource device according to the tactical comment reply to said tactical comment request,
and said tactical comment device comprises:
a policy information storage unit (41) that stores policy information representing the condition of contact for said resource device;
a policy attribute resolution unit (42) that resolves, according to said policy information, the policy attribute corresponding to the policy attribute query from said policy enforcement means;
a policy attribute response unit (43) that replies to said policy enforcement means with the policy attribute resolved by said policy attribute resolution unit; and
a tactical comment response unit (44) that, when said tactical comment request is received from said policy enforcement means, sends to that policy enforcement means, according to the condition of contact information included in that tactical comment request and said policy information, a tactical comment reply indicating whether access between said operator terminal and said resource device is permitted.
2. The access control system according to claim 1, characterized in that
said policy enforcement means further comprises a unit (33) that generates the policy attribute query used to query said policy attribute.
3. The access control system according to claim 1 or 2, characterized in that
said policy attribute query unit queries an authentication mode as said policy attribute.
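As an added example (not code from the patent), the following Python model shows the exchange of claim 1 together with the efficiency argument of the description: the policy enforcement means (30) first asks the tactical comment device (40) for the required policy attribute, obtains the matching condition of contact information, and then sends a single tactical comment request, whereas the conventional enforcement of Figure 8 issues one request per credential it holds. The class and function names, the policy data and the credential store are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Policy information storage unit (41), constructed: the policy attribute each
# resource requires is an authentication mode, as in claim 3.
POLICY_INFO = {"resource-20": {"authentication_mode": "pki+ic_card"}}

# Condition of contact information held for the operator terminal (10), constructed.
CREDENTIALS = {"operator-10": {"password": "pw-token",
                               "pki": "cert-token",
                               "pki+ic_card": "cert+card-token"}}

@dataclass
class TacticalCommentDevice:
    """Policy evaluation device (40); counts the tactical comment requests it handles."""
    policy_info: dict
    evaluations: int = 0

    def policy_attribute(self, resource):
        # Units 42 and 43: resolve and reply with the attribute the policy requires.
        return self.policy_info[resource]["authentication_mode"]

    def evaluate(self, resource, condition):
        # Unit 44: permit only if the presented condition matches the policy.
        self.evaluations += 1
        return condition["authentication_mode"] == self.policy_attribute(resource)

def enforce_with_attribute_query(pdp, operator, resource):
    """Policy enforcement means (30) of the embodiment: query the attribute first."""
    mode = pdp.policy_attribute(resource)          # unit 32: policy attribute query
    token = CREDENTIALS[operator].get(mode)        # unit 34: obtain matching condition
    if token is None:                              # no suitable credential: deny, no request sent
        return False
    condition = {"authentication_mode": mode, "token": token}
    return pdp.evaluate(resource, condition)       # units 35 and 36: one request, then enforce

def enforce_by_trial(pdp, operator, resource):
    """Conventional enforcement (Figure 8): the required attribute is unknown, so one
    tactical comment request is sent per credential until one is permitted."""
    for mode, token in CREDENTIALS[operator].items():
        if pdp.evaluate(resource, {"authentication_mode": mode, "token": token}):
            return True
    return False

def compare_request_counts(operator="operator-10", resource="resource-20"):
    """Return ((permitted, requests) for trial, (permitted, requests) for query)."""
    trial, query = TacticalCommentDevice(POLICY_INFO), TacticalCommentDevice(POLICY_INFO)
    return ((enforce_by_trial(trial, operator, resource), trial.evaluations),
            (enforce_with_attribute_query(query, operator, resource), query.evaluations))
```

With the constructed data the trial approach needs three tactical comment requests to reach a permit, the attribute-query approach exactly one.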
CN201080024502.8A 2009-06-03 2010-06-02 Access control system Active CN102804199B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2009134267A JP4649523B2 (en) 2009-06-03 2009-06-03 Access control system
JP2009-134267 2009-06-03
PCT/JP2010/059366 WO2010140628A1 (en) 2009-06-03 2010-06-02 Access control system

Publications (2)

Publication Number Publication Date
CN102804199A true CN102804199A (en) 2012-11-28
CN102804199B CN102804199B (en) 2015-08-26

Family

ID=43297761

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201080024502.8A Active CN102804199B (en) 2009-06-03 2010-06-02 Access control system

Country Status (3)

Country Link
JP (1) JP4649523B2 (en)
CN (1) CN102804199B (en)
WO (1) WO2010140628A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111695112A (en) * 2019-03-15 2020-09-22 北京数聚鑫云信息技术有限公司 Method and device for dynamically controlling access authority

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102223383B (en) * 2011-07-21 2014-03-26 北京握奇数据系统有限公司 Method and device for controlling access
JP5197843B1 (en) 2011-12-27 2013-05-15 株式会社東芝 Authentication linkage system and ID provider device
US8955041B2 (en) 2012-02-17 2015-02-10 Kabushiki Kaisha Toshiba Authentication collaboration system, ID provider device, and program
US8839375B2 (en) * 2012-05-25 2014-09-16 Microsoft Corporation Managing distributed operating system physical resources

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010023421A1 (en) * 1999-12-16 2001-09-20 International Business Machines Corporation Access control system, access control method, storage medium and program transmission apparatus
US20060265599A1 (en) * 2005-05-17 2006-11-23 Yoichi Kanai Access control apparatus, access control method, access control program, recording medium, access control data, and relation description data

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8406478B2 (en) * 2002-08-08 2013-03-26 Agency for Science, Technology and Research Nanyang Technological University Distributed processing in authentication
JP2005038372A (en) * 2003-06-23 2005-02-10 Ricoh Co Ltd Access control decision system, and access control execution system
JP4442750B2 (en) * 2003-07-31 2010-03-31 日本電信電話株式会社 Information resource use control device and information resource use control system
JP4764614B2 (en) * 2004-04-26 2011-09-07 株式会社リコー Information processing apparatus, operation permission information generation method, operation permission information generation program, and recording medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111695112A (en) * 2019-03-15 2020-09-22 北京数聚鑫云信息技术有限公司 Method and device for dynamically controlling access authority
CN111695112B (en) * 2019-03-15 2023-06-02 北京数聚鑫云信息技术有限公司 Method and device for dynamically controlling access rights

Also Published As

Publication number Publication date
WO2010140628A1 (en) 2010-12-09
JP2010282362A (en) 2010-12-16
CN102804199B (en) 2015-08-26
JP4649523B2 (en) 2011-03-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant