CN102804199B - Access control system - Google Patents


Info

Publication number: CN102804199B
Application number: CN201080024502.8A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN102804199A (en)
Prior art keywords: policy, attribute, access, tactical comment, request
Legal status: Active
Inventors: 池田龙朗, 冈田光司, 山田正隆, 中沟孝则, 西泽实, 冈本利夫
Current Assignee: Toshiba Corp, Toshiba Digital Solutions Corp
Original Assignee: Toshiba Corp, Toshiba Solutions Corp
Application filed by: Toshiba Corp, Toshiba Solutions Corp
Publication of CN102804199A; application granted; publication of CN102804199B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database

Abstract

According to an embodiment, in an access control system (1), when a policy enforcement device (30) receives an access request from an operator terminal (10), it queries a policy decision device (40) for the policy attributes required for access to a resource device (20), and sends a policy decision request based on the query result to the policy decision device (40).

Description

Access control system
Technical field
Embodiments of the present invention relate to an access control system that can perform access control efficiently even in a distributed environment.
Background technology
In recent years, the importance of access control technology, which controls access to specific information or operations according to authority information, has continued to grow. Such technology is widely used, for example, in access control of the action-permission form.
Access control of the action-permission form uses, for example, authority information on a document file as a security attribute. Specifically, the authority information assigned to a user for a document file is described in a permit/deny form for each action, such as "read permission" or "edit permission". Known forms of such authority information are the access control matrix and the access control list (ACL). For example, a method of setting authority information (rules) on a document file as a "secure container" has been disclosed.
However, in access control of the action-permission form it is difficult to describe flexible access control contents, such as conditions on the time or place at which access is permitted, or detailed function restrictions.
Therefore, in recent years, access control of the access control policy form has come into use in addition to the action-permission form. An access control policy is a set of access control rules, and standard description specifications have been published. In access control of the access control policy form, the conditions under which access is permitted and detailed function restrictions can be described. For example, when an access request for a document file is accepted, in addition to deciding whether the file may be opened, control such as restricting the file to the functions defined in the access control policy can be carried out.
However, in access control of the access control policy form, the Policy Enforcement Point that performs access control must request the Policy Decision Point, which evaluates the access control policy, to evaluate the access content against the policy information, for example the subject requesting access or the action being requested. In addition, the subject is generally authenticated before access control, but the authentication method used to verify the access subject is often determined by an authentication policy, which is separate from the access control policy.
In access control of the access control policy form, however, the Policy Enforcement Point does not hold the policy attributes required for evaluating the access control policy, and therefore access is sometimes denied even when an access request is made.
Accordingly, a mechanism that can perform access control efficiently even in such a case is needed.
Prior art file
Patent documentation
Patent documentation 1: Japanese Unexamined Patent Publication No. 2001-306521
Non-patent literature
Non-patent literature 1: Tim Moses, "eXtensible Access Control Markup Language (XACML) Version 2.0", [online], [retrieved May 17, 2007], Internet <URL: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf>
Summary of the invention
The invention provides an access control system having a policy enforcement device and a policy decision device for controlling access between an operator terminal and a resource device, characterised in that
the policy enforcement device has:
an access request receiving unit that receives an access request for the resource device from the operator terminal;
a policy attribute query unit that, when the access request is received, queries the policy decision device for the policy attributes required for access to the resource device;
an access condition information acquisition unit that, when policy attributes are received from the policy decision device, obtains the access condition information corresponding to those policy attributes;
a policy decision request unit that, when the access condition information is obtained, sends a policy decision request containing that access condition information to the policy decision device; and
an access control unit that controls access between the operator terminal and the resource device according to the policy decision response to the policy decision request,
and the policy decision device has:
a policy information storage unit that stores policy information expressing the access conditions for the resource device;
a policy attribute analysis unit that resolves, from the policy information, the policy attributes corresponding to the policy attribute query from the policy enforcement device;
a policy attribute response unit that returns the policy attributes resolved by the policy attribute analysis unit to the policy enforcement device; and
a policy decision response unit that, when the policy decision request is received from the policy enforcement device, sends to the policy enforcement device a policy decision response indicating whether access between the operator terminal and the resource device is permitted, according to the access condition information contained in the policy decision request and the policy information.
Further, the policy enforcement device also has a unit that generates the policy attribute query used to query the policy attributes.
Further, the policy attribute query unit queries the authentication method as the policy attribute.
Accompanying drawing explanation
Fig. 1 is a schematic diagram showing the structure of the access control system of the 1st embodiment.
Fig. 2 shows an example of the "policy attribute query" of this embodiment.
Fig. 3 shows an example of the "policy decision request" of this embodiment.
Fig. 4 shows an example of the "policy information" of this embodiment.
Fig. 5 shows an example of the "policy information" of this embodiment.
Fig. 6 shows an example of the "policy attribute response" of this embodiment.
Fig. 7 is a flowchart for explaining the operation of the access control system 1 of this embodiment.
Fig. 8 is a diagram for explaining the operation of existing access control.
Embodiment
The access control system of the embodiment has a policy enforcement device and a policy decision device for controlling access between an operator terminal and a resource device.
The policy enforcement device has an access request receiving unit that receives an access request for the resource device from the operator terminal.
The policy enforcement device has a policy attribute query unit that, when the access request is received, queries the policy decision device for the policy attributes required for access to the resource device.
The policy enforcement device has an access condition information acquisition unit that, when policy attributes are received from the policy decision device, obtains the access condition information corresponding to those policy attributes.
The policy enforcement device has a policy decision request unit that, when the access condition information is obtained, sends a policy decision request containing that access condition information to the policy decision device.
The policy enforcement device has an access control unit that controls access between the operator terminal and the resource device according to the policy decision response to the policy decision request.
The policy decision device has a policy information storage unit that stores policy information expressing the access conditions for the resource device.
The policy decision device has a policy attribute analysis unit that resolves, from the policy information, the policy attributes corresponding to the policy attribute query from the policy enforcement device.
The policy decision device has a policy attribute response unit that returns the policy attributes resolved by the policy attribute analysis unit to the policy enforcement device.
The policy decision device has a policy decision response unit that, when the policy decision request is received from the policy enforcement device, sends to the policy enforcement device a policy decision response indicating whether access between the operator terminal and the resource device is permitted, according to the access condition information contained in the policy decision request and the policy information.
Hereinafter, with reference to the accompanying drawings of embodiment.
<1st embodiment>
(structure of access control system)
Fig. 1 is a schematic diagram showing the structure of the access control system 1 of the 1st embodiment.
The access control system 1 has a policy enforcement device 30 and a policy decision device 40, and performs access control between an operator terminal 10 and a resource device 20. The devices 10 to 40 are connected to each other over a network. As a prerequisite for access control, policy information for the resource device 20 is stored in the policy decision device 40 in advance. In the present embodiment, the policy enforcement device 30 is also connected to an external authentication provider 50.
The operator terminal 10 is a terminal device operated by an operator. The operator uses the operator terminal 10 to access a specific resource device 20. When the operator terminal 10 accesses the resource device 20, an "access request" for the resource device 20 is sent from the operator terminal 10 to the policy enforcement device 30.
The resource device 20 is the access target of the operator terminal 10. It stores, for example, "resource information" provided by various service providers. Access conditions for the resource device 20 are defined in advance by the policy information, and access is permitted only to access requests that satisfy the access condition corresponding to a specific policy attribute. In a distributed environment system there are multiple resource devices 20 and multiple operator terminals 10.
The policy enforcement device 30 functions as a so-called Policy Enforcement Point and has an access request receiving unit 31, a policy attribute query unit 32, a policy attribute query generation unit 33, an access condition information acquisition unit 34, a policy decision request unit 35 and an access control unit 36.
The access request receiving unit 31 receives the access request for the resource device 20 from the operator terminal 10. When an access request is received, the access request receiving unit 31 passes the information on the resource device 20 that the operator terminal 10 wishes to access to the policy attribute query unit 32.
When an access request is received from the operator terminal 10, the policy attribute query unit 32 queries the policy decision device 40 for the policy attributes required for access to the resource device 20. In short, the policy attribute query unit 32 queries in advance for the policy attribute information needed to make the policy decision request described later. When querying policy attributes, the policy attribute query unit 32 requests the policy attribute query generation unit 33 to generate a policy attribute query.
In the present embodiment it is assumed that the policy attribute query unit 32 queries the "authentication method" as the policy attribute. Authentication methods include password authentication, IC card authentication and biometric authentication. The policy attribute query unit 32 therefore asks the policy decision device 40 which of these authentication methods permits access to the resource device 20. Besides the authentication method, other conditions, such as the place of access or the category of the application in use, can of course also be applied as policy attributes.
The policy attribute query generation unit 33 generates the "policy attribute query" used to query policy attributes. The policy attribute query is used by the policy decision device 40 to resolve the required policy attributes from the policy information. The policy information is described later.
The policy attribute query is, for example, information with the structure shown in Fig. 2. Specifically, the policy attribute query is expressed by an AttributeFindingQuery element e21. The AttributeFindingQuery element e21 has one or more Query elements e22 as child elements, each identified by a QueryId attribute. A Query element e22 has a QueryTarget element e23, which expresses the policy attribute to be queried, and a QueryCondition element e27, which expresses the condition for narrowing the scope. In the example of Fig. 2, the Attribute elements e25 and e26, child elements of the Subject element e24 within the QueryTarget element e23, have the AttributeId attribute values "authentication-method" and "identity-provider-url"; these are the attributes being queried. If nothing is specified in the QueryTarget element e23, the query is interpreted as covering all policy attributes that may apply. Furthermore, in the example of Fig. 2, the AttributeValue elements e28 and e29 of the QueryCondition element e27 specify that the query concerns the condition for performing the "read" action on the resource device 20 corresponding to "Resource-1". This makes it possible to extract from the policy information only the policy attributes applicable to this condition.
When policy attributes are received from the policy decision device 40, the access condition information acquisition unit 34 obtains the "access condition information" corresponding to the received policy attributes. In the present embodiment an authentication device is used as the access condition information acquisition unit 34, and information based on the authentication method specified by the policy attribute is obtained as the access condition information.
The authentication device verifies the identity of the operator. It supports multiple authentication methods and performs authentication with a single method or a combination of methods. The authentication device may also cooperate with an external authentication device or authentication provider to perform authentication. Since the authentication device performs general authentication, details of its structure are omitted.
When access condition information is obtained by the access condition information acquisition unit 34, the policy decision request unit 35 sends a "policy decision request" containing that access condition information to the policy decision device 40. The policy decision request is, for example, information with the structure shown in Fig. 3. Here the access condition information is expressed by the Attribute elements e31, e32 and e33, and the information on the access request destination by the Attribute elements e34 and e35. That is, as access condition information it records that "User-1" of Attribute element e31 has been authenticated by the password authentication method ("password") of Attribute element e32 at the external authentication provider with the URL "http://example1.co.jp/login" of Attribute element e33. As the access request destination, it requests a decision on whether the "read" action of Attribute element e35 is permitted on "Resource-1" of Attribute element e34.
The access control unit 36 controls access between the operator terminal 10 and the resource device 20 according to the policy decision response to the policy decision request. That is, the access control unit 36 permits access from the operator terminal 10 to the resource device 20 when the policy decision response indicates "Permit", and denies it when the response indicates "Deny".
The policy decision device 40 functions as a so-called Policy Decision Point and has a policy information storage unit 41, a policy attribute analysis unit 42, a policy attribute response unit 43 and a policy decision response unit 44.
The policy information storage unit 41 is a memory that stores the "policy information" expressing the access conditions for the resource device 20. The policy information may also be stored in external storage and read in when needed.
In the present embodiment the policy information is described using the example of a policy file written in XML (eXtensible Markup Language). The policy file may be a standalone file or may be embedded in a document file; the present embodiment describes the embedded form.
The policy information is, for example, a policy file with the structure shown in Figs. 4 and 5. The present embodiment adopts, as the standard policy description language, a description format based on the XACML V2.0 format disclosed in Non-patent literature 1. The policy file has one or more Policy elements e42. A PolicySet element e41 may be present as information that groups Policy elements e42, and a PolicySet element may itself contain PolicySet elements. A Policy element e42 has Rule elements e47, and the substance of the access control is described in the Rule elements e47. As a file expressing the substance of access control, the policy file contains the constituents "subject", "action", "resource" and "environment". Specifically, the "subject" is the entity performing the access and is expressed by the Subjects element e44; the "resource" is the target of the access and is expressed by the Resources element e45; the "action" is the content of the access and is expressed by the Actions element e46; the "environment" expresses the environment in which the access is performed. The policy description examples shown in the present embodiment omit information such as namespaces and data types to simplify the description.
In the policy information, it is assumed that the "authentication method" and the "connection destination of the authentication provider (the party that authenticates the operator)" are set as examples of policy attributes for permitting access to the resource device 20. In short, besides expressing who may access the resource device 20, the policy specifies the authentication method that must be used when verifying the operator and who must perform that authentication. For example, in the policy information of Figs. 4 and 5, the Target element e43 directly below the Policy element e42 specifies the targeted access subject, access resource and access action through the Subjects element e44, Resources element e45 and Actions element e46 respectively. For the access subject specified here, the Condition element e48 of the Rule element e47 whose RuleId value is "Rule-1" specifies the authentication method and authentication provider as conditions. Here it specifies that authentication is performed by the password authentication method at one of the authentication providers designated by the Attribute elements e50 and e51 with the AttributeId attribute value "identity-provider-url". The value identifying the authentication service location of the authentication provider is expressed as a URL. The AttributeId attribute value of the Attribute element e49 expressing the authentication method is "authentication-method".
The policy information may also be provided by an external directory service or the like. In that case, the policy information storage unit 41 is implemented as a connector or the like for accessing the policy store through the directory service.
When a policy attribute query is received from the policy enforcement device 30, the policy attribute response unit 42 has the policy attribute analysis unit 43 resolve the policy attributes and returns the analysis result to the policy enforcement device 30 as a "policy attribute response".
The policy attribute analysis unit 43 resolves, from the policy information, the policy attributes corresponding to the policy attribute query from the policy enforcement device 30. Here the policy attribute analysis unit 43 is implemented in a form such as a program that accesses a local file, and obtains the policy information from the policy information storage unit 41.
Specifically, the policy attribute analysis unit 43 extracts policy attributes from the policy information of the resource device 20 designated by the policy attribute query. The policy attribute response generated by the policy attribute analysis unit 43 is, for example, as shown in Fig. 6. The policy attribute response is expressed by an AttributeFindingResponse element e61, which has a Response element e62. The Response element e62 is associated with the Query element e22 of the policy attribute query by a CorrelationId attribute. The Response element e62 is the set of policy attributes required for the policy decision. When a policy attribute value (the value of an Attribute element) is not included, this simply expresses that the policy attribute is required; when a value is included, it expresses the policy attribute value that must be included when making the "policy decision request".
For example, in the Subject element e63 the Attribute element whose AttributeId attribute value is "authentication-method" has the value "password", so the password authentication method must be selected. When the FunctionId value of the Apply element e64 is "or", the values are selectable alternatives. For example, as the value of the attribute whose AttributeId is "identity_provider_url", either "http://example1.co.jp/login" or "http://example2.co.jp/login" can be selected, and authentication must be accepted by the authentication provider corresponding to one of these URLs.
In addition, whether the policy attribute value applicable to a policy attribute query is returned can be controlled in the policy information. That is, an attribute expressing whether the policy attribute value is returned (a Quariable attribute) can be added to the Attribute element corresponding to the policy attribute.
For example, when the Quariable attribute value is expressed as a Boolean type (a basic data type taking the two values "true" and "false"), it appears as in the Attribute element of the Subject element in the example of Fig. 4. The Quariable attribute value of the Attribute element of this Subject element is "false", so even when the policy attribute applies, its value is not returned. If the Quariable attribute is absent, the policy attribute value may be returned; the Quariable attribute value may also be set explicitly to "true". As stated above, these criteria may be described explicitly in the policy or held as static configuration information of the policy attribute analysis unit.
When a "policy decision request" is received from the policy enforcement device 30, the policy decision response unit 44 sends to the policy enforcement device 30 a "policy decision response" indicating whether access between the operator terminal 10 and the resource device 20 is permitted, according to the access condition information contained in the received policy decision request and the policy information. In short, according to the elements contained in the policy decision request and the Rule elements e47 and e52 of the policy information, the policy decision response unit 44 sends a policy decision response indicating "Permit" or "Deny" to the policy enforcement device 30.
The policy enforcement device 30 and policy decision device 40 described above may be configured on the same physical device. The resource device 20 may also be held inside the policy enforcement device 30.
(action of access control system)
Next, the operation of the access control system 1 of the present embodiment is described using the flowchart of Fig. 7.
First, by the operator's operation of the operator terminal 10, an "access request" for the resource device 20 is sent to the policy enforcement device 30 (S1). The policy enforcement device 30 thus receives the access request for the resource device 20 from the operator terminal 10.
When the access request is received, the policy enforcement device 30 queries the policy decision device 40 for which policy attributes are required for access to the resource device 20. Specifically, the policy attribute query unit 32 sends a policy attribute query to the policy decision device 40 (S2). This policy attribute query is generated by the policy attribute query generation unit 33 and describes the elements of the policy attributes being queried and the condition for narrowing their scope.
The policy decision device 40 obtains the policy attribute query from the policy enforcement device 30 via the policy attribute response unit 42. The policy attribute analysis unit 43 then analyses the policy information stored in the policy information storage unit 41 according to the policy attribute query and extracts the required policy attributes (S3).
The policy decision device 40 then sends a policy attribute response describing the policy attributes resolved by the policy attribute analysis unit 43 to the policy enforcement device 30 via the policy attribute response unit 42 (S4).
When the policy enforcement device 30 receives the policy attribute response from the policy decision device 40, the policy attribute query unit 32 reads the policy attributes recorded in it. Here "password authentication" and "connection destination (URL) of the external authentication provider" are read as the required policy attributes.
The policy attribute query unit 32 then obtains the access condition information corresponding to the policy attributes (S5). Here the operator of the operator terminal 10 is authenticated by password authentication performed by the designated external authentication provider, and the access condition information is thereby obtained (S6, S7).
The policy enforcement device 30 then sends a policy decision request containing the access condition information obtained via the access condition information acquisition unit 34 to the policy decision device 40 (S8).
When the policy decision device 40 receives the policy decision request from the policy enforcement device 30, the policy decision response unit 44 determines whether access between the operator terminal 10 and the resource device 20 is permitted, according to the access condition information contained in the policy decision request and the policy information stored in the policy information storage unit 41. The result is expressed as Permit or Deny. The result determined by the policy decision response unit 44 is then sent to the policy enforcement device 30 as a policy decision response (S9).
The policy enforcement device 30 controls access between the operator terminal 10 and the resource device 20 according to the policy decision response from the policy decision device 40 (S10, S11).
When access is permitted, the access from the operator terminal 10 to the resource device 20 can then be performed (S12).
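The two exchanges described above, the policy attribute query of S2 to S4 (including the Quariable handling of Fig. 4 and the "or" alternatives of Fig. 6) and the single policy decision request of S8/S9, as an added Python example. This is illustrative code written for this page, not the patent's or Toshiba's implementation. The policy file is a constructed, simplified XML modelled on the description of Figs. 4 to 6 (namespaces and data types omitted, as the page does); the Resource/Action element names, the "pki+ic-card" method name, Policy-2/Rule-2/Resource-2 and the simulated authentication function are assumptions. It also reproduces the retry flow of Fig. 8, so the number of decision requests in the existing flow and in the embodiment can be compared directly.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified policy file modelled on the page's description of
# Figs. 4/5; not the patent's own XML. Rule-1 follows the text: password
# authentication at one of two identity providers. Policy-2/Rule-2 are an
# assumed extra whose value is withheld from responses (Quariable="false").
POLICY_XML = """
<PolicySet>
  <Policy PolicyId="Policy-1">
    <Target><Resources><Resource>Resource-1</Resource></Resources>
            <Actions><Action>read</Action></Actions></Target>
    <Rule RuleId="Rule-1" Effect="Permit"><Condition>
      <Attribute AttributeId="authentication-method">password</Attribute>
      <Apply FunctionId="or">
        <Attribute AttributeId="identity-provider-url">http://example1.co.jp/login</Attribute>
        <Attribute AttributeId="identity-provider-url">http://example2.co.jp/login</Attribute>
      </Apply>
    </Condition></Rule>
  </Policy>
  <Policy PolicyId="Policy-2">
    <Target><Resources><Resource>Resource-2</Resource></Resources>
            <Actions><Action>read</Action></Actions></Target>
    <Rule RuleId="Rule-2" Effect="Permit"><Condition>
      <Attribute AttributeId="authentication-method" Quariable="false">pki+ic-card</Attribute>
    </Condition></Rule>
  </Policy>
</PolicySet>
"""


class PolicyDecisionDevice:
    """Policy decision device (40): serves policy attribute queries and policy
    decision requests from one set of policy information."""

    def __init__(self, policy_xml):
        self.root = ET.fromstring(policy_xml.strip())
        self.decision_requests = 0  # counted to compare with the Fig. 8 retry flow

    def _rules_for(self, resource, action):
        for policy in self.root.iter("Policy"):
            target = policy.find("Target")
            if (resource in {r.text for r in target.iter("Resource")}
                    and action in {a.text for a in target.iter("Action")}):
                yield from policy.iter("Rule")

    def find_attributes(self, resource, action):
        """Policy attribute response (S3/S4): the attribute ids the PEP must
        supply. Values are listed only where Quariable is not "false"; an
        empty list means "needed, but the policy withholds the value"."""
        response = {}
        for rule in self._rules_for(resource, action):
            for attr in rule.iter("Attribute"):
                values = response.setdefault(attr.get("AttributeId"), [])
                if attr.get("Quariable", "true") != "false" and attr.text not in values:
                    values.append(attr.text)
        return response

    def evaluate(self, subject, resource, action):
        """Policy decision response (S9): Permit when the condition of some
        matching rule holds for the supplied access condition information."""
        self.decision_requests += 1
        for rule in self._rules_for(resource, action):
            if all(self._term_holds(t, subject) for t in rule.find("Condition")):
                return "Permit"
        return "Deny"

    @staticmethod
    def _term_holds(term, subject):
        if term.tag == "Apply" and term.get("FunctionId") == "or":
            return any(subject.get(a.get("AttributeId")) == a.text for a in term)
        return subject.get(term.get("AttributeId")) == term.text


def simulated_authentication(user, method, provider):
    """Assumed stand-in for the authentication device (34) and external
    provider (50): reports the user as authenticated with the given method
    at the given provider. A real device would actually authenticate."""
    return {"user": user, "authentication-method": method,
            "identity-provider-url": provider}


def embodiment_flow(pdp, user, resource, action):
    """Fig. 7 flow: query the required attributes (S2-S4), obtain matching
    access condition information (S5-S7), send one decision request (S8)."""
    required = pdp.find_attributes(resource, action)
    # If the policy withholds the value (Quariable="false") the PEP still knows
    # which attribute is needed and uses its own (assumed) strongest method.
    method = next(iter(required.get("authentication-method", [])), "pki+ic-card")
    provider = next(iter(required.get("identity-provider-url", [])), None)
    return pdp.evaluate(simulated_authentication(user, method, provider), resource, action)


def legacy_flow(pdp, user, resource, action):
    """Fig. 8 flow: with no attribute information the PEP tries password
    authentication first and re-sends the decision request with PKI + IC
    card only after a Deny."""
    for method in ("password", "pki+ic-card"):
        subject = simulated_authentication(user, method, "http://example1.co.jp/login")
        if pdp.evaluate(subject, resource, action) == "Permit":
            return "Permit"
    return "Deny"
```

Running `embodiment_flow` and `legacy_flow` against separate `PolicyDecisionDevice` instances for `Resource-2` gives the same Permit, but `decision_requests` is 1 for the embodiment and 2 for the Fig. 8 flow, which is the saving the page claims; a request whose identity-provider-url matches neither alternative in the "or" is denied.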
(effect of access control system)
As described above, in the access control system 1 of the present embodiment, when the policy enforcement device 30 receives an access request from the operator terminal 10, it queries the policy decision device 40 for the policy attribute required for access to the resource device 20 and sends a policy decision request based on the query result to the policy decision device 40. Access control can therefore be performed efficiently even in a distributed environment.
To explain further: in conventional access control systems, the policy enforcement device does not hold the policy information of the resource device, so it commonly attempts to authenticate the operator by password authentication. On the other hand, some resource devices do not accept password authentication and instead require authentication based on PKI and an IC card.
In conventional access control, however, the policy enforcement device cannot determine the policy attribute required for access to the resource device; it can only query the policy decision device about the access itself. As shown in Figure 8, this leads to a situation in which the policy enforcement device 30S issues policy decision requests repeatedly before it obtains the access condition information (=PKI+IC card) corresponding to the required policy attribute. In the access control system 1 of the present embodiment, by contrast, the policy enforcement device 30 queries the policy decision device 40 in advance for the policy attribute to be obtained, so unnecessary processing such as retransmission of policy decision requests can be eliminated and the efficiency of policy decision processing improved.
The policy information of the resource device 20 is becoming complex, and distributed-environment systems spanning multiple domains are being constructed. Even under these conditions, in the access control system 1 according to the present embodiment the policy enforcement device 30 queries the policy decision device 40 for the policy attribute as a prerequisite for access control, and efficient access control can therefore be achieved.
In the access control system of the present embodiment, authentication information is used as the access condition information, but access control may also be performed using other information, such as GPS (Global Positioning System) information or timestamp information from the operator terminal.
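As an added illustration (not code from the patent or its applicant), the following Python model contrasts the trial-and-error flow of Figure 8 with the query-first flow of the embodiment; the resource name, authentication modes and policy entry are constructed, and the external authentication provider 50 is reduced to a stub.

```python
# Added example: a minimal model of the policy enforcement device (30) and policy
# decision device (40) exchange. Policy information, resource names and
# authentication modes below are constructed for illustration.

# Constructed policy information (storage unit 41): resource -> required attribute.
POLICY_INFO = {"resource20": {"auth_mode": "PKI+IC-card"}}


class PolicyDecisionDevice:
    """Device 40: answers policy attribute queries (43) and decision requests (44)."""

    def __init__(self, policy_info):
        self.policy_info = policy_info
        self.decision_requests = 0  # counts decision requests, to compare both flows

    def query_policy_attribute(self, resource):
        # Units 42/43: resolve which attribute (here the authentication mode)
        # the policy for this resource requires, and return it to the PEP.
        return self.policy_info[resource]["auth_mode"]

    def decide(self, resource, access_condition):
        # Unit 44: Permit only if the presented access condition satisfies the policy.
        self.decision_requests += 1
        required = self.policy_info[resource]["auth_mode"]
        return "Permit" if access_condition.get("auth_mode") == required else "Deny"


def authenticate(auth_mode):
    # Stub for external authentication provider 50: the access condition information
    # obtained by unit 34 is simply the authentication mode that was performed.
    return {"auth_mode": auth_mode}


def enforce_with_query(pdp, resource):
    # Embodiment flow: query the required attribute first (32), obtain the matching
    # access condition (34), then send exactly one decision request (35).
    required = pdp.query_policy_attribute(resource)
    condition = authenticate(required)
    return pdp.decide(resource, condition)


def enforce_by_trial(pdp, resource, modes=("password", "PKI+IC-card")):
    # Conventional flow (Figure 8): the PEP does not know the required attribute,
    # so it tries authentication modes, sending a decision request for each one.
    for mode in modes:
        if pdp.decide(resource, authenticate(mode)) == "Permit":
            return "Permit"
    return "Deny"
```

Running both flows against the same policy shows the query-first flow reaching Permit with a single decision request, while the trial flow needs one request per attempted authentication mode.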
<Others>
The invention is not limited to the above embodiment as such; at the implementation stage, the constituent elements may be modified and embodied without departing from its gist. Various inventions may also be formed by appropriately combining the plurality of constituent elements disclosed in the above embodiment. For example, some constituent elements may be deleted from all the constituent elements shown in the embodiment. Constituent elements of different embodiments may also be combined as appropriate.
The method described in the above embodiment may also be stored and distributed, as a program executable by a computer, on storage media such as magnetic disks (floppy disk (registered trademark), hard disk, etc.), optical disks (CD-ROM, DVD, etc.), magneto-optical disks (MO), and semiconductor memory.
The storage medium may have any file format as long as it can store the program and can be read by a computer.
Part of each process for realizing the above embodiment may also be executed by an OS (operating system), database management software, network software, or other middleware (MW) running on the computer, according to instructions from the program installed on the computer from the storage medium.
The storage medium in the above embodiment is not limited to a medium independent of the computer; it also includes a storage medium that downloads and stores, or temporarily stores, a program transmitted over a LAN, the Internet, or the like.
The storage medium is not limited to a single medium; the case where the processes of the above embodiment are executed from a plurality of media is also included in the storage medium of the above embodiment, and the medium structure may be any structure.
The computer in the above embodiment executes each process of the above embodiment according to the program stored in the storage medium, and may have any structure, such as a single device like a personal computer, or a system in which a plurality of devices are connected via a network.
The computer in the above embodiment is not limited to a personal computer; it also includes an arithmetic processing device, microcomputer, or the like included in information processing equipment, and is a general term for equipment that can realize the functions of the above embodiment by means of a program.
Explanation of reference symbols
1 access control system, 10 operator terminal, 20 resource device, 30 policy enforcement device, 31 access request receiving unit, 32 policy attribute query unit, 33 policy attribute query generation unit, 34 access condition information acquisition unit, 35 policy decision request unit, 36 access control unit, 40 policy decision device, 41 policy information storage unit, 42 policy attribute resolution unit, 43 policy attribute response unit, 44 policy decision response unit, 50 external authentication provider.

Claims (3)

1. An access control system (1) comprising a policy enforcement device (30) for controlling access by an operator terminal (10) to a resource device (20) and a policy decision device (40), the access control system being characterized in that
the policy enforcement device comprises:
an access request receiving unit (31) that receives an access request for the resource device from the operator terminal;
a policy attribute query unit (32) that, when the access request is received, queries the policy decision device for the policy attribute required for access to the resource device;
an access condition information acquisition unit (34) that, when the policy attribute is received from the policy decision device, obtains access condition information corresponding to the policy attribute;
a policy decision request unit (35) that, when the access condition information is obtained, sends a policy decision request containing the access condition information to the policy decision device; and
an access control unit (36) that controls access by the operator terminal to the resource device according to the policy decision response to the policy decision request,
and the policy decision device comprises:
a policy information storage unit (41) that stores policy information representing access conditions for the resource device;
a policy attribute resolution unit (42) that resolves, based on the policy information, the policy attribute corresponding to the policy attribute query from the policy enforcement device;
a policy attribute response unit (43) that responds to the policy enforcement device with the policy attribute resolved by the policy attribute resolution unit; and
a policy decision response unit (44) that, when the policy decision request is received from the policy enforcement device, sends to the policy enforcement device, based on the access condition information contained in the policy decision request and the policy information, a policy decision response indicating whether access by the operator terminal to the resource device is permitted.
2. The access control system according to claim 1, characterized in that
the policy enforcement device further comprises a unit (33) that generates the policy attribute query for querying the policy attribute.
3. The access control system according to claim 1 or 2, characterized in that
the policy attribute query unit queries an authentication mode as the policy attribute.
CN201080024502.8A 2009-06-03 2010-06-02 Access control system Active CN102804199B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2009134267A JP4649523B2 (en) 2009-06-03 2009-06-03 Access control system
JP2009-134267 2009-06-03
PCT/JP2010/059366 WO2010140628A1 (en) 2009-06-03 2010-06-02 Access control system

Publications (2)

Publication Number Publication Date
CN102804199A CN102804199A (en) 2012-11-28
CN102804199B true CN102804199B (en) 2015-08-26

Family

ID=43297761

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201080024502.8A Active CN102804199B (en) 2009-06-03 2010-06-02 Access control system

Country Status (3)

Country Link
JP (1) JP4649523B2 (en)
CN (1) CN102804199B (en)
WO (1) WO2010140628A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102223383B (en) * 2011-07-21 2014-03-26 北京握奇数据系统有限公司 Method and device for controlling access
JP5197843B1 (en) 2011-12-27 2013-05-15 株式会社東芝 Authentication linkage system and ID provider device
US8955041B2 (en) 2012-02-17 2015-02-10 Kabushiki Kaisha Toshiba Authentication collaboration system, ID provider device, and program
US8839375B2 (en) * 2012-05-25 2014-09-16 Microsoft Corporation Managing distributed operating system physical resources
CN111695112B (en) * 2019-03-15 2023-06-02 北京数聚鑫云信息技术有限公司 Method and device for dynamically controlling access rights

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060265599A1 (en) * 2005-05-17 2006-11-23 Yoichi Kanai Access control apparatus, access control method, access control program, recording medium, access control data, and relation description data

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3546787B2 (en) * 1999-12-16 2004-07-28 インターナショナル・ビジネス・マシーンズ・コーポレーション Access control system, access control method, and storage medium
JP4433472B2 (en) * 2002-08-08 2010-03-17 ナンヤン テクノロジカル ユニヴァーシティ Distributed authentication processing
JP2005038372A (en) * 2003-06-23 2005-02-10 Ricoh Co Ltd Access control decision system, and access control execution system
JP4442750B2 (en) * 2003-07-31 2010-03-31 日本電信電話株式会社 Information resource use control device and information resource use control system
JP4764614B2 (en) * 2004-04-26 2011-09-07 株式会社リコー Information processing apparatus, operation permission information generation method, operation permission information generation program, and recording medium

Also Published As

Publication number Publication date
WO2010140628A1 (en) 2010-12-09
CN102804199A (en) 2012-11-28
JP4649523B2 (en) 2011-03-09
JP2010282362A (en) 2010-12-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant