Access control system, access control method, storage medium and program transmission apparatus
1 Assignment, 0 Petitions
Abstract
One object of the present invention is an access control process that can evaluate an access permission request under a specific condition, including a condition that must first be established before the request can be decided.
An access control system 100 comprises a resource document 40 in which a policy description is stored; a policy evaluation module 10 for receiving an external request 110 for accessing the data file, for extracting, from the resource document 40, the policy description that is associated with target data for the access request 110, and for evaluating the policy description to determine whether or not the access request 110 is to be permitted; an enforcement function verification module 20 for, when an existing condition cannot be evaluated using only the information included in the policy evaluation module 10, determining whether the condition can be evaluated or can be established; and an enforcement module 30 for evaluating or establishing the condition that, in accordance with the enforcement function verification module 20, can be evaluated or established.
278 Citations
19 Claims
1. An access control system comprising:
a resource document in which a policy description is stored that is associated with data stored in a data file;
policy evaluation means for receiving an external request for accessing said data file, for extracting, from said resource document, said policy description that is associated with target data for said access request, and for evaluating said policy description to determine whether or not said access request is to be permitted;
enforcement function verification means for, when an existing condition is such that said policy description can not be evaluated using only the information included in said policy evaluation means, determining whether said condition can be evaluated or can be established; and
enforcement means for evaluating or establishing said condition that, in accordance with said enforcement function verification means, is capable of being evaluated or established.
(Dependent claims 2, 3 and 4 are not reproduced on this page.)
5. An access control method, for receiving an external request for accessing a predetermined data file and for evaluating a policy description associated with the data that are to be accessed to determine whether or not said access request is to be permitted, comprising:
receiving an access request and obtaining a policy description that is associated with said data that are to be accessed;
evaluating a condition in said obtained policy description;
determining, when a condition that can not be currently evaluated is present in said policy description, whether a process that satisfies said condition is capable of being enforced;
performing said process that satisfies said condition when it is ascertained that said process is capable of being enforced; and
employing, after said process that satisfies said condition has been performed, the evaluation results for all the conditions in said policy description to determine whether or not said access that is requested is to be permitted.
(Dependent claims 6, 7, 8 and 9 are not reproduced on this page.)
10. A storage medium on which a program is stored that can be read by input means of a computer, said program permitting said computer to perform:
a process for receiving an access request to externally access a predetermined data file, and for obtaining a policy description that is associated with said data that are to be accessed;
a process for evaluating a condition in said obtained policy description;
a process for determining, when a condition that can not be currently evaluated is present in said policy description, whether a process that satisfies said condition is capable of being enforced;
a process for performing said process that satisfies said condition when it is ascertained that said process that satisfies said condition is capable of being enforced; and
a process for employing, after said process that satisfies said condition has been performed, the evaluation results for all the conditions in said policy description to determine whether or not said access that is requested is to be permitted.
(Dependent claim 11 is not reproduced on this page.)
12. A program transmission apparatus comprising:
storage means for storing a program that permits a computer to perform;
a process for receiving an access request to externally access a predetermined data file, and for obtaining a policy description that is associated with said data that are to be accessed, a process for evaluating a condition in said obtained policy description, a process for determining, when a condition that can not be currently evaluated is present in said policy description, whether a process that satisfies said condition is capable of being enforced, a process for performing said process that satisfies said condition when it is ascertained that said process that satisfies said condition is capable of being enforced, and a process for employing, after said process that satisfies said condition has been performed, the evaluation results for all the conditions in said policy description to determine whether or not said access that is requested is to be permitted; and
transmission means for reading said program from said storage means and transmitting said program.
(Dependent claim 13 is not reproduced on this page.)
14. An access control system comprising:
means for storing a policy description including a condition whereby reading of information written by a single source is permitted when format conversion is possible;
means for, upon the receipt of a predetermined access request that matches said policy description, determining whether a function to establish said condition for said format conversion is included, and for, when it is ascertained that said function is included, calling and executing said function to establish said condition; and
means for, when said function to establish said condition is executed, permitting an access in response to said access request.
15. An access control system comprising:
means for storing a policy description including a condition whereby reading of information is permitted when an electronic watermark is to be embedded in a document to be accessed;
means for, upon the receipt of a predetermined access request that matches said policy description, determining whether a function for embedding an electronic watermark to establish said condition is included, and for, when it is ascertained that said function is included, calling and executing said function to establish said condition; and
means for, when said function to establish said condition is executed, permitting an access in response to said access request.
16. An access control system comprising:
means for storing a policy description including a condition whereby accessing of a target document is permitted when an access history is to be written to said target document;
means for, upon the receipt of a predetermined access request that matches said policy description, determining whether a function for writing said access history to said target document to establish said condition is included, and for, when it is ascertained that said function is included, calling and executing said function to establish said condition; and
means for, when said function to establish said condition is executed, permitting an access in response to said access request.
(Dependent claim 17 is not reproduced on this page.)
18. An access control system comprising:
means for storing a policy description including a condition whereby accessing of a target document is permitted when a time stamp of an access is to be written as an access history to said target document;
means for, upon the receipt of a predetermined access request that matches said policy description, determining whether a function for writing said time stamp as said access history to said target document to establish said condition is included, and for, when it is ascertained that said function is included, calling and executing said function to establish said condition; and
means for, when said function to establish said condition is executed, permitting an access in response to said access request.
19. An access control system comprising:
a resource document in which a policy description is stored that is associated with data stored in a data file;
policy evaluation means for receiving an external request for accessing said data file, for extracting, from said resource document, said policy description that is associated with target data for said access request, and for evaluating said policy description to determine whether or not said access request is to be permitted; and
enforcement function verification means for performing another process to determine whether said condition can be evaluated or can be established.
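As an added illustration, not code from the patent or its assignee, the following Python sketch implements the flow described in the abstract and exercised by claims 14 to 18: a resource document holding one policy description per data file, a policy evaluation step for conditions that can be decided from the request alone, an enforcement function verification step that checks whether a function exists to establish each remaining condition, and an enforcement step that runs those functions (access history with a timestamp, watermark, format conversion) before the final permit or deny decision. The policy format, the condition names, the enforcer registry and the converter table are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class AccessRequest:
    subject: str
    role: str
    action: str   # "read" or "write"
    target: str   # name of the data file

@dataclass
class Document:
    content: str
    fmt: str      # e.g. "docx", "pdf"
    access_history: List[dict] = field(default_factory=list)
    watermark: Optional[str] = None

# Conditions the policy evaluation module can decide from request and document alone.
EVALUABLE: Dict[str, Callable] = {
    "role_in": lambda req, doc, c: req.role in c["roles"],
    "action_is": lambda req, doc, c: req.action == c["action"],
}

# Enforcement module: functions that establish a condition by acting on the document.
# Assumed registry (not the patent's); each returns True if the condition now holds.
def _write_access_history(req, doc, cond):
    doc.access_history.append({"subject": req.subject, "action": req.action,
                               "time": datetime.now(timezone.utc).isoformat()})
    return True

def _embed_watermark(req, doc, cond):
    doc.watermark = f"{req.subject}:{req.target}"   # toy marker, not a real watermark
    return True

# Hypothetical converter table: the only conversions this enforcer can perform.
CONVERTERS = {("docx", "pdf"): lambda text: text}   # toy converter: content unchanged

def _convert_format(req, doc, cond):
    if doc.fmt == cond["to"]:
        return True
    conv = CONVERTERS.get((doc.fmt, cond["to"]))
    if conv is None:
        return False   # the condition cannot be established for this document
    doc.content, doc.fmt = conv(doc.content), cond["to"]
    return True

ENFORCERS: Dict[str, Callable] = {
    "access_history_written": _write_access_history,
    "watermark_embedded": _embed_watermark,
    "format_converted": _convert_format,
}

def decide(req: AccessRequest, resource_document: Dict[str, List[dict]],
           documents: Dict[str, Document],
           enforcers: Dict[str, Callable] = ENFORCERS) -> Tuple[bool, str]:
    """Return (permit, reason). Default deny: a missing policy, a false condition,
    or a condition that can neither be evaluated nor established ends in denial."""
    policy, doc = resource_document.get(req.target), documents.get(req.target)
    if policy is None or doc is None:
        return False, "no policy or document for target"
    # 1. Side-effect-free conditions first, failing fast, so that no enforcement
    #    function ever runs for a request that would be denied anyway.
    pending = []
    for cond in policy:
        if cond["type"] in EVALUABLE:
            if not EVALUABLE[cond["type"]](req, doc, cond):
                return False, f"condition {cond['type']} false"
        else:
            pending.append(cond)
    # 2. Enforcement function verification: before touching the document, confirm
    #    that every remaining condition has an enforcement function at all.
    missing = [c["type"] for c in pending if c["type"] not in enforcers]
    if missing:
        return False, f"no enforcement function for {missing}"
    # 3. Enforcement: establish the remaining conditions in policy order.
    for cond in pending:
        if not enforcers[cond["type"]](req, doc, cond):
            return False, f"could not establish {cond['type']}"
    # 4. Every condition is now evaluated true or established: permit.
    return True, "all conditions satisfied"

# Constructed sample resource document (one policy description per data file).
RESOURCE_DOCUMENT = {
    "report.docx": [
        {"type": "role_in", "roles": ["auditor", "editor"]},
        {"type": "action_is", "action": "read"},
        {"type": "access_history_written"},          # claims 16/18: log the access
        {"type": "watermark_embedded"},              # claim 15: mark the released copy
        {"type": "format_converted", "to": "pdf"},   # claim 14: read via conversion
    ],
    "ledger.xls": [
        {"type": "role_in", "roles": ["auditor"]},
        {"type": "format_converted", "to": "pdf"},   # no xls->pdf converter exists
    ],
}

def fresh_documents() -> Dict[str, Document]:
    # Constructed sample data files, rebuilt per call because enforcers mutate them.
    return {"report.docx": Document("quarterly figures", "docx"),
            "ledger.xls": Document("ledger rows", "xls")}
```

Two ordering choices carry the security weight here. Request-only conditions are evaluated before any enforcer runs, so a requester who would be denied on role or action never causes a log entry, a watermark or a converted copy to be produced. Verification of every needed enforcement function precedes execution of any of them, so the evaluator never performs part of the side effects and then denies because a later condition had no function behind it. What the sketch does not do is undo an enforcer that already succeeded when a later one returns False; a production implementation would need that rollback, or enforcers that are idempotent and harmless on a request that is ultimately denied.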
Specification