Access control system and methods
First Claim
1. An access control system, for exercising access control upon the receipt of a request to access an object that is an information resource, comprising:
    an access request determination unit for, in accordance with said access request, employing an access control rule defining an access right for said object to determine whether or not access to said object should be permitted; and
    an object storage unit for storing said access control rule for said object, wherein, upon the receipt of a request to access an access control rule, said access request determination unit determines whether or not access to said access control rule should be permitted.
Abstract
The present invention provides access control methods, apparatus and systems that employ an access control rule and that do not distinguish between data and the access control rule, so that the same flexible access control that is available for the data can also be provided for the access control rule. In an example embodiment, an access control system comprises: an access controller for, in accordance with the access request, employing an access control rule defining an access right for the object to determine whether or not access to the object should be permitted; and an object storage unit for storing a set of access control rules as objects equivalent to common data objects, wherein, upon the receipt of a request to access an access control rule, the access controller determines whether or not access to the access control rule should be permitted.
23 Claims
1. An access control system, for exercising access control upon the receipt of a request to access an object that is an information resource, comprising:
    an access request determination unit for, in accordance with said access request, employing an access control rule defining an access right for said object to determine whether or not access to said object should be permitted; and
    an object storage unit for storing said access control rule for said object, wherein, upon the receipt of a request to access an access control rule, said access request determination unit determines whether or not access to said access control rule should be permitted.
    (Dependent claims: 2, 3, 4, 22)

5. An access control system, for exercising access control upon the receipt of a request to access a specific information resource, comprising:
    storage means, for storing an access control rule that defines an access right for said specific information resource and a higher level control rule that defines an access right for said access control rule; and
    determination means, for employing said higher level control rule, in accordance with a request to access said access control rule, to determine whether access to said access control rule should be permitted, wherein a higher level control rule for controlling access to another access control rule is included as said access control rule stored in said storage means.
    (Dependent claims: 6, 7, 8)

9. An access control system, for receiving a tagged object, having a tag that represents control information for data elements, and for exercising access control for said tagged object, comprising:
    access control rule storage means, for storing a set of access control rules each for defining an access right for said tagged object; and
    an access request determination means, for employing one of said access control rules to determine, in accordance with said access request, whether access to said tagged object should be permitted, wherein said access control rules stored in said access control rule storage means are written as tagged objects, for which said tags each represent control information for controlling the elements of said access control rule, and wherein said access request determination means, in accordance with said access request for said access control rule, determines whether access to said access control rule, which is said tagged object, should be permitted.
    (Dependent claims: 10, 11, 13, 14, 23)

12. A server for receiving an access request from a client and for, in accordance with said access request, processing an object that is the target of said access request, comprising:
    an access request determination unit, for determining, based on an access control rule defining an access right for said object, whether the accessing of said object should be permitted;
    an object processor, for performing corresponding processing for said object in accordance with access permission granted by said access request determination unit; and
    an object storage unit for storing, as an object, said access control rule for said object, wherein said access request determination unit, in accordance with an access request for said access control rule, determines whether the accessing of said access control rule should be permitted.

15. An access control method, for exercising access control upon the receipt of an access request for an object that is an information resource, comprising the steps of:
    receiving an access request for an access control rule that is an object;
    obtaining an access control rule defining an access right for said object targeted by said access request; and
    determining, based on said access control rule, whether the accessing of said object should be permitted.

16. An access control method, for exercising access control upon the receipt of an access request for a tagged object, which has a tag that represents information for controlling elements of data, comprising the steps of:
    holding information for an access control rule for said tagged object upon said receipt of an access request for said tagged object;
    obtaining, upon the receipt of an access request for an un-tagged object, which accompanies said tagged object, said access control rule for said tagged object based on said information that is held at said step of holding said information concerning said access control rule; and
    employing said access control rule to determine whether the accessing of said un-tagged object should be permitted.

17. An access control rule generation method, for generating an access control rule for controlling another access control relative to an access request for an object that is an information resource, comprising the steps of:
    receiving a request for generating an access control rule, and determining, based on said access control rule relative to said generation request, whether said generation request should be granted; and
    generating said access control rule, when said generation request is granted, in accordance with said generation request, and adding information to said access control rule that, relative to said generation request, designates said access control rule.

18. A storage medium on which input means of a computer stores a computer-readable program, which permits said computer to perform:
    a process for receiving an access request for an access control rule that is an object;
    a process for obtaining an access control rule defining an access right for said object targeted by said access request; and
    a process for determining, based on said access control rule, whether the accessing of said object should be permitted.

19. A storage medium on which input means of a computer stores a computer-readable program, which permits said computer to perform:
    a process for receiving a request for generating an access control rule that defines an access right for a predetermined specific information resource, and determining, based on said access control rule relative to said generation request, whether said generation request should be granted; and
    a process for generating said access control rule, when said generation request is granted, in accordance with said generation request, and adding information to said access control rule that, relative to said generation request, designates said access control rule.

20. A program transmission apparatus comprising:
    storage means for storing a computer-readable program, which permits said computer to perform a process for receiving an access request for an access control rule that is an object, a process for obtaining an access control rule defining an access right for said object targeted by said access request, and a process for determining, based on said access control rule, whether the accessing of said object should be permitted; and
    transmission means for reading said program from said storage means and for transmitting said program.

21. A program transmission apparatus comprising:
    storage means for storing a computer-readable program, which permits said computer to perform a process for receiving a request for generating an access control rule that defines an access right for a predetermined specific information resource, and determining, based on said access control rule relative to said generation request, whether said generation request should be granted, and a process for generating said access control rule, when said generation request is granted, in accordance with said generation request, and adding information to said access control rule that, relative to said generation request, designates said access control rule; and
    transmission means for reading said program from said storage means and for transmitting said program.
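The scheme the claims describe, as an added illustration that is not the patent's own implementation: rules are stored as objects beside the data, the same determination path decides access to a rule as to a document, a higher level rule governs each rule (claim 5), and generating a new rule is itself gated by the rule that will govern it (claim 17). The principals, action names and object names are constructed for the example.

```python
# Rules-as-objects access control after the claims above. Added illustration,
# not the patent's code; principals, actions and object names are constructed.
from dataclasses import dataclass

@dataclass
class Obj:
    """Any information resource: a data object or an access control rule."""
    name: str
    content: object    # data payload, or for a rule {principal: {actions}}
    governed_by: str   # name of the rule that defines rights for this object
    is_rule: bool = False

class Store:
    """Object storage unit: rules are stored and fetched like any data."""
    def __init__(self):
        self.objects = {}
        # Root rule governs itself; only the administrator may touch it.
        self.put(Obj("root_rule", {"admin": {"read", "write", "create"}},
                     governed_by="root_rule", is_rule=True))

    def put(self, obj):
        self.objects[obj.name] = obj

    def _grants(self, rule_name, principal, action):
        rule = self.objects[rule_name]
        assert rule.is_rule, f"{rule_name} is not an access control rule"
        return action in rule.content.get(principal, set())

    def permitted(self, principal, action, name):
        """Determination unit: same path whether `name` is data or a rule."""
        return self._grants(self.objects[name].governed_by, principal, action)

    def create_rule(self, principal, name, table, governed_by):
        """Rule generation gated by the higher level rule, as in claim 17."""
        if not self._grants(governed_by, principal, "create"):
            return False
        # The new rule records the higher level rule that designates it.
        self.put(Obj(name, table, governed_by=governed_by, is_rule=True))
        return True

def demo():
    s = Store()
    # admin delegates: team_rule lets "lead" create rules beneath it
    s.create_rule("admin", "team_rule", {"lead": {"read", "create"}}, "root_rule")
    s.create_rule("lead", "doc_rule", {"alice": {"read"}}, "team_rule")
    s.put(Obj("doc", "quarterly figures", governed_by="doc_rule"))
    return {"alice_reads_doc": s.permitted("alice", "read", "doc"),
            "bob_reads_doc": s.permitted("bob", "read", "doc"),
            "alice_reads_rule": s.permitted("alice", "read", "doc_rule"),
            "lead_reads_rule": s.permitted("lead", "read", "doc_rule"),
            "alice_makes_rule": s.create_rule("alice", "x", {}, "team_rule")}
```

Note that reading `doc_rule` is decided by `team_rule`, not by `doc_rule` itself, so a principal who may read the document still cannot inspect or alter the rule that grants it.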
Specification