Access control decision system, access control enforcing system, and security policy
First Claim
Patent Images
1. An access control decision system comprising;
- an abstraction converting part converting first information indicated by an access decision request into second information being abstract higher than the first information when the access decision request for requesting an access control decision for subject information to be accessed is received;
an access control decision part determining the access control for the subject information by referring a security policy being abstractly regulated based on the second information; and
a decision result sending part sending a decision result showing the access control for the subject information by said access control decision part, to a request originator that sent the access decision request.
1 Assignment
0 Petitions
Accused Products
Abstract
In an access control decision system, first information indicated by an access decision request is converted into second information being higher abstract when the access decision request is received. Next, the access control for the subject information is determined by referring a security policy being abstractly regulated based on the second information and a decision result showing the access control for the subject information is sent to a request originator that sent the access decision request.
-
Citations
47 Claims
-
1. An access control decision system comprising;
-
an abstraction converting part converting first information indicated by an access decision request into second information being abstract higher than the first information when the access decision request for requesting an access control decision for subject information to be accessed is received;
an access control decision part determining the access control for the subject information by referring a security policy being abstractly regulated based on the second information; and
a decision result sending part sending a decision result showing the access control for the subject information by said access control decision part, to a request originator that sent the access decision request. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. An access control decision method, comprising the steps of:
-
storing a security policy being abstractly regulated and capable of being externally set in a storage area;
receiving an access decision request requesting an access control decision for subject information to be accessed;
converting a first information indicated by the access decision request into a second information having an abstraction degree higher than the first information;
determining an access control for the subject information by referring to the security policy stored in the storage area; and
sending a decision result showing the access control for the subject information to a request originator who sent the access decision request.
-
-
14. A program product for causing a computer to determine an access control, said program product comprising the codes for:
-
storing a security policy being abstractly regulated and capable of being externally set in a storage area;
receiving an access decision request requesting an access control decision for subject information to be accessed;
converting a first information indicated by the access decision request into a second information having an abstraction degree higher than the first information;
determining an access control for the subject information by referring to the security policy stored in the storage area; and
sending a decision result showing the access control for the subject information to a request originator who sent the access decision request.
-
-
15. A computer-readable recording medium recorded with a program for causing a computer to determine an access control, said program comprising the codes for:
-
storing a security policy being abstractly regulated and capable of being externally set in a storage area;
receiving an access decision request requesting an access control decision for subject information to be accessed;
converting a first information indicated by the access decision request into a second information having an abstraction degree higher than the first information;
determining an access control for the subject information by referring to the security policy stored in the storage area; and
sending a decision result showing the access control for the subject information to a request originator who sent the access decision request.
-
-
16. An access control enforcing system, comprising an access control enforcing part enforcing an access control for subject information based on access control information indicating a control concerning an access to the subject information in accordance with a security policy,
wherein said access control enforcing part further includes a requirement capability determining part determining whether or not a requirement to execute the access can be executed, the requirement indicated by the access control information, and wherein the access control is enforced for the subject information based on a determination result by the requirement capability determining part so as to satisfy the requirement.
-
25. An access control enforcing method, comprising the steps of:
-
determining that a requirement indicated in access control information, the requirement to execute an access, when the access control is enforced to the subject information based on the access control information indicating a control concerning the access to the subject information in accordance to a security policy; and
enforcing the access control to the subject information so as to satisfy the requirement based on a determination result.
-
- 26. A security policy, comprising a rule description showing a rule regulating whether or not an operation is allowed based on a first security attribute of subject information directed to the operation and a second security attribute of a user requesting the operation for the subject information, wherein the rule description regulates to allow the operation when a requirement is satisfied.
-
42. A computer-readable recording medium recorded with a security policy, said security policy comprising a rule description showing a rule regulating whether or not an operation is allowed based on a first security attribute of subject information directed to the operation and a second security attribute of a user requesting the operation for the subject information, wherein the rule description regulates to allow the operation when a requirement is satisfied.
-
43. A security control system, comprising:
-
showing a rule regulating whether or not an operation is allowed, based on a first security attribute of subject information directed to the operation and a second security attribute of a user requesting the operation for the subject information; and
controlling the operation for the subject information in accordance with a security policy regulating that the operation is allowed when a requirement is satisfied.
-
-
44. A security policy regulating method, comprising a rule description showing a rule regulating whether or not an operation is allowed based on a first security attribute of subject information directed to the operation and a second security attribute of a user requesting the operation for the subject information, wherein the rule description regulates to allow the operation when a requirement is satisfied.
-
45. A security policy, comprising a rule description being managed by a system and showing a rule regulating a requirement required to satisfy to allow an operation, said operation incapable of being controlled to allow or prohibit with respect to a subject information when the subject information is output outside the system by allowing the operation to the subject information, wherein said rule description regulates that the operation is allowed when the requirement is satisfied, said requirement capable of repeatedly conducting the control with respect to the subject information being output outside the system.
-
46. A computer-readable recording medium recorded with a security policy, said security policy comprising a rule description being managed by a system and showing a rule regulating a requirement required to satisfy to allow an operation, said operation incapable of being controlled to allow or prohibit with respect to a subject information when the subject information is output outside the system by allowing the operation to the subject information, wherein said rule description regulates that the operation is allowed when the requirement is satisfied, said requirement capable of repeatedly conducting the control with respect to the subject information being output outside the system.
-
47. A system for controlling an operation, comprising:
-
managing subject information directed to the operation; and
a rule description being managed by a system and showing a rule regulating a requirement required to satisfy to allow an operation, said operation incapable of being controlled to allow or prohibit with respect to a subject information when the subject information is output outside the system by allowing the operation to the subject information, wherein said rule description regulates that the operation is allowed when the requirement is satisfied, said requirement capable of repeatedly conducting the control with respect to the subject information being output outside the system.
-
Specification