System, server, and program for access right management

US 20080222694A1
Filed: 02/08/2008
Published: 09/11/2008
Est. Priority Date: 03/09/2007
Status: Active Grant

First Claim

Patent Images

1. A system comprising an access right management device, which is provided in each domain, for creating a resource-sharing policy and performing resource-sharing policy negotiation between a plurality of domain administrators, whereinthe access right management device performs:

for each policy unit of the resource-sharing policy, identifying an access right management device which is a negotiating partner about each policy unit;

generating negotiation information including an identification name of the identified access right management device and the policy unit to be negotiated; and

transmitting the negotiation information to the identified access right management device; and

setting the resource-sharing policy on shared resource when having received an instruction to agree on every policy unit from the identified access right management device to which the negotiation information was sent.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Each domain is provided with an access right management device which creates a resource-sharing policy and performs processing for resource-sharing policy negotiation between a plurality of domain administrators. An access right management device that has created a resource-sharing policy identifies, for each policy unit included in the resource-sharing policy, an access right management device that is a negotiating partner to negotiate with about the policy unit in question. The access right management device generates negotiation information including an identification name of the identified negotiating-partner access right management device and the policy unit in question and sends the negotiation information to the negotiating-partner access right management device. Only when all policy units are agreed on by respective identified negotiating-partner access right management devices, the resource-sharing policy is set on shared resources.

Citations

25 Claims

1. A system comprising an access right management device, which is provided in each domain, for creating a resource-sharing policy and performing resource-sharing policy negotiation between a plurality of domain administrators, whereinthe access right management device performs:
- for each policy unit of the resource-sharing policy, identifying an access right management device which is a negotiating partner about each policy unit;
  
  generating negotiation information including an identification name of the identified access right management device and the policy unit to be negotiated; and
  
  transmitting the negotiation information to the identified access right management device; and
  
  setting the resource-sharing policy on shared resource when having received an instruction to agree on every policy unit from the identified access right management device to which the negotiation information was sent.
- View Dependent Claims (2, 3, 4, 5, 6, 8)
- - 2. The system according to claim 1, wherein the access right management device comprises:
    - a policy editing section for creating and editing the resource-sharing policy;
      
      a group management section for storing domain information including identification names of users, domain administrators and the access right management device involved in resource sharing and relations with domains;
      
      a shared resource management section for storing an identification name of shared resource and the domain which are associated with each other;
      
      a negotiation information generation section for extracting from the resource-sharing policy the policy unit to be negotiated with the domain which is a negotiating partner and generating the negotiation information by referring to the group management section and the shared resource management section;
      
      a policy negotiating section for performing negotiation to obtain an agreement with the identified access right management device on the policy unit of the resource-sharing policy; and
      
      a policy enforcement section for setting only an agreed resource-sharing policy on shared resource.
  - 3. The system according to claim 2, wherein when the policy editing section creates a new resource-sharing policy or alters a resource-sharing policy, the negotiation information generation section divides the resource-sharing policy into policy units and, for each policy unit, inquires of the group management section which domain the identification name of a user belongs to, or inquires of the shared resource management section which domain the identification name of a shared resource belongs to, thereby identifying a negotiating partner about the policy unit, and generates negotiation information including a list of identification names of involved access right management devices and at least one policy unit to be negotiated.
  - 4. The system according to claim 2, wherein the policy negotiation section sends the negotiation information generated by the negotiation information generation section to the access right management device included in the negotiation information and when an instruction to agree on the policy unit included in the negotiation information is obtained from the access right management device to which the negotiation information has been sent, a digital signature of a domain administrator of that access right management device is affixed to the policy unit.
  - 5. The system according to claim 4, wherein the policy negotiation section checks for presence of a digital signature and, when determining that the policy unit has been agreed on, updates the resource-sharing policy in question with the agreed policy unit.
  - 6. The system according to claim 1, wherein the shared resource is a virtual shared resource, wherein the system further comprises a virtual resource generation section for generating the virtual shared resource and registering information of generated virtual shared resource in the access right management device.
  - 8. The system according to claim 1, further comprising a conflict verification section for detecting a conflict between the resource-sharing policy and a predetermined restrictive condition.

7. A system comprising:
- an access right management server provided in each domain, which, for each policy unit of a generated resource-sharing policy, identifies a negotiating partner about the policy unit;
  
  generates negotiation information including an identification name of the identified negotiating partner and the policy unit to be negotiated; and
  
  transmits the negotiation information to the identified negotiating partner; and
  
  when having received an instruction to agree on every policy unit from the identified negotiating partner to which the negotiation information was sent, sets the resource-sharing policy on shared resource; and
  
  a client terminal which connects to the access right management server to allow a domain administrator to instruct editing, negotiation and forcedly setting of the resource-sharing policy.
- View Dependent Claims (9)
- - 9. The system according to claim 7, further comprising a conflict verification section for detecting a conflict between the resource-sharing policy and a predetermined restrictive condition.

10. A server, which is provided in each domain, for creating a resource-sharing policy and performing resource-sharing policy negotiation between a plurality of domain administrators, wherein the server performs:
- for each policy unit of the resource-sharing policy, identifying a server which is a negotiating partner about each policy unit;
  
  generating negotiation information including an identification name of the identified server and the policy unit to be negotiated; and
  
  transmitting the negotiation information to the identified server; and
  
  setting the resource-sharing policy on shared resource when having received an instruction to agree on every policy unit from the identified server to which the negotiation information was sent.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The server according to claim 10, comprising:
    - a policy editing section for creating and editing the resource-sharing policy;
      
      a group management section for storing domain information including identification names of users, domain administrators and the server involved in resource sharing and relations with domains;
      
      a shared resource management section for storing an identification name of shared resource and the domain which are associated with each other;
      
      a negotiation information generation section for extracting from the resource-sharing policy the policy unit to be negotiated with the domain which is a negotiating partner and generating the negotiation information by referring to the group management section and the shared resource management section;
      
      a policy negotiating section for performing negotiation to obtain an agreement with the identified server on the policy unit of the resource-sharing policy; and
      
      a policy enforcement section for setting only an agreed resource-sharing policy on shared resource.
  - 12. The server according to claim 11, wherein when the policy editing section creates a new resource-sharing policy or alters a resource-sharing policy, the negotiation information generation section divides the resource-sharing policy into policy units and, for each policy unit, inquires of the group management section which domain the identification name of a user belongs to, or inquires of the shared resource management section which domain the identification name of a shared resource belongs to, thereby identifying a negotiating partner about the policy unit, and generates negotiation information including a list of identification names of involved servers and at least one policy unit to be negotiated.
  - 13. The server according to claim 11, wherein the policy negotiation section sends the negotiation information generated by the negotiation information generation section to the server included in the negotiation information and when an instruction to agree on the policy unit included in the negotiation information is obtained from the server to which the negotiation information has been sent, a digital signature of a domain administrator of that server is affixed to the policy unit.
  - 14. The server according to claim 13, wherein the policy negotiation section checks for presence of a digital signature and, when determining that the policy unit has been agreed on, updates the resource-sharing policy in question with the agreed policy unit.
  - 15. The server according to claim 10, wherein the shared resource is a virtual shared resource, wherein the system further comprises a virtual resource generation section for generating the virtual shared resource and registering information of generated virtual shared resource in the server.

16. An access right management program which runs on an access right management server provided in each domain, for creating a resource-sharing policy and performing resource-sharing policy negotiation between a plurality of domain administrators, wherein the program instructs the access right management server to performs:
- a function of, for each policy unit of the resource-sharing policy, identifying an access right management server which is a negotiating partner about each policy unit;
  
  generating negotiation information including an identification name of the identified access right management server and the policy unit to be negotiated; and
  
  transmitting the negotiation information to the identified access right management server; and
  
  a function of setting the resource-sharing policy on shared resource when having received an instruction to agree on every policy unit from the identified access right management server to which the negotiation information was sent.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The access right management program according to claim 16, wherein the program instructs the access right management server to performs:
    - a policy editing function of creating and editing the resource-sharing policy;
      
      a group management function of storing domain information including identification names of users, domain administrators and the server involved in resource sharing and relations with domains;
      
      a shared resource management function of storing an identification name of shared resource and the domain which are associated with each other;
      
      a negotiation information generation function of extracting from the resource-sharing policy the policy unit to be negotiated with the domain which is a negotiating partner and generating the negotiation information by referring to the group management function and the shared resource management function;
      
      a policy negotiating function of performing negotiation to obtain an agreement with the identified access right management server on the policy unit of the resource-sharing policy; and
      
      a policy enforcement function of setting only an agreed resource-sharing policy on shared resource.
  - 18. The access right management program according to claim 16, wherein when the policy editing function creates a new resource-sharing policy or alters a resource-sharing policy, the negotiation information generation function divides the resource-sharing policy into policy units and, for each policy unit, inquires of the group management function which domain the identification name of a user belongs to, or inquires of the shared resource management function which domain the identification name of a shared resource belongs to, thereby identifying a negotiating partner about the policy unit, and generates negotiation information including a list of identification names of involved access right management servers and at least one policy unit to be negotiated.
  - 19. The access right management program according to claim 18, wherein the policy negotiation function sends the negotiation information generated by the negotiation information generation function to the access right management server included in the negotiation information and when an instruction to agree on the policy unit included in the negotiation information is obtained from the access right management server to which the negotiation information has been sent, a digital signature of a domain administrator of that access right management server is affixed to the policy unit.
  - 20. The access right management program according to claim 19, wherein the policy negotiation function checks for presence of a digital signature and, when determining that the policy unit has been agreed on, updates the resource-sharing policy in question with the agreed policy unit.
  - 21. The access right management program according to claim 16, wherein the shared resource is a virtual shared resource, wherein the program further comprises a virtual resource generation function of generating the virtual shared resource and registering information of generated virtual shared resource in the access right management server.

22. A method for creating a resource-sharing policy and performing resource-sharing policy negotiation between a plurality of domain administrators in an access right management server provided in each domain, comprising:
- for each policy unit of the resource-sharing policy, identifying an access right management server which is a negotiating partner about each policy unit;
  
  generating negotiation information including an identification name of the identified access right management server and the policy unit to be negotiated; and
  
  transmitting the negotiation information to the identified access right management server; and
  
  setting the resource-sharing policy on shared resource when having received an instruction to agree on every policy unit from the identified access right management server to which the negotiation information was sent.
- View Dependent Claims (23, 24, 25)
- - 23. The method according to claim 22, comprising:
    - creating and editing the resource-sharing policy;
      
      storing domain information including identification names of users, domain administrators and the server involved in resource sharing and relations with domains;
      
      storing an identification name of shared resource and the domain which are associated with each other;
      
      extracting from the resource-sharing policy the policy unit to be negotiated with the domain which is a negotiating partner and generating the negotiation information by referring to the domain information, the identification name of the shared resource and the domain;
      
      performing negotiation to obtain an agreement with the identified access right management server on the policy unit of the resource-sharing policy; and
      
      setting only an agreed resource-sharing policy on shared resource.
  - 24. The method according to claim 22, wherein when creating a new resource-sharing policy or altering a resource-sharing policy,dividing the resource-sharing policy into policy units and, for each policy unit,inquiring about which domain the identification name of a user belongs to, or inquiring about which domain the identification name of a shared resource belongs to, thereby identifying a negotiating partner about the policy unit, andgenerating negotiation information including a list of identification names of involved access right management servers and at least one policy unit to be negotiated.
  - 25. The method according to claim 22, wherein the shared resource is a virtual shared resource, wherein the method further comprises generating the virtual shared resource and registering information of generated virtual shared resource in the access right management server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Corporation
Inventors
Nakae, Masayuki

Granted Patent

US 8,296,821 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/123 received data contents, e.g...

H04L 63/20 for managing network securi...

System, server, and program for access right management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System, server, and program for access right management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links