ACCESS CONTROL DECISION SYSTEM, ACCESS CONTROL ENFORCING SYSTEM, AND SECURITY POLICY

US 20090083831A1
Filed: 11/21/2008
Published: 03/26/2009
Est. Priority Date: 06/23/2003
Status: Active Grant

First Claim

Patent Images

1. An access control enforcing system, comprising an access control enforcing part enforcing an access control for subject information based on access control information indicating a control concerning an access to the subject information in accordance with a security policy,wherein said access control enforcing part further includes a requirement capability determining part determining whether or not a requirement to execute the access can be executed, the requirement indicated by the access control information, andwherein the access control is enforced for the subject information based on a determination result by the requirement capability determining part so as to satisfy the requirement.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an access control decision system, first information indicated by an access decision request is converted into second information being higher abstract when the access decision request is received. Next, the access control for the subject information is determined by referring a security policy being abstractly regulated based on the second information and a decision result showing the access control for the subject information is sent to a request originator that sent the access decision request.

57 Citations

View as Search Results

32 Claims

1. An access control enforcing system, comprising an access control enforcing part enforcing an access control for subject information based on access control information indicating a control concerning an access to the subject information in accordance with a security policy,wherein said access control enforcing part further includes a requirement capability determining part determining whether or not a requirement to execute the access can be executed, the requirement indicated by the access control information, andwherein the access control is enforced for the subject information based on a determination result by the requirement capability determining part so as to satisfy the requirement.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The access control enforcing system as claimed in claim 1, wherein said access control enforcing part further includes an access prohibiting part prohibiting the access to the subject information when the decision result by the requirement capability determining part shows that the access cannot be executed so as to satisfy the requirement.
  - 3. The access control enforcing system as claimed in claim 2, wherein said access control enforcing part enforces an alternative requirement indicated in the access control information when the determination result by the requirement capability determining part shows that the access cannot be executed so as to satisfy the requirement.
  - 4. The access control enforcing system as claimed in claim 3, wherein said access control enforcing part further includes an alternative requirement capability determining part determining the alternative requirement indicated in the access control information can be executed when the decision result by said requirement capability determining part shows that the access cannot be executed so as to satisfy the requirement.
  - 5. The access control enforcing system as claimed in claim 3, wherein said access control enforcing part enforces the access control to the subject information so as to satisfy the requirement by using supplement information indicated in the access control information when the decision result by said requirement capability determining part shows that the access can be executed so as to satisfy the requirement.
  - 6. The access control enforcing system as claimed in claim 1, wherein at least one of a log record, an encryption and store, a protection of integrity of an original, a strict user authentication, a version management, a perfect deletion, and an alarm display is executable as the requirement.
  - 7. The access control enforcing system as claimed in claim 1, wherein at least one of a log record, a label print, an operator print, an image log record, an alarm display, an alarm print, a destination restriction, a confidential transmission, a watermark print, and a digital watermark is executable as the requirement.
  - 8. The access control enforcing system as claimed in claim 1, wherein a log record, a strict user authentication, an alarm display, a private print, an image log record, an identification information print, a label print, a watermark print, a copy suppression pattern print, an identification background pattern, and an alarm print is executable as the requirement.
  - 9. The access control enforcing system as claimed in claim 1, further comprising:
    - an access decision requesting part requesting an access control decision to an access control decision system determining the access control in accordance with the security policy being abstractly regulated in response to an access request to the subject information; and
      
      an access control receiving part receiving access control information sent from the access control decision system corresponding to the access control decision requests,wherein said access control enforcing part enforces the access control to the subject information based on the access control information received by said access control receiving part.

10. An access control enforcing method, comprising the steps of:
- determining that a requirement indicated in access control information, the requirement to execute an access, when the access control is enforced to the subject information based on the access control information indicating a control concerning the access to the subject information in accordance to a security policy; and
  
  enforcing the access control to the subject information so as to satisfy the requirement based on a determination result.

11. A system, comprising a rule description showing a rule regulating whether or not an operation is allowed based on a first security attribute of subject information directed to the operation and a second security attribute of a user requesting the operation for the subject information, wherein the rule description regulates to allow the operation when a requirement is satisfied.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 12. The system as claimed in claim 11, wherein said rule description regulates supplement information to be used when the requirement is executed.
  - 13. The system as claimed in claim 11, wherein the rule description regulates the supplement information being dynamically generated.
  - 14. The system as claimed in claim 11, wherein the supplement information is a character string or image data based on the rule being dynamically generated.
  - 15. The system as claimed in claim 11, wherein said rule description regulates based on a user category shown by the second security attribute of the user whether or not the operation is allowed,wherein information showing whether or not the user is a related person is indicated in said user category based on a management table being different from the rule description and showing a user being the related person to the subject information.
  - 16. The system as claimed in claim 11, wherein said rule description regulates based on an access allowed zone indicated by the second security attribute of the user whether or not the operation is allowed,wherein information showing whether or not the user is a related person is indicated in said access allowed zone based on a management table being different from the rule description and showing a user being the related person to the subject information.
  - 17. The system as claimed in claim 11, wherein said rule description regulates whether or not the operation is allowed when the first security attribute of the subject information is unknown.
  - 18. The system as claimed in claim 11, wherein said rule description regulates an alternative requirement when the requirement is not satisfied.
  - 19. The system as claimed in claim 11, wherein said rule description regulates an access control rule for each first security attribute of the subject information.
  - 20. The system as claimed in claim 19, wherein said rule description regulates an access control list for each second security attribute of the user in the access control rule.
  - 21. The system as claimed in claim 20, wherein said rule description regulates in the access control list whether or not each of a plurality of different image forming processes as the operation is allowed.
  - 22. The system as claimed in claim 21, wherein said rule description regulates a plurality of requirements for each operation.
  - 23. The system as claimed in claim 22, wherein said rule description regulates a plurality of the supplement information for each requirement.
  - 24. The system as claimed in claim 22, wherein said rule description regulates a plurality of the alternative requirements for each requirement.
  - 25. The system as claimed in claim 22, wherein said rule description regulates to allow or not operations to refer to a server document, refer to a property of the server document, obtain an original of the server document, revise the server document, and delete the server document, operations to refer to a portable document, print out the portable document, transmit the portable document by fax, and operations to copy a paper document, transmit the paper document by fax and scan the paper document.
  - 26. The system as claimed in claim 22, wherein said rule description regulates at least one of a log record, an encryption, a tamper-detection, a version management, a perfect deletion, a private print, an image log record, an identification information embedding, a label print, a watermark, a copy suppression pattern, an identification background patter, an alarm display, an alarm print, a confidential print, and an operator print.

27. (canceled)

28. A security control system, comprising:
- showing a rule regulating whether or not an operation is allowed, based on a first security attribute of subject information directed to the operation and a second security attribute of a user requesting the operation for the subject information; and
  
  controlling the operation for the subject information in accordance with a security policy regulating that the operation is allowed when a requirement is satisfied.

29. A security policy regulating method, comprising a rule description showing a rule regulating whether or not an operation is allowed based on a first security attribute of subject information directed to the operation and a second security attribute of a user requesting the operation for the subject information, wherein the rule description regulates to allow the operation when a requirement is satisfied.

30. A security policy, comprising a rule description being managed by a system and showing a rule regulating a requirement required to satisfy to allow an operation, said operation incapable of being controlled to allow or prohibit with respect to a subject information when the subject information is output outside the system by allowing the operation to the subject information, wherein said rule description regulates that the operation is allowed when the requirement is satisfied, said requirement capable of repeatedly conducting the control with respect to the subject information being output outside the system.

31. A computer-readable recording medium recorded with a security policy, said security policy comprising a rule description being managed by a system and showing a rule regulating a requirement required to satisfy to allow an operation, said operation incapable of being controlled to allow or prohibit with respect to a subject information when the subject information is output outside the system by allowing the operation to the subject information, wherein said rule description regulates that the operation is allowed when the requirement is satisfied, said requirement capable of repeatedly conducting the control with respect to the subject information being output outside the system.

32. A system for controlling an operation, comprising:
- managing subject information directed to the operation; and
  
  a rule description being managed by a system and showing a rule regulating a requirement required to satisfy to allow an operation, said operation incapable of being controlled to allow or prohibit with respect to a subject information when the subject information is output outside the system by allowing the operation to the subject information,wherein said rule description regulates that the operation is allowed when the requirement is satisfied, said requirement capable of repeatedly conducting the control with respect to the subject information being output outside the system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Yoichi Kanai
Original Assignee
Yoichi Kanai
Inventors
KANAI, YOICHI

Granted Patent

US 8,302,205 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/608   Secure printing

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

H04N 1/4413   involving the use of passwo...

H04N 1/4426   involving separate means, e...

H04N 1/444   to a particular document or...

H04N 1/4486   using digital data encryption

H04N 2201/0091   Digital copier; digital 'ph...

ACCESS CONTROL DECISION SYSTEM, ACCESS CONTROL ENFORCING SYSTEM, AND SECURITY POLICY

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

ACCESS CONTROL DECISION SYSTEM, ACCESS CONTROL ENFORCING SYSTEM, AND SECURITY POLICY

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links