FILE-ACCESS CONTROL APPARATUS AND PROGRAM

US 20100043070A1
Filed: 09/02/2009
Published: 02/18/2010
Est. Priority Date: 10/29/2007
Status: Active Grant

First Claim

Patent Images

1. A file-access control apparatus designed to control accesses to a document file and comprising a storage device capable of storing document contents, each including an inhibition-type policy and an obligation-type policy, an evaluation control module, a document application unit and an external service unit,wherein the policy evaluation control module comprises:

an executability data acquisition means for acquiring executability data items from the document application unit and the external service unit, respectively, and for holding the executability data items;

an authentication-result acquisition means for acquiring result of authentication of a user and user attribute data, on the basis of a prescribed evaluation data list, on receiving, from the document application unit, event data representing an action made by the user and a document file stored in the storage device;

means for sending evaluation data composed of the executability data, result of authentication and user attribute data, the event data, the inhibition-type policy, and the obligation-type policy on the basis of a prescribed evaluation data list, on receiving the executability data from the executability data acquisition means;

means for comparing the authentication result, user attribute data and event data, all included in the evaluation data sent, respectively with the authentication result, user attribute data and event data, all prescribed in the inhibition-type policy, and for sending evaluation result showing the permission or inhibition prescribed in the inhibition-type policy, when the items included in the evaluation data are identical to the items included in the inhibition-type policy;

obligation-type policy evaluation means for comparing the executability data, event data and evaluation result, all included in the valuation data, with the executability data, event data and evaluation result, all included in the obligation-type policy, and for sending control data including an obligation fulfillment subject and an obligation fulfillment action prescribed in the obligation-type policy, when the items included in the evaluation data are identical to the items included in the obligation-type policy;

control management means for sending the control data on receiving the control data, on the basis of the obligation fulfillment subject included in the control data; and

document-application control means for controlling the document application unit, on the basis of the obligation fulfillment action included in the control data sent from the control management means.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a file-access control system according to an embodiment of this invention, control data in accordance with actions made is imparted, as an obligation-type policy, to a document file. Next, a policy evaluation control unit evaluates and executes the obligation-type policy imparted to the document file in accordance with the action to the document file. The execution of the obligation-type policy includes the controlling of a document application on the basis of an obligation fulfillment action. Therefore, an active control can be performed in accordance with any manipulation made to the document, and the access to the document can be changed.

Citations

9 Claims

1. A file-access control apparatus designed to control accesses to a document file and comprising a storage device capable of storing document contents, each including an inhibition-type policy and an obligation-type policy, an evaluation control module, a document application unit and an external service unit,wherein the policy evaluation control module comprises:
- an executability data acquisition means for acquiring executability data items from the document application unit and the external service unit, respectively, and for holding the executability data items;
  
  an authentication-result acquisition means for acquiring result of authentication of a user and user attribute data, on the basis of a prescribed evaluation data list, on receiving, from the document application unit, event data representing an action made by the user and a document file stored in the storage device;
  
  means for sending evaluation data composed of the executability data, result of authentication and user attribute data, the event data, the inhibition-type policy, and the obligation-type policy on the basis of a prescribed evaluation data list, on receiving the executability data from the executability data acquisition means;
  
  means for comparing the authentication result, user attribute data and event data, all included in the evaluation data sent, respectively with the authentication result, user attribute data and event data, all prescribed in the inhibition-type policy, and for sending evaluation result showing the permission or inhibition prescribed in the inhibition-type policy, when the items included in the evaluation data are identical to the items included in the inhibition-type policy;
  
  obligation-type policy evaluation means for comparing the executability data, event data and evaluation result, all included in the valuation data, with the executability data, event data and evaluation result, all included in the obligation-type policy, and for sending control data including an obligation fulfillment subject and an obligation fulfillment action prescribed in the obligation-type policy, when the items included in the evaluation data are identical to the items included in the obligation-type policy;
  
  control management means for sending the control data on receiving the control data, on the basis of the obligation fulfillment subject included in the control data; and
  
  document-application control means for controlling the document application unit, on the basis of the obligation fulfillment action included in the control data sent from the control management means.
- View Dependent Claims (2, 3, 4)
- - 2. The file-access control apparatus according to claim 1, wherein the policy evaluation control module further comprises policy changing means for changing the inhibition-type policy or the obligation-type policy, either stored in the storage device, on the basis of the obligation fulfillment action included in the control data sent from the control management means.
  - 3. The file-access control apparatus according to claim 2, wherein the policy evaluation control module further comprises external service control means for controlling the external service unit on the basis of the obligation fulfillment action included in the control data sent from the control management means.
  - 4. The file-access control apparatus according to claim 1, wherein the policy evaluation control module further comprises external service control means for controlling the external service unit on the basis of the obligation fulfillment action included in the control data sent from the control management means.

5. A file-access control apparatus designed to control accesses to a document file and comprising a storage device capable of storing document contents, each including an inhibition-type policy and an obligation-type policy, an evaluation control module, a document application unit and an external service unit, wherein the policy evaluation control module comprises:
- an executability data acquisition device configured to acquire executability data items from the document application unit and the external service unit, respectively, and to hold the executability data items;
  
  an authentication-result acquisition device configured to acquire result of authentication of a user and user attribute data, on the basis of a prescribed evaluation data list, on receiving, from the document application unit, event data representing an action made by the user and a document file stored in the storage device;
  
  device configured to send evaluation data composed of the executability data, result of authentication and user attribute data, the event data, the inhibition-type policy, and the obligation-type policy on the basis of a prescribed evaluation data list, on receiving the executability data from the executability data acquisition device;
  
  device configured to compare the authentication result, user attribute data and event data, all included in the evaluation data sent, respectively with the authentication result, user attribute data and event data, all prescribed in the inhibition-type policy, and to send evaluation result showing the permission or inhibition prescribed in the inhibition-type policy, when the items included in the evaluation data are identical to the items included in the inhibition-type policy;
  
  obligation-type policy evaluation device configured to compare the executability data, event data and evaluation result, all included in the valuation data, with the executability data, event data and evaluation result, all included in the obligation-type policy, and to send control data including an obligation fulfillment subject and an obligation fulfillment action prescribed in the obligation-type policy, when the items included in the evaluation data are identical to the items included in the obligation-type policy;
  
  control management device configured to send the control data on receiving the control data, on the basis of the obligation fulfillment subject included in the control data; and
  
  document-application control device configured to control the document application unit, on the basis of the obligation fulfillment action included in the control data sent from the control management device.
- View Dependent Claims (6, 7, 8)
- - 6. The file-access control apparatus according to claim 5, wherein the policy evaluation control module further comprises policy changing device configured to change the inhibition-type policy or the obligation-type policy, either stored in the storage device, on the basis of the obligation fulfillment action included in the control data sent from the control management device.
  - 7. The file-access control apparatus according to claim 6, wherein the policy evaluation control module further comprises external service control device configured to control the external service unit on the basis of the obligation fulfillment action included in the control data sent from the control management device.
  - 8. The file-access control apparatus according to claim 5, wherein the policy evaluation control module further comprises external service control device configured to control the external service unit on the basis of the obligation fulfillment action included in the control data sent from the control management device.

9. A program stored in a computer-readable storage medium and designed for use in a computer which comprises a storage device for storing a document file including a document content, an inhibition-type policy and an obligation-type policy and an external service unit and which is configured to control access to the document file, the program having:
- a first program code for causing the computer to perform a process of acquiring executability data items from the document application unit and the external service unit, respectively, and holding the executability data items;
  
  a second program code for causing the computer to perform a process of acquiring result of authentication of a user and user attribute data, on the basis of a prescribed evaluation data list, on receiving, from the document application unit, event data representing an action made by the user and a prescribed document file;
  
  a third program code for causing the computer to perform a process of sending evaluation data composed of the executability data, result of authentication and user attribute data, the event data, the inhibition-type policy, and the obligation-type policy on the basis of a prescribed evaluation data list, on receiving the executability data from the executability data acquisition means;
  
  a fourth program code for causing the computer to perform a process of comparing the authentication result, user attribute data and event data, all included in the evaluation data sent, respectively with the authentication result, user attribute data and event data, all prescribed in the inhibition-type policy, and sending evaluation result showing the permission or inhibition prescribed in the inhibition-type policy, when the items included in the evaluation data are identical to the items included in the inhibition-type policy;
  
  a fifth program code for causing the computer to perform a process of comparing the executability data, event data and evaluation result, all included in the valuation data, with the executability data, event data and evaluation result, all included in the obligation-type policy, and sending control data including an obligation fulfillment subject and an obligation fulfillment action prescribed in the obligation-type policy, when the items included in the evaluation data are identical to the items included in the obligation-type policy;
  
  a sixth program code for causing the computer to perform a process of sending the control data on receiving the control data, on the basis of the obligation fulfillment subject included in the control data; and
  
  a seventh program code for causing the computer to perform a process of controlling the document application unit, on the basis of the obligation fulfillment action included in the control data sent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Toshiba Solutions Corporation (Toshiba Corporation)
Original Assignee
Kabushiki Kaisha Toshiba (Toshiba Corporation), Toshiba Solutions Corporation (Toshiba Corporation)
Inventors
OKADA, Koji, Okamoto, Toshio, Nakamizo, Takanori, Yamada, Masataka, Nishizawa, Minoru, Ikeda, Tatsuro

Granted Patent

US 8,863,305 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/21
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6209   to a single file or object,...

H04L 2463/101   applying security measures ...

FILE-ACCESS CONTROL APPARATUS AND PROGRAM

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

FILE-ACCESS CONTROL APPARATUS AND PROGRAM

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links