Access control system, access control method, storage medium and program transmission apparatus
First Claim
1. An access control system comprising:
- a resource document in which a policy description is stored that is associated with data stored in a data file;
policy evaluation means for receiving an external request for accessing said data file, for extracting, from said resource document, said policy description that is associated with target data for said access request, said policy description including an existing condition, and for evaluating said policy description to determine whether or not said access request is to be permitted using the existing condition;
wherein said policy evaluation means generates an external condition when the existing condition is such that said policy description can not be evaluated using information available to the policy evaluation means, the external condition being generated to facilitate an access determination responsive to receipt of the external request;
enforcement function verification means for, when an existing condition is such that said policy description can not be evaluated using only the information included in said policy evaluation means, automatically determining whether said external condition can be evaluated or can be established; and
enforcement means for evaluating or establishing said external condition when in accordance with said enforcement function verification means, the external condition is capable of being evaluated or established.
1 Assignment
0 Petitions
Accused Products
Abstract
It is one object of the present invention to use an access control process to evaluate under a specific condition an access permission request. An access control system 100 comprises a resource document 40 in which a policy description is stored; a policy evaluation module 10 for receiving an external request 110 for accessing the data file, for extracting, from the resource document 40, the policy description that is associated with target data for the access request 110, and for evaluating the policy description to determine whether or not the access request 110 is to be permitted; an enforcement function verification module 20 for, when an existing condition can not be evaluated using only the information included in the policy evaluation module 10, determining whether the condition can be evaluated or can be established; and an enforcement module 30 for evaluating or establishing the condition that, in accordance with the enforcement function verification module 20, can be evaluated or established.
327 Citations
19 Claims
-
1. An access control system comprising:
-
a resource document in which a policy description is stored that is associated with data stored in a data file;
policy evaluation means for receiving an external request for accessing said data file, for extracting, from said resource document, said policy description that is associated with target data for said access request, said policy description including an existing condition, and for evaluating said policy description to determine whether or not said access request is to be permitted using the existing condition;
wherein said policy evaluation means generates an external condition when the existing condition is such that said policy description can not be evaluated using information available to the policy evaluation means, the external condition being generated to facilitate an access determination responsive to receipt of the external request;
enforcement function verification means for, when an existing condition is such that said policy description can not be evaluated using only the information included in said policy evaluation means, automatically determining whether said external condition can be evaluated or can be established; and
enforcement means for evaluating or establishing said external condition when in accordance with said enforcement function verification means, the external condition is capable of being evaluated or established. - View Dependent Claims (2, 3, 4)
writing/alteration target detection means for detecting a data portion in said data file that is a target for writing or alteration, and for issuing an access request to said policy evaluation means; and
writing/alteration execution means for, when in response to said access request access permission is received from said policy evaluation means, writing or altering said data portion, wherein said writing/alteration execution means prepares a desired function by using a plug-in.
-
-
5. An access control method, for receiving an external request for accessing a predetermined data file and for evaluating a policy description including an existing condition, said policy description associated with the data that are to be accessed to determine whether or not said access request is to be permitted using the existing condition, comprising:
-
receiving an access request and obtaining a policy description that is associated with said data that are to be accessed;
evaluating the existing a condition in said obtained policy description;
generating an external condition when the existing condition cannot be evaluated using information used during said attempting to evaluate, the external condition being generated to facilitate an access determination responsive to receipt of the external request;
automatically determining, when the existing a condition that can not be currently evaluated is present in said policy description, whether a process that satisfies said external condition is capable of being enforced;
performing said process that satisfies said external condition when it is ascertained that said process is capable of being enforced; and
employing, after said process that satisfies said external condition has been performed, the evaluation results for all the conditions in said policy description to determine whether or not said access that is requested is to be permitted. - View Dependent Claims (6, 7, 8, 9)
comparing a parameter of said access request with a rule in said policy description, and detecting a matching rule;
evaluating condition portions in said rule that is detected; and
when said condition portions of said rule can not be currently evaluated, collecting said condition portions and moving to a step at which whether a process for satisfying said condition portions is capable of being performed is determined.
-
-
7. The access control method according to claim 6, further comprising:
employing, when a plurality of rules that match said parameter of said access request are detected before the performance of said evaluating said condition portions of said rule in said policy description, a predetermined rule to determine a priority order for evaluating said rule.
-
8. The access control method according to claim 6, wherein said automatically determining whether said process that satisfies said external condition is capable of being performed includes:
-
receiving the set of said external conditions that have been generated at said evaluating said condition in said policy description, for said rule that can not be evaluated based only on information in said policy description, and extracting said external conditions separately;
determining whether a function has been prepared for performing a process that satisfies each of said external conditions; and
calling said function for performing said process that satisfies said external condition when it is ascertained that said function has been prepared.
-
-
9. The access control method according to claim 8, wherein said performing said process that satisfies said external condition in said policy description includes:
-
employing said function that is called at said determining whether said process that satisfies said external condition in said policy description can be enforced, and detecting, based on said external condition, a data portion in a predetermined data file for writing or for alteration;
issuing a request for an access required for said writing or said alteration; and
writing data to said data portion or changing said data portion upon the receipt of access permission in response to said request for said access that is required in order to perform said writing or said alteration.
-
-
10. A storage medium on which a program is stored that can be read by input means of a computer, said program permitting said computer to perform:
-
a process for receiving an access request to externally access a predetermined data file, and for obtaining a policy description that is associated with said data that are to be accessed, said policy description including an existing condition;
a process for evaluating the existing condition in said obtained policy description to determine whether or not said access request is to be permitted using the existing condition;
a process for generating an external condition when the existing condition cannot be evaluated using only information available to the process for evaluating, the external condition being generated to facilitate an access determination responsive to receipt of the access request;
a process for automatically determining, when the existing condition that can not be currently evaluated is present in said policy description, whether a process that satisfies said external condition is capable of being enforced;
a process for performing said process that satisfies said external condition when it is ascertained that said process that satisfies said external condition is capable of being enforced; and
a process for employing, after said process that satisfies said external condition has been performed, the evaluation results for all the conditions in said policy description to determine whether or not said access that is requested is to be permitted. - View Dependent Claims (11)
a process for employing said function that is called at said determining whether said process that satisfies said external condition can be enforced, and for detecting, based on said external condition, a data portion in a predetermined data file for writing or for alteration;
a process for issuing a request for an access required for said writing or said alteration; and
a process for writing data to said data portion or changing said data portion upon the receipt of access permission in response to said request for said access that is required in order to perform said writing or said alteration.
-
-
12. A program transmission apparatus comprising:
-
storage means for storing a program that permits a computer to perform;
a process for receiving an access request to externally access a predetermined data file, and for obtaining a policy description including an existing condition, said policy description associated with said data that are to be accessed using the existing condition;
a process for evaluating the existing a condition in said obtained policy description;
a process for generating an external condition when the existing condition cannot be evaluated using only information available to the process for evaluating, the external condition being generated to facilitate an access determination responsive to receipt of the access request;
a process for automatically determining, when the existing condition that can not be currently evaluated is present in said policy description, whether a process that satisfies said external condition is capable of being enforced;
a process for performing said process that satisfies said external condition when it is ascertained that said process that satisfies said external condition is capable of being enforced;
a process for employing, after said process that satisfies said external condition has been performed, the evaluation results for all the conditions in said policy description to determine whether or not said access that is requested is to be permitted; and
transmission means for reading said program from said storage means and transmitting said program. - View Dependent Claims (13)
a process for employing said function that is called at said determining whether said process that satisfies said external condition can be enforced, and for detecting, based on said external condition, a data portion in a predetermined data file for writing or for alteration;
a process for issuing a request for an access required for said writing or said alteration; and
a process for writing data to said data portion or changing said data portion upon the receipt of access permission in response to said request for said access that is required in order to perform said writing or said alteration.
-
-
14. An access control system comprising:
-
means for storing a policy description including a condition whereby reading of information written by a single source is permitted when format conversion is possible;
means for, upon the receipt of a predetermined access request that matches said policy description, determining whether a function to establish said condition for said format conversion is included, and for, when it is ascertained that said function is included, calling and executing said function to establish said condition; and
means for, when said function to establish said condition is executed, permitting an access in response to said access request.
-
-
15. An access control system comprising:
-
means for storing a policy description including a condition whereby reading of information is permitted when an electronic watermark is to be embedded in a document to be accessed;
means for, upon the receipt of a predetermined access request that matches said policy description, determining whether a function for embedding an electronic watermark to establish said condition is included, and for, when it is ascertained that said function is included, calling and executing said function to establish said condition; and
means for, when said function to establish said condition is executed, permitting an access in response to said access request.
-
-
16. An access control system comprising:
-
means for storing a policy description including a condition whereby accessing of a target document is permitted when an access history is to be written to said target document;
means for, upon the receipt of a predetermined access request that matches said policy description, determining whether a function for writing said access history to said target document to establish said condition is included, and for, when it is ascertained that said function is included, calling and executing said function to establish said condition; and
means for, when said function to establish said condition is executed, permitting an access in response to said access request. - View Dependent Claims (17)
-
-
18. An access control system comprising:
-
means for storing a policy description including a condition whereby accessing of a target document is permitted when a time stamp of an access is to be written as an access history to said target document;
means for, upon the receipt of a predetermined access request that matches said policy description, determining whether a function for writing said time stamp as said access history to said target document to establish said condition is included, and for, when it is ascertained that said function is included, calling and executing said function to establish said condition; and
means for, when said function to establish said condition is executed, permitting an access in response to said access request.
-
-
19. An access control system comprising:
-
a resource document in which a policy description is stored that is associated with data stored in a data file;
policy evaluation means for receiving an external request for accessing said data file, for extracting, from said resource document, said policy description that is associated with target data for said access request, said policy description including an existing condition, and for evaluating said policy description to determine whether or not said access request is to be permitted;
using the existing condition, andwherein said policy evaluation means generates an external condition when the existing condition cannot be evaluated using only information available to the policy evaluation means, the external condition being generated to facilitate an access determination responsive to receipt of the external request; and
enforcement function verification means for performing another process to automatically determine whether said external condition can be evaluated or can be established.
-
Specification