Access control system, access control method, storage medium and program transmission apparatus

US 6,647,388 B2
Filed: 12/15/2000
Issued: 11/11/2003
Est. Priority Date: 12/16/1999
Status: Active Grant

First Claim

Patent Images

1. An access control system comprising:

a resource document in which a policy description is stored that is associated with data stored in a data file;

policy evaluation means for receiving an external request for accessing said data file, for extracting, from said resource document, said policy description that is associated with target data for said access request, said policy description including an existing condition, and for evaluating said policy description to determine whether or not said access request is to be permitted using the existing condition;

wherein said policy evaluation means generates an external condition when the existing condition is such that said policy description can not be evaluated using information available to the policy evaluation means, the external condition being generated to facilitate an access determination responsive to receipt of the external request;

enforcement function verification means for, when an existing condition is such that said policy description can not be evaluated using only the information included in said policy evaluation means, automatically determining whether said external condition can be evaluated or can be established; and

enforcement means for evaluating or establishing said external condition when in accordance with said enforcement function verification means, the external condition is capable of being evaluated or established.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

It is one object of the present invention to use an access control process to evaluate under a specific condition an access permission request. An access control system 100 comprises a resource document 40 in which a policy description is stored; a policy evaluation module 10 for receiving an external request 110 for accessing the data file, for extracting, from the resource document 40, the policy description that is associated with target data for the access request 110, and for evaluating the policy description to determine whether or not the access request 110 is to be permitted; an enforcement function verification module 20 for, when an existing condition can not be evaluated using only the information included in the policy evaluation module 10, determining whether the condition can be evaluated or can be established; and an enforcement module 30 for evaluating or establishing the condition that, in accordance with the enforcement function verification module 20, can be evaluated or established.

327 Citations

19 Claims

1. An access control system comprising:
- a resource document in which a policy description is stored that is associated with data stored in a data file;
  
  policy evaluation means for receiving an external request for accessing said data file, for extracting, from said resource document, said policy description that is associated with target data for said access request, said policy description including an existing condition, and for evaluating said policy description to determine whether or not said access request is to be permitted using the existing condition;
  
  wherein said policy evaluation means generates an external condition when the existing condition is such that said policy description can not be evaluated using information available to the policy evaluation means, the external condition being generated to facilitate an access determination responsive to receipt of the external request;
  
  enforcement function verification means for, when an existing condition is such that said policy description can not be evaluated using only the information included in said policy evaluation means, automatically determining whether said external condition can be evaluated or can be established; and
  
  enforcement means for evaluating or establishing said external condition when in accordance with said enforcement function verification means, the external condition is capable of being evaluated or established.
- View Dependent Claims (2, 3, 4)
- - 2. The access control system according to claim 1, wherein a plurality of said enforcement means are provided in accordance with the evaluation or the establishment of said existing condition, which can not be evaluated using only said information included in said policy evaluation means;
    - and wherein, when said plurality of enforcement means are provided, said enforcement function verification means further determines whether the external condition that one of said enforcement means has received from said policy evaluation means can be evaluated or established.
  - 3. The access control system according to claim 1, wherein, when access of a different data portion is required in order to evaluate or establish the external condition that is determined by said enforcement function verification means can be evaluated or established, said enforcement means issues, to said policy evaluation means, a request to access said different data portion and upon the receipt of the access request from said enforcement means, as well as upon the receipt of an external access request, said policy evaluation means evaluates a policy description that is associated with data to be accessed.
  - 4. The access control system according to claim 3, wherein said enforcement means includes:

5. An access control method, for receiving an external request for accessing a predetermined data file and for evaluating a policy description including an existing condition, said policy description associated with the data that are to be accessed to determine whether or not said access request is to be permitted using the existing condition, comprising:
- receiving an access request and obtaining a policy description that is associated with said data that are to be accessed;
  
  evaluating the existing a condition in said obtained policy description;
  
  generating an external condition when the existing condition cannot be evaluated using information used during said attempting to evaluate, the external condition being generated to facilitate an access determination responsive to receipt of the external request;
  
  automatically determining, when the existing a condition that can not be currently evaluated is present in said policy description, whether a process that satisfies said external condition is capable of being enforced;
  
  performing said process that satisfies said external condition when it is ascertained that said process is capable of being enforced; and
  
  employing, after said process that satisfies said external condition has been performed, the evaluation results for all the conditions in said policy description to determine whether or not said access that is requested is to be permitted.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The access control method according to claim 5, wherein said evaluating said existing conditions in said policy description includes:
7. The access control method according to claim 6, further comprising:
- employing, when a plurality of rules that match said parameter of said access request are detected before the performance of said evaluating said condition portions of said rule in said policy description, a predetermined rule to determine a priority order for evaluating said rule.
8. The access control method according to claim 6, wherein said automatically determining whether said process that satisfies said external condition is capable of being performed includes:
- receiving the set of said external conditions that have been generated at said evaluating said condition in said policy description, for said rule that can not be evaluated based only on information in said policy description, and extracting said external conditions separately;
  
  determining whether a function has been prepared for performing a process that satisfies each of said external conditions; and
  
  calling said function for performing said process that satisfies said external condition when it is ascertained that said function has been prepared.
9. The access control method according to claim 8, wherein said performing said process that satisfies said external condition in said policy description includes:
- employing said function that is called at said determining whether said process that satisfies said external condition in said policy description can be enforced, and detecting, based on said external condition, a data portion in a predetermined data file for writing or for alteration;
  
  issuing a request for an access required for said writing or said alteration; and
  
  writing data to said data portion or changing said data portion upon the receipt of access permission in response to said request for said access that is required in order to perform said writing or said alteration.

10. A storage medium on which a program is stored that can be read by input means of a computer, said program permitting said computer to perform:
- a process for receiving an access request to externally access a predetermined data file, and for obtaining a policy description that is associated with said data that are to be accessed, said policy description including an existing condition;
  
  a process for evaluating the existing condition in said obtained policy description to determine whether or not said access request is to be permitted using the existing condition;
  
  a process for generating an external condition when the existing condition cannot be evaluated using only information available to the process for evaluating, the external condition being generated to facilitate an access determination responsive to receipt of the access request;
  
  a process for automatically determining, when the existing condition that can not be currently evaluated is present in said policy description, whether a process that satisfies said external condition is capable of being enforced;
  
  a process for performing said process that satisfies said external condition when it is ascertained that said process that satisfies said external condition is capable of being enforced; and
  
  a process for employing, after said process that satisfies said external condition has been performed, the evaluation results for all the conditions in said policy description to determine whether or not said access that is requested is to be permitted.
- View Dependent Claims (11)
- - 11. The storage medium according to claim 10, wherein, in order to perform said process that satisfies said external condition, said program permits said computer to perform:

12. A program transmission apparatus comprising:
- storage means for storing a program that permits a computer to perform;
  
  a process for receiving an access request to externally access a predetermined data file, and for obtaining a policy description including an existing condition, said policy description associated with said data that are to be accessed using the existing condition;
  
  a process for evaluating the existing a condition in said obtained policy description;
  
  a process for generating an external condition when the existing condition cannot be evaluated using only information available to the process for evaluating, the external condition being generated to facilitate an access determination responsive to receipt of the access request;
  
  a process for automatically determining, when the existing condition that can not be currently evaluated is present in said policy description, whether a process that satisfies said external condition is capable of being enforced;
  
  a process for performing said process that satisfies said external condition when it is ascertained that said process that satisfies said external condition is capable of being enforced;
  
  a process for employing, after said process that satisfies said external condition has been performed, the evaluation results for all the conditions in said policy description to determine whether or not said access that is requested is to be permitted; and
  
  transmission means for reading said program from said storage means and transmitting said program.
- View Dependent Claims (13)
- - 13. The program transmission apparatus according to claim 12, wherein, in order to perform said process that satisfies said external condition, said program stored in said storage means permits said computer to perform:

14. An access control system comprising:
- means for storing a policy description including a condition whereby reading of information written by a single source is permitted when format conversion is possible;
  
  means for, upon the receipt of a predetermined access request that matches said policy description, determining whether a function to establish said condition for said format conversion is included, and for, when it is ascertained that said function is included, calling and executing said function to establish said condition; and
  
  means for, when said function to establish said condition is executed, permitting an access in response to said access request.

15. An access control system comprising:
- means for storing a policy description including a condition whereby reading of information is permitted when an electronic watermark is to be embedded in a document to be accessed;
  
  means for, upon the receipt of a predetermined access request that matches said policy description, determining whether a function for embedding an electronic watermark to establish said condition is included, and for, when it is ascertained that said function is included, calling and executing said function to establish said condition; and
  
  means for, when said function to establish said condition is executed, permitting an access in response to said access request.

16. An access control system comprising:
- means for storing a policy description including a condition whereby accessing of a target document is permitted when an access history is to be written to said target document;
  
  means for, upon the receipt of a predetermined access request that matches said policy description, determining whether a function for writing said access history to said target document to establish said condition is included, and for, when it is ascertained that said function is included, calling and executing said function to establish said condition; and
  
  means for, when said function to establish said condition is executed, permitting an access in response to said access request.
- View Dependent Claims (17)
- - 17. The access control system according to claim 16, wherein said function for writing said access history to said document further comprises means for recurrently issuing requests to access a document to write said access history.

18. An access control system comprising:
- means for storing a policy description including a condition whereby accessing of a target document is permitted when a time stamp of an access is to be written as an access history to said target document;
  
  means for, upon the receipt of a predetermined access request that matches said policy description, determining whether a function for writing said time stamp as said access history to said target document to establish said condition is included, and for, when it is ascertained that said function is included, calling and executing said function to establish said condition; and
  
  means for, when said function to establish said condition is executed, permitting an access in response to said access request.

19. An access control system comprising:
- a resource document in which a policy description is stored that is associated with data stored in a data file;
  
  policy evaluation means for receiving an external request for accessing said data file, for extracting, from said resource document, said policy description that is associated with target data for said access request, said policy description including an existing condition, and for evaluating said policy description to determine whether or not said access request is to be permitted;
  
  using the existing condition, and wherein said policy evaluation means generates an external condition when the existing condition cannot be evaluated using only information available to the policy evaluation means, the external condition being generated to facilitate an access determination responsive to receipt of the external request; and
  
  enforcement function verification means for performing another process to automatically determine whether said external condition can be evaluated or can be established.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kudoh, Michiharu, Amano, Tomio, Numao, Masayuki
Primary Examiner(s)
Coby, Frantz
Assistant Examiner(s)
NGUYEN, CAM LINH T

Application Number

US09/738,484
Publication Number

US 20010023421A1
Time in Patent Office

1,061 Days
Field of Search

707/9, 707/100, 707/102, 715/513, 715/523, 713/182, 713/201
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

Y10S 707/99939   Privileged access

Y10S 707/99943   Generating database or data...

Access control system, access control method, storage medium and program transmission apparatus

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

327 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Access control system, access control method, storage medium and program transmission apparatus

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

327 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links