Access control system, access control method, and access control program
Abstract
A policy storage stores an access control policy as a set of setting information items to make resources (access destinations) shared by an ad hoc group. When a part of the access control policy is edited, a policy analyzer updates a rule generated from the edited access control policy. At this time, the rule is updated using object knowledge having a data configuration capable of expressing a user as belonging to plural user groups. An access control list setting means updates a part of an access control list, based on the updated rule. Accordingly, an access control list can be generated with respect to a user group including a user who belongs to plural organizations, and the access control list can be updated efficiently.
23 Claims
1. An access control system comprising:
a knowledge database configured to store (i) information indicative of a relationship between a group of users or devices that use at least a resource as an access destination, and user identification information or device identification information capable of identifying the user or device, (ii) information indicative of a relationship between a position as an access source of access to the resource, and access source identification information capable of identifying the position, or (iii) information indicative of a relationship between the resource and access destination identification information capable of identifying the resource; and a policy engine configured to (i) store an access control policy describing at least the group, position, and resource of the information stored in the knowledge database, (ii) generate an access control list indicating accessibility/inaccessibility to an access destination from an access source by use of the access control policy and the information stored in the knowledge database, and (iii) set the access control list in an existing access control device, wherein said knowledge database includes a knowledge storage configured to store (i) information indicative of a relationship between a group and user identification information or device identification information, as a directional graph having a path from one group to another group, user identification information, or device identification information, (ii) information indicative of a relationship between a position and access source identification information, as a directional graph having a path from one position to another position or access source identification information, and (iii) information indicative of a relationship between a resource and access destination identification information, as a directional graph having a path from one resource to another resource or access destination identification information. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
11. An access control system comprising:
a knowledge database configured to store (i) information indicative of a relationship between a group of users or devices that use at least a resource as an access destination, and user identification information or device identification information capable of identifying the user or device, (ii) information indicative of a relationship between a position as an access source of access to the resource, and access source identification information capable of identifying the position, or (iii) information indicative of a relationship between the resource and access destination identification information capable of identifying the resource; and a policy engine configured to (i) store an access control policy describing at least the group, position, and resource of the information stored in the knowledge database, (ii) generate an access control list indicating accessibility/inaccessibility to an access destination from an access source by use of the access control policy and the information stored in the knowledge database, and (iii) set the access control list in an existing access control device, wherein said policy engine includes a policy analyzer configured to generate an intermediate language as a set of rules including no description depending on a specific access control device, by replacing at least the position and resource among contents written in the access control policy, with access source identification information and access destination identification information, respectively, by use of the information stored in the knowledge database, wherein said knowledge database includes a knowledge storage configured to store (i) information indicative of a relationship between a group and user identification information or device identification information, as a directional graph having a path from one group to another group, user identification information, or device identification information, (ii) information indicative of a relationship between a position and access source identification information, as a directional graph having a path from one position to another position or access source identification information, and (iii) information indicative of a relationship between a resource and access destination identification information, as a directional graph having a path from one resource to another resource or access destination identification information; and update group notification means configured to notify the policy engine of information of a group, position, or resource concerning an updated part of the directional graph, when a directional graph stored in the knowledge storage is updated, said policy engine includes policy specification means configured to specify an access control policy including the information of a group, position, or resource notified by the update group notification means; and said policy analyzer is configured to generate a rule constituting an intermediate language, based on the access control policy specified by the policy specification means. - View Dependent Claims (12, 13, 14, 15, 16, 17)
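The mechanism of claims 1 and 11, as an added example that is not the patent's own code: three constructed directional graphs (group, position, resource) whose paths end in identifiers, a policy analyzer that rewrites a policy's group, position and resource into device-independent rules, an update-notification lookup that names the policies affected when a graph node changes, and rendering for a hypothetical first-match device. All node names, address ranges, policy entries and the "action source destination" line format are constructed for this example.

```python
from typing import Dict, List, Set, Tuple

# Constructed knowledge storage: three directed graphs. Each key is a group,
# position or resource node; its list holds sub-nodes or leaf identifiers (user
# IDs, access-source ranges, resource addresses). "bob" sits under two groups.
GROUP_GRAPH: Dict[str, List[str]] = {
    "project-x": ["dev-team", "qa-team"],
    "dev-team": ["alice", "bob"],
    "qa-team": ["bob", "carol"],
}
POSITION_GRAPH: Dict[str, List[str]] = {
    "hq": ["hq-floor1", "hq-floor2"],
    "hq-floor1": ["10.0.1.0/24"],
    "hq-floor2": ["10.0.2.0/24"],
}
RESOURCE_GRAPH: Dict[str, List[str]] = {
    "file-servers": ["fs-01", "fs-02"],
    "fs-01": ["10.100.0.11"],
    "fs-02": ["10.100.0.12"],
}
GRAPHS = {"group": GROUP_GRAPH, "position": POSITION_GRAPH, "resource": RESOURCE_GRAPH}

# A policy names a group, a position and a resource, never a raw identifier.
Policy = Dict[str, str]
POLICIES: List[Policy] = [
    {"name": "p1", "group": "project-x", "position": "hq", "resource": "file-servers", "action": "permit"},
    {"name": "p2", "group": "qa-team", "position": "hq-floor2", "resource": "fs-02", "action": "deny"},
]
# One device-independent rule: (user, access source, access destination, action).
Rule = Tuple[str, str, str, str]

def walk(graph: Dict[str, List[str]], start: str) -> Tuple[Set[str], Set[str]]:
    """Follow every path from `start`; return (all nodes reached, leaf identifiers).
    The `seen` set makes the walk terminate even if the graph accidentally has a cycle."""
    seen, leaves, stack = set(), set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        children = graph.get(node)
        if children is None:  # no outgoing edges: this is an identifier
            leaves.add(node)
        else:
            stack.extend(children)
    return seen, leaves

def generate_rules(policy: Policy) -> Set[Rule]:
    """Policy analyzer: replace group, position and resource with the identifiers
    they reach, yielding rules that do not depend on any particular device."""
    users = walk(GROUP_GRAPH, policy["group"])[1]
    sources = walk(POSITION_GRAPH, policy["position"])[1]
    dests = walk(RESOURCE_GRAPH, policy["resource"])[1]
    return {(u, s, d, policy["action"]) for u in users for s in sources for d in dests}

def affected_policies(policies: List[Policy], kind: str, updated: str) -> List[str]:
    """Update notification: when node `updated` of the `kind` graph changes, return the
    policies whose `kind` entry has a path to it; only their rules need regenerating."""
    return [p["name"] for p in policies if updated in walk(GRAPHS[kind], p[kind])[0]]

def build_acl(policies: List[Policy]) -> List[str]:
    """ACL setting: flatten rules to 'action source destination' lines for a first-match
    device. The device ACL has no user dimension, so a deny derived from one group applies
    to everyone at that source; deny lines come first so a broader permit cannot shadow them."""
    rules: Set[Rule] = set()
    for p in policies:
        rules |= generate_rules(p)
    lines = {f"{action} {src} {dst}" for (_user, src, dst, action) in rules}
    return sorted(lines, key=lambda line: (not line.startswith("deny"), line))
```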
18. An access control system comprising:
a knowledge database configured to store information indicative of (i) a relationship between a group of users or devices that use at least a resource as an access destination, and user identification information or device identification information capable of identifying the user or device, (ii) a relationship between a position as an access source of access to the resource, and access source identification information capable of identifying the position, (iii) a relationship between the resource and access destination identification information capable of identifying the resource, and (iv) a relationship between user identification information on each user or device identification information on each device and current position identification information on each user or each device; a policy engine configured to (i) store an access control policy describing at least the group, position, and resource of the information stored in the knowledge database, and describing, as a companion, a user or device overlapping or different from a user or device corresponding to a group, (ii) generate an access control list indicating accessibility/inaccessibility to an access destination from an access source by use of an effective access control policy and the information stored in the knowledge database, and (iii) set the access control list in an existing access control device; and a presence manager configured to (i) maintain information on a current position of each user or each device, and (ii) notify the knowledge database of movement information including at least user identification information on the user who has moved or device identification on the device which has moved and current position identification information capable of identifying a movement destination thereof, when a current position has changed in accordance with a movement of a user or a device, wherein said knowledge database is further configured to (v) update information indicative of a relationship between user identification information on each user or device identification information on each device and the current position identification information on each user or each device, based on the movement information notified by the presence manager, and (vi) notify the policy engine of user identification information or device identification information concerning an updated part, and said policy engine includes policy specification means configured to (i) output information on a group of users or devices and a companion, which is described in each access control policy, (ii) input thereby each user identification information or each device identification information corresponding to the group of users or devices and the companion, (iii) specify an access control policy, based on the user identification information or device identification information and based on the user identification information or device identification information notified by the knowledge database, (iv) output each user identification information or each device identification information corresponding to a group and companion written in the specified access control policy, (v) input thereby current position identification information on each user or each device corresponding to said each user identification information or each device identification information, and (vi) determine an access control policy which is made effective based on the inputted information and based on a condition described in the access control policy. - View Dependent Claims (19)
20. An access control method comprising:
a step in which a knowledge database stores information indicative of (i) a relationship between a group of users or devices that use at least a resource as an access destination, and user identification information or device identification information capable of identifying the user or device, (ii) a relationship between a position as an access source of access to the resource, and access source identification information capable of identifying the position, or (iii) a relationship between the resource and access destination identification information capable of identifying the resource; a step in which a policy engine (i) stores an access control policy describing at least the group, position, and resource of the information stored in the knowledge database, (ii) generates an access control list indicating accessibility/inaccessibility to an access destination from an access source by use of the access control policy and the information stored in the knowledge database, and (iii) sets the access control list in an existing access control device; and a step in which said knowledge database stores information indicative of (i) a relationship between a group and user identification information or device identification information, as a directional graph having a path from one group to another group, user identification information, or device identification information, (ii) a relationship between a position and access source identification information, as a directional graph having a path from one position to another position or access source identification information, and (iii) a relationship between a resource and access destination identification information, as a directional graph having a path from one resource to another resource or access destination identification information.
21. An access control method comprising:
a step in which a knowledge database stores information indicative of (i) a relationship between a group of users or devices that use at least a resource as an access destination, and user identification information or device identification information capable of identifying the user or device, (ii) a relationship between a position as an access source for accessing the resource, and access source identification information capable of identifying the position, (iii) a relationship between the resource and access destination identification information capable of identifying the resource, and (iv) a relationship between user identification information on each user or device identification information on each device and current position identification information on each user or each device; a step in which a policy engine stores an access control policy describing at least the group, position, and resource of the information stored in the knowledge database, and describing, as a companion, a user or device overlapping or different from a user or device corresponding to a group; a step in which a presence manager (i) maintains information on a current position of each user or each device, and (ii) when a current position has changed in accordance with a movement of a user or a device, notifies the knowledge database of movement information including at least user identification information on the user who has moved or device identification information on the device which has moved and current position identification information capable of identifying a movement destination thereof; a step in which said knowledge database (i) updates information indicative of a relationship between user identification information on each user or device identification information on each device and the current position identification information on each user or each device, based on the movement information notified by the presence manager, and (ii) notifies the policy engine of user identification information or device identification information concerning an updated part; a step in which said policy engine (i) outputs information on a group of users or devices and a companion, which is described in each access control policy, (ii) inputs thereby each user identification information or each device identification information corresponding to the group of users or devices and the companion, (iii) specifies an access control policy, based on the inputted user identification information or device identification information and based on the user identification information or device identification information notified by the knowledge database, (iv) outputs each user identification information or each device identification information corresponding to a group and companion written in the specified access control policy, (v) inputs the current position identification information on each user or each device corresponding to said each user identification information or each device identification information, and (vi) determines an access control policy which is made effective based on the inputted information and based on a condition described in the access control policy; and a step in which said policy engine (i) generates an access control list indicative of accessibility/inaccessibility from an access source to an access destination, by use of the access control policy determined as being effective and the information stored in the knowledge database, and (ii) sets the access control list in an existing access control device.
22. A computer readable medium storing an access control program for making a computer execute a processing,
said computer comprising a policy storage connected to a knowledge database which stores information indicative of: a relationship between a group of users or devices that use at least a resource as an access destination, and user identification information or device identification information capable of identifying the user or device; a relationship between a position as an access source of access to the resource, and access source identification information capable of identifying the position; or a relationship between the resource and access destination identification information capable of identifying the resource, and the policy storage storing an access control policy describing at least the group, position, and resource of the information stored in the knowledge database, wherein said processing includes: a step of generating an access control list indicating accessibility/inaccessibility to an access destination from an access source by use of the access control policy and the information stored in the knowledge database; and a step of setting the access control list in an existing access control device, wherein said knowledge database further stores information indicative of: (i) a relationship between a group and user identification information or device identification information, as a directional graph having a path from one group to another group, user identification information, or device identification information, (ii) a relationship between a position and access source identification information, as a directional graph having a path from one position to another position or access source identification information, and (iii) a relationship between a resource and access destination identification information, as a directional graph having a path from one resource to another resource or access destination identification information.
23. A computer readable medium storing an access control program for making a computer execute a processing,
said computer comprising a policy storage connected to a knowledge database which stores information indicative of: a relationship between a group of users or devices that use at least a resource as an access destination, and user identification information or device identification information capable of identifying the user or device; a relationship between a position as an access source for accessing the resource, and access source identification information capable of identifying the position; a relationship between the resource and access destination identification information capable of identifying the resource; or a relationship between user identification information on each user or device identification information on each device and current position identification information on each user or each device, and said policy storage storing an access control policy describing at least the group, position, and resource of the information stored in the knowledge database, and describing, as a companion, a user or device overlapping or different from a user or device corresponding to a group, wherein said processing includes: (i) an update information input step of inputting user identification information or device identification information concerning an update part in the information indicative of the relationship between user identification information on each user or device identification information on each device and current position identification information on each user or each device; (ii) an identification information input step of outputting information on a group of users or devices and a companion, which is described in each access control policy, thereby to input each user identification information or each device identification information corresponding to the group of users or devices and the companion; (iii) a specify step of specifying an access control policy, based on the user identification information or device identification information inputted in the identification information input step, and based on the user identification information or device identification information inputted by the update information input step; (iv) a current position identification information input step of outputting each user identification information or each device identification information corresponding to a group and companion written in the specified access control policy, thereby to input current position identification information on each user or each device corresponding to said each user identification information or each device identification information; (v) an effective policy determination step of determining an access control policy which is made effective based on the inputted information and based on a condition described in every access control policy; (vi) a list generation step of generating an access control list indicative of accessibility/inaccessibility from an access source to an access destination, by use of the access control policy determined as being effective and the information stored in the knowledge database; and (vii) a step of setting the access control list in an existing access control device, wherein said knowledge database further stores information indicative of: (i) a relationship between a group and user identification information or device identification information, as a directional graph having a path from one group to another group, user identification information, or device identification information, (ii) a relationship between a position and access source identification information, as a directional graph having a path from one position to another position or access source identification information, and (iii) a relationship between a resource and access destination identification information, as a directional graph having a path from one resource to another resource or access destination identification information.
Specification