Access authority generation device
Abstract
A precedence constraint solving means generates a set of authorities without a precedence constraint into a temporary storing means from a set of authorities having a precedence constraint extracted for a role. In doing so, the precedence constraint solving means derives an authority in an order satisfying the precedence constraint from the set of authorities having the precedence constraint and, when an object of the derived authority includes an object of an authority with the same action already generated in the temporary storing means and the permission/denial identifiers of the two authorities differ, divides the derived authority into a plurality of authorities whose objects have the same granularity as the included object, and stores into the temporary storing means only those authorities whose object differs from the included object.
16 Claims
1. An access authority generation device, comprising:
a memory comprising:
a policy storing region for storing a first set of authorities having a precedence constraint associated with a role, wherein a combination of an object, an action and a permission/denial identifier representing whether to permit or deny the action on the object is defined as an authority, wherein the object is one of a database and a table of a plurality of tables of the database, and wherein the first set of authorities includes a first authority and a second authority, the first authority being associated with a first role and permitting or denying a specific action on a specific table among the plurality of tables of the database, the second authority being associated with the first role and permitting or denying the specific action on the database, and the first authority having a higher priority than the second authority;
a subject assignment storing region for storing information about a relation between the first role and a subject belonging to the first role;
an object hierarchy storing region for storing information about an inclusion relation between the database and the plurality of tables; and
a non-permanent storage region; and
a processor connected to the memory, wherein the processor is programmed to:
extract the first set of authorities having the precedence constraint from the policy storing region, as a process target set, in association with the first role;
when generating and storing a second set of authorities which do not have the precedence constraint into the non-permanent storage region from the process target set extracted for the first role, in association with the first role:
first, derive an authority in accordance with an order satisfying the precedence constraint from the process target set associated with the first role, and determine the derived authority as a process target authority;
next, when a first object of the process target authority includes a second object of an authority having the same action that has already been generated in the non-permanent storage region and the permission/denial identifiers of both authorities differ from each other, expand the first object of the process target authority to the granularity of the included second object, set an authority in which the included second object is eliminated from the first object of the process target authority after expansion, and store the authority in which the included second object is eliminated from the first object of the process target authority after expansion, wherein the first object is the database and the second object is one of the plurality of tables, and wherein the generated and stored second set of authorities includes a third authority and a fourth authority, the third authority permitting or denying the specific action on the specific table of the plurality of tables of the database, and the fourth authority permitting or denying the specific action on each of the tables, other than the specific table, of the database; and
generate a set of access authorities associated with the subject from the second set of authorities without the precedence constraint generated for the first role and the information about the relation between the first role and the subject, wherein a combination of a subject, an object, an action and a permission/denial identifier representing whether to permit or deny the subject the action on the object is defined as an access authority, and wherein the generated set of access authorities includes a fifth authority and a sixth authority, the fifth authority permitting or denying, for the subject, the specific action on the specific table of the plurality of tables of the database, and the sixth authority permitting or denying, for the subject, the specific action on each of the tables, other than the specific table, of the database,
wherein when the granularity of the included second object is not the same as the granularity of the first object of the process target authority and a range represented by the included second object is smaller than a range of the first object of the process target authority, the expanding of the first object includes expanding the first object of the process target authority to the same granularity as the included second object.

Dependent claims: 2, 3, 4, 5, 6, 7.
8. An access authority generation method executed by an access authority generation device having:
a memory having:
a policy storing region for storing a first set of authorities having a precedence constraint, in association with a role, wherein a combination of an object, an action and a permission/denial identifier representing whether to permit or deny the action on the object is defined as an authority, wherein the object is one of a database and a table of a plurality of tables of the database, and wherein the first set of authorities includes a first authority and a second authority, the first authority being associated with a first role and permitting or denying a specific action on a specific table among the plurality of tables of the database, the second authority being associated with the first role and permitting or denying the specific action on the database, and the first authority having a higher priority than the second authority;
a subject assignment storing region for storing information about a relation between the first role and a subject belonging to the first role;
an object hierarchy storing region for storing information about an inclusion relation between the database and the plurality of tables; and
a non-permanent storage region; and
a processor connected to the memory,
the access authority generation method comprising:
extracting the first set of authorities having the precedence constraint from the policy storing region, as a process target set, in association with the first role, by the processor;
when generating and storing a second set of authorities without the precedence constraint into the non-permanent storage region from the process target set extracted for the first role, in association with the first role:
first, deriving an authority in accordance with an order satisfying the precedence constraint from the process target set associated with the first role, and determining the derived authority as a process target authority;
next, when a first object of the process target authority includes a second object of an authority having the same action that has already been generated in the non-permanent storage region and the permission/denial identifiers of both authorities differ from each other, expanding the first object of the process target authority to the granularity of the included second object, setting an authority in which the included second object is eliminated from the first object of the process target authority after expansion, and storing the authority in which the included second object is eliminated from the first object of the process target authority after expansion, by the processor, wherein the first object is the database and the second object is one of the plurality of tables, and wherein the generated and stored second set of authorities includes a third authority and a fourth authority, the third authority permitting or denying the specific action on the specific table of the plurality of tables of the database, and the fourth authority permitting or denying the specific action on each of the tables, other than the specific table, of the database; and
generating a set of access authorities associated with the subject from the second set of authorities without the precedence constraint generated for the first role and the information about the relation between the first role and the subject, wherein a combination of a subject, an object, an action and a permission/denial identifier representing whether to permit or deny the subject the action on the object is defined as an access authority, by the processor, and wherein the generated set of access authorities includes a fifth authority and a sixth authority, the fifth authority permitting or denying, for the subject, the specific action on the specific table of the plurality of tables of the database, and the sixth authority permitting or denying, for the subject, the specific action on each of the tables, other than the specific table, of the database,
wherein when the granularity of the included second object is not the same as the granularity of the first object of the process target authority and a range represented by the included second object is smaller than a range of the first object of the process target authority, the expanding of the first object includes expanding the first object of the process target authority to the same granularity as the included second object.

Dependent claims: 9, 10, 11, 12, 13, 14.
15. A non-transitory computer readable medium storing a program for causing a computer having:
a policy storing unit for storing a first set of authorities having a precedence constraint, in association with a role, wherein a combination of an object, an action and a permission/denial identifier representing whether to permit or deny the action on the object is defined as an authority, wherein the object is one of a database and a table of a plurality of tables of the database, and wherein the first set of authorities includes a first authority and a second authority, the first authority being associated with a first role and permitting or denying a specific action on a specific table among the plurality of tables of the database, the second authority being associated with the first role and permitting or denying the specific action on the database, and the first authority having a higher priority than the second authority;
a subject assignment storing unit for storing information about a relation between the first role and a subject belonging to the first role;
an object hierarchy storing unit for storing information about an inclusion relation between the database and the plurality of tables; and
a non-permanent storage unit,
to function as:
a process target set extracting unit for extracting the first set of authorities having the precedence constraint from the policy storing unit, as a process target set, in association with the first role;
a precedence constraint solving unit for generating and storing a second set of authorities without the precedence constraint into the non-permanent storage unit from the process target set extracted for the first role, in association with the first role, the precedence constraint solving unit being configured to:
derive an authority in accordance with an order satisfying the precedence constraint from the process target set associated with the first role, and determine the derived authority as a process target authority;
when a first object of the process target authority includes a second object of an authority having the same action that has already been generated in the non-permanent storage unit and the permission/denial identifiers of both authorities differ from each other, expand the first object of the process target authority to the granularity of the included second object, and set an authority in which the included second object is eliminated from the first object of the process target authority after expansion; and
store the authority in which the included second object is eliminated from the first object of the process target authority after expansion into the non-permanent storage unit,
wherein the first object is the database and the second object is one of the plurality of tables, and wherein the generated and stored second set of authorities includes a third authority and a fourth authority, the third authority permitting or denying the specific action on the specific table of the plurality of tables of the database, and the fourth authority permitting or denying the specific action on each of the tables, other than the specific table, of the database; and
an access authority generating unit for generating a set of access authorities associated with the subject from the second set of authorities without the precedence constraint generated for the first role and the information about the relation between the first role and the subject, wherein a combination of a subject, an object, an action and a permission/denial identifier representing whether to permit or deny the subject the action on the object is defined as an access authority, and wherein the generated set of access authorities includes a fifth authority and a sixth authority, the fifth authority permitting or denying, for the subject, the specific action on the specific table of the plurality of tables of the database, and the sixth authority permitting or denying, for the subject, the specific action on each of the tables, other than the specific table, of the database,
wherein when the granularity of the included second object is not the same as the granularity of the first object of the process target authority and a range represented by the included second object is smaller than a range of the first object of the process target authority, the expanding of the first object includes expanding the first object of the process target authority to the same granularity as the included second object.
16. An access authority generation device, comprising:
a memory comprising:
a policy storing region which is configured to store at least one role authority comprising a precedence constraint, each role authority comprising an association between an object, an action, and a permission/denial identifier, wherein the object is one of a database and a table of a plurality of tables of the database, and wherein the at least one role authority comprises a first role authority and a second role authority, the first role authority being associated with a first role and permitting or denying a specific action on a specific table among the plurality of tables of the database, the second role authority being associated with the first role and permitting or denying the specific action on the database, and the first role authority having a higher priority than the second role authority;
a role association region which is configured to store information associating the first role with at least one subject;
an object hierarchy region which is configured to store information regarding relationships between the database and the plurality of tables; and
a non-permanent storage region; and
a processor connected to the memory, wherein the processor is programmed to:
extract the at least one role authority from the policy storing region to form a process target set;
generate at least one non-precedence role authority, which does not include the precedence constraint, and store the at least one non-precedence role authority into the non-permanent storage region;
derive an authority according to the precedence constraint from the process target set and determine a process target authority according to the derived authority;
when a first object of the process target authority includes a second object of an authority already stored in the non-permanent storage region having the same action but a different permission/denial identifier, expand the first object of the process target authority to the granularity of the included second object, set an authority in which the included second object is eliminated from the first object of the process target authority after expansion, and store the authority in which the included second object is eliminated after expansion, wherein the first object is the database and the second object is one of the plurality of tables, and wherein the generated and stored at least one non-precedence role authority comprises a third role authority and a fourth role authority, the third role authority permitting or denying the specific action on the specific table of the plurality of tables of the database, and the fourth role authority permitting or denying the specific action on each of the tables, other than the specific table, of the database; and
generate at least one subject authority associated with the at least one subject from the at least one non-precedence role authority and the information associating the first role with the at least one subject, wherein each of the at least one subject authority comprises a subject, an object, an action, and a permission/denial identifier, and wherein the generated at least one subject authority comprises a fifth role authority and a sixth role authority, the fifth role authority permitting or denying, for the subject, the specific action on the specific table of the plurality of tables of the database, and the sixth role authority permitting or denying, for the subject, the specific action on each of the tables, other than the specific table, of the database,
wherein when the granularity of the included second object is not the same as the granularity of the first object of the process target authority and a range represented by the included second object is smaller than a range of the first object of the process target authority, the expanding of the first object includes expanding the first object of the process target authority to the same granularity as the included second object.
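The abstract and claim 1 describe a two-stage compilation. First, a role's precedence-constrained permit/deny authorities are derived highest priority first and, whenever a derived authority on the database conflicts with an already-stored authority on one of its tables (same action, opposite identifier), the database object is expanded to table granularity with the conflicting table eliminated. Second, the resulting flat, conflict-free role authorities are joined with the subject assignment to produce per-subject access authorities. The Python below is an added worked example written for this page; it is not code from the patent or its assignee. The dataclasses, the `sales_db` hierarchy, the `analyst` policy and the `alice` assignment are constructed for illustration. It goes slightly beyond the claim in two ways, both stated in the code: the hierarchy walk is recursive so deeper object trees also work, and the complementary case (a lower-priority table authority lying inside a higher-priority, opposite database authority) is resolved by dropping it, which the claim does not spell out.

```python
# Added worked example for this page, not code from the patent or its assignee.
# Object names, the sample policy and the subject assignment are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Authority:                 # role authority held in the policy storing region
    obj: str                     # a database ("sales_db") or a table ("sales_db.salaries")
    action: str                  # e.g. "SELECT"
    permit: bool                 # permission/denial identifier: True permits, False denies
    priority: int                # precedence constraint: higher value is derived first

@dataclass(frozen=True)
class FlatAuthority:             # authority without precedence constraint
    obj: str
    action: str
    permit: bool

@dataclass(frozen=True)
class AccessAuthority:           # subject-level access authority
    subject: str
    obj: str
    action: str
    permit: bool

# Object hierarchy storing region (constructed): parent -> included objects.
OBJECT_HIERARCHY: Dict[str, List[str]] = {
    "sales_db": ["sales_db.orders", "sales_db.customers", "sales_db.salaries"],
}
PARENT: Dict[str, str] = {c: p for p, kids in OBJECT_HIERARCHY.items() for c in kids}

def depth(obj: str) -> int:
    """Granularity of an object: 0 for a database, 1 for one of its tables."""
    return 0 if obj not in PARENT else 1 + depth(PARENT[obj])

def includes(outer: str, inner: str) -> bool:
    """True when the range of outer covers inner (an object includes itself)."""
    while inner != outer and inner in PARENT:
        inner = PARENT[inner]
    return inner == outer

def expand(obj: str, target: str) -> List[str]:
    """Expand obj to the granularity of target, e.g. a database to its tables."""
    if depth(obj) >= depth(target):
        return [obj]
    return [o for child in OBJECT_HIERARCHY.get(obj, []) for o in expand(child, target)]

def solve_precedence(role_authorities: List[Authority]) -> Set[FlatAuthority]:
    """Derive highest priority first and store a conflict-free flat set.
    Claimed case: a derived object including a stored object with the same action
    but the opposite identifier is expanded to that granularity, minus the included
    object. Assumed complement (not in the claim): a derived piece lying inside a
    stored opposite authority is dropped, as the higher priority decided it."""
    stored: Set[FlatAuthority] = set()
    for auth in sorted(role_authorities, key=lambda a: a.priority, reverse=True):
        pieces = [auth.obj]
        for prior in list(stored):
            if prior.action != auth.action or prior.permit == auth.permit:
                continue
            next_pieces: List[str] = []
            for piece in pieces:
                if includes(prior.obj, piece):
                    continue                           # already decided above
                if includes(piece, prior.obj):
                    next_pieces += [o for o in expand(piece, prior.obj) if o != prior.obj]
                else:
                    next_pieces.append(piece)
            pieces = next_pieces
        stored.update(FlatAuthority(p, auth.action, auth.permit) for p in pieces)
    return stored

def generate_access_authorities(flat_by_role: Dict[str, Set[FlatAuthority]],
                                subject_assignment: Dict[str, List[str]]) -> Set[AccessAuthority]:
    """Join the flat role authorities with the subject assignment storing region."""
    return {AccessAuthority(subject, fa.obj, fa.action, fa.permit)
            for subject, roles in subject_assignment.items()
            for role in roles for fa in flat_by_role.get(role, set())}

def decide(access: Set[AccessAuthority], subject: str, obj: str, action: str) -> Optional[bool]:
    """Exact-match lookup walking up the hierarchy; None means no authority applies."""
    while True:
        hits = {a.permit for a in access if (a.subject, a.obj, a.action) == (subject, obj, action)}
        assert len(hits) <= 1, "flat set must be conflict-free"
        if hits:
            return hits.pop()
        if obj not in PARENT:
            return None
        obj = PARENT[obj]

# Policy storing region (constructed): analyst may SELECT on the whole database
# (second authority), but SELECT on salaries is denied with higher priority (first).
POLICY: Dict[str, List[Authority]] = {
    "analyst": [Authority("sales_db", "SELECT", permit=True, priority=1),
                Authority("sales_db.salaries", "SELECT", permit=False, priority=2)],
}
SUBJECT_ASSIGNMENT: Dict[str, List[str]] = {"alice": ["analyst"]}  # constructed

def compile_policy() -> Set[AccessAuthority]:
    flat = {role: solve_precedence(auths) for role, auths in POLICY.items()}
    return generate_access_authorities(flat, SUBJECT_ASSIGNMENT)
```

For the constructed policy, `solve_precedence` yields the third and fourth authorities of the claim: SELECT denied on `sales_db.salaries` and SELECT permitted on `sales_db.orders` and `sales_db.customers`; `compile_policy` then attaches them to `alice` as the fifth and sixth authorities. Because the stored set is conflict-free, `decide` needs no priority logic at request time, which is the practical payoff of resolving the precedence constraint ahead of time; the assertion in `decide` is the check a practitioner should keep, since any duplicate subject/object/action pair with differing identifiers would mean the solver was bypassed.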