Access authority generation device

US 9,256,716 B2
Filed: 06/10/2011
Issued: 02/09/2016
Est. Priority Date: 09/22/2010
Status: Active Grant

First Claim

Patent Images

1. An access authority generation device, comprising:

a memory comprising;

a policy storing region for storing a first set of authorities having a precedence constraint associated with a role, wherein a combination of an object, an action and a permission/denial identifier representing whether to permit or deny the action on the object is defined as an authority, wherein the object is one of a database and a table of a plurality of tables of the database, and wherein the first set of authorities includes a first authority and a second authority, the first authority being associated with a first role that permits or denies a specific action on a specific table among the plurality of tables of the database, the second authority being associated with the first role and that permits or denies the specific action on the database, and the first authority having a higher priority than the second authority;

a subject assignment storing region for storing information about a relation between the first role and a subject belonging to the first role;

an object hierarchy storing region for storing information about an inclusion relation between the database and the plurality of tables; and

a non-permanent storage region; and

a processor connected to the memory,wherein the processor is programmed to;

extract the first set of authorities having the precedence constraint from the policy storing region, as a process target set, in association with the first role;

when generating and storing a second set of authorities which do not have the precedence constraint into the non-permanent storage region from the process target set extracted for the first role, in association with the first role;

first, deriving an authority in accordance with an order satisfying the precedence constraint from the process target set associated with the first role, and determining the derived authority, as a process target authority;

next, when a first object of the process target authority includes a second object of an authority having a same action that has already been generated in the non-permanent storage region and permission/denial identifiers of both the authorities are different from each other, expanding the first object of the process target authority to a granularity of the included second object, set an authority in which the included second object is eliminated from the first object of the process target authority after expansion, and store the authority in which the second included object is eliminated from the first object of the process target authority after expansion, wherein the first object is the database and the second object is one of the plurality of tables, and wherein the generated and stored second set of authorities includes a third authority and a forth authority, the third authority permitting or denying the specific action on the specific table of the plurality of tables of the database, and the forth authority permitting or denying the specific action on each of the tables, other than the specific table, of the database; and

generate a set of access authorities associated with the subject from the second set of authorities without the precedence constraint generated for the first role and the information about the relation between the first role and the subject, wherein a combination of a subject, an object, an action and a permission/denial identifier representing whether to permit or deny the subject the action on the object is defined as an access authority, and wherein the generated set of access authorities includes a fifth authority and a sixth authority, the fifth authority permitting or denying, for the subject, the specific action on the specific table of the plurality of tables of the database, and the sixth authority permitting or denying, for the subject, the specific action on each of the tables, other than the specific table, of the database,wherein when the granularity of the included second object is not the same as the granularity of the first object of the process target authority and a range represented by the included second object is smaller than a range of the first object of the process target authority, the expanding the first object includes expanding the first object of the process target authority to the same granularity of the included second object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A precedence constraint solving means generates a set of authorities without a precedence constraint into a temporary storing means from a set of authorities having a precedence constraint extracted for a role. At this moment, the precedence constraint solving means derives an authority in accordance with an order satisfying the precedence constraint from the set of authorities having the precedence constraint and, when an object of the derived authority includes an object of an authority having the same action already generated in the temporary storing means and permission/denial identifiers of both the authorities are different from each other, divides the derived authority into a plurality of authorities having objects of the same granularity as that of the included object, and stores only an authority having a different object from the included object into the temporary storing means.

Citations

16 Claims

1. An access authority generation device, comprising:
- a memory comprising;
  
  a policy storing region for storing a first set of authorities having a precedence constraint associated with a role, wherein a combination of an object, an action and a permission/denial identifier representing whether to permit or deny the action on the object is defined as an authority, wherein the object is one of a database and a table of a plurality of tables of the database, and wherein the first set of authorities includes a first authority and a second authority, the first authority being associated with a first role that permits or denies a specific action on a specific table among the plurality of tables of the database, the second authority being associated with the first role and that permits or denies the specific action on the database, and the first authority having a higher priority than the second authority;
  
  a subject assignment storing region for storing information about a relation between the first role and a subject belonging to the first role;
  
  an object hierarchy storing region for storing information about an inclusion relation between the database and the plurality of tables; and
  
  a non-permanent storage region; and
  
  a processor connected to the memory,wherein the processor is programmed to;
  
  extract the first set of authorities having the precedence constraint from the policy storing region, as a process target set, in association with the first role;
  
  when generating and storing a second set of authorities which do not have the precedence constraint into the non-permanent storage region from the process target set extracted for the first role, in association with the first role;
  
  first, deriving an authority in accordance with an order satisfying the precedence constraint from the process target set associated with the first role, and determining the derived authority, as a process target authority;
  
  next, when a first object of the process target authority includes a second object of an authority having a same action that has already been generated in the non-permanent storage region and permission/denial identifiers of both the authorities are different from each other, expanding the first object of the process target authority to a granularity of the included second object, set an authority in which the included second object is eliminated from the first object of the process target authority after expansion, and store the authority in which the second included object is eliminated from the first object of the process target authority after expansion, wherein the first object is the database and the second object is one of the plurality of tables, and wherein the generated and stored second set of authorities includes a third authority and a forth authority, the third authority permitting or denying the specific action on the specific table of the plurality of tables of the database, and the forth authority permitting or denying the specific action on each of the tables, other than the specific table, of the database; and
  
  generate a set of access authorities associated with the subject from the second set of authorities without the precedence constraint generated for the first role and the information about the relation between the first role and the subject, wherein a combination of a subject, an object, an action and a permission/denial identifier representing whether to permit or deny the subject the action on the object is defined as an access authority, and wherein the generated set of access authorities includes a fifth authority and a sixth authority, the fifth authority permitting or denying, for the subject, the specific action on the specific table of the plurality of tables of the database, and the sixth authority permitting or denying, for the subject, the specific action on each of the tables, other than the specific table, of the database,wherein when the granularity of the included second object is not the same as the granularity of the first object of the process target authority and a range represented by the included second object is smaller than a range of the first object of the process target authority, the expanding the first object includes expanding the first object of the process target authority to the same granularity of the included second object.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The access authority generation device according to claim 1, wherein:
    - the memory further has a role hierarchy storing region for storing information about an inheritance relation between roles; and
      
      the processor is programmed to, in the extraction of the process target set, extract and couple the first set of authorities having the precedence constraint stored in the policy storing region in association with the first role and a third set of authorities which have the precedence constraint stored in the policy storing region in association with an inheritance source role of the first role represented by the inheritance relation between the roles, thereby generating the process target set that is configured to be a coupled set of authorities having the precedence constraint.
  - 3. The access authority generation device according to claim 1, wherein the processor is programmed to, in the generation of the second set of authorities without the precedence constraint into the non-permanent storage region, discard the process target authority having an object included in an object of an authority having an action previously stored in the non-permanent storage region.
  - 4. The access authority generation device according to claim 1, wherein:
    - the memory further has an action hierarchy storing region for storing information about a relation between the object and an action; and
      
      the processor is programmed to, in the generation of the second set of authorities without the precedence constraint into the non-permanent storage region, when an action of the process target authority is not associated with granularity of the first object of the process target authority, expand the first object of the process target authority to a granularity of the included second object and then process.
  - 5. The access authority generation device according to claim 1, wherein the processor is programmed to, in the generation of the second set of authorities without the precedence constraint into the non-permanent storage region, when the first object of the process target authority includes an object of the authority having the same action stored in the non-permanent storage region and the permission/denial identifiers of both the authorities are identical to each other, store the process target authority into the non-permanent storage region and delete the authority having the same action and the same permission/denial identifier stored in the non-permanent storage region.
  - 6. The access authority generation device according to claim 1, wherein the processor is programmed to, in the generation of the set of access authorities associated with the subject, integrate a plurality of access authorities having same subjects, objects and permission/denial identifiers and having different actions, into one access authority.
  - 7. The access authority generation device according to claim 1, wherein the processor is programmed to further execute access control based on the generated access authority.

8. An access authority generation method executed by an access authority generation device having:
- a memory having;
  
  a policy storing region for storing a first set of authorities having a precedence constraint, in association with a role, wherein a combination of an object, an action and a permission/denial identifier representing whether to permit or deny the action on the object is defined as an authority, wherein the object is one of a database and a table of a plurality of tables of the database, and wherein the first set of authorities includes a first authority and a second authority, the first authority being associated with a first role that permits or denies a specific action on a specific table among the plurality of tables of the database, the second authority being associated with the first role and that permits or denies the specific action on the database, and the first authority having a higher priority than the second authority;
  
  a subject assignment storing region for storing information about a relation between the first role and a subject belonging to the first role;
  
  an object hierarchy storing region for storing information about an inclusion relation between the database and the plurality of tables; and
  
  a non-permanent storage region; and
  
  a processor connected to the memory,the access authority generation method, comprising;
  
  extracting the first set of authorities having the precedence constraint from the policy storing region, as a process target set, in association with the first role, by the processor;
  
  when generating and storing a second set of authorities without the precedence constraint into the non-permanent storage region from the process target set extracted for the first role, in association with the first role;
  
  first, deriving an authority in accordance with an order satisfying the precedence constraint from the process target set associated with the first role, and determining the derived authority, as a process target authority;
  
  next, when a first object of the process target authority includes a second object of an authority having a same action that has already been generated in the non-permanent storage region and permission/denial identifiers of both the authorities are different from each other, expanding the first object of the process target authority to a granularity of the included second object, set an authority in which the included second object is eliminated from the first object of the process target authority after expansion, and store the authority in which the included second object is eliminated from the first object of the process target authority after expansion, by the processor, wherein the first object is the database and the second object is one of the plurality of tables, and wherein the generated and stored second set of authorities includes a third authority and a forth authority, the third authority permitting or denying the specific action on the specific table of the plurality of tables of the database, and the forth authority permitting or denying the specific action on each of the tables, other than the specific table, of the database; and
  
  generating a set of access authorities associated with the subject from the second set of authorities without the precedence constraint generated for the first role and the information about the relation between the first role and the subject, wherein a combination of a subject, an object, an action and a permission/denial identifier representing whether to permit or deny the subject the action on the object is defined as an access authority, by the processor, and wherein the generated set of access authorities includes a fifth authority and a sixth authority, the fifth authority permitting or denying, for the subject, the specific action on the specific table of the plurality of tables of the database, and the sixth authority permitting or denying, for the subject, the specific action on each of the tables, other than the specific table, of the database,wherein when the granularity of the included second object is not the same as the granularity of the first object of the process target authority and a range represented by the included second object is smaller than a range of the first object of the process target authority, the expanding the first object includes expanding the first object of the process target authority to the same granularity of the included second object.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The access authority generation method according to claim 8, wherein the memory further has a role hierarchy storing region for storing information about an inheritance relation between roles,the access authority generation method comprising:
    - in the extraction of the process target set, extracting and coupling the first set of authorities having the precedence constraint stored in the policy storing region in association with the first role and the first set of authorities having the precedence constraint stored in the policy storing region in association with an inheritance source role of the first role represented by the inheritance relation between the roles, thereby generating the process target set that is configured to be a coupled set of authorities having the precedence constraint, by the processor,wherein the coupled set of authorities corresponds to the first set of authorities.
  - 10. The access authority generation method according to claim 8, comprising:
    - in the generation of the second set of authorities without the precedence constraint into the non-permanent storage region, discarding the process target authority having an object included in an object of an authority having an action previously stored in the non-permanent storage region, by the processor.
  - 11. The access authority generation method according to claim 8, wherein the memory further has an action hierarchy storing region for storing information about a relation between the object and an action,the access authority generation method comprising:
    - in the generation of the second set of authorities without the precedence constraint into the non-permanent storage region, when an action of the process target authority is not associated with granularity of the first object of the process target authority, expand the first object of the process target authority to a granularity of the included second object then processing, by the processor.
  - 12. The access authority generation method according to claim 8, comprising:
    - in the generation of the second set of authorities without the precedence constraint into the non-permanent storage region, whenthe first object of the process target authority includes the second object of the authority having the same action stored in the non-permanent storage region and the permission/denial identifiers of both the authorities are identical to each other, storing the process target authority into the non-permanent storage region and deleting the authority having the same action and the same permission/denial identifier stored in the non-permanent storage region, by the processor.
  - 13. The access authority generation method according to claim 8, comprising:
    - in the generation of the set of access authorities associated with the subject, integrating a plurality of access authorities having same subjects, objects and permission/denial identifiers and having different actions, into one access authority, by the processor.
  - 14. The access authority generation method according to claim 8, further comprising executing access control based on the generated access authority by the processor.

15. A non-transitory computer readable medium storing a program for causing a computer having:
- a policy storing unit for storing a first set of authorities having a precedence constraint, in association with a role, wherein a combination of an object, an action and a permission/denial identifier representing whether to permit or deny the action on the object is defined as an authority, wherein the object is one of a database and a table of a plurality of tables of the database, and wherein the first set of authorities includes a first authority and a second authority, the first authority being associated with a first role that permits or denies a specific action on a specific table among the plurality of tables of the database, the second authority being associated with the first role and that permits or denies the specific action on the database, and the first authority having a higher priority than the second authority;
  
  a subject assignment storing unit for storing information about a relation between the first role and a subject belonging to the first role;
  
  an object hierarchy storing unit for storing information about an inclusion relation between the database and the plurality of tables; and
  
  a storage unit, to function as;
  
  a process target set extracting unit for extracting the first set of authorities having the precedence constraint from the policy storing unit, as the process target set, in association with the first role;
  
  a precedence constraint solving unit for generating and storing a second set of authorities without the precedence constraint into the non-permanent storage unit from the process target set extracted for the first role, in association with the first role, the precedence constraint solving unit being configured to;
  
  derive an authority in accordance with an order satisfying the precedence constraint from the process target set associated with the first role, and determine the derived authority, as a process target authority;
  
  when a first object of the process target authority includes a second object of an authority having a same action that has already been generated in the non-permanent storage unit and permission/denial identifiers of both the authorities are different from each other, expanding the first object of the process target authority to a granularity of the included second object, and setting an authority in which the included second object is eliminated from the object of the process target authority after expansion; and
  
  store the authority in which the included second object is eliminated from the first object of the process target authority after expansion, into the non-permanent storage unit, wherein the first object is the database and the second object is one of the plurality of tables, and wherein the generated and stored second set of authorities includes a third authority and a forth authority, the third authority permitting or denying the specific action on the specific table of the plurality of tables of the database, and the forth authority permitting or denying the specific action on each of the tables, other than the specific table, of the database; and
  
  an access authority generating unit for generating a set of access authorities associated with the subject from the second set of authorities without the precedence constraint generated for the first role and the information about the relation between the first role and the subject, wherein a combination of a subject, an object, an action and a permission/denial identifier representing whether to permit or deny the subject the action on the object is defined as an access authority, and wherein the generated set of access authorities includes a fifth authority and a sixth authority, the fifth authority permitting or denying, for the subject, the specific action on the specific table of the plurality of tables of the database, and the sixth authority permitting or denying, for the subject, the specific action on each of the tables, other than the specific table, of the database,wherein when the granularity of the included second object is not the same as the granularity of the first object of the process target authority and a range represented by the included second object is smaller than a range of the first object of the process target authority, the expanding the first object includes expanding the first object of the process target authority to the same granularity of the included second object.

16. An access authority generation device, comprising:
- a memory comprising;
  
  a policy storing region which is configured to store at least one role authority comprising a precedence constraint, each role authority comprising an association between an object, an action, and a permission/denial identifier, wherein the object is one of a database and a table of a plurality of tables of the database, and wherein the at least one role authority comprises a first role authority and a second role authority, the first role authority being associated with a first role that permits or denies a specific action on a specific table among the plurality of tables of the database, the second role authority being associated with the first role and that permits or denies the specific action on the database, and the first role authority having a higher priority than the second role authority;
  
  a role association region which is configured to store information associated with the first role and at least one subject;
  
  an object hierarchy region which is configured to store information regarding relationships between the database and the plurality of tables; and
  
  a non-permanent storage region; and
  
  a processor connected to the memory, wherein the processor is programmed to;
  
  extract the at least one role authority from the policy storing region to form a process target set,generate at least one non-precedence role authority, which does not include the precedence constraint;
  
  store the at least one non-precedence role into the non-permanent storage region;
  
  derive an authority according to the precedence constraint from the process target set and determining a process target authority according to the derived authority;
  
  when a first object of the process target authority includes a second object of an authority having a same action but a different permission/denial identifier than the object already as stored in the non-permanent storage region, expanding the first object of the process target authority to a granularity of the included second object, setting an authority in which the included second object is eliminated from the first object of the process target authority after expansion, and storing the authority in which the included second object is eliminated after expansion, wherein the first object is the database and the second object one of the plurality of tables, and wherein the generated and stored at least one non-precedence role comprises a third role authority and a forth role authority, the third role authority permitting or denying the specific action on the specific table of the plurality of tables of the database, and the forth role authority permitting or denying the specific action on each of the tables, other than the specific table, of the database; and
  
  generate at least one subject authority associated with the at least one subject from the at least one non-precedence role authority and the information associated with the first role and at least one subject, wherein each of the at least one subject authority comprises a subject, an object, and action, and a permission/denial identifier, and wherein the generated at least one subject authority comprises a fifth role authority and a sixth role authority, the fifth role authority permitting or denying, for the subject, the specific action on the specific table of the plurality of tables of the database, and the sixth role authority permitting or denying, for the subject, the specific action on each of the tables, other than the specific table, of the databasewherein when the granularity of the included second object is not the same as the granularity of the first object of the process target authority and a range represented by the included second object is smaller than a range of the first object of the process target authority, the expanding the first object includes expanding the first object of the process target authority to the same granularity of the included second object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Corporation
Inventors
Morita, Yoichiro
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
MCCOY, RICHARD ANTHONY

Application Number

US13/819,060
Publication Number

US 20130160076A1
Time in Patent Office

1,705 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/604   Tools and structures for ma...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Access authority generation device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Access authority generation device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links