JP4602684B2 - Information processing apparatus, operation permission determination method, operation permission information generation method, operation permission determination program, operation permission information generation program, and recording medium - Google Patents

Description

  The present invention relates to an information processing device, an operation permission determination method, an operation permission information generation method, an operation permission information determination program, an operation permission information generation program, and a recording medium, and more particularly, an information processing device for performing access control on resources and an operation permission determination The present invention relates to a method, an operation permission information generation method, an operation permission determination program, an operation permission information generation program, and a recording medium.

  As a means for controlling access to a document in a document management system, which user can use which operation permission list called an ACL (Access Control List) for each document or each group composed of a set of a plurality of documents. Security rules such as whether to allow operations are managed. However, since such ACL is managed inside each system (for example, as management information in a document management database), it is difficult to apply rules based on a unified policy across a plurality of systems. there were.

On the other hand, information related to access control in a plurality of systems (hereinafter referred to as “access control information”) is used to maintain consistency of access control for resources such as documents not only within one system but over a wider range. A method is also considered in which each application that consolidates to one security server and uses resources determines whether or not various operations can be performed based on a unified access control policy (security policy) in the security server. However, since the operation to be controlled differs depending on the application, management information becomes complicated simply by aggregating access control information in a plurality of systems. Therefore, in the security server, a security policy with a higher level of abstraction is defined, and for each specific determination, the policy description defined for each abstract operation is most appropriate for each application. Access control is performed by applying a simple policy description (for example, whether or not “print output” processing and “download to local PC” can be executed based on the “document output rule” policy).
JP 2003-170715 A

  However, the definition content of a security policy tends to be more fixed than that of the conventional ACL due to the nature of unified and abstract rules for a plurality of systems. Therefore, according to the security policy, there is a problem that flexibility for an exceptional situation that frequently occurs in daily work (for example, when temporarily allowing a specific temporary employee to use a specific document) is impaired.

  In Patent Document 1, an invention for extending the security policy by adding an additional rule to the security policy is described. However, without directly changing a unified rule for a plurality of systems, If the definition can be extended, it is more convenient and safer.

The present invention has been made in view of the above points, and is an information processing apparatus capable of realizing flexible access control, an operation permission determination method, an operation permission information generation method, an operation permission determination program, and operation permission information. An object is to provide a generation program and a recording medium.
The purpose is to provide.

  Accordingly, in order to solve the above-described problem, as described in claim 1, the present invention provides each operation type according to a combination of a classification of a resource to be operated and a classification of a subject operating the resource. The document of the subject is defined based on the definition information in which rules relating to whether or not to permit the operation are defined, and the operation permission information in which the type of the operation permitted for a particular subject with respect to a particular resource is defined. It is characterized by having permission / rejection determination means for executing permission / rejection determination on the operation for.

  In such an information processing apparatus, the operation permission / inhibition determination is performed based on the comprehensively defined first-term definition information and the operation permission information defined for a specific target. Therefore, based on only the definition information. More flexible access control can be performed as compared with the case of permit / denial determination.

  In order to solve the above-mentioned problem, the present invention provides an operation for generating operation permission information in which a type of operation permitted for a specific subject is defined for a specific resource. An information processing apparatus having permission information generating means, wherein a rule relating to permission judgment of the operation is provided for each type of operation according to a combination of a classification of a resource to be operated and a classification of a subject operating the resource. When the application of the operation permission information is prohibited for the rule that can target the specific subject, the specific resource, and the type of the operation targeted by the operation permission information in the defined definition information, The operation permission information is not generated.

  In such an information processing apparatus, it is possible to adjust the relationship with the definition information at the stage of generating the operation permission information, and thus preventing invalid operation permission information from being generated for part or all of the information. Can do.

  In order to solve the above problems, the present invention provides an operation permission determination method, an operation permission information generation method, an operation permission determination program for causing the information processing apparatus to execute the operation permission determination method, An operation permission information generation program for causing the information processing apparatus to execute the operation permission information generation method, or a recording medium on which the operation permission determination program or the operation permission information generation program is recorded may be used.

  According to the present invention, it is possible to provide an information processing apparatus, an operation permission determination method, an operation permission information generation method, an operation permission determination program, an operation permission information generation program, and a recording medium that can realize flexible access control. .

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a diagram showing a configuration example of a document management system according to an embodiment of the present invention. As shown in FIG. 1, the document management system 1 according to the present embodiment includes a security management server 10, a document management server 20, an authentication server 30, a client device 40, a print server 51, a conversion server 52, a distribution server 53, and the like. It is configured by being connected via a network 60 such as the Internet or a LAN (Local Area Network).

  The security management server 10 manages various types of security information (hereinafter referred to as “security information”) for the document, and various operations (viewing, printing, editing, deleting, etc.) on the user's document based on the security information. This is a computer on which a security service 11 that provides an operation permission / rejection determination function for performing permission / rejection determination as a Web service is installed. Various servers (document management server 10, print server 51, conversion server 52, and distribution server 53) that handle documents in the document management system 1 make inquiries to the security service 11, so that each user has authority to operate on the documents. Determine the presence or absence of

  The document management server 20 is a computer on which a document management service 21 that provides document management (storage of documents, provision of means such as search, update, and deletion for stored documents) as a Web service is implemented. The authentication server 30 is a computer on which an authentication service 31 that provides an authentication function for authenticating a user of the document management system 1 as a Web service is installed. The authentication service 31 authenticates the user in response to the authentication request. When the user is authenticated, the authentication service 31 issues an electronic certificate (hereinafter referred to as “ticket”) that proves that the user is authenticated. To do.

  The print server 51, the conversion server 52, and the distribution server 53 are examples of various servers that handle documents managed by the document management server 20. The print server 51 is a computer having a function for causing a printer to print a document. The conversion server 52 is a computer having a function for converting a document into a predetermined data format. The distribution server 53 is a computer on which a function for distributing a document to a predetermined destination is installed.

  The client device 40 is a computer in which an application that uses the functions of the various servers described above is installed. However, the client device 40 is not necessarily a terminal used directly by the user. For example, the client device 40 may be a Web server, and in this case, an application installed in the client device 40 corresponds to a Web application.

  Next, details of the security management server 10 will be described. FIG. 2 is a diagram illustrating a hardware configuration example of the security management server according to the embodiment of the present invention. The security management server 10 in FIG. 2 includes a drive device 100, an auxiliary storage device 102, a memory device 103, an arithmetic processing device 104, and an interface device 105 that are connected to each other via a bus B. Is done.

  A program for realizing processing in the security management server 10 is provided by a recording medium 101 such as a CD-ROM. When the recording medium 101 on which the program is recorded is set in the drive device 100, the program is installed from the recording medium 101 to the auxiliary storage device 102 via the drive device 100. The auxiliary storage device 102 stores the installed program and also stores necessary files and data. The memory device 103 reads the program from the auxiliary storage device 102 and stores it when there is an instruction to start the program. The arithmetic processing unit 104 executes functions related to the security management server 10 in accordance with a program stored in the memory device 103. The interface device 105 includes, for example, a modem, a router, etc., and is used to connect to the network 60 in FIG.

  FIG. 3 is a diagram showing an example of a security management server function configuration in the embodiment of the present invention. As shown in FIG. 3, the security service 11 in the security management server 10 includes a security service layer 111, an operation permission / rejection determination unit 112, a policy management unit 113, a policy 114, a license issuance unit 115, a license management unit 116, and It consists of a permit management table 117 and the like.

  The security service layer 111 is a layer for exposing security service functions on a network. That is, the security service layer 111 determines a request from the application 41 by analyzing a SOAP message transmitted from the application 41 in the client device 40, and executes a function requested by the application 41 based on the determination result. In order to do this, the operation permission determination unit 112 or the permit issuing unit 115 is called. The security service layer 111 also returns a processing result returned from the called operation permission / rejection determination unit 112 or the permit issuing unit 115 to the application 41 as a SOAP message.

  In response to a request from the application 41, the operation permission / rejection determination unit 112 determines whether the user of the application 41 is permitted to perform various operations on any document based on security information managed in the policy 114, the permit management table 117, and the like. It is a module that has a function for making a determination. The policy management unit 113 is a module for providing an interface for accessing the policy 114 to the higher-level modules (here, the operation permission / rejection determination unit 112 and the permit issuing unit 115).

  The policy 114 classifies the subject (user) who operates the document based on a predetermined standard as information constituting a part of the security information, and the resource (document) to be operated is based on the predetermined standard. In the case of classification, the file defines security rules (rules) for performing permission / refusal determination regarding various operations in accordance with the combination of the subject classification and the resource classification.

  FIG. 4 is a diagram conceptually showing the definition contents of the policy. In the table 1140 of FIG. 4, when a user is classified according to a role and a relationship with a document, and a document is classified according to a state and a confidentiality level, whether or not various operations are permitted for each combination of the user classification and the document classification. Security rules for are shown.

  The role is a parameter for classifying the user according to the role of the user (general employee, managerial employee, temporary employee, etc.) in the organization to which the user such as a company belongs. In Table 1140, the role is specified by the column 1141. . The relationship with the document is a parameter for classifying the user according to whether or not the user is a document related person. In the present embodiment, if the department to which the user belongs and the document management department are the same, the user is considered to be a person concerned with the document, and if the user is different, the user is not a person concerned with the document. Is done. In table 1140, column 1142 identifies the relationship with the document.

  The state is a parameter for classifying the document according to the state in the life cycle of the document. For example, the state includes a state of being created, completed, and discarded. In the table 1140, the state of the document is specified by a column 1143. The confidential level is a parameter for classifying the document according to the confidentiality of the document, and includes, for example, a confidential level such as top secret, secret, and internal secret. In the table 1140, security rules for confidential, confidential, and confidential documents are assigned to the columns 1144, 1145, and 1146, respectively.

  In the figure, each area surrounded by a broken line indicates a unit formed for each combination of the above parameters. For each unit, whether each operation is permitted or not is defined by ○ (permitted) or × (non-permitted) next to the operation name, and the line below the operation name indicates when the operation is performed. The contents of the responsibilities to be imposed are defined. Therefore, from Table 1140, for example, when the document 1 is a secret document and a completed document, and the user A is a general employee and is a person related to the document 1, the user A You can browse, but you know that you have to record the log.

  If the document is further classified by other parameters, for example, document categories (specifications, minutes, reports, etc.), the contents shown in Table 1140 can be defined for each document category. In addition, since the criteria for classifying users and documents are just parameters, various types can be used depending on the circumstances and system of the organization. What is necessary is just to select suitably.

  Returning to FIG. The permit issuing unit 115 is a module in which a function for issuing a new permit is implemented in response to a request from the application 41. Issuing a permit means registering a new permit in the permit management table 117. The permit is security information for permitting a specific user to perform a specific operation for a specific document, and details thereof will be described later. The permit management unit 116 is a module for providing an interface for accessing the permit management table 117 to the upper modules (here, the operation permission / rejection determination unit 112 and the permit issuing unit 115).

  The permit management table 117 is a table for managing permits. FIG. 5 is a diagram showing a configuration example of the permit management table. One record (row) in the permit management table 117 corresponds to one permit. The permit is composed of items such as user designation, document designation, operation type, responsibility, and comment. The user designation is an item for designating the user to whom the permit is applied. For example, by designating one user by the user ID or by designating the department or role, the department or role It is possible to specify a plurality of users classified into the category.

  The document designation is an item for designating a document to which a permit is applied. For example, by specifying one document by a document ID, or by specifying a management department or a document category, A plurality of documents classified into the document category can be designated. The operation type is an item for designating the type of operation permitted by the permit. Responsibility is an item in which the content of the responsibility imposed in the operation permitted by the permit is defined. The comment is an item for recording the reason why the permit is issued, for example. Therefore, for example, the license on the first line in the license management table 117 can be said to be a permit for permitting printing of a document having a document ID “00000ABC” to a user having a user ID “070B2AEC”. . However, according to the permit, it is understood that the user must record a log at the time of printing, and printing is permitted only once until 2004/10/10.

  As described above, the definition (security rule) in the policy 114 is comprehensive and abstract with respect to the authority to operate the document, whereas the definition in the permit can be said to be partial and specific. In the following, an example of constructing a flexible security system using two types of security information having different properties will be described.

  First, as the first embodiment, an example in which permission is determined with priority given to the policy 114 will be described. FIG. 6 is a diagram illustrating a relationship between a policy and a permit in the first embodiment. FIG. 6 shows that when a policy definition for a document classified by a confidential level, a document category, or the like interferes with a permit definition, the permit definition has priority.

  7, 8, and 9 are diagrams illustrating examples of policy definitions in the first embodiment. The policy 114a in FIG. 7 and the like is defined based on XACML (eXtensible Access Control Markup Language) specifications. 7, 8, and 9 show the definitions made in one file divided for convenience. In the policy 114a, the definition corresponding to one security rule corresponds to a Rule definition surrounded by <Rule> tags. In the figure, Rule definition r1 (FIG. 7), Rule definition r2, Rule definition r3 (FIG. 8), Rule definition r4 (FIG. 9), etc. are displayed as Rule definitions. Each Rule definition includes a Target definition surrounded by <Target> tags as an element. For example, the Rule definition r1 includes a Target definition t1.

  The Target definition is a definition for specifying the target (subject, resource, operation) to which the security rule is applied. The Subject definition is enclosed in <Subject (s)> tags, and is enclosed in <Resource (s)> tags. Resource definition, Action definition enclosed in <Action (s)> tags, and the like. The Subject definition is a definition for specifying the classification of the subject to which the security rule is applied. The Resource definition is a definition for specifying a resource classification to which the security rule is applied. The Action definition is a definition for specifying the type of operation to which the security rule is applied. For example, from the target definition t1, the Rule definition r1 is specified to be a security rule that is applied when determining permission / refusal of browsing (operation) of a secret document (resource) by a party (subject).

  The result of the permission / refusal determination when the security rule is applied is specified by the value of the Effect attribute of the Rule definition. That is, if the value of the Effect attribute is “Permit”, the determination result is “permitted”, and if it is “Deny”, the determination result is “not permitted”. For example, since the value of the Effect attribute e1 of the Rule definition r1 is “Permit”, it can be seen that the determination result when the Rule definition r1 is applied is “permitted”. As described above, the Rule definition r1 defines “permission of browsing of secret documents by related parties”.

  One or more Rule definitions can be grouped by a Policy definition surrounded by <Policy> tags. In the figure, Policy definition p1 (FIG. 7), Policy definition p2, Policy definition p3 (FIG. 8), Policy definition p4 (FIG. 9), and the like are displayed as Policy definitions. One Policy definition can include an Obligation definition surrounded by <Obligation (s)> tags, a Description definition enclosed by <Description> tags, and the like. For example, the Policy definition p1 includes an Origin definition o1 and a Description definition d1.

  The Origin definition is a definition for prescribing an obligation to be compulsory when an operation on a resource is permitted, and is commonly applied to all Rule definitions belonging to the Policy definition including the Origin definition. However, in the present embodiment, the Policy definition and the Rule definition correspond one-to-one. This is because, in the specification of XACML, the definition of the definition is defined for each policy definition, but in the present embodiment, it is desired to associate the definition of the definition for each rule definition. The “Obligation definition o1” defines “log recording” as an obligation. Accordingly, the Policy definition p1 defines that “permission of browsing of secret documents by related parties is permitted. However, a log must be recorded when browsing”.

  In the description definition, an explanatory text describing the definition content of the Rule definition in the Policy definition to which the description definition belongs is defined.

  In the Policy definition, a PolicyID attribute is further defined. The PolicyID attribute is an ID for uniquely identifying each Policy definition. For example, the value of the PolicyID attribute i1 of the Policy definition p1 is defined as “Policy1”.

  FIG. 10 is a diagram conceptually showing the policy definition contents in the first embodiment. That is, the table 1140a in FIG. 10 displays the definition contents derived from the description in the policy 114a shown in FIG. As shown in FIG. 10, according to the description in the policy 114a, the type of operation (viewing) according to the combination of the subject classification (document related person or non-related person) and the document classification (confidential, confidential, confidential). , Printing), permission / rejection (O or X), responsibility, and description of definition contents are defined. In FIG. 10, the user roles, document states, document categories, and the like shown in FIG. 10 are excluded, but this is for convenience of explanation.

  Hereinafter, the processing procedure of the security management server 10 in FIG. 3 will be described. FIG. 11 is a flowchart for explaining operation permission / inhibition determination processing by the security management server in the first embodiment.

  In step S110, when the operation permission / rejection determination unit 112 is called based on a permission / rejection determination request from the application 41, the operation permission / rejection determination unit 112 displays the user specified as the permission determination target in the request from the application 41 (current User) and document (current document) classification. In the permission / rejection determination request from the application 41, in addition to the user and the document, the type of operation (current operation) targeted for permission / rejection determination is specified. Proceeding to step S120 following step S110, the operation permission / rejection determination unit 112 obtains a permit (hereinafter referred to as “application permit”) corresponding to the combination of the current user, the current document, and the current operation, and the permit management unit 116. From the permit management table 117, and applying the application permit to determine whether to permit or not.

  If there is an application permit in the permit management table 117 (YES in step S130), the operation permission determination unit 112 transmits the determination result in step S120 to the application 41 via the security service layer 111, and ends the process. . On the other hand, if there is no application permit in the permit management table 117, the permission / rejection determination is executed based on the policy 114a, and the determination result is transmitted to the application 41 (S140).

  Subsequently, the determination target classification process in step S110 will be described in more detail. FIG. 12 is a flowchart for explaining classification processing of a determination target by the operation permission / rejection determination unit.

  In step S111, a permission / rejection determination request is received from the application 41. In the permission determination request, a document ID, a ticket, an operation type, and the like are specified as arguments. The document ID is information for specifying the current document. The ticket is a ticket issued by the authentication service 31 when the application 41 receives user authentication, and is information for specifying the current user. The operation type is information for specifying the current operation (viewing, printing, editing, or deletion).

  Proceeding to step S112 following step S111, a ticket is presented (transmitted) to the authentication service 31 to obtain attribute information (hereinafter referred to as “user profile”) of the current user, and the user of the current user is obtained from the user profile. ID, department, role, etc. are specified (S113) Proceeding to step S114 following step S113, attribute information such as the confidential level, creator, management department, and document category of the current document is acquired based on the document ID. . This attribute information may be acquired from the document management service 21. In the security service 11, only attribute information related to document classification is extracted and managed in advance, and acquired from there. Good.

  In step S115 following step S114, the current user's affiliation document is compared with the management department of the current document to determine whether or not the current user is a related party of the current document (hereinafter referred to as “related party flag”). .) Further, for example, in the policy 114, when the user is classified according to whether or not the user is a document creator, the current user is made current by comparing the user name of the current user with the creator of the current document. It is specified whether or not the document creator (hereinafter referred to as “creator flag”).

  Progressing to step S116 following step S115, the department of the current user identified above, the related party flag and the creator flag (hereinafter referred to as “user classification information”), the document ID of the current document, the document category, The confidential level and the management department (hereinafter referred to as “document classification information”) and the type of the current operation are output as determination target information.

  Next, the operation permission / inhibition determination process based on the permit in step S120 (FIG. 11) will be described. FIG. 13 is a flowchart for explaining an operation permission determination process based on a permit by the operation permission determination unit.

  In step S121, operation target information is received as input information. Subsequent to step S121, step S122 and subsequent steps are loop processing for each permit managed in the permit management table 117 (S122). First, one permit is extracted from the permit management table 117 (current permit) (S123), and the current permit is checked by comparing the user designation, document designation, and operation type with the operation target information in the current permit. It is checked whether the certificate is for the current user, the current document, and the current operation (application certificate) (S124). If the current permit is an application permit (YES in S125), the current operation is permitted and the contents of the responsibility defined in the current permit are output as a determination result (S126).

  On the other hand, if the current permit is not an applicable permit, the process returns to step S122 so as to process the next permit. If none of the permits in the permit management table 117 is an application permit (NO in step S122), it is output as a determination result that there is no application permit.

  Next, the operation permission / rejection determination process based on the policy 114a in step S140 (FIG. 11) will be described. FIG. 14 is a flowchart for explaining an operation permission determination process based on a policy by the operation permission determination unit.

  In step S141, operation target information is received as input information. Subsequent to Step S141, Step S142 and subsequent steps are loop processing for each Policy definition in the policy 114a (S142). First, one Policy definition is processed in the order defined in the policy 114a (S143). Therefore, at first, the Policy definition p1 becomes the Policy definition to be processed (hereinafter referred to as “current Policy definition”). Progressing to step S144 following step S143, the Rule definition (current Rule definition) belonging to the current Policy definition is a Rule definition (applied Rule definition) to be applied to the combination of the current user, the current document, and the current operation. It is determined whether or not. That is, the value of the Subject definition in the Target definition (for example, Target definition t1, hereinafter referred to as “Current Target definition”) belonging to the current Rule definition (for example, Rule definition r1) indicates the classification to which the current user belongs, and the Resource definition The value of indicates the classification to which the current document belongs, and if the value of the Action definition matches the current operation, it is determined that the current Rule definition is an applicable Rule definition. On the other hand, when at least one of them does not correspond, it is determined that the current Rule definition is not an applicable Rule definition, and the process returns to Step S142 to set the next Policy definition as a processing target.

  If it is determined that the current Rule definition is an applicable Rule definition, the process advances to step S145 to execute permission / rejection determination based on the Effect attribute of the current Rule definition, and the contents of the responsibility from the Obligation definition and Description definition belonging to the current Policy definition. Then, a definition content explanation and the like are extracted and output as a processing result together with a determination result of permission / rejection determination.

  If no applicable Rule definition is found in the policy 114a (NO in S142), the determination result is output as indefinite. Whether or not the current operation is actually permitted when the determination result is indefinite may be determined based on the circumstances of the application 41.

  As described above, according to the security management server 10 in the first embodiment, the permission granted in the policy 114 is granted by preferentially applying the definition by the permit to the definition in the policy 114. Thus, a permit can be made to function as information for granting additional authority. Therefore, even if access control is performed based on the policy 114 that cannot easily change the contents because of the nature that uniform security rules are defined across multiple systems, for example, temporary workers are temporarily Flexible access control according to exceptional situations, such as when granting specific authority.

  By the way, in the first embodiment, the relationship between the policy 114 and the permit is fixed such that the permit is always given priority. However, it may not be desirable for the definitions in policy 114 to be easily overwritten by a readily issueable permit. Therefore, as a second embodiment, an example in which the relationship between the definition in the policy 114 and the permit, that is, the priority between the two can be arbitrarily specified will be described. FIG. 15 is a diagram illustrating a relationship between a policy and a permit according to the second embodiment. In FIG. 15, for example, the priority is given to the definition of permit for confidential documents and confidential documents, and the priority is given to definition of policy 114 for confidential documents. It shows that the relationship with the testimony will change.

  16, FIG. 17 and FIG. 18 are diagrams showing examples of policy definitions in the second embodiment. The definition contents of the policy 114b in FIG. 16 and the like are substantially the same as those in the policy 114a (FIG. 7 and the like) in the first embodiment. However, in FIG. 16 and the like, a difference is that a superior attribute is added to each Rule definition. That is, superior attributes sp1, sp2, sp3, and sp4 are added to the Rule definitions r1, r2, r3, and r4, respectively. The “superior” attribute indicates that when interference occurs with a permit for the security rule in the Rule definition, that is, the subject of the Rule definition (subject, resource, operation) is the subject of the permit (user designation, document designation, operation type). Is an attribute for designating whether or not to give priority to the permit, when the value is “TRUE”, the priority is given to the permit, and in the case of “FALSE”, the Rule definition Indicates that priority is given. Therefore, in the policy 114b, the rule definition r2 is defined to prioritize the permit.

  The processing procedure of the security management server 10 in the second embodiment will be described below. FIG. 19 is a flowchart for explaining operation permission / inhibition determination processing by the security management server in the second embodiment.

  In step S210, based on a permission determination request from the application 41, the operation permission / rejection determination unit 112 identifies classifications such as a user (current user) and a document (current document) that are specified as a permission determination target. Details of this processing are as described in FIG. Progressing to step S230 following step S220, the operation permission / rejection determination unit 112 performs the operation permission / rejection determination based on the policy 114b, and whether or not the applied Rule definition in the operation permission / rejection determination gives priority to the permit. Determine.

  When the applied Rule definition gives priority to the permit (YES in S220), the process proceeds to step S240, and the operation permission / rejection determination unit 112 executes the operation permission / rejection determination based on the permit. Details of this processing are as described in FIG. If there is an application permit in the permit management table 117 (YES in step S250), the operation permission determination unit 112 transmits a determination result based on the permit in step S240 to the application 41 via the security service layer 111. End the process. On the other hand, if there is no application permit in the permit management table 117 (NO in step S250), or if the applied Rule definition does not prioritize the permit (No in step S230), the policy 114b in step S220. The determination result based on is transmitted to the application 41 (S270).

  Next, the details of the operation permission / rejection determination based on the policy 114b and the priority determination process with the permit in step S220 will be described. FIG. 20 is a flowchart for explaining an operation permission determination process based on a policy and a priority determination process with a permit by the operation permission determination unit.

  In FIG. 20, the processing from step S221 to S225 is the same as the processing from step S141 to S145 described in FIG. That is, the application rule definition is specified from the rule definitions in the policy 114b, and permission / rejection determination is executed based on the application rule definition.

  Progressing to step S226 following step S225, priority determination with a permit is executed based on the superior attribute of the applied Rule definition. That is, if the value of the superior attribute of the applied Rule definition is TRUE, it is determined that the permit is given priority, and if it is FALSE, it is determined that the permit is not given priority. Thereafter, the result of the operation permission / rejection determination and the result of the priority determination of the permit are output.

  As described above, according to the security management server 10 in the second embodiment, it is controlled whether to give priority to the license for each Rule definition in the policy 114, that is, for each combination of user, document, and operation type. be able to. Therefore, more flexible access control is possible, and deterioration of the security level due to easy issuance of a permit can be prevented.

  By the way, in the second embodiment, since the issued permit is not necessarily prioritized, an invalid permit may be issued for a part or all of it. That is, even if a permit is issued, the operation targeted by the permit is not always permitted. Therefore, an example of adjusting the relationship between the policy 114 and the permit at the stage of issuing the permit will be described as a third embodiment in order to prevent the occurrence of such a situation. FIG. 21 is a diagram illustrating a relationship between a policy and a permit according to the third embodiment. In FIG. 21, it is possible to issue a permit for a secret document or a confidential document, but for a confidential document, it is shown that the issuance of a permit is prohibited. Accordingly, a permit for a secret document and an external secret document is issued. In this case, the permit is preferentially applied.

  22, FIG. 23 and FIG. 24 are diagrams showing examples of policy definitions in the third embodiment. The definition contents of the policy 114c in FIG. 22 and the like are substantially the same as those in the poly 4 114b (FIG. 16 and the like) in the second embodiment. However, in FIG. 22 and the like, the difference is that an overwritable attribute is defined in each Rule definition instead of the superior attribute. That is, overwriteable attributes w1, w2, w3, and w4 are defined in Rule definitions r1, r2, r3, and r4, respectively. The overwritable attribute is an attribute for designating whether or not the rule definition can be overwritten by a permit. When the value is “Permit”, the overwriting by the permit is permitted. When the value is “Deny”, the permit Indicates that overwriting by is prohibited. Therefore, in the policy 114c, it is defined that the rule definition r2 is prohibited from being overwritten by a permit.

  The processing procedure of the security management server 10 in the third embodiment will be described below. FIG. 25 is a flowchart for explaining a permit issuing process by the security management server in the third embodiment.

  In step S310, when the permit issuing unit 115 is called based on the issuance request of the permit from the application 41, the permit issuing unit 115 determines whether or not the requested permit is issued from the application 41. Judgment is based on a Rule definition that interferes with a permit. If a permit can be issued (YES in step S320), the permit issuing unit 115 provides a permit for the user, document, operation type, and the like designated by the application 41. Is registered in the permit management table 117 (S330). On the other hand, if it is determined that the permit cannot be issued (NO in step S320), the permit issuing unit 115 ends the process without issuing the permit.

  Subsequently, the permit issue determination process in step S310 will be described in more detail. FIG. 26 is a flowchart for explaining a process for determining whether or not a permit is issued by the permit issuing unit.

  In step S311, a license issuance request from the application 41 is accepted. In the permit issuance request, values (user designation, document designation, operation type, responsibility, comment, etc.) corresponding to each item constituting the permit are designated as arguments. Subsequent to step S311, S312 and subsequent steps are loop processing for each Rule definition in the policy 114c (S312). First, one Rule definition is processed in the order defined in the policy 114c (S313). Therefore, at first, the Rule definition p1 becomes the Rule definition to be processed (current Rule definition).

  Proceeding to step S314 following step S313, it is determined whether or not the current Rule definition permits a certificate that is requested to be issued (hereinafter referred to as “request certificate”) interferes with the current Rule definition. That is, if the user specification, document specification, and operation type of the request permit are values corresponding to the subject definition, resource definition, and action definition in the target definition belonging to the current rule definition, they are definitions for the same target. Therefore, it is determined that the request permit and the current Rule definition interfere with each other. In other cases, since both are definitions for different objects, it is determined that the request permit and the current Rule definition do not interfere with each other.

  If it is determined that the request permit and the current Rule definition interfere with each other, the process proceeds to step S315, and it is determined whether the current Rule definition can be overwritten by the permit based on the overwrite attribute of the current Rule definition. To do. If overwriting with a permit is not permitted, it is determined that a request permit cannot be issued (S316), and the process ends. On the other hand, if overwriting with a permit is permitted in the current Rule definition (YES in S315), or if the request permit does not interfere with the current Rule definition (NO in S314), the next Rule definition is processed. It returns to step S312 to make it a target. If it is confirmed that interference with the request permit does not occur for all Rule definitions (YES in S312), it is determined that the request permit can be issued (S317), and the process ends.

  That is, in the process of FIG. 26, in consideration of the case where the issuance of a permit that requires a target range (user, document, operation) over a plurality of Rule definitions is required, interference with the Rule definition in all of the ranges. Even if there is interference, it is possible to issue a permit when overwriting with a permit is permitted within the interference range, and at least part of the permit is prohibited from being overwritten If it interferes with the Rule definition, it is determined that it is impossible to issue a permit.

  Note that the permit issued in this way may be applied with priority over the policy 114c in the same manner as the processing described in the first embodiment when determining whether to permit or reject an operation.

  As described above, according to the security management server 10 in the third embodiment, the relationship between the policy 114 and the permit is adjusted at the issuance stage of the permit. Guaranteed to be valid in range. Therefore, trust for the permit can be increased.

  The preferred embodiments of the present invention have been described in detail above, but the present invention is not limited to such specific embodiments, and various modifications can be made within the scope of the gist of the present invention described in the claims.・ Change is possible.

It is a figure which shows the structural example of the document management system in embodiment of this invention. It is a figure which shows the hardware structural example of the security management server in embodiment of this invention. It is a figure which shows the security management server functional structural example in embodiment of this invention. It is a figure which shows notionally the definition content of a policy. It is a figure which shows the structural example of a permit management table. It is a figure which shows the relationship between the policy and permit in 1st embodiment. It is a figure which shows the example of a policy definition in 1st embodiment. It is a figure which shows the example of a policy definition in 1st embodiment. It is a figure which shows the example of a policy definition in 1st embodiment. It is a figure which shows notionally the policy definition content in 1st embodiment. It is a flowchart for demonstrating the operation permission determination processing by the security management server in 1st embodiment. It is a flowchart for demonstrating the classification process of the determination target by the operation permission determination part. It is a flowchart for demonstrating the operation permission determination processing based on the permit by the operation permission determination part. It is a flowchart for demonstrating the operation permission determination processing based on the policy by the operation permission determination part. It is a figure which shows the relationship between the policy and permit in 2nd embodiment. It is a figure which shows the example of a policy definition in 2nd embodiment. It is a figure which shows the example of a policy definition in 2nd embodiment. It is a figure which shows the example of a policy definition in 2nd embodiment. It is a flowchart for demonstrating the operation permission determination processing by the security management server in 2nd embodiment. It is a flowchart for demonstrating the operation permission determination process based on the policy by the operation permission determination part, and the priority determination process with a permit. It is a figure which shows the relationship between the policy and permit in 3rd embodiment. It is a figure which shows the example of a policy definition in 3rd embodiment. It is a figure which shows the example of a policy definition in 3rd embodiment. It is a figure which shows the example of a policy definition in 3rd embodiment. It is a flowchart for demonstrating the permit issuing process by the security management server in 3rd embodiment. It is a flowchart for demonstrating the permission decision | availability determination processing of the permit issuing by a permit issuing part.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Document management system 10 Security management server 11 Security service 20 Document management server 21 Document management service 30 Authentication server 31 Authentication service 40 Client apparatus 41 Application 51 Print server 52 Conversion server 53 Distribution server 60 Network 100 Drive apparatus 101 Recording medium 102 Auxiliary storage Device 103 Memory device 104 Processing unit 105 Interface device 111 Security service layer 112 Operation permission / rejection determination unit 113 Policy management unit 114 Policy 115 Permit issuance unit 116 Permit management unit 117 Permit management table B bus

Claims (13)

Storing definition information a rule is defined about the permission determination of the operation for each type of the operation in accordance with the combination of the attribute information of the user operating the attribute information of data managed and the data in the data management device Definition information storage means;
An operation permission information storage means for storing the operation permission information type is defined in the operations that are allowed for a particular user for a particular data;
The definition information storage unit or the operation permission information storage unit searches the attribute information of the user related to permission / rejection determination, the attribute information of the data, and the rule and the operation permission information corresponding to the type of operation. Permission determination means for performing permission determination on the type of the operation on the data by the user based on the rule or the searched operation permission information ,
Each of the rules, including the relationship between identification information indicating dominance relationship in the permission determination of the rules and the operation permission information,
The permission / refusal determination means prioritizes the retrieved operation permission information with respect to the rule based on the superiority / inferiority relationship indicated by the relationship identification information included in the retrieved rule, and performs the permission / rejection determination. An information processing apparatus characterized by determining whether or not . In the case where the operation permission information corresponding to the attribute information of the user, the attribute information of the data, and the type of the operation related to the permission determination is not searched , the permission determination unit is based on the searched rule . the information processing apparatus according to claim 1, wherein performing said permission determination Te. The permission / refusal determination unit is a case where it is determined that priority is given to the operation permission information, and the attribute information of the user, the attribute information of the data, and the type of the operation related to the permission determination when the operation permission information has been retrieved, the information processing apparatus according to claim 1, wherein the benzalkonium execute the permission determination based on the manipulation permission information. The permission determination means, wherein when it is determined the fact that not give priority to the operation permission information, claims 1 to 3 any one claim and executes the permission determination based on the retrieved the rule Information processing device. Stores definition information in which rules relating to permission / inhibition of the operation are defined for each type of operation according to a combination of attribute information of data managed in the data management apparatus and attribute information of a user who operates the data. Definition information storage means;
Operation permission information generating means for generating operation permission information in which the type of operation permitted for the specific user with respect to the specific data is defined ;
Each of the rules includes application permission / rejection information indicating permission / inhibition of application of the operation permission information to the rule,
The operation permission information generating unit searches the rule corresponding to the attribute information of the specific data, the attribute information of the specific user, and the type of the operation from the definition information storage unit, and the searched rule is The information processing apparatus is characterized in that the operation permission information is not generated when the application permission / refusal information includes that the application is not permitted . The operation permission information generation means does not generate the operation permission information when the application permission information included in at least a part of the retrieved plurality of rules indicates that the application is not permitted. The information processing apparatus according to claim 5 . The definition information, the information processing apparatus of claims 1 to 6 any one claim, characterized in that it is defined based on XACML. An operation permission determination method in which a computer executes permission determination for an operation on data managed in a data management device ,
According to the combination of the attribute information of the data and the attribute information of the user who operates the data, the definition information storage means for storing the definition information in which a rule regarding the permission determination of the operation is defined for each type of the operation. A rule search procedure for searching the rule corresponding to the attribute information of the user related to the determination, the attribute information of the data, and the type of operation;
From operation permission information storage means for storing operation permission information in which the type of operation permitted for a specific user for the specific data is defined, user attribute information related to permission / rejection determination, attribute information of the data, And an operation permission information search procedure for searching for the operation permission information corresponding to the type of operation,
A permission determination procedure for performing permission determination on the type of the operation on the data by the user based on the retrieved rule or the retrieved operation permission information,
Each of the rules includes relationship identification information indicating a superiority or inferiority relationship in the permission determination between the rule and the operation permission information,
In the permission / refusal determination procedure, the permission / rejection determination is performed by prioritizing the retrieved operation permission information over the rule based on the superiority / inferiority relationship indicated by the relationship identification information included in the retrieved rule. An operation permission / rejection determination method characterized by determining whether or not . Stores definition information in which rules relating to permission / inhibition of the operation are defined for each type of operation according to a combination of attribute information of data managed in the data management apparatus and attribute information of a user who operates the data. A computer having definition information storage means
Performing an operation permission information generation procedure for generating operation permission information in which the type of operation permitted for the specific user with respect to the specific data is defined;
Each of the rules includes application permission / rejection information indicating permission / inhibition of application of the operation permission information to the rule,
The operation permission information generation procedure searches the rule corresponding to the attribute information of the specific data, the attribute information of the specific user, and the type of operation from the definition information storage unit, and the searched rule is The operation permission information generation method , wherein the operation permission information is not generated when the application permission information including the information indicates that the application is not permitted . An operation permission / rejection determination program for causing a computer to execute permission / rejection determination on an operation on data managed in a data management device,
According to the combination of the attribute information of the data and the attribute information of the user who operates the data, the definition information storage means for storing the definition information in which a rule regarding the permission determination of the operation is defined for each type of the operation. A rule search procedure for searching the rule corresponding to the attribute information of the user related to the determination, the attribute information of the data, and the type of operation;
From operation permission information storage means for storing operation permission information in which the type of operation permitted for a specific user for the specific data is defined, user attribute information related to permission / rejection determination, attribute information of the data, And an operation permission information search procedure for searching for the operation permission information corresponding to the type of operation,
Allowing the computer to execute a permission determination procedure for performing permission determination on the type of the operation on the data by the user based on the retrieved rule or the retrieved operation permission information;
Each of the rules includes relationship identification information indicating a superiority or inferiority relationship in the permission determination between the rule and the operation permission information,
In the permission / refusal determination procedure, the permission / rejection determination is performed by prioritizing the retrieved operation permission information over the rule based on the superiority / inferiority relationship indicated by the relationship identification information included in the retrieved rule. An operation permission / rejection determination program characterized by determining whether A computer-readable recording medium on which the operation permission / inhibition judging program according to claim 10 is recorded. Stores definition information in which rules relating to permission / inhibition of the operation are defined for each type of operation according to a combination of attribute information of data managed in the data management apparatus and attribute information of a user who operates the data. In a computer having definition information storage means,
Executing an operation permission information generation procedure for generating operation permission information in which the type of operation permitted for the specific user with respect to the specific data is defined;
Each of the rules includes application permission / rejection information indicating permission / inhibition of application of the operation permission information to the rule,
The operation permission information generation procedure searches the rule corresponding to the attribute information of the specific data, the attribute information of the specific user, and the type of operation from the definition information storage unit, and the searched rule is The operation permission information generation program , wherein the operation permission information is not generated when the application permission information includes the application permission information . A computer-readable recording medium on which the operation permission / inhibition information generating program according to claim 12 is recorded.

Images