JP2007018309A - Database apparatus, DB access control apparatus, access control system, access control method, and access control program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent deterioration in performance of a data access program for accessing a database while reducing a management load when the attribute information is changed in database access control based on attribute information such as a user attribute. To do.
A context storage unit 430 stores attribute information regarding a user who accesses a data object acquired from an attribute management server 200. Further, the policy function storage unit 440 stores a policy function that generates a control condition based on the attribute information stored in the context storage unit 430. The function execution unit 450 executes the policy function when the user accesses the data object with the data access program. The control condition adding unit 460 adds the control condition generated by the policy function to the data access program. The execution unit 470 executes the data access program to which the control condition is added.
[Selection] Figure 1

Description

  The present invention relates to control of access to data managed by a database apparatus.

As a measure to protect information stored in a conventional DB (database) from unauthorized use, the user is registered for each table or view, and the user's access authority is set according to attributes such as the user's affiliation and job title. There was a method. That is, when a user accesses a table or view, the contents of the DB are displayed or hidden depending on the access authority set for the accessed table or view. However, the information managed by the DB has increased, and the number of users who use the DB has increased in proportion to this. Further, according to the conventional measures, it is necessary to make various setting changes even when the attributes such as the job title and affiliation of the user are changed due to personnel changes or organizational changes. For this reason, it has been a heavy burden on the administrator to protect the information stored in the DB from unauthorized use by the above-described measures.
On the other hand, Japanese Patent Application Laid-Open No. 2005-31862 discloses a technique for performing access control by using metadata such as DB table definitions and table column definitions, and directory information managing user attributes. ing. In JP-A-2005-31862, even when there is a change in attribute information such as a user, the access control to the DB is maintained without changing the control information set in the table of the existing DB. Technology is disclosed. In realizing JP-A-2005-31862, it was necessary to interpret a data access program such as a SQL (Structured Query Language) program at the time of access execution and generate an access control condition for the DB by comparing with directory information. . Here, for example, in the case of an SQL program, the access condition is generated as a WHERE clause.
JP 2005-31862 A

The conventional method has a problem that the management load when the attribute information is changed is large.
In the method disclosed in JP-A-2005-31862, it is necessary to interpret the data access program and rewrite the data access program based on the interpretation when executing access to the DB. This processing is complicated in some cases, and there is a problem that the performance of the data access program is lowered.
An object of the present invention is to solve these problems and to minimize processing performed by a DB access control device when executing DB access.

The present invention is a database (database) that manages data objects connected to an attribute management server that manages and stores attribute information related to a business server and a DB access control device that acquires attribute information from the attribute management server via a network. ) In the apparatus, when the business server accesses the data object, a context storage unit that acquires and stores attribute information related to the business server acquired from the attribute management server by the DB access control apparatus from the DB access control apparatus, and attribute information A policy function storage unit that stores a policy function associated with a data object, and a program reception unit that receives a data access program issued by the business server to access the data object. And the above pro When the ram reception unit receives the data access program, the attribute information stored in the context storage unit is input, the policy function stored in the policy function storage unit is executed, and the control condition in which the attribute information is embedded is returned. A function execution unit that outputs the control function, a control condition that is a return value of the policy function output by the function execution unit, and a control condition addition unit that adds the control condition to the data access program, and the control condition addition unit And an execution unit that accesses a data object by executing an access program to which a control condition is added.

  According to the database device of the present invention, the control condition based on the attribute information acquired from the attribute management server is generated by executing the policy function, so that the DB setting is changed when the attribute information is updated. It does not take time to do. Further, since the policy function set in advance is executed, the processing at the time of executing the DB access is not complicated, and the performance of the data access program is not deteriorated.

  Hereinafter, the present invention will be described based on embodiments shown in the drawings.

Embodiment 1 FIG.
First, the first embodiment will be described. In the first embodiment, a method of applying access control based on attribute information to a record (row) of a data object managed by a DB will be described.

  FIG. 1 is a functional block diagram illustrating functions of the access control system 1000 according to the first embodiment. Based on FIG. 1, functions of the access control system 1000 according to the first embodiment will be described.

  The access control system 1000 includes a business server 100, an attribute management server 200, a DB access control device 300, and a database device 400. It is assumed that the business server 100, the attribute management server 200, the DB access control device 300, and the database device 400 are connected via a network.

  When the user 20 accesses the database device 400, the business server 100 receives an instruction from the user 20 and returns a response from the database device 400. The business server 100 accesses a data object managed by the database device 400 by issuing a data access program. Here, it is assumed that the data access program is an SQL program.

The attribute management server 200 manages and stores attribute information. The attribute management server 200 is a directory provided with an interface such as LDAP (Lightweight Directory Access Protocol). The attribute management server 200 can have a function suitable for handling a hierarchical structure such as user information and organization information as shown in FIG. The attribute management server 200 includes an attribute information storage unit 210 and a definition information storage unit 220.
The attribute information storage unit 210 manages and stores attribute information related to the business server 100. The attribute information storage unit 210 manages and stores attribute information related to the user 20 who uses the business server 100, for example. Here, it is assumed that the attribute information storage unit 210 manages and stores user information and organization information regarding the user 20 who uses the business server 100 as attribute information. The definition information storage unit 220 stores definition information of data objects managed by the database apparatus 400, access control information, and the like. Here, it is assumed that the database device 400 is an RDB (Relational DataBase) or the like. Therefore, the definition information storage unit 220 stores table definition information, which is table definition information managed by the database device 400, row control information, and column control information. The definition information storage unit 220 stores the row control information and the column control information in association with the table definition information. The table definition information is more generally data object definition information. The column control information is more generally an access control condition associated with the item (field) of the record, and the row control information is more generally an access control condition for the record based on the record value. is there. Further, the data object is not limited to a table, and may be a view or an index.

The DB access control device 300 controls access from the business server 100 to data objects managed by the database device 400. The DB access control apparatus 300 includes a DB access control execution unit 310 and a DB access control management unit 350.
The DB access control execution unit 310 accesses the data object managed by the database device 400 based on the attribute information related to the business server 100 when the business server 100 accesses the data object managed by the database device 400. To control. The DB access control execution unit 310 includes an attribute acquisition unit 320, an attribute storage unit 330, and an attribute transmission unit 340. The attribute acquisition unit 320 acquires attribute information stored in the attribute information storage unit 210 when the business server 100 accesses a data object managed by the database device 400. First, the business server 100 may acquire attribute information stored in the attribute information storage unit 210, and then the attribute acquisition unit 320 may acquire attribute information from the business server 100. The attribute storage unit 330 stores the attribute information acquired by the attribute acquisition unit 320. The attribute transmission unit 340 transmits the attribute information stored in the attribute storage unit 330 to the database device 400.
The DB access control management unit 350 creates control information when the business server 100 accesses a data object managed by the database device 400 according to an instruction from the administrator 10 or the like. Here, the process performed by the DB access control management unit 350 is called provisioning. The DB access control management unit 350 includes a control information acquisition unit 360, a control information storage unit 370, a function generation unit 380, and a function control unit 390. The control information acquisition unit 360 acquires the control information stored in the definition information storage unit 220. That is, here, the control information acquisition unit 360 acquires the row control information and the column control information stored in the definition information storage unit 220. The control information storage unit 370 stores the control information acquired by the control information acquisition unit 360. The function generation unit 380 generates a policy function based on the control information stored in the control information storage unit 370. The policy function is a function that returns a control condition in which input attribute information is embedded. That is, the function generation unit 380 generates a policy function that returns a control condition based on the control information stored in the control information storage unit 370. The function control unit 390 stores the policy function generated by the function generation unit 380 in the database device 400 in association with the data object. The function control unit 390 associates the policy function with the data object based on the table definition information associated with the control information stored in the control information storage unit 370.

The database device 400 manages and stores data objects. The database device 400 includes a database system such as an RDB, and manages and stores data objects. The database apparatus 400 includes a program reception unit 410, an attribute reception unit 420, a context storage unit 430, a policy function storage unit 440, a function execution unit 450, a control condition addition unit 460, an execution unit 470, a result output unit 480, and a function addition unit 490. Is provided.
The program receiving unit 410 receives a data access program issued by the business server 100. The attribute reception unit 420 receives the attribute information transmitted by the attribute transmission unit 340. The context storage unit 430 stores the attribute information received by the attribute reception unit 420. The database device 400 can manage attribute information for each session by creating a context storage unit for each session that accesses the data object. Alternatively, the database device 400 may manage the attribute information for each session that accesses the data object using the single context storage unit 430. The context storage unit 430 may be realized as a device external to the database device 400. The policy function storage unit 440 stores the policy function associated with the data object by the function control unit 390. The policy function storage unit 440 can store a plurality of policy functions. The policy function storage unit 440 can also store a plurality of policy functions in association with one data object. The function execution unit 450 inputs the attribute information stored in the context storage unit 430 and executes the policy function stored in the policy function storage unit 440. The control condition adding unit 460 adds the return value of the policy function executed by the function executing unit 450 to the control condition of the data access program received by the program receiving unit 410. For example, when the data access program received by the program receiving unit 410 is an SQL program, the control condition adding unit 460 adds the return value of the policy function executed by the function executing unit 450 to the WHERE section. The execution unit 470 executes the data access program to which the control condition adding unit 460 has added the control condition. The execution unit 470 accesses the data object by executing the data access program. That is, the execution unit 470 accesses the data object under the control condition generated based on the control information managed by the attribute management server 200 and the attribute information related to the business server 100.

  Next, an example of the operation of the access control system 1000 according to the first embodiment will be described. FIG. 2 is an example of attribute information stored in the attribute information storage unit 210. FIG. 3 is a sales table 600 which is an example of a data object managed and stored by the database device 400. An example of the operation of the access control system 1000 according to the first embodiment will be described with reference to FIGS.

Here, a process when the employee a521 of the sales department 1 520 in FIG. 2 accesses the sales table 600 in FIG. 3 will be described. In FIG. 3, a month 601 stores information on the month indicating the month. Sales 602 stores the amount of sales. The department 603 stores the name of the department. Here, a flow of operations and processing for performing a control of permitting access only to the same row as the department to which the user 20 belongs to which the department 603 of the sales table 600 accesses is shown.
The processing of the access control system 1000 is realized by dividing into two phases of provisioning, which is advance preparation, and execution of access to a data object.

First, provisioning will be described.
First, the administrator 10 defines the definition information storage unit 220 by associating the row control information and the column control information with the definition information of the sales table 600. Here, it is assumed that the administrator 10 defines row control information that permits access only to rows that are the same as the department to which the user 20 belongs that is accessed by the department 603 of the sales table 600.
FIG. 4 is an example of row control information defined by the administrator 10. In FIG. 4, a code 611 stores index information that uniquely identifies row control information. The table name 612 stores the name of the table associated with the row control information. The column name 613 stores a column name used for control by the row control information. The user attribute 614 stores attribute information used by the line control information for control. The calculation condition 615 stores the calculation contents of the control performed by the row control information. FIG. 4 shows that access to the sales table 600 is permitted when the department 603 that is a column of the sales table 600 and the soshiki (affiliation department) of the user 20 to access are equal.

  Next, the administrator 10 instructs the DB access control management unit 350 to perform provisioning. Upon receiving the provisioning instruction, the DB access control management unit 350 generates a policy function based on the row control information stored in the definition information storage unit 220. Then, the DB access control management unit 350 registers the generated policy function in the policy function storage unit 440. The generation of the policy function will be described later.

After completing the provisioning, the employee a521 who is the user 20 logs in to the business server 100 and accesses the sales table 600. First, the business server 100 acquires the attribute information of the employee a521 from the attribute information storage unit 210. Here, the business server 100 acquires the sales department 1 520 as the department to which the employee a 521 belongs from the attribute information storage unit 210. Next, the business server 100 issues a data access program to the database device 400. On the other hand, the business server 100 instructs the DB access control execution unit 310 to access the sales table 600 and passes the acquired attribute information of the employee a521. Upon receiving an instruction from the business server 100, the DB access control execution unit 310 registers the acquired attribute information in the context storage unit 430. That is, the context storage unit 430 stores the sales department 1 520 as the department to which the employee a521 belongs as attribute information. In addition, the DB access control execution unit 310 instructs the database device 400 to access the sales table 600 using a data access program. The database device 400 inputs the attribute information registered in the context storage unit 430, and executes the policy function stored in the policy function storage unit 440 in provisioning. The database device 400 adds a control condition that is a return value of the executed policy function to the data access program, and executes the data access program. Here, the policy function uses a control condition that the access is permitted only in the same row as the department to which the user 20 that the department 603 accesses has been assigned. That is, the database device 400 executes the data access program with a control condition that permits access to only the same row as the department to which the user 20 belongs to the department 603 accesses the data access program.
In the above, the business server 100 acquires the attribute information of the employee a 521 from the attribute information storage unit 210 and passes it to the DB access control execution unit 310. However, the attribute information acquisition method of the DB access control execution unit 310 is not limited to this, and for example, the DB access control execution unit 310 may acquire directly from the attribute information storage unit 210.

  In FIG. 4 described above, only one row control information exists for one row. When there are a plurality of row control information for one row, it can be dealt with by using the logical product of the respective row control information as a control condition. When it is necessary to treat the control condition as a logical sum, it can be realized by accessing the data object under each control condition and taking the logical sum of the accessed results. Further, when it is necessary to handle the control condition as a logical sum, it can be dealt with by expanding the line control information so that the logical sum of the control conditions can be described. FIG. 5 shows an example in which the line control information is expanded so that the logical sum of the control conditions can be described. In FIG. 5, a code 611, a table name 612, a column name 613, and a user attribute 614 are the same as the code 611, the table name 612, the column name 613, and the user attribute 614 shown in FIG. The calculation condition 615 indicates the calculation contents of the control performed by the row control information or the logical calculation contents of the control condition. The condition a 626 and the condition b 627 store a control condition that is a target of the logical operation when the calculation condition 615 indicates the content of the logical operation. In the example of FIG. 5, in the line where the code 611 is 0001, the code 611 indicates that the logical sum of the control conditions of the lines 0002 and 0003 is obtained. Here, the extension of the row control information has been described only for the logical sum, but is not limited to this and can be applied to the logical product.

Next, the provisioning process will be described in detail.
The DB access control management unit 350 generates a policy function based on the control information stored in the definition information storage unit 220. Here, the DB access control management unit 350 generates a policy function based on the row control information stored in the definition information storage unit 220.

First, the policy function generated by the provisioning process will be described. Here, the policy function will be described based on the row control information shown in FIG. FIG. 6 is a diagram showing an example of a policy function generated based on the row control information shown in FIG.
In FIG. 6, a function unit 710 indicates a policy function. A line number 720 indicates a line number of the function unit 710 that is a policy function. In the following, what number line means the line of the corresponding number of the line number 720.

In FIG. 6, create or replace function shown in the first line is a policy function declaration part. Sales table_row is a function name of the policy function. The second line is a blank line. The third line is a command indicating the start of the execution part of the policy function. The sys_context shown on the fourth line is a command for acquiring attribute information from the context storage unit 430. Here, sokiki is acquired as attribute information by the sys_context command. Gcn is an identifier indicating the context storage unit 430. Moreover, vsoshiki is a variable used in the policy function. That is, the fourth line indicates that the attribute information sokiki is acquired from the context storage unit 430 indicated by gcn and is stored in the variable vsoshiki. The fifth line shows a comment. The part following “Return” shown in the sixth line is a part for generating a return value of the policy function. The vsshiki shown in the sixth line is replaced with the value of the attribute information sokiki acquired in the fourth line. Also, || is a character string combination operator. That is, a character string obtained by combining the division = and a value obtained by substituting the attribute soshiki with the attribute information soshiki and enclosed in quotation marks is returned. That is, in the example shown in FIG. 4, since the value of the attribute information sokiki is sales 1 section 520, the return value is “sales table. Department =“ sales 1 section ””. The seventh line is a command indicating the end of the execution part of the policy function.
That is, the policy function shown in FIG. 6 is “sales table.department =“ sales 1 section ”” in the example in which the employee a521 of the sales 1 section 520 in FIG. 2 accesses the sales table 600 in FIG. Is the return value.
Here, the attribute information soshiki is an attribute name managed by the attribute management server 200 to identify the attribute information. In the return value of the policy function, the attribute information soshiki is replaced with the value stored in the context storage unit 430. The attribute name used to identify the attribute information sokiki is registered when the attribute information is registered from the DB access control execution unit 310 even if it is registered in the DB access control device 300 and the database device 400 in advance. Registration may be performed automatically.

The DB access control management unit 350 registers the generated policy function in the policy function storage unit 440 of the database device 400 in association with the table. The DB access control management unit 350 associates the policy function with the table using, for example, the command shown in FIG. FIG. 7 is an example of a command for associating a table with a policy function. In FIG. 7, a function unit 710 indicates a command for associating a policy function with a table. A line number 720 indicates a line number of the function unit 710.
In FIG. 7, the table name and the policy function name are names of the associated table and policy function, respectively. The policy name is an arbitrary name indicating the connection between the table and the policy function. By using the policy name, the table managed and stored by the database apparatus 400 can have associations with a plurality of policy functions.

  When associating the sales table_row that is the policy function described above with the sales table 600 that is the table, the above command is as shown in FIG. FIG. 8 shows an example in which a table and a policy function are assigned to the command shown in FIG. In FIG. 8, the function part 710 and the line number 720 are the same as the function part 710 and the line number 720 shown in FIG. In FIG. 7, sales table_row policy and sales table_ROW are arbitrary names, and the DB access control management unit 350 can arbitrarily generate them based on the table name and the row control conditions.

  The policy function is executed by the database device 400 when the sales table 600 managed and stored by the database device 400 is accessed by the data access program issued by the business server 100. The policy function outputs a control condition as a return value, and adds the output control condition to the data access program. For example, when the data access program is an SQL program, the policy function adds a control condition to the WHERE area. In the above example, a control condition “WHERE sales table. Department =’ Sales 1 Section ”” is added.

  Next, the flow of operations in which the DB access control management unit 350 performs provisioning will be described. FIG. 9 is a flowchart illustrating an operation in which the DB access control management unit 350 performs provisioning. Based on FIG. 9, an operation in which the DB access control management unit 350 performs provisioning will be described.

  In control information acquisition step S <b> 101, the control information acquisition unit 360 acquires control information for the table from the definition information storage unit 220. Here, the control information acquisition unit 360 acquires row control information for the corresponding table.

  In the control information storage step S102, the control information storage unit 370 stores the control information acquired by the control information acquisition unit 360.

  In function name generation step S103, the function generation unit 380 generates a function name of the policy function based on the row control information. The function generation unit 380 generates a function name based on, for example, the table name and the row control condition stored in the control information storage unit 370. The function generation unit 380 can generate a function name regularly, for example, “table name” + “_ row”.

  In the return value initialization step S104, the function generation unit 380 initializes a variable indicating the return value of the policy function. For example, when the function generation unit 380 evaluates the access control condition as “1 = 1”, the function generation unit 380 initializes the result with a value that is always true.

  The function generation unit 380 repeats the processing from step S105 to step S107 until there is no more row control information stored in the control information storage unit 370. The processing from step S105 to step S107 is a policy function generation step.

  In attribute information extraction step S105, the function generation unit 380 extracts attribute information used for the row control information.

  In the command addition step S106, the function generation unit 380 adds a command for extracting the attribute information value from the context storage unit 430 to the policy function for the extracted attribute information. In the example illustrated in FIG. 6, the command for retrieving the value of attribute information from the context storage unit 430 is a sys_text command.

  In the control condition addition step S107, the function generation unit 380 adds the control condition for the attribute information in the row control information to a variable indicating the return value of the policy function. When there are a plurality of row control information for one row, for example, the control conditions are usually combined by AND. However, with respect to the method for combining the control conditions, it is possible to combine the row control information by logical sum by extending the row control information as shown in FIG.

  When the processing from step S105 to step S107 is completed for all the row control information stored in the control information storage unit 370, the process proceeds to function control step S108. In step S108, the function control unit 390 associates the policy function with the table. For example, the function control unit 390 generates an association command as described above, and executes the generated command.

  In the policy function storage step S109, the policy function storage unit 440 stores the policy function associated with the table by executing the function control unit 390 command.

  Next, a process for executing access to a data object from the business server 100 after provisioning is completed will be described in detail. Here, in the same manner as described above, an example in which the employee a521 logs in to the business server 100 and accesses the sales table 600 will be described.

The employee a 521 who is the user 20 logs in to the business server 100 and accesses the sales table 600. First, the business server 100 acquires the attribute information of the employee a521 from the attribute information storage unit 210. As for the acquisition of attribute information by the business server 100, the attribute information to be acquired is specified based on the data access program issued by the business server 100 or the like, even if it is acquired for a predetermined set of attribute information. It doesn't matter. Here, the business server 100 acquires the sales department 1 520 as the department to which the employee a 521 belongs from the attribute information storage unit 210. That is, the business server 100 acquires the sales section 1 520 as the value of the attribute information sokiki in the policy function described above. Next, the business server 100 instructs the DB access control execution unit 310 to access the sales table 600 and passes the acquired attribute information of the employee a521. That is, the attribute acquisition unit 320 acquires the sales 1 section 520 as the value of the attribute information soshiki. Here, the attribute acquisition unit 320 acquires the attribute information by passing the attribute information acquired from the attribute information storage unit 210 by the business server 100. However, the method by which the attribute acquisition unit 320 acquires attribute information is not limited to this. For example, the DB access control execution unit 310 may acquire the attribute information directly from the attribute information storage unit 210. The attribute storage unit 330 stores the attribute information acquired by the attribute acquisition unit 320. Next, the attribute transmission unit 340 transmits the attribute information stored in the attribute storage unit 330 to the database device 400 and registers it in the context storage unit 430. That is, the context storage unit 430 stores the sales department 1 520 as the department to which the employee a521 belongs as attribute information. Along with the transmission of the attribute information, the DB access control execution unit 310 instructs the database device 400 to access the sales table 600 by a data access program.
While instructing access to the DB access control execution unit 310, the business server 100 issues a data access program to the database device 400. The program receiving unit 410 of the database device 400 receives a data access program issued by the business server 100.
When there is an access instruction from the DB access control execution unit 310 and the execution unit 470 executes the data access program received by the program reception unit 410, the function execution unit 450 associates it with the data object accessed by the data access program. The policy function stored in the policy function storage unit 440 is executed. The control condition adding unit 460 adds the return value of the policy function executed by the function executing unit 450 to the control condition of the data access program. Here, the function execution unit 450 inputs the attribute information stored by the context storage unit 430 when executing the policy function. Then, the policy function outputs a control condition in which the attribute information input as a return value is embedded. For example, when executing the policy function shown in FIG. 6, the function execution unit 450 inputs the sales 1 section 520 stored in the context storage unit 430. Then, the policy function outputs “Sales Table.Department =“ Sales 1 Section ”” as a return value. That is, the control condition adding unit 460 adds “sales table.department =“ Sales 1 Section ”” as a control condition to the data access program.

  FIG. 10 shows an example in which an SQL program is used as a data access program issued by the business server 100. In FIG. 10, a function unit 710 indicates a data access program. The line number 720 indicates the line number of the function unit 710 that is a data access program.

FIG. 11 shows a data access program to which a control condition is added by the control condition adding unit 460 when the business server 100 issues the data access program shown in FIG. In FIG. 11, a function unit 710 indicates a data access program to which a control condition is added. A line number 720 indicates a line number of the function unit 710 that is a data access program to which a control condition is added. That is, when the business server 100 issues the data access program shown in FIG. 10, the execution unit 470 executes the data access program shown in FIG.
By the above-described processing, the department 603 of the sales table 600 is controlled so as to permit the access of the employee a521 only in the same row as the sales department 1 representing the department to which the employee a521 belongs.

Next, an operation when the employee a521 described above is transferred from the sales section 1 to the sales section 2 will be described. Here, provisioning is processed in the same manner as described above.
The transferred employee a 521 logs into the business server 100 and accesses the sales table by a data access program issued by the business server 100. The business server 100 acquires the value of the attribute information “soshiki” that is the department to which the business server 100 belongs from the attribute information storage unit 210. Since the employee a521 has been transferred from the sales section 1 to the sales section 2, the value of the attribute information “soshiki” is the sales section 2. Therefore, the DB access control execution unit 310 registers the sales section 2 as the value of the attribute information “soshiki” in the context storage unit 430. Therefore, the control condition output as a return value by the policy function is “sales table.department =“ Sales Section 2 ””. Therefore, when the data access program is an SQL program, “Sales Table.Department =“ Sales Section 2 ”” is added to the Where clause.

FIG. 12 shows a data access program to which a control condition is added by the control condition adding unit 460 when the business server 100 issues the data access program shown in FIG. That is, when the business server 100 issues the data access program shown in FIG. 10, the execution unit 470 executes the data access program shown in FIG.
For this reason, control is performed so that only the line in which the department 603 of the sales table 600 is equal to the sales section 2 representing the department to which the employee a 521 is one of the attribute information of the employee a 521 is permitted to access the employee a 521. That is, personnel changes can be reflected in the control conditions without changing the policy function.

  Next, the process flow described above will be described. FIG. 13 is a diagram illustrating the above-described processing sequence. The above-described processing flow will be described with reference to FIG.

  In attribute inquiry step S <b> 201, the business server 100 makes an inquiry to the attribute management server 200 in order to acquire attribute information from the attribute information storage unit 210. For example, when making a query for attribute information, the business server 100 sends a query by sending an attribute name or the like managed by the attribute management server 200 to identify the attribute information.

  In attribute response step S202, the attribute management server 200 responds to an inquiry about attribute information from the business server 100.

  In the initialization request step S203, the business server 100 transmits the acquired attribute information to the DB access control execution unit 310. In addition, the business server 100 instructs the DB access control execution unit 310 to register attribute information in the context storage unit 430. Here, this instruction is called an application initialization request.

  In context storage step S <b> 204, the DB access control execution unit 310 registers the value of the acquired attribute information in the context storage unit 430.

  In the registration completion notification step S205, the context storage unit 430 notifies the DB access control execution unit 310 of the attribute information registration result.

  In the initialization completion notification step S206, the DB access control execution unit 310 notifies the business server 100 of the completion of application initialization.

  In the access request step (program receiving step) S207, the business server 100 requests access to the data object by transmitting the data access program to the database device 400. The program receiving unit 410 of the database device 400 receives a data access program.

  In function execution step S208, the function execution unit 450 activates the policy function stored in the policy function storage unit 440.

  In the context information reference step S209, the policy function transmits an inquiry to refer to the attribute information stored in the context storage unit 430.

  In the attribute information notification step S210, the context storage unit 430 notifies the inquired attribute information.

  In the control condition addition step S211, the function execution unit 450 passes the return value of the policy function reflecting the attribute information to the control condition addition unit 460 of the database device 400. The control condition adding unit 460 adds the return value of the policy function to the control condition of the data access program received by the program receiving unit 410.

  In execution step S212, the execution unit 470 executes the data access program in which the control condition adding unit 460 adds the return value of the policy function to the control condition, and transmits the result of accessing the data object to the business server 100.

  As described above, once provisioning is performed, even if the value of a user attribute such as affiliation or job title is changed due to personnel change or the like, the attribute value managed by the attribute management server 200 is changed, so that the database device 400 Changes in attribute values used for control are reflected. Therefore, it is not necessary to change the settings of the data access program and the data object. The process for accessing the data object is only the setting of the user attribute value to the context delivery device. When accessing a data object, there is no need to interpret and rewrite the user's data access program. Therefore, according to the access control system 1000 shown in the first embodiment, when accessing a data object, the processing does not become complicated and the performance of the data access program does not deteriorate.

Embodiment 2. FIG.
In the first embodiment, the implementation of control based on row control information for a table that is a data object has been described. In the second embodiment, a control method based on column control information will be described.

  The functional block diagram of the access control system 1000 according to the second embodiment is the same as the functional block diagram of the access control system 1000 according to the first embodiment shown in FIG. The processing of the access control system 1000 according to the second embodiment is also realized by dividing into two phases of provisioning, which is advance preparation, and execution of access to a data object, as in the first embodiment.

  FIG. 14 is an example of column control information stored in the definition information storage unit 220. FIG. 14 shows the column definition information of the sales table 600 and the presence / absence of an access control condition for each column (data object attribute). A column name 631 is an attribute name of each column of the sales table 600. The data type 632 is a type of data held in each column. The condition 633 is a control condition set for each column. The condition ANY of the month 601 and the department 603 indicates that anyone can access the column. Sales 602 indicates that the condition C01 is applied.

  A control method based on the column control information will be described with reference to FIG. In the following description, as the condition C01, when the value of the attribute information position is “02”, access to the column of sales 602 is permitted, and access to the column of sales 602 is not permitted otherwise. It is assumed that the information is set. When the data access program issued by the instruction of the user 20 having attribute information that is not permitted to access refers to the column of sales 602, the database device 400 returns a value even if it returns a null value, for example. You do n’t have to.

First, provisioning will be described.
FIG. 15 is an example of a policy function that implements control based on column control information. Based on FIG. 15, the policy function generated in the provisioning process will be described.
In FIG. 15, a function unit 710 indicates a policy function. A line number 720 indicates a line number of the function unit 710 that is a policy function.

  The policy function shown in FIG. 15 is almost the same as the policy function shown in FIG. Therefore, the policy function shown in FIG. 15 will be described with respect to portions different from the policy function shown in FIG. In the fourth line, attribute information position is acquired and stored in variable vposition. The sixth and seventh lines return “1 = 1” when the variable vposition is “02”. The 8th and 9th lines return “1 = 2” when the variable vposition is not “02”. That is, the policy function shown in FIG. 6 returns a condition that always takes a true value as a control condition when the variable vposition is “02”, and a control condition when the variable vposition is not “02”. The return value is a condition that always takes a false value.

Next, the policy function is registered in the policy function storage unit 440 in association with the table column. FIG. 16 shows an example of a command for associating a policy function with a table column and registering it in the policy function storage unit 440.
In FIG. 16, a function unit 710 indicates a command for associating a policy function with a table column. A line number 720 indicates a line number of the function unit 710.
In FIG. 16, one parameter is added to the command shown in FIG. The sales table is the table name of FIG. Sales table_sales_col is a function name of the policy function of FIG. The sales table_sales_col policy is the policy name of FIG. 6 and can be arbitrarily generated by the DB access control management unit 350. For example, the DB access control management unit 350 adds a suffix col to indicate that it is a policy function used for column control. The sec_relevant_cols => in the fourth line is an optional parameter that holds the column name for which the parameter shown later is the column control target. Here, it is indicated that this policy function is activated when an attempt is made to access the sales 602 of the sales table 600. A character string including a plurality of column names may be set after sec_relevant_cols =>.

  After the provisioning described above, when the data access program issued by the business server 100 tries to access the sales 602 of the sales table 600, the sales function_sales_col as a policy function is executed. In this case, if the value of the attribute information position of the user 20 who has instructed the business server 100 is “02”, the sales table_sales_col outputs “1 = 1” as a return value. That is, the policy function is a condition that always takes a true value as a control condition. Accordingly, the user 20 is permitted to access the sales 602. On the other hand, if the value of the attribute information position of the user 20 who has instructed the business server 100 is not “02”, the sales table_sales_col outputs “1 = 2” as a return value. That is, the policy function is a condition that always takes a false value as a control condition. Accordingly, the user 20 is denied access to the sales 602.

  Next, an operation of performing provisioning when performing control based on column control information will be described. FIG. 17 is a flowchart illustrating an operation of performing provisioning when performing control based on column control information.

  In the control information acquisition step S301, the control information acquisition unit 360 acquires control information for the table from the definition information storage unit 220. Here, the control information acquisition unit 360 acquires column control information for the corresponding table.

  In the control information storage step S302, the control information storage unit 370 stores the control information acquired by the control information acquisition unit 360.

The function generation unit 380 and the function control unit 390 execute the processing from step S303 to step S311 for each control condition in the column control information stored in the control information storage unit 370. That is, the processing from step S303 to step S311 is executed for each of the different values of the condition 633 in FIG. However, if the value of the condition 633 in FIG.
The processing from step S303 to step S310 is a policy function generation step. Further, the process of step S311 is a function control step.

  In the variable generation step S303, the function generation unit 380 prepares a variable for storing a column name to be a column control target of the table.

  In the column name extraction step S304, the function generation unit 380 extracts the column name to be controlled from the column control information in the table.

  In the column name storage step S305, the function generation unit 380 stores the column name to be controlled by the control condition in a variable.

  In the object determination step S306, the function generation unit 380 confirms whether all the column names to be controlled by the control condition are stored in the variables. If there is an unstored column name, the process returns to step S305 to store the column name in a variable. If all the column names are stored, the process proceeds to step S307.

  In function name generation step S307, the function generation unit 380 generates a function name of a policy function based on column control information and a policy name that associates a table column with a policy function based on column control information. For example, the function generation unit 380 generates a function name based on the table name and the row control condition stored in the control information storage unit 370, as in the first embodiment. For example, the function generation unit 380 can regularly generate the policy function name in this case as “table name” + “_ column name” + “_ col”. Here, when there are a plurality of columns, the column names including “_column name” of “table name” + “_ column name” + “_ col” described above may be connected. In addition, the function generation unit 380 can regularly generate a policy name such as “policy function name” + “_ policy”, for example.

  In attribute name extraction step S308, the function generation unit 380 extracts the attribute name used for the control condition based on the column control information. The function generation unit 380 extracts the attribute information position in the policy function example of FIG.

  In the command addition step S309, the function generation unit 380 adds a command for extracting the attribute information value from the context storage unit 430 to the policy function for the extracted attribute information. In the example illustrated in FIG. 15, the command for extracting the value of attribute information from the context storage unit 430 is a sys_context command.

  In the conditional phrase adding step S310, the function generating unit 380 adds a condition regarding attribute information in the control condition to the policy function. In the example illustrated in FIG. 15, the function generation unit 380 adds a sentence indicated by an “if” sentence. In addition, the function generation unit 380 adds a return value to the policy function based on the added control condition. In the example illustrated in FIG. 15, the function generation unit 380 adds a sentence indicated by a return sentence. In addition, the function generation unit 380 generates another part of the policy function in accordance with the processing generated in this step.

  In function control step S311, the function control unit 390 associates a policy function with a table. For example, the function control unit 390 generates an association command as described above, and executes the generated command.

  In the policy function storage step S312, the policy function storage unit 440 stores the policy function associated with the column by executing the function control unit 390 command.

  The function generation unit 380 and the function control unit 390 execute the process from step S303 to step S311 for all the column control information stored in the control information storage unit 370, and ends the process.

  In the above description, it is assumed that there is one attribute information referred to in one control condition. When a plurality of pieces of attribute information can be referred to in one control condition, a plurality of pieces of attribute information referred to in the control condition to be processed are extracted in step S308, and the processes in steps S309 and S310 are performed as attribute information. This can be realized by repeatedly executing for each.

  The processing for executing access to the data object is the same as in the first embodiment.

  In the second embodiment, as in the case of the first embodiment, regarding the column control, once provisioning is performed, even if the user attribute value such as affiliation or job title is changed due to personnel change or the like, the attribute management server 200 By changing the attribute value managed by, the change of the attribute value used for control of the database apparatus 400 is reflected. Therefore, it is not necessary to change the settings of the data access program and the data object. The process for accessing the data object is only the setting of the user attribute value to the context delivery device. When accessing a data object, there is no need to interpret and rewrite the user's data access program. Therefore, according to the access control system 1000 shown in the second embodiment, when accessing a data object, the processing does not become complicated and the performance of the data access program does not deteriorate.

Embodiment 3 FIG.
In the above-described embodiment, the control based on each of the row control information and the column control information has been described separately. In the third embodiment, a method for performing control combining row control and column control by expanding the policy function and the association between the policy function and the table will be described.

  A method of performing control combining row control and column control is not the column control described in the second embodiment for the value C01 of the condition 633 in the column control information of FIG. This can be realized by associating. In this case, when the business server 100 issues a data access program for accessing the sales 602 for which the column control information is specified, the row control information associated with the column control information C01 is evaluated, and the sales 602 is obtained only in a row satisfying C01. Access to is permitted, and access to sales 602 is not permitted in other rows.

  The functional block diagram of the access control system 1000 according to the third embodiment is the same as the functional block diagram of the access control system 1000 according to the first embodiment shown in FIG. The processing of the access control system 1000 according to the third embodiment is also realized by dividing into two phases of provisioning, which is preparation in advance, and execution of access to a data object, as in the first embodiment.

  The third embodiment will be described using an example in which the row control information illustrated in FIG. 4 is applied to the sales 602 column of the sales table 600.

First, provisioning will be described.
FIG. 18 shows a policy function that realizes control combining row control and column control. The policy function shown in FIG. 18 is the same as the policy function shown in FIG. 6 except for the function name. In addition, the command shown in FIG. 16 is used as a command for associating a policy function with a table column. That is, the same control as the policy function shown in FIG. 6 is associated with the sales 602 column of the sales table 600.

  When the data access program issued by the business server 100 tries to access the sales 602 of the sales table 600, the policy function shown in FIG. 18 which is a policy function is executed. The policy function permits access to the value of sales 602 only for records where the value of the department 603 in the sales table 600 is the same as the value of the attribute information sokiki, and does not permit access to other records. As the value of the sales 602 of the record that does not permit access, the database device 400 may return a null value or no value, for example, as in the second embodiment.

  Next, the provisioning operation in the case of performing control combining row control and column control will be described. FIG. 19 is a flowchart illustrating an operation for performing provisioning in the case of performing control combining row control and column control.

  In control information acquisition step S <b> 401, the control information acquisition unit 360 acquires control information for the table from the definition information storage unit 220. Here, the control information acquisition unit 360 acquires row control information and column control information for the corresponding table.

  In the control information storage step S402, the control information storage unit 370 stores the control information acquired by the control information acquisition unit 360.

  In column control determination step S403, the function generation unit 380 determines whether column control information exists in the control information stored in the control information storage unit 370. The function generation unit 380 proceeds to step S404 when the column control information exists, and proceeds to step S409 when the column control information does not exist.

  In the matrix control determination step S404, the function generation unit 380 determines whether there is row control information associated with the column control information condition stored in the control information storage unit 370. The function generation unit 380 proceeds to step S405 when the line control information exists, and proceeds to step S407 when the line control information does not exist.

  In matrix policy function generation step S405, the function generation unit 380 generates a policy function based on the row control information.

In the matrix function control step S406, the function control unit 390 generates and executes a policy function association command based on the row control information associated with the table and the column.
Steps S405 and S406 are performed according to the flow shown in FIG.

  In the column policy function generation step S407, the function control unit 390 generates a policy function based on the column control information not associated with the row control information.

In the column function control step S408, the function control unit 390 generates and executes a policy function association command based on the column control information associated with the column.
Steps S407 and S408 are performed according to steps S303 to S312 shown in FIG.

  In the row control determination step S409, the function control unit 390 determines whether there is row control information associated with the table and not associated with the column control information. The function control unit 390 proceeds to step S410 when there is row control information associated with the table and not associated with the column control information, and ends the process when there is no row control information.

  In the line policy function generation step S410, the function control unit 390 generates a policy function based on the line control information.

In the row function control step S411, the function control unit 390 generates and executes a policy function association command based on the row control information associated with the table.
Steps S410 and S411 are performed according to the flowchart shown in FIG. 9 described above.

  FIG. 20 is a flowchart detailing the operations in steps S405 and S406 in FIG. FIG. 20 is obtained by replacing the processing in step S308 and step S310 in the flowchart shown in FIG. 17 with processing for row control information associated with the control condition of column control information. Only the differences from the flowchart shown in FIG. 17 will be described with respect to the flowchart shown in FIG.

  Steps S501 to S507 are the same as steps S301 to S307 shown in FIG.

  In attribute name extraction step S508, the function generation unit 380 extracts the attribute name used for the control condition of the row control information associated with the control condition of the column control information.

  Step S509 is the same as step S309 shown in FIG.

  In the conditional phrase adding step S510, the function generation unit 380 adds a condition related to attribute information in the control condition of the row control information associated with the control condition of the column control information to the policy function.

  Step S511 is the same as step S311 shown in FIG.

  In the third embodiment, regarding the control combining row control and column control, as in the first embodiment, once provisioning is performed, user attribute values such as affiliation and job title change due to personnel changes and the like. Even in this case, by changing the attribute value managed by the attribute management server 200, the change of the attribute value used for the control of the database device 400 is reflected. Therefore, it is not necessary to change the settings of the data access program and the data object. The process for accessing the data object is only the setting of the user attribute value to the context delivery device. When accessing a data object, there is no need to interpret and rewrite the user's data access program. Therefore, according to the access control system 1000 shown in the third embodiment, when the data object is accessed, the processing is not complicated and the performance of the data access program is not deteriorated.

Embodiment 4 FIG.
In the above-described embodiment, the DB access control management unit 350 has described the process of generating a policy function based on row control information, column control information, or row control information and column control information in provisioning. In the fourth embodiment, control when attribute information values having a hierarchical structure are input to each control information described above will be described.

As an example of attribute information having a hierarchical structure, the attribute information shown in FIG. 2 is used here. In the attribute information shown in FIG. 2, the organization name sokiki, which is the attribute information of the organization to which the employee belongs, is set with different levels of organization names in the hierarchical structure of the organization such as departments and sections. Under the attribute information having such a hierarchical structure, for example, for the user 20 who directly belongs to the department such as a department manager, the department name such as the sales department or the technical department is given as the organization name sokiki, and the section manager or general member of the department For the user 20 who directly belongs to the section, the name of the section such as the sales section 1 or the technical section 1 may be given as the organization name sokiki. In such a case, each name is set in the context storage unit 430 as attribute information.
When an organization name of a different level is used as attribute information, for example, when access is permitted using the organization name of the department level in the row control information, the DB access control execution unit 310 is allowed access in the control information. It may be necessary to allow access to the departments belonging to the department.

  In order to deal with the above case, the attribute acquisition unit 320 acquires attribute information subordinate to the specified attribute information from the attribute information managed and stored by the attribute information storage unit 210. Then, the context storage unit 430 stores the attribute information subordinate to the specified attribute information. Further, the function generation unit 380 generates a policy function so that the access authority of the upper attribute information is inherited by the lower attribute information.

  The functional block diagram of the access control system 1000 according to the fourth embodiment is the same as the functional block diagram of the access control system 1000 according to the first embodiment shown in FIG. The processing of the access control system 1000 according to the fourth embodiment is also realized by dividing into two phases of provisioning, which is preparation in advance, and execution of access to a data object, as in the first embodiment.

First, the policy function based on the column control information will be described.
The attribute information shown in FIG. 2 has a hierarchical structure in which the sales department 510 is under the head office and the sales section 1 520 and the sales section 2 530 are under the sales section 510. In the sales table 602 of FIG. 3, it is assumed that column control information for permitting access is set when the department to which the accessing employee belongs is the sales department 510. FIG. 21 is an example of a policy function generated based on the above column control information. In FIG. 21, a function unit 710 indicates a policy function. A line number 720 indicates a line number of the function unit 710. A difference between the policy function shown in FIG. 21 and the policy function shown in FIG. 18 will be described.
In FIG. 21, the conditional statement shown in the sixth line connects all the organizations below the sales department 510 with a logical sum. Therefore, in the case of access from an employee belonging to the sales department 510, the conditional expression on the sixth line is satisfied, and “1 = 1” is output as a return value. That is, the policy function shown in FIG. 21 outputs, as a return value, a condition that always takes a true value as a control condition in the case of an access from an employee belonging to the sales department 510. On the other hand, if the access is not from an employee belonging to the sales department 510, the conditional expression on the sixth line is not satisfied and “1 = 2” is output as a return value. That is, the policy function shown in FIG. 21 outputs, as a return value, a condition that always takes a false value as a control condition when the access is not from an employee belonging to the sales department 510.

Next, a policy function based on the row control information will be described.
For the attribute information shown in FIG. 2, the row control information shown in FIG. 4 is applied to the sales table 600 shown in FIG. In this case, when the department to which the employee to access belongs is the sales department 510, it is assumed that the department control 603 of the sales table 600 is row control information that permits reference to a record having a value belonging to the sales department 510. FIG. 22 shows an example of a policy function generated based on the row control information. In FIG. 22, a function unit 710 indicates a policy function. A line number 720 indicates a line number of the function unit 710. Differences between the policy function shown in FIG. 22 and the policy function shown in FIG. 6 will be described.
In FIG. 22, the conditional statement shown in the sixth line connects all the organizations below the sales department 510 with a logical sum. Therefore, in the case of an access from an employee belonging to the sales department 510, the conditional expression on the sixth line is satisfied and “department = 'sales department' OR department = 'sales department 1' OR department = 'sales department 2'" is returned. Output as a value. This return value control condition is satisfied when the department 603 of the sales table 600 has a value belonging to the sales department 510. Therefore, by using this policy function, when the department to which the employee to access belongs is the sales department 510, reference to a record having a value to which the department 603 of the sales table 600 belongs to the sales department 510 is permitted.

  When the attribute information has a hierarchical structure and the attribute information and the immediate value are compared in the row control information and the column control information, it is necessary to perform provisioning by the method described above. Here, the immediate value means a designated value.

  Next, an operation for provisioning based on the value of attribute information having a hierarchical structure will be described. FIG. 23 is a flowchart showing an operation of performing provisioning processing based on the value of attribute information having a hierarchical structure. The flowchart shown in FIG. 23 is a provisioning process in the case where step S107 of the flowchart shown in FIG. 9 which is a provisioning process based on the row control information and a combination of the row control and the column control are performed. It replaces step S510 in the flowchart shown in FIG.

  The function generation unit 380 executes the processing from step S601 to step S607 with respect to the control condition related to the attribute information in the row control information.

In hierarchical structure determination step S601, the function generation unit 380 determines whether or not the control condition related to the attribute information in the row control information includes attribute information having a hierarchical structure. If the function generation unit 380 includes attribute information having a hierarchical structure, the function generation unit 380 proceeds to step S602. If the function generation unit 380 does not include attribute information having a hierarchical structure, the function generation unit 380 proceeds to step S607.
For example, the function generation unit 380 can determine whether or not the attribute information has a hierarchical structure by registering in advance the attribute name of the attribute information having a hierarchical structure in the DB access control management unit 350. Alternatively, the function generation unit 380 can determine whether or not the attribute information has a hierarchical structure by inquiring the attribute management server 200 about the presence or absence of the hierarchical structure for all the attribute information.

  In immediate value comparison determination step S602, the function generation unit 380 determines whether or not the control condition including attribute information having a hierarchical structure includes a comparison between the attribute value and the immediate value. If the function generation unit 380 includes the comparison between the attribute value and the immediate value, the process proceeds to step S603. If the function generation unit 380 does not include the comparison between the attribute value and the immediate value, the function generation unit 380 proceeds to step S607.

  In the attribute management server connection step S603, the function generation unit 380 accesses the attribute management server 200.

  In the attribute value acquisition step S604, the function generation unit 380 refers to the hierarchical structure information of the attribute information, and acquires the attribute value of the node including the immediate value and the attribute value below the node. Here, the node is a section of a node representing attributes such as the head office 500 and the sales department 510 in the attribute information represented by the tree structure shown in FIG. Further, the subordinate is a node connected to a designated node in FIG. 2 and is a node depicted below. The employees a521 and b522 are subordinate to the sales section 1 520. The subordinates of the sales department 510 include the subordinate nodes of the sales 1 section 520 and the sales 2 section 530 and the sales 1 section 520 and the sales 2 section 530, respectively.

  In the conditional phrase addition step S605, the function generation unit 380 expands the control condition related to the attribute information in the row control information as a condition for the attribute information acquired in step S604, and combines them with a logical sum. The function generation unit 380 adds a policy statement to the conditional statement that determines whether or not the conditional statement combined by the logical sum is permitted to access the table. For example, the function generation unit 380 adds an “if” statement shown in the sixth line of FIG. 22 as a conditional statement.

  In the return value adding step S606, the function generating unit 380 adds the conditional statement combined by the logical sum to a variable indicating the return value of the policy function. For example, the function generation unit 380 adds a return statement shown in the seventh line of FIG. 22 as a return value.

  In the direct addition step S607, the function generation unit 380 adds the condition related to the attribute information in the row control information to a variable indicating the return value of the policy function.

  In the fourth embodiment, step S310 in the flowchart shown in FIG. 17 which is a provisioning process for generating a policy function based on the column control information is replaced with a process in which the row control information is replaced with the column control information in FIG. . However, in the flowchart shown in FIG. 17 which is the provisioning process for generating the policy function based on the column control information, the process of step S606 in FIG. 23 is not performed.

  In the fourth embodiment, the control based on the value of attribute information having a hierarchical structure has been described. Once provisioning is performed by the method described in the fourth embodiment, even if the value of a user attribute having a hierarchical structure such as affiliation changes due to personnel changes or the like, the user attribute managed by the attribute management server 200 is changed. The change of the attribute value used for the control of the database apparatus 400 is reflected only by changing the value of. Therefore, it is not necessary to change the settings of the data access program and the data object. The process for accessing the data object is only the setting of the user attribute value to the context delivery device. When accessing a data object, there is no need to interpret and rewrite the user's data access program. Therefore, according to the access control system 1000 shown in the fourth embodiment, when the data object is accessed, the processing is not complicated and the performance of the data access program is not deteriorated.

Embodiment 5. FIG.
In the above-described embodiment, the access control to the data object managed and stored by the database apparatus 400 has been described. However, in order to thoroughly protect data objects managed and stored by the database device 400 from unauthorized use, the result file that stores the search result of the data access program for the data object is the same as that of the data object. Access control needs to be performed. In the fifth embodiment, access control of a result file storing a search result by a data access program for a data object will be described.

FIG. 24 is a functional block diagram of the access control system 1000 according to the fifth embodiment. Only the differences between the functional block diagram of the access control system 1000 shown in FIG. 24 and the functional block diagram of the access control system 1000 shown in FIG. 1 will be described.
The database device 400 further includes a result output unit 480 and a function addition unit 490. The result output unit 480 outputs a result file that stores the result of accessing the data object by executing the data access program by the execution unit 470. The function addition unit 490 adds a policy function to the result file output by the result output unit 480.

  Even when accessing the result file to which the policy function is added, the database device 400 performs access control by the policy function in the same manner as the access to the data object. That is, the access control process when accessing the result file is performed except that the policy function to be executed is not stored in the policy function storage unit 440 but is added to the result file. This is the same as the access execution process to the data object shown in the first embodiment. That is, only a user who is permitted to refer to the policy function added to the result file can refer to the result file.

By performing access control by the policy function for the result file, access control to the data object managed and stored by the database apparatus 400 can be performed for the result file storing the search result by the data access program for the data object. Similar access control is possible.
It is also possible to protect the result file by a method such as encryption.

FIG. 25 is a diagram illustrating an example of an appearance of the access control system 1000 according to the first embodiment.
25, the access control system 1000 includes a server 910, a CRT (Cathode Ray Tube) display device 901, a keyboard (K / B) 902, a mouse 903, a compact disk device (CDD) 905, a database 908, and a system unit 909. These are connected by cables.
Further, the access control system 1000 is connected to the Internet 940 via a local area network (LAN) 942 and a gateway 941.
In the embodiment described above, the “business server 100”, “attribute management server 200”, “DB access control device 300”, and the like are, for example, the server 910. Also, what is described as “database device 400” and “˜storage unit” is, for example, a database 908. In addition, the “manager 10”, the “user 20”, and the like, for example, give an instruction to the business server 100 and the DB access control apparatus 300 using the system unit 909.

FIG. 26 is a diagram illustrating an example of a hardware configuration of the server 910, the database 908, the system unit 909, and the like included in the access control system 1000 according to the first embodiment.
In FIG. 26, a server 910, a database 908, a system unit 909, and the like include a CPU (Central Processing Unit) 911 that executes a program. The CPU 911 includes a ROM 913, a RAM 914, a communication board 915, a CRT display device 901, a K / B 902, a mouse 903, an FDD (Flexible Disk Drive) 904, a magnetic disk device 920, a CDD 905, a printer device 906, and a scanner device 907 via a bus 912. Connected with.
The RAM 914 is an example of a volatile memory. The ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are examples of nonvolatile memories. These are examples of the storage device or the storage unit 120.
The communication board 915 is connected to a FAX machine 932, a telephone 931, a LAN 942, a wireless antenna 943, and the like.
For example, the communication board 915, the K / B 902, the scanner device 907, the FDD 904, and the like are examples of the input unit.
Further, for example, the communication board 915, the CRT display device 901, and the like are examples of the output unit.

Here, the communication board 915 is not limited to the LAN 942 but may be directly connected to the Internet 940 or a WAN (Wide Area Network) such as ISDN. When directly connected to a WAN such as the Internet 940 or ISDN, the access control system 1000 is connected to a WAN such as the Internet 940 or ISDN, and the gateway 941 is unnecessary.
The magnetic disk device 920 stores an operating system (OS) 921, a window system 922, a program group 923, and a file group 924. The program group 923 is executed by the CPU 911, the OS 921, and the window system 922.

The program group 923 stores a program for executing the function described as “˜unit” in the description of the above-described embodiment. The program is read and executed by the CPU 911.
In the file group 924, what has been described as “determination” in the description of the above-described embodiment is stored as “˜file”.
In addition, the arrow portion of the flowchart described in the description of the above-described embodiment mainly indicates data input / output, and for the data input / output, the data includes a magnetic disk device 920, an FD (Flexible Disk), an optical disk, It is recorded on other recording media such as CD (compact disc), MD (mini disc), DVD (Digital Versatile Disk). Alternatively, it is transmitted through a signal line or other transmission medium.

  In addition, what has been described as the “˜unit” in the description of the above-described embodiment may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented by software alone, hardware alone, a combination of software and hardware, or a combination of firmware.

  In addition, programs for implementing the above-described embodiments are also other disk drives such as a magnetic disk device 920, an FD (Flexible Disk), an optical disk, a CD (Compact Disk), an MD (Mini Disk), a DVD (Digital Versatile Disk), and the like. You may memorize | store using the recording device by a recording medium.

FIG. 3 is a functional block diagram showing functions of an access control system 1000 according to the first embodiment. It is an example of the attribute information which the attribute information storage part 210 memorize | stores. It is a sales table 600 which is an example of a data object managed and stored by the database device 400. It is an example of the line control information defined by the administrator. This is an example in which the row control information is extended so that the logical sum of the control conditions can be described. FIG. 5 is a diagram illustrating an example of a policy function generated based on the row control information illustrated in FIG. 4. It is an example of the command which links | relates a table | surface and a policy function. It is an example which allocated the table | surface and the policy function to the command shown in FIG. It is a flowchart which shows the operation | movement which DB access control management part 350 performs provisioning. This is an example when an SQL program is used as a data access program issued by the business server 100. This is a data access program to which the control condition is added by the control condition adding unit 460 when the business server 100 issues the data access program shown in FIG. This is a data access program to which the control condition is added by the control condition adding unit 460 when the business server 100 issues the data access program shown in FIG. It is the figure which showed the sequence of the process which accesses a data object. 4 is an example of column control information stored in a definition information storage unit 220. It is an example of the policy function which implement | achieves control based on column control information. An example of a command for associating a policy function with a table column and registering it in the policy function storage unit 440 is shown. It is a flowchart which shows the operation | movement which performs provisioning in the case of performing control based on column control information. This is a policy function that realizes control combining row control and column control. It is a flowchart which shows the operation | movement which performs provisioning in the case of performing control combining row control and column control. FIG. 20 is a flowchart detailing the operations in steps S405 and S406 in FIG. It is an example of the policy function produced | generated based on column control information. It is an example of the policy function produced | generated based on line control information. It is a flowchart which shows the operation | movement which performs the process of provisioning based on the value of attribute information with a hierarchical structure. FIG. 10 is a functional block diagram of an access control system 1000 according to a fifth embodiment. 1 is a diagram illustrating an example of an appearance of an access control system 1000 according to Embodiment 1. FIG. 2 is a diagram illustrating an example of a hardware configuration of an access control system 1000 according to Embodiment 1. FIG.

Explanation of symbols

  100 business server, 1000 access control system, 200 attribute management server, 210 attribute information storage unit, 220 definition information storage unit, 300 DB access control device, 310 DB access control execution unit, 320 attribute acquisition unit, 330 attribute storage unit, 340 Attribute transmission unit, 350 DB access control management unit, 360 control information acquisition unit, 370 control information storage unit, 380 function generation unit, 390 function control unit, 400 database device, 410 program reception unit, 420 attribute reception unit, 430 context storage Part, 440 policy function storage part, 450 function execution part, 460 control condition addition part, 470 execution part, 480 result output part, 490 function addition part, 600 sales table, 601 month, 602 sales, 603 department, 610 sales table Line control information, 611 612 Table name, 613 Column name, 614 User attribute, 615 Calculation condition, 626 Condition a, 627 Condition b, 630 Sales table column control information, 631 Column name, 632 Data type, 633 Condition, 901 CRT display device 902 K / B, 903 mouse, 904 FDD, 905 CDD, 908 database, 909 system unit, 911 CPU, 912 bus, 913 ROM, 914 RAM, 915 communication board, 920 magnetic disk unit, 921 OS, 922 window system, 923 program group, 924 file group, 931 telephone, 932 FAX machine, 940 Internet, 941 gateway, 942 LAN.

Claims (15)

In a DB (database) device that is connected via a network to an attribute management server that manages and stores attribute information related to a business server and a DB access control device that acquires attribute information from the attribute management server, and manages data objects.
When the business server accesses a data object, a context storage unit that acquires and stores attribute information about the business server acquired from the attribute management server by the DB access control device, and
A policy function storage unit for storing a policy function associated with a data object, the return value of which is a control condition in which attribute information is embedded;
A program receiving unit that receives a data access program issued by the business server to access a data object;
When the program receiving unit receives the data access program, the attribute information stored in the context storage unit is input, the policy function stored in the policy function storage unit is executed, and the control condition in which the attribute information is embedded is returned. A function execution unit that outputs as a value;
A control condition adding unit that obtains a control condition that is a return value of the policy function output by the function execution unit and adds the control condition to the data access program;
A database apparatus, comprising: an execution unit that accesses a data object by executing an access program to which the control condition is added. The attribute management server manages and stores user attribute information related to a user who uses a business server accessing a data object as the attribute information.
The database apparatus according to claim 1, wherein the context storage unit stores the user attribute information as attribute information. The database apparatus according to claim 1, wherein the policy function storage unit stores a policy function associated with an attribute of a data object. The database device further includes:
A result output unit that outputs a result file when a data object is accessed;
A function addition unit for adding the policy function to the result file output by the result output unit;
When the business server accesses the result file, the context storage unit acquires the attribute information about the business server acquired from the attribute management server by the DB access control device from the DB access control device and stores the attribute information.
The program receiving unit receives a data access program issued by the business server to access the result file,
When the program receiving unit receives the data access program, the function executing unit inputs the attribute information stored in the context storage unit, executes the policy function added to the result file by the function adding unit, and sets the attribute Output the control condition with embedded information as a return value,
The control condition adding unit acquires a control condition that is a return value of the policy function output from the function executing unit, adds the control condition to the data access program,
The database apparatus according to claim 1, wherein the execution unit accesses the result file by executing an access program to which the control condition is added by the control condition adding unit. In a DB access control apparatus that controls access to a data object managed by a DB (database) apparatus connected to an attribute management server that manages attribute information via a network,
A control information acquisition unit for acquiring access control information set for the record of the data object;
A control information storage unit for storing the access control information acquired by the control information acquisition unit;
Based on the access control information stored in the control information storage unit, a function generation unit that inputs attribute information managed by the attribute management server and generates a policy function that returns a control condition in which the attribute information is embedded;
A DB access control apparatus comprising: a function control unit that associates a policy function generated by the function generation unit with a data object and stores the policy function in a DB. The control information acquisition unit acquires access control information set for the fields constituting the record of the data object,
6. The DB access control apparatus according to claim 5, wherein the function control unit associates the policy function generated by the function generation unit with the attribute of the data object and stores the policy function in the DB. When the attribute information managed by the attribute management server has a hierarchical structure, the function generation unit generates a policy function that returns a control condition in which lower attribute information is embedded in the input attribute information. 6. The DB access control device according to claim 5. The function generation unit determines whether to permit access based on the attribute information managed by the attribute management server. When the access is permitted, the function generation unit generates a policy function that always returns a control condition permitting access. 6. The DB access control apparatus according to claim 5, wherein The function generation unit determines whether to permit access based on the attribute information managed by the attribute management server. If the access is not permitted, the function generation unit generates a policy function that always returns a control condition that does not permit access. 6. The DB access control apparatus according to claim 5, wherein An attribute management server that manages and stores attribute information related to the business server, a DB (database) device that manages data objects, and a DB access control that controls access by the business server data access program to the data objects managed by the database device In an access control system in which devices are connected via a network,
The DB access control device
When the business server accesses the data object, an attribute acquisition unit that acquires attribute information about the business server from the attribute management server;
An attribute storage unit for storing attribute information acquired by the attribute acquisition unit;
An attribute transmission unit that transmits the attribute information stored in the attribute storage unit to the database device;
The database device is
An attribute receiver that receives the attribute information transmitted by the attribute transmitter;
A context storage unit for storing attribute information received by the attribute reception unit;
A policy function storage unit for storing a policy function associated with a data object, which is input with attribute information and returns a control condition in which the attribute information is embedded;
A program receiving unit that receives a data access program issued by the business server to access a data object;
When the program receiving unit receives the data access program, the attribute information stored in the context storage unit is input, the policy function stored in the policy function storage unit is executed, and the control condition in which the attribute information is embedded is returned. A function execution unit that outputs as a value;
A control condition adding unit that obtains a control condition that is a return value of the policy function output by the function execution unit and adds the control condition to the data access program;
An access control system comprising: an execution unit that accesses a data object by executing an access program to which the control condition is added. The DB access control device further includes:
A control information acquisition unit for acquiring access control information set for the record of the data object;
A control information storage unit for storing the access control information acquired by the control information acquisition unit;
Based on the access control information stored in the control information storage unit, a function generation unit that inputs attribute information managed by the attribute management server and generates a policy function that returns a control condition in which the attribute information is embedded;
A function control unit that associates the policy function generated by the function generation unit with a data object;
11. The access control system according to claim 10, wherein the policy function storage unit stores a policy function associated with the data object by the function control unit. Access of a DB (database) device that is connected via a network to an attribute management server that manages and stores attribute information related to a business server and a DB access control device that acquires attribute information from the attribute management server and manages data objects In the control method,
When the business server accesses the data object, a context storage step in which the DB access control apparatus acquires attribute information about the business server acquired from the attribute management server from the DB access control apparatus and stores it in the context storage unit;
A policy function storage step of storing a policy function associated with a data object in a policy function storage unit, wherein the return value is a control condition in which attribute information is embedded;
A program receiving step for receiving a data access program issued by the business server to access a data object;
When the data access program is received in the program reception step, the attribute information stored in the context storage unit in the context storage step is input, and the policy function stored in the policy function storage unit is executed in the policy function storage step And a function execution step for outputting a control condition in which attribute information is embedded as a return value,
A control condition adding step of acquiring a control condition that is a return value of the policy function output in the function executing step and adding the control condition to the data access program;
An access control method comprising: an execution step of accessing a data object by executing an access program to which a control condition is added in the control condition addition step. Connected via a network to an attribute management server that manages and stores attribute information related to business servers and a DB access control device that acquires attribute information from the attribute management server, and operates on a DB (database) device that manages data objects In the access control program to
When the business server accesses the data object, a context storage step in which the DB access control apparatus acquires attribute information about the business server acquired from the attribute management server from the DB access control apparatus and stores it in the context storage unit;
A policy function storage step of storing a policy function associated with a data object in a policy function storage unit, wherein the return value is a control condition in which attribute information is embedded;
A program receiving step for receiving a data access program issued by the business server to access a data object;
When the data access program is received in the program reception step, the attribute information stored in the context storage unit in the context storage step is input, and the policy function stored in the policy function storage unit is executed in the policy function storage step And a function execution step for outputting a control condition in which attribute information is embedded as a return value,
A control condition adding step of acquiring a control condition that is a return value of the policy function output in the function executing step and adding the control condition to the data access program;
An access control program causing a computer to execute an execution step of accessing a data object by executing an access program to which a control condition is added in the control condition addition step. In an access control method of a DB access control device that controls access to a data object managed by a DB (database) device connected to an attribute management server that manages attribute information via a network,
A control information acquisition step for acquiring access control information set for the record of the data object;
A control information storage step of storing the access control information acquired in the control information acquisition step in a control information storage unit;
Based on the access control information stored in the control information storage unit in the control information storage step, the attribute information managed by the attribute management server is input, and a policy function is generated that returns the control condition in which the attribute information is embedded. Function generation step,
A function control step of associating the policy function generated in the function generation step with a data object and storing the policy function in a DB. In an access control program that operates on a DB access control device that controls access to a data object managed by a DB (database) device connected to an attribute management server that manages attribute information via a network,
A control information acquisition step for acquiring access control information set for the record of the data object;
A control information storage step of storing the access control information acquired in the control information acquisition step in a control information storage unit;
Based on the access control information stored in the control information storage unit in the control information storage step, the attribute information managed by the attribute management server is input, and a policy function is generated that returns the control condition in which the attribute information is embedded. Function generation step,
An access control program that causes a computer to execute a function control step of associating a policy function generated in the function generation step with a data object and storing it in a DB.

Images