Method of determining access control effect by using policies

7,630,984

11/286948

November 25, 2005

When determining whether or not access by a user should be permitted by using policies, an access control determination device of the present invention expresses the access by the user to the data source with a predetermined path, retrieves an appropriate policy out of stored policies on the basis of the predetermined path, calculates an access permission value on the basis of the predetermined path, calculates an access effect value on the basis of the predetermined path and the policy which the policy retrieving unit has retrieved, and determines whether or not the access by the user to the data source should be permitted on the basis of the access permission value and the access effect value.

Qi, Naizhen (Zama, JP)

International Business Machines Corporation (Armonk, NY, US)

1. A system for determining access control to a structured document, comprising: an access receiving unit coupled to a storage device and configured to express access by a user to a structured document with a predetermined path from the storage device as a path expression upon the user attempting to access the structured document; a policy storing unit coupled to the access receiving unit and configured to store a plurality of policies on a storage device, wherein the plurality of policies comprise a control path expressed with a path language, and a control effect representing whether or not access by the user should be permitted, wherein the plurality of policies is composed of at least one rule; a policy retrieving unit coupled to the storage device and configured to retrieve an appropriate policy out of the plurality of policies on the basis of the predetermined path; and a central processing unit coupled to the policy retrieving unit and configured to: calculate an access permission value on the basis of the predetermined path, wherein the access permission value is a minimum value allowable to permit access to the structured document; calculate an access effect value on the basis of the path expression and the policy retrieved by the policy retrieving unit; and determine whether the access by the user to the structured document should be permitted on the basis of the access permission value and the access effect value, wherein if the access determination unit determines access by the user to the structured document is permitted, providing access to the user to the structured document; wherein: if the plurality of policies are retrieved by the policy retrieving unit, the access-effect-value calculating unit calculates the access effect value by using the plurality of policies retrieved, the central processing unit resolves a control effect conflict by examining the control path, the control effect, and a plurality of access conflict priorities, the access permission value and the access effect value are represented by a character string, and the access determination unit determines whether or not the access should be permitted by comparing the character string values of the access permission value and the access effect value, and the path language comprises Extended Markup Language (XML) Path Language, wherein: the XML Path Language is used for designating a desired part of the structured document, the structured document comprises an embedded index or a non-embedded index, and the XML Path Language determines: a subject type which is receiving access, a subject which is receiving access, the desired part of the structured document which a subject is receiving access, a subject's access permission to the desired part of the structured document when a condition of the subject receiving access and a condition of the desired part of the structured document are satisfied by a data value, wherein the subject's access permission to the desired part of the structured document comprises a determination expression if a data value corresponding to a conditional variable is read out from a structured document and the data value satisfies a content of the determination expression.

2. A method for determining access control to a structured document, comprising: expressing access by a user to a structured document with a predetermined path from a storage device as a path expression upon the user attempting to access the structured document; storing a plurality of policies on a storage device, wherein the plurality of policies comprising a control path expressed with a path language, and a control effect representing whether or not access by the user should be permitted, wherein the plurality of policies is composed of at least one rule; retrieving from the storage device an appropriate policy out of the plurality of policies on the basis of the predetermined path; calculating an access permission value on the basis of the predetermined path using a central processing unit, wherein the access permission value is a minimum value allowable to permit access to the structured document; calculating an access effect value on the basis of the path expression and the policy retrieved using the central processing unit; and determining whether the access by the user to the structured document should be permitted on the basis of the access permission value and the access effect value using the central processing unit, wherein if the access determination unit determines access by the user to the structured document is permitted providing access to the user to the structured document, wherein if the plurality of policies are retrieved by the policy retrieving unit, the access-effect-value calculating unit calculates the access effect value by using the plurality of policies retrieved, wherein the access determination unit resolves a control effect conflict by examining the control path, the control effect, and a plurality of access conflict priorities, wherein the access permission value and the access effect value are represented by a character string, and the access determination unit determines whether or not the access should be permitted by comparing the character string values of the access permission value and the access effect value, and wherein the path language comprises Extended Markup Language (XML) Path Language, wherein: the XML Path Language is used for designating a desired part of the structured document, the structured document comprises an embedded index or a non-embedded Index, and the XML Path Language determines: a subject type which is receiving access, a subject which is receiving access, the desired part of the structured document which a subject is receiving access, a subject's access permission to the desired part of the structured document when a condition of the subject receiving access and a condition of the desired part of the structured document are satisfied by a data value, wherein the subject's access permission to the desired part of the structured document comprises a determination expression if a data value corresponding to a conditional variable is read out from a structured document and the data value satisfies a content of the determination expression.

3. A computer program product for determining access control, the computer program product comprising a computer useable storage medium to store a computer readable program, wherein the computer readable program when executed on a computer causes the computer to perform operations, comprising: expressing access by a user to a structured document with a predetermined path from a storage device as a path expression upon the user attempting to access the structured document; storing a plurality of policies on a storage device, wherein the plurality of policies comprising a control path expressed with a path language, and a control effect representing whether or not access by the user should be permitted, wherein the plurality of policies is composed of at least one rule; retrieving from the storage device an appropriate policy out of the plurality of policies on the basis of the predetermined path; calculating an access permission value on the basis of the predetermined path using a central processing unit, wherein the access permission value is a minimum value allowable to permit access to the structured document; calculating unit calculating an access effect value on the basis of the path expression and the policy retrieved using the central processing unit; and determining whether the access by the user to the structured document should be permitted on the basis of the access permission value and the access effect value using the central processing unit, wherein if the access determination unit determines access by the user to the structured document is permitted providing access to the user to the structured document, wherein if the plurality of policies are retrieved by the policy retrieving unit, the access-effect-value calculating unit calculates the access effect value by using the plurality of policies retrieved, wherein the access determination unit resolves a control effect conflict by examining the control path, the control effect, and a plurality of access conflict priorities, wherein the access permission value and the access effect value are represented by a character string, and the access determination unit determines whether or not the access should be permitted by comparing the character string values of the access permission value and the access effect value, and wherein the path language comprises Extended Markup Language (XML) Path Language, wherein: the XML Path Language is used for designating a desired part of the structured document, the structured document comprises an embedded index or a non-embedded Index, and the XML Path Language determines: a subject type which is receiving access, a subject which is receiving access, the desired part of the structured document which a subject is receiving access, a subject's access permission to the desired part of the structured document when a condition of the subject receiving access and a condition of the desired part of the structured document are satisfied by a data value, wherein the subject's access permission to the desired part of the structured document comprises a determination expression if a data value corresponding to a conditional variable is read out from a structured document and the data value satisfies a content of the determination expression.

4. The system of claim 1 , wherein the subject type which is receiving access is selected from the group consisting of: a group, a user, and a function.

5. The system of claim 1 , wherein the subject which is receiving access is selected from the group consisting of: a group identification, a user identification, and a function identification.

6. The system of claim 1 , wherein the desired part of the structured document which a subject is receiving access to is specified by a plurality of elements in the path expression, wherein the plurality of elements are defined as a path value.

7. The system of claim 1 , wherein the subject's access permission to the desired part of the structured document is selected from the group consisting of: access permitted, access denied, and access possible.

8. The system of claim 1 , wherein the subject's access permission to the desired part of the structured document permits access to a plurality of parts of the structured document lower in a hierarchical level than the designated part of the structured document.

9. The system of claim 1 , wherein the subject's access permission to the desired part of the structured document permits access only to the desired part of the structured document.

10. The system of claim 1 , wherein the policy retrieving unit retrieving an appropriate policy out of the plurality of policies on the basis of the predetermined path uses a retrieving method selected from the group consisting of: a tablemap method, a filtering method, an automation method, and a matching method.

11. The method of claim 2 , wherein the subject type which is receiving access is selected from the group consisting of: a group, a user, and a function.

12. The method of claim 2 , wherein the subject which is receiving access is selected from the group consisting of: a group identification, a user identification, and a function identification.

13. The method of claim 2 , wherein the desired part of the structured document which a subject is receiving access to is specified by a plurality of elements in the path expression, wherein the plurality of elements are defined as a path value.

14. The method of claim 2 , wherein the subject's access permission to the desired part of the structured document is selected from the group consisting of: access permitted, access denied, and access possible.

15. The method of claim 2 , wherein the subject's access permission to the desired part of the structured document permits access to a plurality of parts of the structured document lower in a hierarchical level than the designated part of the structured document.

16. The method of claim 2 , wherein the subject's access permission to the desired part of the structured document permits access only to the desired part of the structured document.

17. The method of claim 2 , wherein the policy retrieving unit retrieving an appropriate policy out of the plurality of policies on the basis of the predetermined path uses a retrieving method selected from the group consisting of: a tablemap method, a filtering method, an automation method, and a matching method.

18. The computer program product of claim 3 , wherein the subject type which is receiving access is selected from the group consisting of: a group, the user, and a function.

19. The computer program product of claim 3 , wherein the subject which is receiving access is selected from the group consisting of: a group identification, a user identification, and a function identification.

20. The computer program product of claim 3 , wherein the desired part of the structured document which a subject is receiving access to is specified by a plurality of elements in the path expression, wherein the plurality of elements are defined as a path value.

707/9

7127461 October 2006 Zhu et al.
2003/0014397 January 2003 Chau et al.
2004/0148278 July 2004 Milo et al.
2004/0193607 September 2004 Kudo et al.
2004/0205089 October 2004 Alon et al.
2004/0213086 October 2004 Terzian
2005/0038783 February 2005 Lei et al.
2005/0050010 March 2005 Linden
2005/0055355 March 2005 Murthy et al.
2005/0076030 April 2005 Hada et al.
2005/0229158 October 2005 Thusoo et al.
2005/0262233 November 2005 Alon et al.
2005/0289150 December 2005 Kudo
2006/0080316 April 2006 Gilmore et al.
2006/0106758 May 2006 Chen et al.
2006/0143557 June 2006 Chan et al.

Bo Luo, Dongwon Lee, Wang-Chien Lee, and Peng Liu, “QFilter: Fine-Grained Run-Time XML Access Control Via NFA-Based Query Rewriting”, Proceedings of the Thirteenth ACM International Conference on Information and Knowledge Management (CIKM'04), USA, ACM, Nov. 13, 2004, pp. 543-552. cited by other
Makoto Murata, Akihito Tozawa, and Michiharu Kudo, “XML Access Control Using Static Analysis”, Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS'03), USA, ACM, Oct. 31, 2003, pp. 73-84 Publication Date: Oct. 31, 2003. cited by other

edspgr.07630984