1. Field of the Invention
The present invention relates to a file-access control apparatus and a program, both designed to perform an access control for protecting document files in an appropriate manner. For example, the invention relates to a file-access control apparatus and a program, which can achieve an active control in accordance with the actions performed on document files and which can alter the control on accesses to document files.
2. Description of the Related Art
In recent years, the access control technology of controlling actions on specific information or processes in accordance with authorization data has become more and more important. This technology provides a system which can receive a request for an action on personal information or for an authorization processes and which can determine, in response to the request, whether the person who has made the request to perform the action should be allowed to perform the action, from the authorization data that person (i.e., subject) has and the access control rule or access control policy that shows the authorization data and an action-permission/rejection pattern.
The access control policy is generally regarded as a set of access control rules. Standard specifications of describing access control policies have been disclosed to the public and are now widely used. (See, for example, Tim Moses, “extensible Access Control Markup Language (XACML) Version 2.0,” [online], [retrieved Oct. 1, 2007], the Internet URL:http://docs.oasis-open.org/xacml/2.0/XACML-2.0-OS-NORMATIVE.zip.) This exemplified standard specification describes some additional elements that define obligations. Each obligation is, generally, described as a “must or should execute specified operations.” In this standard specification, however, each definition for each particular obligation is not defined in detail. Further, neither a guideline for handling the access control policy (including the obligations) nor a method of processing evaluation results is defined in this standard specification.
On the other hand, a method of controlling the access to document files is available, in which the authorization data is given as security attribute. In this method, the authorization data that authorizes the access to, for example, document files, is described as an action-permission/rejection, such as “permit to read” or “deny to modify,” and is allocated to the user. Authorization data of this type is known as “access control matrix” or “access control list.” Jpn. Pat. Appln. KOKAI Publication No. 2005-56418, for example, discloses a method of imparting authorization (rule), as “security container,” to document files.
With the action-permission/rejection system, however, it has become difficult to describe detailed, flexible access control items, such as access time permitted, access locations permitted and more detailed access restriction. Recently, an access control system of access control policy type that can describe more detailed access control contents is required in the field where an access control policy, a license, or the like is required, particularly in the field of ordinary document applications.