1. Field of the Invention
The present invention relates to a method of determining an access control effect by using policies. More particularly, the present invention relates to means for determining an effect when a user attempts to access the data stored in a database server, and a method thereof.
2. Background Art
Data to be processed has conventionally been acquired by accessing a database server that stores the data. In this access, the user uses a computer terminal, which is a client, to acquire the data by accessing the database server via a Local Area Network (LAN) and/or the Internet. The stored data is described in eXtensible Markup Language (XML) or Hyper Text Markup Language (HTML). In particular, a document described in XML is referred to as an XML document. The XML document is known as a hierarchically structured document which can be structured according to the intention of an information provider. Such XML documents are widely used in databases ranging from large-scale ones, such as a genome information database, to small-scale ones, such as medical records.
In some cases, an administrator of the database configures the XML documents so that, when a user accesses the database, the access is denied depending on the user. For example, an administrator of a medical records database in a hospital has to perform control so that a patient cannot access his/her own medical records data.
Specifically, a method is known in which access control is performed by the use of a rule referred to as a policy. For example, the policy is determined on the basis of names, job titles, sections and the like of users.
Then, by the use of the policy, access control is performed for each file or each folder, as in the Windows (registered trademark) file system. This prevents a user or a group of users without permission from accessing the relevant file or folder.
However, there are cases where control is required in which a user is permitted to access one part of a file and denied access to the remaining part of the file.
For example, assume that medical records are created as one XML document and stored in a database. In this case, it is preferred that doctors can access the whole medical records information, but interns can access only the diagnostic information of patients. However, with the access control method described above, the policy can be set only on a file-by-file basis. Accordingly, it is impossible to perform access control with respect to a part of the XML document.
As a method for solving such a problem, a control device enabling access for each internal structural unit of an XML document is known (Japanese Patent Laid-Open No. 2001-273285, hereinafter referred to as Patent Document 1). In Patent Document 1, an access control device which controls access for each internal structural unit of a document by incorporating policies into an XML document is disclosed. The XML document of Patent Document 1 includes records which are data of a database, and policies each of which is set for each of the records. When a user accesses a part of the XML document, the access control device reads the incorporated policies and controls the access.
However, this access control device is not suitable when the number of records in the database is large. This is because when the number of records in a database increases, the number of policies for controlling the access to the records also increases, and thus the XML document becomes very large.
For example, with regard to genome information, in some cases the data size of the record of an XML document becomes one gigabyte or more. In addition, a large number of users of enterprises, academic societies and the like access the XML document. Accordingly, it is necessary to set the policy for each of the large number of users who access the XML document, and the data amount of the policies becomes enormous. Therefore, both the data amount of the record and the data amount of the policies become enormous, and the file of the XML document becomes very large.
Under the circumstances, a method of separating policies from an XML document and making the policies into a database is known (Naishin Seki, Michiharu Kudo, “Access Control Model Using Pathtables for XML Database”, Computer Security Group, Information Processing Society, Nov. 14, 2003; hereinafter referred to as Naishin Seki). Naishin Seki discloses a method of constructing the policies as a table database (hereinafter referred to as “the tablemap type database”). The tablemap type database is composed of path expressions for designating specific parts of an XML document, and conditions respectively corresponding to the path expressions. When a user makes access, the access control device calculates a path expression corresponding to this access request. Then, the access control device reads out an effect corresponding to the path expression from a table, and determines whether or not the access to the part of the XML document designated by the path expression should be permitted.
When the tablemap type database as described above is used, there are cases where more than one policy (hereinafter, a policy in the tablemap type database is referred to as “the entry”) is used to determine whether or not the access by the user to a part of the XML document should be permitted, so that a plurality of entries are retrieved. Consider, for example, the case where Daniel, who belongs to the accounting department, attempts to access /accounting_department/payslip. A system retrieves a policy, “Daniel can access /accounting_department and all the paths under /accounting_department,” as the first policy. The system also retrieves a policy, “Daniel cannot access /accounting_department/payslip,” as the second policy. When a plurality of policies have been retrieved in this way, the plurality of entries are checked individually, and whether or not the access by the user should be permitted is determined. Accordingly, in a system in which a large number of policies are set, the number of entries retrieved by the system can become massive. In this case, the complexity of computation for determining the accessibility becomes high.
In the meantime, in addition to the tablemap method, there is a method called “the matching method,” in which the access is determined by using policies employing a tree structure. With this method, it is possible to reduce the data amount of the policies as compared to the tablemap method by constituting the policies as tree-structured data.
Even in the case of using the matching method, when the number of retrieved policies is large, the computational complexity required to determine the accessibility becomes high. This will be explained by using FIG. 6. FIG. 6 shows an example of an algorithm used to determine the accessibility in the matching method. Here, a path language is used in order to designate a part of an XML document. Specifically, Pi is a path, that is, an index concerning the object the access to which is controlled by policies; the index includes information on the name of a user who is a subject under the control, and on a position in the XML document which is an object the access to which is controlled. In Pi=/e1/e2/e3/ . . . /e1+1, ei corresponds to a node, which is the user name or the position in the XML document described above. The policy includes the path and an access control effect Q. The access control effect is information concerning the accessibility, such as access possible, access impossible, and the like.
FIG. 6 shows an algorithm used when the path is constituted of n nodes, and the number of access control effects (the number of policies) is Q. In this algorithm, the calculation loops as many times as there are nodes, and in each iteration, the calculation loops as many times as there are access control effects, so that the total computational complexity becomes n|Q|. In other words, when the access control is performed by using policies, the calculation is performed n|Q| times to determine the access control effect indicating the accessibility. In the case of a database having a large number of policies, or a database having a large number of nodes (which is a huge XML document, and is a database having many Objects described later), the computational complexity becomes enormous, and the efficiency of the database is reduced.
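As an added illustration (not part of the original document, and not the algorithm of FIG. 6), the following Python example evaluates the Daniel case with table-style entries and counts comparisons, so that both the plurality of retrieved entries and the n|Q| cost are visible. The Entry fields, the sample entries, the default-deny fallback and the rule "the most specific path wins, deny wins a tie" are assumptions made for this example; the document does not state how conflicting entries are combined.

```python
from typing import NamedTuple

class Entry(NamedTuple):
    subject: str     # user the entry applies to
    path: tuple      # node names of the path expression
    recursive: bool  # True: also covers all paths under `path`
    effect: str      # "permit" or "deny"

# Constructed sample entries modelled on the Daniel example in the text.
ENTRIES = [
    Entry("Daniel", ("accounting_department",), True, "permit"),
    Entry("Daniel", ("accounting_department", "payslip"), False, "deny"),
    Entry("Erika", ("accounting_department", "payslip"), False, "permit"),
]

def split_path(path):
    """'/a/b' -> ('a', 'b')"""
    return tuple(p for p in path.split("/") if p)

def decide(subject, path, entries=ENTRIES, default="deny"):
    """Return (effect, matched_entries, comparisons) for one access request."""
    nodes = split_path(path)
    matched, comparisons = [], 0
    for depth in range(1, len(nodes) + 1):   # n iterations, one per node
        prefix = nodes[:depth]
        for entry in entries:                # |Q| iterations per node
            comparisons += 1
            if entry.subject != subject or entry.path != prefix:
                continue
            # An ancestor entry applies only if it covers its descendants.
            if depth == len(nodes) or entry.recursive:
                matched.append(entry)
    if not matched:
        return default, matched, comparisons  # assumption: default deny
    # Assumption: the deepest matching path wins; deny wins at equal depth.
    best = max(matched, key=lambda e: (len(e.path), e.effect == "deny"))
    return best.effect, matched, comparisons

if __name__ == "__main__":
    for request in ("/accounting_department/payslip",
                    "/accounting_department/ledger",
                    "/sales/report"):
        effect, hits, cost = decide("Daniel", request)
        print(f"{request}: {effect} ({len(hits)} entries, {cost} comparisons)")
```

With three entries and a two-node path, every request costs 2 × 3 = 6 comparisons regardless of how many entries actually match, which is the growth the text attributes to large policy sets and deep documents.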