From the viewpoint of computer security, generally, access control of resources that serve as information sources has long been exercised (such as data file or directory). For this access control, the access control rule applied is used to limit the users who are permitted to access predetermined computer resources and to specify which contents users can access (the type of executable process). Based on this rule, an access request submitted by a user is evaluated and a determination is made as to whether access should be granted or refused. a specific example of access control is provided by UNIX, one of the OSs (Operating Systems). In UNIX, access control is implemented by using file system permissions settings and user IDs. Aside from a permission mode entry, a file system permissions setting has three subject parts: owner, owner's group, and all others. These subject parts are further broken down into permissions types used to permit or inhibit the reading of a file (read), the writing of a file (write), and the execution of a file (execute).
Only a root user who owns all of these rights can exercise them without any limitations. In addition, normally only the root user, the super user who possesses all the rights, can access all data and is not limited to only that data which is provided for a user ID. This is determined by the access control rule that is the most significant and fixed. The root user can not assign only a part of his or her rights to another user. Thus, when a strong right that is owned by the root user is to be provided for another user, all the root rights must be allocated.
As another example of access control, application software can control access to an object managed by the software. For example, Notes, by Lotus, is well known as application software that can flexibly control access for multiple classes of objects, such as a database, a view, a form, a document.
The right to change the access control rule employed by Notes is permanently provided only for the role of database manager. That is, a user need only be permitted to assume the role of database manager, so that essentially, everybody can change the access control rule. However, this application software can not provide access control whereby the alteration right is provided only for certain parts of the object classes, but is not provided for others.
As in the above described example, a conventional access control system only provides, for a user, either all access rights afforded by an access control rule, or absolutely no access rights.
Conventionally, BJS is known as a technique concerning a language used to write the access control rule. According to BJS, a rule for controlling access to an access control rule can be managed based on an administration right. There are two types of administration rights: “administer” and “adm-access”. The administer can prepare all the access control rules, including the administration right, and the adm-access can prepare access control rules including rights (“select” and “create”) other than the administer rights and the adm-access right. For example, assume that the following access control rule exists for Alice who has the adm-access right.
<Alice, select, adm-access, strong, table1, Trent>
This access control rule means that Alice can generate or delete an arbitrary access control rule so far as the “select” operation of “table1” is concerned. For example, <Employee, select, +, table1, Alice, strong>can be prepared, which is a rule indicating that Employee holds a right concerning the “select” operation for “table1”, and that the creator of this right is Alice. As another example, assume that the following access control rule exists for Bob who holds the “administer” right.
<Bob, select, administer, strong, table1, Trent>
This access control rule means that Bob can assign the right for preparation of the access control rule to another person, so far as the “select” operation of “table1” is concerned. For example,
<Carol, select, adm-access, strong, table1, Bob>can be prepared, which is a rule indicating that, so far as the “select” operation for “table1” is concerned, Carol has the right to prepare an access control rule for this “select” operation, and that the creator of this rule is Bob.
By using BJS, a rule for controlling access to an access control rule can be written in the above described manner. It should be noted that different formats are employed for writing an access control rule and the administration right, which is a rule for controlling access to an access control rule.