A document described in XML (XML document) can be expressed by a tree structure including elements and attributes. Conditions for this tree structure can be described by use of a schema. Therefore, by use of this schema, it is possible to create such a system as to permit only an XML document having a tree structure satisfying specific conditions (as to the schema, for example, refer to Makoto Murata, “XML[I]-XML Schema and Relax-”, The Institute of Electronics, Information and Communication Engineers, December, 2001, Vol. 84, No. 12, p. 890-894).
In a database handling the XML document (XML database), not only a document is retrieved but also elements and attributes in the XML document can be selectively retrieved while placing limitations thereon. For example, processing such as retrieval of all elements representing paragraphs (elements represented by <p> . . . </p>) is possible. As a method for describing retrieval conditions, the W3C (World Wide Web Consortium) recommendation as XPath is widely used.
Moreover, in the XML database, not only the elements and attributes are retrieved but also a new XML document can be created by use of the retrieved elements and attributes. As a query language including such a function, a specification as XQuery has been designed by the W3C. XQuery uses XPath as a mechanism for retrieving the elements and attributes.
Furthermore, as to a case where it is required, in the XML database, to access the elements and attributes which constitute the XML document, as a concrete example, an XML document expressing a list of employees of a certain company is considered. For each of the employees, his/her annual salary and employee number are indicated. The employee, salary and employee number are assumed to be represented by an employee element, a salary element and a number element, respectively. In an XML database storing such an XML document, no particular limitation is required for an access to the number element. However, in some cases, an access to the salary element must be limited to some people. A description of who can access which elements or attributes is called an access control policy. A user describes the access control policy and gives the policy to the XML database. With respect to an access request for the XML document, the XML database utilizes the given access control policy and decides whether an access to elements or attributes is permitted or denied.
There is XACL (XML Access Control Language) as a language for expressing the access control policy (as to XACL, for example, refer to Michiharu Kudo and Satoshi Hada, “XML Document Security based on Provisional Authorization”, Proceedings of the 7th ACM Conference on Computer and Communications Security, November, 2000, p. 87-96). In language specifications of XACL, described is an algorithm for deciding whether an access is permitted or denied for a given access request. This algorithm performs the decision for one predetermined node. Therefore, when XPath or a retrieval by XPath accesses plural nodes, this algorithm is executed once for any of the nodes.
As described above, in the XML database, it is required to decide whether the access to elements or attributes is permitted or denied for the access request, by use of the given access control policy. In order to improve this performance of the XML database, it is required to perform an access right decision at high speed.
However, an access right decision algorithm described in the language specifications of XACL that is the language for expressing the access control policy is not rapid. Moreover, as described above, in an actual access right decision, processing by this algorithm is repeated for many nodes. Thus, execution performance of the algorithm is not practical.
Note that, in the foregoing conventional technology, XPath and XQuery are enumerated as methods for describing the retrieval conditions of the XML database. However, there are other methods than the above-described, including one similar to XPath (called a path expression) and one similar to XQuery (called a query expression). However, all XML databases by the methods described above are similar to each other in the point that processing is executed taking such a procedure as below.
When
path expression (or query expression including path expression)
XML document
are given,
node in XML document (element/attribute/text)
is retrieved. Thereafter, it is decided whether access to the retrieved node is permitted by referring to
access control policy
Therefore, by any of the methods, if there are, for example, 1000 elements or attributes retrieved, this decision is repeated by 1000 times. Thus, it is a common problem that this processing takes an enormous amount of time.
Consequently, the present invention has an object to realize an access rights analysis in a database handling a data file, in which a structured document such as an XML document is described, without checking the data file itself and/or its node and to improve retrieval performance of the database.