The present invention relates to a system for performing access control and providing services, and more specifically to an access control method that can accommodate a distributed system in which shared resources are operated and data is read, such as the provision of services and access to equipment in a wide-area distributed monitoring and control system or in public facilities.
With the spread of networks, the number of systems that provide data stored in equipment or a computer system, and that provide services in response to operations on those systems, is increasing. Examples of such systems include a system for performing monitoring, control and maintenance from a remote site, and an information-providing service system that uses public terminals. In such systems, in order to control operations by a plurality of persons and to prevent unauthorized reading of data, it is essential to control access to the equipment and the computer system and to restrict the services to be provided.
Conventional techniques for restricting services include a method for limiting access sources by means of an access control list, described in “Object Management Group, CORBA® Service: Common Object Service Specification, CORBA Security, December 1995, Document Number 95-12-1”, and a method for performing exclusive (mutual-exclusion) control to avoid conflicting operations by a plurality of accessing persons. Encryption is a means for preventing unauthorized reading of data; in particular, there is encryption in which, in addition to specific operators being permitted, operators are permitted access under the joint agreement of a plurality of operators or the consent of a supervisor. As a method for granting such permission, there is a secret sharing method in which the data can be decrypted only when a plurality of permitted persons are present. This technique is described in “Secret Distribution Sharing Method,” Modern Cryptography and Magic Protocol, separate volume of Mathematical Sciences, pp. 76-83, September 2000, SAIENSU-SHA Co., Ltd.
In the distributed system mentioned above, permission or refusal of an operation on equipment is commonly not determined statically; rather, it may change according to dynamic factors such as the kinds of participants and the composition of the participants. Examples are the following cases.
A case where a maker's person in charge who has no access right is permitted access when a maintenance or recovery operation must be performed immediately.
A case where even a person having the access right is not permitted access unless a particular person with specific authority is monitoring the access, as when a trainee is permitted to perform operations only under the monitoring of a trainer, or a maker's person is permitted to perform maintenance only while a system administrator is monitoring it.
A case where, if a third person enters the system, monitoring and operations are stopped.
Further, the configuration of a group of apparatuses that cooperate with one another to provide a certain service may change. Moreover, because the constituent apparatuses are linked with one another over a network, an apparatus to be operated is often operated as a single constituent apparatus of that group. In this situation the system must perform exclusive (mutual-exclusion) control among a plurality of apparatuses sharing resources such as hardware and a communication path, and must judge whether or not the service can be provided depending on the configuration of the group of apparatuses.
The above-mentioned conventional technology cannot cope suitably with these situations, and hence the following points become problems.
First, when the access right list is changed each time an access right must be granted to a person who was not originally registered, or set for an apparatus whose configuration has changed, registration of access rights and the like becomes complicated. On the other hand, a scheme in which all operations are performed via a privileged person is beyond the capability of the system.
Second, when the authorized person list is modified temporarily by the privileged person and the privileged person forgets to restore the normal setting, or the privileged person's connection is interrupted, the list is not maintained and the risk of unauthorized access increases. Thus, the conventional technology does not consider restricting the reading of data that was once permitted but has ceased to be permitted because the service user apparatuses and the service providing apparatuses, which are the participants, changed dynamically.
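As an added illustration that is not part of the patent text, the following Python models the dynamic cases listed above (emergency admission, required supervisor, third person present) together with the second problem: a decision is recomputed from the participants present at the moment of each request, so a permission that depended on a supervisor lapses the instant that supervisor disconnects, whereas a temporarily edited access right list keeps its entry. The names, roles and policy tables are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Participant:
    name: str
    role: str  # e.g. "operator", "trainee", "trainer", "admin", "maker", "unknown"


# Hypothetical policy tables, constructed for this example.
ACCESS_RIGHTS = {"alice", "tom", "bob"}          # statically registered persons
SUPERVISION = {"trainee": {"trainer"},           # role -> roles that must be watching
               "maker": {"admin"}}
EMERGENCY_ROLES = {"maker"}                      # admitted without a right in an emergency


def decide(requester, present, emergency=False):
    """Evaluate one request against the participants present right now."""
    others = {p.role for p in present if p != requester}
    if "unknown" in others:                      # a third person entered: stop operations
        return False, "third person present"
    if requester.name not in ACCESS_RIGHTS:
        if emergency and requester.role in EMERGENCY_ROLES:   # urgent recovery work
            return True, "emergency override"
        return False, "no access right"
    needed = SUPERVISION.get(requester.role)
    if needed and not needed & others:           # supervisor must be watching now
        return False, "supervisor absent"
    return True, "permitted"


def reevaluate(requester, snapshots):
    """Re-run the decision for each successive set of participants present."""
    return [decide(requester, present)[0] for present in snapshots]


def static_acl_after_supervisor_leaves():
    """The conventional scheme: the privileged person edits the list by hand."""
    acl = set(ACCESS_RIGHTS)
    acl.add("carol")         # admin grants a maker temporarily, then disconnects
    # nothing revokes the entry, so the grant outlives the supervision
    return "carol" in acl
```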
Third, in the conventional technology in which an access control right is set for each service providing apparatus, if the apparatuses depend on one another it is difficult to judge, taking these dependencies into account, whether access control shall be applied and whether provision of the service is permitted.