1. Field of the Invention
The present invention relates to an access control system, access control method, and access control program, and particularly to an access control system, access control method, and access control program which are capable of performing access control when a user who belongs to plural organizations or the user's device accesses a shared resource.
2. Description of the Related Art
There have been proposals concerning access control systems and functions usable in those systems (for example, refer to JP-A-1999-313102 (page 6, FIG. 1), JP-A-2003-140968 (pages 3 to 6, FIG. 5), JP-A-2003-241901 (pages 3 to 6, FIG. 2), and JP-A-2003-316742 (pages 3 to 6, FIG. 1)).
According to an access control list generation method disclosed in JP-A-1999-313102, an access control list describing accessing subjects and accessed objects is generated from access control rules describing constraint conditions based on types of accessing subjects, types of accessed objects, and organization structures. Further, the access control list generation method includes and uses subject type group information, object type group information, and organization structure information to generate only those access control lists that satisfy the constraint conditions. The subject type group information relates subjects (which are accessing) directly to subject types, and the object type group information relates objects (which are being accessed) directly to object types. The organization structure information expresses the relations between the subjects, objects, and organizations in the form of one single tree structure.
A storage device disclosed in JP-A-2003-140968 is set on a network and permits only accesses at registered time points from registered locations, and prohibits all other accesses, according to a schedule management table showing when and where specific users are present.
A disk sharing control method disclosed in JP-A-2003-241901 uses a table on which a logical address is assigned to each accessing device and the logical address is converted into a physical address expressing a position on a specific physical disk device. Access control is thereby made possible on the basis of shared status of the physical disk device shared between the accessing devices.
According to an anonymous communication method disclosed in JP-A-2003-316742, user identification information attached to packets is replaced with a user authentication result and a transmission destination. At this time, the method uses an authentication means based on an ID and a password for every user, a means for distinguishing settable contents depending on the authentication result, a means which manages correspondence between a pair of a transmission source and a transmission destination and user authentication information, as a user identification information transmission policy, and a means which provides an interface for setting the user identification information transmission policy.
Conventional access control systems have the problem that access control is impossible for a user group which includes, as a member, a user who belongs to plural organizations. For example, in the access control list generation method disclosed in JP-A-1999-313102, user groups, the users who are members of the user groups, and the organization structure between user groups are expressed in the form of a tree structure. Each member is compelled to belong to only one user group. Therefore, access control is impossible with respect to any access from a user group which includes, as a member, a user who belongs to plural groups.
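The following is an added illustration, not code from the cited publications or from the present invention, of the conventional generation scheme described above: subjects and objects are mapped directly to one type and one organization, organizations form a single tree, and only the list entries satisfying a rule's constraint are emitted. All names, organizations, rules, and the "same"/"ancestor" constraint kinds are constructed for the example; the last function shows the single-membership restriction that the tree model imposes.

```python
# Constructed model of the inputs to a JP-A-1999-313102 style ACL generator
# (hypothetical names and values, not taken from the cited publication).

# Organization structure information: one tree, each organization has exactly one parent.
ORG_PARENT = {"company": None, "sales": "company", "dev": "company"}

# Subject type group information: each subject maps directly to one type and one organization.
SUBJECTS = {"alice": ("engineer", "dev"), "bob": ("manager", "company")}

# Object type group information: each object maps directly to one type and one organization.
OBJECTS = {"design.doc": ("document", "dev"), "forecast.xls": ("sheet", "sales")}

# Access control rules: (subject type, object type, organizational constraint, permission).
# "same" requires subject and object in the same organization; "ancestor" lets a subject in
# a parent organization reach the objects of its descendant organizations.
RULES = [
    ("engineer", "document", "same", "read"),
    ("manager", "*", "ancestor", "read"),
]


def lineage(org, parent=ORG_PARENT):
    """Return org and all of its ancestors up the single tree, nearest first."""
    chain = []
    while org is not None:
        chain.append(org)
        org = parent[org]
    return chain


def constraint_holds(kind, subj_org, obj_org):
    if kind == "same":
        return subj_org == obj_org
    if kind == "ancestor":
        return subj_org in lineage(obj_org)
    raise ValueError(f"unknown constraint kind: {kind}")


def generate_acl(subjects=SUBJECTS, objects=OBJECTS, rules=RULES):
    """Emit only the (subject, object, permission) entries that satisfy some rule."""
    acl = set()
    for subj, (s_type, s_org) in subjects.items():
        for obj, (o_type, o_org) in objects.items():
            for r_stype, r_otype, kind, perm in rules:
                if r_stype == s_type and r_otype in ("*", o_type) and constraint_holds(kind, s_org, o_org):
                    acl.add((subj, obj, perm))
    return acl


def assign_subject(subjects, name, s_type, org):
    """Register a subject; the tree model admits exactly one organization per member."""
    if name in subjects and subjects[name][1] != org:
        raise ValueError(f"{name} already belongs to {subjects[name][1]}; the tree model allows only one")
    subjects[name] = (s_type, org)
```

Attempting to place "alice" in both "dev" and "sales" is rejected by `assign_subject`, which is the limitation the paragraph describes: a member cannot be expressed as belonging to plural organizations.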
When updating an access control list, the efficiency of the update should preferably be improved by deleting or generating only that part of the access control list which needs to be changed. However, conventional access control methods and access control devices cannot specify the range in an access control list that needs to be changed. Therefore, conventional methods and devices have not achieved efficient updating of an access control list.