(1) Field of the Invention
This invention relates to a computer program, method, and system for access control, and more particularly to a computer program, method, and system for performing access control to resources in accordance with preset access control information prescribing the access control.
(2) Description of the Related Art
In computer systems, the access control function is one of the most basic security functions and is provided at various levels, including the Virtual Machine (VM), Operating System (OS), middleware (MW), and application levels. Based on preset access control policies, the access control function determines whether to permit or deny access to resources. The access control policies specify “who is allowed to use which resources and what privileges they have”.
FIG. 17 shows conventional setting of access control policies.
An administrator A 901 is authorized to set access control policies for an application A 911, and sets an access control policy 931 specifying that “Taro is allowed to access”, which applies to a user “Taro” 903 who will use the application A 911. An administrator B 902 is authorized to set access control policies for an application B 912, and sets an access control policy 932 specifying that “Taro is not allowed to access”, which applies to the user “Taro” 903 who will use the application B 912.
In this way, an access control policy can be set for each unit of processing for which an access control function is executed.
Some applications may require more specific access rights, for example, access rights set according to the hierarchical structure of a structural document. Therefore, an access right setting method has been proposed for easily setting specific access rights, with respect to not only the structural elements of a structural document but also display styles or purposes (for example, Japanese Unexamined Patent Publication No. 2003-281149 (FIG. 1)).
With the conventional access control method, specific access rights can be set at different levels. However, this method has the drawback that administrators set access control policies individually, which causes inconsistency in access rights to resources.
Referring to FIG. 17, consider a case where the user “Taro” 903 accesses a resource X 920. The access control policy 931 set by the administrator A 901 allows the user “Taro” 903 to access the resource X 920. The access control policy 932 set by the administrator B 902 does not allow the user “Taro” 903 to access the resource X 920. That is to say, the user “Taro” 903 cannot access the resource X 920 via the application B 912, but can access the resource X 920 via the application A 911. Such inconsistency of the access control policies may pose a significant risk to the system.
Therefore, for system security, what is crucial is consistency of access control policies in an entire system.
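The inconsistency described with reference to FIG. 17 can be detected mechanically by comparing the decisions of every application through which a resource can be reached. The following is an added example, not part of the original specification; the data model, the function names, the mapping of applications to resources, and "resource Y" are assumptions constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Policy(NamedTuple):
    admin: str        # administrator who set the policy
    application: str  # unit of processing that enforces the policy
    user: str
    allow: bool


# Constructed sample data modelled on FIG. 17.
POLICIES = [
    Policy("administrator A", "application A", "Taro", True),   # policy 931
    Policy("administrator B", "application B", "Taro", False),  # policy 932
]
# Assumption: which resources each application exposes ("resource Y" is constructed).
REACHES = {
    "application A": {"resource X"},
    "application B": {"resource X", "resource Y"},
}


def effective_decisions(policies, reaches):
    """Map (user, resource) -> {application: allow} for every access path."""
    decisions = defaultdict(dict)
    for p in policies:
        for resource in reaches.get(p.application, ()):
            decisions[(p.user, resource)][p.application] = p.allow
    return decisions


def find_inconsistencies(policies, reaches):
    """Return (user, resource) pairs allowed via one application but denied via another."""
    conflicts = {}
    for key, per_app in effective_decisions(policies, reaches).items():
        if len(set(per_app.values())) > 1:
            conflicts[key] = dict(sorted(per_app.items()))
    return conflicts


def effective_access(user, resource, policies, reaches):
    """The user reaches the resource if any single application path permits it."""
    per_app = effective_decisions(policies, reaches).get((user, resource), {})
    return any(per_app.values())


if __name__ == "__main__":
    for (user, resource), per_app in find_inconsistencies(POLICIES, REACHES).items():
        print(f"INCONSISTENT: {user} -> {resource}: {per_app}")
```

The deny set for the application B has no effect on the resource X as long as the application A permits the same user, which is why the check is made per resource rather than per application.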