1. Field of the Invention
This application is based upon and claims the benefit of priority from Japanese Patent Application No. 2007-060581, filed on Mar. 9, 2007, and “A method for access policy negotiation towards secure information sharing crossing over organizations” (Information and Communication System Security, The INSTITUTE OF ELECTRONICS, INFORMATION AND COMMUNICATION ENGINEERS, Feb. 27 and 28, 2007), the disclosure of which is incorporated herein in its entirety by reference.
The present invention relates to a system, a method, and a program for access right management and, more particularly, to a system, a method, and a program for access right management to establish an agreement efficiently and certainly when a plurality of administrators are present.
2. Description of the Related Art
Most conventional access right management systems handle users' access to resources such as computers and network equipment within a single organization, as can be seen in the operation of a corporate business application, an intracorporate LAN, or the like. In recent years, as corporate alliances and industry-academia joint research projects have become more common, there has been increasing interest in sharing resources such as an application server and a storage server across a plurality of organizations, and access right management systems for managing access to such shared resources have been proposed.
An example of such an access right management system is described in Japanese Patent Application Unexamined Publication No. 2006-92073. When a policy regarding a workflow is formulated, this access right management system assists those who are in charge of the tasks that are the constituent elements of the workflow, in arbitrating the order in which the tasks are executed.
Specifically, when a person in charge of a certain task (workflow source) determines a subsequent task (workflow destination), if there are a plurality of candidates for the workflow destination, then the access right management system creates a place of communication, such as a mailing list, between the person in charge of the workflow source and those in charge of the workflow destination candidates, thereby assisting the person in charge of the workflow source in determining the most suitable workflow destination (suitable to the person in charge of the workflow source). In the place of communication, for example, the number of process steps taken before the task (workflow destination) is complete, price, and the like are negotiated, and one task is determined as the workflow destination according to the judgment of the person in charge of the workflow source.
Another example of the access right management system is described in Japanese Patent Application Unexamined Publication No. 2006-506696, which illustrates a method for concluding a service use policy (federated service agreement) between a service-providing device (donor framework) and a service-using device (receiver framework) in a situation where services are used across network domains. Here, the service use policy means data specifically indicating which service the service-using device is authorized to use among a plurality of services provided by the service-providing device.
According to the access right management method described in Japanese Patent Application Unexamined Publication No. 2006-506696, when the service-using device sends the ID of a service it desires to use to the service-providing device, the service-providing device responds to the service-using device with data (service token) indicating the conditions for using the service, such as a service level. Next, if the service-using device determines that the conditions described in the service token are met, the service-using device affixes its digital signature, indicative of an agreement, to the service token and sends the service token back to the service-providing device. Thereafter, the service-providing device also affixes its digital signature to the service token and responds to the service-using device. In this manner, the service token to which the digital signatures of both the service-providing device and the service-using device are affixed is thereafter used as a service use policy formulated under the agreement of both devices.
Moreover, Greenwald, “A new security policy for distributed resource management and access control,” Proceedings of the 1996 workshop on New Security Paradigms, 1996, pp. 74-86, and Vimercati and Samarati, “Access Control in Federated Systems,” Proceedings of the 1996 workshop on New Security Paradigms, 1996, pp. 87-99 disclose methods for formulating and enforcing a policy (access policy) regarding access to a shared service resource such as a database when two or more different organizations (domains) share the service resource. According to any of the methods, an administrator of a certain domain is selected as a representative of a group of domains desiring to use a predetermined shared resource, to centrally formulate an access policy.
In general, an access policy is defined as a list of access policy units, each of which is composed of a set of an access subject, an access object, and an access action. When a plurality of domains share a service resource, as in the policy formulation methods disclosed in Greenwald and in Vimercati and Samarati as examples, a specific domain administrator or third party is entrusted with access right management, as to the formulation of an access policy regarding the shared service resource. Such a scheme, therefore, has a problem of allowing the appointed domain administrator to unfairly formulate a policy that is essentially not accepted by other domain administrators.
Accordingly, the administrators of the domains that are to share the resource need to negotiate an access policy and reach an agreement. However, when negotiating and agreeing on an access policy, at least the following work needs to be done.
(1) A domain administrator creates a draft access policy and proposes it to other domain administrators.
(2) In the proposed draft access policy, each of the other domain administrators identifies the access policy units requiring his or her own approval, and verifies the identified access policy units.
(3) Each of the other domain administrators further makes a reaction to the identified access policy unit, such as approving, rejecting, or making a counterproposal, and presents it to the other domain administrators as in (1).
(4) When every access policy unit is approved by all the domain administrators who are required, the access policy in question is kept by every domain administrator as an agreed access policy.
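As an added illustration of steps (1) to (4) (example code written for this page, not part of the application), the following Python model assumes that an access subject or object is written as "name@domain" and that an access policy unit requires the approval of the administrator of every domain it touches; both are assumptions, not statements of the application.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed model of the four-step negotiation (not code from the page).
# Assumption: a subject/object is "name@domain" and a unit needs approval from
# the administrator of each domain it touches.


@dataclass(frozen=True)
class Unit:
    subject: str  # access subject, e.g. "alice@domA"
    obj: str      # access object, e.g. "db1@domB"
    action: str   # access action, e.g. "read"

    def domains(self) -> FrozenSet[str]:
        return frozenset(x.split("@", 1)[1] for x in (self.subject, self.obj))


class Negotiation:
    def __init__(self, draft: List[Unit]):
        self.draft: List[Unit] = list(draft)       # step (1): proposed policy
        self.approvals: Dict[Unit, Set[str]] = {}  # unit -> approving domains

    def units_for(self, admin: str) -> List[Unit]:
        """Step (2): only the units that require this administrator's approval."""
        return [u for u in self.draft if admin in u.domains()]

    def approve(self, admin: str, unit: Unit) -> None:
        """Step (3), reaction 'approve'; refused for units outside admin's responsibility."""
        if unit not in self.draft or admin not in unit.domains():
            raise ValueError(f"{admin} cannot approve {unit}")
        self.approvals.setdefault(unit, set()).add(admin)

    def counterpropose(self, admin: str, old: Unit, new: Unit) -> None:
        """Step (3), reaction 'counterproposal': replace a unit. Approvals of the
        replaced unit are dropped; the proposer counts as approving the new unit."""
        if admin not in old.domains():
            raise ValueError(f"{admin} cannot counterpropose {old}")
        self.draft[self.draft.index(old)] = new
        self.approvals.pop(old, None)
        self.approvals[new] = {admin} if admin in new.domains() else set()

    def agreed_policy(self) -> Optional[List[Unit]]:
        """Step (4): agreed only when every unit has all required approvals."""
        for u in self.draft:
            if not u.domains() <= self.approvals.get(u, set()):
                return None
        return list(self.draft)
```

Note that `units_for` is what step (2) lacks in the mailing-list approach: an administrator sees only the units that concern his or her domain rather than the whole draft.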
However, none of the above-described conventional access right management methods can guarantee that the work of these four steps is performed efficiently and reliably by the system, because of the following problems.
A first problem is that the efficiency in the negotiation on an access policy between domain administrators is insufficient.
The reason is as follows. According to the access right management method described in Japanese Patent Application Unexamined Publication No. 2006-92073, the efficiency of negotiation is increased by creating the place of communication where the above-described steps (1) and (3) are performed, but the work of step (2) is not included. If an access policy including a large number of access policy units is negotiated, each administrator is presented with a large number of access policy units irrelevant to him or her, which decreases the efficiency of verification.
A second problem is that the presentation of a counterproposal and an alteration after an agreement is established are not considered.
The reason is as follows. The access right management method described in Japanese Patent Application Unexamined Publication No. 2006-506696 is an example of an implementation of the above-described steps (1), (3), and (4), but a method for presenting a counterproposal in step (3) is not mentioned. In addition, when a domain administrator desires to alter part of the access policy after step (4), step (4) needs to be performed again. However, since this access right management method does not consider partial alteration, the negotiation of step (4) needs to be performed again in its entirety, including negotiation on the part that is not to be altered.