With growing attention to compliance in recent years, many companies enforce thorough access control in their own work systems. As seen in an OS access mechanism such as the Unix (trademark) file system, a typical access control rule is described as a combination of three items of information: the “subject”, such as an employee using a work system; the “object”, such as a file provided by the work system; and the “action”, such as read/write, which is the method for accessing the object. The rule is then applied to an access control mechanism.
The problem is that as the numbers of employees and work files increase, the load on a manager who describes and manages the access control rules also increases. Role-based access control (RBAC) is well known as one solution to this problem. An RBAC access control rule describes a set made of a “role” of employees, such as a department or responsibility, and the object/action pairs that the role is permitted to access.
Describing the rules in units of role rather than in units of subject further limits the growth in the number of rules, so the load on the manager is reduced. To avoid confusion, an access control rule made of the combination of “subject”, “object” and “action” is called an ACL (Access Control List), and an RBAC access control rule is called an RBAC policy or simply a policy.
In order to apply a set of RBAC policies to the access mechanism, the set of policies needs to be converted into a single ACL description. A conventional RBAC system describes only positive policies, that is, only “permitted rights to access” for predetermined roles. The RBAC policies can therefore be converted into a single ACL by simply calculating, for each policy, the direct product S×OA of the subject set S having the role associated with that policy and the set OA of object/action pairs, and linking the results in an arbitrary description order.
However, in policy management work, it may be desirable to describe negative policies as well, that is, “prohibited rights to access” for predetermined roles.
For example, it may be desired to describe a positive policy for a larger subject set, such as “persons in the accounting department may access accounting files on the common server (policy 1)”, and additionally, as an exceptional policy, a negative policy for a smaller subject set, such as “persons who also belong to another department cannot access accounting files (policy 2)”.
The conversion into a single ACL then amounts to identifying, from a policy set that contains both positive and negative policies, which combinations of subject, object and action are to be permitted and which are to be denied. Patent Document 1 describes a method for stratifying the policy sets and deciding the combinations of subject, object and action to be permitted or denied based on the hierarchy structure.
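
The following added example (not part of the original text) expands policy 1 and policy 2 into ACL entries by the direct product S×OA and reports which entries change their decision when the description order is reversed, which is why an arbitrary order is only safe for positive-only policy sets. The role members, file name, and first-match evaluation with default deny are assumptions made for illustration; the page does not specify how the access mechanism evaluates an ACL.

```python
from itertools import product

# Constructed sample data (assumed for illustration, not from the original text).
ROLE_MEMBERS = {
    "accounting": {"alice", "bob"},
    "dual_dept": {"bob"},  # bob also belongs to another department
}
ACCOUNTING_OA = {("ledger.xls", "read"), ("ledger.xls", "write")}

# A policy is (effect, role, set of (object, action) pairs).
POLICY_1 = ("permit", "accounting", ACCOUNTING_OA)  # positive policy
POLICY_2 = ("deny", "dual_dept", ACCOUNTING_OA)     # negative, exceptional policy


def expand(policy):
    """Expand one RBAC policy into ACL entries via the direct product S x OA."""
    effect, role, oa = policy
    subjects = ROLE_MEMBERS[role]
    return [(s, o, a, effect)
            for s, (o, a) in product(sorted(subjects), sorted(oa))]


def to_acl(policies):
    """Link the expanded policies into a single ACL in the order given."""
    acl = []
    for policy in policies:
        acl.extend(expand(policy))
    return acl


def decide(acl, subject, obj, action):
    """Assumed evaluation: first matching entry wins, default deny."""
    for s, o, a, effect in acl:
        if (s, o, a) == (subject, obj, action):
            return effect
    return "deny"


def order_sensitive(policies):
    """Triples whose decision differs when the policy order is reversed."""
    fwd = to_acl(policies)
    rev = to_acl(list(reversed(policies)))
    triples = {(s, o, a) for s, o, a, _ in fwd}
    return sorted(t for t in triples if decide(fwd, *t) != decide(rev, *t))


if __name__ == "__main__":
    print("positive only :", order_sensitive([POLICY_1]))
    print("mixed policies:", order_sensitive([POLICY_1, POLICY_2]))
```

With only policy 1 the result is empty, so any linking order gives the same ACL decisions; once policy 2 is added, every entry for the subject covered by both policies depends on the order.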