The present invention relates to access control for a data aggregation, and more particularly to access control for an organized information aggregation such as forms.
Form-type (i.e. document) data is mostly created with the following hierarchical structure. For example, a “form” is composed of one or more “records”, and a “record” is composed of one or more “fields”. Information such as a form, which has a hierarchically arranged structure, is likely to have different security levels depending on whether it exists alone or a plurality of such items are aggregated. Such form-type data is utilized in companies whether they use a paper or an electronic infrastructure. This form-type data has the following features.
- Data has a strong association between rows and columns.
- Data is arranged two-dimensionally, so that the tendency of the individual data can be inferred once the entire form, or all or part of its rows and columns, is obtained.
- Though the data in a single cell is of little importance by itself, cells become more important when they are aggregated.
According to these features, it is believed that form-type data needs particular security countermeasures that are different from those for normal documents. That is exactly access control (security) for an “information aggregation”.
In banks, for example, requests for monetary processing are brought in from companies as form-type documents. For example, a request for salary deposits uses plural entry documents. (Table 1 in FIG. 11, though not a salary deposit, is a simple example of a plural entry document.) Though the document shown in Table 1 is a very simple example, actual documents list the names of employees subject to a salary deposit, names of banks, names of bank branches, account numbers, salary amounts, etc. Among this information, a single cell in the column “names of banks” viewed alone (for example, “XYZ bank”) is common information and is not considered so important in terms of security. However, once it is associated with an employee number, a bank branch name, an account number and the salary amount, it becomes private information, and its security level becomes very high. Hereinafter, we will refer to a lateral row as a “record”, a longitudinal column as a “column”, and a cell (rectangular area) of each table as a “field”.
Also in the case of the salary amount, the sole existence of the figure may not constitute private information because it is not known which employee it belongs to, so its security level is not considered so high. However, an aggregation of the salary amounts of all members can become important information as an index of the company's circumstances, even though it is not known which employee each salary belongs to, so that its security level becomes much higher than that of a salary amount alone.
In banks, many employees can access this information based on business necessity. However, the necessary information varies according to business affairs, and the authority to access information or an information aggregation should vary according to duty position. For example, consider the case of inputting a company's request for salary deposits into a bank's host database. In terms of security, even the operators preferably should not see the private information or the information showing the scale of the business. However, the minimum information needed for an operation must necessarily be seen.
The minimum information required by an operator is the information written in one cell. Therefore, the operator necessarily has the authority to read a cell. Those who manage the input affairs want to avoid operators unnecessarily seeing information with a high security level. Thus they attach an access control entry such as “unreadable to an operator” to records, columns and forms with higher security levels. This access control method is effective if an operator requests access in units of a record, a column, a form, etc. However, if the operator requests access to several cells which together yield information equal to that of a record, a column or a form, proper access control cannot be done.
Conventional access control lists the operations that a “subject” is allowed to perform on an “object” (this list is called an “access control list”), and access is controlled by referring to that list. However, with these methods it was difficult to represent access control for an aggregation of objects that differs from the access control for an object alone.
Alternatively, there is a technique for posting fields of a form. Posting fields of a form is, for example, an operation to create one form (a plural entry form) from plural forms (such as single entry forms) according to a particular rule. With the conventional posting technique, the security level of the completed form is not particularly considered. More specifically, the security level of the form on the posting side depends on the security management function of the database that stores it, and no function has been found that sets a security level based on the security level of the posting side in terms of an information aggregation, such as the records and columns of a completed form.
Also in the field of databases, research has been done on the difference in security levels between a primitive operation and an operation by a composite function. The primitive operation has the higher security level, so when an operator with a security level lower than a predetermined level wants to perform a primitive operation on data, the operation can only be performed through a composite function that encapsulates it. However, this is management of operations, not management of the security level of a data aggregation.
It is therefore an object of the present invention to provide a method and system for access control for an information aggregation in order to solve the problems mentioned above.
It is another object of the invention to provide a method and system for performing access control for plural objects which is different from access control for an object alone.
It is a further object of the invention to provide a method and system for performing the management of security levels for a data aggregation.
It is a further object of the invention to provide a method for setting a security level for an information aggregation to perform proper security enforcement.
It is a further object of the invention to provide a program storage medium for storing a program for performing the method for management of access control and security levels described above.
In a first aspect of the present invention, an information offering system for providing a controlled information aggregation according to the security level of the information requester comprises (1) a class manager for storing the information by dividing it into hierarchical classes, wherein each class includes a policy showing how to treat the information according to the security level, and information generating rules showing how to generate the information; (2) a shared data space for temporarily storing information; (3) an instance generator for generating new information based on the information generating rules and writing it in the shared data space; (4) security enforcement for providing the information with control complying with the policy relating to the information in the shared data space; and (5) a monitor means for monitoring the writing and generation of the information in the shared data space, wherein the monitor means acquires the information generating rules associated with new information from the class manager and sends the rules to the instance generator when new writing is detected, and the monitor means acquires the policy of the written information from the class manager based on the class of the information and sends the policy to the security enforcement when no generation is detected despite the occurrence of new writing in the shared data space.
Another aspect of the invention is an information offering method for providing a controlled information aggregation according to the security level of the information requester, using classes of information which are hierarchically classified and stored, wherein each class includes a policy showing how to treat the information according to the security level, and information generating rules showing how to generate the information. The method comprises the steps of: (1) using the class of the required information to refer to the information generating rules and generating new information in a shared data space, wherein the shared data space is for temporarily storing information; (2) monitoring whether new information has been written in the shared data space; (3) acquiring the information generating rules associated with the new information from its class when the new information has been written; (4) generating new information based on the information generating rules and writing it in the shared data space; (5) acquiring the information written in the shared data space, acquiring the policy from the class of the information, and providing controlled information complying with all of the policies when no information is generated despite new writing in the shared data space.
In a further aspect of the invention, a computer readable medium for storing a program for providing a controlled information aggregation according to the security level of the information requester, by using classes of information which are hierarchically classified and stored, wherein each class includes a policy showing how to treat the information according to the security level, and information generating rules showing how to generate the information, is provided. The computer readable medium comprises: (1) a function for using the class of the required information to refer to the information generating rules and generating new information in a shared data space, wherein the shared data space is for temporarily storing information; (2) a function for monitoring whether new information has been written in the shared data space; (3) a function for acquiring the information generating rules associated with the new information from its class when the information has been written; (4) a function for generating new information based on the information generating rules and writing it in the shared data space; (5) a function for acquiring the information written in the shared data space, acquiring the policy from the class of the information, and providing controlled information complying with all of the policies when no information is generated despite new writing in the shared data space.
More specifically, the present invention has classes into which information is hierarchically classified, wherein actual information corresponds to an instance of each class. Each class can have “instance generating rules” and an “instance generator”. An “instance generator” generates an instance of the same class or of any other class based upon the “instance generating rules”. Within the instance generating rules of class A, for example, is written “instances of class A generate an instance of class B if three or more instances of class A aggregate”, so the idea of an “information aggregation” can be transformed into the operation of “generating an instance of another (or the same) class”. A sole instance can utilize the conventional access control list. Therefore, it is possible to implement security for an information aggregation within the conventional framework by using “instance generating rules” and an “instance generator”.
The present invention is provided with a method for performing “instance generation” (information generation) recursively. For that purpose, it has a shared data space which makes all instances accessible to each class; a monitor for monitoring the shared data space (shared data space monitoring means); and the above-mentioned instance generator (information generating means). “Instance generation” is performed by repeating, as one cycle, writing to the shared data space, monitoring by the monitor, and instance generation, until the shared data space reaches a static state. With this scheme for implementing recursive cycles, it becomes possible to generate a proper instance even for a class structure with a deep hierarchy, thereby providing proper security control. By replacing “performing security enforcement for an information aggregation” with “performing security enforcement complying with all security policies of the classes to which each of the instances belongs”, security enforcement for an information aggregation is implemented.
More specifically, the invention classifies information into hierarchical classes, provides “instance generating rules” and an “instance generator” for each class, replaces the idea of an “information aggregation” with the operation of “instance generation”, and replaces access control for the information aggregation with “access control for generated instances”. Thereby, in terms of the method for access control, it becomes possible to use the conventional framework in the form of “access control per instance”. This enables the use of large access control frameworks, such as when adding access control for an information aggregation to a previous system, and enables control even in the case of forms with a deep hierarchy (of security levels) by combining the shared data space and the shared data space monitoring means to enable recursive instance generation.
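The following Python program is an added illustration of the scheme described above and of the salary-deposit problem in the background section; it is not code from the patent. It assumes a constructed form of three records and three columns, a hypothetical Field/Record/Column/Form class hierarchy with per-class policies, and two constructed instance generating rules (all fields of one row generate a Record, all fields of one column generate a Column, and all Records or all Columns generate the Form). The shared data space is a set of instances; the monitor loop re-applies the rules until a cycle writes nothing new, and enforcement grants the request only if the requester's level satisfies the policy of every instance in the static space, so a set of cells that amounts to a whole record is judged as a record.

```python
"""Recursive instance generation over a shared data space (added example,
not the patent's code).  Class names, levels and rules are constructed."""
from dataclasses import dataclass
from typing import Callable, Set, Tuple

# Constructed form shape: 3 records (rows) x 3 columns.  Only the shape matters.
ROWS = range(3)
COLUMNS = ("employee_no", "bank", "account_no")

# Constructed requester security levels; a higher level clears more.
OPERATOR, MANAGER, AUDITOR = 1, 2, 3


@dataclass(frozen=True)
class Instance:
    cls: str     # class name: "Field", "Record", "Column" or "Form"
    key: tuple   # (row, col) for Field, (row,) for Record, (col,) for Column, () for Form


@dataclass
class ClassDef:
    policy: Callable[[int], bool]   # may a requester of this level read an instance of the class?
    rules: Tuple[Callable[[Set[Instance]], Set[Instance]], ...]  # instance generating rules


def rule_fields_to_records(space: Set[Instance]) -> Set[Instance]:
    """Fields of one row that together cover every column generate that Record."""
    return {Instance("Record", (r,)) for r in ROWS
            if all(Instance("Field", (r, c)) in space for c in COLUMNS)}


def rule_fields_to_columns(space: Set[Instance]) -> Set[Instance]:
    """Fields of one column that together cover every row generate that Column."""
    return {Instance("Column", (c,)) for c in COLUMNS
            if all(Instance("Field", (r, c)) in space for r in ROWS)}


def rule_to_form(space: Set[Instance]) -> Set[Instance]:
    """All Records, or all Columns, present in the space generate the Form."""
    if (all(Instance("Record", (r,)) in space for r in ROWS)
            or all(Instance("Column", (c,)) in space for c in COLUMNS)):
        return {Instance("Form", ())}
    return set()


# Class manager: policy plus generating rules per class (constructed values).
CLASSES = {
    "Field":  ClassDef(lambda lvl: lvl >= OPERATOR, (rule_fields_to_records, rule_fields_to_columns)),
    "Record": ClassDef(lambda lvl: lvl >= MANAGER, (rule_to_form,)),
    "Column": ClassDef(lambda lvl: lvl >= MANAGER, (rule_to_form,)),
    "Form":   ClassDef(lambda lvl: lvl >= AUDITOR, ()),
}


def generate_until_static(space: Set[Instance], classes=CLASSES) -> Set[Instance]:
    """Monitor loop: one cycle = apply the rules of every class present in the
    shared data space and write the generated instances back.  Stop when a
    cycle generates nothing new, i.e. the space has become static."""
    space = set(space)
    while True:
        generated: Set[Instance] = set()
        for cls in {i.cls for i in space}:
            for rule in classes[cls].rules:
                generated |= rule(space)
        generated -= space          # ignore instances already in the space
        if not generated:
            return space
        space |= generated


def decide(requested: Set[Instance], level: int, classes=CLASSES):
    """Security enforcement: grant only if the requester's level satisfies the
    policy of every instance in the static space, including generated ones."""
    space = generate_until_static(requested, classes)
    allowed = all(classes[i.cls].policy(level) for i in space)
    return allowed, frozenset(space)


if __name__ == "__main__":
    one_cell = {Instance("Field", (0, "bank"))}
    whole_row = {Instance("Field", (0, c)) for c in COLUMNS}
    all_cells = {Instance("Field", (r, c)) for r in ROWS for c in COLUMNS}
    for name, req, lvl in (("operator, one cell", one_cell, OPERATOR),
                           ("operator, whole row", whole_row, OPERATOR),
                           ("manager, whole row", whole_row, MANAGER),
                           ("manager, all cells", all_cells, MANAGER),
                           ("auditor, all cells", all_cells, AUDITOR)):
        ok, space = decide(req, lvl)
        print(f"{name}: {'allowed' if ok else 'denied'}; classes present: "
              f"{sorted({i.cls for i in space})}")
```

Requesting all cells takes two cycles to reach the static state: the first generates every Record and Column, the second generates the Form from them, and the third writes nothing and ends the loop; the manager is then denied by the Form policy even though each Record alone would have been readable.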