In a computer, access control based on access authorities is performed in order to prevent unauthorized access. An access authority is a combination of a subject (the entity performing the access), an object (the target of the access), an action (the type of access), and a permission/denial identifier indicating whether the subject is permitted or denied to execute the action on the object.
In a computer with many subjects, the number of access authorities required for access control becomes very large. A method has therefore been proposed for generating access authorities efficiently by using the concept of a role (see, for example, FIG. 20 of Patent Document 1). In this method, the permission or denial of a specific action on a specific object is described as an authority without specifying any subject. One or more such authorities are then grouped, and each group is given an identifier called a role. The relation between a role and its subjects is managed separately. A user such as the administrator of the computer generates, for each role, authorities each formed as a combination of an object, an action, and a permission/denial identifier indicating whether the action on the object is permitted or denied. The generation system expands the authorities generated for each role over every subject belonging to that role, and thereby generates an access authority for each subject.
For example, assume that there are n tables T1 to Tn as objects, and that a subject S1 and a subject S2 belong to a role R1. To automatically generate access authorities that permit the subjects S1 and S2 to write into the table T1, the user generates an authority P that permits writing into the table T1 and associates it with the role R1. When this authority P is inputted, the generation system determines that the subjects S1 and S2 belong to the role R1, and generates one access authority permitting the subject S1 to write into the table T1 and another permitting the subject S2 to write into the table T1. Consequently, the user does not need to describe, for each individual subject, the many access authorities defining which actions are permitted, and the burden on the user is reduced.
[Patent Document 1] Japanese Unexamined Patent Application Publication No. 11-313102
When the objects subjected to access control are arranged in a hierarchy, authorities can be described efficiently by using the inclusion relation of the hierarchy and describing an authority that targets an upper-hierarchy object. For example, assume that the object in the upper hierarchy that includes the aforementioned n tables T1 to Tn is a database DB. In this case, when writing into all of the tables T1 to Tn is to be permitted, a single authority permitting writing into the database DB is described. Consequently, only one authority is required, whereas n authorities are necessary when the individual tables are the targets.
However, with this method alone, it is impossible to give some of the lower-hierarchy objects an authority different from that of the others. There is therefore a method of describing, for some of the lower-hierarchy objects, another authority that competes with the authority of the upper-hierarchy object, and setting a constraint so that the former authority is applied in preference to the latter. A constraint that applies one authority in preference to another is called a precedence constraint.
For example, when the role R1 is to be permitted to write into the (n−1) tables T1 to Tn−1, i.e. all of the n tables T1 to Tn except the table Tn, the following two authorities P1 and P2 are generated.
Authority P1 (priority 1): an authority associated with the role R1, prohibiting writing into the table Tn.
Authority P2 (priority 2): an authority associated with the role R1, permitting writing into the database DB.
Both of these authorities P1 and P2 relate to writing into the table Tn, and they compete with each other because one prohibits and the other permits. Because of the precedence constraint, however, the authority P1 with the higher priority is applied with respect to writing into the table Tn. Therefore, the subjects S1 and S2 belonging to the role R1 are prohibited from writing into the table Tn. On the other hand, only the authority P2 applies with respect to writing into the tables T1 to Tn−1, so the subjects S1 and S2 belonging to the role R1 are permitted to write into the tables T1 to Tn−1.
By describing authorities using the inclusion relation of the objects and the precedence constraint as described above, the number of necessary authorities and hence the burden on the user can be reduced. However, the technique described in Patent Document 1 does not handle authorities described using the inclusion relation of the objects and the precedence constraint. If the authorities P1 and P2 with the precedence constraint of the above example are processed by the technique of Patent Document 1, access authorities that compete with each other are generated: for each of the subjects S1 and S2, the technique generates an access authority permitting writing into the database DB and, competing with it, an access authority prohibiting writing into the table Tn.
Among the computers that perform access control using access authorities, some cannot process competing access authorities at all, and some can process them but resolve the competition in a manner different from other computers. Therefore, in order to ensure that all of the computers perform accurate access control, there is a need to generate access authorities that do not compete with each other.
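The following Python is an added example written for this page, not code from Patent Document 1 or from any product. It models both the role expansion of the earlier example (subjects S1 and S2 in role R1) and the object inclusion relation with the precedence constraint of the authorities P1 and P2. It assumes n = 4 tables under the database DB, a single "write" action, and that a smaller priority number takes precedence; the policy is a constructed sample. `expand_naive` reproduces the plain role expansion and yields the competing pair described above for each subject; `expand_resolved` settles the precedence at the leaf objects before substituting subjects, so the generated access authorities do not compete.

```python
from dataclasses import dataclass

# Constructed sample policy (not from the patent text): one role with two
# members and a database DB that includes tables T1..Tn. n = 4 is an assumption.
N = 4
ROLE_MEMBERS = {"R1": ["S1", "S2"]}
OBJECT_PARENT = {f"T{i}": "DB" for i in range(1, N + 1)}  # child -> enclosing object
OBJECT_PARENT["DB"] = None                                  # DB is the top of the hierarchy


@dataclass(frozen=True)
class Authority:
    """Role-level authority: no subject; smaller priority number is applied first."""
    role: str
    obj: str
    action: str
    permit: bool
    priority: int


@dataclass(frozen=True)
class AccessAuthority:
    """Per-subject access authority as consumed by the access-control computer."""
    subject: str
    obj: str
    action: str
    permit: bool


def ancestors(obj):
    """obj itself followed by every object that includes it, up to the root."""
    chain = []
    while obj is not None:
        chain.append(obj)
        obj = OBJECT_PARENT[obj]
    return chain


def leaf_objects():
    """Objects that include nothing else (here the tables T1..Tn)."""
    parents = {p for p in OBJECT_PARENT.values() if p is not None}
    return [o for o in OBJECT_PARENT if o not in parents]


def expand_naive(authorities):
    """Role expansion as in Patent Document 1: substitute each member subject
    for the role. The inclusion relation and the priority are ignored."""
    return [AccessAuthority(s, a.obj, a.action, a.permit)
            for a in authorities for s in ROLE_MEMBERS[a.role]]


def find_conflicts(access):
    """Pairs that compete: same subject and action, opposite verdict, and one
    object includes the other (or both name the same object)."""
    conflicts = []
    for i, a in enumerate(access):
        for b in access[i + 1:]:
            if (a.subject == b.subject and a.action == b.action
                    and a.permit != b.permit
                    and (a.obj in ancestors(b.obj) or b.obj in ancestors(a.obj))):
                conflicts.append((a, b))
    return conflicts


def expand_resolved(authorities):
    """Expand down to leaf objects and settle each (role, action, leaf) by
    precedence before substituting subjects, so no competing entries appear."""
    out = []
    actions = sorted({a.action for a in authorities})
    for role, members in ROLE_MEMBERS.items():
        for action in actions:
            for leaf in leaf_objects():
                chain = ancestors(leaf)
                applicable = [a for a in authorities
                              if a.role == role and a.action == action and a.obj in chain]
                if not applicable:
                    continue  # no authority reaches this object: generate nothing
                best = min(a.priority for a in applicable)
                verdicts = {a.permit for a in applicable if a.priority == best}
                if len(verdicts) > 1:
                    # Equal priorities with opposite verdicts cannot be ordered:
                    # refuse rather than emit a competing pair.
                    raise ValueError(f"unordered conflict on {leaf}/{action} for {role}")
                permit = verdicts.pop()
                out.extend(AccessAuthority(s, leaf, action, permit) for s in members)
    return out


def decision(access, subject, obj, action):
    """The single verdict for a subject/object/action in a resolved set."""
    hits = {a.permit for a in access if (a.subject, a.obj, a.action) == (subject, obj, action)}
    if len(hits) != 1:
        raise ValueError(f"expected exactly one verdict, got {hits}")
    return hits.pop()


# The two authorities of the example: P1 denies writing to Tn, P2 permits DB.
POLICY = [
    Authority("R1", f"T{N}", "write", permit=False, priority=1),  # P1
    Authority("R1", "DB", "write", permit=True, priority=2),      # P2
]

if __name__ == "__main__":
    naive = expand_naive(POLICY)
    print("naive expansion, competing pairs:", len(find_conflicts(naive)))
    resolved = expand_resolved(POLICY)
    print("resolved expansion, competing pairs:", len(find_conflicts(resolved)))
    for a in resolved:
        print(a)
```

Two points a practitioner should take from this. First, the precedence constraint only resolves a competition when the competing authorities are totally ordered; the resolver refuses a tie instead of emitting both entries, since an enforcement point that lacks a tie-breaking rule would otherwise decide for you. Second, resolving at the leaf objects trades the single DB-level entry for one entry per table and subject, which is the price of a result that every access-control computer, whether or not it can process competing entries, interprets the same way.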