The present invention relates to a technique to control access to data stored in a network resource.
Techniques of information access control are essential for preventing information from being used for purposes other than the original intent. Conventionally, a rule for access control to a data file is expressed by using a set of three elements: a subject, an access object and an operation performed on the object by the subject. Specifically, the relationship among the three elements means that an access subject performs a specific operation on an access object. Access control for an access request is performed according to the result of evaluating the set of three elements in the access request. Here, the evaluation result, obtained as a value of an access control parameter (hereinafter referred to as an access control value), is a binary decision, “access granted” or “access denied.” In short, the access control value is one of the two values 1 or 0.
Japanese Patent Application Publication No. 2001-184264 discloses a technique of conditional access control. This technique does not simply determine whether or not to grant access for an access request, but also grants access if a certain condition is satisfied. Moreover, with this technique of conditional access control, when a condition to be evaluated requires satisfaction of a different condition, this different condition is also evaluated recursively.
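The conventional model described above can be sketched as follows. This is an added example, not code from the cited publication or from the present invention; all names (`Rule`, `Condition`, `evaluate`, the sample policy) are hypothetical, and denying on a cyclic or undefined condition is an assumption made here.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# All names and the sample policy are hypothetical, constructed for illustration.

@dataclass(frozen=True)
class Condition:
    name: str
    check: Callable[[dict], bool]      # predicate over the request context
    requires: tuple = ()               # names of conditions that must also hold

@dataclass(frozen=True)
class Rule:
    subject: str
    obj: str
    operation: str
    condition: Optional[str] = None    # None means an unconditional grant

def condition_holds(name, conditions, ctx, visiting=frozenset()):
    """Recursively evaluate a condition and every condition it requires."""
    if name in visiting or name not in conditions:
        return False                   # assumption: cycle or unknown name fails closed
    cond = conditions[name]
    visiting = visiting | {name}
    return cond.check(ctx) and all(
        condition_holds(dep, conditions, ctx, visiting) for dep in cond.requires)

def evaluate(rules, conditions, subject, obj, operation, ctx):
    """Return the access control value: 1 (granted) or 0 (denied)."""
    for r in rules:
        if (r.subject, r.obj, r.operation) == (subject, obj, operation):
            if r.condition is None or condition_holds(r.condition, conditions, ctx):
                return 1
    return 0                           # no matching rule: default deny

# Constructed sample policy.
CONDITIONS = {
    "business_hours": Condition("business_hours", lambda c: 9 <= c["hour"] < 17),
    "on_site": Condition("on_site", lambda c: c["location"] == "office",
                         requires=("business_hours",)),
    "loop_a": Condition("loop_a", lambda c: True, requires=("loop_b",)),
    "loop_b": Condition("loop_b", lambda c: True, requires=("loop_a",)),
}
RULES = [
    Rule("alice", "report.pdf", "read"),
    Rule("bob", "report.pdf", "read", condition="on_site"),
    Rule("carol", "report.pdf", "read", condition="loop_a"),
]
```

However deep the chain of conditions, `evaluate` can only return 1 or 0.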
As described above, with the conventional technique, evaluation for access control can be made with predefined conditions. However, even though the evaluation is made on a conditional basis, the result of the evaluation is still a binary decision, “access granted” or “access denied.” In practice, however, access to data stored in a network resource needs to be controlled by using not only the two values of the binary decision but also an intermediate value in between, such as 50% of access permission. For example, in some cases in a virtual world, it is desired to grant permission to see the inside of a building with 50% clarity, or to see a product at 30% of the regular size. Such permission is not possible in the conventional access control based on a binary decision, “access granted” or “access denied.”