Title of invention: Access control information generating system
Abstract: A system 100 stores policy information in which role identification information, resource group identification information and action information are associated with each other (101); stores user identification information and role identification information in association with each other (102); receives an access request including user identification information for identifying a user of a client device (103); generates access control information based on the policy information and transmits the generated access control information to an access target device (104); acquires address information of the transmission source of the access request (105); and generates communication filter information representing permission for communication relating to the address represented by the acquired address information, and transmits the generated communication filter information to a communication filter device specified based on the policy information (106).
Publication number: US9363290(B2); Publication date: 2016.06.07
Application number: US201113821850; Filing date: 2011.08.23
Applicant: NEC CORPORATION; Inventor: Ogawa Ryuichi
Classification: H04L29/06; H04L12/24; G06F21/62; Main classification: H04L29/06
Agent (firm): Sughrue Mion, PLLC; Agent: Sughrue Mion, PLLC
Independent claim: 1. An access control information generation system comprising: a central processing unit (CPU); a policy information storing unit, implemented on the CPU, for storing policy information in which role identification information for identifying a role assigned to a user, resource group identification information for identifying a resource group including at least one access target resource that is owned by an access target device and is a resource to be a target of access, and action information representing a type of access to the access target resource are associated with each other; a user information storing unit, implemented on the CPU, for storing user identification information for identifying a user and role identification information for identifying a role assigned to the user in association with each other; an access request receiving unit, implemented on the CPU, for receiving from a client device an access request including user identification information for identifying a user of the client device; an access control information transmitting unit, implemented on the CPU, for generating access control information representing permission for a user identified by user identification information stored in association with the role identification information included in the stored policy information to perform access of the type represented by the action information included in the policy information, and transmitting the generated access control information to the access target device having the access target resource included in the resource group identified by the resource group identification information included in the policy information; an address information acquiring unit, implemented on the CPU, for acquiring address information representing an address for specifying the transmission source of the received access request in a communication network; a communication filter information transmitting unit, implemented on the CPU, for generating communication filter information representing permission for either a communication whose transmission source is the address represented by the acquired address information or a communication whose transmission destination is that address, and transmitting the generated communication filter information to a communication filter device relaying communication between the client device and the access target device having an access target resource included in a resource group identified by resource group identification information included in policy information that includes role identification information stored in association with the user identification information included in the received access request, among the stored policy information; and a communication filter setting completion notice transmitting unit for, in the case of receiving from the communication filter device a communication filter setting completion notice representing completion of setting of control of the communication between the access target device and the client device based on the communication filter information, transmitting the communication filter setting completion notice to the client device that transmitted the access request.
Address: Tokyo JP
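The flow described in the abstract and in claim 1 (role-based policy lookup, access control information to the target device, a per-source-address rule to the communication filter device, and relay of the filter's completion notice back to the client) can be modelled in a few lines. The following is an added illustration, not code from the patent or from NEC; `PolicyEntry`, `handle_access_request`, `on_filter_setting_complete` and all sample data are constructed for this example.

```python
# Added example modelling the claimed flow; not code from the patent or from NEC.
# Names (PolicyEntry, handle_access_request, on_filter_setting_complete) and all
# sample data below are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyEntry:
    role: str            # role identification information
    resource_group: str  # resource group identification information
    action: str          # action information (type of access)

# Policy information storing unit and user information storing unit (constructed).
POLICY = [PolicyEntry("dba", "db-servers", "read"),
          PolicyEntry("dba", "db-servers", "write")]
USER_ROLES = {"alice": "dba", "bob": "auditor"}
# Which access target device owns each resource group, and which communication
# filter device relays traffic between clients and that device (constructed).
RESOURCE_GROUP_OWNER = {"db-servers": "db01.example.internal"}
FILTER_FOR_DEVICE = {"db01.example.internal": "fw-dmz"}
PENDING = {}  # (filter device, permitted address) -> client awaiting completion notice

def handle_access_request(client_id, user_id, source_addr):
    """Process one access request; return the messages sent to target and filter devices.

    source_addr must be taken from the transport the request arrived on (e.g. the
    authenticated session's peer address), because the filter rule is keyed on it.
    """
    role = USER_ROLES.get(user_id)
    acl_msgs, filter_msgs = [], []
    for p in POLICY:
        if p.role != role:          # only policy entries for the user's role apply
            continue
        target = RESOURCE_GROUP_OWNER[p.resource_group]
        acl_msgs.append({"to": target, "user": user_id, "action": p.action})
        filter_dev = FILTER_FOR_DEVICE[target]
        rule = {"to": filter_dev, "permit_source": source_addr, "peer": target}
        if rule not in filter_msgs:  # one rule per filter device, not one per action
            filter_msgs.append(rule)
            PENDING[(filter_dev, source_addr)] = client_id
    return acl_msgs, filter_msgs

def on_filter_setting_complete(filter_dev, source_addr):
    """Relay the filter device's setting-completion notice to the requesting client."""
    client = PENDING.pop((filter_dev, source_addr), None)
    return {"to": client, "notice": "filter-setting-complete"} if client else None
```

A user whose role matches no policy entry (or an unknown user) yields no messages at all, so neither the target device nor the filter device is touched.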