| 摘要 |
A computer system can be used by a plurality of permitted users (26), each of whom can play at least one of a plurality of permitted roles, and can run a plurality of applications (28). An access control system (10) is provided, comprising storing means (12) for storing: for each permitted user, attributes (42) of that user; for each permitted role, attributes (44) of that role; attributes (46) of a plurality of permitted associations between the permitted users and the permitted roles; for each application, attributes (48) of that application; and, for each application, at least one access control condition (50), referring to the attributes, that must be satisfied for access to be granted to that application. In the case where at least one of the applications is operable to perform at least one application operation, the storing means may additionally or alternatively store, for the or each such application operation, attributes (48) of that operation and at least one access control condition (50) that must be satisfied for access to be granted to that operation. Accordingly, a fine-grained access control system can be provided, which is focussed on the application level and/or application operation level using arbitrarily complex conditions associated with the applications and/or application operations and referring to the user's capabilities and, where appropriate, features of the applications. <IMAGE> |
