DOCUMENT ACCESS CONTROL SYSTEM, DATA PROCESSING APPARATUS, PROGRAM PRODUCT AND METHOD FOR PERFORMING DOCUMENT ACCESS CONTROL

Abstract

A document access control system for determining whether to allow a client to access a target document file according to a security policy set in a server, the system includes a cache timing determination part for determining the timing for caching policy determination data corresponding to the target document file in the client, a policy determination data obtaining part for obtaining the policy determination data from the server according to a report from the cache timing determination part, a policy determination data storage part for storing the obtained policy determination data in correspondence with the target document file, and a file access control part for controlling access to the target document file according to the policy determination data stored in the policy determination data storage part in a case where the user of the client requests access to the target document file when the client is in an offline mode.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram showing an exemplary configuration of a document access control system according to an embodiment of the present invention;

FIG. 2 is a schematic diagram showing an exemplary configuration of the inside of a security policy server according to an embodiment of the present invention;

FIG. 3 is a schematic diagram showing an exemplary configuration of the inside of the client according to an embodiment of the present invention;

FIG. 4 is a schematic diagram showing an exemplary configuration of an encrypted document file according to an embodiment of the present invention;

FIG. 5 is a schematic diagram showing an exemplary configuration of a security policy managed by the security policy server 1 according to an embodiment of the present invention;

FIG. 6 is a table showing an exemplary configuration of policy determination data according to an embodiment of the present invention;

FIG. 7 is a table showing an exemplary configuration of a monitor log according to an embodiment of the present invention;

FIG. 8 is a sequence diagram showing an exemplary operation of making access (accessing) to a target document file during an online mode according to an embodiment of the present invention;

FIG. 9 is a sequence diagram showing an exemplary operation of caching policy determination data during an online mode according to an embodiment of the present invention; and

FIG. 10 is a sequence diagram showing an exemplary operation of making access (accessing) to a target document file during an offline mode according to an embodiment of the present invention.

Claims

1. A document access control system for determining whether to allow a client to access a target document file according to a security policy set in a server, the system comprising: a cache timing determination part for determining the timing for caching policy determination data corresponding to the target document file in the client;a policy determination data obtaining part for obtaining the policy determination data from the server according to a report from the cache timing determination part;a policy determination data storage part for storing the obtained policy determination data in correspondence with the target document file; anda file access control part for controlling access to the target document file according to the policy determination data stored in the policy determination data storage part in a case where the user of the client requests access to the target document file when the client is in an offline mode.

2. The document access control system as claimed in claim 1, wherein the cache timing determination part monitors generation of the target document file in the client, wherein the policy determination data obtaining part obtains the policy determination data corresponding to the generated target document file.

3. The document access control system as claimed in claim 1, wherein the cache timing determination part periodically instructs updating of the policy determination data corresponding to the target document file, wherein the policy determination data obtaining part obtains the policy determination data corresponding to the target document file.

4. The document access control system as claimed in claim 1, wherein the cache timing determination part receives a designation of the target document file from the user, wherein the policy determination data obtaining part obtains the policy determination data corresponding to the designated target document file.

5. The document access control system as claimed in claim 4, wherein the designated target document file is designated by designation of a folder including the target document file.

6. The document access control system as claimed in claim 1, wherein the policy determination data obtaining part obtains the policy determination data corresponding to the target document file accessed by the user.

7. The document access control system as claimed in claim 1, further comprising: a network status determining part for determining whether the client is online with the server;wherein the access to the target document file is determined based on the policy determination data obtainable by a request to the server when the client is online with the server, wherein the access to the target document file is determined based on the policy determination data stored in the policy determination data storage part when the client is offline with the server.

8. The document access control system as claimed in claim 1, wherein the policy determination data include at least one of document ID data corresponding to a target document, user ID data corresponding to the user of the client, access type data, access authorization data, and access condition data.

9. The document access control system as claimed in claim 1, wherein the policy determination data include at least one of valid period data and valid count data, wherein the access to the target document file is determined based on the valid period data or the valid count data.

10. The document access control system as claimed in claim 1, wherein the target document file is encrypted with an encryption key dedicated to the target document file, wherein the policy determination data include data for decrypting the encrypted target document file.

11. The document access control system as claimed in claim 1, wherein the policy determination data are stored in the client in an encrypted state.

12. The document access control system as claimed in claim 11, wherein the policy determination data are encrypted with an encryption key generated by combining data secretly stored in the policy determination data storage part and unique data of the user of the client.

13. The document access control system as claimed in claim 1, further comprising: a log management part for recording log data indicating access made to the target document file based on the policy determination data during an offline mode.

14. The document access control system as claimed in claim 13, wherein the log management part records the time of the access and compares the time of the access with a previous time of access, wherein the access is denied when the time of access contradicts the previous time of access.

15. The document access control system as claimed in claim 13, wherein the log data are stored in an encrypted state, wherein the log data are encrypted with an encryption key generated by data secretly stored in the log management part or the policy determination data storage part.

16. The document access control system as claimed in claim 13, wherein the log management part transfers the log data recorded during the offline mode the next time the client is online with the server.

17. A program product on which a computer-readable program is stored for causing a computer to perform a document access control method for determining whether to allow a client to access a target document file according to a security policy set in a server, the method comprising the steps of: a) determining the timing for caching policy determination data corresponding to the target document file in the client;b) obtaining the policy determination data from the server according to a report generated in step a);c) storing the obtained policy determination data in correspondence with the target document file; andd) controlling access to the target document file according to the policy determination data stored in step c) in a case where the user of the client requests access to the target document file when the client is in an offline mode.

18. A document access control method for determining whether to allow a client to access a target document file according to a security policy set in a server, the method comprising the steps of: a) determining the timing for caching policy determination data corresponding to the target document file in the client;b) obtaining the policy determination data from the server according to a report generated in step a);c) storing the obtained policy determination data in correspondence with the target document file; andd) controlling access to the target document file according to the policy determination data stored in step c) in a case where the user of the client requests access to the target document file when the client is in an offline mode.