
Let me briefly recall the list of problems we ran into:
- Problem 1 - dependent access lists
- Problem 2 - delegation of authority
- Problem 3 - granting access to a large number of objects
A small theoretical digression
People just love inventing bicycles. But those who like to reinvent the wheel are always followed by those who like to count money. So instead of inventing bicycles, people busy themselves with classification and standardization.
Where access control is concerned, all known access control models are sorted along two "parallel classifications":
- by who controls access to the object
- by what access to the object is based on
According to the first classification, models are called:
MAC (Mandatory Access Control) - when access to objects is set declaratively by an administrator rather than by the system's end users.
DAC (Discretionary Access Control) - when users themselves set access to objects (the objects they "own").
According to the second classification, models are called:
Multilevel - when access is set in relation to specific "access levels", and objects are already marked with a label that determines the access level required to work with that object.
Access matrix - when access is configured directly between objects and security principals. A special case of this model is the subject of our suffering: the access model based on access control lists. There is also another special case - the capability-based access model. They differ in that an ACL is a list of those who have rights to one object, whereas Capabilities (or a C-List) is a list of objects to which a security subject has access rights. Comparison 1 (eng), Comparison 2 (eng)
Role-based access control (RBAC) - when access is configured in relation to user roles, which combine the ability to perform various system functions with rights related to security objects. This model has a standard.
Attribute-based access control (ABAC) - when access is set in relation to ... rather than object attributes, and in relation to objects that carry some attribute. A typical example of ABAC-based access control: manager Petrov automatically gets access to a contract only when the contract is under 100,000.
Against all this background, a term such as "access control session" regularly surfaces in either RBAC or ABAC. Loosely interpreted, it means that a security subject may hold several sets of privileges, but only one set is allowed for performing a specific operation, and that operation is executed as part of the security session with which the set is associated.
Now let's see which security models are used in our simple ECM system (recall: it handles the organization's document management). Of course, you have already noticed that there is more than one security model.
So:
- Users can configure access to documents, especially if they created them. So the access model clearly refers to DAC.
- Since in 99% of use cases users should not set access themselves, the administrator sets access to documents declaratively (remember the default access lists I wrote about in the first article). So the access model clearly falls under MAC as well.
- Access is set on the basis of access lists, so the model also refers to the access matrix, specifically to access control lists.
- From the subject domain there are document classifications such as "access classification stamp" and "confidentiality" that affect access. So the model also falls under Multilevel. And the distribution of access via the ObjectKind classifier from the first article is of the same type.
- And, of course, roles. Where would a program be without them? So in our system the security model also applies to RBAC.
- And let's not forget delegation of authority. This scenario requires consideration in the model and in the access control session.
In general, it's sad.
From all this I had two thoughts:
- An architect must do everything to minimize the number of access control patterns that a particular system model supports.
- You can't do without a bicycle here, as I personally understand it...
Basic schema
To properly solve the problems above, let's go back a little to the first diagram.
The current schema contains an access list for each object of the subject domain.
From the theoretical part we understood clearly which access control patterns and security models need to be supported.
Therefore we raise the degree of abstraction. In the ACL we will keep not a list of security entities with rights, but a list of access models applicable to that object. At the same time we uphold the axiom that the ACL model dominates all the others: it must always be possible to compute access to an object from the ACL alone.
To do this, we change the scheme as follows.
Below is a class diagram, not a database schema. The issue of mapping the class scheme onto the database will be covered later (in the next article). A white closed arrowhead denotes inheritance; a white open arrowhead denotes association.
As already understood, the access list of a document degenerates into a hierarchical list of SecurityAspect objects supported by the object: an abstract mechanism for granting access. SecurityAspect is implemented with the Composite pattern.
Note that for the many-to-many relationship between SecurityAspectComposite and SecurityAspect in the Composite pattern I did not specify an intermediate entity. In other cases (unrelated to the Composite pattern) such intermediate entities are shown.
Note also that SecurityAspect does not reference Object. Instead, Object contains a link to the root SecurityAspect, and this object (together with its hierarchy) determines access to that object.
Going forward, I will keep calling the root SecurityAspect of an object (and its hierarchy) the ACL, in the old way.
Users
From the theoretical part (and from the requirement outlined in problem 2) we saw that a system user can have several sets of privileges, and only one set needs to be active at a time.
A simple example is when a system user can act on their own behalf, on behalf of their boss, and on behalf of a very big boss (the typical secretary scenario): the system's business logic must know which of these the user is acting as when performing an action in the system.
Let's reflect all this in the diagram.
As you can see, each user can have a set of associated principals, which in turn can form a hierarchy (using the Composite pattern). For clarity, I implemented a concrete implementation, the organization's principals, for the organizational structure.
In addition, a Session appears in the diagram; besides a reference to the user, it references the principal the user is currently working as.
In the future, access will be granted to principals rather than to users. This makes the substitution scenario (problem 2) easier to implement.
Direct access to objects
Now let's cross these two schemes and implement direct access to objects through Principals.
We create a descendant of SecurityAspect named DirectAccess. It has both a list of rights to the object and a link to the Principal to whom these rights are actually available.
Note that in this model, unlike the data model in the previous article, rights are not attributes but are assigned to a separate entity, Right, associated with DirectAccess through DirectAccessRights. This makes it easy to extend the set of rights in the future.
Roles
As promised earlier, the system has roles. Let's implement them.

As you can see, a new SecurityAspect named Role has been created; it can hierarchically combine other SecurityAspects (since it inherits from SecurityAspectComposite).
Since roles are clearly used for the declarative assignment of rights and are not necessarily listed in object ACLs (although the model does not forbid this), we need to provide a link between roles and Principals. This is done through PrincipalSecurityAspects.
Details on using roles:
- They can be used both to grant access to system functions and to grant access to system objects.
- In the first case, the model has the required roles with a set of rights different from those used for access to objects, and these roles are registered to Principals in PrincipalSecurityAspects.
- In the second case, a role is created in the model, principals are registered to it in PrincipalSecurityAspects, and in addition the role is registered in the ACL of the objects to which it applies. In this case the set of rights used by the role may coincide with the rights used in DirectAccess.
Most importantly:
- In classical RBAC, the Role entity would need a link between roles and objects via RoleRights.
- We do not have that: since the ACL is dominant, this link does not exist, so where needed we provide access to objects through roles by registering them in the ACL of the corresponding objects.
Default access
Let's implement the Multilevel security model: distribution of rights based on a property of the object, ObjectKind.

As you can see, Object now contains the classification attribute ObjectKind, and a new heir of SecurityAspectLeaf (a hint that it cannot contain a hierarchy of other SecurityAspects) appears under the name ObjectKindAccess. As with Role, its link to Principals is provided through PrincipalSecurityAspect.
Most importantly:
- In classical Multilevel, a classifier on the object entity to which rights are granted and all the ...
- Since the ACL is primary, for objects where the Multilevel model should work, the corresponding SecurityAspect must be registered in the ACL.
Dependent access lists
And finally, problem 1, dependent access lists, still remains.
Let me recall the essence: objects participating in one business process each have their own access list, and often must be available to all participants in that process. That is, if a user has access to object A, the user must also have access to object B (usually with a limited set of rights).
Let's implement it.

As usual, a new descendant of SecurityAspectComposite named LinkedAccess is created.
Its essence is that this SecurityAspect wraps the root SecurityAspect of the linked object, so that everyone who has access to it also gets access to the current object. The rights defined on LinkedAccess through LinkedAccessRights restrict, or extend (depending on the requirements of the business logic), the set of rights of those who have access to the linked object.
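The whole model described in this article, from the basic schema and the Users/Session section through DirectAccess, Roles, default access and LinkedAccess, as an added Python example that is not the article's own code (the article shows class diagrams, not an implementation). The class names follow the diagrams; the method names, the PrincipalSecurityAspects registry API, and the sample principals and documents in build_demo are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Principal:
    name: str  # a user acts through exactly one active principal per session

@dataclass
class Session:
    user: str
    active_principal: Principal  # the principal the user is currently working as

class SecurityAspect:
    """Abstract ACL node; each subclass decides which rights a principal gets on obj."""
    def rights_for(self, principal: Principal, obj: "Object") -> Set[str]:
        raise NotImplementedError

class SecurityAspectLeaf(SecurityAspect):
    """Marker: a leaf cannot contain a hierarchy of other aspects."""

class SecurityAspectComposite(SecurityAspect):
    """Composite pattern: grants the union of what the child aspects grant."""
    def __init__(self, children: Iterable[SecurityAspect] = ()) -> None:
        self.children: List[SecurityAspect] = list(children)
    def rights_for(self, principal: Principal, obj: "Object") -> Set[str]:
        rights: Set[str] = set()
        for child in self.children:
            rights |= child.rights_for(principal, obj)
        return rights

@dataclass
class Object:
    name: str
    kind: str                      # ObjectKind classifier
    root: SecurityAspectComposite  # the object's ACL: its root SecurityAspect

class PrincipalSecurityAspects:
    """Link table Principal <-> declaratively assigned aspects (Role, ObjectKindAccess); assumed API."""
    def __init__(self) -> None:
        self._members: Dict[int, Set[Principal]] = {}
    def register(self, principal: Principal, aspect: SecurityAspect) -> None:
        self._members.setdefault(id(aspect), set()).add(principal)
    def is_member(self, principal: Principal, aspect: SecurityAspect) -> bool:
        return principal in self._members.get(id(aspect), set())

class DirectAccess(SecurityAspectLeaf):
    """Explicit grant of a set of rights (DirectAccessRights) to one principal."""
    def __init__(self, principal: Principal, rights: Iterable[str]) -> None:
        self.principal, self.rights = principal, frozenset(rights)
    def rights_for(self, principal: Principal, obj: Object) -> Set[str]:
        return set(self.rights) if principal == self.principal else set()

class Role(SecurityAspectComposite):
    """RBAC: grants its rights to registered principals; the ACL decides where it applies."""
    def __init__(self, registry: PrincipalSecurityAspects, rights: Iterable[str],
                 children: Iterable[SecurityAspect] = ()) -> None:
        super().__init__(children)
        self.registry, self.rights = registry, frozenset(rights)
    def rights_for(self, principal: Principal, obj: Object) -> Set[str]:
        if not self.registry.is_member(principal, self):
            return set()
        return set(self.rights) | super().rights_for(principal, obj)

class ObjectKindAccess(SecurityAspectLeaf):
    """Multilevel/default access: rights for registered principals on objects of one kind."""
    def __init__(self, registry: PrincipalSecurityAspects, kind: str, rights: Iterable[str]) -> None:
        self.registry, self.kind, self.rights = registry, kind, frozenset(rights)
    def rights_for(self, principal: Principal, obj: Object) -> Set[str]:
        if obj.kind == self.kind and self.registry.is_member(principal, self):
            return set(self.rights)
        return set()

class LinkedAccess(SecurityAspectComposite):
    """Dependent access: wraps the linked object's root ACL; anyone with access there gets these rights."""
    def __init__(self, linked: Object, rights: Iterable[str]) -> None:
        super().__init__([linked.root])
        self.linked, self.rights = linked, frozenset(rights)
    def rights_for(self, principal: Principal, obj: Object) -> Set[str]:
        return set(self.rights) if self.children[0].rights_for(principal, self.linked) else set()

def effective_rights(obj: Object, session: Session) -> Set[str]:
    """The axiom from the text: access is computed from the object's ACL alone."""
    return obj.root.rights_for(session.active_principal, obj)

def build_demo() -> dict:
    """Constructed sample data (not from the article): a secretary who may also act as her boss."""
    registry = PrincipalSecurityAspects()
    secretary, boss = Principal("secretary"), Principal("boss")
    contract_readers = ObjectKindAccess(registry, "contract", {"read"})
    clerk = Role(registry, {"read", "comment"})
    registry.register(secretary, contract_readers)
    registry.register(secretary, clerk)
    # Default access for the "contract" kind applies here only because it is in this ACL.
    contract = Object("Contract-1", "contract", SecurityAspectComposite(
        [DirectAccess(boss, {"read", "edit", "sign"}), contract_readers]))
    # Whoever has any access to the contract may read its attachment.
    attachment = Object("Attachment-1", "file", SecurityAspectComposite([LinkedAccess(contract, {"read"})]))
    # Same kind, but contract_readers is absent from this ACL, so default access does not apply.
    draft = Object("Draft-1", "contract", SecurityAspectComposite([clerk]))
    return {"secretary": secretary, "boss": boss, "contract": contract, "attachment": attachment, "draft": draft}
```

Switching the Session's active principal from "secretary" to "boss" changes the rights the same user gets on the same document, which is the substitution scenario from problem 2; the Draft object shows the point from the default access section that ObjectKindAccess only takes effect where it is registered in the object's ACL; and LinkedAccess here implements the restricting variant (everyone who can reach the contract gets only "read" on the attachment). The extending variant would return the linked rights unioned with its own.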
What's next
In the next article, taking the mandatory requirements from the first article as a premise, I'll map all of this onto a database.
The architectural solution behind the answers to the problems above has no impact at all on the speed of filtering objects during search, and only minimal impact on the speed of working with objects and lists of objects (including large ones).
What to read
Design patterns for role-based access control
Access control patterns and pattern diagrams
Session-based access control patterns