JP2000148737A - Access control system for decentralized electronic document - Google Patents

Abstract

PROBLEM TO BE SOLVED: To flexibly control access to an electronic document even for a participant group which is too large to be local. SOLUTION: When a local document management device 2a in decentralized environment receives an operation instruction for an electronic document, an access control means 4 judges whether or not an operator participates directly in the electronic document by retrieving communication information records (participant information 7, electronic document information 8, and communication link information 9) and gives permission when the operator participates. If not, it is judged whether or not the operator participates similarly with other records in link relation and permission is decided. Therefore, when the electronic document to be operated is related by a link of communication link information 9, the operator can operate as a direct participant and a request made by an operator having no link relation is rejected.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] 1. Field of the Invention [0002] The present invention relates to a distributed electronic document access control system, and more particularly to a distributed electronic document access control system for controlling access to a distributed electronic document or database record on a network.

[0002]

2. Description of the Related Art Generally, an electronic document or database is managed for each file system or database system in one environment (apparatus), and access control to them is also performed for each file system or database system. The authentication of an individual required to access an electronic document or a database may be performed in another environment via a network, but is usually managed centrally in a local network. Then, permission to access the electronic document or database will be given to specific individuals or existing groups.

That is, a personal identifier (I
If a person having D) attempts to read, write, and update an electronic document, whether or not the electronic document matches the personal ID indicated by the attribute of the electronic document, or is included in the member list of the specific group indicated by the attribute The permission for the operation is determined based on whether or not the operation has been performed.

[0004] For example, if a certain electronic document is owned by a specific user, the user can read, write, and update his / her own electronic document. Access control is performed so as not to permit operations on. When there are a plurality of users who operate in connection with a certain electronic document, a group is defined, and permission is given to the group. This allows access control so that anyone who belongs to the group can operate on the shared electronic document, but not users who do not belong to the group can operate the electronic document. That is being done.

[0005] Considering a workflow of a certain company, the workflow is composed of a plurality of tasks, and each task has a link relationship along the task flow. Also, each task may be composed of several sub-tasks in order to perform each task, in which case the link between the task and the sub-task is in a parent-child relationship. Each task constituting the workflow may be performed entirely in one department, but is generally performed across several departments. Therefore, electronic documents or database records created by a task can be referenced or updated by those who are involved in this workflow task in multiple departments, as well as those who belong to a specific individual or group in one department. Need to be shared. To do so, a roster of everyone involved in the workflow needs to be created, and each electronic document or database record needs to have a definition of who and what access is allowed. In this way, it is theoretically possible to judge whether or not permission is granted based on the information defined for each time an electronic document or database record is accessed.

[0006]

However, such a conventional access control has a problem that it is difficult to operate it flexibly. This is because the people involved in an electronic document or database record often do not match the members of an organization such as a company. For example, in one workflow, an electronic document may need to be shared with people from other departments, even with people from other companies over an extranet or the Internet, Defining access for electronic documents or database records, including humans, cannot be done in practice. Moreover, if other companies are involved, some companies may want to keep their involvement secret. It is no longer appropriate to assume that a single organization in a company is physically concentrated in a local environment. That is,
Groups that can be centrally managed in a local environment (equipment) are no longer able to respond.

[0007] The present invention has been made in view of the above points, and a distributed electronic document which can flexibly control access to an electronic document even for a group of participants who cannot be accommodated by a local group. The purpose is to provide an access control system.

[0008]

According to the present invention, in order to solve the above-mentioned problem, an electronic document is operated in a distributed electronic document access control system for controlling access to an electronic document distributed and managed on a network. Personal authentication means for specifying a valid personal identifier of an individual, participant information as a set of personal identifiers, electronic document information as a set of electronic document pointers, and a set of pointers to other communication information records. Communication information record storage means for storing a communication information record including communication link information, and read, write, and update operations for an electronic document pointed to by an electronic document pointer included in the electronic document information are to be performed. Person's personal identifier is Access control means for permitting based on whether the communication information record is included in the participant information of the communication information record itself or included in the participant information of another communication information record in a link relationship with the record and the communication link information; , In a distributed environment, a distributed electronic document access control system is provided.

According to such a distributed electronic document access control system, the access control means, upon receiving an operation command for the electronic document, determines whether or not the operator is directly involved in the electronic document. A search is made for the participant information of the communication information record including the pointer to the electronic document in the electronic document information, and if the operator is included therein, the operator is authenticated by the personal authentication device and confirmed. This gives permission to operate the electronic document. If it is not included in this participant information, search for the participant information of another communication information record that is linked, and if it is included there,
For example, the authentication of the operator is also performed by another personal authentication device, and when the authentication is confirmed, the operation permission for the electronic document is given. As a result, if they are related by a link, they can operate even if they are not directly involved, and even if they are electronic documents or records in an environment different from the environment where the authentication of the operator is performed. . Further, it is possible to reject a request from an operator who has no link relationship.

According to the present invention, the route information that the operator has actually traveled from the personal authentication point to the electronic document to be operated is referred to, and the relationship between the links included in the route information is interpreted. Thus, the permission of the operation can be determined.

According to the present invention, the operation of reading, writing, and updating the electronic document is permitted to extend to the operation of the communication information record itself. Thus, it is possible to prevent a person who is not related to the link from operating including reading the link itself. In this way, for example, when there is a chain of links of a workflow, an operation is permitted for a link having an upstream link (a link having an upstream attribute) of the workflow, but a link having a downstream link is operated. You can restrict access such as not allowing access.

Further, in the present invention, a distance which is the maximum number when tracing a link is set in advance, and the link that can be traversed when judging permission of an operation is limited by the distance. Thus, for example, when there is a long chain of workflow links, it is possible to limit those who can operate within a range that can be grasped by a manager at a certain point.

Further, according to the present invention, in response to a read operation of a communication information record, a position indicated by an actual pointer with respect to a link of the content of the record is determined by:
A link abstraction means for concealing a specific position indicated by the pointer for an operation by replacing the pointer with a pointer to a relay point that returns only the structure is provided. Thus, it is possible to hide where the link destination or a further destination is specifically.

[0014]

Embodiments of the present invention will be described below with reference to the drawings. FIG. 1 is a diagram showing a basic configuration of the present invention. Referring to FIG. 1, a distributed electronic document access control system according to the present invention includes a plurality of local document management devices 2a, 2 distributed on a network 1.
, 2n and personal authentication devices 3a,.
m in a distributed environment, each local document management device 2
, 2n include access control means 4 and communication information record storage means 5
And link abstraction means 6. The communication information record storage unit 5 stores a communication information record including participant information 7, electronic document information 8, and communication link information 9.

Here, the personal authentication devices 3a,..., 3m
Is used to determine the personal identifier of the person who performs the operation and to give permission for the operation. In the communication information record storage means 5, the participant information 7 is a set of personal identifiers, the electronic document information 8 is a set of electronic document pointers, and the communication link information 9 is a pointer to another communication information record. The access control means 4 performs a read, write, and update operation on the electronic document pointed to by the electronic document pointer included in the electronic document information 8 so that the personal identifier of the person who attempted to perform the operation includes communication information including the electronic document. Permission is based on whether the record is included in the participant information 7 of the record itself, or is included in the participant information of another communication information record that is linked by the communication link information 9 with the record. Access control to give or not.

That is, when an operation instruction for an electronic document is received,
The access control means 4 searches whether or not the operator is included in the participants of the communication information record including the electronic document, and if the operator is included, the personal authentication device 3a,. After the authentication is performed and confirmed, permission for operation on the electronic document is given. If it is not included in the direct participant, the participant information of another communication information record having a link relationship is searched, and if it is included, the personal authentication device 3a,
.., 3 m, the authentication of the operator is performed, and when it is confirmed there, the operation permission for the electronic document is given. As a result, if the electronic document to be operated is related by the link by the communication information, the operator is not directly involved, and for example, the electronic document in an environment different from the environment in which the authentication is performed. Can be operated, and it becomes possible to reject a request from an operator who is not linked.

Further, the access control means 4 refers to the route information that the operator has actually followed from the personal authentication point to the electronic document to be operated, and determines the relationship between the links included in the route information. It is also possible to determine the permission of the operation by interpreting. As a result, it is possible to give an operation permission also to an individual belonging to the communication information record related by the reverse link.

Further, each link of the communication link information has a link attribute, and the link adopted when judging permission of the operation can be restricted by the value of the link attribute. In this way, for example, when there is a chain of links of a workflow, an operation is permitted for a link having an upstream link (a link having an upstream attribute) of the workflow, but a link having a downstream link is operated. You can apply a restriction such as not to allow.

Further, the access control means 4 can allow the operation of reading, writing, and updating the electronic document to extend to the operation of the communication information record itself. This allows
It is possible to prevent a person who is not related to the link from performing an operation including reading the link itself.

When tracing a link, instead of tracing infinitely, a distance that is the maximum number of links that can be traversed may be set in advance, and the tracing may be performed only within the distance. Therefore, for example, when there is a long chain of workflow links, it is possible to limit those who can operate within a range that can be grasped by a manager at a certain point.

In response to a read operation of a communication information record, the link abstraction means 6 replaces the position indicated by the actual pointer with respect to the link of the content of the record by a pointer to a relay point which returns only the structure of the link. The specific position indicated by the pointer can be hidden for operation. As a result, it is possible to hide where the link destination and the further destination are specifically. For example, the local document management devices 2a, 2b, and 2n are under the control of different companies, and the company of the local document management device 2a is in a link relationship with the company of the local document management device 2b. If there is a link with the company of the local document management device 2n and there is a transaction, the local document management device 2b has a local relationship with the company of the local document management device 2a that has a link relationship with the company of the local document management device 2b. By returning only the relay point of the document management device 2n to the company, the existence of the local document management device 2n can be notified, but it should be concealed that the company with which the transaction is being made is the company of the local document management device 2n. Can be.

Next, a case where the embodiment of the present invention is applied to a distributed document management system will be described as an example. FIG. 2 is a configuration diagram illustrating an example of the distributed document management system. In FIG. 2, it is assumed that an electronic document and a database record are in a distributed environment of two domains A and B for simplicity of illustration. Each of the domains A and B has an access processing unit 11, an individual authentication processing unit 12, and a database 13. The access processing unit 11 includes an access control unit 1
4 and an abstraction processing unit 15. The database 13 includes personal information 16, an electronic document 17, a communication information record 18, and link relay information 1.
9 are stored. The communication information record 18 includes participant information, electronic document information, and communication link information.

Here, for example, in domain A, personal authentication processing section 12 specifies a personal ID, and a generally used method is sufficient. That is, individual I
A pair of D and a password is held, and the user inputs a user ID and a password from the terminal device. The personal authentication processing unit 12 compares this input with the stored personal ID and password to determine whether or not they match. If they match, personal authentication is achieved, the user enters the log-in state, and a series of operations until logout is performed by a person having this personal ID. Also, any operation request made during that time is sent together with the operation command along with the operator's personal ID so that the access processing unit 11 can recognize that this person is requesting. of course,
Even if it is not the personal ID directly, any ID that can uniquely specify the personal ID may be used. For example, it may be replaced with the process ID of the program, but more importantly, it is encrypted. In the form where the personal ID flows directly through the Internet, there may be a person who misuses the individual. But,
Here, for the sake of simplicity and simplicity, the personal ID including the ID replaced in this manner will be referred to as a personal ID. The same applies to other IDs.

In general, in access control, a person who has permission to operate and an electronic document 17 to be operated.
Alternatively, correspondence with database records is indispensable, but in order to make this somewhat flexible, not only one-to-one correspondence but also a method for realizing a many-to-many relationship has conventionally been prepared. As described above, for a set of participants, a group of personal IDs can be defined, and for a set of electronic documents, the element is placed under one directory and the directory is associated with the preceding group. It is. In the present invention, the corresponding items are the participant information that is a set of personal IDs and the electronic document information that is a set of electronic document pointers.

Now, in the present invention, there is a communication information record 18 including both the set of participants and the set of electronic documents and its storage means (communication information record storage means 5 in FIG. 1). This communication information record 18 further includes communication link information. This communication link information is a set of pointers to other communication information records.

It is irrelevant whether the environment having the personal authentication processing section 12 and the database 13 as the storage means described above is single or plural. It is important to have multiple scattered environments. Another important feature is that information in a plurality of environments is not a duplicate of the same content.

Next, as a further specific example, a case where there are three companies, ie, company A, company B and company C, will be described as an example. FIG. 3 is a diagram illustrating an example of connection under three distributed environments. In FIG. A and Y. A belongs to company A and individual X. B and Y. B belongs to company B and individual X. C and Y. C shall belong to Company C. The electronic document AP and the database record AQ exist in the environment of the company A, the electronic document BP and the database record BQ exist in the environment of the company B, and the electronic document CP and the database record CQ exist in the environment of the company C. And

Here, for example, Japanese Patent Application Laid-Open No. H10-63747.
There is a workflow system as described in Japanese Patent Application Publication, that is, a series of tasks that constitute a workflow, each task is associated with a participant and an electronic document, and the tasks are connected by a link to form the entire system. A workflow system that manages the flow and follows a link when accessing another task, but takes an example of a workflow system in which the task is traced while sequentially maintaining the history of the task traced at that time. Each task in the workflow corresponds to a communication information record of the present invention, and the relationship between tasks corresponds to a communication link.

Now, the person involved in the task AT of Company A is an individual X. A, the related electronic document is the electronic document AP, and the person involved in the task BT1 of the company B is the individual X. B, the related electronic document is an electronic document BP, and
The person involved in task BT2 of company Y. B and the associated database record is database record B
Q, and those who are involved in Company CT's task CT are individuals X. C and Y. C, and the related electronic document and database record are the electronic document CP and the database record CQ. Then, task AT and task BT1, and task BT2 and task CT
Are related to the same process by the workflow.

At this time, personal information and communication information records (participant information, electronic document information, communication link information) in the environment of each company are managed by, for example, a relational database, and are stored as follows. . These records are simplified to the minimum information required for the description here.

FIG. 4 is a diagram showing an example of storing records in the database of company A, FIG. 5 is a diagram showing an example of storing records in the database of company B, and FIG. 6 is a diagram showing an example of storing records in the database of company C.

In the database of Company A, a personal information table 31 holding a personal ID and a password as a pair, a participant information table 32 holding a communication ID and a personal ID as a pair, an electronic information holding a communication ID and a document ID as a pair. The document information table 33 and the communication link information table 3 holding the communication IDs of the tasks in a link relationship in pairs
4 is stored.

Similarly, the databases of the companies B and C are
Personal information tables 41 and 51, participant information table 4
2 and 52, electronic document information tables 43 and 53, and communication link information tables 44 and 54.

Here, taking the case of company C as an example, the participant information of the communication information record CT, which is the communication ID appearing in the communication link information table 54, is that the communication ID of the participant information table 52 is CT. Are the personal IDs of the two records, and the electronic document information is the same as the communication ID of the electronic document information table 53.
T is the document ID of the two records, and the communication link information is the other communication ID of the record in which the communication ID of the communication link information table 54 is CT.

In this embodiment, the personal ID and the communication ID are unique IDs on the wide area network. For example, this is an address (hereinafter referred to as a domain) that is an ID that uniquely identifies each database server distributed on the network and a unique ID in the local database.
If both are included, a unique ID can be realized in a wide area.

That is, for example, BT2. B is BT2 in domain B (B's database environment). In addition, when expressing its own domain (database environment), this can be omitted. That is, CT
Formally exists in domain C (C's database). C.

Now, how the user's operation command is processed will be described below. First, the access processing unit 11
The configuration of the access control unit 14 will be described. FIG. 7 is a diagram showing a configuration of the access control unit. The access control unit 14 includes a command syntax check unit 61, a communication information record search processing unit 62, a search distance storage unit 63, a participant search processing unit 64, and a personal authentication confirmation request processing unit 65. I have. Command syntax check unit 61
Analyzes the received operation instruction and checks whether the instruction is a valid instruction. When the operation command is in an appropriate format, the communication information record search processing unit 62 performs a process of searching a communication information record in the database 13 for the operation target specified in the command. The search distance storage unit 63 is an area for temporarily storing the number of links currently being followed when searching for a communication information record. The participant search processing unit 64 performs a process of searching for participant information based on the communication ID. When the operator is found in the search result of the communication information record, the personal authentication confirmation request processing unit 65 performs a process of inquiring the personal authentication processing unit 12 about the authentication of the operator.

First, the place where the operation command is accepted is the access processing section 11 including the access control section 14, and there is no other place to accept the command. The access control unit 14 of the access processing unit 11 does not accept an operation type, that is, an instruction for designating read, write, or update, a personal ID of an operator, and an operation target unless the operation target is designated at the same time. Also, when only the document ID is specified, the operation target is not accepted, and both the communication ID and the document ID must be specified.

Here, the individual X. Consider a case where A refers (reads) to the electronic document BP of Company B. In this case, for the reference operation, the following command including these elements must be transmitted to the access processing unit 11 of Company B. Operation = read, personal ID = X. A, Communication ID = BT1, Electronic Document ID = BP Upon receiving this operation command, the access processing unit 11 inquires of the access control unit 14 whether or not the command can be executed. Execute the instruction only.

The access control unit 14 determines whether or not the operation can be performed as follows. First, in the command syntax check unit 61, it is confirmed that the items of the operation command are arranged in the format as in the above-described example. Then, the attribute of the file with the electronic document ID = BP of the communication ID = BT1 is checked to confirm that the operation is possible. Since a general file system is provided with an attribute indicating read / write permission, it is checked whether or not operation is possible based on the attribute. Here, if it is determined that the operation is impossible, the entire instruction is disallowed, and the processing for this reference operation ends.

Next, in the communication information record search processing section 62, the communication ID = BT
1 is searched, and a personal ID = X. Check if A exists. In this case, there is no such participant information record in the database of domain A, so no permission is given at this stage.

Next, there is a link relationship with this communication information record (communication ID = BT
1 for all communication IDs appearing in the communication information record having the communication ID, a record of the participant information having the communication ID is searched in each domain, and the personal ID = X. Check if A exists. In this example, the link is A
T. A, only the participant search processing unit 64 determines that the communication ID = AT. A record of the participant information having A is searched in the domain A, and the personal ID =
X. Check if A exists. If the presence is confirmed, it is temporarily determined that the operation permission may be issued.

Finally, through the personal authentication confirmation request processing section 65, the confirmation of the operator is made by the operator's personal ID = X. Confirm the personal ID in the personal authentication processing unit 12 of the domain A of A,
If no mistakes, give final permission. As mentioned above,
The personal ID may be actually encrypted in a form that has been authenticated in advance.

Here, for example, if a person from Company C tries to perform the same operation, the communication ID = BT1 is not permitted because no link exists. Also, the personal ID of company A = Y. Even if the person A tries to perform the same operation, the person is not permitted because the communication ID is not a participant of the communication ID = AT that is linked to the communication ID = BT1.

If it is not possible to confirm as a person involved at the direct link destination, it is possible to sequentially follow the link destination from each link destination. In this case, all link destinations will be checked. However, if the link destination is far, the relevance is often low, so that the number of links to be followed can be limited to a certain number. In this case, when the length (distance) of the link exceeds the set value, the search is terminated at that point, and it is determined that the link is not permitted.

In addition to the restriction by the distance, for example, it is possible to set a restriction that only the link existing only on the right side of the communication link information table or only the left side is searched.

Further, information that permits only a specific link to be traced can be added to the communication link information table, examples of which are shown below. FIG. 8 is a diagram showing an example of the extended communication link information table. According to the example of FIG. 8, the communication link information table 44a of the database of the company B is shown, and an attribute can be provided for each communication ID pair having a link relationship. Thus, when tracing a link, it is possible to search only records having a certain value of the attribute, and it is possible to limit the link tracing by the attribute.

By the way, the following information, that is, "operation, personal ID, communication ID, and electronic document ID" are necessary for the determination of operation permission. However, as can be seen from the above description, it is possible to determine whether or not the operation is possible based on the previous three information, except that the file to be operated cannot be specified unless the electronic document ID is specified. is there. Therefore, even if it is attempted to operate the communication information record itself by the command including the three pieces of information from the beginning, it can be understood that the determination as to whether or not the operation is possible can be performed in exactly the same manner.

Now, the operator generally does not suddenly find a specific operation target linked far away.
By sequentially following the link from the communication information record in which the user is involved, the user reaches the record in which the object to be operated exists.

The history of the traversed link is recorded, and this history information is added in addition to the four items required for the operation command, and this can be used for determining whether or not the operation is possible. An example of an operation command including history information added each time a link is followed is shown below. Operation = read, personal ID = X. A, communication ID = BT1, electronic document ID = BP, history = [AT.
A, BT1. B] According to the example of this operation command, AT. BT from A
1. The example at the time of reaching B is shown.

Here, in the above-mentioned example, the AT.
A and BT1. Suppose that a link to B existed, but no record for this link existed in domain B. Then, AT. I can't find A. However, this time, the history = [AT. A, BT1. B], BT1. It can be substituted by checking if there is a chain of links going to B. Otherwise, it is possible to determine whether or not the operation can be performed by exactly the same procedure.

The access control unit 14 described above
Is summarized by the following flowchart. 9 and 10 are flowcharts showing the flow of the processing of the access control unit.
First, since the access control unit 14 receives a command in the form of “operation, personal ID, communication ID, electronic document ID” as an operation command, the access command is analyzed and the operation command is in a correct format. It is determined whether the information is complete, and the validity of the operation command is checked (step S1). Next, it is determined whether the attribute of the electronic document file to be operated by the file system or the like can execute the command (step S2).

If the operation command is valid and the command can be executed, the link distance is set to "0" here (step S).
3), a set of links to be investigated is initialized to empty (step S4). Here, a pair of the specified communication ID and the link distance is added to the surveyed link set (step S5). Next, it is determined whether the surveyed link set is empty (step S6). If the survey link set is not empty, one pair of the communication ID and the link distance is extracted from the survey link set (the pair is deleted from the survey link set) (step S).
7).

Next, the participant information record is searched by the extracted communication ID (step S).
8). Here, it is determined whether the personal ID of the operator exists in the search result (step S9). If the personal ID of the operator exists in the search result, the personal ID is checked by the personal authentication processing unit (step S1).
0). Next, the personal authentication processing unit determines whether or not confirmation has been obtained (step S11). If the confirmation is obtained, it is determined that the operation of the target file is permitted (step S12). Judgment is disapproved,
This process ends (step S13).

If it is determined in step S9 that the operator's personal ID does not exist in the search result, it is necessary to follow another link to check the link distance. Set to distance + 1 (step S
14). Here, it is determined whether the newly set link distance has exceeded a preset value (step S15). Here, when the link distance exceeds the set value, the user does not follow the link any longer and returns to step S6, and examines a participant of the next task to be investigated from the surveyed link set. If it is determined in step S15 that the link distance is equal to or less than the set value, the communication information record is searched by searching the communication link information table using the communication ID extracted earlier and the set attribute ( Step S16). If no attribute is specified, all records are searched. Next, all communication IDs in the search results
And a link distance are added to the set of links to be investigated (step S17). Thereafter, the process returns to step S6.

Also, in the judgments of steps S1 and S2,
If the operation command is not valid or the file attribute of the operation target cannot execute the command even if the operation command is valid, the determination is not permitted, and the process ends at that point. In step S6, even when the set of survey targets is gone,
At that point, the determination is rejected, and the process ends.

Next, as shown in FIG. 3, a description will be given of the case of a workflow in which the task AT started by the company A flows to the task CT of the company C via the two tasks BT1 and BT2 of the company B. I do. The communication link information table of Company B at this time is as shown in FIG.

FIG. 11 is a diagram showing another example of the communication link information table. According to the communication information table 44b of the company B shown in FIG. 11, the task AT of the company A and the task BT1 of the company B have a link relationship, and the tasks BT1 and BT2 of the company B have a link relationship.
Then, the task BT2 of the company B and the task CT of the company C are in a link relationship, and all communication information records are linked.

Now, assume that Company A has a request to know the progress of the work requested to Company B. For this purpose, the communication information records may be sequentially referred to while following the communication links. But,
Company B may not want to know that it has commissioned C for some of its work. In other words, there is an inconsistent request that Company A wants to follow the link to some extent to grasp the situation, but Company B does not want to know where the link is. Here, if the company B does not give permission to the reference command of the communication information record despite the link, the request of the company A cannot be satisfied.

In order to respond to both requests, the abstraction processing unit 15 of the access processing unit 11 performs the following processing. FIG. 12 is a flowchart illustrating the flow of the process of the abstraction processing unit. First, it is determined whether the information to be transmitted from the company B is information representing a domain or an organization (step S21). If the information you are trying to send is not information representing a domain or organization,
This information is transmitted as it is (step S22). If the information to be transmitted is information indicating a domain or an organization, it is next determined whether or not the information has already been registered in the link relay conversion table (step S23). If the information has already been registered in the link relay conversion table, the information is replaced with the abstract value of the link relay conversion table and transmitted (step S24). If the information is not yet registered in the link relay conversion table, one new abstract value is generated, and a pair with this information is registered in the link relay conversion table (step S25). Then, this information is replaced with the generated abstract value and transmitted (step S26).

For example, a communication A from Company A
When a read command of the record of D = BT2 is received, the information of the task “C of another domain” is included in the normal response.
T. However, the abstraction processing unit 15 replaces the “CT.C” part with an abstract value and transmits the result. Assuming that a relay point pointer is used as the abstract value, the abstract value is stored in the link relay conversion table as the link relay information 19, and is transmitted by referring to the relay point pointer corresponding to the task information. You.

FIG. 13 is a diagram showing an example of the link relay conversion table. In FIG. 13, the link relay conversion table 19a includes fields of an original ID and an abstract ID. Here, in the abstract ID, IT
Indicates a relay point, and “101” is an ID newly created so as not to collide with the existing ID. Therefore, when there is such a link relay conversion table 19a, the abstraction processing unit 15
As a value of “CT.C”, “IT101.B” of the relay point pointer is returned as an abstract value.

As described above, there is no method for referring to the contents of the link relay table from the domain A by the processing of the abstraction processing unit 15, so that the company B conceals the existence of the company C from the company A. be able to. On the other hand, Company A does not know that it is Company C, but some task IT101.
It turns out that there is B.

Now, here, communication ID = IT101. A description will be given of what happens when an instruction for referring to the communication information record B is issued.

Originally, CT. C, but refer to IT101. B, the command is sent to the domain B indicated by the replaced ID. Domain B knows that the requested communication ID = IT 101 is an abstract ID. The link relay conversion table 19a is searched, and the real ID is CT. Get C. Then, the communication ID portion of the command requested from A is re-input to CT.
C and is sent to the domain C indicated by the ID.

Domain C returns the result of the requested operation to Domain B. Because the request came from domain B. The abstraction processing unit of domain B replaces all the pointers of the content returned from C as follows, abstracts the link, and returns it to A.

That is, the link relay table is searched,
For those already registered here, the abstract I
Replace with D. On the other hand, if no ID is found as a result of the search, an ID that does not collide with the previous ID is newly created and replaced. The correspondence of the replaced ID is stored in the link relay conversion table.

By the above-mentioned relay processing, relaying is performed for all further links from the record once relayed, but at this time, the name of the link destination is abstracted. As a result, Company A wants to grasp all tasks, and Company B, which is linked to Company A,
It is possible to simultaneously respond to the conflicting demands of wanting to hide the company.

[0069]

As described above, according to the present invention, it is checked whether or not an operator who wants to operate an electronic document or a database record is included in the direct participants, and if so, the operation is permitted and the operation is permitted. If there is no such information, the system is configured to follow the link of the communication information record and to similarly check the link destination. This allows an electronic document or database record in another environment to be operated as an indirect participant as long as the electronic document or database record is linked by a link, for example, across multiple environments. In the case where there is an electronic document to be shared in one workflow having a relationship between tasks, it is possible to flexibly control access to a group of participants that cannot be accommodated in each environment.

Further, it is possible to cope with access control to an electronic document or a database record shared in a workflow that crosses an organization such as a company. It is possible to satisfy the demand.

[Brief description of the drawings]

FIG. 1 is a diagram showing a basic configuration of the present invention.

FIG. 2 is a configuration diagram illustrating an example of a distributed document management system.

FIG. 3 is a diagram illustrating an example of connection under three distributed environments.

FIG. 4 is a diagram showing an example of storing records in a database of a company A;

FIG. 5 is a diagram illustrating an example of storing records in a database of a company B;

FIG. 6 is a diagram illustrating an example of storing records in a database of a company C;

FIG. 7 is a diagram illustrating a configuration of an access control unit.

FIG. 8 is a diagram illustrating an example of an extended communication link information table.

FIG. 9 is a flowchart (part 1) illustrating a processing flow of an access control unit.

FIG. 10 is a flowchart (No. 2) showing the flow of processing of the access control unit.

FIG. 11 is a diagram showing another example of the communication link information table.

FIG. 12 is a flowchart illustrating a flow of processing of an abstraction processing unit.

FIG. 13 is a diagram illustrating an example of a link relay conversion table.

[Explanation of symbols]

 Reference Signs List 1 network 2a, 2b,..., 2n local document management device 3a. Information 11 Access processing unit 12 Personal authentication processing unit 13 Database 14 Access control unit 15 Abstraction processing unit 16 Personal information 17 Electronic document information 18 Communication information record 19 Link relay information 19a Link relay conversion table 31 Personal information table 32 Participant information table 33 Electronic document information table 34 Communication link information table 41,51 Personal information table 42,52 Participant information table 43,53 Electronic document information table 44,54 Communication link information table 44a Communication link information table 44b Communication information table 52 Participant information table 53 Electronic document information table 54 Communication link information table 61 Command syntax check unit 62 Communication information record search processing unit 63 Search distance storage unit 64 Participants Search processing unit 65 Personal authentication confirmation request processing unit

Claims (6)

[Claims] 1. A distributed electronic document access control system for controlling access to electronic documents distributed and managed on a network, comprising: a personal authentication unit for specifying a valid personal identifier of an individual who intends to operate the electronic document; Communication information storing a communication information record including participant information that is a set of personal identifiers, electronic document information that is a set of electronic document pointers, and communication link information that is a set of pointers to other communication information records Record storage means; read, write, and update operations for the electronic document pointed to by the electronic document pointer included in the electronic document information; the personal identifier of the person who attempted to perform the operation is the participant information of the communication information record itself; Or a plurality of access control means for permitting based on the determination as to whether or not the record is included in the participant information of another communication information record in a link relationship with the record and the communication link information. A distributed electronic document access control system. 2. The method according to claim 1, wherein the access control unit refers to route information traversed by the operator from the personal authentication point to the electronic document to be operated, and determines a relationship between links included in the route information. 2. The distributed electronic document access control system according to claim 1, wherein interpretation is performed to determine whether the operation is permitted. 3. The distributed electronic document access according to claim 1, wherein said access control means permits the operation of reading, writing, and updating of the electronic document to extend to the operation of the communication information record itself. Control system. 4. Each link of the communication link information has a link attribute, and a link adopted when determining permission of the operation is limited by a value of the link attribute. 4. The distributed electronic document access control system according to any one of 1 to 3. 5. The method according to claim 1, wherein a distance that is the maximum number of links to be followed is set in advance, and links that can be followed when the permission of the operation is determined are limited by the distance. The distributed electronic document access control system according to claim 1. 6. In response to the read operation of the communication information record, for the link of the content of the record, the position indicated by the actual pointer is replaced by a pointer to a relay point that returns only the structure, thereby reducing the operation. 2. The distributed electronic document access control system according to claim 1, further comprising link abstraction means for concealing a specific position indicated by said pointer.