JP2001195293A - Access controller and access control method and computer readable recording medium with program to be executed by computer - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an access controller and method for designating a user group who can participate in a cooperative work, and for keeping the privacy of the data. SOLUTION: A user preserves data to be operated, and accepts an operation request to the data, and judges the authorization/non-authorization of the operation, and registers a user group M being the group of user's identifiers indicating main bodies who can issue the operation requests to the preserved data, and registers an access control list constituted of the identifiers of the data, the operation authority for the data, and the user's identifiers indicating the users having the operation authority, and registers 0 or not less than 1 user's identifiers, and compares a cooperative person group P indicating the whole registered users with an authorized person group Q obtained by extracting the users having the operation authority for the data to be operated from the access control list, and authorizes the operation only when the cooperative person group P is the partial group of the authorized person group Q, and when the cooperative person group P is not a dead group.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an apparatus and method for restricting access to a computer system shared by a specific member in an environment mainly used by the specific member. In particular, the present invention relates to an apparatus and method for restricting access to a computer system that is shared within a group that has a strong relationship of trust, such as a family member.

[0002]

2. Description of the Related Art Personal computers (hereinafter "PCs")
That. ) Is a computer intended to be used by an individual, as the meaning of “personal” is. For personal use, there are usually one set of input devices such as a keyboard and a mouse, and usually one set of output devices such as a display.

[0005] However, it is common for a plurality of users to share one PC and use input devices alternately or to cooperate while consulting with each other even at home. For example, there may be a case where a homepage is searched to determine a destination of a family trip, a case where a sibling cooperates to create an e-mail addressed to a grandparent, or a case where a couple cooperates to keep a household account book. On the other hand, not limited to family members, there may be cases such as completing a school homework in cooperation with friends or creating a homepage in cooperation with friends.

However, a storage device such as a hard disk on a PC that is shared by a plurality of people often has private information that is not desired to be seen by other family members.
For example, the contents of an e-mail sent from a friend of the opposite sex
It is natural that even parents do not want to show. You may also receive emails that you don't want others to see. In addition, it is likely that you do not want to show the completed file to others.
Therefore, when one PC is used jointly at home or the like, there is a strong demand for simultaneously satisfying two conflicting requirements of cooperative work of a plurality of users and management of private documents.

[0005] Such a request cannot be solved only by login management and access restriction to a file system which are often seen in the past. Since a PC is often installed in a living room or the like where a family is shared, the current user who is logged in to the PC often does not match the actual user who is viewing the output of the PC. Because.

For example, it is possible for another family member to look into a place where one person is creating a private mail. It is also conceivable that a parent may come to check the situation while several people are working together on homework. Further, when a specific member leaves during the collaborative work, there is a possibility that some work is performed by another member.

[0007] Therefore, even in the home, when sharing a PC and working, the user changes from moment to moment as shown in FIG. That is, a dynamic change of the user between the collaborative work and the independent work can occur at any time. Therefore, a new access restriction mechanism is required to be able to cope with such a change.

[0008] On the other hand, the use of a PC in an office is usually performed by one person at a time, but a third-party boss or a visitor views the screen from behind the PC. Looking into the case is quite possible. Even in such a case, there are some means for hiding the private information displayed on the display.

One possibility is to turn off the power to the display. Another possibility is to interrupt the screen display using a function provided in the operating system. For example, in "WINDOWS NT" manufactured by Microsoft, the user can use CTRL-A
By simultaneously pressing the three keys of the LT-DEL, the display screen can be hidden instantaneously and the operation can be interrupted. In addition, there is an application tool that switches the display on the display to the specified image data with one key operation, hiding the fact that "there was a game during business hours", etc. It is also considered how to change to the screen.

However, with such a method, the purpose of hiding private information from viewing by others can be achieved, but a transition from an independent operation to a collaborative operation as shown in FIG. 1 is supported. The problem remains in the absence of it. In other words, the user (for example, Mr. A) who has been using the personal computer up to now and the third party (for example, Mr. B) who looked into cannot cooperate using the PC.

The above-mentioned “WIND” manufactured by Microsoft Corporation
"WS NT" as an example, Mr. A is CTRL-AL
The only action options that can be performed after the operation of simultaneously pressing the three keys of the T-DEL are “wait for Mr. B to return and return to the original working state” or logout or shutdown. For this reason, there is a problem that the means used in these office scenes are not suitable for domestic use, such as when the older sister uses it at home and cooperates with the peeping sister.

To cope with such a problem, Japanese Patent Application No. Hei 11-1
Japanese Patent No. 30125 discloses a technique in which a sensor detects the presence of a user who is at a position where the output of a PC can be viewed, and dynamically changes the display state based on the access authority of the detected user.

Specifically, as shown in FIG. 2A, the sensor detects that another user has appeared while one user is browsing information through screens 1 to 4. In this case, as shown in FIG. 2B, the screens 2 and 3 are restricted so as not to be viewed, and if the sensor detects that the other user has left, all of the screens 1 to 4 are viewed as before. It is a method of returning the display output so that it can be performed.

[0014]

However, in such a method, the purpose of hiding private information from viewing by others can be achieved, and the transition from independent work to cooperative work as shown in FIG. 1 is also supported. However, there is a problem in the continuity of the collaborative work.

That is, in part, the short-term continuity of the collaboration is lost. This problem occurs because the screen display is dynamically switched based on the sensor input. In other words, since the user cannot control the display switching on his / her own will, when two people are working together, the screen display is switched every time one person stops from the place, For the user who continues the operation, the screen is frequently switched and the work is interrupted.

Another is the loss of long-term continuity of collaborative work. The problem is that continuity of work cannot be maintained when all the workers are not available. In other words, in the collaborative work, if the work that was originally performed by two users is later performed by one user and data is added, if the other user works again at a different time This is because there is a problem that the other user cannot access the added data.

Regarding the problem of long-term continuity of collaborative work, the well-known operating system "UNI
It is also conceivable that this can be avoided by the directory sharing setting found in “X” and “WINDOWS NT”. In other words, a method is used in which data used during collaborative work is gathered in one directory or folder, and data created in the folder is set so that all collaborators can always access the data. Such a method
This is a common method for sharing documents in offices.

However, "UNIX" and "WINDOWS"
The access authority of "NT" is determined only for the currently logged-in user, and is limited to the access restrictions in a situation where multiple users share the output, such as at home. Had a problem in that it could not cope.

According to the present invention, there is provided an access control apparatus and method capable of designating a set of users who can participate in collaborative work and protecting data privacy. The purpose is to provide.

[0020]

In order to achieve the above object, an access restriction device according to the present invention comprises: a data storage unit for storing data to be operated by a user; An access permission determination unit that determines permission / non-permission of a user set M, which is a set of user identifiers indicating a subject that can issue an operation request for data stored in the data storage unit. A user registration unit for registering, an access control list registration unit for registering an access control list including a data identifier, an operation authority for the data, and a user identifier indicating a user having the operation authority; The system further includes a cooperator registration unit capable of registering one or more user identifiers, and the access permission determination unit includes a user registered in the cooperator registration unit. The collaborator set P is compared with a permitter set Q obtained by extracting users who have operation authority for data to be operated from the access control list, and the cooperator set P is a subset of the permitter set Q, The operation request is permitted only when the cooperator set P is not an empty set.

As described above, the permission / non-permission of operation requests such as reference requests and rewrite requests for data stored in the data storage unit does not depend on who is currently using the system. It depends on the user registered in the set P.

With this configuration, by registering in advance the users who may work together with the collaborator group,
Even if there is a short-term decrease or increase in the number of workers due to a middle seat during the work, frequent switching of the data set displayed on the screen does not occur. Also, even if one of the members takes a day off, by leaving the cooperator set P as it is,
The data created on that day can be accessed by the absent person on the next day. Thus, the continuity of the short-term or long-term collaborative work can be prevented from being impaired.

Further, the access restriction device according to the present invention further includes a data creation unit for creating new data to be stored in the data storage unit, wherein the data creation unit refers to the cooperator set P, It is preferable to add an access control list for new data for each user who is an element of P and register it in the access control list registration unit. This is because access control to the new data cannot be performed unless the access control list is added.

Further, the access restriction device according to the present invention includes a cooperator changing unit that performs a process of adding to the cooperator set P or a process of deleting from the cooperator set P for a user who is an element of the user set M. Preferably, it further includes. By providing the cooperator change unit, the system user himself changes the cooperator set P, so that permission / rejection of the data reference request is instantly changed, and the data set displayed on the screen is instantly changed. Because you can. As a result, the user can instantly hide the private information from the third party coming from behind, and can move from the independent work to the collaborative work with the user coming from behind as shown in FIG. Can be changed.

Further, the access restriction device according to the present invention, when the element of the user set M is two or more,
A user authentication unit for authenticating a user, and an authenticator set R which is a set of a user identifier of the user identified by the user authentication unit.
It is preferable to further include a certifier registration unit for registering the certifier set, and an operation constraint unit for restricting an addition process or a deletion process that can be performed by the collaborator change unit based on the registration content of the certifier set R. This is because the provision of the operation restriction unit can prevent the user from intentionally changing the cooperator set P and viewing the private information of the third party.

Further, in the access restriction device according to the present invention, in the operation restriction unit, the cooperator set P is set to the user set M
, And when the cooperator set P is an empty set, the user who is an element of the authenticator set R is allowed to be added to the cooperator set P, and authentication is performed. It is prohibited to add another user who is not an element of the cooperator set R to the cooperator set P. On the other hand, when the cooperator set P is not an empty set, the user set M of the user set M which is not an element of the cooperator set P is prohibited. The user is allowed to add an arbitrary element to the cooperator set P, and is prohibited from deleting a user who is an element of both the authenticator set R and the cooperator set P from the cooperator set P. Permitting other users who are not elements of the set R but elements of the cooperator set P to be deleted from the cooperator set P, and permitting all elements to be deleted from the cooperator set P Is preferred. This is because the private information of the user can be securely protected.

In the operation restriction unit, the cooperator set P
Is allowed to be replaced with all the elements of the user set M, so that the cooperator set can be assigned to all the registered family members regardless of who is using the family.
In this state, since only data that can be originally viewed by the whole family can be referred to, the privacy problem of the family does not occur. For this reason, even when all the family members are not ready, it is possible to continue the collaborative work of the family members without worrying about privacy.

When the cooperator set P is an empty set,
Since a user who is an element of the certifier set R is allowed to be added to the cooperator set P, and another user who is not an element of the certifier set R is prohibited to be added to the cooperator set P, , Only authorized users can add themselves to the collaborator set P. If the cooperator set P is only yourself, data that can be referred to only by yourself is also displayed, so that private work can be performed.

Further, when the cooperator set P is not an empty set, it is permitted to add any element of the user set M, which is another user who is not an element of the cooperator set P, to the cooperator set P. Therefore, regardless of whether the added user is present or not, anyone can increase the number of collaborator sets P. When the elements of the cooperator set P increase from one to two, from two to three, etc., the data that can be referred to only decreases, and no privacy problem occurs. For this reason, it is possible to perform a collaborative work by adding a person who is not present without worrying about privacy.

Further, it is prohibited to delete a user who is an element of both the certifier set R and the cooperator set P from the cooperator set P, and the user is not an element of the certifier set R, but is deleted.
Is permitted to be deleted from the collaborator set P, the authenticated user deletes the members other than himself from the collaborator set P, and deletes the elements of the collaborator set P from three to two. By reducing to humans, you can refer to the private data of the two groups. Similarly, by reducing the collaborator set P from two to one, it is possible to refer to private data only for oneself.

Further, since the authenticated user cannot delete himself / herself from the collaborator set P, the authenticated user may refer to private data of a third party who remains in the collaborator set P by mistake. Can be prevented.

Further, since all elements are permitted to be deleted from the cooperator set P, all operations on data can be prohibited at any time.

Further, in the access restriction device according to the present invention, the user operates the data display unit for presenting the data permitted to be referred by the access permission determination unit, and the subset of the data set presented by the data display unit. A data selection unit for selecting as a target is further included, so that, when data is selected in the data selection unit, a user added to the cooperator set P by an additional process for the cooperator change unit can process the data. It is preferable to add authority in the access control list. This is so that even if the user is not registered as a collaborator in advance, he or she can join the work from the middle.

Further, the present invention is characterized by software that executes the function of the above-described access restriction device as a processing step of a computer. Specifically, data to be operated by a user is stored. An access restriction method including a step of storing and an operation request for data, and a step of determining permission or rejection of an operation, wherein the set of user identifiers representing a subject that can issue an operation request for the stored data. A step of registering a certain user set M, a step of registering an access control list including a data identifier, an operation authority for the data, and a user identifier indicating a user who has the operation authority, 0 or 1 The method further includes a step of registering the above-mentioned user identifier, and operates from a cooperator set P indicating all the registered users and an access control list. The user who has the operation authority for the data to be elephant is compared with the set of authorized persons Q, and the operation is performed only when the set of cooperators P is a subset of the set of authorized persons Q and the set of cooperators P is not an empty set. The method is characterized in that the method is an access restriction method for permitting a request and a computer-readable recording medium recording such a step as a program.

With this configuration, by loading the program on a computer and executing the program, users who are likely to work together are registered in advance in a group of co-workers, so that a user who is in the middle of work can use the program. Access restrictions that do not cause frequent switching of the data set displayed on the screen even if there is a short-term decrease or increase in staffing, so that the continuity of short-term or long-term collaborative work is not impaired The device can be realized.

[0036]

DESCRIPTION OF THE PREFERRED EMBODIMENTS (Embodiment 1) Hereinafter, an access restriction device according to Embodiment 1 of the present invention will be described with reference to the drawings. FIG. 3 shows Embodiment 1 of the present invention.
1 shows a principle configuration diagram of an access restriction device according to (1). In FIG. 3, reference numeral 31 denotes a data storage unit for storing data to be operated by the user, 32 denotes an identifier indicating the data, an operation authority for the data, and a user identifier indicating the user having the operation authority. An access control list registering section for registering an access control list composed of the following. 41 is a user registering section for storing a maximum participant capable of registering a plurality of user identifiers as a current user as a user set M. , Respectively.

Reference numeral 33 denotes an access permission determining unit for referring to the access control list to determine whether or not operation of the data for which the operation request has been accepted is permitted. Reference numeral 34 denotes a plurality of user identifiers of the cooperator. The collaborator registration units that can be registered as are shown below.

In the access restriction device according to the first embodiment of the present invention, first, as a premise of operation,
It is necessary to store the largest member who may participate in the operation in the user registration unit 41. This is for specifying the user set M and preventing the participation of a third party such as an outsider beforehand.

Next, the data to be operated is registered in advance in association with an access control list indicating the authority to operate the data. Then, referring to the cooperator registration unit 34, the cooperator set P, which is a set of all cooperators registered from the elements of the user set M, and data to be operated are registered in the access control list. The set is compared with a set of authorized persons Q, which is a set of users who are permitted to perform the operation.

If the cooperator set P is a subset of the permitter set Q and the cooperator set P is not an empty set, that is, all cooperators have access authority to the data and at least one cooperator In this state, the user who has issued the operation request for the data to be operated is allowed to operate.

By doing so, it is possible to prevent the occurrence of a collaborator who does not have access authority to the data to be operated, and to prevent the operation for concealing information from outsiders in the collaborative work. It is possible to release the user.

In order to realize finer access control, access authority is controlled by a method as shown in FIG.
FIG. 4 is a block diagram of the access restriction device according to the first embodiment of the present invention.

In FIG. 4, reference numeral 42 denotes an addition or addition of an arbitrary user who is an element of the user set M to the cooperator set P registered in the cooperator registration unit 34 in accordance with the operation of the user. Reference numeral 43 denotes a cooperator changing unit that deletes from the set P, and reference numeral 43 denotes a user authentication unit that specifies a user who is an element of the user set M.

Reference numeral 44 denotes a certifier registration unit for storing the certifier set R specified by the user authentication unit 43, and reference numeral 45 denotes a cooperator change unit in accordance with the certifier set R stored by the certifier registration unit 44. Operation restricting units for restricting the user's operation on the operation 42 are shown.

Here, in the present specification, the cooperator means a user who is a reference for judging data access permission.
The authenticator means a user who has actually been authenticated by the user authentication unit 43.

In FIG. 4, as a prerequisite for the operation, it is necessary for the user to store in the user registration section 41 the largest member who may participate in the operation.
This is for specifying the user set M and preventing the participation of a third party such as an outsider beforehand.

Next, when there is an authentication request from the user in the user authentication section 43, the user or a set of users (the authentication request may be made by a plurality of persons). It is checked whether it is an element or a subset of the user set M, and if it is an element or a subset of the user set M, the authenticator set R is replaced with the element or the subset.

When the authenticator set R is replaced, the operation restricting unit 45 restricts the operations that can be performed by the user in the collaborator changing unit 42. That is, by restricting addition to and deletion from the cooperator set P, the access permission determination unit 33
Is used to control the determination in.

The limitation is performed based on the following five rules. First, an additional process of substituting the user set M into the cooperator set P is always permitted. The range registered in the user set M is the maximum range that can participate in the work, and the set of accessible data is minimized, so that the data can be freely performed without any particular authentication. .

Next, when the collaborator set P is an empty set, a process of adding a user who is an element of the certifier set R to the collaborator set P is permitted, and the user who is not an element of the certifier set R is used. The process of adding a person to the collaborator set P is prohibited. This is because, if the addition of a user who is not an element of the authenticator set R is permitted, anyone can pretend to be another person and private information cannot be protected.

If the cooperator set P is not an empty set, the user set M is not an element of the cooperator set P but
Is permitted to add a user, which is an element of the group, to the collaborator set P. Members who can participate in the work can be freely added within the range registered in the user set M without particularly requiring authentication.

Further, when the cooperator set P is not an empty set, the process of deleting the user who is an element of both the authenticator set R and the cooperator set P from the cooperator set P is prohibited, and the authenticator set P is deleted. Only the process of deleting a user who is an element of the cooperator set P that is not an element of R from the cooperator set P is permitted. This is because when the number of participants is reduced, private information cannot be protected unless there is a member belonging to the authenticator set R among the remaining members.

If the cooperator set P is not an empty set, the process of deleting all elements from the cooperator set P is permitted. If all elements are deleted from the cooperator set P to become an empty set, there is no access right to the data, so that the transfer can be freely performed without any authentication.

In order to facilitate the description of the operation authority of the cooperator set P in the first embodiment, the following four processing modes are defined. First, the “standby mode” indicates that the cooperator set P is an empty set. The “private mode” indicates that the cooperator set P has only one element, and that the element is an element of the user set M.

The "family mode" indicates that the cooperator set P and the user set M match, and the "multiple mode"
Is that the cooperator set P is a true subset of the user set M,
And the number of elements of the cooperator set P is two or more.

In the access restriction device according to the first embodiment, each time there is a reference request for data, the access permission determining unit 33 sets the cooperator set P and the access control list stored in the cooperator registration unit 34. Is compared with the set of permitters Q set by the above, and the reference request is permitted only when the set of cooperators P is a subset of the set of permitters Q and the set of cooperators P is not an empty set.

For this reason, among the cooperator set P including the user a, the data set that can be referred to by the user a is maximum in the private mode and is minimum in the family mode. Therefore, since the operation of adding another user means that the data that can be referred to is reduced, the privacy of the data can be maintained even if the new user is added without being authenticated. In particular, since authentication is not required, members who are not currently participating in the work can be freely added to the cooperator set P.

FIG. 5 shows the rules in the cooperator changing unit 42 with the permission / non-permission of the transition between modes depending on the current mode or the presence or absence of the authentication of the operator. FIG.
, “○” indicates an operation permitted by the cooperator changing unit 42, and “×” indicates an operation not permitted.

In FIG. 5, first, it can be seen that a transition can be made to the family mode at any time. In the family mode, since the collaborator set P and the user set M match,
Since the set of accessible data is minimized, the operation can be performed by the whole family.

Next, in the transition from the standby mode to the private mode, authentication of the individual is required. In the private mode, the data set accessible to the certifier is the largest, so it is necessary to prevent data that can be viewed only by the certifier from being viewed by other users. is there.

Further, authentication is not particularly required for operations in the direction in which the number of cooperators increases. This is because, as the number of cooperators increases, the data that can be viewed decreases, so that it is not necessary to take any measures to maintain the private information of the authenticator.

Further, for the operation in the direction in which the number of cooperators decreases, authentication for confirming that the authenticator exists in the remaining cooperator set is required. If the number of collaborators decreases, the range of data that can be browsed increases, so it is necessary to provide an opportunity for the certifier to determine whether the data can be browsed by a third party. .

The mode can be shifted to the standby mode at any time. In the standby mode, the cooperator set P is an empty set, and has no access authority to data. Therefore, it is possible to shift from any mode without any authentication.

As described above, according to the first embodiment, by distinguishing the concept of the cooperator and the certifier, private information is protected and a work environment that does not impair convenience in the cooperative work is provided. It can be realized.

(Second Embodiment) Next, an access restriction device according to a second embodiment of the present invention will be described with reference to the drawings. FIG. 6 is a configuration diagram of the access restriction device according to the second embodiment of the present invention. In FIG. 6, 61
Denotes a data creation unit for saving new data in the data saving unit.

As shown in FIG. 6, the access restriction device according to the second embodiment has a data creation unit 61 for saving new data in the data saving unit 31 in response to a user request. The unit 61 refers to the cooperator set P, creates an access control list for each user who is an element of the cooperator set P, and describes members who may participate even if they are not currently participating in the cooperator set P. The feature is that an access control list is also created. Therefore, the member who is not currently participating can access the same data at a later date.

For example, work performed only by siblings while keeping it secret from the mother (creating a birthday present for the mother, etc.)
In addition, even when a father is newly added, if the father is registered in the cooperator set P, it is possible to easily participate in the work.

As shown in FIG. 7, a means for designating data to be processed by the user is provided, and a new cooperator is added to the cooperator set P when selecting data to be operated. It is also possible to do. FIG. 7 shows a configuration diagram of the access restriction device in this case.

In FIG. 7, reference numeral 71 denotes a data display unit for displaying data permitted to be referred to on a screen or the like, and reference numeral 72 denotes a user who is not an element of the cooperator set P and selects a subset of the displayed data. The data selection units to be used are shown.

As shown in FIG. 7, the access permission determination unit 3
3, a data display unit 71 for presenting data permitted to be referred to, and a data selection unit for a user who is not an element of the cooperator set P to select a subset of the data set presented by the data display unit 71 as an operation target Before the user who is not an element of the cooperator set P selects data to be operated as an operation target in the data selection unit 72, the cooperator change unit 42 associates the user who is an element of the cooperator set P It can be added to the worker set P so that the data can be processed.

For example, the data selection unit 72 selects data that has been operated only by siblings until now, and only adds a father to the data in the cooperator change unit 42. And the new collaborative father, too.

More specifically, when there is a data reference request from the data display unit 71, the access permission determining unit 33 sets the cooperator set P stored in the cooperator registration unit 34.
Is compared with the permitted set of authorized persons Q defined in the access control list indicating the operation authority to the data, and the set of cooperators P is a subset of the set of permitted persons Q and the set of cooperators P Is permitted only when is not an empty set.

The data creation unit 61 refers to the cooperator set P and, for each user who is an element of the cooperator set P, an identifier indicating new data, an operation authority for the new data,
And an identifier of the user as a set is added to the access control list.

In the data selector 72, the cooperator set P
Before the user who is not an element of the set determines the data to be selected as the operation target, the user operates the cooperator change unit 42 to add the user who is not an element of the set of cooperators P to the set of cooperators P. Can be operated.

As described above, according to the second embodiment, a user who is to be a cooperator is registered as an element of the cooperator set P before the actual processing is performed, whereby It is possible to realize a work environment that does not impair convenience.

(Embodiment 3) Next, an access restriction device according to Embodiment 3 of the present invention will be described with reference to the drawings. FIG. 8 is an exemplary diagram of a key panel in the access restriction device according to the third embodiment of the present invention.

FIG. 8 shows an example of a panel in the case of five families, that is, a user set M = {brother, brother, father, mother, grandfather}. The user authentication unit 43 and the cooperator change unit 42 are shown. Is also used. Each member of the family inserts his / her key into the keyhole, thereby confirming that the user is who he / she is and adding the user to the authenticator set R.

Each keyhole is turned off (O
FF), on (ON), and family (FAMILY). By turning the keyhole to the designated position, an operation on the cooperator changing unit 42 is performed. A set of keyholes indicating the ON state corresponds to the cooperator set P.

The user can instantly switch among the standby mode, the private mode, and the family mode using his / her key.

First, when all the keyholes are in the OFF state, the cooperator set P is in the standby mode in which the set is empty, and the authenticator set R is also in the empty set.

One of the family members (the older brother in FIG. 8) inserts his / her key into his / her keyhole. Authentication is performed by inserting a physical key, and is stored as a set of certifiers R = {brother}. In this state, the cooperator set P is still an empty set.

Next, as shown in FIG. 10, when the elder brother turns the keyhole to the ON state, the mode transits to the elder brother's private mode. That is, the cooperator set P = {elder brother}. In this state, the older brother can perform private work such as reading e-mail addressed to himself, and when interrupting work by using a toilet or the like, rotate the key to transition to the standby mode or the family mode. This prevents the private information from being viewed by other members. However, you must not forget to remove the key in this case. This is because if the key is still inserted, the same operation as that performed by “the elder brother” by another member can be performed.

In the private mode, when the elder's keyhole is turned to the family state as shown in FIG. 11, the keyholes of the other members to which no physical keys are inserted rotate in conjunction with the on state. The older brother's keyhole automatically returns to the on state.
At this point, the cooperator set P matches the user set M, and the cooperator set P = {brother, brother, father, mother, grandfather}
It becomes possible to work in the family mode. In the family mode, only data that can be browsed by the whole family is displayed, and the authority to refer to and change the data created during the family mode is given to the whole family.

In the family mode, the elder brother who is an element of the authenticator set R can freely leave. That is,
By removing the key as shown in FIG. 13 and leaving, the authenticator set R becomes an empty set with the user set M = the cooperator set P = {brother, brother, father, mother, grandfather}. In this state, if another member inserts the key and turns it on, the member can become a new authenticator. For example, when the younger brother inserts the key as shown in FIG. 14, the authenticator set R = {younger brother}.

When the elder brother turns his keyhole off from the state shown in FIG. 13 as shown in FIG. 15, the keyholes of the other members are also turned off in conjunction with it, and the mode shifts to the standby mode.

In the third embodiment, the mode is changed by the physical key and the keyhole, and the authentication by the authenticator is realized. However, the present invention is not limited to this. May be used, or a fingerprint authentication or the like may be used.

For example, when using fingerprint authentication, a mouse device having a fingerprint authentication function (for example, an ID mouse manufactured by Siemens) is used as the representative authentication unit 43.

First, the fingerprint of the finger is compared with the fingerprint data registered in the fingerprint sensor on the upper part of the mouse device, and the identified user ID is registered in the authenticator registration unit 44. When the finger leaves the sensor, the data in the authenticator registration unit 44 returns to an empty set.

Also, one area of the display of the PC is used as the cooperator changing unit 42, and face photo icons and the like for the number of persons included in the user set M are always displayed. Can be changed.

FIG. 16 is a screen image diagram of the access restriction device according to the third embodiment when fingerprint authentication is used. On the same screen of the display, the data display section 7
1 and the cooperator changing unit 42 are displayed. Here, instead of a physical keyhole, an icon imitating the keyhole is displayed, and the on / off state is switched by clicking the mouse. The actual authentication is performed except that the fingerprint sensor on the top of the mouse device detects the user's fingerprint and matches it with the registered fingerprint data, so that only the icon of the user's own keyhole and the icon for the family can be clicked. The processing is the same as the above-described control using the key and the keyhole.

As described above, according to the third embodiment, the private information is clearly distinguished by utilizing the authentication technology such as the physical key and the fingerprint authentication to clearly distinguish the concept of the cooperator and the authenticator. And a work environment that does not impair the convenience of the collaborative work can be realized.

A recording medium storing a program for realizing the access restriction device according to the embodiment of the present invention is shown in FIG.
As shown in the example of the recording medium shown in FIG.
Not only a portable recording medium 172 such as 2-1 or a floppy disk 172-2, but also any other storage device 171 provided at the end of a communication line, or a recording medium 174 such as a hard disk or a RAM of a computer 173 may be used. When the program is executed, the program is loaded and executed on the main memory.

Also, as shown in the example of the recording medium shown in FIG. 17, the recording medium on which the access control list or the like generated by the access control device according to the embodiment of the present invention is recorded is a CD-ROM 172-1 or the like. Floppy disk 1
Not only a portable storage medium 172 such as 72-2, but also another storage device 171 provided at the end of a communication line, and a storage medium 174 such as a hard disk or a RAM of a computer 173.
And may be read by a computer when using the access restriction device according to the present invention, for example.

[0094]

As described above, according to the access restriction device of the present invention, by distinguishing the concept of the cooperator and the authenticator, protection of private information for the user can be achieved while cooperating. It is possible to realize a work environment that does not impair convenience.

[Brief description of the drawings]

FIG. 1 is an explanatory diagram of a user change when sharing a PC.

FIG. 2 is an explanatory diagram of a display state when a conventional user increases or decreases.

FIG. 3 is a principle configuration diagram of an access restriction device according to the first embodiment of the present invention;

FIG. 4 is a block diagram of an access restriction device according to the first embodiment of the present invention;

FIG. 5 is an explanatory diagram of transition between modes in the access restriction device according to the embodiment of the present invention;

FIG. 6 is a configuration diagram of an access restriction device according to a second embodiment of the present invention;

FIG. 7 is a configuration diagram of an access restriction device according to an embodiment of the present invention.

FIG. 8 is an exemplary diagram of a key panel in the access restriction device according to the third embodiment of the present invention.

FIG. 9 is a view showing an example of a key panel in the access restriction device according to the third embodiment of the present invention;

FIG. 10 is an exemplary diagram of a key panel in the access restriction device according to the third embodiment of the present invention.

FIG. 11 is an exemplary diagram of a key panel in the access restriction device according to the third embodiment of the present invention.

FIG. 12 is a view showing an example of a key panel in the access restriction device according to the third embodiment of the present invention;

FIG. 13 is an exemplary diagram of a key panel in the access restriction device according to the third embodiment of the present invention.

FIG. 14 is an exemplary diagram of a key panel in the access restriction device according to the third embodiment of the present invention.

FIG. 15 is an exemplary diagram of a key panel in the access restriction device according to the third embodiment of the present invention.

FIG. 16 is a screen image diagram when fingerprint authentication is adopted in the access restriction device according to the third embodiment of the present invention.

FIG. 17 is an exemplary diagram of a recording medium.

[Explanation of symbols]

31 data storage unit 32 access control list registration unit 33 access permission determination unit 34 collaborator registration unit 41 user registration unit 42 collaborator change unit 43 user authentication unit 44 authenticator registration unit 45 operation restriction unit 61 data creation unit 71 data Display unit 72 Data selection unit 171 Line destination storage device 172 Portable recording medium such as CD-ROM or floppy disk 172-1 CD-ROM 172-2 Floppy disk 173 Computer 174 Recording medium such as RAM / hard disk on computer

 ──────────────────────────────────────────────────続 き Continuing on the front page (72) Inventor Takahiro Kii 4-1-1, Kamiodanaka, Nakahara-ku, Kawasaki-shi, Kanagawa Prefecture Inside Fujitsu Limited (72) Inventor Kazuhiro Oishi 4-1-1, Kamiodanaka, Nakahara-ku, Kawasaki-shi, Kanagawa Prefecture No. 1 Fujitsu Limited F-term (reference) 5B082 EA11 GA11 5B085 AE02

Claims (8)

[Claims] An access restriction device including a data storage unit that stores data to be operated by a user, and an access permission determination unit that receives an operation request for the data and determines whether or not the operation is permitted. A user registration unit for registering a user set M, which is a set of user identifiers indicating a subject that can issue an operation request for data stored in the data storage unit; an identifier of the data; An access control list registration unit for registering an access control list including an operation authority and a user identifier indicating a user having the operation authority; and a collaborator registration unit capable of registering zero or one or more user identifiers. Further comprising: a cooperator set P indicating the entire user registered in the cooperator registration unit; The data set to be operated from the control list is compared with a set of authorized persons Q in which users having the operation authority are extracted, and the cooperator set P is a subset of the set of authorized persons Q, and the cooperator An access restriction device wherein an operation request is permitted only when the set P is not an empty set. 2. A data creating unit for creating new data to be saved in the data saving unit, wherein the data creating unit refers to a cooperator set P,
The access restriction device according to claim 1, wherein the access control list relating to the new data is added to each of the users who are members of the cooperator set P and registered in the access control list registration unit. 3. The access according to claim 1, further comprising a cooperator changing unit that performs a process of adding to the cooperator set P or a process of deleting from the cooperator set P for a user who is an element of the user set M. Limiting device. 4. When the number of elements of a user set M is two or more, a user authentication unit for authenticating a user, and an authentication which is a set of a user identifier of the user specified by the user authentication unit A certifier registration unit for registering the certifier set R, and an operation constraint unit for restricting addition processing or deletion processing that can be performed by the collaborator change unit based on the registered contents of the certifier set R. 3. The access restriction device according to 3. 5. The operation restricting unit allows the cooperator set P to be replaced with all elements of the user set M. In addition, when the cooperator set P is an empty set, Permitting a user who is an element of the certifier set R to be added to the cooperator set P, and prohibiting adding another user who is not an element of the certifier set R to the cooperator set P; On the other hand, when the cooperator set P is not an empty set, the user is allowed to add any element of the user set M that is not an element of the cooperator set P to the cooperator set P, and It is prohibited to delete a user who is an element of both the authenticator set R and the cooperator set P from the cooperator set P, and is not an element of the authenticator set R but an element of the cooperator set P Deleting some other user from the set of collaborators P 5. The access restriction device according to claim 4, wherein permission is granted and deletion of all elements from the cooperator set P is permitted. 6. A data display unit for presenting the data permitted to be referenced by the access permission determination unit, and data for allowing a user to select a subset of a data set presented by the data display unit as an operation target Further including a selection unit, at the time when the data is selected in the data selection unit, so that a user added to the cooperator set P by an additional process for the cooperator change unit can process the data, 5. The access restriction device according to claim 4, wherein authority is added to the access control list. 7. An access restriction method comprising: a step of storing data to be operated by a user; and a step of accepting an operation request for the data and determining whether or not the operation is permitted. Registering a user set M, which is a set of user identifiers representing a subject that can issue an operation request for the data, and an identifier of the data, an operation authority for the data, and a user having the operation authority. Registering an access control list comprising a user identifier indicating the user identifier, and a step of registering zero or one or more of the user identifiers. The data set to be operated from the access control list is compared with a set of authorized persons Q in which users having the operation authority are extracted, and the set of cooperators P is compared. How access restriction, characterized in that a subset of the authorized person set Q, and the collaborators set P to allow only operation request if it is not the empty set. 8. A computer storing a program for causing a computer to execute the steps of: storing data to be operated by a user; and accepting an operation request for the data and determining whether or not the operation is permitted. Registering a user set M, which is a set of user identifiers representing a subject that can issue an operation request for the stored data, the readable recording medium; and an identifier for the data, and an operation for the data. Registering an access control list composed of an authority and a user identifier indicating a user having the operation authority; and registering zero or one or more of the user identifiers. From the access control list to the data to be operated Is compared with a set of authorized persons Q that has extracted the user having the operation authority, and the operation is performed only when the set of cooperators P is a subset of the set of authorized persons Q and the set of cooperators P is not an empty set. A computer-readable recording medium recording a program to be executed by a computer for realizing an access restriction method characterized by permitting a request.