JP2002278937A - Management server system for multiple job systems connected to intranetwork - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce a load that a plurality of business systems individually develop user authentication functions. SOLUTION: An authentication data base(DB) 12 stores a first retrieval table showing the corresponding relation of identification information on an operator authority person and the business system which the operator authority person can access. A picture display part 111 causes a client terminal 20 to browse a selected picture with which the operator authority person selects the business system. A management part 113 decides whether access to the business system is permitted to the operator authority person or not by referring to authentication DB based on the business system selected on the selected picture and inputted identification information of the operator authority person. When it is permitted, the user can access a software resource 30 and a hardware resource 40, which can be used in the business system, by referring to authentication DB.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a management system for a plurality of business systems connected to an intranet in a company, and more particularly to hardware resources and software necessary for executing business using each business system. ·wear·
The present invention relates to a management server system for authenticating a user who can access a resource.

[0002]

2. Description of the Related Art Trust banks perform a wide variety of business operations, including, for example, "creation of domestic standing certificate", "management of receivables and payables", "issue of invoice", " Purchase note management, "Bond futures options,""Bond over-the-counter options," etc. are included. These operations are performed by an operator or the like who has an access right to the business system, that is, an access authority, using a business system connected to an intranet in the trust bank.

In a conventional business system connected to such an intranet, a user authentication function is individually developed for each of a plurality of business systems in order to authenticate an access authorized person. However, such individual development of the user authentication function requires a large development burden. In addition, EUC (end-user computing) is progressing, and the number of cases where software required for business systems is purchased from outside is increasing. There are many that do not have. Therefore, every time new software is purchased, it is necessary to add a user authentication function, but the development burden for that function increases.

[0004] The present invention has been made in view of the above-described problems of the conventional example, and has as its object to make it possible for a plurality of business systems to use a common security function, that is, a user authentication function. It is an object of the present invention to provide a management server system that can reduce the burden of developing the user authentication function by the business system.

[0005]

To achieve the above object, the present invention provides a management server system for managing a plurality of business systems connected to an intranet, the management server system corresponding to each of the plurality of business systems. Storage means for storing a first search table indicating a correspondence relationship between identification information set in relation to an operator authorized person provided and a business system accessible to the operator authorized person; Screen presenting means for browsing a selection screen for selecting a business system by the user to a client terminal via an intranet, the selection screen having an input field for an operator authorized person to input identification information, The business system selected on the selection screen browsed on the client terminal and the input in the input field Based on the identification information of the operator authorized person, by referring to the first search table, determine whether to permit the operator authorized person to access the selected business system, based on the determination result And a management means for permitting or denying access to the selected business system.

[0006] In one embodiment of the management server system of the present invention described above, the management server system further comprises first changing means for changing the contents of the first search table, and the storage means further comprises the first changing table. A second search table indicating the correspondence between the identification information of the high-level authority who can access the means and the business system in the first search table changeable by the high-level authority; The presenting means is further configured to browse a screen provided with an input field for inputting identification information of a high-level authority capable of activating the first changing means on the client terminal, and the managing means includes: Further, based on the identification information of the high-level authority inputted on the screen browsed by the client terminal, the high-level authority is referred to by referring to the second search table. So as to allow modification of the content only about modifiable business system in the first lookup table is configured to control the first change means. As a result, the operator authority can be changed.
It is also possible to change the contents of the second search table to change the high-level authority.

Further, in another embodiment of the management server system of the present invention, a plurality of hardware resources stored so as to be usable in each business system are set as one type of hardware resource. In this case, the plurality of hardware resources are assigned an available priority, so that even if one hardware resource becomes unavailable due to a failure or the like, the next priority is assigned. Hardware resources are available. Add, delete,
The priority change can be performed only by a super authority. Furthermore, in another embodiment of the management server system of the present invention, the authority management list indicating the authority status of the operator authorized person stored in the first search table is further identified by valid identification of the high-level authorized person. There is provided a means for displaying or printing out on the client terminal only when information is input. As a result, the high-level authority can obtain the access authority status of the operator authority to the business system.

[0008]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS FIG. 1 shows a client-server system having a management server system 10 according to the present invention as a server.
The figure shows a network, in which 20 is a client terminal, 30 is a hardware resource, 40 is a software resource, and 50 is an intranet.
In FIG. 1, only one of these is typically shown, but it goes without saying that each of them is plural. The hardware resource 30 is a logic circuit, a printer, a facsimile machine, and the like, and the software resource 40 is a program and data for executing each task. Each of the hardware resources 30 and the software resources 40 may be shared and used by a plurality of business systems, or may be uniquely used for a specific business system. That is, in the present invention, each task is performed on the intranet 50.
The hardware resource 30 and the software resource 40 are executed commonly or uniquely for each business by being executed by the business system constructed as the above distributed system.

Here, "super authority", "high-level authority", and "operator authority" employed in the management server system of the present invention will be briefly described. The “super authority” is an authority common to all business systems, and the “high-level authority” and the “operator authority” are authorities authorized on a business system basis.

"Super authority" having super authority
Is an administrator who can directly manage the management server system. The authority of the super authority is as follows. -Addition, deletion, freeze, and unfreeze of high-level authority-Addition, deletion, freeze, and unfreeze of operator authority-Addition and deletion of business-Available hardware resources and software
Addition / deletion of resources These rights are executed by the super-authorized person based on the request items described in the “user movement-related request form” notified by the operation manager of each business system. The addition and deletion of the operator authority may be performed by a high-level authority as described below.

The "high-level authority" having the "high-level authority" is appointed by the operation manager of each business system, and can add, delete, freeze, and unfreeze the "operator authority". To make these changes, enter the ID and password of the high-level authority in the ID input field and the password (PW) input field provided on the "startup of business system" screen schematically shown in FIG. The above "1.
Select "Authority Management". As a result, a “change operator authorized person” screen schematically shown in FIG. 3 is displayed. On this screen, for example, an “add” button is selected, and on the screen displayed as a result, the operator authorized person is displayed. By inputting the name, ID and password of the user, an operator authorized person can be added.

An “operator authorized person” having “operator authority” manages his / her own password and executes the authorized business system. On the “Activate business system” screen shown in FIG. 2, for example, “23. Reissue bill” is selected, and the user's ID and password are input. When the entered ID and password are authenticated,
The operator authorized person can access the hardware resources 30 and the software resources 40 necessary for the business system for issuing a bill again, and can execute the business. The client terminal 20 is a PC terminal for a super authorized person, a high-level authorized person, and an operator authorized person, and browses images from the management server system. Note that the PC terminal for the super authorized person may be arranged in the management server system 10.

As shown in FIG. 1, the management server system 10 includes a server 11, an authentication database (DB) 12,
And an operation history database 13. The authentication database 12 stores first and second search tables. The first search table is a comparison table that defines the correspondence between identification information set in relation to an operator authorized person provided for each of a plurality of business systems and a business system accessible by the operator authorized person. It is a table. The operator identification information is, as described above,
It is formed by an ID and a password. The first search table contains hardware resources and software resources that can be used by each business system.
It is stored corresponding to the business system. At this time, one or more hardware resources are stored corresponding to each business system for each type of hardware resource. It is preferable that a plurality of hardware resources be set to one type in consideration of the occurrence of a failure and the use of hardware resources, and in this case, these hardware resources have a priority indicating the order of use. Has been added. Each business system is identified by a business ID, and hardware resources and software resources are also identified by their respective IDs.

On the other hand, the second search table is for specifying a high-level authority who can change the contents of the first search table. Therefore, the high-level authority can change the operator who can execute the specific business system. The second search table stores the correspondence between the identification information of the high-level authority and the business system in the first search table that can be changed by the high-level authority. The identification information of the high-level authority is also composed of an ID and a password.

The authentication database 12 further stores identification information (ID and password) relating to the super authorized person. The super authorized person can add and delete the hardware resources 30 stored in the first search table corresponding to each business system by inputting his / her identification information from the client terminal 20. The priority given to the hardware resource can be changed. It is also possible to change the contents of the second search table, thereby changing the high-level authority. It should be noted that the super authorized person can access the first and second search tables not through the client terminal 20 but through appropriate input means (not shown) in the management server system 10. In this case, It is not necessary to enter the identification information of the super authority. The authentication database 12 also stores change histories of the first and second search tables.

The operation history database 13 stores a history of operation of the business system performed by the operator authorized person using the client terminal 20. The history is accessible only to authorized operator and high-level authorities. The server 11, as shown in FIG.
11, a data changing unit 112 for changing data such as a search table in the authentication database 12, and a management unit 1
13 is provided.

The screen presenting unit 111 is a client terminal 2
A screen that is browsed to 0 is created and presented, and the screen includes the “Activate Business System” screen and the “Change Operator Authorized Person” screen described with reference to FIGS. 2 and 3. Along with the "Change High Level Authority" screen,
An “Access Authority Management List” screen is included.
The “change high-level authority” screen is similar to the “change operator authority” screen shown in FIG. 3, while the “access authority management list” screen is shown in FIG. As described above, ID registration date and time, person in charge ID and name, password validity period, valid and remaining days, comments, administrator I
D and name are included. The “access authority management list” may be displayed on the client terminal 20 or may be output as a hard copy from a printer instead of being displayed.

The data changing unit 112 includes a screen presenting unit 111
On the "Change Operator Authority" screen and the "Change High-Level Authority" screen, valid high-level authority and super-author have attempted to change the data in the first and second search tables. It has a function to execute the change in the case. The determination unit 1 determines whether the user is a valid change authority.
13 is determined. That is, the management unit 113
The second search table stored in the database 12 and the super-authorized person based on the identification information entered in the identification information input fields on the "change of operator authorized person" screen and the "change of high-level authorized person" screen Refer to the identification information of
It is determined whether or not the user is a valid authority. The result of the determination is notified to the data change unit 112, whereby the data change unit 112 allows only the authorized person to execute the screen presentation unit 11.
1, the first and second search tables in the authentication database 12 can be updated.

However, as described above, only the super-authorized person can change the hardware resources and software resources available in each business system stored in the first search table. The management unit 113 also inputs the business system selected on the “startup of business system” screen (FIG. 2) browsed on the client terminal 20 and identification information (ID and password) input fields on the screen. Based on the identification information of the operator, it is determined whether or not the operator is a valid operator authority of the selected business system by referring to the first search table. Then, access to the selected business system, that is, access to the hardware resources 30 and the software resources 40 preset to be used in the business system, is permitted only to the authorized operator authority. .

The management unit 113 further detects when the accessed hardware resource 30 cannot be used due to the occurrence of a failure or the use thereof while the operator authority is executing a business, and detects the hardware resource 30 and performs a first search. Referring to the table, the connection is automatically switched so that the next-priority hardware resource can be used by the operator authority. The history of access to the business system performed by the operator authorized person using the client terminal 20 is stored as electronic data in the operation history database 13 in the management server system 10. The business results stored in the operation history database 13 can also be accessed only by authorized operators and high-level authorities.

When the high-level authority requests presentation of the access authority list illustrated in FIG. 4 on the client terminal 20 and inputs the ID and the password, the Determine whether the password is a valid high-level authority. If it is valid, the screen presenting unit 111 causes the client terminal to display an authority management list indicating the authority status of the operator authorized person stored in the first search table. As described above, the data may be output from the printer. As a result, the high-level authority can obtain the access authority status of the operator authority to the business system.

[0022]

Since the present invention is configured as described above, the user authentication for each business system is collectively performed on the management server system side, so that each hardware resource and each software resource are In addition, there is no need to authenticate the user. In addition, since the results of the business performed using the business system are collectively backed up as electronic data on the management server system side, it is not necessary to individually back up electronic data such as votes created for the business at the client terminal. Furthermore, since hardware resources and software resources are centrally managed,
If hardware such as C and the printer cannot be used due to a failure or the like, it is possible to quickly switch to another hardware.

[Brief description of the drawings]

FIG. 1 is a schematic diagram for explaining a configuration of a management server system according to the present invention.

FIG. 2 is a schematic diagram of a “business system activation” screen presented to a client terminal by the management server system according to the present invention.

FIG. 3 is a schematic diagram of an “change operator authorized person” screen presented to the client terminal by the management server system according to the present invention.

FIG. 4 is a schematic diagram of an “access right management list” screen presented to the client terminal by the management server system according to the present invention.

Claims (6)

[Claims] 1. A management server system for managing a plurality of business systems connected to an intranet, comprising: identification information set in association with an operator authorized person provided for each of the plurality of business systems; Storage means for storing a first search table indicating a correspondence relationship with a business system accessible to an operator authorized person, and a selection screen for the operator authorized person to select a business system, comprising: Screen presenting means for browsing a selection screen provided with an input field for a user to enter identification information to a client terminal via an intranet, a business system selected on the selection screen browsed to the client terminal, Based on the identification information of the operator authority entered in the input field, the first search table See, determine whether to allow access to the business system chosen for the operator authorized person,
A management server system comprising: management means for permitting or denying access to a selected business system based on the determination result. 2. The management server system according to claim 1, wherein said management server system further comprises first changing means for changing the contents of said first search table, and said storage means further comprises: And a second search table indicating the correspondence between the identification information of the high-level authority who can access the change means and the business system in the first search table that can be changed by the high-level authority. The screen presenting means is further configured to browse a screen provided with an input field for inputting identification information of a high-level authority capable of activating the first changing means on the client terminal, The means further refers to the second search table based on the identification information of the high-level authority input on the screen browsed by the client terminal, and A management server system configured to control a first change unit so that an authorized person can change the content of only a business system that can be changed in a first search table. 3. The management server system according to claim 2, wherein the management server system further includes a second change unit for changing the contents of the second search table, and the storage unit further includes a second change unit. The identification information of the super authorized person who can access the changing means of the supermarket is stored, and the screen presenting means further comprises an input field for inputting the identification information of the super authorized person who can activate the second changing means. The management means is further configured to browse the screen provided with the super terminal by referring to the storage means based on the identification information of the super authority entered on the screen browsed by the client terminal. A tube configured to control the second changing means so that an authorized person can change the contents of the second search table. Server system. 4. The management server system according to claim 1, wherein the first search table stored in the storage means includes software resources and hardware resources available in each business system. Is stored in correspondence with the business system, and one or more hardware resources stored in correspondence with each business system are set for each type of hardware resource. A management server system characterized in that when a plurality of hardware resources are set, available priorities are assigned to the plurality of hardware resources. 5. The management server system according to claim 4, wherein the super authorized person can add and delete hardware resources stored in the first search table in correspondence with each business system. A management server system capable of changing a priority assigned to a hardware resource. 6. The method according to claim 2, claim 3, claim 2 or claim 3, claim 4 or claim 4 or claim 3.
6. The management server system according to claim 5, further comprising: an authority management list indicating the authority status of the operator authority stored in the first search table. A means for displaying or printing out on a client terminal only when valid identification information is input.