JP2007094493A - Access control system and method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an access control system and method capable of dynamically changing access rights. <P>SOLUTION: In the access control system having a slave access controller 12 for controlling access from a computer 16 to the network resources of a file server 13 and a master access controller 11 that either permits or rejects access of the slave access controller 12, the slave access controller 12 notifies, if there is access from the predetermined computer 16 to a preset, predetermined network resource, the master slave controller 11 thereof, and permits the access if the authorization is notified by the master access controller 11, the master access controller 11 implements a permission process for checking to see if the access will be permitted or rejected, and if the result of the process indicates that the access has been authorized, the master access controller 12 informs the slave access controller 11 about this authorization. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an access control system and an access control method comprising: an access control slave unit that controls access from a client computer to a network resource managed by a server computer; and an access control master unit that grants access permission to the access control slave unit About.

  Due to recent developments in communication technology, multiple devices such as computers and printers are connected so that they can communicate with each other via wireless or wired transmission paths, and are managed by folders (directories), files managed by server computers, and printer servers. Network resources such as printers can be shared. Such network resources are usually not uniformly accessible to all client computers, but access rights are set for each network resource according to the contents of the network resources, and can be accessed according to the client computer. Network resources and inaccessible network resources. For example, in the case of Windows (registered trademark) share level security, a password character string is preset and stored for each network resource to be disclosed to the network, and only the client computer that has entered the correct password can use the network resource. It is like that.

On the other hand, when the network is communicably connected to an external network, a device called a firewall that controls access from the external network is arranged at the boundary between the network and the external network for the purpose of ensuring security. In this firewall, packets from an external network can pass through the firewall only when the IP address and / or port number is an IP address and / or port number that is preset and stored in the firewall. (For example, Non-Patent Document 1).
Published by Toshiya Kaneshiro, “The secret of TCP / UDP port number reverse lookup 380”, Hidekazu System, published on December 23, 2003

  By the way, depending on the contents of the network resource and the client computer, it is usually set to an inaccessible state (a state without access right), and the client computer may be allowed to access the network resource whenever necessary. . Since the access right setting and the firewall setting described above are fixed, there is an inconvenience that such a case cannot be dealt with.

  The present invention has been made in view of the above circumstances, and an object thereof is to provide an access control system and an access control method capable of dynamically changing an access right.

  As a result of various studies, the present inventor has found that the above object is achieved by the present invention described below. That is, according to one aspect of the present invention, an access that is arranged to be communicable between a server computer that manages a shared network resource and a client computer of the server computer and that controls access from the client computer to the network resource. An access control system comprising: a control slave unit; and an access control master unit that is communicable with the access control slave unit and gives the access control slave unit whether the access is permitted or not, wherein the access control slave unit is a predetermined client The access is notified to the access control master when there is an access to a predetermined network resource set in advance from the computer, and the access is notified when the access control master is notified of the access to the notification. Admit the access control The access control unit executes permission / rejection processing for checking permission / inhibition of access when there is a notification of access from the access control slave unit, and approves access for the notification when the result of the permission / refusal processing is access approval. The access control slave unit is notified.

  And in the above-mentioned access control system, the following aspects are preferable. First, in the above-described access control system, the access control system further includes an approver network terminal used by an approver having the authority to determine whether to permit access to the notification, and a network camera corresponding to the predetermined client computer. As the permission / refusal processing, the control master unit recognizes that the predetermined client computer has accessed the predetermined network resource and that the image relating to the user who uses the predetermined client computer captured by the network camera is approved. One of the approval and disapproval of the input when the access approval or disapproval is input from the input unit of the approver network terminal. One side of the network for the approver Received from the terminal, characterized in that accepting the received as a result of the admission process.

  The access control system may further include an approver network terminal used by an approver having an authority to determine whether to permit access to the notification. The presentation unit of the approver network terminal indicates that the client computer has accessed the predetermined network resource, and either one of approval or disapproval of the access is input from the input unit of the approver network terminal. If the access is accepted, either the approval or disapproval of the inputted access is received from the network terminal for the approver, and the reception is accepted as a result of the permission / rejection process.

  The access control system further includes an approver network terminal used by an approver having an authority to determine whether to permit access to the notification, and the access control master unit performs the predetermined processing as the predetermined processing. The presentation unit of the network terminal for the approver is made to present the telephone number of the telephone related to the user who uses the predetermined client computer that the client computer has accessed the predetermined network resource, and the network for the approver When either one of access approval or disapproval is input from the input unit of the terminal, the access approval or disapproval is input from the approver network terminal, and the reception is received It is characterized in that it is accepted as a result of permission / denial processing.

  The access control system further includes an approver network terminal used by an approver having an authority to determine whether or not to permit access to the notification, and the access control master unit receives the predetermined client computer from the predetermined client computer. The permission / refusal information indicating whether or not to approve the access to the network resource is received from the approver network terminal, further stored in the storage unit, and the permission / refusal processing is executed based on the permission / rejection information.

  Further, in these access control systems described above, the access control master unit includes a permission / rejection processing unit that executes permission / rejection processing for checking permission / inhibition of access when the access control slave device receives the access notification, and the permission / rejection unit. And a notification processing unit for notifying the access control slave device of access approval for the notification when the result of the processing is access approval.

  Further, in these access control systems described above, the access control master unit includes a log information storage unit that stores a log related to the access notification and a log related to the approval of access to the notification, and the access control slave unit Log processing unit that stores a log in the log information storage unit when there is an access notification, and stores a log in the log information storage unit when an access approval for the notification is notified to the access control slave unit And further comprising.

  In these access control systems, the access control slave stores in advance first identification information for identifying the predetermined client computer and second identification information for identifying the predetermined network resource. From the predetermined client computer to the predetermined network resource based on the first identification information and the second identification information stored in advance in the information storage unit from among the information storage unit and the communication signal received from the client computer When the access to the predetermined network resource is detected from the predetermined client computer, the access is notified to the access control master unit, and the access to the notification is approved. The access is granted when notified by Characterized in that it comprises a that access processing unit.

  In these access control systems, the access control slave unit further includes a communication signal collection processing unit that notifies the access control master unit of the access when the client computer accesses the server computer. The access control master unit includes a presentation unit for presenting information, an input unit for inputting information, a support information storage unit for storing information related to the notification of access, and the communication signal of the access control slave unit When there is an access notification from the collection processing unit, the support information storage unit stores information related to the access notification, and first identification information for identifying the predetermined client computer and the predetermined network When the second identification information for identifying the resource is input from the input unit, the support information And further comprising a support processor for presenting the first identification information and the second identification information to the presentation unit on the basis of the information recorded in the 憶部.

  In another aspect of the present invention, communication is arranged between a server computer that manages a shared network resource and a client computer of the server computer, and access to the network resource from the client computer is controlled. In the access control method of an access control system, comprising: an access control slave device that communicates with the access control slave device, and an access control master device that gives the access control slave device permission of access to the access control slave device. A step of notifying the access control master device of the access when the device has accessed a predetermined network resource set in advance from a predetermined client computer, and the access control master device from the access control slave device to the access control master device There was access notification A step of executing permission / refusal processing for checking permission / inhibition of access, and when the result of the permission / refusal processing is approval of access, the access control parent device notifies the access control slave device of access approval for the notification. And a step of allowing the access control slave device to grant the access when the access control master device is notified of the approval of access to the notification.

  In the access control system and the access control method configured as described above, when a predetermined client computer accesses a predetermined network resource of the server computer, the access control slave unit notifies the access control master unit of the access. Since the access is granted when the access approval is obtained from the access control master unit, the access is normally permitted even when accessing the network resource of the server computer from the client computer to which the access is denied. The right can be changed.

Embodiments according to the present invention will be described below with reference to the drawings. In addition, the structure which attached | subjected the same code | symbol in each figure shows that it is the same structure, The description is abbreviate | omitted.
(Configuration of the embodiment)
FIG. 1 is a diagram illustrating a configuration of a network according to the embodiment. FIG. 2 is a block diagram illustrating a configuration of the access control slave device according to the embodiment. FIG. 3 is a block diagram illustrating a configuration of the access control master according to the embodiment. FIG. 4 is a diagram illustrating a configuration of the approver master information table according to the embodiment. FIG. 5 is a diagram illustrating a configuration of an active approver information table according to the embodiment. FIG. 6 is a diagram showing the configuration of the log information table. FIG. 7 is a diagram illustrating a configuration of a computer used by an approver. FIG. 8 is a diagram showing the configuration of the user confirmation information table.

  In FIG. 1, a network 1 includes an access control master device 11, an access control slave device 12, a file server (FS) 13, computers 14 and 16, a confirmation device 15, and a DHCP (Dynamic Host Configuration Protocol) server 17. A DNS (Domain Name System) server 18 and a PDC (Primary Domain Controller) server 19, these access control master unit 11, access control slave unit 12, computers 14 and 16, confirmation device 15, DHCP server 17, The DNS server 18 and the PDC server 19 are connected to each other via a wired or wireless transmission path 20 so that they can communicate with each other. The access control slave unit 12 and the file server 13 are connected to each other via a wired or wireless transmission path 21 so that they can communicate with each other. Is done. These access control master unit 11 and access control slave unit 12 constitute an access control system.

  The DHCP server 17 manages information necessary for connecting to the network 1 such as an IP address, so that the client computer for the DHCP server 17 such as the computers 14 and 16 can dynamically change the IP address when connecting to the network 1. Is a server computer that allocates necessary information such as and collects an IP address at the end.

  The DNS server 18 manages a database describing the correspondence between the host name and the IP address, and searches for the IP address from the host name in response to a request from the client computer to the DNS server 18 such as the computers 14 and 16. The server computer returns the search result to the client computer.

  The PDC server 19 is a server computer that manages information regarding users and security of the network 1 and performs user authentication.

  The file server 13 is a server computer that manages files and provides use of files to the computer 16 in response to a request from the computer 16. File usage includes services such as file browsing, file download (transmission) to the computer 16, file upload (reception) from the computer 16, and file rewriting, depending on the operation of the network 1. One or more services are appropriately selected.

  The computer 16 is a client computer for the file server 13 that receives the use of the file from the file server 13 and can be used by a user who wants to use the file in the file server 13. One or more computers 16 are connected to the transmission line 20, and in the example shown in FIG. 1, the computer (PCA) 16-A used by the user A and the computer (PCB) used by the user B are used. 16-B is shown.

  Here, in this specification, when referring generically, it shows with the reference symbol which abbreviate | omitted the suffix, and when referring to an individual structure, it shows with the reference symbol which attached the suffix.

  The confirmation device 15 is a device for the approver to confirm whether or not the user requesting approval for the use of the file is the user, and is provided in correspondence with the user. In the example shown in FIG. 1, a confirmation device A15-A is provided corresponding to the user A, and a confirmation device B15-B is provided corresponding to the user B. In this embodiment, for example, the confirmation device 15 includes a network camera (PC camera) including an imaging unit that captures an image of a subject and a web server unit that manages and distributes the image of the subject captured by the imaging unit via the network 1. The image (still image or moving image) captured by the network camera is displayed on the computer 14 used by the approver, for example, by a web browser.

  For example, a web camera including an imaging unit that captures an image of a subject and a communication interface unit for communicating with the computer 16 is prepared. The communication interface unit for communicating with the web camera and an object captured by the web camera are prepared. A network camera may be configured by the web camera and the computer 16 by providing the computer 16 with a web server unit that manages images and distributes them via the network 1.

  The access control slave unit 12 detects the access of the computer 16 to the file server 13, and notifies the access control master unit 11 of this access when the detected access is a predetermined type of access. It is a device that controls access to the file server 13 of the computer 16 by passing and blocking the notification according to the access approval and disapproval instructions notified from the access control master unit 11. As shown in FIG. 2, for example, the access control slave device 12 includes an arithmetic processing unit 201, a storage unit 202, a first communication interface unit 203, and a second communication interface unit 204.

  The first communication interface unit 203 is an interface circuit that is connected to the transmission line 20 and transmits / receives communication signals to / from the computer 16 and the access control master unit 11 via the transmission line 20. Based on the data from 201, a communication signal according to the communication protocol of the transmission line 20 is created, and the communication signal from the transmission line 20 is converted into data in a format that can be processed by the arithmetic processing unit 201. The second communication interface unit 204 is an interface circuit that is connected to the transmission line 21 and transmits / receives communication signals to / from the file server 13 via the transmission line 21, and is based on data from the arithmetic processing unit 201. Thus, a communication signal according to the communication protocol of the transmission path 21 is created, and the communication signal from the transmission path 21 is converted into data in a format that can be processed by the arithmetic processing unit 201. For example, TCP / IP (Transmission Control Protocol / Internet Protocol) is used as the communication protocol.

  The storage unit 202 functionally includes a MAC information storage unit 221 that stores MAC information, an IP address information storage unit 222 that stores IP address information, a port number information storage unit 223 that stores port number information, and a command Access including a command information storage unit 224 for storing information and a parameter information storage unit 225 for storing parameter information, and detecting a communication signal from the computer 16 to the file server 13 and controlling passage and blocking of the communication signal Various programs such as a control program, and various data such as data necessary for executing the various programs and data generated during the execution are stored. The storage unit 202 includes, for example, a volatile storage element such as a RAM (Random Access Memory) serving as a so-called working memory of the arithmetic processing unit 201, a nonvolatile storage element such as a ROM (Read Only Memory), MAC information, Equipped with an EEPROM (Electrically Erasable Programmable Read Only Memory) that is a rewritable non-volatile memory device that has sufficient capacity to store rewritable data such as IP address information and port number information. Configured.

  The MAC information is a communication signal that is transmitted from the computer 16 to the file server 13 via the access control slave unit 12 and that needs to be permitted by the access control master unit 11 when passing through the access control slave unit 12. This is information representing a MAC address (Media Access Control Address). In the present embodiment, the MAC address is directly stored in the MAC information storage unit 221 as the MAC information.

  The IP address information is a communication signal transmitted from the computer 16 to the file server 13 via the access control slave unit 12 and requires a permission of the access control master unit 11 when passing through the access control slave unit 12. Is an IP address (Internet Protocol Address). In the present embodiment, the IP address is directly stored in the IP address information storage unit 222 as the IP address information.

  The port number information is a communication signal that is transmitted from the computer 16 to the file server 13 via the access control slave unit 12 and needs to be permitted by the access control master unit 11 when passing through the access control slave unit 12. This is information indicating the port number. In the present embodiment, the port number is directly stored in the port number information storage unit 223 as the port number information. The port number information is set according to the file sharing protocol used in the network 1. For example, when SMB (Server Message Block) is used as the file sharing protocol as in the present embodiment, “137” and “138” are used. And “139”, for example, CIFS (Common Internet File System) is used as a file sharing protocol, and “139” and “445” in the case of NetBIOS over TCP / IP, and for example, CIFS as a file sharing protocol In the case of Direct Hosting of SMB using (Common Internet File System), it is “445”.

  The command information is a communication signal transmitted from the computer 16 to the file server 13 via the access control slave unit 12, and a communication signal that requires permission of the access control master unit 11 when passing through the access control slave unit 12 Information representing a command. In this embodiment, the SMB command is stored as it is in the command information storage unit 224 as command information. Of the SMB commands, what commands are handled as command information is appropriately set by the operation of the network 1. For example, among SMB commands, commands related to folder and file operations such as folder creation (SMB_COM_CREATE_DIRECTORY), folder deletion (SMB_COM_DELETE_DIRECTORY), file open (SMB_COM_OPEN), and file rename (SMB_COM_RENEME) are used as command information. The

  The parameter information is a communication signal that is transmitted from the computer 16 to the file server 13 via the access control slave unit 12 and that needs to be permitted by the access control master unit 11 when passing through the access control slave unit 12. This is information representing a parameter. In this embodiment, since SMB is used, the parameter in the SMB command is directly stored in the parameter information storage unit 225 as parameter information. Of the parameters in the SMB command, what parameters are treated as parameter information is appropriately set according to the operation of the network 1. In the present embodiment, the parameter information is, for example, a folder name or a file name that requires the approval of the approver when the user of the computer 16 accesses.

  The arithmetic processing unit 201 includes, for example, a microprocessor and its peripheral circuits, detects access to the file server 13 of the computer 16, and the detected access is a predetermined type of access. This access is notified to the access control master unit 11, and in response to the notification, the access control master unit 11 passes and blocks the access according to the access approval and disapproval instructions, and the storage unit 202, The first and second communication interface units 203 and 204 are controlled according to the function. The arithmetic processing unit 201 detects the access of the computer 16 to the file server 13, and when the detected access is a predetermined type of access, notifies the access control master 11 of this access, In order to pass and block the access according to the access approval / disapproval instructions notified from the access control master unit 11, functionally, the pass blocking processing unit 211, the MAC comparison unit 212, and the IP address comparison unit 213, a port number comparison unit 214, a command comparison unit 215, a parameter comparison unit 216, and a timer unit 217.

  When the passage blocking processing unit 211 receives a communication signal from the first communication interface unit 203, the passage blocking processing unit 211 temporarily stores the received communication signal in the storage unit 202, and a position indicating the storage position of the communication signal in the storage unit 202 Information is notified to the MAC comparator 212. The passage blocking processing unit 211 instructs the communication signal to pass from any one of the MAC comparison unit 212, the IP address comparison unit 213, the port number comparison unit 214, the command comparison unit 215, the parameter comparison unit 216, and the timer unit 217. When the notification (passage instruction notification) is received, the received communication signal is passed (transferred to the file server 13) and a copy of the passed communication signal is recorded in the first communication interface unit 203 to record a log. To the access control master unit 11 via Then, when the passage blocking processing unit 211 receives a notification (approval request notification) from the timer unit 217 that approval of passage by the approver is necessary, the communication signal that inquires whether or not passage is permitted in the received communication signal. (Passage inquiry signal) is transmitted to the access control master unit 11 using the first communication interface unit 203, and the access control master unit 11 receives the approval and non-approval instructions received via the first communication interface unit 203. Pass and block.

  When the location information related to the received communication signal is notified from the passage blocking processing unit 211, the MAC comparison unit 212 identifies and transmits the communication signal stored in the storage unit 202 based on the notified location information. The original MAC address is extracted, the extracted MAC address of the transmission source is compared with the MAC information stored in the MAC information storage unit 221, and the passage instruction notification to the passage blocking processing unit 211 is compared according to the comparison result. Any one of the notification and the notification of the position information related to the communication signal to the IP address comparison unit 213 is performed.

  When the location information related to the received communication signal is notified from the MAC comparison unit 212, the IP address comparison unit 213 identifies and transmits the communication signal stored in the storage unit 202 based on the notified location information. The original IP address is extracted, the extracted IP address of the transmission source is compared with the IP address information stored in the IP address information storage unit 222, and the passage instruction to the passage blocking processing unit 211 is determined according to the comparison result. Any one of notification and notification of position information related to the communication signal to the port number comparison unit 214 is performed.

  When the location information related to the received communication signal is notified from the IP address comparison unit 213, the port number comparison unit 214 identifies the communication signal stored in the storage unit 202 based on the notified location information. The port number of the transmission destination is extracted, the port number of the transmission destination thus extracted is compared with the port number information stored in the port number information storage unit 223, and the passage to the passage blocking processing unit 211 is performed according to the comparison result. One of notification of instruction notification and notification of position information related to the communication signal to the command comparison unit 215 is performed.

  When the position information related to the received communication signal is notified from the port number comparison unit 214, the command comparison unit 215 identifies the communication signal stored in the storage unit 202 based on the notified position information, and performs SMB , And the command information stored in the command information storage unit 224 is compared. According to the result of the comparison, the notification of passage instruction notification to the passage blocking processing unit 211 and parameter comparison are compared. One of the notifications of the position information related to the communication signal to the unit 216 is performed.

  When the position information related to the received communication signal is notified from the command comparison unit 215, the parameter comparison unit 216 specifies the communication signal stored in the storage unit 202 based on the notified position information, and performs the SMB. The command parameter is extracted, the parameter of the command in the extracted SMB is compared with the parameter information stored in the parameter information storage unit 225, and the notification of the passage instruction notification to the passage blocking processing unit 211 is performed according to the comparison result. And notification of the position information related to the communication signal to the timer unit 217 is performed.

  The timer unit 217 counts a predetermined time from the time when the permission notification is received for each communication signal that is permitted to pass through the access control base unit 11. When the position information related to the received communication signal is notified from the parameter comparison unit 216, the timer unit 217 identifies the communication signal based on the notified position information, and measures the time corresponding to the communication signal. Is notified, a passage instruction notification is notified to the passage blocking processing unit 211, and when the time corresponding to the notified communication signal is not performed, an approval request for the notified communication signal is issued. The notification is notified to the passage blocking processing unit 211. For example, the timer unit 217 identifies the communication signal stored in the storage unit 202 based on the notified position information, and the source MAC address and / or the source IP address and the parameter in the SMB command When an individual timer that counts a predetermined time is generated in correspondence with the set of information, and the position information related to the received communication signal is notified from the parameter comparison unit 216, this is based on the notified position information. The communication signal is specified, the source MAC address and / or the source IP address and the parameter in the SMB command are extracted, and the source MAC address and / or the source IP address and the SMB command are extracted. By searching for the timer corresponding to the set of parameters, the time corresponding to this communication signal is measured. It determines whether or not to notify a passing instruction notification or approval request notification to the passage interrupting processor 211 according to the result of judgment.

  Here, the first identification information for identifying the client computer of the claim corresponds to an example of the MAC address of the transmission source and / or the IP address of the transmission source, and for identifying the network resource of the claim The second identification information corresponds to an example of a parameter in the SMB command. The information storage unit of the claims includes the MAC information storage unit 221, the IP address information storage unit 222, the port number information storage unit 223, and command information. The storage unit 224 and the parameter information storage unit 225 correspond to an example thereof, and the access processing unit of the claims includes the passage blocking processing unit 211, the MAC comparison unit 212, the IP address comparison unit 213, the port number comparison unit 214, the command comparison The unit 215, the parameter comparison unit 216, and the timer unit 217 correspond to examples thereof.

  Returning to FIG. 1, when the access control master unit 11 receives the passage inquiry signal from the access control slave unit 12, the access control parent unit 11 executes permission / rejection processing for checking whether or not the communication signal related to the passage inquiry signal is allowed to pass. Is a device that executes a process of returning the message to the access control slave unit 12. In this embodiment, when the access control master unit 11 receives the passage inquiry signal from the access control slave unit 12, the access control master unit 11 uses the computer 14 used by the approver who has the authority to determine whether or not to allow the communication signal related to the passage inquiry signal to pass. By transmitting a communication signal (approval request signal) for requesting approval of passage of the communication signal and receiving a reply to the approval request signal, the communication signal related to the passage inquiry signal is checked for permission to pass. It returns to the access control slave unit 12. For example, as shown in FIG. 3, the access control master device 11 includes an arithmetic processing unit 101, a storage unit 102, a communication interface unit 103, an input unit 104, and an output unit 105.

  The communication interface unit 103 is an interface circuit that is connected to the transmission line 20 and transmits / receives communication signals to / from the access control slave unit 12 and the computer 14 via the transmission line 20. Based on the data, a communication signal in accordance with the communication protocol of the transmission path 20 is created, and the communication signal from the transmission path 20 is converted into data in a format that can be processed by the arithmetic processing unit 101.

  The storage unit 102 functionally includes an environment information storage unit 121 that stores environment information, an approver master information storage unit 122 that stores approver master information, and an active approver information storage unit that stores active approver information. 123 and a log information storage unit 124 for storing log information, and a permission / refusal processing program for checking whether or not a communication signal related to the passage inquiry signal is allowed to pass according to the passage inquiry signal from the access control slave unit 12 And various data such as data necessary for execution of the various programs and data generated during the execution. The storage unit 102 includes, for example, a volatile storage element such as a RAM serving as a so-called working memory of the arithmetic processing unit 101, a non-volatile storage element such as a ROM, environmental information, approver master information, active approver information, and Consists of an EEPROM that is a rewritable non-volatile storage element, a hard disk that is a relatively large capacity storage device, etc. according to a sufficient capacity to store data that may be rewritten such as log information Is done.

  The environment information is information necessary for communication on the network 1 such as the IP address and work group name of the DHCP server 17, the DNS server 18, and the PDC server.

  The approver master information is information of an approver who has the authority to approve the user's access to the folders and files of the file server 13 from the computer 16, and is user information for identifying the user and the access target. Network resource information for specifying a folder or file and approver information for specifying an approver having the authority to approve the access of the user are configured. In this embodiment, the approver master information is stored in the approver master information storage unit 122 in a table format, and the approver master information table 130 for registering the approver master information is, for example, as shown in FIG. An access device information field 131 for registering an access device identifier that is an identifier for identifying and identifying a computer used by a user, a network resource information field 132 for registering network resource information, and a computer used by an approver are identified and identified. An approval device for registering an approval device information subfield 1331 for registering an approval device identifier, which is an identifier to be used, and information indicating whether or not the approver can execute approval using the computer (approval device state information) An approval information field 133 composed of a status subfield 1332 Is configured to include a field, a record is created in accordance with the set of the access device identifier and network resource information. The approval information field 133 includes an approval device information subfield 1331 and an approval device status from the viewpoint of allowing access from a plurality of approvers by obtaining approval from a plurality of approvers for a set of one access device identifier and network resource information. A plurality of sets with the subfield 1332 are provided.

  The access device identifier is used as user information, and may be an arbitrary code string (including one code) as long as the computer 16 can be identified and identified. Since it is not necessary to newly incorporate an access device identifier in the signal, an existing MAC address, IP address, or the like is preferable, and an IP address is used in this embodiment. In the present embodiment, the network resource information uses a folder name (directory name) or a file name. The approval device identifier is used as the approver information, and may be an arbitrary code string (including one code) as long as the computer 14 can be identified and identified. An address or the like is suitable, and an IP address is used in this embodiment. In this embodiment, the approval apparatus status information is a code (for example, “active” or “attended”) indicating that the approver can execute the approval using the computer, and the approver. Is indicated by a symbol (for example, “sleep”, “absent”, etc.) indicating that the computer is not in a situation where the approval can be executed.

  The active approver information is approved at that time in the approver master information in order to cope with the case where the approver cannot be executed because the approver cannot use the computer 14 due to reasons such as absence or absence. It is the information of the approver who is in a situation where can be executed. In this embodiment, the active approver information is stored in the active approver information storage unit 123 in a table format, and the active approver information table 140 for registering the active approver information is, for example, as shown in FIG. An access device information field 141 for registering an access device identifier, a network resource information field 142 for registering network resource information, and an approval device information field 143 for registering an approval device identifier are configured to include an access device identifier and A record is created according to a combination with network resource information. The approval device information field 143 includes a number of subfields corresponding to the number of the approval device information subfield 1331 (or the approval device status subfield 1332) of the approver master information table 130.

  The log information is information relating to the recording that the computer 16 has accessed the file server 13. In this embodiment, the log information includes access time information indicating the time when the computer 14 accesses the file server 13, user information for identifying the user, approver information for identifying the approver, and the network to be accessed. Network resource information indicating resources, and access contents indicating access contents. In this embodiment, the log information is stored in the log information storage unit 124 in a table format, and the log information table 150 for registering log information is, for example, an access time for registering access time information as shown in FIG. An information field 151, an access device information field 152 for registering an access device identifier, an approval device information field 153 for registering an approval device identifier, a network resource information field 154 for registering network resource information, and an access content for registering access content Each field of the field 155 is configured, and a record is created for each access.

  In this embodiment, for example, the computer 16 requests the file server 13 to access the network resource (in this case, “access request” is registered in the access content field 155), for example. For example, the computer 16 has actually accessed the network resource of the file server 13 (in this case, for example, “access execution” is registered in the access content field 155). Instead of “execution of access”, a file usage form (for example, “browse”, “download”, “upload”, “rewrite”, etc.) may be used.

  By providing each of these fields, the log information table 150 shows who made an access request to what network resource at what time (record (A) in FIG. 6) and who approved the access request ( The record (B) in FIG. 6 and who accessed what network resource at what time (record (C) in FIG. 6) are recorded.

  The arithmetic processing unit 101 is configured to include, for example, a microprocessor and its peripheral circuits, and when receiving a passage inquiry signal from the access control slave unit 12, performs permission / rejection processing for checking passage permission / inhibition in a communication signal related to the passage inquiry signal. And execute a process of returning the result of the permission / refusal process to the access control slave unit 12, and the MAC information, IP address information, port number information, command information, and parameter information of the access control slave unit 12 from the input unit 104 Is input to the access control slave unit 12 using the communication interface unit 103, and the storage unit 102, the communication interface unit 103, the input unit 104, and the output unit 105 according to the function according to the control program. Control each. When receiving the passage inquiry signal from the access control slave unit 12, the arithmetic processing unit 101 determines whether or not the communication signal related to the passage inquiry signal is allowed to pass, and executes a process of returning the judgment result to the access control slave unit 12. Therefore, functionally, the initial setting processing unit 111, the approval request processing unit 112, the approval process trigger unit 113, the approval process processing unit 114, the approval request response processing unit 115, and the active approver processing unit 118 When the MAC information, IP address information, port number information, command information, and parameter information of the access control slave unit 12 are input from the input unit 104, the access control slave unit 12 uses the communication interface unit 103 to input the information. Functionally, an initial setting processing unit 111 is provided, and the computer 16 To log on Luo file server 13, functionally, and a calendar 116 and a log processing unit (logger) 117.

  When the environment information is input from the input unit 104, the initial setting processing unit 111 stores the environment information in the environment information storage unit 121 of the storage unit 102. When the approver master information is input from the input unit 104, the initial setting processing unit 111 Approver master information is stored in the approver master information storage unit 122 of the storage unit 102, and when an approval device state change request is received from the computer 14, the approval device state is changed and a trigger for starting the active approver processing unit 118 is activated. When the approver processing unit 118 is notified, and the MAC information, IP address information, port number information, command information, and parameter information of the access control slave unit 12 are input from the input unit 104, the communication interface unit 103 is used. Processing for registering these pieces of information in the access control slave unit 12 is executed.

  The approval request processing unit 112 detects the passage inquiry signal from the communication signals received by the communication interface unit 103. When the passage inquiry signal is detected, the approval request processing unit 112 temporarily stores the passage inquiry signal in a file called a queue, and sequentially passes the passage inquiry signal. The approval process trigger unit 113 is notified of the detection. Upon receiving notification from the approval request processing unit 112 that a passage inquiry signal has been detected, the approval process trigger unit 113 activates the approval process. The approval process processing unit 114 determines whether or not the communication signal related to the passage inquiry signal is allowed to pass, and notifies the approval request response processing unit 115 of the determination result. The approval request response processing unit 115 temporarily stores the determination result in the queue, and sequentially executes a process of returning the determination result to the access control slave unit 12. When the active approver processing unit 118 receives the activation trigger from the initial setting processing unit 111, the active approver processing unit 118 generates active approver information based on the approver master information stored in the approver master information storage unit 122. The active approver information is stored in the active approver information storage unit 123 and updated.

  The calendar unit 116 counts the year / month / day / hour / minute / second, and when receiving a time inquiry from the log processing unit 117, notifies the log processing unit 117 of the current year / month / day / hour / minute / second. The log processing unit 117 inquires the calendar unit 116 about the current time and stores the log information in the log information storage unit 124.

  The input unit 104 inputs various commands such as an operation start command and various data such as approver master information to the access control master unit 11, as well as MAC information, IP address information, and port number information of the access control slave unit 12. A device for inputting command information and parameter information, such as a keyboard and a mouse. The output unit 105 is a device that outputs commands, data, and the like input from the input unit 104, and is, for example, a display device such as a CRT display, LCD, organic EL display, or plasma display, or a printing device such as a printer.

  Here, the communication unit of the claim corresponds to the approval request processing unit 112, the approval process trigger unit 113, and the approval process processing unit 114 as the permission request processing unit of the claim, and the notification processing unit of the claim The approval request response processing unit 115 corresponds to an example.

  The computer 14 can be used by an approver, and accepts information indicating whether or not to approve use by the user from the approver in response to a request from the access control master device 11, and uses the received information as the access control master device 11. It is a network terminal that notifies One or a plurality of computers 14 are connected to the transmission line 20. In the example shown in FIG. 1, the computer (PCX) 14 -X used by the approver X and the computer (PCY) used by the approver Y are used. 14-Y is shown.

  For example, as illustrated in FIG. 7, the computer 14 includes an arithmetic processing unit 401, a storage unit 402, a communication interface unit 403, an input unit 404, and an output unit 405.

  The communication interface unit 403 is an interface circuit that is connected to the transmission line 20 and transmits / receives communication signals to / from the access control master unit 11 and the confirmation device 15 via the transmission line 20. A communication signal according to the communication protocol of the transmission line 20 is created based on the data from the transmission line 20, and the communication signal from the transmission line 20 is converted into data in a format that can be processed by the arithmetic processing unit 401.

  The storage unit 402 functionally includes a user confirmation information storage unit 421 that stores user confirmation information, and includes various programs and various data such as data necessary for execution of the various programs and data generated during the execution. Remember. The storage unit 402, for example, a volatile storage element such as a RAM serving as a so-called working memory of the arithmetic processing unit 401, a nonvolatile storage element such as a ROM, and data that may be rewritten such as user information. An EEPROM, which is a rewritable non-volatile storage element, and a hard disk, which is a relatively large-capacity storage device, corresponding to a sufficient capacity for storage are provided.

  The user confirmation information is information for confirming whether the user who is requesting approval is the user himself / herself. In this embodiment, for example, the user name of the user and the user name Identifier identifying and identifying the access device identifier (IP address in this embodiment) of the computer 16 used by the user and the confirmation device 15 for confirming whether the user of the user name is the user himself / herself (Confirming device identifier). The confirmation device identifier may be an arbitrary code string (including one code) as long as the confirmation device 15 can be identified and identified. However, in this embodiment, since the confirmation device 15 is a network camera, an IP address is used. . In this embodiment, the user confirmation information is stored in the user confirmation information storage unit 421 in a table format. The user confirmation information table 160 for registering user confirmation information is, for example, as shown in FIG. Each of an access device information field 161 for registering an access device identifier of the computer 16, a user name field 162 for registering a user name, and a confirmation device information field 163 for registering a confirmation device identifier (IP address of the confirmation device 15). A field is configured, and a record is created for each IP address of the computer 16.

  The arithmetic processing unit 401 includes, for example, a microprocessor and its peripheral circuits, and functionally includes a Push reception service unit 411 that activates the web browser unit 412 when receiving an approval request signal from the access control master unit 11. A web browser unit 412 that displays a later-described approval request page on the output unit 405 in order to confirm a user and approve or disapprove, according to a control program, a storage unit 402, a communication interface unit 403, an input unit 404, and The output unit 405 is controlled according to the function.

  The input unit 404 is a device that inputs various commands and various data to the computer 14, and is, for example, a keyboard or a mouse. The output unit 405 is a device that outputs a command, data, or the like input from the input unit 404. For example, the output unit 405 is a display device such as a CRT display, LCD, organic EL display, or plasma display, or a printing device such as a printer.

Next, the operation of this embodiment will be described.
(Operation of the embodiment)
First, before operating the access control master unit 11 and the access control slave unit 12, a user such as a system administrator inputs the environment information and the approver master information using the input unit 104 of the access control master unit 11. . When each of the environmental information and the approver master information is input, the initial setting processing unit 111 of the arithmetic processing unit 101 stores the environmental information and the approver master information in the environment information storage unit 121 of the storage unit 102 and the approver. Each is stored in the master information storage unit 122.

  Then, the user inputs the MAC information, IP address information, port number information, command information, and parameter information of the access control slave unit 12 using the input unit 104 of the access control master unit 11. When these pieces of information such as MAC information, IP address information, port number information, command information, and parameter information are input, the initial setting processing unit 111 of the arithmetic processing unit 101 performs the MAC information, IP address information, port number information, A communication signal (setting information signal) containing each information of command information and parameter information and an instruction for registering each information in the storage unit 202 is created, and this setting information signal is transmitted to the access controller using the communication interface unit 103. To the machine 12. When the first communication interface unit 203 receives this setting information signal via the transmission line 20, the arithmetic processing unit 201 of the access control slave unit 12 receives the MAC information, IP address information, port number information, command information, and parameter information. The information is stored in the MAC information storage unit 221, the IP address information storage unit 222, the port number information storage unit 223, the command information storage unit 224, and the parameter information storage unit 225 of the storage unit 202, respectively. As described above, the MAC information, IP address information, port number information, command information, and parameter information of the access control slave unit 12 are stored in the storage unit 202 via the access control master unit 11. The input unit and the output unit are not necessarily provided, and the cost can be reduced and the size can be reduced.

  When such information is stored in the access control master unit 11 and the access control slave unit 12, the operation of the access control master unit 11 and the access control slave unit 12 is started.

  When the approver is in a situation where the approval can be executed using the computer 14, the approver transmits a communication signal (approvable notification signal) containing information indicating that the approval is possible to the access control master unit 11. When the initial setting processing unit 111 in the arithmetic processing unit 101 of the access control master device 11 receives this approval possible notification signal, the initial setting processing unit 111 extracts the IP address of the approval possible notification signal and uses the extracted IP address as the approval device in the approval information field 133. The record to be registered in the information subfield 1331 is searched, and “active” is registered in the approval device state subfield 1332 in the searched record in this embodiment. Then, the initial setting processing unit 111 notifies the active approver processing unit 118 of a trigger for starting the active approver processing unit 118. When this notification is accepted, active approver information is generated based on the approver master information stored in the approver master information storage unit 122, and the generated active approver information is stored in the active approver information storage unit 123. To do.

  On the other hand, if the approver becomes unable to execute approval using the computer 14, the approver transmits a communication signal (approval impossible notification signal) containing information indicating that the approval is impossible to the access control master unit 11. When the initial setting processing unit 111 in the arithmetic processing unit 101 of the access control base unit 11 receives this approval disapproval notification signal, the initial setting processing unit 111 extracts the IP address of the approval disapproval notification signal. The record to be registered in the information subfield 1331 is searched, and “sleep” is registered in the approval device state subfield 1332 in the searched record in this embodiment. Then, the initial setting processing unit 111 notifies the active approver processing unit 118 of a trigger for starting the active approver processing unit 118. When this notification is accepted, active approver information is generated based on the approver master information stored in the approver master information storage unit 122, and the generated active approver information is stored in the active approver information storage unit 123. To do.

  Since the initial setting processing unit 111 and the active approver processing unit 118 operate as described above, the active approver information storage unit 123 in the active approver information storage unit 123 is activated substantially in real time depending on whether the approver can execute the approval. Approver information can be updated.

  FIG. 9 is a diagram illustrating a sequence for explaining operations of the user computer, the confirmation device, the approver computer, the access control master, the access control slave, and the file server. 10 and 11 are flowcharts showing the operation of the access control slave unit. FIG. 12 is a flowchart showing the operation of the access control master unit.

  In FIG. 9, the user's computer 16 transmits an access request to the file server 13 in order to use the network resource of the file server 13, for example, a file (C11). The access request communication signal is received by the access control slave unit 12 via the transmission line 20.

  When the communication signal is received, in FIG. 10 and FIG. 11, the passage blocking processing unit 211 in the arithmetic processing unit 201 of the access control slave unit 12 temporarily stores the received communication signal in the storage unit 202. The MAC comparison unit 212 is notified of position information indicating the storage position of the communication signal in the storage unit 202 in 202 (S11).

  Next, the arithmetic processing unit 201 of the access control slave unit 12 determines whether or not the communication signal has a MAC address that should be approved for passage (S12). As a result of the determination, if it is determined that the communication signal has a MAC address that should be approved for passage (Yes), the arithmetic processing unit 201 of the access control slave unit 12 executes the process S13. As a result, when it is determined that the communication signal does not have a MAC address that should be approved for passage (No), the arithmetic processing unit 201 of the access control slave unit 12 executes the process S23.

  More specifically, in this embodiment, when receiving the notification of the position information related to the received communication signal, the MAC comparison unit 212 in the arithmetic processing unit 201 of the access control slave unit 12 adds the received position information to the received position information. Based on the communication signal stored in the storage unit 202 based on the MAC address of the transmission source in the communication signal is extracted, the extracted MAC address is compared with the MAC information stored in the MAC information storage unit 221; It is determined whether there is MAC information that matches the extracted MAC address in the MAC information. If there is matching MAC information as a result of this determination, the MAC comparison unit 212 determines that the received communication signal is a communication signal having a MAC address that should be approved for passage, and the IP address comparison unit 213. Is notified of the position information related to this communication signal. On the other hand, as a result of this determination, if there is no matching MAC information, the MAC comparison unit 212 determines that the received communication signal is not a communication signal having a MAC address that should be approved for passage, and the communication signal The passage blocking processing unit 211 is notified of the passage instruction and the position information related to the communication signal (passage instruction notification).

  In process S23, the arithmetic processing unit 201 of the access control slave unit 12 transfers the communication signal to the file server 13 using the second communication interface unit 204, and passes the communication signal. More specifically, when the passage instruction notification is received, the passage blocking processing unit 211 extracts the communication signal stored in the storage unit 202 based on the position information related to the communication signal, and uses the communication signal as the second communication. The data is transferred to the file server 13 using the interface unit 204.

  In step S13, the arithmetic processing unit 201 of the access control slave unit 12 determines whether or not the communication signal has an IP address that should be approved for passage. As a result of the determination, if it is determined that the communication signal has an IP address that should be approved for passage (Yes), the arithmetic processing unit 201 of the access control slave unit 12 executes the process S14, while this determination is made. As a result, if it is determined that the communication signal does not have an IP address that should be approved for passage (No), the arithmetic processing unit 201 of the access control slave unit 12 executes the process S23.

  More specifically, in the present embodiment, upon receiving the notification of the position information related to the received communication signal, the IP address comparison unit 213 in the arithmetic processing unit 201 of the access control slave unit 12 receives the position information that has received this notification. The communication signal stored in the storage unit 202 is identified based on the IP address, the source IP address in the communication signal is extracted, and the extracted IP address and the IP address information stored in the IP address information storage unit 222 are obtained. The IP address information is compared to determine whether there is IP address information that matches the extracted IP address. If there is matching IP address information as a result of this determination, the IP address comparison unit 213 determines that the received communication signal is a communication signal having an IP address that should be approved for passage, and compares the port number. The position information related to this communication signal is notified to the unit 214. On the other hand, if there is no matching IP address information as a result of this determination, the IP address comparison unit 213 determines that the received communication signal is not a communication signal having an IP address that should be approved for passage and passes. The passage processing unit 211 is notified of a passage instruction notification.

  In process S14, the arithmetic processing unit 201 of the access control slave unit 12 determines whether or not the communication signal has a port number that should be approved for passage. As a result of the determination, if it is determined that the communication signal has a port number that should be approved for passage (Yes), the arithmetic processing unit 201 of the access control slave unit 12 executes step S15, while this determination is made. As a result, if it is determined that the communication signal does not have a port number that should be approved for passage (No), the arithmetic processing unit 201 of the access control slave unit 12 executes step S23.

  More specifically, in the present embodiment, upon receiving the notification of the position information related to the received communication signal, the port number comparison unit 214 in the arithmetic processing unit 201 of the access control slave unit 12 receives the position information that has received this notification. The communication signal stored in the storage unit 202 is specified based on the port number, the port number of the transmission destination in the communication signal is extracted, and the port number information stored in the port number information storage unit 223 is extracted. A comparison is made to determine whether there is port number information that matches the extracted port number in the port number information. If there is matching port number information as a result of this determination, the port number comparison unit 214 determines that the received communication signal is a communication signal having a port number that should be approved for passage, and a command comparison unit. 215 is notified of the position information related to this communication signal. On the other hand, if there is no matching port number information as a result of this determination, the port number comparison unit 214 determines that the received communication signal is not a communication signal having a port number that should be approved for passage, and passes through. The passage processing unit 211 is notified of a passage instruction notification.

  In process S15, the arithmetic processing unit 201 of the access control slave unit 12 determines whether or not the communication signal has an SMB command that should be approved for passage. As a result of the determination, if it is determined that the communication signal has an SMB command that should be approved for passage (Yes), the arithmetic processing unit 201 of the access control slave unit 12 executes the process S16. As a result of the determination, if it is determined that the communication signal does not have an SMB command that should be approved for passage (No), the arithmetic processing unit 201 of the access control slave unit 12 executes step S23.

  More specifically, in the present embodiment, when receiving the notification of the position information related to the received communication signal, the command comparison unit 215 in the arithmetic processing unit 201 of the access control slave device 12 includes the received position information. Based on the communication signal stored in the storage unit 202 based on this, the SMB command in the communication signal is extracted, and the extracted SMB command is compared with the command information stored in the command information storage unit 224. It is determined whether or not there is command information that matches the extracted SMB command in the information. If there is matching command information as a result of this determination, the command comparison unit 215 determines that the received communication signal is a communication signal having an SMB command that should be approved for passage, and the parameter comparison unit 216. Is notified of the position information related to the communication signal. On the other hand, if there is no matching command information as a result of this determination, the command comparison unit 215 determines that the received communication signal is not a communication signal having an SMB command to be approved for passage, and blocks passage. The processing unit 211 is notified of the passage instruction notification.

  In process S16, the arithmetic processing unit 201 of the access control slave unit 12 determines whether or not the communication signal has a parameter in the SMB command to be approved for passage. As a result of the determination, if it is determined that the communication signal has a parameter in the SMB command to be approved for passage (Yes), the arithmetic processing unit 201 of the access control slave unit 12 executes the process S17, As a result of this determination, if it is determined that the communication signal is not a communication signal having a parameter in the SMB command that should be approved for passage (No), the arithmetic processing unit 201 of the access control slave unit 12 executes step S23. .

  More specifically, in the present embodiment, when receiving the notification of the position information related to the received communication signal, the parameter comparison unit 216 in the arithmetic processing unit 201 of the access control slave unit 12 includes the received position information. The communication signal stored in the storage unit 202 is identified based on the parameter in the SMB command in the communication signal, and the extracted parameter is compared with the parameter information stored in the parameter information storage unit 225. It is determined whether there is parameter information that matches the parameter in the extracted SMB command in the information. If there is matching parameter information as a result of this determination, the parameter comparison unit 216 determines that the received communication signal is a communication signal having a parameter in an SMB command that should be approved for passage, and the timer unit The position information related to this communication signal is notified to 217. On the other hand, if there is no matching parameter information as a result of this determination, the parameter comparison unit 216 determines that the received communication signal is not a communication signal having a parameter in an SMB command to be approved for passage, A passage instruction notification is sent to the passage blocking processing unit 211.

  In process S17, the arithmetic processing unit 201 of the access control slave unit 12 determines whether or not it is within a predetermined time after receiving the approval of passage. As a result of the determination, if the predetermined time has been exceeded (No), the arithmetic processing unit 201 of the access control slave unit 12 executes the process S18, while if the result of this determination is within the predetermined time In (Yes), the arithmetic processing unit 201 of the access control slave unit 12 executes the process S23.

  More specifically, in the present embodiment, upon receiving the notification of the position information related to the received communication signal, the timer unit 217 specifies the communication signal based on the notified position information, and uses this communication signal. It is determined whether or not the corresponding timer is timing. As a result of this determination, if it is not timed, the timer unit 217 determines that the predetermined time has been exceeded, and notifies the passage blocking processing unit 211 of an approval request notification for the communication signal specified by this position information. To do. On the other hand, if it is determined that the time is being measured, the timer unit 217 determines that it is within a predetermined time, and notifies the passage blocking processing unit 211 of a passage instruction notification. As a result, the computer 16 can access the file server 13 within a predetermined time after obtaining approval by the approver without obtaining approval from the approver, and saves the approval work of the approver. It is not necessary to wait every time until the user obtains approval, and the stress on the user is alleviated. The predetermined time is appropriately set according to the user's business content, the network resource content, and the like, and is set to, for example, 5 minutes, 10 minutes, 30 minutes, 60 minutes, or the like.

  In process S18 (C12 in FIG. 9), the arithmetic processing unit 201 of the access control slave unit 12 transmits a pass inquiry signal for this communication signal to the access control master unit 11 using the first communication interface unit 203. More specifically, upon receiving the notification of the approval request notification, the passage blocking processing unit 211 in the arithmetic processing unit 201 of the access control slave unit 12 creates a passage inquiry signal and sends the passage inquiry signal to the first communication interface unit 203. To the access control master unit 11. This passage inquiry signal identifies and identifies the IP address of the transmission source extracted from the communication signal related to the approval request notification by the passage blocking processing unit 211 and the parameter in the SMB command, the passage inquiry, and the passage inquiry signal. An identifier (passage inquiry signal identifier) is stored. For example, a random number having a predetermined number of digits is used as the passage inquiry signal identifier.

  As described above, the access control slave unit 12 stores the MAC information based on the source MAC address and the source IP address contained in the communication signal from among the communication signals to be accessed from the computer 16 to the file server 13. The communication signal from the computer 16 set in advance is extracted by referring to the MAC information of the unit 221 and the IP address information of the IP address information storage unit 222, and further, the transmission destination stored in the communication signal is extracted. By referring to the port number, the SMB command, and the parameter in the SMB command, the port number information in the port number information storage unit 223, the command information in the command information storage unit 224, and the parameter information in the parameter information storage unit 225, respectively. Access to preset network resources It can be extracted communication signal. For this reason, the access control slave unit 12 can automatically detect access to the file server 13 from the computer 16 that needs the approval of the approver, and when such access is detected, the access control slave unit 12 12 can inquire the access control master unit 11 of whether or not the received communication signal is allowed to pass.

  On the other hand, when the communication interface unit 103 receives the communication signal, the access control base unit 11 uses the approval request processing unit 112 of the arithmetic processing unit 101 to determine whether the communication signal is a passage inquiry signal. If the communication signal is not a passage inquiry signal as a result of the determination, the approval request processing unit 112 notifies the process trigger unit (not shown) corresponding to the communication signal that the communication signal has been received and the communication signal. On the other hand, if the communication signal is a passage inquiry signal as a result of the determination, the approval request processing unit 112 indicates that the passage inquiry signal has been received and the passage inquiry signal. The approval process trigger unit 113 is notified.

  Upon receipt of this notification, the approval process trigger unit 113 receives necessary information such as the IP address of the transmission source, the parameter in the SMB command, and the passage inquiry signal identifier from the communication signal related to the passage inquiry contained in the passage inquiry signal. Take out. Then, the approval process trigger unit 113 activates the approval process processing unit 114 and notifies the approval process processing unit 114 of the extracted information.

  Upon being notified and notified of each information, the approval process processing unit 114 operates as follows in order to obtain an approval to access the file server 13 through the access control slave unit 12 for the communication signal related to the passage inquiry. To do.

  That is, in FIG. 9 and FIG. 12, the approval process processing unit 114 in the arithmetic processing unit 101 of the access control master unit 11 first has an authority to approve the passage of the communication signal related to the pass inquiry from the active approvers. The person is identified (S31).

  More specifically, the approval process processing unit 114 displays the IP address and SMB command parameters that have been notified of the access device information field in the active approver information table 140 stored in the active approver information storage unit 123. 141 and the network resource information 142 are searched for records to be registered, and approval device information is extracted from the approval device information subfield 143 in the searched records. The extracted approval device information is an approval device identifier of the computer 14 used by an approver having the authority to approve passage of the communication signal related to the passage inquiry.

  By using the active approver information in the active approver information storage unit 123 in this way, it is possible to determine whether access is actually permitted when a predetermined computer 16 accesses a predetermined network resource of the file server 13. Approvers can be extracted and identified.

  Next, the approval process processing unit 114 determines whether or not the identified active approver exists (S32).

  If there is no active approver as a result of the determination in the process S32 (No), the approval process processing unit 114 does not approve the passage, that is, receives the notification from the approval process trigger unit 113 and the approval process trigger unit 113. The passage inquiry signal identifier is notified to the approval request response processing unit 115 (S36). By operating in this way, when there is no approver who can actually judge whether or not access is permitted when a predetermined computer 16 accesses a predetermined network resource of the file server 13, the file is transferred from the computer 16. Access to the predetermined network resource of the server 13 is prohibited, and the network resource can be protected.

  On the other hand, if the result of determination in step S32 is that there is an active approver (Yes), the approval process processor 114 determines whether approval has been obtained from all the specified approvers ( S33).

  If approval is obtained from all the approvers as a result of the determination in step S33 (Yes), the approval process processing unit 114 approves the passage and the passage inquiry received from the approval process trigger unit 113. The signal identifier is notified to the approval request response processing unit 115 (S37), and the process ends. By operating in this manner, when a predetermined computer 16 accesses a predetermined network resource of the file server 13, the approval of all the approvers who can actually determine whether access is permitted or not is obtained. Access from the computer 16 to a predetermined network resource of the file server 13 is permitted. For this reason, the network resource can be appropriately protected, and even the computer 16 (user) who is not normally authorized to access the network resource is permitted to use the network resource and the access right is dynamically changed. Can be changed.

  On the other hand, as a result of the determination in step S33, if approval has not been obtained from all the approvers (No), the approval process processing unit 114 performs an approval request process to obtain approval from the active approver. Perform (S34).

  More specifically, the approval process processing unit 114 uses the computer 14 used by the approver who requests approval using the approval device identifier as the destination (transmission destination), and the IP address of the transmission source in the communication signal related to the passage inquiry Then, a communication signal (approval request signal) accommodating the parameter and approval request in the SMB command is created and transmitted to the computer 14 used by the approver requesting approval using the communication interface unit 103 (C13).

  When this approval request signal is received, the computer 14 displays the name of the user who requests approval, the network resource for which access is requested, and information from the confirmation device 15 corresponding to the user who requests approval. More specifically, when receiving the approval request signal, the Push reception service unit 411 of the arithmetic processing unit 401 activates the web browser unit 412 of the arithmetic processing unit 401 and displays, for example, an approval request page shown in FIG. . FIG. 13 is a diagram showing the configuration of the approval request page.

  In FIG. 13, an approval request page 501 includes a message display area 511 for displaying a message for prompting the approver to approve or disapproval, such as “There was an approval request. Please approve or disapprove.” A user name display area 512 for displaying the name of a user who is requesting approval for recognizing a user who is requesting approval, and a network resource which is requesting approval is recognized by the approver. The network resource display area 513 for displaying the network resource for which approval is requested, and information from the confirmation device 15 for allowing the approver to authenticate whether or not the user requesting approval is the user himself / herself. A confirmation device information display area 514 to be displayed, a check box 515 for approval when the use of the network resource by the user is approved, Transmission for transmitting one of the approval signal and the disapproval signal to the access control master 11 in response to the check of the check boxes 515 and 516 when the use of the network resource by the user is not approved. And a button 517.

  When the web browser unit 412 displays the approval request page 501, the user stored in the user confirmation information storage unit 421 based on the IP address (access device identifier) accommodated in the received approval request signal. By referring to the confirmation information table 160, the user name is obtained from this IP address, and the user name is displayed in the user name display area 512. When displaying the approval request page 501, the web browser unit 412 displays network resources in the network resource display area 513 based on the parameters in the SMB command contained in the received approval request signal. The web browser unit 412 stores the approval request page 501 in the user confirmation information storage unit 421 based on the IP address (access device identifier) accommodated in the received approval request signal. By referring to the user confirmation information table 160, the confirmation device information is extracted from the IP address, the confirmation device 15 is accessed based on the retrieved confirmation device information, information is acquired from the confirmation device 15, and the acquired The information is displayed in the confirmation device information display area 514. In this embodiment, since the confirmation device 15 is a network camera, the confirmation device information is the IP address of the network camera, and the web browser unit 412 accesses the network camera using this IP address, and from the network camera. The captured image is acquired, and the acquired image is displayed in the confirmation device information display area 514 (C14).

  The approver compares the user name displayed in the user name display area 512 on the approval request page 501 with the information displayed in the confirmation apparatus information display area 514, and is displayed in the confirmation apparatus information display area 514. The user with the user name from the information stored. In this way, the approval request page 501 displays the name of the user who is requesting approval and the information acquired by the confirmation device 15 corresponding to the user of this user name, so the approver is requesting approval. It is possible to confirm whether or not the user is the user himself / herself, and after confirming that the user is the user himself / herself, the approval or disapproval can be determined.

  In the present embodiment, the fact that there is access to a predetermined network resource from the computer 16 as a predetermined client computer is notified to the output unit 405 in the user name display area 512 and the network resource display area 513 of the approval request page 501. Although displayed, the computer 14 may be further provided with a sound generation unit that outputs sound such as a speaker, and may be separately notified by voice or the like.

  Further, when the approver refers to the network resource displayed in the network resource display area 513 and approves the use of the network resource by the user, the approver uses the input unit 404 to check the check box. If the user does not approve the use of the network resource by the user, the unapproved check box 516 is checked using the input unit 404. Then, the approver operates the transmission button 517 using the input unit 404.

  When the transmission button 517 is operated by the input unit 404, the web browser unit 412 creates an approval signal and transmits it to the access control master unit 11 when the check box for approval is checked. On the other hand, if the check box for disapproval is checked, a disapproval signal is created and transmitted to the access control master unit 11 (C15).

  By operating in this way, the approval request process in the process S33 is executed, and the access control master 11 can obtain approval or disapproval from the approver via the computer 14.

  Upon receiving a reply communication signal from the computer 14, the approval process processing unit 114 determines whether or not approval has been acquired (S34). If the received communication signal is an approval signal, the approval process processing unit 114 determines that the approval has been obtained. On the other hand, if the received communication signal is a disapproval signal, the approval process processing unit 114 is obtained. Decides not to obtain approval.

  As a result of the determination in the process S34, when it is determined that the approval is acquired (Yes), the approval process processing unit 114 returns the process to the process S32, and on the other hand, when it is determined that the approval is not acquired (No). The approval process processing unit 114 notifies the approval request response processing unit 115 of the passage inquiry signal identifier received from the approval process trigger unit 113 to the effect of blocking (S35), and ends the process.

  Upon receiving the notification of blocking, the approval request response processing unit 115 creates a communication signal (non-permission notification signal) that accommodates the blocking and passage inquiry signal identifier, and the communication interface unit 103 sends the generated non-permission notification signal. Is transmitted to the access control slave unit 12 (C16). On the other hand, upon receiving the approval, the approval request response processing unit 115 creates a communication signal (permission notification signal) that accommodates the passage approval and the passage inquiry signal identifier, and uses the created permission notification signal as a communication interface. The data is transmitted to the access control slave unit 12 using the unit 103 (C16).

  By operating in this way, the approval or disapproval of the approver obtained through the computer 14 is transmitted from the access control master unit 11 to the access control slave unit 12.

  9 and 11, when a reply to the passage inquiry signal is received (S19), the passage blocking processing unit 211 in the arithmetic processing unit 201 of the access control slave unit 12 sends a reply of the passage inquiry signal as a non-permission notification signal. It is determined whether there is a permission notification signal (S20).

  If the result of determination in step S20 is a non-permission notification signal (non-permission notification signal), the passage blocking processing unit 211 performs a communication signal blocking process for discarding the communication signal related to the passage inquiry signal (S21). , C17), and the process ends. As a result, access from the computer 16 to the file server 13 is denied, and the network resources of the file server 13 are protected. Here, the passage blocking processing unit 211 is configured to transmit a communication signal notifying that the access to the file server 13 is denied to the computer 16 that is the transmission source of the communication signal related to the passage inquiry signal. May be. This not only protects the files on the file server 13, but also allows the user of the computer 16 who tries to access the file server 13 to recognize that the access has been denied. And it may be configured not only to notify that the access is denied, but also to notify the cause of the denied access such as the absence of the approver or the disapproval of the approver. By notifying the user of the cause of the access refusal, the user can take measures according to the cause such as re-accessing after a while or persuading the approver.

  On the other hand, if the result of determination in step S20 is a permission notification signal (permission notification signal), the passage blocking processing unit 211 sets the timer of the timer unit 217 corresponding to the communication signal related to the passage inquiry signal. (S22) A communication signal passing process for transferring the communication signal related to the passing inquiry signal to the file server 13 using the second communication interface unit 204 is performed (S23, C17), and the process is terminated. As a result, the network resource of the file server 13 can be accessed from the computer 16 after obtaining approval from the approver. For this reason, even if the computer 16 (user) who is not authorized to access network resources is normally permitted to use the network resources, the access rights can be dynamically changed.

  In the above-described embodiment, the MAC information, IP address information, port number information, command information, and parameter information of the access control slave unit 12 are input from the input unit 104 of the access control master unit 11, and the access control master unit 11 The access control slave unit 12 is configured to transmit the information to the access control slave unit 12 and store the information in the access control slave unit 12. However, the access control slave unit 12 is further provided with an input unit such as a keyboard, for example. It may be configured such that MAC information, IP address information, port number information, command information, and parameter information are input from the input unit of the slave unit 12 and these pieces of information are stored in the access control slave unit 12. Alternatively, each information of MAC information, IP address information, port number information, command information, and parameter information is input from a computer that is communicably connected to the network 1, such as the computer 14, and the access control slave unit 12 is input from the computer 14. The information may be stored in the access control slave unit 12. Alternatively, a dedicated setting tool for storing the MAC information, IP address information, port number information, command information, and parameter information in the access control slave unit 12 is connected to the access control slave unit 12 directly or via the network 1 However, these pieces of information may be stored in the access control slave unit 12.

  In the above-described embodiment, the MAC information, IP address information, port number information, command information, and parameter information of the access control slave unit 12 are input from the input unit 104 of the access control master unit 11 from scratch. Although configured, each of these pieces of information may be created using the access control master unit 11 and the access control slave unit 12.

  More specifically, the access control handset 12 passes all communication signals from the computer 16 to the file server 13 for a predetermined period (for example, a period of about one week or one month) after the operation of the network 1 is started. The copy of the passed communication signal is configured to be transmitted to the access control master unit 11. For example, when a communication signal is received from the first communication interface unit 203, a copy of the received communication signal is created and transmitted to the access control master unit 11 using the first communication interface unit 203, and the received communication signal is stored in a file. The arithmetic processing unit 201 further includes a communication signal collection processing unit 218 (indicated by a broken line in FIG. 2) that is transferred to the server 13 using the second communication interface unit 204.

  Based on the communication signal received from the access control slave unit 12, the access control master unit 11 transmits the source MAC address, source IP address, destination port number, SMB in the communication signal from the computer 16 to the file server 13. And the parameters in the SMB command are stored in the storage unit 102. For example, as indicated by a broken line in FIG. 3, a support processing unit 119 having such a function is further provided in the arithmetic processing unit 101, and a support information storage unit 125 that stores these pieces of information is provided in the storage unit 102. Provide further functionally. When the user inputs the MAC information, IP address information, port number information, command information, and parameter information of the access control slave unit 12 from the input unit 104 of the access control master unit 11, the support processing unit 119 stores the information. The MAC address stored in the support information storage unit 125 of the unit 102 is used as MAC information, the source IP address is used as IP address information, the destination port number is used as port number information, and the SMB command is used as command information. Each parameter in the SMB command is presented to the output unit 105 as parameter information. The support processing unit 119 accepts the selection of the MAC address from the presented MAC information and the addition as necessary by the input unit 104 from the user, and the selection of the IP address from the presented IP address information and as necessary. Accept the addition, accept the selection of the port number from the presented port number information and if necessary, accept the addition of the SMB command from the presented command information and add as necessary, and present the parameters From the information, in the SMB command, the selection of the OR meter and the addition as necessary are accepted, and the MAC information, the IP address information, the port for setting the access control slave unit 12 according to the selection and the addition acceptance result Number information, command information, and parameter information are generated. Then, the support processing unit 119 creates a setting information signal based on the generated information and transmits the setting information signal to the access control slave unit 12 using the communication interface unit 103.

  When the access control slave unit 12 receives the setting information signal from the access control master unit 11, the access control slave unit 12 stores the setting information signal in the storage unit 202, and controls the passage and blocking of the communication signal from the computer 16 to the file server 13 as described above. To start.

  Thus, by providing the access control slave unit 12 with the communication signal collection processing unit 218 and the access control master unit 11 with the support processing unit 119 and the support information storage unit 125, the user can obtain the IP address information and the port number. It is not necessary to input information, command information, and parameter information from the input unit 104 of the access control master unit 11 from the beginning, so that it is possible to save input time and to reduce input mistakes.

  In the above-described embodiment, the environment information and the approver master information are input from the input unit 104 of the access control master device 11 and stored in the access control master device 11. Each information of the environment information and the approver master information is input from a computer, for example, the computer 14, transmitted from the computer 14 to the access control master device 11, and stored in the access control master device 11. It may be configured. With this configuration, the input unit 104 is combined with the above-described configuration for inputting and setting the MAC information, IP address information, port number information, command information, and parameter information of the access control slave unit 12 from the computer 14. And the output unit 105 can be omitted, and the cost of the access control master unit 11 can be reduced. Alternatively, a dedicated setting tool for storing environment information and approver master information in the access control master device 11 is connected to the access control master device 11 directly or via the network 1, and these pieces of information are stored in the access control master device 11. You may comprise.

  Further, in the above-described embodiment, the active approver processing unit 118 is configured to generate the active approver information from the approver master information in response to the trigger from the initial setting processing unit 111, but the calendar unit 116 is set in advance. When the set time is reached, the active approver processing unit 118 is notified to that effect, and when the active approver processing unit 118 receives a notification from the calendar unit 116 that the set time is reached, the approver master information. The active approver information may be generated from. The set time is a time corresponding to the attendance time or a time when a predetermined time interval (for example, 1 hour or 2 hours) is left. With this configuration, the load for generating active approver information from the approver master information of the arithmetic processing unit 101 can be made constant. For this reason, since the information processing capability of the arithmetic processing unit 101 can be estimated and the arithmetic processing unit 101 having an appropriate information processing capability can be selected, the operation of the access control master unit 11 can be stabilized. Can do.

  And in the above-mentioned embodiment, it is comprised so that the confirmation apparatus 15 may be provided and the information from this confirmation apparatus 15 may be shown to the computer 14, and the approver who uses the computer 14 is based on the information from this confirmation apparatus 15. It is confirmed whether the user requesting approval is the user himself / herself, but the approver and the user are present on the same floor, etc. If it can be confirmed whether or not, the confirmation device 15 may be omitted. In this case, the user confirmation information table 160 is configured not to include the confirmation device information field 163 but to include the access device information field 161 and the user name field 162, and the approval request page 501 includes a confirmation device information display area. 514, a message display area 511, a user name display area 512, a network resource display area 513, an approval check box 515, a disapproval check box 516, and a send button 517. Is done. As described above, the computer 14 is configured to be able to display that the network resource of the file server 13 has been accessed from the computer 16 in response to the approval request signal from the access control master unit 11. Approval and disapproval of this access Any one of these can be input. Then, similarly to the above-described embodiment, the computer 14 returns either the access approval or the disapproval to the access control main unit 11 when either access approval or disapproval is input. Configured to do.

  By omitting the confirmation device 15, the cost can be reduced and the computer 14 can be configured more simply.

  In the above-described embodiment, the case where the confirmation device 15 is a network camera has been described. However, instead of the network camera, the confirmation device 15 may be a telephone. In this case, in the user confirmation information table 160, the telephone number of the telephone related to the user who uses the computer 16 is used as the confirmation device identifier in the confirmation device information field 163. When displaying the approval request page 501, the web browser unit 412 acquires an image from the network camera serving as the confirmation device 15 and displays the image in the confirmation device information display area 514. By referring to the user confirmation information table 160 stored in the user confirmation information storage unit 421 based on the IP address (access device identifier), the telephone number of the telephone set related to the user can be obtained from this IP address. The telephone number is obtained and displayed in the confirmation device information display area 514. As described above, the computer 14 determines that the network resource of the file server 13 has been accessed from the computer 16 and the telephone number of the telephone set for the user who uses the computer 116 in response to the approval request signal from the access control master unit 11. It is configured so that it can be displayed, and either approval or disapproval of this access can be input. Then, similarly to the above-described embodiment, the computer 14 returns either the access approval or the disapproval to the access control main unit 11 when either access approval or disapproval is input. Configured to do.

  The approver makes a call to the telephone having the telephone number, and checks whether or not the user who is requesting approval is the user himself / herself.

  In offices and the like, since telephones are usually assigned to employees corresponding to users, it is possible to use existing telephones by configuring in this way, and it is not necessary to newly install a confirmation device 15. Can be lowered.

  In addition to displaying the telephone number of the telephone, or instead of displaying the telephone number of the telephone, the computer 14 automatically transfers from the telephone used by the approver to the telephone related to the user seeking approval. May be configured to make a call. In this case, in the user confirmation information table 160, the telephone number of the telephone related to the user who uses the computer 16 is used as the confirmation device identifier in the confirmation device information field 163. When displaying the approval request page 501, the web browser unit 412 acquires an image from the network camera serving as the confirmation device 15 and displays the image in the confirmation device information display area 514. By referring to the user confirmation information table 160 stored in the user confirmation information storage unit 421 based on the IP address (access device identifier), the telephone number of the telephone set related to the user can be obtained from this IP address. In addition, the telephone number is displayed in the confirmation device information display area 514, and a call is made from the telephone used by the approver using the telephone number. Alternatively, instead of displaying this telephone number in the confirmation apparatus information display area 514, a call is made from the telephone used by the approver using this telephone number.

  As described above, the computer 14 is configured to be able to display that the network resource of the file server 13 has been accessed from the computer 16 in response to the approval request signal from the access control master unit 11. Approval and disapproval of this access Any one of these can be input, and a call is automatically made to a telephone number of a telephone set for a user who uses the computer 116. Then, similarly to the above-described embodiment, the computer 14 returns either the access approval or the disapproval to the access control main unit 11 when either access approval or disapproval is input. Configured to do.

  By configuring in this way, it is possible to prevent the approver from making a call to an incorrect telephone number, and to save the approver from making a call.

  Further, in the above-described embodiment, every time the access control master unit 11 receives the passage inquiry signal from the access control slave unit 12, the access control master unit 11 transmits an approval request signal to the computer 14 and either one of the approval signal and the disapproval signal from the computer 14. Although one reply is received, the approver uses the computer 14 to store permission information on whether to approve access from the computer 16 to the network resource of the file server 13 or not. When the access control master unit 11 receives a pass inquiry signal from the access control slave unit 12 based on the permission / rejection information in the storage unit 102, the access control master unit 11 receives the pass inquiry signal from the access control slave unit 12 in advance. It is determined whether or not the computer 16 approves access to the network resource of the file server 13. One of permission notification signal and the non-permission notification signal according to the result of it may be configured to return to the access control handset 12. The permission information includes, for example, an identifier (for example, the MAC address and / or IP address of the computer 16) for identifying and identifying the computer 16, and an identifier (for example, a parameter in the SMB command) for identifying and identifying the network resource. And information indicating approval or disapproval of access, and are configured to be associated with each other. And in order to memorize | store permission information in the permission information storage part 126, for example, as shown with a broken line in FIG. 3, the arithmetic processing part 101 is further provided with the permission information setting process part 120 functionally. For example, when permission information is input from the input unit 404 of the computer 14 and transmitted to the access control master 11 by the arithmetic processing unit 401, the permission information setting processing unit 120 permits or rejects the permission information received by the communication interface unit 103. The information is stored in the information storage unit 126. Further, for example, when permission / rejection information is input from the input unit 104, the permission / rejection information setting processing unit 120 stores the input permission / rejection information in the permission / rejection information storage unit 126. Further, for example, a dedicated setting tool for storing permission / rejection information in the access control master unit 11 is connected to the access control master unit 11 via the network 1, and permission / rejection information is input to the setting tool and transmitted to the access control master unit 11. Then, the permission information setting processing unit 120 stores the permission information received by the communication interface unit 103 in the permission information storage unit 126.

  With this configuration, each time the computer 14 receives an approval request signal from the access control master unit 11, the approver accesses the network resources of the file server 13 from the computer 16 as described in the above embodiment. It is not necessary to perform a procedure for approving or not, and it is possible to save the effort of the approver. On the other hand, the approver can easily change whether to approve access from the computer 16 to the network resource of the file server 13, for example, using the computer 14.

  In the embodiment described above, the access control master unit 11 and the access control slave unit 12 are configured separately, but may be configured integrally.

  In the above-described embodiment, the MAC information, the IP address information, the port number information, the command information, and the parameter information are configured to be stored in the storage unit 202 of the access control slave unit 12. A server computer for managing information may be provided in the network 1, and the access control slave unit 12 may be configured to receive provision of these pieces of information from the server computer. Further, such a server computer may be provided in the access control master unit 11.

  Further, in the above-described embodiment, the approver master information is configured to be stored in the storage unit 102 of the access control master unit 11. However, a server computer that manages this information is provided in the network 1, and the access control master unit is configured. 11 may be configured to receive this information from the server computer.

  In the above-described embodiment, the user confirmation information is configured to be stored in the user confirmation information storage unit 421 of the computer 14. However, the user confirmation information is stored in the storage unit 102 of the access control master unit 11 and is stored in the access control master unit. 11 may transmit the user confirmation information together when transmitting the approval request signal to the computer 14. Alternatively, a server computer that manages user confirmation information may be provided in the network 1, and the computer 14 may be configured to receive provision of user confirmation information from this server computer. Further, such a server computer may be provided in the access control master unit 11.

  Further, in the above-described embodiment, when the access control master device 11 receives the passage inquiry signal from the access control slave device 12, the access control master device 11 automatically executes the processing S31 to S35 shown in FIG. The process S36 or the process S37 is executed, but when the so-called access level is set in the computer 16 as the client computer and the access right is possessed, the process S37 to the process S37 are executed without executing the process S31 to S35. If the user does not have the access right, the processes S31 to S35 are executed, and the process S36 or S37 is executed according to the process result. It may be configured to execute. By configuring in this way, for example, a company officer can access a predetermined network resource without going through the approval flow of processing S31 to processing S35. In addition, only the temporary employee can determine whether or not the approver can access through the above approval flow, and the operation according to the actual situation becomes possible.

Here, an embedded network technology such as EMIT (Embedded Micro Internetworking Technology) (a network technology having a function capable of easily incorporating middleware into a device and connecting to the network; hereinafter referred to as an EMIT system) is portable. IP (Internet Protocol) based external equipment such as telephone, PC (Personal Computer), PDA (Personal Digital Assistant), etc., various equipment (lighting device, air conditioner, power unit, sensor, electric lock, webcam, etc. Hereinafter, the EMIT terminal can be remotely monitored and controlled by accessing the EMIT terminal. For example, by distributing the above-mentioned EMIT terminals in buildings (for detached houses, condominiums, buildings, factories, etc.) and remotely monitoring the status of the EMIT terminals from an external terminal, energy management of the entire building is performed. Or remote meter reading of gas, water and electricity in the building. The EMIT terminal is a built-in device with a microcomputer, and EMIT software is installed. The EMIT software is a built-in type middleware for network connection and does not require a high-speed processor with a very small program size, so that the cost of the network connection function can be reduced. The EMIT system also has various automatic setting functions such as automatic discovery of terminals, and also has security functions such as encryption, authentication, and access control suitable for an embedded environment. Both the parent device and the child device according to the present embodiment are the above-mentioned EMIT terminals, and the communication environment setting at the time of installation can be omitted by an automatic setting function based on the EMIT technology. Good. In addition, communication between the parent device and the child device should be concealed from the functions provided by the system. However, communication for cooperative operation in the system is performed by the built-in security function provided in the EMIT middleware. Of course, even if it is a system that keeps everything safe, it is good.

It is a figure which shows the structure of the network which concerns on embodiment. It is a block diagram which shows the structure of the access control subunit | mobile_unit which concerns on embodiment. It is a block diagram which shows the structure of the access control main | base station which concerns on embodiment. It is a figure which shows the structure of the approver master information table which concerns on embodiment. It is a figure which shows the structure of the active approver information table which concerns on embodiment. It is a figure which shows the structure of a log information table. It is a figure which shows the structure of the computer which an approver uses. It is a figure which shows the structure of a user confirmation information table. It is a figure which shows the sequence for demonstrating operation | movement of a user's computer, a confirmation apparatus, an approver's computer, an access control main | base station, an access control subunit | mobile_unit, and a file server. It is a flowchart (the 1) which shows operation | movement of an access control subunit | mobile_unit. It is a flowchart (the 2) which shows operation | movement of an access control subunit | mobile_unit. It is a flowchart which shows operation | movement of the access control main | base station. It is a figure which shows the structure of an approval request page.

Explanation of symbols

11 Access control parent device 12 Access control child device 13 File server 14 Computer 15 Confirmation device 101, 201, 401 Operation processing unit 102, 202, 402 Storage unit 103, 403 Communication interface unit 104, 404 Input unit 105, 405 Output unit 112 Approval request processing unit 113 Approval process trigger unit 114 Approval process processing unit 115 Approval request response processing unit 116 Calendar unit 117 Log processing unit 118 Active approver processing unit 122 Approver master information storage unit 123 Active approver information storage unit 124 Log information Storage unit 203 First communication interface unit 204 Second communication interface unit 211 Pass blocking processing unit 212 MAC comparison unit 213 IP address comparison unit 214 Port number comparison unit 215 Command comparison unit 216 Parameter comparison unit 217 Timer unit 221 MAC information storage unit 222 IP address information storage section 223 the port number information storage section 224 the command information storage unit 225 the parameter information storage unit 411 Push receiving service unit 412 the web browser unit 421 user confirmation information storage unit

Claims (10)

An access control slave unit that is arranged to be communicable between a server computer that manages a shared network resource and a client computer of the server computer, and that controls access to the network resource from the client computer, and the access control slave unit In an access control system comprising an access control master unit that can communicate with the access control slave unit and is capable of communicating with the access control slave unit,
The access control slave unit notifies the access control master unit of the access when a predetermined client computer accesses a predetermined network resource set in advance, and the approval of access to the notification is the access control. The access is granted when notified from the parent machine,
The access control master unit executes permission / rejection processing for checking permission / inhibition of access when the access control slave device is notified of the access, and when the result of the permission / refusal processing is approval of access, An access control system that notifies access approval to the access control slave unit. An approver network terminal used by an approver having the authority to determine whether to permit access to the notification;
A network camera corresponding to the predetermined client computer,
The access control master unit, as the permission / rejection process, displays an image relating to a user using the predetermined client computer captured by the network camera and that the predetermined network resource has been accessed from the predetermined client computer. When the approver network terminal for approver is presented, and either one of the access approval and disapproval is input from the input unit of the approver network terminal, the access approval and disapproval of the input The access control system according to claim 1, wherein either one is received from the approver network terminal and the reception is accepted as a result of the permission / rejection processing. Further comprising an approver network terminal used by an approver having the authority to determine whether to permit access to the notification;
The access control master unit causes the presentation unit of the approver network terminal to present that the predetermined client computer has accessed the predetermined network resource as the permission / rejection process, and When either one of approval or disapproval of the access is input from the input unit, the access approval or disapproval of the input is received from the network terminal for the approver, and the acceptance process is performed. The access control system according to claim 1, wherein the access control system is received as a result of the following. Further comprising an approver network terminal used by an approver having the authority to determine whether to permit access to the notification;
The access control master device, as the permission / rejection process, determines that the predetermined client computer has accessed the predetermined network resource and the telephone number of the telephone set relating to the user who uses the predetermined client computer. One of the access approval and disapproval of the input when the access approval or disapproval is input from the input unit of the approver network terminal. The access control system according to claim 1, wherein the access control system is received from the approver network terminal and the reception is accepted as a result of the permission / rejection processing. Further comprising an approver network terminal used by an approver having the authority to determine whether to permit access to the notification;
The access control master unit receives permission information on whether to approve access to the predetermined network resource from the predetermined client computer from the approver network terminal, and further stores the permission information in a storage unit. The access control system according to claim 1, wherein the permission / refusal processing is executed based on the access control system. The access control master is
A permission / rejection processing unit that executes permission / rejection processing to check permission / rejection of access when the access notification is received from the access control slave unit;
6. A notification processing unit that notifies the access control slave unit of access approval for the notification when the result of the permission / refusal processing is access approval. 6. The access control system according to item. The access control master is
A log information storage unit for storing a log related to the notification of access and a log related to approval of access to the notification;
When there is a notification of the access from the access control slave unit, the log is stored in the log information storage unit, and when the access control slave unit is notified of the access approval to the access control slave unit, the log information storage unit The access control system according to any one of claims 1 to 6, further comprising a log processing unit that stores a log. The access control slave is
An information storage unit for storing first identification information for identifying the predetermined client computer and second identification information for identifying the predetermined network resource;
An access from the predetermined client computer to the predetermined network resource is detected based on first identification information and second identification information stored in advance in the information storage unit from among communication signals received from the client computer. When the access to the predetermined network resource is detected from the predetermined client computer, the access is notified to the access control master unit, and access approval for the notification is notified from the access control master unit The access control system according to any one of claims 1 to 7, further comprising: an access processing unit that permits the access. The access control slave is
A communication signal collection processing unit for notifying the access control master unit of the access when the client computer is accessed from the server computer;
The access control master is
A presentation unit for presenting information;
An input unit for inputting information;
A support information storage unit for storing information related to the notification of access;
When the access signal is notified from the communication signal collection processing unit of the access control slave unit, information related to the access notification is stored in the support information storage unit, and the predetermined client computer is identified. When the first identification information and the second identification information for identifying the predetermined network resource are input from the input unit, the first identification information and the second identification information are stored based on the information recorded in the support information storage unit. The access control system according to any one of claims 1 to 8, further comprising a support processing unit that presents identification information to the presenting unit. An access control slave unit that is arranged to be communicable between a server computer that manages a shared network resource and a client computer of the server computer, and that controls access to the network resource from the client computer, and the access control slave unit In an access control method of an access control system comprising: an access control master that is communicable with the access control and gives the access control slave to the access control slave,
Notifying the access control master device of the access when the access control slave device has accessed a predetermined network resource set in advance from a predetermined client computer;
A step of executing permission / refusal processing for checking permission / inhibition of access when the access control master is notified of the access from the access control slave;
The access control master device notifying the access control slave device of access approval for the notification when the result of the permission / refusal processing is access approval;
And a step of allowing the access control slave unit to grant the access when the access control master unit is notified of access approval for the notification.

Images