JP2008299702A - Information processing program and information processing system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an information processing program allowing acquisition of a history of operation such that it is turned out that the operation is substitution even when performing the substitution of the operation in a system wherein access control is performed. <P>SOLUTION: This information processing program makes a computer function as: a proxy storage means performing control such that an operator identifier for identifying an operator and a substituted person identifier for identifying a substituted person for which the operator can substitute are associated and are made to be stored in a storage device; an authority imparting means imparting authority of the substituted person to the operator based on association stored in the proxy storage means; and a history acquisition means acquiring the history of the operation by the operator imparted with the authority by the authority imparting means together with the operator identifier and the substituted person identifier. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an information processing program and an information processing system.

In a document management system or the like, an operation is often carried out. For example, on behalf of the operations of the department head, such as a secretary acting as a surrogate operation, temporarily delegating the work of an absent user, or temporarily using the administrator's authority, etc. Some are done temporarily. In general, in a document management system or the like, access control is performed to ensure security.
What is actually done in order to perform operations on behalf of a document management system or the like where access control is performed is, for example, an account of a user who is desired to be represented (referred to as a delegate) Either tell the password to the proxy user, or create a user with a wide range of access privileges and use the user account with the user who wants to perform the operation.

  As a technology related to these, for example, Patent Document 1 discloses that even if a circulated e-mail is not accepted at the circulation destination and is stagnated, it can be circulated quickly to other circulators or agents. When the circulation mail posted by the electronic mail posting unit in the electronic mail posting / accepting device is received by the electronic mail reception / delivery device, the electronic mail delivery control unit in the electronic mail reception / delivery device Deliver the mail according to the circulation list and deliver the mail to the circulation person, and the circulation stagnation alarm section monitors the time when the circulation mail is forwarded from the delivery destination by the circulation operation, and If the time limit specified in is exceeded, an alarm is sent to the delivery destination. If the list's agent is registered to the agent, if it is not registered to the next circulation target persons, it is disclosed that to deliver the circulation mail.

  Further, Patent Document 2 has a problem of giving a predetermined user the authority to perform proxy drafting processing without giving his / her own login / password. Specify the form class that identifies the form to be requested, the start date and end date that identify the period for requesting proxy drafting, and the proxy drafter user ID that identifies the proxy drafter to be requested for proxy drafting Registered in the electronic form system, and the electronic form system registers with the proxy requester user ID for identifying the proxy requester in the proxy definition table, and the proxy drafter enters the form draft mode of the proxy draft requester. When entering the document drafting mode of the proxy drafting requester, the form that can be drafted by the proxy drafter is selected based on the registered form class, start date, end date, etc. As a list When the proxy drafter selects one of them, a blank form of the electronic form can be acquired, and the user information such as the name, user ID, and affiliation of the proxy draft requester is automatically embedded. In rare cases, it is disclosed that a substitute drafter inputs necessary items and applies for the electronic form as a substitute draft requester.

  Further, Patent Document 3 has a problem of allowing an electronic document to be approved even when there is no approver, means for allowing an approval requester to designate an approver and a proxy approver for the electronic document, If the approver is absent from the device and the proxy approver is present at the device, the approver approves the approver when the approver is present at the device. Means for approving the electronic document, means for confirming presence / absence of the approver and proxy approver in the terminal by sending a ping command to the IP address of the terminal to which the approver and proxy approver logged on, It is disclosed to include means for transmitting an approval request e-mail to a person who makes an approval.

Patent Document 4 aims to enable an administrator to flexibly and temporarily change the access right of each file, and to efficiently perform integrated work and file control of the entire file. In each file included in the overall file of the processing system, an access right management table pointed to by the file directory is provided, temporary access right is managed by them, and the administrator sets the temporary access right command. Is issued, the temporary access right is set in the related upper and lower access right management table entries. After that, even if each user instructs to write, the access right management table is checked by the program. By doing so, temporary access rights are checked over permanent access rights, The general it is disclosed that writing is prohibited.
Japanese Patent Application Laid-Open No. 06-232902 JP 2001-118209 A Japanese Patent Laid-Open No. 2002-083102 Japanese Patent Laid-Open No. 04-344955

By the way, in a system that performs access control, the fact that the operation is performed and no history is left may disable the access control and may cause a security problem.
An object of the present invention is to provide an information processing program and an information processing system in which an operation history can be acquired so that even when an operation is performed, the operation is found to be performed. .

The gist of the present invention for achieving the object lies in the inventions of the following items.
According to the first aspect of the present invention, an agent that controls a computer so that an operator identifier that identifies an operator and an agent identifier that identifies an agent that can be represented by the operator are associated with each other and stored in a storage device. Based on correspondence stored in the agent storage means, authority granting means for granting the authority of the delegate to the operator, and operation authorized by the authority granting means It is made to function as a log | history acquisition means which acquires the log | history of operation by an operator with an operator identifier and an agent identifier.

  According to a second aspect of the present invention, in the first aspect of the invention, the agent storage unit further stores an operation or an operation target that the operator can act on behalf of the agent, and the authority granting unit The operator is given authority for the operation or the operation target stored in correspondence with the operator in the agent storage means.

  The invention of claim 3 is the invention of claim 1 or 2, wherein the agent storage means further stores a period during which the operator can act, and the authority granting means The authority is given within the period stored in the agent storage unit corresponding to the operator.

  According to a fourth aspect of the present invention, in the invention according to any one of the first to third aspects, the authority granting unit grants the authority of the agent to the operator in addition to the authority of the operator. Or the authority of the agent is granted instead of the authority of the operator.

  The invention according to claim 5 is the invention according to any one of claims 1 to 4, wherein the computer is associated with a group identifier for identifying a group and an operator identifier of an operator who is a member of the group. Further operating as an operator / group storage means for controlling to store in a storage device, the operator identifier stored in the agent storage means includes a group identifier for identifying a group including the operator as a member, When the operator identifier stored in the agent storage unit is a group identifier, the authority granting unit is configured to notify an operator who is a member of the group identifier based on the operator / group storage unit. It is characterized by granting the authority of the agent.

  According to a sixth aspect of the present invention, an agent identifier for identifying an operator and an agent identifier for identifying an agent that can be represented by the operator are stored in association with each other. Based on the stored correspondence, authority granting means for granting the authority of the agent to the operator, and the history of operations by the operator authorized by the authority granting means, the operator identifier and It is characterized by comprising history acquisition means for acquiring together with the agent identifier.

  According to the information processing program of claim 1, it is possible to acquire an operation history so that even when an operation is performed in a system performing access control, the operation is determined to be performed. become.

  According to the information processing program of the second aspect, it is possible to permit the operation necessary for the operator who is the agent or the authority for the operation target, instead of permitting all the operations of the agent.

  According to the information processing program of the third aspect, it is possible to permit the operator as the agent for the necessary period of time instead of permitting the operation of the agent indefinitely.

  According to the information processing program according to claim 4, when the operator who is the agent is permitted to operate as the agent and the authority of the operator, or when the operation is permitted only as the agent. You will be able to choose.

  According to the information processing program of the fifth aspect, a group can be permitted as an operator who is an agent.

  According to the information processing system of the sixth aspect, even when an operation is performed in a system that performs access control, an operation history can be acquired so that the operation is proved to be performed. become.

Hereinafter, an example of a preferred embodiment for realizing the present invention will be described with reference to the drawings.
FIG. 1 shows a conceptual module configuration diagram of a configuration example of the present embodiment.
The module generally refers to components such as software (computer program) and hardware that can be logically separated. Therefore, the module in the present embodiment indicates not only a module in a computer program but also a module in a hardware configuration. Therefore, the present embodiment also serves as an explanation of a computer program, a system, and a method. However, for convenience of explanation, the words “store”, “store”, and the equivalent are used. However, when the embodiment is a computer program, these words are controlled to be stored in the storage device. Is to do. In addition, the modules correspond almost one-to-one with the functions. However, in mounting, one module may be composed of one program, or a plurality of modules may be composed of one program. A plurality of programs may be used. The plurality of modules may be executed by one computer, or one module may be executed by a plurality of computers in a distributed or parallel environment. Note that one module may include other modules. Hereinafter, “connection” includes not only physical connection but also logical connection (data exchange, instruction, reference relationship between data, etc.).
In addition, the system or device is configured by connecting a plurality of computers, hardware, devices, and the like by communication means such as a network (including one-to-one correspondence communication connection), etc., and one computer, hardware, device. The case where it implement | achieves by etc. is also included.
Hereinafter, a document management system will be mainly exemplified and described as a system performing access control. Access control here refers to a means for ensuring that an authorized operator can access resources of the document management system only in an authorized manner.
The operator is an operator who operates the document management system. In addition to a person who directly operates the document management system using an input device such as a mouse, a remote client connected by communication means. A person who operates from the above, a person who logs in by a script that describes a series of processing procedures in advance, and the like, including a user, a user, an agent, and the like. Hereinafter, when it is widely used as a technical term such as user management, it may be described as a user.
In addition, the delegate is a person who is represented, that is, a so-called person. For example, when the secretary performs the operation of the department head, the department head is the agent and the secretary is the operator (agent).

In this embodiment, as shown in FIG. 1, the login module 101, the authorization module 102, the operation reception module 103, the processing module 104, the operation history acquisition module 105, the representative storage module 112, the object storage module 114, the operation history A storage module 115 is included.
The login module 101 is connected to the authorization module 102 and executes login processing to the document management system in response to an operation by the operator. Then, the operator is managed by an operator ID (IDentification data) that can uniquely identify the operator in the document management system. Specifically, for example, whether or not the user is a legitimate operator is confirmed according to the login name, password input, and the like of the operator. After confirmation, the operator can use the document management system under the authority given.

  The representative storage module 112 is accessed from the authorization module 102, and stores the operator ID and the agent ID for identifying the agent to whom the operator can proxy. Furthermore, an operation or an operation target that can be performed by the operator as a substitute for the agent may be stored. Further, a period during which the operator can substitute may be stored.

  The authorization module 102 is connected to the login module 101, the operation reception module 103, and the representative storage module 112. Based on the correspondence stored in the representative storage module 112, the operation for which login processing has been performed by the login module 101 is performed. The authority of the delegate is granted to the person. Further, the authority for the operation or operation target stored in the representative storage module 112 corresponding to the operator may be given to the operator. Further, the authority may be given to the operator within the period stored in the representative storage module 112 corresponding to the operator. In addition, the operator's authority may be added to the operator's own authority, or the agent's authority may be granted instead of the operator's own authority. .

  The operation reception module 103 is connected to the authorization module 102 and the processing module 104 and receives an operation by the operator. More specifically, an operation by an operator authorized by the authorization module 102 is accepted, and the accepted operation is passed to the processing module 104. Note that the operations specifically include opening, editing, and deleting an electronic document.

  The processing module 104 is connected to the operation reception module 103, the operation history acquisition module 105, and the object storage module 114, and executes an operation. More specifically, an operation is received from the operation reception module 103, and the operation is performed on an object or the like stored in the object storage module 114. An object refers to an object to be operated in the document management system, and specifically corresponds to an electronic document, a folder, an image file, an audio file, and the like.

  The operation history acquisition module 105 is connected to the processing module 104 and the operation history storage module 115. By monitoring the operation history of the operator authorized by the authorization module 102, for example, the processing module 104, Acquired together with the operator ID and agent ID, and the history is stored in the operation history storage module 115.

The object storage module 114 is accessed from the processing module 104 and stores objects managed by the document management system. It is called so-called database, archive, repository.
The operation history storage module 115 is accessed from the operation history acquisition module 105 and stores an operation history. The contents will be described later with reference to FIG.

FIG. 2 is a conceptual module configuration diagram illustrating the configuration example of the present embodiment viewed from another viewpoint. That is, it is a module configuration example viewed from a viewpoint closer to design.
This embodiment includes a UI processing module 201, a user / group management module 202, an operation history management module 203, an object management module 204, a login state management module 205, and an access right management module 206.
The login module 101, the operation reception module 103, and the processing module 104 shown in FIG. 1 correspond to the UI processing module 201, and the login module 101, the authorization module 102, and the representative storage module 112 are the user / group management module 202, The login status management module 205 and the access right management module 206 correspond, the object storage module 114 corresponds to the object management module 204, and the operation history acquisition module 105 and operation history storage module 115 correspond to the operation history management module 203. Each module is connected to other modules.

The UI processing module 201 is an interface between the operator and the document management system. That is, an operation by the operator is accepted, and processing is instructed to the corresponding module based on the content of the operation. Then, the processing result is presented on a display device or the like. In addition, the object is executed according to the operation content.
The login status management module 205 manages the login status of the operator. That is, login processing to the document management system is performed, and processing such as detecting the currently logged-in operator is performed.

  The user / group management module 202 performs user management and group management. In other words, management regarding the access right of the operator (user) or group of the document management system is performed. And it has the memory | storage device which has matched and memorize | stored group ID which identifies a group, and operator ID of the operator who is a member of the group.

The operation history management module 203 manages an operation history for an object.
The object management module 204 manages an object to be managed and its attribute data.
The access right management module 206 manages access rights for users or groups for each object.

A case where a storage device in the user / group management module 202 is added to the embodiment shown in FIG. 1 will be described. The operator ID includes a group ID unless otherwise specified. Therefore, the operator ID stored in the representative storage module 112 includes a group ID. The storage device in the user group management module 202 and the authorization module 102 are connected, and the storage device is accessed by the authorization module 102.
When the operator ID stored in the representative storage module 112 is a group ID, the authorization module 102 determines whether the group ID and the operator ID stored in the storage device in the user / group management module 202 are the same. Based on the response, the authority of the delegate is granted to the operator who is a member of the group ID. That is, a group ID can be designated as an agent, and operators belonging to that group have an authority to substitute.

The user management table 310 in the user / group management module 202 will be described using the example shown in FIG.
The user management table 310 has a user ID column 311, a user name column 312, and a password column 313, and is used by the login module 101 during an operator login process.
The user ID column 311 stores an operator ID that can identify the operator.
The user name column 312 stores the user name of the operator ID.
The password column 313 stores a password required when the operator logs in.

The group management table 320 in the user / group management module 202 will be described using the example shown in FIG.
The group management table 320 has a group ID column 321, a group name column 322, and a member column 323. When searching for an operator ID belonging to the group ID, the group management table 320 searches for the group ID based on the operator ID. Used in cases. For example, this is used when the authority grant module 102 grants proxy authority, where proxy authority is granted to a group and who belongs to the group is extracted. On the contrary, it is used to search what proxy authority can be given to the operator, and to extract to which group the operator belongs.
The group ID column 321 stores a group ID that can identify a group.
The group name column 322 stores the group name of the group ID.
The member column 323 stores operator IDs belonging to the group. That is, the authorization module 102 extracts the operator ID belonging to the group ID using the member column 323 in the group management table 320.

The proxy operation information table 410 stored in the representative storage module 112 will be described using the example shown in FIG.
The proxy operation information table 410 includes a proxy authority ID column 411, a delegated column 412, an operator column 413, a permission operation column 414, an object column 415, a valid / invalid column 416, a valid period column 417, and a valid operation count column 418. And the password field 419, which is set in advance by the administrator or the like, and the authority grant module 102 grants the proxy authority to the operator according to the contents of the proxy operation information table 410.
In the proxy operation information table 410, for each agent, an operator who can act as a proxy, a permission operation for controlling the range of operations that can be represented, an operation target object, and the like are set.

The proxy authority ID column 411 stores a proxy authority ID that can uniquely identify a combination of proxy authorities.
The agent column 412 stores the operator ID of the agent.
The operator column 413 stores the operator ID of the operator who is the agent.
The permitted operation column 414 stores operations that can be represented. For example, it is possible to set the authority to perform read (read) and write (write) as a proxy, or to set the authority for all operations as a proxy.

The object column 415 stores the document name of the object that is the operation target. Further, not only the document name but also the document class (for example, specifying an extension) may be stored. That is, a set of documents corresponding to the document class may be designated.
The valid / invalid column 416 stores a code designating whether the proxy is valid or invalid. By using an invalid code, the proxy definition itself can be set so as not to have any meaning. Since the proxy definition itself has not been deleted, it can be used when it is desired to use the definition later.
The validity period column 417 relates to conditions related to the expiration date, for example, the expiration date such as “until XX days”, “XX days”, the condition of the operation date and time such as “only at the end of the month”, “only on Monday”, etc. Is remembered.
The number of valid operations column 418 stores the number of valid operations that can be represented. That is, until the number of times, the agent can operate on behalf of the agent.
The password field 419 stores a password when a password is required to perform a proxy operation.

The login status storage table 510 managed in the login status management module 205 will be described using the example shown in FIG.
The login status storage table 510 has a login user column 511 and a proxy authority ID column 512, and stores the proxy authority granted by the authority grant module 102.
The login user column 511 stores the operator ID of the operator who is currently logged in the document management system.
The proxy authority ID column 512 stores a proxy authority ID of an authority that the logged-in operator can proxy. This proxy authority ID is an ID stored in the proxy authority ID column 411 of the proxy operation information table 410. Therefore, in the example of FIG. 5, it is shown that User-2 can proxy User-1 by proxy authority ID: 1.

  The operation history table 610 stored in the operation history storage module 115 will be described using the example shown in FIG. When the operator who has acquired the proxy operation authority performs the proxy operation, the operation history acquisition module 105 stores the operation history information in the operation history table 610 in the operation history storage module 115 as the operation history information. And information such as which operator was operated as a proxy.

The operation history table 610 includes an object column 611, an operator column 612, a delegated column 613, an operation column 614, an operation target item column 615, and an operation time column 616, the contents of which are stored in the operation history storage module 115. Is information stored as an operation history.
The object column 611 stores an object ID that identifies an object that is an operation target.
The operator column 612 stores an operator ID indicating who has performed an operation on the object.
The agent column 613 stores the operator ID of the agent indicating who the operator's operation was performed on behalf of the operator.
The operation column 614 stores an operation performed on the object.
The operation target item column 615 stores more specific items (for example, a monetary amount column) of the object that is the target of the operation.
The operation time column 616 stores the operation time when the operation was performed.

The access right management table 710 stored in the access right management module 206 will be described using the example shown in FIG.
The access right management table 710 has an object ID column 711, a user ID column 712, and an authority column 713, and is used when searching what operation is permitted for an object.
The object ID column 711 stores an object ID.
The user ID column 712 stores an operator ID.
The authority column 713 stores the authority that the operator has for the object.

  An example of processing of the operation reception module 103, the processing module 104, and the operation history acquisition module 105 will be described using the flowchart shown in FIG. Here, it is assumed that the operator has already logged in by the login module 101 and that the authority is given to the operator by the authority granting module 102.

In step S <b> 802, the operation reception module 103 receives an operation by the operator for the target object.
In step S804, the operation reception module 103 sets NULL to the variable X. That is, a state where the variable X is NULL means that the operation is not performed by the operator but is performed by the operator's own authority. Of course, it is not necessary to limit to NULL, and any code indicating the state may be used.

In step S806, the operation reception module 103 determines whether the operator himself has authority for the operation received in step S802. In this determination, if the operator himself has the authority to operate (yes), the process proceeds to step S814. Otherwise (no), the process proceeds to step S808.
The operation history table 610 is used to determine whether the user has authority. That is, an object to be operated is searched from the object column 611, and it is determined whether or not the corresponding operator in the operator column 612 matches, and whether or not the operation in the operation column 614 matches.

In step S808, the operation reception module 103 determines whether or not all checks for whether or not it has proxy authority have been completed. If all the determinations are completed (yes), the process proceeds to step S816 and ends. That is, since it turns out that the operator's own authority and the authority granted to the operator were not possessed, the operation is not executed. On the other hand, if all the checks have not been completed (no), the process proceeds to step S810.
The determination in step S808 uses the login state storage table 510. That is, the determination is made based on whether all the proxy authority IDs stored in the proxy authority ID column 512 of the login state storage table 510 have been checked.

In step S810, the operation reception module 103 determines whether or not the operation can be performed with the authority given to the operator. In this determination, if the operation can be performed (yes), the process proceeds to step S812. Otherwise (no), the process returns to step S808, and the processes of steps S808 and S810 are repeated.
The determination in step S810 uses the proxy operation information table 410. That is, in step S808, a row corresponding to the proxy authority ID in the proxy authority ID column 512 of the login state storage table 510 is extracted, and it is confirmed that the valid / invalid column 416 in the row is valid. Whether the operator ID in the column 413 matches the operator ID of the operator, the operation in the allowed operation column 414 matches the operation to be performed, the object in the object column 415 and the target of the operation (The matching here includes the matching of the document class described above), whether it matches the expiration date in the validity period column 417, or within the number of operations in the valid operation count column 418. It is determined whether or not there is any.
The determination in step S810 is performed based on whether or not the operator inputs a password for proxy authority and whether or not the password matches the password stored in the password field 419 of the proxy operation information table 410. May be. The process related to the password may be performed when security is further ensured.

In step S <b> 812, the operation reception module 103 substitutes a proxy authority account (the operator ID of the person to be delegated) for the variable X. In other words, the operator ID of the agent is substituted for the variable X.
In step S814, the processing module 104 executes the operation received in step S802.

  In step S816, the operation history acquisition module 105 records the value of the variable X in the agent column 613 in the operation history table 610. That is, when the operator himself has authority (yes in step S806), NULL is stored in the delegated person column 613, which means that the operation is performed with the authority of the operator. In addition, when the operator himself does not have authority but has proxy authority (no in step S806 and yes in step S810), the agent's operation field of the agent is displayed in the agent column 613. This means that the person ID is stored and operated as a substitute for the person to be delegated. In addition, according to the operation, it is recorded in other columns (such as the object column 611) in the operation history table 610.

  The hardware configuration of the computer on which the program according to the present embodiment is executed is, for example, as shown in FIG. 9, a general computer, specifically a personal computer, a computer that can be a server, or the like. A CPU 901 that executes programs such as the authorization module 102, the operation reception module 103, the processing module 104, and the operation history acquisition module 105, a RAM 902 that stores the programs and data, a program for starting the computer, and the like are stored. ROM 903, an auxiliary storage device HD 904 (for example, a hard disk can be used), an input device 906 for inputting data such as a keyboard and a mouse, an output device 905 such as a CRT or a liquid crystal display, and a communication network A communication line interface 907 for connecting (for example, a network interface card can be used) and a bus 908 for connecting and exchanging data are configured. A plurality of these computers may be connected to each other via a network.

Among the above-described embodiments, the computer program is a computer program that reads the computer program, which is software, in the hardware configuration system, and the software and hardware resources cooperate with each other. Is realized.
Note that the hardware configuration illustrated in FIG. 9 illustrates one configuration example, and the present embodiment is not limited to the configuration illustrated in FIG. 9, and is a configuration that can execute the modules described in the present embodiment. I just need it. For example, some modules may be configured by dedicated hardware (for example, ASIC), and some modules may be in an external system and connected via a communication line. A plurality of systems shown in FIG. 5 may be connected to each other via communication lines so as to cooperate with each other. In particular, in addition to personal computers, information appliances, copiers, fax machines, scanners, printers, and multifunction machines (image processing apparatuses having two or more functions such as scanners, printers, copiers, and fax machines). Etc. may be incorporated.

In the above embodiment, the data structures shown in FIGS. 3 to 7 are not limited to these data structures, and may be other data structures. For example, the table structure may be a link structure or the like. Further, the data items are not limited to those shown in the drawings, and may have other data items.
In addition, when there are a plurality of authorities necessary for performing the proxy operation, it may be presented so that the operator can select.
Further, when granting proxy authority, the authority granting module 102 grants “operator's own authority and proxy authority” or “delegation authority only” for the authority of the operator. You may do it. In that case, you may show to the operator so that either can be selected.
In addition, when “operator's own authority and proxy authority” is given, the UI processing module 201 presents “operator's own authority” or “proxy authority”. May be.
In addition, the UI processing module 201 can identify the authority of the operator, and if the operation that is not permitted cannot be selected by mistake, the UI processing module 201 presents the authority of the agent currently in possession. You may make it do.

The program described above may be provided by being stored in a recording medium, or the program may be provided by communication means. In that case, for example, the above-described program may be regarded as an invention of a “computer-readable recording medium recording the program”.
The “computer-readable recording medium on which a program is recorded” refers to a computer-readable recording medium on which a program is recorded, which is used for program installation, execution, program distribution, and the like.
The recording medium is, for example, a digital versatile disc (DVD), which is a standard established by the DVD Forum, such as “DVD-R, DVD-RW, DVD-RAM,” and DVD + RW. Standards such as “DVD + R, DVD + RW, etc.”, compact discs (CDs), read-only memory (CD-ROM), CD recordable (CD-R), CD rewritable (CD-RW), etc. MO), flexible disk (FD), magnetic tape, hard disk, read only memory (ROM), electrically erasable and rewritable read only memory (EEPROM), flash memory, random access memory (RAM), etc. It is.
The program or a part of the program may be recorded on the recording medium for storage or distribution. Also, by communication, for example, a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), a wired network used for the Internet, an intranet, an extranet, etc., or wireless communication It may be transmitted using a transmission medium such as a network or a combination of these, or may be carried on a carrier wave.
Furthermore, the program may be a part of another program, or may be recorded on a recording medium together with a separate program. Moreover, it may be divided and recorded on a plurality of recording media. Further, it may be recorded in any manner as long as it can be restored, such as compression or encryption.

It is a conceptual module block diagram about the structural example of this Embodiment. It is a conceptual module block diagram which looked at the structural example of this Embodiment from another viewpoint. It is explanatory drawing which shows the data structural example of a user management table and a group management table. It is explanatory drawing which shows the data structural example of the information table for proxy operations. It is explanatory drawing which shows the data structural example of a login state storage table. It is explanatory drawing which shows the data structural example of an operation history table. It is explanatory drawing which shows the example of a data structure of an access right management table. It is a flowchart which shows the process example by this Embodiment. It is a block diagram which shows the hardware structural example of the computer which implement | achieves this Embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 101 ... Login module 102 ... Authority grant module 103 ... Operation reception module 104 ... Processing module 105 ... Operation history acquisition module 112 ... Representative memory module 114 ... Object storage module 115 ... Operation history storage module 201 ... UI processing module 202 ... User Group management module 203 ... Operation history management module 204 ... Object management module 205 ... Login status management module 206 ... Access right management module

Claims (6)

On the computer,
An agent storage means for controlling an operator identifier for identifying an operator and an agent identifier for identifying an agent that can be represented by the operator to be stored in a storage device;
Based on the correspondence stored in the agent storage unit, authority granting unit for granting the authority of the agent to the operator;
An information processing program that functions as a history acquisition unit that acquires a history of operations performed by an operator authorized by the authorization unit together with an operator identifier and a recipient identifier. The agent storage means further stores an operation or operation target that the operator can perform on behalf of the agent,
2. The information according to claim 1, wherein the authority granting unit grants an authority to an operation or an operation target stored in correspondence to the operator in the agent storage unit. Processing program. The agent storage means further stores a period during which the operator can substitute,
3. The information according to claim 1, wherein the authority granting unit grants an authority to the operator within a period stored in the agent storage unit corresponding to the operator. 4. Processing program. The authority granting means grants the authority of the delegate to the operator in addition to the authority of the operator, or grants the authority of the delegate in place of the authority of the operator. The information processing program according to any one of claims 1 to 3. In the computer,
A group identifier for identifying a group and an operator identifier of an operator who is a member of the group are associated with each other and further functioned as an operator / group storage means for controlling to store in a storage device,
The operator identifier stored in the agent storage means includes a group identifier for identifying a group including the operator as a member,
When the operator identifier stored in the agent storage unit is a group identifier, the authority granting unit, based on the operator / group storage unit, to an operator who is a member of the group identifier, The information processing program according to any one of claims 1 to 4, wherein an authority of the agent is given. An agent storage means for storing an operator identifier for identifying an operator and an agent identifier for identifying an agent to whom the operator can act;
Based on the correspondence stored in the agent storage unit, authority granting unit for granting the authority of the agent to the operator;
An information processing system comprising: a history acquisition unit that acquires a history of operations performed by an operator authorized by the authority granting unit together with an operator identifier and an agent identifier.

Images