JP2010198602A - Access right management device, access right management system, access right management method, program, and recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an access right management device, wherein a status change for an access right to DB can be grasped by each user in real time, and the status change can be informed to the user side prior to a change of the DB structure, an access right management system with good usability, an access right management method, a program, and a recording medium. <P>SOLUTION: The access right management device for managing the access right to a DB to provide information through the ID information has a means for collectively transmitting the completed implementation information to each user terminal belonging to a group when an access right of a plurality of the grouped user terminals is commonly processed by adding/changing/deleting in a group unit. The access right management device, also, has a means for collectively transmitting the completed implementation information to each user terminal, which belongs to the group, before a change in server configuration occurs. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an access right management apparatus and an access right management system for managing communication of addition / change / deletion of access rights for individual users assigned to a group consisting of a plurality of users in a database (DB) system. , An access right management method, a program, and a recording medium.

  One of basic information security measures for an in-company DB (database) or the like is setting and managing access rights. With this setting, the company prevents information leakage due to unauthorized access to the DB.

  Clicking on an icon opens a DB, for example, a DB such as Lotus Notes DB (Lotus Notes is a registered trademark), and adds / changes / deletes IDs in the access control list in exactly the same way. Thus, access rights are managed. In this case, for example, the DB administrator creates an ACL (Access Control List) in which access right holders who can access the DB are registered, and stores the ACL in the DB server. The DB server refers to the ACL in response to a request for access to its own DB, and permits access to the DB only when the access requester is an access right holder. In addition, in each DB server, ACL creation is not performed, and ACL management (for example, addition / change / deletion of access right holders) is performed in an appropriate management DB server. Operate the DB system in the form of holding a copy of the ACL of the management DB server and updating it as needed, or checking the access right by inquiring the management DB server every time each DB server is accessed There is also.

  In the case of a DB such as Lotus Notes, not only an individual is registered as an access right holder to be registered but also a group may be registered (recorded) in the ACL. In that case, an individual belonging to the registered group becomes a registration target, and an access right is set for that person. That is, it is possible to manage individual access rights of a plurality of grouped user terminals at least in group units. A group address is arbitrarily created for the personal ID for the purpose of belonging to a normal business department, department or section, DB access management, or the like.

  Registration by group address may be registered under a plurality of conditions. For example, Patent Document 1 proposes a technique that facilitates analysis based on an access control level by analyzing group members registered in a group address. Patent Document 2 discloses a technique related to automatic update processing of an access control list under group registration.

  In such a conventional DB, on the access right management side, as exemplified in the operation screen display example of FIG. 12, the access right is added as a personal ID or a group address including the personal IDs as an access control level: administrator, design. Applicable DBs can be viewed by adding them according to the situation such as the editor, editor, creator, reader, or contributor. An access control list change record (log) can be displayed (see the screen display example in FIG. 13).

  By the way, in the conventional DB system, it cannot be said that the response to the user side is sufficient for the current state of the access right management state. The record of addition / change / deletion can be seen on the access right management side by looking at the log as shown in FIG. 13, but there is no communication with the user having the corresponding ID. In addition, since the number of log records is limited, it is not possible to save all the logs over a long period if change recording is frequently performed. As described above, the user side cannot obtain any information on addition / change / deletion of access right, and in particular, when the access right is deleted without the user's clear recognition due to the access right change of the group unit. Has the disadvantage of suddenly failing to open the DB.

Specific examples of problems that occur in such cases are given below. In the Lotus Notes DB operating environment, it was only in September when the days after the change passed that the user A realized that the required bulletin board could not be browsed due to the change of the group address accompanying the organizational change. After the DB administrator made inquiries to various places without knowing it, he finally became able to view the DB by examining the procedure and applying for it one month later. After that, to make sure that this is not the case, click on the bulletin board DB every day to check if it can be viewed. However, the time required for that will be necessary every day. Inconvenience occurred. In addition, since the DB content is displayed by clicking an icon, there is a problem that an icon is created each time the DB is opened, and the location of the necessary DB is unknown.
On the other hand, a change in the configuration of the DB itself, specifically, the fact that the DB itself does not exist due to the movement of the server, or for a DB that is not frequently used, the file is compressed and the capacity archiving process is performed. There is a problem that it cannot be viewed easily.
In such a case, the DB cannot be opened even if the icon is clicked in the same way as when the group address is changed.
Even if the archived information is retrieved, it takes time, so that the necessary information cannot be obtained immediately.
In such a case, if it is known that the server is moved or archived in advance, it becomes possible to back up necessary information.

  The present invention has been made in consideration of the above-mentioned circumstances, and solves the problem of inconvenience seen from the user side, which occurs with the access right management method of the conventional DB system, and enables individual users to It is an object of the present invention to provide an access right management device, an access right management system, an access right management method, a program, and a recording medium capable of grasping in real time changes in the status of DB access rights and changes in DB configuration information.

In order to solve the above-mentioned problems, the present invention is characterized by having the following solution means.
(1) An access right management device that manages an access right to an information providing DB based on ID information assigned to each user terminal, wherein at least the access rights of a plurality of grouped user terminals are When management is performed in units of groups and the common access right addition / change / deletion processing is performed in units of groups, the execution completion information of the processing is displayed as individual users belonging to the group when the processing is completed. It is characterized by comprising notification means for collectively notifying the terminal.

(2) In the access right management device according to (1), in the access right management device, in the information provision DB accessible to the requesting user terminal in response to a notification request from the user terminal. A list can be notified.
(3) Further, in the access right management device according to (2), in the access right management device, an information provision DB accessible to the requesting user terminal is iconified and visually displayed in the user terminal. It can be characterized by being displayed.

(4) The access right management device according to (2) or (3), wherein the access right management device is the accessible information provision DB or accessible at the requesting user terminal. The icons indicating the information providing DBs may be characterized in that they are visually classified and displayed based on the types of individual relevance between each information providing DB and the ID information of the user terminal.
(5) Also, in the access right management device according to (2) or (3), the access right management device may be configured such that the accessible information provision DB or the accessible is accessible at the requesting user terminal. An icon indicating a simple information provision DB is visually classified and displayed for each type of access authority.
(6) The access right management apparatus according to any one of (1) to (5), wherein the DB group address and access history members are contacted before and after the DB configuration is changed. To do.
(7) In the access right management apparatus according to any one of (1) to (5), the configuration is changed at least one week after the notification is notified to the group address and the access history member. And

(8) As a second aspect, the present invention provides an information provision DB connected to each other via a network so that data communication is possible, and the access right management according to any one of (1) to (5) An access right management system comprising: a device; and a plurality of user terminals in which individual access rights to the information providing DB are managed by the access right management device at least in groups and grouped. The terminal includes a communication unit that receives the execution completion information notified from the access right management apparatus through a network, and a display unit that displays the execution completion information on a screen in a predetermined manner. To do.

(9) As a third aspect, the present invention provides the access right management method for the access right management system according to (8), wherein the access right management device uses a common access right for each group. When the addition / change / deletion processing has been completed, the notification means collectively notifies the execution completion information to each user terminal described in (8) belonging to the group. In the user terminal, When the communication means receives the execution completion information notified from the access right management apparatus via a network, the display means displays the execution completion information on a screen in a predetermined manner.

(10) As a fourth aspect, the present invention provides a method for controlling a plurality of user terminals managed and grouped by the access right management device in the access right management system according to (8). A computer-executable access right management program group, the first program included in the program group is configured such that when the notifying unit has completed execution of a common addition / change / deletion process of the access right in the group unit, The step of notifying the individual user terminals belonging to the group collectively of the execution completion information is executed by a computer in the access right management device, and the second program included in the program group The communication means receives the execution completion information notified from the access right management device through a network. , The display unit of the user terminal, characterized in that to execute the respective steps of screen display in the embodiment completion information a predetermined manner, to a computer in each of the user terminals.
(11) The present invention also provides a program recording medium in which the first program or the second program according to (10) described above is recorded in a computer-readable format.

According to the present invention, the access right information is provided, and the change is notified to the user from the DB side. Therefore, the user side knows the access authority information of the individual DB by his / her ID, and does not try to access the DB. However, it is possible to determine whether or not the DB can be browsed.
Further, according to the present invention, it is possible to back up necessary information of the DB by contacting the DB related person before and after the change of the DB configuration occurs.

It is a block diagram showing an example of composition of a network system (including an access right management system) concerning this embodiment. It is the block diagram which showed the example of whole structure of the access right management apparatus (server) which concerns on this embodiment. It is a block diagram explaining the logical structural example of the access right management apparatus which concerns on this embodiment. It is the block diagram which showed the example of whole structure of the user terminal of the access right management system which concerns on this embodiment. It is a conceptual diagram which shows the example of access rights management processing outline | summary, such as expansion | deployment of the access control list in DB. It is explanatory drawing of ID communication, and the example of a display screen in list sending operation. It is a flowchart of the example of a notification process for the access right holder in the access right change process. It is an example of a display on a user terminal of DB related information. It is a figure which shows an example of the screen display in management DB (database which can be browsed with employee ID) (for list sending). It is a figure which shows the example of the content of a notification displayed in a user terminal. It is a conceptual diagram which shows the example of the outline | summary of another access right management processing system. It is an example of the operation screen display of the access right in the conventional DB (addition to the access control list). It is an example of an access control list change record (log) screen display.

  In the conventional system, as described above, as shown in FIG. 12, an access right is added by using a personal ID or a group address in which personal IDs are grouped together as an access control level: administrator, designer, editor, creator, Although it is added according to the situation of readers and contributors, this access right update fact has a difficulty in usability because there is no contact with those having the corresponding ID. However, as described in detail below, in the present embodiment, such addition / change / deletion record (at least one of addition, change, or deletion; the same shall apply hereinafter) is notified to the one having the corresponding ID. Thus, the user can grasp the access right situation of the DB in real time.

[First Embodiment]
Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. FIG. 1 is a conceptual diagram schematically showing an example of a network system including a user terminal (information processing terminal device) according to the present embodiment. FIG. 2 is an overall view of an access right management device according to the present embodiment. FIG. 3 is a schematic block diagram illustrating a configuration example, and FIG. 3 is a block diagram illustrating a logical configuration example of the access right management apparatus according to the present embodiment.

The network system shown in FIG. 1 includes a plurality of general-purpose computing devices (110_1 to 110_n) as user terminals, a network printer 210, a gateway 310, a Web server, and an intranet server that functions as an access right management device (hereinafter referred to as the present invention). Focusing on the objective function, it is simply referred to as an access right management device) 410 (within a LAN (Local Area Network)), a remote computer 510 (510_1, 510_2 to 510_m) which is an external Web (Web) server via the Internet, Remote user terminals (not shown) are connected to each other via a network so that data communication is possible.

  The networking environment shown in FIG. 1 is common in offices, enterprise-wide computer networks, intranets and the Internet. Hereinafter, embodiments of the access right management apparatus and related devices will be described in detail by taking this network system as an example. The access right management apparatus 410 also has a well-known user authentication function that will not be described this time (for example, verification based on ID information set for each individual user) and a well-known intranet server function. It functions as a Web server in the LAN, and internal documents and reference data are stored in the form of Web contents in the memory device and can be used from the terminal device.

  In the network system of FIG. 1, an access right management device (for example, an intranet server) 410 for implementing the present embodiment is composed of a personal computer device, and a CPU (Central Processing Unit) 120 ′ is used as a main part. A control unit 120, a system memory (main storage unit) 130, a user input interface (input unit) 160, a display unit, a communication interface (network interface) 170, and a hard disk drive as an external storage device 141 (which will be described in detail later with reference to FIG. 2).

  The control unit 120 includes a CPU 120 ′ and the like, reads a processing execution program and necessary data stored in the external storage device 141, and executes processing to be described later using data from the outside as necessary. The system memory 130 includes a RAM (Random Access Memory) and the like, and is used as a work area for the control unit 120. The user input interface 160 is connected to input devices such as a keyboard 162 and a mouse 161 and supplies input information to the control unit 120. The display unit includes a CRT (Cathode Ray Tube), a liquid crystal display, and the like, and displays an image in accordance with an instruction from the control unit 120. The communication interface 170 is for communicating with other devices (such as the user terminal 110 and each information providing database) via a network such as a LAN. The access right management device 410 is realized by using a personal computer device (which will be described later, the user terminal 110 also uses a similar personal computer device).

The personal computer device as described above includes a user terminal 110, a remote computer 510 (510_1, 510_2 to 510_m) which is an external Web server via the Internet 172, a primary DNS (Domain Name System) not shown,
It operates in a networked environment using logical connections to a plurality of remote computers, such as secondary DNS servers. Each remote computer is a network device such as a personal computer, a server, a router, a network PC, a peer device, and other generally known network nodes.

  The access right management apparatus 410 is positioned as an intranet server, holds an access right DB, and uses a known appropriate user authentication function (not described in this specification) using the access right DB and the access right DB according to the current situation. An access right management function for maintaining (adding / changing / deleting an access control list in the DB) is provided. In the embodiment, the access right management device 410 also includes an information providing DB and functions as a known content server. However, this function is well known and will not be described in detail in this specification. In this specification, the apparatus configuration and processing operation will be described in detail in line with access right management.

  The configuration of the access right management apparatus 410 according to the present embodiment will be described in more detail with reference to the configuration block diagram of FIG. As shown in FIG. 2, the access right management apparatus 410 according to the present embodiment includes a CPU 120 ′ that controls the entire apparatus, a system memory 130 including a ROM (Read-Only Memory) 131 and a RAM 132, a hard disk drive 141, A communication interface (network interface (network I / F)) 170, a display device (display unit) 191, an input unit (160 to 162), and the like are connected via the system bus 121, and a local area network (LAN) is connected by the communication interface 170. It is configured by a well-known computer system that functions as a network device while being connected to the H.171.

  The access right management device 410 as a computer device is connected to the local area network 171 via a communication interface (adapter) 170 when used in a LAN networking environment. Although omitted in FIG. 2, a protocol stack as a component for connecting the communication interface 170 to the system bus 121 is provided. This is a program implemented (stored in the hard disk drive 141) to realize data communication in accordance with a predetermined protocol (for example, one of or both of IPv4 (Internet Protocol version 4) and IPv6 (Internet Protocol version 6)). It is a module.

  The system bus 121 couples various system components including a CPU (processing device) 120 ′ and a system memory 130. The system bus 121 employs any combination of a plurality of types of bus structures as appropriate, including a memory bus or memory controller, a peripheral bus, and a local bus using any of various bus architectures.

  The system memory 130 includes a recording medium in the form of volatile and / or nonvolatile memory such as read-only memory (ROM) 131 and random access memory (RAM) 132. A basic input / output system (BIOS) 133, which includes basic routines that help to transfer information between elements within the computer 410, such as at startup, is typically stored in the ROM 131. The RAM 132 is typically loaded with data and / or program modules that are immediately accessible by the CPU 120 'and / or are currently being manipulated by it.

  A user may enter commands and information into the computer 410 using input devices such as a keyboard 162 and pointing device 161, commonly referred to as a mouse, trackball or touch pad. These input devices are connected to the system bus 121 via a user input interface 160 or other suitable mechanism. In an embodiment, the input device is connected to the controller 120 via a user input interface 160 coupled to the system bus 121, but other devices such as a parallel port, a game port, or a universal serial bus (USB). Sometimes connected by an interface and bus structure.

  Further, the access right management device 410 includes various removable / non-removable, volatile / nonvolatile computer-readable recording media. FIG. 2 shows a hard disk drive 141 that reads from or writes to a fixed non-volatile magnetic medium, a floppy disk drive 151 that reads from or writes to a removable non-volatile floppy disk 152, and a CD-ROM. An optical disk drive 155 that reads from or writes to a removable non-volatile optical disk 156 such as an optical medium or the like is shown as an example.

  The hard disk drive 141 is connected to the system bus 121 by a fixed nonvolatile memory interface (non-removable memory interface) 140 that is one of the interfaces, and the floppy disk drive 151 and the optical disk drive 155 are generally one of the interfaces. The detachable nonvolatile memory interface (removable memory interface) 150 is connected to the system bus 121.

  A program group necessary for implementing this embodiment is installed in a state of being installed in advance in a hard disk drive 141 as a recording medium. That is, a part of the storage area of the hard disk drive 141 described above is used as a storage area for computer-readable instructions, data structures, program modules for realizing each function of the access right management device 410, and data. In FIG. 2, an operating system 600, an application program 700, an access right management program 800 and program data 134 are stored in a hard disk drive 141 as a recording medium and loaded onto the system memory 130.

  As these software components, the operating system 600, the application program 700, the access right management program 800, and the program data 134 may all use a common recording medium, but may be appropriately distributed and recorded on each recording medium. That is, in the network environment, the program module shown with respect to the access right management apparatus 410, or a part thereof, can be stored in the remote memory storage device in addition to the storage means of the own apparatus.

  Further, in the same hard disk drive 141, a master DB 900 (access control list (ACL): 910 as a management DB for realizing an access right management function, an employee master DB as a personal information DB storing information related to users: 920) As a group information DB, a correspondence table of group ID (group address) and member ID: 930) is implemented. The hard disk drive 141 is also provided with a content DB 950 for realizing a function (not shown) as a well-known Web server in the LAN.

  In this type of apparatus, a plurality of hard disk drives 141 may be connected to each other depending on the role of data to be stored. In some cases, the individual hard disk drives 141 are multiplexed and two hard disk drives are operated in parallel.

  Incidentally, an access right management device that is a network device is equivalent to a configuration in which a part of the data storage function is shared by a separate server device connected to the network so that necessary data can be referenced as necessary. There are many examples of such systems.

  Next, the configuration of the user terminal 110 in the embodiment will be described. The configuration of the user terminal 110 as a computer device according to this embodiment is mostly the same as the access right management device 410 described above. FIG. 4 shows an example of a configuration block diagram of the user terminal 110. In FIG. 4, the same elements as those in FIG.

  When used as the user terminal 110, the computer includes a microphone 196 and a speaker 197 connected via an input / output peripheral interface 195 as external peripheral output devices. On the other hand, the master DB and the content DB are not provided, but a communication terminal function and an information processing function are provided. The display system comprising the video interface 190 constituting the screen display control means and the display device 191 realizes a multi-window function capable of displaying one or more work windows on the screen of the display device in cooperation with the implementation software. is doing.

  The user operates a graphic user interface (GUI) displayed on the above-described screen by operating an input device (for example, comprising a user input interface 160, a mouse 161, and a keyboard 162), data communication, web page browsing, document Various computer processes including a printing process can be performed. In addition, an access right confirmation control program 800 ′ for grasping the current state of the access right is installed. When logging in to the network system (usually requiring authentication) and connecting to an external network device or the like to use various services, the access right management device 410 sets each of the users. Authentication based on ID information is required.

  When the user terminal 110 is used in a WAN (Wide Area Network) networking environment, the user terminal 110 is further connected to an external network 172 via the gateway 310 to access a remote computer 510 at a remote location. It is possible. The remote computer 510 illustrated in the figure is a Web server, and the Web content 512 is stored in the memory device 511 and is open to the public, and can be used by the user terminal 110. Schedule data managed for each user of the client device and data of a conference scheduled to be held by the user are managed.

  In order to make the above-described user terminal 110, access right management process 410, printer 210, etc. communicable via the network 171, an IP (Internet Protocol) for identifying a device in that network is used. It is necessary to set the address. Incidentally, the number of IP addresses set in this way is limited to one for IPv4, but there is no such limitation for IPv6, and a plurality of types of IP addresses can be set.

  The IP address can be set by a manual and automatic setting function regardless of whether it is IPv4 or IPv6. Of these setting functions, the manual setting function (manual setting, static) is performed according to the setting management program of the user terminal 110, as will be described later. As for the automatic setting function (automatic setting), in the case of IPv4, only an IP address acquired from a DHCP (Dynamic Host Configuration Protocol) server (not shown) installed on the network is set as its own IP address. However, in the case of IPv6, in addition to what is acquired from the DHCP server as its own IP address (stateful), information acquired from a router (not shown) provided on the network or the like (prefix) ), And an IP address generated from a MAC (Media Access Control) address assigned to its own communication interface 170 and set as its own IP address (stateless).

  Next, the access right management process in the access right management system that is the network system according to the present embodiment will be described in detail. In the network system according to the present embodiment, a Notes (registered trademark) DB system is constructed, and the access right management device 410 performs an access right management process (detailed later) of the user of the user terminal 110. In addition, in response to a service provision request from the same user, authentication processing for the access right of the requesting user (not included in the access right management processing in this specification), data communication and Web content for the user after successful authentication Various service providing processes including browsing, document printing, and the like.

  The computer processing in the user terminal 110 and the access right management device 410 in this embodiment is performed by a computer program (operating system (OS), application software, etc.) and a CPU (Central Processing Unit) of the computer (user terminal). It is executed by using a system memory (main storage device) or the like.

  In the following description, the description is made on the assumption that it is implemented on a personal computer that employs Windows (registered trademark) of Microsoft Corporation as the OS. Needless to say, a device may be used.

  The computer program is provided in a form of an auxiliary storage device connected to the computer, a portable storage device such as a floppy disk (registered trademark) or a CD-ROM (Compact Disk Read Only Memory), or a network. It may be provided by being stored in each recording medium such as a main storage device and an auxiliary storage device of another computer, and when executing the computer program, it is loaded onto the system memory of the execution computer and executed. .

  As shown in FIG. 3 (a block diagram showing a logical configuration example), the access right management apparatus 410 includes a communication unit 630, a screen display unit 640, and the like as functions of the installed operating system 600. It has a DB update processing request means 830, an ID setting information acquisition means 840, and an ID authentication means 850 as programs to be executed, and an ACL operation means 810 and a grouping control means as program modules constituting the access right management program 800 820.

  Each means in the illustrated configuration is actually stored in the hard disk 141 which is an external storage unit, and is read into the system memory 130 under the control of the CPU 120 ′ of the control unit 120, and a program for realizing each function It is realized in a form fused with a hardware configuration mainly operating (software). Each function is realized by the CPU 120 ′ of the control unit 120 executing programs on the system memory 130.

  Hereinafter, main operations in the present embodiment will be described in detail. FIG. 5 shows an example of access right management processing such as expansion of an access control list in the DB performed on the access right management device 410 side (intranet server side) in the present embodiment (only the group processing related part is shown and known processing is shown). Is a conceptual diagram. The access right management device 410 performs a change process on the personal ID of the constituent member when the access control of the group ID in the group information DB access right DB is added / changed / deleted. Also, as shown in FIG. 6, when addition / change / deletion is performed from the DB, a notification regarding specific contents such as date and reason is transmitted to the user having the corresponding ID (notification).

  That is, as shown in the ID contact processing conceptual diagram of FIG. 5, when added / changed / deleted from the DB, a user master (personal information list) in which personal IDs are managed and a group in which personal IDs are collected With reference to the information DB (group address), the group address is expanded into individual personal IDs, and these personal IDs are excluded from duplication with those registered only by the personal IDs in the personal information list. Thereafter, to the user terminal 110 having a corresponding ID for each personal ID, information on the addition / change / deletion of the access control list (contact information regarding specific contents such as date and reason) is transmitted as a mail (notification). In this way, the notification of the completion of the change process is automatically made by mail based on the DB that manages the change process. Note that it is easy to communicate in a document other than mail.

  FIG. 7 is a flowchart showing an outline from the access right change to the notification process for the access right holder. When an administrator receives an access right change content input using the input device 160 or an access right change request received from another network device via the network 171 (S11), the access of the corresponding group address (or personal ID) is made. A right addition / change / deletion process (ACL change) is performed (S12). It is determined whether the access authority change process is a group unit (all members) or a specific individual within the group (S13). In the case of a change process for a specific individual within the group (S13 / specific individual within group), the process ends. When the change is made in units (all members) (S13 / all members in the group), the personal ID of the constituent member is expanded based on the group address (S14), and the expanded personal ID and the personal ID in the ACL overlap And matching between duplicate personal IDs is performed (S15).

  Subsequently, for each personal ID for which the access right changing process has been completed, visualization data is generated for the current state of the changed access right (S16). Then, the current access authority change content is notified by e-mail to the e-mail address associated with the processed personal ID (S17). The processing request source is notified that the requested change processing has been completed (S18).

  FIG. 8 shows an example of DB related information notified to the user terminal 110. In the example of FIG. 8, information such as whether the ID is a common position or department or section, whether it is necessary at the group level, or whether it belongs to other departments, is visually displayed. The action to be taken is shown by showing each.

  The access right management apparatus 410 according to the present embodiment authenticates the requesting user when there is a content use request from a computer operating as a client terminal as a function as a content server in addition to the access right management function. The use of the requested content is permitted, but this point is already well-known technology and will not be described here. In addition, in response to a user authentication request from another content server (not shown), the gateway server 310, or the like, a well-known authentication access control function is provided for verifying sent user information and returning an authentication result. Also, the description is omitted.

  As described above, the access right management system according to the present embodiment is an access right management system that eliminates the disadvantages of the conventional system and enables individual users to grasp the change in the status of the DB access right in real time. Therefore, usability is improved from the user side.

[Second Embodiment]
Subsequently, an embodiment different from the first embodiment will be described. In the first embodiment, as described above, the user is notified of the completion of the change directly (meaning automatically following the change process as a trigger) directly from the corresponding DB. In the present embodiment, as a further function using the system described so far, as an additional function from the access right management DB, and indirectly from the request action from the user terminal 110 (in other words, in response to the request). It has the function to be contacted.

  FIG. 9 shows an example of a screen display in the management DB (database that can be viewed by the employee ID) when notification is indirectly made from the access right management device 410. A notification (for example, a link or an icon) is sent by a list sending operation in which the list sending button is pressed.

FIG. 10 shows notifications displayed on the user terminal 110 ((a) is an example when a link is received, and (b) is an example when an icon is received). The user terminal 110 is notified of a list of accessible DBs, so that it can be understood at a glance what DBs it can access. By displaying the link or DB icon, the user can intuitively understand the current state of access rights. By referring to the access right management DB by operating the link or icon, the display of FIG. 8 exemplified above is obtained. What is the DB that I can see in the display of DB related information, and the ID that is the basis for the display is the personal ID You can know various information, such as whether it is a thing or group address, what authority is, and the date of addition (indirect notification).
[Third Embodiment]
In order to reduce or organize the load on the DB server, the server on which the DB is mounted may be moved.
Further, in order to avoid problems such as degradation of the response of the server itself and reduction of the used capacity of the frequently used DB when the infrequently used DB is loaded on the server in a normal state, the DB performs an archiving process. There are things to do.
In such a case, the contents of the DB cannot be opened by normal access.
Before and after the configuration change, the members and the access history (FIG. 13) described in the DB group address (FIG. 12) are contacted before and after the configuration change as in FIG.
If it is before the change, you can backup the necessary contents and check it later.
If there is no such notification, it is possible to prevent the same problem that the necessary DB cannot be seen due to the change of the group address.
The notification before the change is made after at least one week, preferably 2 to 5 days, more preferably 3 to 4 days after notification to the group address and the access history member, so that necessary backup can be taken.
The notification is performed once to three times every day before the start of the change so that a necessary backup is not forgotten.
In addition, the change of DB can be reconfirmed by notifying after the change.
The communication after the change can be thoroughly communicated by performing it every day for one week after the change.

  The following are actual examples when the present embodiment is used.

[Case 1]
In the state of December of a certain year, there is a group address A where a member of the A division is registered and a group address B where a member of the B division is registered. In the bulletin board database, group address A and group address B are registered as “creator authority”, respectively, and members of the A division and the division B could see the bulletin board (database).

  Thereafter, in January of the following year, an access right management system, which is a network management system in the present embodiment, was introduced.

  In April of the same year, the A and B divisions were merged into a C division due to a review of the organization, and the group address C was newly established. The group address C was registered with “author authority” in the bulletin board database. .

In the same year, Group A was deleted from Group C and Group Address B was deleted in June. In addition, each person of Kai Otomo has changed affiliation under the following conditions.
Party A: Department A to Department D Department B: Department B to Department C Department IV: Department D to Department B

  We were informed that the access rights to the bulletin board database were lost in June, and we were able to grasp the change in access rights without delay. However, because it was necessary for us to view the bulletin board, we applied to the database administrator for viewing and were informed that we were allowed to view the database.

  B was informed in April that the bulletin board database can be viewed with the access right at group address C. It was also notified that group address B was deleted in May.

  Tsuji was informed that the bulletin board database can be browsed with the access right at group address C in April. It was also notified that group address B was deleted in June.

  Kai Otomo confirmed the list by operating the send list button to confirm the viewable DB. By comparing the icons, the database icons that cannot be browsed are deleted and only the databases that need to be accessed normally are displayed.

[Case 2]
Otsu made many DB icons, making it difficult to understand the necessary DBs. Therefore, a notification request is sent to the DB icon list by pressing the send button. Since the icons are sent as shown in FIG. 10, the necessary DBs can be easily distinguished from the unnecessary DBs, the unnecessary DB icons can be deleted, and the desktop can be organized. It became so.

[Case 3]
Since Sakai does not know the relationship between each DB and his / her ID and has a problem in performing the business, the classification display visually shown in FIG. 8 is transmitted by operating the DB send button. As a result, the relationship between each DB and one's own ID became clear and business execution became easier.

  In the second embodiment, even when the direct notification function is omitted and only the indirect notification function is used, the access right is commonly added / changed / deleted (added) for each group. , At least one process of change or deletion) is included, and is included in the present invention as having a function of notifying execution completion information. In addition, a function may be provided for notifying when an access right is added / changed / deleted on an individual basis.

  In each embodiment, when used in a WAN networking environment, the access right management device 410 is further connected to an external network 172 via a gateway 310 to be connected to a remote computer (a variety of remote locations). Function server, etc.). Therefore, a configuration in which a part of the functions of the access right management device 410 in this embodiment is shared by an external server device may be employed. For example, all the content supply functions can be entrusted to an external data server, and the service acceptance processing function can be performed externally (the access right management device 410 cooperates to share the access right authentication process).

FIG. 11 is a conceptual diagram showing an outline of a system example in which the external server device includes a part of the functions described above. In the example of FIG. 11, when an access control list is added / changed / deleted by an external device that manages personal ID information and group addresses, the processing content is transferred from the device via a relay server. It is set to be sent. Then, in response to the processing content from the external server device, the access right management device performs the same processing as described above, that is, extracts the personal ID and group address for which the ACL change / addition / deletion target has been completed, and the group The personal ID corresponding to the address change is identified, the ID information is visualized (list data creation, DB icon conversion processing, etc.), and the user terminal of the ID is passed through the relay server. Send mail (notify process completion) and send icon data. Further, in response to a list display request from each user terminal, data corresponding to the requesting user terminal is returned and predetermined DB information is visually displayed.
[Case 4]
Ding got a report that DB arching according to the present invention was performed, and therefore backed up necessary information.
On the other hand, the niece who has not received the benefits of the present invention has opened the DB with the necessary information for the first time in a long time. It took about a week.

As described above, specific examples of the embodiment have been described. However, these are only one aspect of the present invention, and the access right management apparatus, the access right management system, the access right management method, the program, and the recording medium according to the present invention are described. The technical scope of is not limited.
As described above, according to the present invention, it is possible to provide a system in which individual users can grasp a change in the status of DB access rights in real time, and the usability as viewed from the user side can be improved.

  In addition, according to the present invention, since an accessible list is notified from the access right management DB, it is possible to grasp the DB that can be browsed by the user in real time. Moreover, it can confirm again if confirmation operation is carried out to management DB.

  Further, according to the present invention, since the DB icon is displayed, it is possible to grasp which DB is visually without depending on the DB name in addition to the above effect.

  Further, according to the present invention, the relationship between the DB and the ID is visually classified and displayed, so that the user can understand the relationship between his / her ID at a glance.

Further, according to the present invention, the user's authority can be easily understood at a glance by visually displaying each access right type.
According to the present invention, it is easy to back up necessary information to receive notification before and after the change in the configuration of the DB.

  Further, according to the present invention, the use can be expanded as a medium having the invention related to the access right management apparatus.

110 User terminal (personal computer)
120 control unit 120 ′ CPU (processing device)
121 System bus 130 System memory 131 ROM
132 RAM
134 Program data 141 Hard disk drive (external storage device)
152 floppy disk (registered trademark) 156 optical disk 160 user input interface 161 mouse (pointing device)
162 Keyboard 168 (Local) Printer 170 Communication Interface (Network Interface)
171 Local area network 190 Video interface (screen display control means)
191 Display device (monitor)
210 Network Printer 310 Gateway 410 Access Right Management Device (Intranet Server)
600 Operating system 630 Communication means 700 Application program (group)
800 Access right management program 810 ACL operation means 820 Grouping control means 830 DB update processing request means 840 ID setting information acquisition means 850 ID authentication means 900 Master DB (employee master DB)
950 Content DB

JP 2007-257603 A JP 2007-172280 A

Claims (11)

An access right management device that manages the access right to the information providing DB based on ID information assigned to each user terminal,
Managing each access right of a plurality of grouped user terminals at least in group units,
When the common addition / change / deletion processing of access rights in the group unit is performed, the execution completion information of the processing is collectively notified to the individual user terminals belonging to the group when the processing is completed. An access right management device comprising notification means for performing In response to a notification request from the user terminal,
The access right management apparatus according to claim 1, wherein a list of information providing DBs accessible by the user terminal as a request source is notified.   The access right management apparatus according to claim 2, wherein the information providing DB accessible by the requesting user terminal is displayed as an icon on the user terminal.   In the requesting user terminal, the accessible information providing DB or the icon indicating the accessible information providing DB is assigned to each relevance type between each information providing DB and the ID information of the user terminal. 4. The access right management device according to claim 2, wherein the access right management device is visually classified and displayed on the basis thereof.   3. The requesting user terminal, wherein the accessible information providing DB or the icon indicating the accessible information providing DB is visually classified and displayed for each type of access authority. Or the access right management apparatus of 3.   The access right management apparatus according to any one of claims 1 to 5, wherein a contact is made to a group address and an access history member of the DB before and after the DB configuration is changed.   6. The access right management apparatus according to claim 1, wherein the configuration is changed at least one week after the notification is notified to the group address and the access history member. An information providing DB connected to be communicable with each other via a network, the access right management apparatus according to any one of claims 1 to 7, and individual access rights to the information providing DB at least in groups A plurality of user terminals managed and grouped by the access right management device, and an access right management system comprising:
The user terminal receives communication completion information notified from the access right management device through a network;
An access right management system comprising: display means for displaying the execution completion information on a screen in a predetermined manner. An access right management method for an access right management system according to claim 8,
In the access right management apparatus, when the execution of the common addition / change / deletion processing of the access right in the group unit is completed, the notification unit collectively sends the execution completion information to each user terminal belonging to the group. Notify
In the user terminal, when the communication means receives the execution completion information notified from the access right management device through a network,
The access right management method, wherein the display means displays the execution completion information on a screen in a predetermined manner. A computer-executable access right management program group for controlling a plurality of grouped user terminals managed by the access right management device in the access right management system according to claim 8,
The first program included in the program group is:
A step in which the notification means of the user terminal collectively notifies the execution completion information to the individual user terminals belonging to the group when the common addition / change / deletion processing of the access right in the group unit is completed. To the computer in the access right management device,
The second program included in the program group is:
The communication means of the user terminal receiving the implementation completion information notified from the access right management device through a network;
A program group that causes the display unit of the user terminal to cause the computer in each user terminal to execute the step of displaying the execution completion information on a screen in a predetermined manner.   A program recording medium in which the first program or the second program according to claim 10 is recorded in a computer-readable format.

Images