JP2011186769A - Content management system, content management apparatus and access control method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a content management system capable of easily performing flexible access control having a high degree of freedom when performing access control to a content. <P>SOLUTION: The content management system includes: a storage means which stores folder definition information indicating the definition of folder hierarchies for managing contents, folder information including data corresponding to the definition of each hierarchy and metadata given to a folder, contents related to the hierarchy of a stored folder and metadata given to the folder, and filter information in which the identification information of the folder definition information, content restriction information and access restriction information are related to information associated with an authenticated user; and an access control means which refers to the filter information on the basis of the information associated with the authenticated user, restricts contents from the identification information of the folder definition information and the content restriction information and performs operation restriction on the basis of the access restriction information. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a content management system, a content management apparatus, and an access control method for managing content.

  Conventionally, when restricting access to stored content, it is generally performed to define an access right corresponding to user identification information and accessible content. In this case, accessible content corresponding to the identification information of the user is acquired by an access request from the user, and the acquired content is provided to the user.

  On the other hand, it is a common practice to manage folders for storing content in a hierarchical structure (folder hierarchy) and organize storage locations in accordance with the contents. In this case, complicated operations such as setting links individually for the contents are required, for example, when it is desired to restrict access to contents of different layers in the upper folder.

  On the other hand, in Patent Document 1, access information describing the relationship between user information, category information describing a relationship between a plurality of categories and file names of files belonging to each category, and a category accessible by the user. A technique for permitting file access based on control information is disclosed.

  However, in the prior art, when the hierarchical structure increases or the number of managed electronic files becomes enormous, the category information becomes enormous, and the user needs a complicated work to create the category information. In addition, since the conventional technology performs access control based on category information, when performing access control on various content groups, it is necessary to set the category information for each group. There is a problem that access control cannot be performed easily. In addition, for example, in a backbone system that handles a large amount of data in a short time, when a large number of users are accessed, the processing load becomes large, so that appropriate access restrictions for the majority of users are required.

  Therefore, the present invention has been made in view of the above problems, and a content management system and content management capable of easily performing flexible and flexible access control when performing access control on content. An object is to provide an apparatus and an access control method.

  A content management system according to an aspect of the present invention is a content management system for managing content, and corresponds to folder definition information indicating a definition for each level of a folder hierarchy for managing content, and the definition for each level. Folder information including metadata and metadata related to the definition of the hierarchy, and contents associated with the hierarchy of the folder to be saved and the metadata attached to the folder Storage means for storing identification information of the folder definition information, content restriction information for restricting content, and filter information associated with access restriction information indicating a processable operation, and user authentication. Based on the authentication means and information about the authenticated user, Referring to filter information, to limit the content from the identification information and the content restriction information of the folder definition information comprises relative restricted content, and access control means for performing operation restriction based on the access restriction information.

  A content management apparatus according to another aspect of the present invention is a content management apparatus that manages content, and includes folder definition information that indicates a definition for each level of a folder hierarchy for managing content, and a definition for each level. And folder information including metadata related to the definition of the hierarchy, and contents associated with the hierarchy of the folder to be saved and the metadata assigned to the folder Storage means for storing identification information of the folder definition information, content restriction information for restricting content, and filter information associated with access restriction information indicating a processable operation in the information related to the authenticated user; Based on the authentication means for performing authentication and information on the authenticated user, Referring to filter information, to limit the content from the identification information and the content restriction information of the folder definition information comprises relative restricted content, and access control means for performing operation restriction based on the access restriction information.

  The access control method according to another aspect of the present invention includes: folder definition information indicating a definition for each level of a folder hierarchy for managing content; data corresponding to the definition for each hierarchy; and folders in the hierarchy Folder information including metadata related to the definition of the hierarchy, content of the folder hierarchy to be saved and content associated with the metadata assigned to the folder, and information related to the authenticated user An access control method in a content management apparatus for managing content comprising storage means for storing identification information of information, content restriction information for restricting content, and filter information associated with access restriction information indicating a process that can be processed An authentication step for performing user authentication and an authenticated user Access control that refers to the filter information based on information about the content, restricts content from the identification information of the folder definition information and the content restriction information, and restricts the restricted content based on the access restriction information Steps.

  According to the present invention, it is possible to provide a content management system, a content management apparatus, and an access control method capable of easily performing flexible and highly flexible access control when performing access control on content. .

The figure which shows an example of the content management system in an Example. The block diagram which shows an example of the hardware constitutions of the server 107 in an Example. The block diagram which shows an example of the function of the content management system in an Example. The figure which shows an example of account information. The figure which shows an example of organization information. The figure which shows an example of user information. The figure which shows an example of the data structure of the data regarding a folder hierarchy. The figure which shows an example of a hierarchy definition and metadata. The figure which shows the example of a screen of the data shown in FIG. The figure which shows an example of filter information. 6 is a flowchart illustrating an example of access control processing for content according to an embodiment.

  Embodiments of a content management system, a content management apparatus (information processing apparatus), and an access control method according to the present invention will be described below in detail with reference to the accompanying drawings.

  In the following embodiment, an information processing apparatus or a multifunction machine having a printer function, a scanner function, a copy function, and a facsimile function mounted in one housing will be described as an example of an apparatus for inputting content. However, the present invention is not limited thereto, and any device such as a scanner device, a facsimile device, a copy device, and a portable terminal can be applied as long as content can be input.

[Example]
<System and hardware>
FIG. 1 is a diagram illustrating an example of a content management system in the embodiment. As shown in FIG. 1, the content management system 100 includes a client (client device) 101, a load balancer (hereinafter also referred to as LB) 103, servers 105 and 107, a database (hereinafter also referred to as DB) 109, and a DB 111.

  The client 101 is, for example, an information processing apparatus or an MFP (Multifunction Peripheral), and issues an instruction to manage content such as an image file, a document file, a moving image file, and a music file on the server side.

  The LB 103 is also a firewall for detecting unauthorized access from a client, and further performs load distribution and performs request distribution processing. The LB 103 has a function of centrally managing requests from an external network and transferring the requests to a plurality of servers having equivalent functions.

  The server 105 manages user information and provides a service for managing user information. The user information includes organization information, a login name and a password used for user authentication.

  The server 107 manages folders and contents. The server 107 performs definition for each level of the folder hierarchy, and defines metadata assigned to the folder. The server 107 searches for folders and contents, and controls access to the contents.

  The DB 109 has a storage unit and manages the content ID, the URL of the content storage location, the content expiration date, and the like. The DB 109 stores user authentication information, content hierarchy information, content metadata, and filter information for restricting access to content. Details of each data will be described later. The DB 111 manages content stored in a folder hierarchy in which folders are hierarchized.

  The client 101 uses a browser to connect to the content management server 100 using a JavaScript (registered trademark) program such as “jQuery.js” or “Ajax framework” or “jsonAPI”, and searches and registers content. Each server and DB shown in FIG. 1 may be configured by arbitrarily combining a plurality of servers and DBs, or may be configured as one server. For example, when the server 105 is incorporated in the server 107, the server 107 has a user authentication function. Further, the DB 109 and the DB 111 may be one, or may be stored separately in three or more DBs.

  The content management system 100 is more suitable for a backbone system that handles a large amount of data in a short time. For example, this is a case where the server 107 is connected to a DB or the like of a basic system that handles a large amount of documents. In the backbone system, a large amount of data is processed in a short time and accessed by a large number of users, so that a large processing load is imposed on the system. By performing flexible access restrictions, which will be described later, on this basic system, unnecessary access can be reduced, processing load can be reduced, and high-speed processing can be performed.

  Next, the hardware configuration of the server in the embodiment will be described. FIG. 2 is a block diagram illustrating an example of a hardware configuration of the server 107 in the embodiment. As illustrated in FIG. 2, the server 107 includes a control unit 201, a main storage unit 203, an auxiliary storage unit 205, an external storage device I / F unit 207, and a network I / F unit 211.

  The control unit 201 is a CPU that controls each device, calculates data, and processes in a computer. The control unit 201 is an arithmetic device that executes a program stored in the main storage unit 203, receives data from the input device or the storage device, calculates and processes the data, and outputs the data to the output device or the storage device.

  The main storage unit 203 is a ROM (Read Only Memory), a RAM (Random Access Memory), or the like, and a storage device that stores or temporarily stores programs and data such as an OS and application software that are basic software executed by the control unit 201 It is.

  The auxiliary storage unit 205 is an HDD (Hard Disk Drive) or the like, and is a storage device that stores data related to application software and the like. The auxiliary storage unit 205 stores a predetermined program via the Internet. The predetermined program can be installed and executed.

  The external storage device I / F unit 207 is an interface between the server 107 and a storage medium 209 (for example, a flash memory or an SD card) connected via a data transmission path such as a USB (Universal Serial Bus).

  Further, a predetermined program is stored in the storage medium 209, and the program stored in the storage medium 209 is installed in the server 107 via the external storage device I / F unit 207, and the installed predetermined program is stored in the server 107. Can be executed.

  The network I / F unit 211 has a communication function connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network) constructed by a data transmission path such as a wired and / or wireless line. This is an interface between the device and the server 107.

  The server 107 may include an input unit and a display unit. The input unit includes a keyboard having cursor keys, numeric input, various function keys, and the like, and a mouse and a slice pad for selecting keys on the display screen of the display unit. The input unit is a user interface for a user to give an operation instruction to the control unit 201 or input data.

  The display unit is configured with a CRT, LCD, or the like, and displays according to display data input from the control unit 201.

<Function>
FIG. 3 is a block diagram illustrating an example of functions of the content management system in the embodiment. In the example illustrated in FIG. 3, the content management system 100 includes a client 101, a server 107, a DB 109, and a DB 111. The client 101 defines a folder hierarchy for managing content, accesses content, and performs editing. Editing includes browsing, creating, updating, and deleting.

  The server 107 includes a user authentication control unit 301, an access control unit 303, and a filter information acquisition unit 305. The user authentication control unit 301 performs user authentication for a user to access the content management system using a Web browser on the client 101.

  The user authentication control unit 301 acquires a login name and password from the client 101 and collates with master data registered in the user authentication information. If authentication of the acquired login name and password succeeds, the user authentication control unit 301 determines that the user is already registered (also referred to as a registered user), and sends an authentication ticket for identifying the user to the client 101. Issue.

  The authentication ticket is a character string including a user ID, an organization ID to which the user belongs, a session ID, and the like. Further, when the user authentication control unit 301 determines that the user who has attempted to log in is not a registered user, the user authentication control unit 301 transmits a login failure response to the client 101. Upon receiving the login failure response, the client 101 displays the login screen again.

  The access control unit 303 receives a content access request from the client 101 used by the user who has successfully logged in. At this time, the access control unit 303 identifies whether or not the user is a login user from the information on the authentication ticket included in the request for accessing the content.

  The access control unit 303 acquires a user ID and an organization ID from the authentication ticket. The access control unit 303 refers to the user authentication information 307 based on the acquired user ID, and acquires the metadata of the corresponding user ID. The access control unit 303 outputs the user ID, organization ID, and metadata to the filter information acquisition unit 305.

  The access control unit 303 acquires filter information corresponding to the registered user from the filter information acquisition unit 305, and specifies identification information of folder definition information corresponding to the registered user. The identification information of the folder definition information is, for example, “CabinetID” (cabinet ID). The access control unit 303 identifies which folder definition information is to be used based on the identification information of the folder definition information, and then identifies the content condition accessible from the filter information and the processable operation.

  The access control unit 303 uses the acquired content condition as a search formula, and acquires content corresponding to the search formula from the content information 311. The access control unit 303 transmits the acquired content and a process that can be processed to the client 101. The acquired content indicates content that can be accessed by the registered user.

  When the filter information acquisition unit 305 acquires the user ID, organization ID, and metadata from the access control unit 303, the filter information acquisition unit 305 refers to the filter information 313 and acquires filter information corresponding to the acquired user ID, organization ID, and metadata. . The filter information acquisition process will be described later. The filter information acquisition unit 305 outputs the acquired filter information to the access control unit 303.

  The user authentication control unit 301, the access control unit 303, and the filter information acquisition unit 305 can be realized by the control unit 201 or the like.

  The DB 109 stores and manages user authentication information 307, folder definition information 309, folder information 310, and filter information 313. The DB 111 stores and manages content information 311.

  The user authentication information 307 includes account information, organization information, and user information. The account information is information such as an account related to user authentication. The organization information is information related to the organization to which the user belongs. The user information holds information such as organization information and metadata about the user. Hereinafter, each information is demonstrated.

  FIG. 4 is a diagram illustrating an example of account information. In the example shown in FIG. 4, the account information is associated with a user ID 401, a login name 403, a password 405, and a group 407 assigned to the user. For example, the user ID “1” has a login name “tanave”. The user ID “3” has a login name “idata” and belongs to the “managers” group.

  FIG. 5 is a diagram illustrating an example of organization information. In the example illustrated in FIG. 5, the organization information is associated with an organization ID 501, an organization name 503, a display name 505 indicating a name displayed on the display, a time zone 507 indicating a location, and a language 509 indicating a language used. For example, the organization ID “1” is the organization name “Company A”, the display name on the display unit is “Company A”, the location is “Tokyo”, and the language used is “Japan”.

  FIG. 6 is a diagram illustrating an example of user information. In the example illustrated in FIG. 6, the user ID 401 is the same identification information as “ID” illustrated in FIG. 4, and the organization ID 501 is the same identification information as “ID” illustrated in FIG. 5.

  In the example illustrated in FIG. 6, user information is associated with a user ID 401, an organization ID 501, a login name 601, a tag (first metadata) 603, a tag (second metadata) 605, and a group 607. For example, the user ID “2” is the organization ID “3”, the login name is “wakamoto”, the first metadata “u_stag — 0” is “sales department”, and the second metadata is “ u_stag_1 ”is“ Yokohama Office ”.

  The user authentication control unit 301 collates the login name and password acquired from the client with the login name and password of the account information shown in FIG. If the verification matches, the user authentication control unit 301 refers to the user information shown in FIG. 6 based on the user ID, acquires the organization ID, and includes the user ID and organization ID in the authentication ticket.

  Next, data related to the folder hierarchy in the embodiment will be described. FIG. 7 is a diagram illustrating an example of a data structure of data related to a folder hierarchy. FIG. 7A illustrates an example of folder definition information. In the example shown in FIG. 7A, the folder definition information 309 is assigned to the folder definition information identifier 700, the organization ID 501, the folder hierarchy title, the folder hierarchy definition 701, and the folders in each hierarchy, and is related to the hierarchy definition. Metadata definition 702 to be added to the content, metadata definition 703 to be given to the content, metadata 704 to be given to the folder, metadata 705 to be given to the content, and the like.

  In the folder hierarchy definition 701, a folder is defined in each hierarchy, and each hierarchy has a meaning. For example, in the folder definition information “2”, “Department name” in layer 1 (layer_0), “Sales person” in layer 2 (layer_1), “Customer name” in layer 3 (layer_2), and Layer 4 (layer_3) "Item name" is defined.

  The metadata definition 702 assigned to the folder is assigned to each hierarchy, and metadata related to the definition of the hierarchy is defined. For example, in the example illustrated in FIG. 7A, “stag — 0” is assigned to the hierarchy 4. “Stag — 0” indicates “processing state”. This means that the metadata indicating the processing state (for example, unprocessed and processed) is assigned to the folder of the hierarchy 3.

  A metadata definition 703 to be given to content defines metadata to be given to content stored in a folder. For example, in the example shown in FIG. 7A, “e_stag — 0” is assigned to the content. “E_stag — 0” is metadata indicating “document type”. This means that the content is provided with metadata indicating the document type (for example, quotation, order, etc.).

  The metadata includes metadata “stag (string-tag)” indicating a character string and metadata “dtag (data-tag)” indicating a date. Other metadata may include “nttag (number tag)” and “btag (boolean tag)”. Further, the metadata given to the folder and the metadata given to the content can be identified. Note that metadata assigned to a folder is associated with content stored in the folder.

  FIG. 7B is a diagram illustrating an example of folder information. The folder information 310 is assigned to each folder by a folder ID 706, an organization ID 501, a folder definition information identifier 700, a parent folder identifier, a level 707 indicating which hierarchy, data 708 corresponding to the definition of each hierarchy, and the folder. Metadata 709 corresponding to the definition of metadata is included.

  Note that each level of folder information also holds data corresponding to folder definitions of levels higher than the own level. For example, “Tokyo headquarters” of “layer_0”, “Wakamoto” of “layer_1”, and “BBB Kogyo” of “layer_2” are held as folder information of the level “2”. As a result, when acquiring data corresponding to the definition of the upper-level folder, it is possible to easily acquire the data without following the parent folder. Further, data corresponding to the definition of the hierarchy may be the name of the folder of the hierarchy.

  The metadata 709 is data corresponding to “stag — 0” 704. Since “stag — 0” 704 defines “processing state”, the metadata 709 is data indicating the processing state. In the example shown in FIG. 7B, the metadata 709 indicates “processed”.

  FIG. 7C illustrates an example of content information. The content information 311 includes a content ID, an organization ID 501, a folder ID 706 indicating which folder is stored, a content title 710, a URL 711 indicating a location where the content is stored, a content size 712, a content metadata 713, and the like. Including.

  The content metadata 713 can be identified from the folder metadata 709. For example, “e_” indicating content metadata is added to the content metadata 713, such as “e_stag”. As a result, it is possible to manage and search the folder metadata and the content metadata separately.

  By having the data structure shown in FIG. 7, it is possible to give meaning to a folder hierarchy and to manage content by assigning metadata to folders in that hierarchy. As a result, the server 107 specifies the folder name, the hierarchy of the folder hierarchy, the metadata given to the folder, the metadata of the content, the content name, or any combination thereof, and the content included in the folder in the folder hierarchy Can be searched.

  Next, the definition of a hierarchy and an example of metadata will be described. FIG. 8 is a diagram illustrating an example of a hierarchy definition and metadata. FIG. 8A shows the definition of a hierarchy. In the example shown in FIG. 8A, the first hierarchy is defined as “department”, the second hierarchy as “sales representative”, the third hierarchy as “customer name”, and the fourth hierarchy as “case name”. It has been. FIG. 8B is a diagram showing the definition of metadata assigned to folders in each hierarchy. In the example shown in FIG. 8B, “state” is defined as metadata in the folder of the fourth hierarchy. Note that metadata such as “location” may be defined in the first layer folder, and “business type” may be defined in the third layer folder.

  FIG. 9 is a diagram illustrating a screen example of the data illustrated in FIG. The display screen 901 includes an area 903 and an area 905. In a region 903, a folder configuration described from the folder definition information 309 and the folder information 310 is drawn. The folder structure of the area 903 is the folder structure of the identification information “2” of the folder definition information shown in FIG.

  For example, as shown in an area 903 in FIG. 9, the Tokyo head office (first level), Wakamoto (second level), BBB Kogyo (third level), and instrument parts orders (fourth level) are drawn in hierarchical order. The The folder structure shown in the area 903 is an example up to the third hierarchy.

  In the area 905 of FIG. 9, the content configuration described from the content information 311 is drawn. Referring to FIG. 7C, “estimator part.pdf”, “order sheet.pdf”, and “delivery form.pdf” are stored in the “instrument part order” folder of folder ID “4”. . As a result, “quotation sheet.pdf”, “order sheet.pdf”, and “delivery sheet sheet.pdf” are drawn in the area 905.

  Next, filter information will be described. FIG. 10 is a diagram illustrating an example of filter information. The filter information shown in FIG. 10 includes a filter ID 1001, identification information 700 for folder definition information, content restriction information (condition) 1003 for restricting content, information about a user (user_condition) 1005, and access restriction information indicating a process that can be processed. 1007 is associated.

  The content restriction information 1003 defines conditions for restricting contents accessible to registered users. The content restriction information can flexibly restrict access to content by combining various conditions such as hierarchy, user metadata, folder metadata, and content metadata.

  In the information 1005 about the user, a condition for specifying a user who performs access restriction is defined. Information about the user 1005 can easily restrict access to various target users by combining various conditions such as a user ID, user metadata, and organization ID.

  In the access restriction information 1007, “TRUE” (processable) and “FALSE” (unprocessable) are defined for the operations of viewing (read), creation (update), update (update), and deletion (delete). Note that the content restriction information 1003, user-related information 1005, and access restriction information 1007 are information set in advance by a system administrator or the like.

  For example, the filter ID “1” indicates that the young book with the user ID “2” has an access right to the content in the “young book” folder of the “layer_1” (hierarchy 2). Further, the young book with the user ID “2” can browse, create, and update the contents of the “young book” folder, but cannot delete the contents.

  The filter ID “2” indicates that the table with the user ID “1” has an access right to all the contents and can perform all processes of browsing, creating, updating, and deleting.

  The filter ID “3” means that all users have access rights to the folder whose business location “u_stag — 1” matches the data corresponding to the layer “0” (first layer). In this way, the content can be narrowed down by using the metadata included in the user information shown in FIG. 6 to check whether the data matches the hierarchical data.

  The filter ID “4” can only be browsed for idata to which metadata “managers” is assigned, for content whose folder metadata is “processed” and whose content metadata is “estimate”. Indicates that In this way, the folder metadata and the content metadata can be used as conditions for narrowing down the content. In addition, it is possible to restrict accessible persons using user metadata.

  Here, referring to the filter information, a process for restricting accessible contents and restricting a process that can be performed will be described with reference to FIGS. For example, it is assumed that the access control unit 303 includes the user ID “2” and the organization ID “3” in the authentication ticket received from the client. The access control unit 303 outputs the user ID “2”, the organization ID “3”, the user metadata “sales department”, and “Yokohama office” to the filter information acquisition unit 305.

  If the organization ID is known, the access control unit 303 may acquire the cabinet ID by referring to FIG. Here, the organization ID “3” corresponds to the cabinet ID “2”.

  The filter information acquisition unit 305 acquires filter information corresponding to the acquired user, organization ID, user metadata, and cabinet ID. For example, the filter information acquisition unit 305 acquires filter information of filter IDs “1” and “3” that are not limited to the user based on the cabinet ID “2” and the user ID “2”. The filter information acquisition unit 305 outputs the acquired filter information to the access control unit 303.

  The access control unit 303 acquires content that matches “condition” included in the acquired filter information from the content information 311. In this example, the access control unit 303 acquires content included in the “Wakamoto” folder of “layer_1” (hierarchy 2) and the “Yokohama sales office” folder of “layer_0” (hierarchy 1).

  The access control unit 303 transmits the acquired content to the client 101 as accessible content. At this time, the access control unit 303 also transmits a processable operation indicated by the access restriction information 1007 included in the filter information to the client 101.

  As a result, flexible access restrictions on content can be performed, and access restrictions can be flexibly given to various users.

<Operation>
Next, the operation of the content management system in the embodiment will be described. FIG. 11 is a flowchart illustrating an example of an access control process for content according to the embodiment. In step S <b> 101, the user attempts to log in to the content management system 100 using the client 101. For example, it is assumed that wakamoto with the user ID “2” has logged in (see FIG. 4).

  In step S102, the user authentication control unit 301 performs an authentication process. The user authentication control unit 301 proceeds to step S103 if the authentication result is a registered user, and returns to step S101 if the authentication result is not a registered user. For example, the authentication ticket includes a user ID “2” and an organization ID “3” (see FIG. 6).

  In step S <b> 103, the user authentication control unit 301 transmits an authentication ticket to the client 101. Thereafter, the client 101 includes an authentication ticket in the request and requests access to the content.

  In step S104, the access control unit 303 acquires filter information with reference to the DB 109 based on the user ID, organization ID, and the like included in the authentication ticket. For example, the access control unit 303 specifies the cabinet ID (identification information of the folder definition information) “2” from the organization ID “3” (see FIG. 7A) and outputs it to the filter information acquisition unit 305. The filter information acquisition unit 305 acquires the content restriction information 1003 included in the filter information of the filter IDs “1” and “3” based on the cabinet ID “2” and the user ID “2” (see FIG. 10).

  In step S105, the access control unit 303 generates a content search formula from the content restriction information 1003. The access control unit 303 generates a search expression “layer_1:“ Wakamoto ”” from the filter ID “1”, and searches “layer_0:“ Yokohama Sales Office ”” (see FIG. 6) from the filter ID “3”. Generate an expression. The access control unit 303 searches for content stored in the DB 111 using the generated search formula.

  In step S106, the access control unit 303 acquires the searched content. In step S <b> 107, the access control unit 303 transmits the acquired content and a processable operation indicated by the access restriction information 1007 to the client 101. For example, in the case of the example of FIG. 10, the access restriction information with the filter ID “1” can be browsed, created, and updated, and the access restriction information with the filter ID “3” can be browsed, created, updated, and deleted. All processing is possible. That is, when the access restriction information of the filter IDs “1” and “3” are different from each other, the access control unit 303 can perform operations based on the different access restriction information on the content searched by the respective search expressions. That's fine.

  As described above, according to the embodiment, when performing access control on content, it is possible to easily perform flexible and highly flexible access control. When the content management system in the embodiment is applied to a backbone system that handles a large amount of data, the object of the present invention can be achieved more.

  The program executed by the server according to the embodiment has a module configuration including the above-described units. As actual hardware, the CPU (processor) reads the program from the storage medium and executes the program. Are loaded on the main memory, and the above-mentioned means are generated on the main memory.

  In addition, this invention is not limited to the said Example as it is, A component can be deform | transformed and embodied in the range which does not deviate from the summary in an implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the above embodiments. For example, some components may be deleted from all the components shown in the embodiments.

101 Client 103 LB
105, 107 Server 109, 111 DB
201 Control Unit 301 User Authentication Control Unit 303 Access Control Unit 305 Filter Information Acquisition Unit 307 User Authentication Information 309 Folder Definition Information 310 Folder Information 311 Content Information 313 Filter Information

JP 2009-110241 A

Claims (9)

A content management system for managing content,
Folder definition information indicating the definition of each folder hierarchy for managing contents, data corresponding to the definition of each hierarchy, and metadata related to the definition of the hierarchy provided to the folders in the hierarchy Folder information to be included, content associated with the hierarchy of the folder to be stored and metadata assigned to the folder, identification information of the folder definition information to information about the authenticated user, and content restriction information for restricting the content Storage means for storing filter information associated with access restriction information indicating operations that can be processed, and
An authentication means for performing user authentication;
Refer to the filter information based on information about the authenticated user, restrict the content from the identification information of the folder definition information and the content restriction information, and restrict the operation based on the access restriction information for the restricted content A content management system comprising: an access control means for performing The content restriction information is defined as any one or a combination of data corresponding to the definition of the hierarchy, metadata given to the folder, or metadata given to the content,
The access control means includes
The content management system according to claim 1, wherein content corresponding to the content defined in the content restriction information is content that can be accessed by an authenticated user.   The content management system according to claim 1, wherein the information related to the user includes at least identification information of the user, organization information to which the user belongs, or metadata given to the user. The access control means includes
4. When there are a plurality of pieces of filter information based on information about an authenticated user, different operation restrictions can be applied to the respective contents restricted based on the respective filter information. The content management system described in 1. A content management device for managing content,
Folder definition information indicating the definition of each folder hierarchy for managing contents, data corresponding to the definition of each hierarchy, and metadata related to the definition of the hierarchy provided to the folders in the hierarchy Folder information to be included, content associated with the hierarchy of the folder to be stored and metadata assigned to the folder, identification information of the folder definition information to information about the authenticated user, and content restriction information for restricting the content Storage means for storing filter information associated with access restriction information indicating operations that can be processed, and
An authentication means for performing user authentication;
Refer to the filter information based on information about the authenticated user, restrict the content from the identification information of the folder definition information and the content restriction information, and restrict the operation based on the access restriction information for the restricted content A content management device comprising: an access control means for performing The content restriction information is defined as any one or a combination of data corresponding to the definition of the hierarchy, metadata given to the folder, or metadata given to the content,
The access control means includes
The content management apparatus according to claim 5, wherein the content corresponding to the content defined in the content restriction information is content that can be accessed by an authenticated user.   The content management apparatus according to claim 5, wherein the information regarding the user includes at least identification information of the user, organization information to which the user belongs, or metadata provided to the user. The access control means includes
8. When there are a plurality of the filter information based on information about an authenticated user, different operation restrictions can be performed on each content restricted based on each filter information. The content management device described in 1. Folder definition information indicating the definition of each folder hierarchy for managing contents, data corresponding to the definition of each hierarchy, and metadata related to the definition of the hierarchy provided to the folders in the hierarchy Folder information to be included, content associated with the hierarchy of the folder to be stored and metadata assigned to the folder, identification information of the folder definition information to information about the authenticated user, and content restriction information for restricting the content And an access control method in a content management apparatus for managing content comprising storage means for storing filter information associated with access restriction information indicating a processable operation,
An authentication step for performing user authentication;
Refer to the filter information based on information about the authenticated user, restrict the content from the identification information of the folder definition information and the content restriction information, and restrict the operation based on the access restriction information for the restricted content An access control method comprising: an access control step.

Images