JP2018106737A - Access management method and access management apparatus - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an access management method which reduces security risk of an information processing apparatus, and an access management apparatus.SOLUTION: An access management apparatus 16 includes an operation condition holding unit 26, an external account holding unit 22, a determination unit 40, and a log-in processing unit 42. The operation condition holding unit 26 stores operation conditions permitted by an administrator with respect to an access management apparatus 14 to be operated, including a log-in ID applied by a user. The external account holding unit 22 stores log-in ID and password to log in to the access management apparatus. On receipt of a log-in request designating an access management apparatus to be logged in, the determination unit 40 determines that the log-in request satisfies the operation condition. The log-in processing unit 42 acquires a log-in ID and password corresponding to the operation condition satisfied by the log-in request, from the external account holding unit, and logs in to the access management apparatus by use of the acquired log-in ID and password.SELECTED DRAWING: Figure 2

Description

The present invention relates to a data processing technique, and more particularly to a technique for managing user access to an information processing apparatus.

With the development of network technology, access to computer systems via networks has been widely performed. Password authentication is widely used as an authentication means when a user logs in to a computer system. As measures to increase the security of password authentication, the password may be forcibly changed after a certain period of time, or the subsequent login will be refused after a predetermined number of failed password entries. ing.

In the following Patent Document 1, the present applicant has proposed a technique for easily finding unauthorized access without reducing the usability of authorized users.

JP 2006-004333 A

In the password authentication so far, it is necessary to disclose to the user the password of the information processing apparatus (hereinafter also referred to as “work target apparatus”) on which the user should perform the work. Therefore, a security risk may occur in the work target device. For example, the password of the work target apparatus may be leaked from a legitimate user to a malicious third party.

The present invention has been made in view of these problems, and a main object thereof is to provide a technique for reducing the security risk of the information processing apparatus.

In order to solve the above-described problem, an access management method according to an aspect of the present invention provides a work target including a login ID used by an access management apparatus to log in to a work target apparatus and a login ID applied by a user. A step of storing in the first storage area a work condition that is an operation condition for the apparatus and that is permitted by the administrator based on the user's application, and a login request that includes information for designating a work target apparatus that is a login destination. Log-in request receiving step and log-in to the log-in work target apparatus stored in advance in the second storage area when a log-in request that satisfies the work conditions pre-stored in the first storage area is received. Corresponding to the login ID specified in the work condition satisfied by the login request. By logging into the work target device login destination using the login ID and password to perform the log step of enabling the work of the user for work device of the login destination, the.

Another aspect of the present invention is an access management apparatus. This device includes an account holding unit that holds a login ID and a password for logging in to the work target device, and a login ID for logging in to the work target device with respect to the work target device that the user should work on. Yes, a condition holding unit that holds the work conditions for the work target device including the login ID requested by the user and that is permitted by the administrator based on the user's request, and the work target of the login destination A login request receiving unit that receives a login request including information specifying the device from a user, and a login ID that is held in the account holding unit when a login request that satisfies the work conditions held in the condition holding unit is received; Corresponds to the login ID specified in the work condition that the login request is satisfied By logging into the work target device login destination using the login ID and password, and a login processing unit that allows the user's work for work device of the login destination.

Note that any combination of the above-described constituent elements and the expression of the present invention converted between a system, a program, a recording medium storing the program, and the like are also effective as an aspect of the present invention.

  According to the present invention, it is possible to reduce the security risk of the information processing apparatus.

It is a figure which shows the structure of the information processing system of embodiment. It is a block diagram which shows the function structure of the access management apparatus of FIG. It is a flowchart which shows operation | movement of an access management apparatus. It is a flowchart which shows operation | movement of an access management apparatus.

FIG. 1 shows a configuration of an information processing system according to an embodiment. The information processing system 100 is an in-house system, and includes an operator terminal 10, an administrator terminal 12, a work target device 14a, a work target device 14b, a work target device 14c, which are collectively referred to as a work target device 14, and an access. A management device 16 is included.

The operator terminal 10 is an information processing system 100 that should perform work on the work target device 14.
It is a PC operated by an operator or developer (hereinafter unified by the operator). Administrator PC
Reference numeral 12 denotes a PC operated by an administrator of the information processing system 100.

The work target device 14 is a server that is a target of work by an operator of the information processing system 100 (for example, file update, adjustment of various setting values, and the like). For example, it may be a web server, application server, database server, or the like. Moreover, there is no restriction | limiting in the software structure of the work target apparatus 14, The structure which differs between work target apparatus 14a-work target apparatus 14c may be sufficient. For example, the OS of the work target device 14a is UNIX (registered trademark), the OS of the work target device 14b is Linux (registered trademark), and the OS of the work target device 14c is Windows.
It may be ws (registered trademark). Further, there is no restriction on the communication protocol for notifying the command from the operator PC 10 to the work target device 14, and Telnet, SSH, FTP, R
DP etc. may be sufficient.

The access management device 16 accepts an operator's login request for a plurality of work target devices 14 (work target device 14a to work target device 14c in FIG. 1) regardless of the type of the work target device 14. It is determined whether or not the login has been approved by the administrator. If approved, the access management device 16 logs in to the work target device 14 on behalf of the operator, and relays the command transmitted from the operator PC 10 to the work target device 14. In other words, the access management device 16 mediates access from the operator PC 10 to the work target device 14, thereby enabling the operator to work on the work target device 14 while increasing the security strength of the work target device 14.

FIG. 2 is a block diagram showing a functional configuration of the access management device 16 of FIG. The access management device 16 includes an internal account holding unit 20, an external account holding unit 22, an account updating unit 24, a work condition holding unit 26, an application information receiving unit 28, an application information notifying unit 30,
An approval information receiving unit 32, a connection request receiving unit 34, an authentication processing unit 36, a login request receiving unit 38, a determination unit 40, a login processing unit 42, a command receiving unit 44, and a command transfer unit 46 are provided. .

Each block shown in the block diagram of the present specification can be realized in terms of hardware by an element such as a CPU of a computer or a mechanical device, and in terms of software, it can be realized by a computer program or the like. The functional block realized by those cooperation is drawn. Therefore, those skilled in the art will understand that these functional blocks can be realized in various forms by a combination of hardware and software. For example, each functional block in FIG. 2 may be stored in a recording medium as an access management program and installed in the storage of the access management device 16. When the access management program is activated, a program corresponding to each functional block may be read into the main memory and executed by the CPU.

The internal account holding unit 20 uses a predetermined operator ID and password as an account for permitting the operator to connect to the access management device 16 from the operator PC 10 (hereinafter also referred to as “internal account”). Is a storage area that stores the information in association with each other.

The external account holding unit 22 is an account (specifically, a login ID) predetermined in the work target device 14 as an account for permitting connection to the work target device 14 (hereinafter also referred to as “external account”). And a password combination). For example, the external accounts defined in each of the work target device 14a to the work target device 14c are collectively held. The external account holding unit 22 also holds a privileged user account of the work target device 14 as an external account, and holds, for example, a root password and an administrator password.

When the login account is changed in the work target device 14, the account update unit 24 detects the fact and stores the changed account in the external account holding unit 22. For example, the work target device 14 periodically changes the login account in its own device, notifies the access management device 16 of information indicating the account after the change, and the work target device 14 is based on the notification in the work target device 14. Account changes may be detected. As a modification, the account update unit 24 may periodically access the work target device 14 to change the login account, and store the changed account in the external account holding unit 22.

The work condition holding unit 26 is a storage area that holds conditions for permitting an operator to log in to the work target device 14 (hereinafter, also referred to as “work conditions”).
Work conditions for each of a to work target device 14c are collectively held. The work conditions of this embodiment are used for the operator ID, the work start date and time and the work end date and time for the work target device 14, the host name of the work target device 14, the communication protocol to be used, and the login to the work target device 14. A login ID (such as root) is included.

The application information receiving unit 28 receives information (hereinafter also referred to as “application information”) for applying to the administrator to log in to the work target device 14 from the operator PC 10. This application information includes the same contents as the above-described work conditions. That is, it includes an operator ID, work start date and time, work end date and time, host name of the work target device 14, communication protocol to be used, and login ID used to log in to the work target device 14.

The application information notifying unit 30 transmits the application information received from the operator PC 10 to the administrator PC 12 and causes the administrator to decide whether to approve or reject the application contents of the operator. The approval information receiving unit 32 receives information indicating whether or not the administrator has approved the application content from the administrator PC 12. When the administrator approves the application content, the approval information receiving unit 32 stores the application content of the operator in the work condition holding unit 26 as a work condition.

The connection request reception unit 34 receives a connection request to the access management device 16 from the operator PC 10. In this connection request, an operator account (that is, an internal account) defined in the access management device 16 is designated. Note that the communication protocol between the operator PC 10 and the access management device 16 may be appropriately selected by the operator, for example, Telnet · S.
SH, FTP, RDP, etc. may be used.

The authentication processing unit 36 authenticates the operator. Specifically, it is determined whether or not the operator account specified in the connection request matches the operator account held in the internal account holding unit 20. If they match, the connection request reception unit 34 is notified that the operator has been successfully authenticated. When the authentication of the operator is successful, the connection request reception unit 34 establishes a communication session with the operator PC 10 and notifies the operator PC 10 that the authentication is successful. When the operator PC 10 is notified of the success of authentication, the operator PC 10 displays on the display a designation screen for the work target device 14 as a login destination (in other words, the work target device 14 on which the operator performs work). As a modification, the connection request receiving unit 34 may transmit data of a login destination designation screen to the operator PC 10 and display the data on the operator PC 10 when the authentication of the operator is successful.

The login request reception unit 38 receives a specific work target device 1 from the operator PC 10 through a communication session between the operator PC 10 and the access management device 16 established by the connection request reception unit 34.
4 is received (hereinafter also referred to as “login request”). This login request includes information indicating the work target device 14 (hereinafter also referred to as “designated device”) as the login destination designated by the operator on the login destination designation screen displayed on the operator PC 10. On the other hand, the account (eg, password) of the designated device is not included in the login request.

The determination unit 40 determines whether or not the login request satisfies the work condition stored in the work condition holding unit 26. Specifically, the ID of the operator who is the sender of the login request matches the operator ID of the work condition, and the reception date / time of the login request is in the range from the work start time of the work condition to the work end date / time. If the designated device in the login request matches the connection destination device of the work condition, it is determined that the login request satisfies the work condition.

When it is determined that the login request satisfies the work condition, the login processing unit 42 uses the designated device account held in the external account holding unit 22 even if the designated device account is not included in the login request. Log in to the designated device and establish a communication session between the access management device 16 and the designated device. Specifically, an account (a login ID and a password, such as a root ID and a root password, for example) corresponding to a login ID specified in the work condition is an account predetermined in the designated device from the external account holding unit 22. get. Then, using the communication protocol specified in the work condition, a login request specifying the account acquired from the external account holding unit 22 is transmitted to the specified device.

The command reception unit 44 receives a command for the designated device from the operator PC 10 via the communication session between the operator PC 10 and the access management device 16 established by the connection request reception unit 34. The command transfer unit 46 transfers the command received by the command receiving unit 44 to the designated device via the communication session between the access management device 16 and the designated device established by the login processing unit 42.

The operation of the above configuration will be described below.
FIG. 3 is a flowchart showing the operation of the access management device 16. When the application information receiving unit 28 receives the application information transmitted from the operator PC 10 (Y in S10), the application information notifying unit 30 transmits the application information to the administrator PC 12 (S12). When the approval information receiving unit 32 receives information indicating that the application content has been approved from the administrator PC 12 (Y in S14), the approval information receiving unit 32 stores the application content in the work condition holding unit 26 as a work condition (S16). If information indicating that the application content has been approved is not accepted (N in S14), S16 is skipped. If application information from the operator PC 10 is not accepted (N in S10), S12 to S16 are skipped. When the account update unit 24 detects that the account has been changed in the work target device 14 (Y in S18), the account update unit 24 acquires the changed account from the work target device 14 and stores it in the external account holding unit 22 (S20). . If an account change in the work target device 14 has not been detected (N in S18), S20 is skipped.

FIG. 4 is also a flowchart showing the operation of the access management device 16. This figure shows the continuation of the operation of FIG. When the connection request receiving unit 34 receives the connection request transmitted from the operator PC 10 (Y in S30), the authentication processing unit 36 authenticates the operator based on the connection request. When the operator authentication is successful (Y in S32), the connection request receiving unit 34 notifies the operator P to that effect.
C10 is notified and a login destination designation screen is displayed on operator PC 10 (S34). If the operator authentication has failed (N in S32), S34 is skipped, and if the connection request from the operator PC 10 is not accepted (N in S30), S32 and S34 are skipped.

When the login request reception unit 38 receives the login request transmitted from the operator PC 10 (Y in S36), the determination unit 40 determines whether the login request satisfies the work condition. If the login request satisfies the work conditions (Y in S38), the login processing unit 42 acquires the account of the designated device in the login request from the external account holding unit 22 (S40).
Then, the user logs in to the designated device using the account (S42).

The command receiving unit 44 stands by until a command is received from the operator PC 10 (S4
4 N). When the command receiving unit 44 receives a command transmitted from the operator PC 10 (Y in S44), the command transfer unit 46 transmits the command to the work target apparatus 14 (S
46). If the command received from the operator PC 10 is an end command (for example, “exit” command) (Y in S48), the command receiving unit 44 disconnects the communication session with the operator PC 10 and ends the flow of FIG. If the command received from the operator PC 10 is not an end command (N in S48), the process returns to the command waiting state in S44. If the login request does not satisfy the work conditions (N in S38), or if the login request is not accepted (N in S36), the subsequent processing is terminated by skipping the subsequent processing.

According to the information processing system 100 of the present embodiment, the access management device 16 performs login to the work target device 14 on behalf of the operator or developer. Therefore, the account (particularly the password) of the work target device 14 can be kept secret from the operator and the developer, and the security risk of the work target device 14 can be reduced. For example, it is possible to prevent an account from leaking from an operator or developer to a malicious third party, or an operator or developer from accessing the work target device 14 beyond the range approved by the administrator. . According to the information processing system 100, it is possible not only to discover whether or not there has been unauthorized access from the access log of the work target device 14, but also to prevent unauthorized access in the first place.

Further, the login account for the work target device 14 is periodically changed and stored in the external account holding unit 22 of the access management device 16. Thereby, the security risk of the work target device 14 can be further reduced. In addition, since the access management device 16 absorbs the influence of the login account change in the work target apparatus 14 and the operator and developer are not affected by this, the convenience of the operator and developer can be improved.

In addition, since the access management device 16 collectively performs access control to the work target device 14,
The work target apparatus 14 does not need to determine individual accounts for a plurality of operators and developers. Also, there is no need to set various access rights for these individual accounts. Therefore, the security risk of the work target device 14 can be reduced without changing the work target device 14.

The present invention has been described based on the embodiments. This embodiment is an exemplification, and it will be understood by those skilled in the art that various modifications can be made to combinations of the respective constituent elements and processing processes, and such modifications are also within the scope of the present invention. is there. A modification is shown below.

A first modification will be described. Although not mentioned in the above embodiment, the command receiving unit 44
May monitor whether or not the current date and time has passed the work end date and time defined in the work conditions, and if so, the communication session between the operator PC 10 and the access management device 16 may be disconnected.
Similarly, the command transfer unit 46 monitors whether or not the current date and time has passed the work end date and time of the work condition, and if so, disconnects the communication session between the access management device 16 and the work target device 14. May be. According to this aspect, since the command from the operator is not transferred to the work target device 14 after passing the work end date and time, the work by the operator can be permitted within the range approved by the administrator. .

As another modification, the command reception unit 44 may maintain a communication session between the operator PC 10 and the access management device 16 even when the current date and time passes the work end date and time of the work condition. Similarly, the command transfer unit 46 may maintain a communication session between the access management device 16 and the work target device 14 even when the current date and time passes the work end date and time of the work condition.
Furthermore, the operator may be able to select whether the communication session is to be disconnected or maintained when the current date / time passes the work end date / time of the work condition, and the selection result by the operator is applied to the application information (that is, the work Condition). In this case, the command reception unit 44 and the command transfer unit 46 may determine whether to disconnect or maintain the communication session when the current date / time passes the work end date / time of the work condition according to the work condition. .

A second modification will be described. The access management device 16 may further include a log holding unit, a log output unit, and a log search unit. The log holding unit includes an internal account of the operator, a host name of the work target device 14 as a login destination, and a login account to the work target device 14 (external account).
A log in which the command issued to the work target device 14 and the command issue date / time are associated is held. When the log output unit logs in to the work target device 14 in response to the login request,
The internal account of the operator, the host name of the work target device 14 at the login destination, the work target device 14
Keep your login account as login information. And the command reception part 4
4, when a command is received from the operator PC 10, the command, login information, and the current date and time (that is, command issue date and time) are associated with each other and stored in the log holding unit.

The log search unit receives a search request in which a search keyword is specified from the administrator PC 12. Then, the log stored in the log holding unit is searched based on the search keyword, and information on the log hit in the search is transmitted to the administrator PC 12. According to the second modification, since the access management device 16 collectively manages the access logs over the plurality of work target devices 14, the administrator easily obtains the access logs over the plurality of work target devices 14. be able to. For example,
By making a search request to the access management device 16 using a specific operator ID (specific internal account) as a search keyword, the specific operator can make a plurality of work target devices without inquiring each work target device 14. 14 can be efficiently acquired.

A third modification will be described. The access management device 16 may further include a prohibited command holding unit and a command determination unit. The prohibited command holding unit holds information indicating a prohibited command predetermined as a command that should not be issued to the work target device 14. The prohibited command may include, for example, a command for changing a user password (passwd command or the like) or a command for switching a user account (su command or the like). The command determination unit determines whether the command received from the operator PC 10 matches the prohibited command held in the prohibited command holding unit. If they do not match, the command determination unit determines that the operator P
The command received from C10 is passed to the command transfer unit 46. If they match, the command determination unit suppresses and discards the command received from the operator PC 10 from being passed to the command transfer unit 46. In this case, since the command determination unit is a prohibited command, it may notify the operator PC 10 that transfer to the work target apparatus 14 has been rejected.

In the second modification and the third modification, the operator PC 10 to the access management apparatus 1
6 and the case where the access management device 16 to the work target device 14 are encrypted communication (for example, SSH communication). In this case, the access management device 16 once decrypts the encrypted command received from the operator PC 10, encrypts the decrypted plaintext command again, and transmits it to the work target device 14. Therefore, the log output unit of the second modification stores a log indicating a plaintext command in the log holding unit, and the command determination unit of the third modification compares the plaintext command with the prohibited command. In this way, while maintaining security strength by encrypted communication on the communication path, command storage and comparison with prohibited commands can be realized using plaintext commands.

A fourth modification will be described. In the above embodiment, the access management device 16 includes the external account holding unit 22 and the account update unit 24. As a modification, an information processing device (also referred to as “account management device” here) different from the access management device 16 includes an external account holding unit 22 and an account update unit 24 instead of the access management device 16, and An external account providing unit may be provided. In this case, the login processing unit 42 of the access management device 16 transmits a password request specifying the host name of the work target device 14 that is the login destination and the login ID of the work target device 14 used for login to the account management device. . The external account providing unit of the account management device provides the access management device 16 with a password associated with the login ID specified in the password request.

Any combination of the above-described embodiments and modifications is also useful as an embodiment of the present invention. The new embodiment generated by the combination has the effects of the combined embodiment and modification.

It should also be understood by those skilled in the art that the functions to be fulfilled by the constituent elements recited in the claims are realized by the individual constituent elements shown in the embodiments and the modified examples or by their linkage.

10 operator PC, 12 administrator PC, 14,16 access management device, 20
Internal account holder, 22 External account holder, 24 Account updater,
26 working condition holding unit, 34 connection request receiving unit, 36 authentication processing unit, 38 login request receiving unit, 40 determination unit, 42 login processing unit, 44 command receiving unit,
46 Command transfer unit, 100 Information processing system.

Claims (2)

Access management device
A work condition for the work target device including the ID applied by the user and the work start date and time, and storing the work condition permitted by the administrator based on the user application in the storage area;
A login request receiving step for receiving a login request including information specifying a work target apparatus of a login destination from a user;
When the login request reception date / time received by the login request reception step is after the work start date / time, it is an ID and password stored in advance for logging in to the login target work target device, and ID included in the work conditions stored in the storage area
A login step of logging in to the login target work device using an ID and password corresponding to
Run
An access management method, wherein a password for logging in to the login target work target device is concealed from a user. An account holding unit that holds the ID and password for logging in to the work target device including the password concealed from the user, with respect to the work target device that the user should work on,
A condition holding unit for holding a work condition for the work target device including an ID applied by a user, the work condition permitted by an administrator based on the user's application;
A login request accepting unit that accepts a login request including information specifying a work target device of a login destination from a user;
When the login request is accepted, the ID and password held in the account holding unit and corresponding to the ID included in the work condition held in the condition holding unit
A login processing unit for logging in to the login target work device using D and a password;
An access management apparatus comprising:

Images