JP2019036245A - Information processing device - Google Patents

Abstract

To provide an information processing device capable of managing the authority for using resources and services, which is configured to identify resources and/or services with high probability a user uses and to take over the authority to use the resources and/or services.SOLUTION: The information processing device is control means for controlling the access to resources on the basis of the authority to use the resources on a network. The information processing device performs multi-tenant type management per tenant as management means which is configured to manage by registering users who are accessible to the resources via the control means. The information processing device is configured so as to, when a user included in a tenant is changed to be included in another tenant, identify the authority to be imparted to the user in a tenant after the change on the basis of the exercise status of user's right in the tenant before change.SELECTED DRAWING: Figure 7

Description

  The present invention relates to an information processing apparatus.

  Regarding the use of resources and services provided on a network, management of individual users to whom authority is assigned, usage status of resources and services, the number of licenses for each type of resources and services, and the like is performed. As a management method related to resources and services provided on a network, management may be performed in units called tenants. A user (user) of a resource or service belongs to a tenant, and is assigned an authority to use the resource or service within the scope of a license given to the tenant.

  In Patent Document 1, when a user belonging to an organization uses a service, the usage status of the service can be managed in an organizational unit by managing the device used by the user in association with the organization to which the user belongs. An information management system is disclosed. Patent Document 2 registers a tenant contracted to provide a service, a user belonging to the tenant, and a role indicating the access authority of the user in the licensed service in the user management table, and sets the role for the user. A cloud system that provides a user interface and updates a user management table according to a role set for the user via the user interface is disclosed. Patent Document 3 accepts setting of authority for each service type and sets authority for a service so that the number of users to whom authority is assigned by a license does not exceed the number of users to whom authority can be assigned by a license. An information processing system is disclosed.

Japanese Patent Laid-Open No. 2015-111407 JP 2012-256248 A JP, 2006-027446, A

  When the tenant to which a user belongs is changed, there are cases where it is desired to continue using the resources and services used by the tenant before the change even in the tenant after the change. When this takeover is performed manually by a tenant administrator or the like, a great deal of labor is required. Although it is conceivable to acquire user management information from the tenant before the change and register it mechanically, there are resources and services that the user simply has the authority (not used) in the tenant before the change. It may be wasteful to take over.

  An object of the present invention is to identify a resource or service having a high probability of being used by a user in the management of authority related to the use of the resource or service, and to take over the authority to use the resource or service.

The present invention according to claim 1
First control means for controlling access to the resource based on the authority to use the resource on the network;
First management means for registering and managing users who can access the resource via the first control means;
Apart from the first control means, second control means for controlling access to the resource based on the authority to use the resource on the network;
Second management means for registering and managing users who can access the resource via the second control means;
With respect to a user who has been changed from a management target of the first management unit to a management target of the second management unit, the second control is performed based on information on the use of the resource by the user in the first control unit. A specifying means for specifying the authority to use resources on the network granted to the user in the means;
An information processing apparatus comprising:
The present invention according to claim 2
The identifying means is based on information related to the use of the resource by the user in the first control means, and the user out of the authority to use the resource given to the user in the first control means Identify the authority exercised to use the resource, present the authority information to the administrator of the second control means and the second management means, accept instructions from the administrator, The information processing apparatus according to claim 1, wherein an authority to be given to the user is specified by the control means of 2.
The present invention according to claim 3 provides:
The specifying means presents the authority information to the user, accepts a selection by the user, updates the authority information, and presents the updated authority information to the administrator. The information processing apparatus according to Item 2.
The present invention according to claim 4 provides:
The specifying means is set in the second control means and the authority exercised by the user to use the resource specified based on information on the use of the resource by the user in the first control means 2. The information processing apparatus according to claim 1, wherein an authority to be given to the user in the second control unit is specified based on the authority to use resources on the network.
The present invention according to claim 5 provides:
The specifying means does not correspond to the authority used by the user to use the resource in the first control means among the authority to use resources on the network set in the second control means. 5. The information processing apparatus according to claim 4, wherein the second control unit inquires of the user whether or not the authority is given to the user.
The present invention according to claim 6 provides:
The specifying means is included in the authority to use the resources on the network set in the second control means among the authority exercised by the user to use the resources in the first control means. 6. The information processing apparatus according to claim 4, wherein an authority related to the authority is added to an authority given to the user by the second control unit.
The present invention according to claim 7 provides:
Tenant management means for managing, on a tenant basis, a control function that controls access to the resource based on the authority to use resources on the network, and a management function that manages users who can access the resource using the control function When,
For a user who has been changed from being managed by one tenant to being managed by another tenant, based on information related to the use of the resource by that user in that one tenant, on the network granted to that user in that other tenant A means of identifying authority to use the resources of
An information processing apparatus comprising:
The present invention according to claim 8 provides:
The specifying means includes an authority exercised by the user to use the resource specified based on information on the use of the resource by the user in the one tenant, and a network set in the other tenant. The information processing apparatus according to claim 7, wherein the authority to be given to the user in the other tenant is specified based on the authority to use the above resources.
The present invention according to claim 9 provides:
The specifying means includes the authority that the user has exercised to use the resource in the one tenant, and the authority that is not included in the authority to use resources on the network set in the other tenant. The information processing apparatus according to claim 8, wherein an authority related to the authority is added to an authority given to the user in the other tenant.

According to the first aspect of the present invention, there is provided a configuration for granting authority to use resources on the network given to the user in the second control means without considering the state of exercising the authority of the user in the first control means. In comparison, it is possible to specify a resource or service with a high probability that the user uses the second control means and take over the authority to use the resource or service.
According to the invention of claim 2, the authority set in the second control means as compared with the configuration in which the authority is given in the second control means based only on the user's authority exercise status in the first control means. The authority can be given to the user according to the situation.
According to the invention of claim 3, the user exercises in the second control means as compared with the configuration in which the authority is given in the second control means based only on the user's authority exercise status in the first control means. You can grant the authority you want.
According to the invention of claim 4, in comparison with the configuration in which the authority is given by the second control means based only on the exercise status of the user's authority in the first control means, the authority is newly given in the second control means. Authority that can be granted without setting can be given to the user.
According to the fifth aspect of the present invention, it is compared with the configuration in which the authority is given by the second control means based on the user's authority exercise status in the first control means and the authority set in the second control means. Thus, the authority that the user desires to exercise in the second control means can be given.
According to the invention of claim 6, even when the right corresponding to the right that the user has exercised in the first control means is not set in the second control means, the right to substitute is given to the user. can do.
According to the invention of claim 7, a configuration for granting the authority to use resources on the network granted to the user in the tenant after the change without considering the exercise status of the user's authority in the tenant before the change of the management source Compared to the above, it is possible to specify a resource or service having a high probability of being used by the user in the tenant after the change and take over the authority to use the resource or service.
According to the invention of claim 8, in the tenant after the change, a new authority is newly given in the tenant after the change based on only the exercise status of the user's authority in the tenant before the change of the management source. Authority that can be granted without setting can be given to the user.
According to the invention of claim 9, even when the authority corresponding to the authority exercised by the user in the tenant before the change of the management source is not set in the tenant after the change, the authority to substitute is given to the user. Can be granted.

It is a figure showing the whole information processing system composition of this embodiment. It is a figure explaining the multitenant type management system by the information processing system of this embodiment. It is a figure which shows the hardware structural example of the computer which implement | achieves a tenant management server, a resource provision server, a client terminal, etc. It is a figure which shows the function structure of a tenant management server. It is a figure which shows the function structure of a resource provision server. It is a figure which shows the function structure of a client terminal. It is a flowchart which shows the operation | movement regarding the setting change of the authority at the time of a user's tenant transfer. It is a sequence diagram which shows the acquisition procedure of the role exercise | movement history in the case of using a cloud service. It is a sequence diagram which shows the acquisition procedure of the role exercise | movement history in the case of using a software package. It is a sequence diagram which shows the acquisition procedure of the roll exercise | movement history in the case of using the function of information equipment. It is a figure which shows the function structure of the tenant management server in this modification.

Embodiments of the present invention will be described below in detail with reference to the accompanying drawings.
<Overall configuration of information processing system>
FIG. 1 is a diagram illustrating an overall configuration of an information processing system according to the present embodiment. As illustrated in FIG. 1, the information processing system 100 according to the present embodiment includes a tenant management server 10, a resource providing server 20, a client terminal 30, and an information device 40. Each device is connected via a network 50. 1, the tenant management server 10 and the resource providing server 20 constitute a service environment that provides resources and services on the network 50, and the client terminal 30 includes resources and services on the network 50. Configure a client environment that uses. The information device 40 is included in the service environment from the viewpoint that the function of the information device 40 is regarded as a resource that can be used on the network 50 and the function of the information device 40 is used from the client terminal 30. On the other hand, like the client terminal 30, the information device 40 can be an operation target device that is directly operated by the user via the user interface of the information device 40 itself. Therefore, from this viewpoint, it is included in the client environment.

  The tenant management server 10 is a server that manages authority for a user to use resources on the network 50, and is an example of a management unit. The tenant management server 10 is a server that controls access to resources by the user based on the authority to use resources on the network 50, and is an example of a control unit. Here, the resources on the network 50 refer to hardware, software, data, and the like that can be used by the user via the network. Here, when a service (Web service or cloud service) provided on a network is used, hardware and software used to provide the service are used. Therefore, in this embodiment, the resources on the network 50 include services provided on the network. When operating the information device 40 via the network 50, the function of the information device 40 is included in resources that can be used from the client terminal 30 on the network 50. Details of the tenant and user authority will be described later.

  The resource providing server 20 is a server that provides specific resources via a network, and is an example of a resource providing unit on the network 50. The resource providing server 20 includes a so-called service provider. A service provider is a server that provides a service (Web service or cloud service) via a network. The service as a resource provided by the resource providing server 20 is realized by, for example, processing using an application program (Web application) used via the network 50 or an application program placed in the back end. The Services provided by the resource providing server 20 include provision of hardware resources such as storage and processors, provision of software itself (software package), and the like.

  The client terminal 30 is a terminal device that uses a service provided by the resource providing server 20 via the tenant management server 10. The client terminal 30 is, for example, a personal computer, a portable information terminal such as a tablet terminal or a smartphone, or other information terminal that can connect to the tenant management server 10 via the network 50 and use resources on the network 50. . As described above, in order to use resources on the network 50, functions of the information device 40 are used via the network 50 in addition to using services, hardware resources, and software packages provided by the resource providing server 20. Use is also included.

  The information device 40 is an information processing device that can be connected to the network 50 used by the user, and is a device other than the client terminal 30 and managed by the tenant management server 10. The information device 40 itself has a user interface and, like the client terminal 30, can be an operation target device that is directly operated by the user. The information device 40 is realized by an office device or the like having a communication function for connecting to the network 50, for example. Specific examples include a copier, a scanner, a fax machine, a printer, and a multi-function machine having these functions in combination. In addition, an information terminal such as a personal computer or a tablet terminal shared in the office (not individually associated with the user) may be used as the information device 40. The functions of the information device 40 may be used from the client terminal 30 as resources on the network 50 managed and provided by the tenant management server 10. The information device 40 may be configured to be connected to the client terminal 30 via a LAN different from the network 50.

  The network 50 is a communication network used for data communication between devices constituting the information processing system 100. The type of the network 50 is not particularly limited as long as data can be transmitted and received. For example, the network 50 may be the Internet, a LAN (Local Area Network), a WAN (Wide Area Network), or the like. A communication line used for data communication may be wired or wireless. Further, each device may be connected via a plurality of networks or communication lines. As described above, in the information processing system 100, the client terminal 30 and the information device 40 constituting the user environment may be connected via a LAN different from the network 50. In this case, for example, a network connecting the client environment and the service environment may be constructed by connecting a LAN (LAN router) to which the client terminal 30 and the information device 40 are connected to the network 50.

<Management function of information processing system>
FIG. 2 is a diagram for explaining a multi-tenant type management method by the information processing system of this embodiment. In the present embodiment, the tenant management server 10 manages authority for using resources on the network 50 by a multi-tenant management method. A tenant is a unit for managing the use of resources on the network 50. In the multi-tenant management method, multiple tenants are set and authority is managed for each tenant. Therefore, the tenant management server 10 is an example of a tenant management unit.

  Each tenant has a license for using a service (Web service or cloud service) provided by the resource providing server 20, a license for using a software package that can be used via the resource providing server 20, and the information device 40. A license for using the function is set. A license is a right to use a service or software package granted to a tenant. Licenses are granted to tenants from cloud service providers and software package vendors. The maximum number of users is set according to the license terms.

  Further, one or more users belong to each tenant. In actual operation, a tenant can be set in association with various organizations such as a company, a department within the company, and other groups, based on a usage contract or the like. In this way, the various licenses described above can be managed for each organization corresponding to the tenant, and the use of resources on the network 50 can be controlled. That is, a user belonging to a tenant (hereinafter referred to as a belonging user) and a license set for the tenant are management targets managed by the tenant. The organization in which the tenant is set can use resources on the network 50 in the same manner as each tenant uses dedicated resources provided on a separate system.

  A tenant administrator is set for each tenant, and the tenant administrator assigns roles to users belonging to the tenant. A role is a use authority of a license assigned (given) to a user. The tenant administrator is a person who permits the user to belong to the tenant, sets a role for the tenant's belonging user, and manages the assigned user and the role assigned to each belonging user. The tenant administrator is a person who sets a license in the tenant. A user belonging to a tenant (affiliated user) is a user who is registered in association with the tenant and is permitted to use the license set in the tenant according to the assigned role. The role of each user is determined within the scope of the license set for the tenant. For example, regarding the use of a software package, when the number of licenses set for a tenant is 10, a role for using the software package can be assigned to up to 10 users. In other words, even if there are more than 10 users belonging to this tenant, roles cannot be assigned to more than 10 affiliated users. In addition, when there is a restriction on the service content that can be used with a license set for a tenant with respect to the use of a certain cloud service, a role can be assigned to an affiliated user only for the service content for which a license is set. A role related to the restricted service content cannot be assigned to the affiliated user.

<Hardware configuration of each device>
FIG. 3 is a diagram illustrating a hardware configuration example of a computer that realizes the tenant management server 10, the resource providing server 20, the client terminal 30, and the like. A computer 200 shown in FIG. 3 includes a CPU (Central Processing Unit) 201 that is a calculation means, a main storage device (main memory) 202 that is a storage means, and an external storage device 203. The CPU 201 reads the program stored in the external storage device 203 into the main storage device 202 and executes it. For example, a RAM (Random Access Memory) is used as the main storage device 202. As the external storage device 203, for example, a magnetic disk device, an SSD (Solid State Drive), or the like is used. The computer 200 also includes a display mechanism 204 for performing display output on a display device (display) 210, and an input device 205 for performing an input operation by an operator of the computer 200. For example, a keyboard or a mouse is used as the input device 205. The computer 200 also includes a network interface 206 for connecting to the network 50.

  The configuration of the computer 200 illustrated in FIG. 3 is merely an example, and the configuration is not limited to the configuration example in FIG. For example, the storage device may include a nonvolatile memory such as a flash memory or a ROM (Read Only Memory). In addition, the specific configuration may differ depending on application targets such as the tenant management server 10, the resource providing server 20, the client terminal 30, and the like. For example, when the client terminal 30 is realized by a tablet terminal or the like, a touch panel that combines a touch sensor and a liquid crystal display is used as the input device 205. Further, the tenant management server 10 and the resource providing server 20 may be configured as a single computer 200 as illustrated in FIG. 3, or may be configured to be realized by distributed processing by a plurality of computers 200.

<Functional configuration of tenant management server>
FIG. 4 is a diagram illustrating a functional configuration of the tenant management server 10. As shown in FIG. 4, the tenant management server 10 includes a user registration unit 11, a license management unit 12, a role setting unit 13, a role management unit 14, a license request unit 15, an information storage unit 16, and an operation. A screen generation unit 17 and a transmission / reception control unit 18 are provided. The information storage unit 16 stores information such as belonging users, tenants, licenses, roles, and the like in association with each other. Details of each information will be described later. The functions of the user registration unit 11, the license management unit 12, the role setting unit 13, the role management unit 14, the license request unit 15, the operation screen generation unit 17, and the transmission / reception control unit 18 are, for example, in the computer 200 illustrated in FIG. This is realized by the CPU 201 executing the program. The information storage unit 16 is realized by, for example, the main storage device 202 or the external storage device 203 in the computer 200 shown in FIG.

  The user registration unit 11 is registration means for registering a tenant's affiliated user. Affiliated users are set and registered for each tenant. For example, the user registration unit 11 may register on the condition that the user is authenticated by an authentication server (not shown) connected to the network 50. A general IdP (Identity Provider) may be used as the authentication server. The IdP is a server that performs user personal authentication. Information on the registered belonging user is stored in the information storage unit 16 as user information 166, and correspondence information between the belonging tenant and the user is stored as belonging information 161.

  The license management unit 12 is a management unit that manages a license set for a tenant in association with the tenant. A license is individually set for each tenant. In addition, the license management unit 12 defines a role for a user belonging to each tenant to exercise a license in each tenant. The license information is stored as license information 163 and the role information is stored as role information 165 in the information storage unit 16. The license managed by the license management unit 12 is, for example, a license for using a service (Web service or cloud service) provided by the resource providing server 20 or a software package provided by the resource providing server 20. A license, a license using the function of the information device 40, and the like.

  The role setting unit 13 is a setting unit that sets a role for exercising the license set for the tenant for the user belonging to the tenant. The role is set within the scope of the license managed by the license management unit 12. When it becomes necessary to set a role beyond the scope of the license set for the tenant, it is necessary to respond by changing the license setting by the license management unit 12. For example, when a role needs to be set beyond the scope of the license set for the tenant, for example, when more licenses are set than the number of licenses set due to an increase in the number of users, etc. In some cases, a license with a content different from the content of the license is required.

  The role management unit 14 is a management unit that manages information about roles. Information on roles includes, for example, setting of a new role (granting a role to an affiliated user), deleting a role, information for identifying a tenant to which the role has been exercised (tenant ID), and identifying an affiliated user who has exercised the role Examples include information (user ID), operations performed when the role is exercised, and the date and time when the role is exercised.

  As described above, the tenant management server 10 uses the function of the license management unit 12 to control access to resources by a user belonging to the tenant based on the authority to use resources on the network set for each tenant. Further, the tenant management server 10 registers and manages users who can access resources on the network 50 by using the functions of the user registration unit 11, license management unit 12, role setting unit 13 and role management unit 14.

  The license request unit 15 is a request unit that requests the tenant administrator to request a license for granting a role to a user belonging to the tenant. As will be described in detail later, when the tenant to which the affiliation user belongs is changed, the license request unit 15 obtains the license necessary for assigning the role to the affiliation user and the tenant to which the affiliation user belonged before the change. After the change, the user is identified based on the license owned by the tenant to which the user belongs. In addition, when the tenant to which the affiliated user belongs is changed, the license request unit 15 obtains a license necessary for granting the role to the affiliated user in the tenant to which the affiliated user belongs before the change of the affiliated user. Specify based on the resources actually used (the authority that was exercised).

  Here, as described with respect to the role setting unit 13, a license is set for a tenant, and an authority is assigned to a member user as a role within the range of the license set for the tenant. Therefore, what the tenant administrator actually performs in response to the request from the license request unit 15 is role assignment. However, if the license set for the tenant is insufficient to meet the request from the license request unit 15, it may be necessary to respond by changing the license setting by the license management unit 12.

  In this embodiment, the license request unit 15 acquires an authority corresponding to an authority that the tenant before the affiliation change has when a certain user changes from the affiliation of one tenant to the affiliation of another tenant. To make a request. Therefore, when the user has authority based on the license not set in the tenant after the affiliation change in the tenant before the affiliation change, a request is made to acquire the same authority in the tenant after the affiliation change. When responding to this request, the tenant administrator sets a new license so that the role of the requested authority can be assigned to a new user. Details of processing related to a request for a license accompanying a change of the tenant to which the user belongs will be described later.

The information storage unit 16 is a storage unit that stores information used for managing tenants. Here, the information storage unit 16 stores affiliation information 161, tenant information 162, license information 163, license ownership information 164, role information 165, user information 166, role grant information 167, and role exercise history information 168.
The affiliation information 161 is information in which the user ID is associated with the tenant ID of the tenant to which the user specified by the user ID belongs.
The tenant information 162 is information in which the tenant ID is associated with the tenant attribute information (tenant attribute) specified by the tenant ID.
The license information 163 is information in which the license ID is associated with the attribute information (license attribute) of the license specified by the license ID.
The license ownership information 164 is information in which the tenant ID is associated with the license ID of the license owned (set) by the tenant identified by the tenant ID.
The role information 165 is information in which the license ID is associated with the role ID of the role defined for the license specified by the license ID.
The user information 166 is information in which a user ID is associated with user attribute information (user attribute) specified by the user ID.
The role grant information 167 is information in which the user ID is associated with the role ID of the role assigned to the user specified by the user ID.
The role exercise history information 168 is information in which the role ID and user ID are associated with the role specified by these IDs, the type of operation by the user, and the date and time when the operation was performed.

The user ID is identification information that identifies the user.
The user attribute is information indicating the attribute of the user related to the tenant, and may include information on the user in the organization in which the tenant is set. Specific attribute contents are determined according to, for example, the specifications, operational status, service, and the like of the tenant or the tenant management server 10.
The tenant ID is identification information that identifies a tenant.
The tenant attribute is information indicating the attribute of the tenant, and may include information on an organization in which the tenant is set. Specific attribute contents are determined according to, for example, the specifications, operational status, service, and the like of the tenant management server 10.
The license ID is identification information that identifies a license.
The license attribute is information indicating the attribute of the license set for the tenant, and may include the number of licenses, authority based on the license, contents of restrictions, and the like. Specific attribute contents are determined according to, for example, the types of resources and services that can be used by the license, the contents, and the like.
The role ID is identification information that identifies a role.
The type of operation for a role is information indicating whether a role is set, a role is deleted, or a role is exercised. Information on the date and time when these operations are performed is also included.

  The operation screen generation unit 17 is a screen generation unit that generates an operation screen for accepting an operation of a user belonging to the tenant. The operation screen is generated as a Web page, for example. The operation screen may be divided into an administrator operation screen for use by a tenant administrator and a user operation screen for use by an affiliated user. On the administrator operation screen, for example, operations for the user registration unit 11, the license management unit 12, the role setting unit 13, and the role management unit 14 are accepted. The administrator operation screen is generated when the tenant administrator logs in to the tenant managed by the tenant with the administrator authority, and is sent to the client terminal 30 of the tenant administrator. On the user operation screen, an operation for the function of the license request unit 15 is accepted. The user operation screen is generated when a user belonging to the tenant logs in as a user belonging to the tenant to which the tenant belongs and is sent to the client terminal 30 of the user belonging to the tenant. The operation screen sent to each client terminal 30 is displayed by the display means of the client terminal 30. When the tenant administrator or the affiliated user performs an input operation or the like on the operation screen displayed on the display unit of the client terminal 30, information on the operation content is transmitted from the client terminal 30 to the tenant management server 10. The login is an operation for authenticating a tenant's belonging user using preset account information in order to use resources on the network 50 under the management of the tenant management server 10.

  The transmission / reception control unit 18 is a communication unit for communicating with the resource providing server 20, the client terminal 30, and the information device 40. For example, the transmission / reception control unit 18 controls the network interface 206 shown in FIG. 3 and transmits / receives commands and data to / from the resource providing server 20, the client terminal 30, and the information device 40 via the network 50.

<Functional configuration of resource providing server>
FIG. 5 is a diagram illustrating a functional configuration of the resource providing server 20. As shown in FIG. 5, the resource providing server 20 includes an application execution unit 21 and a transmission / reception control unit 22. The functions of the application execution unit 21 and the transmission / reception control unit 22 are realized, for example, when the CPU 201 executes a program in the computer 200 illustrated in FIG.

  The application execution unit 21 is an execution unit that executes an application program that realizes processing related to resource provision by the resource provision server 20. For example, when the resource providing server 20 is a service provider, the application execution unit 21 executes a process related to a service (Web service or cloud service). When the resource providing server 20 is a server that provides a software package, the application execution unit 21 realizes a function as an LMS (License Management System) server that manages a license for using the software package. The LMS server is a server that confirms the validity of the license of the software package and grants permission for use.

  The transmission / reception control unit 22 is a communication unit for communicating with the tenant management server 10, the client terminal 30, and the information device 40. For example, the transmission / reception control unit 22 controls the network interface 206 shown in FIG. 3 and transmits / receives commands and data to / from the tenant management server 10, the client terminal 30, and the information device 40 via the network 50.

  In the present embodiment, authentication of a user who uses resources provided by the resource providing server 20 is performed by an authentication server (IdP or the like) (not shown). Therefore, as shown in FIG. 5, the resource providing server 20 does not have a means for user authentication. However, an authentication unit may be provided in the resource providing server 20, and user authentication may be performed in each resource providing server 20 without using the authentication server.

<Functional configuration of client terminal>
FIG. 6 is a diagram illustrating a functional configuration of the client terminal 30. As illustrated in FIG. 6, the client terminal 30 includes an operation screen display unit 31, an operation reception unit 32, and a transmission / reception control unit 33. The functions of the operation screen display unit 31, the operation reception unit 32, and the transmission / reception control unit 33 are realized, for example, when the CPU 201 executes a program in the computer 200 illustrated in FIG.

  The operation screen display unit 31 is a means for generating and displaying an operation screen for using a service or software package provided by the resource providing server 20, a function of the information device 40, or the like. For example, the operation screen display unit 31 controls the display mechanism 204 illustrated in FIG. 3 to display an operation screen on the display device 210. The operation accepting unit 32 is means for accepting an operation performed on the operation screen as an operation for using a service, a software package, a function of the information device 40, and the like. The operation receiving unit 32 receives, for example, an operation performed using the input device 205 illustrated in FIG. As an example, when providing services, software packages, functions of the information device 40 using the WWW (World Wide Web), the functions of the operation screen display unit 31 and the operation reception unit 32 are realized by a Web browser. .

  The transmission / reception control unit 33 is a communication unit for communicating with the tenant management server 10 and the resource providing server 20. For example, the transmission / reception control unit 33 controls the network interface 206 illustrated in FIG. 3 and transmits / receives commands and data between the tenant management server 10 and the resource providing server 20 via the network 50.

<Inheritance of authority based on tenant migration>
Next, in the present embodiment, a description will be given of handing over authority when a certain user changes from belonging to one tenant to belonging to another tenant. When a user belonging to one tenant (hereinafter referred to as tenant A) (hereinafter referred to as user a) is changed to belong to another tenant (hereinafter referred to as tenant B), There are cases where the tenant B wants to continue using the resources that have been used. On the other hand, among the resources that the user a has the authority to use in the tenant A before the change, the user a wants to use the resources that have only the authority to use and are not actually used. Otherwise, there is no need to take over the usage authority in the tenant B. On the other hand, if a role is set for a resource with a limited number of licenses that is not used by user a, this may cause other affiliated users who want to use the resource to be blocked. Therefore, in the present embodiment, considering the resource usage record of the user a in the tenant A, the authority that the user a has in the tenant A is related to the highly probable resource that the user a also uses in the tenant B. Regarding authority, a role is also set in Tenant B.

  FIG. 7 is a flowchart illustrating an operation related to authority setting change at the time of user tenant migration. The user a who intends to change his / her tenant inputs identification information (tenant ID) of the tenant A and the migration destination tenant B to which he / she belongs so far (S701). Specifically, for example, the tenant A logs in to the tenant A, and inputs the tenant IDs of the tenant A and the tenant B on the user operation screen generated by the operation screen generation unit 17 of the tenant management server 10. In addition, although it demonstrates as operation | movement which inputs tenant ID in the tenant A before transfer here, you may make it input tenant ID in tenant B of a transfer destination.

  When the tenant IDs of the tenant A and the tenant B are input, the license request unit 15 of the tenant management server 10 uses the authority that the user a has in the tenant A and the resources used by the user a in the tenant B. A list of authorizations (licenses) to be provided is created (S702). Specifically, the license for the role (the authority that the user a has) assigned to the tenant A using the user ID of the user a and the tenant ID of the tenant A is specified and listed. The user ID of the user a can be acquired from the input information at the time of login, and the tenant ID of the tenant A can be acquired from the input information in S701. Further, by referring to the license ownership information 164 stored in the information storage unit 16, the license ID of the license set for the tenant A can be specified from the tenant ID. Then, by referring to the role information 165, the role ID of the role set for the license of the tenant A can be specified. On the other hand, by referring to the role grant information 167, the role ID of the role granted to the user a can be specified. Based on these pieces of information, the license used by the user a in the tenant A and the assigned role are specified.

  Here, consider a case where the license set for the tenant A and the license set for the tenant B are different. For example, when there is a license that is set only in the tenant B, the user a can use resources that were not used in the tenant A if the role of the license is assigned. On the other hand, if there is a license set only in tenant A, if the same license is not set in tenant B, user a will have resources that cannot be used among resources used in tenant A. Therefore, in this embodiment, the license set for the tenant B is further checked and compared with the license set for the tenant A. The tenant ID of tenant B can be acquired from the input information in S701. Then, by referring to the license ownership information 164 stored in the information storage unit 16, the license ID of the license set for the tenant B can be specified from the tenant ID.

  In addition, the authority that the user a had in the tenant A was simply the authority (the role was assigned), and the user a did not use the resource based on the authority. Things may be included. Therefore, in the present embodiment, out of the roles assigned to the user a in the tenant A, the ones that have been used for resources (the ones that have been operated based on the roles) are extracted. By referring to the role exercise history information 168 using the role ID of the role assigned by the tenant A and the user ID of the user a himself as a key, the user a actually allocates resources. The role used for use can be specified.

  Based on the information obtained as described above, a list of licenses necessary for granting a role to the user a in the tenant B is created. In this list, a license used by the user a in the tenant A (a license in which the role of the resource used in the tenant A is defined) is described. In addition, when there is a license set only in the tenant B, a list including licenses set only in the tenant B in addition to the license used by the user a in the tenant A is created.

  Next, the license request unit 15 notifies the tenant administrator of the tenant B of the created license list (S703). The notified list is described, for example, on an administrator operation screen and displayed on the display device of the client terminal 30 of the tenant administrator. The tenant administrator determines a license to assign a role to the user a based on the acquired list. At this time, the tenant administrator performs various operations according to the relationship between the license set for the tenant B and the license requested in the list. For example, the list may include a license that is not set for the tenant B. In such a case, the tenant administrator may acquire a new license to assign a role to the user a, or may decide not to assign a corresponding role in the tenant B. Further, although the license is set for the tenant B, there is a case where the role cannot be simply assigned to the user a. For example, when a role is assigned to the user a, the limit on the number of licenses is exceeded. Even in such a case, the tenant administrator may change the license setting so that the role can be assigned to the user a, or may decide not to assign the corresponding role in the tenant B. good. Furthermore, the role assignment to another user who has already been assigned a role may be changed to user a. What kind of operation is specifically performed in these cases may be determined individually in accordance with the specifications and operation status of the system including the tenant management server 10.

  After the above determination, the tenant administrator performs an operation of assigning a role to the user a using the administrator operation screen displayed on the client terminal 30, and the role is transferred from the client terminal 30 to the tenant management server 10. Instructions for grant are sent. When the role setting unit 13 of the tenant management server 10 receives an instruction sent from the client terminal 30 of the tenant administrator (S704), the role setting unit 13 assigns a role to the user a according to the instruction (S705). Specifically, the role setting unit 13 refers to the license information 163 and the role information 165 to identify the role ID of the role assigned to the user a. Then, the specified role ID and the user ID of the user a are associated with each other and registered in the role grant information 167.

  As described above, in the present embodiment, the license request unit 15 creates a list of licenses to which a role can be assigned to the user a in the tenant B that is the migration destination to which the user a belongs. The role setting unit 13 receives an instruction from the tenant administrator based on the list, and assigns the role of the license specified by the instruction to the user a. Therefore, the license request unit 15 and the role setting unit 13 are examples of specifying means.

  In the above operation example, the list created in S702 is immediately notified to the tenant administrator in S703. On the other hand, the list created in S702 may be first presented to the user a and the user a himself may select a desired license. In particular, when a license that is set only in tenant B is included in the list, the license is not included in the license that user a used in tenant A. Therefore, the user a may be inquired whether the tenant B requests the license. The inquiry to the user “a” is made, for example, by displaying a list on the user operation screen and accepting the selection at the client terminal 30 of the user “a”. The license that is not requested by the selection of the user a is deleted from the list.

<Collecting role exercise history>
Next, collection of role exercise history will be described. In the present embodiment, when the tenant B creates a list of authority (licenses) to be provided to the user a (see S702 in FIG. 7), the user a actually allocates resources by referring to the role exercise history information 168. Identified the role that was being used. Here, a role exercising history acquisition procedure will be described for each of the use of a cloud service, the use of a software package, and the use of the function of the information device 40 as the use of resources based on roles. Here, it is assumed that personal authentication of a user belonging to a tenant is performed by an authentication server provided separately from the resource providing server 20 and the information device 40.

  FIG. 8 is a sequence diagram showing a procedure for acquiring a role exercising history when using a cloud service. The user belonging to the tenant accesses the resource providing server 20 as a service provider that provides a cloud service (S801). Here, the affiliated user accesses the resource providing server 20 using the license set for the tenant based on the role assigned by the tenant to which the affiliated user belongs in the tenant management server 10.

  When the affiliated user tries to access the resource providing server 20, first, an access request sent from the affiliated user's client terminal 30 is transferred to the authentication server 80 (IdP or the like) (S802). Personal authentication is performed (S803). When the personal authentication of the affiliated user is successful and an authentication result is sent from the authentication server 80 to the resource providing server 20 (S804), the affiliated user can use the service provided by the resource providing server 20 (S805). On the other hand, the authentication server 80 uses, as information (authentication log) related to the current authentication process, the user ID used for personal authentication of the user to which the user belongs, the license ID of the license corresponding to the service of the resource providing server 20 to be accessed, The authentication date and time are stored (S806).

  The role management unit 14 of the tenant management server 10 acquires an authentication log from the authentication server 80 at a timing different from the authentication and use of the service (S807). Acquisition of the authentication log is performed by, for example, periodic batch processing in a time zone with a low load such as at night. Then, the role management unit 14 extracts the license ID from the acquired authentication log, refers to the role information 165 stored in the information storage unit 16, and defines the role defined for the license having the extracted license ID. A list of role IDs is acquired (S808). Next, the role management unit 14 extracts the user ID from the authentication log, refers to the role grant information 167 stored in the information storage unit 16 and the list acquired in S808, and the role exercised by the affiliated user Is identified (S809). The role management unit 14 then identifies the user ID and role ID of the identified affiliation user and role, the authentication date and time (role exercise date and imitation) extracted from the authentication log, and the operation type (information indicating the role exercise) Is recorded in the role exercise history information 168 (S810).

  In the above operation, personal authentication of the belonging user is performed using the authentication server 80, but personal authentication may be performed in each resource providing server 20. Further, the tenant management server 10 itself may perform personal authentication. In the latter case, since the authentication log is stored in the tenant management server 10, it is not necessary to separately acquire the authentication log from the authentication server 80 by batch processing or the like as described above.

  FIG. 9 is a sequence diagram showing a procedure for acquiring a role exercising history when using a software package. As a premise, when the software package is activated for the first time, the software package is provided from the resource providing server 20 to the client terminal 30, the license key is authenticated by the LMS server 90, and the user authentication is performed by the authentication server 80. Has been done.

  The user belonging to the tenant activates the software package acquired from the resource providing server 20 in the client terminal 30 (S901). Then, the client terminal 30 transmits the user ID and the license key of the software package to the LMS server 90, and inquires about the validity of the license (S902). The LMS server 90 returns the determination result of the license validity to the client terminal 30 (S903), and notifies the authentication server 80 of the user ID, the license key, and the determination result (S904).

  If the license is valid according to the response from the LMS server 90, the software package can be used in the client terminal 30 (S905). On the other hand, the authentication server 80 includes the user ID acquired from the LMS server 90, the license ID of the license specified from the license key, and the determination date and time as information (authentication log) related to the use of the current software package. Save (S906).

  The role management unit 14 of the tenant management server 10 acquires an authentication log from the authentication server 80 at a timing different from the authentication and use of the software package (S907). Acquisition of the authentication log is performed by, for example, periodic batch processing in a time zone with a low load such as at night. Then, the role management unit 14 extracts the license ID from the acquired authentication log, refers to the role information 165 stored in the information storage unit 16, and defines the role defined for the license having the extracted license ID. A list of role IDs is acquired (S908). Next, the role management unit 14 extracts the user ID from the authentication log, refers to the role grant information 167 stored in the information storage unit 16 and the list acquired in S908, and the role exercised by the affiliated user Is identified (S909). The role management unit 14 then identifies the user ID and role ID of the identified affiliation user and role, the authentication date and time (role exercise date and imitation) extracted from the authentication log, and the operation type (information indicating the role exercise) Is recorded in the role exercise history information 168 (S910).

  In the above operation example, when the software package is activated, an inquiry about the validity of the license is made every time (see S901 and S902). However, the timing condition is set in advance and the condition is satisfied. You may make it inquire at the time of starting. The time condition may be determined based on the expiration date of the license. Further, the inquiry may be made periodically at intervals shorter than the license expiration date.

  FIG. 10 is a sequence diagram illustrating a procedure for acquiring a role exercising history when the function of the information device 40 is used. When the tenant user uses the information device 40, there are a case where the information device 40 is directly operated and used, and a case where the information device 40 is used remotely from the client terminal 30. Here, the former case will be described as an example. In addition, the information device 40 is connected to a device management server 70 that manages the information device 40 via the network 50, and the usage state, the state of the device, and the like are managed.

  When the user belonging to the tenant uses the information device 40, the user belonging to the tenant performs personal authentication by the authentication server 80 via the information device 40. The authentication information of the belonging user is recorded on, for example, an employee ID card using an IC card, and is read by a reading device provided in the information device 40 (S1001). The information device 40 transmits the read authentication information to the authentication server 80 (S1002).

  When personal authentication of the affiliated user succeeds in the authentication server 80 (S1003) and an authentication result is sent from the authentication server 80 to the information device 40 (S1004), the information device 40 is informed about the current authentication process (authentication log). The user ID used in the personal authentication of the affiliated user, the license ID of the license corresponding to the service of the resource providing server 20 to be accessed, and the authentication date and time are stored in a storage means such as a magnetic disk device or a semiconductor memory. (S1005). Then, the affiliated user can use the function related to the license of the information device 40 (S1006). In addition, the information device 40 periodically transmits management information related to usage status, device status, and the like to the device management server 70, and also transmits the authentication log together with the management information (S1007). The device management server 70 stores the management information (including the authentication log) received from the information device 40 (S1008).

  The role management unit 14 of the tenant management server 10 acquires an authentication log from the device management server 70 at a timing different from the authentication and use of the information device 40 (S1009). Acquisition of the authentication log is performed by, for example, periodic batch processing in a time zone with a low load such as at night. Then, the role management unit 14 extracts the license ID from the acquired authentication log, refers to the role information 165 stored in the information storage unit 16, and defines the role defined for the license having the extracted license ID. A list of role IDs is acquired (S1010). Next, the role management unit 14 extracts the user ID from the authentication log, refers to the role grant information 167 stored in the information storage unit 16 and the list acquired in S1010, and has been exercised by the user to which the role belongs. Is identified (S1011). Then, the role management unit 14 identifies the user ID and role ID of the identified belonging user and role, the execution date and time (role exercise date and time) of the operation (job) extracted from the management information, and the operation type (role exercise) Is recorded in the role exercise history information 168 (S1012).

  In the above operation example, the operation in the case where the belonging user directly operates the information device 40 has been described. However, depending on the type of the information device 40, the information device 40 is operated by remote operation from the client terminal 30 of the belonging user. There is a case. In this case, the personal authentication of the affiliated user may be performed by the authentication server 80 using the user ID input when logging in to the tenant A to operate the information device 40 via the tenant A, for example. In such a configuration, even if the information device 40 is not managed by the device management server 70, the tenant management server 10 stores the use history of the information device 40 to obtain information obtained from the use history and the authentication log. Can be recorded in the role exercise history information 168.

  As described above, the role exercising history acquisition procedure has been described for each of the use of the cloud service, the use of the software package, and the use of the function of the information device 40 as the use of the resource based on the role. However, the above operation example is merely an example, and the technique for acquiring the role exercising history is not limited to the above example.

<Modified example of tenant management server>
Next, a modification of this embodiment will be described. FIG. 11 is a diagram illustrating a functional configuration of the tenant management server 10 in the present modification. In the example shown in FIG. 11, the tenant management server 10 includes a user registration unit 11, a license management unit 12, a role setting unit 13, a role management unit 14, a license request unit 15, an information storage unit 16, and an operation. A screen generation unit 17, a transmission / reception control unit 18, and a related license determination unit 19 are provided. The information storage unit 16 includes affiliation information 161, tenant information 162, license information 163, license ownership information 164, role information 165, user information 166, role grant information 167, role exercise history information 168, and license related information 169. Stored. In the configuration shown in FIG. 11, the user registration unit 11, license management unit 12, role setting unit 13, role management unit 14, license request unit 15, information storage unit 16, operation screen generation unit 17 and transmission / reception control unit 18 are This is the same as each functional block shown in FIG. Of the information stored in the information storage unit 16, the affiliation information 161, the tenant information 162, the license information 163, the license ownership information 164, the role information 165, the user information 166, the role grant information 167, and the role exercise history information 168 include This is the same as the information shown in FIG. Accordingly, the same reference numerals are given and description thereof is omitted.

  The license related information 169 is information in which the license ID of each license is associated with a set of licenses that are specified in advance as a highly related license. A highly relevant license set is used at the same time, for example, the type and use of the licensed resource (such as using the result of processing using one resource in processing using another resource). It may be determined based on an attribute such as a large number.

  The related license determination unit 19 is a determination unit that determines another license related to one license (hereinafter referred to as a related license). When the license ID of one license is given, the related license determination unit 19 refers to the license related information 169 stored in the information storage unit 16 and acquires the license ID associated with the given license ID. As an example, the related license determination unit 19 uses the related license to request when the license request unit 15 requests acquisition of a license in the tenant after the change of affiliation in order to take over the license in accordance with the change of the tenant to which the user belongs. Determine the license.

  The operation of license takeover at the time of tenant migration will be further described. Referring to the operation example shown in FIG. 7, consider a case where the user a shifts from the affiliation of the tenant A to the affiliation of the tenant B. As described with reference to S702 in FIG. 7, the license request unit 15 provides the user a with the tenant B after the migration based on the authority that the user a had in the tenant A before the migration and the resources used. Create a list of permissions (licenses). At this time, the license request unit 15 inquires the related license determination unit 19 about the related license of the license included in the created list. The related license determination unit 19 refers to the license related information 169 in response to the inquiry, and if there is a related license, returns the license ID to the license request unit 15. The license request unit 15 adds the related license to the list based on the license ID acquired from the related license determination unit 19. Therefore, in this case, the license request unit 15, the role setting unit 13, and the related license determination unit 19 are examples of the specifying unit.

  The addition of the related license to the list may be performed in order to present a license that replaces the license when the license used by the user a in the tenant A is not set in the tenant B. In addition, since it is unclear whether the related license is a license that the user a desires to use, when the related license is added to the list, the created list is first presented to the user a and desired by the user a himself / herself. A license to be selected may be selected.

  As mentioned above, although embodiment of this invention was described, the technical scope of this invention is not limited to the said embodiment. Various modifications and substitutions of configurations without departing from the scope of the technical idea of the present invention are included in the present invention. For example, as described in the above operation examples, personal authentication, license authentication, authentication log storage, role exercise history information 168 recording, and the like may be replaced with other servers connected to the network 50. . In addition, the present embodiment can be applied to various systems that can manage users and licenses for each tenant by the tenant management server 10.

DESCRIPTION OF SYMBOLS 10 ... Tenant management server 11 ... User registration part 12 ... License management part 13 ... Role setting part 14 ... Role management part 15 ... License request part 16 ... Information storage part 17 ... Operation screen generation part 18 ... Transmission / reception control unit, 19 ... Related license determination unit, 20 ... Resource provision server, 30 ... Client terminal, 40 ... Information device, 50 ... Network, 161 ... Affiliation information, 162 ... Tenant information, 163 ... License information, 164 ... License Ownership information, 165 ... Role information, 166 ... User information, 167 ... Role grant information, 168 ... Role exercise history information, 169 ... License related information

Claims (9)

First control means for controlling access to the resource based on the authority to use the resource on the network;
First management means for registering and managing users who can access the resource via the first control means;
Apart from the first control means, second control means for controlling access to the resource based on the authority to use the resource on the network;
Second management means for registering and managing users who can access the resource via the second control means;
With respect to a user who has been changed from a management target of the first management unit to a management target of the second management unit, the second control is performed based on information on the use of the resource by the user in the first control unit. A specifying means for specifying the authority to use resources on the network granted to the user in the means;
An information processing apparatus comprising:   The identifying means is based on information related to the use of the resource by the user in the first control means, and the user out of the authority to use the resource given to the user in the first control means Identify the authority exercised to use the resource, present the authority information to the administrator of the second control means and the second management means, accept instructions from the administrator, The information processing apparatus according to claim 1, wherein an authority to be given to the user is specified by the second control unit.   The specifying means presents the authority information to the user, accepts a selection by the user, updates the authority information, and presents the updated authority information to the administrator. Item 3. The information processing device according to Item 2.   The specifying means is set in the second control means and the authority exercised by the user to use the resource specified based on information on the use of the resource by the user in the first control means 2. The information processing apparatus according to claim 1, wherein an authority to be given to the user is specified by the second control unit based on the authority to use resources on the network.   The specifying means does not correspond to the authority used by the user to use the resource in the first control means among the authority to use resources on the network set in the second control means. 5. The information processing apparatus according to claim 4, wherein the second control means inquires of the user about whether or not to grant the authority.   The specifying means is included in the authority to use the resources on the network set in the second control means among the authority exercised by the user to use the resources in the first control means. 6. The information processing apparatus according to claim 4, wherein an authority related to the authority is added to an authority to be given to the user by the second control unit. Tenant management means for managing, on a tenant basis, a control function that controls access to the resource based on the authority to use resources on the network, and a management function that manages users who can access the resource using the control function When,
For a user who has been changed from being managed by one tenant to being managed by another tenant, based on information related to the use of the resource by that user in that one tenant, on the network granted to that user in that other tenant A means of identifying authority to use the resources of
An information processing apparatus comprising:   The specifying means includes an authority exercised by the user to use the resource specified based on information on the use of the resource by the user in the one tenant, and a network set in the other tenant. The information processing apparatus according to claim 7, wherein the authority to be given to the user in the other tenant is specified based on the authority to use the above resources.   The specifying means includes the authority that the user has exercised to use the resource in the one tenant, and the authority that is not included in the authority to use resources on the network set in the other tenant. The information processing apparatus according to claim 8, wherein an authority related to the authority is added to an authority granted to the user in the other tenant.

Images