JP5505533B2 - Access control device, terminal device, and program - Google Patents

Description

The present invention relates to an access control device and a terminal device .

  With the recent improvement in security awareness, a security countermeasure system has also been introduced in server devices of server client systems, and it has become possible to make detailed settings such as file and process access restrictions for each user.

  For example, Patent Document 1 discloses an access control program, an information processing apparatus, and an access control method that improve security by restricting access according to combinations of authentication methods and their authentication orders, and further depending on the user. ing.

  In the authentication to the server device, the user inputs authentication information from the client terminal by combining one or more authentication methods (password authentication, card authentication, certificate authentication, biometric authentication, etc.) In response to this, the server device determines the authentication level based on the combination of the input authentication methods and the authentication order, and when accessing the file, the access operation by the user at the authentication level is performed. It is determined whether or not to restrict, and when there is no access right, the access operation is restricted.

  In addition, as a client terminal of a server client system, not only a PC but also a mobile terminal such as a smartphone or a mobile phone has come to be used, and even when such a mobile terminal itself is not used for a certain period of time. There are an increasing number of devices with various security functions, such as remote lock function and remote auto lock function.

JP 2007-156959 A

  In the server client system, an authentication level is set in advance based on a combination of authentication methods and an authentication order in the server client system, and based on the combination of authentication methods input by the server apparatus and the authentication order. An authentication level is determined, and file access control is performed according to the determined authentication level. However, the setting state related to the security of the client terminal is not considered.

  In order to increase security, it is necessary to frequently input a password at the client terminal. However, particularly in a portable terminal where the input is inconvenient, the lock function requiring the password input may be released due to the troublesome operation. If the client terminal in such a state is used, it becomes possible to easily access the server device, and no matter how much the security on the server device side is improved, the overall security cannot be improved.

An object of the present invention is to enable level management by reflecting the setting state on the terminal device side.

Claim 1 is an access control device for controlling access to various information resources, wherein level storage means for storing level information set for each user, and a user who accesses the information resource is authorized A determination unit that determines whether or not the user is a user, and an acquisition unit that acquires relative information according to a setting state in the terminal device used by the user when the determination unit determines that the user is a regular user. Change means for reading level information set for the user from each level information stored in the level storage means, and changing the level information based on relative information acquired by the acquisition means; , characterized by comprising a an access control means for controlling the access permission for the various information resources on the basis of the changed level information in said changing means.

Claim 5 is a terminal device that accesses an information management device that manages various information resources , wherein an acquisition means for acquiring a setting state in the terminal device, and a user using the terminal device receives the information Level for controlling to change the level information of the user set on the information management device side based on the setting state in the terminal device acquired by the acquisition unit when accessing the management device and control means, the respect to the access to the information management apparatus from the terminal apparatus, an access control means for controlling the access permission for the information resource based on the changed level information which is controlled by said level control means And.

According to the present invention, Ru be reflected level management at the time of accessing the setting state of the terminal device side.

  In addition, the operability of the user of the client terminal can be improved.

FIG. 1 is a diagram showing a network configuration example of a server client system to which an access control system according to an embodiment of the present invention is applied. FIG. 2 is a diagram illustrating a configuration example of an access control system according to an embodiment. FIG. 3 is a block diagram illustrating a hardware configuration example of the server apparatus and the client terminal according to the embodiment of the present invention. FIG. 4 is a diagram illustrating an example of a security level management table provided in the server apparatus. FIG. 5 is a diagram illustrating an example of a user management table provided in the server device. FIG. 6 is a diagram illustrating an example of a terminal lock setting table provided in the client terminal. FIG. 7 is a diagram illustrating an example of the unlock number input screen of the client terminal. FIG. 8 is a diagram illustrating an example of a terminal lock setting screen of the client terminal. FIG. 9 is a diagram illustrating an example of a login authentication setting table included in the client terminal. FIG. 10 is a diagram illustrating an example of a login authentication setting screen of the client terminal. FIG. 11A is a diagram illustrating an example of a login authentication input screen of the client terminal when the login authentication setting is “input every time”. FIG. It is a figure which shows an example of the login authentication input screen of a client terminal in case it is set to "Keep previous value". FIG. 12 is a diagram showing an operation flowchart of connection software executed by the client terminal and the computer of the server device and the access control program according to the embodiment of the present invention.

  Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings.

  FIG. 1 is a diagram showing a network configuration of a server client system to which an access control system according to an embodiment of the present invention is applied.

  The server client system includes a server device 10 and a plurality of client terminals 20 connected on a network N composed of a LAN (Local Area Network) or a WAN (Wide Area Network). The client terminal 20 includes various types such as a desktop type, a laptop type, a notebook type, and a portable terminal type. A relay device 30 having a wireless function is provided on the network N, and a mobile terminal type client terminal 20 having a wireless function such as a smartphone or a mobile phone is connected to the network N via the relay device 30. It has come to be.

FIG. 2 is a diagram illustrating a configuration example of the access control system according to the present embodiment.
The access control system is assumed to be a thin client system in which a desired application program is activated and executed on the server device 10 side by remote operation from the client terminal 20. The client terminal 20 uses a mobile phone that is a mobile terminal type. The client terminal 20 has a function of locking (hereinafter referred to as a terminal lock function) when it has not been operated for a certain period of time, and has a built-in thin client connection program (hereinafter referred to as connection software).

  In the thin client system, input information such as a key output signal and a mouse output signal according to a user operation of the client terminal 20 is transmitted to the server device 10 as an event signal each time it occurs. The server device 10 executes processing by executing an application program (text creation processing program, Web browser program, spreadsheet processing program, mail processing program, etc.) corresponding to the event signal from the client terminal 20. The drawing data for display generated along with this is transferred as screen update information to the client terminal 20 each time the drawing is updated, and is displayed on the display device of the client terminal 20.

  In other words, each client terminal 20 in this access control system mainly has an input function according to a user operation such as a keyboard and a mouse and an output function to a display device (including a printer in a type other than the portable terminal type). As a function, it does not have at least various application functions and data file management functions that the server device 10 has. And the data file produced | generated with the various processes started and performed in the server apparatus 10 according to the input information of the operation input (input event) from the client terminal 20 is fundamentally in the said server apparatus 10 Alternatively, it is stored and stored for each user account or as a shared file in a storage device such as a magnetic disk managed and managed by the server device 10.

FIG. 3 is a block diagram illustrating a hardware configuration example of the server device 10.
The server device 10 includes a CPU 11 serving as a computer. The CPU 11 is connected to a ROM 12, a RAM 14, a VRAM 15, a display device 16, an input device 17 such as a keyboard and a mouse, and a client I / O via a bus 12. F (interface) 18 is connected.

  The CPU 11 controls the operation of each part of the circuit using the RAM 14 as a working memory in accordance with a system program or various application programs stored in advance in the ROM 13, via a key input signal from the input device 17 or a communication I / F 18. The various programs are activated and executed in accordance with input information of a processing command (input event) corresponding to a user operation from the client terminal 20 received.

  In this server device 10, drawing data for client display is stored in the RAM 14 for each client in accordance with an application program activated and executed in accordance with input information from the client terminal 20 (not shown). And is compressed and then transferred from the communication I / F 18 to the client terminal 20 as image personal information and displayed. Note that drawing data to be displayed on the display device 16 of the server device 10 itself is generated on the VRAM 15.

  In this server device 10, various data generated according to an application program that is activated and executed according to input information from the client terminal 20 is stored in an external storage device (not shown) in association with the user ID, for example. The

  The ROM 13 further stores an access control program according to an embodiment of the present invention, which will be described in detail later, for controlling permission of access to the information resources of the server device 10 from the client terminal 20. The RAM 14 further stores a management table for that purpose. The ROM 13 may be constituted by a rewritable flash memory. In that case, a management table or the like may be stored in the ROM 13.

  FIG. 4 is a diagram showing an example of the security level management table 141 stored in the RAM 14 (or the ROM 13 constituted by a flash memory).

  The security level management table 141 defines a security level as a reference for permitting access to the information resource of the server device 10 for each information resource. That is, accessible information resources are defined for each security level.

  Here, in this example, the information resource is created by the user himself who wants to access, such as “own data” which he / she owns, “group data” shared by the group to which the user belongs, It includes “important data” that can be accessed only by a predetermined specific person, and “systems” that can be accessed only by extremely limited persons such as system administrators such as programs and data related to the system. In FIG. 4, “◯” indicates that operation is possible, “×” indicates that operation is not possible, access is prohibited, “RW” indicates that reading and writing are possible, “R” indicates that reading is possible, and “W” indicates that writing is possible, Each is shown.

  The security level management table 141 itself belongs to the “system” information resource, and can be operated only by a very limited person such as a system administrator. In this example, the security bell has seven levels. However, the present invention is not limited to this, and it is a matter of course that a larger number of information resources may be classified.

  FIG. 5 is a diagram showing an example of the user management table 142 stored in the RAM 14 (or the ROM 13 configured with a flash memory).

  Each user of the client terminal 20 can belong to a group, and is managed by this user management table 142 together with a default security level.

  That is, in this user management table 142, passwords, groups, and default security levels are registered in correspondence with the user IDs of the respective users. This user management table 142 also belongs to the “system” information resource, and can be operated only by a very limited person such as a system administrator. However, the password is automatically rewritten by the program according to the setting of each user made at an arbitrary time.

  The user ID “admin” is a system administrator, belongs to all groups, and has the highest default security level “7”.

  The hardware configuration of the client terminal 20 is the same as that of the server apparatus 10 shown in FIG. Therefore, a new drawing is not used by attaching reference numerals in parentheses to FIG.

  That is, the client terminal 20 includes a CPU 21 as a computer, and a ROM 23, a RAM 24, a VRAM 25, a display device 26, an input device 27, and a communication I / F 28 are connected to the CPU 21 via a bus 22.

  The CPU 21 controls the operation of each part of the circuit using the RAM 24 as a working memory in accordance with a system program stored in advance in the ROM 23, and is a server device received via a key input signal from the input device 27 and the communication I / F 28. The system program is activated and executed in response to an application response signal from 10 or screen update information. In the client terminal 20 that is a communication terminal type, the communication I / F 28 is configured as a communication device that performs wireless communication.

  Various data generated by executing the application program in the server device 10 is appropriately stored in an external storage device (not shown) of the server device 10 and appropriately stored in the client terminal 20 as screen update information for display. Come forward. In the client terminal 20, the compressed data is decompressed, written in the VRAM 25, and displayed on the display device 26.

  The ROM 23 further stores connection software corresponding to an access control program for controlling permission of access to the information resources of the server device 10 from the client terminal 20, and the RAM 24 further includes A management table and the like are stored. The ROM 23 may be constituted by a rewritable flash memory. In this case, a management table or the like may be stored in the ROM 23.

  FIG. 6 is a diagram showing an example of the terminal lock setting table 241 stored in the RAM 24 (or the ROM 23 configured with a flash memory).

  In the example of the terminal lock setting table 241, if the setting data of the terminal lock function is “setting ON”, the relative level is “0”, and if the setting data is “setting OFF”, the relative level is “−1”. It is registered. This value is set in advance, but may be configured to rewrite the value by communicating with the server device 10 when the connection software is activated. The access control program executed by the computer in the server apparatus 10 reflects the setting data relating to the security for the client terminal on the security level of the client terminal 20 (user) managed by the user management table 142, and the server The access permission to the information resource of the device 10 is controlled. Details thereof will be described later.

  As described above, the client terminal 20 has a terminal lock function for locking when it has not been operated for a certain period of time. FIG. 7 is a diagram illustrating an example of the unlock number input screen 262 displayed on the terminal screen 261 of the display device 26. The terminal lock function can be unlocked when the user inputs a number registered by the input device 27 on the unlock number input screen 262.

  FIG. 8 is a diagram illustrating an example of the terminal lock setting screen 263 displayed on the terminal screen 261 of the display device 26. The setting of the terminal lock function can be set by the user selecting either “set” or “cancel” on the terminal lock setting screen 263, and the setting data is stored in the RAM 24 (or the ROM 23 configured by a flash memory). Registered in a predetermined area. When “set” is selected, the setting is “setting ON” in the terminal lock setting table 241, and when “cancel” is selected, the setting is “setting OFF” in the terminal lock setting table 241. is there.

  If the terminal lock function is set to “cancel”, the security is weaker than when “set” is set. That is, in the case of the “release” setting, the client terminal 20 is in a security state weaker than the security level managed by the user management table 142 of the server device 10. Therefore, in the terminal lock setting table 241, a negative value is set as the relative level value for the “cancel” setting.

  FIG. 9 is a diagram showing an example of the login authentication setting table 242 stored in the RAM 24 (or the ROM 23 constituted by a flash memory).

  In the example of the login authentication setting table 242, the relative level is “0” if the login authentication setting data is set to “input every time”, and the relative level is “−2” if the “previous value” is set. If the “input is omitted” setting, the relative level is registered as “lowest” (for example, “−6” when using seven levels of security levels as shown in FIG. 4). This value is set in advance, but may be configured to rewrite the value by communicating with the server device 10 when the connection software is activated. The access control program executed by the computer in the server apparatus 10 reflects the setting data relating to the security for the client terminal on the security level of the client terminal 20 (user) managed by the user management table 142, and the server The access permission to the information resource of the device 10 is controlled. Details thereof will be described later.

  FIG. 10 is a diagram illustrating an example of the login authentication setting screen 264 displayed on the terminal screen 261 of the display device 26. The login authentication setting can be set by the user selecting “input every time”, “leave the previous value”, or “omit input” on the login authentication setting screen 264, and the setting data is stored in the RAM 24 ( Alternatively, it is registered in a predetermined area of the ROM 23) constituted by a flash memory. The case where “input every time” is selected is the state of “input every time” in the login authentication setting table 242, and the case where “keep previous value” is selected is “previous time” in the login authentication setting table 242 This is a state of setting “leave value”, and a case where “omit input” is selected is a state of “omit input” in the login authentication setting table 242.

  The connection software executed on the computer of the client terminal 20 is in accordance with the setting data of the login authentication setting registered in a predetermined area of the RAM 24 (or the ROM 23 configured with a flash memory) according to the server connection operation by the user. A login authentication input screen is displayed on the terminal screen 261 of the display device 26.

  FIG. 11A is a diagram showing an example of a login authentication input screen 265 when the setting data of the login authentication setting is “input every time”. The user inputs a user ID and a password, respectively. There must be.

  On the other hand, FIG. 11B is a diagram showing an example of the login authentication input screen 265 when the login authentication setting data is set to “leave the previous value”, and each of the user ID and password includes The previously entered value is automatically entered. The user ID and password can be used as they are, or edited, that is, another value can be input. Therefore, the “leave previous value” setting is weaker than the “input every time” setting. That is, in the case of the setting “leave the previous value”, the client terminal 20 is in a security state weaker than the security level managed by the user management table 142 of the server device 10. Therefore, in the login authentication setting table 242, a negative value is set as the relative level value of the “leave the previous value” setting.

  When the login authentication setting data is set to “Omit input”, even the login authentication input screen 265 is not displayed. Therefore, the security is weaker than the “leave the previous value” setting. Therefore, in the login authentication setting table 242, the lowest value is set as the relative level value of the “input is omitted” setting.

  Next, the operation of the access control system configured as described above will be described.

  FIG. 12 is a diagram showing an operation flowchart of connection software executed by the client terminal and the computer of the server device and the access control program according to the embodiment of the present invention.

  That is, when the connection software is activated on the computer (CPU 21) of the client terminal 20, first, the setting state of the terminal lock function stored in the RAM 24 (or the ROM 23 constituted by the flash memory) is acquired (step S201). At this time, if the acquired setting data of the terminal lock function is “setting ON” setting, the lock release number input screen 262 is displayed on the terminal screen 261 of the display device 26 and the lock No. When the number registered by the input device 27 is input by the user, the lock is released. If the acquired setting data of the terminal lock function is “setting OFF”, since it is not locked in the first place, the operation proceeds to the next operation without doing anything.

  Thereafter, when the user performs a predetermined server connection operation, a login input process corresponding to the setting data of the login authentication setting stored in the RAM 24 (or the ROM 23 constituted by the flash memory) is executed (step S202).

  At this time, if the login authentication setting data is set to “input every time”, the login authentication input screen 265 is displayed on the terminal screen 261 of the display device 26, and the user ID and password by the operation of the user input device 27 are displayed. Accept the input and start the login process. In this login process, the input user ID and password are transmitted as login information to the server device 10 via the communication I / F 28 and wait for reception of an authentication result from the server device 10.

  If the setting is “leave previous value”, the login authentication input screen 265 is displayed on the terminal screen 261 of the display device 26. In this case, however, the previous value is displayed in the already input state. This previous value can be edited as it is. And according to a user's operation, a login process is performed using the last value or the edited value as login information.

  If the “input is omitted” setting is set, the login process is automatically started using the default value stored in advance as the login information.

  On the other hand, in the computer (CPU 11) of the server apparatus 10, an access control program that performs connection authentication using a user ID and password, which is a general authentication method, and restricts resource access according to the security level is activated. When the login information (user ID, password) is received from the client terminal 20 (step S101), the received login is referred to by referring to the user management table 142 stored in the RAM 14 (or the ROM 13 configured with a flash memory). Login authentication processing is performed using the information, and the authentication result is returned to the client terminal 20 (step S102). If authentication fails (NG), the process returns to step S101 and waits for login information again. On the other hand, if the authentication is successful (OK), the reception of the relative security level from the client terminal 20 is awaited.

  In the client terminal 20, when NG is received as an authentication result from the server device 10 (step S203), the process returns to the step S202 and the login process is performed again.

  On the other hand, when OK is received as an authentication result from the server device 10 (step S203), a relative security level is calculated (step S204). That is, in accordance with the setting state of the terminal lock function acquired in step S201, the relative level value is read from the terminal lock setting table 241 stored in the RAM 24 (or the ROM 23 configured with a flash memory), and the step S202 is performed. The value of the relative level is read out from the login authentication setting table 242 stored in the RAM 24 (or the ROM 23 constituted by the flash memory) in accordance with the contents of the login authentication setting acquired in step S2. Then, the two read relative level values are added, and the result is calculated as a relative security bell. When the read relative level value is the lowest value, the lowest value is set as the relative security level.

  For example, when the user ID is “userA”, if the setting data of the terminal lock function is “setting OFF” and the login authentication setting data is “set to leave the previous value”, the relative level is “−1”, respectively. Since it is “−2”, the relative security level is “−3”.

  If the relative security level is calculated in this way, it is transmitted to the server device 10 (step S205). After that, the process proceeds to normal processing similar to that executed by the conventional client terminal (step S206).

  In the server device 10, when the relative security level is received (step S103), the default security level corresponding to the user ID included in the login information of the user used in the authentication process is read from the user management table 142, The read default security level and the received relative security level are added, and the result is calculated as an effective security bell. However, if the received relative security level is the lowest value, the lowest value is set as the effective security level.

  For example, when the user ID is “userA”, if the terminal lock function setting data is “setting OFF” and the login authentication setting data is “leave previous value”, the relative security level is “ Since the default security level is “5”, the effective security level is “5 + (− 3)” and “2”.

  If the effective security level is calculated in this way, the security bell of the user (client terminal 20) is reflected in the security system so as to be the calculated effective security level (step S105). This may be performed, for example, by registering the value in an area for registering the effective security level for each user provided in a predetermined area of the RAM 14 (or the ROM 13 constituted by a flash memory), or by managing the user management. It is also possible to add an effective security level item to the table 142 and register it there.

  Thereafter, the routine proceeds to the same normal processing as that executed by the conventional server device (step S106). However, when there is an access request to the information resource of the server device 10 from the client terminal 20, the computer (CPU 11) of the server device 10 performs the security according to the effective security level that is the security level at the time of execution. According to the definition in the level management table 141, access permission is controlled.

  For example, in the example of the user (client terminal 20) of “user A”, the security level is treated as “2” even though the default security level is “5”. Although the important data can be viewed and the group data can be rewritten, since the access is from the client terminal 20 with weak security, control is performed so that only the user's own data can be accessed.

  As described above, the security level preset in the server device 10 is changed so that the security of the server device 10 is strengthened according to the setting state at the time of use related to the security of the client terminal 20, so that the use of the client terminal 20 The state can be reflected in the security management, and the security management can be strengthened. Therefore, even if the user sets the security strength of the client terminal 20 to be weak, damage against theft can be prevented to a minimum.

  Further, since the security level preset in the server device is changed so that the security of the server device 10 becomes stronger according to the setting state at the time of use related to the security of the client terminal 20, the security may be changed strongly. In this case, the user terminal of the client terminal 20 can simplify the setting state during use, so that the operability of the user of the client terminal 20 can be improved. That is, there is an advantage that it is possible to reduce the labor for authentication only by changing the setting of the client terminal 20 according to the importance of the information resource to be accessed.

  Furthermore, the security for the client terminal 20 can effectively use the security provided by the client terminal 20 by including the lock function of the operation for the client terminal 20 and the function for specifying the login data input method at the time of login authentication. Therefore, it is not necessary to provide new security separately.

  In addition, since the effective security level is calculated by adding the relative security level value based on the security level value defined in the user management table 142, the calculation is simple and the load on the server device 10 is reduced. Must not.

  The calculation of the effective security level is not limited to the method of adding the relative security level (“0” or a negative value) to the default security level, but the relative security level (and the terminal lock setting table). Even if the effective security level is calculated by multiplying the default security level by setting the value of 241 and the login authentication setting table 242) to a decimal value equal to or smaller than “1”, the same effect can be obtained. it can. In this case, it is assumed that as the relative security level (and the relative level) is larger, the access authority is increased, that is, the security is weakened.

  In addition, the relative security level is transmitted from the client terminal 20 to the server device 10, but the relative level value corresponding to the setting data read from the terminal lock setting table 241 and the login authentication setting table 242 from the client terminal 20. May be transmitted to the server device 10, and the server device 10 may obtain the relative security level according to the received relative level value.

  Further, the setting data itself relating to the security for the client terminal 20 stored in the RAM 24 (or the ROM 23 constituted by a flash memory) is transmitted to the server device 10, and the terminal lock setting table 241 and login authentication are transmitted to the server device 10. A table corresponding to the setting table 242 may be prepared, and the server device 10 may obtain the relative security level according to the received setting data.

  Further, the terminal lock function and the login authentication function have been described as examples of the security function of the client terminal 20, but the security function of the client terminal 20 includes a remote lock function and the like, and a security function that can be set by the user Any number may be used, and the number is not limited to two, and any number may be used.

  In the above embodiment, the thin client system has been described. However, any method may be used as long as the client terminal 20 accesses the server apparatus 10 and has a security function. The client terminal 20 is not limited to a mobile terminal type such as a smartphone or a mobile phone, but may be a desktop type, a laptop type, a notebook type, or the like.

  Furthermore, although only data is used as the information resource subject to access control of the server apparatus 10, various other information resources such as process activation, browsing permission to the WEB site, and protocol restrictions can be controlled.

  Note that each processing method by the access control system described in the embodiment, that is, each method such as processing by the client terminal and the server device shown in the flowchart of FIG. 12, is a program that can be executed by a computer. , Stored in a storage medium of an external storage device such as a memory card (ROM card, RAM card, etc.), magnetic disk (floppy disk, hard disk, etc.), optical disk (CD-ROM, DVD, etc.), semiconductor memory, etc. it can. Then, the computer (CPU) of the server device or the client terminal reads the program stored in the storage medium of the external storage device into the RAM, and the operation is controlled by the read program. The access control function can be realized, and the same processing can be executed by the method described above.

  Further, program data for realizing each of the above methods can be transmitted as a program code form on a communication network, and the program data can be transmitted from a computer device (program server) connected to the communication network. It is also possible to implement the access control function described above by fetching and storing it in a ROM (flash memory) and reading it into a RAM, or directly fetching and storing it in a RAM.

  The present invention is not limited to the above-described embodiment, and various modifications can be made without departing from the scope of the invention when it is practiced. Furthermore, the one embodiment includes inventions at various stages, and various inventions can be extracted by appropriately combining a plurality of disclosed constituent elements. For example, even if some constituent requirements are deleted from all the constituent requirements shown in one embodiment or some constituent requirements are combined in different forms, the problems described in the column of the problem to be solved by the invention If the effects described in the column “Effects of the Invention” can be obtained, a configuration in which these constituent requirements are deleted or combined can be extracted as an invention.

10 ... Server device 11, 21 ... CPU
12, 22 ... Bus 13, 23 ... ROM
14, 24 ... RAM
15, 25 ... VRAM
16, 26 ... Display device 17, 27 ... Input device 18, 28 ... Communication I / F
DESCRIPTION OF SYMBOLS 20 ... Client terminal 30 ... Relay apparatus 141 ... Security level management table 142 ... User management table 241 ... Terminal lock setting table 242 ... Login authentication setting table 261 ... Terminal screen 262 ... Unlock number input screen 263 ... Terminal lock setting screen 264 ... Login authentication setting screen 265 ... Login authentication input screen N ... Network

Claims (10)

An access control device for controlling access to various information resources,
Level storage means for storing level information set for each user ;
Determining means for determining whether a user accessing the information resource is a regular user;
When it is determined that the user is a regular user by the determination unit, an acquisition unit that acquires relative information according to a setting state in the terminal device used by the user;
Change means for reading level information set for the user from each level information stored in the level storage means, and changing the level based on the relative information acquired by the acquisition means;
And access control means for controlling the access permission for the various information resources on the basis of the changed level information in said changing means,
An access control device comprising: The setting state is a setting state as to whether or not the terminal lock function for locking the terminal device when the terminal device has not been operated for a predetermined time is set as valid,
The acquisition means acquires relative information for lowering the level of the level information when the terminal lock function is not set as valid.
The access control apparatus according to claim 1. The determination means determines whether or not the user is an authorized user based on whether or not authentication information transmitted from a terminal device used by the user matches authentication information registered in advance for the user. To determine the
The access control apparatus according to claim 1 or 2, characterized by the above. The setting state enables an automatic authentication function in which authentication information transmitted by the terminal device is stored in the terminal device and automatically transmitted without an input operation by a user using the terminal device. It is a setting state whether or not it is set,
The acquisition means acquires relative information for lowering the level of the level information when the automatic authentication function is enabled;
The access control apparatus according to claim 3. A terminal device that accesses an information management device that manages various information resources ,
Acquisition means for acquiring a setting state in the terminal device;
When a user using the terminal device accesses the information management device, the level information of the user set on the information management device side is obtained by the terminal device acquired by the acquisition unit. Level control means for controlling to change based on the setting state;
For access to the information management apparatus from the terminal device, and access control means for controlling the access permission to said information resource based upon said level control means and the change level information that is controlled by,
A terminal device comprising: The setting state is a setting state as to whether or not the terminal lock function for locking the terminal device is set as valid when the terminal device has not been operated for a predetermined time,
The level control means, when the terminal lock function is not set as valid, controls to lower and change the level of the level information of the user,
The terminal device according to claim 5. The setting state enables an automatic authentication function in which authentication information transmitted by the terminal device is stored in the terminal device and automatically transmitted without an input operation by a user using the terminal device. It is a setting state whether or not it is set,
The level control means, when the automatic authentication function is enabled, controls to lower and change the level of the level information of the user;
The terminal device according to claim 5 or 6, wherein The level control means controls the information management device to change level information when the terminal device accesses the information resource in the information management device;
The access control means controls access to an information resource whose access permission is controlled based on the change level information in the information management device.
The terminal device according to claim 5, wherein: A program for controlling a computer of an access control device that controls access to various information resources ,
The computer,
Level storage means for storing level information set for each user ;
Determining means for determining whether a user accessing the information resource is a regular user;
An acquisition means for acquiring relative information according to a setting state in a terminal device used by the user when the determination means determines that the user is an authorized user;
Change means for reading level information set for the user from each level information stored in the level storage means, and changing the level information based on relative information acquired by the acquisition means,
Access control means for controlling the access permission for the various information resources on the basis of the changed level information in said changing means,
A computer-readable program designed to function as a computer. A program for controlling a computer of a terminal device that accesses an information management device that manages various information resources ,
The computer,
Acquisition means for acquiring a setting state in the terminal device;
When a user using the terminal device accesses the information management device, the level information of the user set on the information management device side is obtained by the terminal device acquired by the acquisition unit. Level control means for controlling to change based on the setting state;
For access from the terminal device to the information management device, access control means for controlling access permission to the information resource based on the change level information controlled by the level control means;
A computer-readable program designed to function as a computer.

Images