JP2005020310A - Information management system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a security system excellent in reliability and convenience by building radio communication network with a plurality of radio relay units capable of radio transmission with high directivity and an authentication system capable of arbitrarily setting authentication data in authenticating. <P>SOLUTION: In a BCP system 2, the radio communicating network with a plurality of radio relay units ST simultaneously unifies management of a terminal network consisting of a plurality kinds of terminals and a content management network consisting of a plurality kinds of contents for managing various kinds of information. An authentication system provided with a various authentication data registration BCP database 48 and a policy management section 44 for arbitrarily extracting a plurality items of authentication data from the database and arbitrarily setting an extracting timing is incorporated into a BCP database system 14. An collating function for collating the various data about clients and terminals with authentication data in authentication is built in the policy management section. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention constructs a wireless communication network with a plurality of wireless relay units capable of wirelessly transmitting various information signals with high directivity and, for example, personal authentication (personal identity) according to the security level, authentication environment or authentication purpose. By introducing an authentication system that can arbitrarily set a plurality of types of authentication data used for collation), for example, construction of a local network system using a commercially available mobile terminal, location information management (flow line) The present invention relates to a high-security information management system that can realize the construction of a system at a low price with high reliability and convenience.
[0002]
[Prior art]
Conventionally, an information management system for security management of various types of information (for example, business information and personal information) is known. For example, Patent Document 1 discloses an information processing system including various processing devices connected to a network. Techniques for supporting security state control and management have been disclosed. According to this technology, an operator can operate the terminal according to the management menu of the security system, thereby creating an information security policy, introducing a security system according to the information security policy, and managing the operation.
[0003]
For example, Patent Document 2 discloses a technique for policy management of various interfaces incorporated in a communication device (router or the like). According to this technique, it is possible to collectively manage each corresponding interface in response to a management operation request from a client terminal.
[0004]
Further, for example, Patent Document 3 discloses a technique for providing various types of information selected by a client from an information providing server constructed on a communication network. According to this technique, the client can display various types of information in a desired layout on the browser of the client terminal only by logging in to the information providing server once from the terminal (single sign-on).
[0005]
Further, for example, Patent Literature 4 discloses a technique for providing various types of information required by a client from an information providing server constructed on a communication network. According to this technology, the client only logs in to the information providing server once from the terminal (single sign-on), and eliminates unnecessary information from various information, and only the various information required by the client is displayed on the client terminal. Can be displayed in any browser.
[0006]
[Patent Document 1]
JP 2001-273388 A
[Patent Document 2]
JP 2002-271326 A
[Patent Document 3]
JP 2002-312090 A
[Patent Document 4]
JP 2002-312391 A
[0007]
[Problems to be solved by the invention]
By the way, the existing communication network is constructed by connecting the repeaters (base stations) of each terminal (for example, a fixed telephone or a PC: Personal Computer) with a wire, and therefore wiring work is separately required when constructing the network. , It will cost that much. In addition, since it is necessary to secure a space for routing the wiring, depending on the construction environment of the communication network, the routing of the wiring becomes complicated, and a space for routing the wiring has to be secured separately. In this case, not only labor and time are required for wiring operation, but also the cost is increased accordingly.
In order to solve such problems, it is conceivable to construct a wireless communication network. However, it is difficult to isolate the antennas (radio wave shielding) between the wireless interfaces, so communication between the wireless communication networks is difficult. May interfere with each other and may not be able to maintain a stable communication state.
[0008]
In recent years, with the liberalization of communication, portable terminals of various communication formats have become widespread, and networks using these portable terminals have also diversified. In this case, it is necessary to smoothly connect different networks to each other, but various relays (base stations) corresponding to communication frequency bands of mobile terminals (for example, mobile phones and PHS (Personal Handyphone System)) are installed. Therefore, it takes time and effort to install it.
[0009]
Furthermore, in recent years, various mobile terminals (for example, mobile phones, PHS, PDA (Personal Digital Assistants), etc.) have been widely used. Construction of private network systems using such mobile terminals, mobile terminals Needs such as the construction of a system for managing the flow of employees and the construction of a system for collaborating with outside employees are increasing based on the positional information obtained from the above.
As an example of an information management system that meets this need, a local PHS system (“PRIMANET: product name” manufactured by Sumitomo Electric Co., Ltd.) in which a portable terminal is integrated into a LAN (Local Area Network) is known.
[0010]
However, a conventional radio base station (for example, PHS) used in such a local PHS system has a limited number of terminals that can communicate with one base station. Then, it is necessary to install a plurality of base stations in the same place, which increases the cost.
[0011]
Further, in the above-mentioned local PHS system, authentication data (for example, ID (Identification) data, telephone number data, etc.) of the calling party PHS cannot be grasped / managed. There is a risk of easily intruding into the local PHS system or obtaining various types of information easily, making it difficult to ensure high security.
Furthermore, in the existing on-site PHS system, when registering / deleting / changing the telephone number of each mobile terminal, it is necessary to request a specialized supplier each time. In this case, the operation of the local PHS system must be temporarily stopped or interrupted while the specialist contractor registers, deletes, or changes the telephone number, and it becomes difficult to maintain smooth business efficiency. End up. Furthermore, since registration / deletion / change of the telephone number must be performed, for example, every time the organization is changed or personnel changes are made, expenses for the addition are cumulatively added.
[0012]
Further, in such a local PHS system, the login and access method is only key input of the portable terminal, and voice input of the terminal user is not permitted. In this case, if voice input is possible, for example, a visually impaired person or a person unfamiliar with terminal operation can easily access a desired management menu and various information by only his / her voice input. As a result, the system utilization efficiency can be greatly increased. However, the current situation is that no consideration is given to such advantages in conventional information management systems.
[0013]
Furthermore, in the conventional information management system as described above, policy management processing and authentication processing are performed on a browser of a client terminal (fixed terminal) installed at a predetermined location, and management menus and various types displayed on the browser The information is limited to text information and image information (still images, moving images). Further, when a client accesses from a terminal, a combination of a client name for identifying the client person {namely, ID (identification)} and a password for confirming that the person who entered it is the person himself / herself is used. Generally, identity verification is performed. For example, an ID card may be used instead of an ID input, such as a bank card, or a password may be used when the password is a number.
[0014]
In such information management systems, authentication processing is performed on the assumption that authentication data such as passwords and personal identification numbers is information that only the person knows, but depending on the type of authentication data, it may be easily deciphered. In addition to being at risk of being impersonated by others (lack of reliability), there is the inconvenience that if you forget the authentication data, you cannot access the target information (convenient) Lack of sex). In recent years, authentication data has been required in various systems, and it is dangerous to use the same authentication data. Therefore, a plurality of types of authentication data must be stored, and the client The burden of is large (lack of convenience).
[0015]
In this case, if personal characteristics (for example, voiceprint, fingerprint, face type, iris, name, job title, etc.) that makes the distinction from others remarkable are applied as authentication data, it is safer. Although authentication processing can be realized, in the conventional information management system, authentication processing is performed separately depending on the type of authentication data. For example, when performing voiceprint authentication and fingerprint authentication, each authentication data is processed separately by a voiceprint authentication system or a fingerprint authentication system. For this reason, if the number of types of authentication increases, the number of systems must be increased by that amount. As a result, the construction cost of the entire system increases, and there is a problem that practicality and economy are lacking.
[0016]
In addition, the authentication process that uses an ID card improves security, but if the ID card is inadvertently forgotten or lost, not only is there inconvenience that the target information cannot be accessed (lack of convenience). There are also many cases in which ID numbers are deciphered and used illegally (lack of reliability).
Also, in the current authentication process, authentication with similar contents is repeated over a long period of time, and the authentication contents are often in a state where it is easy for an outsider to grasp. Such a problem can be solved by changing the authentication content, but every time the authentication content is changed, the entire information management system has to be updated again, which requires cost and labor (convenience). lack of).
[0017]
The present invention has been made to solve such problems, and its purpose is to construct a wireless communication network with a plurality of wireless relay units capable of wirelessly transmitting various information signals with high directivity. In addition, by introducing an authentication system that can arbitrarily set a plurality of types of authentication data used when performing personal authentication (person verification) according to the security level, authentication environment, or authentication purpose, for example, a commercially available mobile phone An object of the present invention is to provide a high-security information management system capable of realizing a construction of a local extension network system using a terminal and a construction of a location information management (flow line management) system at a low price with high reliability and convenience.
[0018]
[Means for Solving the Problems]
In order to achieve such an object, the present invention can simultaneously and centrally manage a terminal network composed of a plurality of types of terminals including external lines and extensions and a content management network composed of a plurality of types of contents for managing various types of information. A possible information management system (BCP system) 2, which is a management base system (BCP base system) 14 that centrally manages various authentication data assigned to the client and the terminal, and the client issues an access request from the terminal. The input / output unit 16 that determines permission or disapproval of the access request based on the various authentication data centrally managed by the management base system, and the access request permitted by the input / output unit. Distribute access request destinations to at least one of terminal network and content management network The location information and movement status of the switching system 60 and each terminal constituting the terminal network are monitored in real time, and when the access request destination is distributed to the terminal network by the switching system, the access request of the client from the terminal network And an access request destination control system 62 for specifying, calling, and connecting a terminal matching the above.
In such an invention, when the client issues an access request from the terminal, the input / output unit can wirelessly transmit various information signals corresponding to the access request to a predetermined access request destination. A plurality of relay units ST are provided, and a wireless communication network is constructed by the plurality of wireless relay units.
Further, the management base system includes at least authentication data registration means (BCP database) 48 for registering various authentication data, and various authentications registered in the authentication data registration means when performing authentication for the client and the terminal. Authentication data extraction / setting means (policy management unit) 44 capable of arbitrarily extracting a plurality of authentication data from the authentication data and arbitrarily setting the extraction timing of the plurality of authentication data. The authentication data extraction / setting unit has a verification function for verifying various data related to the client and the terminal and authentication data when authenticating the client and the terminal. Yes.
The wireless relay unit includes a plurality of transmission / reception units (200, 202, 204, 206, 208, 210) that perform transmission / reception of a radio signal according to a frequency band used by each of a plurality of types of terminals, and a plurality of transmission / reception units, respectively. The provided transmission / reception antennas (P1, P2, P3, P4, P5, P6), the antenna control circuit 212 for controlling the wireless transmission direction when wirelessly transmitting the wireless signal via the transmission / reception antenna, and the wireless signal A terminal identification code for managing an access request destination based on a routing circuit 214 for selecting a route for wireless transmission to the access request destination and various terminal identification codes (IP address, MAC address, etc.) attached to the radio signal A management circuit 216; and a protocolization circuit 218 that converts an information signal into a signal corresponding to a predetermined communication protocol; And output circuitry (LAN dedicated input-output circuit) 220 is provided for inputting and outputting to the switching system information signal converted to a predetermined communication protocol by the protocol circuit.
In an environment in which a wireless communication network is constructed by a plurality of wireless relay units, the antenna control circuit passes through a transmission / reception antenna so as to wirelessly transmit a wireless signal to the wireless relay unit on the route selected by the routing circuit. Thus, the wireless transmission direction of the wireless signal transmitted wirelessly is controlled.
In this case, a radio signal wirelessly transmitted from a transmission / reception antenna of a certain radio relay unit is taken into the transmission / reception unit from a transmission / reception antenna of a predetermined radio relay unit via each radio relay unit selected by the routing circuit. Thereafter, the signal is converted into a signal corresponding to a predetermined communication protocol by the protocolization circuit and sent out from the input / output circuit to the switching system.
In addition, each of the plurality of transmission / reception units communicates with the outside via a transmission / reception antenna and a demodulation circuit 222 that demodulates a radio signal taken into the transmission / reception unit from the transmission / reception antenna and obtains an information signal. A modulation circuit 224 that modulates possible radio signals and a transmission / reception circuit 226 that transmits / receives radio signals via a transmission / reception antenna are provided.
Further, the wireless relay unit is provided with a connector portion 228 that can be detachably fitted into an existing power supply outlet or socket provided on the premises or outside the premises. Is inserted into a power supply outlet, socket, or the like, so that the wireless relay unit can be set inside or outside the campus.
In such an invention, the various authentication data includes at least biometric identification data, object identification data, and timed identification data. The biometric identification data includes at least a voice print and a face indicating the personal characteristics of the client. Various types of data, such as type, palm print, fingerprint, iris, vein, writing movement when signing, terminal key and button timing when the client presses the terminal, stamping pressure and stamping speed, etc. The identification data includes at least the IP address and MAC address assigned to the terminal, telephone number, electronic seal, driver's license number, ID card and key used when the client logs in via the terminal, and identification number Various types of data obtained from signage are applicable, and the timed identification data includes at least the name, age, Place, family structure, belonging to the company name, department, job title, permanent address, place of birth, birthday, hobbies, various types of data of the e-mail address is applicable.
Here, the various data related to the client includes at least various data obtained from the personal characteristics and features of the client, and the various data related to the terminal includes at least various data obtained from the identification marker used by the client. The authentication data extraction / setting unit extracts the plurality of authentication data at various timings arbitrarily selected from at least every predetermined time, every predetermined day, every predetermined month, and every predetermined year, The number and type of authentication data extracted are changed regularly or irregularly according to various timings.
[0019]
DETAILED DESCRIPTION OF THE INVENTION
As shown in FIG. 1, the information management system of the present invention is connected to a network so that terminals can communicate with each other, and manages a terminal network composed of a plurality of types of terminals including external lines and internal lines, and various information. And a content management network composed of a plurality of types of content are controlled so that they can be centrally managed at the same time, and various information signals corresponding to access requests from a certain terminal are directed to a predetermined access request destination A plurality of wireless relay units ST capable of wireless transmission are provided, and a wireless communication network can be constructed by the plurality of wireless relay units ST. Such a wireless communication network itself constitutes a single network and can communicate with each other, and an information management system 2 {BCP (Business Communication Platform) as described later. It is also possible to communicate via a) system}.
[0020]
The plurality of radio relay units ST include a plurality of transmission / reception units (200, 202, 204, 206, 208, 210), transmission / reception antennas (P1, P2, P3, P4, P5, P6), an antenna control circuit, respectively. 212, a routing circuit 214, a terminal identification code management circuit 216, a protocolization circuit 218, and an input / output circuit (LAN dedicated input / output circuit) 220 (all of which will be described later).
[0021]
In this case, by controlling the radio transmission direction of the transmitting / receiving antennas (P1, P2, P3, P4, P5, P6) by the antenna control circuit 212 in an environment where a radio communication network is constructed by a plurality of radio relay units ST. The transmission / reception units (200, 202, 204,...) Are transmitted from the transmission / reception antennas (P1, P2, P3, P4, P5, P6) of the predetermined radio relay unit ST via the respective radio relay units ST selected by the routing circuit 214. 206, 208, 210), converted into a signal corresponding to a predetermined communication protocol by the protocolizing circuit 218, and sent from the input / output circuit (LAN dedicated input / output circuit) 220 to the switching system 60 (described later). It is.
[0022]
In addition, the information management system of the present invention introduces a multi-terminal communication system 100 capable of simultaneous communication with a plurality of mobile terminals (for example, PHS 10-1... 10-n) and an authentication system as described later. As a result, for example, the construction of a local network system using a commercially available portable terminal and the construction of a location information management (flow line management) system can be realized at a low price and with convenience while ensuring high security. It has become. Here, the external line and the internal line mean high-level concept terminals including an external line and an internal line fixed telephone, a mobile phone (PHS), a PDA, and a fixed terminal (PC: Personal Computer).
[0023]
Such a multi-terminal communication system 100 includes a common antenna 102, a signal input / output circuit 104, a modulation circuit 106, a demodulation circuit 108, and a protocolization circuit 110 (all of which will be described later). A radio signal captured from the antenna 102 (for example, an access request radio signal sent from a terminal 4, 6, 8, 10-1,. After being sent to the demodulation circuit 108 and demodulated into an information signal (access request), it is converted into a signal corresponding to a predetermined communication protocol by the protocolizing circuit 110. On the other hand, the information signal is sent to the modulation circuit by the signal input / output circuit 104 and modulated into a radio signal, and then sent out from the common antenna 102 to the outside.
[0024]
Further, the information management system includes an exchange system 60, an access request destination control system 62, and an address management unit 64 (all of which will be described later). According to this configuration, the access request destination is assigned to at least one of the terminal network and the content management network according to the access request of the client. In particular, when the access request destination is assigned to the terminal network, the terminal network The terminal that matches the client access request is called from the inside.
In the following description, in order to make the description easy to understand, the terminal network is divided into a client terminal network and an access request destination terminal network, and terminals (client terminals 4, 6, 8,. 10-1... 10-n, 12), when the client issues an access request, the information management system matches the access request from the access request destination terminal network (access request destination terminals 76, 78, 80, 82). , 84).
[0025]
Hereinafter, an information management system according to an embodiment of the present invention will be described with reference to the accompanying drawings. In the following description, the configuration of the information management system 2 and the content management network will be described first, and then the switching system 60, the access request destination control system 62, and the address management unit 64 added to the information management system 2 will be described. Next, the multi-terminal communication system 100 will be referred to, and finally, a radio communication network constructed by a plurality of radio relay units ST will be described in detail.
[0026]
As shown in FIG. 1, the information management system 2 {BCP (Business Communication Platform) system} of the present embodiment includes a plurality of clients and a plurality of terminals 4, 6, 8, 10-1. A management base system (BCP base system) 14 that centrally manages various authentication data assigned to each, and a client issues an access request from any terminal 4, 6, 8, 10-1... 10-n, 12. When the access request is permitted by the input / output unit 16 and the input / output unit 16 for determining whether the access request is permitted or not based on various authentication data centrally managed by the BCP base system 14 Each access request destination content 18, 20, 22, 24, constituting the management network 6, 28 call various information from the API and a (Application Programming Interface) unit 30. As the client terminal, for example, a fixed telephone 4, a fixed terminal (PC: Personal Computer) 6, a mobile PC 8, a PHS 10-1... 10-n, a PDA 12, and the like can be assumed. A user who uses the terminals 4, 6, 8, 10-1,.
[0027]
When the client issues an access request from the terminals 4, 6, 8, 10-1... 10-n, 12, the input / output unit 16 converts the access request into a transmission signal corresponding to a predetermined communication protocol. Repeater 32 is provided, and the access request includes at least a voice access request from the terminals 4, 6, 8, 10-1... 10-n, 12 and a terminal 4, 6, 8, 10- 1... 10-n, 12 and access requests by browsers (key input, browser display screen input, etc.) are included.
[0028]
Communication protocols include, for example, H323, SIP (Session Initiation Protocol), TCP / IP (Transmission Control Protocol / Internet Protocol), and SMTP (Simple Mail Transfer Protocol) capable of communication between various systems (LAN) and between personal computers. ), SNMP (Simple Network Management Protocol) and other protocols (hereinafter referred to as standard protocols) can be applied.
[0029]
The repeater 32 receives a voice access request from the terminals 4, 6, 8, 10-1... 10 -n, 12 and a browser access request from the terminals 4, 6, 8, 10-1. Are transmitted to the BCP base system 14 together. In particular, when a voice access request is made, the repeater 32 converts the voice data into an IP packet and outputs it to the switching system 60. In this case, in the access by the browser, the access request is the transmission signal D corresponding to the standard protocol, and is transmitted as it is from the repeater 32 to the BCP base system 14.
[0030]
On the other hand, in the access by voice, the signal format S of the access request does not correspond to the standard protocol, and therefore cannot be transmitted from the repeater 32 to the BCP base system 14 as it is. For this reason, the repeater 32 is provided with a CTI (Computer Telephony Integration) unit 34 for converting the voice signal S into a transmission signal corresponding to the standard protocol. Is converted into a transmission signal corresponding to the standard protocol by the CTI unit 34 and sent to the BCP base system 14.
[0031]
In addition, as a transmission signal corresponding to the standard protocol, for example, HTML (Hypertext Markup Language), XML (Extensible Markup Language), XHTML (Extensible Hypertext Markup Language), VB can be used. .
In practice, the output signal from the repeater 32 is sent to the BCP base system 14 via the switching system 60, but the switching system 60 will not be described in detail here.
[0032]
The BCP base system 14 configured as described above is configured so that when a client issues an access request from the terminals 4, 6, 8, 10-1. The API unit 30 determines whether or not the user has the right to access 22, 24, 26, and 28 (hereinafter referred to as “access right”) based on various authentication data and determines that the access right exists. Various information called from the access request destination contents 18, 20, 22, 24, 26, 28 are output to the client terminals 4, 6, 8, 10-1... 10 -n, 12 via the input / output unit 16. .
[0033]
In the present embodiment, the various authentication data includes at least biometric identification data, object identification data, and timed identification data.
The biometric identification data includes, for example, a voice print, a face pattern, a palm print, a fingerprint, an iris, a vein, a writing motion wrinkle at the time of signature, a client terminal 4, 6, 8, 10-1. This corresponds to various types of data such as the terminal key and button stamping timing, the stamping pressure, and the stamping speed when keying n, 12. Such biometric data is positioned as a physical feature (biometrics) that is not shared by clients, and it is difficult to counterfeit, and is not stolen or forgotten (no need to remember), so it is reliable and convenient This is effective when a high security system is required. In addition, the stamping timing, the stamping pressure, and the stamping speed exhibit remarkable distinctiveness due to differences in the wrinkles and finger usage among clients.
[0034]
On the other hand, as the object identification data, for example, IP addresses and MAC (Media Access Control) addresses, telephone numbers, electronic seals, driving licenses assigned to the terminals 4, 6, 8, 10-1,. Various data obtained from an identification marker such as an ID card, a key, and a personal identification number used when a client logs in via a terminal. In this case, in particular, the IP address, the MAC address, the telephone number, and the personal identification number can be easily assigned to each of the terminals 4, 6, 8, 10-1,.
[0035]
The time identification data includes various data such as a client's name, age, address, family structure, company name, department, job title, family register, place of birth, birthday, hobby, and email address. Such timed identification data represents the identity of the individual client involved with a certain time or place restriction, and at the same time, the data is never forgotten, so a highly reliable and convenient security system is available. It is effective when necessary.
[0036]
In this case, it is possible to realize a simple and reliable security system in consideration of individual client features by arbitrarily combining these biometric identification data, object identification data, and timed identification data. In the present embodiment, security management (that is, authentication data combination processing) is performed by a policy management unit (authentication data extraction / setting means) 44 described later. Further, the various types of authentication data listed here are examples, and other types of authentication data can be used according to the purpose of use or the usage environment.
[0037]
The input / output unit 16 includes at least a proxy server mechanism 36 that performs relay processing between the client terminals 4, 6, 8, 10-1... 10 -n, 12 and the BCP base system 14, and the terminal 4. , 6, 8, 10-1... 10-n, 12, filtering the access request and performing a permission / refusal decision process for the access request, and a part of the program built in the BCP base system 14 And a cache mechanism 40 that stores and processes the permission / refusal decision for the access request from the terminals 4, 6, 8, 10-1... 10-n, 12 at high speed (see FIG. 2).
[0038]
The cache mechanism 40 stores a part of the security management program of the policy management unit 44 to be described later, and when the client issues an access request from the terminals 4, 6, 8, 10-1... 10-n, 12. .., 10-n, 12 for the client and the terminals 4, 6, 8, 10-1, 10-n, 12 (initial authentication (client authentication (person verification), terminal authentication)). For example, assuming that the information management system 2 according to the present embodiment is built in a certain company, the company accesses the company from the outside via the terminals 4, 6, 8, 10-1... 10-n, 12. In this case, the access request always passes through the input / output unit 16.
[0039]
In this case, the authentication data of the client and the terminals 4, 6, 8, 10-1... 10-n, 12 is used as part of the security management program of the policy management unit 44 in the cache mechanism 40 of the input / output unit 16. Store the initial authentication processing program. Specifically, biometric identification data indicating the personal characteristics of clients (company employees, company members such as parts), and allocated to terminals 4, 6, 8, 10-1... 10-n, 12, for example. Various authentication data such as object identification data such as an IP address, MAC address, electronic seal stamp, and timed identification data indicating the identity of the client are stored in the cache mechanism 40.
[0040]
As a result, when the client issues an access request from the terminals 4, 6, 8, 10-1... 10-n, 12, before the access request is processed by the BCP base system 14, the cache mechanism of the input / output unit 16 is processed. 40 enables client authentication and terminal authentication to be performed in advance. That is, based on various authentication data of the clients and terminals 4, 6, 8, 10-1... 10-n, 12, whether the client that issued the access request is a corporate member or not, the terminal 4 used for the access request. , 6, 8, 10-1... 10-n, 12 can be identified efficiently and quickly in advance (initial authentication). Note that when initial authentication is performed by the cache mechanism 40, control such as “what type of authentication data is used at what timing” is performed by a policy management unit 44 described later. .
[0041]
In this case, if access permission / inhibition determination is performed only by terminal authentication, “spoofing” due to theft of the terminal may not be completely prevented, so the client and the terminals 4, 6, 8, 10-1... 10-n , 12 are preferably used to determine whether access is permitted or not. As a result, when the client is a company member and the terminals 4, 6, 8, 10-1... 10-n, 12 used by the client are authenticated as company belonging terminals, The access request is granted by mechanism 38, otherwise it is denied. Only when the access request is permitted by the input / output unit 16, the BCP base system 14 determines whether or not it has an access right to access the access request destination content 18, 20, 22, 24, 26, 28. When an authentication process is executed based on various types of authentication data and it is determined that there is an access right, various information called by the API unit 30 from the access request destination contents 18, 20, 22, 24, 26, 28 is input / output. The data is output to the client terminals 4, 6, 8, 10-1 to 10 -n, 12 via the unit 16. As a result, by the initial authentication as described above, unauthorized access by an external access person into the BCP system 2 (inside the company) can be prevented in advance, and high security can be maintained and secured.
[0042]
The API unit 30 has an interface function for calling routines of various applications of the access request destination contents 18, 20, 22, 24, 26, 28, and the client is a terminal 4, 6, 8, 10-1,. When an access request is issued from 10-n, 12, when the BCP base system 14 determines that there is an access right, the API unit 30 sends various information from the access request destination contents 18, 20, 22, 24, 26, 28. call.
The BCP base system 14 includes at least an ACL (Access Control List) management unit 42 as a content setting management unit, a policy management unit 44, an input / output unit 46, and an authentication data registration unit according to the present embodiment. And a BCP database 48 having the functions as described above.
[0043]
The ACL management unit 42 sets and manages the access request destination contents 18, 20, 22, 24, 26, and 28 that the client can access from the terminals 4, 6, 8, 10-1. ing. More specifically, the ACL management unit 42 is a server (for example, content servers 18a, 20a, 22a, 24a, 26a) that can be accessed for each client and for each terminal 4, 6, 8, 10-1,. 28a), access request destination contents 18, 20, 22, such as various networks 18b, 20b, 22b, 24b, 26b, 28b and various content databases 18c, 20c, 22c, 24c, 26c, 28c managed by this server. Various information related to 24, 26, and 28 is managed, and various information to be managed is registered in the BCP database 48 in an access list table format (see FIG. 3).
[0044]
The policy management unit 44, which is an authentication data extraction / setting unit of the present embodiment, allows the client to access the access request destination from the terminals 4, 6, 8, 10-1... 10-n, 12 based on various authentication data. An authentication process for determining whether or not the user has the right to access the contents 18, 20, 22, 24, 26, and 28 is executed and managed (final authentication after initial authentication; hereinafter referred to as final authentication). That is, the policy management unit 44 is configured to be able to respond to security measures from various approaches in the environment where the information management system (BCP system) 2 of the present embodiment is constructed. As an example of a security measure, the client and the terminals 4, 6, 8, 10-1,..., 10-n, 12 are grouped for each access authority according to what kind of access request destination content is permitted. Efficient use of the network required by the environment (corporate, organization, etc.) that builds the BCP system 2, the amount and quality of resources in the environment, or the business content in that environment Is done.
[0045]
In this embodiment, an application example of security measures is shown in FIG. 1, and the policy management unit 44 has a plurality of types of contents (for example, personnel management LAN 18, attendance management LAN 20, accounting management) constructed in a certain company. The presence of the access right to the access request destination content (LAN 22, order management LAN 24, patent management LAN 26, location information management LAN 28, etc.) based on various authentication data clients and terminals 4, 6, 8, 10-1. -Execute authentication processing for n and 12. In this case, various types of authentication data used for the authentication process are registered in the BCP database 48.
[0046]
More specifically, the policy management unit 44, which is an authentication data extraction / setting unit of the present embodiment, arbitrarily selects a plurality of authentication data from various authentication data (see FIG. 5) registered in the BCP database 48. Data is extracted, and the client requests access requested content 18, 20, 22, 24, 26 from any terminal 4, 6, 8, 10-1,..., 10-n, 12 based on the extracted authentication data. , 28 is executed to determine whether or not the user has the right to access.
[0047]
In the authentication process in this case, for example, the personal characteristics and features of the client obtained when the client issues an access request from the terminals 4, 6, 8, 10-1. Various data (for example, various data related to the object) obtained from (for example, electronic seal stamps and driver's license numbers), and various types of authentication data as described above (biometric identification data, object identification data, time identification data related to a client registered in advance) Etc.). Such a collation function can be built (programmed) in the policy management unit 44, and collation as described above is performed by such a collation function.
[0048]
Before, during or after execution of the authentication processing by the policy management unit 44, the ACL management unit 42 described above is configured such that the client is a terminal 4, 6, 8, 10-1 based on the access list table of FIG. ... Access request destination contents 18, 20, 22, 24, 26, 28 that can be accessed from 10 -n, 12 are set (for example, △ × Taro has access rights to the personnel management LAN 18, and the authority level is 1 Set to).
[0049]
Further, the number and type of authentication data extracted by the policy management unit 44 and the extraction timing can be arbitrarily set. For example, it is possible to change the number and type of authentication data extracted at various timings arbitrarily selected from daily, monthly, and yearly, or change it every predetermined time of the day. Specifically, the number and type of authentication data extracted are changed regularly or irregularly at the extraction timing every day or every month, or every predetermined time (fixed time or irregularly) within a day. The number and type of authentication data extracted are changed regularly or irregularly at the extraction timing. This prevents the same authentication process from being repeated as before, making it difficult for outsiders to grasp the authentication contents, thereby preventing leakage of the authentication process contents and ensuring high security. It becomes possible.
[0050]
Note that the access request destination contents 18, 20, 22, 24, 26, and 28 shown in FIG. 1 are examples thereof, and are not limited to the following, and can be arbitrarily set according to the purpose of use and the use environment. It is possible to build content.
The personnel management LAN 18 is a network 18b managed by the personnel management server 18a, and various information such as personnel changes and organizational changes are registered in the personnel database 18c.
The attendance management LAN 20 is a network 20b managed by the attendance management server 20a, and various types of information such as work hours and work contents are registered in the attendance database 20c.
The accounting management LAN 22 is a network 22b managed by the accounting management server 22a. For example, various types of information such as budget settings at the end of the period and sales targets are registered in the accounting database 22c.
The ordering management LAN 24 is a network 24b managed by the ordering management server 24a. For example, various information such as past transition data of the product ordering quantity and estimation of the expected ordering quantity for this year is registered in the ordering database 24c. Has been.
The patent management LAN 26 is a network 26b managed by the patent management server 26a. For example, various information such as a list and contents of patent applications and a lawsuit record concerning patent infringement are registered in the patent database 26c.
The location information management LAN 28 is a network 28b managed by the location information management server 28a, and for example, various information such as flow lines (current location and movement status on and off the premises) of members (company employees and parts) are located. It is registered in the information database 28c.
[0051]
Also, the input / output unit 46 of the BCP base system 14 is called from the access request destination contents 18, 20, 22, 24, 26, 28 by the API unit 30 when the policy management unit 44 determines that the access right exists. Various information is output to the client terminals 4, 6, 8, 10-1 to 10 -n, 12 through the input / output unit 16. As a result, the client can confirm the contents of the target access request destination contents 18, 20, 22, 24, 26, 28 from the terminals 4, 6, 8, 10-1,. It becomes possible to change.
[0052]
The BCP database 48 of the BCP base system 14 stores the access request destination contents 18, 20, 22, 24, 26, and 28 that the client can access from the terminals 4, 6, 8, 10-1... 10-n, 12. Access list table (see FIG. 3) set for each client and each of the terminals 4, 6, 8, 10-1... 10-n, 12 and for each client and terminal 4, 6, 8, 10-1. The various authentication data (see FIG. 5) assigned to 12 can be registered.
[0053]
In the access list table, various types of information related to the access request destination contents 18, 20, 22, 24, 26, and 28 managed by the ACL management unit 42 are shown for each client and terminals 4, 6, and 6, as shown in FIG. 8, 10-1... 10-n, 12 are set separately. This figure shows a part of the access list table. The names, titles, affiliations, and clients of the president, senior managing director, and human resources department (such as general manager, section manager, general manager, and chief) The IP address and telephone number of the terminal to be used (such as a personal computer or PHS) are set. Also, access request destination contents 18, 20, 22, 24, 26, 28 that can be accessed by clients using the terminals 4, 6, 8, 10-1.
[0054]
Further, in the access list table, client access rights and authority levels for the access request destination contents 18, 20, 22, 24, 26, and 28 are defined in advance. The authority level is divided into five levels of 1 to 5, and the responsible ability for the access request destination contents 18, 20, 22, 24, 26, and 28 can be understood according to the level. For example, in the case where the title is the president △ × Taro, the president Taro has a terminal with an IP address “123.456.789.001” (for example, a fixed terminal 6) or a terminal with a telephone number “070-xxx-0001” ( For example, PHS10-n) is distributed, and President Taro issues an access request from the distributed terminal. In this case, the authority level of President Taro is the access right “present” and the authority level “1” for all access request destination contents 18, 20, 22, 24, 26, and 28.
[0055]
For example, as shown in FIG. 4, the authority levels are set in five stages from “1” having the highest authority level to “5” having the lowest authority level.
The client with the authority level “5” is “denied (contents cannot be confirmed)” for access to the access request destination content and has no access right.
The client with the authority level “4” is permitted only to “inquire (confirm)” to the access request destination content, and “delete, insert, update” is not permitted for the content of the content.
The client of the authority level “3” can make “update (predetermined content update)” and “query” of the content of the access request destination content.
In addition to the authority levels “4” and “3”, the client having the authority level “2” can “insert (add)” new contents into the access request destination content.
In addition to the authority levels “4”, “3”, and “2”, the client with the authority level “1” can “delete (change / rewrite)” the contents of the access request destination content.
[0056]
Therefore, President Taro of authority level “1” can “delete” the contents of the access request destination contents 18, 20, 22, 24, 26, and 28 using his / her own terminal (fixed terminal 6 or PHS 10-n). I understand that I can do it. In addition, for example, X □ Saburo Human Resources Manager has access right “Yes” for all access request destination contents 18, 20, 22, 24, 26, 28, but the authority level for the personnel management LAN 18 is “3”. Only “update” of the content is permitted. The authority levels for the attendance management LAN 20 and the accounting management LAN 22 are “4”, respectively, and it can be seen that only “inquiries” are permitted for these access request destination contents.
As described above, the ACL management unit 42 centrally manages various information related to the access request destination contents 18, 20, 22, 24, 26, and 28 based on the access list table registered in the BCP database 48.
[0057]
Such access request destination contents 18, 20, 22, 24, 26, and 28 often manage various types of information including relatively important contents. It is not desirable for security to obtain various information.
Therefore, the policy management unit 44 of the BCP base system 2 arbitrarily extracts a plurality of authentication data from various authentication data registered in the BCP database 48 at an arbitrary timing, and based on the extracted authentication data. Thus, an authentication process is executed to determine whether the client has the right to access the access request destination contents 18, 20, 22, 24, 26, 28 from the terminals 4, 6, 8, 10-1,. To do.
[0058]
Various types of authentication data are described in an authentication data table as shown in FIG. 5 and registered in the BCP database 48, for example. In the authentication data table of the figure, as an example, biometric identification data such as voice prints, face patterns, palm prints, fingerprints, irises, veins, and writing motion wrinkles at the time of signature, which indicate the personal characteristics of the client, Object identification data such as IP address, MAC address, phone number (fixed phone, mobile phone, PHS), electronic seal, driver's license number, key, and name, title, affiliation, permanent address, place of birth, Time-limited identification data such as hobbies are illustrated. The registration of authentication data can be performed at an arbitrary timing. For example, it can be registered in advance before the authentication process, or other authentication data can be additionally registered during the authentication process. . The authentication data may be registered by directly accessing the BCP database 48, or each client may access the BCP base system 14 from the terminals 4, 6, 8, 10-1... 10-n, 12. You may register.
[0059]
Each piece of authentication data indicates the characteristics of the individual client, and each client performs registration processing by itself. In this case, if it is a voiceprint, the dynamic pattern of the words uttered by the client is registered. In the case of a face type, a static pattern of a characteristic part (for example, the position of eyes, nose and mouth) in the client's face is registered. Similarly, the static pattern of the characteristic part is registered for palm print, fingerprint, and iris. In addition, since there is an individual difference between the clients regarding the writing exercise habit at the time of signing, dynamic patterns such as the locus and writing speed during the writing exercise are registered.
The dynamic pattern means authentication data patterned in a certain motion. For example, in the biometric identification data, a voice print, a vein, a writing motion discipline, and the like are applicable. On the other hand, the static pattern means that a constant pattern that does not change is used as authentication data, and corresponds to biometric identification data, object identification data, and timed identification data other than the dynamic pattern.
[0060]
In this case, particularly in voiceprint authentication, it is preferable to unify the client words registered in the authentication data table as authentication data into the same type. This is because the standard for distinguishing from others is ambiguous even if words that are disjoint and ununiform are registered. In this case, when the client issues an access request by voice from the terminals 4, 6, 8, 10-1... 10-n, 12, a message that gives a uniform response from the client is sent to the terminal. Send it back. Specifically, if you send a message saying "Please say your name", the client will always reply with your name in response to the message. For example, △ × Taro president should respond “Sankaketaro” or “Sankake”.
In order to perform the authentication process on the voiceprint pattern of the response, a dynamic pattern of “Sankaketaro” or “Sankake” may be registered as a voiceprint of the authentication data. Similarly, the voice pattern data of other clients register the dynamic pattern of the name of the client. By doing so, it is possible to perform comparison with another person on the basis of the pronunciation characteristics of the name at the time of voiceprint authentication, so that the comparison authentication standard becomes clear and it is possible to ensure highly reliable security.
In order to realize this routine, for example, a message “Please say your name” may be registered in the internal memory (not shown) of the policy management unit 44 or the BCP database 48.
[0061]
Further, when the target access request destination content 18, 20, 22, 24, 26, 28 is specified by voice, for example, “Please say the name of the access request destination content.” If you want to specify, please respond with “Personnel”. “If you want to specify the attendance management LAN 20, please respond with attendance”. Then, if the client desires access to the personnel management LAN 18, for example, the client should respond to this message “Jinji”. Therefore, also in this case, the dynamic pattern “Jinji” is registered as a voice print of the authentication data, and “Human Resources (Jinji is specified when the personnel management LAN 18 is designated in the internal memory of the policy management unit 44 or the BCP database 48”. Please reply). " Since the same routine may be registered for the other access request destination contents 20, 22, 24, 26, and 28, the description thereof will be omitted.
[0062]
Further, the policy management unit 44 extracts the authentication data necessary for the current authentication process from a plurality of types of authentication data registered for each client in this way. In this case, the number and type of extraction of authentication data are increased or decreased according to the authority level of each client set in the access list table (see FIG. 3). That is, the number and type of extraction of the authentication data are increased or decreased according to the type of the access request destination contents 18, 20, 22, 24, 26, and 28 that the client wants to access.
[0063]
At the highest authority level “1”, the highest security must be secured for the access request destination contents 18, 20, 22, 24, 26, and 28. There is a need to do more. In this case, for example, authentication data corresponding to the authority level “1” may be extracted by arbitrarily combining identification data of a living body, an object, and a time limit. As an example, voice prints, fingerprints, irises, keystrokes (terminal key and button stamping timing and stamping pressure and stamping speed) are extracted from the biometric identification data, and the IP address, A telephone number, a personal identification number, and the like may be extracted, and a name, age, department, job title, e-mail address, etc. may be extracted from the timed identification data.
[0064]
At the medium authority level “3”, it is only necessary to secure medium security for the access request destination contents 18, 20, 22, 24, 26, and 28. If it is appropriate. In this case, for example, two identification data are arbitrarily selected from each identification data of a living body, an object, and a time limit, and authentication data corresponding to the authority level “3” is extracted by arbitrarily combining the selected identification data. Just do it. As an example, a voice print and a fingerprint may be extracted from the biometric identification data, and a name, age, department, post, e-mail address, etc. may be extracted from the timed identification data.
[0065]
At the lowest authority level “5”, the access request destination contents 18, 20, 22, 24, 26, and 28 cannot be seen. Therefore, sufficient authentication data can be extracted if the user can be authenticated at least. In this case, for example, a voiceprint may be extracted from the biometric identification data, and either an IP address or a telephone number may be extracted from the object identification data.
[0066]
Here, assuming that the manager of X □ Saburo of the personnel department issues an access request from the terminal to the personnel management LAN 18 (see FIG. 1) (authentication permitted by the input / output unit), the ACL management unit is 42 in the access list table. Based on this, it is recognized that the manager X □ Saburo has an access right to the personnel management LAN 18 and the authority level is “3” (see FIG. 3). At this time, the policy management unit 44 extracts a voiceprint and a fingerprint from the biometric identification data, extracts a telephone number from the object identification data, and enters a standby state for authentication processing. Then, when the voice print or fingerprint (in fact, a pattern obtained by converting the voice print or fingerprint into an electrical signal) is transmitted via the input / output unit 16, these voice prints and fingerprints are stored in the authentication data table ( It is authenticated whether or not it matches the voiceprint or fingerprint pattern (voiceprint: dynamic pattern S-3, fingerprint: static pattern T-3) extracted from FIG. At the same time, authentication of the telephone number (070-xxx-0013) of the terminal used by General Manager X □ Saburo is also performed. In this authentication process, when the voiceprint, fingerprint pattern, and telephone number match each other, the client who issued the access request is authenticated as the head of X □ Saburo, and the head of × □ Saburo Access is also authenticated using.
[0067]
In this case, it can be assumed that the X □ Saburo General Manager uses another person's terminal (for example, ○ △ Hanako Human Resources Manager: see Fig. 3), but even in such a case, it is registered in the authentication data table. Since client authentication is performed based on the various authentication data, it is possible to accurately authenticate that the person who is accessing using another person's terminal is the head of X □ Saburo.
[0068]
As described above, when the policy management unit 44 determines that the access right exists, a signal to that effect is transmitted from the input / output unit 46 to the API unit 30. At this time, various information called from the access request destination contents 18, 20, 22, 24, 26, 28 by the API unit 30 is sent from the input / output unit 46 via the input / output unit 16 to the client terminals 4, 6, 8. , 10-1... 10-n, 12 are output. As a result, the client can confirm the contents of the target access request destination contents 18, 20, 22, 24, 26, 28 from the terminals 4, 6, 8, 10-1,. It becomes possible to change.
On the other hand, when a client tries to access content that is higher than his / her access authority, for example, when a manager of Hanako Human Resources Manager tries to access the attendance management LAN 20, the access right of Hanako Personnel Manager of the attendance management LAN 20 Is “none” (see FIG. 3), this access request is permitted. Such permission / denial processing may be performed directly by the ACL management unit 42 that manages the access list table, or may be performed by the policy management unit 44 in response to a command from the ACL management unit 42. good. The information management system (BCP system) 2 can be arbitrarily set according to the environment in which the information management system (BCP system) 2 is constructed and the purpose of use.
[0069]
A routine for calling various information from the access request destination contents 18, 20, 22, 24, 26, 28 by the API unit 30 is performed from the gateway 50 through the routers 52 to the target access request destination contents 18, 20, 22, 24. , 26 and 28, the load is relatively large and time is required. Therefore, in order to improve access efficiency, it is preferable to construct an information sharing system 54 in the BCP system 2.
The information sharing system 54 can store / update link information (for example, address, latest progress, contents, etc.) of various access request destination contents 18, 20, 22, 24, 26, 28 in real time. The link information is always feedback-controlled by the API unit 30. In this case, since the contents can be confirmed in a short time before accessing the target access request destination contents 18, 20, 22, 24, 26, and 28, if it is a simple inquiry request (access request) The access request destination contents 18, 20, 22, 24, 26, and 28 can be made in time by the link information fed back from the information sharing system 54 without accessing the contents. As a result, the load on the API unit 30 is reduced and the response time to the client is also shortened, so that the business efficiency by the BCP system (information management system) 2 of the present embodiment can be improved.
[0070]
Further, in the present embodiment, the information sharing system 54 distributes various schedule information to each of the clients and terminals 4, 6, 8, 10-1... 10-n, 12 by a desired distribution method. The schedules A, B, C, D, E... Can be managed. More specifically, the schedules A, B, C, D, E... Managed by the information sharing system 54 are determined at a predetermined timing (for example, real time, timing according to the purpose of use) by the information distribution circuit of the input / output unit 16. ). Then, when it is confirmed that the corresponding schedule information exists during the search, the information distribution circuit uses the distribution method in which the corresponding schedule information is pre-selected and the target client and terminals 4, 6, 8, 10- 1... 10-n, 12 are distributed.
In order to execute such a routine, the CTI unit 34 provided in the input / output unit 16 is controlled to function as an information distribution circuit. The CTI unit 34 uses the delivery method in which the schedule information corresponding to the schedule A, B, C, D, E... (See FIG. 6) is selected in the message memo (see FIG. 7). 6, 8, 10-1... 10 -n, 12 are distributed.
[0071]
In various schedules A, B, C, D, E..., Various schedule information can be entered / added / modified as shown in FIG. In the figure, schedules A, B, C, D, E, etc. of a personnel management meeting, an attendance management meeting, an accounting management meeting, an ordering management meeting, a content meeting, etc. are illustrated, and these schedules A, B, C are illustrated. , D, E... Are registered in the BCP database 48. Note that the schedule information of each schedule A, B, C, D, E... Can be arbitrarily set according to the environment in which the information management system (BCP system) 2 is constructed and the purpose of use. In the figure, as an example, the schedule A of the personnel management conference is shown, and the content of the conference, the conference location, the conference date, the conference start time and the end time can be set. Further, in the information delivery setting item, it is possible to set a routine for delivering the schedule information. In the figure, as an example, an example in which delivery is repeated every Tuesday is shown. In addition, alarms can be distributed before the start of the conference as necessary. In the figure, as an example, alarms are set to be delivered 1 hour before and 30 minutes before the start of the conference.
[0072]
In addition, in the message memo, for example, as shown in FIG. 7, a distribution method for clients and terminals 4, 6, 8, 10-1... 10 -n, 12 is defined. It is possible to set repeat settings and whether or not an alarm is necessary. For example, it can be seen that President △ × Taro demands that the schedule information be repeatedly delivered every Tuesday in both voice and text, and also requests an alarm before the start of the conference.
[0073]
Here, assuming that the schedule information of the personnel management meeting is distributed, the CTI unit 34 searches various schedules A, B, C, D, E (see FIG. 6) in real time, for example. When it is confirmed that the schedule information related to the personnel management meeting is distributed, the corresponding schedule information is displayed on the client and terminals 4, 6, 8, 10-1 based on the distribution method selected in the message memo (see FIG. 7). ... delivered to each of 10-n and 12. In the example of FIG. 7, the schedule information of the personnel management meeting is distributed to the clients attending the personnel management meeting, and the breakdown is a client other than the president of △ × Taro (□ × Jiro Senior Managing Director, × □ It is set to be distributed to Saburo Human Resources Department Manager, ○ △ Hanako Human Resources Division Manager, XX Kazuo Personnel Manager, XX Pure Personnel Manager, etc.). Therefore, the CTI unit 34 distributes the schedule information only to the corresponding client according to the setting condition.
As described above, the information sharing system 54 delivers meeting information and the like to the corresponding client in advance, thereby making it possible to improve the efficiency of business communication.
[0074]
Here, an example of the operation of the information management system (BCP system) 2 as described above will be described. In this description of operation, each access request destination content of the content network is transmitted from the client terminals 4, 6, 8, 10-1... 10-n, 12 through the input / output unit 16, the switching system 60, and the BCP base system 14. The process until the access to 18, 20, 22, 24, 26, and 28 will be described. However, the detailed description of the exchange system 60 will be described later.
[0075]
Assuming now that the manager of △ Hanako of the personnel department issues a request for access to the personnel management LAN 18 from the PHS 10-1 by voice, the initial authentication processing program for the manager of △ Hanako and the PHS 10-1 operates. At this time, Hanako Hanako's personal authentication and PHS 10-1 terminal authentication are performed by the cache mechanism 40 of the input / output unit 16. Then, when the Hanako section manager is a member of the personnel department and the PHS 10-1 is authenticated as the terminal of the person, the input / output unit 16 permits the Hanako section manager's access request, The exchange system 60 sends the Hanako section manager's access request to the BCP base system 14.
[0076]
At this time, if it is confirmed by the ACL management unit 42 of the BCP base system 14 that the section manager Hanako has access rights to the personnel management LAN 18 and the authority level is “4”, the policy management unit 44. Extracts the authentication data corresponding to the authority level “4”. For example, a voice print and a fingerprint are extracted from the biometric identification data, and a telephone number is extracted from the object identification data.
[0077]
Subsequently, a message “Please say your name” is sent from the BCP base system 14 to the PHS 10-1. At this time, Mr. Hanako
When responding “Hanako”, the policy management unit 44 collates whether or not the response pattern (voice print) matches the dynamic pattern S-4 registered in the authentication data table. Then, when it is confirmed that the collation matches, “Please say the name of the access request destination content” is prefaced, and “If you specify HR management LAN 18, respond with HR. Please send a message to the PHS 10-1.
[0078]
At this time, if the Hanako section manager responds with “Jinji”, the policy management unit 44 again confirms that the response pattern (voice print) matches the dynamic pattern S-4 registered in the authentication data table. Check whether or not. When it is confirmed that the verification matches, a message “please apply the fingerprint to a predetermined reader” is sent and the fingerprint authentication is performed. In this fingerprint authentication, it is checked whether or not the fingerprint of Hanako Hanako applied to the reader matches the static pattern T-4 registered in the authentication data table. Further, the telephone number authentication for the PHS 10-1 is also performed during the routine as described above.
[0079]
When all the authentication processes are completed, that is, when the policy management unit 44 determines that there is an access right, a signal to that effect is transmitted from the input / output unit 46 to the API unit 30. At this time, various information called from the personnel management LAN 18 by the API unit 30 is output from the input / output unit 46 to the PHS 10 via the input / output unit 16. As a result, the Hanako section manager can inquire about the contents of the target personnel management LAN 18 from the PHS 10-1.
[0080]
The configuration of the BCP system 2 and the content management network has been described in detail above. The BCP system 2 further includes an exchange system 60, an access request destination control system 62, an address management, as shown in FIG. A portion 64 is provided.
The address management unit 64 is constructed in the BCP base system 14 and stores the addresses of the terminals 4, 6, 8, 10-1... 10-n, 12 constituting the access request destination terminal network and the content management network. The addresses of the access request destination contents 18, 20, 22, 24, 26, and 28 that are configured can be managed simultaneously. In this case, the exchange system 60 and the access request destination control system 62 specify the access request destination based on each address managed by the address management unit 64.
[0081]
Specifically, the address management unit 64 extracts a terminal (each address such as an IP address and a telephone number) in the access list table (see FIG. 3) managed by the policy management unit 44 or the ACL management unit 42 and directly extracts it. It can be managed. For example, according to the management table shown in FIG. 8, each address such as an IP address and a telephone number is managed in association with each client's name (pattern 1, 2, 3, 4,...). In this case, when the access request destination is specified by the switching system 60 and the access request destination control system 62, the access request destination is specified by directly referring to the management table without going through the policy management unit 44 or the ACL management unit 42. Therefore, the specific process can be speeded up.
The management data table shown in FIG. 8 is registered in the BCP database 48.
[0082]
Further, the exchange system 60 can distribute the access request destination to at least one of the access request destination terminal network and the content management network based on the client access request permitted by the input / output unit 16. . More specifically, the exchange system 60 is controlled to start after the initial authentication (client authentication, terminal authentication) is completed by the input / output unit 16. In this case, as shown in FIG. 9C, the exchange system 60 sends a predetermined question and message to the client terminals 4, 6, 8, 10-1... 10-n, 12 (see FIG. 9A). And an automatic response mechanism 60a that receives a response message (see FIG. 9B) returned from the terminal 4, 6, 8, 10-1... 10-n, 12 by the client, and received by the automatic response mechanism 60a. An access request destination distribution mechanism 60b that distributes the access request destination to at least one of the access request destination terminal network and the content management network based on the response message is provided. Note that at least one is a concept that assumes a case of accessing one or both of the access request destination terminal network and the content management network.
[0083]
The automatic response mechanism 60a is a client (for example, Hanako ○ △
The question message for the access request destination of the personnel manager is sent to the terminal of the Hanako personnel manager (for example, PHS 10-1). In this case, for example, as shown in FIG. 9 (a), a question and answer message such as “Please input the access request destination by voice and key input” may be transmitted. As the question message, for example, voice data, character (still image, moving image) data, or both data formats can be arbitrarily combined depending on the purpose of use, and such a question message is stored in the exchange system database 60c. Can be registered in advance.
[0084]
Here, for example, when Hanako Human Resources Manager makes an outside or internal phone call to XX Pure Personnel Manager, at least, such as “Marukake Junichi” “Marukake” “Junichi” “Marukake Shinin” A response message including the name “◯ × Junichi” should be input by voice or key input (see FIG. 9B).
At this time, the address management unit 64 sends the response pattern “○ × Junichi” inputted by the voice of Hanako Human Resources Manager, and the name patterns 1, 2, 3, of each client registered in the management table (see FIG. 8). 4 is collated. In such collation processing, the nominal patterns 1, 2, 3, 4... Of the management table are compared with the response patterns, and when it is confirmed that they match each other, the access request destination may be XX pure one-person manager. Identified. The response messages are sequentially registered in the exchange system database 60c.
[0085]
On the other hand, when the access request destination telephone number (070-xxx-0043) is key-inputted (see FIG. 9B), the address management unit 64 stores the key-input telephone number and the telephone registered in the management table. Check with the number. Then, when it is confirmed that they match each other, it is specified that the access request destination is a terminal of XX pure person manager (for example, PHS 76: see FIG. 1). Note that the telephone numbers input by the keys are sequentially registered in the exchange system database 60c.
In addition, by registering the question message and the response message in the exchange system database 60c, it becomes possible to manage when and where the access request is issued together with its history.
[0086]
As described above, when the access request destination partner (Ox pure single clerk) and the terminal (PHS 76) are specified by the automatic response mechanism 60a, the access request destination is assigned to the access request destination terminal network and the access request destination distribution mechanism 60b. Sorted to at least one of the content management networks. Specifically, the access request destination allocation mechanism 60b searches the management network of the access request destination terminal network and the content management network to which the PHS 76, which is identified by the automatic response mechanism 60a, belongs to XX. Based on the search results, the access request destinations are distributed. In this case, in the distribution process, the monitoring result of the access request destination control system 62 is taken into consideration.
[0087]
The access request destination control system 62 monitors the location information and the movement state of each access request destination terminal 76, 78, 80, 82, 84 constituting the access request destination terminal network in real time. When the request destination is distributed to the access request destination terminal network, the access request destination terminals 76, 78, 80, 82, 84 matching the client access request are identified and called from the access request destination terminal network. Controlled to connect.
[0088]
More specifically, the access request destination control system 62 is provided with an access request destination monitoring mechanism 62a as shown in FIG. 9 (d), and the access request destination monitoring mechanism 62a performs the access request destination terminal network. The position information and the movement state of each terminal (access request destination terminals 76, 78, 80, 82, 84) are monitored in real time via the respective repeaters 66, 68, 70, 72, 74. Therefore, if each terminal is within the area of any one of the repeaters 66, 68, 70, 72, 74, the terminal position of the access request destination is specified in real time. For example, if the PHS 76, who is the chief HR manager, is within the area of the repeater 66, the position information is transmitted from the repeater 66 to the access request destination control system 62 in real time. Further, for example, even when the PHS 76, which is a XX pure HR manager, moves from the area of the repeater 68 to the area of the repeater 66, the movement state of the PHS 76 that has moved with the passage of time is successively transmitted.
[0089]
At this time, based on the position information and the movement state (monitoring result) output from the access request destination control system 62, the access request destination distribution mechanism 60b has a PHS 76 of XX pure affiliation manager belongs to the access request destination terminal network. The access request of the client, Hanako Personnel Section Manager, who is the client, is distributed to the access request destination terminal network (the request for making an outside line call or an extension call to the pure person manager). In such a distribution process, the monitoring result output from the access request destination control system 62 is sequentially registered in the control system database 62c, and the access request destination terminals 76, 78, 80, 82, and 84 are timed. It is possible to manage the position information and the movement state according to the history together with the history.
In addition, when the access request of the manager of Hanako Human Resources is distributed to the content management network, the subsequent process has already been described above, and the description thereof will be omitted.
[0090]
As described above, when the access request destination is distributed to the access request destination terminal network by the access request destination allocation mechanism 60b of the switching system 60, the access request destination control mechanism 62b is activated in synchronization with the access request destination terminal network. The terminal that matches the access request from the Hanako Personnel Section Manager (△ × PHS 76, who is the head of Pure Personnel) is identified and called out.
[0091]
At this time, if the access request destination terminal (○ × PHS 76 who is a pure HR manager) is currently in use, the access request destination control mechanism 62b sends a notification to that effect to the PHS 10-1 of Hanako Human Resources Manager. (See FIG. 10A). As a notification to that effect, a message such as “the access request destination terminal is currently in use. Please access again after a while” may be transmitted. When the access request destination PHS 76 is set to reject incoming calls, the access request destination control mechanism 62b sends a notification to that effect to the PHS 10-1 of Hanako Personnel Section Manager (see FIG. 10B). ). As a notification to that effect, a message such as “This access request has been denied” may be sent. As the message, for example, voice data, character (still image, moving image) data, or both data formats can be arbitrarily combined depending on the purpose of use, and can be registered in the control system database 62c in advance.
[0092]
Here, the operation of the exchange system 60 and the access request destination control system 62 will be described with specific examples.
As shown in FIG. 11, when Hanako Human Resources Manager issues an access request from PHS 10-1 (○ × Request to make an outside or extension call to a pure HR manager), access is made by BCP system 2 (switching system 60). The request destinations are distributed, and the PHS 76, which is a XX pure person manager, is called through the repeater 66. This state is controlled by the access request destination control system 62 (access request destination control mechanism 62b), and if the △ Hanako Human Resources Manager wishes to transfer to the □ Saburo Human Resources Department, the ○ × Pure Personnel Manager is the PHS76. The menu button 76a is pressed to display a menu screen on the display 76b. At this time, menu items such as (1) transfer, (2) hold, and (3) simultaneous call are displayed on the display 76b (see FIG. 12A), and the access request destination control mechanism 62b displays the menu items in the PHS 76. A message such as “Enter the desired menu item by voice or key input.” Is output as a voice.
[0093]
Now, ○ △ Hanako Personnel Section Manager wants to transfer to X □ Saburo Human Resources Department (PHS78), so ○ × Pure Personnel Manager inputs key on the corresponding dial button ▲ 1 ▼ (input with dial button 76c) ) Or enter “Tenso” by voice. The input signal at this time is transmitted to the access request destination control mechanism 62b, and its history is registered in the control system database 62c. Subsequently, a message such as “Please input the phone number of the transfer destination or the name of the transfer destination client by voice or key input” is output to the PHS 76 from the access request destination control mechanism 62b and output as text (FIG. 12B). reference). At this time, XX pure single-person manager is "Kakeshi""Kakeshika"
“Voice” may be input, or the telephone number (070-xxx-0013) of the PHS 78 may be input. The input signal is transmitted from the repeater 66 to the access request destination control mechanism 62 b, and the history is registered in the control system database 62 c and transferred to the PHS 78 of the □ Saburo HR manager via the repeater 68. During this transfer process, Hanako Human Resources Manager PHS 10-1 is maintained in a standby state by the access request destination control mechanism 62b. Then, when the XX Pure Personnel Manager cuts the PHS 76, XX Hanako Personnel Manager PHS10-1 and XXSaburo Human Resources Manager PHS78 can talk to each other (end of the transfer process).
[0094]
For example, in the case where the above three parties wish to make a simultaneous call, the XX pure person-in-chief may key-in the corresponding dial button (3) or input “sound-in-law” by voice. At this time, a message such as “Please input the phone number or transfer destination client name that you want to make a simultaneous call by voice or key input” is output from the access request destination control mechanism 62b to the PHS 76 by voice and text. Repeat voice input or key input.
Further, when the voice data (IP packetized voice data) IP packets are sent from the switching system 60 to the repeaters 66 and 68 described above, the repeaters 66 and 68 convert the IP packets into IP packets. The audio data is converted into audio data and output to each PHS 76, 78.
[0095]
The configuration of the BCP system 2 and the content management network, and the switching system 60, the access request destination control system 62, and the address management unit 64 added to the information management system 2 have been described in detail. Further, a multi-terminal communication system 100 as shown in FIGS. 1 and 13 is introduced.
The multi-terminal communication system 100 inputs and outputs a common antenna 102 capable of simultaneous communication with a large number of terminals (for example, mobile terminals such as PHS 10-1... 10-n) and signals received and transmitted via the common antenna 102. A signal input / output circuit 104 to be controlled; a modulation circuit 106 that modulates a radio signal that is transmitted via the common antenna 102 and can communicate with a plurality of terminals; a demodulation circuit 108 that demodulates the radio signal to obtain an information signal; A protocolization circuit 110 for converting the information signal into a signal corresponding to a predetermined communication protocol.
[0096]
A radio signal captured from the common antenna 102 (as described above, an access request radio signal issued by the client from the terminals 4, 6, 8, 10-1,... 10-n, 12) is transmitted by the signal input / output circuit 104. After being sent to the demodulation circuit 108 and demodulated into an information signal (access request), a signal corresponding to a predetermined communication protocol (standard protocol such as TCP / IP, SMTP, SNMP, etc. as described above) by the protocolization circuit 110 Is converted to On the other hand, the information signal is sent to the modulation circuit 106 by the signal input / output circuit 104 and modulated into a radio signal, and then sent out from the common antenna 102 to the outside.
[0097]
The wireless signal is a signal format in which various information signals are carried on a carrier wave when the signal is transmitted wirelessly, and the information signal is a signal format of the access request itself. As the signal format of the access request itself, for example, a command such as “I want to access the personnel management LAN 18 of the content management network” or “I want to call the PHS 76 of the access request destination terminal network” can be assumed.
[0098]
In addition, as a modulation method for modulating an information signal into a radio signal by the modulation circuit 106, for example, an analog modulation method or a digital modulation method can be applied. Here, for example, amplitude modulation (AM: Amplitude Modulation), frequency modulation (FM: Frequency Modulation), or the like can be selected as the analog modulation method. As digital modulation methods, for example, ASK (Amplitude Shift Keying), FSK (Frequency Shift Keying), PSK (Phase Shift Keying), QAM (Quadrature Amplitude Modulation, etc.) can be selected. Note that many other modulation schemes are known, and any modulation scheme can be applied according to the usage environment and purpose of the BCP system 2.
[0099]
The demodulation circuit 108 is an element that restores (demodulates) an information signal (access request) from the carrier wave of the wireless signal. As a demodulation method, for example, a signal modulated by a digital modulation method used in a mobile phone is demodulated. In this case, it is possible to select a synchronous method or an asynchronous method. In the synchronization method, for example, character synchronization (synchronization is performed by adding a synchronization code indicating a data start position before data), frame synchronization (synchronization is performed by adding a synchronization signal such as a flag sequence before and after the frame), etc. It is possible to select a method. In the asynchronous system, it is possible to select a method of synchronizing by adding special signals such as a start bit and a stop bit before and after data. Many other demodulation methods are known, and any demodulation method can be applied according to the usage environment and purpose of the BCP system 2.
[0100]
Although not shown in particular, the common antenna 102 has a plurality of reception lines built therein, and a portable terminal (for example, PHS10) that can simultaneously communicate with one multi-terminal communication system 100 by adding the reception line. −1... 10-n) can be increased.
Note that since the signal input / output circuit 104 can use commercially available elements as appropriate, detailed description thereof is omitted.
[0101]
The flow of the radio signal after being captured by such a multi-terminal communication system 100 includes the configuration of the BCP system 2 and the content management network described above, the switching system 60 added to the information management system 2, and the access request destination control. Since the operation is the same as that of the system 62 and the address management unit 64, the description thereof is omitted.
[0102]
As described above, the information management system 2 and the content management network, the switching system 60 added to the information management system 2, the access request destination control system 62, the address management unit 64, and then the multi-terminal communication system 100 have been described. The information management system (BCP system) 2 of the present embodiment is further configured as follows.
[0103]
That is, as shown in FIGS. 1 and 14 (a) and 14 (b), the input / output unit according to the present embodiment has clients connected to terminals (for example, terminals 4, 6, 8, 10-1... 10-n, 12) When an access request is issued from 12), a plurality of wireless relay units ST capable of wirelessly transmitting various information signals corresponding to the access request to a predetermined access request destination are provided. A radio communication network can be constructed by the radio relay unit ST.
[0104]
The wireless relay unit ST includes a plurality of transmission / reception units (200, 202, 204, 206, 208, 210) that perform transmission / reception of radio signals according to frequency bands used by each of a plurality of types of terminals, and a plurality of transmission / reception units. Transmission / reception antennas (P 1, P 2, P 3, P 4, P 5, P 6) provided respectively, an antenna control circuit 212 for controlling a wireless transmission direction when wireless signals are wirelessly transmitted via the transmission / reception antennas, and wireless signals Terminal that manages an access request destination based on a routing circuit 214 that selects a route for wirelessly transmitting a request to the access request destination and various terminal identification codes (IP address, MAC address, etc.) attached to the radio signal A code management circuit 216 and a protocolization circuit 21 for converting an information signal into a signal corresponding to a predetermined communication protocol When the input-output circuit (LAN dedicated input-output circuit) 220 is provided for inputting and outputting to the switching system 60 information signal converted to a predetermined communication protocol by the protocol circuit.
[0105]
In an environment in which a wireless communication network is constructed by such a wireless relay unit ST, the antenna control circuit 212 wirelessly transmits a wireless signal toward the wireless relay unit ST on the route selected by the routing circuit 214. The wireless transmission direction of the wireless signal transmitted wirelessly through the transmitting / receiving antennas (P1, P2, P3, P4, P5, P6) is controlled.
[0106]
The plurality of transmission / reception units (200, 202, 204, 206, 208, 210) include a 1.9 GHz band transmission / reception unit 200 for PHS, an 800 MHz band transmission / reception unit 202 and a 1.5 GHz band transmission / reception unit 204 for mobile phones, and a wireless LAN. 2.4 GHz band transmission / reception unit 206 and 5 GHz band transmission / reception unit 208, and UWB (Ultra Wide Band) band transmission / reception circuit 210 for wireless communication for the next generation are included. These are merely examples, and it is possible to add an arbitrary frequency band transmission / reception circuit according to the construction environment and purpose of use of a wireless communication network by a plurality of wireless relay units ST.
[0107]
As shown in FIG. 15, each of the plurality of transmission / reception units (200, 202, 204, 206, 208, 210) demodulates a radio signal taken into the transmission / reception unit from the transmission / reception antenna, thereby obtaining an information signal. A modulation circuit 224 that modulates an information signal into a radio signal that can communicate with the outside via a transmission / reception antenna, and a transmission / reception circuit 226 that transmits / receives a radio signal via the transmission / reception antenna. Yes.
[0108]
In this case, the modulation scheme applied to the modulation circuit 224 differs depending on the frequency band of the plurality of transmission / reception units (200, 202, 204, 206, 208, 210). For example, a π / 4 shift QPSK (Quadrature Phase Shift Keying) may be applied as the modulation circuit 224 of the 1.9 GHz band transmission / reception unit 200 for PHS.
As the modulation circuit 224 of the 800 MHz band transmission / reception unit 202 and the 1.5 GHz band transmission / reception unit 204 for a cellular phone, an orthogonal frequency division multiplexing (OFDM) or spread spectrum method (direct spreading, frequency hopping, etc.) is used. Apply it. As the modulation circuit 224 of the 2.4 GHz band transmission / reception unit 206 and the 5 GHz band transmission / reception unit 208 for wireless LAN, a direct spreading method (2.4 GHz band) or OFDM (5 GHz band) may be applied.
[0109]
The terminal identification code management circuit 216 rewrites the destination of the MAC address described in the wireless signal that has arrived at its own location to the MAC address of the wireless relay unit ST to be sent next, and transfers the source to its own MAC address. It has a function.
The input / output circuit (LAN dedicated input / output circuit) 220 can input / output the information signal to / from transmission lines L1, L2, and L3 described later, and includes a plurality of transmission / reception units (200, 202, 204, 206, 208, 210) is set to a bandwidth (for example, 5 GHz band) that can cover the amount of information transmitted and received.
[0110]
Further, the wireless relay unit ST is provided with a connector portion 228 that can be detachably fitted to an existing power supply outlet or socket provided on the premises or outside the premises. By fitting the unit 228 into a power supply outlet, socket, or the like, the wireless relay unit ST can be easily set inside or outside the campus.
[0111]
Specifically, for example, as shown in FIGS. 16 (a) and 16 (b), if the connector portion 228 is detachable with respect to a light bulb socket 232 provided on a ceiling (wall) 230 inside or outside the campus, The radio relay unit ST can be easily attached to the indoor ceiling 230 by simply screwing the connector portion 228 into the light bulb socket 232. For example, as shown in FIGS. 17A and 17B, if the connector part 228 is detachable with respect to the outlet 234 provided inside or outside the campus, the connector part 228 is simply fitted into the outlet 234. Thus, the wireless relay unit ST can be easily attached to the outlet 234.
[0112]
Here, a wireless communication network environment (see FIG. 14A) constructed by a plurality of wireless relay units ST is assumed. Under this environment, for example, when the client issues an access request from the terminal (PHS) 10-1 to the access request destination terminal or the content management network terminal (see FIG. 1), the information signal corresponding to the access request is displayed in the PHS10. Is received by the PHS 1.9 GHz band transmission / reception unit 200 via the transmission / reception antenna P1 of the radio relay unit ST covering the area where -1 is located, modulated by the modulation circuit 202 into a radio signal, and then the transmission / reception antenna Wirelessly transmitted from P1. At this time, the radio signal is received by the 1.9 GHz band transmission / reception unit 200 from the reception antenna P1 of the central radio relay unit ST via the radio relay unit ST selected by the routing circuit 214. Then, after being demodulated into an information signal by the demodulating circuit 222, it is converted into a signal corresponding to a predetermined communication protocol by the protocolizing circuit 218, and sent from the LAN dedicated input / output circuit 220 to the switching system 60 via the transmission lines L2 and L3. Sent out. Since the subsequent flow of the information signal sent to the exchange system 60 is the same as that already described above, the description thereof is omitted.
[0113]
In addition, since it is the same when there is an access request from other terminals 4, 6, 8, 10-2. However, the wired fixed terminals 4 and 6 cannot directly access the wireless relay unit ST. In this case, for example, a wireless gateway GW may be interposed.
[0114]
As described above, according to the present embodiment, for example, a plurality of authentication data arbitrarily selected from a plurality of types of authentication data used when performing personal authentication (person verification) according to the security level, authentication environment, or authentication purpose. And extracting a plurality of authentication data arbitrarily, it is possible to realize a highly reliable and convenient security system.
[0115]
That is, it is possible to prevent dangers such as being easily deciphered or stolen and pretending to be someone else. Further, in the authentication data (biometric identification data, object identification data, timed identification data) in the present embodiment, it is very unlikely that the contents will be forgotten, so that the target information cannot be accessed. . For example, as shown in FIG. 14, when the client enters the room, the card is passed through the card reader 302 of the verification unit 300, the PIN number button 304 is operated, the fingerprint is input to the fingerprint reading unit 306, and then the face type detection sensor 308 In a series of authentication processes in which type authentication is performed, changing the contents of the card read by the card reader 302 or changing the code number makes it difficult to decipher and steal the authentication data, thereby preventing so-called “spoofing”. be able to.
In addition, even if you forget the PIN number of the PIN number button 304 or if you have lost your card, the identity verification can be performed reliably by other authentication processes, so that high security can be maintained. Can do.
[0116]
Furthermore, according to the authentication system of the present embodiment, it is not necessary to store a plurality of types of authentication data as in the prior art, so that the burden on the client can be reduced. For example, as shown in FIG. 14 and FIG. 15, the identity verification can be performed without the client being conscious in a series of flows from entering the room to starting work at the desk. That is, the client and terminal are identified in a series of flows from the verification process by the verification unit 300 at the time of entering the room to the login of the personal computer 310 at the desk and the access request from the terminal (mobile phone, PHS, etc.) 312. Done.
[0117]
In addition, by simply installing (installing) the authentication program of this embodiment in the system (in this embodiment, the information management system), a plurality of authentication data can be arbitrarily extracted from a plurality of types of authentication data. In addition, the extraction timing of a plurality of authentication data can be arbitrarily set. For this reason, the authentication of the same content is not repeated over a long period of time, and as a result, it becomes difficult for outsiders to grasp the authentication content and maintain high security. Construction costs and labor can be greatly reduced.
[0118]
Furthermore, according to the present embodiment, since the wireless relay units ST can be connected to each other wirelessly, the conventional wiring work is not necessary, and the cost can be reduced accordingly. In addition, each wireless relay unit ST can be easily set on or off the premises simply by fitting the connector portion 226 into a power supply outlet or socket, so that a conventional space for wiring is provided. It becomes unnecessary, and the cost can be reduced accordingly. As a result, for example, it is possible to realize the construction of a local network system using a commercially available mobile terminal, the construction of a location information management (flow line management) system, and the like at low cost and with good convenience.
[0119]
Further, according to the present embodiment, the antenna control circuit 212 controls the radio transmission direction of the transmission / reception antennas (P1, P2, P3, P4, P5, P6), thereby easily isolating the transmission / reception antennas. Can take. According to this, radio signals communicated between the radio communication networks can always be maintained in a stable communication state without interfering with each other as in the prior art.
[0120]
Further, according to the present embodiment, by introducing the multi-terminal communication system 100 capable of simultaneous communication with a plurality of mobile terminals (for example, PHS10-1... 10-n), for example, a commercially available mobile terminal is used. It is possible to provide a high-security information management system that can realize the construction of the local network system and the construction of the position information management (flow line management) system at a low cost and with good convenience.
In this case, there is no restriction on the number of terminals that can make a call with one multi-terminal communication system 100, and a plurality of base stations are installed in the same place as in the past even in a busy place such as a downtown area. There is no need. As a result, it is possible to solve the problem that the installation cost increases as in the prior art.
[0121]
Further, according to the present embodiment, by centrally managing various authentication data such as IP address, telephone number, personal characteristics (voice print, face type, palm print, fingerprint, iris, name, title, etc.), for example, In addition, it is possible to provide a high-security information management system capable of simultaneously and collectively realizing the construction of a local network system using a commercially available portable terminal and the construction of a location information management (flow line management) system.
[0122]
Furthermore, according to the present embodiment, it is possible to realize integration with a local PHS system through an exchange system 60 that complies with a standard protocol for exchanging data such as voice and characters in real time on an IP network, for example. Furthermore, since a commercially available PHS terminal can also be used, it is inexpensive and enables high-speed access.
In addition, in the past, the contractor had to be entrusted to a specialist, so the specialist PHS system must be temporarily stopped or interrupted while the specialist is registering, deleting, or changing the telephone number. The problem that it becomes difficult to maintain smooth business efficiency, and the registration / deletion / change of the telephone number must be done, for example, every time the organization changes or personnel changes. There was a problem that was added cumulatively. However, according to the present embodiment, it is possible to independently register, delete, and change telephone numbers on the premises and off-site within the information management system, and as a result, it is possible to maintain smooth business efficiency. , Can realize a significant reduction in expenses.
[0123]
Furthermore, according to the present embodiment, the registration and change of the telephone numbers on the premises and outside the premises can be performed independently, so that the telephone number of the client can be set with uniformity for each department. For example, if the phone number of the Human Resources Department is unified to “3”, it is possible to differentiate it from other departments. Since departments can be narrowed down, it is possible to reduce the burden of search processing.
[0124]
In addition, according to the present embodiment, even when an access request is made by voice from the terminal, the voice signal S can be converted into a signal that can be transmitted over the network. Even a simple person can easily access a desired management menu and various kinds of information only with his / her voice input, and as a result, the utilization efficiency of the system can be greatly increased.
[0125]
Furthermore, according to the present embodiment, since the number and type of authentication data used for authentication processing can be changed at an arbitrary timing, it becomes possible to prevent leakage of authentication contents, and as a result, higher Security can be ensured.
[0126]
【The invention's effect】
According to the present invention, a wireless communication network is constructed by a plurality of wireless relay units capable of wirelessly transmitting various information signals with high directivity, and personal authentication is performed according to, for example, a security level, an authentication environment, or an authentication purpose. By introducing an authentication system that can arbitrarily set multiple types of authentication data used when performing (personal verification), for example, construction of a local network system using a commercially available mobile terminal, location information management ( It is possible to provide a high-security information management system that can realize the construction of a flow line management system at a low price with high reliability and convenience.
[Brief description of the drawings]
FIG. 1 is a diagram showing an overall configuration of an information management system according to an embodiment of the present invention.
2 is a diagram showing an internal configuration of an input / output unit of the information management system of FIG. 1;
FIG. 3 is a view showing the contents of an access list table.
FIG. 4 is a diagram showing the authority level of the client for the access request destination content and its contents.
FIG. 5 is a view showing the contents of an authentication data table.
FIG. 6 is a diagram showing a configuration example of a schedule registered in a BCP database.
7 is a diagram showing a configuration example of a message memo that defines a method for distributing schedule information corresponding to the schedule in FIG. 6;
FIG. 8 is a diagram showing a configuration example of a management table in which client terminals are associated with names of clients.
9A is a diagram showing a configuration example of a question message sent to a client terminal, FIG. 9B is a diagram showing a state in which the client is inputting a response message from the terminal, and FIG. The figure which shows the structure of an exchange system, (d) is a figure which shows the structure of an access request destination control system.
10A is a diagram showing an example of notification sent when the access request destination terminal is in use, and FIG. 10B is a diagram when the access request destination terminal is set to reject incoming calls. The figure which shows the example of a notification transmitted.
FIG. 11 is an operation explanatory diagram of an exchange system and an access request destination control system.
12A is a diagram illustrating an example of menu items when performing transfer, hold, and simultaneous call, and FIG. 12B is a diagram illustrating an example of a message output when performing transfer.
FIG. 13 is a diagram showing a configuration of a multi-terminal communication system introduced in an information management system.
FIG. 14A is a diagram showing an example of construction of a wireless communication network constructed by a plurality of wireless relay units, and FIG. 14B is a diagram showing an internal configuration of the wireless relay unit.
FIGS. 15A and 15B are diagrams showing an internal configuration of a transmission / reception unit.
FIGS. 16A and 16B are views showing a state in which the wireless relay unit is set in a socket for a light bulb.
FIGS. 17A and 17B are views showing a state in which the wireless relay unit is set in an outlet.
FIG. 18 is a view showing a state in which a client receives an identity verification when entering a room.
FIG. 19 is a view showing a state in which a client receives an identity verification after entering a room.
[Explanation of symbols]
2 Information management system (BCP system)
4, 6, 8, 10-1 ... 10-n, 12 terminals
14 Management base system (BCP base system)
16 I / O unit
44 Policy Management Department (Authentication data extraction / setting means)
48 BCP database (authentication data registration means)
60 exchange system
60a Automatic response mechanism
60b Access request destination allocation mechanism
62 Access request destination control system
62a Access request destination monitoring mechanism
62b Access request destination control mechanism
100 Multiple terminal communication system
102 Common antenna
104 Signal input / output circuit
106 Modulation circuit
108 Demodulator
110 Protocolization circuit
200, 202, 204, 206, 208, 210 Transmission / reception unit
212 Antenna control circuit
214 Routing circuit
216 Terminal identification code management circuit
218 Protocol circuit
220 I / O circuit (LAN dedicated I / O circuit)
222 Demodulator circuit
224 modulation circuit
226 transceiver circuit
228 Connector part

Claims (12)

An information management system capable of simultaneously and centrally managing a terminal network composed of a plurality of types of terminals including external lines and extensions and a content management network composed of a plurality of types of content for managing various types of information,
A management base system for centrally managing various authentication data assigned to each of a plurality of clients and a plurality of terminals;
An input / output unit that determines permission or disapproval of an access request based on various authentication data centrally managed in the management base system when an access request is issued from an arbitrary terminal by a client;
An exchange system that distributes the access request destination to at least one of the terminal network and the content management network based on the access request permitted by the input / output unit;
The location information and movement status of each terminal constituting the terminal network are monitored in real time, and when the access request destination is assigned to the terminal network by the switching system, the access request of the client from the terminal network An access request destination control system for identifying and calling and connecting a terminal that matches
The input / output unit includes a plurality of wireless relay units capable of wirelessly transmitting various information signals corresponding to the access request to a predetermined access request destination when the client issues an access request from the terminal. A wireless communication network is constructed by the plurality of wireless relay units,
The management base system includes at least
Authentication data registration means for registering the various authentication data;
When performing authentication for the client and the terminal, a plurality of authentication data are arbitrarily extracted from various authentication data registered in the authentication data registration means, and the plurality of authentication data extraction timings are extracted. And an authentication data extraction / setting means capable of arbitrarily setting the authentication system,
The authentication data extraction / setting means has a verification function for verifying various data related to the client and the terminal and the authentication data when performing authentication for the client and the terminal. Characteristic information management system. The wireless relay unit includes
A plurality of transmission / reception units that transmit and receive the radio signals according to the frequency band used by each of the plurality of types of terminals;
A transmitting / receiving antenna provided in each of the plurality of transmitting / receiving units;
An antenna control circuit for controlling a wireless transmission direction when wirelessly transmitting the wireless signal via the transmitting / receiving antenna;
A routing circuit for selecting a route for wirelessly transmitting the wireless signal to the access request destination;
A terminal identification code management circuit for managing the access request destination based on various terminal identification codes attached to the radio signal;
A protocolization circuit for converting the information signal into a signal corresponding to a predetermined communication protocol;
An input / output circuit for inputting / outputting the information signal converted into a predetermined communication protocol by the protocolization circuit to / from the switching system;
In an environment where a wireless communication network is constructed by the plurality of wireless relay units, the wireless signal wirelessly transmitted from the transmission / reception antenna of a certain wireless relay unit passes through each wireless relay unit selected by the routing circuit. The signal is received by the transmitting / receiving unit from the transmitting / receiving antenna of a predetermined wireless relay unit, converted into a signal corresponding to a predetermined communication protocol by a protocolization circuit, and sent from the input / output circuit to the switching system. The information management system according to claim 1, wherein: The wireless relay unit is provided with a connector part that can be detachably fitted to an existing power supply outlet or socket provided on the premises or outside the premises. The information management system according to claim 1, wherein the wireless relay unit can be set on the premises or outside the premises by being fitted into a power supply outlet or a socket. In each of the plurality of transmission / reception units,
A demodulation circuit for demodulating the radio signal taken into the transmission / reception unit from the transmission / reception antenna to obtain the information signal;
A modulation circuit that modulates the information signal into the radio signal that can communicate with the outside via the transmitting and receiving antenna;
The information management system according to claim 1, further comprising: a transmission / reception circuit that transmits and receives the wireless signal via the transmission / reception antenna. In an environment where a wireless communication network is constructed by the plurality of wireless relay units, the antenna control circuit wirelessly transmits the wireless signal toward the wireless relay unit on the route selected by the routing circuit. 5. The information management system according to claim 1, wherein a wireless transmission direction of the wireless signal wirelessly transmitted through the transmission / reception antenna is controlled. The exchange system includes
When the access request is permitted by the input / output unit, an automatic response mechanism that sends a predetermined question message to the client terminal and receives a response message returned from the terminal by the client;
An access request destination distribution mechanism that distributes the access request destination to at least one of the terminal network and the content management network based on the response message received by the automatic response mechanism; The information management system according to any one of claims 1 to 5. In the access request destination control system,
An access request destination monitoring mechanism that monitors in real time the location information and the movement state of each terminal constituting the terminal network;
An access request destination control mechanism for specifying and calling a terminal that matches the access request of the client from the terminal network when the access request destination is assigned to the terminal network by the switching system; The information management system according to any one of claims 1 to 6, characterized in that The information management according to any one of claims 1 to 7, wherein the access request includes at least a voice access request from the terminal and an access request from a browser of the terminal. system. The management base system is provided with an address management unit that simultaneously manages an address of each terminal constituting the terminal network and an address of each content constituting the content management network,
The said switching system and the said access request destination control system identify the said access request destination based on each address managed by the said address management part, The any one of Claims 1-8 characterized by the above-mentioned. Information management system. The various authentication data includes at least biometric identification data, object identification data, and timed identification data,
The biometric identification data includes at least a voice print, a face pattern, a palm print, a fingerprint, an iris, a vein, a writing motion box when signing the terminal, and a terminal key or button when the client presses the terminal. Various types of data such as stamping timing, stamping pressure and stamping speed
The object identification data includes at least an IP address or MAC address assigned to the terminal, a telephone number, an electronic seal, a driver's license number, an ID card or key used when a client logs in via the terminal, a password Applicable to various data obtained from number identification markers.
The timed identification data includes at least various data such as name, age, address, family structure, company name, department, title, permanent address, place of birth, date of birth, hobby, and email address indicating the client's identity The information management system according to any one of claims 1 to 9, wherein: The various data related to the client includes at least various data obtained from personal characteristics and features of the client,
11. The information management system according to any one of 1 to 10, wherein the various data related to the terminal includes at least various data obtained from an identification marker used by the client. The authentication data extraction / setting unit extracts the plurality of authentication data at various timings arbitrarily selected from at least every predetermined time, every predetermined day, every predetermined month, and every predetermined year, and The information management system according to any one of claims 1 to 11, wherein the number and type of authentication data extracted are changed regularly or irregularly according to the various timings.

Images