JP2005084811A - Access controller, server control method and storage medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To make it possible to secure the convenience of a user, and to improve security performance for significant data. <P>SOLUTION: This access controller is provided with an arithmetic means for preliminarily ranking data preserved in a server 3 corresponding to its significance, and for calculating a predetermined arithmetic value by calculating a significance rank value 45 of each accessed data and a browsing time and an identifying means for re-identifying a user when the calculated value exceeds a preliminarily decided predetermined value. A timing for re-identifying the user is decided according to the significance of the data. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to access control for a user's server in a computer network system.

  Conventionally, when a user computer connected to a network accesses a server connected to the same network, user authentication is performed to determine whether the user has authority to use the server (conventional example 1). . As typical user authentication, there is a method of inputting a user ID and a password.

  Further, Patent Document 1 proposes a method of improving security by setting an expiration date from the first access to the server and performing user authentication again when the expiration date has passed. ing. Further, Patent Literature 2 describes a method for setting an accessible valid time for each server data (Web page in Patent Literature 2).

JP-A-9-146824 JP 2002-278930 A

  However, in the method of Conventional Example 1 described above, once user authentication is performed on the server, the user can continue to use the server forever.

  In Patent Document 1, an expiration date is set to improve security. However, highly important data and less important data are mixedly input in the server. In the method of Patent Document 1, there is a problem in securing the security of highly important data when the validity period is set long, and conversely when the validity period is set short. There is a problem that the user's convenience is impaired because the user is required to re-authenticate even though the data which is not so important is accessed.

  Further, in Patent Document 2, when a user accesses a plurality of data, the data may not be able to be viewed unless the data with a short effective time is accessed first. There was a problem that the order was limited.

  The present invention has been made in view of the above-described problems. When a user accesses a plurality of data existing on a server, the security of the data is ensured without impairing the convenience of the user. Objective.

  In order to achieve the above object, the present invention is an access control device for a server that stores data and has an authentication function, wherein the data has an importance rank value that evaluates its importance, and is accessed. Calculating means for calculating a predetermined calculated value by calculating the importance rank value and the browsing time for each data, and authenticating means for requesting re-authentication of the user when the calculated value exceeds a predetermined value An access control device or the like characterized by comprising:

  According to the present invention, the data stored in the server is ranked in advance according to its importance, and the timing for requesting re-authentication of the user is determined based on the importance rank value and browsing time of the accessed data. So, when accessing important data, set the viewing time to a short time to request user re-authentication, and when accessing less important data, make the viewing time longer. The user is re-authenticated by setting the time, thereby ensuring the convenience for the user and improving the security for important data.

Embodiments of an access control apparatus, a server control method, and a storage medium according to the present invention will be described below.
FIG. 1 is a schematic configuration diagram of a system including an access control apparatus according to an embodiment of the present invention.
In FIG. 1, 1 is a network. Reference numeral 2 denotes a plurality of user PCs, and each user PC 2 is connected to the network 1. Reference numeral 3 denotes a server, which is also connected to the network 1. Reference numeral 4 denotes a data storage connected to the server 3.

  A data display module 21 operates in the user PC 2, and a data control module 31 operates in the server 3. Through the exchange between the data display module 21 and the data control module 31, the user can browse the data stored in the server, which will be described later. For example, when browsing data by the Web method, the data control module 31 corresponds to a Web server, and the data display module 21 corresponds to a Web browser.

  Reference numeral 32 denotes an access management module which also operates in the server 3. Reference numerals 41, 42, and 43 are data 1, data 2, and data 3 stored in the data storage 4. 44 is user authentication information, and 45 is importance information. These are also stored in the data storage 4.

  The basic operation of the user PC 2 and the server 3 described above, the data display module 21 using the Web browser as an example, and the data control module 31 using the Web server as an example is already known. Only the parts related to the present invention will be described.

FIG. 2 is a schematic diagram for explaining the user authentication information 44.
The contents of the user authentication information 44 are a pair of user ID 441 and password 442, and there are as many users as the number of authorized users. When the user is authenticated by the server 3, the user ID and password are entered, but whether the data transmitted to the server correctly matches one of the user ID 441 and password 442 entered in the user authentication information 44. User authentication is performed depending on why.

FIG. 3 is a schematic diagram for explaining the importance information 45.
In the importance information 45, importance rank values 451 for the respective data 41, 42, 43 stored in the data storage 4 are added. In this embodiment, the importance rank value 451 is ranked in three stages of 1 to 3, and the greater this value, the higher the importance.

FIG. 4 is a flowchart for explaining a server control method according to the embodiment of the present invention.
First, step S0 is a step that is performed first, and a value (hereinafter referred to as a browsing time value) N that the access management module 32 has for managing browsing time for all users is an initial value of 0. Is substituted for step S1.

  Subsequently, in step S1, the data control module 31 determines whether there is an access from the user. As a result of this determination, if it is determined that there is access, the process proceeds to step S2. On the other hand, if it is determined that there is no access as a result of the determination in step S1, the process waits in step S1.

  Subsequently, Step S2 is a step executed when there is an access from the user in Step S1, and in the access management module 32, whether or not the value of the browsing time value N of the accessed user is greater than 0. Determine. As a result of this determination, if it is determined that the browsing time value N of the accessing user is greater than 0, the process proceeds to step S7. On the other hand, as a result of the determination in step S2, if it is determined that the browsing time value N of the accessed user is 0, the process proceeds to step S3.

Subsequently, step S3 is a step performed when the browsing time value N of the user who has accessed in step S2 is 0 or less, and executes the user authentication input operation.
Specifically, the data control module 31 of the server 3 sends data of a user authentication screen as shown in FIG. 5 to the data display module 21 of the user PC 2 so that the user authentication screen is displayed on the screen of the user PC 2. Then, the user enters his / her user ID in the user ID entry field 51 and his / her password in the password entry field 52 and presses an OK button 53. Thereby, the entered user ID and password are transmitted to the server 3.

  Subsequently, step S4 is a step in which the access management module 32 evaluates whether the user ID and password input in step S3 are correct. In the access management module 32, the user ID and password input in step S3. It is determined whether the user ID 441 and the password 442 entered in the user authentication information 44 shown in FIG. As a result of this determination, if it is determined that the user ID and the password match, it is determined that the user is a registered user, and the process proceeds to step S6. On the other hand, as a result of the determination in step S4, if it is determined that no user ID and password match, the process proceeds to step S5.

  Step S5 is a step executed when the user ID and the password do not match in step S4, and the data control module 31 displays an access disapproval display as shown in FIG. When the user who has confirmed that has pressed the OK button 61, the process returns to step S1.

  On the other hand, step S6 is a step executed when the user ID and the password match in step S4. In the access management module 32, an initial value set in advance for the browsing time value N is substituted, and step S7 is executed. Proceed to

Subsequently, step S7 is a step executed when the browsing time value N is larger than 0 in step S2 and after the initial value is set as the browsing time value N in step S6. Subtraction time measurement is started from the time value N according to the importance rank value 451 (see FIG. 3) of the data that the user is going to access.
Specifically, when the importance rank value of the data is 1, the browsing time value N is subtracted with the passage of the real time, and when the importance rank value of the data is 2, the passage of the real time The browsing time value N is subtracted at twice the speed, and when the importance rank value of the data is 3, the browsing time value N is subtracted at a speed three times that of the real time. Thereafter, the process proceeds to step S8. Note that this time subtraction is continued until a new setting is made for the browsing time value N even when the process proceeds to another step.

Subsequently, step S8 is a step that is executed after the time measurement of the subtraction of the browsing time value N is started in step S7, and displays the data that the user is trying to access.
Specifically, the data control module 31 reads out necessary data from the data storage 4 and sends it to the data display control module 21 of the user PC 2. The data display module 21 that has received the data displays this data on the monitor of the user PC 2. Thereafter, the process returns to step S1 to wait for the next data access.

Next, an actual access method will be described with a specific example.
Here, a case where a user permitted to access the server browses data for 10 minutes, 5 minutes, and 10 minutes in the order of data 3, data 1, and data 2 shown in FIG. 3 will be described as an example. . The importance rank value of the data is 2, 3, and 1 in the browsing order. Further, it is assumed that the initial value used for the browsing time value N used in step S6 is 30 minutes.

First, in step S0, 0 is set to the browsing time value N of all users.
Then, when the user accesses the data 3, in step S1, it is determined that there is an access, and the process proceeds to step S2. Here, the browsing time value N is evaluated. However, since 0 is set in the browsing time value N in step S0, the determination is 0 or less, and the process proceeds to step S3.

  Subsequently, in step S3, a user ID and a password for user authentication are input, and then in step S4, it is determined whether the user ID and the password match. Since this user is a registered user, it is determined that the user ID and the password match, and then the process proceeds to step S6, where the initial value of 30 minutes is substituted into the browsing time value N.

  Subsequently, in step S7, time subtraction at the double speed of the real time is started from the browsing time value N (here, 30 minutes) corresponding to the importance rank value 2 of the data 3. Subsequently, in step S8, the data 3 is browsed for 10 minutes.

  Next, when the user tries to access the data 1 after 10 minutes from the start of browsing the data 3, the access operation is determined in step S1, and the process proceeds to step S2. Subsequently, in step S2, the viewing time value N at that time is 10 minutes obtained by subtracting 10 minutes elapsed from the initial value of 30 minutes at a double speed (the calculation formula is 30 minutes-10 minutes × 2 times = 10 minutes). Therefore, it is determined in step S2 that it is greater than 0, and the process jumps to step S7 without proceeding to step S3 for performing user authentication. Subsequently, in step S7, time subtraction at a triple speed is started from 10 minutes of the browsing time value N at that time in correspondence with the importance rank value 3 of the data 3. Subsequently, in step S8, browsing of the data 1 is performed for 5 minutes.

  Next, when the user tries to access the data 2 after 5 minutes have passed since the browsing of the data 1 is started, the access operation is performed in step S1 and the process proceeds to step S2. Subsequently, in step S2, the browsing time value N at that time minus 10 minutes at the start of browsing the data 1 minus 5 minutes elapsed at 3 times speed (calculation formula is 10 minutes-5 minutes × (3 times = −5 minutes), it is determined that the determination in step S2 is 0 or less, and the process proceeds to step S3 to perform user authentication again. The subsequent procedure is the same from the middle of the access in the data 3 (the part of user authentication), and the description is omitted.

  Through the procedure described above, the time for accessing the server varies depending on the importance of the data. In other words, when accessing data with a low importance rank value, it can be accessed for a long time, but as data with a higher importance rank value is accessed, the time that can be accessed decreases. Since it is necessary to perform authentication, the security level can be improved.

  In the above-described embodiment, the check at the browsing time value N is performed only after the user has accessed, but the browsing time value N is always checked and immediately after the browsing time value N becomes zero. If used in combination with a method for requesting re-authentication of the user, the last viewed data will not remain displayed, and the security level can be further improved.

  In the above-described embodiment, the server data is browsed by the Web method. However, the data stored in the server may be accessed from the user PC by file sharing. However, in this case, it is necessary to install both software for displaying the data list and software for browsing the contents of data in the user PC 2. Further, the present invention may be configured as an apparatus, a system, or a method implemented by software, regardless of the configuration of the above-described embodiment.

  In addition, each means constituting the access control device according to the above-described embodiment and each step (step S0 to step S8 in FIG. 4) of the server control method are executed by a program stored in a RAM or ROM of a computer. Can be realized. This program and a computer-readable storage medium storing the program are included in the present invention.

It is a schematic block diagram of the system containing the access control apparatus in embodiment of this invention. It is a schematic diagram explaining user authentication information. It is a schematic diagram explaining importance information. It is a flowchart for demonstrating the control method of the server in embodiment of this invention. It is the figure which showed the user authentication screen. It is the figure which showed the access denial display screen.

Explanation of symbols

1 Network 2 User PC
3 Server 4 Data storage 21 Data display module 31 Data control module 32 Access management module 41 Data 1
42 Data 2
43 Data 3
44 User authentication information 45 Importance information 51 User ID entry field 52 Password entry field 53 OK button 61 OK button 441 User ID
442 Password 451 Importance Rank Value

Claims (3)

A server access control device for storing data and having an authentication function,
The data has an importance rank value that evaluates its importance, and a calculation means that calculates a predetermined calculation value by calculating the importance rank value and browsing time for each accessed data,
An access control apparatus comprising: an authentication unit that requests re-authentication of the user when the calculated value exceeds a predetermined value. A server control method for storing data and having an authentication function,
The data has an importance rank value that evaluates its importance, and a calculation step of calculating a predetermined calculation value by calculating the importance rank value and browsing time for each accessed data,
An authentication step for requesting re-authentication of a user when the calculated value exceeds a predetermined value. A server control method comprising: A storage medium storing a program for causing a computer to execute each step in the server control method according to claim 2.

Images