JP2006268571A - Access control device, access control method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an access control device capable of efficiently controlling an access made by a user using a plurality of access rights differently for different purposes. <P>SOLUTION: The access control device 4 comprises an authentication information storage part 40 for storing a login ID and a password for each of the roles the user concurrently play, a user discrimination part 20 for discriminating a user by collating a login ID and a password obtained from a terminal device 2 with the content of the authentication information storage part 40, an authentication information reference part 30 for referencing all the login IDs related to the discriminated user from the authentication information storage part 40, an order of trials determination part 50 for arranging the referenced login IDs in a predetermined order, and an access trial part 70 for transferring an access request from the terminal device 2 to a server device 6 while using the login IDs in the arranged order, and returning the information obtained in correspondence with the request to the terminal device 2. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an access control apparatus and method, and more particularly to a technique for controlling access to an information resource performed by a user who uses a plurality of access rights.

  In a conventional information processing system, a technology for controlling access for each user is realized in order to keep the confidentiality of information resources (data) and to avoid accidents such as deletion of important data due to erroneous operations as much as possible.

  FIG. 13 is a conceptual diagram illustrating a typical example of an information processing system that performs such control. The information processing system 100 includes a terminal device 101 and server devices 102 and 103 connected via a network 104. The server devices 102 and 103 hold information resources such as content and web page information in association with access right information indicating users with access rights, and identify the user of the terminal device 101, thereby validating the user. Provide access to information resources only to users with sufficient access rights.

  Conventionally, identification of a user is widely performed by authentication using a user-specific login ID and password.

  In recent years, for example, a workflow system has been put into practical use in which a user proceeds with overall processing while performing predetermined processing (browsing, updating, approval, etc.) according to a role for information resources such as slip data and form data.

  In a workflow system, one user often serves a plurality of roles. Therefore, it is preferable in terms of the confidentiality and security of information resources to use the user's access right for each role. For this purpose, for example, the login ID and password of the number of concurrent roles are determined for one user, and when one of them is entered, the role of the user is identified at the same time as the authentication of the user. Access is controlled according to the role.

  FIG. 14 is a specific example of user information used for such control. This user information is stored in the user information table 200, the user ID is held in the group ID column 201, and the user also serves in the ID column 202, password column 203, and information resource column 204. The login ID corresponding to each role, the encrypted password, and the address of the information resource permitted to access in that role are stored.

  According to this specific example, the user “G0001234” uses one of the login IDs “0000001”, “0040024”, and “0070523” corresponding to the role that the user “G0001234” corresponds to the current role and the password. By inputting, it is authenticated, and the access right to the information resource corresponding to the role can be obtained.

Note that it is extremely complicated for a user to safely manage and use a plurality of login IDs and passwords. Therefore, a single login ID and password are used for user authentication, and after successful authentication, the user explicitly selects a role, thereby reducing the complexity described above and at the same time A technique for performing appropriate workflow processing while controlling access for each is disclosed (see, for example, Patent Document 1).
Japanese Patent Laid-Open No. 2003-256629

  However, according to the above-described conventional technology, although it is sufficient that one user only needs to manage one login ID and password, the complexity of explicitly selecting a role remains for the user. . Especially in the situation where one user advances work while switching roles one after another, the procedure of reselecting the role every time switching changes the speed of work, and as a result, the work efficiency of the entire system is impaired. There is also.

  The present invention has been made to solve the above problems, and efficiently controls access performed by a user who uses a plurality of access rights (for example, a user who has a plurality of roles in a workflow system). It is an object to provide an access control apparatus.

  An access control apparatus according to the present invention is an access control apparatus that controls access to an information resource performed by a user who uses a plurality of access rights, and stores authentication information for each of the plurality of access rights. Storage means, user identification means for identifying the user using identification information acquired from the outside, and attempts to access the information resource using the stored authentication information one after another when identification is successful Access trial means.

  According to this configuration, once a user is identified, access to the information resource is attempted using authentication information corresponding to all access rights of the user. Excellent convenience and quick operability are exhibited in that any one of the access rights that can be used by the user can be obtained simply by inputting (for example, login ID and password) and receiving identification.

  The identification information is any one of the authentication information, and the user identification unit identifies the user by comparing the identification information with the stored authentication information. May be.

  According to this configuration, since the user can be identified using any one of the authentication information (for example, the most easily remembered or happened to be remembered), the identification information is separated from the authentication information. It is possible to provide the user with excellent convenience and quick operability without the need for setting.

  In addition, the access control device further includes ticket transmission means for transmitting to the user terminal device ticket information for specifying authentication information used successfully for access, and the terminal device includes the access control device. The ticket information received from the terminal device is recorded, and when the subsequent access is requested, the ticket information is transmitted to the access control device, and the user identification means is specified by the ticket information received from the terminal device. The user may be identified by comparing authentication information with the stored authentication information.

  According to this configuration, since the identification of the user is performed using the ticket information, after the ticket information is obtained, the user can use it simply by trying to access a desired information resource. A very good convenience and quick operability that one of the access rights can be obtained.

  The access control device may further include usage result information transmitting means for transmitting usage result information representing authentication information successfully used for access to the terminal device of the user.

  According to this configuration, since the login ID successfully used for access can be displayed on the user's terminal, the user can surely and easily know which access right he / she has obtained. .

  Further, the access control device further includes history information storage means storing history information representing the frequency or time-series order of authentication information used successfully for access, and the stored authentication information. Trial order determining means for arranging in order of increasing frequency or newly used order indicated by the history information, wherein the access trial means uses the stored authentication information in the order of arrangement by the trial order determining means. You may attempt to access the resource.

  According to this configuration, authentication information that is considered to be more important for the user can be preferentially used because it is used for accessing the information resource in order from frequently used authentication information and newly used authentication information.

  In addition, when the access attempt unit succeeds in accessing the information resource using one of the stored authentication information, the access attempt unit may suppress access attempted using the remaining authentication information.

  According to this configuration, since the access after the time when the information resource is obtained is suppressed, it is possible to reduce the amount of communication traffic and the processing time.

  Further, the user uses an access right for each of a plurality of roles concurrently held by the user, and the authentication information has an access right for each of the plurality of roles in a computer system in which the user holds the information resource. It may be a set of login ID and password for logging in.

  This configuration is suitable, for example, for controlling access performed by a user who has multiple roles in the workflow system when the computer system functions as a workflow system. This is because in a workflow system, one user often serves multiple roles.

  The user uses an access right for each of a plurality of computer systems holding information resources to be accessed, and the authentication information includes a login ID for the user to log in to each of the plurality of computer systems. And a set of passwords.

  In this configuration, for example, when the plurality of computer systems function as a network banking system, an airline ticket reservation system, a network mail order system, etc., access controlled by a user having access to each system is controlled. It is suitable for doing. Once a user has been identified using any one of the login ID and password pairs for each system (for example, the one that is most memorable or the one that happened to be remembered), You can also enjoy the extremely good convenience of being able to log in.

  In addition, the present invention can be realized not only as such an access control device, but also as an access control method including steps executed by characteristic means included in such an access control device. It can also be realized as a program for causing a computer to execute these steps. Needless to say, such a program can be distributed via a recording medium such as a CD-ROM or a transmission medium such as the Internet.

  The access control device of the present invention stores authentication information corresponding to each access right that a single user uses properly, and once a user is identified, the authentication information corresponding to all the access rights of that user Any access right that can be used by the user simply by entering a single piece of identification information (for example, a set of login ID and password) and receiving identification. Excellent convenience and quick operability that one can be obtained.

  An access control device according to an embodiment of the present invention is provided by connecting a terminal device and a server device, and receives user authentication on the server device corresponding to each of a plurality of roles shared by a single user. The login ID and the password, which are authentication information for storing, are stored. This access control device identifies the user by checking the login ID and password stored in the login ID and password received from the terminal device. Then, while sequentially using all the login IDs and passwords of the identified users, the access request received from the terminal device is transferred to the server device.

Hereinafter, the access control apparatus will be described in detail with reference to the drawings.
(overall structure)
FIG. 1 is a functional block diagram showing the overall configuration of an information processing system including this access control apparatus. The information processing system 1 includes a terminal device 2, a first communication network 3, an access control device 4, a second communication network 5, and a server device 6.

  The access control device 4 includes a first communication unit 10, a user identification unit 20, an authentication information reference unit 30, an authentication information storage unit 40, a trial order determination unit 50, a history information storage unit 60, an access trial unit 70, and history information update. Unit 80 and a second communication unit 90.

  The access control device 4 may be realized by a computer system including, for example, a CPU (Central Processing Unit), a RAM (Random Access Memory), a ROM (Read Only Memory), a hard disk device, a network adapter, and the like (not shown). In this case, the functions of the first communication unit 10 and the second communication unit 90 are realized by a network adapter, and the functions of the authentication information storage unit 40 and the history information storage unit 60 are realized by a hard disk device. The functions of the information reference unit 30, the trial order determination unit 50, the access trial unit 70, and the history information update unit 80 are realized by the CPU executing programs stored in the ROM using the RAM as a working memory. Is done.

  Of course, the access control device 4 can also be realized as a one-chip IC (Integrated Circuit) that integrates the functions of the individual components.

(Authentication information)
FIG. 2 is a specific example of authentication information stored in the authentication information storage unit 40. This authentication information is stored in the authentication information table 400, the group ID column 401 holds the user ID, and the ID column 402 and the password column 403 store the login ID and the encryption corresponding to each role that the user also serves. Passwords are stored.

  In addition, in order to uniformly process users who do not share roles (playing only a single role), a user having one ID and password as shown in the user “G0002955” is included in the authentication information. It does not matter.

(History information)
FIG. 3 is a specific example of history information stored in the history information storage unit 60. This history information is stored in the history information table 600, the group ID column 601 holds the user ID, and the ID column 602 holds the login IDs used for access by the user in a chronological order up to a predetermined number. Is done.

(Operation)
Hereinafter, the operation of the access control device 4 will be described in detail including the cooperative operation with the terminal device 2 and the server device 6.

  FIG. 4 is a flowchart illustrating an example of a cooperative operation of the terminal device 2, the access control device 4, and the server device 6. This operation is started when the access control device 4 receives information requesting information resources stored in the server device 6 (in this example, page A request information) from the terminal device 2. The page A request information is, for example, an operation in which a user clicks a link to page A or inputs a URL (Uniform Resource Locator) of page A on a web browser operating on the terminal device 2. Sent by.

  If page A request information is received, the user identification part 20 will transmit login prompt information to the terminal device 2 via the 1st communication part 10 (S10). This login prompt information is information prompting the user to input a login ID and a password. When the terminal device 2 receives the login prompt information, for example, the terminal device 2 displays a login prompt having a login ID and password input fields on the screen of the above-described web browser (S20). As seen in the flowchart, in this example, the login prompt is displayed before the page A is displayed after the link to the page A is clicked.

  5A and 5B are examples of a login prompt displayed on the terminal device 2. FIG. Here, an example is shown in which a login prompt is displayed at the bottom of the screen and at a pop-up.

  For example, the user inputs one set of a login ID and a password stored in the authentication information storage unit 40 as identification information for identifying the user at the login prompt. The terminal device 2 transmits the login ID and password received from the user to the access control device 4 (S21).

  The user identification unit 20 collates the login ID and password received from the terminal device 2 with each of the login ID and password stored in the authentication information storage unit 40. If there is a matching login ID and password, the user of the terminal device 2 is identified as the user indicated by the group ID corresponding to the login ID.

  If the identification is successful, the authentication information reference unit 30 refers to all login IDs corresponding to the identified user from the authentication information storage unit 40 (S30).

  The trial order determination unit 50 arranges the login IDs referred to by the authentication information reference unit 30 in the order of new use based on the recording order in the history information storage unit 60 (S40).

  The access trial unit 70 selects one login ID in the order arranged by the trial order determination unit 50, and transmits the page A request information to the server device 6 together with the login ID and the corresponding password (S50).

  The server device 6 authenticates the user with the login ID and password received from the access control device 4, and then processes the page A request information as follows. If the authentication is successful, the contents of page A are returned, and if the authentication fails, access rejection response information is returned.

  In response to a response from the server device 6, the access trial unit 70 indicates whether or not the content of page A is obtained for each used login ID, and if the content of page A is obtained, Do not record to buffer memory.

  The reference history update unit 80 newly records in the history information storage unit 60 the login ID that has succeeded first in acquiring the contents of the page A in association with the group ID indicating the user, and corresponds to the user. If there are more login IDs than the predetermined number, the old ones are deleted (S70).

  The access trial unit 70 uses the ticket 2, page A information, and ID usage result information (in this example, page A uses ID2) to indicate the login ID (ID2 in this example) that succeeded first in acquiring the contents of page A. Information indicating that access is possible even if ID3 is used) is returned to the terminal device 2 (S80). Here, the ticket may be, for example, index information indicating a position included in the authentication information of the login ID that has succeeded in acquiring the page first, and may be expressed using well-known cookie information. .

  The terminal device 2 stores the ticket received from the access control device 4 (S90), displays the content of the received page (S92), and displays the received ID usage result information (S93). For example, the ticket is stored in a cookie data file (not shown) provided in the terminal device 2.

  6A and 6B are examples of the ID use result displayed on the terminal device 2 in this operation example, and page A is accessed using ID2 and can be accessed even using ID3. It represents that. Here, an example is shown in which the ID usage results are displayed at the bottom and pop-up of the screen. For convenience of explanation to be described later, page A includes a link to page B.

  As described so far, the access control device 4 stores login IDs and passwords corresponding to a plurality of roles shared by a single user, and is given an arbitrary login ID and password. To identify the user. Then, since the access request received from the terminal device is transferred to the server device sequentially using the login ID and password corresponding to all the roles of the identified user, the user inputs one login ID and password. It is possible to obtain any one access right from among the roles held by itself.

  In addition, since the login ID that has been successfully accessed is displayed, the user can surely and easily know which role the user has gained.

  Next, following the above operation, an operation when the user requests page B will be described.

  FIG. 7 is a flowchart showing an example of a cooperative operation of the terminal device 2, the access control device 4, and the server device 6 in that case. This operation is started when the access control device 4 receives the page B request information from the terminal device 2 following the operation of FIG. The page B request information is transmitted, for example, when the user clicks on a link to page B included in page A (see FIGS. 6A and 6B).

Hereinafter, description of the same matters as the operations in FIG. 4 will be omitted, and differences will be mainly described.
After transmitting the page B request information, the terminal device 2 transmits the stored ticket to the access control device 4 instead of the ID and password (S22).

  When the user identification unit 20 receives the ticket, the user identification unit 20 collates, for example, the login ID indexed by the ticket with the login ID stored in the authentication information storage unit 40, and the login ID indexed by the ticket is the authentication information. When included in the storage unit 40, the user of the terminal device 2 is identified as the user indicated by the group ID corresponding to the login ID.

  After the user is identified, the same operation as in FIG. 4 proceeds. When receiving the new ticket, the terminal device 2 updates the old ticket information with the received ticket (S91).

  FIGS. 8A and 8B are examples of the ID use result displayed on the terminal device 2 in this operation example, and page B is accessed using ID3 and can be accessed even using ID1. It represents that. Here, an example is shown in which the ID usage results are displayed at the bottom and pop-up of the screen. For convenience of explanation to be described later, page B includes a link to page C.

  As described above, the access control device 4 stores the ticket indicating the login ID used for access in the terminal device 2, and specifies the login ID by the ticket received from the terminal device 2 at the next access. Thus, the user is identified, so that it is not necessary for the user to input the login ID and password every time access is performed, and the speed of processing is improved.

  In addition, as described above, once a user is identified, an access request is transferred using login IDs and passwords corresponding to all the roles of the user. ), It is possible to obtain an access right of any one of the roles concurrently held by itself, and the excellent convenience and quickness can be obtained.

  Next, following the above operation, an operation when the user requests page C will be described.

  FIG. 9 is a flowchart illustrating an example of a cooperative operation of the terminal device 2, the access control device 4, and the server device 6 in that case. This operation is started when the access control device 4 receives the page C request information from the terminal device 2 following the operation of FIG. The page C request information is transmitted, for example, when a user clicks on a link to page C included in page B (see FIGS. 8A and 8B).

The operation of FIG. 9 is substantially the same as the operation of FIG. 7 in that a ticket is used.
FIGS. 10A and 10B are examples of the ID use result displayed on the terminal device 2 in this operation example. The page C is accessed using ID2, and the ID that can be used to access the page C is shown. It represents that this is only ID2. Here, an example is shown in which the ID usage results are displayed at the bottom and pop-up of the screen.
(Modification)
Although the present invention has been described based on the embodiments, it is needless to say that the present invention is not limited to the above-described embodiments. The following cases are also included in the present invention.

  In the embodiment, the history information storage unit 60 holds a predetermined number of login IDs used for access for each user in chronological order, and the trial order determination unit 50 refers to the history information storage unit 60 to determine the user's Although the login IDs are arranged in the order in which they are used more recently, the following modifications can be considered.

  For example, the history information storage unit 60 may store the number of uses (frequency) for each login ID for each user as history information, and the trial order determination unit 50 may arrange the user's login IDs in order of the number of uses.

  FIG. 11A is a specific example of such history information. This history information is stored in the history information table 610, the group ID column 611 holds the user ID, the ID column 612 holds the login ID corresponding to each role shared by the user, and the number of times of use A column 613 holds the number of times the user has used the login ID.

  According to this configuration, the data amount of history information can be reduced as compared with the embodiment. Since login IDs are used in descending order of the number of uses over the long term, this is suitable when it is desired to reduce the amount of memory in a situation where there is little time fluctuation of the login ID usage trend.

  In addition, for example, the history information storage unit 60 holds the number of times of use for each user ID information resource and login ID as history information, and the trial order determination unit 50 requests the user login ID for the requested information resource. You may arrange in order of use frequency.

  FIG. 11B is a specific example of such history information. This history information is stored in the history information table 620, the ID of the user is held in the group ID column 621, and the address of the information resource accessible by the user in at least one role is held in the information resource column 622. The ID column 623 holds a login ID that can access the information resource, and the use count column 624 holds the number of times the user has accessed the information resource using the login ID.

  According to this configuration, the login IDs are used in the order of the number of times of use for each information resource. Therefore, when the usage tendency of the login ID is greatly different for each information resource, the usage tendency is more faithfully reflected. Is preferred.

  In the embodiment, the access trial unit 70 transfers access requests using all login IDs in the order arranged by the trial order determination unit 50 (see S50 in FIG. 4). When the corresponding information is obtained, transfer using the subsequent login ID may be suppressed.

  FIG. 12 is a flowchart showing an example of such an operation. The access trial unit 70 selects one login ID in the arranged order (S51), transfers an access request using the login ID (S52), and only when access is denied (S53: YES), the next Forward further requests using the login ID.

  According to this configuration, since the transfer of the request after the point when the requested information is obtained is suppressed, it is possible to reduce the amount of communication traffic and the processing time.

  In the embodiment, the user inputs any one of the login ID and the password stored in the authentication information storage unit 40 as identification information for identifying himself / herself. It is not limited to the set of login ID and password stored in the storage unit 40. For example, it is obvious that a group of a group ID stored in the authentication information storage unit 40 and a single password (not shown) can be used as identification information for identifying a user. Furthermore, PKI (Public Key Infrastructure) information having identity authenticity that is highly difficult to impersonate may be used as identification information.

  Further, in the embodiment, the example of the user who uses the access right for each concurrent role is used, but the scene in which the access control device of the present invention exhibits an excellent effect is not limited to this example. For example, the access control apparatus according to the present invention can effectively control access performed by a user who uses different access rights for each computer system. In other words, considering that each of these computer systems specifically functions as a network banking system, an airline ticket reservation system, a network mail order system, etc., the user can set a login ID and a password for each system. After receiving the identification using any one of them (for example, the one that is most easily remembered or the one that happened to be remembered), it is possible to enjoy the extremely excellent convenience of being able to log in to any system.

  The functions described in the embodiment and this modification are realized as an LSI (Large Scale Integration), which is an integrated circuit, by a combination of a program and hardware resources such as a CPU, RAM, ROM, and nonvolatile memory. Also good. Each function may be individually made into one chip, or all or some of a plurality of functions may be made into one chip.

  As an example of integration, the access control device 4 in FIG. 1 may be an integrated circuit. An integrated circuit may be called an IC (Integrated Circuit), a system LSI, a super LSI, or an ultra LSI depending on the degree of integration.

  The circuit is not limited to an integrated circuit or LSI, and may be realized by a dedicated circuit or a general-purpose processor. An FPGA (Field Programmable Gate Array) capable of storing a program after the manufacture of the LSI or a reconfigurable processor capable of reconfiguring the connection and setting of the circuit cells in the LSI may be used.

  Furthermore, if integrated circuit technology that replaces LSI appears as a result of progress in semiconductor technology or other derived technology, it is naturally also possible to perform integrated circuit integration of the above functions using that technology. Biotechnology can be applied as a possibility.

  The access control device according to the present invention is used as a device for efficiently controlling access performed by a user who uses a plurality of access rights, for example, a gateway server for identifying a user and transferring an access request in a workflow system. it can.

1 is a functional block diagram showing an overall configuration of an information processing system including an access control device according to an embodiment of the present invention. It is a figure which shows an example of the authentication information memorize | stored in the authentication information storage part. It is a figure which shows one specific example of the historical information memorize | stored in the historical information storage part. It is a flowchart which shows an example of operation | movement. It is a figure which shows an example of the login prompt displayed on (A) and (B) terminal device. (A) And (B) It is a figure which shows an example of the ID use result displayed on a terminal device. It is a flowchart which shows an example of operation | movement. (A) And (B) It is a figure which shows an example of the ID use result displayed on a terminal device. It is a flowchart which shows an example of operation | movement. (A) And (B) It is a figure which shows an example of the ID use result displayed on a terminal device. It is a figure which shows the modification of (A) and (B) log | history information. It is a flowchart which shows the modification of operation | movement. It is a figure which shows the typical example of the conventional information processing system which performs access control according to a user. It is a figure which shows one specific example of the conventional user information used for the access control according to a user.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Information processing system 2 Terminal apparatus 3 1st communication network 4 Access control apparatus 5 2nd communication network 6 Server apparatus 10 1st communication part 20 User identification part 30 Authentication information reference part 40 Authentication information storage part 50 Trial order determination part 60 History information storage unit 70 Access trial unit 80 Reference history update unit 80 History information update unit 90 Second communication unit 100 Information processing system 101 Terminal device 102 Server device 104 Network 200 User information table 400 Authentication information table 600, 620 History information table

Claims (10)

An access control device that controls access to information resources performed by a user who uses multiple access rights,
Authentication information storage means for storing authentication information for each of the plurality of access rights;
User identification means for identifying the user using identification information acquired from the outside;
An access control unit comprising: an access trial unit that attempts to access the information resource by using the stored authentication information one after another when the identification is successful. The identification information is any one of the authentication information,
The access control apparatus according to claim 1, wherein the user identification unit identifies the user by comparing the identification information with the stored authentication information. The access control device further includes:
Ticket transmitting means for transmitting to the user terminal device ticket information for identifying authentication information successfully used for access;
The terminal device records the ticket information received from the access control device, and transmits the ticket information to the access control device when requesting subsequent access,
The said user identification means identifies the said user by collating the authentication information specified by the ticket information received from the said terminal device, and the said stored authentication information. The access control apparatus according to 1. The access control device further includes:
The access control apparatus according to claim 1, further comprising: usage result information transmitting means for transmitting usage result information representing authentication information successfully used for access to the terminal device of the user. The access control device further includes:
History information storage means for storing history information representing the frequency or time-series order of authentication information successfully used for access;
Trial order determining means for arranging the stored authentication information in the order of the frequency indicated by the history information or in the order of newly used;
The access control apparatus according to claim 1, wherein the access trial unit attempts to access the information resource using the stored authentication information in the order of arrangement by the trial order determination unit. The access trial means suppresses an access attempted using the remaining authentication information when the information resource is successfully accessed using one of the stored authentication information. The access control apparatus according to 1. The user uses different access rights for each of the multiple roles that he / she serves concurrently,
The authentication information is a set of a login ID and a password for allowing the user to log in to the computer system holding the information resource with an access right corresponding to the role. The access control device described in 1. The user uses different access rights for each computer system holding the information resource to be accessed,
The access control apparatus according to claim 1, wherein the authentication information is a set of a login ID and a password for the user to log in to each of the computer systems. An access control method for controlling access to information resources performed by a user who uses multiple access rights,
A user identification step of identifying the user using identification information acquired from outside;
An access control method comprising: an access attempt step that attempts to access the information resource using authentication information stored in the storage means one after another when the identification is successful. A program for realizing an access control device for controlling access to an information resource performed by a user who uses multiple access rights,
A program for causing a computer to execute the steps included in the access control method according to claim 9.

Images