JP2007157024A - Apparatus and method for managing access right, and program therefor - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an access right management apparatus enabling reduction of the labor of a manager, when a plurality of Web sites are provided in a computer system and when a large amount of user registration having a different access right to each Web site is to be performed. <P>SOLUTION: In an access right management apparatus 1, the manager registers which user group can access which Web site. A Web side manager registers, to a user group, which Web page the user group is accessible to among the Web pages transmitted from the own Web site managed by the Web site manager. A user group manager registers a subgroup. A subgroup manager registers the access right in regard to a job performed by users in the own subgroup managed by the subgroup manager, and the subgroup manager allots the job to the users in the own subgroup managed by the subgroup manager. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an access authority management apparatus, an access authority management method, and a program thereof that manage user access authority to each of a plurality of websites.

Conventionally, in a situation where a plurality of websites used for different purposes are installed, when performing user registration so that the user can access all websites, each website has a database for user registration, The administrator registers user identification information (ID) and password in each database. The website is a name indicating a set unit of web pages transmitted from the web server to the terminal on the communication network. Setting up a website means connecting a web server to a communication network so that it can be connected from a terminal. A database for user registration is connected to the web server. Patent Document 1 is disclosed as a mechanism for registering users who can access a web server.
JP 2004-54779 A

  Here, when registering different access authority for each user for each content to be transmitted, such as a web page that can be browsed and a web page that can be registered, among the web pages transmitted on one website, In addition to simply registering user identification information and passwords, it is necessary to register detailed access authority information for each user that indicates what kind of information can be accessed on which website. . Therefore, as the number of users increases, the work for administrator user registration becomes enormous. Moreover, since the access authority about the same user was separately registered with respect to several websites, the effort for user registration was applied to the administrator.

  Therefore, the present invention provides an access authority management apparatus that can reduce the labor of an administrator when a plurality of websites are provided in a computer system and a large number of user registrations with different access authorities to each website are performed. It is an object to provide an access authority management method and its program.

  In order to achieve the above object, the present invention provides an access authority management apparatus that manages access authority to each of a plurality of information transmission / reception apparatuses. From a system administrator terminal, the user group identification information and the user group Content information in the information transmission / reception device is received from the user group access right first registration means for accepting a combination with the identification information of the information transmission / reception device to which the user belongs and registered in the user group management table, and the information transmission / reception device manager terminal. The first transmission content identification information for identifying the information and the access authority to the content information are received, and the received information is associated with the combination of the registered user group identification information and the information transmission / reception device identification information, User group access right second registration to be registered in the user group management table The identification information of the user belonging to the user group, the identification information of the information transmitting / receiving device accessible by the user, the first transmission content identifying information for specifying the content information in the information transmitting / receiving device, and the content information The user access right registration means for associating and registering the access authority in the user management table, the user identification information, the information transmitting / receiving apparatus identification information, and the first transmission content identification information stored therein A request is received from a user terminal belonging to the user group, the user management table is referred to based on the access request, and stored in the access request based on the access request and information stored in the user management table. The access permitting access to the content information corresponding to the first transmitted content identification information Seth authorization unit, an access authority management device, characterized in that it comprises a.

  The present invention also relates to an access authority management apparatus that manages access authority to each of a plurality of information transmission / reception apparatuses, and transmits and receives information identifying user groups and information accessible to users belonging to the user groups from a system administrator terminal. The first transmission content for identifying the content information in the information transmitting / receiving device from the user group access right first registering means for accepting the combination with the device identification information and registering it in the user group management table and the information transmitting / receiving device manager terminal The identification information and the authority to access the content information are received, and the received information is registered in the user group management table in association with the combination of the registered user group identification information and the information transmitting / receiving apparatus identification information. User group access right second registration means and user group A user registration unit that accepts a combination of identification information of a user group registered in the user group management table and identification information of a user belonging to the user group from an administrator terminal, and registers the user group in the user management table; and the user group Identification information of the information transmission / reception device registered in the user group management table from the administrator terminal, and second transmission content identification information specified more finely than the first transmission content identification information for the content information in the information transmission / reception device, A user who receives an access authority to the content information and registers the received information in the user management table in association with a combination of user group identification information and user identification information registered by the user registration unit. Registered by the access right registration means and the user access right registration means. A request for access to the content information, the access request storing the identification information of the user, the identification information of the information transmission / reception device of the access destination, and the second transmission content identification information is received, and based on the access request By referring to the user management table, based on the access request and the information stored in the user management table, access to the content information corresponding to the second transmission content identification information stored in the access request is permitted. An access authority management device comprising access permission means.

  The present invention also relates to an access authority management apparatus that manages access authority to each of a plurality of information transmission / reception apparatuses, and transmits and receives information identifying user groups and information accessible to users belonging to the user groups from a system administrator terminal. The first transmission content for identifying the content information in the information transmitting / receiving device from the user group access right first registering means for accepting the combination with the device identification information and registering it in the user group management table and the information transmitting / receiving device manager terminal The identification information and the authority to access the content information are received, and the received information is registered in the user group management table in association with the combination of the registered user group identification information and the information transmitting / receiving apparatus identification information. User group access right second registration means and user group From an administrator terminal or a subgroup administrator terminal, identification information of a user group registered in the user group management table, identification information of a subgroup belonging to the user group, and identification information of a user belonging to the subgroup User registration means for accepting the combination and registering it in the user management table; identification information of the information transmitting / receiving device registered in the user group management table from the user group manager terminal or subgroup manager terminal; and information transmission / reception thereof The second transmission content identification information specified more finely than the first transmission content identification information and the access authority to the content information are received for the content information content in the device, and the received information is registered by the user registration means User group identification information and subgroup identification information And a user access right registration means for registering in the user management table in association with a combination of the user identification information, and an access request to the content information registered by the user access right registration means, the user identification information And the access request storing the identification information of the information transmitting / receiving device of the access destination and the second transmission content identification information, and based on the access request and the information stored in the user management table, the access request And an access permission means for permitting access to the content information corresponding to the second transmission content identification information stored in the access authority management device.

  In the present invention, the access authority management apparatus receives a subgroup registration request including identification information of the user group from the user group manager terminal, generates the identification information of the subgroup, and Subgroup generation means for registering the identification information of the user group included in the subgroup registration request and the generated identification information of the subgroup in association with each other in the user group management table.

  According to the present invention, identification information of an information transmitting / receiving device registered in the user group management table and contents of content information in the information transmitting / receiving device are specified from the user group manager terminal or the sub group manager terminal. Accepts job authority information including the second transmission content identification information, access authority to the content information, and job job identification information that handles information corresponding to the content information, and registers the job authority information in the job management table The user access right registration unit receives a combination of the job authority information and the user identification information, and associates the received user identification information with the received user identification information in the user management table. The job authority information is registered, and the access permission means adds the content information registered by the job registration means. An access request that accepts an access request storing user identification information, identification information of an access destination information transmitting / receiving device, and second transmission content identification information; and information stored in the access request; and the user Based on the information stored in the management table, access to the content information corresponding to the second transmission content identification information stored in the access request is permitted.

  According to the present invention, the user group access right first registration means is registered in the user group management table in association with a combination of user group identification information and information transmission / reception apparatus identification information. In addition, a new combination of the identification information of the other information transmission / reception process different from the information transmitting / receiving apparatus in the combination and the identification information of the user group is received from the system administrator terminal and registered in the user group management table. It is characterized by that.

  In addition, the present invention provides a login request receiving means for receiving a login request including identification information of a user group or a subgroup and identification information of an information transmitting / receiving device from the user terminal via a communication network, and the login to the user terminal is completed. When the login completion recording means for transmitting the information and storing the login completion information and the identification information of the information transmission / reception device included in the login request receives a login request that becomes the identification information of another information transmission / reception device again. Re-login necessity determination means for determining whether re-authentication is necessary by receiving login completion information transmitted to the user terminal from the user terminal and comparing it with the stored login completion information; And the access permission means includes the access request and the access request when the second authentication is not required. Serial based on the information stored in the user management table, and permits access to the content information.

  The present invention also relates to an access right management method in an access right management device for managing the right of access to each of a plurality of information transmitting / receiving devices, wherein the user group access right first registration means is configured to receive a user group The combination of the identification information and the identification information of the information transmitting / receiving device accessible by the user belonging to the user group is received and registered in the user group management table, and the user group access right second registration means is received from the information transmitting / receiving device administrator terminal. The first transmission content identification information for specifying the content information in the information transmitting / receiving device and the access right to the content information are received, and the received user group identification information and the information transmitting / receiving device identification information are received. The user group management table in association with the combination The first access content for specifying the identification information of the user belonging to the user group, the identification information of the information transmitting / receiving apparatus accessible by the user, and the content information in the information transmitting / receiving apparatus The identification information and the access right to the content information are registered in association with each other in the user management table, and the access permission means includes the user identification information, the information transmission / reception device identification information, and the first transmission content. An access request storing identification information is received from user terminals belonging to the user group, and the user management table is referred to based on the access request, and based on the access request and information stored in the user management table Content information corresponding to the first transmission content identification information stored in the access request An access right management method and permits the access.

  The present invention is also a program that is executed by a computer of an access authority management apparatus that manages access authority for each of a plurality of information transmitting / receiving apparatuses, and belongs to the user group identification information and the user group from a system administrator terminal. A user group access right first registration process for accepting a combination with identification information of an information transmitting / receiving device accessible by a user and registering it in the user group management table, and content information in the information transmitting / receiving device from an information transmitting / receiving device manager terminal The first transmission content identification information to be identified and the right to access the content information are received, and the received information is associated with a combination of the registered user group identification information and the information transmitting / receiving apparatus identification information, and the user User group actions to be registered in the group management table Second registration processing, identification information of users belonging to the user group, identification information of information transmission / reception devices accessible by the user, and first transmission content identification information for specifying content information in the information transmission / reception devices; A user access right registration process for registering the access authority to the content information in the user management table in association with each other, the user identification information, the information transmitting / receiving apparatus identification information, and the first transmission content identification information And from the user terminals belonging to the user group, referring to the user management table based on the access request, based on the access request and information stored in the user management table, Access to the content information corresponding to the first transmission content identification information stored in the access request. And permissions process that permits a program for executing a computer.

  According to the present invention, the system administrator registers which user group can access which information transmitting / receiving device, and the information transmitting / receiving device administrator can access which information in each information transmitting / receiving device each user group can access. Register for. Thereby, since the access authority of the user is registered for each user group, the labor of each administrator is reduced.

  Further, according to the present invention, the user group administrator sets the access authority for the user group managed by the user group within the range of the access authority set by the system administrator or the information transmission / reception apparatus administrator for the user group. To do. As a result, each user group administrator only needs to set the access authority for only the users belonging to his / her user group, so that the access authority registration process is distributed, and the access authority registration effort is reduced.

  In addition, according to the present invention, the sub-group administrator sets the access authority for the sub-group managed by the system administrator or the information transmission / reception apparatus administrator to the user group, This is performed within the range of access authority set by the user group administrator for the subgroup. As a result, each sub-group administrator only needs to set the access authority for users belonging to his / her sub-group, so the access authority registration process is distributed, and the access authority registration effort is reduced.

  According to the present invention, the access authority to the plurality of information transmitting / receiving apparatuses is managed by one access authority management apparatus. In other words, each administrator can determine which user group or subgroup can access which information transmission / reception device and information in the information transmission / reception device even when the number of information transmission / reception devices increases in the computer system. Since only the registration is required, the labor for registering access authority is reduced.

  Hereinafter, an access authority management apparatus according to an embodiment of the present invention will be described with reference to the drawings. FIG. 1 is a block diagram showing a configuration of a computer system according to the embodiment. From this figure, in the computer system, reference numeral 1 denotes an access authority management device for managing the authority of user access to each of a plurality of websites. Reference numeral 2 denotes a system administrator terminal (hereinafter, system administrator terminal) of a computer system comprising a plurality of web servers and the access authority management apparatus 1. Reference numeral 3 denotes a terminal of a website manager who manages each website. Reference numeral 4 denotes a user group administrator's terminal (hereinafter referred to as a UG administrator terminal) that manages the user group, and reference numeral 5 denotes a subgroup administrator's terminal (hereinafter referred to as an SG administrator) that manages subgroups set in the user group. Terminal), and reference numeral 6 denotes a user terminal (hereinafter referred to as a user terminal) belonging to a user group or subgroup.

  The user group is a user unit set for each organization such as a company, for example. A subgroup is a unit of users belonging to a subgroup installed in a user group, for example, a department or section installed in a company. Further, the system administrator terminal 2 and the website administrator terminal 3 do not refer to specific terminals in the computer system, but are PCs used when the system administrator or website administrator logs into the computer system. Are the system administrator terminal 2 and the website administrator terminal 3. In addition, there may be user terminals 6 that do not belong to the subgroup in the user group.

  The access authority management device 1 includes a communication processing unit 11 that transmits and receives information to and from each terminal connected via a communication network, and a control unit (login request receiving unit) 12 that controls each processing unit of the access authority management device 1. Site access right registration unit (user group access right first registration means) 13 for performing registration processing as to which website a user group can access, registration of which web page a user group can access in one website In-site access right registration unit (user group access right second registration means) 14 for performing processing, and access permission determination unit (access permission) for determining permission or non-permission of access from the user terminal 6 to the website (that is, web server) Means, login completion recording means, re-login necessity determination means) 15 UG registration unit 16 that performs user group (UG) registration processing, SG registration unit 17 that performs registration processing of subgroups belonging to the user group, user registration unit (user registration means) 18 that performs registration processing for each user, job registration A job registration unit (job registration unit) 19 that performs processing, an access authority setting unit (user access right registration unit) 20 that sets access authority for each user, and a database 21 that stores various tables are provided.

FIG. 2 is a diagram illustrating a relationship among a web server, a website, and an information transmission / reception device.
In the present embodiment, the website is a collective name of web pages (content information) transmitted by one web server, or a set of web pages transmitted for each different management entity in one web server. Or a collective unit name of web pages transmitted by a plurality of web servers. That is, a set unit of web pages in one or more web servers managed by the management entity is a website. The function of the web server corresponding to one website is an information transmitting / receiving device.

FIG. 3 is a diagram showing an outline of processing of the computer system.
Next, an outline of the computer system will be described.
In the computer system, the access authority management apparatus 1 performs a registration process of an access authority for a user group and an access authority for a user, and determines whether access to a plurality of websites is permitted or not. Here, the system administrator of the computer system performs registration processing (site access right registration processing) as to which Web site each user group can access to the access authority management apparatus. In addition, the website administrator uses the access authority management device to register a user group that can access the website managed by the website administrator and a web page that the user group can access in the website (intra-site access right registration process). Against. As described above, for example, this user group is an organization such as a company. Each user may belong to any one of a plurality of user groups, and may belong to any group among subgroups belonging to the user group. A subgroup is a unit of a user such as a department or section in a company.

  Also, the user group administrator performs access authority registration processing (subgroup access authority registration processing) for the subgroups in the user group for the access authority management apparatus 1, and the user group administrator or subgroup administrator The access authority management apparatus 1 is registered with the access authority of the users belonging to the group (job registration process). That is, the user group manager or the sub group manager determines the access authority assigned to each user within the range of access authority given by the system administrator or website administrator, and performs the registration process.

FIG. 4 is a diagram showing a work flow of each administrator in the computer system.
(1) First, the website administrator applies for user group registration. In this application, a user group name, user group manager information (name, department), and the like are provisionally registered in the access authority management apparatus using a web page.
(2) Next, the website administrator makes an application for setting the site access right for the user group that has applied for registration in the process of (1). In this application, information for identifying a user group, a website ID of a website that can be accessed by the user group, and the like are provisionally registered in the access authority management apparatus using a web page.

(3) Next, the system administrator approves user group registration based on the application (1). In this process, the registration request temporarily registered in the access authority management device 1 in (1) by the system administrator is displayed on the monitor of the system administrator terminal 2 using a web page, and a display button on the monitor is displayed. Press to give registration instructions. As a result, a user group ID is generated, and the user group ID and the application information provisionally registered in the access authority management device 1 are stored in another data table or the like by the processing of the access authority management device 1.
(4) Next, the system administrator approves the site access right setting based on the application (2). In this process, the registration application temporarily registered in the access authority management device 1 in (2) by the system administrator is displayed on the monitor of the system administrator terminal 2 using a web page, and the display button on the monitor is pressed. To give registration instructions. Thereby, the application information temporarily registered in the access authority management apparatus 1 is stored in another data table or the like by the process of the access authority management apparatus 1.

(5) When the approval of the site access right setting by the system administrator is completed, the website administrator next sets the in-site access right. In this process, the website administrator is a process of registering what information can be accessed for a user group that can access the website managed by the website administrator. At this time, the website administrator accesses the access authority management apparatus 1, displays the in-site access authority setting screen on the monitor using the web page, and performs registration. Then, the registered information is stored in the database 21 by the processing of the access authority management device 1.
(6) Next, the user group manager registers each user in the user group managed by the user group manager. In this process, the user group manager inputs information such as the name and department of each user into the web page and registers them in the access authority management apparatus 1. The registered information is stored in the database 21 by the processing of the access authority management device 1.
(7) Next, the user group manager registers a subgroup belonging to the user group managed by the user group manager. In this process, the user group manager inputs the name of the subgroup and the information of users belonging to the subgroup on the web page and registers them in the access authority management apparatus 1. The registered information is stored in the database 21 by the processing of the access authority management device 1.

(8) Next, the sub group manager performs job registration processing. In this process, the sub-group administrator registers the access authority necessary for performing a certain job among the access authorities granted to the sub-group by the system administrator, the website administrator, and the user group administrator ( Job registration). In other words, the access authority consisting of a combination of the contents of a web page transmitted on a predetermined website and information such as whether the web page can be browsed and information registered using the web page is registered in units of duties. In this process, the subgroup manager registers at least the job identification information and the access authority information in the access authority management apparatus 1 using a web page. The registered information is stored in the database 21 by the processing of the access authority management device 1.
(9) Next, the access authority of the job unit registered by the subgroup manager in (8) is set for the user (job setting). In this process, the subgroup administrator registers the identification information of the users belonging to the subgroup and the identification information of the duties in the access authority management apparatus 1 using a web page. The registered information is stored in the database 21 by the processing of the access authority management device 1.
Note that (10) and (11) in FIG. 4 are job registration processing and job setting processing by the user group manager. This process is the same as the processes (8) and (9). As described above, the job group registration and job setting process may be performed by the user group administrator.

FIG. 5 is a data structure showing the first user group management table.
As shown in this figure, a first user group management table (hereinafter referred to as a first UG management table) includes a user group ID, a website ID, and the contents of a web page transmitted on the website (first transmission contents identification information). ), An authority indicating what kind of access to the contents of the web page is stored in association with each other. In other words, in this first UG management table, which user group can access which website, and which web page indicates which of the web pages transmitted on the accessible website can be accessed, and which web page It holds information on whether such access is possible. The correspondence relationship between the user group ID and the website ID in the first UG management table is registered based on the site access right setting process by the system administrator in (4) described above. In addition, the correspondence relationship between the user group ID, the website ID, the contents, and the authority in the first UG management table is registered based on the above-described site access right setting process by the website administrator in (5). .

FIG. 6 is a data structure showing the second user group management table.
As shown in this figure, the second user group management table (hereinafter referred to as the second UG management table) includes a user group ID, a subgroup ID, a website ID, and the contents of the web page transmitted on the website (first (Transmission content identification information) and an authority indicating what kind of access to the web page can be stored in association with each other. In other words, in this second UG management table, which subgroup belonging to which user group can access which website, and information indicating which contents of the web pages transmitted on the accessible website can be accessed. It holds information on how to access web pages. Each piece of information registered in the second UG management table is registered based on the subgroup registration process by the user group manager (7) described above. This subgroup registration process may be performed by a subgroup administrator.

FIG. 7 is a data structure showing the first user management table.
As shown in this figure, the first user management table is a table that stores a user ID, a user group ID, and a subgroup ID in association with each other. That is, the first user management table indicates a user group to which the user belongs and a subgroup in the user group. This first user management table is registered based on the user registration process by the user group administrator (6) described above.

FIG. 8 shows a data structure showing the job management table.
As shown in this figure, the job management table includes job identification information, a website ID, the content of the web page transmitted on the website (first transmission content identification information), and details that further define the content. It is a table that stores the contents (second transmission content identification information) and the authority indicating what kind of access is possible to the web page in association with each other. In other words, the job management table can access which web page the user can access according to the job given to the user, and which web page indicates which of the web pages transmitted by the accessible website. It holds information on how to access web pages.

FIG. 9 shows the data structure of the second user management table.
As shown in this figure, the second user management table is a table that stores a user ID and job identification information in association with each other. In other words, this second user management table is a table showing duties assigned to each user.

FIG. 10 is a data structure showing the third user management table.
As shown in this figure, the third user management table includes the user ID, the website ID, the contents of the web page transmitted on the website, the detailed contents that further define the contents, and how to access the web page. This is a table for storing the authority indicating whether or not it can be accessed in association with each other. In other words, the third user management table allows the user to access which web page the user can access, and which web page indicates which of the web pages transmitted by the accessible website, and how to access the web page. Holds information on whether or not it can be accessed successfully. That is, by assigning duties to users as shown in the table of FIG. 9, not only is the access authority to a predetermined web page in the website granted, but also the websites for each user as shown in the table of FIG. You may make it grant the access authority to the predetermined information directly.
In the present embodiment, each of the above tables is stored in the database 21 of the access authority management apparatus 1, but they may be stored in separate databases.

Next, the details of the processing flow for registration of access authority in the computer system (4) to (11) will be described in order. It is assumed that the processes (1) to (3) have been completed in advance. Further, it is assumed that information (user name, password, etc.) of the system administrator, website administrator, and user administrator is registered in the access authority management apparatus 1 in advance.
FIG. 11 is a diagram showing a site access right setting screen. This screen is a screen that is displayed on the monitor on the system administrator terminal 2 by accessing the access authority management device 1 from the system administrator terminal 2 when the system administrator performs the site access right setting (4) described above. It is. In this site access right setting screen, a user group ID and a user group name are displayed, and a field for setting access permission is provided so that users in the user group can access. On the site access right setting screen, the system administrator registers which websites the user group can access, thereby specifying websites that users belonging to the user group can access.

FIG. 12 is a diagram showing a processing flow of site access right setting.
First, the system administrator uses the system administrator terminal 2 to access the access authority management apparatus 1 and instructs the display of the list for which the site access right setting application has been made in the process (2). Then, the site access right registration unit 13 of the access right management apparatus 1 reads the application information stored in the database 21 and transmits a web page displaying the contents to the system administrator terminal 2. When this web page is displayed on the monitor of the system administrator terminal 2, the system administrator selects one site access right setting application (step S101). Thereby, the access authority management apparatus 1 transmits the web page of the site access authority setting screen (step S102). Then, a site access right setting screen is displayed on the monitor of the system administrator terminal 2 (step S103).

  Next, when the system administrator presses the confirmation button on the site access right setting screen (step S104), the access authority management device 1 transmits a web page of the site access right setting confirmation screen to the system administrator terminal 2 ( Step S105). Then, on this confirmation screen, the system administrator presses the registration button (step S106). Then, the system administrator terminal 2 transmits the user group ID, the website ID, and the like held in the HTML text on the web page of the site access right setting screen to the access authority management apparatus 1. Next, the site access right registration unit 13 of the access right management apparatus 1 associates the received user group ID with the website ID and registers them in the first UG management table (step S107). Thereby, the site access right setting is completed, and which user group can access which website is registered in the access authority management apparatus 1. In this site access right setting process, in addition, authentication as to whether or not the user is a system administrator, determination as to whether or not the transition source screen is normal, and the like are performed.

  FIG. 13 is a diagram showing a site access right setting screen. This screen is used when the website administrator performs the access authority setting in (5) described above to access the access authority management apparatus 1 using the website administrator terminal 3, and the website administrator terminal 3 It is a screen displayed on a monitor. In this in-site access right setting screen, a user group ID and a user group name are displayed, and a field for setting which contents of the web page the user in the user group can access is displayed. Is provided. In this field, a non-selection field (a) for displaying a list of contents of all web pages transmitted on the website and authority to access the web page, and a web page selected by the website administrator There is a selection field (b) for displaying a list. By specifying the content of information accessible to users belonging to the user group on the site access right setting screen, the website administrator can determine which content information on which website the user belonging to the user group can access. You can register.

FIG. 14 is a diagram showing a processing flow for setting access rights within a site.
First, the website manager uses the website manager terminal 3 to access the access authority management apparatus 1 and instructs the display of the list in which the site access authority setting has been registered in the process (4). Then, the in-site access right registration unit 14 of the access right management apparatus 1 reads the registered information of the site access right setting stored in the database 21 and displays the web page displaying the contents thereof as the website administrator. Transmit to terminal 3. When this web page is displayed on the monitor of the website manager terminal 3, the website manager selects a user group for which one site access right is set (step S201). Thereby, the access authority management apparatus 1 transmits the web page of the in-site access authority setting screen to the website administrator terminal 3 (step S202). Then, a site access right setting screen is displayed on the monitor of the website manager terminal 3 (step S203).

  Next, the website administrator selects items to be assigned to the user group from the list displayed in the non-selection field (a) on the in-site access right setting screen, that is, the website name, information in the website, and its access authority. Is selected (step S204). Then, the selected item is displayed in the selection column (b). When the combination of the contents of the accessible web page and the access authority is selected, a confirmation button is pressed (step S205). Then, the access authority management device 1 transmits a web page of the confirmation screen for setting the access authority in the site to the system administrator terminal 2 (step S206). On this screen, a list selected by the website administrator is displayed. Then, on this confirmation screen, the website administrator presses the registration button using an input device such as a mouse (step S207). Then, the website manager terminal 3 uses the user group ID, the website ID, the identification information of the contents of the web page, the access authority, etc., which are stored in the HTML text on the web page of the in-site access right setting screen. Is transmitted to the access authority management apparatus 1.

  Next, the site access right registration unit 13 of the access right management apparatus 1 determines the user group ID and the web from the combination of the received user group ID, the website ID, the identification information of the content of the web page transmitted by the web server, and the access right. The site ID is read and registered in the first UG management table in which they are already registered in association with the identification information and access authority of the contents of the web page transmitted by the web server (step S208). As a result, the access right setting in the site is completed, and which user group user can register in the access authority management apparatus 1 what type of web page transmitted by which website can be accessed. . In this intra-site access right setting process, other authentication such as whether the access to the access right management apparatus 1 is a website administrator is performed.

  FIG. 15 shows a user registration screen. This screen is used to access the access authority management device 1 using the UG administrator terminal 4 when the user group administrator registers a user belonging to the user group managed by the user group administrator, and on the monitor of the UG administrator terminal 4 It is a screen to be displayed. In this user registration screen, the user group ID and the user group name are displayed, and the user name of the user belonging to the user group and the attribute information of the user (affiliation department and contact information, subgroup information, user (Such as the job function to be set to).

FIG. 16 is a diagram showing a processing flow of user registration.
The user group manager registers each user who belongs to the user group managed by the user group with respect to the access authority management apparatus 1. First, the user group manager accesses the access authority management apparatus 1 using the UG manager terminal 4 and makes a user registration request (step S301). Then, the user registration unit 18 of the access authority management device 1 transmits the web page of the user registration screen to the UG manager terminal 4 (step S302). Then, a user registration screen is displayed on the monitor of the UG manager terminal 4 (step S303). On the user registration screen, an input field for user name and user attribute information and a user group name are displayed. On the user registration screen displayed on the monitor of the UG administrator terminal 4, the user group manager inputs a user name, user attributes, and the like, and presses a confirmation button (step S304). Then, the UG administrator terminal 4 transmits the input user name, user attribute, and user group ID to the access authority management apparatus 1. When the user registration unit 18 of the access authority management apparatus 1 receives the information transmitted from the UG manager terminal 4, the user registration unit 18 generates a user ID (step S305). Then, the user registration unit 18 registers the generated user ID and the received user group ID, user name, and user attribute information in the first user management table of the database 21 in association with each other (step S306). In FIG. 7, the first user management table shows a state in which only the user ID and the user group ID are associated with each other. Through the above processing, user registration is completed, and information on users belonging to the user group is registered. In addition, in this user registration processing, authentication such as whether or not the access to the access authority management device 1 is a user group manager is performed.

FIG. 17 shows a subgroup registration screen.
This screen accesses the access authority management device 1 using the UG administrator terminal 4 when the user group administrator registers the subgroup belonging to the user group and sets the access right to the subgroup. It is a screen displayed on the monitor of the UG manager terminal 4. In this subgroup registration screen, set the subgroup name entry field, the subgroup administrator name and its attribute entry field, and the contents of the web page of which website can be accessed by the users in the sub group. A column to do is provided. In this column, a non-selection column (c) for displaying a list of in-site access rights set for the user group to which the sub-group belongs by the processing of (5) above, and a user group administrator from among them There is a selection field (d) for displaying a list of access rights within the site selected by. On the subgroup registration screen, the user group administrator must enter the information of the subgroup administrator and specify the site access rights to be given to the subgroup among the site access rights given to the user group. Thus, it is possible to register which user can access which web page of which website in the subgroup.

FIG. 18 is a diagram showing a processing flow of subgroup registration.
First, the user group manager accesses the access authority management apparatus 1 using the UG manager terminal 4 and makes a subgroup registration request (step S401). Then, the SG registration part 17 of the access authority management apparatus 1 transmits the web page of a subgroup registration screen to the UG administrator terminal 4 (step S402). At this time, the SG registration unit 17 reads the in-site access right associated with the ID of the user group to which the user group administrator belongs and is registered in the first UG management table, and sets the in-site access right in the non-selection field ( c) is transmitted to the UG manager terminal 4 as information to be displayed. Then, in the non-selection column (c), a subgroup registration screen displaying the in-site access right given to the user group is displayed on the monitor of the UG manager terminal 4 (step S403).

  Next, the user group manager inputs the subgroup manager name and the attribute information of the subgroup manager on the subgroup registration screen. Further, an item to be assigned to the subgroup is selected from the list displayed in the non-selection column (c) (step S404). Then, the selected item is displayed in the selection column (d). When the site access right assigned to the subgroup is selected, the user group administrator presses a confirmation button (step S405). Then, the access authority management apparatus 1 transmits the web page of the confirmation screen for subgroup registration to the UG manager terminal 4 (step S406). On this screen, the in-site access right selected by the user group manager and the information of the sub group manager are displayed. Then, on this confirmation screen, the user group administrator presses the registration button (step S407). Then, the UG administrator terminal 4 is held in the HTML text on the web page of the subgroup registration screen and the information on the subgroup manager input on the subgroup registration screen and the information on the selected access right in the site. A user group ID, a website ID, and the like are transmitted to the access authority management apparatus 1.

  Next, when the access authority management apparatus 1 receives the information transmitted from the UG administrator terminal 4, the SG registration unit 17 generates a subgroup ID (step S408). Then, the SG registration unit 17 registers the generated subgroup ID and the information received from the UG administrator terminal 4 in the second UG management table stored in the database 21 in association with each other (step S409). In the second UG management table of FIG. 6, the user group ID, the subgroup ID, the website ID, the in-site access right (the contents of the accessible web page among the information transmitted by the website, and the web page of the contents) (Access authority indicating what kind of access is possible) is registered in association with each other. As a result, the subgroup registration process is completed, and which subgroup users can register in the access authority management apparatus 1 as to what type of web page transmitted by which website can be accessed. . In the subgroup registration process, authentication of whether or not the access to the access authority management apparatus 1 is a user group manager is performed. The subgroup registration and resetting process may be performed using the user registration screen (FIG. 15) in the above-described user registration process, or may be performed on the following subgroup belonging user setting screen (FIG. 19). It may be.

FIG. 19 is a diagram showing a subgroup belonging user setting screen.
This screen is a screen that is displayed on the monitor of the UG administrator terminal 4 by accessing the access authority management device 1 using the UG administrator terminal 4 when the user group administrator sets the users belonging to the subgroup. is there. In this subgroup belonging user setting screen, fields for selecting subgroup manager information (such as the manager name) and users belonging to the subgroup are provided. In this column, a user who has been registered on the above-described user registration screen and displays a user list of a user group to which the user group administrator belongs, and a user group administrator selects from among these are displayed. There is a selection field (f) for displaying a list of selected users. The user group manager registers which user among the users belonging to the user group the user belonging to the subgroup by selecting a user belonging to the subgroup on the subgroup belonging user setting screen.

FIG. 20 is a diagram showing a processing flow for setting a subgroup belonging user.
When the user group manager ends the above-described subgroup registration process, the user group manager sets the users belonging to the subgroup. First, the user group manager accesses the access authority management apparatus 1 using the UG manager terminal 4 and makes a subgroup affiliation user setting request (step S501). Then, the SG registration unit 17 of the access authority management apparatus 1 transmits the web page of the subgroup belonging user setting screen to the UG manager terminal 4 (step S502). At this time, the SG registration unit 17 reads the user ID, the user name, and the like that are associated with the ID of the user group to which the user group administrator belongs and is registered in the first user management table, and does not select the user name, etc. The information to be displayed in the column (e) is transmitted to the UG manager terminal 4. Then, in the non-selection column (e), a subgroup belonging user setting screen displaying all users in the user group to which the user group manager belongs is displayed on the monitor of the UG manager terminal 4 (step S503).

  Next, the user group manager selects a user belonging to the sub group from the list displayed in the non-selection column (e) on the sub group belonging user setting screen (step S504). Then, the selected item is displayed in the selection field (f). When a user belonging to the sub group is selected, the user group manager presses a confirmation button (step S505). Then, the access authority management apparatus 1 transmits the web page of the confirmation screen for subgroup belonging user setting to the UG administrator terminal 4 (step S506). On this screen, a list of users selected by the user group manager is displayed. Then, on this confirmation screen, the user group administrator presses the registration button (step S507). Then, the UG administrator terminal 4 uses the ID of the user selected on the subgroup belonging user setting screen, the user group ID, the subgroup ID, etc. held in the HTML text of the web page of the subgroup belonging user setting screen. Is transmitted to the access authority management apparatus 1.

  Next, when the access authority management apparatus 1 receives the information transmitted from the UG administrator terminal 4, the SG registration unit 17 determines the user ID from the user ID, user group ID, and subgroup ID received from the UG administrator terminal 4. And the user group ID are registered, and the received subgroup ID is associated and registered in the first user management table in which the combination is already registered (step S508). Note that the first user management table of FIG. 7 shows a state in which a user ID, a user group ID, and a subgroup ID are registered in association with each other. As a result, the subgroup belonging user setting process is completed, and the users belonging to the subgroup are registered. In this subgroup belonging user setting process, authentication of whether or not the access to the access authority management apparatus 1 is a user group manager is performed. Further, the subgroup manager may perform the subgroup affiliation user setting process.

FIG. 21 is a diagram showing a job registration screen.
This screen is used to access the access authority management device 1 using the SG administrator terminal 5 when the subgroup administrator sets the detailed access right to the web page used by the user performing the predetermined function. And a screen displayed on the monitor of the SG manager terminal 5. In the present embodiment, the job registration process may be performed by a subgroup administrator or a user group administrator. In this job registration screen, the website selection field, the field for selecting the content of the web page transmitted by the website, the field for inputting the job title, and the content of the web page transmitted by the website are further detailed. A non-selection field (g) for displaying a list of the detailed contents defined in the above and its access authority, and a selection field for displaying a list of combinations of the detailed contents and the access authority selected by the subgroup administrator from the non-selection field (H) exists. The sub-group manager registers the job to be registered and the job that can be accessed to the web page with the detailed content in the web page with the content transmitted by which web site.

FIG. 22 is a diagram showing a processing flow for job registration.
Next, the subgroup manager performs job registration. First, the subgroup manager accesses the access authority management apparatus 1 using the SG manager terminal 5 and makes a job registration request (step S601). Then, the job registration unit 19 of the access authority management apparatus 1 transmits a web page of the job registration screen to the SG manager terminal 5 (step S602). At this time, the job registration unit 19 reads the in-site access right associated with the user group to which the subgroup manager belongs and the ID of the subgroup and registered in the second user management table, and the in-site access right The SG administrator terminal as information to be read from a table or the like that defines the detailed contents of the detailed contents and the access authority that define the contents of the accessible web page shown in FIG. To 5. Then, in the non-selection column (g), a job registration screen holding information on the detailed contents of the in-site access right that can be set for the subgroup to which the subgroup manager belongs is displayed on the monitor of the SG manager terminal 5 ( Step S603).

  Next, on the job registration screen, the sub-group manager selects a website to be accessed according to the job and the content of information transmitted on the website, and inputs the job name in the job name input field. Then, detailed content information that defines the content of the selected information in more detail is displayed in the non-selection column (g). Then, the subgroup manager selects the detailed contents of the access right in the site that can be accessed by the user as a job from the list displayed in the non-selection column (g) (step S604). Then, the selected item is displayed in the selection column (h). When the detailed content of the access right within the site is selected, the subgroup manager presses a confirmation button (step S605). Then, the job registration unit 19 of the access authority management apparatus 1 transmits a web page of a job registration confirmation screen to the SG manager terminal 5 (step S606). In this confirmation screen, the website name selected by the subgroup manager, the contents of the web page transmitted by the website, the job name, and the detailed contents of the web page accessible as the job are displayed. Then, on this confirmation screen, the subgroup administrator presses the registration button (step S607). Then, the SG administrator terminal 5 includes the ID of the website selected on the job registration screen, the content of the information transmitted on the website, the detailed content of the information that can be accessed by the job among the information on the content, The access authority and the like are transmitted to the access authority management apparatus 1.

  Next, when the access authority management apparatus 1 receives the information transmitted from the SG administrator terminal 5, the job registration unit 19 associates the received information and registers it in the job management table (step S608). In the job management table of FIG. 8, the job name, the website ID, the content of the web page transmitted on the website, the detailed content of the web page that can be accessed by the job among the web pages of the content, It shows a state in which an access authority indicating what kind of access can be made to the detailed contents is registered in association with each other. This completes registration (duty registration) of what access to which web page in which website can be performed in the duties performed by the users belonging to the subgroup. In the job registration process, authentication of whether or not the access to the access authority management apparatus 1 is a subgroup manager is performed.

FIG. 23 is a diagram showing a job setting screen.
This screen is used to access the access authority management apparatus 1 using the SG administrator terminal 5 when the subgroup administrator assigns the job registered in the job registration described above to the user belonging to the subgroup, and the SG administrator terminal. 5 is a screen displayed on the monitor 5. The job setting process may be performed by a subgroup manager or a user group manager. In this job setting screen, there are provided columns for selecting a website name to be accessed in the job, the contents of the web page transmitted by the website, the job name, and a user belonging to the subgroup. In this column, a non-selection column (i) for displaying a list of users in the subgroup registered by the above-mentioned subgroup belonging user setting screen and a list of users selected by the subgroup administrator from among them are displayed. There is a selection field (j). The sub-group manager registers which job is assigned to which user belonging to the sub-group by selecting a user to which the job is assigned on the job setting screen.

FIG. 24 is a diagram showing a processing flow of job setting.
When the above-described job registration process is completed, the subgroup manager performs a job setting process for assigning jobs to users belonging to the subgroup managed by the subgroup manager. First, the subgroup manager accesses the access authority management apparatus 1 using the SG manager terminal 5 and requests a job setting (step S701). At this time, in order to specify which job is set for the user, the job is selected on the web page. Then, the access authority setting unit 20 of the access authority management apparatus 1 transmits a web page of a job setting screen for the selected job to the SG manager terminal 5 (step S702). At this time, the access authority setting unit 20 reads the user ID and user name associated with the ID of the subgroup managed by the subgroup administrator and registered in the first user management table. The name is transmitted to the SG administrator terminal 5 as information to be displayed in the non-selection column (i). In the non-selection column (i), the job setting screen displaying all users in the subgroup to which the subgroup manager belongs is displayed on the monitor of the SG manager terminal 5 (step S703).

  Next, the subgroup manager selects a user to whom a job is assigned from the list displayed in the non-selection field (i) on the job setting screen (step S704). Then, the selected item is displayed in the selection column (j). When the user to whom the job is assigned is selected, the subgroup manager presses a confirmation button (step S705). Then, the access authority management apparatus 1 transmits the web page of the job setting confirmation screen to the SG administrator terminal 5 (step S706). On this screen, a list of users selected by the subgroup manager, that is, users to whom duties are assigned, is displayed. Then, on this confirmation screen, the subgroup administrator presses the registration button (step S707). Then, the SG administrator terminal 5 displays the user ID of the user selected on the job setting screen, the job identification information (job name, job ID, etc.) held in the HTML text of the web page of the job setting screen. To the access authority management apparatus 1.

  Next, when the access authority management device 1 receives the information transmitted from the SG administrator terminal 5, the access authority setting unit 20 reads the user ID and job identification information received from the SG administrator terminal 5, and the second user Registration is performed in association with the management table (step S708). The second user management table in FIG. 9 shows a state where the user ID and job name are registered in association with each other. As a result, the job setting process ends, and the assignment of the job to the user ends. In the job setting process, other authentication such as whether or not the access to the access authority management apparatus 1 is a subgroup manager is performed. The job setting process may be performed using the user registration screen (FIG. 15) in the above-described user registration process. In this case, the user group manager selects a job from the non-selection column and performs registration.

  In addition to the method of granting the access authority to the website to each user by the job setting as described above, the access authority to the website may be individually given to each user. For example, the access authority setting screen is a screen for setting access authority for one user in the subgroup, and is assigned to the user from the list of detailed contents of the web page transmitted by the website using this screen. Select the details and give a registration instruction. Then, the access authority setting unit 20 of the access authority management apparatus 1 includes a user ID, a website ID that can be accessed by the user, and the contents of a web page that can be accessed by the user among the contents of the web page transmitted by the website. The detailed contents defining the contents in detail and the access authority indicating what kind of access is possible to the web page are received from the SG administrator terminal 5, and they are associated with each other in the third user management table (FIG. 10). ).

  Thereby, the access authority to the website for each user of the subgroup is set. When the user accesses the website, the access permission determination unit 15 of the access authority management device 1 determines whether the access is permitted based on the access authority registered in the second user management table or the third user management table. judge.

FIG. 25 is a diagram showing a user setting change screen.
This screen is a screen that is displayed on the monitor of the UG administrator terminal 4 by accessing the access authority management device 1 using the UG administrator terminal 4 when the user group administrator changes the settings of the users belonging to the user group. It is. On this user setting change screen, a user group ID, a user group name, a user ID, a user name, a user group name to which the user belongs, a subgroup name, a department, a contact address, and the like are displayed.

FIG. 26 is a diagram showing a processing flow for changing user settings.
The user group manager can change the information set for the user on the user setting change screen. The user group manager accesses the access authority management apparatus 1 using the UG manager terminal 4 and makes a user setting change request (step S801). Then, the user registration unit 18 of the access authority management apparatus 1 transmits the web page of the user setting change screen to the UG manager terminal 4 (step S802). Then, a user setting change screen is displayed on the monitor of the UG manager terminal 4 (step S803).

  Next, when the user group administrator changes the information such as the subgroup and department in the user setting change screen and presses the confirmation button (step S804), the access authority management apparatus 1 displays the user setting change confirmation screen. The web page is transmitted to the UG manager terminal 4 (step S805). Then, on this confirmation screen, the user group administrator presses the registration button (step S806). Then, the UG administrator terminal 4 transmits the user ID, the user group ID, the sub group ID, and the like held in the HTML text of the web page of the confirmation screen to the access authority management apparatus 1. These pieces of information are registered in the first user management table (step S807), and the user setting change ends.

  In addition, when a user who belongs to a user group or a sub group is newly granted access authority to another website, that is, the user group ID, website ID, and website are already added to the first UG management table. A combination of information of website access rights (access rights indicating the contents of the web page and what kind of access to the web page) indicating the accessible web page among the web pages transmitted by is registered, and In the case of registering another combination of information, the same processing as the above-described (4) user access right setting processing may be performed again. In addition, the same processing can be repeated for the site access right setting, user registration, subgroup registration, job registration, job setting, etc., when a user is newly given access authority to another website. .

  By the above processing, the system administrator registers which user group can access which website, and the website administrator can access which web page of the web pages transmitted by the website managed by the system administrator. Is registered for the user group, the user group administrator registers the subgroup, and the subgroup administrator registers the access authority for the duties of the users in the subgroup that he / she manages, and the subgroup The administrator assigns duties to users in subgroups managed by the administrator. As a result, each administrator sequentially registers the access authority within the given range, so even when a large number of users use a computer system having a plurality of websites, the amount of access authority registration processing Are distributed, and the process of assigning access rights to the users of each administrator can be reduced. In addition, registration of user access authority for a plurality of websites can be performed by one access authority management device. Therefore, even when a website is further added to the computer system, it is not necessary to provide the function of a user access authority management device to the added website, thereby reducing the effort for system construction. Can be reduced.

Next, a user's website access process will be described.
The user accesses the website and enters the login ID and password to be authenticated. Then, the user terminal 6 displays the website of the website on the monitor. At this time, the web server that transmits the web page of the website transmits the user ID received when accessing the home page from the user terminal 6 to the access authority management apparatus 1. Then, the access permission determination unit 15 of the access authority management apparatus 1 reads the job identification information registered in the second user management table using the user ID as a key, and registers it in the job management table in association with the job. The web site ID, the content of the web page accessible on the website indicated by the web site ID, the detailed content, and the access authority are read. Then, the access permission determination unit 15 of the access authority management apparatus 1 holds the read various information as an access authority management object in the memory area allocated to the user. When the user uses the user terminal 6 to specify a web page to be transmitted by the website, the user terminal 2 transmits an access request to the access authority management device 1.

  This access request stores at least the user ID, identification information indicating the content of the web page, and identification information indicating the detailed content. Then, the access permission determination unit 15 of the access authority management apparatus 1 includes information stored in the access request and information included in the access authority management object (identification information indicating the contents of the web page and identification information indicating the detailed contents). And compare. If the comparison results match, in the access authority management object, the access permission with the access authority registered in association with the identification information indicating the content of the web page and the identification information indicating the detailed contents is displayed. Send to site. Then, the web server corresponding to the website transmits the web page designated by the user terminal 6 to the user terminal 6. The access authority includes web page browsing permission (R: Read), web page writing permission (W: Write), and the like. The user terminal 6 obtains a cookie from the web server when accessing the website. This cookie is managed in the database 21 of the access authority management apparatus 1 in association with the user ID.

  In the above-described website access processing, the access permission is determined using the duties assigned to the users belonging to the subgroup, but the assignment is made to the users not belonging to the subgroup. It may be possible to determine whether the user who does not belong to the subgroup can access from the user terminal 6 by the same process as described above. In addition, when the user ID stored in the access request, the contents of the web page to be accessed, the detailed contents, etc. are compared with the information recorded in the user management table without using the job information, Access permission may be determined using the access authority registered in the user management table in association with the user ID, the contents of the web page to be accessed, and the detailed contents.

  In addition, the user can access a plurality of websites based on the detailed access authority assigned to the user. At this time, when logging in to one website, a cookie is held in the user terminal 6, so that when a user tries to display a web page of another website, the function of the accessed website is controlled. The holding web server acquires a cookie (information storing user ID, access history information, etc.) from the user terminal 6 and stores the cookie and the cookie stored in the database 21 when accessing the transition source website. Are compared. If the user ID and information indicating access to a series of websites are held and matched in the two cookies, access to other websites can be logged in without authentication. By the above processing, the user can access without re-authentication when sequentially changing the access to the website to which other access authority is given.

  The access authority management apparatus described above has a computer system inside. The process described above is stored in a computer-readable recording medium in the form of a program, and the above process is performed by the computer reading and executing this program. Here, the computer-readable recording medium means a magnetic disk, a magneto-optical disk, a CD-ROM, a DVD-ROM, a semiconductor memory, or the like. Alternatively, the computer program may be distributed to the computer via a communication line, and the computer that has received the distribution may execute the program.

  The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

It is a block diagram which shows the structure of a computer system. It is a figure which shows the relationship between a web server, a website, and information transmission / reception. It is a figure which shows the process outline | summary of a computer system. It is a figure which shows the work flow of each administrator in a computer system. It is a data structure which shows a 1st user group management table. It is a data structure which shows a 2nd user group management table. It is a data structure which shows a 1st user management table. It is a data structure which shows a job management table. It is a data structure which shows a 2nd user management table. It is a data structure which shows a 3rd user management table. It is a figure which shows a site access right setting screen. It is a figure which shows the processing flow of a site access right setting. It is a figure which shows a site access right setting screen. It is a figure which shows the processing flow of site access right setting. It is a figure which shows a user registration screen. It is a figure which shows the processing flow of user registration. It is a figure which shows a subgroup registration screen. It is a figure which shows the processing flow of subgroup registration. It is a figure which shows a subgroup affiliation user setting screen. It is a figure which shows the processing flow of a subgroup affiliation user setting. It is a figure which shows the job registration screen. It is a figure which shows the processing flow of job registration. It is a figure which shows the duties setting screen. It is a figure which shows the processing flow of duties setting. It is a figure which shows a user setting change screen. It is a figure which shows the processing flow of a user setting change.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Access authority management apparatus, 2 ... System administrator terminal, 3 ... Website administrator terminal, 4 ... UG administrator terminal, 5 ... SG administrator terminal, 6 ... User terminal

Claims (9)

An access authority management apparatus that manages access authority to each of a plurality of information transmitting / receiving apparatuses,
A user group access right first registration means for accepting a combination of identification information of a user group and identification information of an information transmitting / receiving device accessible by a user belonging to the user group from a system administrator terminal, and registering it in the user group management table; ,
From the information transmission / reception device manager terminal, the first transmission content identification information for specifying the content information in the information transmission / reception device and the access right to the content information are received, and the received information is the identification information of the registered user group And a user group access right second registration means for registering in the user group management table in association with the combination of the identification information of the information transmitting / receiving device,
Identification information of users belonging to the user group, identification information of information transmission / reception devices accessible by the user, first transmission content identification information for specifying content information in the information transmission / reception devices, and access authority to the content information And a user access right registration means for registering them in the user management table in association with each other,
An access request storing the identification information of the user, the identification information of the information transmitting / receiving device, and the first transmission content identification information is received from a user terminal belonging to the user group, and the user management table based on the access request The access permission means for permitting access to the content information corresponding to the first transmission content identification information stored in the access request based on the access request and the information stored in the user management table When,
An access authority management device comprising: An access authority management apparatus that manages access authority to each of a plurality of information transmitting / receiving apparatuses,
A user group access right first registration means for accepting a combination of identification information of a user group and identification information of an information transmitting / receiving device accessible by a user belonging to the user group from a system administrator terminal, and registering it in the user group management table; ,
From the information transmission / reception device manager terminal, the first transmission content identification information for specifying the content information in the information transmission / reception device and the access right to the content information are received, and the received information is the identification information of the registered user group And a user group access right second registration means for registering in the user group management table in association with the combination of the identification information of the information transmitting / receiving device,
User registration means for accepting a combination of identification information of a user group registered in the user group management table and identification information of a user belonging to the user group from a user group manager terminal and registering in the user management table;
Second transmission content specified by the user group manager terminal in more detail than the first transmission content identification information for the identification information of the information transmission / reception device registered in the user group management table and the content information in the information transmission / reception device. The identification information and the access authority to the content information are received, and the received information is associated with the combination of the identification information of the user group registered by the user registration unit and the identification information of the user in the user management table. User access right registration means to register;
An access request for access to content information registered by the user access right registration means, wherein the access request stores user identification information, identification information of an access destination information transmitting / receiving device, and second transmission content identification information. Accepting, referring to the user management table based on the access request, and corresponding to the second transmission content identification information stored in the access request based on the access request and information stored in the user management table An access permission management device comprising: access permission means for permitting access to content information to be performed. An access authority management apparatus that manages access authority to each of a plurality of information transmitting / receiving apparatuses,
A user group access right first registration means for accepting a combination of identification information of a user group and identification information of an information transmitting / receiving device accessible by a user belonging to the user group from a system administrator terminal, and registering it in the user group management table; ,
From the information transmission / reception device manager terminal, the first transmission content identification information for specifying the content information in the information transmission / reception device and the access right to the content information are received, and the received information is the identification information of the registered user group And a user group access right second registration means for registering in the user group management table in association with the combination of the identification information of the information transmitting / receiving device,
Identification information of a user group registered in the user group management table, identification information of a subgroup belonging to the user group, and identification information of a user belonging to the subgroup from a user group manager terminal or a subgroup manager terminal A user registration means for accepting a combination of and registering in the user management table;
From the first transmission content identification information about the identification information of the information transmitting / receiving device registered in the user group management table and the content information in the information transmitting / receiving device from the user group manager terminal or the subgroup manager terminal. Further, the second transmission content identification information specified in detail and the access authority to the content information are received, and the received information is registered with the user group identification information, the subgroup identification information, and the user's registration information. User access right registration means for registering in the user management table in association with a combination with identification information;
An access request for access to content information registered by the user access right registration means, wherein the access request stores user identification information, identification information of an access destination information transmitting / receiving device, and second transmission content identification information. An access permission means for permitting access to content information corresponding to the second transmission content identification information stored in the access request based on the access request and the information stored in the user management table;
An access authority management device comprising: After receiving a subgroup registration request including identification information of the user group from the user group manager terminal, the identification information of the user group included in the subgroup registration request is generated by generating identification information of the subgroup. Subgroup generating means for associating the generated identification information of the subgroup with the user group management table in association with each other,
The access authority management device according to claim 3, further comprising: The second transmission content that specifies the identification information of the information transmitting / receiving device registered in the user group management table and the content information content in the information transmitting / receiving device from the user group manager terminal or the subgroup manager terminal A job registration means for receiving job authority information including identification information, access authority to the content information, and job job information that handles information corresponding to the content information, and registering the job authority information in the job management table. Prepared,
The user access right registration means accepts a combination of the job authority information and the user identification information, registers the job authority information in the user management table in association with the received user identification information,
The access permission unit is an access request to the content information registered by the job registration unit, and stores user identification information, identification information of an information transmission / reception device to be accessed, and second transmission content identification information The access request is received, and based on the information stored in the access request and the information stored in the user management table, the content information corresponding to the second transmission content identification information stored in the access request The access authority management device according to claim 3 or 4, wherein access is permitted. The user group access right first registration means includes:
In the user group management table, when the combination of the identification information of the user group and the identification information of the information transmitting / receiving device is already registered in association with each other, other information transmission / reception different from the information transmitting / receiving device in the combination The new combination of the process identification information and the user group identification information is received from the system administrator terminal and registered in the user group management table. The access authority management device described. Login request receiving means for receiving a login request including identification information of a user group or subgroup and identification information of an information transmitting / receiving device from the user terminal via a communication network;
Login completion information is transmitted to the user terminal, and login completion information is stored in the login completion information;
When the identification information of the information transmission / reception device included in the login request receives again a login request that becomes the identification information of another information transmission / reception device, the login completion information transmitted to the user terminal is received from the user terminal. Re-login necessity determination means for determining whether or not re-authentication is necessary by comparing with the stored login completion information,
The access permission means permits access to content information based on the access request and information stored in the user management table when re-authentication is not required. 6. The access authority management device according to 6. An access authority management method in an access authority management apparatus that manages access authority to each of a plurality of information transmitting / receiving apparatuses,
User group access right first registration means accepts a combination of user group identification information and identification information of an information transmitting / receiving device accessible by a user belonging to the user group from the system administrator terminal, and registers it in the user group management table And
The user group access right second registration means receives, from the information transmission / reception apparatus manager terminal, first transmission content identification information for specifying content information in the information transmission / reception apparatus and access authority to the content information. Information is registered in the user group management table in association with a combination of identification information of the registered user group and identification information of the information transmitting / receiving device,
User access right registration means, identification information of users belonging to the user group, identification information of information transmission / reception devices accessible by the user, first transmission content identification information for specifying content information in the information transmission / reception devices, Corresponding access authority to the content information and registering it in the user management table,
An access permission means accepts an access request storing the identification information of the user, the identification information of the information transmitting / receiving device, and the first transmission content identification information from a user terminal belonging to the user group, and based on the access request And referring to the user management table, based on the access request and the information stored in the user management table, access to the content information corresponding to the first transmission content identification information stored in the access request. An access right management method characterized by permitting. A program to be executed by a computer of an access authority management device that manages access authority to each of a plurality of information transmitting and receiving devices,
A user group access right first registration process for receiving a combination of identification information of a user group and identification information of an information transmitting / receiving device accessible by a user belonging to the user group from a system administrator terminal, and registering it in the user group management table; ,
From the information transmission / reception device manager terminal, the first transmission content identification information for specifying the content information in the information transmission / reception device and the access right to the content information are received, and the received information is the identification information of the registered user group And a user group access right second registration process for registering in the user group management table in association with a combination of information and identification information of the information transmitting / receiving device,
Identification information of users belonging to the user group, identification information of information transmission / reception devices accessible by the user, first transmission content identification information for specifying content information in the information transmission / reception devices, and access authority to the content information And a user access right registration process for registering them in the user management table in association with each other,
An access request storing the identification information of the user, the identification information of the information transmitting / receiving device, and the first transmission content identification information is received from a user terminal belonging to the user group, and the user management table based on the access request Access permission processing for permitting access to the content information corresponding to the first transmission content identification information stored in the access request based on the access request and the information stored in the user management table When,
A program that causes a computer to execute.

Images