JP2007249912A - Shared resource management system, shared resource management method, and computer program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To easily manage authority to use shared resources while maintaining firmness of security as much as possible. <P>SOLUTION: In this shared resource management system, an authority management server 1 for managing shared resources shared by a plurality of users is provided with a temporary authorization request receiving section 102 receiving a request to give authority to use the shared resources to a proxy user who temporarily uses the shared resources instead of the user who usually uses the shared resources, and a temporary authorization processing section 103 processing to store temporary use authority information DTC which is information showing that the proxy user is authorized only for a predetermined period, into a storage section 101 for authority information and the like, based on the request. The authority management server 1 is further provided with an authentication processing section 106 discriminating whether the proxy user should be authorized to use the shared resources based on the temporary use authority information DTC of the proxy user when there is a request to use the shared resources from the proxy user. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a system and method for managing resources shared by a plurality of users.

  In recent years, with the spread of networks, various resources have been shared (shared) by a plurality of users. For example, hardware resources such as printers or hard disks, software resources such as business applications or game software, and data resources such as data in files or databases are shared.

  Each user operates his or her personal computer and uses these resources via a communication line. However, if unlimited use of a shared resource (hereinafter referred to as “shared resource”) is allowed without limitation, the shared resource may be illegally used, which may cause a security problem. Or, shared resources may be used in an incorrect way, resulting in a system malfunction or data corruption.

  Therefore, methods such as those described in Patent Documents 1 and 2 have been proposed in order to be able to use shared resources safely. According to the method described in Patent Document 1, information of a terminal connected from a network relay device is transmitted to a network management apparatus, and the network management apparatus displays information indicating access permission / prohibition according to the information of the terminal. A reply is sent to the network relay device, and the port connecting the terminal to the network relay device is set to be usable / unusable based on the access permission / prohibition information. By such a method, the availability of the port of the network relay device is set according to the terminal information managed by the network management device, so that security is ensured without preventing the use of a legitimate terminal.

  According to the method described in Patent Document 2, if the MAC address acquired by the MAC address acquisition unit is registered in the address registration unit, an IP address providing unit that provides the PC with an IP address corresponding to the MAC address is provided. When a PC using an IP address other than the IP address provided by the IP address providing unit is detected, the connection of the PC to the LAN is cut off. By such a method, PCs that are not permitted to connect to the LAN can be excluded from the LAN.

As described above, the methods described in Patent Documents 1 and 2 are methods for performing restriction on a device basis, but there are also methods for performing restriction on a user basis. The most representative method is a method in which a user account is given to each user and whether or not the shared resource can be used is determined for each user account. Such a method is employed in various network OS (Operating System) such as UNIX (registered trademark), Microsoft Windows (registered trademark), and Apple MAC-OS.
JP 2002-141916 A JP 2005-101957 A

  By the way, if the security of the shared resource is to be managed firmly, the conditions such as a personal computer that can access the shared resource should be strictly limited. In addition, the use authority (access right) of the shared resource given to the user account should be kept to the minimum necessary.

  For example, the authority to use a shared resource should be given only to users who use it on a daily basis, and should not be given to users who rarely use it.

  However, doing so may be cumbersome for business purposes. This is because a user who does not use a shared resource on a daily basis or a user who has never used a shared resource may be asked to act on behalf of a task that requires the shared resource. In such a case, the administrator must perform an operation to temporarily give the authority to use the shared resource to the user acting on behalf of the business. Furthermore, when the work is over, the right to use must be revoked promptly to improve security.

  As described above, in the conventional method, the administrator is forced to perform troublesome work in order to improve security.

  In view of such problems, an object of the present invention is to make it possible to easily manage the authority to use shared resources while maintaining the robustness of security as much as possible.

  A shared resource management system according to the present invention is a shared resource management system that manages a shared resource that is a resource shared by a plurality of users, instead of a user who has the authority to use the shared resource. Based on the right grant request, a right temporary grant request accepting unit that accepts a right grant request that is a request that the right should be given to a surrogate user who is a user who wants to use the shared resource temporarily, Authorization processing means for performing processing for storing authorization information, which is information indicating that the authorization is given to the proxy user only for a predetermined period, in the storage means, and use that is a request to use the shared resource When the request is from the proxy user, the proxy user is notified based on the authorization information stored in the storage means. It determines whether may be used to co-resources for, and having a a use permission determination means.

  Preferably, the authority temporary grant request accepting unit accepts a request that the authority should be given only during a use permission period that is a period during which the shared resource may be used as the right grant request of the shared resource, The authority grant processing means stores, in the storage means, information indicating that the authority is given to the proxy user only during the use permission period as the authority grant information.

  Or, it has a device status information acquisition means for acquiring device status information indicating the status of the device from the device of the proxy user, the authority temporary grant request accepting means, together with the right grant request of the shared resource, A device condition that is a condition of a device that is allowed to access the shared resource is received, and the use permission / non-permission determining unit determines whether or not the proxy user may use the shared resource. The determination is made based on the device status information and the device condition of the proxy user acquired by the above.

  According to the present invention, it is possible to easily manage the use authority of the shared resource while maintaining the robustness of security as much as possible.

  1 is a diagram illustrating an example of the overall configuration of the resource sharing system RKS, FIG. 2 is a diagram illustrating an example of a hardware configuration of the authority management server 1, and FIG. 3 is an example of a functional configuration of the authority management server 1. FIG.

  As shown in FIG. 1, the resource sharing system RKS includes an authority management server 1, a business server 2, a general terminal device 3A, a specific area terminal device 3B, an external terminal device 3C, a printer 4, an entrance / exit management system 5, and The router 6 is configured.

  The authority management server 1, the business server 2, the general terminal device 3A, the specific area terminal device 3B, the printer 4, the entrance / exit management system 5, and the router 6 are installed in an organization such as a government office, a company, or a school. Used by users belonging to institutions. These are connected to each other via a communication line. Thereby, an intranet INW is formed. Hereinafter, a case where the intranet INW is constructed and used in the company X will be described as an example.

  One employee ID CR is distributed to each employee of company X. An IC tag storing the employee number of the employee is embedded in the employee ID CR. Furthermore, each employee is given one user account necessary for logging in to the intranet INW. In this embodiment, an employee number is used as the user account name (user ID).

  The business server 2 manages various applications and data used when employees of the company X conduct business. Some of these applications and data are shared resources shared by multiple employees. The shared resource may be generally called “shared resource” or “shared resource”. The business server 2 is installed in a management department that manages the in-house system of the company X.

  The printer 4 is a printing device such as a laser printer, an inkjet printer, or a multifunction device having a network function, and performs printing processing based on a print command from the general terminal device 3A, the specific area terminal device 3B, or the external terminal device 3C. I do. The printer 4 is also used by a plurality of employees. That is, it is one of the shared resources in the intranet INW.

  The general terminal device 3A, the specific area terminal device 3B, and the external terminal device 3C are all clients for using the shared resources in the intranet INW. That is, the employee can use the shared resources such as the shared application, data, and printer 4 described above by operating any one of these terminal devices. A personal computer or a workstation is used as the general terminal device 3A, the specific area terminal device 3B, and the external terminal device 3C. Hereinafter, these terminal devices may be collectively referred to as “terminal device 3”.

  A plurality of general terminal devices 3A are installed on a floor (that is, a general floor) in the building of the company X where any employee can enter and exit freely.

  A plurality of specific area terminal devices 3B are installed in a security room in the building of company X. The “security room” is a specific area in which employee entry / exit management is strictly performed, and is used for handling confidential information. Security rooms may only be allowed to enter certain employees.

  The general terminal device 3A and the specific area terminal device 3B are shared by a plurality of employees. That is, the general terminal device 3A and the specific area terminal device 3B are also shared resources. Also, applications (software) and data stored in the hard disk are shared resources.

  The external terminal device 3C is used outside the company X. The employee can use the shared resources in the intranet INW by connecting the external terminal device 3C to the intranet INW via the Internet or a public line, even from outside or at home.

  Thus, various shared resources exist in the intranet INW. As shown in FIG. 2, the authority management server 1 includes a CPU 10a, a RAM 10b, a ROM 10c, a hard disk 10d, a display 10e, a keyboard 10f, a communication interface 10g, and the like. ) Is managed centrally. It also manages employee user accounts. That is, the authority management server 1 corresponds to a domain controller if the network configuration of the resource sharing system RKS is a Windows domain.

  The hard disk 10d includes an authority information storage unit 101, a temporary authority grant request receiving unit 102, a temporary authority grant processing unit 103, an authentication request accepting unit 104, a terminal attribute information acquiring unit 105, and an authentication processing unit as illustrated in FIG. Programs and data for realizing functions such as 106 are installed. These programs and data are loaded into the RAM 10b as necessary, and the programs are executed by the CPU 10a.

  Returning to FIG. 1, the entrance / exit management system 5 includes an IC card reader 51, an entrance admission / rejection determination device 52, an automatic opening / closing gate 53, and the like, and performs management processing related to entrance / exit of a security room by an employee. The IC card reader 51 and the automatic opening / closing gate 53 are connected to a room entry permission / rejection determination device 52.

  The IC card reader 51 is an IC card reader for reading the employee number from the employee ID CR, and is installed at the entrance of the security room. The entry permission / rejection determination device 52 has an entry permission table and an entry / exit log file in which employee numbers of employees allowed to enter the security room are entered. Performs processing such as recording results. The automatic opening / closing gate 53 opens and closes the gate or door of the entrance / exit based on a command from the entry permission / denial determination device 52.

  When the employee enters the security room, the IC card reader 51 reads the employee number stored in his / her employee ID CR. Then, the IC card reader 51 transmits the read employee number to the entry permission / rejection determination device 52. When the transmitted employee number is described in the entry permission table, the entry permission / rejection determination device 52 permits the entry of the employee and instructs the automatic opening / closing gate 53 to open the gate. . Then, the gate of the automatic opening / closing gate 53 is opened, and the employee can enter the security room. On the other hand, if the transmitted employee number is not described in the entry permission table, the entry of the employee is refused. In this case, the employee is informed that he cannot enter the room by outputting an alarm sound. Furthermore, as a result of the determination as to whether to permit or reject the entry, the entry permission / rejection determination device 52 adds the employee number of the employee and the date and time of determination to the entry / exit log file as entry log information.

  Further, when the employee leaves the security room, the IC card reader 51 reads his / her employee number. Then, the IC card reader 51 transmits the read employee number to the entry permission / rejection determination device 52. The room admission / rejection determination device 52 gives an instruction to the automatic opening / closing gate 53 to open the gate, and additionally writes the employee number, the date and time of leaving the room, etc., as the room leaving log information.

  4 shows an example of the user account table TLA, FIG. 5 shows an example of the shared resource authority table TLB, FIG. 6 shows an example of the temporary authority table TLC, and FIG. 7 shows an example of the temporary authority setting screen HG1. FIG.

  Next, processing contents of each unit of the authority management server 1 shown in FIG. 3 will be described in detail. The authority information storage unit 101 includes a user account table TLA, a shared resource authority table TLB, and a temporary authority table TLC. Information on employee user accounts and information on use authority of shared resources in the intranet INW. Remember and manage.

  As shown in FIG. 4, employee information DTA for each employee is stored in the user account table TLA. The employee information DTA includes information related to the user account of the employee, work attributes, and settings of the terminal device 3 related to the employee information DTA.

  In the employee information DTA, “employee number” is an employee number used as the user account name of the user account of the employee. “Name” is the name of the employee. The “password” is a keyword that is input when logging into the intranet INW, and is known only to the employee himself / herself.

  “Affiliation department name” and “Title name” are respectively the name of the department to which the employee belongs and the title given to the employee.

  “MAC address” and “IP address” are a MAC address and an IP address assigned to the terminal device 3 that the employee uses on a daily basis, respectively. The “serial number” is a manufacturing number assigned to the terminal device 3 by the manufacturer of the terminal device 3. “E-mail address” is an e-mail address used by the employee for his / her duties.

  The employee information DTA is operated by a person who operates and manages the resource sharing system RKS (hereinafter referred to as “administrator”) or an employee having a predetermined position, and operates the general terminal device 3A or the specific area terminal device 3B. As a result, the contents are set and stored in the user account table TLA.

  The shared resource authority table TLB stores usage authority information DTB for each shared resource in the intranet INW, as shown in FIG. The usage authority information DTB includes information on the fixed usage authority of the shared resource related to the usage authority information DTB.

  In the usage authority information DTB, the “resource code” is identification information for identifying the shared resource from other shared resources. “Existence location” indicates the name of the device where the shared resource exists or the path in the device. It may be indicated by a network path corresponding to a so-called Windows network such as “¥¥ Device1 ¥ common ¥ editor.exe”, or may be indicated by a URL (Uniform Resource Locator). The “resource name” is the name of the shared resource, and is used to make it easy for the user (employee) to know what the shared resource is.

  “Available employee” is an employee number of an employee who can use the shared resource. That is, it indicates the employee number of the employee who is given the authority to use the shared resource. In principle, only employees with the employee number shown here can use the shared resource. In addition, by specifying the department name or job title for the available employees, the authority to use the shared resources for multiple employees who belong to a specific department or multiple employees who have a specific job title at once. Can give.

The “use terminal condition” is a condition required for the terminal device 3 that uses the shared resource. In the present embodiment, it is assumed that the following conditions (condition 1) to (condition 4) can be requested.
(Condition 1) Computer virus protection software is functioning effectively.
(Condition 2) The personal firewall is functioning effectively.
(Condition 3) The USB function is not provided or stopped. In other words, USB cannot be used.
(Condition 4) A removable disk drive (for example, a floppy disk drive or an MO disk drive) capable of writing data is not provided or is not functioning. In other words, data cannot be written to the removable disk.

  Only one of these conditions can be requested, or a plurality of conditions can be requested. If you do not have the necessary conditions, you do not need to request. It is assumed that condition identification codes “C001” to “C004” are assigned to (condition 1) to (condition 4), respectively.

  The usage authority information DTB is set and stored in the shared resource authority table TLB when an administrator or an employee having a predetermined position operates the general terminal device 3A or the specific area terminal device 3B.

  In the temporary authority table TLC, as shown in FIG. 6, temporary use authority information DTC regarding the use authority of the shared resource temporarily (temporarily) given to the employee is stored.

  By the way, an employee who conducts business using a certain shared resource often has other employees act on his / her behalf. However, as described above, in principle, the shared resource can be used only by employees indicated in the usage authority information DTB of the shared resource. Therefore, the other employee who has received the request may not be able to perform the business unless he / she is authorized to use the shared resource. Therefore, by setting the temporary use authority information DTC, it is possible to temporarily give the use authority to employees who do not have the use authority on a daily basis.

  The temporary use authority information DTC is set as follows and registered in the temporary authority table TLC by the authority temporary grant request receiving unit 102 and the authority temporary grant processing unit 103 in FIG.

  An administrator or an employee having a predetermined title temporarily uses the authority by operating the general terminal device 3A or the specific area terminal device 3B as in the case of setting the employee information DTA or the usage authority information DTB. Specify the shared resource to give

  Specifically, for example, when an administrator receives a request to temporarily give use authority to an employee who does not have use authority for a certain shared resource, he / she inputs a predetermined command to the general terminal device 3A. Then, a temporary authority setting screen HG1 as shown in FIG. 7 is displayed on the display of the general terminal device 3A.

  Here, the administrator enters the resource code of the shared resource and the employee number of the employee who temporarily gives the authority to use the shared resource in the text boxes TX11 and TX12, respectively. When the shared resource is uniquely determined only by the location, the network path or URL may be input instead of the resource code. Alternatively, it may be possible to input one that is easy for the administrator to input.

  In the text box TX13, the validity period of the usage authority temporarily given is entered. For example, if you are asked to perform work during tomorrow's working hours, enter "9:00 am to 5:00 pm" accordingly. If you have a task that can be performed in 30 minutes, enter "30 minutes from the start of use".

  Furthermore, by operating the check boxes CB11 to CB14, a condition required for the terminal device 3 that uses the shared resource is selected. Specifically, since the check boxes CB11 to CB14 correspond to (Condition 1) to (Condition 4) described above, the administrator clicks the check box corresponding to the necessary condition. select. Only one condition can be selected, or a plurality of conditions can be selected. If there are no conditions, do not select anything.

  Then, the administrator inputs necessary items in the text boxes TX11 to TX13 and selects necessary conditions in the check boxes CB11 to CB14, and then presses an OK button BN11. Then, the general terminal device 3A sends the authority temporary grant request information DTY indicating the input contents, the condition identification code of the selected condition, and a request for setting temporary use authority to the authority management server. 1 to send.

  The authority temporary grant request receiving unit 102 of the authority management server 1 receives the authority temporary grant request information DTY and gives a command to the temporary authority grant processing unit 103 to set the temporary use authority information DTC.

  The temporary authority grant processing unit 103 generates a new record in the temporary authority table TLC, and stores the authority code request information DTY in each of the resource code, temporary authority acquirer, validity period, and used terminal conditions fields of the record. Stores the indicated resource code, employee number, validity period, and condition identification code. Further, the date and time when the record is generated is stored in the set date and time field. The record obtained in this way becomes temporary use authority information DTC. As can be seen from the above description, the temporary use authority information DTC indicates to whom the use authority of which shared resource is granted for which period.

  8 and 9 are flowcharts illustrating an example of the flow of access right authentication processing. The authentication request reception unit 104, the terminal attribute information acquisition unit 105, and the authentication processing unit 106 in FIG. 3 determine whether or not the employee can use the shared resource that the employee is about to use. For this purpose, that is, the process for access right authentication, is executed according to the procedure shown in the flowcharts of FIGS. 8 and 9, for example.

  The employee operates the terminal device 3 to log in to the intranet INW and designates a shared resource that the employee wants to use. When the terminal device 3 accepts the designation (# 731 in FIG. 8), the usage request information DTS indicating the resource code of the shared resource, the employee number of the employee, the IP address of the terminal device 3 itself, etc. , To the device having the shared resource (# 732). Thereby, the use of the shared resource is requested.

  When the device having the shared resource (for example, the business server 2) receives the use request information DTS from the terminal device 3 (# 721), the resource code of the shared resource indicated therein, the employee number of the employee, Access right authentication request information DTN indicating the IP address of the device itself and the IP address of the terminal device 3 is transmitted to the authority management server 1 (# 722). Thereby, a request for access right authentication is made.

  In the authority management server 1, the authentication request reception unit 104 receives access right authentication request information DTN from a device having a shared resource (# 701). Then, the terminal attribute information acquisition unit 105 accesses the terminal device 3 of the employee who desires to use the shared resource based on the IP address indicated in the access right authentication request information DTN, and Information on the current state is requested (# 702).

  When receiving the request from the authority management server 1 (# 733), the terminal device 3 checks the current status of its hardware and software (# 734). In the present embodiment, it is checked whether or not each of the above (condition 1) to (condition 4) is met. Then, the terminal status information DTT indicating the condition identification code of the matching condition is returned (notified) to the authority management server 1 (# 735). In this way, the terminal attribute information acquisition unit 105 acquires information related to the current state of the terminal device 3 (# 704).

  The authentication processing unit 106 of the authority management server 1 calls the use authority information DTB and temporary use authority information DTC of the shared resource from the shared resource authority table TLB (see FIG. 5) and the user account table TLA (see FIG. 6), respectively. (# 703) Based on this information and the terminal state information DTT acquired by the terminal attribute information acquisition unit 105, the validity of having the employee use the shared resource is determined as follows.

  It is checked whether or not the called use authority information DTB indicates the employee number of the employee (the employee number indicated in the access right authentication request information DTN received in step # 701) (# 705 in FIG. 9). ). If the employee number is indicated, it is understood that the use right (access right) of the shared resource is given to the employee.

  If it is determined that the right to use is given (Yes in # 706), check whether the terminal device 3 used by the employee satisfies the conditions necessary for using the shared resource. (# 707). That is, it is checked whether or not all the condition identification codes of the use terminal conditions indicated in the use authority information DTB called in step # 703 are indicated in the terminal state information DTT acquired in step # 704. If all are shown, it can be determined that the conditions necessary to use the shared resource are satisfied.

  As a result of the check in Steps # 705 and # 707, the employee is authorized to use the shared resource, and the terminal device 3 used by the employee satisfies the necessary conditions. If it is found (Yes in # 706 and Yes in # 708), it is determined that it is valid for the employee to use the shared resource (# 713). That is, access right authentication is given.

  On the other hand, when it is determined that the use authority is not given (No in # 706), the same check as in steps # 705 and # 707 is performed based on the temporary use authority information DTC extracted in step # 703.

  That is, by checking whether the employee number of the employee is indicated in the temporary use authority information DTC, it is checked whether the employee is authorized to use the shared resource. (# 709). However, if the current date does not correspond to the valid period indicated in the temporary use authority information DTC, it is determined that the use authority is not given regardless of the presence or absence of the employee number.

  If it is determined that the right to use has been granted (Yes in # 710), check whether the terminal device 3 used by the employee satisfies the conditions necessary for using the shared resource. (# 711). That is, it is checked whether or not all the condition identification codes of the use terminal conditions indicated in the temporary use authority information DTC are indicated in the terminal state information DTT acquired in step # 704. If all are shown, it can be determined that the necessary conditions are met.

  As a result of the check in steps # 709 and # 711, the employee is authorized to use the shared resource, and the terminal device 3 used by the employee satisfies the necessary conditions. If it is found (Yes in # 710 and Yes in # 712), it is determined that the employee is authorized to use the shared resource, and access right authentication is given (# 713).

  Upon receiving the access right authentication for the employee, the device having the shared resource permits the employee to use the shared resource (# 723), and starts providing the resource (# 724).

  If neither the use authority information DTB nor the temporary use authority information DTC indicates that the employee is authorized to use the shared resource (No in # 706 and No in # 710) ) Refuse to let the employee use the shared resource. Then, this is notified to the requesting terminal device 3 via the device having the shared resource. The same applies when the terminal device 3 does not satisfy the necessary conditions (No in # 708 or No in # 712).

  By the way, as described above, the use authority given to the employee by the temporary use authority information DTC is temporary. Therefore, the temporary use authority information DTC becomes unnecessary after the end indicated in the valid period field has passed. Therefore, the authority information storage unit 101 periodically checks each temporary use authority information DTC stored in the temporary authority table TLC, and deletes the temporary use authority information DTC that has expired. To do.

  FIG. 10 is a flowchart showing an example of the overall processing flow of the authority management server 1. Next, the processing flow of the authority management server 1 when responding to a request from another device will be described with reference to the flowchart of FIG.

  In FIG. 10, the authority management server 1 waits for a request from another device (# 12) while providing a management service such as a use authority (No in # 11). When the request is received (Yes in # 14), the following processing is performed according to the type of the request.

  When the authority management server 1 receives the authority temporary grant request information DTY (Yes in # 15), the authority management server 1 generates temporary use authority information DTC based on the authority temporary grant request information DTY, and stores it in the temporary authority table TLC (FIG. 6) (# 16). In other words, a process of granting temporary use authority of the shared resource to an employee who needs to use the shared resource temporarily is performed.

  When the use request information DTS is received (Yes in # 17), a process is performed to determine whether or not the employee who is going to use the shared resource from now can accept it (# 18). That is, access right authentication processing is performed. The procedure of such processing is as described above with reference to FIGS.

  When other requests are received (No in # 17), processing according to the request is performed as usual (# 19). For example, when a login authentication is requested for an employee who is logging in to the intranet INW, the employee is selected based on the employee information DTA stored in the user account table TLA (see FIG. 4). Determine whether you can log in.

  Further, the authority management server 1 performs the temporary use authority information DTC accumulated in the temporary authority table TLC every time a predetermined time elapses (Yes in # 13) in parallel with the processing for the request from another device. Is checked and unnecessary items are deleted after the end of the effective period (# 20).

  According to the present embodiment, when it becomes necessary to temporarily use a shared resource for a user who does not have the authority to use a certain shared resource, only the temporary use authority information DTC is generated, and the usage authority is limited for a period of time. Can be granted. In other words, it is possible to easily manage the usage rights of shared resources while maintaining the robustness of security, eliminating the need to temporarily grant usage rights and canceling them when they are no longer needed. .

  In this embodiment, the authority management server 1 centrally manages the shared resources. However, when the network configuration of the resource sharing system RKS is P2P (Peer to Peer), the device having the shared resources is unique. You may make it manage. In this case, the function of the authority management server 1 may be configured in each device.

  It is also possible to provide a type of use authority (access right) for the shared resource so that the type of use authority to be given can be changed for each user. For example, if the shared resource is a file, the usage rights that are only allowed to read the contents of the file, the usage rights that are only allowed to read and change the contents of the file, and all of the files An access right or the like that allows the work may be provided, and a type of use right according to the user attribute (for example, job title, department, or technical level) may be granted.

  In this embodiment, in order to authenticate the security room occupant, an IC tag storing an employee number is provided on the employee ID CR, and the employee number is read from the employee ID CR using an IC card reader. However, a magnetic stripe storing the employee number may be provided on the employee ID CR, and the employee number may be read from the employee ID CR using a magnetic card reader. Alternatively, the occupant may be authenticated by performing biometric authentication using a fingerprint authentication device or a vein authentication device.

  In this embodiment, the case where conditions such as (condition 1) to (condition 4) can be imposed on the terminal device 3 has been described as an example. However, other conditions can be imposed. For example, it may be imposed on the condition that the IP address of the terminal device 3 is a private address. Or you may impose the conditions regarding specifications, such as the calculation speed of CPU of the terminal device 3, the capacity | capacitance of RAM, or a communication speed.

  When an employee who has been granted temporary use authority information DTC ends the use of the shared resource or logs out of the intranet INW, the temporary use authority information DTC is immediately deleted regardless of whether or not the validity period remains. You may make it do. Alternatively, the valid period field of the temporary use authority information DTC may be set as “from ** year ** month ** day ** to the end of use of the shared resource".

  In addition, the configuration of the whole or each part of the resource sharing system RKS, the intranet INW, the authority management server 1, the processing content, the processing order, the configuration of the database, and the like can be appropriately changed in accordance with the spirit of the present invention.

It is a figure which shows the example of the whole structure of a resource sharing system. It is a figure which shows the example of the hardware constitutions of the server for authority management. It is a figure which shows the example of a functional structure of the server for authority management. It is a figure which shows the example of a user account table. It is a figure which shows the example of a shared resource authority table. It is a figure which shows the example of a temporary authority table. It is a figure which shows the example of a temporary authority setting screen. It is a flowchart explaining the example of the flow of an access right authentication process. It is a flowchart explaining the example of the flow of an access right authentication process. It is a flowchart which shows the example of the flow of the whole process of the authority management server.

Explanation of symbols

1 Authority management server (shared resource management system)
101 Authority information storage unit (storage means)
102 Authority temporary grant request receiving unit (temporary authority grant request receiving means)
103 Authority temporary grant processing part (authorization grant processing means)
105 Terminal attribute information acquisition unit (device state information acquisition means)
106 Authentication processing unit (use permission determination means)
DTC temporary use authority information (authorization information)
DTT terminal status information DTY authority temporary grant request information

Claims (5)

A shared resource management system that manages shared resources, which are resources shared by multiple users,
Authority to accept a right grant request, which is a request that the authority should be given to an alternate user who wants to temporarily use the shared resource instead of the user having the authority to use the shared resource A temporary grant request receiving means;
Authorization processing means for performing processing for storing authorization information, which is information indicating that the authorization is given to the proxy user for a predetermined period, in a storage means based on the authorization request;
When the use request, which is a request to use the shared resource, is received from the proxy user, the shared user is allowed to share the shared resource based on the authorization information stored in the storage means. Use permission determining means for determining whether or not the resource may be used;
A shared resource management system characterized by comprising: The authority temporary grant request accepting unit accepts a request that the authority should be given only during a use permission period that is a period during which the shared resource may be used as the right grant request of the shared resource,
The authorization processing means stores information indicating that the authorization is given to the proxy user only during the use permission period as the authorization information in the storage means.
The shared resource management system according to claim 1. Device status information acquisition means for acquiring device status information indicating the status of the device from the device of the surrogate user;
The authority temporary grant request accepting unit accepts a device condition that is a condition of a device that may be allowed to access the shared resource together with the right grant request of the shared resource,
The use permission / non-permission determining unit determines whether or not the proxy user may use the shared resource based on the device status information and the device condition of the proxy user acquired by the device status information acquiring unit. To determine,
The shared resource management system according to claim 1 or 2. A shared resource management method for managing a shared resource that is a resource shared by a plurality of users,
Accepting a right granting request that is a request that the authority should be given to an alternate user who is a user who wants to temporarily use the shared resource instead of the user having the authority to use the shared resource;
Based on the right granting request, the right granting information, which is information indicating that the right is given to the proxy user only for a predetermined period, is stored in a storage unit;
When the use request, which is a request to use the shared resource, is received from the proxy user, the shared user is allowed to share the shared resource based on the authorization information stored in the storage means. Determine whether the resource can be used,
A shared resource management method characterized by the above. A computer program used for a computer that manages shared resources, which are resources shared by a plurality of users,
Processing for accepting a right granting request that is a request to give the authority to an alternate user who wants to temporarily use the shared resource instead of a user having the authority to use the shared resource When,
Based on the right grant request, a process for storing in a storage means authorization information that is information indicating that the authority is given to the proxy user for a predetermined period;
When the use request, which is a request to use the shared resource, is received from the proxy user, the shared user is allowed to share the shared resource based on the authorization information stored in the storage means. A process for determining whether or not the resource may be used;
A computer program for causing a computer to execute.