JP2007299053A - Access control method and access control program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an access control method and an access control program that can prevent unauthorized users' unauthorized access to resources. <P>SOLUTION: The access control method has the steps of identifying a user whose terminal is networked, identifying a networked resource, identifying one or more approvers authorized to approve the user's access to the resource and the number of approvers required to approve the access, detecting the connection status of networked terminals to recognize approvers whose terminal is networked and the number of approvers whose terminal is connected, and approving the user's access to the resource if the number of approvers whose terminal is networked is not smaller than the number of approvers required to approve the access. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to an access control method and an access control program, and in particular, an access control method capable of dynamically changing permission of access to a user's resource according to a connection status of a licensor's use terminal to a network, and It relates to an access control program.

  Here, the resource is given as a generic term for hardware, software, data, and the like that can be used in a network system by a terminal connected to the computer network system. Examples of hardware include various peripheral devices (devices) such as a printer and a scanner that can be accessed via a network. Software programs and data such as application programs, plug-in software, and device drivers are handled as resources in units of files or file groups. Files are classified according to storage locations indicated by directories, that is, folders. Here, a folder representing a file group is also included in the resource category. In addition, when the user or the licensee's terminal is connected to the network, the user or the licensee is appropriately expressed as being on the network. When newly connected, it is expressed as appearing on the network as appropriate. Furthermore, a server, a terminal, a peripheral device, etc. connected to the network are appropriately expressed as nodes.

  In recent years, in computer network systems introduced by companies, it has become common to share resources such as hardware, software, data, etc. in network systems among multiple users for effective use of resources. ing. On the other hand, in order to protect resources accessed by a plurality of users, access rights to the users' resources are set to limit the range in which the users can operate on the resources. The access right is set for each resource or for each user, for example, and the access is disabled when the user tries to execute an operation in a range or mode exceeding the access right given to the user.

  Various methods for setting access rights have been proposed. For example, in the invention described in Japanese Patent Laid-Open No. 2003-60667, an access control server that controls access to resources of each terminal connected to the network is arranged in the network. The access control server stores the accumulated access time for each terminal. When the accumulated access time exceeds a predetermined maximum access time, the accessing terminal is notified and the access is disabled. The access control server also monitors the access date and time for each terminal. When the accessing date and time are out of the predetermined accessible period, the accessing terminal is notified to disable the access.

JP 2003-60667 A

  In the conventional access control method, one administrator sets the access right for the user's resources. In such a case, an administrator can perform unauthorized actions to tamper with information related to access rights, etc., and unauthorized users can gain unauthorized access to resources, possibly resulting in the risk of information leakage. There was a problem that there was. Also, even if the administrator does not cheat, while the administrator is not monitoring the access status on the network, unauthorized users gain access to the resource illegally, for example, by impersonating a third party. Thus, there is a problem that there is a risk of information leakage. When the administrator does not exist on the network, it is preferable to disable access to the user's resources, but this impairs the flexibility and convenience of the system.

  The present invention has been made to solve the above-described problems, and an object thereof is to provide an access control method and an access control program capable of preventing unauthorized access to an unauthorized user's resources.

  In order to solve the above technical problem, an access control method and an access control program according to the present invention include a step (step) in which a user terminal is connected to a network, and a connection to the network. Alternatively, a step (step) of identifying a resource stored in a device connected to the network, one or a plurality of licensors who have the authority to permit the user to access the resource, and permission to access A step (step) of identifying the number of required licensees, one or a plurality of the licensees in which a terminal to be used is connected to the network by detecting a connection state of the terminals connected to the network, and the network A step (step) of identifying the number of licensors to which the terminal used is connected, and Granting the user access to the resource when the number of licensees connected to the terminal for use is greater than or equal to the number of licensees required to grant access; It is made to have. As a result, access is permitted only when the number of licensors on the network is greater than the number of licensors that are required to permit access among the licensors that permit access to the user's resources. Therefore, the licensor can constantly monitor the access to the user's resource on the network, and the access to the resource having a highly confidential content can be monitored by a plurality of licensors. It is possible to improve the security of the system by preventing unauthorized access to.

  The access control method according to the present invention includes a step of transmitting information related to the resource to the user on condition that access to the resource of the user is permitted. As a result, at least resources such as folders and files stored in devices connected to the network cannot be confirmed unless access to those resources is permitted, further preventing unauthorized access by users. Thus, the safety of the system can be further improved.

  Further, the access control method according to the present invention encrypts information related to a resource by using a public key or a secret key corresponding to the secret key or public key of the user, and uses the encrypted resource related information to the user. Is to be sent to. As a result, the resource-related information can be read only by the terminal that stores the secret key or public key that can decrypt the encrypted resource-related information. Even if the related information is acquired, it is not possible to check the resource for which access is permitted, so that unauthorized access by a third party can be prevented and the system safety can be further improved.

  Further, the access control method according to the present invention includes a step of detecting a request to leave the network by one of the licensors who has the authority to grant access to the user's resources, and a licensor having a use terminal connected to the network. If the number obtained by subtracting 1 from the number of people is less than the number of licensors required to grant access, the user is forced to disable access to the resource after a predetermined grace period. And a step of notifying that. As a result, a time during which the user can execute an appropriate process on the resource that cannot be accessed is secured, and the user can be prevented from suffering an unexpected disadvantage.

  Further, the access control method according to the present invention includes a step of detecting a request to leave the network by one of the licensors authorized to grant access to the user's resources, and an access log for the user's resources from the network. And a step of notifying the licensee requesting withdrawal. As a result, the licensee can browse the progress of access to resources having management obligations and check the presence or absence of unauthorized access, thereby further improving the security of the system.

  The access control method and the access control program according to the present invention include a step (step) in which a user terminal is connected to a network and a device connected to the network or connected to the network. A step (step) of identifying a resource to be stored, one or a plurality of licensors who have the authority to grant the user access to the resource, and the number of licensors required to grant the access. A step (step) of identifying, a connection state of a terminal connected to the network, and one or a plurality of the licensors whose terminal is connected to the network, and the terminal where the terminal is connected to the network The process of identifying the number of licensors (steps) and 1 Inquires a plurality of the licensors whether or not to approve the user's access to the resource, and the number of the licensors who approve the user's access to the resource, A step of granting access to the resource of the user when the number is greater than the number of licensees required for granting access. As a result, among the licensors who grant access to the user's resources, the number of licensors that exist on the network and have approved the access is greater than or equal to the number required to permit access Access is permitted only to the user, so that the licensor who is aware of the user's access to the resource (multiple licensors for access to resources with highly confidential content) constantly monitors the access on the network. As a result, monitoring of unauthorized access to the user's resources is strengthened, and the safety of the system can be further improved.

  Further, the access control method according to the present invention includes a step of transmitting environment information for using the resource to the user after permitting the user to access the resource. As a result, since the user cannot use the resource unless access to the resource is permitted, unauthorized access by the user can be further prevented and the security of the system can be further improved.

  Further, the access control method according to the present invention encrypts environment information using a public key or a secret key corresponding to a user's secret key or public key, and transmits the encrypted environment information to the user. It is a thing. As a result, the environment information can be read only by a terminal in which the private key or public key that can decrypt the encrypted environment information is stored. It is possible to prevent and improve the safety of the system.

  According to the present invention, access to a user's resource is made only when the number of licensors existing on the network is greater than or equal to a predetermined number among licensors who are authorized to grant access to the user's resources. The licensor can constantly monitor access to the user's resources on the network, and access to resources with highly confidential content can be monitored by multiple licensors. Thus, the system can be improved by preventing unauthorized access to the user's resources.

Embodiment 1 FIG.
FIG. 1 is a diagram showing an example of the configuration of a computer network system to which an access control method according to the present invention is applied. In FIG. 1, 1 is a network realized as a LAN, for example, 2 is a server connected to the network 1, 3 is a terminal connected to the network 1, and 4 is a peripheral device such as a printer or scanner connected to the network 1. It is. In this computer network system, the terminal 3 and the peripheral device 4 can be arbitrarily connected to or disconnected from the network 1.

  FIG. 2 is a diagram showing an example of the configuration of a server that implements the access control method according to the present invention. In FIG. 2, 11 is a network interface unit that controls communication with the network 1, 12 is a keyboard connected to the server 2, an input unit such as a mouse and a display unit such as a display. , An input / output interface unit 13 that controls the components in the server 2 provided as a CPU and the like, and a storage unit 14 provided as an HDD (hard disk drive), ROM, RAM, and the like.

  15 is an access monitoring unit that monitors the connection status of the node to the network 1 and the access status to the resource of the terminal 3, and 16 is based on the access right setting information indicating the content of the access right to the user's resource and the connection status of the node. An access determination unit that determines whether or not access to the user's resource is possible, 17 is a message processing unit that executes generation of information related to access to the user's resource and transmission / reception of the related information to / from the terminal 3; Reference numeral 18 denotes an encryption / decryption unit that performs encryption of a message transmitted from the message processing unit 17 and decryption of a message received by the message processing unit 17. Reference numeral 19 denotes information input by an administrator via an input unit. An access information registration unit for registering access right setting information based on the user resource 20 It is a file management unit access executes output control of the file based on the access permission information indicating that it is licensed for. In this embodiment, it is assumed that only the administrator of the server 2 can perform operations such as registration, update, and deletion of access right setting information. That is, the user's terminal cannot change the access control environment on the network. The access monitoring unit 15, the access determination unit 16, the message processing unit 17, the encryption / decryption unit 18, the access information registration unit 19, and the file management unit 20 are loaded into, for example, a program stored in a ROM or a RAM. It can be realized by executing the program by the CPU.

  21 is an access state storage unit that stores information relating to the connection state of the node to the network 1 and the access state to the resource of the node, and 22 is an access information storage unit that stores access right setting information and access permission information for each resource. 23 is a key information storage unit for storing information related to public / private keys for executing encryption / decryption, and 24 is a file for storing various files such as data, application programs, plug-in software, metadata, and device drivers. A file storage unit for storing. The access state storage unit 21 is configured to be able to store at least information related to the access status for a predetermined period so that an access log for the user's resource can be generated.

  The access monitoring unit 15 detects the connection state (connected or disconnected) of the node to the network 1 using a predetermined discovery protocol. The discovery protocol is an active method, a passive method, or a combination of these. An active discovery protocol, for example, broadcasts a signal over the network 1 and requests a response from the node. Also, the passive discovery protocol simply listens to the network 1 and waits until it receives a notification from the node. For example, a discovery protocol such as SSDP (Simple Service Discovery Protocol) or WS-Discovery (Web Service Discovery) is used to detect the connection status of the peripheral device 4. Information indicating the connection state of the node to the network 1 detected by the access monitoring unit 15 is registered in the access state storage unit 21. When the access monitoring unit 15 detects the connection of a new terminal to the network 1, the message processing unit 17 extracts access right setting information related to the terminal, and access management information indicating the access range and access conditions for the terminal Is generated. This access management information will be described later.

  The access determination unit 16 accesses the user's resource based on the information indicating the connection state of the node to the network 1 stored in the access state storage unit 21 and the access right setting information stored in the access information storage unit 22. Determine whether or not. When access is permitted, access permission information indicating that the user is permitted to access the resource is generated and registered in the access information storage unit 22.

  The file storage unit 24 stores environment information such as metadata and device drivers required when the terminal 3 uses the peripheral device 4 connected to the network 1. The metadata is composed of information such as hardware ID, compatibility ID, instance ID, transport address, authentication parameter, and the like. The device driver functions as a translator that associates (maps) the command of the application program in the terminal 3 with a specific device command that can be read by the peripheral device 4. As will be described later, these pieces of environment information are transmitted to the terminal 3 by the message processing unit 17 when access to the peripheral device 4 of the terminal 3 is permitted.

  FIG. 3 is a diagram illustrating an example of a data structure of the access right setting information. As shown in FIG. 3, access right setting information is registered for each resource. One resource may have one or more access right setting information. The access right setting information includes 1a) user, 2a) licensor, 3a) number of required licensors, 4a) presence / absence of inquiry to licensor, 5a) accessible period, 6a) accessible mode, and 7a) user. Notification information 8a) It is composed of information related to the forced termination postponement time.

  In the area related to the user (1a), one or a plurality of users who can acquire the access right to the resource are registered. In the area related to the licensor (2a), one or a plurality of licensors who can permit access to the registered user's resources are registered. In the area related to the number of required licensees (3a), the number of licensees required to grant the user access to the resources is registered. Information indicating whether or not it is necessary to inquire the licenser via the network as to whether or not to approve access to the user's resource is registered in the area related to the presence or absence (4a) of inquiry to the licensee.

  When “No” (no need for inquiry) is registered as the presence / absence of inquiry to the licensee (4a), the number of required licensees (3a) among the licensees registered as the licensee (2a) If the terminals used by the number of licensors registered as) are connected to the network, access to the resources of the user registered as the user (1a) is permitted. In other words, access is granted on condition that a predetermined number of licensees are in a state in which access to user resources on the network can be monitored. Further, when “Yes” (necessary for inquiry) is registered as the presence / absence of inquiry (4a) to the licensor, the number of necessary licensors among the licensors registered as the licensor (2a). If the number of licensors registered as (3a) exists on the network 1 and approves access to the user's resources in response to an inquiry from the server 2, the user registered as user (1a) Access to other resources will be granted. That is, access is granted on condition that a predetermined number of licensees are in a state where access can be monitored and the access is approved.

  In the area related to the accessible period (5a), a period during which the resource can be accessed is registered. In the area related to the accessible mode (6a), the mode of operations that can be executed on the resource is registered. Information indicating whether or not access permission information needs to be transmitted to a user who is permitted to access a resource is registered in the area related to the presence / absence of notification to the user (7a). In the area related to the forced termination grace time (8a), a grace time that is given to the user until the access becomes impossible when the permission of access to the resource is canceled is registered.

  FIG. 3 shows an example of access right setting information registered for the resource R1. In Example 1, the user (1a) is “A, B, C, D, E”, the licensee (2a) is “D, E, X, Y, Z”, and the number of required licensees (3a ) Is “2”, and the presence / absence of inquiry to the licensee (4a) is “Yes”. Under such setting conditions, when any one of the user A, the user B, the user C, the user D, and the user E requests access to the resource R1, the licensee If any one of D, Licensee E, Licenser X, Licenser Y, and Licenser Z exists on the network 1 and approves the inquiry related to the license from the server 2, the user Access to the resource R1 is granted. Note that the user whose terminal is connected to the network 1 may be recognized as only one of the user and the licensee, or may be recognized as both the user and the licensee. is there.

  The information related to the accessible period (5a) indicates that the user can be granted access to the resource R1 in the period from January 2006 to June 2006. The information according to the accessible mode (6a) indicates that the operations that can be executed on the resource R1 are Read and Write. Since the presence / absence of notification to the user (7a) is “present”, if access to the resource R1 of the user is permitted, the server 2 transmits access permission information to the user. Since the forced termination grace time (8a) is “1 minute”, for example, when one of the licensors requests to leave the network and the access permission for the resource R1 is revoked, the access is actually inaccessible. By this time, the user can operate the resource R1 for 1 minute.

  In Example 2, the user (1a) is “GA” (group A), the licensee (2a) is “GX” (group X), and the required licensee number (3a) is “1”. The presence / absence of inquiry to the licensee (4a) is “none”. Under such setting conditions, when any one user belonging to the user group (user class) A requests access to the resource 1, it belongs to the licensor group (licensor class) X. If any one licensee exists on the network, the user's access to the resource R1 is licensed. The information relating to the accessible period (5a) indicates that there is no restriction, that is, access can be granted at all times. The information according to the accessible mode (6a) indicates that the only operation that can be performed on the resource R1 is Read. Since the presence / absence of notification to the user (7a) is "None", the server 2 does not need to transmit access permission information to the user even if the user's access to the resource R1 is permitted. Since the forced termination grace time (8a) is “5 minutes”, the user can operate the resource R1 for 5 minutes even if the permission is canceled. If the access permission information is not transmitted to the user, the access management information needs to be transmitted to the user in advance so that the user can confirm the existence of a resource that can be permitted.

  FIG. 4 is a diagram illustrating an example of the data structure of the access permission information. As shown in FIG. 4, access permission information is registered for each resource. For one resource, access permission information is registered for each user who is permitted to access the resource. The access permission information includes information relating to 1b) a user, 2b) a licensee, and 3b) an accessible mode. Since the contents of the information registered in each area are the same as the contents of the corresponding information in the access right setting information, the description thereof is omitted.

  In Example 1, the user (1b) is “A”, the licensee (2b) is “X, Y”, and the accessible mode (3b) is “R, W”. This means that the access to the resource R1 of the user A is permitted by the licensee X and the licensee Y. User A can execute Read and Write operations on the resource R1. In Example 2, the user (1b) is “B”, the licensor (2b) is “Z”, and the accessible mode (3b) is “R”. This means that the licensee Z permits the user B to access the resource R1. User B can execute a read-only operation on the resource R1.

  The access right setting information shown in FIG. 3 is registered in the access information storage unit 22 by the administrator of the server 2 using input / output means connected to the server 2. The access permission information shown in FIG. 4 is generated by the access determination unit 16 and registered in the access information storage unit 22. The access determination unit 16 permits the user to access the resource for each resource based on the connection state of the node stored in the access state storage unit 21 and the access right setting information stored in the access information storage unit 22. It is determined whether or not access permission information is generated. That is, the access permission information is dynamically changed according to the connection state of the node to the network 1 and the like. For example, in the example 1 of FIG. 3, when the user A requests access to the resource R1, the licensor X and the licensor Y exist on the network 1 and the access is approved in response to the inquiry. Then, access permission information as in Example 1 of FIG. 4 is generated. However, if either one of the licensor X or the licensor Y leaves the network 1, the permission for the access is canceled and the access permission information as in Example 1 in FIG. 4 is deleted from the access information storage unit 22. The

  FIG. 5 is a diagram showing an example of the configuration of a terminal that implements the access control method according to the present invention. In FIG. 5, 31 is a network interface unit for controlling communication with the network 1, 32 is a keyboard connected to the terminal, input means such as a mouse and display means such as a display. An input / output interface unit 33 to be controlled, a control unit 33 provided as a CPU or the like to control components in the terminal 3, and a storage unit 34 provided as an HDD, ROM, RAM or the like.

  35 is an access monitoring unit that monitors the connection state of the node to the network 1 and the access state of the terminal 3 to the resource, and 36 is a message process that executes transmission / reception of information related to access to the resource with the server 2. , 37 is an encryption / decryption unit that encrypts a message transmitted from the message processing unit 36 and decrypts a message received by the message processing unit 36, and 38 is an environment such as metadata or a device driver from the server 2. An environment setting unit 39 that builds an environment for acquiring information and using the peripheral device 4, and 39 is a file management unit that executes file input / output control and the like. The access monitoring unit 35, the message processing unit 36, the encryption / decryption unit 37, the environment setting unit 38, and the file management unit 39 execute, for example, a program stored in the ROM or a program loaded in the RAM by the CPU. This is possible.

  Reference numeral 40 denotes an access state storage unit that stores information relating to the connection state of the node to the network 1 and the access state to the resource of the terminal 3, and 41 denotes an access that stores access management information indicating the access range, conditions, and permission state. An information storage unit 42 is a key information storage unit that stores information relating to a public key, a secret key, etc. for executing encryption / decryption, and 43 is an environment information that stores environment information for using the peripheral device 4 A storage unit 44 is a file storage unit that stores various files. The application program in the terminal 3 reads environment information from the environment information storage unit 43 and transmits / receives information such as commands to / from the peripheral device 4.

  FIG. 6 is a diagram illustrating an example of a data structure of access management information registered for each terminal. As shown in FIG. 6, access management information is registered for each resource. The access management information is composed of information related to 1c) licensors, 2c) number of required licensors, 3c) whether or not the licensor is approved, 4c) accessible period, 5c) accessible mode, and 6c) permission status.

  In the area related to the licensee (1c), a licensee who can grant access to the resource is registered. In the area related to the number of required licensees (2c), the number of licensees necessary for granting access to resources is registered. Information indicating whether or not the approval of the licensee according to the inquiry from the server 2 is necessary to grant the access to the resource is registered in the area related to whether or not the licensee is approved (3c). In the area related to the accessible period (4c), a period during which access to the resource can be granted is registered. In the area related to the accessible mode (5c), the mode of operations that can be executed on the resource is registered. Information indicating the permission state of access to the resource is registered in the area related to the permission state (6c). There are three permission states (6c): "permitted" for which access is permitted, "waiting for permission" waiting for the approval of the licensor, and "unlicensed" where a predetermined number of licensors are not present on the network. Have a state. Information relating to the above-mentioned licensee (1c), number of licensees required (2c), approval / disapproval of licensee (3c), accessible period (4c), and accessible mode (5c) are received from the server 2. Generated based on access management information. The information related to the permission state (6c) is generated based on the access permission information received from the server 2.

  When the access monitoring unit 15 of the server 2 detects that the user's terminal 3 is newly connected to the network 1, the access monitoring unit 15 transmits the access right setting information stored in the access information storage unit 22 to the terminal 3. Extract related access right setting information. From the extracted access right setting information, the message processing unit 17 obtains the licensor (2a), the number of required licensors (3a), the inquiry presence / absence to the licensor (4a), the accessible period (5a), and the accessible mode ( The information related to 6a) is extracted and transmitted to the terminal 3 as access management information. Further, the access determination unit 16 of the server 2 accesses the user's resources based on the connection state of the node stored in the access state storage unit 21, the presence / absence of an access request from the user, the approval of the licensee, and the like. Is determined to be permitted, access permission information is generated and registered in the access information storage unit 22. The message processing unit 17 transmits access permission information to the terminal 3.

Next, an operation related to the access control method according to the present invention will be described.
FIG. 7 is a flowchart showing an access control process in the server when a terminal is newly connected to the network. Here, in order to facilitate understanding of the description, the processing of the server 2 when the user A's terminal 3A is connected to the network 1 will be described. Both the user A and the terminal 3A do not represent specific users and terminals, but represent arbitrary users and terminals.

  The server 2 monitors the connection state of the node to the network 1 using the access control monitoring unit 15, and determines whether or not the terminal 3A of the user A is newly connected to the network 1 (step S1). ). If it is detected that the terminal 3A is newly connected to the network 1, information indicating that the terminal 3A of the user A is newly connected to the network 1 is registered in the access state storage unit 21 (step S2). . Note that the user A can usually connect the use terminal 3A to the network 1 by logging in to the server 2 that manages the network 1 using a user ID and a password. In such a case, the server 2 can recognize that the terminal 3A is connected to the network 1 by the login of the user A, without using the discovery protocol.

  Next, the server 2 extracts access right setting information related to the user A from the access right setting information stored in the access information storage unit 22 (step S3). If the access right setting information related to the user A is extracted, the message processing unit 17 is used to extract necessary information to generate access management information and transmit the generated access management information to the terminal 3A. . (Step S4).

  Next, the server 2 uses the access determination unit 16 to associate the user A with the access right setting information associated with the user A and the connection state of the node stored in the access state storage unit 21. The access permission information to be generated is generated and registered in the access information storage unit 22 (step S5). A detailed algorithm for generating access permission information will be described later.

If the access permission information is registered, the access permission information registered in the access information storage unit 22 is referred to by referring to the information related to the presence / absence (7a) of notifying the user of the access right setting information related to the user A. Among them, access permission information that needs to be notified is transmitted (step S6). At this time, for example, the following message is displayed on the display of the terminal 3A of the user A.
“Folder F5 is accessible.”
“Access to printer P3.”
When access to the peripheral device 4 of the user A is permitted, the environment such as metadata and device drivers related to the peripheral device 4 stored in the file storage unit 24 in the server 2 together with the access permission information. Information is transmitted to the terminal 3A.

  If the connection of the new terminal 3A to the network 1 is not detected in step S1, it is determined whether or not to end the access control (step S7). When the access control ends, the process ends. If the access control is not terminated, the process returns to step S1 to continue monitoring the network 1.

  Regarding the transmission of the access management information in step S4 and the transmission of the access permission information and the environment information in step S6, these information may be encrypted before transmission. In this case, the server 2 uses the encryption / decryption unit 18 to encrypt the information to be transmitted to the user A using the public key (or secret key) of the server 2 and to encrypt the ciphertext of the user A. Transmit to terminal 3A. The terminal 3A of the user A uses the encryption / decryption unit 37 to decrypt the received ciphertext using the secret key (or public key) of the terminal 3A, and obtains the obtained information as the message processing unit 36. Output to.

  When the access management information or the access permission information is received, the terminal 3A uses the message processing unit 36 to generate access management information in a predetermined format based on the acquired information and to store the access management information in the access information storage unit. 41. When environment information such as metadata and device drivers is received together with access permission information, the environment setting unit 38 is used to register the environment information in the environment information storage unit 43. As a result, it is possible to use the peripheral device 4 connected to the network 1 using the application program stored in the file storage unit 44 of the terminal 3A.

In the above description, the generation and transmission of access management information or access permission information related to the user A is executed when the terminal 3A is connected to the network 1. However, after the user A appears on the network, the access range of the user A naturally changes when the licensor's terminal is connected to the network 1. Therefore, even after the terminal 3A of the user A is connected to the network 1, the step S5 and the step S6 are periodically executed, and the access permission information stored in the access information storage unit 22 and the access information storage unit 41 are stored. It is necessary to update the permission status (6c) of the stored access management information. When the access permission information is updated, the following message, for example, is displayed on the display of the user's terminal for the resource for which the presence / absence of notification to the user (7a) is “present”. .
“Folder F2 is now accessible.”
The case where the access range changes as the licensor leaves the network will be described in detail later.

  Next, generation of access permission information will be described. Here, a case where permission for access to the resource R of the user A is determined will be described as an example. Both user A and resource R do not represent specific users and resources, but represent arbitrary users and resources. FIG. 8 is a flowchart showing an algorithm for generating access permission information. If the user A and the resource R are specified, the access right setting information related to the resource R and the user A is searched from the access right setting information stored in the access information storage unit 22, and the licensee (2a ), Information relating to the number of required licensees (3a) and the presence / absence of inquiry to the licensee (4a) is detected (step S11).

  Next, based on the connection state of the node stored in the access state storage unit 21, the licensee to which the terminal in use is connected to the network 1 is specified (step S 12). If the licensors existing on the network 1 are specified, it is determined whether or not the number of licensors existing on the network 1 is equal to or greater than the required number of licensors (step S13). If the number of licensors existing on the network 1 is equal to or greater than the required number of licensors, it is determined whether or not there is an inquiry (4a) to the licensor (step S14).

  If the presence / absence of the inquiry to the licensee is “Yes” in step S14, it is determined that the access to the resource R of the user A is in the license standby state (step S15). This means that if there are more licensors on the network than the required number of licensors, and the number of licensors who approve access in response to an inquiry exceeds the number of required licensors, the user This means that access to the resource R of A is permitted.

  In step S14, when the presence / absence of the inquiry to the licensee (4a) is “none”, it is determined that the access to the resource R of the user A is in the licensed state (step S16). In step S13, if the number of licensors existing on the network 1 is less than the required number of licensors, it is determined that access to the resource R of the user A is in an unlicensed state (step S17). The server 2 uses the access determination unit 16 to generate access permission information indicating whether the access to the resource R of the user A is in a permission state, a permission standby state, or a state where permission cannot be granted. Register in the information storage unit 22.

  For example, when access right setting information as shown in Example 2 of FIG. 3 is registered for the user A (belonging to the user class A), if the licensor X exists on the network 1, Access to the resource R of the user A is determined to be in a licensed state, and access permission information indicating that it is in a licensed state is registered in the access information storage unit 22. Further, when access right setting information as shown in Example 1 of FIG. 3 is registered for the user A, the licensor X and the licensor Y among the licensors D, E, X, Y, and Z. Is present on the network 1, it is determined that the access to the resource R of the user A is in the permission standby state, and access permission information indicating that it is in the permission standby state is registered in the access information storage unit 22.

  In the present embodiment, on the condition that the access request for the resource R of the user A is received, the server 2 transmits a query message regarding the permission of the access to the related licensee. The user A refers to the permission state (6c) of the access management information stored in the access information storage unit 41, and when the resource R desired to be accessed is in the permission standby state, the user A makes an access request for the resource R. Send to server 2.

  FIG. 9 is a flowchart showing an access control process in the server when an access request is received. The server 2 determines whether or not an access request for the resource R is received from the terminal A used by the user A (step S21). When the access request for the resource R of the user A is received, the access right setting information related to the resource R and the user A is searched from the access right setting information stored in the access information storage unit 22, Information relating to the licensor (2a) and the required number of licensors (3a) is detected (step S22).

Next, based on the connection status of the node to the network 1 stored in the access status storage unit 21, the licensed person existing on the network 1 is identified among the detected licensed persons (step S23). If the licensors existing on the network 1 are specified, it is determined whether or not the number of licensors is equal to or greater than the required number of licensors (step S24). If the number of licensors existing on the network 1 is greater than or equal to the required number of licensors, whether or not each licensor present on the network 1 is authorized to access the resource R of the user A An inquiry is made about (Step S25). At this time, for example, the following message is displayed on the display of the licensor's terminal.
“A tries to access folder Fm.
Do you want to allow it? (Yes, No) "

When a predetermined time elapses or when responses from all licensors who have sent messages related to inquiries are received, it is determined whether or not the number of licensors who approve the access is greater than or equal to the required number of licensors. (Step S26). If the number of licensors who approve the access is more than the required number of licensors, the user A is notified that access to the resource R of the user A is permitted (step S27). At this time, for example, the following message is displayed on the display of the terminal A used by the user A.
“Access to resource R has been granted.”
Further, the server 2 generates access permission information indicating that access to the resource R of the user A is permitted, and registers the access permission information in the access information storage unit 22 (step S28).

If the number of licensors who approve the access is less than the required number of licensors in step S26, the user A is notified that access to the resource R is denied (step S29). At this time, for example, the following message is displayed on the display of the terminal A used by the user A.
“Access to resource R is denied.”
In addition, if the process of step S28 or step S29 is complete | finished, a process will be returned to step S21.

  In step S21, when the access request for the resource R is not received from the terminal A used by the user A, it is determined whether or not to end the access control (step S30). When the access control ends, the process ends. If the access control is not terminated, the process returns to step S21 to continue monitoring the network 1.

  Next, an access control process when the licensee leaves the network will be described. In this embodiment, when the licensor requests to leave the network 1, access to the resource that cannot be accessed due to the licensor's withdrawal from the network 1 has been granted so far. A configuration is adopted in which the user can continue the operation on the resource until a predetermined grace period elapses. Here, in order to facilitate understanding of the explanation, a case where a request for leaving the network 1 is transmitted from the use terminal 3X of the licensee X will be described as an example. The licensor X and the user A and resource R described later do not represent specific licensors, users, and resources, but represent arbitrary licensors, users, and resources.

  FIG. 10 is a flowchart showing an access control process associated with licensor withdrawal. The server 2 monitors the network 1 using the access monitoring unit 15 and determines whether or not a disconnection request from the network 1 is received from the use terminal 3X of the licensor X (step S31). When a request to leave the network 1 is received from the terminal 3X, the access permission information related to the licenser X is searched from the access permission information stored in the access information storage unit 22, and the resource R, user A and licensor GX (GX represents a set of licensors) are detected (step S32). Of course, there may be a plurality of combinations of the resource R, the user A, and the licensee GX. In this case, the following steps S33 to S37 are executed for each combination.

If the resource R and the user A are specified, the access right setting information related to the resource R and the user A is searched from the access right setting information stored in the access information storage unit 22, and the number of required licensees Information related to (3a) and the forced termination postponement time (8a) is detected (step S33). Next, it is determined whether or not the number of other licensors excluding the licensor X from the licensor set GX is less than the required number of licensors (step S34). If the number of other licensors is less than the required number of licensors, the user A's permission to access resource R is cancelled. Therefore, the user A is notified that access to the resource R is disabled after the forced termination grace period has elapsed (step S35). At this time, for example, the following message is displayed on the display of the terminal A used by the user A.
"Access to resource R is disabled after 1 minute (access to resource R is forcibly terminated after 1 minute)"

In addition, the licensee X is notified that the access to the resource R of the user A becomes impossible after the forced termination grace period has elapsed (step S36). At this time, for example, the following message is displayed on the display of the terminal 3X used by the licensee X.
"User A's access to resource R will be disabled after 1 minute."
Note that a message about all users whose access has been permitted by the licenser X may be displayed as follows, for example.
“There are 3 accessors. All access will be forcibly terminated in 3 minutes.”

  When a message regarding forced termination is notified to the user A and the licensee X and a predetermined forced termination grace time elapses, the user A and the user A in the access permission information stored in the access information storage unit 22 The access permission information indicating that the access to the resource R is permitted is deleted. (Step S37). In step S34, if the number of other licensors is equal to or greater than the required number of licensors, the processing from step S35 to step S37 is not executed. If the processing from step S33 to step S37 is completed for all combinations of the resource R, the user A, and the licenser GX retrieved from the access permission information, the access log related to the resource that is permitted to be accessed by the licenser X Is transmitted to the licensee X (step S38). At this time, for example, an access log as shown in FIG. 11 is displayed on the display of the use terminal 3X of the licensee X.

  After transmitting the access log to the licensee X, the process returns to step S31. If it is determined in step S31 that a request to leave the network 1 is not received from the terminal 3X, it is determined whether or not to end access control (step S39). When the access control ends, the process ends. If the access control is not terminated, the process returns to step S31 to continue monitoring the network 1.

  As described above, according to the first embodiment, the licensor (2a) who permits access to the user's resources from the access right setting information stored in the access information storage unit 22 and the number of required licensors (3a). And detecting the connection state of the node to the network 1 to identify the number of licensors existing on the network among the licensors, and determining the number of licensors existing on the network. Since it is configured to permit access to the user's resources only when the number of required licensees is greater than or equal to the required number of licensees, the licensor constantly monitors the access to the user's resources on the network and is highly confidential. It is possible to monitor access to resources with multiple licenses, and unauthorized access to user resources It is possible to improve the safety of the system to prevent access. Further, the present invention can be used in an environment where a group works through a network. According to the present invention, an inappropriate operation of one member in a group on a resource shared by the group can be monitored by a predetermined number of other members in the group. This prevents the entire group from suffering unforeseen disadvantages due to inappropriate modification of data or programs by some members.

  In addition, since it is configured to permit access to user resources only when the number of licensors that exist on the network and authorize access to user resources is greater than or equal to the required number of licensors, Since the licensee who recognizes the access to the resource of the user constantly monitors the access on the network, the monitoring of the unauthorized access to the resource of the user is enhanced and the safety of the system can be further improved.

  Also, the access management information and access permission information are encrypted using the public key (or secret key) corresponding to the user's private key (or public key), and the encrypted access management information and access permission information are used. Since the encrypted access management information and access permission information can be decrypted, the access management information and access permission information can be transmitted only to a terminal that stores a secret key (or public key) that can be decrypted. Since it can be read, even if a third party impersonates a user and obtains access management information and access permission information, the third party cannot confirm resources within the scope of access. It is possible to improve the security of the system by preventing unauthorized access.

  In addition, when the licensor requests to leave the network, it is configured to notify the user that access to the resource is forcibly disabled after a predetermined grace period has elapsed. The time for which the user can execute an appropriate process for a certain resource is secured, and the user can be prevented from suffering an unexpected disadvantage.

  In addition, when the licensor requests to leave the network, the licensor has a management obligation because the licensor is notified of the access log related to the resource that the licensor has been permitted to access. Since it is possible to check the presence or absence of unauthorized access by browsing the progress of access to resources, the safety of the system can be further improved.

  In addition, since the environment information for using the resource is configured to be transmitted to the user after the user's access to the resource is permitted, the user must use the resource unless access to the resource is permitted. Therefore, it is possible to further prevent unauthorized access by the user and further improve the security of the system.

  In addition, since the environment information is encrypted using a public key (or secret key) corresponding to the user's secret key (or public key), the encrypted environment information is transmitted to the user. Environment information can be read only by a terminal that stores a private key (or public key) that can decrypt the encrypted environment information. For example, a third party can impersonate the user and obtain the environment information. Even so, resources cannot be used by a third party, so that unauthorized access by a third party can be prevented and the security of the system can be further improved.

Embodiment 2. FIG.
In the access control method according to the first embodiment, when access terminal 3A of user A is connected to network 1, all access right setting information related to user A extracted from the access right setting information. The access management information is generated and transmitted to the user A. On the other hand, the access control method according to the second embodiment permits the user A from the access right setting information related to the user A when the user A's terminal 3A is connected to the network 1. Only the access right setting information related to the resource R that is in the state or the waiting state for permission is different in that the access management information is generated and transmitted to the user A.

  FIG. 12 is a flowchart showing an access control process in the server when a terminal is newly connected to the network. The server 2 uses the access control monitoring unit 15 to monitor the connection status of the nodes to the network 1, and monitors whether the terminal A used by the user A is newly connected to the network 1 (step). S41). If it is detected that the terminal 3A is newly connected to the network 1, information indicating that the terminal 3A of the user A is newly connected to the network 1 is registered in the access state storage unit 21 (step S42). .

  Next, access right setting information related to the user A is extracted from the access right setting information stored in the access information storage unit 22 (step S43). If the access right setting information related to the user A is extracted, the access determination unit 16 is used to determine the permission state or permission for the user A based on the connection state of the node stored in the access information storage unit 21. A resource in a standby state is specified (step S44). If one or a plurality of resources in the permission state or the permission standby state are specified for the user A, only the access right setting information related to the specified resources is accessed using the message processing unit 17. Management information is generated, and the generated access management information is transmitted to the terminal 3A (step S45). If one or more resources that are in a licensed state for user A are identified, access permission information related to user A is generated and registered in access information storage unit 22 (step S46).

  If the connection of the new terminal 3A to the network 1 is not detected in step S41, it is determined whether or not to end the access control (step S47). When the access control ends, the process ends. If the access control is not terminated, the process returns to step S41 to continue monitoring the network 1.

  As described above, according to the access control method according to the second embodiment, on the condition that the user's access to the resource is in the permission state or the permission standby state, the access management information and Since it has been configured to transmit access permission information, at least for resources such as folders and files stored in devices connected to the network, users will not be allowed to access the resource unless it is in a permission state or a permission standby state. Therefore, it is possible to further prevent unauthorized access by the user and further improve the security of the system. That is, only the authorized user can see the storage location and type of resources available on the network on the display of the terminal in use.

  An access control program comprising program codes for executing the steps described in the flowcharts shown in FIGS. 7 to 10 and 12 is an information storage medium such as a CD-ROM or DVD-ROM in which the access control program is stored. Or by downloading from an external server in which the access control program is stored. The access control program read from the information storage medium or downloaded from an external server is installed in a storage means in a terminal device provided as a personal computer, for example. By executing the access control program installed in the storage means by the CPU in the terminal device, the access control method described in the first embodiment and the second embodiment can be realized. The access control program according to the present invention may be incorporated in a network OS such as Windows (registered trademark), UNIX (registered trademark), or Linux, or may be realized as application software operating on the network OS. A terminal is connected to a network managed by the server by logging in to a server operating on such a network OS through authentication with a user ID and a password.

  Note that the access control method and the access control program described in the first embodiment and the second embodiment are not intended to limit the present invention, but are disclosed for the purpose of illustration. The technical scope of the present invention is defined by the description of the scope of claims, and various design changes can be made within the technical scope of the invention described in the scope of claims.

  The present invention can be widely applied to access control in a network system including a server, a terminal, a peripheral device, and the like and a network to which these devices are connected.

It is a figure which shows an example of a structure of the computer network system to which the access control method by this invention is applied. It is a figure which shows an example of a structure of the server which implement | achieves the access control method by this invention. It is a figure which shows an example of the data structure of access right setting information. It is a figure which shows an example of the data structure of access permission information. It is a figure which shows an example of a structure of the terminal which implement | achieves the access control method by this invention. It is a figure which shows an example of the data structure of access management information. It is a flowchart which shows the access control process in a server when a terminal is newly connected to the network. It is a flowchart which shows the algorithm which produces | generates access permission information. It is a flowchart which shows the access control process in the server at the time of receiving an access request. It is a flowchart which shows the access control process accompanying a licensee withdrawal. It is a figure which shows an example of an access log. It is a flowchart which shows the access control process in a server when a terminal is newly connected to the network.

Explanation of symbols

1 network, 2 server, 3 terminal, 4 peripheral device, 11 network interface unit, 12 input / output interface unit, 13 control unit, 14 storage unit, 15 access monitoring unit, 16 access determination unit, 17 message processing unit, 18 encryption / Decryption unit, 19 access information registration unit, 20 file management unit, 21 access state storage unit, 22 access information storage unit, 23 key information storage unit, 24 file storage unit, 31 network interface unit, 32 input / output interface unit, 33 control means, 34 storage means, 35 access monitoring part, 36 message processing part, 37 encryption / decryption part, 38 environment setting part, 39 file management part, 40 access state storage part, 41 access information storage part, 42 key Information storage unit, 43 Environmental information storage unit, 44 File storage unit

Claims (10)

Identifying the user whose terminal is connected to the network;
Identifying a resource connected to the network or stored in a device connected to the network;
Identifying one or more licensors authorized to grant access to the resource of the user and the number of licensors required to grant access;
A step of detecting a connection state of a terminal connected to the network and identifying one or a plurality of the licensors whose terminals are connected to the network and the number of the licensors whose terminals are connected to the network; When,
Granting the user access to the resource when the number of licensees connected to the network is greater than or equal to the number of licensees required to grant access. An access control method comprising: The access control method according to claim 1, further comprising: transmitting information related to the resource to the user on condition that the user is permitted to access the resource. Using the public key or private key corresponding to the user's private key or public key to encrypt information related to the resource, and transmitting the encrypted resource-related information to the user. The access control method according to claim 1. Detecting a leave request from the network by one of the licensors authorized to grant access to the resource of the user;
When the number obtained by subtracting 1 from the number of licensees connected to the network using the terminal is less than the number of licensees required for granting access, the user is given a predetermined grace period. The access control method according to claim 1, further comprising a step of notifying that access to the resource is forcibly disabled after the elapse of time. Detecting a leave request from the network by one of the licensors authorized to grant access to the resource of the user;
The access control method according to claim 1, further comprising a step of notifying the licenser who requests to leave the network of an access log for the resource of the user. Identifying the user whose terminal is connected to the network;
Identifying a resource connected to the network or stored in a device connected to the network;
Identifying one or more licensors authorized to grant access to the resource of the user and the number of licensors required to grant access;
A step of detecting a connection state of a terminal connected to the network and identifying one or a plurality of the licensors whose terminals are connected to the network and the number of the licensors whose terminals are connected to the network; When,
Inquiring to the one or more licensors whose terminals are connected to the network whether or not to authorize the user to access the resource;
Granting the user access to the resource when the number of licensees authorizing access to the resource is greater than or equal to the number of licensers required to grant access. And an access control method. 7. The method according to claim 1, further comprising: transmitting environmental information for using the resource to the user on condition that access to the resource by the user is permitted. Access control method. 8. The environment information is encrypted using a public key or a secret key corresponding to the user's secret key or public key, and the encrypted environment information is transmitted to the user. Access control method. Identifying the user whose device is connected to the network;
Identifying a resource connected to the network or stored in a device connected to the network;
Identifying one or more licensors authorized to grant access to the resource of the user and the number of licensors required to grant access;
Detecting a connection state of a terminal connected to the network and identifying one or a plurality of the licensors whose terminals are connected to the network and the number of the licensors whose terminals are connected to the network; When,
Granting the user access to the resource when the number of licensees connected to the network is greater than or equal to the number of licensees required to grant access; An access control program comprising: Identifying the user whose device is connected to the network;
Identifying a resource connected to the network or stored in a device connected to the network;
Identifying one or more licensors authorized to grant access to the resource of the user and the number of licensors required to grant access;
Detecting a connection state of a terminal connected to the network, and identifying one or a plurality of the licensors whose terminals are connected to the network, and the number of the licensors whose terminals are connected to the network; ,
Inquiring one or a plurality of the licensors whose use terminals are connected to the network as to whether or not to authorize the user to access the resource;
Granting the user access to the resource when the number of licensees authorizing access to the resource is greater than or equal to the number of licensers required to grant access. And an access control program.

Images