JP2008117007A - Remote access controller - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To enhance an access regulation to a business information system (Enterprise System), and to improve the verification facility of access content. <P>SOLUTION: This invention relates to the remote access controller connected to a terminal for operation for performing the maintenance operations of a plurality of management object devices in the business information system or the like and each of the management object devices according to the transmission of a control instruction based on the operation of a user. This device receives operation application information including the designation of the execution scheduler and operation content of the maintenance operation, and registers the applied maintenance operation and the approval state in the operation schedule information. When receiving an operation execution request including the designation of the execution scheduler of the maintenance operation, this device transfers a command transmitted from the terminal for operation to the management object device under such conditions that the maintenance operation with the designated execution scheduler targeted has been already approved. The content of the maintenance operation to be executed by the command is recorded as log information, and whether or not the executed operation content is within the range of the applied operation content is decided. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a system operation of a device connected to a communication network, and particularly relates to a maintenance operation of a business information system.

  Business information systems that support the operation of companies and public facilities, so-called enterprise systems, are now the foundation of organizations of various sizes. The business information system supports complicated organization management by outputting higher value-added information after totaling, accumulating, analyzing and processing data obtained from node terminals and databases.

Such a business information system requires various maintenance operations such as operation monitoring, failure handling, function expansion and function change even after operation. Normally, a client company that introduces a business information system entrusts this maintenance work to an external management company or another internal organization. Management company SE (System
Engineers often perform maintenance work by remotely logging in to a business information system.
JP 2004-213475 A

  By the way, the SOX (Sarbanes-Oxley) law recently enacted in the United States strongly urges corporate managers and accounting auditors to guarantee the validity of public information. Following this, the Japanese version of the SOX method is scheduled to be introduced in Japan, and there is an urgent need to establish a system that can handle the Japanese version of the SOX method.

  In view of such a social background, the present inventor focused on remote access to a business information system by a management company, strengthened access control to the business information system and verified access contents, in particular, predetermined rules and approvals. Recognized that it is necessary to verify whether access based on. Furthermore, it was thought that the maintenance work can be made more efficient by using the verification result.

  The present invention is an invention that has been completed based on recognition of the above problems of the present inventor, and its main purpose is information security and verification of work contents when a system connected to a device connected to a communication network is remotely operated. It is to provide a technique for improving the quality.

An aspect of the present invention is a remote access control device connected to each of a work terminal and a management target device that perform system operation of the management target device by transmitting a control command based on a user operation.
This apparatus receives work application information including designation of the person who is scheduled to perform the system work executed by the system operation and the contents of the system work, and registers the requested system work together with the approval status in the work schedule information.
When a work execution request including the designation of a person who is scheduled to perform system work is received, the control command sent from the work terminal is managed on the condition that the system work for the designated person scheduled for execution has been approved. Transfer to the target device. The contents of the system operation executed by the control command are recorded as log information, and it is determined whether or not the executed work contents are within the range of the requested work contents.

  The system operation referred to here may be an operation for remotely executing a system operation as a so-called maintenance operation such as a maintenance / inspection such as a failure management of the management target device, a failure investigation, a periodic inspection, etc. .

Another aspect of the present invention is also a remote access control device connected to each of a work terminal and a managed device that perform system operation of the managed device by transmitting a control command based on a user operation.
This apparatus receives a work execution request including a designation of a person who is scheduled to perform a system work executed by a system operation, and transfers a control command transmitted from the work terminal to the management target apparatus. The contents of the system operation executed by the control command are recorded as log information and the access tendency to the management target device as the trend information, respectively, and the access contents in the time zone when the system work is executed match the access tendency in that time zone. Judgment is made.

Still another aspect of the present invention is also a remote access control device connected to each of the management target device and a work terminal that performs system operation of the management target device by transmitting a control command based on a user operation.
This apparatus receives a work execution request for system work executed by a system operation, and transfers a control command transmitted from the work terminal to the management target apparatus. Then, the contents of the system operation executed by the control command are recorded as log information, and it is determined whether the work contents satisfy the conditions defined in the maintenance contract.

  It should be noted that any combination of the above-described components, and the present invention expressed by a method, system, recording medium, and computer program are also effective as an aspect of the present invention.

  According to the present invention, it is possible to improve information security and work content verification in a business information system.

FIG. 1 is a hardware configuration diagram showing the relationship between the remote access control device 100 and various business information systems.
An operational environment 300 shown in the figure shows a business environment of a certain company A. Hereinafter, people, devices, and the like belonging to the operation environment 300 are referred to as “operation side”. The maintenance execution environment 200 indicates a business environment of a certain company B. A person or device belonging to the maintenance execution environment 200 will be referred to as a “development side” below. In company A, various business information systems are operated, and the maintenance work is entrusted to company B. That is, regarding the maintenance work, company A is the client side and company B is the service side. In the following, the company A is also referred to as “consignment company” and the company B is also referred to as “consignment company”. Various companies such as securities firms, banks, government offices, and transportation can be entrusted companies. On the other hand, the trustee company is the so-called system integrator (System
Integrator).

The operating environment 300 of the company A includes three types of business information systems, a financial information system 310, a customer information system 312, and an inventory management system 314, and one or more operation side approval terminals 320. The financial information system 310 is a system for managing the financial information of the company A. The customer information system 312 is a system for managing customer information of the company A. The inventory management system 314 is a system that manages the inventory status of the products of the company A. The operation side approval terminal 320 is a general PC (Personal
Computer) terminal. The operation side approval terminal 320 does not necessarily belong to the operation environment 300, and may be a portable terminal such as a notebook PC.

The maintenance execution environment 200 includes a plurality of work terminals 202 such as work terminals 202a, 202b, and 202c, and one or more development-side approval terminals 204. The work terminal 202 and the development side approval terminal 204 are also general PC terminals equipped with a web browser. The development-side approval terminal 204 may also be a portable terminal such as a notebook PC.
Each business information system is connected to the Internet 330 via the remote access control device 100. The work terminal 202 and the development-side approval terminal 204 are connected to the remote access control apparatus 100 via the Internet 330.

Various business systems in the operational environment 300 are appropriately subjected to maintenance work even after operation. Although some of the maintenance work is performed in the operation environment 300 such as a backup tape replacement work, most of the maintenance work is performed by remote access from the work terminal 202. Hereinafter, the user who performs the remote maintenance work is simply referred to as “worker”. The worker is usually the SE of company B in many cases. The operator operates one of the work terminals 202 to remotely log in to the remote access control apparatus 100. Then, the target business information system is accessed via the user interface provided by the remote access control device 100. In other words, the remote access control device 100 centrally manages access to various business information systems.
From the viewpoint of enhancing information security, it is desirable that the communication path between the work terminal 202 and the remote access control device 100 is a secure communication path by VPN (Virtual Private Network) or the like.

The remote access control device 100 accepts a remote login request from the work terminal 202. Then, remote login is permitted on condition that both of the following three determinations are affirmative.
1. Whether the worker is a registered user (hereinafter referred to as “user authentication”)
2. Whether the worker has applied in advance for performing maintenance work (hereinafter referred to as "application determination")
3. The maintenance work requested by the worker includes an approver using the development-side approval terminal 204 (hereinafter referred to as “development-side approver”) and an approver using the operation-side approval terminal 320 (hereinafter referred to as “operation-side approver”). ”) (See“ Approval Judgment ”)
There are exceptions to the above process, but the details including such exceptions will be described later. First, the application and approval of maintenance work by the worker will be described.

FIG. 2 is a sequence diagram showing a process for application and approval of work.
The worker must apply for the scheduled work date and time, the work content, etc. before performing the maintenance work. The user of the work terminal 202, that is, the worker first accesses the remote access control apparatus 100 for work application (S10). The remote access control device 100 is an HTML (Hyper for application screen 250).
Text Markup Language) data is transmitted (S12). The user interface of the application screen 250 will be described later with reference to FIG.

  The application screen 250 is displayed on the work terminal 202 (S14). When the user inputs data indicating application contents on the application screen 250 (S16), the input data is transmitted to the remote access control apparatus 100 as work application information (S18). The remote access control device 100 registers this work application information in the work schedule information as a work schedule (S20). The data structure of the work schedule information will be described later with reference to FIG. The remote access control device 100 transmits an e-mail to each of the development-side approval terminal 204 and the operation-side approval terminal 320 to notify that a new work application has been made (S22, S24).

  The development-side approver of the development-side approval terminal 204 accesses the remote access control device 100 to determine whether approval is possible (S26). The remote access control device 100 transmits the HTML data of the development side approval screen 270 (S28). The user interface of the development-side approval screen 270 will be described later with reference to FIG. The development-side approval screen 270 is displayed on the development-side approval terminal 204 (S30). When the user, that is, the development-side approver inputs approval / disapproval on the development-side approval screen 270 (S32), development-side approval information indicating approval / disapproval is transmitted to the remote access control device 100 (S34). The remote access control device 100 updates the approval status of the applied work according to the approval / disapproval (S36).

On the other hand, the operation side approver of the operation side approval terminal 320 also accesses the remote access control apparatus 100 for approval determination (S38). The remote access control device 100 transmits the HTML data of the operation side approval screen 340 and displays the operation side approval screen 340 (S40, S42). The user interface of the operation side approval screen 340 will be described later with reference to FIG. When the user, that is, the operation side approver inputs approval approval / disapproval on the operation side approval screen 340 (S44), operation approval information indicating approval approval / disapproval is transmitted to the remote access control device 100 (S46). The remote access control device 100 updates the approval status of the applied work according to the approval / disapproval (S48).
In this way, an application for work, approval by the development side approver (hereinafter simply referred to as “development side approval”), and approval by the operation side approver (hereinafter simply referred to as “operational approval”) are made. The approver on the development side is the person in charge at the contracting company, and the approver on the operation side is the person in charge at the outsourcing company. Accordingly, the approval on the development side is judged from the standpoint of the trustee company, and the approval on the operation side is judged from the standpoint of the contracting company.

  More precisely, in S10, S26, and S38, the user ID and password of the worker, the approver on the development side, and the approver on the operation side are also transmitted. The remote access control device 100 performs user authentication to determine whether the received user ID and password are already registered, and does not transmit HTML data such as the application screen 250 unless the user authentication is successful. Hereinafter, information for uniquely identifying a user such as a user ID or a password is referred to as “user identification information”.

  Instead of actively notifying work applications as in S22 and S24, a list of work applications awaiting approval may be displayed when each approver accesses the remote access control device 100. The approver may select a work application to be approved from the list, and display the development-side approval screen 270 and the operation-side approval screen 340.

  When a work application is made in S18, the remote access control apparatus 100 notifies only one of the development side approval terminal 204, for example, not the development side approval terminal 204 and the operation side approval terminal 320, for example. Also good. Then, the operation-side approval terminal 320 may be notified on the condition that the development-side approval has been made. In this case, since the operation side approver has only to make a determination about the work application that has been approved by the development side, there is an effect that the load caused by the approval determination is reduced.

  In the case of a business information system that allows access only by user authentication using a password or the like, the leakage of the password directly leads to the crisis of the business information system. Patent Document 1 discloses an access rule that is subject to access approval by an administrator in addition to user authentication using an ID and a password. Such an access rule is an effective technique for preventing unauthorized access to the business information system, but only a decision from the standpoint of the approver on the development side is made.

However, even if the approver on the development side approves, the scheduled work date and time may be inconvenient when viewed from the operation side. For example, if the maintenance work is executed in a time zone where the processing load is expected to increase, the processing efficiency of the entire business information system is greatly reduced. According to the remote access control device 100 of the present embodiment, such a situation can be appropriately dealt with by granting the approval right to the operation side approver. That is, it is possible to make multifaceted approval judgments from different positions of the trustee and the trustee.
Next, after describing the application screen 250 in S14, the development-side approval screen 270 in S30, and the operation-side approval screen 340 in S42, processing steps when the worker performs maintenance work will be described.

FIG. 3 shows an application screen 250 displayed on the work terminal 202.
When the remote access control apparatus 100 is accessed for a work application, an application screen 250 shown in FIG. The application screen 250 is displayed as a web page on the work terminal 202.

  In the worker name column 252, the worker name is input in a selection format. For example, when the user “Nobuyuki Aino” of the work terminal 202 logs in to the remote access control apparatus 100, “Nobuyuki Aino” is displayed in the worker name column 252. The user can also specify another worker in the worker name column 252. That is, “Nobuyuki Aino” can apply for work on behalf of another worker as well as an application for performing work by himself.

In the subject area 254, the subject of the work application is input. The system name area 256 designates a business information system to be worked, and the target name area 258 designates a node to be worked, that is, a management target device. In the figure, among the plurality of devices included in the financial information system 310 (ID: 04), the web server (ID: 14) is the management target device. The work type area 260 indicates a work type (work ID). Maintenance tasks have various purposes, such as troubleshooting, investigation, operation monitoring, testing, release work, and so on. The maintenance work is thus classified into a plurality of types (hereinafter simply referred to as “work types”). Here, the release work of work ID: 04, that is, the work of updating the software installed in the web server is designated. In the development side communication area 262, the communication items to the development side approver are input in the operation side communication area 264 in the free description format. The work date / time area 266 shows the scheduled work date / time.
The worker clicks the application button 268 after inputting data in each item shown on the application screen 250. The input data is transmitted to the remote access control apparatus 100 as work application information. The remote access control apparatus 100 assigns an “application ID” to the applied work and registers it in the work schedule information.

FIG. 4 shows a development side approval screen 270 displayed on the development side approval terminal 204.
When the development-side approval terminal 204 accesses the remote access control apparatus 100 for approval determination, the development-side approval terminal 204 displays a development-side approval screen 270 shown in FIG. The development side approval screen 270 is displayed as a web page on the development side approval terminal 204.

  The application information area 274 shows a part of the application contents input on the application screen 250, in other words, a part of the work application information. The display content of the communication item area 284 corresponds to the content input in the development side communication area 262 of the application screen 250. On the other hand, the content input in the operation side communication area 264 of the application screen 250 is not displayed in the application information area 274. In this way, only the information necessary for determination is extracted from the work application information from the standpoint of the development side approver and displayed. According to such a method, even when the content of the work application information is complicated, it is possible to reduce time and effort when the development side approver confirms the application content.

  Further, in the related information area 272, related information of the “financial information system (04)” specified as part of the work application information is displayed. The remote access control device 100 holds such various related information. Here, the “financial information system (04)” is a system operated by a consignment company “Murano Co., Ltd.”, and this company is associated with information that the company has a business relationship since 1998 as seen from the consignment company. It has been. Thus, the remote access control apparatus 100 selectively provides related information that contributes to the approval judgment of the development side approver among the related information about the information included in the work application information. In the case of the figure, the remote access control device 100 is set to provide related information such as “company name” and “year of transaction start” to the development side approver for the work information system to be worked. .

  In the approver name area 276, the approver name of the development side approver is input. In the communication column 278, communication items for the worker are input. The approval button 280 is an approval button, and the rejection button 282 is a rejection button. When either the approval button 280 or the rejection button 282 is clicked, the description information in the approver name area 276 and the communication field 278 and the development side approval information indicating approval / disapproval are transmitted to the remote access control apparatus 100 (FIG. 2). S34). The contents of the communication column 278 may be transmitted to the work terminal 202 by e-mail.

FIG. 5 shows an operation side approval screen 340 displayed on the operation side approval terminal 320.
When the operation side approval terminal 320 accesses the remote access control apparatus 100 for approval determination, the operation side approval terminal 320 displays an operation side approval screen 340 shown in FIG. The operation side approval screen 340 is displayed as a web page on the operation side approval terminal 320.

  The application information area 344 shows a part of the application content input on the application screen 250, in other words, a part of the work application information. The display content of the communication item area 346 corresponds to the content input to the operation side communication area 264 of the application screen 250. On the other hand, the content input in the development side communication area 262 of the application screen 250 is not displayed in the application information area 274. In the application information area 344, the name of the worker who actually performs the maintenance work is not displayed. This is because information on when and what work is performed is important for the contracting company, but it is considered that the person who performs the work is not so important information.

  In the related information area 342, related information of “Web server (14)” specified as part of the work application information is displayed. Here, the “web server (14)” includes “maximum connectable number”, “installed CPU”, “average usage rate of CPU of the device during a predetermined period”, “size of installed memory” Is associated. In the example shown in the figure, related information of “Web server (14)” is provided on the operation side approval screen 340 for the operation side approver.

The approver name area 348 is an area for inputting the approver name of the operation side approver. In the communication column 350, communication items for the worker are entered. The approval button 352 is an approval button, and the rejection button 354 is a rejection button. When either the approval button 352 or the reject button 354 is clicked, operation-side approval information indicating the contents of the approver name area 348 and the communication field 350 and approval / rejection is transmitted to the remote access control apparatus 100 (FIG. 2). S46). The contents of the communication column 350 may be transmitted to the work terminal 202 by e-mail.
Next, processing when actually starting the maintenance work will be described.

FIG. 6 is an example of a sequence diagram illustrating a process of remote login processing to the business information system.
When the operator operates the work terminal 202 to access the remote access control apparatus 100, the remote access control apparatus 100 displays a login screen on the work terminal 202. The worker designates user identification information and a business information system to be accessed, and transmits a work execution request to the remote access control device 100 (S50). The remote access control device 100 first performs user authentication with reference to the received user identification information (S52). If user authentication fails (N in S52), access is denied (S62), and the work terminal 202 is notified of the refusal (S64). If the user authentication is successful (Y in S52), a determination is made as to whether the access source user has applied for some maintenance work with the current date and time as the scheduled work date, that is, an application determination is executed (S54). . If the application has not been made (N in S54), access is denied (S62).

  If the application has been completed (Y in S54), it is determined whether the work application has been approved by the operation side (S56). If the operation side approval has not been made (N in S56), access is denied (S62). If the operation side has been approved (Y in S56), it is determined whether the development side has been approved (S58). If the development side approval is not made (N in S58), the access is denied (S62). If it has not been approved by the development side (Y in S58), access is permitted (S60), and the fact is notified to the work terminal 202 (S64).

Through the above processing, the operator remotely logs in to the remote access control device 100. Thereafter, the remote access control device 100 provides a user interface screen to the work terminal 202. The worker accesses the business information system and eventually the management target device via the user interface screen. The access protocol may be a known communication protocol such as Http, Telnet, or Ftp. For example, the remote access control device 100 is a GUI (Graphical
A dedicated web page for performing maintenance work on the management target device may be displayed on the work terminal 202 using the User Interface. Alternatively, a dedicated CUI (Character-based
A command may be transmitted to the management target apparatus on the (User Interface) screen.
Thus, the remote access control apparatus 100 is operated by the operation on the user interface screen of the work terminal 202. For example, when an input is made to a button or edit box on the web page, the work terminal 202 transfers operation data corresponding to the input content to the remote access control device 100. The remote access control device 100 performs various processes corresponding to the operation data. That is, the operation data transmitted from the work terminal 202 to the remote access control device 100 is a control command for operating the remote access control device 100.

Whether GUI or CUI, maintenance work is performed by transmitting various commands from the work terminal 202 to the management target device via the remote access control device 100. The remote access control apparatus 100 records this command and a response from the management target apparatus as log information. Further, the remote access control device 100 may record an actual screen operation by the worker as a moving image.
The remote access control apparatus 100 has a function of verifying log information afterwards. The log information and the verification method will be described later with reference to FIGS. 9 and 10.

  As described above, if the operation side approval is made on the premise of the development side approval, the development side approval determination process in S58 is not required in the remote login process.

FIG. 7 is a functional block diagram of the remote access control device 100.
Each block shown here can be realized in hardware by an element such as a CPU of a computer or a mechanical device, and in software it is realized by a computer program or the like. Draw functional blocks. Therefore, those skilled in the art will understand that these functional blocks can be realized in various forms by a combination of hardware and software.

  The remote access control device 100 includes a user interface processing unit 110, a data processing unit 150, and a data holding unit 180.

For example, the user interface processing unit 110 transmits screen data to the work terminal 202, the development-side approval terminal 204, and the operation-side approval terminal 320, and receives various data from these terminals. In addition, the command from the worker is transferred to various business information systems, or the data from each business information system is received and transferred to the work terminal 202. Thus, the user interface processing unit 110 is in charge of the entire user interface for accessing the business information system.
The data processing unit 150 executes various types of data processing based on the data acquired from the user interface processing unit 110. The data processing unit 150 also serves as an interface between the user interface processing unit 110 and the data holding unit 180.
The data holding unit 180 is a storage area for holding various data.

User interface processing unit 110:
The user interface processing unit 110 includes an application communication unit 120, a work communication unit 136, and a notification unit 140.
The application communication unit 120 is responsible for communication related to application / approval of work to the development-side approval terminal 204 and the operation-side approval terminal 320. The application communication unit 120 includes a work application reception unit 122, an approval reception unit 124, and an application transmission unit 130. The work application receiving unit 122 receives work application information from the work terminal 202 (S18 in FIG. 2). Of the application transmitting unit 130, the development side application transmitting unit 132 transmits the work application information to the development side approval terminal 204 (S28 in FIG. 2), and the operation side application transmitting unit 134 transmits the work application information to the operation side approval terminal 320. Transmit (S40 in FIG. 2). Among the approval receiving units 124, the development side approval receiving unit 126 receives the development side approval information (S34 in FIG. 2), and the operation side approval receiving unit 128 receives the operation side approval information (S46 in FIG. 2).
The work communication unit 136 receives a work execution request from the work terminal 202. In addition, a command for maintenance work is received and transferred to the management target apparatus.
The notification unit 140 notifies the work terminal 202 or the like of various types of information related to the processing result of the remote access control device 100. The skip notification unit 142 of the notification unit 140 notifies the development-side approval terminal 204 of an e-mail that “skip approval” described later has been executed. The verification notification unit 144 of the notification unit 140 notifies the analysis result of the log information. The analysis of log information will also be described later.

Data holding unit 180:
The data holding unit 180 includes a work schedule holding unit 182, a log holding unit 184, a trend holding unit 186, a contract holding unit 188, a schedule holding unit 190, a related information holding unit 192, and a user information holding unit 194.
The work schedule holding unit 182 holds the execution schedule of the applied maintenance work as work schedule information. The data structure of the work schedule information will be described in detail with reference to FIG. The log holding unit 184 holds a command transmitted from the work terminal 202 and a response from the business information system as log information when executing the maintenance work. In this embodiment, log information is recorded for each worker. The log information will be described in detail with reference to FIG.

  The trend holding unit 186 holds trend information indicating a statistical trend of maintenance work. This trend information is generated by aggregating log information. For example, in the past six months, the trend information refers to “the ratio of the time during which maintenance work is performed” to the web server A of the financial information system 310 at “12:00 to 18:00” on Monday. The statistical information is aggregated from various viewpoints such as “total number of transmission commands” and “probability that maintenance work is performed”. The trend information will also be described later in relation to FIG. 10 (a) and FIG. 10 (b).

Generally, a maintenance contract called an SLA (Service Level Agreement) is exchanged between a consignment company and a consignment company. SLA is a quality assurance contract for maintenance work.
For example, when software of a certain web server is updated, that is, when a “release work” is performed, the web server to be worked is removed from a load balancer that performs load balancing among a plurality of web servers, and then the web Work must be done in the order of stopping server services. Moreover, the contract content that the operation monitoring operation | work for 30 minutes or more must be performed every Friday about a certain web server is also considered. The contract holding unit 188 holds an SLA indicating qualitative and quantitative execution conditions for such maintenance work as execution condition information.
In addition, from the viewpoint of internal control, division of roles and business flow for system operation may be defined by internal regulations. From such a point of view, the execution condition information held by the contract holding unit 188 may be set with an execution condition based on in-house regulations as well as the SLA.

  Some maintenance operations are routine tasks that are executed according to a predetermined schedule. The schedule holding unit 190 holds schedule information as a maintenance work execution schedule. The related information holding unit 192 holds related information in association with various data that can be included in the work application information. The related information is as described in relation to FIG. 4 and FIG. The user information holding unit 194 holds regular user information in which a user ID is associated with a password. Only users registered in the regular user information pass user authentication.

Data processing unit 150:
The data processing unit 150 includes a work schedule registration unit 152, a work recording unit 154, an access control unit 160, an approval determination unit 162, a user authentication unit 176, and a work verification unit 164.
The work schedule registration unit 152 registers the applied maintenance work in the work schedule holding unit 182. When a work application is made, an application ID for uniquely identifying the application is given. In the work schedule information, an application ID, a work schedule date, work contents, a worker name, an approval state, and the like are associated. Therefore, when the development-side approval information and the operation-side approval information are received, the work schedule information is updated. The work recording unit 154 records the work contents of the maintenance work. The log recording unit 156 of the work recording unit 154 records log information, and the trend recording unit 158 aggregates the log information to generate trend information, which is recorded in the trend holding unit 186.

  The access control unit 160 relays or blocks data transmission / reception between the business information system and the work terminal 202. The approval determination unit 162 performs application determination and approval determination. The user authentication unit 176 performs user authentication with reference to regular user information. The access control unit 160 sets whether to allow access through user authentication, application determination, and approval determination (development-side approval determination and operation-side approval determination) (see S60 and S62 in FIG. 6). That is, the communication path from the maintenance execution environment 200 to the management target device is set to open / close.

The work verification unit 164 is a functional block that performs post-verification of maintenance work based on log information. The work verification unit 164 is for detecting an abnormality with respect to unauthorized access or access that is suspected of being unauthorized, and for checking the business condition of the contracted company based on the execution result of the maintenance work. The state determination unit 174 is included. Specific functions of the state determination unit 174 will be described later.
The abnormality determination unit 166 includes an application verification unit 168 that determines whether the maintenance work is compatible with the contents of the application for work, a tendency determination unit 170 that determines whether the maintenance work is compatible with the past access tendency, A contract verification unit 172 that determines whether or not the product conforms to the SLA is included. Details of these functions will be described later.

FIG. 8 is a data structure diagram of work schedule information in the work schedule holding unit 182.
The application ID column 210 shows an application ID. When the work application information is received, the work schedule registration unit 152 assigns a unique application ID and registers the work application information. The worker ID column 212 indicates the user ID of the planned worker. The application date column 214 indicates the date on which the work application is made, and the work date / time column 216 indicates the scheduled work date / time.

The development-side approval column 218 indicates the status of the development-side approval, the approval status column 220 indicates approval status as “O”, “-” indicates unapproved, “x” indicates rejection, and the approval date / time column 222 indicates approval. Indicates the date and time. The operation side approval column 224 indicates a state regarding the operation side approval, the approval state column 226 indicates an approval state of approved, unapproved, or rejected, and the approval date / time column 228 indicates an approval date / time.
The work type column 230 indicates the work type. The system ID column 232 indicates the ID of the business information system that is the work target, and the node ID column 234 indicates the ID of the management target device, that is, the node that is the target of the maintenance work.

  In the figure, in “application ID: 1”, a failure handling work “work type: 01” has been applied, and has been approved by both the development-side approver and the operation-side approver. The release work of “application ID: 2” is rejected by the operation side approver. The investigation work of “application ID: 3” is approved by the development side approver but not approved by the operation side approver. On the other hand, the test operation of “application ID: 4” has been approved by the operation side but not by the development side. Therefore, under normal circumstances, the test work of “application ID: 4” cannot be executed as it is, but in a predetermined situation, the maintenance work can be executed without waiting for the development side approval. In this way, permitting maintenance work with only operation-side approval without going through development-side approval is called “skip approval”.

The operation side approver is assumed to be an SE dispatched from the contracting company to the operation site of the business information system, or an administrator of the consigning company. Since the business information system is usually operated 24 hours a day, 365 days a year, a plurality of operation side approvers respond to operations on a shift basis. Therefore, the operation side approver is in a position where it is easy to quickly review work applications.
On the other hand, the development side approver is assumed to be the supervisor of the worker in the contracting company. Therefore, the development side approval may not be obtained unless the working hours of the development side approver.

However, some maintenance operations require an immediate response, such as a failure response. In such a case, skip approval is effective. When the skip approval is made, the skip notification unit 142 notifies the development side approval terminal 204 of the fact that the skip approval has been made later by e-mail or the like. In the present embodiment, it has been described that when a work application is made, the fact is notified to the development-side approval terminal 204 and the operation-side approval terminal 320 (S22 and S24 in FIG. 2), but as described above, the approver May be a passive processing method of browsing work waiting for approval when accessing the remote access control device 100. When such a passive processing method is adopted, the skip approval notification is particularly effective for raising the attention of the developer on the development side.
Further, when the development side approver does not approve within a predetermined time, an alarm notification may be sent to the development side approval terminal 204 to make the approval required.

The conditions that allow skip approval are:
1. Being an application for a given work type, for example, a highly urgent maintenance work such as handling a failure,
2. 2. The time from the application date / time to the scheduled start date / time of the operation is a predetermined time or less, for example, a highly urgent maintenance operation. 3. The worker has explicitly applied for skip approval at the time of work application. It can be either an application by a pre-designated worker, for example, an application by an experienced and reliable worker, or a combination thereof.
In addition, if it is possible to prove to the development side approver that approval has been obtained in advance by telephone or the like, skip approval may be possible.

  Note that the work schedule registration unit 152 appropriately deletes, from the work schedule information, maintenance work that has passed the scheduled work date and time, and maintenance work that has already been completed, among the works registered in the work schedule information.

FIG. 9 is a data structure diagram of log information in the log holding unit 184.
In this embodiment, log information is created as a separate file for each worker. The access date / time column 240 indicates the date / time when the remote access control device 100 received a command transmitted from the work terminal 202 to the business information system. The command column 242 indicates the name of the transmitted command, the target column 244 indicates the command transmission destination, and the message column 246 indicates the message output from the managed device. In addition, command parameters, business information system names of access destinations, and the like may be recorded.
Note that the log recording unit 156 can also acquire the screen displayed on the work terminal 202 as video information, and can record it in the log holding unit 184 in association with time information and operation instruction information. For example, if the remote access control device 100 is a model that provides the user interface screen itself of the work terminal 202, the remote access control device 100 can record an operation such as movement or click of the operator's mouse as a moving image. However, in the present specification, such a moving image recording function is not particularly described in detail.

The log information shown in the figure corresponds to the release work of “application ID: 2” shown in FIG. First, an operator remotely logs in to the remote access control apparatus 100 by command A at 2:35 on October 14, 2006. Command A is a login command. At 2:38, the command B is transmitted to the load balancer of “node ID: 1”, and the web server that is the management target device of “node ID: 4” is excluded from the management target. Command B is a command for changing the management target of the load balancer. At 2:40, the load balancer has completed removal from the list of managed devices.
Thereafter, the web server is registered in the load balancer again after stopping the web server, updating the module, restarting, executing a plurality of types of tests, and checking the operation. After the above access, the operator logs out from the remote access control device 100 by command H at 3:45.
At 3:50 on the same day, the operator logs in to the remote access control device 100 again.

The type of maintenance work can be determined from the log information depending on what command is executed and in what order. This is because, as described in connection with SLA, a specific work procedure is set for the maintenance work according to the work type.
Alternatively, the work type can be specified by detecting a unique command for each maintenance work. For example, the command D for updating the module is a command specific to the release work. Therefore, when the command D is recorded between the login and the logout, it can be estimated afterwards that the release work has been executed.

Based on such log information, it is verified whether an unauthorized access or an access that is suspected of being unauthorized has occurred from the following three types of viewpoints.
1. Verification based on work application (hereinafter referred to as “application verification”)
The application verification unit 168 verifies whether the requested work content matches the actual work content based on the log information. For example, the application verification unit 168 detects an abnormality if the worker has transmitted a module update command even though the requested work is an investigation work. Alternatively, an abnormality may be detected if the command execution order assumed for the maintenance work that has been applied is not consistent with the order of commands in the maintenance work actually executed. Anomaly detection is also performed when remote login has not occurred at the scheduled work date and time, or when the user has not logged out after the scheduled work end time.

2. Verification based on SLA (hereinafter referred to as “contract verification”)
Conventionally, it has been difficult to confirm whether the execution conditions in the SLA are observed in the maintenance work of the business information system. The contract verification unit 172 verifies whether the execution conditions indicated in the SLA and the actual work content are compatible based on the log information. For example, for the release work, a processing procedure may be defined so that the management target device is removed from the load balancer and the work is started. In addition, in the case of a securities company business information system, after the software update is completed, it may be required to confirm the operation of a buy order, a sell order, and a contract confirmation for a predetermined brand. If such a procedure is not observed in the command in the executed work, the contract verification unit 172 detects an abnormality. In addition, if the contract content requires that a predetermined test operation must be executed 10 times or more per month, the contract verification unit 172 is abnormal when the number of test operations executed per month is less than 10 times. To detect.

3. Verification based on access tendency (hereinafter referred to as “trend verification”)
Maintenance work for business information systems is usually performed outside business hours, and there are times when access is likely to occur and times when it is difficult to occur. The trend recording unit 158 records such an access trend as trend information. The trend determination unit 170 compares the trend information with the log information and detects an access that is different from a general access trend. The tendency verification will be further described with reference to FIG.

In any case, the verification notification unit 144 notifies the development side approval terminal 204 and the operation side approval terminal 320 of the content of the abnormality detection. The access control unit 160 may forcibly block the communication path to the business information system when an abnormality is detected.
Note that log information for a plurality of workers, not for each worker, may be recorded in one file. Further, log information may be recorded for each management target device. There are various variations on how to collect log information.

FIG. 10A is a diagram in which the access amount is graphed based on the trend information.
In the present embodiment, the trend information is tabulated on a day-of-week basis, and further, for one day, 0: 00 to 6: 00, 6: 00 to 12: 00, 12: 00 to 18: 00, 18: 00 It is divided into four time zones of 24:00. The figure shows an average value of the number of commands transmitted to a certain management target device C in the past six months. According to the figure, the most commands are sent during the time zone from 18:00 to 24:00 on Friday, but no commands are sent during the time zone from 00:00 to 12:00 on Monday. . Access to the management target device C tends to concentrate on Wednesday morning and Friday night to Saturday morning.
In the figure, T ₂ is the upper limit verification value of the access quantity, T ₁ denotes a lower verification value.

FIG. 10B is a diagram in which the access amount is graphed based on the log information.
The figure shows the number of commands transmitted to the management target device C for the log information for the past week. In accordance with the trend information, the trend determination unit 170 classifies the log information for each day of the week, and further divides one day into four time zones and totals the access amount.
In the figure, V ₂ is the upper limit verification value of the access quantity, V ₁ denotes the lower limit verification value.
The trend determination unit performs the trend verification process by the following method based on T ₁ , T ₂ , V ₁ , and V ₂ .

The trend determination unit 170
1. In the trend information, the access amount is T ₂ or more, and in the log information, the access amount is V ₁ or less. It is detected whether there is a time zone in which the access amount is T ₁ or less in the trend information and the access amount is V ₂ or more in the log information. Above 1. Is a condition for detecting a time zone in which there is a possibility that maintenance work is not performed this week, although it is usually a time zone when the amount of access is large. Is a condition for detecting a time zone in which there is a possibility that an unauthorized access has occurred in a time zone where the access amount is usually small.
According to FIG. 10A and FIG. The above conditions apply on Fridays from 18:00 to 0:00, 2. This condition is Wednesday 18:00 to 0:00. Therefore, when such a time zone exists, an abnormality is detected.

  Note that the trend verification process may be executed only for a specific type of command, for example, a remote login command, instead of all commands. Further, trend verification may be performed not on the amount of commands but on the number of executions of a specific type of maintenance work. Alternatively, the trend verification may be limited to a specific worker or a specific business information system. With the time from login to logout as work time, trend verification may be performed based on the ratio of work time in each time zone. Further, the access tendency may be totaled not by day of the week, but by date, month, or any time zone such as business days and non-business days. As described above, whether or not the access content in the time zone in which the maintenance work is performed and the access tendency in the time zone can be determined based on various evaluation conditions.

FIG. 11 is another example of a sequence diagram showing the process of remote login processing to the business information system.
As shown in FIG. 6, access from the work terminal 202 is permitted after a determination process of user authentication, application determination, and approval determination (development-side approval and operation-side approval). However, the above-described skip approval may be performed, and approval may not be required for routine maintenance work. Such routine maintenance work is registered in the schedule information of the schedule holding unit 190. The schedule information has a data structure that does not include information on the application date column 214, the development side approval column 218, and the operation side approval column 224 in the data structure of the work schedule information.

In the figure, the contents of the processes indicated by S50 to S64 are the same as the contents of the processes denoted by the same reference numerals in FIG. 6, and therefore the description will focus on differences from the processes shown in FIG. First, when the user authentication is successful (S52), the access control unit 160 determines whether or not the maintenance work specifying the worker at the current time is registered in the schedule information (S70). If the maintenance work with the current time as the scheduled work time is registered in the schedule information (Y in S70), the process is skipped to S60 and the access permission is set. That is, for routine maintenance work, the worker can access the management target apparatus without applying for work. Of course, access to a managed device different from the managed device specified in the schedule information is not permitted.
As a modified example, when a routine system operation work is registered as schedule information in the schedule holding unit 190, the remote access control device 100 of the remote access control device 100 becomes a predetermined time before the work start time registered in the schedule information. An application automatic generation unit (not shown) may automatically generate work application information. Also by such a method, it is possible to make the management target apparatus accessible even when the worker does not apply for a routine work.

  Even if the work has been applied (Y in S54) and approved by the operation side (Y in S56) and the development side approval has not been obtained (N in S58), the maintenance work can be skip approved. If the skip notification unit 142 notifies the development side approval terminal 204 that the skip approval has been made (S74), the access permission setting is made (S60). Although not shown in the figure, if the development side approver has already rejected the work application in S58, the skip approval cannot be executed and the access is rejected (S62).

  The remote access control device 100 according to the present embodiment not only verifies the legitimacy of access to the business information system based on the log information, but also analyzes the log information in order to increase the efficiency of maintenance work in the contracting company. It also has a function to do. Such analysis of log information is executed by the state determination unit 174. The analysis of log information by the state determination unit 174 is executed from the following viewpoints.

1. Whether maintenance work of the same type has occurred by a plurality of workers in the same time zone. For example, in the time zone of 18:00 to 20:00 on Thursday, the worker D is the management target device E and the worker F is It is assumed that the management target device G and the worker H are performing maintenance work on the management target device I. Assume that all of these maintenance operations are test operations. In such a situation, for example, it is considered that the work efficiency is higher when the operator D performs the test work for the three managed devices together.

The state determination unit 174 refers to the log information or the trend information generated from the log information and determines whether there is a time zone in which the same work is duplicated among a plurality of workers. This can be detected by comparing log information for a plurality of workers. When the log information on a predetermined number, for example, two or more workers, is referred to and maintenance work of the same work type occurs in the same time zone, the verification notification unit 144 will check the time zone and related workers. The name, management target device name, work type, etc. are notified to the development side approval terminal 204 or the like.
In the trustee company, business efficiency can be improved by changing the division of roles among workers based on such notification.

2. Is the time required to perform the maintenance work too long? Usually, the maintenance work has a fixed procedure, so the work time can be estimated to some extent. The state determination unit 174 refers to the log information and detects a maintenance work whose work time exceeds a predetermined upper limit time. The verification notification unit 144 notifies the development-side approval terminal 204 of the execution date and time of the maintenance work, the name of the worker, the work content extracted from the log information, and the like. The work time may be measured, for example, as the time from when the login command is input until the logout command is input.
The trustee company can determine what kind of situation and what kind of worker maintenance work is inefficient based on such notification. The upper limit time may be provided according to the type of maintenance work, or may be provided for each worker. For example, if you are an experienced worker, set the upper time limit to a shorter time, and for inexperienced workers, set a longer upper time limit. It is possible to identify “too much maintenance work”.

3. For the same type of maintenance work, what is the variation in the work time by the worker? The state determination unit 174 is based on log information and trend information generated from the log information. Index how much time varies between workers. Simply, the average required time for each worker regarding the test work may be listed, or the average required time may be classified according to the years of experience and the position of the worker. For example, if the job title is low, workers with a short average required time may be listed as promotion candidates. The verification notification unit 144 notifies the development side approval terminal 204 of the verification result.
In the trustee company, the unit price per worker can be determined depending on how much work time is required by the worker to perform the same work. Further, if the worker who has a short work time required for the test work, that is, the worker who is used to the test work is preferentially assigned to the test work, it is possible to improve the work efficiency of the entire contracting company.

4). Whether or not there is an operator whose work time zone is biased The state determination unit 174 detects a work time zone for each worker based on log information and trend information generated from the log information. For example, it is assumed that the worker J tends to concentrate on Tuesday morning. The state determination unit 174 specifies a particularly high load time zone or a particularly low load time zone based on the upper limit verification values T ₁ and V ₁ and the lower limit verification values T ₂ and V ₁ . The verification notification unit 144 notifies the development-side approval terminal 204 of information related to the work time zone for each worker.
In the trustee company, the load on the worker J can be leveled by shifting a part of the worker's work on Tuesday morning to another time zone based on such notification. Such data is an objective and effective material for reviewing the operation schedule and SLA content, and thus contributes to improving the working environment of busy SE.

  Furthermore, it is assumed that the state determination unit 174 detects that the work by the worker K is not generated much in the morning on Tuesday when the worker J is busy. In this case, by transferring a part of the work on Tuesday morning of the worker J to the worker K, it is possible to distribute the load among the workers.

5. Is there a worker whose work is biased to a specific maintenance task? Normally, if only a test operation is performed, the worker becomes familiar with the test operation. However, on the other hand, skills may be biased to specific tasks. The state determination unit 174 detects an operator whose work content is biased based on log information or trend information generated from the log information. For example, referring to the trend information for each worker, it is assumed that a worker K in which the ratio of the test work is 70% or more among the maintenance work executed in a predetermined period is detected. The verification notification unit 144 notifies the development-side approval terminal 204 of the name of the worker whose work content is biased and the work type.
The trustee company can consider that the skills of the worker K are diversified by reviewing the duties of the worker K based on such notification. That is, it becomes easy to realize rational job rotation based on objective data. In the case of the above example, a part of the test work performed by the worker K may be transferred to the worker L who has not experienced the test work.

As described above, the state determination unit 174 can generate various data that contributes to the improvement of the business efficiency of the trustee company by analyzing the log information. The above data can also be used in combination. For example, when the work content is biased toward the test work and the time required for the test work is very short, it can be said that the worker is sufficiently proficient in the test work. In such a case, a part of the test work may be transferred to another worker. When the work load of the contracted company as a whole is high, the current work efficiency is improved by intensively assigning test work to workers who are proficient in the test work, and when the overall work load is low, By actively assigning the test work to workers who are not familiar with the test work, the work may be assigned so that future work efficiency can be improved.
As described above, the two purposes of directly improving business efficiency and improving future business efficiency can be balanced according to the situation in accordance with the analysis result of the log information by the state determination unit 174.

The remote access control device 100 has been described based on the embodiments.
In principle, the remote access control apparatus 100 is configured to easily prevent unauthorized access to the business information system because the double permission between the development side and the operation side is used as an access permission condition. With the operation of prior work application and approval at an arbitrary timing, security management of the business information system can be realized without putting an excessive psychological burden on the worker and the approver.
In addition, information that contributes to each decision of the development-side approver and the operation-side approver is selectively provided from the requested work content and related information, so the load associated with the approval decision of each approver is reduced. It can be further reduced.

  Furthermore, since approval for the development-side approver can be skipped depending on the situation, it is easy to cope with highly urgent maintenance work. Since the developer approver is notified that the skip approval has been made, the developer approver can check the work content afterwards. Further, if the routine maintenance work scheduled is not required to be applied for, it is possible to reduce the burden on the operator.

  The remote access control device 100 can record an access history as log information, and can index a long-term access tendency as trend information from the log information. It is possible to verify whether the maintenance work is normally performed in view of the applied work contents, trend information, work conditions indicated in the SLA, and the like. In particular, in the past, it was difficult to verify that the SLA was observed even if the SLA was exchanged. Since the contract verification unit 172 of the remote access control device 100 can compare and verify the actual work performed with the SLA, the contracting company externally confirms that its own business information system is properly maintained. It will be easier to prove. In addition, the mechanism that makes it easy to prove that the SLA is being observed has an effect that the contracting company can easily appeal that it can provide high-quality services.

  Furthermore, the remote access control device 100 can contribute to the improvement of business efficiency in the trustee company by actively utilizing the log information. As described above, by examining the workload and skills of workers from various perspectives, the work efficiency of the entire contracting company is maximized even at sites where a large number of workers manage many business information systems. It becomes easy to take measures for.

  In addition, the remote access control apparatus 100 can centrally manage access to a plurality of business information systems. Therefore, it is easy to apply a uniform access policy to a plurality of business information systems. In the present embodiment, the maintenance work will be described focusing on a one-to-one relationship such as the consigning company A and the consigning company B, but the consigning company B undertakes maintenance work for a plurality of consigning companies. The same applies to the case. For example, suppose company B is undertaking maintenance work not only for company A but also for the business information system of company M. In this case, the worker of the company B uses the remote access control apparatus 100 corresponding to the access destination company, out of the remote access control apparatus 100 for the company A and the remote access control apparatus 100 for the company M. Access the business information system. Further, by collecting the log information of the remote access control device 100 for company A and the remote access control device 100 for company M, the log information for company B can be verified.

  In this embodiment, the server, database, and the like in the business information system have been described as management target devices. However, the present invention is not limited to the business information system, but can be applied to remote maintenance of general communication devices such as routers.

  In the above, this invention was demonstrated based on the Example. The embodiments are exemplifications, and it will be understood by those skilled in the art that various modifications can be made to combinations of the respective constituent elements and processing processes, and such modifications are within the scope of the present invention. .

The function of the approval input unit described in the claims is mainly realized by the approval receiving unit 124 in this embodiment. The function of the work request receiving unit described in the claims is mainly realized by the work communication unit 136 in the present embodiment. The first threshold value and the second threshold value described in the claims are expressed as T ₁ and V ₂ in the present embodiment, and the third threshold value and the fourth threshold value described in the claims are the present values. In the embodiment, it is expressed as T ₂ and V ₁ .
In addition, it should be understood by those skilled in the art that the functions to be fulfilled by the constituent elements described in the claims are realized by the individual functional blocks shown in the present embodiment or their linkage. .

Various aspects of the invention grasped from the above embodiments and modifications will be exemplified below in the form including those already described in the claims.
First, the following invention is grasped in relation to the process of approval on the development side and approval on the operation side.

A1. Connected to each of the management target device and a work terminal that performs a system operation of the management target device by transmitting a control command based on a user operation,
From the work terminal, a work application receiving unit that receives work application information including designation of a person who is scheduled to perform a system work performed by a system operation;
To the development side approval terminal of the development side approver who judges whether system work can be performed as the development side manager, the development side application unit that sends the work application information,
From the development-side approval terminal, a development-side approval receiving unit that receives development-side approval information indicating approval / disapproval for the work application information;
An operation side application unit that transmits the work application information to an operation side approval terminal of an operation side approver who determines whether or not system work can be performed as an operation side person in charge;
From the operation side approval terminal, an operation side approval receiving unit that receives operation side approval information indicating approval / disapproval of the work application information;
A work request receiving unit that receives a work execution request including designation of a person who is scheduled to perform system work from the work terminal;
Referring to the work schedule information, it is determined whether or not the system work for the execution person designated in the work execution request has been approved by each of the development side approver and the operation side approver. An approval determination unit to
An access control unit that transfers a control command transmitted from the work terminal to the management target device, with the access permission condition being approved by both the development-side approver and the operation-side approver,
A remote access control device comprising:

  A2. The access control unit is a control transmitted from the work terminal when an application for a system work is made with a setting capable of skipping approval by the development-side approver, regardless of whether the development-side approver has approved. The remote access control device according to A1, wherein the command is transferred to the management target device.

A3. A post-notification unit for notifying the development-side approval terminal that the skip is made when the development-side approver skips the approval and the access to the management target device is permitted;
The remote access control device according to A1 or A2, further comprising:

A4. The development side application unit extracts a part of the information that contributes to the judgment of the development side approver from the work application information and transmits it to the development side approval terminal,
The operation side application unit extracts information of a part different from the part from the work application information as information that contributes to the determination of the operation side approver and transmits it to the operation side approval terminal. The remote access control device according to any one of A1 to A3.

A5. A related information holding unit for holding related information for information included in the work application information,
The development-side application unit selects relevant information that contributes to the judgment of the development-side approver from the related information of the work application information, and transmits it to the development-side approval terminal.
The operation side application unit selects related information different from the selected related information from the related information of the work application information as information contributing to the determination of the development side approver and transmits the selected information to the operation side approval terminal The remote access control device according to any one of A1 to A4, wherein:

A6. Connected to each of the management target device and a work terminal that performs a system operation of the management target device by transmitting a control command based on a user operation,
From the work terminal, a work application receiving unit that receives work application information including designation of a person who is scheduled to perform a system work performed by a system operation;
An approval input unit that accepts input of approval / disapproval for the applied system work,
A work schedule registration unit for registering the requested system work in the work schedule information together with its approval status;
A work request receiving unit that receives a work execution request including designation of a person who is scheduled to perform system work from the work terminal;
An approval determination unit that refers to the work schedule information and determines whether or not the system work for the scheduled execution person specified in the work execution request has been approved;
An access control unit that transfers a control command transmitted from the work terminal to the management target device as an access permission condition that it is approved;
A schedule holding unit that holds schedule information in which a work execution schedule for the management target device is determined in advance;
The access control unit transfers a control command transmitted from the work terminal to the management target device regardless of whether or not the system work registered in advance in the schedule information has been approved. Remote access control device.

  Moreover, the following invention is grasped | ascertained regarding the improvement of work efficiency.

B1. Connected to a work terminal and a plurality of managed devices that perform system operation of the managed device by transmission of a control command based on a user's operation,
A work request receiving unit for receiving a work execution request for a system work executed by a system operation from the work terminal together with designation of a scheduled work person and a management target device to be a work target;
After receiving the work execution request, an access control unit that transfers a control command transmitted from the work terminal to the management target device specified by the work execution request;
A log recording unit for recording the contents of the system operation executed by the control command as log information;
A work verification unit that refers to the log information and determines whether or not the same system work is generated by a plurality of workers in the same time zone;
A verification notification unit for notifying an external device of a worker performing the same system work in the same time zone;
A remote access control device comprising:

B2. Connected to the work terminal and the management target device for operating the system of the management target device by transmitting a control command based on a user operation,
A work request receiving unit for receiving a work execution request for a system work executed by a system operation from the work terminal together with a designated work person;
An access control unit that transfers a control command transmitted from the work terminal to the management target device after receiving the work execution request;
A log recording unit for recording the contents of the system operation executed by the control command as log information;
Referring to the log information, a work verification unit for detecting system work whose work time is longer than a predetermined upper limit time;
A verification notification unit for notifying an external device of the detected system work and the worker;
A remote access control device comprising:

B3. A time limit is set for each of multiple types of system work,
The remote access control apparatus according to B2, wherein the work verification unit determines whether the system work detected from the log information is longer than a corresponding upper limit time.

B4. Connected to the work terminal and the management target device for operating the system of the management target device by transmitting a control command based on a user operation,
A work request receiving unit for receiving, from the work terminal, a work execution request for a system work to be executed by a system operation together with a designated work person;
An access control unit that transfers a control command transmitted from the work terminal to the management target device after receiving the work execution request;
For each of a plurality of workers capable of performing system work, a log recording unit that records the contents of the system operation executed by the control command as log information;
With reference to the log information, for the same work, a work verification unit that indexes variation in work time among the plurality of workers,
A remote access control device comprising:

B5. Connected to the work terminal and the management target device for operating the system of the management target device by transmitting a control command based on a user operation,
A work request receiving unit for receiving, from the work terminal, a work execution request for a system work to be executed by a system operation together with a designated work person;
An access control unit that transfers a control command transmitted from the work terminal to the management target device after receiving the work execution request;
For each of a plurality of workers capable of performing system work, a log recording unit that records the contents of the system operation executed by the control command as log information;
With reference to the log information, for a predetermined worker, a work verification unit that indexes the deviation of the work time zone,
A remote access control device comprising:

  B6. The work verification unit refers to log information about a plurality of workers, detects a time zone in which the number of control commands transmitted for the first worker is greater than a first threshold, and in that time zone The remote access control device according to B5, wherein a second user in which the number of control commands transmitted is smaller than a second threshold is specified.

B7. Connected to the work terminal and the management target device for operating the system of the management target device by transmitting a control command based on a user operation,
A work request receiving unit for receiving a work execution request for a system work executed by a system operation from the work terminal together with a designated work person;
An access control unit that transfers a control command transmitted from the work terminal to the management target device after receiving the work execution request;
For each of a plurality of users capable of performing system work, a log recording unit that records the contents of the system operation executed by the control command as log information;
A work verification unit that refers to the log information and indexes the bias of the type of system work executed by a predetermined user;
A remote access control device comprising:

It is a hardware block diagram which shows the relationship between a remote access control apparatus and various business information systems. It is a sequence diagram which shows the processing process about the application and approval of work. It is a figure which shows the application screen displayed on a work terminal. It is a figure which shows the development side approval screen displayed on a development side approval terminal. It is a figure which shows the operation side approval screen displayed on an operation side approval terminal. It is an example of the sequence diagram which shows the process of the remote login process to a business information system. It is a functional block diagram of a remote access control apparatus. It is a data structure figure of work schedule information in a work schedule holding part. It is a data structure figure of the log information in a log holding part. (A) It is the figure which graphed the access amount based on tendency information. (B) It is the figure which graphed the access amount based on log information. It is another example of the sequence diagram which shows the process of the remote login process to a business information system.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 100 Remote access control apparatus, 110 User interface processing part, 120 Application communication part, 122 Work application receiving part, 124 Approval receiving part, 126 Development side approval receiving part, 128 Operation side approval receiving part, 130 Application sending part, 132 Development side Application transmission unit, 134 Operation side application transmission unit, 136 Work communication unit, 140 Notification unit, 142 Skip notification unit, 144 Verification notification unit, 150 Data processing unit, 152 Work schedule registration unit, 154 Work recording unit, 156 Log recording unit 158 Trend recording unit, 160 Access control unit, 162 Approval determination unit, 164 Work verification unit, 166 Abnormality determination unit, 168 Application verification unit, 170 Trend determination unit, 172 Contract verification unit, 174 Status determination unit, 176 User authentication unit 180 data retention 182 Work schedule holding unit, 184 Log holding unit, 186 Trend holding unit, 188 Contract holding unit, 190 Schedule holding unit, 192 Related information holding unit, 194 User information holding unit, 200 Maintenance execution environment, 202 Work terminal, 204 Development side approval terminal, 250 application screen, 270 Development side approval screen, 300 operating environment, 320 operation side approval terminal, 340 operation side approval screen.

Claims (9)

Connected to each of the management target device and a work terminal that performs a system operation of the management target device by transmitting a control command based on a user operation,
From the work terminal, a work application receiving unit that receives work application information including a person who is scheduled to perform a system work that is a work executed by a system operation and designation of the contents of the system work;
An approval input unit that accepts input of approval / disapproval for the applied system work,
A work schedule registration unit for registering the requested system work in the work schedule information together with its approval status;
A work request receiving unit that receives a work execution request including designation of a person who is scheduled to perform system work from the work terminal;
An approval determination unit that refers to the work schedule information and determines whether or not the system work for the scheduled execution person specified in the work execution request has been approved;
An access control unit that transfers a control command transmitted from the work terminal to the management target device as an access permission condition that it is approved;
A log recording unit for recording the contents of the system operation executed by the control command as log information;
A work verification unit that compares the work schedule information with the log information to determine whether the executed system work content is within the scope of the requested system work content;
A remote access control device comprising: The work application receiving unit receives the work application information including designation of a scheduled work period,
The log recording unit records the log information including an execution date and time of system work,
2. The remote access according to claim 1, wherein the work verification unit compares the work schedule information with the log information to determine whether or not a system work is being performed within a work schedule period. Control device. Connected to each of the management target device and a work terminal that performs a system operation of the management target device by transmitting a control command based on a user operation,
A work request receiving unit for receiving a work execution request including designation of a person who is scheduled to perform a system work, which is a work executed by a system operation, from the work terminal;
An access control unit that transfers a control command transmitted from the work terminal to the management target device after receiving the work execution request;
A log recording unit for recording the contents of the system operation executed by the control command as log information;
A work trend recording unit that records an access trend to the management target device as trend information;
A work verification unit that refers to the trend information and the log information, and determines whether or not the access content in the time zone in which the system work is performed and the access tendency in the time zone are based on a predetermined evaluation condition;
A remote access control device comprising: From the work terminal, a work application receiving unit that receives work application information including designation of a person who is scheduled to perform system work;
An approval input unit that accepts input of approval / disapproval for the applied system work,
A work schedule registration unit for registering the requested system work in the work schedule information together with its approval status;
An approval determination unit that refers to the work schedule information when the work execution request is received, and determines whether or not the system work for the scheduled execution person specified in the work execution request has been approved; Further comprising
The remote access control device according to claim 3, wherein the access control unit transfers a control command transmitted from the work terminal to the management target device using an access permission condition as approval. .   According to the trend information, the work verification unit has a larger number of control commands than the second threshold according to the log information in a time zone when the number of control commands transmitted is smaller than the first threshold. 5. The remote access control apparatus according to claim 3 or 4, wherein it is determined that the access content and the access tendency are incompatible.   According to the trend information, the work verification unit has a smaller number of control commands transmitted than the fourth threshold value according to the log information in a time zone in which the number of control commands transmitted is larger than the third threshold value. 6. The remote access control apparatus according to claim 3, wherein it is determined that the access content and the access tendency are in an inconsistent relationship. Connected to each of the management target device and a work terminal that performs a system operation of the management target device by transmitting a control command based on a user operation,
As a maintenance contract for the managed device, a contract holding unit that holds execution condition information that defines execution conditions related to the contents of system work executed by system operation;
A work request receiving unit for receiving a work execution request for system work from the work terminal;
An access control unit that transfers a control command transmitted from the work terminal to the management target device after receiving the work execution request;
A log recording unit for recording the contents of the system operation executed by the control command as log information;
A work verification unit that compares the execution condition information with the log information and determines whether the executed work content satisfies the execution condition related to the content of the system work;
A remote access control device comprising: From the work terminal, a work application receiving unit that receives work application information including designation of a person who is scheduled to perform system work;
An approval input unit that accepts input of approval / disapproval for the applied system work,
A work schedule registration unit for registering the requested system work in the work schedule information together with its approval status;
An approval determination unit that refers to the work schedule information when the work execution request is received, and determines whether or not the system work for the scheduled execution person specified in the work execution request has been approved; Further comprising
The remote access control device according to claim 7, wherein the access control unit transfers a control command transmitted from the work terminal to the management target device using an approval as an access permission condition. . In the execution condition information, the number of accesses of a predetermined system operation in a specified period is defined,
The remote access control according to claim 7 or 8, wherein the work verification unit determines whether or not the predetermined system operation has been executed more than the access times in the designated period with reference to the log information. apparatus.

Images