JP2009080561A - External device management system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an external device management system incapable of using a USB memory or the like outside a use range thereof. <P>SOLUTION: This external device management system has: an operation log information receiving part for receiving operation log information in each client terminal; a use range information setting part for acquiring attribute information of a user, based on user identification information in the operation log information from the client terminal, and for setting use range information of an external device, using the acquired attribute information of the user; and a use propriety determination part for acquiring the attribute information of the user, based on the user identification information in the operation log information from the client terminal, and for determining the use propriety of the external device, by comparing the acquired attribute information of the user with the use range information of the external device. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

The present invention determines the range of use of an external recording medium such as a USB memory (portable semiconductor storage device) or a computer terminal by using operation log information, thereby determining the range of use of the external recording medium or computer terminal. The present invention relates to an external device management system that makes it impossible to use beyond that.

  Organizations such as companies take various measures to prevent information leakage from the organization. For example, there is a method of preventing information leakage by setting access authority to a file containing personal information or confidential information so that only a user having the authority can access the file. The following Patent Document 1 and Patent Document 2 exist as such conventional techniques.

  There are various causes for the occurrence of information leakage, but the most common reason is that a malicious third party copies a file used for business, etc., to an external recording medium such as a USB memory. This is the case where a file used for business or the like is copied to a personal computer terminal from a file server or client terminal and the file is leaked to the outside.

  Such a case cannot be prevented by a simple access authority check as described above. This is because a user who has access rights to a file may perform the actions described above, and generally the password used for the file is often not complicated, and the third party who obtained the file must enter the password. This is because it may be deciphered.

  Therefore, as described in Patent Document 3 below, there exists a system that prevents a predetermined fraud from being performed in the first place. That is, it is a system that prevents information leakage by making it impossible to perform operations such as file copying to an external recording medium or a computer terminal. In addition to Patent Document 3, there is a case where a method of uniformly prohibiting use of an external recording medium such as a USB memory in terms of software or hardware may be employed.

  In the case of Patent Document 3, by setting a file copy operation to an external recording medium or a computer terminal as an illegal act, such an operation cannot be performed uniformly, which is beneficial from the viewpoint of preventing information leakage. It is. Also, in the method of prohibiting the use of an external recording medium such as a USB memory in terms of software and hardware, the external recording medium cannot be used, which is beneficial from the viewpoint of preventing information leakage.

  However, an external recording medium such as a USB memory can easily carry information and use the information on another computer terminal. Therefore, it is highly convenient, and it is prohibited to use the information uniformly as described above. In some cases, business efficiency may decrease.

  For example, in the case of the development department, a single user uses a computer terminal that performs normal work and a computer terminal for experimental environment, and the computer terminal for experimental environment is directly connected to the computer terminal for normal work via the network. There are many cases where data cannot be transferred. When transferring files from a computer terminal that conducts normal work to a computer terminal for an experimental environment, apply to the department in charge of system management in advance for permission to use an external recording medium such as a USB memory. The file is moved using an authorized USB memory.

JP 2000-29751 A JP 2006-23924 A JP 2005-222216 A

  As described above, in the past, too much emphasis was placed on information leakage. In general, external recording media such as USB memories are uniformly prohibited from being used. Even in exceptional cases, the USB memory to be used must be pre-installed in the system. I had to apply to the department that oversees management, which was extremely complicated.

  Therefore, as in the past, an external recording medium such as a USB memory can be used without performing a complicated procedure such as application to the department in charge of system management in advance, while information from the external recording medium can be used within an appropriate range. A security system that can prevent leakage is desired. That is, a management system that solves the conflicting problems of ease of daily work and prevention of information leakage is desired.

  In addition, an external recording medium such as a USB memory may be shared between users in the same department. In that case, after a user stores a confidential file in the USB memory, another user may use the same USB memory. If the confidential level of the confidential file stored by the first user is high and the user forgets to delete the confidential file from the USB memory after use, another user who uses the same USB memory later Even if there is no authority to access the confidential file, the confidential file stored in the USB memory can be accessed. This is because, in the conventional access authority management as described above, the secret level is not reflected when the secret file is copied to the USB memory. Even if it is reflected, it is necessary to perform a task for setting the confidential level separately for the confidential file. Even if it is automatically reflected, there is a file with a high confidential level in the USB memory. It is known that it is remembered. This is a security problem.

  As described above, in the above-described conventional management system, even users in the same department may be able to access files that cannot be accessed by themselves because of different access rights. Therefore, when a file is stored in an external recording medium such as a USB memory, the access authority level of the user who has stored the file in the external recording medium such as a USB memory is preferably set in the external recording medium itself. However, such a management system does not exist and is awaited.

  In view of the above problems, the present inventor has made the following invention.

  The invention of claim 1 is an external device management system that determines whether or not an external device can be used by using operation log information in a client terminal, and the external device management system receives operation log information in each client terminal. Based on the user identification information in the operation log information receiving unit and the operation log information from the client terminal, the attribute information of the user is acquired, and the use range information of the external device is set using the acquired attribute information of the user. Based on the use range information setting unit and user identification information in the operation log information from the client terminal, acquire the attribute information of the user, and compare the acquired attribute information of the user with the use range information of the external device An external device management system having an availability determination unit that determines whether or not the external device can be used. .

  By configuring as in the present invention, it is possible to determine the use range information of the external device from the operation log information, and to determine whether or not the external device can be used based on it. As a result, the external device can be automatically used in an appropriate range without applying for an external device such as a USB memory in advance.

  The invention of claim 2 is an external device management system that determines whether or not an external device can be used by using operation log information in a client terminal, and the external device management system receives operation log information in each client terminal. An operation log information receiving unit, a user information storage unit that stores attribute information including at least information used for determination of access authority in association with user identification information, and at least an external device identification information and usage range information are stored. Based on the user identification information in the operation log information when the file is stored in the external device received from the external device information storage unit and the client terminal, the attribute information of the user is acquired from the user information storage unit, The acquired attribute information is used as the usage range information of the external device, and is stored in the operation log information. Based on the use range information setting unit stored in the external device information storage unit in association with the device identification information, and the identification information of the external device received from the client terminal connected to the external device or the external device, The usage range information of the external device is acquired from the external device information storage unit, and the user attribute information of the user is received based on the user identification information received from the client terminal connected to the external device or the external device. An availability determination unit that acquires from an information storage unit and determines whether or not the client terminal connected to the external device or the external device is usable using the acquired usage range information of the external device and user attribute information; Is an external device management system.

  The above-described invention can also be configured as in the present invention, and an equivalent technical effect can be obtained.

  In the invention of claim 3, the use range information setting unit further stores the acquired use range information in the external device information storage unit in association with the identification information of the external device. When the usage range information stored in the device information storage unit is stored, the usage range information already stored is compared with the acquired usage range information, and the strict usage range information is stored in the external device. The external device management system stores information in the external device information storage unit in association with identification information.

  A plurality of files may be stored in the external device. In such a case, a plurality of users may be using the external device. Then, it is possible to improve the security by setting the strictest usage range information among the usage range information of the file stored in the external device as the usage range information of the external device.

  The invention according to claim 4, wherein the availability determination unit further receives, from the client terminal connected to the external device, operation log information indicating that the external device is connected to the client terminal. When the information is received by the operation unit, the user device information is acquired from the external device information storage unit based on the identification information of the external device included in the operation log information, and the user identification included in the operation log information is acquired. Based on the information, the attribute information of the user is acquired from the user information storage unit, and the client terminal connected to the external device or the external device using the acquired usage range information of the external device and the attribute information of the user An external device management system for determining whether or not a device can be used.

  The determination of whether or not an external device can be used can be configured as in the present invention. That is, by receiving the information as operation log information from the client terminal connected to the external device and performing processing based on the identification information of the external device and the user identification information in the operation log information, it is possible to easily determine whether or not the device can be used. realizable.

  6. The invention of claim 5, wherein the availability determination unit further transmits a determination result to the client terminal connected to the external device or the external device, and the client terminal connected to the external device or the external device. Is an external device management system that, upon receiving a determination result of availability from the external device management system, controls the availability of the external device according to the determination result.

  By using the present invention, it becomes possible to execute control according to the determination result of availability on the client terminal or the external device itself.

  7. The external device management according to claim 6, wherein when the client terminal connected to the external device or the external device cannot be connected to the external device management system, the external device management is performed so as not to permit use of the external device. System.

  In the first place, there are cases where it is not possible to make an inquiry to the external device management system from the client terminal connected to the external device or the external device itself. This is because an external device management system generally has a configuration that does not accept external access through a firewall or the like in order to prevent unauthorized access. For this reason, when the external device management system cannot be accessed in the first place, it is preferable that the external device is regarded as being in a use-disallowed state and the use-disapproval control is performed.

  8. The invention according to claim 7, wherein when the operation log information is received by the operation log information receiving unit when the file is deleted from the external device, the use range information setting unit further includes the external device in the operation log information. The operation log information storage unit stores operation log information indicating that the file is stored in the external apparatus, other than operation log information indicating that the deleted file is stored in the external apparatus based on the identification information of Based on the user identification information in each acquired operation log information, obtain the attribute information of those users from the user information storage unit, and set the strictest user attribute information as the usage range information of the external device The external device management system stores the information in the external device information storage unit in association with the identification information of the external device.

  Files may be deleted from external devices. In that case, it is preferable to appropriately change the use range information of the external device accordingly.

  In the invention according to claim 8, the external device management system further determines that each client terminal displayed on a display device of a predetermined computer terminal when the user determines that the external device cannot be used. The external device management system includes a warning notification unit that highlights the determined operation screen information of the user among the operation screen information.

  By configuring as in the present invention, an administrator or the like who monitors the display screen of the list of operation screen information of each client terminal confirms the unauthorized operation of the user by confirming the highlighted display. Can be allowed to monitor.

  The invention according to claim 9 is an external device management system that determines whether or not an external device can be used by using operation log information in a client terminal, wherein the external device management system receives operation log information in each client terminal. An operation log information receiving unit; a user information storage unit that stores attribute information including at least information used to determine access authority in association with user identification information; external device access target identification information and use range information of an external device; An external device information storage unit for storing at least the user attribute information of the user based on user identification information in the operation log information received from the client terminal when the file is stored in the external device And using the acquired attribute information as usage range information of the external device, The usage range information setting unit stored in the external device information storage unit in association with the external device access target identification information of the external device in the operation log information, received from the client terminal connected to the external device or the external device, Based on the external device access target identification information, the usage range information of the external device is acquired from the external device information storage unit, and the user identification information received from the client terminal connected to the external device or the external device is included in the user identification information. Based on the acquired attribute information of the user from the user information storage unit, and using the acquired usage range information of the external device and the attribute information of the user, the client terminal connected to the external device or the external device An external device management system having an availability determination unit for determining availability.

  Instead of performing processing based on identification information for identifying the external device itself as in the second aspect of the invention, as in the present invention, an external device connected to the external device (for example, a USB terminal) Further, the processing can be executed based on the external device access target identification information for identifying the drive name and the like.

  The invention of claim 10 is an external device management system that determines whether or not a portable semiconductor memory device can be used by using operation log information in a client terminal, and the external device management system receives an operation log from each client terminal. An operation log information receiving unit that receives information, a user information storage unit that stores attribute information including at least information used to determine access authority, in association with user identification information, identification information of a portable semiconductor memory device, and Indicates that an external device information storage unit that stores at least usage range information of a portable semiconductor storage device and a file stored in the portable semiconductor storage device as operation contents among operation log information received from the client terminal About the operation log information that contains the information, the user identification information and the portable type from the operation log information Conductor storage device identification information is extracted, based on the extracted user identification information, attribute information corresponding to the user identification information is acquired from the user information storage unit, and the acquired attribute information is used by the external device. Among the operation range information received from the client terminal as the operation content, as the range information, the usage range information setting unit stored in the external device information storage unit in association with the extracted identification information of the portable semiconductor storage device In the case of operation log information including information indicating that the portable semiconductor storage device is connected to the client terminal, the identification information and user identification information of the portable semiconductor storage device are extracted from the operation log information. Based on the extracted identification information of the portable semiconductor memory device, the use range information of the portable semiconductor memory device is stored in the external device information storage unit. Based on the acquired user identification information, the attribute information of the user is acquired from the user information storage unit, and by comparing the usage range information of the acquired portable semiconductor storage device with the attribute information of the user, A portable semiconductor memory device comprising: a usability judgment unit that judges whether or not the portable semiconductor memory device can be used and transmits a determination result to a client terminal connected to the portable semiconductor memory device. Connected to the external device management system receives the determination result of availability from the external device management system, and when the determination result indicates permission to use, performs control to permit access to the portable semiconductor memory device, and the determination result is not used. In the case of permission, it is an external device management system that performs control to deny access to the portable semiconductor memory device.

  In the case where the external device is a portable semiconductor memory device such as a USB memory, the same technical effects as those of the above-described invention can be obtained even if configured as in the present invention.

  The invention of claim 11 is an operation log information receiving unit that receives operation log information in each client terminal, acquires attribute information of the user based on user identification information in operation log information from the client terminal, Use range information setting unit that sets the use range information of the external device using the acquired user attribute information, acquires the user attribute information based on the user identification information in the operation log information from the client terminal, and acquires This is an external device management program that functions as an availability determination unit that determines the availability of the external device by comparing the attribute information of the user and the usage range information of the external device.

  The external device management system according to claim 1 can be realized by causing the computer terminal to read and execute the security program of the present invention.

  The invention of claim 12 is an external device management program for causing a computer terminal having a storage device and a computing device to function, wherein the storage device includes attribute information including at least information used for determination of access authority, as user identification A user information storage unit that stores the information in association with information, and an external device information storage unit that stores at least identification information and usage range information of the external device. Based on user identification information in the operation log information received from the client terminal and stored in the external device, the log information is received from the operation log information receiving unit, the attribute information of the user of the storage device Acquired from the user information storage unit, and the acquired attribute information is used as the usage range information of the external device. A use range information setting unit to be stored in the external device information storage unit of the storage device in association with identification information of the external device in the information; and the external device received from the client terminal connected to the external device or the external device Based on the identification information, the usage range information of the external device is acquired from the external device information storage unit of the storage device, and is received from the client terminal connected to the external device or the external device, based on the user identification information And acquiring the user attribute information from the user information storage unit of the storage device, and using the acquired usage range information of the external device and the user attribute information, the client terminal connected to the external device or the An external device management program comprising: an availability determination unit that determines whether or not an external device can be used.

  The external device management system according to claim 2 can be realized by causing the computer terminal to read and execute the security program of the present invention.

  The operation range information is used by the external device management system of the present invention to set a use range for the external device. If the user is within the use range, the external device can be used. Can be disabled. Even if the external device is lost by this, the third party who acquired it cannot use the file recorded there on his computer terminal, while employees are lent by the company It is possible to copy to a laptop computer via an external device.

  Thus, according to the external device management system of the present invention, it is possible to achieve both the prevention of information leakage and the ease of daily work.

  Further, by using the present invention, since information on the range of use of the external device is stored in the external device information storage unit, information such as which department is used can be found.

Further, since the use range of the external recording medium is set according to the access authority level (attribute information) of the user who has stored the file in the external recording medium, the access is lower than the access authority level (attribute information) of the user. Users with authority levels (attribute information) cannot use the external recording medium. Therefore, even when an external recording medium is shared between users in the same department, it is possible to prevent information leakage.

  An overall conceptual diagram of the external device management system 1 of the present invention is shown in FIG. A conceptual diagram of the system configuration of the external device management system 1 of the present invention is shown in FIG.

  The external device management system 1 of the present invention is such that a predetermined program is read and processed in a computer terminal or server (hereinafter referred to as “management server 2”) used by an administrator who manages each client terminal 3. Realized. The management server 2 preferably records what program is being executed in each client terminal 3, what operation has been performed, and the like. Therefore, each client terminal 3 has information such as the program name and file name executed on the client terminal 3 periodically or at a predetermined timing such as when a new program or file is executed or terminated. The client terminal 3 has a function of transmitting information on the program name and file name to the management server 2. The function of transmitting program name and file name information can be extracted by extracting the program name and file name being executed by the arithmetic unit 20 of the client terminal 3, or by extracting and transmitting the program name and file name in the memory. Good. That is, so-called operation log information may be transmitted from the client terminal 3 to the management server 2. In the present specification, programs, files, data, and the like are collectively referred to as “files”.

  The management server 2 and the client terminal 3 store an arithmetic device 20 such as a CPU that executes program arithmetic processing, a storage device 21 such as a RAM or a hard disk that stores information, processing results of the arithmetic device 20, and the storage device 21. And a communication device 24 that transmits and receives information to be transmitted and received via a network such as the Internet or a LAN. Each function (each unit) realized on the computer is executed when a unit (program, module, etc.) for executing the process is read into the arithmetic unit 20. When using the information stored in the storage device 21 in the processing, each function reads the corresponding information from the storage device 21 and uses the read information for processing in the arithmetic device 20 as appropriate. The computer may include an input device 23 such as a keyboard, a mouse, and a numeric keypad, and a display device 22 such as a display (screen). FIG. 3 schematically shows an example of the hardware configuration of the management server 2. Further, the management server 2 may have its functions distributed in a plurality of computer terminals or servers.

  Each means in the present invention is only logically distinguished in function, and may be physically or practically the same area.

  The management server 2 includes an operation log information receiving unit 4, an operation log information storage unit 5, a user information setting unit, a user information storage unit 7, a usage range information setting unit 8, an external device information storage unit 9, and a usability determination unit 10. Have

  The operation log information receiving unit 4 receives operation log information in the client terminal 3 from each client terminal 3 regularly or irregularly. The received operation log information is stored in an operation log information storage unit 5 (to be described later) together with the date and time and information for identifying which client terminal 3 is the operation log information. Note that the operation log information may be information indicating the operation content in each client terminal 3, for example, information indicating a user operation of the client terminal 3 such as “file copy”, “file selection”, “drive addition”, and the like. Is applicable. When the management server 2 receives operation log information from each client terminal 3, it may be received via a network, or the operation log information is recorded on a recording medium such as a DVD in the client terminal 3, and the recording medium is stored in the recording medium. It may be read by the management server 2 and received by reading operation log information therefrom.

  The operation log information storage unit 5 stores the operation log information received from each client terminal 3 by the operation log information receiving unit 4. The operation log information includes information for identifying the client terminal 3, information indicating the operation content, the name of the file or application that is the operation target of the operation content, information indicating the location of the file or application, date and time, and numerical values. Information is included. FIG. 5 shows an example of operation log information. The operation log information is preferably stored for each client terminal 3 or each user (login name or the like). In addition, when associating the information indicating the operation content with the date and time, it may be performed at the client terminal 3, may be performed when the operation log information is received by the management server 2, or an operation log information storage unit This may be done when storing in step 5. FIG. 6 shows an example of the operation log information storage unit 5. FIG. 6 shows a case where operation log information is stored for each computer name (3 client terminals).

  The user information acquisition unit 6 monitors the operation log information received by the operation log information receiving unit 4, and stores the operation log information received by the operation log information receiving unit 4 and the operation log information storage unit 5. For the operation log information, it is determined whether the operation content of the operation log information is information indicating that the file is stored in the external device, and in the case of information indicating that the file is stored in the external device, The user identification information of the user who performed the operation is extracted from the operation log information, and the attribute information of the user is acquired from the user information storage unit 7 (described later) based on the user identification information.

  The user information storage unit 7 stores user attribute information in association with user identification information. In this attribute information, information that can be used for determining access authority and information indicating user attributes are stored, for example, information indicating a department, job title, and access authority (for example, “level 1”, “level 3”). Etc.). FIG. 7 schematically shows an example of the user information storage unit 7.

  In the case of the operation log information in FIG. 6, the operation content and the storage location are referred to in the operation log information, the operation content is “paste file”, for example, and the storage location is “removable disk”, for example. In this case, it can be determined that the file is stored in the external device. In this case, the user information acquisition unit 6 extracts user identification information (“login name” in FIGS. 5 and 6, but any information that can identify the user may be used) from the operation log information. To do. For example, user identification information “12345” is extracted. And from the user information storage part 7 (refer FIG. 7), the information used for determination of access authority, such as a affiliation and a title, is acquired as attribute information of the said user (user identification information "12345").

  The use range information setting unit 8 includes, in the operation log information received from each client terminal 3 by the operation log information receiving unit 4 and the operation log information stored in the operation log information storage unit 5, as a content of the operation, When the operation content indicating storage is included, the use range information for the external device is set using the user attribute information acquired by the user information acquisition unit 6. The set use range information is stored in the external device information storage unit 9 in association with identification information (such as a serial number) of the external device.

  The external device corresponds to an external recording medium such as a USB memory, a computer terminal such as a laptop computer, or a network attached storage. Also, a device such as a mobile phone, PHS, PDA, or smartphone may be used.

  More specifically, when the user information acquisition unit 6 refers to the operation content of the operation log information received by the operation log information receiving unit 4 and detects that the operation content is, for example, “file pasting” (or When the operation log information stored in the operation log information storage unit 5 is searched at a specific timing and it is detected that the operation content is “paste file”), the user who performed the operation from the operation log information The user identification information is extracted. The user information acquisition unit 6 acquires user attribute information from the user information storage unit 7 based on the user identification information. When the user attribute information is acquired in this way, the use range information setting unit 8 sets the user attribute information as the use range of the external device. For example, when the attribute information of the user is “Sales Department XX Section ○ G” and the title is “Group Leader”, the usage range information of the external device is “Sales Department XX Section ○ G” And set "Group Leader". The set use range information is stored in the external device information storage unit 9 in association with identification information (such as a serial number) of the external device. By setting in this way, the external device has its usage range information so that only users who are “sales department XX section ◯ G” and satisfy the conditions of “group leader” can access. Is set.

  As described above, various information such as affiliation, job title, and access authority level can be used as usage range information, but it is also possible to select and set one or more of them. is there. Accordingly, it is possible to selectively use a plurality of units such as only an affiliation with respect to a certain external device and an affiliation, job title and access authority level with respect to another external device. This selection can be set by, for example, when an external device is inserted into the client terminal 3, an inquiry request is displayed on the client terminal 3 from the management server 2, and the user selects or inputs accordingly. .

  The external device information storage unit 9 stores information for identifying an external device (external recording medium, computer terminal, etc.), for example, the serial number of the external recording medium and the computer terminal name, and the usage range set by the usage range information setting unit 8. Such information is stored. FIG. 8 shows an example of the external device information storage unit 9.

  When the external device is connected to a predetermined computer terminal or network, the usability determination unit 10 identifies the external device stored in the external device information storage unit 9 as to whether or not the external device is usable. The determination is made based on the information and the user identification information of the user who connected the external device. In addition, the usability determination unit 10 transmits the determination result to the client terminal 3 and the external device connected to the external device. Alternatively, as a result of the determination, when an external device that cannot be used by the user is connected, a warning to that effect may be sent to an administrator terminal used by a predetermined administrator.

  Next, an example of a processing process in the external device management system 1 according to the present invention will be described with reference to the flowchart of FIG. 4, the conceptual diagram of the system configuration of FIG. In the following description, the case where a USB memory is used as the external device will be described.

  First, a process of storing in advance information on the usage range (usage range information) for each USB memory in the external device information storage unit 9 will be described.

  The operation log information of the client terminal 3 is transmitted from each client terminal 3 to the management server 2 periodically or at a predetermined timing. The operation log information is received by the operation log information receiving unit 4 (S100).

  The operation log information received by the operation log information receiving unit 4 is stored in the operation log information storage unit 5. In general, the operation log information includes information for identifying the client terminal 3, user identification information, date and time information, and the like. By receiving them, they are stored in the operation log information storage unit 5 in association with each other.

  Further, the user information acquisition unit 6 stores the file in the USB memory so that the operation content of the operation log information received by the operation log information receiving unit 4 is “paste file” and “removable disk” is the storage destination. It is determined whether or not an operation indicating “?” Is included (S110). Alternatively, the user information acquisition unit 6 searches the operation log information stored in the operation log information storage unit 5 at a predetermined timing, the operation content of the operation log information is “paste file”, and “removable disk” is the storage destination. It is determined whether or not an operation indicating that the file is stored in the USB memory is included, and the included operation log information is extracted.

  For example, when the operation log information is shown in FIG. 9A, the operation content is “select file” and the storage location is not the USB memory (removable disk), so that the next operation log information is directly received. On the other hand, when the operation log information is FIG. 9B, the operation content is “Paste file” and the storage location is also a USB memory (removable disk). It is determined that the file is stored.

  If it is determined that the file is stored in the USB memory, the user information acquisition unit 6 extracts user identification information from the operation log information (S120). In the case of FIG. 9B, the login name “12345” is extracted. Based on the extracted user identification information “12345”, the user information storage unit 7 is searched to obtain attribute information of the user (S130). When the user information storage unit 7 is shown in FIG. 7, “Affiliation: Sales Department XX Section ○ G” and “Position: Group Leader” are acquired as information used for determining access authority among the user attribute information.

  When the user information acquisition unit 6 acquires the attribute information of the user whose file is stored in the USB memory in this way, the usage range information setting unit 8 sets “Affiliation: Sales Department ○ as the usage range information for the USB memory. “Section ○ G” and “Position: Group Leader” are set. The use range information set here is information used for determination of access authority among the attribute information, for example, name, affiliation, title, access authority level, and the like.

  Specifically, the use range information setting unit 8 extracts “XXXxxxxxxxXX” as information on a file storage location (identification information such as a USB serial number) from the above-described operation log information. The serial number of the USB memory is the information used for determining access authority among the attribute information acquired by the user information acquisition unit 6. In the above case, “affiliation: sales department XX section ○ G”, “position: “Group leader” is associated and stored in the external device information storage unit 9. At this time, information such as whether to use both affiliation and job title or whether to use them may be received from the client terminal 3 and stored. In this way, the usage range information for each USB memory is set in the external device information storage unit 9 (S140).

  In addition, as the usage range information for the USB memory, when the usage range information of the USB memory that already has the serial number is stored in the external device information storage unit 9, it is already stored as the usage range information of the serial number. The information may be compared with the newly used usage range information of the USB memory, and any strict usage range information may be stored as the usage range information of the serial number. Strict use range information refers to information that is already stored as serial number use range information and newly stored use range information of the USB memory. This means that use range information satisfying conditions such as a small number of users or a high use level monitoring level is stored as use range information of the serial number.

  In the above description, the external device information storage unit 9 shows the use range information stored in association with the serial number of the USB memory. However, the external device information storage unit 9 stores the USB serial number and the usage number. Information other than the range information may be stored.

  In the above description, the serial number of the USB memory is used. However, in addition to the serial number, information for identifying the USB memory is stored in advance in the USB memory so that the USB memory can be identified. Anyway. Further, when there is originally no serial number of the USB memory or information for identifying the USB memory, the USB memory can be determined to be unusable in the first place. Further, the information for identifying the USB memory can be configured to be stored together when a certain file is stored in the USB memory for the first time.

  FIG. 10 schematically shows the determination process of the usage range information of the USB memory as described above.

  In this way, the file names and use range information are stored in the external device information storage unit 9 for the serial numbers “XXXxxxxxxxXX”, “YYYyyyyyyyYY”, and “ZZZzzzzzzzZZ” of each USB memory (FIG. 6). FIG. 11 schematically shows the external device information storage unit 9 in this state.

  By doing so, it is possible to manage for each USB memory which file is originally stored in each client terminal 3 and for each USB memory, and the usage range information of the USB memory is also stored in the USB memory. Are stored in the external device information storage unit 9 in association with the serial number.

  Next, a process for determining whether or not a file in the USB memory can be used when the USB memory is inserted into the client terminal 3 will be described. This process is roughly divided into two processes.

  The first process is a process when the client terminal 3 transmits operation log information to the management server 2, and the second process is an operation log from the client terminal 3 to the management server 2. This is processing when information is not transmitted. A specific example of the first process is a case where a USB memory is inserted into the client terminal 3 under an experimental environment, which is different from the client terminal 3 used by the user for normal business. All client terminals 3 transmit operation log information to the management server 2. A specific example of the second process is a case where a USB memory is inserted into a user's personal computer terminal. Hereinafter, these two cases will be described.

  First, the case of the first process will be described.

  When it is detected that the USB memory has been inserted into the client terminal 3 (for example, the client terminal 3 under the experimental environment) (S200), the client terminal 3 detects that the USB memory has been inserted into the operation content of the operation log information and the USB. Operation log information including the serial number of the memory and user identification information of the user who performed the operation is transmitted to the management server 2.

  The operation log information receiving unit 4 of the management server 2 receives the operation log information and stores it in the operation log information storage unit 5. The usability determining unit 10 monitors the operation log information received by the operation log information receiving unit 4, and determines whether the operation content of the operation log information includes information indicating “insertion of USB memory”. To do. If it is determined that the operation content of the operation log information does not include information indicating “insert USB memory”, the operation log information receiving unit 4 waits to receive the next operation log information.

  Further, when it is determined that the operation content of the operation log information includes information indicating “USB memory insertion”, the use is within the use range stored in the external device information storage unit 9. Is determined (S210). For example, user identification information (login name), USB memory serial number, and the like are extracted from the received operation log information. Then, the usability determination unit 10 acquires the use range information of the USB memory from the external device information storage unit 9 based on the serial number of the USB memory.

  In addition, the usability determination unit 10 determines from the user information storage unit 7 the user attribute corresponding to the user identification information based on the user identification information (login name) extracted from the operation log information. Get information.

  Then, the usage range information of the USB memory is compared with the attribute information of the user, and it is determined whether the user is included in the usage range information, that is, whether the user has access authority (S220).

  For example, if the operation log information received by the operation log information receiving unit 4 is that shown in FIG. Then, the external device information storage unit 9 is searched based on the serial number “XXXxxxxxxxXX” of the USB memory, and information on the usage range “used department is“ sales department XX section ○ G ”and“ group leader ”” is extracted.

  Next, the availability determination unit 10 searches the user information storage unit 7 based on the user identification information “12345”, and acquires attribute information of the user. If it does so, it can acquire that it is "sales department XX section ◯ G" and "group leader". When these are compared by the usability determining unit 10, they can be determined to be within the use range because they are the same. That is, it can be determined that the user has access authority.

  Further, as a determination as to whether or not it is within the use range, information (access authority level) indicating access authority may be set for each job title, and comparison may be made based on the information. For example, the title “group leader” is set to “level 3” and the title “department manager” is set to “level 5” in the external device management system 1 in advance, and the availability determination unit 10 sets the access authority levels “level 3” and “level 3”. By comparing “Level 5”, it may be determined whether or not it is within the range of use (in this case, the external device information storage unit 9 may store the information of the job title or associate it with it) Access authority level may be stored).

  That is, when “group leader” is set as the use range, the access authority level is “level 3”. When the user's title is “General Manager”, the access authority level is “5”. Therefore, since the access authority level of the user is higher, it can be determined that the user is within the usage range.

  Conversely, when the user's job title is “general employee” and the access privilege level associated with the job title is “level 1”, the user's access privilege level is lower, so the user is not in the range of use. , Can be determined.

  As a result of the determination in the usability determining unit 10, when it is determined that it is within the use range, the usability determining unit 10 transmits a USB memory use permission control instruction to the client terminal 3 (S230). . The client terminal 3 that has received this control instruction permits access to the USB memory.

  On the other hand, for example, when the user identification information is “23456”, “planning department XX section ○ G” and “section manager” are acquired as user attribute information, and therefore it cannot be determined that the user is within the use range. That is, it can be determined that there is no access authority. Then, the usability determination unit 10 transmits a control instruction for prohibiting the use of the USB memory to the client terminal 3 (S240). The client terminal 3 that has received this control instruction does not permit access to the USB memory. For example, in the client terminal 3 into which the USB memory is inserted, a message such as “This USB memory cannot be used” is displayed, and control that cannot refer to the information in the USB memory is performed. Alternatively, control for deleting a file stored in the USB memory may be performed.

  Next, the case of the second processing method will be described. In this case, this is a processing method when the user inserts the USB memory into a computer terminal such as a personal computer terminal that does not transmit operation log information to the management server 2.

  In this case, in the USB memory, in addition to the file pasted by the user, when it is detected that the USB memory is inserted into the computer terminal, the user name of the inserted computer terminal is acquired, and the serial number of the USB memory is acquired. In addition, a module and a program (collectively referred to as “control program”) for executing an inquiry to the management server 2 from the computer terminal are provided.

  When it is detected that a USB memory has been inserted into a computer terminal (for example, a personal computer terminal of a user) (S200), a control program for the USB memory is read from a predetermined storage area of the computer terminal into which the USB memory has been inserted. User identification information of a user using a computer terminal is acquired. Then, by transmitting the acquired user identification information and the serial number of the USB memory to the management server 2, an inquiry about permission / non-permission of use of the USB memory is performed.

  In general, the management server 2 is secured by a firewall or the like. Therefore, access from other than a predetermined computer terminal is not permitted. Therefore, the computer terminal cannot be connected to the management server 2 in the first place. For this reason, even if an inquiry is made, connection to the management server 2 or its network is not permitted, and timeouts are almost always caused. When such a result is received by the computer terminal, the control program for the USB memory determines that the USB memory is not used by an appropriate computer terminal, and executes a process for not permitting the use of the USB memory. For example, in the client terminal 3 into which the USB memory is inserted, a message such as “This USB memory cannot be used” is displayed, and control that cannot refer to the information in the USB memory is performed. Alternatively, control for deleting a file stored in the USB memory may be performed.

  As a result of the inquiry by the control program of the USB memory, if the computer terminal is private, but the management server 2 can be accessed due to reasons such as applying to a department that supervises system management in advance, the management server 2 2, based on the serial number of the USB memory received from the computer terminal, the usability determination unit 10 extracts the usage range information of the USB memory from the external device information storage unit 9. For example, when the user name is “12345” and the serial number “XXXxxxxxxxXX” of the USB memory, the availability determination unit 10 searches the external device information storage unit 9 based on the serial number “XXXxxxxxxxXX” of the USB memory and uses the same. The range information “the department used is“ sales department XX section ○ G ”and“ group leader ”” is extracted.

  Next, the usability determination unit 10 acquires the attribute information of the user from the user information storage unit 7 based on the user name “12345” received from the computer terminal, as described above. Then, the acquired user identification information is compared with the USB memory usage range information to determine whether the user is included in the USB memory usage range information.

  As a result of the determination, when the attribute information of the user name “12345” is “sales department XX section ◯ G” and “group leader”, it can be determined that the user is within the use range (S220). The determination unit 10 transmits a USB memory use permission control instruction to the computer terminal (S230). Upon receiving this control instruction, the USB memory control program of the computer terminal permits access to the USB memory.

  On the other hand, for example, when the user identification information is “23456”, “planning department XX section ○ G” and “section manager” are acquired as user attribute information, and therefore it cannot be determined that the user is within the use range. That is, it can be determined that there is no access authority. Then, the usability determining unit 10 transmits a control instruction for not permitting use of the USB memory to the computer terminal (S240). The client terminal 3 that has received this control instruction does not permit access to the USB memory. For example, in a computer terminal in which a USB memory is inserted, a message such as “This USB memory cannot be used” is displayed, and control that cannot refer to information in the USB memory is performed. Alternatively, control for deleting a file stored in the USB memory may be performed.

  By doing this, even when the user uses the USB memory in different client terminals 3, the use range is automatically set and the use permission / denial determination process is executed. As described above, the user does not need to make a prior application for a USB memory to a department that supervises system management in advance. In addition, the usage range of the USB memory is determined based on the operation log information in the management server 2, and the user can use the USB memory appropriately within the usage range, while the user outside the usage range can use the USB memory. If so, the USB memory cannot be used. Therefore, it is possible to prevent information leakage.

  In the description of the first method and the second method described above, the case where the user's affiliation and the user's title storing the file in the USB memory are used as the use range information. May be just. Information indicating access authority may be numerical. In the case of the information indicating the access authority as described above, the information indicating the access authority expressed as the user attribute information is stored in the user information storage unit 7, and the process is performed based on the information.

  In the above description, the usage range is determined based on whether or not the usage range is “Sales Department XX Section ○ G” and “Group Leader”. It can be determined that it is within the range of use if it is a user of “XX Section ○ G” and “Group Leader” or higher. For example, the “sales department” and “department manager” are naturally users who have higher access authority than the above user, and therefore can be determined to be within the usage range. Also, in the case of “Planning Department XX Section ○ G” and “Group Leader”, since the affiliation is different, even if the title is the same, it is not considered to be within the range of use (when both the affiliation and the title are used).

  Each affiliation, title, etc. may be represented by a code. Further, the upper and lower relationships may be stored in a predetermined storage area in advance, and the determination process may be executed based on the relationship.

  In the above-described first embodiment, the case where the use range information setting unit 8 sets the use range for the external device when the file is stored in the USB memory has been described. However, when the file is deleted from the USB memory, The usage range information setting unit 8 may be configured to set new usage range information for the external device.

  In this case, the user information acquisition unit 6 includes an operation indicating that the file is to be deleted from the USB memory, such as “delete file” as the operation content and “removable disk” as the save destination in the operation log information. Determine if it is. When the operation log information is determined, the use range information setting unit 8 extracts the operation log information stored in the operation log information storage unit 5 based on the serial number of the USB memory in the operation log information. The operation log information may be information within a predetermined period or may be information for the entire period.

  This indicates that the operation log information for the files other than the file deleted in the operation log information extracted as described above is stored in the USB memory such as “paste file”. Select operation log information. For each selected operation log information, the same processing as in the first embodiment is executed (that is, the attribute information of the user is acquired from the user information storage unit 7 based on the user identification information of each operation log information, The USB memory usage range is set based on this, and if the usage range has already been set, the most severe usage range is set.) As a result, even when the file is deleted from the USB memory, it is possible to reset appropriate use range information.

  In the first and second embodiments described above, the external device information storage unit 9, the use range information setting unit 8, and the usability determination unit 10 execute processing based on the serial number of the USB memory. For example, the processing may be executed based on the identification information of the USB terminal when inserted into the client terminal 3 instead of the serial number of the memory. In other words, the process may be executed based on identification information of the configuration (including both physical configuration and logical configuration) that is an access target of the external device, such as USB terminal identification information and drive name, instead of the external device itself. good. The identification information of the configuration to be accessed by the external device is referred to as “external device access target identification information” in this specification.

  In this case, the external device information storage unit 9 may not be originally stored in the management server 2 but may be configured by inserting a USB memory into the client terminal 3. In other words, when the USB memory is inserted into the USB terminal of the client terminal 3, the user identification information stored in the USB memory is extracted by searching the operation log information storage unit 5 for each file stored in the USB memory. Based on this, the user attribute information is acquired from the user information storage unit 7. Based on the acquired attribute information of each user, the use range information setting unit 8 sets use range information for the USB memory (setting processing is the same as in the first and second embodiments). Then, the external server information storage unit 9 is configured by the management server 2 by storing the identification information of the USB terminal into which the USB memory is inserted and the set use range information in association with each other.

  By configuring the external device information storage unit 9 in this manner, based on the identification information of the USB terminal of the client terminal 3, the usage range information of the USB memory is extracted from the external device information storage unit 9, and the USB memory The usability judging unit 10 judges whether or not the user can use. When the management server 2 transmits the determination result to the USB memory or the client terminal 3 into which the USB memory is inserted, the use control of the USB memory can be performed.

  In addition to the above-described first to third embodiments, when the client terminal 3 tries to use an external device that cannot be used by the user, it is the display device 22 or the administrator terminal (each client terminal) of the management server 2. A warning notification unit (not shown) for issuing a warning control instruction for displaying information on an attempt to use an external device that cannot be used by the user on the display device 22 of the computer terminal used by the The apparatus management system 1 may be provided.

  That is, the warning notification unit notifies the warning control instruction when the usability determination unit 10 determines that the user is not within the use range.

  Which user is the operation log information received from the client terminal 3 used by the user can be determined based on the user identification information or the client terminal identification information in the operation log information. Is possible.

  An example of warning display by the warning notification unit is shown in FIGS. FIG. 13 shows a state where a message “User XXX is trying to use an inappropriate external device” is displayed on the screen of the display device 22. FIG. 14 shows each client terminal in the administrator terminal. A screen for displaying a list of operation screen information displayed on the display device 22 of No. 3 is displayed, and the operation screen information of the user (a user determined not to be in the use range) is highlighted. is there. For highlighting, change the frame color of the user's operation screen information, change the thickness of the frame, blink the operation screen information or the frame, enlarge the operation screen information, and display the operation screen information in a separate window There is a pop-up display etc., but it is not limited to them. FIG. 15 shows a case where the operation screen information of the user is enlarged and displayed. FIG. 16 shows a case where the operation screen information of the user is displayed in a pop-up in another window.

  The warning notification unit is configured to display a warning display on the display device 22 of the management server 2 or the display device 22 of the administrator terminal in order to display a warning display instruction, a function for controlling the display device 22 of the management server 2 or Notify the administrator terminal. Accordingly, a computer terminal such as an administrator terminal that has received the warning display instruction performs the warning display as described above on the display device 22 based on the display. This warning display instruction may include identification information of the user or the client terminal 3, contents of warning display, and the like.

  In this case, the management server 2 receives the operation screen information displayed on the display device 22 from each client terminal 3, transmits them to the administrator terminal, and displays a list on the display device 22 of the administrator terminal. ing. Therefore, in this case, each client terminal 3 has a function of capturing the screen of the display device 22 of the client terminal 3 and transmitting it to the management server 2 regularly or irregularly. In order to capture the screen, for example, the operation screen information displayed on the screen may be read from a display information storage device that stores information to be displayed on the screen, such as a VRAM, and transmitted as operation screen information. The management server 2 also has a function (operation screen information processing unit) that receives operation screen information from each client terminal 3 and transmits it to the administrator terminal.

  Note that the administrator's e-mail address may be stored in advance in the management server 2, and the administrator may be notified by e-mail to the e-mail address. A pop-up message may also be used.

  In the external device management system 1 described above, the use range for the external device is set by using the operation log information. If the user is within the use range, the external device can be used. Can be disabled. Even if the external device is lost by this, the third party who acquired it cannot use the file recorded there on his computer terminal, while employees are lent by the company It is possible to copy to a laptop computer via an external device.

  Thus, according to the external device management system 1 of the present invention, it is possible to achieve both the prevention of information leakage and the ease of daily work.

  Furthermore, by using the present invention, since information on the range of use of the external device is stored in the external device information storage unit 9, information such as which department is used can be found.

Further, since the use range of the external recording medium is set according to the access authority level (attribute information) of the user who has stored the file in the external recording medium, the access is lower than the access authority level (attribute information) of the user. Users with authority levels (attribute information) cannot use the external recording medium. Therefore, even when an external recording medium is shared between users in the same department, it is possible to prevent information leakage.

1 is an overall conceptual diagram of the present invention. It is a conceptual diagram which shows an example of the system configuration | structure of this invention. It is a conceptual diagram which shows an example of the hardware constitutions of a management server. It is a flowchart which shows an example of the processing process of this invention. It is an example of operation log information. It is an example of the operation log information storage part. It is an example of a user information storage part. It is an example of an external device information storage part. It is an example of operation log information. It is a figure which shows typically the determination process of the use range information of USB memory. It is a figure which shows typically the external device information storage part in which the use range information was memorize | stored. It is an example of operation log information. It is an example of the display by a warning notification part. It is another example of the display by a warning notification part. It is another example of the display by a warning notification part. It is another example of the display by a warning notification part.

Explanation of symbols

1: External device management system 2: Management server 3: Client terminal 4: Operation log information receiving unit 5: Operation log information storage unit 6: User information acquisition unit 7: User information storage unit 8: Usage range information setting unit 9: External Device information storage unit 10: Usability determination unit 20: arithmetic device 21: storage device 22: display device 23: input device 24: communication device

Claims (12)

An external device management system that determines whether or not an external device can be used by using operation log information in a client terminal,
The external device management system includes:
An operation log information receiving unit for receiving operation log information in each client terminal;
Based on the user identification information in the operation log information from the client terminal, the attribute information of the user is acquired, the usage range information setting unit that sets the usage range information of the external device using the acquired attribute information of the user,
Based on the user identification information in the operation log information from the client terminal, the attribute information of the user is acquired, and the acquired attribute information of the user is compared with the usage range information of the external device, thereby using the external device. A usability judging unit for judging the availability;
An external device management system comprising: An external device management system that determines whether or not an external device can be used by using operation log information in a client terminal,
The external device management system includes:
An operation log information receiving unit for receiving operation log information in each client terminal;
A user information storage unit that stores attribute information including at least information used for determination of access authority in association with user identification information;
An external device information storage unit that stores at least identification information and use range information of the external device;
Based on the user identification information in the operation log information received from the client terminal when the file is stored in an external device, the attribute information of the user is acquired from the user information storage unit, and the acquired attribute information is As a usage range information of the external device, a usage range information setting unit to be stored in the external device information storage unit in association with the identification information of the external device in the operation log information;
Based on the identification information of the external device received from the client terminal connected to the external device or the external device, the usage range information of the external device is acquired from the external device information storage unit and connected to the external device Based on the user identification information received from the client terminal or the external device, the user attribute information is acquired from the user information storage unit, and the acquired use range information of the external device and the user attribute information are used. A usability determination unit that determines whether a client terminal connected to the external device or the external device can be used;
An external device management system comprising: The usage range information setting unit further includes:
When storing the acquired usage range information in the external device information storage unit, the usage range information already stored in the external device information storage unit is stored in association with the identification information of the external device. In this case, the use range information already stored is compared with the acquired use range information, and the strict use range information is stored in the external device information storage unit in association with the identification information of the external device.
The external device management system according to claim 2. The usability determination unit further includes:
When operation log information indicating that the external device is connected to the client terminal is received by the operation log information receiving unit from a client terminal connected to the external device, the external device included in the operation log information Based on the identification information of the external device, the usage range information of the external device is acquired from the external device information storage unit, and based on the user identification information included in the operation log information, the attribute information of the user is acquired by the user information storage unit. And using the acquired external device usage range information and user attribute information to determine whether or not the client terminal connected to the external device or the external device can be used,
The external device management system according to claim 2 or claim 3, wherein The usability determination unit further includes:
Send the determination result to the client terminal connected to the external device or the external device,
The client terminal connected to the external device or the external device is
When receiving the determination result of availability from the external device management system, control the availability of the external device according to the determination result,
The external device management system according to any one of claims 1 to 4, wherein the external device management system is provided. The client terminal connected to the external device or the external device is
When it is not possible to connect to the external device management system, the use prohibition of the external device is controlled.
The external device management system according to claim 5. The usage range information setting unit further includes:
When the operation log information is received by the operation log information receiving unit when the file is deleted from the external device, the deleted file is stored in the external device based on the identification information of the external device in the operation log information. The operation log information indicating that the file has been stored in the external device other than the operation log information indicating that the file has been stored is acquired from the operation log information storage unit, and based on the user identification information in each acquired operation log information The attribute information of those users is acquired from the user information storage unit, the strictest user attribute information is set as usage range information of the external device, and the external device information storage is associated with the identification information of the external device. Store it in the department,
The external device management system according to claim 2, wherein the external device management system is an external device management system. The external device management system further includes:
When it is determined that the user cannot use the external device, the operation screen information of the determined user is highlighted among the operation screen information of each client terminal displayed on the display device of a predetermined computer terminal The warning notification part,
The external device management system according to claim 2, further comprising: An external device management system that determines whether or not an external device can be used by using operation log information in a client terminal,
The external device management system includes:
An operation log information receiving unit for receiving operation log information in each client terminal;
A user information storage unit that stores attribute information including at least information used for determination of access authority in association with user identification information;
An external device information storage unit for storing at least external device access target identification information and use range information of the external device;
Based on the user identification information in the operation log information received from the client terminal when the file is stored in an external device, the attribute information of the user is acquired from the user information storage unit, and the acquired attribute information is As a usage range information of the external device, a usage range information setting unit to be stored in the external device information storage unit in association with the external device access target identification information of the external device in the operation log information,
Based on the external device access target identification information received from the client terminal connected to the external device or the external device, the usage range information of the external device is acquired from the external device information storage unit and connected to the external device Based on the user identification information received from the client terminal or the external device, the user attribute information is acquired from the user information storage unit, and the acquired usage range information of the external device and the user attribute information are obtained. Using a client terminal connected to the external device or an availability determination unit for determining availability of the external device;
An external device management system comprising: An external device management system that determines whether or not a portable semiconductor storage device can be used by using operation log information in a client terminal,
The external device management system includes:
An operation log information receiving unit for receiving operation log information from each client terminal;
A user information storage unit that stores attribute information including at least information used for determination of access authority in association with user identification information;
An external device information storage unit for storing at least identification information of the portable semiconductor memory device and use range information of the portable semiconductor memory device;
Among the operation log information received from the client terminal, the operation log information including the information indicating that the file is stored in the portable semiconductor storage device as the operation content, from the operation log information, the user identification information and The identification information of the portable semiconductor storage device is extracted, the attribute information corresponding to the user identification information is acquired from the user information storage unit based on the extracted user identification information, and the acquired attribute information is acquired from the external device. A use range information setting unit for storing in the external device information storage unit in association with the extracted identification information of the portable semiconductor memory device,
Of the operation log information received from the client terminal, in the case of operation log information including information indicating that the portable semiconductor storage device is connected to the client terminal as the operation content, the operation log information is transferred from the operation log information. Extracting identification information and user identification information of the semiconductor storage device, based on the extracted identification information of the portable semiconductor storage device, obtaining usage range information of the portable semiconductor storage device from the external device information storage unit, Based on the extracted user identification information, the user's attribute information is acquired from the user information storage unit, and the use range information of the acquired portable semiconductor memory device is compared with the user's attribute information, thereby the portable type Use of determining whether or not a semiconductor memory device can be used and transmitting a determination result to a client terminal connected to the portable semiconductor memory device It has a determination portion,
The client terminal connected to the portable semiconductor memory device is
When the use result is received from the external device management system, control is performed to permit access to the portable semiconductor memory device if the use result is permitted, and if the use result is not permitted, the use is permitted. Control to disallow access to the portable semiconductor memory device,
An external device management system. Computer terminal
An operation log information receiving unit for receiving operation log information in each client terminal;
Based on the user identification information in the operation log information from the client terminal, the attribute information of the user is acquired, and the usage range information setting unit that sets the usage range information of the external device using the acquired attribute information of the user,
Based on the user identification information in the operation log information from the client terminal, the attribute information of the user is acquired, and the acquired attribute information of the user is compared with the usage range information of the external device, thereby using the external device. A usability judging unit for judging the availability,
An external device management program that functions as an external device. An external device management program for causing a computer terminal having a storage device and an arithmetic device to function,
In the storage device,
A user information storage unit that stores attribute information including at least information used for determination of access authority in association with user identification information;
An external device information storage unit that stores at least identification information and use range information of the external device, and
The arithmetic unit includes
An operation log information receiving unit for receiving operation log information in each client terminal;
Based on the user identification information in the operation log information received from the client terminal when the file is stored in the external device, the attribute information of the user is acquired from the user information storage unit of the storage device, and the acquired A use range information setting unit that stores attribute information as use range information of the external device in association with identification information of the external device in the operation log information and stored in the external device information storage unit of the storage device;
Based on the external device identification information received from the client terminal connected to the external device or the external device, the usage range information of the external device is acquired from the external device information storage unit of the storage device, and the external device Based on the user identification information received from the client terminal connected to the external device or the external device, the attribute information of the user is acquired from the user information storage unit of the storage device, and the acquired usage range information of the external device and An availability determination unit that determines whether or not the client terminal connected to the external device or the external device can be used by using user attribute information;
An external device management program.

Images