JP2012094106A - Information processing device and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce processing load to allocate authority to a new organization ID when an organization ID of an organization with a same entity changes.SOLUTION: An ID change organization table associating an old organization ID with a new organization ID for an organization with a same entity whose organization ID changes and a role allocation table showing a role which is allocated to the organization by associating the organization ID with a role ID, are stored in an ID management system DB 150. During an organization change, a role allocation change part 107 extracts the role allocation table describing the old organization ID shown in the ID change organization table, creates and enables new role allocation information showing association between the role ID of the extracted role allocation table and the new organization ID and disables the existing role allocation table showing the old organization ID.

Description

  The present invention relates to a technique for efficiently managing use authority for a business system, passage authority for an entrance / exit management system, and the like in an organization such as a company.

In a personnel database (Database) in a company or the like, personal information, organization information, and assignment information are managed.
In general, an ID (Identification) management server can automatically receive personal information, organization information, assignment information, and personnel change information in cooperation with the personnel database.
It is also possible to receive IC card ID information from an IC (Integrated Circuit) card vendor as a CSV (Comma Separated Values) file, import the information, and assign an individual to a card.
The ID management server manages personal information, organization information, assignment information, IC card information, and usage rights assigned to individuals for various business systems.
Various business system servers receive personal information, IC card information, and usage authority from the ID management server, and manage, for example, authority that can be used with an IC card held by an individual.
In the ID management server, the usage authority can be set for each individual. However, if it is set for each individual, the authority changing process due to personnel changes or the like becomes complicated and the management load increases.
In this regard, by assigning the use authority to the organization or the position, it is possible to automate the use authority setting process in response to the change of authority in response to the organization due to personnel changes.
As a technique for efficiently managing such use authority, there is a technique described in Patent Document 1, for example.

JP 2007-172379 A

In a company or the like, an organization ID or an organization name may be changed due to organization reorganization or the like while the organization entity is the same.
In such a case, as the system, the organization before the change and the organization after the change are treated as separate organizations, so in order to continue to use the business system that has been available so far, a new organization It is necessary to reset the authority assignment so that the same authority as before can be assigned to the ID.
The technique of Patent Document 1 does not cope with the case where the organization ID is changed, but the organization ID is changed. According to Patent Document 1, it is necessary to reset the authority assignment manually.
In a large company, the number of organizations is large, and the load of authority allocation processing at the time of organizational reform is large.

  The present invention has been made in view of the above circumstances, and is intended to reduce the processing burden when assigning authority to a new organization ID when the organization entity is the same but the organization ID is changed. With a purpose.

An information processing apparatus according to the present invention includes:
A role assignment information storage device for storing role assignment information in which a role ID (Identification) that is an identifier of a role for which a specific system use authority is designated and an organization ID that is an identifier of an organization to which the role is assigned; ,
It is connected to an ID change information storage device that stores ID change information in which an organization ID before change, an organization ID after change, and a change date and time are described for an organization whose organization ID is changed at a predetermined date and time. An information processing apparatus,
An information extraction unit that extracts role assignment information in which the organization ID before change described in the ID change information is extracted from the role assignment information stored in the role assignment information storage device;
The role ID described in the role assignment information extracted by the information extraction unit and the changed organization ID described in the ID change information are described, and the change date and time described in the ID change information is described. New role assignment information that is valid in response to the above, and the existing role assignment information in which the organization ID before change described in the ID change information is described is changed at the change date and time described in the ID change information. And an information management unit that is invalidated.

  According to the present invention, based on the ID change information, the role ID assigned to the organization ID before the change is assigned to the organization ID after the change, and new role assignment information that becomes effective at the change date and time is generated. Since the existing role assignment information is invalidated at the change date and time, the assignment of the changed organization ID and role ID can be validated from the change date and time, and the processing burden when assigning authority to the new organization ID is reduced. Can be reduced.

FIG. 3 is a diagram illustrating an example of a system configuration according to the first embodiment. FIG. 3 is a diagram showing a table configuration example according to the first embodiment. FIG. 3 is a diagram illustrating an example of a table element according to the first embodiment. The figure which shows the example of the ID change organization table which concerns on Embodiment 1. FIG. FIG. 6 is a diagram showing a role assignment update example according to the first embodiment. FIG. 3 is a flowchart showing an operation example of the ID management system according to the first embodiment. FIG. 3 is a flowchart showing an operation example of the ID management system according to the first embodiment. 2 is a diagram illustrating a hardware configuration example of an ID management system according to Embodiment 1. FIG. The figure explaining the update of the non-regular user organization allocation table which concerns on Embodiment 2. FIG.

Embodiment 1 FIG.
In the present embodiment, the old organization ID and the new organization ID are associated with the organization whose organization ID is changed while the entity is the same, and various business systems are used based on the association at the time of organization reorganization. Describe techniques for automatically assigning authority to new organizations.

  FIG. 1 shows a system configuration example according to the present embodiment.

The ID management system 100 assigns the authority to use the business system 330 to an organization or an individual.
More specifically, the ID management system 100 sets a role for an organization or an individual, and assigns the authority to use the business system 330 for each role.
The ID management system 100 is an example of an information processing apparatus.
The internal configuration of the ID management system 100 will be described later.

The ID management system 100 is connected to an ID management system DB (Database) 150.
The ID management system DB 150 stores various tables shown in FIGS. 2 and 3, and further stores an ID change organization table shown in FIG.
Details of the tables shown in FIGS. 2 and 3 and the ID change organization table shown in FIG. 4 will be described later.
The ID management system DB 150 is an example of a role assignment information storage device and an ID change information storage device.
The ID management system 100 is connected to the display device 200 and the keyboard 210.

The ID management system 100 is connected to a personnel database system 310, a user terminal device 320, and a business system 330 via a LAN (Local Area Network) 300.
The personnel database system 310 manages personal information, organization information, and assignment information.
The user terminal device 320 is a terminal device used by a user (employee or the like), logs into the business system 330, and uses data and resources of the business system 330.
The business system 330 is a computer system used for business, and provides a service to the user within the range of the usage authority authorized by the accessed user.
The business system 330 is connected to the business system DB 340.
There are a plurality of user terminal devices 320 and business systems 330.

In the ID management system 100, the use authority for each business system 330 is managed using the tables shown in FIGS.
FIG. 2 shows the cooperation between the tables, and FIG. 3 shows an example of the table elements of each table.
In the figure, a role is used as a container for grouping a plurality of organizations and a plurality of individuals. Organizations and individuals for which a common role is set are common to a common business system 330. Has usage rights.
For example, a plurality of organizations (individuals) are set in the role (R1), and a usage right that enables the use of a specific function of the business system (K1) is assigned to the role (R1).
By doing so, in principle, individuals belonging to the organization in which the role (R1) is set are uniformly given the authority to use a specific function of the business system (K1).
As described above, by using the role, the use authority allocation burden is reduced as compared to setting the use authority for each organization and for each individual.

2 and 3, information of each user (employee, etc.) is described in the user table.
Information on each organization is described in the organization table.
The user and the organization are associated by the organization allocation table.
The role table describes information about each role.
Organizations and roles are associated with each other by role assignment information.
Moreover, a user and a role may be matched by role assignment information.
Information on each business system is described in the system table.
Roles and systems are associated with each other by a system allocation table.
As shown in FIG. 2, for example, the user (P1) is associated with the organization (a) by the organization allocation table (P1-a) (belongs to the organization (a)).
Further, the organization (a) is associated with the role (R1) by the role assignment table (a-R1), and the role (R1) is associated with the system (K1) by the system assignment table (R1-K1). .
As a result, the user (P1) can use the system (K1) within the range of the use authority assigned to the role (R1).
Note that the role (R1), the role (R2), and the role (R3) are associated with the system (K1), respectively, but the usage authority permitted by the system (K1) is different. In the system K1, a connection destination IP address for connecting to an actual business system is set, and information on a role assigned to the system K1 and information of a user assigned to the role are set in this connection destination. By transmitting, the business system side can set the usage authority corresponding to the available users and roles.

The table elements of each table are as shown in FIG. 3, but since the table closely related to the present embodiment is a role assignment table, the table elements of the role assignment table will be described.
The role ID is a role ID included in the role table, and the organization / user ID is an organization ID included in the organization table or a user ID included in the user table.
In the role assignment table, the role corresponding to the role ID is associated with the organization / user corresponding to the organization / user ID.
The valid start date is the date when the association between the role and the organization (user) is valid, and the valid end date is the date when the association between the role and the organization (user) is invalid.

When a user is assigned to an organization that corresponds to the role (R1) due to a personnel change or is transferred to another organization, the personal information is distributed to the business system automatically in response to the personnel change, and automatically when the personnel change. Usage authority is set.
However, the organization name and organization ID may be changed even though they are substantially the same organization.
In such a case, since the organization assigned to the role is treated as a separate organization, it is necessary to reset the role assignment.
In a company with many organizations and many business systems, the management setting load for resetting the use authority becomes high.

In this regard, the ID management system 100 according to the present embodiment holds, for example, an ID change organization table as shown in FIG. 4 in the ID management system DB 150, and uses the ID change organization table to create a new organization at the time of organization reorganization. The process of assigning the same authority as before to the name and organization ID is automatically performed.
The ID-change organization table in FIG. 4 is a table for organizations whose organization ID is changed although the organization name is not changed at the time of organization reorganization.
In FIG. 4, the new organization ID is a changed organization ID that is newly used from the effective start date and time.
The former organization ID is an organization ID before change that is used until immediately before the effective start date and time of the new organization ID.
The effective start date / time is the organization reorganization date / time, in other words, the change date / time when the original organization ID is changed to the new organization ID (for example, April 1, 00:00:00).
The valid end date / time is the date / time when the use of the new organization ID is canceled.
Normally, the effective end date / time of the new organization ID is undecided until the next organization reorganization becomes concrete.
For this reason, for example, the maximum date and time allowed by the ID management system 100 (for example, December 31, 9999 23:59:59) is set while the valid end date is not yet determined.
The ID change organization table is an example of ID change information.

  Based on the above description, the internal configuration of the ID management system 100 according to the present embodiment will be described.

  The control unit 101 includes a communication unit 102, an input / output unit 103, an organization change mapping information setting unit 104, a role setting unit 105, an assignment setting unit 106, a role assignment changing unit 107, an authority information output unit 108, and an ID management system DB 150. Controls the operation of elements and the exchange of data between elements.

  The communication unit 102 communicates with the ID management system DB 150, the personnel database system 310, and the business system 330.

  The input / output unit 103 inputs information from the keyboard 210 and outputs information to the display device 200.

The personnel information setting unit 109 retrieves user information, organization information, and assignment information from the personnel database system 310 as files from the communication unit 102 as needed due to personnel changes, and stores the user table, organization table, and organization allocation table shown in FIG. Create and register in the ID management system DB 150.
The organization change mapping information setting unit 104 generates an ID changed organization table illustrated in FIG. 4 and stores the generated ID changed organization table in the ID management system DB 150.
More specifically, each element of FIG. 4 (new organization ID, organization name, valid start date / time, valid end date / time, original organization ID) input by the operator of the ID management system 100 using the keyboard 210 or by reading a file. ) Is obtained from the input / output unit 103, and an ID change organization table is generated. The organization change mapping information may be input by the personnel system 310 and may be imported as a file into the organization change mapping information setting unit 104 via the communication unit 102 to generate an ID change organization table.
Then, the generated ID change organization table is stored in the ID management system DB 150 via the communication unit 102.

The role setting unit 105 generates the role illustrated in FIG.
More specifically, each element (role ID, role name, valid start date / time, valid end date / time) of the roll table in FIG. 3 input by the operator of the ID management system 100 using the keyboard 210 or by reading a file is displayed. Acquired from the input / output unit 103 and generates a roll table.
Then, the generated role table is stored in the ID management system DB 150 via the communication unit 102.

The assignment setting unit 106 generates the assignment table (organization assignment table, role assignment table, system assignment table) illustrated in FIGS. 2 and 3.
More specifically, each element (user ID, organization ID, role ID, system ID, valid start) of each allocation table in FIG. 3 input by the operator of the ID management system 100 using the keyboard 210 or by reading a file. Date / time, valid end date / time, etc.) are acquired from the input / output unit 103, and each allocation table is generated.
Then, each generated allocation table is stored in the ID management system DB 150 via the communication unit 102.

The role assignment change unit 107 generates a new role assignment table for the new organization ID shown in the ID change organization table of FIG.
Further, the role assignment table for the original organization ID shown in the ID changed organization table of FIG. 4 is invalidated.
That is, the role assignment changing unit 107 extracts role assignment information in which the original organization ID described in the ID change organization table (FIG. 4) is described from the role assignment information (FIG. 3).
Then, the role assignment changing unit 107 describes the role ID described in the extracted role assignment information and the new organization ID described in the ID change organization table, and the effective start described in the ID change organization table A new record of the role assignment table in which the date and time is described as the valid start date and time is generated.
Further, the role assignment changing unit 107 starts the effective start in which the existing role assignment information (extracted role assignment information) in which the original organization ID described in the ID change organization table is described is described in the ID change organization table. Disable it at daytime.
The invalidation process is performed by describing the time immediately before the valid start date and time of the new organization ID described in the ID change organization table in the column of the valid end date and time of the existing role assignment information.
For example, if the effective start date / time of the new organization ID is April 1, 2010, 0:00:00, the column of the effective end date / time of the existing role assignment information (the role assignment information in which the original organization ID is described) Describes March 31, 2010 at 23:59:59.
The role assignment change unit 107 is an example of an information extraction unit and an information management unit.

The authority information output unit 108 extracts the corresponding role from the system table of FIG. 2 assigned to the business system 330 and notifies the business system 330 of the user and role information assigned to the role. The business system 330 sets the combination information of the user and the role notified from the ID management system 100 as a user who can use the business system 330, and registers it in the business system DB 340 as different usage authority (reference authority, write authority, etc.) depending on the role. .
For example, when the system (K1) illustrated in FIG. 2 corresponds to the business system 330, and the user (P1) tries to log in to the business system 330 using the user terminal device 320, the user (P1) The user can log in to the business system 330 with the use authority corresponding to the role (R1).

Next, an operation example of the roll assignment changing unit 107 according to the present embodiment will be described with reference to FIGS. 5 and 6.
FIG. 5 shows a specific example of role assignment update according to the present embodiment, and FIG. 6 is a flowchart showing an operation example of the role assignment change unit 107 according to the present embodiment.
In the present embodiment, it is assumed that the role assignment changing unit 107 performs the flow of FIG. 6 at a time before 24:00 every day (for example, 23:00).
However, if the organization reorganization date is limited to a specific date (April 1, October 1, etc.), it will start from 24:00 the day before the organization reorganization date (March 31, September 31, etc.) Alternatively, the flow of FIG. 6 may be performed at the previous time (for example, 23:00).
In the following description, an example in which the flow of FIG. 6 is performed on March 31, 2010 will be described.

In the flowchart of FIG. 6, the role assignment changing unit 107 first searches the ID management system DB 150 for an ID changed organization table (FIG. 4) whose effective start date is the next day via the communication unit 102 (information). (Extraction process) (S101).
That is, the role assignment changing unit 107 searches the ID change organization table whose effective start date and time is April 1, 2010, 0: 0: 0.

  When the corresponding ID changed organization table is extracted (YES in S102) (information extraction process), the role assignment changing unit 107 displays the original organization ID described in the extracted ID changed organization table in the column of the organization ID. The described role assignment table (FIG. 3) is searched in the ID management system DB 150 via the communication unit 102 (S103) (information extraction processing).

  If the corresponding role assignment table cannot be extracted (NO in S104) (information extraction process), the next ID change organization table is searched.

On the other hand, if the corresponding role assignment table can be extracted (YES in S104) (information extraction process), the role assignment change unit 107 determines the role ID of the extracted role assignment table and the ID change organization table extracted in S102. Is described as the effective start date / time (April 1, 2010 0: 0: 0) described in the ID changed organization table extracted in S102. New role assignment information is generated (S106) (information management processing).
The valid end date / time is, for example, the maximum date / time allowed in the system.

Further, the role assignment changing unit 107 sets the valid end date / time of the role assignment table extracted in S104 to the last time of the current day (for example, 23:59:59 on March 31, 2010) (S107) Information management process).
As a result, the existing role assignment table is invalidated at 00: 00: 00: 00 on April 1, 2010. Instead, the new role assignment table (new organization ID is described) generated in S106. The role assignment table is effective from April 1, 2010, 0:00:00, and after April 1, the association between the new organization ID and the role is used.

When there is an unprocessed role assignment table (YES in S108), the role assignment change unit 107 performs the processing from S103 on on the unprocessed ID change organization table. Furthermore, when there is an unprocessed ID changed organization table (YSE in S109), the role assignment changing unit 107 performs the processing after S101 on the unprocessed ID changed organization table.
If there is no unprocessed ID changed organization table (NO in S109), the role assignment changing unit 107 displays the new role assignment information generated in S106 and the existing role assignment information whose effective end date / time is changed in S107. It is stored in the ID management system DB 150 via the communication unit 102.

For example, as shown in FIG. 5 (a), when the organization with organization ID a is assigned to the role (R1) by the role assignment information (a-R1) before the organization reorganization, FIG. 5 (b). As shown in FIG. 6, an example is considered in which the organization entity is not changed and only the organization ID is changed to x by the organization reorganization.
The role assignment changing unit 107 executes the flow shown in FIG. 6 on the day before the organization reorganization date, and reflects the change of the organization ID, as shown in FIG. 5C, and changes the organization ID: x and the role (R1). Role assignment information (x-R1) to be linked is generated.
On the other hand, the role assignment information (a-R1) that associates the organization ID: a with the role (R1) is invalid on the organization reorganization date.
For this reason, the organization ID: a is not associated with any role.
The new organization assignment tables (P1-x) and (P2-x) are generated by the personnel information setting unit 109.

  Next, FIG. 7 shows an operation example of the authority information output unit 108 according to the present embodiment.

  The authority information output unit 108 is activated every day at 0:00 and extracts the roles and user information assigned to the system table of FIG. 3 assigned to each business system for each business system. The information is transmitted to each business system 330 via 102. At this time, as user information to be transmitted, information such as a user ID, a password, and a role ID is passed. On the business system 330 side, login is permitted only to a user who logs in to the business system 330 with the passed user ID and password. Further, the use authority is identified by the role ID corresponding to the user ID, and the operation with the use authority corresponding to the role ID is permitted. In addition, by starting at 00:00 every day, by sending the user information and role information of the effective user assigned to the effective role with the effective role assignment information on the corresponding day, Only available users can use each business system. The valid user is a user table whose valid start date and time is before the current time and whose valid end date and time is after the current time. An effective role is a roll table whose effective start date and time is before the current time and whose effective end date and time is after the current time. The valid role assignment information is a role assignment table in which the valid start date and time is before the current time and the valid end date and time is after the current time.

  The authority information output unit 108 searches the system table and sequentially extracts the system table (S201). When the system table is extracted, the role table assigned to the system table is searched (S203). When the role table assigned to the system table is found, the user information is extracted from the organization table / user table assigned to the role table, the correspondence information with the role information is generated, and the user is added to the business system in which the system table is set. Information and role information are transmitted (S206). This process is performed for all system tables.

  After the above processing, the user logs in to the business system from the user terminal 320 using the user ID and password. The business system 330 performs user authentication using the user ID and password received from the authority information output unit 108, and within the authority range permitted by the role ID output from the authority information output unit 108, the user data access, etc. Services to users.

In the above description, the case where the organization ID does not change and the organization ID changes is described.
As shown in the role assignment information in FIG. 3, it is also possible to assign a role ID to the user ID.
For this reason, even when there is no change in the user entity but the user ID changes, the role assignment changing unit 107 performs the process shown in FIGS. 5 and 6 to create a new role for linking the new user ID and the role ID. It is also possible to generate allocation information and invalidate existing role allocation information at the effective start date.

In the above, the usage authority for the business system 330 is taken as an example of the system usage authority, and the mechanism for continuously assigning the role designated for the usage authority for the business system 330 to the new organization has been described.
In this regard, the access authority for the entry / exit management system is taken as an example of the system use authority, and the role for which the access authority for the entrance / exit management system is designated using the ID management system 100 according to the present embodiment is also given to the new organization. A mechanism for continuous allocation can be realized.

  According to the present embodiment, based on the ID change organization table, the role ID assigned to the original organization ID is assigned to the new organization ID, and new role assignment information that becomes valid at the effective start date and time is generated. Since the existing role assignment information is invalidated at the valid start date and time, the assignment of the new organization ID and role ID can be validated from the valid start date and time, and the processing burden when assigning authority to the new organization ID Can be reduced.

Embodiment 2. FIG.
In the first embodiment, the entity as the organization is the same, and when only the organization ID is changed, the new organization ID and the role are associated with each other.
In order to keep the role assignment valid for individuals belonging to the target organization even after the organization ID is changed, it is necessary to update the organization assignment table shown in FIG. 3 and associate each user ID with the new organization ID. is there.
As shown in FIG. 9, if a regular user such as a regular employee who is centrally managed by the personnel DB system 310, the organization assignment table is automatically updated by the personnel DB system 310, it is necessary to manually update the organization assignment table. Absent.
On the other hand, companies and the like often employ non-regular users who are related to an organization, such as temporary employees and employees of subcontractors, but are not officially affiliated with the organization.
Since such non-regular users are not managed by the personnel database system 310, even if the new organization ID and role shown in the first embodiment are associated with each other, the organization allocation table of the non-regular users is automatically set. Therefore, it is necessary to manually update the organization allocation table of the non-regular user.
In the present embodiment, an example will be described in which the role assignment changing unit 107 updates the organization assignment table of such an unauthorized user.
In the present embodiment, the regular user user table is referred to as a regular user table, and the regular user organization allocation table is referred to as a regular user organization allocation table.
In addition, the non-regular user table is referred to as a non-regular user table, and the non-regular user organization allocation table is referred to as a non-regular user organization allocation table.

A system configuration example according to the present embodiment is the same as that shown in FIG.
However, the ID management system DB 150 stores a non-regular user table and a non-regular user organization allocation table in addition to the regular user table and the regular user organization allocation table.
In the non-regular user table, as shown in FIG. 9, the non-regular user identifier, the user ID of the non-regular user, the non-regular user cooperation staff classification (classification such as temporary employee or cooperation company employee), The password of the non-regular user, the valid start date / time and the valid end date / time of the non-regular user table are described.
Further, as shown in FIG. 9, the non-regular user organization allocation table includes a user ID that is an identifier of an irregular user, an organization ID that is an identifier of an organization related to the irregular user, and the validity of the irregular user organization allocation table. Start date and time and valid end date and time are described.
The irregular user organization allocation table is an example of irregular user organization allocation information, and the ID management system DB 150 is also an example of an irregular user organization allocation information storage device.

The role assignment changing unit 107 performs the operation described in the first embodiment and updates the non-regular user organization assignment table.
For example, after performing the operation of FIG. 6, the role assignment changing unit 107 does not include the original organization ID of the ID changed organization table (FIG. 4) extracted in S <b> 101 and S <b> 102 of FIG. The normal user organization allocation table is searched, a duplicate of the searched non-regular user organization allocation table is generated, and the organization ID column of the duplicate non-regular user organization allocation table is also described in the new organization ID (ID changed organization table). New organization ID).
Then, the valid end date and time of the non-regular user organization assignment table in which the original organization ID is described is set as the final time of the current day (for example, March 31, 2010, 23:59:59).
Furthermore, the effective start date / time of the non-regular user organization assignment table in which the new organization ID is described is set to the effective start date / time described in the ID change organization table (for example, April 1, 2010, 0: 0: 0). The valid end date / time is the maximum date / time allowed in the system.
Then, the role assignment changing unit 107 stores in the ID management system DB 150 an irregular user organization assignment table in which the original organization ID is described and an irregular user organization assignment table in which the new organization ID is described.
By doing so, the role assignment changing unit 107 can update the non-regular user organization assignment table, and can eliminate the need for manual update.

  As described above, according to the present embodiment, since the non-regular user organization assignment table is also automatically updated, individual input settings at the time of organization reorganization become unnecessary, and the processing burden at the time of organization reorganization can be reduced.

Finally, a hardware configuration example of the ID management system 100 shown in the first and second embodiments will be described.
FIG. 8 is a diagram illustrating an example of hardware resources of the ID management system 100 illustrated in the first and second embodiments.
The configuration in FIG. 8 is merely an example of the hardware configuration of the ID management system 100, and the hardware configuration of the ID management system 100 is not limited to the configuration illustrated in FIG. Also good.

In FIG. 8, the ID management system 100 includes a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, an arithmetic unit, a microprocessor, a microcomputer, and a processor) that executes a program.
The CPU 911 is connected to, for example, a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903, and a magnetic disk device 920 via a bus 912. Control hardware devices.
Further, the CPU 911 may be connected to an FDD 904 (Flexible Disk Drive), a compact disk device 905 (CDD), a printer device 906, and a card reader device 907. Further, instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card (registered trademark) read / write device may be used.
The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device.
The ID management system DB 150 described in the first and second embodiments is realized by the RAM 914, the magnetic disk device 920, and the like.
A communication board 915, a keyboard 902, a mouse 903, a card reader device 907, an FDD 904, and the like are examples of input devices.
The communication board 915, the display device 901, the printer device 906, and the like are examples of output devices.

  As shown in FIG. 1, the communication board 915 is connected to a network. For example, the communication board 915 may be connected to the Internet, a WAN (Wide Area Network), a SAN (Storage Area Network), and the like in addition to the LAN.

The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924.
The programs in the program group 923 are executed by the CPU 911 using the operating system 921 and the window system 922.

The RAM 914 temporarily stores at least part of the operating system 921 program and application programs to be executed by the CPU 911.
The RAM 914 stores various data necessary for processing by the CPU 911.

The ROM 913 stores a BIOS (Basic Input Output System) program, and the magnetic disk device 920 stores a boot program.
When the ID management system 100 is started, the BIOS program in the ROM 913 and the boot program for the magnetic disk device 920 are executed, and the operating system 921 is started by the BIOS program and the boot program.

  The program group 923 stores programs that execute the functions described as “˜units” in the description of the first and second embodiments. The program is read and executed by the CPU 911.

In the file group 924, in the description of the first and second embodiments, “determination of”, “determination of”, “comparison of”, “generation of”, “update of”, and “setting of” are set. ”,“ Registration of ”,“ selection of ”,“ search for ”,“ extraction of ”, etc., information, data, signal values, variable values, and parameters indicating the results of the processing are“ It is stored as each item of "~ file" and "~ database".
The “˜file” and “˜database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for CPU operations such as calculation, processing, editing, output, printing, and display.
Information, data, signal values, variable values, and parameters are stored in the main memory, registers, cache memory, and buffers during the CPU operations of extraction, search, reference, comparison, calculation, processing, editing, output, printing, and display. It is temporarily stored in a memory or the like.
In addition, the arrows in the flowcharts described in the first and second embodiments mainly indicate input / output of data and signals, and the data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic field. Recording is performed on a recording medium such as a magnetic disk of the disk device 920, other optical disks, mini disks, DVDs, and the like. Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

  In addition, what is described as “˜unit” in the description of the first and second embodiments may be “˜circuit”, “˜device”, “˜device”, and “˜step”, It may be “˜procedure” or “˜processing”. That is, what is described as “˜unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “to part” in the first and second embodiments. Alternatively, the computer executes the procedure and method of “to unit” in the first and second embodiments.

  As described above, the ID management system 100 according to the first and second embodiments includes a CPU as a processing device, a memory as a storage device, a magnetic disk, a keyboard as an input device, a mouse, a communication board, a display device as an output device, and a communication device. A computer including a board or the like, and implements the functions indicated as “to part” as described above using these processing devices, storage devices, input devices, and output devices.

  100 ID management system, 101 control unit, 102 communication unit, 103 input / output unit, 104 organization change mapping information setting unit, 105 role setting unit, 106 allocation setting unit, 107 role allocation changing unit, 108 authority information output unit, 150 ID Management system DB, 200 display device, 210 keyboard, 300 LAN, 310 HR DB system, 320 user terminal device, 330 business system, 340 business system DB.

Claims (4)

A role assignment information storage device for storing role assignment information in which a role ID (Identification) that is an identifier of a role for which a specific system use authority is designated and an organization ID that is an identifier of an organization to which the role is assigned; ,
It is connected to an ID change information storage device that stores ID change information in which an organization ID before change, an organization ID after change, and a change date and time are described for an organization whose organization ID is changed at a predetermined date and time. An information processing apparatus,
An information extraction unit that extracts role assignment information in which the organization ID before change described in the ID change information is extracted from the role assignment information stored in the role assignment information storage device;
The role ID described in the role assignment information extracted by the information extraction unit and the changed organization ID described in the ID change information are described, and the change date and time described in the ID change information is described. New role assignment information that is valid in response to the above, and the existing role assignment information in which the organization ID before change described in the ID change information is described is changed at the change date and time described in the ID change information. An information processing apparatus comprising: an information management unit configured to be invalidated. The information processing apparatus includes:
A role assignment information storage device that stores role assignment information in which a role ID and a user ID that is an identifier of a user to which the role of the role ID is assigned are described;
Connected to an ID change information storage device for storing ID change information in which a user ID before change, a user ID after change, and a change date and time are described for a user whose user ID is changed at a predetermined date and time,
The information extraction unit includes:
Among the role assignment information stored in the role assignment information storage device, extract the role assignment information in which the user ID before the change described in the ID change information is described,
The information management unit
The role ID described in the role assignment information extracted by the information extraction unit and the changed user ID described in the ID change information are described, and the change date and time described in the ID change information New role assignment information that is valid in response to this, and the existing role assignment information in which the user ID before the change described in the ID change information is described is changed at the change date and time described in the ID change information. The information processing apparatus according to claim 1, wherein the information processing apparatus is invalidated. A role assignment information storage device for storing role assignment information in which a role ID (Identification) that is an identifier of a role for which a specific system use authority is designated and an organization ID that is an identifier of an organization to which the role is assigned; ,
It is connected to an ID change information storage device that stores ID change information in which an organization ID before change, an organization ID after change, and a change date and time are described for an organization whose organization ID is changed at a predetermined date and time. On the computer,
Information extraction processing for extracting role assignment information in which the organization ID before change described in the ID change information is extracted from the role assignment information stored in the role assignment information storage device;
The role ID described in the role assignment information extracted by the information extraction process and the changed organization ID described in the ID change information are described, and the change date and time described in the ID change information are described. New role assignment information that is valid in response to the above, and the existing role assignment information in which the organization ID before change described in the ID change information is described is changed at the change date and time described in the ID change information. A program characterized by causing information management processing to be invalidated to be executed. The information processing apparatus includes:
Stores non-regular user organization allocation information in which an organization ID, which is an organization identifier, is associated with an irregular user ID, which is an identifier of an unauthorized user who is related to the organization but does not belong to the organization. Connected to the non-regular user organization allocation information storage device,
The information management unit
Correspondence between the organization ID before the change described in the ID change information, the non-regular user ID associated in the non-regular user organization allocation information, and the organization ID after the change described in the ID change information Generated, new non-regular user organization allocation information that becomes valid at the change date and time described in the ID change information,
The existing non-regular user organization allocation information in which the organization ID before the change described in the ID change information is described is invalidated at the change date and time described in the ID change information. The information processing apparatus according to claim 1 or 2.

Images