JP2012160104A - Information sharing system, information sharing method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information sharing system, an information sharing method, and a program that enable rational access to a past article, and thereafter enable improvement of information security.SOLUTION: Article input means inputs an article posted to a first group. Disclosure range determination means determines a second group to which a user belonging to the first group as a post destination of the input article belongs as a disclosure range of the article. Access request input means inputs an access request to the article. Access propriety determination means determines access propriety of a user as a request source of the access request to the article as a target of the input access request based on group information stored in group information storage means, user information stored in user information storage means, and the disclosure range of the article.

Description

  Embodiments described herein relate generally to an information sharing system, an information sharing method, and a program for sharing an article posted to a group among a plurality of users belonging to the group.

  In recent years, users participating in (registering) certain “places” such as tasks and communities in electronic bulletin boards (BBS) and mailing lists, categories in document management systems, etc., browse information such as files and articles registered on the spot.・ Information sharing systems with functions that can be shared are known. This “place” is called a group for convenience.

  When this information sharing system is used in, for example, a company, a user participating in a group (hereinafter referred to as a member of the group) has been registered with the group since, or belongs to which department (department). Regardless of whether or not, articles in the group can be viewed without limitation.

  However, the fact that the members of the group can browse all the articles without limitation in this case may be an information security problem in a company or the like. In such a case, it is necessary to create a new group with newly registered members, or to dismiss some members in consideration of whether each article can be viewed (that is, accessed). .

JP 2006-127126 A

  However, when creating a new group as described above, it is necessary to redo various settings (for example, change of URL or e-mail address), which imposes a burden on the majority of members registered in the group. Become. Therefore, it is troublesome to create a new group for such a situation, and it is often used as it is while knowing the risk.

  On the other hand, if the member is removed from the group as described above, the article posted in the past (that is, the article posted by the member) cannot be accessed. Also, articles that have been browsed before being removed from the group (that is, articles already known) cannot be accessed. In such a case, there is a case where the work of the member who is removed from the group may be hindered.

  Therefore, the problem to be solved by the present invention is to provide an information sharing system, an information sharing method, and a program capable of improving information security while enabling rational access to past articles. is there.

  According to the embodiment, an information sharing system capable of sharing an article posted to a first group among a plurality of users belonging to the first group is provided.

  The information sharing system according to the embodiment includes a group information storage unit, a user information storage unit, an article input unit, an article storage unit, a disclosure range determination unit, a disclosure range storage unit, an access request input unit, and an access And a determination unit for availability.

  The group information storage means stores group information indicating users belonging to the first group.

  The user information storage means stores user information indicating a second group different from the first group to which the user belongs.

  The article input means inputs an article posted to the first group by a user belonging to the first group.

  The article storage means stores the input article.

  The disclosure range determining means is a posting destination of an article stored in the article storage means based on user information stored in the user information storage means and group information stored in the group information storage means. A second group to which a user belonging to one group belongs is determined as the publication range of the article.

  The access request input means inputs an access request for the article when the user accesses the article stored in the article storage means.

  The access permission determination unit is configured to determine a target of the input access request based on the group information stored in the group information storage unit, the user information stored in the user information storage unit, and the determined disclosure range. It determines whether or not the user who is the request source of the access request for the article to be accessed can access.

The block diagram which shows the hardware constitutions of the information sharing system which concerns on embodiment. The block diagram which mainly shows the function structure of the information sharing system 30 shown in FIG. The figure which shows an example of the data structure of the group information storage part 221 contained in the storage part 22 shown in FIG. The figure which shows an example of the data structure of the user information storage part 222 contained in the storage part 22 shown in FIG. The figure which shows an example of the data structure of the department information storage part 223 contained in the storage part 22 shown in FIG. The flowchart which shows the process sequence of the article registration process performed in the information sharing system 30 which concerns on this embodiment. The figure for demonstrating concretely about the article registered into the article storage part 224. FIG. The figure for demonstrating concretely about the open range information registered into the open range storage part 225. FIG. The figure which shows notionally about the intermediate | middle option of the accessibility determination method. The figure for demonstrating concretely the intermediate | middle option of the 1st and 2nd access permission determination method. The flowchart which shows the process sequence of the access permission determination processing performed in the information sharing system 30 which concerns on this embodiment. The flowchart which shows the process sequence of a 2nd access permission determination process. The figure for demonstrating concretely the determination process of accessibility.

  Hereinafter, embodiments will be described with reference to the drawings.

  FIG. 1 is a block diagram showing a hardware configuration of the information sharing system according to the present embodiment. As shown in FIG. 1, the computer 10 is connected to an external storage device 20 such as a hard disk drive (HDD). The external storage device 20 stores a program 21 executed by the computer 10. The computer 10 and the external storage device 20 constitute an information sharing system 30.

  According to the information sharing system 30, articles posted to a certain group (group in the information sharing system 30) can be shared among a plurality of users belonging to the group. Although omitted in FIG. 1, the information sharing system 30 is connected to a plurality of user terminals used by each of a plurality of users who use the information sharing system 30.

  Here, the information sharing system 30 according to the present embodiment will be described as being used in a company, for example. In this case, the users who use the information sharing system 30 (hereinafter simply referred to as users) include employees in the company. In addition to the group in the information sharing system 30 described above, the user belongs to a group (group in a company) divided from different viewpoints. The group in this company includes departments or sections established in the company. Hereinafter, a group in the information sharing system 30 is simply referred to as a group, and a group in a company such as a department or section is simply referred to as a department.

  FIG. 2 is a block diagram mainly showing a functional configuration of the information sharing system 30 shown in FIG. As illustrated in FIG. 2, the information sharing system 30 includes an article posting unit 31, an article registration unit 32, an article content analysis unit 33, a disclosure range determination unit 34, a disclosure range registration unit 35, an article browsing / editing unit 36, and article acquisition. A unit 37, an access permission determination unit 38, and an access control unit 39. In the present embodiment, these units 31 to 39 are realized by the computer 10 illustrated in FIG. 1 executing the program 21 stored in the external storage device 20. This program 21 can be stored in advance in a computer-readable storage medium and distributed. Further, this program 21 may be downloaded to the computer 10 via, for example, a network.

  The information sharing system 30 includes a storage unit 22. In the present embodiment, the storage unit 22 is stored in, for example, the external storage device 20 illustrated in FIG. The storage unit 22 includes a group information storage unit 221, a user information storage unit 222, a department information storage unit 223, an article storage unit 224, and a disclosure range storage unit 225.

  The group information storage unit 221 stores group information indicating users (each) belonging to the group for each group (first group).

  The user information storage unit 222 stores, for each user, user information indicating a department (second group) to which the user belongs.

  In the department information storage unit 223, information related to the department to which the user belongs (hereinafter referred to as department information) is stored.

  The article posting unit 31 inputs an article posted by the user, for example, in response to a user operation on the user terminal. The article input by the article posting unit 31 includes, for example, information indicating a group in which the article is posted (hereinafter referred to as a posting destination group).

  The article registration unit 32 stores the article input by the article posting unit 31 in the article storage unit 224.

  The article content analysis unit 33 acquires the article stored in the article storage unit 224 by the article registration unit 32 from the article storage unit 224. The article content analysis unit 33 analyzes the article acquired from the article storage unit 224.

  Based on the analysis result of the article by the article content analysis unit 33, the publication range determination unit 34 determines whether the article includes information (for example, a character string) that indicates the publication range of the article.

  When it is determined that the information indicating the publication range of the article is included, the publication range determination unit 34 determines the section to which each of the users belonging to the posting group of the article belongs to the publication range (accessible of the article). Range).

  The disclosure range registration unit 35 stores the disclosure range by associating the disclosure range information indicating the section determined as the disclosure range of the article by the disclosure range determination unit 34 with the article ID (article identification information) for identifying the article. Register (store) in the unit 225.

  The article browsing / editing unit 36 inputs a request for browsing or editing an article stored in the article storage unit 224 (hereinafter referred to as an access request) in accordance with a user operation on the user terminal. In the access request input by the article browsing / editing unit 36, an article ID (article identification information) for identifying the article that is the target of the access request and the user who is the request source of the access request are identified. User ID (user identification information) is included.

  The article acquisition unit 37 acquires an article identified by the article ID included in the access request input by the article browsing / editing unit 36 from the article storage unit 224.

  The access permission determination unit 38 includes group information stored in the group information storage unit 221, user information stored in the user information storage unit 222, department information stored in the section information storage unit 223, and disclosure range storage unit. Based on the disclosure range information stored in 225 and the article acquired by the article acquisition unit 37, the access request for the article identified by the article ID included in the access request input by the article browsing / editing unit 36 Access permission (that is, permission or denial) of the user identified by the included user ID is determined. The access permission determination unit 38 determines whether or not access is possible based on a set access right takeover level among a plurality of predetermined access right takeover levels to be described later.

  In addition, when permission is determined by the access permission determination unit 38 as access permission, the user identified by the user ID included in the access request is an article acquired by the article acquisition unit 37 by operating a user terminal, for example. In other words, it is possible to browse or edit the article (the article identified by the article ID included in the access request). On the other hand, when the access permission determination unit 38 determines that access is denied, the user identified by the user ID included in the access request cannot browse or edit the article acquired by the article acquisition unit 37. .

  The access control unit 39 has a function of controlling processing of the information sharing system 30 (each unit 31 to 38 included therein).

  FIG. 3 shows an example of the data structure of the group information storage unit 221 included in the storage unit 22 shown in FIG. As described above, the group information storage unit 221 stores group information indicating users belonging to the group for each group.

  As shown in FIG. 3, the group information stored in the group information storage unit 221 includes a group name, a user ID, a registration date, and a registration stop date (information indicating) in association with each other. The group name represents a group (name). In the present embodiment, the group name corresponds to an identifier for identifying the group. The user ID (user name) is an identifier for identifying users belonging to the group represented by the group name. The registration date indicates the date when the user identified by the user ID is registered (participated) in the group indicated by the group name. The deregistration date indicates the date on which the registration to the group indicated by the group name of the user identified by the user ID is canceled (stopped).

  In the example illustrated in FIG. 3, the group information storage unit 221 stores a plurality of group information including group information 221a to 221f.

  The group information 221a stored in the group information storage unit 221 includes a group name “product X project”, a user ID “A”, a registration date “2008-10-01”, and a deregistration date “2009-10-01”. Is included in association. According to this group information 221a, the user identified by the user ID “A” belongs to the group represented by the group name “product X project”. It is shown that the group is registered and the registration to the group is canceled on October 1, 2009.

  The group information 221b stored in the group information storage unit 221 includes a group name “product X project”, a user ID “B”, and a registration date “2008-10-01” in association with each other. According to this group information 221b, the user identified by the user ID “B” belongs to the group represented by the group name “product X project”. It shows that you have registered with the group. Note that the deregistration date (column) included in the group information 221b is blank (that is, a NULL value). This is because the user identified by the user ID “B” is represented by the group name “product X project”. It shows that it still belongs to the group.

  Here, for the sake of convenience, only the group information 221a and 221b have been described. However, the same applies to other group information including the group information 221c to 221f, and detailed description thereof will be omitted.

  The group information storage unit 221 (group information stored in the group information storage unit 221) is updated as appropriate when a new user is registered in the group or when the user is unregistered from the group.

  FIG. 4 shows an example of the data structure of the user information storage unit 222 included in the storage unit 22 shown in FIG. As described above, the user information storage unit 222 stores, for each user, user information indicating a department (affiliation department) to which the user belongs.

  As shown in FIG. 4, the user information stored in the user information storage unit 222 includes a user ID, a department name (affiliation department name), a title (name), a department registration date, and a department end date (information indicating). Include in association. The user ID is an identifier for identifying the user. The department name represents the department name to which the user identified by the user ID belongs. The title indicates the title (for example, chief, section manager, or department manager) in the department (namely, the department to which the user belongs) indicated by the department name of the user identified by the user ID. The division registration date indicates the date when the user identified by the user ID is registered in the division indicated by the division name. The division end date indicates the date on which the registration to the division indicated by the name of the division identified by the user ID is canceled (that is, the date when the division transferred to another division).

  In the example shown in FIG. 4, the user information storage unit 222 stores a plurality of user information including user information 222 a to 222 g.

  The user information 222a stored in the user information storage unit 222 includes a user ID “A”, a department name “first development department”, a department registration date “2008-04-01”, and a department end date “2009-08-”. 31 ”is included in association with each other. According to this user information 222a, the user identified by the user ID “A” belongs to the department represented by the department name “first development department” from April 1, 2008 to August 31, 2009. It has been shown. When the user identified by the user ID “A” does not have a special title, the title (column) is blank as in the user information 222a.

  Further, the user information 221d stored in the user information storage unit 222 corresponds to the user ID “C”, the department name “second development department”, the title “lead”, and the department registration date “2008-04-01”. It is included. According to this user information 222d, the user identified by the user “C” belongs to the department represented by the department name “second development department” from April 1, 2008, and the title of the user is the supervisor. It is shown that there is. The section end date (column) included in the user information 221d is blank. This is because the user identified by the user ID “C” is currently assigned to the section represented by the section name “second development department”. It also shows that it belongs continuously.

  Here, for the sake of convenience, only the user information 222a and 222d has been described. However, the same applies to other group information including the user information 222b, 222c, and 222e to 222g, and thus detailed description thereof is omitted.

  The user information storage unit 221 (user information stored in the user information storage unit 221) is appropriately updated when a change is made to the department to which the user belongs. As shown in the user information 222d and 222f, even if the department to which the user belongs (that is, the department name) is the same, if the job title is changed, it is stored in the user information storage unit 222 as different user information.

  FIG. 5 shows an example of the data structure of the department information storage unit 223 included in the storage unit 22 shown in FIG. In the division information storage unit 223, division information (information on the division) is stored for each division.

  As shown in FIG. 5, the division information stored in the division information storage unit 223 includes a division name, an installation date, an abolition date, and a transition destination (information indicating). The division name represents the (name) of the division set in the company. The installation date indicates the date on which the department represented by the department name was installed. The abolition date indicates the date on which the department represented by the department name was abolished. The transition destination indicates which section is to be treated after the section is abolished, for example, by the rename or consolidation of the section represented by the section name.

  In the example illustrated in FIG. 5, the department information storage unit 223 stores a plurality of department information including the department information 223 a to 223 d.

  The department information 223a stored in the department information storage 223 includes the department name “first development department” and the installation date “2006-04-01” in association with each other. According to the section information 223a, it is indicated that the section represented by the section name “first development department” was established on April 1, 2006. If the department represented by the department name “first development department” still exists, the abolition date and the transfer destination field are blank as in the department information 223a.

  Further, the department information 223b stored in the department information storage unit 223 includes a department name “product planning department”, an installation date “2005-04-01”, an abolition date “2006-03-31”, and a transition destination “No. One product planning department "is included. According to the department information 223b, the department represented by the department name “first product planning department” was established on April 1, 2005 and was abolished on March 31, 2006. It is shown that it is treated as a department (that is, moved to the first product planning department).

  Here, for convenience, only the section information 223a and 223b has been described. However, the same applies to other section information including the section information 223c and 223d, and thus detailed description thereof is omitted.

  Here, the operation of the information sharing system 30 according to the present embodiment will be described. In the information sharing system 30, a process for registering an article posted by a user (hereinafter referred to as an article registration process) and a process for determining whether or not an access from the user can be performed in response to an access request from the user (hereinafter referred to as an article sharing process) (Denoted as accessibility determination processing). Hereinafter, each of these processes will be described.

  First, with reference to the flowchart of FIG. 6, the process procedure of the article registration process performed in the information sharing system 30 according to the present embodiment will be described.

  The article registration process is executed when an article is posted from a user terminal connected to the information sharing system 30.

  In this case, the article posting unit 31 inputs (receives) an article posted by the user (hereinafter referred to as a posted article) from the user terminal in accordance with a user operation on the user terminal (step S1). The posted article input by the article posting unit 31 includes information indicating a posting destination group of an article in which the posted article is posted (for example, a posting destination group name) and information indicating a user who has posted the posted article (for example, Contributor ID) and the like. The article posting unit 31 passes the input posted article to the article registration unit 32 via the access control unit 39, for example.

  The article registration unit 32 registers the posted article passed from the article posting unit 31 in the article storage unit 224 (step S3). At this time, the article registration unit 32 registers the posted article in the article storage unit 224 only when the user who posted the posted article passed from the article posting unit 31 belongs to the posting destination group of the posted article. . That is, when the user who posted the posted article does not belong to the posting destination group of the posted article, the posting is rejected, and the posted article is not registered in the article storage unit 224. If the posted article is not registered in this way, the article registration process is terminated. Note that such processing in step S3 includes group information stored in the group information storage unit 221, information indicating the posting destination group of the posted article included in the posted article, and information indicating the user who posted the posted article. Based on.

  Here, an article registered in the article storage unit 224 will be described in detail with reference to FIG. FIG. 7 shows an example of the data structure of the article storage unit 224. The article storage unit 224 stores articles posted by the user.

  As shown in FIG. 7, the articles stored in the article storage unit 224 correspond to the article ID, the posting group name, the parent article ID, the posting date, the poster, the title, the text, and the attached material (information indicating). Including.

  The article ID is an identifier for identifying an article. The posting destination group name represents the posting destination group (name) of the article identified by the article ID. The posting date indicates the date when the article identified by the article ID is posted (the date registered in the article storage unit 224). The poster ID is an identifier (user ID) for identifying the user (poster) who posted the article identified by the article ID. The title is the title of the article identified by the article ID. The text is the text of the article identified by the article ID. The attached material is an attached material (attached file) attached to the article identified by the article ID.

  Of the various types of information included in the articles stored in the article storage unit 224, the posting group name, posting date, contributor ID, title, text, and attached material are input by the article posting unit 31. This information is already included in the article. On the other hand, among various information included in the article, the article ID is information added to the article by the article registration unit 32 when the posted article is registered in the article storage unit 224.

  In the example illustrated in FIG. 7, the article storage unit 224 stores (registers) a plurality of articles including articles 224a to 224i.

  The article 224a stored in the article storage unit 224 includes an article ID “1001”, a posting destination group name “product X project”, a posting date “2009-01-10”, a contributor ID “B”, and a title “title”. 1 ”and the text“ Text 1 ”are associated with each other. This article 224a indicates that the article identified by the article ID “1001” was posted on the posting destination group “Product X Project” by the user “B” on January 10, 2009. . The posting group “product X project” is a group represented by the posting group “product X project”, and the user “B” is a user identified by the poster ID “B”. The same applies to other cases. Further, according to the article 224a, it is indicated that the title of the article identified by the article ID “1001” is “title 1” and the text of the article is “text 1”. If there is no attached material in the article identified by the article ID “1001”, the attached material (column) is blank as shown in the article 224a.

  The article 224d stored in the article storage unit 224 includes an article ID “1004”, a posting destination group name “product X project”, a posting date “2009-02-10”, a contributor ID “B”, a title “Title 4”, the text “Text 4” and the attached document “Declaration Form” are included in association with each other. This article 224d indicates that the article identified by the article ID “1004” was posted on the posting destination group “Product X Project” by the user “B” on February 10, 2009. . In addition, the title of the article identified by the article ID “1004” is “title 4”, the text of the article is “text 4”, and the attached material of the article is “approval”. ing.

  Here, for the sake of convenience, only the articles 224a and 224d have been described, but the same applies to other articles including the articles 224b, 224c, and 224e to 224i, and thus detailed description thereof is omitted.

  Returning to FIG. 6 again, the article content analysis unit 33 acquires the posted article registered in the article storage unit 224 by the article registration unit 32 from the article storage unit 224. The article content analysis unit 33 analyzes the acquired posted article (step S3). The posted article acquired by the article content analysis unit 33 includes various information described with reference to FIG. The article content analysis unit 33 passes the analysis result of the posted article to the disclosure range determination unit 34.

  The disclosure range determination unit 34 refers to the analysis result of the posted article passed from the article content analysis unit 33, and information (for example, an identifier indicating the disclosure range) indicating the disclosure range of the posted article is included in the posted article. It is determined whether or not it is included. Thereby, the disclosure range determination unit 34 determines whether or not the disclosure range of the posted article is specified (step S4). That is, when registering a posted article in the article storage unit 224, the disclosure range determination unit 34 determines whether or not a disclosure range is set based on the content of the posted article.

  For example, layout information analysis and character string matching can be used for this determination algorithm. Specifically, when a character string such as “(Secret)” is included at the beginning of the posted article, or for example, in the footer information of a document file (attached material) attached to the posted article, “confidential” When a character string such as “” is included, it is determined that the posting range of the posted article is specified.

  When it is determined that the posting range of the posted article is specified (YES in step S4), the publishing range determining unit 34 is a user belonging to the group (posting group) represented by the posting group name included in the posted article. (Hereinafter referred to as a member of the posting destination group) is specified (step S5). Specifically, based on the group information stored in the group information storage unit 221, the disclosure range determination unit 34 associates the group information with the posting destination group name (that is, the group name) included in the posted article. Is identified as a member of the posting destination group.

  Next, the disclosure range determination unit 34 specifies the minimum group set that includes the members of the specified posting destination group (step S6). Specifically, based on the user information stored in the user information storage unit 222, the disclosure range determination unit 34 associates the user ID specified in step S5 with the department name included in the user information. That is, the set of departments to which the members of the posting destination group belong is specified as the minimum group of departments that include the members of the posting destination group.

  The disclosure range determination unit 34 determines the section name (set thereof) identified in step S6 as the disclosure range of the posted article (step S7). In this way, the disclosure range determination unit 34 determines the disclosure range from the department to which the member of the posting destination group belongs.

  Note that the disclosure range determination unit 34 generates disclosure range information including the department name determined as the disclosure range of the posted article.

  The disclosure range registration unit 35 registers (stores) the disclosure range information generated by the disclosure range determination unit 34 in the disclosure range storage unit 225 (step S8). When the process of step S8 is executed, the article registration process is terminated.

  Here, with reference to FIG. 8, the disclosure range information registered in the disclosure range storage unit 225 will be specifically described. FIG. 8 shows an example of the data structure of the disclosure range storage unit 225. The public range storage unit 225 stores public range information indicating the public range of the article in association with the article ID for identifying the article (posted article).

  As shown in FIG. 8, the disclosure range information stored in the disclosure range storage unit 225 includes the registration date and the section name (information indicating) in association with each other as described above. The posting date indicates the date (the date registered in the article storage unit 224) when the article identified by the associated article ID is posted. This posting date is the same as the posting date included in the article identified by the associated article ID. The department name is the department name determined by the disclosure range determination unit 34 as the disclosure range of the article identified by the article ID.

  In the example illustrated in FIG. 8, the disclosure range storage unit 225 stores (registers) a plurality of disclosure range information including disclosure range information 225 a to 225 e.

  The publication range information 225a stored in the publication range storage unit 225 in association with the article ID “1004” includes the posting date “2009-02-10” and the department name “first development department” in association with each other. ing. According to the disclosure range information 225a, the date on which the article identified by the article ID “1004” is posted is February 10, 2009, and the disclosure range of the article belongs to the section “first development department” ( User).

  Further, the posting date “2009-10-10” and the department name “first sales department” are associated with the disclosure range information 225e stored in the disclosure range storage unit 225 in association with the article ID “1007”. include. According to the disclosure range information 225e, the date on which the article identified by the article ID “1007” is posted is October 10, 2009, and the disclosure range of the article belongs to the section “first sales department” ( User).

  Here, for the sake of convenience, only the disclosure range information 225a and 225e has been described. However, since the same applies to other disclosure range information including the disclosure range information 225b to 225d, detailed description thereof will be omitted.

  Note that the disclosure range information 225a to 225c illustrated in FIG. 8 indicates the disclosure range of the article identified by the article ID “1004”. Also, the disclosure range information 225d and 225e illustrated in FIG. 8 indicates the disclosure range of the article identified by the article ID “1007”.

  Returning to FIG. 6 again, if it is determined in step S4 that the published range of the posted article is not specified, the published range determining unit 34 sets the published range of the posted article as a whole (step S9). In this case, the disclosure range information indicating all as the disclosure range of the posted article is generated by the disclosure range determination unit 34, and the process of step S8 described above is executed.

  As described above, according to the article registration process, each time an article is posted by the user, the posted article (posted article) is registered in the article storage unit 224, and further, a publication range indicating a publication range of the posted article. Information is registered in the disclosure range storage unit 225.

  Next, an access permission determination process executed in the information sharing system 30 according to the present embodiment will be described. As described above, in the access permission determination process, it is determined whether or not the user can access in response to an access request from the user.

  There are a plurality of methods (hereinafter referred to as “accessibility determination method”) for determining the access permission performed in the access permission determination processing. For example, in a system in which articles are posted to a group, in general, “anybody can access any article posted to any group”, “any article posted to any group” “A user who uses the system can access” and “an article posted to a group can be accessed by a member (user) registered in the group” can be considered.

  In the information sharing system 30 according to the present embodiment, “an article posted to a group can be accessed if it is a member registered in the group” is applied as an access permission determination method.

  Here, when “an article posted to a group can be accessed if it is a member registered in the group”, as an access permission determination method applied to a member registered in the group in the past, For example, “Even if the registration to the group is canceled, it is possible to access articles posted within the period that was registered in the group (that is, belonged)” and “ Further consideration is that after the registration is canceled, all articles cannot be accessed ".

  In this embodiment, even after the registration to the group is canceled, the articles can be accessed if they are posted within the period registered in the group, and the registration to the group is canceled. Of the two access permission determination methods “cannot access all articles after being performed”, one of the access permission determination methods set by the administrator of the information sharing system 30, for example, has been registered in the group in the past Shall apply.

  On the other hand, when “an article posted to a group can be accessed if it is a member registered in the group”, a member currently registered in the group (that is, currently belonging to the group) As an access permission determination method applied in this way, for example, “if an article is posted to the group regardless of the registration period to the group, it can be accessed (that is, an article of all periods can be accessed)” and “the group It is further conceivable that the article can be accessed if it is posted within the period registered in (that is, only articles within the group registration period can be accessed).

  In the present embodiment, as shown in FIG. 9, this “access is possible if the article is posted to the group regardless of the registration period (registration date) to the group” and “the period registered in the group An intermediate option of the two accessibility determination methods “accessible if the article is posted within” is given to a user (for example, an administrator) of the information sharing system 30. As shown in FIG. 9, the access permission determination method “accessible if the article is posted to the group regardless of the registration period for the group” is the easiest access permission determination method in this case. On the other hand, the access permission determination method “accessible if the article is posted within the period registered in the group” is the strictest access permission determination method in this case.

  Hereinafter, for convenience, the first access permission determination method, “registered in the group,” is referred to as the access permission determination method “accessible if the article is posted to the group regardless of the registration period of the group”. The access permission determination method “accessible if the article is posted within the period” is referred to as a second access permission determination method.

  Hereinafter, with reference to FIG. 10, an intermediate option of the first and second accessibility determination methods will be specifically described.

  FIG. 10 shows a period in which, for example, users A to C are registered in a certain group (group registration period for users A to C). In the example shown in FIG. 10, the group registration period of the user A is a period from t1 to t2. The group registration period for user B is a period from t3 to t4. The group registration period of user C is a period from t5 to the present. Here, it is assumed that the user C currently registered in the group accesses an article posted in the group. Note that the users A to C belong to the department M, for example.

  Here, as an intermediate option for the first and second access determination methods, a plurality of access right takeover levels for determining whether or not a user can access an article is prepared in advance. Each of the plurality of access right takeover levels represents, for example, a range of accessible articles corresponding to the takeover level. Here, it is assumed that the takeover levels of a plurality of access rights include the first to sixth takeover levels.

  It is assumed that the first takeover level is “accessible articles of all periods”. In the example shown in FIG. 10, when the first takeover level is applied, the user C can access articles posted to the group in all the periods from t0 to the present. This first takeover level corresponds to the easiest access permission determination method shown in FIG.

  The second takeover level is assumed to be “accessible from the time when the user of the division M (the division to which the user C belongs) is first registered”. Here, the user who is the user of the division M and is first registered in the group is the user A. Therefore, when the second takeover level is applied in the example shown in FIG. 10, the user C posts to the group during the period from t1 when the user A belonging to the division M is registered in the group to the present. Access to published articles.

  The third handover level is assumed to be “accessible only during the period in which the user of the division M (the division to which the user C belongs) is registered”. In the example shown in FIG. 10, when the third takeover level is applied, the user C has a period from t1 to t2, during which the users A to C belonging to the division M are registered in the group, from t3. It is possible to access articles posted to the group during the period from t4 to t4 and the period from t5 to the present.

  The fourth takeover level is “similar to the third takeover level basically. However, if the post (the position in the user's C department M) is a certain level or higher (for example, the section manager or higher), It is assumed that In other words, when the fourth handover level is applied, if the position of the user C is not higher than a certain level, it is the same as when the third handover level is applied. The same as when the second takeover level is applied.

  The fifth takeover level is “accessible only during a period in which the users of the department M up to N (the department to which the user C belongs) are registered”. Here, assuming that N = 1, out of the users belonging to the division M, the user C is one user B. In this case, when the fifth takeover level is applied in the example shown in FIG. 10, the user C registers the period from t3 to t4 when the user B is registered in the group and the user C registers in the group. It is possible to access articles posted to the group during the period from t5 to the present.

  The sixth takeover level is assumed to be “accessible only during a registered period”. In the example shown in FIG. 10, when the sixth takeover level is applied, the user C accesses an article posted to the group during a period from t5 when the user C is registered in the group to the present. can do. This sixth takeover level corresponds to the strictest access permission determination method shown in FIG. 9 described above.

  For example, the administrator of the information sharing system 30 can set in advance any one of the first to sixth takeover levels (desired takeover level) in the information sharing system 30.

  Here, with reference to the flowchart of FIG. 11, the process procedure of the access permission determination process performed in the information sharing system 30 which concerns on this embodiment is demonstrated. The accessibility determination process can be executed uniformly in accordance with the processing procedure described here regardless of which of the first to sixth takeover levels described above is set.

  First, the article browsing / editing unit 36 inputs (receives) an access request for an article stored in the article storage unit 224 in accordance with a user operation on the user terminal (step S11). This access request includes an article ID for identifying the article that is the target of the access request and a user ID for identifying the user who is the request source of the access request. The article browsing / editing unit 36 passes the input access request to the article acquisition unit 37 via the access control unit 39, for example.

  The article acquisition unit 37 stores an article identified by the article ID included in the access request passed from the article browsing / editing unit 36, that is, an article including the article ID (hereinafter referred to as an access target article). Obtained from the unit 224 (step S12). The article acquisition unit 37 passes the acquired access target article and access request to the access permission determination unit 38.

  Next, the access permission determination unit 38 refers to the group information storage unit 221, and the user identified by the user ID included in the access request (hereinafter referred to as an access user) is determined by the article ID included in the access request. It is determined whether or not the identified article (that is, the access target article) is a member of the posting destination group (that is, it belongs to the posting destination group) (step S13).

  Here, when group information including the posting destination group name included in the access target article passed from the article acquisition unit 37 and the user ID included in the access request is referred to as corresponding group information, in step S13 If the corresponding group information exists in the group information storage unit 221 in which the registration cancellation date is blank (that is, the registration is not cancelled), it is determined that the access user is a member of the posting destination group. On the other hand, if the corresponding group information whose registration cancellation date is blank does not exist in the group information storage unit 221, it is determined that the access user is not a member of the posting destination group.

  When it is determined that the access user is not a member of the posting destination group (NO in step S13), the access permission determination unit 38 refers to the group information storage unit 221 and the access user is a past member of the posting destination group. It is determined whether or not (step S14).

  In this step S14, if the group information storage unit 221 has the corresponding group information in which the registration cancellation date is not blank (that is, it was a member of the posting destination group but has been canceled), the access user Is determined to be a past member of the posting group. On the other hand, when the corresponding group information whose registration cancellation date is not blank does not exist in the group information storage unit 221, it is determined that the access user is not a past member of the posting group.

  When it is determined that the access user is a past member of the posting group (YES in step S14), the access permission determination unit 38 determines that the access user is a member of the posting group (a corresponding period). It is determined whether an access target article has been posted (that is, the access target article is an article within the corresponding period) (step S15).

  In this step S15, when the posting date included in the access target article is within the period from the registration date included in the group information to the deregistration date (that is, the registration period), the access target article is within the corresponding period. Is determined to have been posted. On the other hand, when the posting date included in the access target article is not within the period from the registration date included in the corresponding group information to the deregistration date, it is determined that the access target article has not been posted within the corresponding period.

  When it is determined that the access target article has been posted within the corresponding period (YES in step S15), the access permission determination unit 38 accesses the access target article (article identified by the article ID included in the access request) ( A process (hereinafter referred to as a first access permission determination process) for determining whether or not access (permission or rejection) of the user identified by the user ID included in the access request is executed (step S16).

  The first access permission determination process is executed based on an access permission determination method that is set by the administrator of the information sharing system 30 and is applied to members that have been registered in the group in the past. Here, as described above, the access permission determination method applied to the members registered in the group in the past can be expressed as “even if registration to the group is canceled, If the article is posted within a certain period, it can be accessed "and" All articles cannot be accessed after being removed from the group ".

  In this case, the administrator of the information sharing system 30 sets “accessible if the article is posted within the period registered in the group even after the registration in the group is canceled”. In the first access permission determination process, permission is determined as the access permission of the access user for the access target article.

  On the other hand, when the administrator of the information sharing system 30 has set “cannot access all articles after the registration to the group is canceled”, the first access permission determination process determines the access target article. Denial is determined as whether the access user can access.

  When the process of step S16 is executed, the access permission (permission or rejection) determined in the first access permission determination process is output (step S17). Here, when permission is output as access permission / prohibition, the access user can access (for example, view or edit) the article to be accessed. On the other hand, when the rejection is output as the access permission / prohibition, the access user cannot access the access target article.

  If it is determined in step S14 that the access user is not a past member of the posting destination group, or if it is determined in step S15 that the article to be accessed has not been posted within the corresponding period, the processing in step S17 Is executed. Here, rejection is output as access permission / inhibition.

  On the other hand, when it is determined in step S13 described above that the access user is a member of the posting destination group, the access permission determination unit 38 posts the access target article after the access user is registered in the posting destination group (that is, It is determined whether or not the article to be accessed is an article after registration (step S18).

  In this step S18, when the posting date included in the access target article is after the registration date included in the corresponding group information, it is determined that the access target article has been posted after the access user is registered in the posting destination group. . On the other hand, if the posting date included in the access target article is not after the registration date included in the corresponding group information (that is, before the registration date), the access target article is posted after the access user is registered in the posting destination group. It is determined that it has not been done.

  When it is determined that the access target article has not been posted after the access user has been registered in the posting destination group (NO in step S18), the access permission determination unit 38 determines the access target article (by the article ID included in the access request). A process of determining whether or not an access user (a user identified by a user ID included in the access request) is allowed to access (permitted or rejected) (hereinafter referred to as a second access permission determination process) is executed. (Step S19). In the second access permission determination process, for example, a section included in the disclosure range information based on the disclosure range information stored in the disclosure range storage unit 225 in association with the article ID for identifying the access target article. When the access user belongs to the department represented by the name, permission is determined as whether the access user can access the article to be accessed. Further, the second access permission determination process is executed based on the takeover level set by the administrator of the information sharing system 30 among the first to sixth takeover levels described above. Details of the second access permission determination process will be described later.

  When the process of step S19 is executed, the process of step S17 described above is executed. In step S17, the access permission determined in the second access permission determination process is output.

  If it is determined in step S18 described above that the access target article has been posted after the access user has been registered in the posting destination group, the process of step S17 is executed. Here, permission is output as accessibility.

  Next, a processing procedure of the second access permission determination process described above will be described with reference to the flowchart of FIG. In the second access permission determination process, when a user accesses information (articles) in the group, the access permission is determined by comparing the history of departments to which the user has belonged in the past and the disclosure range.

  First, the accessibility determination unit 38 determines the disclosure range information stored in the disclosure range storage unit 225 in association with the article ID included in the access request input in step S1 shown in FIG. Obtained from the storage unit 225 (step S21). The disclosure range information acquired here indicates the disclosure range of the access target article (article identified by the article ID included in the access request).

  Next, the access permission determination unit 38 acquires user information of an access user (a user identified by the user ID included in the access request) from the user information storage unit 222 (step S22). In this case, the access permission determination unit 38 acquires user information including a user ID for identifying an access user (that is, a user ID included in the access request).

  Based on the acquired user information and the section information stored in the section information storage section 223, the access permission / inhibition determining unit 38 determines the name of the section to which the access user belongs and the past section of the section (that is, the access user). The department name (list) representing the department to which the department belongs to is acquired (step S23). In this case, the accessibility determination unit 38 acquires the department name included in the user information acquired in step S22 as the department name representing the department to which the access user belongs. In addition, the access permission determination unit 38 acquires a section name included in the section information including the section name representing the section to which the access user belongs as the transfer destination as the section name representing the past section of the section to which the access user belongs. In addition, when the past department section exists further with respect to the past department section of the department section to which the access user belongs, the department name representing the department section is also acquired.

  The access permission determination unit 38 is a user who belongs to (or belongs to) at least one of the departments represented by the acquired department name and is a member of a group to which the article to be accessed is posted ( The registration period of the member other than the access user) in the posting destination group is specified (step S24). In this case, the access permission determination unit 38 specifies a user ID included in the user information in association with the acquired department name, and includes a group including the specified user ID and a post destination group name included in the access target article The period from the registration date to the deregistration date included in the information is specified as the registration period for the posting destination group.

  The access permission determination unit 38 includes intermediate output information that includes the acquired division name and the registration period of the user who belongs to (or belong to) the division represented by the division name in association with the posting destination group. Is generated (step S25).

  Next, the access permission determination unit 38 determines whether the access user can access the access target article based on the disclosure range information acquired in step S21 and the intermediate output information generated in step S25 (step S26). In this case, the access enable / disable determining unit 38 determines the access enable / disable according to the takeover level set by the administrator of the information sharing system 30 among the first to sixth takeover levels described above. In order to determine permission as access permission, at least the access user belongs to the department (or department after the department transferred) represented by the department name included in the disclosure range information acquired in step S21. Need to be. In other words, if the user exists in the department to which the member who can access the article at the time the article is registered, the access is permitted.

  That is, the accessibility determination unit 38 determines whether the division name included in the disclosure range information matches the division name included in the intermediate output information, and is associated with the division name for the registration period included in the intermediate output information. The access permission is determined according to whether or not the posting date included in the access target article corresponds to the takeover level (range represented by) set by the administrator.

  Here, with reference to FIG. 13, the access permission determination process in step S26 shown in FIG. 12 will be specifically described.

  Here, for example, it is assumed that users A to E exist as users registered (or registered) in the group “product X project”. It is assumed that user A belongs to the first development department and has been registered in the group “Product X Project” until October 2008 and October 2009. User B belongs to the second development department and is registered in the group “product X project” from October 2008 to the present. It is assumed that the user C belongs to the second development department as a chief and is registered in the group “Product X Project” from October 2008 to the present. User D belongs to the first sales department from October 2008 to April 2009, belongs to the first sales department from April 2009 to the present, and the group “ It is assumed that it is registered in “Product X Project”. Further, it is assumed that the user E belongs to the first development department and is registered in the group “product X project” from December 2009 to the present.

  Further, as shown in FIG. 13, it is assumed that an article identified by the article ID “1004” is posted within a period from October 2008 to April 2009. Further, it is assumed that an article identified by the article ID “1007” is posted within a period from October 2009 to December 2009. Here, assuming that the article identified by the article ID “1004” has a specified disclosure range, the disclosure section information indicating the publication range of the article identified by the article ID “1004” includes the department name “No. "Development Department", "Second Development Department" and "First Sales Department" are included. Further, if the article identified by the article ID “1007” has a specified disclosure range, the publication name indicating the publication range of the article identified by the article ID “1007” includes the department name “second development department”. And “First Sales Department”.

  Hereinafter, whether or not the user E currently registered in the group “product X project” accesses the article identified by the article ID “1004” and the article ID “1007” will be described with reference to the first to first items described above. The case where each of the 6 takeover levels is set will be specifically described.

  First, a case where the first takeover level is set will be described. As described above, the first takeover level is “accessible to articles of all periods”. In this case, the user E can access all articles posted to the group “product X project”. Therefore, permission is determined as whether or not the user E can access the article identified by the article ID “1004” and the article ID “1007”.

  Next, a case where the second takeover level is set will be described. The second takeover level is “readable from the time when the user of the division M is first registered”. Here, the department “first development department” to which the user E belongs corresponds to the department M. In addition, in October 2008, the user A who was first registered in the group “product X project” among the users belonging to the department “first development department” was registered in the group “product X project”. In this case, the user E can access articles posted after October 2008. Therefore, permission is determined as whether or not the user E can access the article identified by the article ID “1004” and the article ID “1007”.

  Next, a case where the third takeover level is set will be described. The third takeover level is “accessible only during the period in which the user of the division M is registered”. Here, the department “first development department” to which the user E belongs corresponds to the department M. Further, the period during which user A belonging to the department “first development department” is registered in the group “product X project” is from October 2008 to October 2009. The period during which the user E belonging to the department “first development department” is registered in the group “product X project” is from December 2009 to the present. In this case, the user E can access articles posted within the period from October 2008 to October 2009 and within the period from December 2009 to the present. Therefore, permission is determined as whether or not the user E can access the article identified by the article ID “1004”, but denial is determined as whether or not the user E can access the article identified by the article ID “1007”. The

  Next, a case where the fourth takeover level is set will be described. The fourth takeover level is “same as the third takeover level basically, but if the position is above a certain level, the second takeover level is set”. Here, the user E has no special title. Therefore, as in the case where the third takeover level is set, permission is determined as whether or not the user E can access the article identified by the article ID “1004”, but the permission is determined by the article ID “1007”. Denial is determined as whether or not the user E can access the article.

  Next, a case where the fifth takeover level is set will be described. The fifth takeover level is “accessible only during a period in which the users of the department M up to N people are registered”. Here, the department “first development department” to which the user E belongs corresponds to the department M. Further, the period during which user A belonging to the department “first development department” is registered in the group “product X project” is from October 2008 to October 2009. Here, assuming that N = 1, among users belonging to the subordinate “first development department”, one person of user E is user A. In this case, the user E is in the period from October 2008 to October 2009 when the previous user A is registered in the group “product X project” and the user E is in the group “product X project”. It is possible to access articles posted in the registered period from December 2009 to the present. Therefore, permission is determined as whether or not the user E can access the article identified by the article ID “1004”, but denial is determined as whether or not the user E can access the article identified by the article ID “1007”. The

  Finally, the case where the sixth takeover level is set will be described. The sixth takeover level is assumed to be “accessible only during a registered period”. Here, the period during which user E is registered in the group “product X project” is from December 2009 to the present. In this case, the user E can access articles posted within a period from December 2009 to the present. Therefore, refusal is determined as whether or not the user E can access the article identified by the article ID “1004” and the article ID “1007”.

  As described above, the result of accessibility is different depending on the takeover level set by the administrator of the information sharing system 30.

  As described above, in this embodiment, when an article is posted to the group by a user belonging to the group (first group) in the information sharing system 30, the department (second group) to which the user belonging to the group belongs. ) As the publication range of the article, and when an access request for the article is input, whether or not the user who is the request source of the access request for the article is accessible is determined based on the publication range of the article With the configuration, it is possible to improve information security while allowing rational access to past articles. That is, according to the present embodiment, the information sharing system 30 is automatically determined by determining the article disclosure range (access control) from the time when the article is posted and the state of the members of the community (group) at that time. Information security can be improved without degrading the work efficiency of organizations such as companies by performing necessary and sufficient access control on user transfer or new registration without causing group members to perform new work, etc. .

  In the present embodiment, the section name (set) of the members of the posting group is determined as the posting scope of the posting article. However, the posting of the posting article including the post of the member of the posting group is disclosed. It does not matter as a range. Thus, for example, in an article posted in a group or the like where only a user whose job title is a section manager or higher can be registered in the department "first development department", even a user belonging to the department "first development department" If the person is in charge (that is, the position is not higher than the section manager), the access can be denied.

  Further, in the present embodiment, it has been described that information necessary for the second access permission determination process described above is acquired and the access permission is determined after the intermediate output information is generated. There may be a configuration in which a process corresponding to the takeover level is performed after determining the takeover level set by the administrator at the start of the determination process. Briefly, for example, when the first takeover level is set, permission may be determined as access permission without executing special processing. When the second to fourth takeover levels are set, the section included in the disclosure range information stored in the disclosure range storage unit 225 in association with the article ID for identifying the access target article. It may be determined whether or not the access user belongs to the department represented by the name. In this case, if the access user belongs to the department represented by the department name included in the disclosure range information, permission is determined as access permission. On the other hand, if the access user does not belong to the department, access permission is determined. As rejected. If the fifth takeover level is set, a process similar to the process shown in FIG. 12 may be executed. In addition, when the sixth takeover level is set, since the access target article is an article posted after the access user registers in the group, if the denial is determined as access permission without executing special processing, Good.

  In the present embodiment, the group is uniquely identified by the group name. However, in an actual operation, for example, an email address or a group ID may be used as an identifier.

  In this embodiment, the section information stored in the section information storage section 223 includes a section (for example, the first development section) and a section (for example, the first development section, first section) positioned below it. Information indicating a hierarchical relationship may be included. Thereby, for example, when the section name “first development department first section” is included in the disclosure range information, the department “first department” located above the department “first development department first section” It is also possible to adopt a configuration that allows access to users belonging to the “development department”.

  In the present embodiment, the article stored in the article storage unit 224 may include the parent article ID. The parent article ID is an identifier for identifying the parent article of the article identified by the article ID included in the article. Here, the parent article is assumed to be an article that becomes, for example, a reply source (or reference source) of an article identified by an article ID. By including this parent article ID in the article, a relationship (parent-child relationship) between the article identified by the article ID and the article identified by the parent article ID can be expressed. Thereby, for example, it is possible to adopt a configuration in which the publication range of the article indicated by the publication range information is also applied to the parent (or child) article of the article.

  Further, the present invention is not limited to the above-described embodiments as they are, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment.

  DESCRIPTION OF SYMBOLS 10 ... Computer, 20 ... External storage device, 22 ... Storage part, 30 ... Information sharing system, 31 ... Article contribution part, 32 ... Article registration part, 33 ... Article content analysis part, 34 ... Publication range determination part, 35 ... Publication Range registration unit, 36 ... article browsing / editing unit, 37 ... article acquisition unit, 38 ... access permission determination unit, 39 ... access control unit, 221 ... group information storage unit, 222 ... user information storage unit, 223 ... department information storage 224 ... article storage unit 225 ... public range storage unit.

Claims (6)

In an information sharing system capable of sharing an article posted to a first group among a plurality of users belonging to the first group,
Group information storage means for storing group information indicating users belonging to the first group;
User information storage means for storing user information indicating a second group different from the first group to which the user belongs;
Article input means for inputting articles posted to the first group by users belonging to the first group;
Article storage means for storing the input article;
Based on the user information stored in the user information storage means and the group information stored in the group information storage means, users belonging to the first group that is the posting destination of the articles stored in the article storage means Publishing range determination means for deciding the second group to which the article belongs as the publishing range of the article;
An access request input means for inputting an access request for the article when the user accesses the article stored in the article storage means;
Based on the group information stored in the group information storage means, the user information stored in the user information storage means, and the determined disclosure range, the access to the article that is the target of the input access request An information sharing system comprising: access permission determination means for determining whether a user who is a request source can access.   When the article stored in the article storage means includes information indicating the publication range of the article, the disclosure range determination means is a second group to which each of the users belonging to the first group belongs. The information sharing system according to claim 1, wherein the information is determined as a publication range of articles stored in the article storage means. A setting means for setting any one of a plurality of predetermined access right takeover levels for determining whether or not the user can access the article;
2. The information sharing system according to claim 1, wherein the access permission determination unit determines whether or not the user who is the access request source can access the article that is the target of the access request based on the set access right takeover level. . The access permission determination means includes:
Based on group information stored in the group information storage means, first determination means for determining whether a user who is a request source of the input access request belongs to the first group;
When it is determined that the user belongs to the first group, a user who is a request source of the input access request is determined as the disclosure range based on user information stored in the user information storage unit. And a second determination means for determining whether it belongs to the second group,
When it is determined that it belongs to the second group determined as the disclosure range, permission is determined as the accessibility of the user who is the request source of the access request to the article that is the target of the input access request. Item 1. The information sharing system according to Item 1. An information sharing method for sharing an article posted to a first group among a plurality of users belonging to the first group, the group information storing means storing group information indicating users belonging to the first group And an information sharing method executed by an information sharing system using user information storage means for storing user information indicating a second group different from the first group to which the user belongs,
Inputting an article posted to the first group by a user belonging to the first group;
Storing the input article in an article storage means;
Based on the user information stored in the user information storage means and the group information stored in the group information storage means, users belonging to the first group that is the posting destination of the articles stored in the article storage means Determining a second group to which the article belongs as a publication range of the article;
When a user accesses an article stored in the article storage means, inputting an access request for the article;
Based on the group information stored in the group information storage means, the user information stored in the user information storage means, and the determined disclosure range, the access to the article that is the target of the input access request An information sharing method comprising: determining whether a user who is a request source can access. Group information storage means for storing group information indicating users belonging to the first group, user information storage means for storing user information indicating a second group different from the first group to which the user belongs, and article storage means; Information that can be shared among a plurality of users belonging to the first group, which is composed of an external storage device having a computer and a computer that uses the external storage device. In a shared system, a program executed by the computer,
In the computer,
Inputting an article posted to the first group by a user belonging to the first group;
Storing the input article in the article storage means;
Based on the user information stored in the user information storage means and the group information stored in the group information storage means, users belonging to the first group that is the posting destination of the articles stored in the article storage means Determining a second group to which the article belongs as a publication range of the article;
When a user accesses an article stored in the article storage means, inputting an access request for the article;
Based on the group information stored in the group information storage means, the user information stored in the user information storage means, and the determined disclosure range, the access to the article that is the target of the input access request A program for executing the step of determining whether or not a user who is a request source can access.

Images