JP2015108903A - Distributed information cooperation system and data operation method therefor and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To accelerate system maintenance by shortening time required for operation processing such as the registration, deletion or change of a user account.SOLUTION: In a server as a request source which executes processing when receiving a request for the new registration or update of an account input from a client terminal UT, a processing group corresponding to the operation classification is divided into a plurality of processing groups in accordance with the operation classification on the basis of the request, and processing belonging to each of the divided processing groups is executed in parallel by a plurality of operation target servers for each of the divided processing groups, and when the parallelization processing of the processing groups is executed, an authentication token is copied to a slave thread generated in a one-to-one relation with respect to each operation target server, and log data indicating the execution result of each slave thread are generated during the execution, and the thread name of each slave thread is applied to each log data.

Description

  The present invention relates to a distributed information linkage system that enables user IDs to be linked by converting user IDs uniquely managed by a plurality of service servers through linkage identifiers (kana) by an authentication server, and the system The present invention relates to a data operation method and a program executed by.

  In recent years, with the widespread use of the Internet and broadband services, many online services such as financial services such as banks and credit cards, online shopping, and Web mail have been provided. Since authentication is required to identify an individual online, user IDs are managed in individual services. For this reason, as the number of services to be used increases, an increase in the burden on the user for managing the user ID becomes a problem.

  Therefore, in order to reduce the burden of user ID management, in order to securely link user IDs between service servers having different user ID systems, and to access a plurality of service servers with a single authentication procedure. In addition, there has been proposed a technology that enables user data to be accessed safely using ID-linked single sign-on. If this technique is used, ID cooperation can be realized by transferring individual user information between data servers without notifying each user's own user ID managed by each data server.

  From the viewpoint of security, a system that uses a pseudonym for user ID cooperation between data servers has also been proposed (see, for example, Patent Document 1). This system includes a user authentication / management server that authenticates a user and manages the user's identity, and a service providing server that provides various services to the user. The user ID is linked by converting the pseudonym by the management server. The reason for using the pseudonym is to prevent the leakage of personal information generated by linking the user IDs existing in each server while preventing the leakage of the real user's ID.

  On the other hand, in the actual operation of the system, there are many methods to provide account registration and maintenance of account information by providing a contact point (hereinafter referred to as user support center) where the operating entity supports the user upon request from the user. It is used. For example, in the system described in Patent Document 2, account registration at the start of use and maintenance of account information after the start of use are performed collectively from the user support center. This method is particularly effective when the user support center initially registers a large number of user accounts, such as when a business operator newly enters the system.

Japanese Patent No. 04932861 Japanese Patent No. 044848407

  According to the system described in Patent Document 1, the real user ID is not transferred on the communication path, and even if one pseudonym leaks, the range of influence can be minimized, so that security can be kept high. . However, at the time of account registration, after registering the user ID, it is necessary to store the same pseudonym for user ID cooperation in the authentication server and the service server in association with the user ID of each server, and a simple name identification table Processing is more complicated than a system with

  On the other hand, in the system described in Patent Literature 2, when performing operation processing such as registration, deletion, and change of a user account, an operation request is given to a plurality of servers in series to operate a user ID and a cooperation identifier. Since it is necessary to perform processing sequentially, initial registration per user takes time, and a system having a large number of service servers may cause problems in system operation. Also, registration of user IDs and linkage identifiers for multiple data on multiple servers ends abnormally due to a failure of some servers in the system, resulting in inconsistencies in the data on each server In addition, there are cases where it is difficult to analyze the situation and restore the inconsistent state.

  The present invention has been made paying attention to the above circumstances, and its main purpose is a distributed information linkage system which shortens the time required for operation processing such as registration, deletion or change of a user account and speeds up system maintenance. And a data operation method and program thereof.

In order to achieve the above object, the present invention comprises the following aspects.
(1) It includes a plurality of service servers that hold management data including individual user IDs issued independently for each user to be managed, and a cooperation identifier for linking between individual user IDs related to the same user of the service server When managing data and transferring data related to an arbitrary user between the service servers, an authentication server that converts the individual user ID related to the user via the cooperation identifier and a request from the client terminal A distributed information linkage system that includes a portal server that receives data, and that these servers perform data communication with each other via a communication network,
When a data operation request for the management data is input from the client terminal, the server that is the request source of the processing corresponding to the data operation request among the authentication server and the portal server is the data input from the client terminal An operation type is determined based on an operation request, and a dividing unit that divides a processing group corresponding to the operation type into a plurality of processing groups according to the determined operation type, and for each of the divided processing groups A parallel processing control unit is provided for causing a plurality of servers to be operated among the plurality of service servers and the authentication server to execute the processes belonging to the processing group in parallel.

  (2) In the system according to (1), when the operation type designated by the data operation request is registration of a user account, the dividing unit determines the processing group required for registration of the user account as the plurality of processing groups. The process is divided into individual user ID registration processing in the service server and cooperation identifier registration processing in the authentication server and each service server. Then, the parallel processing control unit first causes the portal server to execute the process of registering individual user IDs in a plurality of service servers to be operated in parallel, and then the authentication server is directed to a plurality of service servers to be operated. A process for generating a linkage identifier and registering it in its own server, and then executing the process for registering the generated linkage identifier in a plurality of service servers to be operated in parallel. It is.

  (3) In the system according to (1), when the operation type designated by the data operation request is deletion of a user account, the dividing unit determines a processing group necessary for deleting the user account as the plurality of processing groups. The process is divided into an individual user ID deletion process in the service server and a cooperation identifier deletion process in the authentication server and each service server. Then, the parallel processing control means first causes the plurality of service servers to be operated by the portal server to execute the individual user ID deletion processing in parallel, and then the portal server is to cooperate with the plurality of service servers to be operated. The identifier deletion process is executed in parallel, and then the authentication server executes the deletion process of the association identifier registered in the own server.

  (4) In the system according to (3), the server serving as the request source of the process corresponding to the data operation request includes the plurality of service servers, the authentication server, and the portal server, and a first server having a system management function And a second server group serving as a request source of a process corresponding to the data operation request, and a third server group. The parallel processing control means performs the divided individual user ID deletion processing and the cooperation identifier deletion processing of the classified third server group, first server group, and second server group. It is made to execute in order.

  (5) In the system according to (1), the parallel processing control unit generates a parent thread corresponding to a process belonging to the processing group for each of the divided processing groups, and operates the parent thread as an operation target. Is divided into a plurality of child threads corresponding to each of the plurality of servers, and the authentication token issued by the authentication server to the user who is the request source of the data operation is copied to each of the divided child threads. A plurality of child threads to which the authentication token is copied are assigned to the plurality of servers to be operated on a one-to-one basis and executed in parallel.

  (6) In the system according to (5), the parallel processing control unit gives the parent thread first identification information for identifying the parent thread, and a plurality of children divided from the parent thread. Log data in which second identification information associated with the first identification information is assigned to each thread, the processing result of the child thread is represented for each child thread, and the second identification information is assigned. Is generated and output.

According to each aspect of the present invention, the following effects can be obtained.
(1) Based on the data operation request input from the client terminal, the processing group corresponding to the operation type is divided into a plurality of processing groups according to the operation type, and for each of the divided processing groups, Processes belonging to a process group are executed in parallel on a plurality of servers to be operated. For this reason, it is possible to shorten the processing time of data operation in the entire system as compared to the case where a plurality of servers to be operated sequentially execute requested processing in series, thereby reducing the processing time related to data operation. The speed can be increased.

  (2) When the operation type specified by the data operation request is registration of a user account, processing groups necessary for registration of the user account include individual user ID registration processing in a plurality of service servers, authentication servers, This is divided into the registration process of the cooperation identifier in the service server. Of these, the portal server first executes the process of registering individual user IDs in a plurality of service servers to be operated in parallel. Next, the authentication server generates a linkage identifier for the plurality of service servers. Parallel processing to be registered in the own server and parallel processing to register the generated cooperation identifier in the plurality of service servers to be operated are respectively executed. For this reason, the user account registration process for all the servers to be operated in the system is smoothly performed in a short time.

  (3) When the operation type specified by the data operation request is deletion of a user account, processing groups necessary for deletion of the user account include individual user ID deletion processing in a plurality of service servers, authentication servers, This process is divided into linkage identifier deletion processing in the service server. First, the portal server executes parallel user ID deletion processing in a plurality of service servers to be operated, and then the portal server performs parallel identifier deletion processing in a plurality of service servers to be operated. Then, the authentication server deletes the cooperation identifier registered in the self server. For this reason, the deletion process of the user account with respect to all the servers to be operated in the system is smoothly performed in a short time.

  (4) a plurality of service servers, authentication servers, and portal servers, a first server group having a system management function, a second server group serving as a request source of processing corresponding to a data operation request, and other 3 server groups. Then, the deletion process of the individual user ID and the deletion process of the cooperation identifier are executed in the order of the third server group, the first server group, and the second server group. For this reason, it is possible to sequentially perform user account deletion processing from a server remote from the deletion request source server.

  (5) For each divided processing group, a parent thread corresponding to a process belonging to the processing group is divided into a plurality of child threads corresponding to each of a plurality of servers to be operated. Then, the authentication token issued by the authentication server to the user who is the data operation request source is copied to each of the divided child threads, and the plurality of child threads to which the same authentication token is copied are the plurality of operation targets. The server is assigned one-to-one. In this way, it is possible to prevent the use of the authentication token from competing among the child threads operating in parallel in the plurality of servers to be operated.

  (6) The first identification information for identifying the parent thread is given to the parent thread, and each of the plurality of child threads divided from the parent thread includes the first identification information associated with the first identification information. 2 identification information is given. For each child thread, log data representing the processing result of the child thread and having the second identification information added thereto is generated and output. For this reason, log data can be matched between each child thread and the parent thread by the identification information given to the log data. Therefore, for example, even if a failure occurs in some servers in the system during parallel processing and inconsistency occurs in the registered data, it becomes possible to perform situation analysis and recovery from the inconsistent state more easily than log data. .

  That is, according to the present invention, it is possible to provide a distributed information cooperation system, a data operation method, and a program thereof that shorten the time required for operation processing such as registration, deletion, or change of a user account and speed up system maintenance. it can.

The block diagram which shows the function structure of the distributed information cooperation system which concerns on one Embodiment of this invention. In the portal server or authentication server of the system shown in FIG. 1, a grouping process executed when a data operation request is received, an execution order determination process for each process group, and a thread parallel process process procedure and process for each process group The flowchart which shows the content. The figure which shows an example of the management data for user ID cooperation memorize | stored in the service server of the system shown in FIG. 1, an authentication server, and a portal server. The figure which shows the outline | summary of the parallelization process using a thread | sled performed in the portal server and authentication server of the system shown in FIG. The figure which shows the sequence of the user account registration process performed in the system shown in FIG. The figure which shows the first half part of the sequence of the user account registration process performed in the conventional system. The figure which shows the second half part of the sequence of the user account registration process performed in the conventional system. The figure which shows the sequence of the collection process of the registered information, the registration change process of the service to be used, and the update process of a user attribute which are performed in the system shown in FIG.

Embodiments according to the present invention will be described below with reference to the drawings.
[One Embodiment]
(Constitution)
FIG. 1 is a functional block diagram showing a configuration of a distributed information cooperation system according to an embodiment of the present invention.
In this system, a plurality of service servers SSV1 to SVn independently operated by a medical institution such as a hospital, a portal server PSV, and an authentication server ASV are communicably connected via a communication network NW. For example, an IP (Internet Protocol) network is used as the communication network. Note that UT indicates a client terminal used by the system administrator, and this client terminal UT is connected to the portal server PSV via the communication network NW.

  Each of the service servers SSV1 to SVn includes a computer and a storage medium, and includes a user information storage unit 11, a data operation processing unit 12, and a communication processing unit 13 as functions necessary for carrying out this embodiment. . The user information storage unit 11 includes a personal data storage unit and an ID linkage information storage unit 111.

In the personal data storage unit, personal data relating to the patients who visited the medical institution and medical workers such as doctors and nurses belonging to the medical institution are individually issued to these users by their own servers. It is stored in association with the user ID. The personal information related to the patient includes medical data such as an electronic medical record and patient attribute information. The personal information of the medical staff includes attribute information such as qualifications and departments.
In the ID linkage information storage unit 111, for example, as shown in FIG. 3, an authentication server ASV, which will be described later, is associated with the individual user ID uniquely issued by the own server for each of the users such as the patient and the medical staff. A pseudonym issued to each user is stored.

The communication processing unit 13 has a function of performing data communication with other servers in the system according to a communication protocol defined by the communication network NW.
When the data operation processing unit 12 receives the data operation request from the communication processing unit 13, the operation type specified by the received data operation request for the user account or personal data stored in the user information storage unit 11 of the server itself. The process corresponding to is executed.

  Similarly to the service servers SSV1 to SSVn, the authentication server ASV also includes a computer and a storage medium. As functions necessary for carrying out this embodiment, a user information storage unit 21, a data operation processing unit 22, a communication processing unit 23, a parallel processing unit 24, and an authentication processing unit 25. The user information storage unit 21 includes an ID linkage information storage unit 211 and a use service information storage unit 212.

  In the ID linkage information storage unit 211, for example, as shown in FIG. 3, for each user who uses the system, a pseudonym as a linkage identifier and a user are associated with the system common user ID issued by the authentication processing unit 25. Is stored. In the usage service information storage unit 212, for example, as shown in FIG. 3, a service name registered as a usage destination in association with the common user ID is stored.

  The communication processing unit 23 has a function of performing data communication with other servers in the system according to a communication protocol defined by the communication network NW.

  When the communication processing unit 23 receives an authentication request for a user from the client terminal UT or each server, the authentication processing unit 25 refers to the user information storage unit 21 and performs authentication of the user. In addition, when the user who has been authenticated once uses the system from a server in the system, the authentication state is maintained so that re-authentication can be omitted. Furthermore, the authentication result is notified to other servers in the system as an authentication token so that the authentication result can be used in information distribution between servers in the system.

When the parallel processing unit 24 receives various data operation requests transmitted from the client terminal UT or each server by the communication processing unit 23, the parallel processing unit 24 executes the following processing according to the content of the request.
(1) If the received request is an account registration / update / deletion request, the following processing is executed.
(a) A process of dividing and grouping a processing group necessary for the operation according to the operation type specified by the request.
(b) Processing for determining whether parallel processing is possible for each processing group.
(c) Processing that determines the execution order of each processing group.
(2) In the case of a single data operation, when the above (1) is performed, the following processing is executed for the processing group.
(d) A thread for executing the processing is generated for each data operation target server, and the processing is requested to the data operation processing unit of each data operation target server by executing each thread in parallel.

  When the data operation processing unit 22 receives the data operation request from the communication processing unit 23, the data operation processing unit 22 determines whether the operation target data exists in its own server or in another server. In the case of an operation request for the data of the own server, processing corresponding to the operation type specified by the data operation request is performed on the user information storage unit 11 of the own server, and in the case of an operation request for the data of another server Performs processing for requesting data operation to another server via the communication processing unit 23.

  Similarly to the service servers SSV1 to SSVn and the authentication server, the portal server PSV includes a computer and a storage medium. As functions necessary for carrying out this embodiment, a user information storage unit 31, a data operation processing unit 32, A communication processing unit 33 and a parallel processing unit 34 are provided.

  The user information storage unit 31 includes an ID linkage information storage unit 311. In the ID linkage information storage unit 311, for example, as shown in FIG. 3, the authentication server ASV issued to each user who uses the system in association with the individual user ID issued independently by the own server. A pseudonym is stored.

  The communication processing unit 33, the parallelization processing unit 34, and the data operation processing unit 32 have the same functions as the communication processing unit 23, the parallelization processing unit 24, and the data operation processing unit 22 of the authentication server ASV.

(Operation)
Next, the operation of the system configured as described above will be described.
The types of data operations performed by the system include user account registration, user account update (addition of services to be used), user account update (deletion of used services), and user account update (update of user attributes). There is a user account deletion.

  It is assumed that the system administrator performs an operation for requesting data operation of any of the above operation types at the client terminal UT. Then, when the client terminal UT receives the request by the communication processing unit 33, the parallel processing unit 34 executes the parallel processing of the data operation as follows. FIG. 2 is a flowchart showing the processing procedure and processing contents.

That is, the parallel processing unit 34 first determines the operation type designated by the received data operation request in step S10, and divides and groups the processing group corresponding to the operation type according to the determination result. .
For example, if the operation type is “user account registration”, in step S11, the operation type is divided into the following processing groups.
(0) User ID and system common user ID generation / registration in the authentication server ASV, user attribute registration processing (when a new user account is registered)
(1-1) Create and register a user ID and register user attributes on all service servers other than the authentication server ASV used by the user (service server that provides the service to be added when a service is added) Processing to be performed (when the user ID and user attribute are not registered).
(1-2) In the authentication server ASV, create and register a linkage identifier (a pseudonym) for all service servers other than the authentication server ASV used by the user (a service server that provides the service to be added when a service is added) And a process of registering the pseudonym in all service servers other than the authentication server ASV used by the user.

  (1-3) Processing for registering a service used for each user in the authentication server ASV (in the case of a system managing a service used for each user).

  If the operation type is “update user account (add service)”, in step S12, the process is divided into the processing groups (1-1) to (1-3).

On the other hand, if the operation type is “update user account (service deletion)”, in step S13, the operation type is divided into the following processing groups.
(2-1) A process of deleting the corresponding user ID in all servers other than the authentication server used by the user (a service server providing a service to be deleted when the used service is deleted).
(2-2) The linkage identifier (a pseudonym) is deleted in all servers other than the authentication server ASV used by the user (the service server providing the service to be deleted when the used service is deleted), and the user in the authentication server ASV Processing to delete a linkage identifier (a pseudonym) for all servers other than the authentication server to be used (a service server that provides a service to be deleted when a used service is deleted).
(2-3) Processing for deleting the service used for each user in the authentication server ASV (in the case of a system that manages the service used for each user).

If the operation type is “update user account (change user attribute information)”, the process is divided into the following processing groups in step S14.
(3-1) A process of updating the user attribute information in the authentication server ASV and each service server that has already been linked with the ID.

Furthermore, when the operation type is “delete user account”, in step S15, the operation type is divided into the following processing groups.
(2-1) A process of deleting the corresponding user ID in all servers other than the authentication server used by the user (a service server providing a service to be deleted when the used service is deleted).
(2-2) The linkage identifier (a pseudonym) is deleted in all servers other than the authentication server ASV used by the user (the service server providing the service to be deleted when the used service is deleted), and the user in the authentication server ASV Processing to delete a linkage identifier (a pseudonym) for all servers other than the authentication server to be used (a service server that provides a service to be deleted when a used service is deleted).
(2-3) Processing for deleting the service used for each user in the authentication server ASV (in the case of a system managing a service used for each user).
(4-1) In the authentication server ASV, a process of deleting a user ID and a system common user ID (implemented only when deleting an account from the system).

When the operation type is “update user account” of the user, the portal server PSV that is the request source executes the following processing.
(5-1) A process of collecting the individual user ID and user attribute information of the user in parallel from all the service servers SSV1 to SSVn used by the user.

  Next, in step S16, the parallel processing unit 34 determines whether or not parallel processing can be performed for each of the processing groups divided in steps S11 to S15. For example, when there are a plurality of servers to be operated, it is determined that parallel processing is possible, and when there is a single server to be operated, it is determined that parallel processing is not possible.

Subsequently, in step S17, the parallel processing unit 34 of the portal server PSV determines the processing order according to a rule set in advance for each operation type for the processing group divided in steps S11 to S15.
For example, when the operation type is “register user account”, first, (0) is executed, and the processing order is determined so that (1-1) to (1-3) are executed after the processing. When the operation type is “update user account (add service)”, the processing order is determined so that (1-1) to (1-3) are executed in order. On the other hand, when the operation type is “update user account (service deletion)”, the processing order is determined so as to sequentially execute (2-1) to (2-3). Further, when the operation type is “delete user account”, first, execute the steps (2-1) to (2-3), and then execute the process (4-1) after the completion. decide. When the operation type is “update user account (change user attribute information)”, the processing order is not particularly determined because only (3-1) is provided.

  Next, in step S18, the parallel processing unit 34 of the portal server PSV causes the server to be operated to execute the parallel processing as follows. That is, first, in step S181, a parent thread representing a process corresponding to an operation request having the same content is divided into a plurality of child threads so that each server to be operated is a separate thread.

  In step S182, an authentication token indicating that the user has been authenticated is copied to each of the divided child threads. Specifically, each child thread and Cookie are associated with each other on a one-to-one basis, and an authentication token instance is generated for each child thread (cookie). At the same time, a thread name associated with the thread name given to the parent thread is given to each child thread. For example, a plurality of child threads obtained by dividing a parent thread to which a certain parent number is assigned are assigned a serial number following the parent number.

  Subsequently, in step S183, the child threads are activated to call data operation processing units of a plurality of servers to be operated, and in step S19, the data operation processing units are caused to execute processes. FIG. 4 shows an operation image of parallelization of processing using threads in steps S181 to S183 described above.

  In step S19, each data operation processing unit generates and outputs log data representing the execution result during execution of each child thread. At this time, the thread name of the child thread is given to the log data. When it is confirmed in step S20 that all threads have been processed, the processing result is returned to the requesting server.

A specific example of the operation described above will be described below.
(1) New Registration of User Account FIG. 5 shows an operation sequence of the system when new registration of a user account is performed.
Assume that the system administrator inputs the attribute information and registration service of the user at the client terminal UT in order to newly register a user such as a doctor. Then, a user account registration request is sent from the client terminal UT to the portal server PSV.

  In the portal server PSV, when the communication processor 33 receives the user account new registration request, the parallel processing unit 34 first determines the operation type from the request, and is necessary for the operation according to the determined operation type. The processing group is divided into a plurality of processing groups.

For example, in this case, since the operation type is “new account registration”, the four processing groups (0), (1-1) to (1-3) described above,
(0) User ID and system common user ID generation / registration in the authentication server ASV, and user attribute registration processing
(1-1) User ID generation / registration and user attribute registration processing in the service server used by the user
(1-2) Generation / registration of a cooperation identifier (a pseudonym) for a service server used by a user in the authentication server ASV, and a registration process of the pseudonym to the service server
(1-3) The processing is divided into registration processing of the use service for each user in the authentication server ASV.

  Next, the parallel processing unit 34 of the portal server PSV determines whether parallel processing is possible for each of the divided processing groups. Among the above processing groups, (1-1) and (1-2) have multiple servers to be operated, so the processing groups (1-1) and (1-2) can be processed in parallel. It is determined. Subsequently, the processing execution order is set for each processing group. In the above example, the processing order is such that (0) is executed first and (1-1) to (1-3) are executed after the processing according to a predetermined rule for “new account registration”. It is determined.

  The parallel processing unit 34 of the portal server PSV subsequently transfers a user account new registration request to the data operation processing unit 25 of the authentication server ASV in accordance with the determination result of the processing order of the processing group, and the above (0). The execution of the process is instructed. In accordance with this instruction, the data operation processing unit 25 of the authentication server ASV generates a system common user ID for a new user and an individual user ID in its own server, stores them in the user information storage unit 21, and associates them with the common user ID. To store user attribute information.

  The parallel processing unit 34 of the portal server PSV causes the service servers SSV1 to SSVn used by the user to execute the parallel processing (1-1) as follows. That is, as illustrated in FIG. 4, first, for each of the service servers SSV1 to SSVn to be used, a child thread is generated by dividing the parent thread in which the execution object of the process (1-1) is described. The authentication token indicating that the user has been authenticated is copied to each of the generated child threads. At the same time, a thread name associated with the thread name given to the parent thread is given to each child thread. Subsequently, the child threads are activated to call the data operation processing units 12 of the service servers SSV1 to SSVn, and the data operation processing units 12 execute the processing (1-1) in parallel.

  As a result, the data operation processing unit 12 of each of the service servers SSV1 to SSVn generates its own individual user ID for each new registration target user as shown in FIG. 5, and this individual user ID is the portal server PSV. Is stored in the user information storage unit 11 together with the user attribute information notified by the user. When the individual user ID generation and registration processing ends, the generated individual user ID is returned from the data operation processing unit 12 of each service server SSV1 to SSVn to the portal server PSV.

  The process (1-1) is also executed in the system management service server (for user information retrieval) as shown in FIG. 5, whereby the system management service server has an individual user ID and user attribute. The user registration destination server name is stored together with the information. The generated individual user ID is returned to the portal server PSV.

  When the individual user ID generation / registration process in each of the service servers SSV1 to SSVn is completed, the portal server PSV subsequently instructs the parallel processing unit 24 of the authentication server ASV to execute the parallel process (1-2). To do.

  Upon receiving the above instruction, the parallel processing unit 24 of the authentication server ASV first generates a cooperation identifier (a pseudonym) for each of the service servers SSV1 to SSVn, and the system common user previously generated in (0) The information is stored in the user information storage unit 21 of the own server in association with the ID.

  Next, as in the case of (1-1) described above, the execution object of the process (1-2) is described for each of the service servers SSV1 to SSVn and the portal server PSV to be used. A child thread obtained by dividing the parent thread is generated, and an authentication token indicating that the user has been authenticated is copied to each of the generated child threads. At the same time, a thread name associated with the thread name given to the parent thread is given to each child thread. Subsequently, the child threads are activated to call the data operation processing units 12 and 32 of the service servers SSV1 to SSVn and the portal server PSV, and the data operation processing units 12 and 32 respectively execute the above (1-2). Run processes in parallel.

  As a result, in each of the service servers SSV1 to SSVn and the data operation processing units 12 and 32 of the portal server PSV, as shown in FIG. 5, the cooperation identifier (a pseudonym) notified from the authentication server ASV to the own server is obtained. The user information is stored in the user information storage units 11 and 31 in association with the individual user ID generated by the above (1-1).

  Note that the process (1-2) is also executed in parallel in the system management service server (for user information retrieval) as shown in FIG. The cooperation identifier (a pseudonym) generated for the server is stored in association with the individual user ID.

  Finally, the data operation processing unit 32 of the authentication server ASV executes the above process (1-3) as follows. That is, the use service name transmitted together with the new account registration request from the client terminal UT is received via the portal server PSV, and this use service name is associated with the individual user ID of the user's own server to store the user information. Stored in the unit 21.

  Further, the data operation processing units 12, 22, and 32 of each server generate log data representing the execution result during the execution of the child thread in the series of processing steps described above. At this time, the thread name of the child thread is given to the log data. The log data is stored in, for example, a log data storage unit in each server.

  6 and 7, the portal server PSV and the authentication server ASV each generate and register a common user ID for each service server SSV1 to SSVn, and generate and register a cooperation identifier (a pseudonym). The operation sequence when processing is sequentially executed in series is shown in order to compare with the operation sequence (FIG. 5) in one embodiment of the present invention.

(2) Updating user accounts In actual system operation, when updating account information, a plurality of operations are often processed simultaneously. FIG. 8 shows an operation sequence of the system when a user service addition, a service deletion, and a user attribute change are requested at the same time. In FIG. 8, the service provided by the service server SSV4 is the authentication server ASV. In this example, the service is added as a service to be used, the used service is deleted from the service server SSV3, and the user attribute information stored in the authentication server ASV and each service server to be used is updated.

  Assume that the system administrator performs an operation for requesting addition of a usage service, deletion of a usage service, or change of a user attribute for a specific user registered for usage in the client terminal UT. Then, an account update request for the specific user is sent from the client terminal UT to the portal server PSV.

  In the portal server PSV, when the communication processing unit 33 receives the user account update request, the parallel processing unit 34 first determines an operation type from the request, and is necessary for the operation according to the determined operation type. The processing group is divided into a plurality of processing groups. For example, in this case, since the operation types are “account update (add service)”, “account update (service delete)” and “account delete”, the processing is (1-1), (2-1), It is divided into (2-2), (1-2), (1-3), (2-3), and (5-1).

  Subsequently, the data operation unit 33 of the portal server PSV determines the processing order for each of the divided processing groups according to a rule set in advance for each operation type. Then, the parallel processing of each processing group is executed as follows for each server to be operated.

  That is, as shown in FIG. 8, first, the process of collecting registered user information is performed in parallel from the authentication server ASV and the service servers SSv1 and SSV2 in which the specific user is registered for use.

  Next, the parallel processing unit 34 of the portal server PSV generates a child thread for registering an account in the service server SSV4 and also generates a child thread for deleting an account from the service server SSV3. Copy an authentication token indicating that the user has been authenticated to each child thread. At the same time, a thread name associated with the thread name given to the parent thread is given to each child thread. Subsequently, the child threads are activated to call the data operation processing units 12 of the service servers SSV3 and SSV4, and the data operation processing units 12 respectively execute the above (1-1), (2-1), (2 -2) is executed in parallel.

  As a result, the data operation processing unit 12 of the service server SSV4 generates an individual user ID unique to the own server corresponding to the user to be added as shown in FIG. 8, and the individual user ID is notified from the portal server PSV. The user attribute information is stored together with the user attribute information. At the same time, the data operation processing unit 12 of the service server SSV3 deletes the individual user ID and pseudonym of the specific user to be deleted as shown in FIG. Further, in the authentication server ASV, the pseudonym for the service server SSV3 of the specific user is deleted.

  Next, the parallel processing unit 34 of the portal server PSV puts the child thread into a completion standby state, and then passes the user ID group of each server as a registration destination to the parallel processing unit 24 of the authentication server ASV.

  On the other hand, the parallel processing unit 24 of the authentication server ASV first generates a cooperation identifier (a pseudonym) for the service server SSV4 according to (1-2), and corresponds this cooperation identifier (a pseudonym) to the specific user. And stored in the user information storage unit 21 of the own server in association with the user ID common to the system.

At the same time, a child thread for registering the cooperation identifier (a pseudonym) in the service server SSV4 is generated, an authentication token is copied to the child thread, and a thread associated with the thread name given to the parent thread Assign a name to the child thread. Then, the child thread is activated to call the data operation processing unit 12 of each service server SSV4, and the data operation processing unit 12 executes the process (1-2).
As a result, in the service server SSV4, in the data operation processing unit 12 of the service server SSV4, as shown in FIG. 8, the cooperation identifier (a pseudonym) is associated with the individual user ID and stored in the user information storage unit 11.

  Further, the parallel processing unit 24 of the authentication server ASV puts the child thread in a completion standby state, registers the service name to be used in the user information storage unit 21 of its own server according to (1-3), and 2-3) delete the service name of the service server SSV3 from the user information storage unit 21.

Finally, the parallel processing unit 34 of the portal server PSV generates child threads for updating user attribute information in the authentication server ASV and the service servers SSV1 and SSV2 registered for use by the specific user. Copy the authentication token to each child thread and assign the thread name. Then, each child thread is activated to call the data operation processing units 22 and 12 of the authentication server ASV and each of the service servers SSV1 and SSV2, and the data operation processing units 22 and 12 respectively execute the process (3-1). Are executed in parallel.
As a result, in the authentication server ASV and the service servers SSV1 and SSV2, the user information of the corresponding users stored in the user information storage units 21 and 11 is updated by the data operation processing units 22 and 12, respectively.

  Even in the series of processing steps related to the account update described above, the data operation processing units 12, 22, and 32 of each server generate log data representing the execution result during the execution of the child thread. At this time, the thread name of the child thread is given to the log data. The log data is stored in, for example, a log data storage unit in each server.

(Effect of one embodiment)
As described above in detail, in one embodiment, a server that is a request source that performs processing upon receipt of a new account registration or account update request input from the client terminal UT performs the operation type based on the request. Are divided into a plurality of processing groups, and for each of the divided processing groups, the processing belonging to the processing group is executed in parallel on a plurality of servers to be operated. For this reason, it is possible to shorten the processing time of data operation in the entire system as compared to the case where a plurality of servers to be operated sequentially execute requested processing in series, thereby reducing the processing time related to data operation. The speed can be increased.

  In parallel processing of the processing group, the authentication token is copied to a child thread generated one-on-one for each operation target server. For this reason, the use of the authentication token can be prevented from competing between the child threads operating in parallel in the plurality of servers to be operated.

  Furthermore, log data representing the execution result is generated during the execution of each child thread, and the thread name of the child thread is assigned to each log data. For this reason, log data can be matched between each child thread and the parent thread by the identification information given to the log data. Therefore, for example, even if a failure occurs in some servers in the system during parallel processing and inconsistency occurs in the registered data, it becomes possible to perform situation analysis and recovery from the inconsistent state more easily than log data. .

  By the way, for example, within the processing of the same request, when the parent thread starts up multiple child threads without deciding names, and a simple serial number is given to the child thread name, multiple requests are executed simultaneously. In this case, since multiple child threads are mixed and log is output, even if the thread name is output to the log data, it is impossible to determine which log data is the log data of the child thread started from the same parent thread. End up.

[Other Embodiments]
In the embodiment, a plurality of service servers SSV1 to SSVn operated by a medical institution such as a hospital are connected to the authentication server ASV via the communication network NW, whereby patient medical information is introduced between the referral source and the referral destination hospital. The case where it is possible to browse is described as an example. However, the present invention is not limited to this, and for example, information on students who have been transferred may be viewed by connecting a plurality of school servers via an authentication server. Further, by connecting servers such as company factories, sales offices, and affiliated companies via a linkage server, for example, information on employees who have been transferred or transferred, and information related to employees may be viewable.

  In addition, the configuration of the authentication server, portal server, and each service server, the processing procedure and processing content, the type of service, the configuration of the cooperation identifier (a pseudonym), and the like can be variously modified without departing from the gist of the present invention. It can be implemented.

  In short, the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Further, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, you may combine suitably the component covering different embodiment.

  SSV1 to SSVn ... service server, ASV ... authentication server, PSV ... portal server, UT ... client terminal, NW ... network, 11, 21, 31 ... user information storage unit, 12, 22, 32 ... data operation processing unit, 13, 23, 33 ... communication control unit, 24, 34 ... parallel processing unit, 25 ... authentication processing unit.

Claims (8)

Management data including a plurality of service servers that hold management data including individual user IDs issued independently for each user to be managed, and a cooperation identifier that links between individual user IDs related to the same user of the service server. An authentication server that holds and converts an individual user ID related to the user via the cooperation identifier when transferring data related to an arbitrary user between the service servers, and a portal server that receives a request from a client terminal A distributed information cooperation system in which these servers perform data communication with each other via a communication network,
When a data operation request for the management data is input from the client terminal, a server that is a request source of processing corresponding to the data operation request among the authentication server and the portal server is
A division unit that determines an operation type based on a data operation request input from the client terminal, and divides a processing group corresponding to the operation type into a plurality of processing groups according to the determined operation type;
For each of the divided processing groups, there is provided parallel processing control means for causing a plurality of servers to be operated among the plurality of service servers and authentication servers to execute the processing belonging to the processing group in parallel. Distributed information linkage system. When the operation type specified by the data operation request is registration of a user account, the dividing unit includes a processing group necessary for registration of the user account, registration processing of individual user IDs in the plurality of service servers, Dividing into the registration process of the identifier for cooperation in the authentication server and each service server,
The parallel processing control unit first causes the portal server to execute parallel processing for registering individual user IDs in a plurality of service servers to be operated, and then the authentication server is used for cooperation for the plurality of service servers to be operated. A process for generating an identifier and registering it in its own server is executed, and subsequently a process for registering the generated cooperation identifier in a plurality of service servers to be operated is executed in parallel. Item 4. The distributed information cooperation system according to item 1. When the operation type specified by the data operation request is deletion of a user account, the dividing unit includes a processing group necessary for deleting the user account, and individual user ID deletion processing in the plurality of service servers; Divided into processing for deleting the identifier for cooperation in the authentication server and each service server,
The parallel processing control means first causes the plurality of service servers to be operated by the portal server to execute the deletion processing of individual user IDs in parallel, and then the portal server sets the linkage identifier to the plurality of service servers to be operated. 2. The distributed information linkage system according to claim 1, wherein the deletion processing is executed in parallel, and then the authentication server executes the deletion processing of the cooperation identifier registered in the own server. A server that is a request source of a process corresponding to the data operation request,
The plurality of service servers, authentication servers, and portal servers, a first server group having a system management function, a second server group serving as a request source of processing corresponding to a data operation request, and other third servers And further comprising means for classifying the server group,
The parallel processing control means executes the divided individual user ID deletion process and the cooperative identifier deletion process in the order of the classified third server group, first server group, and second server group. The distributed information cooperation system according to claim 3, wherein: The parallel processing control means includes:
For each of the divided processing groups, a parent thread is generated corresponding to a process belonging to the processing group, and the parent thread is divided into a plurality of child threads corresponding to each of a plurality of servers to be operated, The authentication token issued by the authentication server to the user who is the request source of the data operation is copied to each of the divided child threads, and the plurality of child threads to which the authentication token is copied are the plurality of servers to be operated The distributed information cooperation system according to claim 1, wherein the distributed information cooperation system is assigned in a one-to-one manner and executed in parallel. The parallel processing control means includes:
First identification information for identifying the parent thread is given to the parent thread, and a second identification associated with the first identification information is assigned to each of a plurality of child threads divided from the parent thread. Means for providing information;
6. The distributed information cooperation system according to claim 5, further comprising means for generating and outputting log data to which each child thread represents a processing result of the child thread and to which the second identification information is added. . Management data including a plurality of service servers that hold management data including individual user IDs issued independently for each user to be managed, and a cooperation identifier that links between individual user IDs related to the same user of the service server. An authentication server that holds and converts an individual user ID related to the user via the cooperation identifier when transferring data related to an arbitrary user between the service servers, and a portal server that receives a request from a client terminal And a data operation method executed by a distributed information cooperation system in which these servers perform data communication with each other via a communication network,
When a data operation request for the management data is input from the client terminal, the server that is the request source of the process corresponding to the data operation request among the authentication server and the portal server is the data input from the client terminal A process of determining an operation type based on an operation request, and dividing a processing group corresponding to the operation type into a plurality of processing groups according to the determined operation type;
For each of the divided processing groups, a server that is a request source for a process corresponding to the data operation request is assigned a process belonging to the process group as a plurality of servers to be operated among the plurality of service servers and authentication servers. A data operation method characterized by comprising the steps of:   A program that causes a computer included in a server that is a request source of a process corresponding to the data operation request to execute a process corresponding to each unit included in the distributed information cooperation system according to any one of claims 1 to 6.

Images