JP2015187808A - Authority management device, authority management method, and authority management system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an authority management device, an authority management method, and an authority management system for checking authority given to a user at low cost.SOLUTION: An authority management device includes storage means for storing a user and authority given to the user on the basis of conditions for the giving, and display means for giving a display device an instruction to display information on giving indicating that the authority has been given to the user in a predetermined period, in a section specified on the basis of the user and the authority in a table having at least a user axis and an authority axis.

Description

  The present invention relates to an authority management device, an authority management method, and an authority management system.

  Traditionally, the authority on the business system side has been managed individually for each business system, but backgrounds such as diversification of systems and users, leakage of information due to sloppy management, enforcement of the Japanese version of the SOX (Surence Oxley) There is a growing need for integrated management of authority information. There are products that use IT (Information Technology) systems as well as the most basic means of using paper and forms, but they place emphasis on the function of registering authority, There is a need for a means for efficient confirmation and inventory.

  There is a system that manages the user's name, affiliation, and other attributes for system users, and additionally manages the authority granted to users to use the business system together with the user attributes. To do. For example, information such as “whether a file can be read from or written to the A system” or “execution of an administrator menu for the B system” is managed.

  In the access authority management device described in Patent Document 1, when managing authority granted to a user, the predecessor's user ID (Identifier) The password is invalidated.

  By the way, if an unnecessary authority is given to such a system due to a setting mistake or the like, a security incident such as an overtaking act or information leakage is caused. On the other hand, if the necessary authority is not granted by mistake or if the necessary authority is mistakenly removed, the person's business may be stopped and business opportunities may be lost. For this reason, it is necessary to carry out periodic inventory of authority information and to detect unauthorized authority at an early stage.

JP2013-73535A

  As in the access authority management device described in Patent Document 1 described above, when authority attributes are set on a predetermined date, there is a problem that it is unclear whether or not the authority is set as intended.

  An object of the present invention is to provide an authority management apparatus, an authority management method, and an authority management system for solving the above-described problems and confirming the authority given to the user at a lower cost.

  The authority management apparatus according to the present invention includes a storage unit that stores a user and an authority that is granted to the user based on the grant condition, and a user that is stored in the storage unit in a section indicating a correspondence relationship between the user and the authority. Display means for giving an instruction to the external device to display grant information indicating that the right is given to the user for a predetermined period based on the relationship with the right.

  The authority management method of the present invention stores a user and the authority granted to the user based on the grant condition, and stores the user and authority stored in the storage means in a section indicating a correspondence relationship between the user and the authority. Based on the relationship, an instruction to display grant information indicating that the authority has been granted within a predetermined period is given to the display device.

  The effect of this invention is that the authority given to the user can be confirmed at lower cost.

It is a block diagram which shows the characteristic structure of 1st embodiment of this invention. FIG. 2 is a block diagram showing a configuration of an authority management system to which the authority management apparatus according to the first embodiment of the present invention is applied. It is a figure which shows the example of a display of the display part 102 in 1st embodiment of this invention. It is a figure which shows the example of a display accompanying the date specification of the display part 102 in 1st embodiment of this invention. It is a figure which shows the example of a display accompanying the period designation | designated of the display part 102 in 1st embodiment of this invention. It is a figure which shows the example of the authority table 121 in 1st embodiment of this invention. It is a figure which shows the example of the user table 122 in 1st embodiment of this invention. It is a figure which shows the example of the business roll table 124 in 1st embodiment of this invention. It is a figure which shows the example of the authority provision object table 123 in 1st embodiment of this invention. It is a figure which shows the example of the authority structure array 131 in 1st embodiment of this invention. It is a figure which shows the example of the user structure arrangement | sequence 132 in 1st embodiment of this invention. It is a figure which shows the example of the flag structure array 133 in 1st embodiment of this invention. It is the specific example which stored the value in the authority structure array 131 in 1st embodiment of this invention. It is the specific example which stored the value in the user structure array 132 in 1st embodiment of this invention. It is an example of the search result of the authorization object table in 1st embodiment of this invention. It is a specific example of storage of a value in the flag structure array in the first embodiment of the present invention. It is an example of the search result of the business role table in 1st embodiment of this invention. It is a specific example of storage of a value in the flag structure array in the first embodiment of the present invention. It is a flowchart which shows the whole process of the authority management apparatus 100 in 1st embodiment of this invention.

(First embodiment)
Next, a first embodiment of the present invention will be described.

  First, the configuration of the first embodiment of the present invention will be described. FIG. 2 is a block diagram showing a configuration of an authority management system to which the authority management apparatus according to the first embodiment of the present invention is applied.

  Referring to FIG. 2, the authority management system according to the first exemplary embodiment of the present invention includes an authority management apparatus 100, a client 200, and a server 300.

  Here, the authority management apparatus 100 provides an access control function to the server 300 based on the information regarding the user and the information regarding the authority, and generates display data regarding the authority and causes the display unit 201 to display the display data.

  The client 200 is a terminal for an administrator or the like to instruct the authority management apparatus to display authority.

  The server 300 provides the business service to the user of the business service, and performs access control for the user according to the response of the authority management apparatus 100 as necessary at the time of provision.

  The authority management device 100 includes a storage unit 101, a display unit 102, and an access control unit 103.

  The storage unit 101 will be described. The storage unit 101 stores an authority table 121, a user table 122, an authority grant target table 123, and a business role table 124, respectively.

  FIG. 6 is a diagram showing an example of the authority table 121 according to the first embodiment of this invention. Each row of the authority table 121 represents an authority. For each authority, an authority ID (Identifier), an authority name, an effective period start date, and an effective period end date are set as necessary.

  FIG. 7 is a diagram illustrating an example of the user table 122 according to the first embodiment of this invention. Each row of the user table 122 represents a user. For each user, attributes related to the user are set. As user attributes, for example, a user ID, a user name, a department, a job title, an employee classification, and a district are set as necessary. The attributes of the user are merely examples, and as long as the present invention can be implemented, only a part of the attributes may be included, or attributes other than those illustrated may be included.

  FIG. 8 is a diagram illustrating an example of the business role table 124 according to the first embodiment of this invention. Each row of the business role table 124 represents a business role. For each business role, a business role ID, a business role name, and a conditional expression are set as necessary. The conditional expression is a logical expression for specifying a target for which the business role is valid using the value of an item set in the user table 122 or the like. The administrator or the like can assign the business role to a user who satisfies the logical expression by setting the logical expression. Note that the authority granted by the business role is defined using the authority grant target table 123.

  FIG. 9 is a diagram illustrating an example of the authority grant target table 123 according to the first embodiment of this invention. Each row of the authority grant target table 123 represents an authority and a grant target link. A business role ID or a user ID is set as the grant target ID. In the grant target object, “U” is set if the set grant target type is a user, and “R” is set if the set grant target type is a business role. Furthermore, an effective period start date and an effective period end date are set as necessary.

  As shown in FIG. 9, in the first embodiment of the present invention, the administrator or the like can directly grant the authority to the user, or the business role is assigned by granting the authority to the business role. Authority can also be granted to the assigned user. The former is referred to as direct grant and the latter is referred to as indirect grant.

  The display unit 102 will be described. The display unit 102 generates screen output data 130 to be displayed on the display unit 201 of the client 200 based on data stored in the storage unit 101.

  The screen output data 130 includes an authority structure array 131, a user structure array 132, and a flag structure array 133.

  FIG. 10 is a diagram illustrating an example of the authority structure array 131 according to the first embodiment of this invention. The authority structure array 131 is data having at least a part of items corresponding to each column of the authority table 121. In FIG. 10, the authority structure array 131 is expressed in a format like a C language structure, but the actual definition method depends on the programming language.

  FIG. 11 is a diagram illustrating an example of the user structure array 132 according to the first embodiment of this invention. The user structure array 132 is data having at least a part of items corresponding to each column of the user table 122. The actual definition method depends on the programming language.

  FIG. 12 is a diagram illustrating an example of the flag structure array 133 according to the first embodiment of this invention. The flag structure array 133 includes a target object flag, a condition name, an effective period start date, and an effective period end date.

  FIG. 3 is a diagram showing a display example of the display unit 102 in the first embodiment of the present invention.

  First, as shown in FIG. 3, a table is prepared with authority on the vertical axis and users on the horizontal axis. The vertical and horizontal axes are merely examples, and may be opposite to the example in FIG. In this table, the authority directly granted to the individual user and the authority indirectly granted by the business role are displayed by distinguishing them with characters, colors, icons, etc. so that they can be seen at a glance.

  The uppercase “U” in a circle indicates that the user has the authority granted directly, and the uppercase “R” in the square indicates that the user has the authority indirectly granted by the business role. Represents that As described above, the authority given directly and the authority given indirectly can be distinguished by different display formats depending on characters, colors, icon shapes, and the like.

  Furthermore, the conditions of business loose can be displayed by performing a predetermined operation on the “R” icon or the like. For example, the conditional expression set in the business role corresponding to the on-mouse icon that is the operation target may be displayed in a pop-up window or the like by turning on the mouse. Further, a specific authority (“reference” is possible but “update” is not possible) may be displayed.

  FIG. 4 is a diagram showing a display example with date and time designation on the display unit 102 in the first embodiment of the present invention.

  By making it possible to designate a date as shown in FIG. 4, in addition to the example shown in FIG. 3, it is possible to confirm the authorization status at that date at a glance. In the example of FIG. 4, the administrator or the like can specify the date and time. In addition, for example, a clock icon is displayed in addition to an icon indicating the authority so that the authority for which the valid period is set can be easily understood. The authority icon to which the clock icon is assigned indicates that the authority has a valid period.

  FIG. 5 is a diagram showing a display example with a period designation on the display unit 102 in the first embodiment of the present invention.

  In addition to the example shown in FIG. 3 or FIG. 4, it is possible to confirm how the authority grant status changes within the period by allowing the period to be specified as shown in FIG. . In the example of FIG. 5, the administrator or the like can specify the period by two dates and times. The authority newly granted within the specified period, the authority to be deprived after the effective period expires within the specified period, the authority granted regardless of the effective period, or the effective period Different display methods (change color and brightness, change line style, change background pattern, etc.) depending on the type of authority such as authority that is always granted in the specified period, although the period is limited ) May be displayed. For example, a clock icon is given to the authority newly granted within a designated period, and the authority icon is black on a white background. The authority that is revoked within the specified period due to expiration of the validity period is given a clock icon, and the authority icon is black and white. In this way, by displaying icons in different display formats corresponding to grants and withdrawals within the specified period of direct grant authority and indirect grant authority, it is possible for administrators etc. to recognize each separately Become.

  In addition to the above description, the display unit 102 includes a screen display icon 141 that is icon data to be displayed on the display unit 201.

  The access control unit 103 will be described. The access control unit 103 returns authority information in response to a request from the server 300, and provides information for the request source to perform access control. The external program is a service that runs on the server 300. When the external program accepts an operation from the user, the external program obtains information on the authority granted to the user from the access control unit 103, and permits only a predetermined operation according to the authority. When the access control unit 103 receives a request including a user name, the access control unit 103 returns information regarding the authority of direct grant and indirect grant corresponding to the user name. The protocol between the external program and the access control unit 103 is arbitrary.

  The authority management apparatus 100 may be a computer that includes a CPU (Central Processing Unit) and a storage medium that stores a program, and that operates according to control based on the program. In addition, the storage unit 101, the display unit 102, and the access control unit 103 may be configured as individual storage media or a single storage medium.

  Next, the operation of the authority management device 100 according to the first embodiment of the present invention will be described.

  FIG. 19 is a flowchart showing overall processing of the authority management device 100 according to the first embodiment of this invention.

  First, screen output data initialization processing is executed (step S101). When the user starts authority confirmation or inventory from the client 200, first, as screen output data initialization processing, the display unit 102 acquires necessary data from the authority table 121 stored in the storage unit 101. Next, the display unit 102 stores the authority structure array 131 of the screen output data 130 in order.

  FIG. 13 is a specific example in which values are stored in the authority structure array 131 according to the first embodiment of this invention.

  The numbers in [] in FIG. 13 are called “subscripts”.

  Next, the display unit 102 acquires “user ID” and “user name” of necessary data from the user table 122 stored in the storage unit 101, and sequentially stores them in the user structure array 132 of the screen output data 130.

  FIG. 14 is a specific example in which values are stored in the user structure array 132 according to the first embodiment of this invention.

  Thereafter, the display unit obtains “ITR001” which is the value of “authority structure array [0]. Authority ID” at the head from the authority structure array 131, and corresponds to the authority ID “ITR001” from the authority grant target table. The “authority ID”, “granting target ID”, “granting target object”, “valid period start date”, and “valid period end date” of the data are acquired.

  FIG. 15 is an example of a search result of the authority grant target table according to the first embodiment of this invention.

  Next, the “granting object” of the acquired authorization granting data is confirmed (step S102).

  If the “granting object” of the authority granting data confirmed in step S102 is “U”, the “granting object ID” of the data is searched from the user structure array 132 (step S103). For example, in the case of the second row in FIG. 15, “user structure array [2]” corresponding to “U003” is extracted. At this time, data is registered at a position in the flag structure array 133 that is specified by using the subscript “0” of the authority structure array 131 and the subscript “2” of the user structure array 132 as subscripts. Specifically, since the flag structure array 133 is a three-dimensional array, the subscript “0” of the authority structure array 131 is used for the first subscript, and the subscript “2” of the user structure array 132 is used for the second subscript. ", The initial value" 0 "is assigned to the last third subscript to register the data. The third subscript is assigned a serial number of 0, 1, 2,... Each time data is registered in the flag structure array in which the first and second subscripts have the same value. That is, in the above example, data is registered in “flag structure array [0] [2] [0]”.

  FIG. 16 is a specific example of storing values in the flag structure array in the first embodiment of the present invention. As the data to be registered, data as shown in FIG. 16 is registered based on the information in the second row of FIG. The condition name is “null” when “granting object” is “U”.

  When the “granting object” of the authority granting data confirmed in step S102 is “R”, the “granting object ID” of the data is searched from the business role table 124 (step S104). For example, in the case of the first row in FIG. 15, data corresponding to “BR001” is acquired.

  FIG. 17 is an example of the search result of the business role table in the first exemplary embodiment of the present invention. The user ID “U001” is acquired from the user table 122 based on the conditional expression of FIG. Thereafter, data that can be acquired from the user structure array 132 based on the acquired user ID is registered in the “flag structure array [0] [0] [0]” in the same procedure as in step S103 described above.

    FIG. 18 is a specific example of storing values in the flag structure array in the first embodiment of the present invention. In step S104, data as shown in FIG. 18 is registered based on the first line of FIG. 15 and the information of FIG.

  Next, steps S101 to S104 are sequentially executed on all data in the authority structure array 131 to generate a flag structure array 133 of the screen output data 130 (step S105).

  Next, the display unit 102 executes screen display processing (step S106). As a screen display process, the display unit 102 creates a table with the “authority name” of the authority structure array 131 on the vertical axis and the “user name” of the user structure array 132 on the horizontal axis. Be displayed on the unit 201. Next, in order to display the icons “U” and “R” in each cell specified by the user name and authority name in the table, first, the table displayed on the display unit 201 with respect to the flag structure array 133 is displayed. Substitute the number of “rows minus 1” as the first subscript and the number of “columns minus 1” into the second subscript, and the third subscript is 0, 1 , 2... Are substituted in order to obtain flag structure array data.

  Next, when the “target object flag” of the acquired data is “U” or “R”, the corresponding screen display icon 141 is displayed in the table cell of the display unit 201. If neither “U” nor “R”, move to the next row or column and repeat the same process. This is performed for all the cells in the table of the display unit 201, and a screen as shown in FIG. Further, when the mouse is on the “R” icon, the “condition name” of the corresponding flag structure array data is displayed.

  Next, when the date and time or period is specified on the display unit 201, an icon display format is set based on the date and time or period (step S107).

  A specific process in S107 when the date and time is specified will be described. When “specify date and time” is selected, the validity period start date or validity period end date of the authority structure array 131 is not “null”, and the validity period start date or validity period end of the flag structure array 133 When the day is not “null”, a clock icon is displayed in the table cell of the display unit 201 as shown in FIG.

  Furthermore, when “designate date” is selected on the display unit 201, the designated date is compared with the effective period start date and the effective period end date, and “effective period start date <= specified date < Only when the condition “= effective period end date” is satisfied, an icon “U” or “R” is displayed in the table cell in step S106. The size comparison is performed for both the validity period of the authority structure array 131 and the validity period of the flag structure array 133, and an icon is displayed only when both satisfy the above conditions.

On the other hand, a specific process in S107 when a period is designated on the display unit 201 will be described. The following processing is performed based on the effective period start date and the effective period end date.
(1) When “effective period start date <= start date of specified period” and “end date of specified period <= effective period end date”, the “U” or “R” icon is displayed without a background color.
(2) When “effective period start date <= start date of specified period” and “effective period end date <end date of specified period”, the “U” or “R” icon is grayed out.
(3) In the case of “start date of specified period <effective period start date” and “end date of specified period <= effective period end date”, the icon of “U” or “R” is highlighted.
(4) In the case of “start date of specified period <start date of effective period” and “end date of effective period <end date of specified period”, the icon of “U” or “R” is displayed in a broken line.
With these processes, a table as shown in FIG. 5 is displayed on the display unit 201.

  According to the first embodiment of the present invention, when performing the inventory of the authority granted to the user in the conventional method, “confirm user data → confirm authority data → confirm authority object data → confirm business role data” In the first embodiment of the present invention, the work that requires four steps can be confirmed on one screen (one step), so the efficiency is quadrupled by simple calculation. Furthermore, when AND and OR conditions are added to the conditional expressions of business roles, it is almost impossible with the conventional method. However, in the first embodiment of the present invention, validity confirmation and inventory for such conditions are also performed. Is possible.

  Further, according to the first embodiment of the present invention, in order to confirm the authority on an arbitrary date in the conventional method, in addition to the user data and authority data, the effective period of the authority and the effective period of the grant condition are multiplied. Matching is required and the number of work steps is further increased. However, in the first embodiment of the present invention, since it can be confirmed on the same one screen (one step), the date is included without reducing efficiency. Stocktaking is possible. Furthermore, it is possible in the first embodiment of the present invention to confirm the change in the authorization status during a certain period, which is practically impossible with the conventional method.

  Thus, the operation of the first embodiment of the present invention is completed.

  Next, a characteristic configuration of the first embodiment of the present invention will be described. FIG. 1 is a block diagram showing a characteristic configuration of the first embodiment of the present invention.

  Referring to FIG. 1, the authority management apparatus 100 includes a storage unit 101 and a display unit 102.

  Here, the storage unit 101 stores a user list, an authority list, a business role list, and an association list that associates a user with an authority and a business role.

  Based on the information stored in the storage unit 101, the display unit 102 directly grants and indirectly grants the user in a cell that is an area specified by the user and the authority in the table including the user axis and the authority axis. In accordance with the authority assigned by, data for displaying the authority grant status is generated in a display format that can be distinguished and recognized. The generated data is instructed to be displayed on an external display device.

  According to the first embodiment of the present invention, the authority given to the user can be confirmed at a lower cost.

  The reason is that, in the table containing the user axis and authority axis, the authority granted directly to the individual user and the authority indirectly granted by the business role are distinguished by characters, colors, icons, etc., and the administrator is centralized This is because it can be presented.

  Further, according to the first embodiment of the present invention, the validity of past and future authorities can be confirmed at a lower cost.

  The reason is that in the table containing the user axis and authority axis, at the date and time specified by the administrator, the validity of the authority at the specified date and time is distinguished from the effective period of the authority by characters, colors, icons, etc. This is because it can be presented to an administrator or the like.

  Further, according to the first embodiment of the present invention, it is possible to confirm the status of grant and deprivation within a predetermined period at a lower cost.

  The reason for this is that in the table containing the user axis and authority axis, at the date and time specified by the administrator, etc., whether the authority is granted or revoked during the specified period is distinguished by characters, colors, icons, etc. This is because it can be presented to an administrator or the like centrally.

  While the present invention has been described with reference to the embodiments, the present invention is not limited to the above embodiments. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.

  For example, the embodiment of the present invention can be applied to a system that manages the business role itself in addition to the system that performs authority management. The present invention can also be applied to systems such as privilege ID management, device management, and asset management that have the same concept of effective period.

  Similarly, members of the business role change dynamically depending on events such as personnel changes or organizational revisions, so it is possible to apply changes in which the status of granting authority can be confirmed by entering event information. .

  Furthermore, even if the authority is different, it is possible to apply such information as displaying information such as “authority for the same business system” and “authority granted by the same business role”. Finally, since it is not possible to immediately know the unauthorized authority (e.g., excession rights or duplication) even if you check the confirmation screen, even if it has a function to display candidates for unauthorized authority according to the conditions registered in advance Good.

  The present invention can be applied to an access authority management apparatus in which an administrator or the like manages user authority.

DESCRIPTION OF SYMBOLS 100 Authority management apparatus 101 Memory | storage part 102 Display part 103 Access control part 121 Authority table 122 User table 123 Authorization grant table 124 Business role table 130 Screen output data 131 Authority structure array 132 User structure array 133 Flag structure array 141 Screen Display icon 200 Client 201 Display unit 300 Server

Claims (10)

Storage means for storing the user and the authority granted to the user based on the granting condition;
An instruction to display grant information indicating that the authority has been granted to the user for a predetermined period based on the relationship between the user and the authority stored in the storage unit in a section indicating a correspondence relationship between the user and the authority. Display means for giving to an external device;
Authority management device. The authority management apparatus according to claim 1, wherein the display unit displays the grant information in a table in which a user and an authority form a matrix. The storage means further stores an individual authority individually given to the user,
The display means further gives an instruction to display grant information indicating grant of individual authority in a display format different from the grant information to the section.
The authority management apparatus according to claim 2. In the case where the authority is given to the user within the specified period or is deprived from the user, the display means is a form that also shows the grant or deprivation of the authority,
The authority management apparatus according to any one of claims 1 to 3. The display means further displays information on granting or depriving of authority in response to a predetermined operation on the granting information.
The authority management apparatus according to any one of claims 1 to 3. Memorize the user and the authority granted to the user based on the granting conditions;
An instruction to display grant information indicating that the authority has been granted to the user within a predetermined period based on the relationship between the user and the authority stored in the storage unit in a section indicating a correspondence relationship between the user and the authority To the display device,
Permission management method. The authority management method according to claim 6, wherein when the grant information is displayed, the grant information is displayed in a table in which a user and an authority form a matrix. Further memorize the individual authority given to each user,
An instruction to display grant information indicating grant of individual authority in a display format different from the grant information is further given to the section.
The authority management method according to claim 7. When the authority is granted to the user within the specified period or is deprived from the user, the display format of the grant information is a format that also indicates the grant or deprivation of the authority,
The authority management method according to any one of claims 6 to 8. In accordance with a predetermined operation on the grant information, further displays information on granting or depriving of authority.
The authority management method according to any one of claims 6 to 8.

Images