JP2017146717A - Access control device, information processing system and access control method, and computer program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an access control device or the like for enabling a supervisor of an operator to control access authority to a system of the operator.SOLUTION: An access control device 10 includes: an authentication part 11 for authenticating a user when receiving a request to access a system by a system user, and registering authentication state information 21 representing whether the user performs log-in in a storage part 20 on the basis of its authentication result; and a determination part 12 for determining a supervisor of the user on the basis of user information 22 including information relating to the user and information representing the supervisor of the user when the authentication by the authentication part 11 is successful, determines whether the supervisor performs log-in as the system user on the basis of the authentication state information 21, and permitting the user's access when the supervisor performs the log-in.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an access control device, an information processing system, an access control method, and a computer program.

  In activities in an organization such as a company, for example, full-time employees and contract employees, supervisors and subordinates, a person (supervisor) in a specific position manages the work status of one or more subordinates (workers). It is necessary to supervise.

  However, for some reason, there is a situation where the supervisor's management is inadequate when the worker works (for example, the supervisor is absent or the place where the supervisor and the worker work is physically distant). Sometimes.

  If such an absence of supervisors is given to workers, actions that violate company regulations, such as taking out confidential information registered in the system outside the company, will result in security accidents. there is a possibility.

  Therefore, the user identifier of the worker is applied only during the period in which the user makes an application and receives the application and the system administrator performs the work in the scene where the system usage permission is to be given to the worker temporarily. There is a case to operate to enable. When operated in this way, each system administrator, supervisor, and worker has disadvantages. For example, each time an application is made, the system administrator needs to reset the worker ID (IDentification) to be valid or invalid (heavy work load). Supervisors and workers must create an application form and submit it to the system department each time they use it, and it may take some time for the application to be accepted. Therefore, even if an operator needs to use it urgently, it may be difficult to respond quickly.

  Here, as related technologies, for example, there are the following patent documents.

  Patent Document 1 discloses a connection control device that manages user information for each client terminal and determines whether to connect the client terminal to a network based on the information.

  Patent Document 2 discloses a user management system that performs access control of other users on the information based on the entrance / exit of the administrator who manages the information stored in the information devices in the area.

  In Patent Document 3, an authorization delegator creates an authentication ticket without giving a password to a non-authority delegator or requesting a system administrator to create a temporary account for the non-delegator. An authority delegation method is disclosed in which authority can be delegated simply by transferring.

JP 2012-199800 A JP 2009-230616 A JP 2006-221506 A

  However, even if the techniques proposed in Patent Documents 1 to 3 are used, system access control cannot be performed based on the relationship between the worker and the supervisor.

  SUMMARY OF THE INVENTION Accordingly, an object of the present invention is to provide an access control device or the like that allows an operator's supervisor to control access authority to a worker's system.

  In order to achieve the above object, an access control apparatus according to an aspect of the present invention has the following arrangement.

That is, the access control apparatus according to one aspect of the present invention
When a request for access to the system is received by a system user, the user is authenticated, and authentication status information indicating whether the user is logged in is stored based on the authentication result An authentication part to be registered in the department,
When the authentication by the authentication unit is successful, the supervisor of the user is determined based on user information including information relating to the user and information representing the supervisor of the user, and the supervision A determination unit that determines whether or not a user is logged in as a user of the system based on the authentication status information. When the user is logged in, the determination unit permits access to the user.

An information processing system according to an aspect of the present invention that achieves the same object,
A terminal that receives a request for access to the system by a user of the system;
A server on which the Web server software including the access control device as a filter to be set in a filter API (Application Program Interface) of Web server software and a Web application that implements the system are executed;
A storage device for storing the authentication status information and the user information;

An access control method according to an aspect of the present invention that achieves the same object,
When a request for access to the system is received by a system user, the user is authenticated, and authentication status information indicating whether the user is logged in is stored based on the authentication result Register to the department,
When the authentication is successful, the supervisor of the user is determined based on user information including information related to the user and information indicating the supervisor of the user, and the supervisor Whether or not the user is logged in is determined based on the authentication status information, and if the user is logged in, the user is permitted to access.

  Furthermore, the same object is achieved by a computer readable program storing a computer program for realizing the access control apparatus, information processing system, or access control method having the above-described configuration by a computer, and the computer program. This is also achieved by a storage medium.

  According to the present invention described above, there is an effect that the supervisor of the worker can control the access authority to the worker's system.

It is a block diagram which shows the structure of the access control apparatus which concerns on the 1st Embodiment of this invention. It is a block diagram which shows the structure of the information processing system which concerns on the 2nd Embodiment of this invention. It is a schematic diagram of the whole system using the information processing system which concerns on the 2nd Embodiment of this invention. It is a figure which shows the user information storage part of the information processing system which concerns on the 2nd Embodiment of this invention. It is a figure which shows the authentication status information storage part of the information processing system which concerns on the 2nd Embodiment of this invention. It is a figure which shows the connection information storage part of the information processing system which concerns on the 2nd Embodiment of this invention. It is a flowchart explaining a process when there exists a login request | requirement in the information processing system which concerns on the 2nd Embodiment of this invention. It is a flowchart explaining a process when there exists an operation request | requirement in the information processing system which concerns on the 2nd Embodiment of this invention. It is a block diagram which shows the structure of the information processing system which concerns on the 3rd Embodiment of this invention. It is a schematic diagram of the whole system using the information processing system which concerns on the 3rd Embodiment of this invention. It is a figure which shows the user information storage part of the information processing system which concerns on the 4th Embodiment of this invention. It is a figure which shows the authentication status information storage part of the information processing system which concerns on the 4th Embodiment of this invention. It is a flowchart explaining a process when there exists a login request | requirement in the information processing system which concerns on the 4th Embodiment of this invention. It is a figure which shows the hardware constitutions of the computer (information processing apparatus) which can implement | achieve the 1st thru | or 4th embodiment of this invention.

  Next, embodiments of the present invention will be described in detail with reference to the drawings.

<First Embodiment>
FIG. 1 is a block diagram showing a configuration of an access control apparatus according to the first embodiment of the present invention.

  The access control apparatus 10 according to the present embodiment includes an authentication unit 11 and a determination unit 12.

  The authentication unit 11 authenticates the user when receiving a request for access to the system by a system user, and indicates whether the user is logged in based on the authentication result. The authentication status information 21 is registered in the storage unit.

  When the authentication by the authentication unit 11 is successful, the determination unit 12 determines the supervisor of the user based on user information 22 including information related to the user and information representing the supervisor of the user. Whether or not the supervisor is logged in as a user of the system is determined based on the authentication status information 21. If the supervisor is logged in, access of the user is permitted.

  As described above, the first embodiment has an effect that the supervisor of the worker can control the access authority to the worker's system.

  The reason is that the access control device 10 according to the present embodiment gives the worker access authority to the system when the determination unit 12 confirms that the supervisor of the worker is logged in.

<Second Embodiment>
Next, a second embodiment based on the access control apparatus according to the first embodiment described above will be described. FIG. 2 is a block diagram showing a configuration of an information processing system according to the second embodiment of the present invention. However, the configuration shown in FIG. 2 is an example, and the present invention is not limited to the information processing system shown in FIG.

  The information processing system according to the present embodiment includes a terminal 101, a server 103, and a storage device 112.

  The terminal 101 is a terminal such as a personal computer. The terminal 101 includes a web browser execution unit 102 that executes a web browser. The web browser execution unit 102 executes a web browser used to display a web page representing an execution result by a web application described later.

  The Web browser execution unit 102 of the terminal 101 uses a keyboard or other input device (not shown) for a Web application running on the server 103 to process a request (HTTP request) via the HTTP (HyperText Transfer Protocol) protocol. )I do.

  Then, the terminal 101 receives an execution result by the Web application based on the processing request as a response (HTTP response). Then, the terminal 101 displays the execution result on the Web browser based on the received HTML (HyperText Markup Language) content.

  The storage device 112 accepts authentication using an LDAP (Lightweight Directory Access Protocol) protocol from an external system such as a directory service system. The storage device 112 includes an authentication state information storage unit 113 and a user information storage unit 114.

  The authentication status information storage unit 113 stores authentication status information, that is, information indicating whether or not the user is logged in to the Web application.

  The user information storage unit 114 stores user information, that is, a user ID (Identification) and a password used when the user uses a Web application, information indicating an administrator of the user, and the like. The user ID and password are an example of information related to the user.

  The server 103 is a device that generates and returns HTML content in accordance with an HTTP request from a Web browser. The server 103 is a computer such as a server or a workstation. The server 103 includes a web server execution unit 104 and a web application execution unit 105.

  The web server execution unit 104 executes web server software. The Web server software provides information and functions in response to a request from the Web browser executed by the Web browser execution unit 102 of the terminal 101.

  The web application execution unit 105 executes a web application. The Web application is a program that realizes processing that is an object to be performed by the worker.

  Note that a mechanism in which Web server software once receives an HTTP request from a Web browser and then transfers the HTTP request to the Web application has a general configuration as a Web application.

  The Web server execution unit 104 includes a filter API (Application Program Interface) unit 106. The filter API unit 106 can set an independently developed filter. For example, if the Web server software is IIS (Internet Information Service) provided by Microsoft Corporation, the filter API unit 106 is ISAPI (Internet Server Application Program Interface).

  The filter API unit 106 can set a plurality of filters. As one of these filters, in the present embodiment, a filter 107 that controls availability of the system is set. The filter 107 is another example of the access control apparatus 10 of the first embodiment.

  The filter 107 includes an authentication unit 108, a determination unit 109, a content generation unit 110, and a connection information storage unit 111.

  The authentication unit 108 refers to the user information storage unit 114 and authenticates the user.

  The determination unit 109 determines whether or not a user who has been successfully authenticated by the authentication unit 108 can be used.

  The content generation unit 110 generates HTML content indicating that the user is inaccessible when authentication by the authentication unit 108 fails.

  The connection information storage unit 111 stores a URL (Uniform Resource Locator) to be determined in the HTTP request for the Web application.

  FIG. 3 is a schematic diagram of the entire system using the information processing system according to the second embodiment of the present invention. However, the configuration shown in FIG. 3 is an example, and the present invention is not limited to the system shown in FIG.

  The system according to the present embodiment includes a terminal 201, a terminal 202, a server 203, a server 204, and a storage device 205. As shown in FIG. 3, these devices are connected so as to communicate with each other.

  The terminal 201 and the terminal 202 have the same configuration as the terminal 101. That is, the terminal 201 and the terminal 202 include the Web browser execution unit 102 shown in FIG. In the present embodiment, it is assumed that the supervisor uses the terminal 201 and the worker uses the terminal 202.

  The server 203 and the server 204 have the same configuration as the server 103. That is, similarly to the server 103, the server 203 and the server 204 include the Web server execution unit 104 and the Web application execution unit 105 illustrated in FIG.

  In addition, the server 203 and the server 204 generate HTML content representing the processing result of the Web application in response to an HTTP request from the terminal 201 and the terminal 202 to the Web application. Then, the server 203 and the server 204 return the generated HTML content to the terminal 201 or the terminal 202 that has made the HTTP request.

  According to FIG. 3, there are two servers on which the Web application operates, a server 203 and a server 204, which are physically connected to different terminals. That is, the terminal 201 used by the supervisor is connected to the server 203, and the terminal 202 used by the worker is connected to the server 204. However, the number of servers on which the Web application operates is not limited to two, and may be one or more in consideration of load distribution and the like.

  The storage device 205 indicates a storage device that stores user information, such as a directory server. The storage device 205 is an example of the storage device 112 illustrated in FIG. 2, and is, for example, an authentication directory used when the server 203 and the server 204 perform user authentication.

  Here, it is assumed that the information shown in FIG. 4 is registered in the user information storage unit 114 in advance.

  FIG. 4 is a diagram showing the user information storage unit 114 of the information processing system according to the second embodiment of the present invention. The user information storage unit 114 is a table that stores user information, and includes a user ID, a password, a supervisor flag, and a supervisor ID. The user ID, password, supervisor flag, and supervisor ID are associated in the user information storage unit 114 as shown in the table conceptually shown in FIG.

  The user ID is an identifier that uniquely identifies the user.

  The password is a character string used to confirm that the user is the user.

  The supervisor flag is a value indicating whether or not the user is a supervisor. The supervisor flag is “true” when the user is a supervisor, and “false” when the user is not a supervisor.

  The supervisor ID is a user ID used by the user's supervisor. When the user does not have a supervisor, the supervisor ID is “N / A”.

  As shown in FIG. 4, the user information storage unit 114 stores information about users whose user IDs are “ADMIN1”, “ADMIN2”, “WORKER1”, and “WORKER2”. ADMIN1 and ADMIN2 are supervisors because the supervisor flag is “true”. WORKER1 and WORKER2 are workers (not supervisors) because the supervisor flag is “false”. For example, since the supervisor ID of WORKER1 is “ADMIN1”, the supervisor of WORKER1 is ADMIN1.

  Further, it is assumed that the information shown in FIG. 5 is registered in the authentication state information storage unit 113 in advance.

  FIG. 5 is a diagram showing the authentication state information storage unit 113 of the information processing system according to the second embodiment of the present invention. The authentication state information storage unit 113 is a table that stores authentication state information, and includes a user ID and a login state. It is assumed that the user ID and the login state are associated in the authentication state information storage unit 113 as shown in a table conceptually shown in FIG.

  The user ID is an identifier for uniquely identifying the user, similar to the user ID in FIG.

  The login state is information representing the login state of the user to the system at a certain time (for example, time t1). According to FIG. 5, at time t1, ADMIN1 is in a login state, and ADMIN2, WORKER1, and WORKER2 are in a logout state.

  Assume that the supervisors (ADMIN 1 and ADMIN 2) use the terminal 201. In addition, it is assumed that workers (WORKER 1 and WORKER 2) are using the terminal 202.

  FIG. 6 is a diagram showing the connection information storage unit 111 of the information processing system according to the second embodiment of the present invention. The connection information storage unit 111 is a table that stores connection information, and includes an operation type and a connection URL. The operation type and the connection URL are associated in the connection information storage unit 111 as shown in a table conceptually shown in FIG.

  The operation type is information representing the type of operation requested using the terminal.

  The connection URL is information representing the connection URL corresponding to the operation type for a request made using the terminal. According to FIG. 6, when the connection URL is “/ webapp / login”, the server recognizes that the user who uses the terminal requests “authentication”.

  Next, processing when a worker (WORKER1, WORKER2) makes a login request to the Web application in the terminal 202 after time t1 will be described.

  The information processing system determines whether the request from the terminal 202 is a login or a general operation based on whether or not the request matches the URL registered in the connection information storage unit 111. For example, if the request from the terminal 202 is “/ webapp / login”, the server 204 searches for a connection URL in the connection information storage unit 111 and detects whether there is a URL that matches this. According to FIG. 6, when the connection URL is “/ webapp / login”, since the operation type is “authentication”, the server 204 executes the process shown in FIG. 7 in response to the login request. FIG. 7 is a flowchart for explaining processing when there is a login request in the information processing system according to the second embodiment of the present invention.

  Based on the operation by the users (here, WORKER 1 and WORKER 2), the terminal 202 operates the Web browser executed by the Web browser execution unit 102 and uses the Web application to be executed by the Web application execution unit 105 of the server 204. The user ID and password are transmitted to the server 204. Thereby, the terminal 202 makes a login request to the Web application (step S101).

  The authentication unit 108 of the filter 107 confirms whether the user information corresponding to the user ID and password transmitted in step S101 is registered with reference to the user information storage unit 114 (step S102).

  If registered (“Yes” in step S102), the authentication unit 108 changes the login state corresponding to the user ID in the authentication state information storage unit 113 from “logout” to “login”, and proceeds to step S103. Move.

  If not registered (“No” in step S102), the content generation unit 110 generates HTML content indicating authentication failure, returns the generated HTML content to the terminal 202 (step S104), and ends the process.

  The determination unit 109 refers to the user information storage unit 114 and confirms the value of the supervisor flag corresponding to the user (step S103).

  If the supervisor flag is “true” (“Yes” in step S103), the determination unit 109 performs the processing from step S110 onward because the user is a supervisor.

  If the supervisor flag is “false” (“No” in step S103), the determination unit 109 performs the processing from step S107 onward because the user is not a supervisor. Since WORKER1 and WORKER2 are the latter, the determination unit 109 proceeds to step S107.

  Next, the determination unit 109 refers to the user information storage unit 114 and acquires a supervisor ID corresponding to the user (step S107). As a result, the determination unit 109 acquires ADMIN1 as the supervisor ID corresponding to WORKER1, and ADMIN2 as the supervisor ID corresponding to WORKER2.

  Then, the determination unit 109 refers to the authentication state information storage unit 113 and confirms whether or not a user who uses the acquired supervisor ID as a user ID is logged in (step S108). Thereby, the determination unit 109 determines that the supervisor of WORKER1 is logged in because the login state of ADMIN1 who is the supervisor of WORKER1 is “login”, and proceeds to step S110. Further, the determination unit 109 determines that the supervisor of WORKER 2 is not logged in because the login state of ADMIN 2 which is the supervisor of WORKER 2 is “logout”, and proceeds to step S109.

  If the supervisor is not logged in (“No” in step S108), the content generation unit 110 generates HTML content indicating that access is not possible, returns the generated HTML content to the terminal 202 (step S109), and performs processing. finish.

  When the supervisor is logged in (“Yes” in step S108), the determination unit 109 determines that the authentication of the user who requested the login is successful (step S110). Then, the determination unit 109 transmits a request for the Web application from the terminal 202 to the Web application execution unit 105 (Step S111).

  Upon receiving the request, the Web application execution unit 105 generates HTML content representing the result of executing the Web application based on the request, and returns the generated HTML content to the terminal 202 (Step S112).

  Next, processing when an operator makes an operation request to the Web application on the terminal 202 will be described.

  As described above, the information processing system determines whether the request from the terminal 202 is a login or a general operation based on whether the request matches the URL registered in the connection information storage unit 111. For example, when the request from the terminal 202 is “/ webapp / mail / send”, the determination unit 109 of the server 204 searches for a connection URL in the connection information storage unit 111 and determines whether there is a URL that matches this. Is detected. According to FIG. 6, when the connection URL is “/ webapp / mail / send”, since the operation type is “operation”, the server 204 executes the processing shown in FIG. 8 in response to the operation request. FIG. 8 is a flowchart for explaining processing when there is an operation request in the information processing system according to the second embodiment of the present invention.

  Based on the operation by the user, the terminal 202 operates the Web browser executed by the Web browser execution unit 102 and makes an operation request for the Web application to be executed by the Web application execution unit 105 of the server 204 (Step S201).

  In response to the operation request, the server 204 performs the processing from step S103 described with reference to FIG.

  Accordingly, even when the user performs an operation request operation from the terminal 202 to the Web application, it is possible to control the requested operation only when the supervisor is logged in. .

  Further, the server 204 may monitor the operation log of the Web application and monitor the user's work status in real time by the supervisor of the user.

  As described above, the second embodiment has an effect that the supervisor of the worker can control the access authority to the worker's system.

  The reason is that the information processing system according to the present embodiment restricts the worker to use the system only when the supervisor who supervises the worker is logged in to the system. .

  As a result, the supervisor can manage the worker while being in a different place from the worker.

  Furthermore, there is an advantage that it is not necessary to modify an existing Web application. In order to implement this embodiment, the Web server execution unit 104 (filter API unit 106) on the server on which an existing Web application runs is added to the filter 107 and the storage device 112 (user information storage unit 113). This is because the authentication status information storage unit 114) may be prepared.

In addition, when an operator uses the system, it is necessary that the supervisor is always logged in to the system, so that the supervisor is indirectly monitored by the supervisor, and the worker is illegal There is also a deterrent effect that discourages you.
<Third Embodiment>
Next, a third embodiment based on the information processing system according to the second embodiment described above will be described.

  In the second embodiment, when the supervisor is in a login state with respect to the Web application, the operator can log in to the Web application and perform operations on the subsequent Web application.

  In this embodiment, when the supervisor is logged in to the OS, not to the Web application, the operator can log in to the Web application and perform subsequent operations on the Web application.

  FIG. 9 is a block diagram showing a configuration of an information processing system according to the third embodiment of the present invention. However, the configuration shown in FIG. 9 is an example, and the present invention is not limited to the information processing system shown in FIG.

  In the information processing system according to the present embodiment, a directory service storage device 116 and an authentication information acquisition unit 115 are added to the information processing system shown in FIG.

  The directory service storage device 116 stores various resources such as user information and computer information on the network. For example, when Active Directory provided by Microsoft, which is one of the directory services, logs in to a client OS that participates in the domain of Active Directory, information indicating that the user has logged in is stored in the directory service storage device 116.

  The authentication information acquisition unit 115 updates the login state of the authentication state information storage unit 113 based on information in the directory service storage device 116 at predetermined time intervals (for example, every 5 minutes). That is, the authentication information acquisition unit 115 performs the following processing. The authentication information acquisition unit 115 acquires the user ID registered in the user information storage unit 114, connects to the directory service storage device 116, and acquires information indicating the login state of the user ID with respect to the OS. . Then, the authentication information acquisition unit 115 updates the login state of the authentication state information storage unit 113 based on the acquired login state (“login” or “logout”). That is, in this embodiment, the login state of the authentication state information storage unit 113 indicates whether or not the user is logged in to the OS.

  FIG. 10 is a schematic diagram of an entire system using an information processing system according to the third embodiment of the present invention. However, the configuration shown in FIG. 10 is an example, and the present invention is not limited to the system shown in FIG.

  Terminals 201 and 202, server 204, and storage device 205 shown in FIG. 10 are the same as terminals 201, 202, server 204, and storage device 205 shown in FIG.

  The domain controller 207 is a controller for authenticating the directory service storage device 206 (the directory service storage device 116 in FIG. 9). The domain controller 207 makes an authentication request to the directory service storage device 206 using the user ID and password received by the user for the authentication attempt to the OS of the server 204. When the authentication success status is returned from the directory service storage device 206, the directory service storage device 206 records information indicating that the user has been authenticated. Further, the domain controller 207 returns a success status to the terminal 201.

  Up to this point, this embodiment has explained that whether or not the OS is logged in is stored in the login state of the authentication state information storage unit 113. Since other processes are not changed from those of the second embodiment, description thereof is omitted.

  As described above, the third embodiment has an effect that the supervisor of the worker can control the access authority to the worker's system.

  The reason is that the information processing system according to the present embodiment restricts the worker to use the system only when the supervisor who supervises the worker is logged on to the OS. .

<Fourth Embodiment>
Next, a fourth embodiment based on the information processing system according to the second embodiment described above will be described.

  In the second embodiment, in the user information storage unit 114 shown in FIG. 4, one supervisor is registered for the worker.

  However, in the present embodiment, it is possible to register a plurality of supervisors for one worker by registering a supervisor at a higher level with the supervisor and making the supervisor a hierarchical structure.

  In the present embodiment, new information is added to the information managed by the user information storage unit 114 described in the second embodiment.

  FIG. 11 is a diagram showing the user information storage unit 114 of the information processing system according to the fourth embodiment of the present invention. In FIG. 11, an operator flag is added as compared with the user information storage unit 114 of the second embodiment shown in FIG.

  The worker flag is a value indicating whether or not the user is a worker. The worker flag is “true” when the user is a worker, and “false” when the user is not a worker. Here, the worker is a person for whom a supervisor ID corresponding to the user is registered.

  As shown in FIG. 11, the user information storage unit 114 stores information about users whose user IDs are “ADMIN0”, “ADMIN1”, “ADMIN2”, “WORKER1”, and “WORKER2”. WORKER1 and WORKER2 are workers (not supervisors) because the worker flag is “true”. For example, since the supervisor ID of WORKER1 is “ADMIN1”, the supervisor of WORKER1 is ADMIN1. ADMIN1 and ADMIN2 are supervisors because the supervisor flag is “true”. Furthermore, since ADMIN1 and ADMIN2 have the supervisor ID “ADMIN0”, ADMIN0 is the supervisor. ADMIN0 is registered as the highest supervisor because the supervisor flag is “true” and the supervisor ID is “N / A” (invalid).

  Further, it is assumed that the information shown in FIG. 12 is registered in advance in the authentication state information storage unit 113 at a certain time t2. FIG. 12 is a diagram showing an authentication state information storage unit 113 of the information processing system according to the fourth embodiment of the present invention. In the authentication state information storage unit 113 shown in FIG. 12, the same user ID as the user ID defined in the user information storage unit 114 shown in FIG. 11 is registered. According to FIG. 12, at time t2, ADMIN0 is in the login state, and ADMIN1, ADMIN2, WORKER1, and WORKER2 are in the logout state.

  Next, with reference to FIG. 13, a description will be given of the movement when the user (WORKER 1) makes a login request to the Web application in the terminal 202 after time t2. FIG. 13 is a flowchart for explaining processing when there is a login request in the information processing system according to the fourth embodiment of the present invention.

  Based on the operation by the user (WORKER 1), the terminal 202 operates the Web browser executed by the Web browser execution unit 102, and sets the user ID and password for the Web application to be executed by the Web application execution unit 105 of the server 204. To the server 204. Thereby, the terminal 202 makes a login request to the Web application (step S301).

  The authentication unit 108 of the filter 107 indicates whether the user information corresponding to the user ID and password transmitted in step S301 is registered (matches the registered user ID and password), as shown in FIG. The user information storage unit 114 is checked for confirmation (step S302).

  If registered (“Yes” in step S302), the authentication unit 108 changes the login state corresponding to the user ID in the authentication state information storage unit 113 illustrated in FIG. 12 from “logout” to “login”. Then, the process proceeds to step S303.

  If not registered (“No” in step S302), the content generation unit 110 generates HTML content indicating authentication failure, returns the generated HTML content to the terminal 202 (step S304), and ends the process.

  Then, the determination unit 109 refers to the user information storage unit 114 and confirms the value of the worker flag corresponding to the user (step S303).

  When the worker flag is “false” (“No” in step S303), the determination unit 109 performs the processing from step S310 onward because the user is the highest supervisor. The top supervisor is a user without a supervisor.

  When the worker flag is “true” (“Yes” in step S303), the determination unit 109 performs the processing from step S307 onward because the user is the worker. Since WORKER1 is the latter, the determination unit 109 proceeds to step S307.

  Next, the determination unit 109 refers to the user information storage unit 114 and acquires a supervisor ID corresponding to the user. When there is a supervisor who uses the acquired supervisor ID as a user ID, the determination unit 109 also acquires the supervisor ID. The determination unit 109 repeats this process until the user has no supervisor, that is, until the user ID of the highest supervisor is acquired (step S307). Accordingly, the determination unit 109 acquires ADMIN1 and ADMIN0 as the supervisor ID corresponding to WORKER1.

  Then, the determination unit 109 refers to the authentication state information storage unit 113 and confirms whether there is a logged-in user who uses the acquired supervisor ID as the user ID (step S308). Thereby, the determination unit 109 determines that the supervisor of WORKER1 is logged in because the login state of ADMIN1 who is the supervisor of WORKER1 is “login”, and proceeds to step S310.

  If the supervisor is not logged in (“No” in step S308), the content generation unit 110 generates HTML content indicating that access is not possible, returns the generated HTML content to the terminal 202 (step S309), and performs processing. finish.

  When the supervisor is logged in (“Yes” in step S308), the determination unit 109 determines that the authentication of the user who requested the login is successful (step S310). Then, the determination unit 109 transmits a request for the Web application from the terminal 202 to the Web application execution unit 105 (Step S311).

Upon receiving the request, the Web application execution unit 105 generates HTML content representing the result of executing the Web application based on the request, and returns the generated HTML content to the terminal 202 (step S312).
In this embodiment, if any one of a plurality of supervisors is in a login state, the worker is determined to be successful. However, the present invention is not limited to this, and it is sufficient to determine in advance conditions under which an operator is judged to be successful in recognition of the characteristics and importance of the system.

  As described above, the fourth embodiment has an effect that the supervisor of the worker can control the access authority to the worker's system.

  The reason is that the information processing system according to the present embodiment restricts the worker to use the system only when the supervisor who supervises the worker is logged in to the system. .

  Furthermore, according to the present embodiment, by registering a plurality of supervisors to a certain worker, it is possible to perform accurate access control taking into consideration the characteristics and importance of the system.

(Hardware configuration)
1, 2, and 9 in the above-described embodiment may be practiced by a dedicated device, but can be regarded as a function (processing) unit (software module) of a software program. However, various configurations can be envisaged when mounting each part shown in these drawings. An example of the hardware environment in such a case will be described with reference to FIG.

  FIG. 14 is a diagram illustrating a hardware configuration of a computer (information processing apparatus) capable of realizing the first to fourth embodiments of the present invention. That is, FIG. 14 shows a configuration of a computer (information processing apparatus) capable of realizing all or part of the access control apparatus 10 shown in FIG. 1 and the filter 107 shown in FIG. 2 and FIG. The hardware environment which can implement | achieve each function in a form is represented.

An information processing apparatus 9000 illustrated in FIG. 14 includes the following apparatuses, and has a configuration in which these are connected via a bus 9007.
CPU (Central Processing Unit) 9001
-Display 9002,
・ Communication interface (I / F) 9003,
・ ROM (Read Only Memory) 9004,
A RAM (Random Access Memory) 9005 and a hard disk device (HD) 9006.

  The hard disk device (HD) 9006 stores a program group 9006A and various kinds of stored information 9006B. The program group 9006A is, for example, a computer program for realizing functions corresponding to each block (each unit) of the access control apparatus 10 shown in FIG. 1 and the filter 107 shown in FIGS. The various storage information 9006B is, for example, the recording unit 20 illustrated in FIG. 1 and the storage device 112 illustrated in FIGS. A communication interface 9003 is a general communication unit that realizes communication with an external device via the network 9100.

  In the information processing apparatus 9000, the CPU 9001 of the hardware executes a computer program capable of realizing the functions of the block diagram or the flowchart referred to in the description of the above-described embodiment. That is, the CPU 9001 executes the computer program using the hardware resources of the information processing apparatus 9000 shown in FIG. 14 to achieve the functions of the embodiment of the present invention. Specifically, when the filter 107 is realized by the information processing device 9000, the information processing device 9000 causes the CPU 9001 to execute a computer program for executing the processing steps of the flowcharts shown in FIGS. do it. The computer program supplied to the information processing apparatus 9000 may be stored in a readable / writable RAM 9005 or a non-volatile storage device (storage medium) such as the hard disk device 9006.

  In the above-described case, a general procedure can be adopted as a method for supplying a computer program into the apparatus. The supply method includes, for example, a method of installing in the apparatus via various storage media such as a CD-ROM, and a method of downloading from the outside via a network 9100 such as the Internet. In such a case, the embodiment of the present invention can be regarded as being configured by a code constituting the computer program or a computer-readable storage medium in which the code is recorded.

  While the present invention has been described with reference to the embodiments, the present invention is not limited to the above embodiments. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.

DESCRIPTION OF SYMBOLS 10 Access control apparatus 11 Authentication part 12 Judgment part 20 Storage apparatus 21 Authentication status information 22 User information 101 Terminal 102 Web browser execution part 103 Server 104 Web server execution part 105 Web application execution part 106 Filter API part 107 Filter 108 Authentication part 109 Determination unit 110 Content generation unit 111 Connection information storage unit 112 Storage device 113 Authentication state information storage unit 114 User information storage unit 116 Directory service storage device 201 Terminal 202 Terminal 203 Server 204 Server 205 Storage device 206 Directory service storage device 207 Domain controller 9000 Information processing device 9001 CPU
9002 Display 9003 Communication interface (I / F)
9004 ROM
9005 RAM
9006 Hard disk device (HD)
9006A Program group 9006B Various stored information 9007 Bus 9100 Network

Claims (9)

When a request for access to the system is received by a system user, the user is authenticated, and authentication status information indicating whether the user is logged in is stored based on the authentication result An authentication part to be registered in the department,
When the authentication by the authentication unit is successful, the supervisor of the user is determined based on user information including information relating to the user and information representing the supervisor of the user, and the supervision An access control device comprising: a determination unit that determines whether or not a user is logged in as a user of the system based on the authentication state information; and a determination unit that permits access of the user when logged in . The authentication status information is:
The access control apparatus according to claim 1, wherein the access control apparatus is information indicating whether or not the OS (operating system) on which the system is running is logged in. The access control apparatus according to claim 1, wherein the information representing the supervisor of the user is an identifier capable of identifying the user included in the information related to the user corresponding to the supervisor. The user information further includes information representing a supervisor who supervises a user who is a supervisor of the user, whereby a plurality of supervisors of the user are registered, and the determination unit 4. The access control apparatus according to claim 1, wherein whether or not to permit access is determined based on the authentication status information of a plurality of users who are supervisors of the user. 5. . A terminal that receives a request for access to the system by a user of the system;
The web server software including the access control device according to any one of claims 1 to 4 and a web application that realizes the system are executed as a filter set in a filter API (application program interface) of the web server software. Server
An information processing system comprising: a storage device that stores the authentication status information and the user information. The information processing system according to claim 5, wherein the server passes the request to the Web application when permitting the user access by the filter. The information processing system according to claim 5 or 6, wherein when the server does not permit access by the filter, the server returns content representing the fact to the terminal. When a request for access to the system is received by a system user, the user is authenticated, and authentication status information indicating whether the user is logged in is stored based on the authentication result Register to the department,
When the authentication is successful, the supervisor of the user is determined based on user information including information related to the user and information indicating the supervisor of the user, and the supervisor An access control method for determining whether or not the user is logged in based on the authentication status information and permitting the user access when logged in. When a request for access to the system is received by a system user, the user is authenticated, and authentication status information indicating whether the user is logged in is stored based on the authentication result Authentication function to be registered in the department,
When the authentication by the authentication function is successful, the supervisor of the user is determined based on user information including information on the user and information representing the supervisor of the user, and the supervisor A computer that determines whether or not a user of the system is logged in based on the authentication status information, and if the user is logged in, a computer that realizes a determination function that allows the user access ·program.

Images