JP2018160220A - Access control system, access control method, and access control program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To guarantee the safety of security by that an approver satisfies an approval condition and increase the efficiency of business operations.SOLUTION: A service providing device 500 transmits an authentication approval coordination request to an information terminal device 200 when a use request is received from the information terminal device 200 that requests use of an application by a user 60. The information terminal device 200 transmits the authentication approval coordination request to an access control device 300. A storage unit 350 of the access control device 300 stores information about a user who uses the application as user information 351, and also stores the approval condition of an approver who approves use of the application as approval policy information 354. An approval determination unit 340 of the access control device 300 extracts candidates for the approver as approver candidates from the user information 351 on the basis of the approval policy information 354, and determines that approval is possible when any approver among the approval candidates satisfies the approval condition.SELECTED DRAWING: Figure 2

Description

  The present invention relates to an access control system, an access control method, and an access control program.

  Corporate employees have more opportunities to use external cloud services in business in addition to internal systems. Users can use internal systems or external cloud services via the Internet network from various locations such as customers, business partners, business hotels, and homes, as well as using devices on managed internal networks. There is a case. In the case of use from outside the company, identity verification is strengthened by two-factor authentication based on biometric authentication such as a one-time password using a token device or a smartphone application, or a fingerprint for user authentication. While the places where such information can be used are freed, there is an increased risk of snooping information by others, voyeuring information by surveillance cameras, or intentional leakage of important information by employees alone.

Patent Document 1 discloses a technique for preventing access to a management document from an inappropriate place.
Patent Document 2 discloses an access control method capable of restricting the use of information to a designated geographical area.

JP 2000-163379 A JP 2006-195484 A

  In Patent Literature 1 and Patent Literature 2, the user's location information is used for authentication so that the service can be used only at a predetermined location with a predetermined access right. Therefore, when the user is in a position where access is not permitted, access is not permitted in any case, which may reduce the efficiency of the business.

  The present invention provides an access control system capable of ensuring security safety and permitting access by clearing an authorization policy even when a user is in a place where access is not permitted. The purpose is to do.

An access control system according to the present invention includes an information terminal device carried by a user, a service providing device that provides an application, and an access control device that controls access to the application.
The service providing apparatus includes:
Upon receiving a usage request for requesting use of the application by the user from the information terminal device, an authentication authorization cooperation request for requesting authentication of the user and authorization for use of the application by the user is sent to the information terminal. It has an authentication cooperation function part that transmits to the device,
The information terminal device
Sending the authentication authorization cooperation request transmitted from the authentication cooperation function unit to the access control device,
The access control device
A storage unit that stores information of a user who uses the application as user information, and stores approval conditions of an approver who approves the use of the application as authorization policy information;
Based on the authorization policy information, an approver candidate is extracted from the user information as an approver candidate, and the approval is possible when any approver of the approver candidates satisfies the approval condition. And an authorization determination unit for determining that there is a device.

The access control system includes:
A mobile terminal device carried by the user and having a mobile terminal device capable of acquiring location information;
The storage unit
Stores the location information of the user who uses the application as the user location information,
The authorization policy information includes a geographical range from the mobile terminal device as an extraction condition for extracting an approver candidate from the user information,
The authorization determination unit
From the user location information, a user located in the geographical range included in the authorization policy information is extracted as the approver candidate.

The user information includes an attribute of a user who uses the application,
The authorization policy information includes an attribute of a user who uses the application as the extraction condition,
The authorization determination unit
A user who is located in the geographical range included in the authorization policy information and has an attribute included in the authorization policy information is extracted as the approver candidate from the user information.

The access control device
The list of approver candidates is displayed on the user's mobile terminal device, and the user is allowed to select an approver who approves the use of the application from the list of approver candidates, and is selected by the user. An approver is used as a selection approver, and a request unit that transmits an approval request for requesting approval to the mobile terminal device of the selection approver is provided.

The authorization determination unit
When the approval result from the selection approver is already approved, it is determined that the approval is possible.

The user location information includes a status of a user who uses the application,
The authorization policy information includes a state of a user who uses the application as the approval condition,
The authorization determination unit
In the list of approver candidates, it is determined whether there is an approver satisfying the approval condition among the approvers whose approval condition is in the login state, and approval can be performed for the approver satisfying the approval condition. judge.

An access control method according to the present invention includes an information terminal device carried by a user, a service providing device that provides an application, and an access control device that controls access to the application. In an access control method of an access control system having an access control device including a storage unit that stores information as user information and stores an approval condition of an approver who approves use of the application as authorization policy information,
When the service providing device receives a usage request for requesting the use of the application by the user from the information terminal device, the service authorization device requests authentication of the user and authorization for use of the application by the user. Sending a cooperation request to the information terminal device;
The information terminal device transmits the authentication authorization cooperation request transmitted from the service providing device to the access control device;
The access control device extracts an approver candidate as an approver candidate from the user information based on the authorization policy information, and when any approver of the approver candidates satisfies the approval condition. , It is determined that the authorization is possible.

An access control program according to the present invention is an access control device connected to an information terminal device carried by a user and a service providing device that provides an application, and information about a user who uses the application In the access control program of the access control device having a storage unit that stores the approval condition of the approver who approves the use of the application as the authorization policy information,
Upon receiving a usage request for requesting the use of the application by the user, an authentication / authorization cooperation request for requesting authentication of the user and authorization for use of the application by the user is received, and the authorization policy information Based on the above, the candidate of the approver is extracted as the approver candidate from the user information, and the approval is determined to be possible when any one of the approver candidates satisfies the approval condition The determination process is executed by the access control device which is a computer.

  In the access control system according to the present invention, an approval condition for approving the use of an application by a user is set in the authorization policy information. The authorization determination unit determines that the authorization is possible when the approver satisfies the approval condition. Therefore, even when the user is in a place where the use is not permitted, the approver satisfies the approval condition, thereby ensuring security safety and improving business efficiency.

1 is a configuration diagram of an access control system 600 according to Embodiment 1. FIG. 1 is a configuration diagram of each device of an access control system 600 according to Embodiment 1. FIG. FIG. 3 is a hardware configuration diagram of each device of the access control system 600 according to the first embodiment. FIG. 4 is a sequence diagram illustrating a position information registration process S10 according to the first embodiment. FIG. 3 is a configuration diagram of user information 351 according to the first embodiment. FIG. 3 is a configuration diagram of user position information 352 according to the first embodiment. FIG. 6 is a sequence diagram illustrating authentication authorization request processing S20 according to the first embodiment. FIG. 6 is a flowchart of authorization determination processing S30 according to the first embodiment. FIG. 6 is a flowchart of authorization determination processing S30 according to the first embodiment. The block diagram of the location registration information 353 which concerns on Embodiment 1. FIG. The block diagram of the application information 356 and the application authorization information 355 which concern on Embodiment 1. FIG. FIG. 4 is a configuration diagram of authorization policy information 354 according to the first embodiment. FIG. 5 is a configuration diagram of search condition information 357 according to the first embodiment. FIG. 4 is a configuration diagram of determination information 358 according to the first embodiment. FIG. 11 is a sequence diagram of processing that is started after the authorization determination unit 340 according to the first embodiment receives the authorization request 63.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In addition, the same code | symbol is attached | subjected to the part which is the same or it corresponds in each figure. In the description of the embodiments, the description of the same or corresponding parts will be omitted or simplified as appropriate.

Embodiment 1 FIG.
*** Explanation of configuration ***
The configuration of the access control system 600 according to the present embodiment will be described using FIG.
The access control system 600 is a mobile terminal device 100 that is carried by a user 60 and that can acquire position information, an information terminal device 200 that is carried by the user 60, and a service providing device that provides an application 500 and an access control apparatus 300 that controls access to an application. In the access control system 600, the mobile terminal device 100, the information terminal device 200, the access control device 300, and the service providing device 500 are connected via a network 400. In the following description, an application is also referred to as an application.
Each of the portable terminal device 100 and the information terminal device 200 is a device carried by the user 60. The mobile terminal device 100 is a computer that can acquire position information from a GPS (Global Positioning System), Wi-Fi (registered trademark), or a mobile base station. Specifically, the mobile terminal device 100 is a smartphone or a tablet terminal. Specifically, the information terminal device 200 is a computer such as a notebook PC (Personal Computer) having a browser function.
Specifically, the access control device 300 is an authentication server provided by an authentication permission provider.
The service providing apparatus 500 provides a service that a user uses using the information terminal apparatus 200. The service providing apparatus 500 is an in-house system or an external cloud service, and provides use of an application.

  The configuration of each device of access control system 600 according to the present embodiment will be described with reference to FIG. Each of the mobile terminal device 100, the information terminal device 200, the access control device 300, and the service providing device 500 is also referred to as each device of the access control system 600.

The mobile terminal device 100 includes a user authorization unit 110 as a functional configuration. The user authorization unit 110 is also referred to as a user authorization application. The user authorization unit 110 includes a position acquisition unit 111, an approval request unit 112, and a user authentication unit 113.
The information terminal device 200 has a browser function unit 210 as a functional configuration. The browser function unit 210 activates the browser and executes various processes using the browser function. A specific example of the browser is software such as Chrome or FireFox.
As a functional configuration, the service providing apparatus 500 has a function configuration, and the authentication cooperation function unit 510 requests and uses authentication cooperation information such as SAML (Security Association Markup Language) SP (Service Provider) and OIDC (OpenID Connect) RP (Relying Party). Execute the function to perform.
The access control device 300 includes a master information management unit 310, a position information reception unit 320, a request unit 330, an authorization determination unit 340, a storage unit 350, an authentication unit 360, and an authentication / authorization cooperation function unit 370 as functional configurations. The storage unit 350 stores user information 351, user position information 352, location registration information 353, authorization policy information 354, application authorization information 355, application information 356, search condition information 357, and determination information 358. . The authentication authorization cooperation function unit 370 executes a function of providing authentication cooperation information such as SAML IDP (Identity provider) and OIDC OP (OpenID Provider).
Here, SAML is a standard (protocol) for performing authentication cooperation based on XML. IDP is a function that provides authentication information in accordance with the SAML standard. The SP is a function that requests and uses authentication information in accordance with the SAML standard. OIDC is a standard (protocol) for performing authentication cooperation based on JSON (Java Script (registered trademark) Object Notation). The OP is a function that provides authentication information in accordance with the OpenID Connect standard. The RP is a function that requests and uses authentication information in accordance with the OpenID Connect standard.

The hardware configuration of each device of the access control system 600 according to the present embodiment will be described with reference to FIG. Each of the mobile terminal device 100, the information terminal device 200, the access control device 300, and the service providing device 500 is also referred to as each device of the access control system 600.
Each device of the access control system 600 is a computer.
Each device of the access control system 600 includes hardware such as a processor 901, an auxiliary storage device 902, a memory 903, a communication device 904, an input interface 905, and a display interface 906.
The processor 901 is connected to other hardware via the signal line 910, and controls these other hardware.
The input interface 905 is connected to the input device 907.
The display interface 906 is connected to the display device 908.

The processor 901 is an IC (Integrated Circuit) that performs arithmetic processing.
Specifically, the processor 901 is a CPU (Central Processing Unit), a DSP (Digital Signal Processor), or a GPU (Graphics Processing Unit).
Specifically, the auxiliary storage device 902 is a ROM (Read Only Memory), a flash memory, and an HDD (Hard Disk Drive).
The memory 903 is specifically a RAM (Random Access Memory).
The communication device 904 includes a receiver 9041 that receives data and a transmitter 9042 that transmits data.
Specifically, the communication device 904 is a communication chip or a NIC (Network Interface Card).
The input interface 905 is a port to which the cable 911 of the input device 907 is connected.
Specifically, the input interface 905 is a USB (Universal Serial Bus) terminal.
The display interface 906 is a port to which the cable 912 of the display device 908 is connected.
Specifically, the display interface 906 is a USB terminal or a HDMI (registered trademark) (High Definition Multimedia Interface) terminal.
Specifically, the input device 907 is a mouse, a keyboard, or a touch panel.
Specifically, the display device 908 is an LCD (Liquid Crystal Display).

A program that realizes the functions of each device of the access control system 600 is also referred to as an access control program. The access control program is normally stored in the auxiliary storage device 902, and is loaded into the memory 903 and sequentially read and executed by the processor 901.
Further, the auxiliary storage device 902 also stores an OS (Operating System).
Then, at least a part of the OS is loaded into the memory 903, and the processor 901 executes a program that realizes the functions of each device of the access control system 600 while executing the OS.
In FIG. 3, one processor 901 is illustrated, but each device of the access control system 600 may include a plurality of processors 901.
Then, a plurality of processors 901 may execute a program that realizes the function of each device of the access control system 600 in cooperation with each other.
Further, information, data, signal values, and variable values indicating the processing results of each device of the access control system 600 are stored in the memory 903, the auxiliary storage device 902, or a register or cache memory in the processor 901.
A program that realizes the functions of each device of the access control system 600 is stored in a storage medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a Blu-ray (registered trademark) disk, or a DVD.

The function of each device in the access control system 600 may be provided by a “processing circuit”.
Further, “part” may be read as “circuit”, “process”, “procedure”, or “processing”.
“Circuit” and “processing circuitry” are not only a processor 901 but also other types of processing circuits such as logic IC or GA (Gate Array) or ASIC (Application Specific Integrated Circuit) or FPGA (Field-Programmable Gate Array). Is a concept that also includes

*** Explanation of operation ***
Next, an access control method of the access control system 600 according to the present embodiment and an access control process by the access control program will be described.
FIG. 4 is a sequence diagram showing the location information registration process S10 included in the access control process according to the present embodiment. The location information registration process S10 is a process for registering location information in the access control apparatus 300 in order for the user 60 to obtain authentication authorization for accessing the service providing apparatus 500 while away from home.
In step S <b> 11, the user 60 logs into the user authorization unit 110 of the mobile terminal device 100. The user authorization unit 110 acquires the user ID and credential information input from the user 60 and transmits them to the access control apparatus 300. Specifically, the credential information is a password. In addition to the password, the credential information may be biological information such as a fingerprint or an iris.

The configuration of user information 351 according to the present embodiment will be described with reference to FIG.
In the user information 351, information on users who use the application is registered. That is, the user registered in the user information 351 can use the access control system 600. In the user information 351, information such as a user ID, a user name, an organization code, an attribute (position), credential information, that is, a password, and a mobile terminal identifier for identifying a mobile terminal device carried by the user is registered.
In step S12, the authentication unit 360 of the access control apparatus 300 acquires the user ID and password, refers to the user information 351 using the user ID and password, and determines whether the user 60 can be authenticated.
In step S <b> 13, the authentication unit 360 transmits a determination result of authentication of the user 60 to the user authorization unit 110 of the mobile terminal device 100.

When the determination result transmitted from the access control device 300 is not authenticated, the user authorization unit 110 displays a message indicating that the login has failed on the display device of the mobile terminal device 100. If the determination result transmitted from the access control device 300 is authentic, the user authorization unit 110 acquires the location information of the mobile terminal device 100 in step S14. The position acquisition unit 111 displays on the display device a display for allowing the user 60 to input whether to permit acquisition of position information, and accepts permission to acquire position information from the user 60.
In step S <b> 15, when the position acquisition unit 111 receives permission to acquire position information from the user 60, the position acquisition unit 111 acquires position information of the mobile terminal device 100 using GPS, Wi-Fi, or a mobile base station.
In step S <b> 16, the location acquisition unit 111 transmits the user ID and location information to the access control device 300.
In step S17, the location information receiving unit 320 of the access control device 300 receives the user ID and the location information. The position information receiving unit 320 registers or updates the position information of the user 60 in the user position information 352 of the storage unit 350 based on the received user ID and position information.

The configuration of the user position information 352 according to the present embodiment will be described using FIG.
In the user position information 352, a user ID, position information, a final state update date and time, and a state are set. Specifically, the position information is longitude and latitude. The final state update date and time is the latest date and time when the position information related to the user ID is registered or updated. The state indicates whether the position information related to the user ID is logged in, valid, or invalid. The fact that the position information related to the user ID is valid means that the user has logged in at the position represented by the position information within a predetermined time from the current date and time. The location information related to the user ID is invalid means that a predetermined time or more has passed since the most recent date and time when the user logged in at the location represented by the location information.

Next, the authentication authorization request process S20 included in the access control process according to the present embodiment will be described with reference to FIG. The authentication authorization request process S20 is a process in which the user 60 requests authentication authorization for accessing the service providing apparatus 500 while away from home.
In step S <b> 21, the user 60 activates the browser of the information terminal device 200 and selects the URL of the application to be accessed.
In step S22, the browser of the information terminal device 200, that is, the browser function unit 210 transmits an application screen request to the service providing device 500 based on the URL of the selected application. The application screen request is an application use request 61.
In step S23, the service providing apparatus 500 accepts the usage request 61. Upon receiving the use request 61, the authentication cooperation function unit 510 of the service providing apparatus 500 transmits an authentication / authorization cooperation request 62 for requesting authentication of the user 60 and authorization of use of the application by the user 60 to the information terminal apparatus 200. To do.
The authentication authorization cooperation request 62 is a request for authenticating that the user 60 is a user registered in the access control system 600 and authorizing access to the application of the service providing apparatus 500.

In step S <b> 24, upon receiving the authentication / authorization cooperation request 62 from the service providing apparatus 500, the browser function unit 210 of the information terminal apparatus 200 transmits the authentication / authorization cooperation request 62 to the access control apparatus 300.
In step S <b> 25, the authentication / authorization cooperation function unit 370 of the access control apparatus 300 passes the authentication / authorization cooperation request 62 to the authentication unit 360.
In step S <b> 26, the authentication unit 360 transmits a user ID and credential information acquisition request to the information terminal device 200.
In step S27, the browser function unit 210 of the information terminal device 200 displays a user authentication screen for inputting a user ID and credential information on the display device.
In step S <b> 28, the browser function unit 210 of the information terminal device 200 acquires a user ID and credential information from the user 60.
In step S <b> 29, the browser function unit 210 of the information terminal device 200 transmits the user ID and credential information acquired from the user 60 to the access control device 300.
In step S210, the authentication unit 360 of the access control apparatus 300 refers to the user information 351 using the received user ID and credential information, and determines whether or not the user 60 can be authenticated.
In step S <b> 211, the authentication unit 360 outputs the authentication result to the authentication / authorization cooperation function unit 370.
In step S212, the authentication / authorization cooperation function unit 370 outputs the authorization request 63 to the authorization determination unit 340 that determines whether or not the user represented by the user ID is authorized to access the application. The authorization request 63 includes a user ID and an application URL. When the authorization determination unit 340 receives the authorization request 63, the authorization determination process S30 is started.

Next, the authorization determination process S30 included in the access control process according to the present embodiment will be described with reference to FIGS. 8 and 9 are flowcharts showing the authorization determination process S30.
In the authorization judgment process S30, the authorization judgment unit 340 receives an authentication authorization cooperation request 62 that requests authentication of the user 60 and authorization of use of the application by the user 60. And when the authorization judgment part 340 extracts the candidate of an approver as an approver candidate from the user information 351 based on the authorization policy information 354, and one of the approver candidates satisfies the approval condition, It is determined that authorization is possible.

In step S <b> 31, the authorization determination unit 340 refers to the user location information 352 using the user ID included in the authorization request 63 as a key, and acquires the location information of the user 60.
In step S <b> 32, the authorization determination unit 340 refers to the location registration information 353 using the location information as a key, and acquires location information corresponding to the location of the user 60.

The configuration of the location registration information 353 according to the present embodiment will be described using FIG.
In the location registration information 353, information such as location ID, location name, location classification, reference latitude, reference longitude, longitude range, latitude range, group ID, and address is set.
As a specific example, it is assumed that the user himself is “Taro Sato” with the user ID “USR001”. When the user ID included in the authorization request 63 is USR001, the authorization determination unit 340 refers to the user location information 352 using USR001 as a key, and acquires the latitude and longitude corresponding to USR001. Then, the authorization determination unit 340 refers to the location registration information 353 using the latitude and longitude corresponding to USR001 as keys, and acquires information on a line including the latitude and longitude corresponding to USR001 as location information.

  In step S <b> 33, the authorization determination unit 340 refers to the application information 356 and the application authorization information 355 using the application URL included in the authorization request 63 as a key, and acquires the row information corresponding to the application URL.

The configuration of the application information 356 and the application authorization information 355 will be described with reference to FIG. In the application information 356, an application ID, an application URL, and an application name are set in association with each other. Further, in the application authorization information 355, an application authorization ID, an application ID, an authorization use place classification, an authorization policy ID, and an authorization valid time are set.
As a specific example, when the URL of the application included in the authorization request 63 is the URL of the business application A, the authorization determination unit 340 refers to the application information 356 using this URL as a key, and the application ID “APP001 corresponding to this URL. Is obtained. Then, the authorization determination unit 340 refers to the application authorization information 355 using the application ID “APP001” as a key, and acquires information on a row corresponding to “APP001”. Specifically, the authorization determination unit 340 acquires information on the first line corresponding to the application ID “APP001”. At this time, the authorization policy ID is PLC001.

In step S34, the authorization determination unit 340 determines whether the location category of the location registration information 353 obtained from the user ID of the user is registered as the authorized usage location category of the application authorization information 355 obtained from the application ID. judge. When the location classification obtained from the user ID is registered as the authorized usage location classification obtained from the application ID, the authorization determination unit 340 proceeds to step S35.
If the location classification obtained from the user ID is not registered as the authorized usage location classification obtained from the application ID, the authorization determination unit 340 proceeds to step S3401. As illustrated in FIG. 7, in step S3401, the authorization determination unit 340 transmits error information indicating that authorization cannot be performed because the location is not permitted to the authentication authorization cooperation function unit 370. Then, the authentication / authorization cooperation function unit 370 transmits this error information to the information terminal device 200. The information terminal device 200 displays a screen representing this error information on the display device as an error screen. The error screen displayed on the display device indicates that the user 60 is not authorized to access the application because the location where the service providing device 500 is accessed is not permitted.

  In step S35, the authorization determination unit 340 refers to the authorization policy information 354 using the authorization policy ID acquired in step S33 as a key. The authorization determination unit 340 acquires information on the row corresponding to the authorization policy ID acquired in step S33.

The configuration of the authorization policy information 354 according to the present embodiment will be described using FIG.
In the authorization policy information 354, an authorization policy ID, a proximity user search condition ID, an authorization policy name, a proximity user range, a proximity user authorization condition, the number of proximity users, and a description are set in each row. The proximity user approval condition is an example of an approval condition of an approver who approves the use of the application. The proximity user range is a geographical range from the mobile terminal device, and is an example of an extraction condition for extracting an approver candidate from the user information 351. The proximity user search condition ID is also an example of an extraction condition for extracting an approver candidate from the user information 351. By referring to search condition information 357 described later using the proximity user search condition ID as a key, a detailed extraction condition for extracting an approver candidate from the user information 351 can be obtained. Here, the authorization policy information 354 and the search condition information 357 may be configured by one database. The search condition information 357 is also called proximity user search condition information.
As a specific example, when the authorization policy ID is PLC001, the authorization determination unit 340 refers to the authorization policy information 354 using the authorization policy ID “PLC001” as a key, and the first line corresponding to the authorization policy ID “PLC001”. Get information. At this time, the proximity user search condition ID is CND001.

  In step S36, the authorization determination unit 340 refers to the search condition information 357 using the proximity user search condition ID of the user authorization policy information 354 acquired in step S35 as a key. The authorization determination unit 340 acquires information on the row of the search condition information 357 corresponding to the proximity user search condition ID of the user authorization policy information 354 acquired in step S35.

The configuration of the search condition information 357 according to the present embodiment will be described using FIG.
In the search condition information 357, a proximity user search condition ID, a user attribute name, a user attribute value, an organization condition, and a description are set in each row. The user attribute name and the user attribute value are attributes of the user who uses the application, and are examples of extraction conditions for extracting the approver candidate from the user information 351.
As a specific example, when the proximity user search condition ID is CND001, the authorization determination unit 340 refers to the search condition information 357 using the proximity user search condition ID “CND001” as a key, and the proximity user search condition ID “ Information from the first line to the third line corresponding to “CND001” is acquired. At this time, the proximity user search conditions are the title “superior” or “proxy superior”, the organization code “not specified”, and the organization condition “present”. If the organization code is “not specified”, the organization code is the same as that of the user.

In step S37, the authorization determination unit 340 refers to the user information 351 based on the proximity user search condition corresponding to the proximity user search condition ID acquired in step S36. Based on the proximity user search condition acquired in step S36, the authorization determination unit 340 extracts a user that matches the proximity user search condition from the user information 351 as a proximity user candidate. The authorization determination unit 340 extracts, from the user information 351, a user that matches the user attribute name and the user attribute value, which are attributes included in the authorization policy information, as a nearby user candidate.
As a specific example, when the proximity user search condition is the title “superior” or “deputy supervisor”, the organization code “not specified”, and the organization condition “present”, the authorization determination unit 340 determines from the user information 351. , USR002 and USR003 that match the proximity user search condition are acquired. In the authorization determination unit 340, “Jiro Takahashi” of USR002 and “Hanako Yamada” of USR003 are extracted as candidates for proximity users. The proximity user candidate is an approver candidate 73 who approves the use of the application. That is, “Jiro Takahashi” of USR002 and “Hanako Yamada” of USR003 are extracted as approver candidates 73.

In step S <b> 38, the authorization determination unit 340 refers to the user position information 352 using the user ID of the proximity user candidate as a key, and acquires the position information of the proximity user candidate.
As a specific example, when “Jiro Takahashi” in USR002 and “Hanako Yamada” in USR003 are candidates for proximity users (approver candidate 73), the authorization determination unit 340 refers to the user location information 352 and changes to USR002. The corresponding second row and the third row corresponding to USR003 are acquired.

In step S <b> 39, the authorization determination unit 340 determines whether or not the difference between the “user's own location information” and the “location information of the proximity user candidate” is included in the proximity user range of the user authorization policy information 354. Calculate That is, the authorization determination unit 340 further extracts, from the user position information 352, users located in the proximity user range that is the geographical range included in the authorization policy information 354 as the approver candidate 73. Then, the authorization determination unit 340 sets proximity user candidates in the determination information 358.
From step S37 to step S39, the authorization determination unit 340 selects, from the user information 351, a user who is located in the geographical range included in the authorization policy information 354 and has an attribute included in the authorization policy information 354. 73 is extracted.

The configuration of the determination information 358 according to the present embodiment will be described using FIG.
The determination information 358 includes a determination ID, a user ID, a user name, a proximity user authorization condition, a proximity user ID, a proximity user name, a proximity status, a proximity login status, a request status, and a determination. As a result, an application name and an application URL are set.
As a specific example, when the user is “Taro Sato” of USR001, and “Jiro Takahashi” of USR002 and “Hanako Yamada” of USR003 are candidates for proximity users, the authorization determination unit 340 is shown in FIG. Each information is set in the determination information 358 as described above. At this time, even when the proximity user candidate status is invalid, the determination information 358 is set.

In step S <b> 310, the authorization determination unit 340 acquires the proximity user candidate to be processed from the determination information 358.
In step S <b> 311, the authorization determination unit 340 refers to the determination information 358 for the proximity user candidate to be processed, and whether the proximity user authorization condition is “login” and the login state is “login”. Determine. If the proximity user authorization condition is “login” and the login state is “login”, it means that the authorization condition of the proximity user is satisfied, and the authorization process is terminated. “If the proximity user authorization condition is“ login ”and the login state is other than“ login ”, the process advances to step S312.
That is, the authorization determination unit 340 determines whether there is an approver satisfying the approval condition among the approvers whose approval conditions are logged in from the list of approver candidates 73, and approves the approver satisfying the approval condition. Is determined to be possible. Here, a list of approver candidates 73 is registered in the determination information 358, and the determination in step S311 is performed using the determination information 358. However, even if the determination in step S311 is performed based on the state of the user position information 352 of the approver candidate 73 and the authorization policy derived from the URL of the application included in the use request 61 without registering in the determination information 358. Good.

In step S312, the authorization determination unit 340 calls the request unit 330 (step S312a) and causes the approval request selection process S40 to be executed.
The approval request selection process S40 is a process for displaying a list of candidates for nearby users on the mobile terminal device 100 of the user 60 and allowing the user 60 to select a person requesting approval. In the approval request selection process S40, the request unit 330 of the access control apparatus 300 displays a list of approver candidates 73 on the mobile terminal device 100 of the user 60, and the user 60 uses the application from the list of approver candidates 73. Select approver to approve.

FIG. 15 is a sequence diagram subsequent to FIG. 7, and is a sequence diagram of processing started after the authorization determination unit 340 receives the authorization request 63 (step S <b> 121).
In step S312a of FIG. 15, the authorization determination unit 340 causes the request unit 330 to execute the approval request selection process S40.
In step S <b> 401, the request unit 330 transmits a list screen display request for requesting display of a candidate list screen including a list of proximate user candidates to the mobile terminal device 100 of the user 60.
In step S <b> 402, upon receiving the list screen display request from the request unit 330, the approval request unit 112 of the mobile terminal device 100 displays a candidate list screen that is a list of candidates for nearby users on the display device of the mobile terminal device 100. Perform push notifications.
In step S403, when the user 60 who has received the push notification logs in to the user authorization unit 110, the approval request unit 112 displays a candidate list screen on the display device, and approves the user 60 from the candidate list screen. Encourage selection of nearby users to request. The proximity user selected by the user 60 is also referred to as a selection approver 60x.
In step S <b> 404, the approval request unit 112 transmits a proximity user selection notification including the user ID of the selection approver 60 x selected by the user 60 and the user ID of the user 60 to the access control apparatus 300.

In step S312b of FIG. 9, the request unit 330 of the access control apparatus 300 receives the proximity user selection notification. The proximity user selection notification can include information such as canceling the request to the proximity user without selecting an approver.
In step S313, the authorization determination unit 340 determines whether or not the proximity user selection notification includes information for canceling the request to the proximity user. If the proximity user selection notification is information for canceling the request to the proximity user, the process advances to step S3130. In step S3130, the authorization determination unit 340 transmits error information indicating that authorization cannot be performed because the request to the proximity user has been canceled to the authentication authorization cooperation function unit 370. Then, the authentication / authorization cooperation function unit 370 transmits this error information to the information terminal device 200. The information terminal device 200 displays a screen representing this error information on the display device as an error screen. From the error screen displayed on the display device, it can be seen that the user 60 was not authorized to access the application because the request to the proximity user was canceled. If the proximity user selection notification is not information for canceling the request to the proximity user, the process proceeds to step S314.

  In step S314, the authorization determination unit 340 calls the request unit 330 (step S314a) and causes the approval request process S50 to be executed. In the approval request process S50, the request unit 330 of the access control device 300 transmits an approval request for requesting the mobile terminal device 100 of the selection approver 60x for approval, with the approver selected by the user 60 as the selection approver 60x. To do. The approval request process S50 is a process for requesting approval from the selected proximity user.

In step S501 in FIG. 15, the request unit 330 sends an approval request 64 for requesting the mobile terminal device 100 of the selected proximity user to display an approval request screen requesting approval for access to the application of the user 60. Send.
In step S <b> 502, upon receiving the approval request 64 from the request unit 330, the approval request unit 112 of the selected nearby user's mobile terminal device 100 responds to access to the application of the user 60 on the display device of the mobile terminal device 100. Execute push notification that displays the approval request screen for requesting approval.
In step S503, when the proximity user who has received the push notification logs in to the user authorization unit 110, the approval request unit 112 displays an approval request screen on the display device. The proximity user who has received the push notification approves the access to the application of the user 60 using the approval request screen. Alternatively, the proximity user who has received the push notification may deny access to the application of the user 60 using the approval request screen.
In step S <b> 504, the approval request unit 112 transmits an approval result notification 65 including the user ID of the proximity user, the user ID of the user 60, and the approval result to the access control apparatus 300.

In step S314b of FIG. 9, the request unit 330 of the access control apparatus 300 receives the approval result notification 65.
In step S315, the authorization determination unit 340 determines whether the approval result notification 65 is approval or disapproval. If the approval result notification 65 is denied, the process proceeds to step S3150. In step S3150, the authorization determination unit 340 transmits error information indicating that authorization cannot be performed because the proximity user, that is, the selection approver 60x, has rejected the authentication authorization cooperation function unit 370. Then, the authentication / authorization cooperation function unit 370 transmits this error information to the information terminal device 200. The information terminal device 200 displays a screen representing this error information on the display device as an error screen. From the error screen displayed on the display device, it can be seen that the user 60 is not authorized to access the application because the user 60 is denied by the proximity user.
If the approval result notification 65 is approval, it means that the authorization condition of the proximity user is satisfied, so the authorization process is terminated. That is, the authorization determination unit 340 determines that authorization is possible when the approval result from the selection approver 60x has been approved.
Above, description of authorization determination process S30 is complete | finished.

In step S601 of FIG. 15, the authorization determination unit 340 transmits the authorization result of the authorization determination process S30 to the authentication / authorization cooperation function unit 370.
In step S602, the authentication authorization cooperation function unit 370 determines whether the authorization result is authorization. If not authorized, the process proceeds to step S603. In the case of authorization, the process proceeds to step S605.
In step S <b> 603, the authentication / authorization cooperation function unit 370 transmits a disapproval notification indicating that the approval result is disapproval to the information terminal device 200 of the user 60.
In step S604, the browser function unit 210 of the information terminal device 200 displays an unusable screen indicating that the application is unusable on the display device. At this time, the reason that the application cannot be used may be displayed together.

In step S605, the authentication authorization cooperation function unit 370 transmits an authentication authorization message indicating that the authorization result is authorization to the information terminal device 200 of the user 60.
In step S <b> 606, the browser function unit 210 of the information terminal device 200 transmits an authentication authorization message to the service providing device 500. That is, the browser function unit 210 redirects the authentication authorization message to the service providing apparatus 500.
In step S <b> 607, upon receiving the authentication authorization message, the authentication cooperation function unit 510 of the service providing apparatus 500 transmits application screen data and an authenticated session identifier to the information terminal apparatus 200.
In step S608, the browser function unit 210 of the information terminal device 200 displays an application screen on the display device.
As described above, the user 60 can perform processing for the application using the application screen.

*** Explanation of effects of this embodiment ***
In the access control system 600 according to the present embodiment, by using the user location information for authentication, control is performed so that the service can be used only with a predetermined access right at a predetermined location, and information leakage occurs. Can reduce the risk. Further, in the access control system 600 according to the present embodiment, even if the usage location is not registered in advance, the service can be used with the predetermined access right as long as the predetermined policy definition is satisfied. Control. Further, in the access control system 600 according to the present embodiment, it is possible to flexibly set policy definitions such as “when other users in the same group are logged in close to a certain number of people”. Therefore, according to the access control system 600 according to the present embodiment, it is possible to prevent a risk of intentional leakage of important information by an employee alone or an accident due to a single job at midnight.

In the first embodiment, each unit of each device of access control system 600 constitutes each device of access control system 600 as an independent functional block. However, the configuration of each device of the access control system 600 is not limited to the configuration described in the above embodiment. The functional blocks of each device of the access control system 600 are arbitrary as long as the functions described in the above-described embodiments can be realized. These functional blocks may be configured in any other combination or arbitrary block configuration to configure each device of the access control system 600.
Each device of the access control system 600 may be a system composed of a plurality of devices instead of a single device.

Although Embodiment 1 was described, you may implement combining several parts among this Embodiment. Alternatively, one part of this embodiment may be implemented. In addition, this embodiment may be implemented in any combination as a whole or in part.
The above-described embodiment is essentially a preferable example, and is not intended to limit the scope of the present invention, the scope of the application of the present invention, and the scope of use of the present invention. The embodiment described above can be variously modified as necessary.

  60 users, 60x selection approver, 61 use request, 62 authentication authorization linkage request, 63 authorization request, 64 approval request, 65 approval result notification, 73 approver candidate, 100 mobile terminal device, 110 user authorization unit, 111 position Acquisition unit, 112 Approval request unit, 113 User authentication unit, 200 Information terminal device, 210 Browser function unit, 300 Access control device, 310 Master information management unit, 320 Location information receiving unit, 330 Request unit, 340 Authorization determination unit, 350 Storage Unit, 351 User Information, 352 User Location Information, 353 Location Registration Information, 354 Authorization Policy Information, 355 Application Authorization Information, 356 Application Information, 357 Search Condition Information, 358 Judgment Information, 360 Authentication Unit, 370 Authentication Authorization Cooperation function unit, 400 network, 500 service providing device 510 Authentication Cooperation Function Unit, 520 Execution Unit, 600 Access Control System, 901 Processor, 902 Auxiliary Storage Device, 903 Memory, 904 Communication Device, 9041 Receiver, 9042 Transmitter, 905 Input Interface, 906 Display Interface, 911, 912 Cable, 907 Input device, 908 display device, 910 signal line, S10 position information registration processing, S20 authentication authorization request processing, S30 authorization determination processing, S40 approval request selection processing, S50 approval request processing.

Claims (8)

In an access control system having an information terminal device carried by a user, a service providing device for providing an application, and an access control device for controlling access to the application,
The service providing apparatus includes:
Upon receiving a usage request for requesting use of the application by the user from the information terminal device, an authentication authorization cooperation request for requesting authentication of the user and authorization for use of the application by the user is sent to the information terminal. It has an authentication cooperation function part that transmits to the device,
The information terminal device
Sending the authentication authorization cooperation request transmitted from the authentication cooperation function unit to the access control device,
The access control device
A storage unit that stores information of a user who uses the application as user information, and stores approval conditions of an approver who approves the use of the application as authorization policy information;
Based on the authorization policy information, an approver candidate is extracted from the user information as an approver candidate, and the approval is possible when any approver of the approver candidates satisfies the approval condition. An access control system including an authorization determination unit that determines that there is an access control system. The access control system includes:
A mobile terminal device carried by the user and having a mobile terminal device capable of acquiring location information;
The storage unit
Stores the location information of the user who uses the application as the user location information,
The authorization policy information includes a geographical range from the mobile terminal device as an extraction condition for extracting an approver candidate from the user information,
The authorization determination unit
The access control system according to claim 1, wherein a user who is located in the geographical range included in the authorization policy information is extracted as the authorizer candidate from the user position information. The user information includes an attribute of a user who uses the application,
The authorization policy information includes an attribute of a user who uses the application as the extraction condition,
The authorization determination unit
The access control according to claim 2, wherein a user who is located in the geographical range included in the authorization policy information and has an attribute included in the authorization policy information is extracted from the user information as the authorizer candidate. system. The access control device
The list of approver candidates is displayed on the user's mobile terminal device, and the user is allowed to select an approver who approves the use of the application from the list of approver candidates, and is selected by the user. 4. The access control system according to claim 2, further comprising: a request unit that transmits an approval request for requesting approval to the mobile terminal device of the selection approver with the approver as a selection approver. 5. The authorization determination unit
The access control system according to claim 4, wherein when the approval result from the selection approver is already approved, it is determined that the authorization is possible. The user location information includes a status of a user who uses the application,
The authorization policy information includes a state of a user who uses the application as the approval condition,
The authorization determination unit
In the list of approver candidates, it is determined whether there is an approver satisfying the approval condition among the approvers whose approval condition is in the login state, and approval can be performed for the approver satisfying the approval condition. The access control system according to claim 3 for determining. An information terminal device carried by a user, a service providing device that provides an application, and an access control device that controls access to the application, storing information about the user who uses the application as user information In an access control method for an access control system, the access control device includes a storage unit that stores approval conditions of an approver who approves the use of the application as authorization policy information.
When the service providing device receives a usage request for requesting the use of the application by the user from the information terminal device, the service authorization device requests authentication of the user and authorization for use of the application by the user. Sending a cooperation request to the information terminal device;
The information terminal device transmits the authentication authorization cooperation request transmitted from the service providing device to the access control device;
The access control device extracts an approver candidate as an approver candidate from the user information based on the authorization policy information, and when any approver of the approver candidates satisfies the approval condition. An access control method for determining that the authorization is possible. An access control device connected to an information terminal device carried by a user and a service providing device that provides an application, storing information about the user who uses the application as user information, and using the application In the access control program of the access control device provided with a storage unit that stores the approval condition of the approver who approves as approval policy information,
Upon receiving a usage request for requesting the use of the application by the user, an authentication / authorization cooperation request for requesting authentication of the user and authorization for use of the application by the user is received, and the authorization policy information Based on the above, the candidate of the approver is extracted as the approver candidate from the user information, and the approval is determined to be possible when any one of the approver candidates satisfies the approval condition An access control program that causes the access control device that is a computer to execute a determination process.

Images