JP2021135953A - Approval support device, authentication system, approval support method and program - Google Patents

Abstract

To provide an approval support device, an authentication system, an approval support method and an approval support program, which allow an approver to visually and easily grasp a range of confirmation items, in each stage of an approval flow.SOLUTION: An approval support device 300 comprises: a first acquiring part 310 for acquiring a whole numerical range indicating a range of authority required for executing a function; a second acquiring part 320 for acquiring a sum of a numerical range corresponding to each authority which is already approved by approval operation(s) performed by one or more users; a third acquiring part 330 for acquiring a numerical range indicating a range of authority of a user set for each user; and a presenting part 340 for presenting a sum of the numerical range corresponding to the authority which is approved already, to the whole numerical range, and the numerical range corresponding to the authority of the user performing the approval operation, by pattern data by which a relative ratio can be visually recognized, for every time when the approval operation is executed.SELECTED DRAWING: Figure 1

Description

The present invention relates to an approval support device, an approval support method, and an approval support program that provide a user interface associated with an authentication system.

Conventionally, in the authentication system in an organization, an approval flow via multiple approvers is defined for each function to be executed, and the user is authorized to execute the function only after the final approval is obtained (for example). , Patent Document 1).

Specifically, the conventional authentication system
・ Hold the organization as data of people with a tree structure,
・ Hold a part of the tree structure as a privileged group
-For each authority, hold one or more approval flows that combine the approval route that follows a tree-structured person to a specific hierarchy and the necessity of approval by a privileged group.
-When requesting authority, obtain approval from everyone who follows the specified approval flow.
By doing so, the authority is granted.

At the time of approval, a person who can approve in each route or privilege group confirms the required authority and the current approval status in the approval flow, and then approves or denies. Make a decision. By obtaining approvals in order according to this approval flow, authority is finally granted.

Japanese Unexamined Patent Publication No. 2004-246516

However, in the conventional authentication system, it is not possible to complete the approval when a person with a certain authority in the organization is absent, so it is necessary to introduce a new concept such as proxy. In addition, since it is difficult to create a special organizational structure, for example, in an authentication system in which an approval flow assuming a four-layer organization is set, when a new organization with only two layers is assumed, the existing approval is performed. The flow was not available and it was necessary to additionally set the approval flow for the second layer.

These issues are due to the fact that the approval flow must be changed due to changes in the tree structure because the conventional authentication system performs processing based on the tree structure data. That is, the more complex the tree structure, the more approval flows had to be set for the authentication system.

In addition, in such a complicated authentication system, the approver tries to approve in order to determine the authority for which the approval is to be given and whether the person to be granted is appropriate. It is necessary to pay attention to the situation at the time of approval, such as whether or not it has undergone a special approval flow that is different from the usual one. Furthermore, the approver needs to know what kind of confirmation was made by other approvers before he / she approves, whether he / she is the final approver, and so on.

For example, an approver approves as a superior of an organization, as a member of a privileged group, or on behalf of someone, but does not misidentify his or her position and authority on the system at the time of approval and give false approval. Therefore, it was necessary to carefully judge from the displayed login name or role name. Also, for example, an approver who has both an approval authority that only confirms the formal format and an approval authority that has full authority for emergencies can check the range of items to be confirmed depending on the difference in the approval flow that has passed. It should be noted that is different.
And, unless the approval flow is confirmed, it is not possible to grasp what kind of confirmation has been made so far. In order to approve without knowing the items to be confirmed so far, the approver must confirm all the items, which reduces the value of the authentication system that aims to share the approval work. Furthermore, if the approver is the final approver, the authority will be granted immediately after the approval, so it is necessary for the approver to understand that all necessary confirmations have been made.

As described above, due to the complexity of the conventional authentication system, the approver has to pay various attentions at the time of approval, which impairs the convenience of the system.
An object of the present invention is to provide an approval support device, an authentication system, an approval support method, and an approval support program that allow an approver to visually and easily grasp the scope of confirmation items at each stage of the approval flow.

The approval support device according to the present invention has a first acquisition unit that acquires an overall numerical range indicating the range of authority required to execute a function, and an authority that has already been approved in response to an approval operation of one or a plurality of users. The second acquisition unit for acquiring the sum of the corresponding numerical ranges, the third acquisition unit for acquiring the numerical range indicating the range of authority of the user set for each user, and the above-mentioned when the approval operation is performed. A presentation unit that presents the sum of the numerical ranges corresponding to the already approved authority and the numerical range corresponding to the authority of the user who performs the approval operation with respect to the entire numerical range in a visible graphic. And.

The presentation unit may indicate a numerical range by the length of the progress bar as the figure.

The presentation unit may indicate a numerical range by the area of the pie chart as the figure.

The presenting unit may list the figures for a plurality of functions that require approval.

The third acquisition unit is included in a numerical range as the range of authority of the user, and further acquires a basic approval range indicating the range of authority granted by the user by a normal approval operation, and the presentation unit is the present unit. Of the plurality of functions, the functions whose basic approval range includes a range continuous with the sum of the numerical ranges may be displayed in a list with priority.

The presenting unit may preferentially display a list of functions including a range in which the numerical range as the range of authority of the user is continuous with the sum of the numerical ranges, among the plurality of functions.

The presenting unit may emphasize and display the function that satisfies the entire numerical range by adding the numerical ranges as the range of authority of the user among the plurality of functions.

The approval support device may include a selection unit that accepts selection of an approval range indicating which range is approved among the numerical ranges as the range of authority of the user.

The third acquisition unit is included in the numerical range as the range of authority of the user, and further acquires the basic approval range indicating the range of authority granted by the user by a normal approval operation, and the selection unit is the selection unit. The basic approval range may be used as the initial value of the approval range.

The authentication system according to the present invention has an authority management unit that manages authority data in which a numerical range indicating the range of authority of the user is set for each user, and an overall numerical range that indicates the range of authority required to execute a function. On the other hand, when the sum of the numerical ranges corresponding to the privileges of the one or more users satisfies the entire numerical range in response to the approval operation of one or more users, the execution authority of the function is granted. The sum of the numerical range corresponding to the already approved authority and the numerical range corresponding to the authority of the user who performs the approval operation with respect to the entire numerical range at the time of the approval operation. It is provided with a display control unit that displays a relative ratio by a visible figure.

The approval support method according to the present invention is for each of the first acquisition step of acquiring the entire numerical range indicating the range of authority required to execute the function and the authority already approved according to the approval operation of one or a plurality of users. When the approval operation is performed, the second acquisition step of acquiring the sum of the corresponding numerical ranges, the third acquisition step of acquiring the numerical range indicating the range of authority of the user set for each user, and the approval operation are performed. Presenting the sum of the numerical ranges corresponding to the already approved authority and the numerical range corresponding to the authority of the user who performs the approval operation with respect to the entire numerical range by presenting the relative ratio by visible graphic data. Steps and are performed by the computer.

The approval support program according to the present invention is for operating a computer as the approval support device.

According to the present invention, the approver can easily visually grasp the range of confirmation items at each stage of the approval flow in the authentication system.

It is a figure which shows the functional structure of the authentication system in embodiment. It is a figure which illustrates the progress bar in embodiment. It is a figure which shows the display example of the progress bar in embodiment. It is a figure which shows the example of the list display of the progress bar in an embodiment. It is a figure which illustrates the method of selecting the approval range in an embodiment. It is a figure which shows the structure of the service provision system in 1st implementation example. It is a figure which shows the functional structure of the authentication apparatus in 1st implementation example. It is a figure which shows the functional structure of the service providing apparatus in 1st implementation example. It is a sequence diagram which shows the 1st processing procedure example of the service providing system in 1st implementation example. It is a sequence diagram which shows the 2nd processing procedure example of the service providing system in 1st implementation example. It is a figure which shows the functional structure of the authentication apparatus in 2nd implementation example. It is a sequence diagram which shows the processing procedure example of the service provision system in 2nd implementation example.

Hereinafter, an example of the embodiment of the present invention will be described.
The authentication system of the present embodiment manages the range of authority required for the function to be executed and the range of authority possessed by each user by a numerical range, and when the approver approves, the already approved range and the range to be approved from now on. Display a progress bar indicating the range.

Here, as a conventional authentication system that presents the progress status of the approval flow to the approver, there is one that displays the number of approvals required so far in the approval flow. For example, if 6 approvals are required and 3 approvals have already been made, half of the overall progress bar will be filled. Further, when the future approval range is indicated, for example, the range of 3/4 to 4/6 of the progress bar is filled as the future approval range.

However, in such a conventional authentication system, for example, in the case of an approver who has a 6-level organization and a 2-level organization at the same time, the progress bar is filled more in the 6-level organization. Is done. For this reason, the scope of authority to be exercised by oneself seems to be narrow, but in reality, the same attention may be paid to approval requests from any organization.
In addition, in a 6-level organization, an approval request that has been submitted as an emergency and has been approved only once under oneself is filled with the same range as the progress bar displayed in the approval request that has been submitted from a 2-level organization. However, in practice, different care must be taken.

In order to avoid such problems, measures such as displaying a marker or approver indicating the approval position on the progress bar or writing a written explanation can be considered, but in each case, the number of markers to read the characters is considered. It will increase the confirmation items required for the approver, such as confirming.

On the other hand, in the present embodiment, the approver can easily visually grasp the range of confirmation items by the following functional configuration.

FIG. 1 is a diagram showing a functional configuration of the authentication system 1 in the present embodiment.
The authentication system 1 is composed of one or a plurality of information processing devices (computers), and includes an authority management unit 100, an authority granting unit 200, and a display control unit 300.

The authority management unit 100 manages authority data in which a numerical range indicating the range of the user's authority is set for each user.
The numerical range is represented by, for example, two numerical values, and the magnitude of the authority is represented by the magnitude of the range.

The authorization unit 200 has a numerical range corresponding to each authorized user's authority according to the approval operation of one or a plurality of users with respect to the entire numerical range indicating the range of the authority required to execute the requested function. When the sum of is satisfied the whole numerical range, the requester is given the authority to execute this function.

When the approver performs the approval operation, the display control unit 300 relatives the sum of the numerical ranges corresponding to the already approved authority and the numerical range corresponding to the approver's authority to the entire numerical range. The ratio is displayed by a visible figure.
Specifically, the display control unit 300 indicates a numerical range by, for example, the length of the progress bar as a figure, but the figure is not limited to this. For example, the numerical range may be indicated by the area of a pie chart or the like.

FIG. 2 is a diagram illustrating a progress bar in the present embodiment.
The progress bar is a user interface for displaying one or more numerical ranges in the entire numerical range. For example, a horizontally long rectangle or a figure having a circular design or gradation at the end is used. Be done.

In this example, the already approved range and the range to be approved are displayed in different colors with respect to the entire numerical range. This allows the approver to see the current approval status and the scope of approval from now on with a single progress bar.

The display control unit 300 includes a first acquisition unit 310, a second acquisition unit 320, a third acquisition unit 330, a presentation unit 340, and a selection unit 350. The display control unit 300 may be provided as an independent information processing device (approval support device).

The first acquisition unit 310 acquires the entire numerical range indicating the range of authority required to execute the function. The entire numerical range may be managed in advance in association with the user's authority for each function.

The second acquisition unit 320 acquires the sum of the numerical ranges corresponding to the already approved privileges according to the approval operation of the approver.
The sum of the numerical ranges may be calculated by the authorization unit 200 and provided to the second acquisition unit 320, but the second acquisition unit 320 may calculate the sum based on the numerical range for each approver. good.

The third acquisition unit 330 acquires a numerical range indicating the range of the user's authority set for each user from the authority management unit 100.
Further, the third acquisition unit 330 may further acquire a basic approval range which is included in the numerical range as the range of the user's authority and indicates the range of the authority given by the user by the normal approval operation.

When the approval operation is performed, the presentation unit 340 presents the above-mentioned progress bar regarding the function for which approval is requested to the approver.
Specifically, for example, the terminal of the approver as the approval support device generates an image of the progress bar and displays it on the screen. Alternatively, the terminal of the approver may receive the display data from the presentation unit 340 of the approval support device and display it on the screen.

In the authentication system 1, the approver does not use different positions at the time of approval, and the authority to exercise can be visually grasped by the displayed "range of approval from now on". For example, when approving a wider range than usual, a wider range than usual is displayed on the progress bar.
In the authentication system 1, a plurality of approval flows are not distinguished, and the approver can visually grasp the range of required authority by the length of the progress bar. For example, the approver can visually grasp what kind of confirmation has been made by other approvers who have approved so far by the "already approved range" on the progress bar. In addition, it can be determined whether or not the approval is final based on whether or not the "range of approval from now on" reaches the right end of the progress bar.

FIG. 3 is a diagram showing a display example of the progress bar in the present embodiment.
The length of the progress bar indicates the "amount of approval required", and the total length is color-coded into "already approved range" A, "future approval range" B, and "residual approval range" C. Will be done.

Comparing (a1) and (a2), for example, according to the overall length of the progress bar, it can be seen that (a1) requires more approval.
In addition, depending on the positional relationship between the "range that has already been approved" and the "range to be approved from now on", for example, in (b1), oneself may approve next, and in (b2), oneself approves after another approval. I understand.
Also, depending on the relationship between the length of the "range to be approved from now on" and the length of the "residual approval range", for example, when comparing (c1) and (c2), (c2) needs to pay more attention. It turns out that there is. Furthermore, in (c3), caution as the final approver is required.

In addition, the presentation unit 340 may display a list of a plurality of corresponding progress bars vertically arranged for a plurality of functions (approved cases) requiring approval.
As a result, the approver can, for example, select a group of projects for which the same attention should be paid based on the "range of approval from now on" from all the projects that can be approved, and projects that require special approval different from the usual ones. Can be seen. Furthermore, further improvement in visibility can be expected by sorting according to the length of the "range to be approved from now on".

FIG. 4 is a diagram showing an example of displaying a list of progress bars in the present embodiment.
Here, a list of approval cases presented to an approver having the approval authority and the basic approval range shown in the authority data is illustrated.

The presentation unit 340 includes a plurality of functions to be displayed in a list, including the sum of the numerical ranges with respect to the approved authority, that is, the range continuous with the already approved range included in the basic approval range acquired by the third acquisition unit 330. The list is displayed with priority.
Specifically, the cases 5, 12, and 6 correspond to this, and the cases for which the basic approval range is approved are displayed with the highest priority.

Next, the presentation unit 340 preferentially displays a list of functions including a range in which the numerical range as the range of the user's authority is continuous with the range already approved, among the plurality of functions.
Specifically, cases 3 and 1 correspond to this, and cases that exceed the basic approval range and can approve a range that is continuous with the already approved range are preferentially displayed.

Further, the presentation unit 340 satisfies the entire numerical range by adding the numerical ranges as the range of the user's authority among the plurality of functions, that is, the function of completing the settlement with its own approval is emphasized and displayed. You may.
Specifically, the case 6 corresponds to this, and for example, the background color is displayed separately.

In addition, a case such as a case 10 whose basic approval range is not included in the range to be approved from now on, a case such as a case 4 and 2 which does not have continuous approval authority in a range already approved, a case 11 such as a case 11. , Items that you are not involved in approval may also be displayed.

By displaying such a list, for example, for a user who holds full authority such as the president, not all cases are always displayed, but cases that need to be approved with the minimum care. That is, the matter that approves only the basic approval range is displayed preferentially.
At this time, it is possible to search for a specific type of project, for example, a project for which approval is to be completed immediately using the authority of the president. In addition, it is also possible to approve a project in which the already approved range and the range to be approved are different from each other in advance.

The order of the list display may be changed according to the purpose, and by using each numerical range displayed on the progress bar and the above-mentioned basic approval range, a sort focusing on the precautions that the approver should pay. Is possible.

The selection unit 350 accepts the selection of the approval range indicating which range is approved among the numerical ranges as the range of the user's authority.
At this time, the selection unit 350 may use the above-mentioned basic approval range as the initial value of the approval range.

FIG. 5 is a diagram illustrating a method of selecting an approval range in the present embodiment.
In this example, the overall approval range is 0 to 1, and the already approved range is 0 to 0.4.
Here, the range that the approver can approve from now on is the unapproved range 0.4 to 0.9 among the numerical ranges corresponding to the authority of the approver.

Here, when the basic approval range, which is the default approval range, is 0.5 to 0.8, for example, a region of 0.4 to 0.5, a region of 0.5 to 0.8, or 0.8. The approval range may be specified by selecting (for example, clicking) one or more areas from the areas of ~ 0.9.
Further, the range from the start point to the end point of the approval range may be specified by dragging or the like. Alternatively, the approval range may be specified by moving the start point or end point of the basic approval range, which is the default approval range, within the approveable range by dragging or the like.

By providing the interface for selecting the approval range in this way, it becomes easy to select whether to approve only the basic approval range or the entire approvable range. In addition, since the basic approval range is selected by default, an additional operation is imposed only in the case of an approval operation different from the usual one, so that an erroneous operation is suppressed.

Next, service providing systems 1A (first implementation example) and 1B (second implementation example) will be described as implementation examples of the authentication system 1 in this embodiment.

[First implementation example]
FIG. 6 is a diagram showing a configuration of the service providing system 1A in the first implementation example.

The service providing system 1A is an authentication device 10 that authenticates the user and issues a token indicating the authority when using each function of the service to the user, confirms the user's authority by the token, and performs each function of the service by API. A service providing device 20 for providing to users is provided, and each is connected to a plurality of users (terminals) by communication.

When using a certain function, that is, API, the user A accesses the authentication device 10 and acquires an authorization token corresponding to the authority of the user A.
At this time, if the authority of the user A is insufficient to execute the API, for example, if the approval of another user B is required, the user A makes an approval request to the user B, and the user B requests approval. An approval token corresponding to the authority of user B is acquired from the authentication device 10 and transmitted to user A.
Then, the user A executes the API provided by the service providing device 20 with the authorization token and the authorization token.

The service providing device 20 has confirmed that the received authorization token and the authorization token are correct, and that the sum of the permissions of the token group satisfies the execution authority of the API in response to the request from the user A. Above, execute the API.

Here, the token group (authorization token or authorization token) issued by the authentication device 10 is given a numerical range indicating the scope of authority for each scope.
Traditional tokens
A character string is set in the scope, such as {id: "A", scope: "canSendMail"} + signature.
On the other hand, in this implementation example, a part of the numerical range of 0 to 1 (for example, 0 to 0.5) is set as the authority for the user A who does not have the complete execution authority. And the authorization token is
Two numerical values (0,0.5) are given to the scope, such as {id: "A", scope: ["canSendMail", 0,0.5]} + signature.

In addition, another user B
{Id: "B", scope: ["canSendMail", 0.5,1]} + If the user has the remaining authority (numerical range 0.5 to 1) such as signature, first, user A Execution plan data {mail data} was sent to user B, and user B restricted the execution target (plan) from the authorization token he had.
{Id: "B", scope: ["canSendMail", 0.5,1], plan: {mail data}} + Obtain an approval token such as a signature from the authentication device 10.

By using the authorization token of the user A and the authorization token received from the user B together, the total of the numerical range given to the scope becomes 0 to 1, and the function (API) corresponding to "canSendMail". Can be used.

FIG. 7 is a diagram showing a functional configuration of the authentication device 10 in the first mounting example.
The authentication device 10 is an information processing device (computer) such as a server device, and includes a control unit 11 and a storage unit 12, as well as various data input / output devices and communication devices.

The control unit 11 is a part that controls the entire authentication device 10, and realizes each function in this implementation example by appropriately reading and executing various programs stored in the storage unit 12. The control unit 11 may be a CPU.

The storage unit 12 is a storage area for programs and various data for making the hardware group function as the authentication device 10, and may be a ROM, RAM, flash memory, hard disk (HDD), or the like.

The control unit 11 includes an authorization management unit 111, an authorization token issuing unit 112, and an authorization token issuing unit 113.

The authority management unit 111 stores and manages the authority data in which the numerical range indicating the range of authority in the function (API) permitted to be used by the user is set in the storage unit 12. A plurality of authority data may be set for each user.
In addition, the scope character string and the numerical range are similarly stored for each function as the authority data required to execute each function.

for example,
-A user with the authority of the chief of staff can send an email.
-A user with employee authority can send an email only with the approval of the chief of staff regarding the content of the email.
・ All employees or section chiefs can only send emails with themselves as the sender.
For the condition, the authority is set as follows.
-For the API to send an email, ["canSendMail", [0.5, 1]]
・ For Chief B, [“canSendMail”, 0,1]
・ For employee A, [“canSendMail”, 0,0.5]

In this way, the authority data includes a character string and two numerical values in an identifiable form.
The two numerical values included in the authority data indicate a numerical range, and may be, for example, a start point and an end point of the numerical range, but are not limited to this, and are limited to the size of the start point and the range, or the end point and the range. It may be the size or the like. Hereinafter, the two numerical values will be described as assuming that they are the start point and the end point of the range. For example, given 0.1 and 0.5, it indicates a numerical range of 0.1 to 0.5.

The authorization token issuing unit 112 authenticates the user and issues an authorization token associated with a part or all of the authority data of the first user to the authenticated first user.
As the authentication method, for example, password authentication, common key authentication, two-step authentication, bioauthentication, proxy authentication by OpenID Connect, authentication by tokens issued from other authentication systems, etc. can be applied, but these are limited. I can't.

The specific data of the authorization token issued to the user A is described in the following format, for example.
{
id: "A",
scope: ["canSendMail", [0,0.5]]
}, Signature // Signature of authentication device 10

The approval token issuing unit 113 authenticates the user, and for the second user who approves the execution plan data of the function by the first user, the approval token associated with a part or all of the authority data of the second user. Is issued.
As the authentication method, the same method as the authorization token issuing unit 112 can be applied, and further, the authentication may be performed by the authorization token issued by the authorization token issuing unit 112.

Further, the approval token issuing unit 113 issues an approval token associated with the specified authority data when any of the authority data of the user is specified by the user.

The execution plan data and the authority data transmitted from the first user A to the second user B are described in, for example, in the following format.
{API: "sendmail", from: "A", title: "hello", content: "hello world"} // Execution plan data ["canSendMail", [0,0.5]] // Authority data

The authorization token issued to the second user B is, for example,
{
id: "B",
scope: [“canSendMail”, [0,1]]
}, signature // The approval token issued by presenting the execution plan data, which is the signature of the authentication device 10, is, for example,
{
id: "B",
scope: [“canSendMail”, [0,1]]
plan: {api: "sendmail", from: "A", title: "hello", content: "hello world"}
}, Signature // Described as the signature of the authentication device 10.

The authorization data and the authorization token or the authorization token are associated with each other by, for example, one of the following methods.
-Permission data is included in the token data.
-When issuing a token, it is managed in association with the authority data by a database or the like.
In this implementation example, permission data is included in the token data.

The authorization token and the authorization token may be configured to be distinguishable from each other by being given an identifier.
Further, it can be verified that the authorization token and the authorization token are issued by the authentication device 10 by, for example, the following verification method.
-Verification by digital signature-Verification by collating the token with the database-Verification by collating the hash value of the token with the database-Verification using API that performs any of the above

FIG. 8 is a diagram showing a functional configuration of the service providing device 20 in the first implementation example.
The service providing device 20 is an information processing device (computer) such as a server device, and includes a control unit 21 and a storage unit 22, as well as various data input / output devices and communication devices.

The control unit 21 is a part that controls the entire service providing device 20, and realizes each function in this implementation example by appropriately reading and executing various programs stored in the storage unit 12. The control unit 11 may be a CPU.

The storage unit 12 is a storage area for programs and various data for making the hardware group function as the service providing device 20, and may be a ROM, RAM, flash memory, hard disk (HDD), or the like.

The control unit 21 includes a token receiving unit 211 and a function providing unit 212.

The token receiving unit 211 receives the authorization token issued to the first user authenticated by the authentication device 10 and the second user who approves the execution plan data of the function (API) by the first user. The issued authorization token is received from the first user together with the function execution request.

The function providing unit 212 provides the function to the first user when the sum of the authorization token received from the first user and the numerical range associated with each of the authorization tokens includes a predetermined range.
As described above, the predetermined range is a numerical range (for example, 0 to 1) set in the authority data for each function (API).

Here, the sum of the numerical ranges indicates a set of the minimum numerical ranges including all of the plurality of target numerical ranges. For example, by adding the numerical range of 0 to 0.5 and the numerical range of 0.3 to 0.7, a numerical range of 0 to 0.7 can be obtained. Further, by adding the numerical range of 0 to 0.1 and the numerical range of 0.8 to 0.9, a set of two numerical ranges of 0 to 0.1 and 0.8 to 0.9 is obtained.
When the addition of the numerical range of the token group includes the numerical range set in the authority data of the function (API), the use of the function is permitted.

FIG. 9 is a sequence diagram showing a first processing procedure example of the service providing system 1A in the first implementation example.
In this example, a case where the employee A uses the API for sending an e-mail with the approval of the section chief B will be described.

In step S1, the employee A (terminal) acquires an authorization token associated with the authorization data A1 (for example, [“canSendMail”, [0,0.5]]) for the mail transmission function from the authentication device 10.

In step S2, the employee A generates execution plan data X having an email title, an email destination, an email body, and the like necessary for executing the API for transmitting the email.
In step S3, the employee A transmits the execution plan data X and the authority data A1 to the section chief B (terminal).

In step S4, the section chief B confirms the contents of the execution plan data X and the authority data A1.
In step S5, the section chief B acquires the execution plan data X and the approval token associated with the authority data B1 set for the section chief B from the authentication device 10.
In step S6, the chief B sends the approval token to the employee A.

In step S7, the employee A grants the authorization token and the authorization token, and calls the API for transmitting the e-mail provided by the service providing device 20.

In step S8, the service providing device 20 confirms that the authority data A1 and the authority data B1 include "canSendMail" as a character string of the scope.

In step S9, the service providing device 20 has the mail title, the mail destination, the mail body, etc. specified at the time of executing the API, and the mail title, the mail destination, the mail body, etc. of the execution plan data linked to the approval token. Make sure they are equal.

In step S10, the service providing device 20 adds up the numerical ranges indicated by the two numerical values [0,0.5] of the authority data A1 and the two numerical values [0,1] of the authority data B1 [0, Confirm that the numerical range indicated by 1] includes the numerical range indicated by the two numerical values [0,1] of the authority data set in the API for sending the mail.

In step S11, the service providing device 20 verifies the authorization token and the signature given to the authorization token, and executes the function of transmitting an email.

FIG. 10 is a sequence diagram showing a second processing procedure example of the service providing system 1A in the first implementation example.
In this example, a case where the user A uses the target API with the approval of a plurality of users U1 to Un will be described.

In step S21, the user A (terminal) acquires the authorization token K associated with the authorization data for the target API from the authentication device 10.
In step S22, the user A generates execution plan data X necessary for executing the target API.

In step S23, the user A transmits the permission data Kd used for executing the target API and the execution plan data X among the permission data set by the user A to the users U1 to Un (terminals).
The data transmission to the users U1 to Un may be performed all at once, but the user A first transmits the data to some users Ux, waits for the approval token described later to be returned, and then returns the data. The authority data Kd and the execution plan data X may be transmitted to another user Uy together with one or more approval tokens.

In step S24, the users U1 to Un confirm the contents of Kd, X, and the approval token group, respectively, and link them to the execution plan data X and the authority data set for themselves from the authentication device 10. Acquire approval tokens K1 to Kn.
In step S25, the users U1 to Un transmit the approval tokens K1 to Kn acquired by each of the users U1 to Kn to the user A.

In step S26, the user A grants the authorization token K and the authorization tokens K1 to Kn and calls the target API.

In step S27, the service providing device 20 confirms that the granted authorization token K is one.
In step S28, the service providing device 20 verifies the validity of the granted authorization token K and all the authorization tokens K1 to Kn, and confirms the result.

In step S29, the service providing device 20 acquires all the authorization data associated with the granted authorization token K and all the authorization tokens K1 to Kn.
In step S30, the service providing device 20 acquires all the execution plan data X associated with all the granted approval tokens K1 to Kn.

In step S31, the service providing device 20 confirms that all the acquired authority data includes a character string equal to the scope character string included in the authority data set in the target API.

In step S32, the service providing device 20 confirms that all of the execution plan data X are targeted for the requested contents of the called API.
This confirmation method is, for example, one of the following (1) to (3).

(1) When the format of the execution plan data X is all or part of the telegram to be input when using the API, the service providing device 20 uses all or part of the telegram actually transmitted to the target API. Is equal to the execution plan data X.
When a part of the telegram is used, which part of the telegram is used as the execution plan data X (for example, HTTP Request data in the case of HTTP) shall be determined in advance for each API or as a whole. ..

(2) When the format of the execution plan data X is such that some or all the arguments required when using the API are encoded by a method such as JSON or XML, the service providing device 20 specifies the execution plan data X. Make sure that some or all of the arguments given are equal to the values actually specified for the API of interest.
The encoding method shall be determined in advance. In addition, when a part of the arguments is used, which argument is to be confirmed (for example, PHAT, header, QueryString, POSTDATA, etc. in the case of HTTP) shall be determined in advance for each API or as a whole. At this time, the service providing device 20 confirms that the value is equal to the specified value by predetermining that a regular expression, a wildcard, a numerical range, etc. can be used as an argument to be specified in the execution plan data X. Alternatively, matching by regular expressions, wildcards, numeric ranges, etc. may be performed.

(3) When the format of the execution plan data X is a character string or a value (for example, "ALL", "*", a numerical value 1, etc.) indicating that API execution by any argument is permitted, the service providing device 20 Can be confirmed regardless of the content of the request to the target API.

In step S33, in the service providing device 20, the sum of the numerical ranges indicated by the two numerical values of all the authority data includes the numerical range indicated by the two numerical values set in the target API. Make sure that.

In step S34, the service providing device 20 permits the execution of the function provided by the target API when all the items can be confirmed.
When the service providing device 20 is used in combination with the authority management of another system, in this step, instead of determining that it is executable, it is made executable within the range set in advance in the scope, and the confirmation result of the other authority is obtained. You may judge whether or not it can be executed together with.

[Second implementation example]
In the first implementation example, the approval token is issued to the second user who is the approver and is provided to the first user who executes the API. On the other hand, in the second implementation example, the authorization token is directly issued from the authentication device 10 to the first user.
In this implementation example, the same reference numerals are given to the same configurations as those in the first implementation example, and the description thereof will be omitted or simplified.

FIG. 11 is a diagram showing a functional configuration of the authentication device 10 in the second mounting example.
The control unit 11 of the authentication device 10 includes an authority management unit 111, an authorization token issuing unit 112, an authorization token issuing unit 113a, and a user determination unit 114.
Compared with the first implementation example, the approval token issuing unit 113a has been changed, and the user determination unit 114 has been added.

In response to the request from the first user, the user determination unit 114 determines the second user for which the authority data for adding the numerical range to include the predetermined range is set.
At this time, the user determination unit 114 may determine, for example, the minimum number of second users required to satisfy the condition, or a plurality of second users who can approve the same numerical range. It may be decided more than once.
Further, the user determination unit 14 may determine the second user by the designation from the first user.

The approval token issuing unit issues an approval token associated with the authority data of the second user to the first user in response to a request from the second user determined by the user determination unit 14.

FIG. 12 is a sequence diagram showing an example of a processing procedure of the service providing system 1B in the second implementation example.
In this example, as in the first implementation example (FIG. 9), a case where the employee A uses the API for sending an e-mail with the approval of the section chief B will be described.

In step S41, the employee A (terminal) acquires an authorization token associated with the authorization data A1 (for example, [“canSendMail”, [0,0.5]]) for the mail transmission function from the authentication device 10.

In step S42, the employee A generates execution plan data X having an email title, an email destination, an email body, and the like necessary for executing the API for transmitting the email.
In step S43, the employee A transmits the execution plan data X and the authority data A1 to the authentication device 10.

In step S44, the authentication device 10 does not have enough numerical range [0,0.5] received from employee A in order to satisfy the numerical range [0,1] set in the authority data for "canSendMail" [0,0.5]. 0.5, 1] is included, that is, the chief B is determined as the second user who has the approval authority.

In step S45, the authentication device 10 transmits the execution plan data X and the authority data A1 to the chief B (terminal) who is the determined second user, and requests the approval of the execution plan data X.

In step S46, the section chief B confirms the contents of the execution plan data X and the authority data A1.
In step S47, the section chief B notifies the authentication device 10 that the execution plan data X has been approved.

In step S48, the authentication device 10 generates an approval token associated with the execution plan data X and the authority data B1 set for the section chief B, and transmits the approval token to the employee A.

In step S49, the employee A grants the authorization token and the authorization token, and calls the API for transmitting the mail provided by the service providing device 20.
After that, the service providing device 20 performs the same processing (steps S8 to S11) as in the first implementation example, and executes the mail transmission function.

In the above-mentioned implementation example, the function to be managed by the authority is described as being provided by API, but the implementation form is not limited to this.

Communication between the user's terminals may be direct communication, but is not limited to this. For example, communication may be performed via the authentication device 10, or a communication server may be separately provided.

Regarding the process of determining whether or not the function can be executed, the authentication device 10 may provide an API that returns a confirmation result from one or more token groups, and the service providing device 20 may call this API to obtain the confirmation result.

Further, although the service providing device 20 can verify the token group by inquiring to the authentication device 10, the authorization token and the authorization token may be verified without inquiring to the authentication device 10. In this case, common key information is set in advance between the authentication device 10 and the service providing device 20.

The service providing device 20 has been described as a configuration that accepts a plurality of tokens, but the present invention is not limited to this.
For example, in the case of compatibility with an existing configuration that accepts one token, a configuration in which tokens having a plurality of tokens as an array may be transmitted from the user to the service providing device 20 may be used. In this case, after the array of tokens is passed to the authentication device 10 and expanded, the authentication device 10 confirms the numerical range of the scope and returns the result to the service providing device 20.

The authentication device 10 and the service providing device 20 may be an integrated device. Further, the functional units of each device may be distributed and arranged in a plurality of devices.

Although the embodiments of the present invention have been described above, the present invention is not limited to the above-described embodiments. Moreover, the effects described in the above-described embodiments are merely a list of the most preferable effects arising from the present invention, and the effects according to the present invention are not limited to those described in the embodiments.

The approval support method by the authentication system 1 is realized by software. When realized by software, the programs that make up this software are installed in the information processing device (computer). Further, these programs may be recorded on a removable medium such as a CD-ROM and distributed to the user, or may be distributed by being downloaded to the user's computer via a network. Further, these programs may be provided to the user's computer as a Web service via a network without being downloaded.

1 Authentication system 100 Authority management unit 200 Authority granting unit 300 Display control unit (approval support device)
310 1st acquisition unit 320 2nd acquisition unit 330 3rd acquisition unit 340 Presentation unit 350 Selection unit

Claims (12)

The first acquisition unit that acquires the entire numerical range that indicates the range of authority required to execute the function, and
A second acquisition unit that acquires the sum of the numerical ranges corresponding to each of the privileges already approved in response to the approval operation of one or more users, and
A third acquisition unit that acquires a numerical range that indicates the range of authority of the user, which is set for each user.
When the approval operation is performed, the sum of the numerical ranges corresponding to the already approved authority and the numerical range corresponding to the authority of the user who performs the approval operation are calculated as a relative ratio to the entire numerical range. An approval support device including a presentation unit that presents by a visible figure. The approval support device according to claim 1, wherein the presentation unit indicates a numerical range by the length of the progress bar as the figure. The approval support device according to claim 1, wherein the presentation unit indicates a numerical range in the area of a pie chart as the figure. The approval support device according to any one of claims 1 to 3, wherein the presentation unit displays a list of the figures for a plurality of functions requiring approval. The third acquisition unit is included in the numerical range as the range of authority of the user, and further acquires the basic approval range indicating the range of authority granted by the user by a normal approval operation.
The approval support device according to claim 4, wherein the presenting unit preferentially displays a list of functions in which the basic approval range includes a range continuous with the sum of the numerical ranges among the plurality of functions. According to claim 4 or 5, the presenting unit preferentially displays a list of functions including a range in which the numerical range as the range of authority of the user is continuous with the sum of the numerical ranges among the plurality of functions. The described approval support device. Any of claims 4 to 6, wherein the presenting unit emphasizes and displays a function that satisfies the entire numerical range by adding the numerical ranges as the range of authority of the user among the plurality of functions. Approval support device described in Crab. The approval support device according to any one of claims 1 to 7, further comprising a selection unit that accepts selection of an approval range indicating which range is approved among the numerical ranges as the range of authority of the user. The third acquisition unit is included in the numerical range as the range of authority of the user, and further acquires the basic approval range indicating the range of authority granted by the user by a normal approval operation.
The approval support device according to claim 8, wherein the selection unit sets the basic approval range as an initial value of the approval range. An authority management unit that manages authority data for which a numerical range indicating the range of authority of the user is set for each user,
The sum of the numerical ranges corresponding to the privileges of each of the one or more users, depending on the approval operation of one or more users, is the total numerical value with respect to the total numerical range indicating the range of authority required to execute the function. When the range is satisfied, the authorization section that grants the execution authority of the function and the authorization section
At the time of the approval operation, the relative ratio of the sum of the numerical ranges corresponding to the already approved authority and the numerical range corresponding to the authority of the user who performs the approval operation is visually recognized with respect to the entire numerical range. An authentication system including a display control unit that displays by possible figures. The first acquisition step to acquire the entire numerical range that indicates the range of permissions required to execute the function,
The second acquisition step of acquiring the sum of the numerical ranges corresponding to each of the privileges already approved according to the approval operation of one or more users, and
The third acquisition step of acquiring the numerical range indicating the range of authority of the user set for each user, and
When the approval operation is performed, the sum of the numerical ranges corresponding to the already approved authority and the numerical range corresponding to the authority of the user who performs the approval operation are calculated as a relative ratio to the entire numerical range. An approval support method in which a computer executes a presentation step presented by visible graphic data. An approval support program for operating a computer as the approval support device according to any one of claims 2 to 9.

Images