JP2022003591A - Device, method, and program for affiliation management - Google Patents

Abstract

To provide a device, a method, and a program for job sharing authorization, which enable authorization of sharing between regions of jobs performed by operators through communication between dedicated administrators who can access only specific regions.SOLUTION: According to an embodiment, job sharing is authorized in a sharing destination region by a source operator when a destination administrator belonging to the sharing destination region accepts the source operator, belonging to a sharing source region, set by a source administrator belonging to the sharing source region.SELECTED DRAWING: Figure 11

Description

The present invention relates to a job sharing permission device, a job sharing permission method, and a job sharing permission program.

In Patent Document 1, in a computer system that is hierarchically managed and used by a plurality of users, the administrator who is entrusted with the management of the access authority of the lower system does not require registration permission for the user and the system administrator. Discloses an access right management system that does not allow access to the relevant lower system (see paragraph 0001, etc.). Also disclosed in Patent Document 2 is an access control system in which access to resources such as digital content or digital services is provided only in accordance with the corresponding permissions that can be represented, for example, in the form of a digital license or certificate. (See paragraph 0001, etc.).

Japanese Unexamined Patent Publication No. 2000-76194 Japanese Unexamined Patent Publication No. 2006-254464

In such a field of managing system access and system security, for example, an operator belonging to the area of company 1 can use not only the job of company 1 but also the job of the area of company 2. When it is desired to make settings (job sharing settings between areas), conventionally, an administrator (general manager) who can access both company 1 and company 2 has had to make the sharing settings.

However, there is a problem that it is not preferable in some cases from the viewpoint of security that an administrator can access the entire area in this way. In addition, there is a problem that the mechanism becomes complicated in the operation of allowing a certain administrator to access the entire area and make the shared setting.

Therefore, it is possible to access only by the communication between the managers who narrowed the accessible range, that is, in the above example, only the manager who can access only the company 1 (the full-time manager of the company 1) and the company 2. I want the operator belonging to company 1 to be able to perform the job of company 2 only by exchanging with the dedicated manager (dedicated manager of company 2) (that is, to be able to share between the areas of the job). Although there was a request (I want to), it has not been realized in the past.

The present invention has been made in view of the above, and permits sharing of jobs performed by an operator between areas by exchanging information between dedicated managers who are managers who can access only a specific area. It provides a job sharing permission device, a job sharing permission method, and a job sharing permission program that can be used.

In order to solve the above-mentioned problems and achieve the object, the job sharing permission device according to the present invention includes a control unit and is a shared destination area by a former operator who is an operator belonging to the original area which is the shared source area. A job sharing permission device that permits sharing of jobs in the destination area, and the control unit transfers the former operator set by the former administrator who is an administrator belonging to the former area to the destination area. It is characterized by providing a sharing permission means for permitting the sharing of the job in the destination area by the former operator when the destination administrator who is the belonging administrator accepts the job.

Further, the job sharing permission device according to the present invention further includes a storage unit, and the storage unit includes original operator identification information for identifying the original operator and the original operator identification information as information set by the original administrator. User-shared information including a destination area identification information for identifying a destination area and a completion category which is a category indicating that acceptance of the former operator has been completed, and a user group identification information and an area for identifying a user group. User group information including the area identification information for identification is stored, and the sharing permission means refers to the user sharing information and acquires the destination area identification information having the completion category. The area acquisition means, the first user group acquisition means for acquiring the user group identification information associated with the destination area identification information acquired by the destination area acquisition means by referring to the user group information, and the first user group acquisition. It is characterized by including a storage means for storing the user group identification information acquired by the means and the original operator identification information included in the user shared information in the user group affiliation information.

Further, in the job sharing permission device according to the present invention, the storage unit contains the job use authority information including the user group identification information and the job group identification information for identifying the job group, and the job group identification information. Job group affiliation information including job identification information for identifying a job is further stored, and the control unit refers to the user group affiliation information and associates with the input original operator identification information. A job for acquiring the job group identification information associated with the user group identification information acquired by the second user group acquisition means by referring to the second user group acquisition means for acquiring the user group identification information and the job use authority information. It is further provided with a group acquisition means and a job acquisition means for acquiring job identification information associated with the job group identification information acquired by the job group acquisition means by referring to the job group affiliation information. ..

Further, in the job sharing permission device according to the present invention, the storage unit contains the administrator identification information for identifying the administrator, the operator identification information for identifying the operator, and the area identification information for identifying the area. The user information including the above is further stored, the control unit further includes a setting control means for controlling the setting and cancellation of the setting of the former operator by the former administrator, and the setting control means includes the user information. The first administrator area acquisition means for acquiring the area identification information associated with the input administrator identification information, and the operator identification information set by the former administrator with reference to the user information. Whether or not the operator area acquisition means for acquiring the associated area identification information, the area identification information acquired by the first administrator area acquisition means, and the area identification information acquired by the operator area acquisition means are the same. It is characterized in that it is provided with a setting determination means for determining.

Further, in the job sharing permission device according to the present invention, user information including an administrator identification information for identifying an administrator and an area identification information for identifying an area is further stored in the storage unit. The control unit further includes acceptance control means for controlling acceptance and cancellation of the former operator by the destination administrator, and the acceptance control means is an input administrator with reference to the user information. The second administrator area acquisition means for acquiring the area identification information associated with the identification information, the area identification information acquired by the second administrator area acquisition means, and the user shared information set by the former administrator. It is characterized by comprising an acceptance determination means for determining whether or not the included destination area identification information is the same.

Further, the job sharing permission method according to the present invention is executed by an information processing apparatus including a control unit, and is a destination area that is a sharing destination area by a former operator who is an operator belonging to the original area that is the sharing source area. It is a job sharing permission method for permitting job sharing, and the former operator set by the former administrator who is the administrator belonging to the former area, which is executed by the control unit, belongs to the destination area. It is characterized by including a sharing permission step that permits the sharing of the job in the destination area by the former operator when accepted by the destination administrator who is the administrator.

Further, the job sharing permission program according to the present invention is a destination area which is a sharing destination area by a former operator who is an operator belonging to the original area which is a sharing source area for execution by an information processing apparatus including a control unit. The former operator set by the former administrator who is the administrator belonging to the former area to be executed by the control unit, which is a job sharing permission program for permitting the sharing of the jobs of the above, is set in the destination area. It is characterized by including a sharing permission step that permits the sharing of the job in the destination area by the former operator when the destination administrator who is the belonging administrator accepts the job.

According to the present invention, there is an effect that sharing between areas of a job performed by an operator can be permitted by exchanging between dedicated managers who are managers who can access only a specific area.

FIG. 1 is a block diagram showing an example of the configuration of a job sharing permission device. FIG. 2 is a diagram showing the classification of the business list performed by the system administrator. FIG. 3 is a diagram showing the types of users. FIG. 4 is an image diagram of a system configuration in conventional security management. FIG. 5 is an operation assumption diagram in security management for an organization having an ASP type configuration. FIG. 6 is an image diagram of a system configuration in security management for an organization having an ASP type configuration. FIG. 7 is an operation assumption diagram in security management for an organization having a parent company-subsidiary structure. FIG. 8 is an image diagram of a system configuration in security management for an organization having a parent company-subsidiary configuration. FIG. 9 is an operation assumption diagram in security management for an organization having a parent company-subsidiary-subsidiary company configuration. FIG. 10 is an operation assumption diagram in security management for an organization in which a plurality of parent companies and subsidiaries are arranged side by side. FIG. 11 is an image diagram of the dual-role operator setting. FIG. 12 is a table diagram showing a flow of processing when setting a dual-role operator. FIG. 13 is an image diagram showing the operation contents and operation range of the general manager and the full-time manager. FIG. 14 is a diagram showing an implementation plan of an audit and usage status management system job. FIG. 15 is an image diagram of a reference range when a user search for a business job is executed. FIG. 16 is a diagram showing an example of a security reflection target table. FIG. 17 is a diagram showing an example of company-specific security reflection processing when the reflection source table (setting data) is user group affiliation information and the reflection destination table (reflection data) is user group affiliation reflection information. FIG. 18 is a diagram showing an example of security reflection processing by company when the reflection source table (setting data) is the login authority information for each area and the reflection destination table (reflection data) is the login authority reflection information for each area. be. FIG. 19 is a diagram showing security version control. FIG. 20 is a diagram showing an example of data configuration in area information. FIG. 21 is a diagram showing an example of data configuration in user information, user group information, and user group affiliation information. FIG. 22 is a diagram showing an example of data configuration in job information, job group information, and job group affiliation information. FIG. 23 is a diagram showing an example of data configuration in the area login authority information, the job use authority information, and the user sharing information. FIG. 24 is a diagram showing an example of data configuration in the business system information in the area. FIG. 25 is a diagram showing an example of the login authentication process and the area login authority determination process in the present embodiment. FIG. 26 is a diagram showing an example of the available job determination process in the present embodiment. FIG. 27 is a diagram showing an example of output data obtained by the available job determination process in the present embodiment. FIG. 28 is a diagram showing an example of a common operation (belonging area ID specifying process) in the security setting process in the present embodiment. FIG. 29 is a diagram showing an example of user registration processing (update processing, reference processing, and deletion processing of existing users) in the present embodiment. FIG. 30 is a diagram showing an example of a user registration process (additional process of a new user) in the present embodiment. FIG. 31 is a diagram showing an example of a user group registration process (update process, reference process, and delete process of an existing user group) in the present embodiment. FIG. 32 is a diagram showing an example of a user group registration process (addition process of a new user group) in the present embodiment. FIG. 33 is a diagram showing an example of the user group affiliation registration process (reference process, deletion process, and additional process) in the present embodiment. FIG. 34 is a diagram showing an example of job group registration processing (existing job group update processing, reference processing, and deletion processing) in the present embodiment. FIG. 35 is a diagram showing an example of a job group registration process (additional process of a new job group) in the present embodiment. FIG. 36 is a diagram showing an example of job group affiliation registration processing (reference processing, deletion processing, and additional processing) in the present embodiment. FIG. 37 is a diagram showing an example of the area login authority registration process (reference process, deletion process, and additional process) in the present embodiment. FIG. 38 is a diagram showing an example of job use authority registration processing (reference processing, deletion processing, and additional processing) in the present embodiment. FIG. 39 is a diagram showing an example of a user sharing setting process (shared process) in the present embodiment. FIG. 40 is a diagram showing an example of a user sharing setting process (sharing release process) in the present embodiment. FIG. 41 is a diagram showing an example of a user sharing setting process (shared acceptance process) in the present embodiment. FIG. 42 is a diagram showing an example of a user sharing setting process (shared acceptance cancellation process) in the present embodiment. FIG. 43 is a diagram showing an example of a user sharing setting process (transfer process) in the present embodiment.

Hereinafter, embodiments of the job sharing permission device, the job sharing permission method, and the job sharing permission program according to the present invention will be described in detail with reference to the drawings. The present invention is not limited to this embodiment.

[1. Overview]
Conventionally, the system administrator who manages accounts has the authority to view and modify all user information, and there is no mechanism that allows the administrator to manage (restrict) the manageable area (manageable area). rice field. In addition, it is not possible to jointly set and manage "users who have login authority across multiple areas" only by the administrators of the multiple areas without permitting operations other than the administrators of the multiple areas. was difficult.

Further, normally, the work of the system administrator is roughly classified into three types as shown in FIGS. 2A to 2C. In the past (current situation), one administrator had the authority of the entire system for all the tasks (A) to (C). Here, since the work (A) is a work related to the control of the entire system, the authority of the entire system is required as before, but the work (B) and (C) are exclusively managed in FIG. As shown at the time of human operation, there was a request to distinguish the scope of authority between the general manager and the individual company full-time manager, but it could not be realized.

Therefore, in the present embodiment, when the manageable area (company in charge, etc.) of the system account and the system security administrator is restricted, the access of the administrator to information other than the manageable area is restricted. , Provide a mechanism that enables the administrator to appropriately manage only users in the area having access authority. That is, in the present embodiment, management by an administrator (dedicated administrator) who narrows the operable range is possible.

As a result, for example, the following effects 1 to 3 are produced.
1. 1. It is now possible to set (restrict) manageable areas (company, etc.) for system account and system security administrators.
2. 2. The administrator whose manageable area is limited can only set the access right of his / her own area.
3. 3. When a user account can log in to multiple areas, we have realized a mechanism that allows the same account to be shared only between administrators in the multiple areas.
Hereinafter, a specific configuration and operation will be described.

[2. composition]
The configuration of the job sharing permission device 100 according to the present embodiment will be described with reference to FIG. FIG. 1 is a block diagram showing an example of the configuration of the job sharing permission device 100.

The job sharing permission device 100 is a commercially available desktop personal computer. The job sharing permission device 100 is not limited to a stationary information processing device such as a desktop personal computer, but is a portable notebook personal computer, a PDA (Personal Digital Assistants), a smartphone, a tablet personal computer, or the like on the market. It may be a type information processing device.

As shown in FIG. 1, the job sharing permission device 100 includes a control unit 102, a communication interface unit 104, a storage unit 106, and an input / output interface unit 108. Each part of the job sharing permission device 100 is communicably connected via an arbitrary communication path.

The communication interface unit 104 connects the job sharing permission device 100 to the network 300 so as to be communicable via a communication device such as a router and a wired or wireless communication line such as a dedicated line. The communication interface unit 104 has a function of communicating data with another device via a communication line. Here, the network 300 has a function of connecting the job sharing permission device 100 and the server 200 so as to be able to communicate with each other, and is, for example, the Internet, a LAN (Local Area Network), or the like. The data stored in the storage unit 106, which will be described later, may be stored in the server 200.

An input device 112 and an output device 114 are connected to the input / output interface unit 108. As the output device 114, a speaker or a printer can be used in addition to a monitor (including a home television). As the input device 112, a keyboard, a mouse, and a microphone, as well as a monitor that cooperates with the mouse to realize a pointing device function can be used. In the following, the output device 114 may be referred to as a monitor 114 as a display unit, and the input device 112 may be described as a keyboard 112 or a mouse 112.

Various databases, tables, files, and the like are stored in the storage unit 106. In the storage unit 106, a computer program for giving an instruction to a CPU (Central Processing Unit) in cooperation with an OS (Operating System) to perform various processes is recorded. As the storage unit 106, for example, a memory device such as a RAM (Random Access Memory) / ROM (Read Only Memory), a fixed disk device such as a hard disk, a flexible disk, an optical disk, or the like can be used.

The storage unit 106 may use, for example, the area information 106a, the user information 106b, the user group information 106c, the user group affiliation information 106d, the job information 106e, the job group information 106f, the job group affiliation information 106g, and the area login. It includes authority information 106h, job use authority information 106i, user sharing information 106j, and intra-regional business system information 106k.

In the following description of the area information 106a to the business system information in the area 106k, the expressions in parentheses are specific examples of each information, and for example, when the area identification information (area ID and area name) is described, the area is described. It means that, for example, a region ID, a region name, and the like can be given as specific examples of the identification information. The figure shows a specific example.

The area information 106a is a table that manages IDs and names that identify areas to be managed. As shown in FIG. 20, the area information 106a includes, for example, area identification information (area ID and area name) for identifying an area. The area is not particularly limited, and examples thereof include a company and a group company in which a plurality of companies are grouped together. The area defined by the area ID = 0 is a special area for setting the environment (system control setting and system security management). On the other hand, the area defined by the area ID ≠ 0 is an area for which the environment setting is not performed and is a management target area.

The user information 106b is a table that manages an ID and a name that uniquely identifies a user. As shown in FIG. 21, the user information 106b includes, for example, user identification information (user ID and user name) for identifying a user, area identification information (belonging area ID), a password, and the like. The types of users include an administrator (managing side) who mainly sets and manages the system and an operator (managed side) who performs only specific business jobs. Further, as the type of the administrator, there are an overall administrator who can manage the entire area and a dedicated administrator (administrator for each area) who belongs to a specific area and can manage only the specific area. Therefore, the user identification information includes, for example, the administrator identification information for identifying the administrator (in FIG. 21, for example, Manager1 which is the user ID of the entire administrator, Area1Manager1 which is the user ID of the full-time administrator, and the like. ) And operator identification information for identifying the operator (for example, Area1Operater1 which is the user ID of the operator in FIG. 21) and the like. The user defined by the belonging area ID = <NULL> is a user who does not belong to any area and can refer to the entire system. On the other hand, the user defined by the area ID ≠ <NULL> is a user for each area belonging to a specific area.

The user group information 106c is a table that manages units for grouping users. As shown in FIG. 21, the user group information 106c contains, for example, user group identification information (user group ID and user group name) for identifying a user group, user group type, area identification information (belonging area ID), and the like. include. The user group types include "1: general administrator" which is a type corresponding to the user group of the general administrator, "2: administrator by area" which is a type corresponding to the user group of the dedicated administrator, and "2: administrator by area". There is "3: General by area" which is a type corresponding to the user group of the operator. The user group defined by the belonging area = 0 is a special group that can operate the area of the environment setting. On the other hand, the user group defined by the affiliation area ≠ 0 is an area-specific group belonging to the management area.

The user group affiliation information 106d is a table for managing users who belong to the user group. As shown in FIG. 21, the user group affiliation information 106d includes, for example, user group identification information (user group ID), user identification information (user ID), and the like. The administrator of the entire system shown by MA1 in FIG. 21 belongs to the group of the user group type "1: general administrator", and the administrator dedicated to each area shown by MA2 in FIG. 21 belongs to the user group type "2: area". The operator who belongs to the group of "separate administrator" and is dedicated to each area shown in MA3 in FIG. 21 belongs to the group of user group type "3: general by area". It is also possible for one user to belong to (concurrently serve) a plurality of user groups.

The job information 106e is a table that manages information on a program (job) to be executed. As shown in FIG. 22, the job information 106e includes, for example, job identification information (job ID) for identifying a job, a job type, and the like. As the job type, "1: overall control" (shown by MA4 in FIG. 22), which is a type corresponding to an important program (a program that can be operated only by the overall administrator) that controls the basis of the system, and system usage authority are used. The type corresponding to the program to be operated (program that can be operated only by the general administrator and the administrator for each area) "2: Security management" (shown by MA5 in Fig. 22) and the type corresponding to the business program used by general operators. "3: General by region" (shown by MA6 in FIG. 22) and the like exist.

The job group information 106f is a table that manages units for grouping jobs. As shown in FIG. 22, the job group information 106f contains, for example, job group identification information (job group ID and job group name) for identifying a job group, job group type, area identification information (belonging area ID), and the like. include. The job group defined by the belonging area = 0 is a special group that can operate the area of the environment setting. On the other hand, the job group defined by the affiliation area ≠ 0 is an area-specific group belonging to the management area.

The job group affiliation information 106g is a table for managing jobs belonging to the job group. As shown in FIG. 22, the job group affiliation information 106g includes, for example, job group identification information (job group ID), job identification information (job ID), and the like. The system control job shown by MA7 in FIG. 22 belongs to the group of job group type "1: overall control", and the security management job shown by MA8 in FIG. 22 belongs to the job group type "2: security management". The general job for each area shown by MA9 in FIG. 22 belongs to the group of the job group type "3: General for each area".

The area login authority information 106h is a table that manages which area each user group can operate (log in to which area). As shown in FIG. 23, the area login authority information 106h includes, for example, area identification information (area ID and area name), user group identification information (user group ID), and the like. As shown by MA10 in FIG. 23, the general manager and the full-time manager can operate the area of the environment setting. On the other hand, as shown by MA11 in FIG. 23, the operator of each area can operate only the area recognized by himself / herself.

The job usage authority information 106i is a table that manages which job group in which area each user group can operate (start). As shown in FIG. 23, the job use authority information 106i includes, for example, area identification information (area ID and area name), user group identification information (user group ID), job group identification information (job group ID), and the like. As shown by MA12 in FIG. 23, the general administrator can perform operations related to overall control and security management, and as shown by MA13 in FIG. 23, the area-specific manager can perform operations related to security management. On the other hand, as shown by MA14 in FIG. 23, the operator in each area can operate only the jobs belonging to the job group in each area.

The user sharing information 106j is a table that manages settings for sharing a user among administrators in a plurality of areas. As shown in FIG. 23, the user sharing information 106j is, for example, information set by a former administrator who is an administrator who belongs to the original area which is a sharing source area, and is an operator who belongs to the original area. Former operator identification information (user ID) for identifying an operator, destination area identification information for identifying a destination area to be shared (shared destination area ID), and an administrator belonging to the destination area of the former operator. An incomplete category (acceptance status = incomplete), which indicates that acceptance by a certain destination administrator has not been completed, and a completion category, which indicates that acceptance by the destination administrator of the former operator has been completed (acceptance status = incomplete). Acceptance status = completed) etc. are included. For details, see [4. Specific example of the process], the prior manager can accept the former operator by updating the incomplete category to the completed category. The operator whose acceptance status is completed can refer to it from the administrator of the shared destination area ID associated with the completion. On the other hand, the operator whose acceptance status is incomplete cannot be referred to by the administrator until the administrator of the shared destination area ID associated with the incomplete accepts the operator.

The intra-regional business system information 106k is various business data for each region, and is a table that manages IDs that identify areas to be managed and various attributes. As shown in FIG. 24, the intra-regional business system information 106k includes, for example, region identification information (region ID) and the like. Since the intra-regional business system information 106k shown in FIG. 24 assumes general management target data, it is not specified except for the region ID.

The control unit 102 is a CPU or the like that collectively controls the job sharing permission device 100. The control unit 102 has an internal memory for storing a control program such as an OS, a program that defines various processing procedures, required data, and the like, and performs various information processing based on these stored programs. Run.

The control unit 102 functionally conceptually means, for example, (1) the former operator set by the former administrator who is the administrator belonging to the former area, and the former administrator who is the administrator belonging to the destination area. Accepts, the sharing permission unit 102a as a sharing permission means for permitting the sharing of the job in the destination area by the former operator, and (2) the destination having the completion category with reference to the user sharing information. User group identification information associated with the destination area identification information acquired by the destination area acquisition means by referring to the destination area acquisition unit 102a1 as the destination area acquisition means for acquiring the area identification information and (3) the user group information. The first user group acquisition unit 102a2 as the first user group acquisition means for acquiring the above, and (4) the user group identification information acquired by the first user group acquisition means and the original operator identification information included in the user sharing information. 102a3 as a storage means for storing the user group affiliation information, and (5) the second user group identification information associated with the input original operator identification information by referring to the user group affiliation information. With reference to the second user group acquisition unit 102b as the user group acquisition means and (6) the job use authority information, the job group identification information associated with the user group identification information acquired by the second user group acquisition means can be obtained. A job that acquires job identification information associated with the job group identification information acquired by the job group acquisition means by referring to the job group acquisition unit 102c as the job group acquisition means to be acquired and (7) the job group affiliation information. Refer to the job acquisition unit 102d as the acquisition means, (8) the setting control unit 102e as the setting control means for controlling the setting and cancellation of the setting of the former operator by the former administrator, and (9) the user information. , The first administrator area acquisition unit 102e1 as the first administrator area acquisition means for acquiring the area identification information associated with the input administrator identification information, and (10) the original management with reference to the user information. The operator area acquisition unit 102e2 as an operator area acquisition means for acquiring the area identification information associated with the operator identification information set by the person, (11) the area identification information acquired by the first administrator area acquisition means, and the above. The setting determination unit 102e3 as a setting determination means for determining whether or not the area identification information acquired by the operator area acquisition means is the same, and (12) the above. The acceptance control unit 102f as an acceptance control means for controlling the acceptance and cancellation of the former operator by the prior administrator, and (13) the area identification information associated with the input administrator identification information by referring to the user information. The second administrator area acquisition unit 102f1 as the second administrator area acquisition means for acquiring the above, (14) the area identification information acquired by the second administrator area acquisition means, and the area identification information set by the former administrator. It is provided with an acceptance determination unit 102f2 as an acceptance determination means for determining whether or not the destination area identification information included in the user shared information is the same. For details of the processing executed by each part, see the following [4. Specific example of processing] will be described.

[3. Outline of processing]
Hereinafter, the outline of the process according to the present embodiment will be described. In this item, first, the mode of security management will be explained, then the outline of the job sharing operation will be explained, and finally, the security reflection by company will be explained.

[3-1. Security management mode]
In this item, the mode of security management will be described with reference to FIGS. 3 to 11.

First, the three types of users (company-wide user, full-time user, and concurrent user) appearing in FIGS. 4 and 4 will be described with reference to FIG. The classification of users is described in [2. As explained in [Configuration], there is a classification focusing on its own role (classification divided into the system administrator who manages it and the operator who manages it), but it is within the range of areas (company) that can be operated. There is also a classification that focuses on. Specifically, as shown in FIG. 3, the users are defined as a user who has access right to the entire system (company-wide user), a user who has access right to only one specific company (dedicated user), and a specific plurality of companies. It is a classification divided into users who have access rights (concurrent users).

Next, a conventional security management mode (a mode in which a dedicated administrator does not exist) will be described with reference to FIG. As shown in FIG. 4, in the past, both the company-specific administrator function (a function of providing a dedicated administrator who can access only a specific company) and the intercompany user sharing function (a function of sharing an operator between companies) are invalid. Met. Further, in the past, the mode of security management has been the following operations 1 to 3.
1. 1. The system administrator was able to manage the security of the entire system.
2. 2. The system administrator had the authority to refer to and update the company settings on the environment setting menu even when the roles of the person in charge for each company were divided.
3. 3. The system administrator could give the business operator login authority to one company or any number of companies as needed.

Next, as a first example of the mode of security management (a mode in which a dedicated manager exists) in this embodiment, regarding the mode of security management (complete vertical division management for each company) for an organization having an ASP type configuration. This will be described with reference to FIGS. 5 and 6. In this mode, the company-specific administrator function is valid (the company-specific administrator is independent), and the inter-company user sharing function is invalid (there is no user sharing between companies). In addition, in this mode, the mode of security management shall be the following operations 1-9. The arrows in FIG. 5 indicate the presence or absence of a controlling relationship between companies, the vertical arrows in FIG. 6 indicate the range that can be operated by the administrator, and the horizontal arrows in FIG. 6 indicate the range that can be operated by the operator. Shows the range.
1. 1. The system administrator who maintains the environment can manage the security of the entire system.
2. 2. There is no business connection between the management companies (in the case of group companies that fall under this mode, consolidated accounting may be used, but the consolidated company is also independent).
3. 3. The security manager of each company (that is, the dedicated manager) can manage the security only for his own company.
4. Business operators of each company can only log in to their own company.
5. There are no concurrent security managers or business operators who operate across companies.
6. The relationship between the security administrator and the company subject to security settings is 1: 1.
7. The relationship between the business operator and the company to which the business operator can log in is 1: 1.
8. If there are exceptional security managers who can manage multiple companies, different IDs for each company shall be prepared and used properly.
9. If there is an operator transfer or secondment between holding companies or affiliated companies, the security management shown in the next paragraph will be used.

Next, as a second example of the mode of security management (a mode in which a full-time manager exists) in this embodiment, regarding the mode of security management (management in a business holding company, etc.) for an organization having a parent company-subsidiary type configuration. , 7 and 8 will be described. In this mode, the company-specific administrator function is valid (the company-specific administrator is independent), and the inter-company user sharing function is invalid (there is no user sharing between companies). In addition, in this mode, the mode of security management shall be the following operations 1-9. The arrows in FIG. 7 indicate the presence or absence of a controlling relationship between companies, the vertical arrows in FIG. 8 indicate the range that can be operated by the administrator, and the horizontal arrows in FIG. 8 indicate the range that can be operated by the operator. Shows the range.
1. 1. The system administrator who maintains the environment is an employee of the parent company and can manage the security of the entire system.
2. 2. In this mode, because there is a controlling relationship with the subsidiary of the parent company, the employee of the parent company may have the business approval authority of the subsidiary.
3. 3. The security manager of a subsidiary can manage security only for his own company.
4. Subsidiary business operators can only log in to their own company.
5. The concurrent security managers and business operators who operate across companies are employees of the parent company and have company-wide authority.
6. The relationship between the security administrator of the parent company (parent company system administrator in FIG. 8) and the security setting target company is 1: ALL.
7. The relationship between the business operator of the parent company (company-wide dual-role operator in FIG. 8) and the company to which the business operator can log in is 1: ALL.
8. The relationship between the security manager of the subsidiary (dedicated manager in Fig. 8) and the company subject to security setting is 1: 1.
9. The relationship between the business operator of the subsidiary (dedicated operator in FIG. 8) and the company to which the business operator can log in is 1: 1.

Next, as a third example of the security management mode (a mode in which a full-time manager exists) in this embodiment, security management for an organization having a parent company-subsidiary-subsidiary company structure (when an intermediate holding company exists) The mode of management) will be described with reference to FIG. In this mode, the company-specific administrator function is enabled, and the intercompany user sharing function is also enabled (that is, the company-specific managers cooperate with each other and user sharing occurs). In addition, in this mode, the mode of security management shall be the following operations 1 to 13. The arrows in FIG. 9 indicate the presence or absence of a controlling relationship between the companies.
1. 1. The parent company's system administrator is an employee of the parent company and can manage the security of the company and its subsidiaries directly.
2. 2. In this mode, because there is a controlling relationship with the subsidiary of the parent company, the employee of the parent company may have the business approval authority of the subsidiary.
3. 3. A subsidiary's system administrator is an employee of the subsidiary and can manage the security of the company and its subsidiary companies.
4. In this mode, because there is a controlling relationship with the subsidiary company's subsidiary company, the subsidiary employee may have the business approval authority of the subsidiary company.
5. The security manager of the grandchild company can manage the security only for his own company.
6. Business operators of sub-company can only log in to their own company.
7. Only the security administrator for environmental maintenance has the authority to operate across companies, and does not use it in actual operation.
8. The relationship between the security manager of the parent company (the manager of company A in FIG. 9) and the company subject to security setting is 1: m (m is a natural number).
9. The relationship between the business operator of the parent company (operator of company A in FIG. 9) and the company to which the business operator can log in is 1: m (m is a natural number).
10. The relationship between the security manager of the subsidiary (manager of company C in FIG. 9) and the company subject to security setting is 1: n (n is a natural number).
11. The relationship between the business operator of the subsidiary (the operator of company C in FIG. 9) and the company to which the business operator can log in is 1: n (n is a natural number).
12. The relationship between the security managers of the subsidiary companies (managers of companies D and E in FIG. 9) and the security setting target companies is 1: 1.
13. The relationship between the business operators of the subsidiary companies (operators of companies D and E in FIG. 9) and the companies to which the business operators can log in is 1: 1.

Next, as a fourth example of the security management mode (a mode in which a full-time manager exists) in the present embodiment, FIG. 10 is used to describe the security management mode for an organization in which a plurality of parent companies and subsidiaries are arranged side by side. explain. In this mode, the company-specific administrator function is enabled, and the intercompany user sharing function is also enabled (that is, the company-specific managers cooperate with each other and user sharing occurs). In addition, in this mode, the mode of security management shall be the following operations 1-5. The arrows in FIG. 10 indicate the presence or absence of a controlling relationship between the companies.
1. 1. The parent company's system administrator is an employee of the parent company and can manage the security of the company and its subsidiaries directly.
2. 2. In this mode, because there is a controlling relationship with the subsidiary of the parent company, the employee of the parent company may have the business approval authority of the subsidiary.
3. 3. The security manager of a subsidiary can manage security only for his own company.
4. Subsidiary business operators can only log in to their own company.
5. To the extent that the parent company straddles different affiliated companies, the security administrator does not have security management authority, and the operator does not have login authority.

Here, in the third example and the fourth example, a procedure for setting a dual-role operator capable of operating jobs of a plurality of companies (that is, a procedure for sharing a job) will be described with reference to FIG. .. The vertical arrow in FIG. 11 indicates the range that can be operated by the administrator, and the horizontal arrow in FIG. 11 indicates the range that can be operated by the operator. Further, in the present embodiment, the administrator (concurrent administrator) who can set the security of a specific plurality of companies is not set. This is because even the administrator of the parent company does not know all the composition of the security group of the subsidiary and the composition of the user, and if a concurrent administrator is set, the security dedicated to the subsidiary can be changed. This is because the authority is too loose.

The dual-role operator is set according to steps 1 to 3 below. For example, if the operator belonging to company A in FIG. 11 wants to concurrently serve as company B,
1. 1. First, as shown by the arrow in (1) of FIG. 11, the full-time manager of company A creates a full-time operator of company A.
2. 2. Next, as shown by the arrow in (2) of FIG. 11, the full-time manager of company A discloses the created full-time operator of company A to company B.
3. 3. Finally, as shown by the arrow in (3) of FIG. 11, the full-time manager of company B determines whether the open full-time operator of company A can be accepted, and if it is possible, accepts it. As a result, the full-time operator belonging to company A becomes a dual-role operator belonging to both company A and company B.
Although detailed description is omitted, as shown in FIG. 11, the setting for the full-time operator belonging to company C to concurrently serve as company D and company E is also performed by the same procedure as in steps 1 to 3 above. Can be done.

[3-2. Outline of job sharing operation]
In this item, the outline of the job sharing operation will be described with reference to FIGS. 12 to 15.

First, the meanings of the terms used in the tables (A) to (J) of FIG. 12 will be described. The affiliated company NO is a company NO indicating that the company is exclusively assigned to a specific company, and the system administrator having the affiliated company NO is a user who has the same affiliated company NO or public company NO as his own affiliated company NO. And can only handle groups. The public company NO is the company NO of the public destination to publish the user when the administrator of the company other than the company NO to which the user belongs is also allowed to maintain, and multiple public company NOs must be specified. Is possible. The public acceptance status turns ON (completed) when the system administrator of the public destination company accepts the user who has the public destination company NO, and as a result, the user can use the job of the public destination company.

The procedure until job sharing is performed will be described with reference to the tables (A) to (J) of FIG.

First, as shown in the table (A) of FIG. 12, the system administrator who has the full right without the affiliated company NO attribute can refer to and update all the objects (targets) as before, and the user's You can browse and set the company NO attribute. In addition, the system administrator who has the full right can give the user a company number to which the user belongs, which means that the user is dedicated to a specific company. For example, in the table (B) of FIG. 12, the system administrator having full authority creates a full-time administrator of the company 100 by giving the affiliated company NO100 to a certain user, and also to another user. By giving the affiliated company NO200, a full-time administrator of the company 200 is created.

Users and groups created by the administrator given the affiliated company number automatically take over the affiliated company NO of the administrator who is the creator, and only the company of the affiliated company NO can perform security management and jobs. .. For example, an administrator given the affiliated company NO100 (shown in Table (C) of FIG. 12) can create a company 100 manager 2 and a company 100 operator, but the created company 100 manager 2 and The company 100 operator automatically takes over the affiliated company NO100 as shown in the table (D) of FIG. As a result, the company 100 manager 2 can only manage the security of the company of the affiliated company NO100, and the company 100 operator can only perform the job of the company of the affiliated company NO100. Become. Since it is the same as this, detailed description will be omitted, but as shown in Tables (E) and (F) of FIG. 12, the managers given the affiliated company NO200 are the company 200 manager 2 and the company. 200 operators can be created.

An administrator who has been given a company number can assign a public company number to an operator who has the same company number. For example, if the company 100 manager having the affiliated company NO100 wants to disclose the company 100 operator having the affiliated company NO100 to the company 200 and the company 300, the company 100 manager becomes the company 100 operator in the table (G) of FIG. On the other hand, the public company NO200 and the public company NO300 are assigned to prepare the table (H) of FIG. Unless the public acceptance status in Table (H) of FIG. 12 changes from "not yet" to "completed", that is, the operator with the public company NO is not activated by the acceptance of the administrator with the public company number. As long as the public company manager cannot refer to the operator who has the public company NO.

An administrator who has a company number to which the company belongs can accept an operator published to his company from another company and complete the public acceptance status. For example, if a company 200 manager (shown in Table (I) of FIG. 12) who has a company No. 200 wants to accept a company 100 operator published from company 100 to company 200, which is his company, the figure is shown in the figure. As shown in Table (J) of 12, the public acceptance status of the public company NO200 of the company 100 operator may be updated from "not yet" to "completed".

In this way, the company 100 operator, who is an operator belonging to the company 100, can perform not only the job of the company 100 but also the job of the company 200, and the sharing of the job is completed.

As described above, the operation contents and the operation contents that can be performed by the system administrator (general administrator) who has full authority without the affiliated company NO attribute and the system administrator (dedicated administrator) who has the affiliated company NO attribute explained in this item [3-2]. An image diagram summarizing the range of operations is shown in FIG. Regarding the operations performed by the general manager and the full-time manager, the following points 1 to 4 exist.

1. 1. When assigning an administrator who can set security for each company, the timing to reflect the setting result also differs for each company. The method of reflecting security for each company will be described in detail in the following item [3-3].
2. 2. The system administrator (general administrator) can perform all operations. If the administrator (dedicated administrator) of the company 100 cannot refer to the authority setting made to the company 100 by the system administrator (general administrator) as well as the authority setting made to the company 100, the whole I can't see. The manager of the company 100 (dedicated manager) needs to be able to operate the environment setting menu so that the number of managers of the same company 100 can be increased by himself / herself. It is necessary to clarify the operations that can be performed by the administrator of each company in the environment setting menu.
3. 3. The implementation plan of the audit and usage status management job is shown in the table of FIG.
4. When searching for user information in a business job, it is possible to take security into consideration by narrowing down to only users who have login authority to the company that is operating. FIG. 15 shows an image diagram of a reference range when a user search for a business job is executed.

[3-3. Reflection of security by company]
In this item, the method of reflecting the security for each company will be described with reference to FIGS. 16 to 19.

In order to manage the security setting information in chronological order and switch the security to be applied depending on the login timing, the security setting information and the security reflection information table are separated, and the setting is reflected in the actual environment by the security reflection process. There was a request. However, in the past, when security authority settings were transferred to the dedicated managers of each company in a group company, it was difficult to adjust the timing to reflect the security collectively. In addition, it should be avoided that unrelated other companies are reflected at the timing when the manager of each company reflects the security.

Therefore, in this embodiment, a company-specific security reflection function is realized in order to satisfy the requirement that the dedicated administrator of each company wants to reflect only the setting contents of his / her own company after setting the security. The target table for security determination is shown in FIG.

The outline of the company-specific security reflection function is as shown in 1 to 5 below.
1. 1. The reflection result requires that all reflection tables generate the same security version of data.
2. 2. When the dedicated administrator reflects the security, each time the table is reflected, the following steps 3 to 4 are taken.
3. 3. The security information of the company of the full-time administrator generates the reflection data of the new version from the setting data.
4. For security information of companies other than the company of the full-time administrator, the reflected data of the new version is generated by copying from the reflected data of the previous version.
5. The above 3 to 4 are prevented from being executed simultaneously in each company, and job exclusive control is required for the entire system.

Specific processing images when the company-specific security reflection function is executed are shown in FIGS. 17 to 19. As a premise of the processing, the full-time manager of the company No. 100 shall perform the reflection processing. Further, it is assumed that the previous security version = N is in the reflected state.

FIG. 17 is a diagram showing processing when the reflection source table (setting data) is the user group affiliation information and the reflection destination table (reflection data) is the user group affiliation reflection information. As shown in FIG. 17, in this case, the company to be reflected is determined by the affiliated company NO. As shown by the straight line arrow in FIG. 17, the own company is generated from the setting data, and as shown by the curved arrow in FIG. 17, the company other than the own company is generated from the previous reflection data.

FIG. 18 is a diagram showing processing when the reflection source table (setting data) is the area login authority information and the reflection destination table (reflection data) is the area login authority reflection information. As shown in FIG. 18, in this case, the company to be reflected is determined by the Key company NO. As shown by a straight line arrow in FIG. 18, the own company is generated from the setting data, and the companies other than the own company are generated from the previous reflection data.

FIG. 19 is a diagram showing security version control. As shown in FIG. 19, the security version is updated from N to N + 1.

[4. Specific example of processing]
Hereinafter, specific examples of the processing according to the present embodiment will be described. The processes related to this embodiment are roughly classified into data aggregation and security settings, and therefore, the items will be described in this order below.

[4-1. Data aggregation]
First, the data aggregation performed to acquire the job will be described. Since data aggregation is performed in the order of login authentication, area login authority determination, and available job determination, items will be described below in this order.

(1) Login authentication First, login authentication to the system is performed. Specifically, as shown in FIG. 25, a user ID (Area1Operater1) and a password are input. If the entered user ID and password combination exists in the user information 106b (when the user ID and password match), login is permitted. On the other hand, if the entered user ID and password combination does not exist in the user information 106b (when the user ID and password do not match), login is rejected, an error is displayed, and then the process ends. do.

(2) Area login authority determination Subsequently, the areas to which the area login authority is given are displayed in a list as options according to the logged-in user. Specifically, first, as shown in FIG. 25, the user group ID (Area1OperaterGroup1) associated with the user ID (Area1Operater1) input in (1) above is acquired with reference to the user group affiliation information 106d. .. Subsequently, as shown in FIG. 25, the area ID (1) and the area name (area 1) associated with the acquired user group ID (Area1OperaterGroup1) are acquired with reference to the area login authority information 106h, and as options. Is displayed. It should be noted that the following points 1 to 3 exist when determining the area login authority.

1. 1. If the user has the area login authority only for a single area (for example, if the user has the login authority only for the area 1 as explained in the previous paragraph), the selection of the acquired area ID is omitted. , You can proceed to (3) below.
2. 2. When the user has the area login authority in a plurality of areas (for example, when the user has the login authority in the area 1 and the area 2), the acquired area ID and the area name are listed as options and the selected area ID is displayed. Is the input information in (3) below.
3. 3. If the user's log-in area does not exist, the process ends after an error is displayed.

(3) Available job determination Finally, the login user ID input in (1) above and the area ID selected in (2) above are input, and a list of available jobs is displayed. Specifically, first, as shown in FIG. 26, the user group ID (Area1OperaterGroup1) associated with the login user ID (Area1Oprerater1) entered in (1) above is acquired with reference to the user group affiliation information 106d. To. Subsequently, as shown in FIG. 26, with reference to the job usage authority information 106i, the area ID 1 selected in (2) above and the user group ID Area1OperaterGroup1 acquired in this item (3) The associated job group ID (Area1JobGroup1) is acquired. Finally, as shown in FIG. 26, the job ID (business menu 1 and business menu 2) associated with the acquired job group ID (Area1JobGroup1) is acquired with reference to the job group affiliation information 106g. In this way, the area-specific operator can use the business menu of the area to which he / she belongs.

Here, when the login user ID input in (1) and the area ID acquired and selected in (2) are not information about operators but information about general managers and full-time managers. Explain what kind of job is acquired.

When the login user ID (Manager1) is input as the information about the general administrator and the area ID (0) is acquired and selected, the left column of FIG. 27 is the same method as the acquisition of the job related to the operator described above. As shown in, system control job (area registration and job registration) and security management job (user registration, user group registration, user group affiliation registration, job group registration, job group affiliation registration, area login authority registration, job User authority registration and user sharing settings) are acquired.

When the login user ID (Area1Manager1) is input as the information about the dedicated administrator and the area ID (0) is acquired and selected, the middle column of FIG. 27 is the same as the acquisition of the job related to the operator described above. As shown in, security management jobs (user registration, user group registration, user group affiliation registration, job group registration, job group affiliation registration, area login authority registration, job use authority registration, and user sharing settings) are acquired.

In this way, both the general administrator and the full-time administrator have security management jobs (user registration, user group registration, user group affiliation registration, job group registration, job group affiliation registration, area login authority registration, job use authority). Registration and user sharing settings) can be acquired and used, but the range in which security settings can be made differs between the general administrator and the dedicated administrator. Therefore, the difference in the range in which the security setting is possible will be described in detail in the following item [4-2].

[4-2. security settings]
Next, the security settings performed by the general administrator and the dedicated administrator will be described.

(1) Common operation In this item, the common operation performed in any of the following (2) to (16) will be described. When a job related to security settings is started, the area ID to which the user belongs is specified from the login user ID as an initial operation. Specifically, as shown in FIG. 28, the belonging area ID (Null) associated with the user ID (Manager1) input by the system administrator (general administrator) who is the operator with reference to the user information 106b. Is acquired, and the affiliation area ID (3) associated with the user ID (Area3Manager1) input by the area-specific administrator (dedicated administrator) who is the operator is acquired. In the following, the security setting is controlled by using the specified affiliation area ID (hereinafter, referred to as “operator's affiliation area ID”).

(2) User registration (update, reference and deletion of existing users)
The configurable range in user registration (update, reference, and deletion of existing users) is controlled as follows by the relationship between the operator's belonging area ID, the belonging area ID in the user information 106b, and the user shared information 106j. ..

The control when the operator's belonging area ID is NULL (when the operator is the general administrator) is as follows 1 and 2.
1. 1. As shown in FIG. 29 (A), in the user information 106b, reference and update are permitted for the information of all users regardless of the belonging area ID.
2. 2. However, when the operation of changing the affiliation area ID in the user information 106b is performed, as shown in FIG. 29 (A), the user whose affiliation area ID has been changed is deleted from the existing user group affiliation information 106d. Will be done. This is because when the user's area ID is changed, the existing set authority information becomes invalid.

The control when the operator's belonging area ID is 1 (when the operator is a full-time administrator) is as follows 1 and 2.
1. 1. About the information of the user (the user with the second to fourth circles from the top in the user information 106b of (B) of FIG. 29) having 1 which is the same belonging area ID as the operator in the user information 106b. , Browse, update and delete are allowed. However, it is not permitted to change the belonging area ID in the user information 106b to another value.
2. 2. In the user information 106b, only reference is permitted for the information of the user whose belonging area ID is NULL (the user with the first circle from the top in the user information 106b of FIG. 29 (B)).

The control when the operator's belonging area ID is 2 (when the operator is a full-time administrator) is as follows.
1. 1. Regarding the information of the user having the same belonging area ID 2 as the operator in the user information 106b (the user with the second to third circles from the top in the user information 106b of (C) of FIG. 29). , References and updates are allowed. However, it is not permitted to change the belonging area ID in the user information 106b to another value.
2. 2. In the user information 106b, only reference is permitted for the information of the user whose belonging area ID is NULL (the user with the first circle from the top in the user information 106b in FIG. 29C).
3. 3. The user information 106b has a affiliation area ID different from that of the operator, but the user sharing information 106j has the same shared destination area ID (2) as the operator's affiliation area ID (2) and is in the accepted state. Only reference is permitted for the information of the user whose is "completed" (the user marked with a circle in the user shared information 106j of FIG. 29 (C)).

(3) User registration (addition of new users)
The configurable range in user registration (addition of a new user) is controlled as follows by the area ID to which the operator belongs.

When the operator's affiliation area ID is NULL (when the operator is the general administrator), as shown in FIG. 30A, the NUML is used as the affiliation area ID of the new user newly registered in the user information 106b. And one of the specific numbers is allowed to be selected and registered.

When the area ID to which the operator belongs is other than NULL (when the operator is a full-time administrator), for example, when it is 1, as shown in FIG. 30B, a new user newly registered in the user information 106b. It is not allowed to select the area ID to which the operator belongs, and 1 which is the same area ID as the operator is automatically assigned. By this control, the dedicated manager of each area can increase the number of users in the same area without being aware of it when registering a new user.

(4) User group registration (update, reference and deletion)
The settable range in user group registration (update, reference, and deletion) is controlled as follows depending on the relationship between the operator's area ID and the user group information 106c.

When the operator's affiliation area ID is NULL (when the operator is the general administrator), as shown in FIG. 31 (A), in the user group information 106c, all users regardless of the affiliation area ID. References and updates are allowed for group information. However, it is not permitted to change the belonging area ID in the user group information 106c to another value.

When the area ID to which the operator belongs is other than NULL (when the operator is a full-time administrator), for example, when it is 1, as shown by a circle in (B) of FIG. 31, in the user group information 106c, Only the information of the user group having 1 which is the same belonging area ID as the operator is permitted to be referred, updated and deleted. However, it is not permitted to change the belonging area ID in the user group information 106c to another value. Even when the operator's belonging area ID is 2 or 3, the control is the same as in this paragraph.

(5) User group registration (new addition)
The settable range in user group registration (new addition) is controlled as follows by the operator's area ID.

When the operator's affiliation area ID is NULL (when the operator is the general administrator), as shown in FIG. 32 (A), the type and affiliation of the newly registered new user group in the user group information 106c. It is permitted to select and register the area ID. However, the following combinations 1 and 2 cannot be specified.
1. 1. Combination of user group type = 3 and belonging area ID = NULL 2. Combination of user group type ≠ 3 and belonging area ID ≠ NULL

When the area ID to which the operator belongs is other than NULL (when the operator is a full-time administrator), for example, when the ID is 1, as shown in FIG. 32 (B), the user group information 106c is newly registered. It is not allowed to select the type and affiliation area ID of the new user group, and type = 3 and 1 which is the same affiliation area ID as the operator are automatically assigned. By this control, the dedicated administrator of each area can increase the number of user groups in the same area without being aware of it when registering a new user group. Even when the operator's belonging area ID is 2 or 3, the control is the same as in this paragraph.

(6) User group affiliation registration (reference, deletion and addition)
The configurable range in user group affiliation registration (reference, deletion and addition) is controlled as follows.

When the operator's affiliation area ID is NULL (when the operator is the general administrator), as shown in FIG. 33 (A), all the information is referred to, deleted, and in the user group affiliation information 106d. Additions are allowed. However, as an exception, among the combinations of user groups and users, the combinations shown below are not permitted to operate.
The user group is a user group whose user group type is "3: General by area", and
"There is no user shared information such that the user's belonging area ID ≠ NULL, the user group's belonging area ID ≠ the user's belonging area ID, and" the user group belonging area ID = user shared information 106j shared destination area ID. Or, the combination of the user of "The acceptance status of the user shared information 106j is incomplete"

When the operator's affiliation area ID is other than NULL (when the operator is a full-time administrator), for example, 2, as shown in FIG. 33 (B), the operator in the user group affiliation information 106d. References and deletions are permitted for user groups and user information that have the same affiliation area as. However, in the following cases 1 and 2, the following operations are exceptionally permitted.
1. 1. For users under the user group (AreaManagerGroup marked with a circle in FIG. 33) whose user group type is "2: Administrator by area", a user having 2 which is the same belonging area ID as the operator (circle in FIG. 33). Reference, deletion and addition of Area2Manager1) marked with are permitted. With this control, it is possible to add and remove an administrator in the same area as the operator himself.
2. 2. For the subordinates of the user group (Area2OperaterGroup2 marked with a circle in FIG. 33) whose user group type is "3: General by area" and which has the same affiliation area ID as the operator itself, "Affiliation area ID = NULL user". (Manager1 marked with a circle in FIG. 33) ”or“ User shared information 106j has the same shared destination area ID as the area ID to which the operator belongs, and the acceptance status is completed (Area1Operater1 marked with a circle in FIG. 33). Is allowed to be viewed, deleted and added. By this control, a user shared by an administrator in another area can be added to and deleted from a user group in the area to which the operator belongs.

(7) Job group registration (update, reference and deletion)
The settable range in job group registration (update, reference, and deletion) is controlled as follows depending on the relationship between the operator's area ID and the job group information 106f.

When the operator's affiliation area ID is NULL (when the operator is the general administrator), as shown in FIG. 34 (A), in the job group information 106f, all jobs regardless of the affiliation area ID. References and updates are allowed for group information. However, it is not permitted to change the belonging area ID in the job group information 106f to another value.

When the area ID to which the operator belongs is other than NULL (when the operator is a full-time administrator), for example, when it is 1, as shown by a circle in (B) of FIG. 34, in the job group information 106f. Only the information of the job group having 1 which is the same belonging area ID as the operator is permitted to be referred, updated and deleted. However, it is not permitted to change the belonging area ID in the job group information 106f to another value. Even when the operator's belonging area ID is 2 or 3, the control is the same as in this paragraph.

(8) Job group registration (new addition)
The settable range in job group registration (new addition) is controlled as follows by the operator's area ID.

When the operator's affiliation area ID is NULL (when the operator is the general administrator), as shown in FIG. 35 (A), the type and affiliation of the newly registered new job group in the job group information 106f. It is permitted to select and register the area ID. However, the following combinations 1 and 2 cannot be specified.
1. 1. Combination of job group type = 3 and belonging area ID = NULL 2. Combination of job group type ≠ 3 and affiliation area ID ≠ NULL

When the area ID to which the operator belongs is other than NULL (when the operator is a full-time administrator), for example, when it is 1, as shown in FIG. 35 (B), newly registered in the job group information 106f. It is not allowed to select the type and affiliation area ID of the new job group, and type = 3 and 1 which is the same affiliation area ID as the operator are automatically assigned. By this control, the dedicated manager of each area can increase the number of job groups in the same area without being aware of it when registering a new job group. Even when the operator's belonging area ID is 2 or 3, the control is the same as in this paragraph.

(9) Job group affiliation registration (reference, deletion and addition)
The configurable range in job group affiliation registration (reference, deletion and addition) is controlled as follows.

When the operator's affiliation area ID is NULL (when the operator is the general administrator), as shown in FIG. 36 (A), all the information is referred to, deleted, and in the job group affiliation information 106g. Additions are allowed. However, as an exception, among the combinations of job groups and jobs, the combinations shown below shall not be permitted to operate.
Job group type ≠ job type combination

When the area ID to which the operator belongs is other than NULL (when the operator is a full-time administrator), for example, when it is 2, as shown in FIG. 36 (B), the job group type = 3 and the operator Job groups with the same affiliation area ID (Area2JobGroup1 circled in FIG. 36) and jobs with job type = 3 (business menu 1, business menu 2 and business menu 3 marked with circles in FIG. 36) are allowed to be set. .. By this control, the security management group for the operator's own business menu can be arbitrarily rearranged at the discretion of the area-specific administrator (dedicated administrator).

(10) Login authority setting for each area (reference, deletion and addition)
The settable range in the area-specific login authority setting (reference, deletion, and addition) is controlled by the operator's area ID as follows.

When the area ID to which the operator belongs is NULL (when the operator is the general administrator), as shown in FIG. 37 (A), the operation is permitted for all the information in the area login authority information 106h. Ru. The area ID to be associated is limited to the same area as the area ID to which the user group belongs.

When the area ID to which the operator belongs is other than NULL (when the operator is a full-time administrator), for example, when it is 1, the area login authority information 106h is shown by enclosing it in a square in (B) of FIG. 37. In, the operation is permitted only for the information of the user group having 1 which is the same belonging area ID as the operator. By this control, only the login authority of the operator's area can be appropriately managed.

(11) Job usage authority registration (reference, deletion and addition)
The settable range in job usage authority registration (reference, deletion, and addition) is controlled by the operator's area ID as follows.

When the operator's area ID is NULL (when the operator is the general administrator), as shown in FIG. 38 (A), the operation is permitted for all the information in the job usage authority information 106i. Ru. The area ID to be associated is limited to the same area as the area ID to which the user group and the job group belong.

When the area ID to which the operator belongs is other than NULL (when the operator is a full-time administrator), for example, when it is 1, the job usage authority information 106i is shown by enclosing it in a square in (B) of FIG. 38. In, the operation is permitted only for the information of the user group and the job group having 1 which is the same belonging area ID as the operator. By this control, only the job usage authority in the operator's area can be appropriately managed. The area ID to be associated is limited to the same area as the area ID to which the user group and the job group belong.

(12) to (16) Job Sharing In the following items (12) to (16), job sharing between regions will be described in detail with reference to FIGS. 39 to 43. As an outline of the job sharing process, the sharing permission unit 102a is a former administrator who is an administrator belonging to the original area which is the sharing source area (in FIGS. 39 to 43, the administrator of the area with the area ID = 1). The former operator (the operator in the area with the area ID = 1 in FIGS. 39 to 43), which is the operator belonging to the original area, set by the above, is the administrator who belongs to the destination area which is the shared destination area. When accepted by the administrator (in FIGS. 39 to 43, the administrator of the area with the area ID = 2), the former operator is permitted to share the job in the destination area.

(12) User sharing settings (sharing)
The settable range in the user sharing setting (sharing) is controlled as follows by the operator's belonging area ID.

The control when the operator's belonging area ID is NULL (when the operator is the general administrator) is as follows.
1. 1. As shown in the user information 106b of FIG. 39 (A), the user whose affiliation area ID = NULL can be referred to by all the administrators without sharing, and is therefore excluded from the sharing setting. That is, the target of the sharing setting is limited to the user whose belonging area ID ≠ NULL.
2. 2. As shown in FIG. 39 (A), for the user set as the sharing target, the belonging area ID in the user information 106b ≠ the sharing destination area ID in the user sharing information 106j (the combination that can be shared is , Area ID ≠ User's area ID combination only). For example, when NewUser1 (belonging area ID = 1) in the user information 106b of FIG. 39 (A) is set in the user sharing information 106j as a sharing target, the sharing destination area ID must be set to other than 1. It means that it will not be.
3. 3. As shown in the user sharing information 106j of FIG. 39 (A), immediately after setting the user as a sharing target, the acceptance state for the user becomes “incomplete”.
4. As shown in the area information 106a of FIG. 39 (A), the shareable range is limited to the area ID ≠ 0. That is, in the user sharing information 106j of FIG. 39 (A), the sharing destination area ID must be set to other than 0.

When the area ID to which the operator belongs is other than NULL (when the operator is a full-time administrator), for example, when it is 1, as shown in FIG. 39 (B), the setting control unit 102e is the former administrator. Controls the settings of the original operator by. Specifically, it is as follows.
1. 1. As shown in FIG. 39 (B), the first administrator area acquisition unit 102e1 refers to the user information 106b and acquires the affiliation area ID associated with the input original administrator user ID. For example, when the input original administrator user ID is Area1Manager1, the affiliation area ID acquired by the first administrator area acquisition unit 102e1 is the affiliation area as shown in the user information 106b of FIG. 39 (B). ID = 1.
2. 2. As shown in FIG. 39 (B), the operator area acquisition unit 102e2 refers to the user information 106b and acquires the belonging area ID associated with the user ID of the operator set by the former administrator. For example, when the user ID of the set operator is NewUser1, the belonging area ID acquired by the operator area acquisition unit 102e2 is the belonging area ID = 1 as shown in the user information 106b of FIG. 39 (B). .. On the other hand, for example, when the user ID of the set operator is Area2Operater1, the belonging area ID acquired by the operator area acquisition unit 102e2 is the belonging area ID = 2 as shown in the user information 106b of FIG. 39 (B). Is.
3. 3. Whether or not the affiliation area ID acquired by the first administrator area acquisition unit 102e1 described in 1 above and the affiliation area ID acquired by the operator area acquisition unit 102e2 described in 2 above are the same in the setting determination unit 102e3. Is determined. For example, as described in 1 and 2 above, when the input original administrator user ID is Area1Manager1 and the set operator user ID is NewUser1, the first administrator area acquisition unit 102e1 acquires the user ID. Since the belonging area ID is 1 and the belonging area ID acquired by the operator area acquisition unit 102e2 is also 1, the setting determination unit 102e3 determines that they are "same" (that is, the set operator can make a shared setting. Judged as a target). On the other hand, as described in 1 and 2 above, when the input original administrator user ID is Area1Manager1 and the set operator user ID is Area2Operater1, the first administrator area acquisition unit 102e1 Since the affiliation area ID acquired in 1 is 1 and the affiliation area ID acquired by the operator area acquisition unit 102e2 is 2, the setting determination unit 102e3 determines that they are not the same (that is, they are shared by the set operators). Judge that it is not a configurable target). When "not the same", the setting determination unit 102e3 may notify the former administrator who is performing the operation that "it is not the same" by displaying an error or the like, for example. As described above, by providing the job sharing permission device 100 according to the present embodiment with the setting control unit 102e, the former administrator who is an operator is different from only the user who has the same affiliation area ID as the former administrator. It can be set as a sharing target for the area. Thereby, the user in the area of the operator can be shared with the administrator in another area.
4. Similar to item 2 when the operator's affiliation area ID is NULL, for the user set as the sharing target, the affiliation area ID in the user information 106b must be ≠ the sharing destination area ID in the user sharing information 106j. It doesn't become.
5. Immediately after setting the user as a sharing target, the acceptance state for the user becomes "incomplete" as in item 3 when the operator's belonging area ID is NULL.
6. As shown by circles in the area information 106a of FIG. 39 (B), the shareable range is limited to the area ID ≠ 0 and the area ID ≠ the operator's area ID. That is, in the user sharing information 106j of FIG. 39 (B), the sharing destination area ID must be set to other than 0 and 1.

(13) User sharing setting (cancellation of sharing)
The user sharing setting (cancellation of sharing) is a function used when the administrator of the area on the sharing side (original area side) cancels sharing with the administrator of another area (destination area). The settable range in the user sharing setting (sharing cancellation) is controlled as follows by the operator's belonging area ID.

The control when the operator's belonging area ID is NULL (when the operator is the general administrator) is as follows 1 and 2.
1. 1. As shown in the user sharing information 106j of FIG. 40A, the user is deleted from the user sharing information 106j as a result of the operation of deleting the sharing.
2. 2. When the user whose acceptance status is completed is released from sharing, the user ID of the user and the shared destination area ID of the user in the user group information 106c are derived from the user group affiliation information 106d of FIG. 40 (A). The user group ID associated with the same affiliation area ID is deleted. This is because it is necessary to deprive the login authority and job use authority to another area (destination area) as the sharing is canceled.

When the area ID to which the operator belongs is other than NULL (when the operator is a full-time administrator), for example, when it is 1, as shown in FIG. 40B, the setting control unit 102e is the former administrator. Controls the cancellation of the settings of the original operator by. Since the specific control method for canceling the setting is the same as that of items 1 to 3 when the operator's belonging area ID is other than NULL in (12), the description thereof will be omitted, but for example, (1) in FIG. As shown in B), if the affiliation area ID associated with Area1Manager1 which is the user ID of the former administrator is 1, and the affiliation area ID associated with Area1Operater1 which is the user ID of the set operator is also 1, the setting is made. The determination unit 102e3 determines that "they are the same" (that is, it is determined that the set operator is a target that can be set to cancel sharing). As described above, by providing the job sharing permission device 100 according to the present embodiment with the setting control unit 102e, the former administrator who is an operator shares only the user who has the same affiliation area ID as the former administrator. It can be released. The method of deleting the user group ID and the user ID from the user group affiliation information 106d in FIG. 40 (B) is the same as in item 2 when the operator's affiliation area ID is NULL. The explanation is omitted.

(14) User sharing settings (shared acceptance)
The configurable range in the user sharing setting (shared acceptance) is controlled as follows by the operator's belonging area ID.

When the operator's area ID is NULL (when the operator is the general administrator), as shown in FIG. 41 (A), the acceptance status "incomplete" is applied to all the users in the user shared information 106j. Is allowed to change to "done".

When the area ID to which the operator belongs is other than NULL (when the operator is a full-time administrator), for example, when it is 2, as shown in FIG. 41 (B), the acceptance control unit 102f is the destination administrator. Controls the acceptance of former operators by. Specifically, it is as follows 1-2.
1. 1. The second administrator area acquisition unit 102f1 refers to the user information 106b and acquires the affiliation area ID associated with the input destination administrator user ID. For example, when the input user ID of the destination administrator is Area2Manager1, the second administrator area acquisition unit 102f1 acquires the belonging area ID = 2 by the method shown in FIG. 28.
2. 2. The acceptance determination unit 102f2 includes the affiliation area ID acquired by the second administrator area acquisition unit 102f1 described in 1 above, the shared destination area ID included in the user information sharing information 106j set by the former administrator, and the shared destination area ID. Determine if they are the same. For example, when the shared destination area ID set for Area1Operater1 by the former administrator is 2, the acceptance determination unit 102f2 determines that it is "same" (that is, the set operator can set the shared acceptance). Is determined to be). On the other hand, when the shared destination area ID set for Area1Operater1 by the former administrator is 3, the acceptance determination unit 102f2 determines that they are not the same (that is, the set operator sets the shared acceptance. Judge that it is not a possible target). When "not the same", the acceptance determination unit 102f2 may notify the destination administrator performing the operation that "it is not the same" by displaying an error or the like, for example. As described above, by providing the job sharing permission device 100 according to the present embodiment with the acceptance control unit 102f, the destination administrator who is an operator has the same shared destination area ID as the area ID to which the destination administrator belongs. Only for users, the acceptance status "incomplete" can be changed to "completed" for shared acceptance.

Here, when the acceptance state in the user shared information 106j is changed from "incomplete" to "completed", how is the state in which the operator in the original area can use the job in the destination area is created? (14-1) and (14-1) and (14-1) regarding how the operator of the original area can acquire the job of the destination area after the usable state is created. It will be described in detail as 14-2).

(14-1) Creation of a state in which an operator in the original area can use a job in the destination area First, how is a state in which an operator in the original area 1 can use a job in the destination area 2 is created? It will be explained in detail.

First, the destination area acquisition unit 102a1 acquires the shared destination area ID having the completion category with reference to the user sharing information 106j. For example, when the user sharing information 106j is as shown in FIG. 41 (B), the destination area acquisition unit 102a1 has the sharing destination area ID = 2 of Area1Operater1 and the sharing destination of Area1Operater1 as the sharing destination area ID having the completion category. The area ID = 3 and the shared destination area ID = 2 of NewUser1 are acquired. However, in the following, for convenience of explanation, the description will proceed assuming that only the shared destination area ID = 2 of Area1Operater1 has been acquired.

Subsequently, the first user group acquisition unit 102a2 refers to the user group information 106c and acquires the user group ID associated with the shared destination area ID acquired by the destination area acquisition unit 102a1. For example, when the data structure of the user group information 106c is as shown in FIG. 21 and the shared destination area ID acquired by the destination area acquisition unit 102a1 is the shared destination area ID of Area1Operater1, the first user group acquisition unit 102a2 Acquires Area2OperaterGroup2 as a user group ID associated with ID = 2, as shown in FIG.

Finally, the storage unit 102a3 stores the user group ID (Area2OperaterGroup2) acquired by the first user group acquisition unit 102a2 and the user ID (Area1Operater1) included in the user sharing information 106j in the user group affiliation information 106d. ..

In this way, the information that "Area1Operater1 belonging to the original area 1 also belongs to Area2OperaterGroup2 (destination area 2)" is stored in the user group affiliation information 106d, whereby the operator of the original area Area1Operater1 A state is created in which the operator can use the job of Area2OperaterGroup2, which is the destination area.

(14-2) Acquisition of Jobs in Destination Area by Operator in Original Region Next, how an operator in original region 1 can acquire a job in destination region 2 will be described in detail. As described in (14-1) above, it is assumed that the user group ID (Area2OperaterGroup2) and the user ID (Area1Operater1) are stored in the user group affiliation information 106d.

First, the second user group acquisition unit 102b refers to the user group affiliation information 106d and acquires the user group ID associated with the input original operator user ID. For example, when the input user ID of the original operator is Area1Operater1, the second user group acquisition unit 102b acquires Area2OperaterGroup2 as the user group ID associated with the user group ID.

Subsequently, the job group acquisition unit 102c refers to the job usage authority information 106i and acquires the job group ID associated with the user group ID acquired by the second user group acquisition unit 102b. For example, when the data structure of the job usage authority information 106i is as shown in FIG. 26 and the user group ID acquired by the second user group acquisition unit 102b is Area2OperaterGroup2, the job group acquisition unit 102c and the user group ID Acquire Area2JobGroup1 as the associated job group ID.

Finally, the job acquisition unit 102d refers to the job group affiliation information 106g and acquires the job ID associated with the job group ID acquired by the job group acquisition unit 102c. For example, when the data structure of the job group affiliation information 106g is as shown in FIG. 26 and the job group ID acquired by the job group acquisition unit 102c is Area2JobGroup1, the job acquisition unit 102d is associated with the job group ID. Acquire the business menu 2 as the ID.

In this way, Area1Operater1 which is the operator of the original area can acquire the job menu 2 which is the job of Area2OperaterGroup2 which is the destination area.

(15) User sharing settings (cancellation of sharing acceptance)
The user sharing setting (sharing acceptance cancellation) is a function used when the acceptance is canceled by the administrator of the area on the shared side (destination area side). The settable range in the user sharing setting (sharing acceptance cancellation) is controlled as follows by the operator's belonging area ID.

The control when the operator's belonging area ID is NULL (when the operator is the general administrator) is as follows 1 and 2.
1. 1. The acceptance status "completed" can be changed to "incomplete".
2. 2. When the shared acceptance of the user whose acceptance status is completed is canceled, the user ID of the user and the shared destination area of the user in the user group information 106c are derived from the user group affiliation information 106d of FIG. 42 (A). The user group ID associated with the same belonging area ID as the ID is deleted. This is because it is necessary to deprive the login authority and job use authority to another area (destination area) as the shared acceptance is canceled.

When the area ID to which the operator belongs is other than NULL (when the operator is a full-time administrator), for example, when it is 2, as shown in FIG. 42 (B), the acceptance control unit 102f is the destination administrator. Controls the rejection of the former operator by. Since the specific method for controlling acceptance / cancellation is the same as in Items 1 and 2 when the operator's area ID in (14) is other than NULL, the description thereof will be omitted, but for example, (1) in FIG. As shown in B), when the belonging area ID associated with Area2Manager1 which is the user ID of the destination administrator is 2, and the shared destination area ID set for Area1Operater1 by the former administrator is also 2, the acceptance determination unit 102f2. Is determined to be "same" (that is, it is determined that the set operator is a target that can be set to cancel shared acceptance). As described above, by providing the job sharing permission device 100 according to the present embodiment with the acceptance control unit 102f, the destination administrator who is an operator has the same shared destination area ID as the area ID to which the destination administrator belongs. Only for the user, the acceptance status "completed" can be changed to "incomplete" to cancel the shared acceptance. The method of deleting the user group ID and the user ID from the user group affiliation information 106d in FIG. 42 (B) is the same as in item 2 when the operator's affiliation area ID is NULL. The explanation is omitted.

(16) User sharing settings (transfer)
Transfer is a function used when an administrator of an area sharing a user (original area side) transfers ownership and management authority to an administrator of another area (destination area). In other words, for example, when an operator who originally belonged to area 1 moves to an area under the jurisdiction of another administrator due to a transfer or transfer, the side shared with the sharing side (former area side). It is a function to switch the position with (the destination area side). Note that this function can be used only between areas where operator sharing is established.

When the operator's belonging area ID is NULL (when the operator is the general administrator), as shown in FIG. 43 (A), the shared destination area in the user shared information 106j for the operator whose acceptance state is completed. Updates that replace the ID with the affiliation area ID in the user information 106b are permitted. As a result, the manager owned by the operator is replaced and transferred.

When the operator's area ID is other than NULL (when the operator is a full-time administrator), for example, when it is 1, the control is as follows.
1. 1. The transfer operation is permitted only for the operator who has the same affiliation area ID as the former administrator who is the operator. For example, in the case of (B) of FIG. 43, the transfer operation is permitted only for Area1operater1 having 1 in the user information 106b, which is the same belonging area ID as the former administrator's belonging area ID = 1.
2. 2. The transfer operation can be performed only from the administrator side sharing the operator (administrator side of the former area), and the ownership is taken by the discretion of the shared side (administrator side of the destination area). Operation is not allowed.

Above, [4. As described in [Specific Example of Processing], according to the job sharing permission device 100 according to the present embodiment, a job performed by an operator by exchanging between a dedicated administrator who is an administrator who can access only a specific area. You can allow sharing between areas of. Therefore, for example, since the job sharing setting can be made without going through an overall administrator who can access the entire area, the job sharing permission device 100 according to the present embodiment is excellent in terms of security and shares the job. It has the advantage that the setting for doing so is not complicated.

[5. Other embodiments]
In addition to the above-described embodiments, the present invention may be implemented in various different embodiments within the scope of the technical ideas described in the claims.

For example, among the processes described in the embodiments, all or part of the processes described as being automatically performed may be performed manually, or all the processes described as being performed manually may be performed. Alternatively, a part thereof can be automatically performed by a known method.

In addition, processing procedures, control procedures, specific names, information including parameters such as registration data and search conditions for each processing, screen examples, and database configurations shown in this specification and drawings are not specified unless otherwise specified. Can be changed arbitrarily.

Further, with respect to the job sharing permission device 100, each component shown in the figure is a functional concept and does not necessarily have to be physically configured as shown in the figure.

For example, with respect to the processing functions included in the job sharing permission device 100, particularly each processing function performed by the control unit 102, all or any part thereof is realized by the CPU and a program interpreted and executed by the CPU. It may be realized as hardware by wired logic. The program is recorded on a non-temporary computer-readable recording medium including a programmed instruction for causing the information processing apparatus to execute the process described in the present embodiment, and job sharing is permitted as necessary. It is read mechanically by the device 100. That is, a computer program for giving instructions to the CPU in cooperation with the OS and performing various processes is recorded in a storage unit such as a ROM or an HDD (Hard Disk Drive). This computer program is executed by being loaded into RAM, and cooperates with the CPU to form a control unit.

Further, this computer program may be stored in the application program server connected to the job sharing permission device 100 via an arbitrary network, and all or part of the computer program may be downloaded as needed. Is.

Further, the program for executing the process described in the present embodiment may be stored in a non-temporary computer-readable recording medium, or may be configured as a program product. Here, the "recording medium" includes a memory card, a USB (Universal Serial Bus) memory, an SD (Secure Digital) card, a flexible disk, a magneto-optical disk, a ROM, an EPROM (Erasable Programmable Read Only Memory), and an EEPROM (registration). Trademarks) (Electrically Erasable and Protocol Read Only Memory), CD-ROM (Compact Disk Read Only Memory), MO (Magnet-Optical Disc), MO (Magnet-Optical Disc), DVD (Digital), DVD (Digital) It shall include any "portable physical medium". Therefore, a recording medium containing a program for executing a process or a process method as described herein also constitutes the present invention.

Further, the "program" is a data processing method described in any language or description method, regardless of the format such as source code or binary code. The "program" is not necessarily limited to a single program, but is distributed as a plurality of modules or libraries, or cooperates with a separate program represented by an OS to achieve its function. Including things. It should be noted that well-known configurations and procedures can be used for the specific configuration and reading procedure for reading the recording medium and the installation procedure after reading in each device shown in the embodiment.

Various databases and the like stored in the storage unit 106 are memory devices such as RAM and ROM, fixed disk devices such as hard disks, flexible disks, and storage means such as optical disks, and are used for various processes and website provision. Stores programs, tables, databases, files for web pages, etc.

Further, the job sharing permission device 100 may be configured as an information processing device such as a known personal computer or workstation, or may be configured as the information processing device to which an arbitrary peripheral device is connected. Further, the job sharing permission device 100 may be realized by mounting software (including a program or data) that realizes the processing described in the present embodiment on the device.

Furthermore, the specific form of distribution / integration of the device is not limited to the one shown in the figure, and all or part of the device may be functionally or physically in any unit according to various additions or functional loads. It can be distributed and integrated. That is, the above-described embodiments may be arbitrarily combined and implemented, or the embodiments may be selectively implemented.

The present invention is useful in all industries, but is particularly useful in the account and security management industry.

100 Job sharing permission device
102 Control unit
102a Sharing permission unit
102a1 Destination area acquisition unit
102a2 First user group acquisition unit
102a3 storage unit
102b Second user group acquisition unit
102c Job group acquisition unit
102d Job acquisition unit
102e Setting control unit
102e1 First administrator area acquisition department
102e2 Operator area acquisition unit
102e3 setting judgment unit
102f Acceptance control unit
102f1 Second administrator area acquisition department
102f2 Acceptance judgment unit
104 Communication interface section
106 Storage unit
106a Area information
106b User information
106c User group information
106d User group affiliation information
106e Job information
106f Job group information
106g Job group affiliation information
106h area login authority information
106i Job usage permission information
106j User shared information
Business system information in 106k area
108 Input / output interface section
112 Input device
114 Output device 200 Server 300 Network

Claims (1)

A job sharing permission device that includes a control unit and a storage unit, and allows a former operator who is an operator belonging to the original area that is the sharing source area to share a job in the destination area that is the sharing destination area.
In the storage unit
As the information set by the former administrator who is the administrator belonging to the original area, the original operator identification information for identifying the original operator, the destination area identification information for identifying the destination area, and the source operator User-shared information including the completion category, which is a category indicating that acceptance has been completed,
User group information including user group identification information for identifying a user group and area identification information for identifying an area, and
Is stored,
The control unit
When the former administrator who is the administrator belonging to the destination area accepts the former operator set by the former administrator, the sharing permission means for permitting the former operator to share the job in the destination area is provided. Prepare,
The sharing permission means is
With reference to the user-shared information, a destination area acquisition means for acquiring the destination area identification information having the completion category, and
The first user group acquisition means for acquiring the user group identification information associated with the destination area identification information acquired by the destination area acquisition means by referring to the user group information, and
A storage means for storing the user group identification information acquired by the first user group acquisition means and the original operator identification information included in the user shared information in the user group affiliation information.
To prepare for
A job sharing permission device characterized by.

Images