JP2022081506A - Management system, control device, management method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce a security risk of a management object device while improving convenience of a user.

SOLUTION: A management system comprises a management object device which can be operated by using a first ID having a predetermined authority, a control device which controls the management object device and a terminal which acquires terminal position information indicating a position of a self-terminal and transmits the terminal position information to the control device. The control device includes an ID use management unit for requesting authentication of a terminal to the management object device and, if the management object device authenticates the terminal, determining whether or not to permit the use of the first ID to the terminal on the basis of the terminal position information and use determination time.

SELECTED DRAWING: Figure 1

COPYRIGHT: (C)2022,JPO&INPIT

Description

The present invention relates to a management system, a control device, a management method and a program.

The information processing device (computer) generally has a function of setting an access authority (hereinafter, simply referred to as an authority) for data or the like stored in the information processing device according to a user ID (identifier). Further, in general, in order to protect important functions or data, access authority to important functions or data is restricted to the administrator of the information processing apparatus or the like. In other words, in order to protect important functions or data, the authority to a predetermined user (administrator of an information processing device, etc.) is stronger than that of a user other than the predetermined user (hereinafter referred to as a general user). Is given.

In Patent Document 1, regarding the device that holds the controlled object data internally, the access to the controlled object data is given a special authority based on the life cycle state of the device and the position and / or time of the device. The technology to limit to the users who have it is described.

Japanese Unexamined Patent Publication No. 2016-0580335

The disclosure of the above prior art document shall be incorporated into this document by citation. The following analysis was made from the point of view of the present invention.

As described above, by limiting the access authority to the important function or data to the administrator of the information processing apparatus or the like, the important function or data can be protected. However, there are cases where a general user needs to temporarily access important functions or data.

Here, in the technique described in Patent Document 1, when the access to the controlled target data is restricted to a user (administrator or the like) having special authority, the controlled target data is transferred to a user other than the administrator. Do not allow access to. Therefore, in the technique described in Patent Document 1, when the access to the controlled target data is restricted to a user having a special authority, the convenience of a user other than the administrator may be reduced.

Further, in the technique described in Patent Document 1, the access right is granted to the device that holds the data to be controlled internally if the state of the device (life cycle state), the position and / or time of the device satisfy predetermined conditions. The user can access the controlled data. Therefore, the technique described in Patent Document 1 cannot prevent a user having an access right from unnecessarily accessing the controlled object data.

Therefore, an object of the present invention is to provide a management system, a control device, a management method, and a program that contribute to reducing the security risk of the managed device while improving the convenience of the user.

According to the first aspect of the present invention, a management system is provided. The management system uses a first ID having a predetermined authority to operate a managed device, a control device that controls the managed device, and terminal position information indicating the position of the own terminal. Includes a terminal that acquires and transmits the terminal position information to the control device. The control device requests the management target device to authenticate the terminal, and when the management target device authenticates the terminal, the first control device is based on the terminal position information and the usage determination time. It is provided with an ID usage management unit that determines whether or not to permit the use of the ID to the terminal.

According to the second aspect of the present invention, a control device is provided. The control device controls a managed device that can be operated by using a first ID having a predetermined authority. Further, the control device requests the management target device to authenticate the terminal, and when the management target device authenticates the terminal, the control device is based on the terminal position information indicating the position of the terminal and the usage determination time. An ID utilization management unit for determining whether or not to permit the use of the first ID to the terminal is provided.

According to the third aspect of the present invention, a management method is provided. The management method includes a step of acquiring terminal position information indicating the position of the terminal. Further, the management method includes a step of requesting the management target device to authenticate the terminal, which can be operated by using the first ID having a predetermined authority. Further, the management method is a step of determining whether or not to permit the use of the first ID to the terminal based on the terminal position information and the usage determination time when the terminal is authenticated. including.
It should be noted that this method is linked to a specific machine called a control device that controls a managed device.

According to the fourth aspect of the present invention, the program is provided. The program causes a computer controlling a control device to execute a process of receiving terminal position information indicating a terminal position from the terminal. Further, the program causes the computer to execute a process of requesting the authentication of the terminal from the managed device, which can be operated by using the first ID having a predetermined authority. Further, when the terminal is authenticated, the program determines whether or not to permit the terminal to use the first ID based on the terminal position information and the usage determination time. , Let the computer do it.
Note that these programs can be recorded on a computer-readable storage medium. The storage medium may be a non-transient such as a semiconductor memory, a hard disk, a magnetic recording medium, or an optical recording medium. The present invention can also be embodied as a computer program product.

According to each viewpoint of the present invention, a management system, a control device, a management method, and a program that contribute to reducing the security risk of the managed device while improving the convenience of the user are provided.

It is a figure for demonstrating the outline of one Embodiment. It is a block diagram which shows an example of the whole structure of management system 1. It is a figure which shows an example of the use application information table 105. It is a figure which shows an example of the managed server table 106. It is a figure which shows an example of the work user table 107. It is a flowchart which shows an example of the operation of management server 100. It is a flowchart which shows an example of the operation of management server 100. It is a flowchart which shows an example of the operation of management server 100. It is a flowchart which shows an example of the operation of management system 1. It is a flowchart which shows an example of the operation of management system 1. It is a flowchart which shows an example of the operation of the control device 300. It is a flowchart which shows an example of the operation of the control device 300.

First, an outline of one embodiment will be described with reference to FIG. It should be noted that the drawing reference reference numerals added to this outline are added to each element for convenience as an example for assisting understanding, and the description of this outline is not intended to limit anything. Further, the connection line between the blocks in each block diagram includes both bidirectional and unidirectional. The one-way arrow schematically shows the flow of the main signal (data), and does not exclude bidirectionality. Further, in the circuit diagram, block diagram, internal configuration diagram, connection diagram, etc. shown in the disclosure of the present application, although not explicitly stated, an input port and an output port exist at the input end and the output end of each connection line, respectively. The same applies to the input / output interface.

As described above, a management system that contributes to reducing the security risk of the managed device while improving the convenience of the user is desired.

Therefore, as an example, the management system 1000 shown in FIG. 1 is provided. The management system 1000 includes a management target device 1010, a control device 1020, and a terminal 1030.

The managed device 1010 can be operated by using the first ID having a predetermined authority. The terminal 1030 acquires the terminal position information indicating the position of the own terminal 1030 and transmits the terminal position information to the control device 1020.

The control device 1020 controls the managed device 1010. Further, the control device 1020 includes an ID utilization management unit 1021. The ID usage management unit 1021 requests the management target device 1010 to authenticate the terminal 1030. When the management target device 1010 authenticates the terminal 1030, the ID usage management unit 1021 uses the first ID in the management target device 1010 based on the terminal position information received from the terminal 1030 and the time to be determined. , Determine whether to allow the terminal 1030. In the following description, the time to be determined is referred to as a usage determination time.

Here, it is assumed that the first ID is a user ID (hereinafter referred to as privileged ID) having stronger authority than the user ID of a general user. Further, it is assumed that the time to be determined is the time at the time of determination. In that case, with respect to the terminal 1030 authenticated by the managed device 1010, the control device 1020 determines whether or not to allow the terminal 1030 to use the privileged ID in the managed device 1010 as the position of the terminal 1030 and the time at the time of determination. Judgment based on. Therefore, the control device 1020 is a terminal 1030 authenticated by the management target device 1010, and has a privilege ID in the management target device 1010 for the terminal 1030 existing at a position satisfying the predetermined condition at a time satisfying the predetermined condition. Allow the use of.

That is, in the management system 1000, the control device 1020 permits the use of the privileged ID of the management target device 1010 from an external device (that is, the terminal 1030) different from the management target device 1010. Further, in the management system 1000, if a predetermined condition is satisfied, even a general user can use the privileged ID of the managed device 1010. Therefore, the management system 1000 contributes to improving the convenience of the user who uses the managed device 1010.

On the other hand, the control device 1020 causes the managed device 1010 to authenticate the terminal 1030. Further, the control device 1020 determines whether or not to allow the terminal 1030 to use the privileged ID in the managed device 1010 based on the position and time of the terminal 1030. That is, the control device 1020 limits the terminal 1030 that can use the privileged ID of the managed device 1010, the place that can be used, and the time. Therefore, the management system 1000 contributes to reducing the security risk of the managed device 1010.

Therefore, the management system 1000 contributes to reducing the security risk of the managed device 1010 while improving the convenience of the user.

[First Embodiment]
The first embodiment will be described in detail with reference to the drawings. In the following description, the managed device is referred to as a managed server. However, this does not mean that the managed device is limited to the server.

FIG. 2 is a block diagram showing an example of the overall configuration of the management system 1 according to the present embodiment. The management system 1 includes a management server 100, a terminal 200, and a control device 300. Note that FIG. 2 shows one terminal 200, but this is not limited to the fact that the management system 1 is configured to include one terminal 200. Of course, the management system 1 may include two or more terminals 200.

The control device 300 connects to the managed server (managed device) (301a, 301b). In the following description, the managed server (310a, 310b) will be referred to as a managed server 310 when it is not necessary to distinguish them from each other. Further, FIG. 2 shows two managed servers (301a and 301b), but this does not mean that the number of managed servers 310 is limited to two. Of course, the management system 1 may be configured to include one or three or more managed servers 310.

The control device 300 and the managed server 310 are arranged in the managed server network (first network) 400. In the management system 1 according to the present embodiment, the managed server network 400 is assumed to be a LAN (Local Area Network). In other words, in the management system 1 according to the present embodiment, the control device 300 and the management target server 310 are arranged in the LAN. When the terminal 200 exists in the managed server network 400, it is assumed that the terminal 200 can be connected to the control device 300 and the managed server 310 via the managed server network 400.

Further, the terminal 200 can be connected to the management server 100 via a second network different from the management target server network 400. For example, the second network may be the Internet. Alternatively, the second network may be a LAN different from the managed server network 400.

The management server 100 includes a usage application management unit 103, a management server control unit 104, and a management server storage unit 101. Further, the management server 100 includes a communication means (not shown). Needless to say, the management server 100 may be configured to include hardware and / or software (not shown).

The terminal 200 is an information processing device (computer) used by a working user. For example, the terminal 200 may be a smartphone, a tablet terminal, or the like. The terminal 200 includes an ID management relay unit 201 and a position information acquisition unit 202. Further, the terminal 200 includes a communication means (not shown). Needless to say, the terminal 200 may be configured to include hardware and / or software (not shown).

The control device 300 is an information processing device (computer) that controls the managed server 310. The control device 300 includes an ID utilization management unit 301. Further, the control device 300 includes a communication means (not shown). Of course, the control device 300 may be configured to include hardware and / or software (not shown).

The management target server 310 is an information processing device (computer). Specifically, the managed server 310 can be connected by using at least one of a first ID having a predetermined authority and a second ID different from the first ID, an information processing device (computer). ). In the following description, it is assumed that the first ID is a privileged ID.

Hereinafter, the management server 100 will be described in detail.

The management server storage unit 101 stores information necessary for operating the management server 100. The management server storage unit 101 stores the ID management database 102. The management server storage unit 101 is realized by a magnetic disk device, an optical disk device, and a semiconductor memory.

Hereinafter, the ID management database 102 will be described in more detail.

The ID management database 102 stores information in which information for identifying the management target server 310 and usage application information are associated with each other. In the following description, the table in which the information identifying the managed server 310 and the usage application information are associated with each other is referred to as a usage application information table 105.

The information that identifies the managed server 310 may be a number or the like assigned to each managed server 310, and the details thereof are not limited as long as the information can identify the managed server 310. In the following description, the information that identifies the managed server 310 is referred to as a managed server ID.

The usage application information includes a privileged ID (first ID), information indicating the authority corresponding to the privileged ID, a usage start time, and a profit end time.

The information indicating the authority corresponding to the privilege ID is the information indicating the authority that can be used by using the privilege ID in the managed server 310. In the following description, among the information indicating the authority corresponding to the privilege ID, the information included in the usage application information is referred to as the application target authority.

The usage start time is a time when the user plans to start using the managed server 310. On the other hand, the usage end time is a time when the user plans to end the use of the managed server 310. In other words, the user applies to use the managed server 310 from the usage start time to the usage end time.

FIG. 3 is a diagram showing an example of the usage application information table 105. Specifically, FIG. 3 shows a table in which a managed server ID, a work user ID, a privileged ID, an application target authority, a usage start time, and a usage end time are associated with each other.

Further, the ID management database 102 stores the managed server ID, the server connection information, the authentication information corresponding to the second ID, the registration position information, and the distance threshold value in association with each other. In the following description, the second ID will be referred to as a connected user ID. The connected user ID is a user ID associated with the privileged ID, and is a user ID for connecting to the managed server 310. Further, in the following description, a table in which the managed server ID, the server connection information, the connected user authentication information corresponding to the connected user ID (second ID), the registered position information, and the distance threshold are associated with each other is provided. , Called the managed server table 106. In the following description, the authentication information corresponding to the connected user ID is referred to as the connected user authentication information. The connected user authentication information is information including a connected user ID and a password corresponding to the connected user ID.

The server connection information is information necessary for connecting to the managed server 310. For example, the server connection information may include a host name and a port number corresponding to the managed server 310. Further, for example, the server connection information may include an IP address and a port number corresponding to the managed server 310.

The registered location information is information indicating a location that has been applied for use by a user and registered. For example, the registered position information may be information indicating the position where the user of the terminal 200 plans to work by using the privileged ID.

The distance threshold value is a distance used as a threshold value for determining whether or not the difference between the position of the terminal 200 and the position for which use has been applied in advance is within a predetermined range.

FIG. 4 is a diagram showing an example of the managed server table 106. Specifically, FIG. 4 shows a managed server ID, a host name, a port number, a connected user ID, a password corresponding to the connected user ID (connection user password), registered position information, and a distance threshold. Shows a table associated with.

Further, the ID management database 102 stores the authentication information corresponding to the third ID. In the following description, the table that stores the third ID and the password corresponding to the third ID is referred to as a work user table 107. Further, in the following description, the third ID is referred to as a working user. Further, in the following description, the authentication information corresponding to the work user ID (third ID) is referred to as work user authentication information.

The working user ID is a user ID corresponding to a user who uses the terminal 200. The work user authentication information is information including a work user ID and a password corresponding to the work user ID.

FIG. 5 shows an example of the working user table 107. Specifically, FIG. 5 shows an example of a table in which a work user ID and a password are associated with each other. For example, referring to FIG. 5, the password corresponding to the work user ID “suzuki” is “B7343a7cbdd302”.

In the following description, for convenience of explanation, the ID management database 102 shall store the user table, the usage application information table 105, and the management target server table 106. However, this does not mean that the ID management database 102 is limited to storing (holding) data in a table format.

The usage application management unit 103 authenticates the working user. Further, the usage application management unit 103 receives the usage application information and registers the received usage application information in the ID management database 102. Specifically, the usage application management unit 103 obtains usage application information including a management target server ID, a privileged ID, an application target authority, a usage start time, and a usage end time, which are the usage application targets. accept. Then, the usage application management unit 103 registers the usage application information including the management target server ID, the privilege ID, the application target authority, the usage start time, and the usage end time in the ID management database 102.

The management server control unit 104 receives a login request of a working user from the ID management relay unit 201. When the management server control unit 104 receives a login request from the ID management relay unit 201, the management server control unit 104 displays a list of the management target servers 310 corresponding to the working users in the ID management relay unit 201 among the management target servers 310 registered in advance. respond. Then, when the management server control unit 104 receives the management target server ID from the ID management relay unit 201, the management server control unit 104 refers to the usage application information table 105 and obtains the usage application information corresponding to the received management target server ID. Respond to the management relay unit 201.

Hereinafter, the terminal 200 will be described in detail.

The position information acquisition unit 202 acquires terminal position information indicating the position of the own terminal 200. The position information acquisition unit 202 is realized by using, for example, a GPS (Global Positioning System) function.

The ID management relay unit 201 transmits the connection user authentication information corresponding to the connection user ID and the terminal position information to the control device 300. Further, the ID management relay unit 201 transmits the registered position information and the distance threshold value to the control device 300. Specifically, the ID management relay unit 201 transmits the registered position information and the distance threshold value to the control device 300 when applying for use. More specifically, the ID management relay unit 201 receives the connection user authentication information and the usage application information corresponding to the management target server 310 to be connected from the management server 100. Then, the ID management relay unit 201 transmits the connection user authentication information, the usage application information, and the terminal position information to the control device 300.

Further, the terminal 200 acquires the terminal position information at predetermined time intervals and transmits the terminal position information to the control device 300. Specifically, after the control device 300 permits the terminal 200 to use the privileged ID of the managed server 310, the position information acquisition unit 202 acquires the terminal position information at predetermined time intervals. Then, after the control device 300 permits the terminal 200 to use the privileged ID of the managed server 310, the ID management relay unit 201 transmits the terminal position information to the control device 300 at predetermined time intervals.

Hereinafter, the control device 300 will be described in detail.

When the management target server 310 authenticates the connected user authentication information transmitted from the terminal 200, the ID usage management unit 301 uses the privileged ID (first) based on the terminal location information and the time when the terminal location information is received. It is determined whether or not to allow the terminal 200 to use the ID) of 1. In the following description, the time when the ID usage management unit 301 receives the terminal position information is also referred to as a usage determination time.

Specifically, when the managed server 310 authenticates the connected user authentication information transmitted from the terminal 200, the difference between the position of the terminal 200 and the position for which the usage application has been applied in advance is equal to or less than the distance threshold value. Suppose that is the case. Further, it is assumed that the usage determination time is after the predetermined usage start time and is less than the predetermined usage end time. In that case, the ID usage management unit 301 permits the terminal 200 to use the first ID. Here, it is assumed that the managed server 310 is the managed server 310 to be connected to the terminal 200. Further, the usage start time and the usage end time shall be the times registered in advance as the usage application information.

Further, it is assumed that the ID usage management unit 301 receives the terminal position information from the terminal 200 after permitting the terminal 200 to use the privileged ID in the management target server 310. In that case, the ID usage management unit 301 determines whether or not to allow the terminal 200 to use the privileged ID corresponding to the management target server 310 to be connected, based on the terminal location information and the usage determination time. ..

Further, after the ID usage management unit 301 permits the terminal 200 to use the privileged ID corresponding to the management target server 310 to be connected, at least one of the terminal location information and the usage determination time satisfies a predetermined condition. Suppose it's gone. In that case, the ID usage management unit 301 disables the privileged ID from the terminal 200.

Specifically, the ID usage management unit 301 permits the terminal 200 to use the privileged ID corresponding to the management target server 310 to be connected, and then determines the position of the terminal 200 and the work place for which the usage has been applied in advance. It is assumed that the distance exceeds the distance threshold applied in advance. In that case, the ID usage management unit 301 disables the privileged ID from the terminal 200.

Further, it is assumed that the ID usage management unit 301 permits the terminal 200 to use the privileged ID corresponding to the management target server 310 to be connected, and then the usage determination time exceeds the usage application time for which the usage application has been applied in advance. In that case, the ID usage management unit 301 disables the privileged ID from the terminal 200.

Further, it is assumed that the ID usage management unit 301 receives the terminal position information from the terminal 200 after disabling the privileged ID corresponding to the management target server 310 to be connected from the terminal 200. Then, in that case, it is assumed that the usage determination time is after the usage start time for which the usage application has been applied in advance and is less than the usage end time for which the usage application has been applied in advance. In that case, the ID usage management unit 301 permits the terminal 200 to use the privileged ID corresponding to the managed server 310 again based on the received terminal location information. Specifically, if the received terminal position information satisfies a predetermined condition, the terminal 200 is permitted again.

Next, the operation of the management system 1 according to the present embodiment will be described in detail.

First, a process of registering a working user will be described with reference to FIG.

In step A1, the management server control unit 104 accepts the input of the work user ID and the password.

For example, the administrator of the management server 100 uses an input device (keyboard or the like (not shown)) connected to the management server 100 to input a work user ID and a password corresponding to the work user ID. You may. Alternatively, for example, the administrator of the management server 100 may input the work user ID and the password corresponding to the work user ID by using an information processing device (computer) different from that of the management server 100. .. Then, the information processing apparatus different from the management server 100 may transmit the input work user ID and the password corresponding to the work user ID to the management server 100. In that case, the information processing apparatus may transmit the work user ID and the password corresponding to the work user ID to the management server 100 via a network (for example, the Internet).

Hereinafter, similarly, the administrator of the management server 100 may input information by using an input device (keyboard or the like (not shown)) connected to the management server 100, and a detailed description thereof will be given. Is omitted. Further, similarly, similarly, the administrator of the management server 100 may input information by using an information processing device (computer) different from that of the management server 100, and detailed description thereof will be omitted. Further, in that case, as described above, the information processing apparatus may transmit the input information to the management server 100 via the network (for example, the Internet), and detailed description thereof will be omitted. ..

In step A2, the management server control unit 104 registers the input work user ID and password in the work user table 107.

Next, the process of registering the server connection information and the connected user authentication information will be described with reference to FIG. 7.

In step A11, the management server control unit 104 inputs the management target server information including the server connection information, the connection user authentication information, the registration position information, and the distance threshold for one or more managed servers 310. Accept. Here, it is assumed that the input connection user authentication information is registered in advance in the managed server 310.

In step A12, the management server control unit 104 registers the management target server information that has received the input in the management target server table 106.

In step A13, the management server control unit 104 receives the input of the registration position information and the distance threshold value for the management target server 310 registered in the ID management database 102 and corresponding to the management target server information. In step A14, the management server control unit 104 registers the input registration position information and the distance threshold value in the management target server table 106.

Next, the process of registering the application information will be described with reference to FIG.

In step A21, the usage application management unit 103 receives usage application information for one or more managed servers 310. Specifically, the usage application management unit 103 includes a managed server ID, a privileged ID, an application target authority, a usage start time, and a usage end time with respect to one or more managed servers 310. , Accept usage application information.

In step A22, the usage application management unit 103 presents the received usage application information to the administrator of the management server 100 (that is, the person who approves the usage application). Specifically, the usage application management unit 103 includes a managed server ID, a privileged ID, an application target authority, a usage start time, and a usage end time with respect to one or more managed servers 310. , The usage application information is presented to the administrator of the management server 100 and the like.

For example, the usage application management unit 103 may output the received usage application information using a display device (display or the like (not shown)). Alternatively, the usage application management unit 103 transmits the received usage application information to the information processing device (for example, a PC (Personal Computer)) used by the administrator of the management server 100 via the network (Internet or the like). You may. There are various methods for presenting the received usage application information to the administrator of the management server 100 (that is, the person who approves the usage application), but the details thereof are not limited.

The administrator or the like of the management server 100 confirms the presented usage application information. When approving the usage application information, the administrator or the like of the management server 100 executes a predetermined approval operation. For example, the usage application management unit 103 may display the "approval" button on the display screen. Then, when approving the usage application information, the administrator or the like of the management server 100 may execute the approval operation by pressing the "approval" button.

In step A23, the usage application management unit 103 accepts an approval operation by the administrator of the management server 100 or the like with respect to the received usage application information. In step A24, the usage application management unit 103 registers the approved usage application information in the usage application information table 105.

Next, the operation of the management system 1 will be described with reference to FIG. In the following description, it is assumed that the management server 100 has already executed the processes shown in FIGS. 6 to 8. That is, it is assumed that the management server 100 has already registered the necessary information in the ID management database 102. That is, it is assumed that the management server 100 has already registered information in the work user table 107, the management target server table 106, and the usage application information table 105, respectively.

In step S1, the terminal 200 requests authentication of the working user. Specifically, the ID management relay unit 201 transmits the work user ID and the password to the management server 100, and requests the authentication of the work user. Here, it is assumed that the terminal 200 can be connected to the management server 100 via a network (second network) different from the managed server network 400.

In step S2, the management server 100 authenticates the working user. Specifically, the management server control unit 104 receives the work user ID and password from the terminal 200. Then, the management server control unit 104 determines whether or not the received work user ID and password are registered in the work user table 107.

If the received work user ID and password are not registered in the work user table 107, the management server control unit 104 does not authenticate the work user for which authentication is requested. In that case, the management server control unit 104 notifies the terminal 200 of the authentication request source that the work user for which the authentication request is not authenticated is not authenticated.

When the received work user ID and password are registered in the work user table 107, the management server control unit 104 authenticates the work user for which authentication is requested. In the following description, the case where the management server control unit 104 authenticates the work user for which the authentication is requested will be described.

In step S3, when the work user is authenticated, the management server 100 acquires a list of managed servers 310 corresponding to the work user. Specifically, the management server control unit 104 refers to the usage application information table 105, and acquires one or more managed server IDs corresponding to the authenticated work user as a list of the managed servers 310.

In step S4, the management server 100 transmits the acquired list of managed servers 310 to the terminal 200. In step S5, the terminal 200 receives the list of managed servers 310.

In step S6, the terminal 200 determines the managed server ID corresponding to the managed server 310 which is the target of the usage application based on the operation of the user. Specifically, the ID management relay unit 201 displays a list of received managed server IDs on the display screen of the terminal 200. The user of the terminal 200 selects the managed server ID of the usage application target from the displayed list of managed server IDs. Then, the ID management relay unit 201 determines the management target server ID selected by the user as the management target server ID corresponding to the management target server 310 which is the usage application target.

In step S7, the terminal 200 transmits the determined managed server ID. In step S8, the management server 100 receives the management target server ID.

In step S9, the management server 100 transmits the management target server information including the server connection information, the connection user authentication information, the registration position information, and the distance threshold, and the usage application information to the terminal 200. Specifically, the management server control unit 104 refers to the management target server table 106 and acquires the management target server information corresponding to the received management target server ID. Here, the managed server information includes server connection information, connection user authentication information, registration position information, and distance threshold value. Further, the management server control unit 104 refers to the usage application information table 105 and acquires the usage application information corresponding to the received management target server ID. Then, the management server control unit 104 transmits the acquired management target server information and the usage application information to the terminal 200.

In step S10, the terminal 200 receives the managed server information and the usage application information.

Here, the ID management relay unit 201 may display the server connection information among the received managed server information on the display screen of the terminal 200. Further, the ID management relay unit 201 may display the received usage application information on the display screen of the terminal 200.

It is assumed that the management system 1 prohibits the user from directly logging in to the managed server 310 using the connected user ID. In that case, it is preferable that the ID management relay unit 201 does not present the connected user authentication information to the user among the received managed server information.

In step S11, the terminal 200 connects to the managed server 310 by using the server connection information among the received managed server information. Then, the process proceeds to step S21 shown in FIG.

Next, the operation of the management system 1 will be continuously described with reference to FIG. In the following description, it is assumed that the terminal 200 can be connected to the control device 300 and the managed server 310 via the managed server network 400. That is, in the following description, it is assumed that the user operates the terminal 200 at a place where the managed server network 400 can be connected.

In step S21, the terminal 200 transmits the received management target server information, the usage application information, and the terminal position information to the control device 300. Specifically, the position information acquisition unit 202 acquires terminal position information indicating the position of the own terminal 200. Then, the ID management relay unit 201 transmits the received management target server information, the usage application information, and the acquired terminal position information to the control device 300.

In step S22, the control device 300 receives the management target server information, the usage application information, and the terminal position information.

In step S23, the control device 300 transmits the connected user authentication information to the managed server 310 for which the usage application has been applied, and requests user authentication. Specifically, the ID usage management unit 301 connects to the management target server 310 by using the server connection information among the received management target server information. Then, the ID usage management unit 301 transmits the connection user authentication information to the connected management target server 310, and requests the authentication of the connection user. Specifically, the ID usage management unit 301 transmits the connection user ID and the password to the connected management target server 310, and requests the authentication of the connection user.

In step S24, the managed server 310 executes user authentication by using the connected user authentication information. For example, when the OS (Operating System) of the managed server 310 is Linux (registered trademark), user authentication may be executed by using ssh. Further, for example, the managed server 310 may execute user authentication by using PowerShell when the OS is Windows (registered trademark). Of course, the managed server 310 may execute user authentication by using a method according to the operating environment. Then, the managed server 310 responds to the control device 300 with the result of the authentication of the connected user (step S25).

In step S26, the control device 300 determines whether or not the authentication of the connected user is successful. If the authentication of the connected user is successful (Yes branch in step S26), the process proceeds to step S101 shown in FIG. When the authentication of the connected user fails (No branch in step S26), the ID usage management unit 301 sends a notification of the usage application failure to the terminal 200 (step S27). Then, the terminal 200 receives the notification of the failure of the usage application (step S28).

Next, the operation of the control device 300 will be described continuously with reference to FIG. 11.

In step S101, the ID usage management unit 301 determines whether or not the difference between the position of the terminal 200 and the position for which usage is applied in advance is equal to or less than a predetermined distance threshold value. Specifically, the ID usage management unit 301 compares the terminal location information with the registered location information included in the usage application information. Then, in the ID usage management unit 301, the difference between the terminal location information and the registered location information included in the usage application information (for example, the place where the user of the terminal 200 is scheduled to work) is equal to or less than the distance threshold value included in the usage application information. The ID usage management unit 301 determines whether or not this is the case.

If the difference between the position of the terminal 200 and the position for which use has been applied in advance exceeds a predetermined distance threshold value (No branch in step S101), the process proceeds to step S103. In step S103, the ID usage management unit 301 determines that the use of the applied privileged ID is not permitted on the managed server 310 for which the privileged ID has been applied for. Then, the process proceeds to step S106.

On the other hand, when the difference between the position of the terminal 200 and the position for which the use has been applied in advance is equal to or less than the predetermined distance threshold value (Yes branch in step S101), the process proceeds to step S102.

In step S102, the ID usage management unit 301 determines whether or not the time when the terminal position information is received is the time between the usage start time and the usage end time included in the usage application information. That is, the ID usage management unit 301 determines whether or not the usage determination time is after the predetermined usage start time and less than the predetermined usage end time.

If the time when the terminal position information is received is not the time between the usage start time and the usage end time included in the usage application information (No branch in step S102), the process proceeds to step S103. In step S103, the ID usage management unit 301 determines that the use of the applied privileged ID is not permitted on the managed server 310 for which the privileged ID has been applied for. Then, the process proceeds to step S106.

On the other hand, if the time when the terminal position information is received is the time between the usage start time and the usage end time included in the usage application information (Yes branch in step S102), the process transitions to step S104. In step S104, the ID usage management unit 301 permits the terminal 200 to use the applied privileged ID on the management target server 310 for which the usage application has been applied.

In step S105, the ID usage management unit 301 sets the application target authority for the applied privileged ID on the management target server 310. Here, the ID usage management unit 301 may set a password for the privileged ID that has been permitted to be used. For example, the ID usage management unit 301 may create a random password as the password corresponding to the privileged ID.

In step S106, the ID usage management unit 301 transmits information and the like regarding the availability of the privileged ID to the terminal 200. Specifically, the ID usage management unit 301 transmits information regarding the availability of the privileged ID to the terminal 200. Further, when the ID usage management unit 301 sets a password for the privileged ID that has been permitted to be used, the ID usage management unit 301 notifies the terminal 200 of the set password.

When the terminal 200 receives the information regarding the availability of the privileged ID, the ID management relay unit 201 displays the information regarding the availability of the privileged ID on the display screen of the terminal 200. Further, when the terminal 200 receives the password corresponding to the privileged ID, the ID management relay unit 201 displays the received password on the display screen of the terminal 200. In that case, the user of the terminal 200 logs in to the managed server 310 by using the displayed password, and performs work on the managed server 310.

Next, with reference to FIG. 12, the processing after the control device 300 permits the terminal 200 to use the privileged ID of the managed server 310 will be described.

In step S201, the ID usage management unit 301 determines whether or not the terminal position information has been received from the terminal 200 at predetermined time intervals. Specifically, regarding the privileged ID of the managed server 310, the ID usage management unit 301 determines whether or not the terminal position information is received from the terminal 200 permitted to be used at a predetermined time interval.

When the ID usage management unit 301 receives the terminal position information from the terminal 200 (Yes branch in step S201), the process proceeds to step S202. On the other hand, when the ID usage management unit 301 has not received the terminal position information from the terminal 200 (No branch in step S201), the process proceeds to step S203.

In step S202, the ID usage management unit 301 determines whether or not the difference between the position of the terminal 200 and the position for which usage has been applied in advance is equal to or less than a predetermined distance threshold value. That is, the same processing as in step S101 shown in FIG. 11 is performed.

If the difference between the position of the terminal 200 and the position for which use has been applied in advance exceeds a predetermined distance threshold value (No branch in step S202), the process proceeds to step S203. In step S203, the ID usage management unit 301 disables the privileged ID for which usage has been applied on the management target server 310. Then, the process proceeds to step S207.

On the other hand, when the difference between the position of the terminal 200 and the position for which the use has been applied in advance is equal to or less than the predetermined distance threshold value (Yes branch in step S202), the process proceeds to step S204.

In step S204, the ID usage management unit 301 determines whether or not the application target authority is set for the privileged ID for which the usage application has been applied on the management target server 310. If the authority to be applied for is set for the privileged ID for which the use is applied on the managed server 310 (Yes branch in step S204), the process proceeds to step S208.

On the other hand, if the privilege to be applied for is not set for the privileged ID on the managed server 310 (No branch in step S204), the process proceeds to step S205. In step S205, the ID usage management unit 301 makes the privileged ID for which the usage application is applied available on the management target server 310 for which the usage application is applied for the privileged ID. That is, after disabling the privileged ID for which the use has been applied from the terminal 200, the ID usage management unit 301 uses the privileged ID when the terminal position information and the usage determination time satisfy predetermined conditions. Allow terminal 200.

In step S206, the ID usage management unit 301 sets the authority of the application target for the privileged ID for which the usage application has been applied on the management target server 310.

In step S207, the ID usage management unit 301 transmits the availability of the privileged ID to the terminal.

In step S208, the ID usage management unit 301 determines whether or not the current time has exceeded the usage end time. If the current time does not exceed the usage end time (No branch in step S208), the process returns to step S201 and the process is continued. On the other hand, when the current time exceeds the usage end time (Yes branch in step S208), the ID usage management unit 301 disables the applied privileged ID on the managed server 310 (step S209). .. Then, the ID usage management unit 301 notifies the terminal 200 that the applied privileged ID has been disabled.

As described above, in the management system 1 according to the present embodiment, the control device 300 uses the privileged ID of the management target server 310 from an external device (that is, the terminal 200) different from the management target device 1010. Allow that. Further, in the management system 1 according to the present embodiment, the control device 300 determines whether or not to allow the terminal 200 to use the privileged ID in the managed server 310 based on the position and time of the terminal 200. .. Specifically, in the management system 1 according to the present embodiment, when the worker (user of the terminal 200) is at the position requested in advance within the time requested in advance, the control device 300 manages the control device 300. Make the privileged ID of the target server 310 available. As a result, the management system 1 according to the present embodiment contributes to reducing the security risk of the managed server 310 while improving the convenience of the user.

Further, in the management system 1 according to the present embodiment, the control device 300 uses the privileged ID of the managed server 310 when the terminal position information is not received at a predetermined time interval after permitting the use of the privileged ID. Disable. For example, suppose that the user of the terminal 200 ends the use of the privileged ID and turns off the power of the terminal 200. When the power of the terminal 200 is turned off, the control device 300 cannot receive the terminal position information at a predetermined time interval. In that case, the control device 300 disables the privileged ID of the managed server 310. That is, in the situation where the user does not actually use the privileged ID, the management system 1 according to the present embodiment makes the privileged ID unusable. Therefore, the management system 1 according to the present embodiment contributes to appropriately protecting the management target server 310 according to the situation while improving the convenience of the user.

Further, in the management system 1 according to the present embodiment, the control device 300 and the management target server 310 are arranged in a LAN (managed server network 400). Further, in the management system 1 according to the present embodiment, the terminal 200 connects to the management server 100 via a network different from the managed server network 400. Therefore, the management system 1 according to the present embodiment can manage the privileged ID of the managed server 310 existing in the LAN. As a result, the management system 1 according to the present embodiment contributes to reducing the security risk of the managed server 310 existing in the LAN while improving the convenience of the user.

In the above description, the mode in which the management server 100 transmits the management target server ID corresponding to the authenticated work user to the terminal 200 as a list of the management target servers 310 has been described. Here, of course, the management server 100 may transmit the registered position information, the distance threshold value, and the like in association with the management target server ID as a list of the management target servers 310. The details of the list of managed servers 310 transmitted from the management server 100 to the terminal 200 are not limited as long as they are information that can be used when the user selects the managed server 310 to be applied for use.

Further, the terminal 200 may transmit the terminal position information to the management server 100 together with the authentication request of the working user. Then, when the work user is authenticated, the management server 100 refers to the management target server table 106 and may specify the management target server 310 in which the difference between the terminal position information and the registered position information is within a predetermined range. good. Then, the management server 100 may transmit the management target server ID of the specified management target server 310 to the terminal 200 as a list of the management target servers 310.

Further, a QR (Quick Response) code (registered trademark) including a managed server ID may be pasted on the managed server 310. Further, in the present modification 1, the terminal 200 is provided with a camera (not shown). In that case, the terminal 200 takes a picture of the QR code attached to the managed server 310 using the camera, and reads the information stored in the QR code (that is, the information including the managed server ID). The terminal 200 transmits the read information to the management server 100. The management server 100 refers to the managed server table 106, and acquires the managed server information based on the received managed server ID. Further, the management server 100 refers to the usage application information table 105 and acquires the usage application information based on the received management target server ID. Then, the management server 100 may transmit the acquired management target server information and the usage application information to the terminal 200.

Further, in the above description, the mode in which the control device 300 controls the availability of the privileged ID of the information processing device (managed server 310) has been described. However, this does not mean that the control target of the control device 300 is limited to the management target server 310. The managed device may be a network device. In that case, the control device 300 may connect to a network device (that is, a managed device) and control the availability of the privileged ID in the network device.

Further, for example, the control device 300 may control a system including two or more information processing devices. Specifically, the control device 300 may connect to the system and control the availability of the privileged ID in the system. The control target of the control device 300 may be any device to which a privileged ID is set, and the type thereof does not matter.
The present invention is also described in the following appendix.
(Appendix 1)
A managed device that can be operated using a first ID with a predetermined authority, and
A control device that controls the managed device and
A terminal that acquires terminal position information indicating the position of its own terminal and transmits the terminal position information to the control device.
Including
The control device requests the management target device to authenticate the terminal, and when the management target device authenticates the terminal, the first control device is based on the terminal position information and the usage determination time. A management system including an ID usage management unit that determines whether or not to permit the use of an ID to the terminal.
(Appendix 2)
The terminal acquires the terminal position information at predetermined time intervals, transmits the terminal position information to the control device, and receives the terminal position information.
When the management target device authenticates the terminal and then receives the terminal position information from the terminal, the ID usage management unit receives the terminal position information from the terminal, and the connection target is based on the terminal position information and the usage determination time. The management system according to Appendix 1, which determines whether or not to permit the terminal to use the first ID corresponding to the managed device.
(Appendix 3)
The terminal transmits the registered position information and the distance threshold value to the control device.
The ID usage management unit determines the usage when the managed device authenticates the terminal and the difference between the terminal position information and the registered position information is equal to or less than the distance threshold. The management system according to Appendix 1 or 2, which permits the terminal to use the first ID when the time is after the predetermined usage start time and is less than the predetermined usage end time.
(Appendix 4)
The ID usage management unit receives the terminal position information from the terminal after disabling the first ID corresponding to the management target device to be connected from the terminal, and the usage determination time is set. If it is after the usage start time and less than the usage end time, the terminal is again permitted to use the first ID corresponding to the managed device based on the terminal position information. The management system according to 3.
(Appendix 5)
The managed device can be connected by using a second ID different from the first ID.
The terminal transmits the authentication information corresponding to the second ID and the terminal position information to the control device.
When the ID utilization management unit receives the authentication information, the management target device requests the management target device to authenticate the authentication information, and when the management target device authenticates the authentication information transmitted from the terminal, the authentication information is described. In any one of Appendix 1 to 4, which determines whether or not to permit the use of the first ID based on the terminal position information and the usage determination time when the terminal position information is received. The management system described.
(Appendix 6)
Control the managed device that can be operated using the first ID with the predetermined authority,
When the managed device is requested to authenticate the terminal and the managed device authenticates the terminal, the first ID is used based on the terminal position information indicating the position of the terminal and the usage determination time. A control device including an ID utilization management unit that determines whether or not to permit the terminal.
(Appendix 7)
The process of acquiring terminal position information indicating the position of the terminal, and
A process of requesting authentication of the terminal from a managed device, which can be operated by using a first ID having a predetermined authority, and a process of requesting authentication of the terminal.
When the terminal is authenticated, a step of determining whether or not to permit the use of the first ID to the terminal based on the terminal position information and the usage determination time, and a step of determining.
Management methods performed by the computer that controls the control unit, including.
(Appendix 8)
Processing to receive terminal position information indicating the position of the terminal from the terminal,
A process of requesting terminal authentication from a managed device, which can be operated by using a first ID having a predetermined authority, and
When the terminal is authenticated, a process of determining whether or not to allow the terminal to use the first ID based on the terminal position information and the usage determination time.
Is a program that causes the computer that controls the control device to execute.
The present invention is also described as follows.
(Form 1)
A managed device that can be operated using a first ID with a predetermined authority, and
A control device that controls the managed device and
A terminal that transmits terminal position information indicating the position of its own terminal to the control device, and
Including
The control device requests the managed device to authenticate the second ID for using the first ID, and when the managed device authenticates the second ID, the terminal can be used. A management system that determines whether or not to allow the terminal to use the first ID based on the first time when the terminal position information is received.
(Form 2)
A managed device that can be operated using a first ID with a predetermined authority, and
A control device that controls the managed device and
A terminal that transmits terminal position information indicating the position of its own terminal to the control device, and
Including
The control device requests the managed device to authenticate the second ID for using the first ID, and when the managed device authenticates the second ID, the terminal can be used. A management system that determines whether or not to allow the terminal to use the first ID based on the terminal position information received at the first time.
(Form 3)
After permitting the terminal to use the first ID, the control device obtains the first ID permitted to be used when the terminal position information is not received from the terminal at the first time interval. Make it unavailable,
The management system according to Form 1 or 2.
(Form 4)
The control device stores a start time and an end time, which are time ranges in which the use of the first ID is permitted.
When the first time is outside the range of the start time and the end time of the previous period, it is determined whether or not to use the first ID.
The management system according to any one of embodiments 1 to 3.
(Form 5)
When the current time exceeds the end time after permitting the terminal to use the first ID, the control device disables the first ID for which the use is permitted.
The management system according to the fourth embodiment.
(Form 6)
The managed device that can be operated is controlled by using the first ID having a predetermined authority.
Receive terminal position information indicating the position of the terminal from the terminal,
When the management target device is requested to authenticate the second ID for using the first ID and the management target device authenticates the second ID, the terminal position information is received from the terminal. A control device for determining whether or not to permit the terminal to use the first ID based on the first time.
(Form 7)
The managed device that can be operated is controlled by using the first ID having a predetermined authority.
Receive terminal position information indicating the position of the terminal from the terminal,
When the management target device is requested to authenticate the second ID for using the first ID and the management target device authenticates the second ID, the terminal performs the first time. A control device that determines whether or not to allow the terminal to use the first ID based on the received terminal position information.
(Form 8)
After permitting the terminal to use the first ID, the control device obtains the first ID permitted to be used when the terminal position information is not received from the terminal at the first time interval. Make it unavailable,
The control device according to embodiment 6 or 7.
(Form 9)
The start time and end time, which are the time ranges in which the use of the first ID is permitted, are stored.
When the first time is outside the range of the start time and the end time of the previous period, it is determined whether or not to use the first ID.
The control device according to any one of embodiments 6 to 8.
(Form 10)
When the current time exceeds the end time after permitting the terminal to use the first ID, the control device disables the first ID for which the use is permitted.
The control device according to the ninth embodiment.
(Form 11)
The process of receiving terminal position information indicating the position of the terminal from the terminal, and
A process of requesting the managed device to authenticate the second ID for using the first ID, which can be operated by using the first ID having a predetermined authority.
When the second ID is authenticated, a step of determining whether or not to allow the terminal to use the first ID based on the first time when the terminal position information is received from the terminal. ,
Management methods performed by the computer that controls the control unit, including.
(Form 12)
The process of receiving terminal position information indicating the position of the terminal from the terminal, and
A process of requesting the managed device to authenticate the second ID for using the first ID, which can be operated by using the first ID having a predetermined authority.
When the second ID is authenticated, a step of determining whether or not to allow the terminal to use the first ID based on the terminal position information received from the terminal at the first time. ,
Management methods performed by the computer that controls the control unit, including.
(Form 13)
A step of disabling the first ID that has been permitted to be used when the terminal position information is not received from the terminal at the first time interval after permitting the terminal to use the first ID. ,
The management method according to the form 11 or 12, comprising the above.
(Form 14)
A step of determining whether or not to use the first ID when the first time is outside the range of the start time and the end time, which is the time range in which the use of the first ID is permitted.
The management method according to any one of the forms 11 to 13, comprising the above.
(Form 15)
A step of disabling the first ID for which use is permitted when the current time exceeds the end time after permitting the terminal to use the first ID.
The management method according to the form 14, comprising the above.
(Form 16)
Processing to receive terminal position information indicating the position of the terminal from the terminal,
A process of requesting the managed device to authenticate the second ID for using the first ID, which can be operated by using the first ID having a predetermined authority.
When the second ID is authenticated, a process of determining whether or not to allow the terminal to use the first ID based on the first time when the terminal position information is received from the terminal. ,
Is a program that causes the computer that controls the control device to execute.
(Form 17)
Processing to receive terminal position information indicating the position of the terminal from the terminal,
A process of requesting the managed device to authenticate the second ID for using the first ID, which can be operated by using the first ID having a predetermined authority.
When the second ID is authenticated, a process of determining whether or not to allow the terminal to use the first ID based on the terminal position information received from the terminal at the first time. ,
Is a program that causes the computer that controls the control device to execute.

The disclosure of the above patent documents shall be incorporated into this document by citation. Within the framework of the entire disclosure (including the scope of claims) of the present invention, the embodiments can be changed and adjusted based on the basic technical idea thereof. Further, various combinations or selections of various disclosure elements (including each element of each claim, each element of each embodiment, each element of each drawing, etc.) are possible within the framework of all disclosure of the present invention. be. That is, it goes without saying that the present invention includes all disclosure including claims, various modifications and modifications that can be made by those skilled in the art in accordance with the technical idea. In particular, with respect to the numerical range described in this document, any numerical value or small range included in the range should be construed as being specifically described even if not otherwise described. In the present invention, it is self-evident that a computer will be used when an algorithm, software, or flowchart or automated process step is shown, and it is also self-evident that the computer will be equipped with a processor and memory or storage device. be. Therefore, even if the specification is lacking, it is understood that these elements are naturally described in the present application.

1, 1000 Management system 100 Management server 101 Management server storage 102 ID management database 103 Usage application management unit 104 Management server control unit 105 Usage application information table 106 Managed server table 107 Working user table 200, 1030 Terminal 201 ID management relay unit 202 Location information acquisition unit 300, 1020 Control device 301, 1021 ID usage management unit 310, 310a, 310b Managed server 400 Managed server network 1010 Managed device

Claims (17)

A managed device that can be operated using a first ID with a predetermined authority, and
A control device that controls the managed device and
A terminal that transmits terminal position information indicating the position of its own terminal to the control device, and
Including
The control device requests the managed device to authenticate the second ID for using the first ID, and when the managed device authenticates the second ID, the terminal can be used. A management system that determines whether or not to allow the terminal to use the first ID based on the first time when the terminal position information is received. A managed device that can be operated using a first ID with a predetermined authority, and
A control device that controls the managed device and
A terminal that transmits terminal position information indicating the position of its own terminal to the control device, and
Including
The control device requests the managed device to authenticate the second ID for using the first ID, and when the managed device authenticates the second ID, the terminal can be used. A management system that determines whether or not to allow the terminal to use the first ID based on the terminal position information received at the first time. After permitting the terminal to use the first ID, the control device obtains the first ID permitted to be used when the terminal position information is not received from the terminal at the first time interval. Make it unavailable,
The management system according to claim 1 or 2. The control device stores a start time and an end time, which are time ranges in which the use of the first ID is permitted.
When the first time is outside the range of the start time and the end time of the previous period, it is determined whether or not to use the first ID.
The management system according to any one of claims 1 to 3. When the current time exceeds the end time after permitting the terminal to use the first ID, the control device disables the first ID for which the use is permitted.
The management system according to claim 4. The managed device that can be operated is controlled by using the first ID having a predetermined authority.
Receive terminal position information indicating the position of the terminal from the terminal,
When the management target device is requested to authenticate the second ID for using the first ID and the management target device authenticates the second ID, the terminal position information is received from the terminal. A control device for determining whether or not to permit the terminal to use the first ID based on the first time. The managed device that can be operated is controlled by using the first ID having a predetermined authority.
Receive terminal position information indicating the position of the terminal from the terminal,
When the management target device is requested to authenticate the second ID for using the first ID and the management target device authenticates the second ID, the terminal performs the first time. A control device that determines whether or not to allow the terminal to use the first ID based on the received terminal position information. After permitting the terminal to use the first ID, the control device obtains the first ID permitted to be used when the terminal position information is not received from the terminal at the first time interval. Make it unavailable,
The control device according to claim 6 or 7. The start time and end time, which are the time ranges in which the use of the first ID is permitted, are stored.
When the first time is outside the range of the start time and the end time of the previous period, it is determined whether or not to use the first ID.
The control device according to any one of claims 6 to 8. When the current time exceeds the end time after permitting the terminal to use the first ID, the control device disables the first ID for which the use is permitted.
The control device according to claim 9. The process of receiving terminal position information indicating the position of the terminal from the terminal, and
A process of requesting the managed device to authenticate the second ID for using the first ID, which can be operated by using the first ID having a predetermined authority.
When the second ID is authenticated, a step of determining whether or not to allow the terminal to use the first ID based on the first time when the terminal position information is received from the terminal. ,
Management methods performed by the computer that controls the control unit, including. The process of receiving terminal position information indicating the position of the terminal from the terminal, and
A process of requesting the managed device to authenticate the second ID for using the first ID, which can be operated by using the first ID having a predetermined authority.
When the second ID is authenticated, a step of determining whether or not to allow the terminal to use the first ID based on the terminal position information received from the terminal at the first time. ,
Management methods performed by the computer that controls the control unit, including. A step of disabling the first ID that has been permitted to be used when the terminal position information is not received from the terminal at the first time interval after permitting the terminal to use the first ID. ,
The management method according to claim 11 or 12, comprising the above. A step of determining whether or not to use the first ID when the first time is outside the range of the start time and the end time, which is the time range in which the use of the first ID is permitted.
The management method according to any one of claims 11 to 13, comprising the above. A step of disabling the use of the first ID, which is permitted to be used, when the current time exceeds the end time after the terminal is permitted to use the first ID.
14. The management method according to claim 14. Processing to receive terminal position information indicating the position of the terminal from the terminal,
A process of requesting the managed device to authenticate the second ID for using the first ID, which can be operated by using the first ID having a predetermined authority.
When the second ID is authenticated, a process of determining whether or not to allow the terminal to use the first ID based on the first time when the terminal position information is received from the terminal. ,
Is a program that causes the computer that controls the control device to execute. Processing to receive terminal position information indicating the position of the terminal from the terminal,
A process of requesting the managed device to authenticate the second ID for using the first ID, which can be operated by using the first ID having a predetermined authority.
When the second ID is authenticated, a process of determining whether or not to allow the terminal to use the first ID based on the terminal position information received from the terminal at the first time. ,
Is a program that causes the computer that controls the control device to execute.

Images