JP2024044982A - Authority management system for business systems - Google Patents

Abstract

[Problem] To provide a means for reducing the burden of authority setting work on a system administrator. [Solution] An authority management system A can grant authority to use one or more business systems B connected via a network to a user C according to preset authority information, and includes at least a simulation unit 10 that simulates the setting status of authority to use each business system B for user C based on simulation conditions input by a system administrator D, and outputs as a simulation result a user for whom authority to use a certain business system is set in a mixed manner, with both authority granted and excluded. [Selected Figure] Figure 1

Description

The present invention provides an authority management system that can grant usage authority for one or more business systems connected via a network to a user according to preset authority information. Related to an authority management system that allows simulation of setting conditions.

For business systems that include groupware such as email sending and receiving, document creation, and CAD, it is common for in-house system administrators to set usage permissions for individuals or groups based on employee attributes (company name, department name, job title, employee classification, etc.).
In recent years, rights management systems capable of collectively managing the rights to use a plurality of business systems have been developed, and the applicant has also developed a system described in Patent Document 1 below.

Patent No. 6716655

Some authority management systems are equipped with a so-called reservation setting function, which allows users to input information for changing the settings of usage rights for each business system in advance and then execute the setting changes on the actual change date (such as the date on which personnel transfers are announced).
However, this reservation setting function only allows the system administrator to check whether the permissions have been set as intended after the reservation settings have actually been reflected. If the permissions have been set in an unintended manner, the system administrator will be faced with a large mental and time burden as he or she will be busy responding to inquiries from employees and correcting the permission settings on the day of the change.

Therefore, the present invention aims to provide a means to reduce the burden on system administrators in setting permissions.

In order to solve the above problems, the present invention provides authority management for one or more business systems connected via a network, which allows users to be granted usage authority for each business system according to preset authority information. A system that simulates the setting status of usage rights for each business system for users based on simulation conditions input by the system administrator, and users who are set to have usage rights mixedly granted and excluded for a certain business system. The present invention is configured to include at least a simulation section that outputs the following as a simulation result.
According to this configuration, it is possible to simulate in advance the setting status of the usage authority at any date including the future, so that the system administrator can perform the authority setting work with plenty of time.
Also, from the simulation results, it is possible to easily understand which users have mixed usage authority settings.

Further, in the present invention, the simulation unit is provided with a function of displaying a simulation result screen on the display provided in the terminal used by the system administrator, and this simulation result screen includes at least a result display column, and the The display field includes an excluded person display column that lists users who have been set to have both permissions granted and excluded for a certain business system as users who have been excluded from being granted permissions to use that business system. It can also be configured.
According to this configuration, it is possible to easily understand users who are mixedly set to be granted and excluded from use of the business system.

Furthermore, in the present invention, a link that can transition to a setting confirmation screen for the authority information that is the exclusion condition for the usage authority can be provided in the excluded user display field.
With this configuration, it is possible to check the setting confirmation screen of a user who has been excluded, which is highly convenient when tracing the reason why authority settings have not been made as intended by the system administrator.

Furthermore, in the present invention, the simulation result screen can further include a condition display column, in which the reference date used in the simulation is displayed, and a reference date condition display column in which the reference date can be re-input as a new date, and a re-run button is provided to re-run the simulation based on the reference date displayed in the reference date condition display column and update the simulation result screen.
According to this configuration, it is possible to execute a simulation again on the simulation result screen without returning to the simulation execution screen.

In addition, in the present invention, the simulation unit is further provided with a function of displaying a simulation range setting screen and a simulation execution screen on the display provided in the terminal used by the system administrator. At least includes a narrowing field where narrowing conditions can be set, and a target display field with a link to transition to a simulation execution screen that targets any range from the range narrowed down by the narrowing conditions. On the simulation execution screen, a reference date input field where a reference date can be input is run, and a simulation is performed of the usage authority setting status on the reference date entered in the reference date input field, and the simulation result screen is displayed. The configuration may include at least an execution button that allows transition to.
According to this configuration, simulation targets can be narrowed down more quickly by only selecting on the display screen.

The present invention can reduce the burden on system administrators in setting permissions.

1 is a schematic diagram showing an overview of a rights management system according to the present invention. An image diagram showing the configuration of authority information. An image diagram showing the configuration of authority information after setting changes. An image of the simulation range setting screen (1). Image diagram (2) of the simulation range setting screen. Image diagram (3) of the simulation range setting screen. An image of the simulation execution screen. Image diagram of the simulation result screen (1). Image of the simulation result screen (2) Image diagram (1) of the authority setting confirmation screen. Image diagram (2) of the authority setting confirmation screen. FIG. 13 is an image showing the configuration of authority information after correction.

Embodiments of the present invention will be described below with reference to the drawings.

<1> Overall configuration (Figure 1)
The authority management system A according to the present invention is a system that allows each user C to set usage authority for one or more business systems B connected via a network. .
The authority management system A sets the usage authority of each user C for each business system B through the authority information setting work performed by the system administrator D.
In the present invention, the system administrator D refers to a person who has the authority to set authority in the authority management system A according to the present invention, and includes an employee who belongs to a company that introduces the authority management system A according to the present invention, This includes people who are commissioned by the company.

The authority management system A according to the present invention includes at least a simulation unit 10 , and further includes an authority setting unit 20 and an authority reflecting unit 30 in addition to the simulation unit 10 .
Each unit can be realized by a program installed on an information processing device such as a server, a PC, a smartphone, or a tablet.
The details of each part will be explained below.

<2> Authority setting section (Figure 1)
The authority setting unit 20 has a function of setting authority information for the user C based on input by the system administrator D.

<2.1> User In the present invention, user C refers to a person who uses business system B that manages usage authority with authority management system A according to the present invention, and has introduced authority management system A according to the present invention. This includes employees who belong to companies that do.
Further, the user C in the present invention includes not only a single user but also users who group a plurality of users C by attributes such as company name, department, employee classification, and position.

<2.2> Authority information (Fig. 2)
The authority information is information that specifies whether or not the user is authorized to use the business system B, the validity period of the authority (start date and/or end date), and the like.
In this embodiment, the authority information is configured by combining four types of information: "user information,""authoritygroup,""authority," and "authority rule."
FIG. 2 shows an image diagram of each piece of information constituting the authority information.

<2.2.1> User information (Figure 2(a))
FIG. 2(a) is an image diagram showing the structure of user information.
User information is information that assigns attributes (identification number, name, department, position, employee classification, etc.) to each user C.
For example, A, who is one of the users C, indicates that his department is "Human Resources Department," his title is "Section Manager," and his employee classification is "Full-time employee."
Further, C indicates that the department to which the person belongs is "Human Resources Department," the position is "None," and the employee classification is "Temporary Employee."

<2.2.2> Authority group (Figure 2(b))
FIG. 2(b) is an image diagram showing the structure of the authority group.
The authority group (item name: authority group name) is information in which each user C is divided into groups based on the attributes of the user C.
For example, an authority group whose authority group name is "All Employees (Document)" does not have any conditions 1 to 3, so all users C (A, B, and C in Figure 2 (a)) , Ding), and that the authority with the authority name ``All Employee Authority'' is applied to the group.
In addition, the authority group whose authority group name is "Human Resources Department (Human Resources)" has "Human Resources Department" in condition 1, so the user C who belongs to the Human Resources Department (A, B, C in Figure 2) This indicates that the group includes the following three people), and that the authority with the authority name ``Human Resources Department Authority'' is applied to the group.

<2.2.3> Authority (Fig. 2(c))
FIG. 2C is an image diagram showing the configuration of authorities.
The authority (item name: authority name) is information indicating which authority rule is to be applied among authority rules described later.
For example, an authority rule with an authority rule name of "Document System (All Employees)" is applied to an authority with an authority name of "All Employees Authority."
Further, an authority rule with the authority rule name "CAD system (all employees)" is applied to the authority with the authority name "Engineering department authority".
In FIG. 2C, one authority rule is applied to each of the "all employee authority,""personnel department authority," and "engineering department authority." However, in the present invention, multiple authority rules can also be applied to one authority.

<2.2.4> Authorization Rules (Fig. 2(d))
FIG. 2D is an image diagram showing the configuration of the authority rule.
The authority rule is information indicating the contents of authority.
The contents of the authority include the target business system B and the authority type in the business system B.
The authority type includes various types of usage authority, such as viewing authority, application authority, and approval authority, depending on the type of business system B.
For example, an authority rule with the authority rule name "Document System (All Employees)" is set to grant the authority to use the document system to the target to which the authority rule is applied.
In addition, an authority rule with the name "Human Resources System (Human Resources Department)" indicates that the authority to use the human resources system is granted with an exception setting that excludes temporary workers from those to whom the authority rule applies.
In this embodiment, the above-mentioned exception setting to exclude temporary workers is assumed to be an additional setting added after the fact to the initial setting, and it is difficult for system administrator D to understand from the name of the authority rule "Human Resources System (Human Resources Department)" that temporary workers are excluded from the targets to which the authority rule applies.
In addition, in this embodiment, the start date of the validity period for each authority rule is set to April 1, 2020, and no end date is set.

<2.3> When authority settings are mixed As a result of authority settings by the authority setting unit 20, user C belongs to multiple authority groups, multiple authority rule names are set for user C, or There may be a situation where settings for granting usage rights and exclusion settings for a certain business system B coexist due to settings for excluding users from being granted usage rights (hereinafter also referred to as "exclusion settings").
In this case, from the viewpoint of security, the authority management system A according to the present invention can be configured to select exclusion settings preferentially without granting usage authority.

<3> Authority reflection section (Figure 1)
The authority reflection unit 30 has a function of reflecting the settings in the authority setting unit 20 on each business system B.
In the present invention, the timing and method of authority reflection by the authority reflection unit 30 are not particularly limited, and therefore detailed explanation will be omitted.

<4> Simulation section (Fig. 1)
The simulation unit 10 has a function of simulating the setting status of the usage authority of each user C for each business system B based on the simulation conditions input by the system administrator D.

<4.1> Simulation conditions (Fig. 1)
The simulation conditions are information for specifying the scope of the simulation.
In the present invention, the simulation conditions include at least a reference date (a date on which the setting status of the usage authority is to be confirmed).
In addition, the simulation conditions may include attributes of user C (such as name, department, position, employee category, etc.), the authority group and authority mentioned above, the name of business system B, and the like.
By setting this item appropriately, the execution range of the simulation can be narrowed down and specified.

<4.2> Example of Output of Simulation Results In the present invention, the output of simulation results is not particularly limited, and may be displayed on a screen or generated and saved as a data file.
More specifically, the simulation results may be displayed on the screen of the terminal used by system administrator D, or may be output in a data format such as a tabular file such as CSV or a document file such as PDF. is possible.
Among these, details of an example in which the simulation results are displayed on a screen on a display provided in a terminal used by system administrator D will be described in the section <5.4> below.
System administrator D refers to the output simulation results and checks the usage authority setting status of each user C on the reference date, thereby confirming whether the usage authority has been set as intended. be able to.

<4.2.1> Result display when authority settings are mixed As explained in <2.3> above, settings for granting and excluding usage authority for a certain business system B to a certain user C If settings are mixed, this may be indicated in the screen display or data file output as a simulation result.
In the simulation results, if there is a mixture of granting and exclusion settings for a certain business system B for a certain user C, it may be necessary to change the setting of authority groups, the assignment of authority rules to authority, and the settings for authority rules. It is possible that the authority contents are set in a different way than system administrator D expected, so if you output the simulation results in a form that allows you to list user C who has mixed usage authority settings, Confirmation work on the system administrator D side becomes more efficient.

<5> Usage image (Fig. 2 to Fig. 12)
Next, as an example of how to use the authority management system A of the present invention, the flow of setting authority for user C, running a simulation of the authority setting status, viewing the simulation results, and reconfirming the authority setting status will be explained while referring to the screen displayed on the display of the terminal used by the system administrator D.

<5.1> Preconditions (Figure 2, Figure 3)
In this embodiment, a situation is assumed in which the authority setting unit 20 changes the setting from the authority information shown in FIG. 2 to the authority information shown in FIG. 3.

<5.1.1> Changes in authority information In the authority information shown in Figure 2, the authority rule name ``Human Resources System (Human Resources Department)'' set with the authority name ``Human Resources System (Human Resources Department)'' changes the authority information shown in Figure 2. Person C (belonging to the human resources department, temporary employee) is excluded from being granted permission to use the human resources system.
On the other hand, in the authority information shown in FIG. 3, system administrator D has made the following settings to newly grant C the authority to use the personnel system from October 1, 2022.
(1) New establishment of authority rules (Figure 3 (d))
Create a new authority rule with the authority rule name "Human Resources System (Human Resources Department Dispatch)".
(2) Add new authority rule to authority (Figure 3(c))
Added new authority rule ``Human Resources System (Human Resources Department Dispatch)'' to the authority ``Human Resources Department Authority''.

As a result of this setting change, for User C, the setting for granting usage rights based on the authority rule name “Personnel System (Human Resources Department Dispatch)” and the setting for excluding usage rights based on the authority rule name “Personnel System (Human Resources Department)” have become overlapping.
Therefore, the authority setting unit 20 prioritizes the exclusion setting derived from the authority rule name "Personnel System (Personnel Department)," which will result in User C not being granted authority to use the Personnel System even by October 1, 2022.

To grasp the above problem in advance, system administrator D will use simulation unit 10 to perform a simulation to confirm whether user C has been granted permission to use the personnel system as of October 1, 2022.

<5.2> Simulation range setting screen (Fig. 4)
FIG. 4 shows an example of a simulation range setting screen 40 that is displayed on a display of a terminal used by a system administrator D when the system administrator D operates the authority management system A to perform a simulation.
The simulation range setting screen 40 according to this embodiment is provided with a narrowing down field 41 and a target display field 42 .
Details of each column and button are shown below.

<5.2.1> Narrowing field (Figure 4)
The narrowing down field 41 is a field for setting conditions (narrowing down conditions) for narrowing down the targets to be simulated.
In the present invention, the contents of the narrowing down conditions are not particularly limited, and any conditions can be used.
In this embodiment, the narrowing down field 41 includes the following fields and buttons.

(1) Authority group input field (Figure 4)
The authority group input field 411 is a field for inputting an authority group whose item name is "authority group name", as explained in FIG. 3(c).
In this embodiment, the authority group input field 411 is configured with a column titled "Authority Group Name", and one authority group can be selected from a plurality of authority groups using a drop-down list format (not shown). It is configured to allow input.

(2) Authority system input field (Figure 4)
The authority system input field 412 is a field for inputting the name of business system B (hereinafter also referred to as "system name").
In this embodiment, possible system names include "document system,""personnelsystem," and "CAD system."
In this embodiment, the authority system input field 412 is configured with a field titled "System Name", and one system name is selected from a plurality of system names and inputted using a drop-down list format (not shown). It is configured as possible.

(3) Authority input field (Fig. 4)
The authority input field 413 is a field for inputting the "authority" with the item name "authority name" as described in FIG.
In this embodiment, the authority input field 413 is configured as a field titled "Authority Name," and is configured to allow the selection and input of any one of a plurality of authorities in a drop-down list format (not shown).

(4) Target date input field (Figure 4)
The target date input field 414 is a field for inputting a target date.
The target date is a condition for narrowing down the authority group names that are set as of the date input as the target date.
In this embodiment, the target date input field 414 is configured as a field with the title "target date," and is configured so that any date can be selected and input in a drop-down calendar format (not shown).
In this embodiment, although "2022/9/1" is automatically displayed in the target date input field 414 as the date on which the simulation will be executed (hereinafter also referred to as the "execution date"), the system administrator D can also reselect the base date (the date on which the user wishes to check the setting status of the usage rights).
If there is no change in the configuration of authority group names between the execution date and the reference date, the contents of the target display field 42 will not change. However, since there is a possibility that, for example, authority group names may have been reduced between the execution date and the reference date, it is preferable to input the reference date in advance in the target date input field 414 and then narrow down the results.

(5) Search button, clear button (Figure 4)
The search button 415 is a button that, when selected by the system administrator D, narrows down the authority group names based on the contents of the inputs in the respective fields exemplified in (1) to (4) above.
The clear button 416 is a button that, when selected by the system administrator D, erases the contents entered in each of the fields exemplified in (1) to (4) above.

<5.2.2> Target display field (Figure 5, Figure 4)
As shown in FIG. 5, the target display field 42 is a field in which the results narrowed down by inputting in each field in the narrowing down field 41 and selecting the search button 415 are displayed for each authority group.
The target display field 42 may be left blank in the initial state (before narrowing down) of the simulation range setting screen 40, as shown in FIG. 4, or may be set to display all authority groups in advance. good.

(1) Display image (Fig. 5, Fig. 6)
In Figure 5, when the authority group input field 411, the authority system input field 412, and the authority target input field are all left blank in the narrowing down field 41 and the search button 415 is selected, an image is shown in which all authority groups are displayed in the target display field 42.
Furthermore, in the narrowing down field 41 in FIG. 5, when “Human Resources Department (Human Resources)” is entered in the authority group input field 411 and the search button 415 is selected, only authority groups with the authority group name “Human Resources Department (Human Resources)” are displayed in the target display field 42, as shown in FIG. 6.

(2) Adding links (Figures 5 and 6)
In addition, in both Figures 5 and 6, a link (first link 421) that transitions to a simulation execution screen 50 targeting the authority group name is embedded in the text portion of the authority group with the item name "authority group name" displayed in the target display field 42.

<5.2.3> On-screen operations (Figure 6)
In this way, on the simulation range setting screen 40 (FIG. 6), the system administrator D can use the narrowing field 41 to narrow down the name of the authority group to be confirmed, as necessary, and select the name displayed in the target display field 42. By selecting the selected authority group name on the screen, it is possible to proceed to the simulation execution screen 50 (FIG. 7) that targets the selected authority group name.

<5.3> Simulation execution screen (Fig. 7)
FIG. 7 is an image diagram of a simulation execution screen 50 which is displayed when the authority group name "Personnel Department (Personnel)" is selected from the target display field 42 on the simulation range setting screen 40 shown in FIG.
The simulation execution screen 50 according to this embodiment includes a simulation range display field 51, a base date input field 52, and an execution button 53.
Details of each column and button are shown below.

<5.3.1> Simulation range display column (Fig. 7)
The simulation range display field 51 is a field for displaying the simulation range.
In the simulation range display field 51, the name of the authority group selected in the target display field 42 on the simulation range setting screen can be displayed.
In this embodiment, the authority group "Personnel Department (Personnel)" is displayed in the simulation range display field 51, whose title name is "Authority Group Name."

<5.3.2> Base date input field (Figure 7)
The reference date input field 52 is a field for the system administrator D to input a reference date.
In the present embodiment, the reference date input field 52 takes over and displays the date selected as the target date in the simulation range setting screen 40 shown in FIGS. 4 to 6, and the date is input separately by the system administrator D. It is configured to be editable.

<5.3.3> Execute button (Figure 7)
The execution button 53 is a button selected by the system administrator D on the screen in order to execute a simulation of the authority setting status on the date set in the reference date input field 52.

<5.3.4> On-screen operations (Figure 7)
On the simulation execution screen 50, the system administrator D inputs the date on which he/she wishes to check the authority setting status in the reference date input field 52, and selects the execution button 53.
While the simulation is being executed, a simulation progress bar display screen may be superimposed on the simulation execution screen 50 (not shown).
After the simulation is completed, the screen automatically transitions to a simulation result screen 60, which will be described later.

<5.4> Simulation result screen (Fig. 8)
FIG. 8 shows an example of a simulation result screen 60 .
The simulation result screen 60 according to this embodiment has a condition display field 61 and a result output field 62 .
Details of each column are shown below.

<5.4.1> Condition display column (Figure 8)
The condition display column 61 is a column for displaying conditions used in the simulation.
The condition display field 61 according to this embodiment includes at least the following display fields and buttons.
(1) Selected group display field (Figure 8)
The selected group display column 611 is a column that displays the authority group name of the authority group displayed in the simulation range display column 51 of the simulation execution screen 50.
Therefore, the selection group display field 611 has the same display as the simulation range display field 51 described in <5.3.1> above.
(2) Base date condition display column (Figure 8)
The reference date condition display field 612 is a field that displays the reference date selected in the reference date input field 52 of the simulation execution screen 50.
Note that the reference date condition display column 611 can also be configured so that the reference date can be edited.
(3) Rerun button (Figure 8)
The rerun button 613 allows you to run the simulation again on the simulation result screen 60 without returning to the simulation execution screen 50 described above, based on the base date that has been corrected by the base date editing function in the base date condition display field 61. This is a button for execution.

<5.4.2> Result display field (Figure 8, Figure 9)
The result display field 62 includes at least an exclusion target person display field 621, which will be described below, and can also include a grant target person display field 622.
Details of each column are shown below.

(1) Exclusion target display column (Figure 8)
The excluded user display column 621 displays a list for each user C who has been excluded, with item names such as authority name, rule name, reason for exclusion, employee number, name, and company name.
The "Reason for exclusion" field displays the reason for exclusion, and by referring to this display and checking the condition settings for permission settings, the reason for exclusion can be tracked.
In the excluded person display column 621 in this embodiment, person C is displayed as an excluded person, and from among the authority rules that include person C as an authority setting target, the authority rule “Personnel System (Personnel Department)”, which is the cause of the exclusion of authority from being granted, is displayed in the “Authority Rule Name” column.

(1.1) How to transition to the authority setting confirmation screen (Figure 8)
In the excluded person display field 621, a link (second link 623) that allows transition to a screen (authority setting confirmation screen 70) where the user C's authority setting status can be confirmed for the user C listed is provided. may be provided.
In this embodiment, the system administrator D has embedded the second link 623 in the text portion of the authority rule name listed in the column of ``authority rule name'', ``Human Resources System (Human Resources Department)''.

(2) Grantee display field (Figure 8)
In the grantee display field 622, the authority name, rule name, name, job title, etc. are displayed in table format for each user C who is a grantee.
In this embodiment, the persons A and B are displayed as the persons to whom the use authority of the personnel system is to be granted, and the name of the authority rule on which the use authority is granted is displayed. The second link 623 described above may also be embedded in this authority rule name.

(3) Modified examples of display in each column (Figure 9)
In the result display column according to the present invention, the excluded person display column 621 and the grantee display column 622 may be configured so that each column can be switched and displayed.
In the simulation result screen 60 shown in FIG. 10, in the result display column, an excluded person display column 621 and a grantee display column 622 are divided into different tabs, and each column can be switched by selecting the tab. It consists of

<5.5> Authority setting confirmation screen (Figure 10, Figure 11)
The authority setting confirmation screen 70 is a screen for confirming the authority setting status of the authority rule name that is the cause of exclusion from the simulation results displayed on the simulation result screen 60.

<5.5.1> Reuse of authority setting screen The authority setting confirmation screen 70 may be a screen (authority setting screen) used when creating or editing an authority rule name using the authority setting unit 20 described above, or may be a newly prepared screen separate from the authority setting screen.
In this embodiment, the authority setting confirmation screen 70 uses the authority setting screen described above.

<5.5.2> Structure of authority setting confirmation screen (Figure 10)
In the authority setting confirmation screen 70 according to the present embodiment, an exclusion condition display field 71 is provided, and in addition, a grant condition display field 72 and a condition editing field 73 are provided.
The details of each column will be explained below.

(1) Exclusion Condition Display Column (Figure 10)
The exclusion condition display field 71 is a field that displays a list of exclusion conditions set in the authority rule.
In this embodiment, the authority rule name "Personnel System (Personnel Department)" has an exclusion condition set such that temporary staff who belong to the Personnel Department are not eligible to be granted authority.
In addition, since the exclusion conditions are positioned as conditions for excluding from within the range set by the above-mentioned grant conditions, the exclusion range will be the same even if the exclusion conditions displayed in the exclusion condition display field 71 are not set to "Human Resources Department" and only "Temporary Employee" is set.
The exclusion condition display field 71 also has an edit button 711 and a delete button 712 .
The edit button 711 is a button for transferring information on the exclusion conditions to the condition edit field 73 so that the exclusion conditions can be modified and reflected in the condition edit field 73, which will be described later.
The delete button 712 is a button for deleting an exclusion condition.

(2) Condition display field (Figure 10)
The granting condition display field 72 is a field for displaying a list of granting conditions set in the authority rule.
In this embodiment, the authority rule name "Personnel System (Personnel Department)" has a condition set such that all users C who belong to the personnel department are excluded from authority assignment.
In addition, the adding condition display field 72 is provided with an edit button 721 and a delete button 722, similar to the above-described removing condition display field 71.
The edit button 721 is a button for transferring information on the conditions to the condition edit field 73 so that the conditions can be modified and reflected in the condition edit field 73, which will be described later.
The delete button 722 is a button for deleting an assigned condition.

(3) Condition editing field (Figure 10, Figure 11)
The condition editing field 73 is a field for adding new granting conditions and exception conditions, and modifying and reflecting already generated granting conditions and exception conditions in the authority rule.

As shown in FIG. 10, the condition editing field 73 is blank at the initial stage, and by selecting each item and clicking the "Add to condition list" button, you can add new conditions to add or exclude conditions. can be added.

Further, by selecting the edit buttons 711 and 721 provided in the exclusion condition display field 71 or the grant condition display field 72, it is also possible to modify and reflect the grant conditions or exclusion conditions.
For example, as shown in FIG. 11, when the edit button 711 provided in the exclusion condition display field 71 is selected, the selected exclusion condition items (department, position, employee classification, etc.) are carried over to the condition editing field 73. By selecting these items again, you can modify and reflect the exclusion conditions.

<5.6> Image of modifying authority settings (Figure 12)
In this example, as a result of the simulation, the reason why the settings for granting and excluding the authority to use the HR system are mixed for C (Human Resources Department, Temporary Employee) is that the authority rule name is "Human Resources System (Human Resources Department)". It turns out that this is due to the existence of the exclusion conditions set in .
Therefore, in response to this, as shown in the modified authority information shown in Figure 12, the exclusion condition is deleted from the authority rule name "Human Resources System (Human Resources Department)" and the authority rule name is changed to "Human Resources System (Human Resources Department Dispatch)". Depending on the deletion method, it is possible to modify the authority settings as intended by system administrator D.
Note that the authority rule name ``Human Resources System (Human Resources Department Dispatch)'' is nothing more than a redundant grant setting, so there is no problem in leaving it as is.

A: Authority management system 10: Simulation section 20: Authority setting section 30: Authority reflection section 40: Simulation range setting screen 41: Narrowing field 411: Authority group input field 412: Authority system input field 413: Authority input field 414: Target date input field 415: Search button 416: Clear button 42: Target display field 421: First link 50: Simulation execution screen 51: Simulation range display field 52: Reference date input field 53: Execution button 60: Simulation result screen 61: Condition display field 611: Selected group display field 612: Reference date condition display field 613: Re-execute button 62: Result output field 621: Exclusion target person display field 622: Grant target person display field 623: Second link 70: Authority setting confirmation screen 71: Exclusion condition display field 711: Edit button 712: Delete button 72: Grant condition display field 721: Edit button 722: Delete button 73 : Condition editing field B: Business system C: User D: System administrator

Claims (1)

An authority management system that can grant usage authority for each business system to a user according to preset authority information for one or more business systems connected via a network, the system comprising:
Based on the simulation conditions input by the system administrator, we simulate the setting status of usage privileges for each business system for users, and the simulation result shows users who have been set to have mixed usage privileges granted and excluded for a certain business system. characterized by comprising at least a simulation section that outputs
Permission management system.