JP4650607B2 - Network management system, network management method, and network management program - Google Patents

Description

  The present invention relates to a method and system for managing network devices constituting a computer network, and more particularly to a method and system for managing network devices shared by a plurality of users.

  Data centers provide computer resources and network resources to enterprises as well as various types of Internet-related service providers such as storage service providers, hosting service providers, application service providers, etc. Or provide a place where can be installed. Many types of organizations, including companies and various Internet-related service providers, have established information provision systems, product sales systems, etc. (hereinafter referred to as service sites) in the data center to serve employees and general consumers. Provide service.

  FIG. 26 shows a system configuration example of a conventional general data center. A border router 1002 connected to the Internet 1001 and managed by a data center operator exists, and a LAN (Local Area Network) of each service site 1010 is arranged under the border router 1002.

  The service site 1010 includes several switches 1003, a firewall 1004 for preventing unauthorized access and improving the security of the service site, a plurality of Web servers 1006, and a load balancer 1005 for distributing the load of the plurality of Web servers. The resources (resources) such as the switch 1003, the firewall 1004, the load balancer 1005, and the Web server 1006 are used for each service site in a form occupied by a single service site.

  As a form of managing these resources, there are a form in which a data center provider collectively performs operation management and centralized management, and a form in which each service site 1010 operator individually performs operation monitoring.

  On the other hand, there is a technique called VLAN (Virtual LAN) (Non-Patent Document 1). This is a technique for allowing a single network device to be shared by a plurality of broadcast domains, and a network device that does not support the conventional VLAN technology can only be used within a single broadcast domain. In a network device compatible with VLAN technology, a single device can be logically divided and used by belonging to a plurality of broadcast domains.

  With the introduction of this VLAN technology, multiple users can share a single network device, allowing the surplus performance of the network device to be shared with other users, and improving network device usage efficiency. Can be improved.

  FIG. 27 shows a configuration similar to that shown in FIG. 26 using a switch (VLAN switch) corresponding to the VLAN technology. There is a border router 1002 connected to the Internet 1001 and managed by a data center operator, and each service site 1010 is arranged under the border router 1002.

  There is a VLAN switch 1007 shared by a plurality of service sites, and these are logically divided into a plurality of LANs of the service sites 1010 by VLAN technology, and a firewall 1004, a plurality of Web servers 1006, a load balancer are included in each LAN. 1005 is connected.

  In recent years, the scope of application of this VLAN technology has been expanded for the purpose of further improving the utilization efficiency of network devices, and it has begun to be widely introduced into network devices such as firewalls and load balancers in addition to the VLAN switches.

FIG. 28 shows a configuration similar to that shown in FIG. 26 using a firewall or load balancer corresponding to the VLAN technology.

  There is a border router 1002 connected to the Internet 1001 and managed by a data center operator, and each service site 1010 is arranged under the border router 1002. There is a VLAN switch 1007 shared by a plurality of the service sites 1010, and a VLAN firewall 1011 and a VLAN load balancer 1012 are connected to them, and these network devices are logically divided into separate service sites 1010. Belongs to LAN.

  In this example, in addition to the VLAN switch, a VLAN firewall and a VLAN load balancer are also shared by a plurality of users, and a network that will be shared in the future in order to improve the use efficiency of the network device and reduce the cost that can be realized thereby. The number and type of devices tend to increase.

  An example of a conventional network management function for managing these network devices is described in Patent Document 1 below. The “expandable computing system” disclosed herein shows how a service site LAN that dynamically controls a VLAN switch and assigns a port on the VLAN switch and a server machine connected thereto can be changed. However, only the form in which the data center operator undertakes operation management collectively and centrally manages the above-described shared VLAN switch is assumed. When each service site operator is individually monitored for operation, it is necessary to have a mechanism that allows each user to safely present the setting information and operation information for each shared network device. However, the above example does not have this mechanism.

  An example of a conventional network control method for performing access control related to a network device is described in Patent Document 2 below. The network control method disclosed here shows a method for exclusive control of control requests sent to the same device at the same time. The setting information and operation information of the shared network device are used for each individual user. I do not have a device that can safely present only.

  An example of another conventional access control apparatus for performing access control related to a network device is described in Patent Document 3 below. In the network control device disclosed here, only network devices that are exclusively used by the service site are assumed, and the shared network device setting information and operation information can be presented safely for each individual user. I don't have a mechanism that can be done.

Japanese translation of PCT publication No. 2003-507817 (page 61, FIG. 2-A) JP 2002-520909 A (page 51, FIG. 6) Japanese Patent Laying-Open No. 2003-271560 (page 11, FIG. 1) “IEEE 802.1Q, 2003 Edition, IEEE Standards for Local and metropolitan area networks Virtual Bridged Local Area Networks”, page 2, section 1.2

  As described above, the first problem is that there is not provided a device that can safely present only the use amount of setting information and operation information for each shared network device for each individual user.

  Accordingly, an object of the present invention is to configure a virtual network device that is a subset of the network device for each user for a shared network device shared by a plurality of users, and set by another user for one user Another object of the present invention is to provide a system capable of configuring the virtual network device so as not to show operational data for the set contents and the processing performed.

Another object of the present invention is within the scope of functions provided by the shared network device in each of a plurality of virtual network devices configured for each user with respect to one shared network device shared by a plurality of users. An object of the present invention is to provide a system in which the virtual network device can be configured so that the functions can be selected or aggregated and different functions are provided for each virtual network device.

According to a first embodiment of the invention,
Terminal 1,
Network 2 and
A shared network device 3 connected to the network 2 and shared by a plurality of users;
Connected to the network 2, confirming the access authority to the virtual network device in response to a setting change request or information acquisition request for the virtual network device from the terminal 1, searches for information on the corresponding shared network device 3, and A shared network device controller 4 that issues a resource control flow execution request in response to various information acquisition requests or the setting information change request;
Provided by a network management system comprising a control controller 5 that receives a resource control flow execution request issued by the shared network device controller 4 and searches and executes the corresponding resource control flow 3001 to actually control the shared network device 3 Is done.

Here, the shared network device controller 4
A request receiving unit 401 that receives the various requests such as the operation information / setting information acquisition request, the setting information change request, and the access authority confirmation request transmitted from the terminal 1 and performs user authentication;
A resource information repository 402 for storing a shared network device information object 2001 and a virtual network device information object 2101;
The virtual network device information object 2101 is searched from the resource information repository 402, and the setting item or operation data item that is the target of the request transmitted from the terminal 1 and the setting item included in the virtual network device information object 2101 or A virtual resource information access unit 403 that compares the operation data item to confirm the presence of the item and calls the access authority confirmation unit 404;
An access authority confirmation unit 404 that compares the user information specified by the request reception unit 401 with the user information included in the virtual network device information object 2101 to confirm access authority;
Shared resource information access means 405 for retrieving the shared network device information object 2001 of the shared network device 3 corresponding to the virtual network device.

The virtual network device information object 2101 is
Created in units of the shared network device 3 and users sharing the shared network device 3,
A device ID as an identifier of the virtual network device;
A device information storage area 2102 for storing information on the device itself such as a user ID, a used device ID, a used device model ID, and a used device type;
A device setting information storage area 2103 for storing various setting information;
And a device operation information storage area 2104 in which various operation information is stored.

Among the setting item items or operation data items provided by the shared network device 3 corresponding to the device setting information storage area 2103 and the device operation information storage area 2104, the user of the virtual network device refers to the virtual network device. By storing setting items or operation data items to be changed,
A virtual network device that is a subset of the network device is virtually configured for each user for a shared network device shared by a plurality of users,
The virtual network device is configured so as not to show the setting contents set by another user and the operation data for the performed processing to a certain user. In addition, it is possible to select the function within a range of functions provided by the shared network device in each of a plurality of virtual network devices configured for each user with respect to one shared network device shared by a plurality of users. Thus, the virtual network device is configured to provide a different function for each virtual network device.

Request verification means 406 for confirming whether there is no problem even if the setting item targeted by the request is changed when the request transmitted from the terminal 1 by the shared network device controller 4 is a setting information change request;
When the request transmitted from the terminal 1 is the setting information change request, the process flow identifier of the change processing flow of the corresponding item included in the shared network device information object 2001 for the setting item included in the setting information change request Control processing flow calling means 407 for taking out
When the request is the operation information / setting information acquisition request, the processing flow of the information acquisition processing flow of the corresponding item included in the shared network device information object 2001 for the setting item included in the operation information / setting information acquisition request And an information acquisition process flow calling unit 408 for extracting an identifier.

The controller 5
A communication unit 501 for accessing the shared network device 3 via the network 2, executing a setting change request command or an information reference request command on the device, and receiving an execution result;
A resource control processing flow store (resource control processing flow storage means) 502 for storing a processing flow 3001 describing the contents of the setting change request command and the information reference request command executed on the shared network device 3;
The process flow 3001 that matches the process flow identifier of the information acquisition process flow received from the information acquisition process flow call means 407 is searched from the resource control process flow store 502 and executed, and the execution result is called the information acquisition process flow call means. Processing flow identifier information collecting means 503 to send back to 407;
The processing flow 3001 that matches the processing flow identifier of the change processing flow received from the control processing flow calling unit 406 is searched from the resource control processing flow store 502 and executed, and the execution result is returned to the control processing flow calling unit 406. And control execution means 504.

The shared network device information object 2001 is created for each shared network device,
A device ID as an identifier of the shared network device;
A device information storage area 2002 in which information about the device itself such as a model ID is stored;
A device setting information storage area 2003 in which various setting information is stored;
A device operation information storage area 2004 in which various operation information is stored;
And a processing flow storage area 2005 for storing information of identifiers of processing flows executed when changing the various setting information and acquiring various operation information.

  With this configuration, various information acquisition or setting information change of the corresponding shared network device 3 can be performed in response to various information acquisition or setting information change of the virtual network device.

According to the second embodiment of the present invention, in the first embodiment, the control processing flow calling means 407 includes the setting items included in the setting information change request in the shared network device information object 2001. Whether the process flow identifier of the change process flow of the corresponding item is included in the virtual network device information object 2101 searched by the virtual resource information access unit 403 before taking out the process flow identifier of the change process flow of the corresponding item Process to confirm,
Before the information acquisition processing flow calling unit 408 extracts the processing flow identifier of the information acquisition processing flow of the corresponding item included in the shared network device information object 2001 for the setting item included in the operation information / setting information acquisition request In addition, the virtual network device information object 2101 searched by the virtual resource information access unit 403 performs processing for confirming whether or not the processing flow identifier of the information acquisition processing flow of the corresponding item is included.

The virtual network device information object 2101 is
Created in units of the shared network device 3 and users sharing the shared network device 3,
A device ID as an identifier of the virtual network device;
A device information storage area 2102 for storing information on the device itself such as a user ID, a used device ID, a used device model ID, and a used device type;
A device setting information storage area 2103 for storing various setting information;
A device operation information storage area 2104 for storing various operation information;
And a processing flow storage area 2105 for storing information of identifiers of processing flows executed when changing the various setting information included in the object and acquiring various operation information.

  With this configuration, the plurality of virtual networks within the functions provided by the shared network device corresponding to each of the plurality of virtual network devices configured for each user with respect to one shared network device shared by a plurality of users. Functions can be aggregated and different functions can be provided for each virtual network device.

According to the third embodiment of the present invention, in the first embodiment, the virtual resource information access unit 403 searches the virtual network device information object 2101 from the resource information repository 402 and The shared resource information access unit 405 is called without checking the existence or the access authority checking unit 404 and
In addition to operating the shared resource information access unit 405 in the first embodiment aspect, a call of the access authority checking means 404 in the shared network device information object 2001 after a search.

  In addition to the configuration of the shared network device information object 2001 in the first embodiment, the shared network device information object 2001 includes at least an administrator ID of the administrator of the shared network device 3 in the device information storage area 2002. And a virtual device information storage area 2006 for storing virtual device information 2091 including a virtual device ID used when the shared network device is presented to the user as a virtual network device. In addition, each of the setting items stored in the device setting information storage area 2003 includes public availability information indicating whether each of the setting items is open to the user and can be referred to or changed by the user. And the setting contents and previous items included in the setting item Each virtual rule includes virtual device ID information indicating to which virtual network device each rule is disclosed, and each of the operation data items stored in the device operation information storage area 2004 is disclosed to the user and used. Information indicating whether or not the reference can be made or changed by a user, and virtual device ID information indicating to which virtual network device the information is disclosed.

  As a result, the virtual network device information object 2101 is not held in the resource information repository 402, but the shared network device shared by a plurality of users when requested by the terminal 1 is virtually A virtual network device that is a subset of the network device is dynamically configured.

According to the fourth embodiment of the present invention, in addition to the first embodiment,
The request receiving unit 401 receives a virtual network device template registration request, a shared network device template registration request, a virtual network device registration request, or a shared network device registration request transmitted from the terminal 1,
Resource information for storing in the shared network device controller 4 a shared network device template 5001 related to the setting item or operation information item of the shared network device 3 and a virtual network device template 6001 related to the setting item or operation information item of the virtual network device. A template store 409,
A resource information template registration unit 410 that stores a virtual network device template and a shared network device template received from the request reception unit 401 in the resource information template store 409;
Based on the information included in the virtual network device registration request and the shared network device registration request received by the request receiving unit 401, the corresponding shared network device template 5001 and virtual network device template 6001 corresponding to the resource information template store 409 are used. Resource registration means 411 for generating the virtual network device information object 2101 and the shared network device information object 2001 and registering them in the resource information repository 402,
The control controller 5 further includes resource control processing flow registration means 505 for storing the resource control processing flow 3001 included in the shared network device registration request received by the request receiving means 401 in the resource control processing flow store 502.

  With this configuration, it becomes possible to add a shared network device or virtual network device to be managed.

  The first effect is that a virtual network device that is a subset of the network device can be configured virtually for each user with respect to the network device, so that a plurality of users can share the network device, and the use efficiency of the network device is improved. Can be improved.

  The second effect is that the user of the network device can configure the virtual network device such that the setting contents set by another user and the operation data for the processing performed are not shown to one user of the network device. Even when managing network devices, it will be possible to safely manage and manage the network while maintaining security.

  A third effect is that each of a plurality of virtual network devices configured for each user of a network device can select or aggregate the functions within a range of functions provided by the shared network device, for each virtual network device. By providing different functions, it is possible to provide virtual network devices of a scale and functions that meet the user's requirements without disclosing unnecessary functions to the user, thereby improving the efficiency of network device usage and the safety of operation management. Can be improved.

  Next, the best mode for carrying out the invention will be described in detail with reference to the drawings.

Referring to FIG. 1, in the first embodiment of the present invention, a user issues various information acquisition requests such as operation information / setting information acquisition requests for virtual network devices, setting information change requests, and access authority confirmation requests. , A terminal 1 for issuing various information acquisition requests and setting information change requests such as operation information / setting information acquisition requests to the shared network device 3, a network 2, and a plurality of users connected to the network 2 And shared network device 3 such as VLAN switch, VLAN firewall, VLAN load balancer and the like that are jointly used by the network 2 and the various information acquisition requests from the terminal 1 or the setting information change request or the access authority confirmation Accept requests and access to virtual network devices Verify Seth authority to search the information of the corresponding shared network device 3, a shared network device controller 4 for issuing the resource control flow execution request in accordance with the various information acquisition request or the setting information change request,
It is composed of a control controller 5 that receives a resource control flow execution request issued by the shared network device controller 4, searches for and executes the corresponding resource control flow 3001, and actually controls the shared network device 3.

  The shared network device controller 4 and the control controller 5 may be in the same device, or may be in a different device and connected to the network 2 in the previous period.

Hereinafter, the configuration and functions of the terminal 1 will be described in detail. The terminal 1 includes an input / output unit 101 including a keyboard for inputting information, the various information acquisition request, the setting information change request, or the access authority confirmation request, a screen for providing information, and the like.
The shared network device that transmits the various information acquisition request, the setting information change request, or the access authority confirmation request input from the user or the administrator to the shared network device management controller 4 via the network 2 The communication unit 102 receives an execution result from the management controller 4.

  Next, the configuration and function of the shared network device 3 will be described in detail.

  The shared network device 3 is a network device that can use the VLAN technology such as a VLAN switch, a VLAN firewall, and a VLAN load balancer, and is a device that is shared by a plurality of users.

  In the network device, when a failure occurs in a single device, it is automatically detected, and another network device of the same model prepared as a spare is set and operated as it is. Many have a device redundancy function. The shared network device 3 may be composed of a single device or a cluster of network devices of the same model that operates the device redundancy function.

  In addition, the network device generally has an access restriction function that allows setting change and information reference via a network from a device having an IP address registered in the device 3 in advance. The access restriction function may be used so that setting change and information acquisition from devices other than the network device controller 4 are not performed.

  Next, the configuration and function of the virtual network device will be described.

  The virtual network device is a virtual network device logically configured as a subset of the shared network device 3, and is configured for each shared network device 3 and for each user who shares the shared network device 3.

The shared network device 3 can be referred to by the user among public setting items set to be disclosed as setting items that can be referred to / changed by the user among various setting items to be provided and various operation data items to be provided. The open operation data item is set to be disclosed as an operation data item. On the virtual network device, a part or all of the public setting item and the public operation data item are disclosed to the user as a setting item and an operation data item of the virtual network device, and the user of the virtual network device A part used by the user in the setting of the public setting item on the corresponding shared network device 3 when the virtual network device is requested to set the setting item or acquire information on the setting item / operation data item Information of a part used by the user among the information of the setting change and the public setting item / public operation data item is acquired.

Next, the configuration and function of the shared network device controller 4 will be described in detail .

The shared network device controller 4
A request receiving unit 401 that receives the various requests such as the operation information / setting information acquisition request, the setting information change request, and the access authority confirmation request transmitted from the terminal 1 and performs user authentication;
A resource information repository 402 for storing a shared network device information object 2001 and a virtual network device information object 2101;
The virtual network device information object 2101 is searched from the resource information repository 402, and the setting item or operation data item that is the target of the request transmitted from the terminal 1 and the setting item included in the virtual network device information object 2101 or A virtual resource information access unit 403 that compares the operation data item to confirm the presence of the item and calls the access authority confirmation unit 404;
An access authority confirmation unit 404 that compares the user information specified by the request reception unit 401 with the user information included in the virtual network device information object 2101 to confirm access authority;
Shared resource information access means 405 for retrieving the shared network device information object 2001 of the shared network device 3 corresponding to the virtual network device;
Request verification means 406 for confirming whether there is no problem even if the setting item targeted by the request is changed when the request transmitted from the terminal 1 is a setting information change request;
When the request transmitted from the terminal 1 is the setting information change request, the process flow identifier of the change processing flow of the corresponding item included in the shared network device information object 2001 for the setting item included in the setting information change request Control processing flow calling means 407 for taking out
When the request is the operation information / setting information acquisition request, the processing flow of the information acquisition processing flow of the corresponding item included in the shared network device information object 2001 for the setting item included in the operation information / setting information acquisition request An information acquisition process flow calling unit 408 for extracting an identifier is included.

  It should be noted that all the means in the shared network device management controller 4 do not necessarily exist on the same device. For example, the resource information repository 402 is arranged on another device and accessed via the network 2. The resource information repository 402 and the control processing flow call device 407 may be arranged on separate devices and accessed via the network 2, or the information acquisition process The flow call device 408 may be arranged on a separate device and accessed via the network 2, or the control processing flow call device 405 may be arranged on a separate device and routed via the network 2. You may comprise so that it may access, and you may make it the structure which combined those two or more. The user authentication in the request accepting unit 401 may use a known authentication method such as authentication using the IP address of the terminal 1, password authentication, or authentication using an authentication key for each user.

  When the terminal 1 transmits the various requests to the request receiving means 401, various standard such as SNMP (Simple Network Management Protocol), Telnet, HTTP (Hypertext Transfer Protocol), and SOAP (Simple Object Access Protocol) are used. A communication protocol may be used.

  Further, the shared network device information object 2001 stored in the resource information repository 402 may be configured not to hold the information acquired from the shared network device 3 in the shared network device information object 2001, or temporarily or regularly. It is good also as a structure hold | maintained.

  Next, the configuration and function of the controller 5 will be described in detail.

The controller 5
A communication unit 501 for accessing the shared network device 3 via the network 2, executing a setting change request command or an information reference request command on the device, and receiving an execution result;
A resource control processing flow store (resource control processing flow storage means) 502 for storing a processing flow 3001 describing the contents of the setting change request command and the information reference request command executed on the shared network device 3;
The process flow 3001 that matches the process flow identifier of the information acquisition process flow received from the information acquisition process flow call means 408 is searched from the resource control process flow store 502 and executed, and the execution result is called the information acquisition process flow call means. Processing flow identifier information collecting means 503 to send back to 408;
The processing flow 3001 that matches the processing flow identifier of the change processing flow received from the control processing flow calling unit 407 is searched from the resource control processing flow store 502 and executed, and the execution result is returned to the control processing flow calling unit 407. And control execution means 504.

  Note that all the means in the control controller 5 do not necessarily exist on the same device. For example, the resource control processing flow store 502 is arranged on a separate device and accessed via the network 2. Alternatively, the information acquisition unit 503 may be arranged on a separate device and accessed via the network 2, or the control execution unit 504 may be arranged on a separate device and the network 2 It may be configured to be accessed via, or may be configured by combining them.

  The communication unit 501 executes SNMP (Simple Network Management Protocol), Telnet, HTTP (Hypertext Transfer Protocol), FTP (File) when executing the setting change request command or the information reference request command on the shared network device 3. Various standard communication protocols such as Transfer Protocol (TFTP) and Trivial File Transfer Protocol (TFTP) may be used.

  The information collection unit 503 or the control execution unit 504 is configured to use SNMP (Simple Network Management Protocol), CLI (Command Line Interface), and the information change request command executed on the shared network device 3 and the information reference request command. Various command formats provided by the shared network device 3 such as XML (Extensive Markup Language) may be used.

The description form of the processing flow 3001 handled by the resource control processing flow store 502, the information collection unit 503, or the control execution unit 504 is not limited to a script, and a program component may be used.

  Next, the shared network device information object described above will be described in detail. FIG. 2 is an example of a shared network device information object.

The shared network device information object 2001 is created for each shared network device,
A device ID as an identifier of the shared network device;
A device information storage area 2002 in which information about the device itself such as a model ID is stored;
A device setting information storage area 2003 in which various setting information is stored;
A device operation information storage area 2004 in which various operation information is stored;
The processing flow storage area 2005 stores information on identifiers of processing flows executed when changing the various setting information and acquiring various operation information.

  In the device setting information storage area 2003, information on setting items that the administrator and the user refer to and change the setting items provided by the shared network device 3 is stored. It is not necessary to store information on all setting items. In FIG. 2, as an example, there are an SSH access enable / disable setting item 2011, an SSH access permitted host IP setting item 2012, a port assignment setting item 2013, and a packet filtering rule setting item 2014. Of these, the port assignment setting item 2013 is assumed to have a configuration in which the shared network device 3 corresponding to this example has a plurality of ports. The packet filtering rule setting item 2014 holds a plurality of rules 2071 because it is assumed that the shared network device 3 corresponding to this example is configured to hold a plurality of rules. Each of the setting content 2061 and the rule 2071 is the setting content 2061 or the rule 2071 used by each user who shares the shared network device 3, and a key item as an identifier thereof is used. Have. In the example shown in FIG. 2, the key item of the setting content 2061 is “port name”, and the key item of the rule 2071 is “filter name”. It is described as a column.

  Within the information of the various setting items, there are setting conditions that serve as constraint conditions for changing the settings of the items, and setting content addition / deletion conditions that serve as constraint conditions for adding or deleting the various setting contents. In addition, a corresponding open operation data item condition describing a condition of processing contents to which operation data should be added or deleted in conjunction with addition or deletion of the setting contents is included. The various conditions may be configured to be included in all of the setting items, or may be configured to include only a part necessary for performing various processes. The condition description method takes the form described in the natural language in the example of FIG. 2, but is not necessarily limited to this form, and various existing programming languages and knowledge description languages may be used. .

  The device operation information storage area 2004 stores information on operation data items referred to by the administrator and the user for the operation data items provided by the shared network device 3, and all the information provided by the shared network device 3 is not necessarily provided. It is not necessary to store information on the operation data item. In FIG. 2, device operating time data 2021 and port-specific operating data 2022 exist as an example. Of these, the port-specific virtual data 2022 assumes that the shared network device 3 corresponding to this example is configured to hold a plurality of ports, and therefore holds a plurality of operation data 2081. Yes. Each of the operation data 2081 is operation data relating to a port used by each user sharing the shared network device 3, and has a key item as an identifier of each. In the example shown in FIG. 2, the key item of the operation data 2081 is “port name”, which is described as an underlined character string in the figure.

  Note that the configuration of the shared network device information object 2001 is not limited to the configuration of the example of FIG. 2 but is included in the device information storage area 2002, the device setting information storage area 2003, and the like. Each setting item, the setting content or the rule included in each setting item, the device operation information storage area 2004, and each operation data item included in the device operation information storage area 2004 The operation data included in each operation data item and the processing flow storage area 2005 are individually realized as separate objects, and another object associated with the shared network device information object 2001 is created. May be stored in the resource information repository 402.

  Further, the setting contents or the rules included in the device setting information storage area 2003 and the operation data included in the device operation information storage area 2004 regularly hold information acquired from the shared network device 3 therein. It is possible to adopt a configuration that does not hold at all, or a configuration that holds it temporarily or a configuration that holds it temporarily.

  Next, the virtual network device information object described above will be described in detail. FIG. 3 is an example of a virtual network device information object.

The virtual network device information object 2101 is created in units of the shared network device 3 and in units of users who share and use the shared network device 3.
A device ID as an identifier of the virtual network device;
A device information storage area 2102 for storing information on the device itself such as a user ID, a used device ID, a used device model ID, and a used device type;
A device setting information storage area 2103 for storing various setting information;
It comprises a device operation information storage area 2104 in which various operation information is stored.

The device setting information storage area 2103 stores information on setting items that the user refers to or changes for the setting items provided by the virtual network device, and all the settings provided by the corresponding shared network device 3 are not necessarily stored. It is not necessary to store information about items. In FIG. 3, there are a port assignment setting item 2111 and a packet filtering rule setting item 2112 as an example. Of these, the port assignment setting item 2111 holds a plurality of setting contents 2061 because it is assumed that the virtual network device corresponding to this example is configured to hold a plurality of ports. As for the packet filtering rule setting item 2112, since it is assumed that the virtual network device corresponding to this example is configured to hold a plurality of rules, a plurality of rules 2071 are held. The setting content 2061 and the rule 2071 correspond to the setting content and rule in the shared network device 3 corresponding to the virtual network device that are used by the user of the virtual network device. Each of the setting content 2061 and the rule 2071 has a key item as an identifier. In the example shown in FIG. 3, the key item of the setting content 2061 is “port name”, and the key item of the rule 207 is “filter name”. It is described as a column.

  In the device operation information storage area 2104, information on operation data items referred to by the user for the operation data items provided by the virtual network device is stored, and all the operations provided by the corresponding shared network device 3 are not necessarily stored. It is not necessary to store information about data items. In FIG. 3, port-specific operation data 2113 exists as an example. The port-specific operation data 2113 holds a plurality of operation data 2081 because it is assumed that the virtual network device corresponding to this example is configured to hold a plurality of ports. The operation data 2081 is obtained by extracting a part of the operation data in the shared network device 3 corresponding to the virtual network device. Each of the operation data 2081 has a key item as an identifier. In the example shown in FIG. 3, the key item of the operation data 2081 is “port name”, and is described as an underlined character string in the figure.

  Note that the configuration of the shared network device information object 2101 is not limited to the configuration of the example of FIG. 3, but a device information storage area 2102, a device setting information storage area 2103, a device operation information storage area 2104, The setting items, the operation data items, the setting contents, the rules, or the operation data included in them are individually realized as separate objects and associated with the shared network device information object 2101. It may be stored in the resource information repository 402.

  Further, the user information of the virtual network device is not included in the device information storage area 2102 as in the configuration of the example of FIG. 3, but the shared network device information object 2101 and the user information object 2201 are associated with each other. These objects may be stored in the resource information repository 402 in the form of creating them.

  In addition, the setting contents or the rules included in the device setting information storage area 2103 and the operation data included in the device operation information storage area 2104 include information acquired from the corresponding shared network device 3 in a regular manner. However, it is possible to adopt a configuration that does not hold at all.

  When there are a plurality of virtual network device information objects 2101 corresponding to the same shared network device, the setting items or the operation data items included in the device setting information storage area 2103 or the device operation information storage area 2104 are For each virtual network device information object 2101 within the range of each setting item or each operation data item included in the device setting information storage area 2003 or the device operation information storage area 2004 of the corresponding shared network device information object 2001 It may be configured differently.

  Next, the above-described user information object will be described in detail. FIG. 4 is an example of a user information object.

A user information object 2201 is created for each user,
A user ID as a user identifier;
It consists of a user information storage area 2202 for storing information used for user authentication such as a password, and information related to user attributes such as an administrator flag and a user name.

  Next, the resource control processing flow described above will be described in detail. FIG. 5 is an example of a resource control processing flow.

  The resource control processing flow 3001 describes the execution contents of a single or plural setting change request commands and information reference request commands executed on the shared network device 3. Further, some data processing related to the command execution result response may be included. In addition, some argument may be received and processing may be performed using the value in some data processing related to the execution contents of the setting change request command or the information reference request command and the command execution result response.

The form of the processing flow 3001 is not limited to a script, and may be a program component.

  Next, various requests transmitted from the terminal 1 will be described in detail.

  The requests transmitted from the terminal 1 include the operation information / setting information acquisition request, the setting information change request, and the access authority confirmation request. It is not always necessary to be able to process all of the requests, and only a part of the requests may be processed.

  Each request includes at least a request identifier for identifying a request type, a virtual network device identifier for identifying the virtual network device to be processed, and a processing item identifier for identifying a setting information item or an operation data item to be processed. And are included. In addition, when the request is a setting information change request, a processing flow argument indicating a change content of the setting information item can be included. Also, authentication token information for user authentication can be included. Further, other parameters may be included as necessary.

  The request identifier, the virtual network device identifier, the processing item identifier, and the processing flow argument are not limited to one in one request, and may include a plurality.

  Next, the operation at the time of changing the setting of the virtual network device in the present embodiment will be described in detail with reference to the flowchart of FIG.

  First, the user inputs a setting information change request for the virtual network device from the input / output unit 101 of the terminal 1, and the input request is transmitted from the communication unit 102 via the network 2 and is shared network device management controller. 4 is received by the request receiving means 401 (step S101).

  Next, the request reception unit 401 checks whether or not an authentication token is included in the setting information change request, and if included, executes user authentication using the user information object 2201 in the resource information repository 402. (Step S102). The authentication token is information for confirming the authentication state of the user, and the form thereof differs depending on the user authentication processing method used by the request receiving means 401. As a processing method of the user authentication used at this time, a known authentication method such as authentication using the IP address of the terminal 1, password authentication, authentication by authentication key for each user may be used.

  On the other hand, when it is found that the authentication token is not included or the user is not a valid user as a result of the user authentication, the request receiving unit 401 notifies the terminal 1 that the user authentication has failed and performs processing. The process ends (step S103).

When the user authentication is completed in the step S102, the virtual resource information access unit 403 is called, and the virtual resource information access unit 403 reads the virtual network specified in the setting information change request from the resource information repository 402. The virtual network device information object 2101 of the device is searched (step S104). Further, it is confirmed whether the setting item to be changed included in the setting information change request is included in the device setting information storage area 2102 of the virtual network device information object 2101 (step S105). If it is confirmed that the request is not included, the request accepting unit 401 notifies the terminal 1 that the setting change has failed and ends the process (step S106).

  Next, the access authority confirmation unit 404 is called, and the user ID of the user specified by the user authentication in the step S102 and the use included in the device information storage area 2102 in the virtual network device information object 2101. The user ID is compared, and it is confirmed whether or not the user has the authority to change the setting of the virtual network device (step S107).

  When it is confirmed that there is no authority, the request accepting unit 401 notifies the terminal 1 that the setting change has failed and ends the process (step S108).

On the other hand, if it is confirmed in step S105 that the user has authority, the shared resource information access unit 405 is called, and the resource is based on the used device ID included in the device information storage area 2102 of the virtual network device information object 2101. The shared network device information object 2001 is searched from the information repository 402 (step S109).

  Next, the request verification unit 406 is called up and refers to the previous period setting condition and the setting content addition / deletion condition in the change target setting item included in the device setting information storage area 2003 of the shared network device information object 2001. Then, it is confirmed whether or not the various conditions are not violated even if the change content indicated by the processing flow argument is changed in the change target setting item included in the setting change request (step S110). When the violation is confirmed, the request receiving unit 401 notifies the terminal 1 that the setting change has failed and ends the process (step S111).

On the other hand, if it can be confirmed that there is no problem, the control processing flow calling means 407 is called to acquire the setting information change processing flow identifier of the corresponding setting item from the processing flow storage area 2005 of the shared network device information object 2001. A processing flow execution request is transmitted to the control execution means 504 in the controller 5 (step S112).

  Upon receipt of the processing flow execution request, the control execution unit 504 searches the resource control processing flow store 502 for the corresponding processing flow 3001 based on the identifier of the setting information change processing flow (step S113). Read and execute (step S114).

According to the contents described in the processing flow 3001, the shared network device 3 is accessed via the communication means 501, and a single or a plurality of setting change request commands are executed on the shared network device 3, and the shared The setting of the network device 3 is changed (step S115).

  When the setting change of the shared network device 3 is normally completed, the control processing flow calling unit 407 receives a normal completion notification, and the corresponding open operation data item included in the change target setting item in the shared network device information object 2001. The conditions are confirmed, and operation data is added, updated, or deleted in the device operation information storage area 2004 as necessary, and stored again in the resource information repository 402 (step S116). Finally, a normal completion notice is sent to the request receiving means 401, and the process is terminated (step S117).

  Next, with reference to the flowchart of FIG. 7, the operation at the time of collectively referring to the setting information / operation data information of the virtual network device in the present embodiment will be described.

  About step S201-S206, the process similar to said step S101-S106 is performed based on the said setting information and working data information batch reference request instead of the said setting information change request.

  Next, the shared resource information access unit 405 is called, and the shared network device information object 2001 is searched from the resource information repository 402 based on the used device ID included in the device information storage area 2102 of the virtual network device information object 2101. (Step S207).

  Next, the information acquisition processing flow calling means 408 is called to acquire the processing flow identifiers of all setting items and all operation data items from within the processing flow storage area 2005 of the shared network device information object 2001, and within the control controller 5 The processing flow execution request is transmitted to the information collecting means 503 (step S208).

  Upon receipt of the processing flow execution request, the information collection unit 503 sequentially searches the resource control processing flow store 502 for the corresponding processing flow 3001 based on the identifiers of the setting information acquisition processing flow and the operation data information acquisition processing flow ( In step S209, the processing flow 3001 is read and executed (step S210).

  According to the contents described in the processing flow 3001, the shared network device 3 is accessed via the communication means 501, and the single or plural setting information reference request commands are executed on the shared network device 3, Information is acquired from the shared network device 3 (step S211).

  When the acquisition of information from the shared network device 3 is normally completed, a normal completion notification is sent to the request reception unit 401 together with the acquired information, and the process is terminated (step S212).

  When the shared network device information object 2001 or the virtual network device information object 2101 is configured to temporarily or regularly hold information acquired from the shared network device 3, the shared network device information object 2001 or the If information is held in the virtual network device information object 2101, the procedure of steps S 208 to S 211 may be omitted, and the information held in the object may be returned in step S 212.

  Next, the operation when referring to the setting information / operation data information of the virtual network device in the present embodiment will be described in detail with reference to the flowchart of FIG.

  For steps S301 to S309, the same processing as steps S101 to S109 is executed based on the setting information / operation data information reference request instead of the setting information change request.

  However, in step S305, the comparison contents during the operation in step S105 may be a processing item included in the setting information / operation data information reference request and an operation data item in the device operation information storage area 2104. Different. For steps S310 to S314, the same processing as in steps S208 to S212 is executed.

  When the shared network device information object 2001 or the virtual network device information object 2101 is configured to temporarily or regularly hold information acquired from the shared network device 3, the shared network device information object 2001 or the If the information is held in the virtual network device information object 2101, the steps S 310 to S 313 are omitted, and the information held in the shared network device information object 2001 or the virtual network device information object 2101 is returned in step S 314. It may work to do.

  Next, with reference to the flowchart of FIG. 9, the operation when confirming the access authority of the virtual network device in the present embodiment will be described in detail.

  For steps S401 to S407, the same processing as steps S101 to S107 is executed based on the access authority confirmation request instead of the setting information change request. Finally, if it is confirmed in step S106 that the user has authority, the request receiving unit 401 notifies the terminal 1 of the confirmation result and ends the process (step S408).

  Next, the effect of this embodiment will be described.

  In the present embodiment, the virtual network device information object 2101 is created in units of the shared network device 3 and in units of users who share and use the shared network device 3, and includes the device setting information storage area 2103 and Among the setting item items or operation data items provided by the shared network device 3 corresponding to the device operation information storage area 2104, the setting items or operation data that the user of the virtual network device refers to or changes in the virtual network device Store items.

  Further, the shared network device controller 4 stores the virtual network device information object 2101 in the resource information repository 402, the virtual network device information object 2101 is searched from the resource information repository 402, the virtual resource information access means 403, Access authority confirmation means 404 for confirming access authority using user information included in the virtual network object 2101 and shared resource information access for retrieving the shared network device information object 2001 corresponding to the virtual network device information object 2101 Means 405 are provided.

  As a result, a virtual network device that is a subset of the network device for each user can be configured virtually for a shared network device shared by a plurality of users. The virtual network device can be configured not to show operational data for the processing performed.

  Further, in the present embodiment, if the request transmitted from the terminal 1 by the shared network device controller 4 is a setting information change request, there is no problem even if the setting item targeted by the request is changed. A request verification unit 406 for confirming whether or not, a control processing flow calling unit 407 for retrieving a processing flow identifier of a corresponding item included in the shared network device information object 2001, and an information acquisition processing flow calling unit 408.

  As a result, it is possible to configure so that various information acquisition, setting information change, or access authority confirmation for the virtual network device can be performed by providing the control controller 5 that searches for the processing flow and accesses and executes the shared network device 3.

  Next, the best mode for carrying out the second invention of the present invention will be described in detail with reference to the drawings. The second embodiment of the present invention is the same as the first embodiment of the present invention except that the control processing flow calling unit 407 and the information acquisition processing flow calling unit 408 are different from those of the first embodiment. This is the same as the embodiment.

  The control process flow calling unit 407 may retrieve the virtual resource before retrieving the process flow identifier of the change process flow of the corresponding item included in the shared network device information object 2001 for the setting item included in the setting information change request. The virtual network device information object 2101 searched by the information access unit 403 performs a process of confirming whether or not the process flow identifier of the change process flow of the corresponding item is included. This point is different from the first embodiment described above.

  The information acquisition process flow calling unit 408 extracts the process flow identifier of the information acquisition process flow of the corresponding item included in the shared network device information object 2001 for the setting item included in the operation information / setting information acquisition request. Prior to this, processing for confirming whether or not the virtual network device information object 2101 searched by the virtual resource information access unit 403 includes the processing flow identifier of the information acquisition processing flow of the corresponding item is performed. This point is different from the first embodiment described above. Note that the second embodiment may be implemented simultaneously with the first embodiment.

  Next, the virtual network device information object will be described in detail. FIG. 10 is an example of a virtual network device information object in the second embodiment.

  The virtual network device information object 2101 changes the various setting information included in the object and acquires various operation information in addition to the configuration of the virtual network device information object 2101 according to the first embodiment. A processing flow storage area 2105 for storing information on the identifier of the processing flow executed at this time. The processing flow storage area 2105 does not necessarily include information on processing flow identifiers corresponding to all the various setting information and various operation information included in the object 2101.

  Note that the configuration of the shared network device information object 2101 is not limited to the configuration of the example of FIG. 10, but a device information storage area 2102, a device setting information storage area 2103, a device operation information storage area 2104, The processing flow storage area 2105 and the setting items, the operation data items, the setting contents, the rules, or the operation data included therein are individually realized as separate objects, and the shared network device information The resource information repository 402 may be stored in a state associated with the object 2101.

  Next, the operation at the time of changing the setting of the virtual network device in the present embodiment will be described in detail with reference to the flowchart of FIG.

  About step S501-S511, the process similar to said step S101-S111 of the operation | movement at the time of the setting change of the said virtual network device in embodiment of 1st invention is performed.

  Next, the control processing flow calling unit 407 refers to the processing flow storage area 2105 in the virtual network device information object 2101 to determine whether or not the processing flow identifier of the setting information change processing flow of the setting item to be changed is included. Is confirmed (step S512).

  If it is confirmed in step S512 that the process flow identifier is included, a process flow execution request including the process flow identifier is transmitted to the control execution means 504 in the control controller 5, and if the step S512 is performed. When it is confirmed that the processing flow identifier is not included, the setting information change processing flow identifier of the corresponding setting item is acquired from the processing flow storage area 2005 of the shared network device information object 2001, and the control controller 5 A processing flow execution request is transmitted to the control execution means 504 (step S513).

  For the next steps S514 to S518, processing similar to that of steps S113 to S117 of the operation at the time of changing the setting of the virtual network device in the embodiment of the first invention is executed.

  Next, with reference to the flowchart of FIG. 12, the operation at the time of collectively referring to the setting information / operation data information of the virtual network device in the present embodiment will be described.

  About step S601-S606, the process similar to said step S201-S206 of the operation | movement at the time of the setting information and operation data information batch reference of the said virtual network device in embodiment of 1st invention is performed.

  When it is confirmed in step S605 that the user has authority, the information acquisition processing flow calling unit 408 is called, and the processing flow storage area 2105 in the virtual network device information object 2101 is referred to, and all the setting items are set. And it is confirmed whether the identifiers of the processing flows of all the operation data items are included (step S607).

  If there is a process flow identifier included in step S607, a process flow execution request including the process flow identifier is transmitted to the information acquisition unit 503 in the control controller 5 for the process flow identifier. If there is the setting item or the operation data item that does not include the process flow identifier in S607, the process flow identifier is not included in Step S607 from within the process flow storage area 2005 of the shared network device information object 2001. The process flow identifiers of all the setting items and the operation data items are acquired, and a process flow execution request is transmitted to the information acquisition means 503 in the control controller 5 (step S608).

  For the next steps S609 to S613, processing similar to that of steps S208 to S212 of the operation at the time of batch reference of the setting information / operation data information of the virtual network device in the embodiment of the first invention is executed.

  When the shared network device information object 2001 or the virtual network device information object 2101 is configured to temporarily or regularly hold information acquired from the shared network device 3, the shared network device information object 2001 or the If information is held in the virtual network device information object 2101, the procedure of steps S 609 to S 612 may be omitted, and the information held in the object may be returned in step S 613.

  Next, the operation when referring to the setting information / operation data information of the virtual network device in the present embodiment will be described in detail with reference to the flowchart of FIG.

  About step S701-S708, the process similar to said step S301-S308 of the operation | movement at the time of the setting information and operation data information reference of the said virtual network device in embodiment of 1st invention is performed.

  If it is confirmed in step S707 that the user has authority, the information acquisition processing flow calling unit 408 is called, and the processing flow storage area 2105 in the virtual network device information object 2101 is referred to, and the setting of the reference target is performed. It is confirmed whether the item or the identifier of the process flow of the operation data item is included (step S709).

  If processing flow identifiers are included in step S709, a processing flow execution request including the processing flow identifier is transmitted to the information acquisition means 503 in the controller 5 for those, and if the processing flow identifier is included in step S709, If the identifier is not included, the identifier of the processing flow of the setting item or operation data item to be referenced is acquired from the processing flow storage area 2005 of the shared network device information object 2001, and the information acquisition means 503 in the control controller 5 is acquired. A processing flow execution request is transmitted to (step S710).

  For the next steps S711 to S715, processing similar to that in steps S310 to S314 of the operation when referring to the setting information / operation data information of the virtual network device in the embodiment of the first invention is executed.

  When the shared network device information object 2001 or the virtual network device information object 2101 is configured to temporarily or regularly hold information acquired from the shared network device 3, the shared network device information object 2001 or the If information is stored in the virtual network device information object 2101, the procedure of steps S 711 to S 714 may be omitted, and the information stored in the object may be returned in step S 715.

  Next, the operation when confirming the access authority of the virtual network device in the present embodiment will be described in detail. The operation of this processing is the same as the operation at the time of confirming the access authority of the virtual network device in the embodiment of the first invention.

Next, effects of the best mode for carrying out the present invention will be described. In the best mode for carrying out the present invention, an identifier of a processing flow executed when the virtual network device information object 2101 changes the various setting information included in the object or acquires various operation information. And a processing flow storage area 2105 for storing the information of
Before the control processing flow calling unit 407 extracts the processing flow identifier of the change processing flow of the corresponding item included in the shared network device information object 2001 for the setting item included in the setting information change request, the virtual resource A process of confirming whether or not the process flow identifier of the change process flow of the corresponding item is included in the virtual network device information object 2101 searched by the information access means 403;
Before the information acquisition processing flow calling unit 408 extracts the processing flow identifier of the information acquisition processing flow of the corresponding item included in the shared network device information object 2001 for the setting item included in the operation information / setting information acquisition request In this configuration, the virtual network device information object 2101 searched by the virtual resource information access unit 403 has a configuration for performing processing to check whether or not the processing flow identifier of the information acquisition processing flow of the corresponding item is included.
For each virtual network device within a range of functions provided by the shared network device corresponding to each of a plurality of virtual network devices configured for each user with respect to one shared network device shared by a plurality of users It can be configured to provide different functions.

  Next, the best mode for carrying out the third invention of the present invention will be described in detail with reference to the drawings.

  Referring to FIG. 14, the third embodiment is the same as the first embodiment except for the following points.

  Operations of the virtual resource access unit 403 and the shared resource information access unit 405 are different from those of the first embodiment. The virtual resource information access unit 403 in the shared network device management controller 4 searches for the virtual network device information object 2101 from the resource information repository 402, confirms the presence / absence of a processing target item, and the access authority confirmation unit 404. The shared resource information access unit 405 is called without calling.

  In addition to the operation of the request verification unit 406 in the embodiment of the first invention, the request verification unit 406 calls the access authority verification unit 404 after searching for the shared network device information object 2001.

  Next, the above-described shared network device information object will be described. FIG. 15 is an example of the shared network device information object in the embodiment of the third invention.

In addition to the configuration of the shared network device information object 2001 in the embodiment of the first invention, the shared network device information object 2001 includes at least an administrator ID of an administrator of the shared network device 3 in the device information storage area 2002. Including
A virtual device information storage area 2006 for storing virtual device information 2091 including a virtual device ID when presenting the shared network device as a virtual network device to the user with respect to the user who shares the shared network device, Further, each of the setting items stored in the device setting information storage area 2003 (the port assignment setting item 2013 and the packet filtering rule setting item 2014 in FIG. 15 correspond to this) are disclosed to the user, and the user sets the setting information. It includes disclosure permission / inhibition information indicating whether reference or change can be performed, and the setting contents and the rules included in the setting items and the setting items (the setting contents 2061 and rules 2071 in FIG. 15 correspond to this). ) For each virtual network device Including the virtual device ID information.

  Also, each of the operation data items stored in the device operation information storage area 2004 (the operation data 2022 for each port corresponds to this in FIG. 15) is disclosed to the user and referred to or changed by the user. Information indicating whether the information can be disclosed and virtual device ID information indicating to which virtual network device the information is disclosed.

  Next, the operation at the time of changing the setting of the virtual network device in the present embodiment will be described in detail with reference to the flowchart of FIG. About step S801-S803, the process similar to said step S101-S103 of the operation | movement at the time of the setting change of the said virtual network device in embodiment of 1st invention is performed.

  When the user authentication is completed in step S802, the virtual resource information access unit 403 is called, and a shared network information setting change request corresponding to the processing target virtual network device specified in the request is sent to the shared resource information access. Issued to the means 405 (step S804).

  Next, the shared resource information access unit 405 includes the shared network device information object 2001 including the virtual device information having the virtual network device identifier designated by the request from the resource information repository 402 in the virtual device information storage area 2006. Search is performed (step S805).

  Next, the access authority confirmation unit 404 is called, and the user ID of the user specified by the user authentication in step S802 and the virtual device information storage area 2006 in the shared network device information object 2001 are displayed. The user ID included in the virtual device information having the virtual network device identifier specified in the request is compared, and it is confirmed whether or not the user has authority to change the setting of the virtual network device (step S806). ).

  If it is confirmed that there is no authority, the request receiving means 401 notifies the terminal 1 that the setting change has failed and ends the processing (step S807).

  On the other hand, with respect to subsequent steps S808 to S815 when it is confirmed that the authority is obtained in step S806, the steps S110 to S117 of the operation at the time of changing the setting of the virtual network device in the embodiment of the first invention are performed. The same processing is executed.

  Next, with reference to the flowchart of FIG. 17, the operation at the time of collectively referring to the setting information / operation data information of the virtual network device in the present embodiment will be described.

  About step S901-S903, the process similar to said step S201-S203 of the operation | movement at the time of batch information reference of the setting information and operation data information of the said virtual network device in embodiment of 1st invention is performed.

  When the user authentication is completed in step S902, the virtual resource information access unit 403 is called, and the setting information on the virtual network device from the shared network device corresponding to the virtual network device to be processed specified by the request A batch acquisition request for operating data information is issued to the shared resource information access unit 405 (step S904).

  Next, the shared resource information access unit 405 includes the shared network device information object 2001 including the virtual device information having the virtual network device identifier designated by the request from the resource information repository 402 in the virtual device information storage area 2006. Search is performed (step S905).

  Next, the access authority confirmation unit 404 is called, and the user ID of the user specified by the user authentication in step S902 and the virtual device information storage area 2006 in the shared network device information object 2001 are stored. The user ID included in the virtual device information having the virtual network device identifier specified in the request is compared, and whether or not the user has the authority to collectively acquire setting information / operation data information of the virtual network device Confirmation is made (step S906).

  If it is confirmed that there is no authority, the request accepting unit 401 notifies the terminal 1 that the setting change has failed and ends the processing (step 907).

  On the other hand, the subsequent steps S908 to S912 when the authority is confirmed in step S906 are the same as those in the collective acquisition of the setting information / operation data information of the virtual network device in the embodiment of the first invention. The same processing as in steps S208 to S212 of the operation is executed.

  Next, the operation when referring to the setting information / operation data information of the virtual network device in the present embodiment will be described in detail with reference to the flowchart of FIG.

  For steps S1001 to S1003, the same processing as steps S301 to S303 of the operation when referring to the setting information / operation data information of the virtual network device in the embodiment of the first invention is executed.

  When the user authentication is completed in step S1002, the virtual resource information access unit 403 is called, and a setting information / operation data information reference request for the shared network device corresponding to the processing target virtual network device specified in the request is issued. This is issued to the shared resource information access means 405 (step S1004).

  Next, the shared resource information access unit 405 includes the shared network device information object 2001 including the virtual device information having the virtual network device identifier designated by the request from the resource information repository 402 in the virtual device information storage area 2006. Search is performed (step S1005).

  Next, the access authority confirmation unit 404 is called, and the user ID of the user specified by the user authentication in step S1002 and the virtual device information storage area 2006 in the shared network device information object 2001 are stored. The user ID included in the virtual device information having the virtual network device identifier specified in the request is compared, and it is confirmed whether or not the user has the authority to change the setting of the virtual network device (step S1006). ).

  If it is confirmed that there is no authority, the request receiving means 401 notifies the terminal 1 that the setting change has failed and ends the processing (step S1007).

  On the other hand, for subsequent steps S1008 to S1012 when it is confirmed in step S1006 that the user has authority, the operation at the time of referring to the setting information / operation data information of the virtual network device in the embodiment of the first invention is performed. The same processing as in steps S308 to S312 is executed.

  Next, with reference to the flowchart of FIG. 19, the operation when confirming the access authority of the virtual network device in the present embodiment will be described in detail.

  For steps S1101 to S1103, the same processing as in steps S401 to S403 of the operation at the time of confirming the access authority of the virtual network device in the embodiment of the first invention is executed.

  When the user authentication is completed in step S1102, the virtual resource information access unit 403 is called, and an access authority confirmation request for the shared network device corresponding to the processing target virtual network device specified in the request is sent to the shared resource information. It is issued to the access means 405 (step S1104).

  Next, the shared resource information access unit 405 includes the shared network device information object 2001 including the virtual device information having the virtual network device identifier designated by the request from the resource information repository 402 in the virtual device information storage area 2006. Search is performed (step S1105).

  Next, the access authority confirmation unit 404 is called, and the user ID of the user specified by the user authentication in step S1102 and the virtual device information storage area 2006 in the shared network device information object 2001 are stored. The user ID included in the virtual device information having the virtual network device identifier specified in the request is compared, and it is confirmed whether or not the user has the authority to change the setting of the virtual network device (step S1106). ).

  If it is confirmed that there is no authority, the request receiving means 401 notifies the terminal 1 that the setting change has failed and ends the processing (step S1107).

  On the other hand, if it is confirmed in step S1106 that the user has authority, the request receiving unit 401 notifies the terminal 1 of the confirmation result and ends the process (step S1108).

Next, the effect of this embodiment will be described. In the present embodiment, the device information storage area 2002 includes at least an administrator ID of the administrator of the shared network device 3,
A virtual device information storage area 2006 for storing virtual device information 2091 including a virtual device ID when presenting the shared network device as a virtual network device to the user with respect to the user who shares the shared network device, In addition, each of the setting items stored in the device setting information storage area 2003 includes public availability information indicating whether each of the setting items is open to the user and can be referred to or changed by the user. Including virtual device ID information indicating to which virtual network device each of the setting content and the rule included in an item is disclosed,
Each of the operation data items stored in the device operation information storage area 2004 is disclosed to the user and can be referred to or changed by the user. Including virtual device ID information indicating whether to publish to
The virtual resource information access unit 403 does not search the virtual network device information object 2101 from the resource information repository 402, check whether there is a processing target item, or call the access authority confirmation unit 404, but does not execute the shared resource information. Call the access means 405,
In addition to the operation in the first embodiment, the request verification unit 405 is configured to call the access authority confirmation unit 404 after searching the shared network device information object 2001.

  As a result, the virtual network device information object 2101 is not held in the resource information repository 402, but the shared network device shared by a plurality of users when requested by the terminal 1 is virtually A virtual network device that is a subset of the network device can be dynamically configured.

  Next, a fourth embodiment of the present invention will be described in detail with reference to the drawings.

  Referring to FIG. 20, in the fourth embodiment of the present invention, a resource information template store, resource information template registration means, resource registration means, and resource control processing flow registration means are added to the first embodiment described above. It has been added.

  The resource information template store 409 receives the virtual network device template registration request, the shared network device template registration request, the virtual network device registration request, and the shared network device registration request transmitted from the terminal 1 by the request reception unit 401, and The shared network device controller 4 stores a shared network device template 5001 related to the setting item or operation information item of the shared network device 3 and a virtual network device template 6001 related to the setting item or operation information item of the virtual network device. The resource information template registration unit 410 stores the virtual network device template and the shared network device template received from the request reception unit 401 in the resource information template store 409.

  The resource registration unit 411 receives the corresponding shared network device template 5001 from the resource information template store 409 based on the information included in the virtual network device registration request received by the request receiving unit 401 or the shared network device registration request. The virtual network device template 6001 is searched, the virtual network device information object 2101 and the shared network device information object 2001 are generated and registered in the resource information repository 402.

  The resource control processing flow registration unit 505 stores the resource control processing flow 3001 included in the shared network device registration request received by the request receiving unit 401 in the control controller 5 in the resource control processing flow store 502.

  The fourth embodiment may be performed simultaneously with the first to third embodiments.

  Next, the shared network device information template will be described. FIG. 21 is an example of a shared network device information template.

The shared network device information template 5001 is created for each model of the shared network device 3, and relates to the shared network device itself such as the device model ID of the shared network device 3 and the device configuration type indicating a single device configuration or a cluster configuration. Information and
Information 5011 regarding various setting items provided by the shared network device 3;
And information 5012 related to various operation data items provided by the shared network device 3.

The information 5011 regarding the setting item includes
A setting item that is information on a setting item that the administrator and the user refer to or change the setting item provided by the shared network device 3;
A sub-setting item that is a setting item that exists in a layer below the setting item and is referred to or changed by an administrator and a user when the setting item provided by the shared network device 3 has a layer;
A processing flow identifier that is an identifier of the processing flow to be used when changing the setting of the setting item or the sub-setting item;
Process flow argument that specifies an argument at the time of execution of the process flow as necessary,
Setting condition information for specifying a restriction condition for changing the setting of the setting item or the sub-setting item,
Setting content addition / deletion condition information for specifying constraint conditions for adding or deleting the various setting contents;
And corresponding open operation data item condition information that describes the condition of the processing details to which operation data should be added or deleted in conjunction with the addition or deletion of the setting contents.

  The setting condition information, the setting content addition / deletion condition information, and the corresponding open operation data item condition information may be configured to be included in all of the setting items or the sub setting items, and various processes are performed. However, it may be configured to include only a part necessary for. The condition description method takes the form described in the natural language in the example of FIG. 23, but is not necessarily limited to this form, and various existing programming languages and knowledge description languages may be used. .

The information 5012 related to the operation data item includes
An operation data item that is information of an operation data item that can be referred to by the user among various operation data items provided by the shared network device 3;
A sub-operation data item that is an operation data item that exists in a layer below the operation data item and can be referred to by an administrator and a user when there are layers in various operation data items provided by the shared network device 3;
A processing flow identifier which is an identifier of the processing flow to be used when acquiring information of the operation data item or the sub operation data item;
And a processing flow argument for specifying an argument for executing the processing flow as necessary. Next, the virtual network device information template will be described. FIG. 22 is an example of a virtual network device information template.

  The virtual network device information template 6001 is created for each model of the shared network device 3, and the user ID, the used device ID, the used device model ID of the corresponding shared network device 3, and the corresponding shared network device 3 are configured as a single device. Virtual device information 6011 related to the virtual network device itself, such as a device configuration type such as whether it is a cluster configuration, information 6012 related to various setting items provided by the virtual network device 3, and various operation data items provided by the virtual network device 3. Information 6013.

Information about the setting item 6012 includes
A setting item that is information of a setting item provided by the virtual network device and referred to or changed by an administrator and a user;
When the setting item provided by the virtual network device has a hierarchy, the setting item includes a sub-setting item that exists in a layer below the setting item and is a setting item that an administrator and a user refer to or change.

The information 6013 related to the operation data item includes
An operation data item that is provided by the virtual network device and is information of an operation data item that can be referred to by a user;
When various operation data items provided by the virtual network device have a hierarchy, the operation data items are subordinate to the operation data items that exist in the hierarchy below the operation data items and can be referred to by the administrator and the user. The

  The setting item and the operation data item correspond to the public setting item and the public operation data item in the corresponding shared network device 3.

  Next, various requests transmitted from the terminal 1 will be described.

  The requests transmitted from the terminal 1 include the virtual network device template registration request, the shared network device template registration request, the virtual network device registration request, and the shared network device registration request. It is not always necessary to be able to process all of the requests, and only a part of the requests may be processed.

  Each request includes at least a request identifier for identifying a request type. In addition, the virtual network device template registration request and the shared network device template registration request include template information that is the content of the virtual network device template and the shared network device template, and the content of the resource control flow of the shared network device. Control flow information, and in the virtual network device registration request and the shared network device registration request, the used device ID, used device model ID, and used device type of the shared network device 3 corresponding to the virtual network device to be registered. And the virtual network device information object 2101 or the shared network device information object 2001 and the setting contents and the route to be set in the various setting items in the object. Including the information. Also, authentication token information for user authentication can be included. Further, other parameters may be included as necessary.

  The request identifier, the template information, and the setting content / rule information are not limited to one in one request, and may be included in plural. In addition, one request does not necessarily have to exchange all information in one data exchange communication. For example, the template information or the processing flow information is used as the virtual network device template registration request or the shared network device template registration request. The information may be sent by performing another data exchange communication instead of being included in the first data exchange communication.

  Next, an operation at the time of registering the virtual network device template or registering the shared network device template in the present embodiment will be described in detail with reference to the flowchart of FIG.

  About step S1201-S1203, the process similar to said step S101-S103 of the operation | movement at the time of the setting change of the said virtual network device in embodiment of 1st invention is performed.

  When the user authentication is completed in step S1202, the resource information template registration unit 410 is called, and the resource information template registration unit 410 receives the user information of the user specified by the user authentication in step S1202. The object 2201 is searched from the resource information repository 402 to check whether the user is an administrator (step S1204).

If it is confirmed that the user is not an administrator, the request receiving unit 401 notifies the terminal 1 that the setting change has failed and ends the process (step S1205).

  On the other hand, if it is confirmed that the user is an administrator, the resource information point plate registration unit 410 is called, and the virtual network device template registration request received by the request reception unit 401 in the step S1201 or the shared network device template The template information included in the registration request is extracted and stored in the resource information template store 409 (step S1206).

  Next, the processing flow information included in the virtual network device template registration request or the shared network device template registration request received by the request reception unit 401 in step S1201 is extracted, and the resource control processing flow registration unit 505 is called. (Step S1207).

  The resource control process flow registration unit 505 stores the process flow information in the resource control process flow store 502 (step S1208).

Finally, a normal completion notice is sent to the request receiving means 401, and the process is terminated (step S1209).

  Next, the operation at the time of registration of the shared network device in the present embodiment will be described in detail with reference to the flowchart of FIG.

  For steps S1301 to S1305, the same processing as steps S1201 to S1205 of the operation at the time of virtual network device template registration or shared network device template registration in the fourth embodiment described above is executed.

  Next, the resource registration unit 411 receives the device model ID and device type of the shared network device 3 to be registered included in the shared network device registration request received from the resource information template store 409 by the request reception unit 401 in step S1301. The corresponding shared resource device template 5001 is searched from the resource information template store 409 based on (step S1306).

  Next, the resource registration unit 411 creates the shared network device information object 2001 using the shared resource device template 5001 acquired in step S1306, and the shared network received by the request reception unit 401 in step S1301. The setting contents and the rule information to be set in the various setting items in the object included in the device registration request are set (step S1307).

  Next, the shared network device information object 2001 created in step S1307 is passed to the shared resource information access unit 405, and then the request verification unit 406 is called to store the device setting information of the shared network device information object 2001. The setting contents included in the virtual network device registration request received by the request reception unit 401 with reference to the previous period setting conditions and the setting contents addition / deletion conditions in the change target setting items included in the area 2003 It is checked whether or not the various conditions are not violated even if the rule information is set (step S1308). If the violation is confirmed, the request accepting unit 401 notifies the terminal 1 that the process has failed and ends the process (step S1309).

  On the other hand, when it is confirmed that there is no problem, the control processing flow calling unit 407 is called and the setting information change processing flow identifier of the corresponding setting item is acquired from the processing flow storage area 2005 of the shared network device information object 2001. Then, a processing flow execution request is transmitted to the control execution means 504 in the control controller 5 (step S1310).

  Upon receipt of the processing flow execution request, the control execution unit 504 searches the resource control processing flow store 502 for the corresponding processing flow 3001 based on the identifier of the setting information change processing flow (step S1311), and the processing flow 2201 is Read and execute (step S1312).

  According to the contents described in the processing flow 3001, the shared network device 3 is accessed via the communication means 501, and a single or a plurality of setting change request commands are executed on the shared network device 3, and the shared The setting of the network device 3 is changed (step S1313).

  When the setting change of the shared network device 3 is normally completed, the control processing flow calling unit 407 receives a normal completion notification, and the corresponding open operation data item included in the change target setting item in the shared network device information object 2001. The conditions are confirmed, and operation data is added, updated, or deleted in the device operation information storage area 2004 as necessary, and stored again in the resource information repository 402 (step S1314).

  Finally, a normal completion notice is sent to the request receiving means 401, and the process is terminated (step S1315).

  Next, the operation at the time of registration of the virtual network device in the present embodiment will be described in detail with reference to the flowchart of FIG.

  For steps S1401 to S1403, the same processing as steps S1201 to S1203 of the operation at the time of virtual network device template registration or shared network device template registration in the embodiment of the fourth invention is executed.

  Next, the resource registration unit 411 sends the shared network device 3 corresponding to the virtual network device to be registered included in the virtual network device registration request received from the resource information template store 409 by the request receiving unit 401 in step S1401. The corresponding virtual resource device template 6001 is searched from the resource information template store 409 based on the used device model ID and the used device type (step S1404).

  Next, the resource registration unit 411 creates the virtual network device information object 2101 using the virtual resource device template 6001 acquired in step S1404, and the virtual network received by the request reception unit 401 in step S1401. The setting contents and the rule information set in the various setting items in the object included in the device registration request are set (step S1405).

  Here, in the device setting information storage area 2103 or device operation information storage area 2104 of the virtual network device information object 2101, information 6012 regarding various setting items provided by the virtual network device 3 of the virtual resource device template 6001 and It is not necessary to include all setting items or operation data items included in the information 6013 related to various operation data items provided by the virtual network device 3, and settings specified in the virtual network device registration request from the terminal 1 An item or an operation data item may be included.

  Next, the shared resource information access unit 405 is called, and the device model of the shared network device 3 corresponding to the virtual network device to be registered included in the virtual network device registration request received by the request receiving unit 401 in step S1401. The shared network device information object 2001 is searched from the resource information repository 402 based on the ID and the used device type (step S1406).

  Next, the request verification unit 406 is called up and refers to the previous period setting condition and the setting content addition / deletion condition in the change target setting item included in the device setting information storage area 2003 of the shared network device information object 2001. Then, it is confirmed whether or not the various conditions are not violated even if the setting content or the rule information included in the virtual network device registration request received by the request receiving unit 401 is set (step S1407). If it is confirmed that the violation has occurred, the request receiving means 401 notifies the terminal 1 that the processing has failed and ends the processing (step S1408).

  On the other hand, when it is confirmed that there is no problem, the control processing flow calling unit 407 is called and the setting information change processing flow identifier of the corresponding setting item is acquired from the processing flow storage area 2005 of the shared network device information object 2001. Then, a processing flow execution request is transmitted to the control execution means 504 in the control controller 5 (step S1409).

  When the control execution unit 504 receives the processing flow execution request, the control execution unit 504 searches the resource control processing flow store 502 for the corresponding processing flow 2201 based on the identifier of the setting information change processing flow (step S1410). Read and execute (step S1411).

  According to the contents described in the processing flow 2201, the shared network device 3 is accessed via the communication means 501, and one or a plurality of the setting change request commands are executed on the shared network device 3, and the shared The setting of the network device 3 is changed (step S1412).

  When the setting change of the shared network device 3 is normally completed, the control processing flow calling unit 407 receives a normal completion notification, and the corresponding open operation data item included in the change target setting item in the shared network device information object 2001. The conditions are confirmed, and operation data is added, updated, or deleted in the device operation information storage area 2004 as necessary, and stored again in the resource information repository 402 (step S1413).

  Finally, a normal completion notice is sent to the request receiving means 401, and the process is terminated (step S1414).

  Next, effects of the best mode for carrying out the present invention will be described.

In the best mode for carrying out the present invention, the request receiving means 401 transmits a virtual network device template registration request, a shared network device template registration request, a virtual network device registration request, or a shared network device registration request transmitted from the terminal 1. Receive
A resource information template store 409 for storing the shared network device template 5001 and the virtual network device template 6001 in the shared network device controller 4;
A resource information template registration unit 410 that stores a virtual network device template and a shared network device template received from the request reception unit 401 in the resource information template store 409;
Based on the information included in the virtual network device registration request and the shared network device registration request received by the request receiving unit 401, the corresponding shared network device template 5001 and virtual network device template 6001 corresponding to the resource information template store 409 are used. Resource registration means 411 for generating the virtual network device information object 2101 and the shared network device information object 2001 and registering them in the resource information repository 402,
The control controller 5 further includes resource control processing flow registration means 505 for storing the resource control processing flow 3001 included in the shared network device registration request received by the request receiving means 401 in the resource control processing flow store 502. . With this configuration, it is possible to add a shared network device or virtual network device to be managed.

  The present invention can be applied to applications such as a network management system for controlling and monitoring network devices and a program for realizing the network management system on a computer. Further, the present invention can also be applied to applications such as providing network management functions for controlling and monitoring network devices to various programs running on a computer.

It is a block diagram which shows the structure of the 1st Embodiment of this invention. It is the figure which showed the structure of the shared network apparatus information object in the 1st Embodiment of this invention. It is the figure which showed the structure of the virtual network device information object in the 1st Embodiment of this invention. It is the figure which showed the structure of the user information object in the 1st Embodiment of this invention. It is the figure which showed the resource control flow in the 1st Embodiment of this invention. It is a flowchart which shows the operation | movement at the time of the setting change of the virtual network device in the 1st Embodiment of this invention. It is a flowchart which shows the operation | movement at the time of the setting information and operation data information batch reference of the virtual network device in the 1st Embodiment of this invention. It is a flowchart which shows the operation | movement at the time of the setting information and operation data information reference of the virtual network device in the 1st Embodiment of this invention. It is a flowchart which shows the operation | movement at the time of the access authority confirmation of the virtual network device in the 1st Embodiment of this invention. It is the figure which showed the structure of the virtual network device information object in the 2nd Embodiment of this invention. It is a flowchart which shows the operation | movement at the time of the setting change of the virtual network device in the 2nd Embodiment of this invention. It is a flowchart which shows the operation | movement at the time of the setting information and operation data information batch reference of the virtual network device in the 2nd Embodiment of this invention. It is a flowchart which shows the operation | movement at the time of the setting information and operation data information reference of the virtual network device in the 2nd Embodiment of this invention. It is a block diagram which shows the structure of the 3rd Embodiment of this invention. It is the figure which showed the structure of the shared network apparatus information object in the 3rd Embodiment of this invention. It is a flowchart which shows the operation | movement at the time of the setting change of the virtual network device in the 3rd Embodiment of this invention. It is a flowchart which shows the operation | movement at the time of the setting information and operation data information batch reference of the virtual network device in the 3rd Embodiment of this invention. It is a flowchart which shows the operation | movement at the time of the setting information and operation data information reference of the virtual network device in the 3rd Embodiment of this invention. It is a flowchart which shows the operation | movement at the time of the access authority confirmation of the virtual network device in the 3rd Embodiment of this invention. It is a block diagram which shows the structure of the 4th Embodiment of this invention. It is the figure which showed the structure of the shared network equipment information template in the 4th Embodiment of this invention. It is the figure which showed the structure of the virtual network device information template in the 4th Embodiment of this invention. It is a flowchart which shows the operation | movement at the time of the virtual network device template registration in the 4th Embodiment of this invention, or the said shared network device template registration. It is a flowchart which shows the operation | movement at the time of the shared network apparatus registration in the 4th Embodiment of this invention. It is a flowchart which shows the operation | movement at the time of virtual network device registration in the 4th Embodiment of this invention. It is an example of the system configuration | structure of the conventional general data center. It is an example of a system configuration of a data center using a VLAN switch. It is an example of a system configuration of a data center using a VLAN switch, a VLAN firewall, and a VLAN load balancer.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Terminal 2 Network 3 Shared network apparatus 4 Shared network apparatus controller 5 Control controller 101 Input / output means 102 Communication means 401 Request reception means 402 Resource information repository 403 Virtual resource information access means 404 Access authority confirmation means 405 Shared resource information access means 406 Request Verification means 407 Control processing flow call means 408 Information acquisition process flow call means 409 Resource information template store 410 Resource information template registration means 411 Resource registration means 501 Communication means 502 Resource control processing flow store 503 Information collection means 504 Control execution means 505 Resource control Processing flow registration means 1001 Internet 1002 Router 1003 Switch 1004 Firewall 1005 Load balancer 1006 Web server 1007 VLAN switch 1010 Service site 1011 VLAN firewall 1012 VLAN load balancer 2001 Shared network device information object 2002 Device information storage area 2003 Device setting information storage area 2004 Device operation information storage area 2005 Processing flow storage area 2006 Virtual Device information storage area 2011 SSH access enable / disable setting item 2012 SSH access permission host IP setting item 2013 Port allocation setting item 2014 Packet filtering rule setting item 2021 Device operation time data 2022 Port-specific operation data 2061 Setting content 2071 Rule 2081 Operation data 2091 Virtual device Information 2101 Virtual network device information 2102 Device information storage area 2103 Device setting information storage area 2104 Device operation information storage area 2105 Processing flow storage area 2111 Port allocation setting item 2112 Packet filtering rule setting item 2113 Port-specific operation data 2201 User information object 2202 User information storage area 3001 Processing Flow 5001 Shared Network Device Template 5011 Information on Setting Item 5012 Information on Operation Data Item 6001 Virtual Network Device Template 6011 Virtual Device Information 6012 Information on Setting Item 6013 Information on Operation Data Item

Claims (21)

A shared network device connected to the network and shared by multiple users;
The shared plurality of virtual network device information is a network device and information corresponding to each of the plurality of types of virtual network devices having different functions provided by virtualization, virtual network device information the virtual network device information contains multiple As a group, a resource information repository stored to be associated with the user;
It means for accepting the information acquisition request and / or setting change request to the virtual network device,
Access authority confirmation means for confirming access authority to the virtual network device corresponding to the information acquisition request and / or the setting change request with reference to the resource information repository;
Means for retrieving and acquiring information of the shared network device corresponding to the virtual network device based on the confirmed access authority;
A network management system comprising means for executing a request according to the information acquisition request and / or the setting change request, using the acquired information of the shared network device. The resource information repository includes
Shared network device information that is information of the shared network device is recorded,
2. The network management system according to claim 1, wherein the virtual network device information is recorded separately for each shared network device so that a plurality of shared network devices can be managed. The shared network device information includes
An area is provided for storing virtual device information including a virtual device ID and a user ID, which is information for identifying the virtual network device,
The addition or deletion of the virtual network device can be dynamically executed in response to the addition / deletion request of the virtual network device from a terminal that transmits the information acquisition request and / or the setting change request. The network management system according to claim 2. 4. The network management system according to claim 1, wherein different network functions are assigned to each of the plurality of virtual network devices logically inherent in the shared network device. 5. The network management system according to claim 1, wherein the virtual network device is used for operation of a service site constructed by a service provider. The administrator of the service site corresponding to the user can logically construct a new virtual network device in a shared network device, and the firewall and switch for the virtual network device according to the instructions of the administrator 6. The network management system according to claim 5, wherein any one of the functions of the router and the load balancer is individually set and operated to improve safety against access from the Internet. Network,
A shared network device connected to the network and logically including a plurality of types of virtual network devices having different functions;
A terminal that sends user information, information acquisition request data of setting items or operation data items provided by the shared network device, setting change request data, and access authority request data;
A virtual having an area in which information on items to be referred to or changed for setting items or operation data items provided by the shared network device is extracted for each shared network device unit and each user unit that shares and uses the shared network device. Storing network device information and shared network device information having an area in which information of a change / acquisition processing flow for acquiring information on setting items or operating data items provided by the shared network device or changing settings is stored. It has a resource information repository,
Means for confirming access authority to the virtual network device according to information acquisition request data and setting change request data for the virtual network device connected to the network and recorded in the resource information repository;
The information of the shared network device corresponding to the virtual network device requested to be accessed from the terminal is searched, and the execution request data of the change / acquisition processing flow according to the information acquisition request data and the setting change request data is obtained. Means for sending;
A network management system comprising: a control controller that receives the execution request data, accesses the shared network device, and executes the change / acquisition processing flow on the accessed shared network device.   The means for confirming the access authority and the means for sending the execution request data for the change / acquisition processing flow are the shared network device for setting items or operation data items that the shared network device individually provides for each user. 8. The network management according to claim 7, wherein the virtual network device information extracted as an item to be referred to or changed is managed as a separate item for each virtual network device constructed as a subset which is a part of the entire network management. system.   The means for confirming the access authority and the means for sending the execution request data for the change / acquisition processing flow are referred from the setting items or operation data items provided by the shared network device among the items in the virtual network device information. 9. The network management system according to claim 7, wherein a command is sent to execute a different processing program for each virtual network device for an item extracted as an item to be changed.   Whether or not the resource information repository discloses the user information in the shared network device information as an item to which the user can refer to or change the setting item or operation data item provided by the shared network device 10. The network management system according to claim 7, wherein allocation information indicating ??? is stored. Among the setting items or operation data items provided by the shared network device, a shared network device template describing the setting items or operation data items included in the shared network device information, and the setting items or operation provided by the virtual network device. A resource information template store memory for storing a virtual network device template describing which information is to be extracted from a setting item or an operation data item included in the shared network device information as an item to be referred to or changed for the data item;
The resource registration unit for registering the shared network device or the virtual network device with reference to the shared network device template or the virtual network device template. Network management system. A request receiving means for receiving each request data transmitted from the terminal and performing user authentication;
The virtual network device information is searched from the resource information repository, and the setting item or operation data item that is the target of each request transmitted from the terminal and the setting item or operation data item included in the virtual network device information are obtained. A virtual resource information access means for confirming the presence of an item by comparison;
Access authority confirmation means for confirming access authority by comparing user information specified by the request reception means and user information included in the virtual network device information;
Shared resource information access means for searching for the shared network device information corresponding to the virtual network device;
Request verification means for confirming whether or not there is no problem even if the setting item targeted by the request is changed when the request transmitted from the terminal is a setting change request;
When the request transmitted from the terminal is the setting information change request, control for extracting the process flow identifier of the change process flow of the corresponding item included in the shared network device information for the setting item included in the setting information change request Processing flow calling means;
When the request is the operation information / setting information acquisition request, the processing flow identifier of the information acquisition processing flow of the corresponding item included in the shared network device information for the setting item included in the operation information / setting information acquisition request The network management system according to claim 7, further comprising an information acquisition process flow call out unit. The controller is
A communication means for accessing the shared network device via the network and executing a setting change request command or an information reference request command on the device and receiving an execution result;
A resource control processing flow store for storing a processing flow describing the contents of the setting change request command and the information reference request command executed on the shared network device;
Information collecting means for retrieving and executing a process flow that matches the process flow identifier of the information acquisition process flow from the resource control process flow store, and sending the execution result to the information acquisition process flow calling means;
Control execution means for retrieving a process flow matching the process flow identifier of the change process flow from the resource control process flow store and executing the process flow, and sending the execution result to the control process flow calling means; The network management system according to claim 12. A plurality of types of virtual network device information which is information corresponding to each of a plurality of types of virtual network devices having different functions provided by virtualizing a shared network device shared and used by a plurality of users is stored in the virtual network. Storing as a virtual network device information group including a plurality of device information in a resource information repository stored so as to be associated with the user;
A step of accepting the information acquisition request and / or setting change request to the virtual network device,
Confirming access authority to the virtual network device corresponding to the information acquisition request and / or the setting change request with reference to the resource information repository;
Searching and acquiring information on the shared network device corresponding to the virtual network device based on the confirmed access authority;
And a step of executing a request according to the information acquisition request and / or the setting change request using the acquired information of the shared network device. Sends user information, information acquisition request data, setting change request data, and access authority request data for setting items or operating data items provided by shared network devices that logically contain multiple types of virtual network devices with different functions. Steps,
Virtual network device information in which information of items to be referred to or changed for setting items or operation data items provided by the shared network device is extracted for each shared network device unit and for each user unit that shares and uses the shared network device. Storing in the resource information repository shared network device information including information on a change / acquisition processing flow for performing information acquisition or setting change of setting items or operation data items provided by the shared network device;
Checking access authority to the virtual network device according to information acquisition request data and / or setting change request data for the virtual network device stored in the resource information repository;
Searching for shared network device information corresponding to the virtual network device;
Sending execution request data of the change / acquisition process flow according to the information acquisition request data and / or the setting change request data;
Receive the execution request data of the change / acquisition process flow, access the shared network device, execute the change / acquire process flow on the shared network device, and obtain an information acquisition request for the virtual network device and / or A network management method comprising a step of responding to a setting change request.   The virtual network device information extracted as an item to be referred to or changed for each virtual network device unit with respect to setting items or operation data items individually provided by the shared network device is managed. Item 16. The network management method according to Item 15. An instruction to execute a different processing flow for each virtual network device for items extracted as items to be referred to or changed from setting items or operation data items provided by the shared network device in the virtual network device information The network management method according to claim 16, further comprising the step of:   In the shared network device information, whether to disclose to the user which items that can be referred to or changed about the setting items or operation data items provided by the shared network device and the information of the users who share the shared network device The network management method according to claim 15, further comprising a step of storing allocation information to be indicated in the resource information repository. Among the setting items or operation data items provided by the shared network device, a shared network device template describing the setting items or operation data items included in the shared network device information, and the setting items or operation provided by the virtual network device. Storing a virtual network device template describing which information is to be extracted from the setting item or the operation data item included in the shared network device information as an item for referring to or changing the data item;
19. The method according to claim 15, further comprising: registering the shared network device information or the virtual network device information with reference to the shared network device template or the virtual network device template. Network management method. Receiving user information and each request data transmitted from the terminal, and performing user authentication;
The virtual network device information is searched from the resource information repository, and the setting item or operation data item that is the target of each request transmitted from the terminal and the setting item or operation data item included in the virtual network device information are obtained. A step of comparing and checking for items, and
Comparing the user information specified after receiving the request data with the user information included in the virtual network device information, and confirming the access authority to the corresponding virtual network device;
Retrieving the shared network device information corresponding to the virtual network device;
When the request transmitted from the terminal is a setting change request, confirming whether there is no problem even if the setting item targeted by the request is changed;
When the request transmitted from the terminal is the setting information change request, a step of extracting a process flow identifier of the change process flow of the corresponding item included in the shared network device information for the setting item included in the setting information change request When,
When the request is the operation information / setting information acquisition request, the processing flow identifier of the information acquisition processing flow of the corresponding item included in the shared network device information for the setting item included in the operation information / setting information acquisition request The network management method according to any one of claims 15 to 19, further comprising a step of taking out. On the computer,
Receives user information, information acquisition request data, setting change request data, and access authority request data for setting items or operation data items provided by shared network devices that logically contain multiple types of virtual network devices with different functions Steps,
Virtual network device information in which information of items to be referred to or changed for setting items or operation data items provided by the shared network device is extracted for each shared network device unit and for each user unit that shares and uses the shared network device. Storing as a resource information repository shared network device information including information on a change / acquisition processing flow for performing information acquisition or setting change of setting items or operation data items provided by the shared network device;
Confirming access authority to the virtual network device according to information acquisition request data and / or setting change request data for the virtual network device stored in the resource information repository;
Searching for shared network device information corresponding to the virtual network device;
Sending the execution request data of the change / acquisition process flow according to the information acquisition request data and / or the setting change request data,
A program causing a control controller to access the shared network device based on the execution request data of the change / acquisition processing flow and to execute the change / acquisition processing flow on the shared network device.

Images