JP4758381B2 - Test data generation system, program thereof, recording medium thereof, and test data generation method - Google Patents

Description

  The present invention relates to a test data generation system, a program thereof, a recording medium thereof, and a test data generation method.

JP 2001-175684 A JP 2003-005645 A JP 2005-285002 A

As shown in Patent Document 3 above, generally, in the final stage of development of a large-scale system, when performing a comprehensive test using the same data as the actual operation environment, in a system that involves the use of personal information, From the viewpoint of preventing leakage of personal information to the outside, it is not allowed to use actual personal data during system development.
For this reason, during system development, it is necessary to generate test data similar to the actual operating environment, and as a device for generating such test data, a surname with a high frequency in a personal name dictionary or the like is registered in advance. In addition, using random numbers corrected according to frequency and selecting and combining character strings from them, there is a problem due to the diversion of personal data even if the result is approximated to the actual distribution and disclosed results of use. A device (patent document 1) such as adopting a device with a means for generating fictitious surname data that does not exist, and a field (name) arbitrarily selected as personally identifiable personal data , Date of birth, etc.) can be used for analysis processing etc. by generating a file with encrypted data Devise such (Patent Document 2) have been proposed.

  In the above-mentioned Patent Document 3, since the surname data to be generated is fictitious as a problem of the above-mentioned Patent Document 1, there is no problem that an individual is specified regarding the surname, but other fields (date of birth, address) Etc.) is not taken into consideration, so there is a possibility that individuals may be specified by other data, and the approximateness of the distribution also assumes a general surname as a general population. Therefore, the approximation of distribution in operational data is not necessarily ensured, and furthermore, the appearance frequency of surname character strings is considered as a distribution, but the developed system is generally more than the appearance frequency of character strings However, because it is affected by the length of the character string (data amount), it has been pointed out that it does not make much sense in system testing, except in a few cases such as name search performance.

  Next, as a problem of the above-mentioned Patent Document 3, since the actual data can be used for the unencrypted field data, the test in the form close to the actual operation is performed. Although it is possible, the data in the field (name, date of birth, etc.) that identifies the individual is encrypted and cannot be used for testing because it has a different data format. The statistical distribution of the personal data set differs from the actual personal data set, and there are differences in the events that make sense of the personal data set distribution, such as the number of traffics processed and the data capacity. In this case, the field to be encrypted is reduced by lowering the standard for selection of the encrypted field. When it to not selected, could be a particular individual is pointed out that increasing.

Patent Document 3 is an apparatus for generating test data based on personal data stored in personal data storage means in order to solve the problems of Patent Document 1 and Patent Document 2, and each field of the personal data Conversion rule definition means for generating conversion rule definition information in which a part of the data is defined as a target for data conversion processing according to the data format of the field, and the personal data storage means based on the conversion rule definition information And a personal data converting means for generating the test data by converting the personal data stored in the test data.
By such means, Patent Document 3 provides a system for creating test data that cannot identify an individual, and a user sets a conversion rule on the system, and the production data is obtained based on the rule. It is possible to convert and create the destination data.

(First problem)
However, in the system of Patent Document 3, there is no mention of the handling of production data before conversion (actual data of personal information used in business), and production data before conversion is temporarily stored in a development or test computer. Since it exists, there is a risk of data leakage.

(Second problem)
Furthermore, not only in the above-mentioned patent document 3, but generally in actual development sites, one person can play a plurality of roles in situations where test data creation specifications are examined, test data is created, and testing is performed. There is a risk of data leakage.

(Third problem)
In addition, the same item may exist in a plurality of files in the test data, and depending on the test specification, it may be necessary to mask them in the same method. It is not mentioned and no specific solution is given.
Specifically, for example, in order to collect statistics on those who work in Nishi-ku, Osaka City, from the actual data "1-6-3 Shinmachi Nishi-ku, Osaka City", fictitious data for testing (personal information It is assumed that “Nishi-ku, Osaka City, Osaka, Japan ○○○○○○○” is generated. In addition to the above, in order to collect statistics on persons living in Shinmachi, Nishi-ku, Osaka City, it is assumed that fictitious data “Shinmachi Nishi-ku, Osaka City, Osaka Prefecture” is generated from the same actual data. On the other hand, if it becomes necessary to collect statistics on those who work in Shinmachi, Nishi-ku, Osaka and live in the same Shinmachi, using the former and latter test data, taking the product (AND) set of both data as is, The former test data will be included in the Nishi Ward, and will include data from employees who work outside Shinmachi. That is, since the masking method (designated position) is not unified, both data cannot be used.
Regarding such a point, Patent Document 3 does not provide any means for solving or support means for solving the problem.
The present invention aims to solve these problems.

The first invention of the present application provides a test data generation system using a computer that creates test data based on actual personal data and has the following configuration.
That is, the test data generation system includes a test data management device 1, a business first data processing device 2 that uses actual personal data, and a test second data processing device that performs data processing using the test data. 3. The test data management device 1 includes conversion rule definition means for defining rules for generating the test data, and generation command reception means for receiving a test data generation instruction. The first data processing device 2 includes personal data storage means for storing the personal data, conversion rule storage means for registering a defined conversion rule, and data conversion for generating fictitious data as test data from the personal data Means. The test data management device 1 registers the conversion rule defined by the conversion rule definition unit in the conversion rule storage unit of the first data processing device 2. Then, when the generation command receiving unit of the test data management device 1 receives the test data generation command, the first data processing unit 2 converts the personal data stored in the personal data storage unit into the conversion data by the data conversion unit. Conversion is performed based on the conversion rule registered in the rule storage means, and the generated test data is transferred to the second data processing device 3.

A second invention of the present application provides the test data generation system according to the first invention of the present application, which has the following configuration.
That is, the test data management apparatus 1 includes data deletion means and time management means. The time management means detects that the predetermined time has arrived for the test data of the second data processing device 3, and the data deletion means deletes the test data.

A third invention of the present application is the first or second invention of the present application, and provides a test data generation system having the following configuration.
That is, the test data management apparatus 1 includes an authentication unit. The authentication means authenticates whether or not the commander has authority to generate test data. The generation command accepting unit permits the data generation command to a person who has the authority of the test data generation command and generates the data for a person who does not have the authority to generate the test data according to the authentication of the authentication unit. The command and reference to the first data processing device 2 are not permitted.

A fourth invention of the present application is the third invention of the present application, and provides a test data generation system having the following configuration.
The authentication means authenticates whether or not the person who intends to define the conversion rule has authority to define the conversion rule. The conversion rule definition means permits the person who has the authority to define the conversion rule to register the conversion rule definition according to the authentication of the authentication means, and to the person who does not have the authority to define the conversion rule. Therefore, the conversion rule definition reference and registration are not allowed.

A fifth invention of the present application provides the test data generation system according to any one of the first to fourth inventions of the present application, which has the following configuration.
That is, the test data management apparatus 1 includes a consistency check unit. The conversion rule definition means generates conversion rule definition information in which a part of the data is defined as a data conversion process target for the data of each field of the personal data according to the data format of the field. The data conversion unit converts the personal data stored in the personal data storage unit based on the conversion rule definition information, and generates the test data. The consistency check means verifies the presence or absence of the same item as the test data item included in the conversion rule definition information before registration already generated by the conversion rule definition means during the definition of the conversion rule, and Verify whether conversion rules are identical.

A sixth invention of the present application provides a test data management program for a test data generation system for creating test data based on actual personal data by a computer, which has the following configuration.
That is, the test data management program of this test data generation system is installed in a computer, and the test data management device 1, the business first data processing device 2 that uses actual personal data, and the test data are used as data. A test second data processing device 3 that performs processing, and the test data management device 1 generates a conversion rule defining means for defining a rule for generating the test data, and a generation command for receiving a test data generation command The first data processing device 2 includes a personal data storage unit for storing the personal data, a conversion rule storage unit for registering a defined conversion rule, and a test for imaginary data from the personal data. Data conversion means for generating data, and the test data management device 1 includes the conversion rule definition means described above. Constructing a test data generation system for registering a conversion rule defined in the first data processing apparatus 2 of the conversion rule storing means Te.
The program receives the test data generation command by the generation command reception unit of the test data management device 1, and the personal data stored in the personal data storage unit is converted into the conversion rule storage unit by the data conversion unit. The test data is converted based on the conversion rule registered in (2), and the generated test data is transferred to the second data processing device 3.

The seventh invention of the present application provides a recording medium on which the program of claim 6 is recorded.
The eighth invention of the present application provides a test data generation method using a computer that creates test data based on actual personal data and has the following configuration.
That is, this test data generation method includes a test data management device 1, a business first data processing device 2 that uses actual personal data, and a test second data processing device that performs data processing using test data. 3 is used. The test data management device 1 includes conversion rule definition means for defining rules for generating the test data, and generation command reception means for receiving a test data generation command. The first data processing device 2 Comprises personal data storage means for storing the personal data, conversion rule storage means for registering a defined conversion rule, and data conversion means for generating fictitious data as test data from the personal data. . In this method, the test data management device 1 registers the conversion rule defined by the conversion rule definition unit in the conversion rule storage unit of the first data processing device 2. Then, when the generation command reception unit of the test data management device receives the test data generation command, the data conversion unit of the first data processing device 2 stores the personal data of the personal data storage unit with the conversion rule. Conversion is performed based on the conversion rule registered in the means, and the generated test data is transferred to the second data processing device 3.

A ninth invention of the present application is the first invention of the present application, and provides a test data generation system having the following configuration.
That is, the test data management device refers to the extraction condition setting means for setting the extraction condition of the personal data to be converted and the personal data storage means of the first data processing device, and the personal data extracted under the extraction condition. Extraction number confirmation means for detecting and displaying the number of cases is provided. The first data processing apparatus includes an extraction condition storage means for storing the extraction conditions determined by the extraction condition setting means of the test data management apparatus, and an extraction for extracting personal data from the personal data storage means in accordance with the extraction conditions of the extraction condition storage means Means, and extracted data storage means for storing the personal data extracted by the extracting means. When the generation command receiving means of the test data management apparatus receives the test data generation instruction, the first data processing apparatus extracts the personal data from the personal data storage means by the extraction means and stores it in the extracted data storage means. Thereafter, the personal data extracted in the extracted data storage means is converted by the data conversion means based on the conversion rules registered in the conversion rule storage means, and the generated test data is transferred to the second data processing device.

A tenth invention of the present application is the first invention of the present application, and provides a test data generation system having the following configuration.
That is, the first data processing apparatus includes a conversion notification unit that notifies the test data management apparatus that the generated test data has been transferred to the second data processing apparatus. The test data management device includes a conversion confirmation unit that receives the notification and displays that the first data processing device has generated test data and transferred it to the second data processing device.
In the eleventh invention of this application, in the second invention of the present application, the second data processing device comprises a deletion notification means, and the test data management device comprises a deletion confirmation means for displaying a record of data deletion. The deletion notification means provides a test data generation system that notifies the deletion confirmation means of deletion information of the data when the data deletion means deletes the data.

In the first to eleventh inventions of the present application, a test data processing (second data processing device) is provided separately from the business data processing device (first data processing device), and the business environment is used for testing. In addition to separation from the environment, in accordance with the instructions from the test data management device, registration of rules for conversion (generation of conversion programs) and conversion processing for generating test data from actual personal data By performing on the business data processing device where the personal data is placed, the personal data before conversion is concentrated on such business data processing device, and the personal data before conversion is converted to the test data processing device. Was prevented from dispersing. That is, only the test data is stored in the test processing device, and it is possible to prevent personal data before conversion from being placed in the test processing device.
This prevented the leakage of personal data and increased the confidentiality of personal data.
As described above, the present invention has solved the first problem.

In the second invention of the present application, the generated test data transferred to the second data processing apparatus can be reliably discarded after the expiration date. This prevented leakage of test data and reduced the risk of personal data being guessed indirectly from test data.
Furthermore, in the third invention of the present application, the authentication means included in the test data management device restricts the test data generation command and the reference to the first data processing device to the authorized person of the command, and personal data leaks to the unauthorized person. To prevent. Such authentication can restrict the authority of data generation commands to those who are not authorized to generate test data, such as those authorized to define data conversion rules. The authority to define conversion rules and the authority to generate data can be separated, reducing the risk of personal information leakage.
Thus, the third invention of the present application has solved the second problem.

Further, in the fourth invention of the present application, the above-mentioned authentication means restricts the reference and registration of the definition of the conversion rule to the authorized person of the rule registration and prevents personal data from leaking to the unauthorized person. By such authentication, the authority to refer to and define conversion rules is also restricted to persons other than those authorized to register conversion rules, such as data creation command authorized persons and data generation order requesters. In addition, the authority of the data generation command and the request authority of the command can be separated from the authority of defining the data conversion rule, and the risk of leakage of personal information is reduced.
Thus, the fourth invention of the present application has solved the second problem.

In the fifth invention of this application, during the definition of the conversion rule by the consistency check unit, the presence or absence of the same item as the test data item included in the conversion rule definition information before registration already generated by the conversion rule definition unit is verified, In addition, it is possible to verify whether or not the conversion rule is identical. For this reason, the person who defines the conversion rule can detect that the same item exists in a plurality of files. Furthermore, for a plurality of files in which the same item is detected, these are determined by the test specification. Can easily achieve matching such as masking by the same method.
Thus, the fifth invention of the present application has solved the third problem.
The sixth invention of the present application provides a management program for constructing a test data management apparatus that realizes the above system.
The seventh invention of the present application provides a medium for the sixth program of the present application.
The eighth invention of the present application provides a method realized by the system according to the first of the present application, and separates the test environment from the business environment and concentrates the personal data only on the business environment, thereby providing a test environment. To prevent actual personal data from being placed in This prevented the leakage problem and solved the first problem.

According to the ninth aspect of the present invention, the test data management apparatus can confirm the number of extractions of personal data to be converted before conversion for test data generation.
Thereby, it is possible to confirm whether or not the number of data to be extracted before conversion is appropriate for the customer, and the extraction condition can be reset so that the number of extractions desired by the customer before conversion is set.
In the tenth invention of the present application, in the test data management device, it is possible to confirm when the test data has been placed in the second data processing device.
Thereby, it is possible to easily indicate to the customer when the test data is in the second data processing apparatus.
In the eleventh aspect of the present invention, in the test data management apparatus, the test data can confirm that the data has been reliably deleted from the second data processing apparatus.
As a result, the customer can easily confirm the deletion of the test data.

Hereinafter, preferred embodiments of the present invention will be described with reference to the drawings.
1 to 10 show an embodiment of the present invention.
FIG. 1 is an explanatory diagram showing a system configuration of a system according to the present invention. FIG. 2A is an explanatory diagram of an authentication table referred to by the authentication means, and FIG. 2B is an explanatory diagram showing a layout of a test request item table. FIG. 3A is an explanatory diagram showing a masking target item list table, and FIG. 3B is an explanatory diagram of a request table (test data creation instruction table). FIG. 4 is an explanatory diagram of a test data specification registration (conversion rule definition acceptance) screen. FIG. 5 is an explanatory diagram showing the flow of registration of conversion rules. FIG. 6 is an explanatory diagram of an interface screen provided in the test data creation command receiving means. FIG. 7 is an explanatory diagram showing a flow of a request for creating test data. FIG. 8 is an explanatory diagram of an interface screen for a test data generation command. FIG. 9 is an explanatory diagram showing a flow of test data generation. FIG. 10 is an explanatory diagram showing an operation flow of the deleting means of the test data management apparatus 1.

1. System Overview A test data generation system according to the present invention uses a computer to create fictitious test data based on actual personal data. A business computer (first data) that uses actual personal data. A processing device 2) and a test computer (second data processing device 3) that is independent of the business computer, and fictitious data that is test data under the management of the management computer (test data management device 1) Is generated on a business computer where actual personal data is placed, and only the generated fictitious test data is passed to the test computer.

This system is operated by a test client A, a rule definer B, and a test data generation commander C.
The test requester A is a person in charge of test execution, for example, an administrator of the second data processing device 3 (test computer).
The rule definer B is an administrator of the test data management apparatus 1 (management computer), and is a person who serves as a contact point with a customer (a person who requests an item to be hidden in personal data) such as a product manager. .
The test data generation commander C is an administrator or operator of the first data processing apparatus 2 (business computer) and is a person who can contact actual personal data.
Hereinafter, the test requester A is simply called the requester A, the rule definer B is simply called the definer B, and the test data generation commander C is simply called the commander C.
Here, the overall work flow centered on the above three will be briefly described.
i) Specification request First, in the case where the requester A makes a request for a test using the second data processing device 3 (test computer) to be managed (i.e., wants to perform a test with the contents described above), Notify the definer B (items to be included in the data).
The “specification” in the requester A is an item included in the test data (not the specification of the conversion rule).
ii) Definition and registration of rules In the test data management means 1, the definer B generates, as fictitious data, necessary items of test data requested by the client A based on the above-mentioned specification request of the client A Define conversion rules for The definition of the conversion rule is to create a conversion program. The defined rule is registered in the first data processing apparatus 2 by the definer B.
iii) Notification of registration The commander C and the client A are notified that the above conversion rule has been registered.
iv) Test data creation request Client A who knows that generation of desired test data can be generated by the above notification requests commander C to generate test data.
v) Test data generation The commander C who receives the above request uses the conversion rule (conversion program) registered (defined) on the first data processing device 2 to be held by the first data processing device 2. The actual personal data is converted to generate fictitious test data, which is transferred to the second data processing device 3.
The above i) to v) are the outline of the work between the above A to C.
The system according to the present invention is responsible for at least ii) rule definition and registration, iv) test data creation request, and v) test data generation.

2. System Configuration As shown in FIG. 1, this test data generation system includes a test data management device 1, a business first data processing device 2 that uses actual personal data, and a test data processor that performs data processing using test data. The second data processing device 3 is provided.

  The test data management apparatus 1 includes a request receiving unit 11 that receives a request for generating test data, a conversion rule defining unit 12 that defines a rule for generating test data, and a definition command receiving unit 13 that receives a command for the definition. The computer includes a table storage unit 14, a consistency check unit 15, a generation command reception unit 16 that receives a test data generation command, an authentication unit 17, a data deletion unit 18, and a time management unit 19. The table storage means 14 of the test data management apparatus 1 includes an authentication table storage unit shown in FIG. 2A, a table layout storage unit shown in FIG. 2B, and FIG. 3A. A masking target item list table storage unit and a request table (test data creation instruction table) storage unit are provided in FIG. 3B (illustration of each storage unit itself is omitted).

The first data processing device 2 includes personal data storage means 21 for storing the personal data, conversion rule storage means 22 for registering a defined conversion rule, and data for generating fictitious data as test data from the personal data It is a computer comprising conversion means 23.
The second data processing device 3 is a computer provided with test data storage means 31.
The data storage means of each of the devices 1 to 3 is a data storage device such as a hard disk or other magnetic disk.

The test data management device 1, the first data processing device 2, and the second data processing device 3 are connected by a network such as a LAN or a WAN, and will be described below between the three devices. The necessary commands and data can be sent and received.
The client A, the definer B, and the commander C can all use and operate this system through the test data management device 1.
In FIG. 1, an arrow drawn with a one-dot chain line indicates the command system of the client A, an arrow drawn with white indicates a command system of the definer B, and an arrow drawn with a two-dot chain line indicates the commander C The arrow drawn with a solid line indicates the movement direction of the generated data, and the arrow drawn with a dotted line shows the deletion command system for the generated data.
In this embodiment, the requester A, the definer B, and the commander C all access the test data management apparatus 1 from their terminal computers.

3. System operation Below is a description of the function of each part in accordance with the specific operation of the system.
3-1) Definition of conversion rule and registration of the program It corresponds to ii) rule definition and registration in the system overview.
The definer B accesses the definition command receiving means 13 of the test data management device 1. At this time, the definition command accepting unit 13 authenticates by the authenticating unit 17 whether or not the accessing person is the definer B who has the authority to define the conversion rule.
Specifically, the definition command accepting unit 13 uses the authentication unit 17 to request the definer B to input an ID or password. The definer B inputs an ID or password given in advance to a person who has the authority to define the conversion rule. It should be noted that the authentication means can be implemented by using another known method such as biometrics authentication or using the other method in combination with the above. Here, authentication is performed using the employee number as an ID.

First, a specific example of the authentication unit 17 will be described.
The authentication means 17 performs authentication with reference to the authentication table shown in FIG. 2A stored in the table storage unit 14.
The authentication table includes items of “employee number”, “test data specification registration”, “test data creation instruction”, and “process execution” from the left as shown in the uppermost row.
The item “Register Test Data Specification” indicates whether or not there is an authority to define the conversion rule, ○ indicates that the user has the authority for the definition, and X indicates that the user does not have the authority for the definition.
The “test data creation instruction” item indicates whether or not the commander C has the authority to request the generation of test data. ○ indicates the authority for the request, and × indicates no authority for the request. It shows that.
The “Process Execution” item indicates whether or not the data conversion means 2 of the first data processing device 2 has the authority to generate a test data command, ○ indicates the authority of the command, and X indicates the command. Indicates that the user has no authority.

The requester A is given only the authority to request the commander C to generate test data, and is not given the authority to define conversion rules and the command to generate test data. Therefore, for the client A, only the “test data creation instruction” item is ○, and the “test data specification registration” and “process execution” items are “x”.
The definer B is given the authority to request the commander C to generate test data and the authority to define the conversion rule, but not the command to generate test data. Therefore, for the definer B, the items of “test data creation instruction” and “test data specification registration” are ◯, and the item of “process execution” is x.
The commander C is given only the authority to generate test data, is not authorized to define conversion rules, and has no authority to generate test data, and does not need the authority to request test data generation. is there. Therefore, for the commander C, only the “process execution” item is ○, and the “test data specification registration” and “test data creation instruction” items are “x”.

In FIG. 2A, the person having the employee number 100001 is authenticated as the definer B because the items of “test data creation instruction” and “test data specification registration” are ○ and the others are “x”. ing. Further, the person having the employee number 100002 is authenticated as the client A because the item of “test data creation instruction” is ○ and the others are ×. Further, the person having the employee number 100003 is authenticated as the commander C because the item “execution of processing” is “◯” and the others are “x”.
The authentication unit 17 refers to such a table and performs the above-described authentication, thereby prohibiting the requester A from referring to or defining the conversion rule and to instruct the first data processing device 2 to generate test data. , For the definer B, the test data generation command to the first data processing device 2 is prohibited, and the commander C is prohibited from referring to, defining, and registering the conversion rule.
That is, the authentication unit 17 prohibits access to the system by a person other than the system operator (A to C) by performing the above access control (access restriction), and the requester A, the definer B, and the commander. The separation of authority in C system operation is realized.

  Therefore, in the above description, the definer B inputs the employee number to the authentication unit 17 through the definition command receiving unit 13. The authenticating means 17 collates the above authentication table, and sends a definition rule to the definer B through the definition command accepting means 13 of the test data management apparatus 1 and the reference and definition necessary for defining the conversion rule. Allow the rule registration work.

Next, the definer B who has been authenticated, through the definition command accepting means 13, uses the conversion rule defining means 12 to store the table (masking) required for the conversion rule definition in the masking target item list table storage section of the table storing means 14. Create and update target item list table).
The table storage unit 14 stores a table layout database shown in FIG. This database shows the test items desired by the client A, and is provided to the definer B before or together with the request from the client A. As described above, the table of the table storage unit 14 ( Layout storage section).
As shown in FIG. 2B, the database of the table storage unit 14 holds items that the client A desires to test. However, the database holds items such as “applicant name” (code name “MKNSMI”) and “applicant address” (code name “MKNJUS”). It holds only the items necessary to specify the target for which the conversion rule is set.
In the example shown in FIG. 2B, the table layout database includes a table with a name of “completer master” (code name “RBEMO”) and a table with a name of “contract master” (code name “RCC1A”). We already have two kinds of tables.

The conversion rule definition means 12 provides the definition support screen (definition support interface) shown in FIG.
The definer B creates a masking target item list table shown in FIG. 3A using the input screen (definition support screen) shown in FIG.
As shown in FIG. 4, this definition support screen creates a masking item list table (FIG. 3A) from the test item table layout (FIG. 2B) stored in the table storage means 14. A selection receiving unit a that selects a table layout to be attempted; an input unit b that displays items included in the selected table layout and receives an input of a conversion rule; and a completion receiving unit c that receives an instruction to complete a definition (input) Have

Here, an example of conversion rules that can be defined by the conversion rule definition means 12 will be described.
First, a masking method will be described. As a first masking method, there is a method in which data before masking and data after masking are made to correspond one-to-one. This first method is applied when the item is unique key data such as an applicant number.
Specifically, in the first method, when 10 characters 0 to 9 are converted, the 10 characters are used for each of 0 to 9 so that there is no overlap between the converted characters. Conversion is performed by using a table replaced with. This table is, for example, 1 to 7, 2 to 4, 3 to 5, 4 to 3, 5 to 1, 6 to 9, 7 to 2, 8 to 0, 9 to 8 , 0 is replaced with 6, respectively.
As a second masking method, the data before masking and the data after masking are made to correspond to N (plurality) one-to-one.
Specifically, in the second method, when 10 characters from 0 to 9 before the conversion are converted, each of 0 to 9 is used for the 10 characters and overlapped between the converted characters. A table that replaces with permission is adopted, and conversion is performed using the table.
For example, in this case, 1 to 2, 2 to 3, 3 to 3, 4 to 2, 5 to 1, 6 to 1, 7 to 2, 8 to 3, 9 to 1, 0 To replace 0 with 0.
This can be employed, for example, when it is sufficient to identify only the area code for the telephone number.
Further, if not required, it can be selected not to perform such masking.
In each column of the item “masking method” of the input section b of FIG. 4, “1: 1” adopts the first masking method, and “N: 1” adopts the second masking method. "None" indicates that no masking is performed.

Furthermore, the conversion rule definition means 12 can also specify the designation of masking position information. For example, if it is specified that the 4th to 20th bytes are masked as 1 byte per character, the address “Osaka City ○○○○○○○ It is possible to prevent the address after “Osaka City” from being displayed.
The “FROM” item on the screen of FIG. 4 indicates the top position of masking, and the “TO” item indicates the end position of masking. The masking position can be specified by specifying the top position of masking (by setting the “FROM” item) and specifying the end position of masking (by setting the “TO” item).
Masking here includes both masking (blindfolding) and rewriting to another data without masking (the above-mentioned one-to-one conversion and N: 1 conversion). In addition, “imaginary” of fictitious data includes masking as well as the above rewriting.
Further, the method of defining the conversion rule to the fictitious data is not limited to the method using the conversion table as described above, and can be implemented even by using other known means (definition program). For example, the present invention can be implemented even using a random number generator (program) disclosed in Patent Document 3.

The definer B sets each item and defines a conversion rule on the definition support screen shown in FIG.
The conversion rule definition means 12 accepts such masking rule input, creates a masking target item list table shown in FIG. 3, and stores it in the table storage means 14.

FIG. 5 shows a series of steps from the creation of the masking target item list table, that is, the conversion rule definition to the conversion rule registration.
As shown in FIG. 5, the conversion rule definition and its registration process are as follows: conversion rule reception step 101, masking target item reading step 102, consistency check step 103, warning display step 104, correction reception step 105, The masking target registration step 106, the conversion rule generation step 107, and the conversion rule registration step 108 are performed.

Hereinafter, the above steps will be described in order.
In the conversion rule receiving step 101, the conversion rule defining means 12 receives an instruction to start the conversion rule registration process.
Initially, there is no conversion rule defined from the database shown in FIG. According to the above database example, a masking target item list table for “completer master” is created and stored in the table storage means 14, and then a masking target item list table for “contract master” is created. This is added to the masking target item list table in the storage means 14 (FIG. 3A).

Here, first, it is assumed that a masking target item list table for “completer master” has already been created, and a masking target item list table for “contract master” is created.
The conversion rule definition means 12 provides the necessary information to the definer B by referring to the database table of FIG. 2 (B) placed in the table storage means 14 through the support screen shown in FIG. Supports creation of masking item list table.

Specifically, the definer B can select the table name of the masking target item list table to be created from the table names in the database using the table name selection box a on the screen shown in FIG. A masking target item list table is newly created with the selected name. Here, “contract master” can be selected as the name of the masking target item list table.
As shown in FIG. 4, the conversion rule definition means 12 refers to the database table in FIG. The input part b) is displayed. For this displayed item, definer B inputs the masking method and masking range in the “masking method” column, “FROM” and “TO” columns as necessary.

Then, the conversion rule definition means 12 accepts the operation of the “Register” button (completion acceptance unit c) on the support screen shown in FIG. 4. If the above masking rule definition work is completed, the conversion rule definition means 12 The person B presses the “Register” button on the screen of FIG. 4 (actually, the button is operated by a method such as clicking the cursor position on the above button with an input device such as a mouse). By the operation of this button (completion acceptance unit c) by the definer B, the masking rule (conversion rule) is defined for the conversion rule defining means 12, and the process proceeds to the next masking target item reading step 102.
In this step 102, the conversion rule definition unit 12 reads the masking target item table already stored in the table storage unit 14. Here, the masking target item table of the “completer master” already stored is read from the table storage unit 14 into the conversion rule definition unit 12.

Then, the process proceeds to the next consistency check step 103. In step 103, the consistency check means 15 reads the masking target item table read above, that is, the masking target item table of the “completer master”, and the masking target item table defined above, that is, the “contract”. The master table is compared with the masking target item table to verify the presence of the same item. If the same item is not found by this verification, the conversion rule definition unit 12 automatically shifts the process to the masking target registration step 106.
Further, in the above, if the same item is detected, the consistency check unit 15 verifies the masking method of the “completer master” and the “contract master” and the matching / mismatching of the masking position ( Consistency / inconsistency check).
As a result of the verification by the consistency check unit 15, if the masking method and the masking position match (if they match), the conversion rule definition unit 12 automatically shifts the processing to step 106 as described above. .
In the above steps, the presence / absence of the item is verified first, but conversely, it is also possible to verify the consistency of the masking method first.

If the masking method or the masking position do not match (if they do not match), the consistency check means 15 automatically moves the process to the warning display step 104 and displays a warning message on the screen of FIG. Further, the inconsistent items are displayed with marks (for example, by changing colors). After the warning, that is, the definer B who knows the warning performs the correction receiving step 105. That is, if the definer B who has seen the warning determines that it is necessary to achieve consistency, the definer B causes the consistency check unit 15 to end the consistency check.
Then, the masking rule is corrected again on the support screen of FIG. The above steps 101 to 105 are repeated until necessary alignment is obtained.
Here, a specific example of the processing in steps 104 and 105 will be described.
Although omitted in FIG. 4, the definition support screen includes a warning display unit and a correction selection unit. This warning display unit issues a warning when inconsistency is detected as a result of the consistency check by the consistency check means 15. The warning display unit can be implemented as a warning window that pops up on the definition support screen. The correction selection unit can be implemented as a correction selection button provided in the warning window.
The definer B who sees the display presses the correction selection button in the warning window.
The operation of the above correction selection button is the selection of “YES” in step 105 in FIG. 5, and the warning message disappears (the warning window is closed). In FIG. 5, “End” under step 105 indicates the end of the display of the warning window (the warning window is closed), and the definition support screen accepts the input work (definition correction work) of the definer B. It shows that it will be in a state.
After closing the warning window, the conversion rule definition unit 12 displays the inconsistency item detected by the consistency check unit 15 with the mark as described above. By marking the inconsistent items in this way and displaying the support screen of FIG. 4, the definer B can easily correct the items as necessary.
After the correction, when the definer B presses the registration button again, the process returns to the state in which the step 101 shown in FIG. 5 is performed, and the processes after the step 102 are started again.

When the correction is not performed, the definer B operates the “registration” button (completion receiving unit c) on the support screen illustrated in FIG. This operation is the selection of “NO” in step 105 of FIG. Accordingly, the conversion rule definition unit 12 that has received the operation of the “Register” button shifts the processing to Step 106.
The following masking target registration step 106 to conversion rule registration step 108 are automatically performed by the conversion rule definition means 12.
In this step 106, the conversion rule definition unit 12 adds the newly defined masking target item table, that is, the “contract master” masking target item table, to the table storage unit 14. Then, the process proceeds to the conversion rule generation step 107, and the conversion rule definition unit 12 generates a conversion rule program (conversion program). After the conversion program is generated, the process proceeds to the conversion rule registration step 108, where the conversion rule definition unit 12 registers the conversion rule in the conversion rule storage unit 22 of the first data processing device 2 and ends the registration process.
In the fifth invention of the present application (Claim 5), the "conversion rule information before registration already generated by the conversion rule definition means" means the "masking target item table" stored in the table storage means 14. It is. As described above, after the defined masking target item table is stored in the table storage unit 14, the conversion rule (conversion program) is registered in the conversion rule storage unit 22 (before the rule is registered in the conversion rule storage unit 22). Therefore, the conversion rule (conversion program) is registered in the conversion rule storage unit 22 to refer to the masking target item table in the table storage unit 14. Even later, it falls under the reference of the definition “before registration”.

The steps 106 to 108 will be described in more detail. The defined masking target item table stored in the table storage unit 14 in step 106 is a parameter of the conversion rule program. The conversion rule program generated in step 107 is a source program (source code) in which the parameters are incorporated. The conversion rule program generated in step 108 is an executable file generated by compiling or assembling the source code.
However, as described above, instead of creating a conversion program by incorporating a parameter every time a rule is defined and registering the conversion rule, the conversion program sets a parameter (defined conversion rule) at the time of execution. It is also possible to obtain and convert test data.
The present invention (Claim 1) includes both the case where the generation of the conversion program in the former is defined as a rule and the case where only the latter parameter is defined separately from the conversion program in the latter. Collectively, it is called a conversion rule definition. That is, according to the present invention, for each conversion rule definition, a program incorporating a parameter is generated and registered in the first data processing device 2 (conversion rule storage means 22). Instead of changing (assuming that the same data is converted every time), such a conversion program is placed in the first data processing device 2 (conversion rule storage means 22) in advance, and the conversion rule is set. This includes both cases where only the parameter is registered (stored) in the first data processing device 2 (conversion rule storage means 22).

The above description of steps 101 to 106 is to create a masking item list table (“contract master”) on the assumption that one masking item list table has already been created (“completed master”). Was about. That is, the above description is about the creation of the masking target item table for the second and subsequent times, and there is another masking target item table to be compared with the masking target item table being created (target for consistency check). It was to explain the general state.
Here, a supplementary description will be given of the operation start processing in which there is no initial masking target item list table (first operation), that is, the processing in the case of creating the first masking target item list table.
As described above, when there is no masking target item list table that is initially held, a masking target item list table for the “completer master” is first created. At this time, since there is no other masking target item list table in the table storage unit 14, in step 102 after step 101 (operation of the registration button), the conversion rule definition unit 12 sets the table to be read to 0 (none). ) Is detected. In step 103, the consistency check unit 15 determines that this state (read target table is 0) is inconsistent, and the conversion rule definition unit 12 immediately shifts the processing to step 106.

3-2) Request to create test data Corresponds to iv) test data creation request in the system overview.
The requester A requests the commander C to generate test data through the test data management device 1.
This request for generation can be made to the commander C when the requester A knows that the request can be made upon receiving the notification that the definition of the test data conversion rule has been registered, as described above. .

Hereinafter, the request for creating the test data will be specifically described.
In the above request, the test data management apparatus 1 confirms the requester A by the authentication unit 17 and then provides the request support screen shown in FIG. The request support screen includes a table selection input receiving means d, a time limit input section e for receiving an input of an expiration date of test data to be generated, a test data name display section f, a test data item name display section g, A request receiving unit h.
However, as shown in FIG. 6, according to the authentication (access restriction) of the authentication means 17, unlike the definition support screen shown in FIG. 4, the conversion rule (defined masking rule) is not displayed on the request support screen.
Specifically, on the request support screen shown in FIG. 6, the client A selects the table name of the test data desired to be generated from the box (input reception means d) displayed as “select table name”. To do. The box accepts selection through a pull-down menu or the like. In the request support screen, the item name display unit g can display the item name of the selected test to be requested, and the requester A checks whether the test data requested to be generated is correct. be able to.
Then, the expiration date of the test data to be generated is input to a box (time limit input unit e) displayed as “test data expiration date” on the request support screen.
When the requester A completes the input on the request support screen, the requester A commands the test data management apparatus 1 by operating the execution button (request reception unit h).

The test data management apparatus 1 that has received the request from the client A on the request support screen, that is, when the execution button is pressed, starts the processing of the request process shown in FIG.
This request process executes a start step 201, a test data request registration step 202, and a notification step 203.
The start step 201 is a step of accepting the operation of the execution button on the request support screen shown in FIG.
In step 201, the test data management apparatus 1 that has received the request instruction registers the received request in the subsequent test data request registration step 202. This registration means storing the request table (test data creation instruction table) in FIG.
As shown in FIG. 3B, this request table is information (creation) that specifies the table name of the test data and the requester (requester A) in accordance with the input on the support screen of FIG. Together with the requester name, etc.), the test data expiration date information is held.
Then, in the notification step 203, the test data management apparatus 1 notifies the commander C that the new request has been made by a known communication means such as e-mail or FTP, and ends the request process.

3-3) Generation of test data This corresponds to v) test data generation in the system overview.
The commander C who has been authenticated by the authentication means 17 is requested to generate test data on the command support screen shown in FIG. 8 provided by the test data management device 1 and to the first data processing device 2. Command to generate test data.
Specifically, as shown in FIG. 8, the command support screen includes a request notification unit i, a test data content display unit j for the requested test data, and a command receiving unit k.
The commander C sees the display of the request notification unit i, knows that the request has been made, confirms the content of the requested test data in the content display unit j, and operates the execution button (command reception unit k). .

Next, the conversion command process will be described in detail with reference to FIG.
As shown in FIG. 9, the conversion command process performs a start step 301, an execution command step 302, a conversion start step 303, an execution step 304, and a transfer step 305.
The start step 301 is a step of starting the command process by operating the execution button of the commander C on the command support screen shown in FIG.
In the execution command step 302 following the start step 301, the test data management device 1 instructs the first data processing device 2 to generate test data, and ends the process in the test data management device 1.
The first data processing apparatus 2 that has received the generation instruction starts a conversion process in a conversion start step 303. Then, in an execution step 304, the conversion rule program in the conversion rule storage means 22 is executed, and converted into test data with reference to the personal data in the personal data storage means 21. In the next transfer step 305, the first data processing device 1 transfers the test data generated by the conversion to the second data processing device 3 (stores in the test data storage means 31), and the first data The process in the processing apparatus 2 is finished.

  The test data in the second data processing device 3 generated as described above is used by the client C for a necessary test on the second data processing device 3.

3-4) Others As described above, prior to the operation of the above system, it is necessary for the requester A to inform the system of the above request regarding the test contents (data items) to the definer B. It is necessary to notify the commander C of the completion of rule registration by the party B. Such communication may be exchanged directly within the client A, the definer B, and the commander C by well-known communication means such as e-mail, FAX, and telephone. It is preferred that the management device 1) relays such communication.
That is, it is preferable that the above-described system (test data management apparatus 1) also performs the above-mentioned i) specification request, iii) registered notification, and other processes associated with system operation. Hereinafter, an example of such a system will be described.

Specifically, the test data management apparatus 1 includes a notification storage unit (not shown) and a notification unit (not shown).
i) Specification Request The request accepting means 11 receives a request for a test data item from the requester A to the definer B prior to requesting test data, and requests for the test data from the requester A to the commander C. Accept each one. The request for the test data item can be received by inputting from the terminal computer through the request receiving means 11 or by receiving an e-mail in which the content of the request is described by the client A. The request receiving unit 11 stores the request (input data or mail) received by the request receiving unit 11 in the notification storage unit. The above notification unit notifies the definer B that the notification has been received (this can be implemented as displayed on the screen when the definer B accesses the system through the definition command accepting means 13). ). The definer B knows that there has been a request notification from the requester A from the notification unit, refers to the notification storage unit, and defines the conversion rule in ii) above based on the requester A's request content. Registration is performed (the conversion rule itself is not notified to the client A).
iii) Registered notification When the definer B completes registration of the conversion rule, the notification unit notifies the commander C through the definition command receiving means 13. The commander C who has received such notification of registration completion can select the conversion rule registered with reference to the conversion rule storage means 22. The notifying unit also notifies the requester A that the conversion rule for creating the requested test data has been registered by sending an e-mail or the like. As a result, the requester A knows that the commander C can request to generate test data, and requests the commander C to generate test data as described above.

3-5) Discarding test data Finally, the process of discarding data whose validity period has expired in the second data processing device 3 (the test data storage means 31) will be described.
As shown in FIG. 10, this discarding step performs a start step 401, a test data reading step 402, an expiration date checking step 403, and a deleting step 404.
The start step 401 is a step in which the data deletion unit 18 of the test data management apparatus 1 is activated at a predetermined time every day by the time management unit 19.
After the start step 401, in the test data reading step 402, the data deletion means 18 reads the request table (FIG. 3B) of the table storage means 14, and in the next expiration date check step 403, the table storage means 14 Check the existence of data that has expired from the request table. In this check, if a table whose expiration date has passed is not found, the deletion process is terminated.
In the above, when a request table whose expiration date has passed is found, the process proceeds to a deletion step 404, and the second data processing device 3 (for example, the test data storage unit 31) is searched for test data corresponding to the request table. Thus, the second data processing device 3 is instructed to delete the test data, and the deletion process is terminated. In response to such a deletion instruction, the second data processing device 3 deletes the target test data from the second data processing device 3.

4). System Considering Test Data Generation and Management Status Notification for Customers Hereinafter, another embodiment of the present invention will be described with reference to FIGS.
FIG. 11 is an explanatory diagram showing the system configuration of this embodiment. FIG. 12A is an explanatory diagram of an authentication table referred to by the authentication means in this embodiment, and FIG. 12B is an explanatory diagram showing a layout of a test data usage status management table used in this embodiment. FIG. 12C is an explanatory diagram showing the layout of the test purpose information table used in this embodiment. FIG. 13A is an explanatory diagram of a screen that displays a table list used in this embodiment, and FIG. 13B is an explanatory diagram of a screen that displays the contents of each table in FIG. 13A. . FIG. 14 is an explanatory diagram of a screen that displays the extraction result based on the table shown in FIG. 15 and 16 are explanatory diagrams showing a flow of data extraction by the extraction number confirmation means. FIG. 17A is an explanatory diagram showing the contents of the deletion instruction log, and FIG. 17B is an explanatory diagram showing the contents of the deletion execution log.

4-0) Request for test data generation and management status notification The systems shown in the above 1 to 3 focus on the definition of conversion rules, prevent leakage of production data, prevent data leakage by distributing authority related to testing, and convert It provided a means to ensure rule consistency.
Therefore, the above system is operated by a test computer administrator (test requester A), a project manager (rule definer B), and a business computer administrator (test data generation) who are system operators. It is intended only for the commander C).
On the other hand, the above-mentioned customer (hereinafter referred to as customer D as necessary) has agreed with the above-mentioned project manager on items to be hidden in the personal data (test data masking specifications). Furthermore, there is a request for confirming under what conditions the actual data is extracted before the test and how many pieces of the actual data are extracted as conversion targets for generating the test data. This is because the customer wants to adjust the extraction condition so that the desired number of data is extracted when the number of data extraction is different from the desired number.
There is also a requirement for customers to confirm when test data has been present on the test computer and when it has been deleted.
This embodiment enables generation of test data and notification of management status for such customers.

4-1) Outline of system The system according to this embodiment is a means for generating the means for confirming the number of data to be extracted from the production data as the conversion target in the systems 1 to 3 (FIGS. 1 to 10). A means for confirming the storage of the test data in the second data processing device 3 and the deletion of the test data after the storage is added. Accordingly, matters not particularly mentioned are the same as those in the embodiment shown in FIGS.
Also in this system, the test requester A, the rule definer B, and the test data generation commander C are used for defining test data conversion rules and generating test data.

In particular, in the operation of this system, by the pre-processing of test data generation, before generation (before data conversion), the customer D is extracted from the rule definer B with the number of data extracted as conversion targets in all production data. The customer D is informed before the conversion, and informs the rule definer B of the suitability of the notified number of extractions. When there is an excess or deficiency in the notified number of extractions, the customer D contacts the rule definer B, and the rule definer B adjusts the extraction conditions so that the number of extractions desired by the customer D is obtained.
If the extraction condition is confirmed, the rule definer B stores the extraction condition in the first data processing device 2. When the generation commander C issues the test data generation command described above, the first data processing device 2 extracts the data to be converted from the personal data storage means according to the extraction conditions, and the extracted individual Data conversion is performed on the data, and the generated test data is transferred to the second data processing device 3. The first data processing device 2 notifies the test data management device 1 that this transfer has been performed. The rule definer B notifies the customer D of this notification. The customer D can know when the test data is stored in the second data processing device 3 by receiving the transfer notification.

Furthermore, when the test data after generation stored in the second data processing device 3 is deleted by the data deletion means 18, the deletion confirmation means 45 provides information related to deletion of the data such as the date and time of deletion. B is displayed.
The rule definer B informs the customer D of data deletion together with information related to the data deletion. By receiving the notification of the deletion, the customer D can know that the test data is surely deleted from the second data processing device 3 and when the test data is deleted from the second data processing device 3. .

4-2) System Configuration As shown in FIG. 11, this test data generation system also uses the test data management device 1, the business first data processing device 2 that uses actual personal data, and the data processing using the test data. And a second data processing device 3 for testing.

  The test data management apparatus 1 includes a request receiving unit 11 that receives a request for generating test data, a conversion rule defining unit 12 that defines a rule for generating test data, and a definition command receiving unit 13 that receives a command for the definition. The table storage unit 14, the consistency check unit 15, the generation command reception unit 16 that receives a test data generation command, the authentication unit 17, the data deletion unit 18, the time management unit 19, and the conversion target. The extraction condition receiving means 41 for receiving the setting of the extraction conditions of the personal data, the extraction condition setting means 42 for setting the received extraction conditions, and the personal data storage means of the first data processing device are extracted with the above extraction conditions. The number-of-extraction confirmation means 43 for detecting and displaying the number of personal data to be displayed, and the first data processing device generates test data Conversion confirmation unit 44 for displaying that it has transferred to the over data processing apparatus, a computer and a deletion confirmation unit 45 for displaying a record of deletion of data that the data deleting unit 18 deletes.

  The table storage means 14 of the test data management apparatus 1 includes the authentication table storage unit shown in FIG. 12A (instead of the authentication table storage unit shown in FIG. 2A) and the above-described FIG. 2B. The table layout storage unit shown in FIG. 3A, the masking target item list table storage unit shown in FIG. 3A, and the test data shown in FIG. 12B (instead of the request table storage unit shown in FIG. 3B). A storage unit for a usage status management table, a storage unit for test purpose information shown in FIG. 12C, a storage unit for a table list shown in the screen of FIG. 13A, and a screen of FIG. 13B. Are provided with a storage unit for each extraction condition setting table (extraction condition table), an extraction number storage unit, an extraction target person list storage unit, and a data erasure execution log storage unit (illustrating each storage unit itself). Is omitted).

  The first data processing device 2 includes a personal data storage unit 21 for storing the personal data, an extraction condition storage unit 24 for storing an extraction condition determined by the extraction condition setting unit of the test data management device, and an extraction condition storage unit. 24. Extraction means 25 for extracting personal data from the personal data storage means 21 in accordance with 24 extraction conditions, extraction data storage means 26 for storing personal data extracted by the extraction means 25, and conversion rule storage for registering defined conversion rules Means 22, data conversion means 23 for generating fictitious data as test data from the personal data in the extracted data storage means 26, and transferring the generated test data to the second data processing device 3; Conversion notification means 27 for notifying the conversion confirmation means 44 of the test data management apparatus 1 that the data has been transferred to the data processing apparatus 3 It is a computer equipped with.

The second data processing device 3 is a computer including a test data storage unit 31 and a deletion notification unit 32.
The data storage means of each of the devices 1 to 3 is a data storage device such as a hard disk or other magnetic disk.
In the test data management apparatus 1, the request reception unit 11, the conversion rule definition unit 12, the definition command reception unit 13, the table storage unit 14, the consistency check unit 15, the generation command reception unit 16, and the authentication unit 17 The data deletion means 18 and the time management means 19 are the same as those in the embodiment shown in FIGS.
In the first data processing apparatus 2, the personal data storage means 21, the conversion rule storage means 22, and the data conversion means 23 are the same as those in the embodiment shown in FIGS.
The configuration of the test data storage means 31 of the second data processing device 3 is also the same as that of the embodiment shown in FIGS.

In this embodiment, the number-of-extraction confirmation means 43 of the test data management apparatus 1 is extracted using the extraction means 25 of the first data processing apparatus 2 with reference to the personal data storage means 26 under the extraction conditions. Detect the number of personal data.
However, the number-of-extraction confirmation unit 43 can be implemented as a device that can independently detect the number of extractions according to the conditions set by browsing the personal data storage unit 26 without depending on the extraction unit 25 of the first data processing device 2. .
In this embodiment, the conditions set by the extraction condition setting means 42 are stored in the extraction condition storage means 24 of the first data processing device 2, and the extraction means 25 refers to the extraction condition storage means 24 during conversion. In addition to this, it is assumed that the data is extracted. Alternatively, the extraction means 25 can directly refer to the table storage means 14 and acquire the set extraction condition at the time of conversion.

In this embodiment, the command systems in A to C are the same as those shown in FIG. 1 except for the setting of the extraction conditions for the data to be converted and the confirmation of the number of extracted data, the extraction of data, the conversion confirmation, and the deletion confirmation ~ Same as the embodiment shown in FIG.
In particular, in this embodiment, the customer D determines that the test data is generated from the rule definer B in the second data processing device 3 by the extraction condition, the number of extractions, and the conversion, and the second data processing device 3 performs the test. Get notified that the data has been deleted. The method of contacting the customer from the rule definer B may be any of electronic mail, facsimile, telephone, and mail. The same applies to the communication from the customer D to the rule definer B. In addition, as a method of contacting the customer from the rule definer B, the rule definer B writes the above information into a separate web server, and the customer D accesses the web server from his computer and is written. It can also be implemented as information browsing.
Although different from the embodiment shown in FIGS. 11 to 17, the customer D receives the authentication by the authentication unit 17 and directly accesses the deletion confirmation unit 45 to the conversion number confirmation unit 43 and the conversion confirmation unit 44. It is also possible to confirm that the test data has been generated in the second data processing device 2 by the extraction conditions, the number of extractions, and the conversion, and that the test data has been deleted from the second data processing device 2.

4-3) System Operation Hereinafter, the system operation of this embodiment will be described.
Also in the operation of this system, the same system operation as 3-1) to 3-5) in “3. System operation” of the embodiment shown in FIGS.
In the operation of the system shown in FIGS. 11 to 18, as pre-processing of 3-1) to 3-4) of “3. System operation” of the embodiment shown in FIGS. 4-3-1) Setting extraction conditions, 4-3-2) Confirming the number of extractions, 4-3-3) Registering extraction conditions.
Further, in the 3-3) test data generation in “3. System Operation”, the following 4-3-4) data extraction work is added. In 3-5) Test Data Discarding in “3. System Operation”, the following 4-3-5) Confirmation of test data deletion is added.
Here, an example is given in which customer D is a credit card company and business production data (personal data) is card member data of the credit card company.
The operation of each part will be described below in accordance with the specific operation of this system.

4-3-1) Setting Extraction Conditions Rule definer B accesses the extraction condition reception means 41 of the test data management means 1 before defining the test data conversion rules described above. At this time, the extraction condition receiving means 41 authenticates by the authenticating means 17 whether or not the accessing person is the definer B who has the authority to set the extraction conditions.
Specifically, the conversion condition receiving unit 41 uses the authentication unit 17 to request the definer B to input an ID or password. The definer B inputs an ID and a password given in advance to a person who has the authority to set extraction conditions. Here, authentication is performed using the employee number as an ID.

Here, a specific example of the authentication unit 17 will be described focusing on differences from the authentication unit 17 (the authentication table in FIG. 2A) employed in the embodiment shown in FIGS.
In this embodiment, the authentication unit 17 performs authentication with reference to the authentication table shown in FIG. 12A stored in the table storage unit 14.
The authentication table shown in FIG. 12A is obtained by adding the items “variation registration”, “execution of number confirmation”, and “execution of extraction process” to the authentication table shown in FIG.
The “variation registration” item indicates whether or not the user has the authority to set the conversion condition. “◯” indicates that the user has the authority for the setting, and “X” indicates that the user does not have the authority for the setting.
The item “execution of number confirmation” is an authority that allows the personal data storage means 21 of the second data processing device 2 to be browsed to detect only the number of personal data to be converted (the authority that the contents of personal data cannot be viewed). ◯ indicates that the user has the authority for the setting, and X indicates that the user does not have the authority for the setting.
The “Extraction process execution” item indicates whether or not there is an authority to extract the personal data to be converted from the personal data storage unit 21 of the second data processing apparatus 2 to the extraction data storage unit 26. It has authority, and x indicates that it does not have authority for the setting.

As shown in FIG. 12A, for the employee of the employee number 100001 who is the definer B, both the “variation registration” and “execution of number confirmation” items are marked with ○, and the “extraction processing execution” item is marked with “X”. Is attached. Therefore, the employee number 100001 is permitted to set the extraction condition as the rule definer B, and has the authority to confirm the number of data extracted by the extraction condition. However, the definer B cannot actually extract data from the personal data storage means 21 of the first data processing device 2 to the extracted data storage means 26.
Further, as shown in FIG. 12A, the person with the employee number 100002, as the requester A, is marked with “X” in each item of “variation registration”, “execution of number confirmation”, and “execution of extraction process”. It shows that these authority is not given.
Furthermore, as shown in FIG. 12 (A), the person with employee number 100003, as the commander C, is marked with a circle in the “Extraction process execution” item, and in both the “variation registration” and “number confirmation execution” items. And has the authority to actually extract data from the personal data storage means 21 of the first data processing device 2 to the extracted data storage means 26. However, in the commander C, browsing of the extracted data only for the confirmation of the extraction condition setting and the number confirmation is limited.
The authority of the other items shown in FIG. 12A in A to C is as described in the description of FIG.

When the definer B inputs the employee number to the authentication unit 17 through the extraction condition receiving unit 41, the authentication unit 17 refers to the authentication table shown in FIG. 12A and sets the extraction condition and confirms the number of extractions. Allow.
The definer B who has received the authentication extracts the data to be converted for test data generation from the personal data storage means 21 of the first data processing device 2 by the extraction condition setting means 42 through the extraction condition receiving means 41. Set the conditions.
Specifically, the extraction condition setting unit 42 provides the extraction condition setting support screen (condition setting support interface) shown in FIGS. 13A and 13B to the definer B through the extraction condition receiving unit 41.
The definer B uses the input screen (condition setting support screen) shown in FIGS. 13A and 13B to create a table list (of the extraction condition table) and extract each extraction condition in the table storage unit 14. Creates a table, selects the created table, and inputs / updates extraction conditions to the table.

As shown in FIG. 13A, the table list screen includes a test purpose display unit i for displaying information about the purpose of the test, a table list display unit j, and an extraction execution button k.
The definer B can add a table that defines extraction conditions to the table list display section j shown in FIG. 13A by using an input device such as a mouse or a keyboard. Then, the definer B selects an extraction condition table desired to be edited from the list displayed in the table list display unit j. The selection is performed by an operation such as clicking on a corresponding table in the table list display section j (for example, by clicking on a portion of the table list display section j displayed as “edit”, it is called “loan balance master”. You can select a table of names).
By the above selection, the extraction condition setting means 42 shifts to the display of the extraction condition setting screen shown in FIG.
As shown in FIG. 13B, the extraction condition setting screen includes an extraction condition input display unit m and a setting end button n. The extraction condition input display unit m is included in the extraction condition setting unit 42, and the setting end button n is included in the extraction number confirmation unit 43. Therefore, in this embodiment, the screen shown in FIG. 13B is provided by both the extraction condition setting means 42 and the extraction number confirmation means 43, to be precise.
The extraction condition input display unit m displays the contents of the extraction condition table selected above (in this case, the “loan balance master” table), that is, each item of the extraction conditions held by the table. The definer B can create an extraction condition item in the extraction condition input display unit m using the above input device, and can further input an extraction condition (extraction condition) corresponding to the item. As described above, the definer B can set the extraction condition of the data to be converted or change (update) the condition by using the extraction condition input display unit m. . When the setting of the conditions is completed, the setting end button n is operated (clicked) to return to the table list screen of FIG.

Each table used for determining the extraction condition is sequentially selected from the table list screen of FIG. 13A by the above procedure, and each table is extracted on the extraction condition setting screen of FIG. 13B. Set conditions.
When the extraction conditions are set for the tables in the list on the table list screen, the table used for data extraction is selected in the table list display section j (for example, the table used for extraction is “necessary”. Enter (select), and enter (unselect) "not" for tables not used for extraction).
The extraction condition setting unit 42 receives the above table creation, item creation in the table, extraction condition setting for the item, and selection of the table used for extraction, and stores them in the table storage unit 14.
When the table setting and table selection are completed, the definer B operates (clicks) the extraction execution button k on the table list screen in FIG.

4-3-2) Confirmation of number of extractions As described above, when the definer B operates the extraction execution button k on the extraction condition setting screen in FIG. Through the setting means 42, the extraction condition table of the table storage means 14 is referred to, the extraction means 25 of the first data processing device 2 is operated, and the personal data storage means 21 of the first data processing device 2 is referred to. Only the number of data extracted according to the extraction condition and the corresponding person list are stored in the extraction number storage unit of the table storage unit 14 and the extraction target person list storage unit, respectively. In this extraction, the personal data itself (contents of the actual data) in the personal data storage means 21 is restricted from being extracted from the first data processing device 2 to the test data management device 1. As described above, only the number of data items extracted according to the extraction condition and the corresponding person list (membership number list) can be acquired in the table storage unit 14. The applicable person list is not displayed to the definer B and is not informed.
And the extraction number confirmation means 43 displays only the number of extractions which an extraction number storage part hold | maintains to the definer B on the extraction number confirmation screen shown in FIG.
The extraction number confirmation screen shown in FIG. 14 includes an extraction number display part p and an extraction operation button r.
After the operation of the extraction execution button k on the table list screen of FIG. 13A, the test data management unit 1 and the first data processing device 2 automatically perform the display of the number of extractions by the extraction number confirmation unit 43 described above. .

This will be described more specifically.
The business production data (personal data) stored in the personal data storage means 21 of the first data processing device 2 is, for example, in terms of loans, for each loan record (record) Information such as loan amount, delinquency information, information for identifying the borrower (membership number), etc. The number of data stored in the personal data storage means 21 is the number of records (of course, one member may receive two or more loans and have a plurality of loan records. (The number of data does not match the number of members with a loan record, and is larger than the number of members who normally receive loans).

  For each extraction condition table set by the extraction condition setting means 42, the extraction number confirmation means 43 first determines the number of records satisfying all items of the extraction conditions in the table by the extraction means of the first data processing device 2. 25, the personal data storage unit 21 of the first data processing device 2 is referred to and detected. The extraction number confirmation means 43 displays the result (only the number) on the extraction number display part p of FIG. Here, as shown in FIG. 14, 2,000 records satisfying all items (all extraction conditions) of “loan balance master” which is the first extraction condition table, and all items of the next “payment management information” table are satisfied. It is shown that 4000 records have been detected, and 3000 records have been detected for a record that satisfies all the items of the last selected “ribo obligation information” table.

Next, when the definer B operates (clicks) the extraction operation button r shown in FIG. 14, first, the product set of the records of all the selected tables is transferred to the extraction unit 25 of the first data processing device 2. The personal data storage unit 21 of the first data processing device 2 is referred to and detected.
The detection of the product set is to cause the extraction means 25 to detect a target person (member) of a record common to all tables.
For example, there are four members (i, b, c, d) that have a record that satisfies all the extraction criteria for “loan balance master”, and members that have a record that satisfies all the extraction criteria for “arrears management information”. , I, b, c, h, d, f, and 5 members, i, b, c, c The extraction means 25 detects three members (i), (b), and (c) as detection results of the (member) product set.

Next, the extraction means 25 detects the records for the members i, b, c from the records determined by the conditions of each extraction condition table, and the number of records and the list of members i, b, c (Membership number list) is returned to the extraction condition confirmation means 43.
The extraction condition confirmation unit 43 displays the number of records of each table detected above on the extraction number display part p in FIG. The number of records displayed in the “number of test data” column of the number-of-extractions display section p shown in FIG. In this example, FIG. 14 shows the detection of 1000 of records determined in the “loan balance master” table, 1500 of records determined in the “payment management information” table, and 250 of records determined in the “revolving loan information” table. It has been shown.
This number of extractions is the number of records for each table for members with all of the items required for the test defined by all the tables present in the records determined in that table. The record about the member is to be converted, that is, the test data generation target.
From the operation of the extraction operation button r to the display of the number of test data, the extraction number confirmation means 43 and the extraction means 25 are automatically performed.

Further, in the test data management apparatus 1, by operating the extraction operation button r, in parallel with the above, a test data usage status management table shown in FIG. It is stored in the storage unit 14.
As shown in FIG. 12B, this test data usage status management table includes “table name (Japanese)”, “DBID (table name symbol)”, “test case”, “number of cases”, “test data expiration date”. "," Request for creation "," Data set name "," Use start date "," Delete date ", and" Log file name ", and the values (contents of the items) are also stored.
However, when the extraction number confirmation means 43 is moved by operating the extraction operation button r, “table name (Japanese)”, “DBID (table name symbol)”, “test case”, “number of cases”, Only the item “test data expiration date” is created (only the item is filled with data).
For example, by moving the extraction number confirmation means 43 by operating the extraction operation button r, the “loan balance master” table shown in FIG. "Loan balance master" is stored in the item "", "KASITUKEZANTBL" is stored in the item "DBID", and the numerical value of 1000 (cases) shown in the test data number column in FIG. , The date of the expiration date of the test data is stored in the “test data expiration date” column. The item “test case” stores the name of the test. The item is linked to the test purpose information table shown in FIG. 12C and stored in FIG. 12C. A table storing text data on the purpose of the test is called (the contents of FIG. 12C are also displayed on the test purpose display section i shown in FIG. 13A).
At this point, “creation requester”, “data set name”, “use start date”, “deletion date”, and “log file name” are blank (data not stored).

  Hereinafter, a series of steps from the operation of the extraction execution button k on the table list screen of FIG. 13A to the display of the number of extractions by the extraction number confirmation means 43 will be described with reference to the test data management device 1 and the first data. The operation of the processing apparatus 2 will be mainly described with reference to FIGS. 15 and 16.

  As shown in FIGS. 15 and 16, the process of confirming the number of extractions and displaying the number of extractions includes an instruction receiving step 501, a detection processing step 502, a number writing step 503, a member number writing step 504, and a setting table. Confirmation step 505, next detection processing step 506, next number writing step 507, next member number writing step 508, previous member number reading step 509, common member number writing step 510, common member number reading Step 511, extraction number detection step 512, extraction number writing step 513, and extraction table confirmation step 514 are performed.

Each step will be described in turn.
In the command receiving step 501, the extraction number confirmation means 43 receives an extraction command, that is, an extraction command by operating the extraction execution button k.

  In the detection processing step 502, the number-of-extraction confirmation unit 43 extracts the extraction condition (in the loan balance master in FIG. 13A) for the first table in the extraction condition table storage unit of the table storage unit 14 ( Based on the “extraction condition” in FIG. 13B, the extraction means 25 is caused to detect the number of records satisfying all the extraction conditions of the table with reference to the personal data storage means 21.

  In the number writing step 503, as a result of the execution of step 504, the number-of-extracted confirmation unit 43 includes the number of corresponding records from the extracting unit 25 (for “loan balance master” in FIG. 13A) and the record. Receive a list of members. The extracted number confirmation means 43 writes the received number of corresponding records in the extracted number storage section of the table storage means 14 and displays only the number of corresponding records (2000 in the extraction condition column of “loan balance master” in FIG. 14).

  In the member number writing step 504, the extraction number confirmation means 43 stores the member number list received above in the extraction target person list of the table storage means 14.

  In the setting table confirmation step 505, the extraction number confirmation unit 43 refers to the extraction condition table storage unit of the table storage unit 14 to determine whether there is an extraction condition table to be processed next. Judging. If it is determined that there is a table, the number-of-extraction-number confirmation unit 43 proceeds to the next detection processing step 506. If it is determined that the table does not exist, the extracted number confirmation unit 43 proceeds to the common member number reading step 511 shown in FIG.

  According to the list of FIG. 13A, since the “arrears management information” table exists as the selected (“necessary”) table, the number-of-extraction confirmation unit 43 proceeds to the next detection processing step 506. In the detection processing step 502, the same processing as that performed by the “loan balance master” is performed by the “arrears management information” table. That is, the number-of-extraction confirmation unit 43 determines the number of records that satisfy all of the extraction conditions of the table based on the extraction conditions (“extraction conditions” in FIG. 13B) set for the “arrears management information” table. Is extracted with reference to the personal data storage unit 21.

  In the next number writing step 507, the extracted number confirmation means 43 performs the same processing as that performed on the “loan balance master” in the number writing step 503 on the “arrears management information” table (as a result, “ 4000 items in the extraction condition column of “Arrears Management Information” are displayed).

  In the next member number writing step 508, the extraction number confirmation means 43 creates a member number list from the record about “loan balance master” obtained in the next number writing step 507.

  In the previous member number reading step 509, the extracted number confirmation means 43 reads the member number list obtained in the “loan balance master” stored in the extraction target person list of the table storage means 14 in the member number writing step 504. .

  In the common member number writing step 510, the number-of-extraction confirmation means 43 obtains the member number list obtained in the “loan balance master” read in the previous member number reading step 509 and the “number of cases written in step 507” The product of the member number list of “arrears management information” is replaced with the member number list of “loan balance master” and stored (overwritten) in the extraction target person list of the table storage means 14. For example, it is a product set of the list of members i, b, c, d written in the member number writing step 504 and the list of members i, b, c, d, f obtained in the next detection processing step 506. A list of members i, b, c, and d is stored (in this case, the contents are not changed).

When the process of the common member number writing step 510 ends, the extracted number confirmation unit 43 returns the process to the setting table confirmation step 505 again.
According to the list of FIG. 13 (A), since there is a “revolving credit information” table after “arrears management information” as the selected (“required”) table, The process proceeds to the next detection processing step 506, and the processing from step 506 to step 510 is repeated.

In this common member number writing step 510, the list of members i, b, c, d stored in the product set previously and the list of members i, b, c, h, f obtained about "revolving debt information" A list of members (i), (b), and (c) is obtained as a product set, and the list is stored (overwritten) in the extraction target person list of the table storage means 14.
The extracted number confirmation means 43 shifts the processing to the setting table confirmation step 505 when the common member number writing step 510 ends. According to the list of FIG. 13A, the selected table (which is “required”) does not follow the “revolving loan information”, so the number-of-extraction confirmation unit 43 proceeds to the common member number reading step 511. To migrate.

In the common member number reading step 511, the extraction number confirmation unit 43 reads the member number list from the extraction target person list in the table storage unit 14.
In the extraction number detection step 512, the extraction number confirmation means 43 determines all of the extraction conditions in the table based on the extraction conditions (“extraction conditions” in FIG. 13B) set in the table for the “arrears management information” table. The extraction means 25 is caused to detect the product set of the number of records satisfying the above (number of test data) and the extraction subject list of the table storage means 14 by referring to the personal data storage means 21.
In the extraction number writing step 513, the extraction number confirmation means 43 writes the number of corresponding test data received by the extraction means 25 in the test data usage status table of the table storage means 14 and displays only the number of the corresponding cases (“Lending” in FIG. 14). 1000 items in the test data count column of “Balance Master”).

In the extraction table confirmation step 514, the extraction number confirmation means 43 determines whether or not there is a table to be processed next. If there is no table, the extraction number confirmation means 43 ends the processing. Transition.
Here, since there is an “overdue management information” table after “loan balance master”, the above-described processing of steps 511 to 513 is performed on the “overdue management information” table. Next, the above-described steps 511 to 513 are performed on the “ribo bond information”. When the series of processing for “ribo bond information” is completed, there is no other selected table, and the processing ends.

The definer B, together with the table list shown in FIGS. 13A and 13B and the extraction conditions of each table, determines the number of cases displayed in the “test data number” column of the number-of-extractions display section p shown in FIG. The customer D is notified (contacted) by the method. This notification can be made by the definer B printing out (printing) the screens of FIGS. 13 and 14 and presenting it to the customer D.
The customer D who has been contacted determines whether or not the notified number of test data is the desired number, and if the number is too small, the corresponding extraction of the table with the extraction condition that seems necessary to be adjusted Instruct the definer B to relax the conditions, and if the number of cases is too large, make the applicable extraction conditions stricter (more limited) for tables with extraction conditions that may need to be adjusted. Instruct the definer B.

4-3-3) Registration of Extraction Conditions The definer B who has received the above instruction from the customer D adjusts (resets) the extraction conditions in the table in the extraction condition setting means 42, and again extracts the number of items to be confirmed At 43, the number of extractions is confirmed. If the extraction target is finally determined, the definer B stores the extraction condition and the target person list set above in the extraction condition storage unit 24 of the first data processing device 2.
However, each time the extraction operation button r is operated, the extraction condition storage means 24 stores the extraction condition and the target person list set above, and overwrites (updates) the previously stored data. (In this case, the extraction condition stored last in the extraction condition capability means 24 before the conversion is registered).

4-3-4) Data extraction Actual data extraction is performed at the time of data conversion command.
That is, when the execution command step 302 shown in FIG. 9 is executed by the commander C, the extraction unit 25 receives the command from the data conversion unit 23 and receives the extraction condition and member registered in the extraction condition storage unit 24. With reference to the number list (subject list), the corresponding data is extracted from the personal data storage means 21 to the extracted data storage means 26 (each extracted data is the same as the actual data).
Then, the personal data extracted to the extracted data storage means 26 is converted by the data conversion means 23 based on the conversion rule of the conversion rule storage means 22, and the test data storage of the second data processing device 3 is performed. The generated test data is stored in the means 31.
The data conversion unit 23 notifies the conversion notification unit 27 that the conversion has been performed, and the conversion notification unit 27 notifies the conversion confirmation unit 44 of the test data management apparatus 1 that the conversion has been performed. The conversion confirmation unit 44 sets the date of the conversion to the “use start date” in the test data use state management table in the table storage unit 14 shown in FIG. In the “data set name”, an identifier of generated data that can be identified by each processing device is stored.
The definer B receives the notification of the storage of the data from the conversion confirmation unit 44 and notifies the customer D of the contents of the test data usage status management table. By this communication, the customer D can know that the test data is stored in the second data processing device 3 and can be used.

4-3-5) Confirmation of Test Data Deletion When the test data is discarded in the above 3-5), the process moves to the deletion step 404 shown in FIG. The data is issued to the second data processing device 3 to delete the corresponding data from the test data storage means 31. The deletion notification means 32 confirms that the erasure has been performed, and notifies the deletion confirmation means 45 of the test data management apparatus 1. The deletion confirmation unit 45 stores the date when the test data is deleted in the “deletion date” of the test data usage status management table in the table storage unit 14 shown in FIG.
In the above, in response to the data deletion command shown in FIG. 17A issued by the data deletion unit 18, the deletion notification unit 32 notifies the data deletion execution log shown in FIG. 17B. The deletion execution log is stored in the data erasure execution log storage unit of the table storage unit 14 by the deletion confirmation unit 45. The log is linked to the “log file name” in the test data usage status management table in FIG. 12B, and can be called in the test data usage status management table.
When the definer B receives the deletion date stored in the test data usage status management table by the deletion confirmation unit 45, the definer B sends the contents of the data deletion execution log shown in FIG. contact. By this contact, the customer D can confirm from the second data processing device 3 that the corresponding test data has been deleted.

1 is an overall explanatory diagram of a system according to the present invention. (A) is explanatory drawing of the authentication table which an authentication means refers, (B) is explanatory drawing of the table layout previously stored in the table storage means. (A) is explanatory drawing of a masking target item list table, (B) is explanatory drawing of a request table. It is explanatory drawing of the definition support screen of a conversion rule. It is explanatory drawing which shows the flow from a conversion rule definition to registration. It is explanatory drawing of the request assistance screen of test data creation. It is explanatory drawing which shows the flow of the request of test data creation. It is explanatory drawing of the command assistance screen of test data creation. It is explanatory drawing which shows the flow of the command of test data creation. It is explanatory drawing which shows the flow of a deletion process. It is whole explanatory drawing which shows other embodiment of the system which concerns on this invention. (A) is an explanatory diagram of an authentication table referred to by the authentication means in this embodiment, (B) is an explanatory diagram showing a layout of a test data utilization status management table used in this embodiment, (C) These are explanatory drawings showing the layout of the test purpose information table used in this embodiment. (A) is explanatory drawing of the screen which displays the table list | wrist used in this embodiment, (B) is explanatory drawing of the screen which displays the content of each table of (A). It is explanatory drawing of the screen which displays the extraction result by the table shown in FIG. It is explanatory drawing which shows the flow of the data extraction by an extraction number confirmation means. It is explanatory drawing which shows the flow of the data extraction by an extraction number confirmation means. (A) is explanatory drawing which shows the content of the deletion command log, (B) is explanatory drawing which shows the content of the deletion execution log.

Explanation of symbols

1 Test Data Management System 2 First Data Processing Device 3 Second Data Processing Device

Claims (11)

In a test data generation system using a computer that creates test data based on actual personal data,
A test data management device, a business first data processing device that uses actual personal data, and a test second data processing device that performs data processing using the test data,
The test data management device comprises a conversion rule defining means for defining a rule for generating the test data, and a generation command receiving means for receiving a test data generation command,
The first data processing device comprises: personal data storage means for storing the personal data; conversion rule storage means for registering a defined conversion rule; and data conversion means for generating fictitious data as test data from the personal data And
The test data management device registers the conversion rule defined by the conversion rule definition unit in the conversion rule storage unit of the first data processing device,
When the generation command accepting unit of the test data management apparatus accepts the test data generation command, the first data processing unit causes the data conversion unit to transfer the personal data stored in the personal data storage unit to the conversion rule storage unit. A test data generation system which converts data based on a registered conversion rule and transfers the generated test data to a second data processing apparatus. The test data management device includes data deletion means and time management means,
The said time management means detects that the predetermined time has come for the test data of the second data processing device, and the data deletion means deletes the test data. Test data generation system. The test data management apparatus includes an authentication unit, and the authentication unit performs authentication to determine whether the commander has authority to generate test data.
The generation command accepting unit permits the data generation command to a person who has the authority of the test data generation command and generates the data for a person who does not have the authority to generate the test data according to the authentication of the authentication unit. 3. The test data generation system according to claim 1, wherein the command and reference to the first data processing device are not permitted. The above authentication means authenticates whether or not the person who intends to define the conversion rule has the authority to define the conversion rule,
The conversion rule definition means permits the person who has the authority to define the conversion rule to register the conversion rule definition according to the authentication of the authentication means, and to the person who does not have the authority to define the conversion rule. 4. The test data generation system according to claim 3, wherein reference and registration of the definition of the conversion rule are not permitted. The test data management device includes consistency check means,
The conversion rule definition means generates conversion rule definition information in which a part of data is defined as a target of data conversion processing for each field data of the personal data according to the data format of the field.
The data conversion means converts the personal data stored in the personal data storage means based on the conversion rule definition information, and generates the test data.
The consistency check means verifies the presence or absence of the same item as the test data item included in the conversion rule definition information before registration already generated by the conversion rule definition means during the definition of the conversion rule, and 5. The test data generation system according to claim 1, wherein the test data generation system verifies whether or not the conversion rule is identical. A test data management program for a test data generation system that creates test data based on actual personal data by a computer,
A test data management device, a business first data processing device that uses actual personal data, and a test second data processing device that performs data processing using test data; The test data management device includes a conversion rule defining means for defining a rule for generating the test data, and a generation command receiving means for receiving a test data generation command. The first data processing device stores the personal data Personal data storage means for storing, conversion rule storage means for registering a defined conversion rule, and data conversion means for generating fictitious data as test data from the personal data, the test data management device comprising: The conversion rule defined by the conversion rule definition means is registered in the conversion rule storage means of the first data processing device. Is intended to construct a Todeta generation system,
By receiving a test data generation command in the generation command receiving unit of the test data management device, the data conversion unit converts the personal data stored in the personal data storage unit into the conversion rule storage unit. A test data management program for a test data generation system, characterized in that the test data converted and generated based on a rule is transferred to a second data processing device.   A recording medium on which the program according to claim 6 is recorded. In a test data generation method using a computer that creates test data based on actual personal data,
Using a test data management device, a business first data processing device that uses actual personal data, and a test second data processing device that performs data processing using the test data,
The test data management device includes a conversion rule defining unit that defines a rule for generating the test data, and a generation command receiving unit that receives a test data generation command,
The first data processing device comprises: personal data storage means for storing the personal data; conversion rule storage means for registering a defined conversion rule; and data conversion means for generating fictitious data as test data from the personal data With
The test data management device registers the conversion rule defined by the conversion rule definition means in the conversion rule storage means of the first data processing device,
When the generation command receiving unit of the test data management device receives the test data generation command, the data conversion unit of the first data processing device registers the personal data of the personal data storage unit in the conversion rule storage unit. A test data generation method, characterized in that the test data is converted based on the converted conversion rule and the generated test data is transferred to the second data processing device. The test data management device refers to the extraction condition setting means for setting the extraction condition of the personal data to be converted and the personal data storage means of the first data processing device to determine the number of personal data extracted under the extraction condition. An extraction number confirmation means for detecting and displaying,
The first data processing apparatus includes an extraction condition storage means for storing the extraction conditions determined by the extraction condition setting means of the test data management apparatus, and an extraction for extracting personal data from the personal data storage means in accordance with the extraction conditions of the extraction condition storage means Means, and extracted data storage means for storing personal data extracted by the extracting means,
When the generation command receiving means of the test data management apparatus receives the test data generation instruction, the first data processing apparatus extracts the personal data from the personal data storage means by the extraction means and stores it in the extracted data storage means. Thereafter, the personal data extracted in the extracted data storage means is converted by the data conversion means based on the conversion rules registered in the conversion rule storage means, and the generated test data is transferred to the second data processing device. The test data generation system according to claim 1, wherein: The first data processing device comprises conversion notification means for notifying the test data management device that the generated test data has been transferred to the second data processing device,
2. The test data management device includes a conversion confirmation unit that receives the notification and displays that the first data processing device has generated test data and transferred it to the second data processing device. Test data generation system. The second data processing device includes a deletion notification means,
The test data management device comprises a deletion confirmation means for displaying a record of data deletion,
3. The test data generation system according to claim 2, wherein the deletion notifying means notifies the deletion confirmation means of the deletion information of the data when the data deleting means deletes the data.

Images