JP4887735B2 - Information processing apparatus, information processing system, and program - Google Patents

Description

  The present invention relates to an information processing apparatus, an information processing system, and a program that perform security control according to authority for each user.

  2. Description of the Related Art Conventionally, in an information processing apparatus in a company or the like, business processing is performed by executing a business application corresponding to the content of business, such as creating an estimate or creating a pay statement. In the business application, a user (user, employee) who is an employee of a company is generally authenticated with a password or the like, and security control is performed to control operation according to the authority of the authenticated user. For this reason, when setting security control for business processing for each user based on company personnel information, it is necessary to do it for various business applications in each department such as sales, accounting, and human resources. The larger it was, the more complicated it was.

As a technique for easily setting security control for each user in the information processing apparatus that performs this business process, for example, referring to personnel information and authority information for each business application, the authority for the individual business application is authenticated. Thus, Patent Document 1 discloses a technique that does not require updating of settings for authentication even when personnel information or authority information is updated.
JP 2005-107984 A

  However, in security control in business processing, even in the detailed operation of each business application, there are cases in which execution regulation or information concealment is performed according to the user's attributes. When performing security control after startup according to information, etc., it was necessary to set for each business application. For this reason, it is not sufficient to manage security control more easily, and further development has been desired.

  The present invention has been made in view of such problems, and an object of the present invention is to provide a technique for easily managing security control for each user in business processing.

In order to solve the above problem, the invention according to claim 1 stores a plurality of security control conditions for each operation group when the operation of the application is grouped into a plurality of operation processes. Security information storage means and first index information indicating which security control condition to use among a plurality of security control conditions for each operation group is defined for each operation group, and collectively A user information definition that associates and defines role information storage means for storing a plurality of role information to be managed and second index information indicating which role information of the role information is to be used for each authenticated user The storage means and second index information defined in association with the authenticated user are acquired from the user definition information means. The role information corresponding to the acquired second index information is acquired from the role information storage means, and the authentication is performed based on the first index information for each operation group collectively managed by the acquired role information. Based on each security control condition read by the condition reading means, a condition reading means for reading out the security control condition for each of the operation groups defined in association with the user who has been read from the security information storage means, Control means for executing and controlling security operations for each operation group .

According to a second aspect of the present invention, in the first aspect of the invention, the role information includes information related to a date on which the role information is applied to a corresponding user, and the condition reading unit includes the information related to the date. In response, role information corresponding to the user is acquired.

The invention described in claim 3 is the invention described in claim 1 or 2 , further comprising editing means for editing the plurality of role information and the security control condition .

The invention according to claim 4 is the invention according to any one of claims 1 to 3 , wherein the security control condition is menu security information which is a start condition of various application programs for each role information, The control means controls the menu display based on the acquired role information and the menu security information.

According to a fifth aspect of the present invention, in the invention according to any one of the first to third aspects, the security control condition is an item security information that is a control condition corresponding to various reference items for each role information. And the control means controls the display items based on the acquired role information and the item security information.

The invention according to claim 6 is the record according to any one of claims 1 to 3 , wherein the security control condition is a control condition corresponding to a reference record used in a business application for each role information. It is security information, and the control means controls the display record based on the acquired role information and the record security information.

The invention described in claim 7 is an information processing system having the main functions shown in the invention described in claim 1, and the invention described in claim 8 is a main function shown in the invention described in claim 1. It is a program that realizes.

According to the inventions described in claims 1, 7 , and 8 , role information corresponding to a user is defined as second index information in the user definition storage unit, and the role information includes a plurality of application operation processes grouped. Since the security control conditions used for each group are collectively managed by the first index information from the group, the role information is acquired based on the second index information, and is associated with the acquired role information. By acquiring the security control condition based on the first index information, it is possible to easily control the operation of the application .

According to the second aspect of the present invention, the role information includes date information for applying the role information to the corresponding user, and the authority corresponding to the user is acquired according to the information related to the date. Flexible security control can be set according to the date.

According to the third aspect of the invention, since the editing device for editing the role information and the security control condition is further provided, it is possible to set the device according to the security control.

According to the invention described in claim 4 , it is possible to perform control related to menu display based on menu security information which is a starting condition of various application programs for each role information, and the screen is configured with a menu configuration according to the user's authority. Can be displayed.

According to the fifth aspect of the present invention, it is possible to perform control related to display items based on security information that is a control condition corresponding to various reference items for each role information, and display items according to the user's authority. Can be displayed.

According to the sixth aspect of the present invention, it is possible to control the display record based on the record security information which is a control condition corresponding to various reference records for each role information, and the data record according to the authority of the user Can be displayed on the screen.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. However, the present invention is not limited to the embodiments. The embodiment of the present invention shows the most preferable mode of the invention, and the use of the invention is not limited to this.

[First Embodiment]
First, a first embodiment of the present invention will be described with reference to FIGS.

  FIG. 1 is a block diagram schematically showing a functional configuration of the information processing apparatus 1 according to the present invention, and FIG. 2 is a diagram schematically showing a file configuration stored in the storage device 13. 3A is a diagram illustrating the contents of the user information definition file 131, FIG. 3B is a diagram illustrating the contents of the system security information definition file 132, and FIG. FIG. 3D is a diagram illustrating the contents of the record security information setting file 133, FIG. 3D is a diagram illustrating the contents of the menu security information setting file 134, and FIG. 3E is an employee personal information management file. FIG. 4 is a flowchart illustrating an operation process in the information processing apparatus 1, and FIG. 5 is a flowchart illustrating an employee information update process in the information processing apparatus 1. FIG. 6 is a diagram illustrating an outline of business processing in the information processing apparatus 1, and FIG. 7A is a table illustrating security control corresponding to user personal information. (B) is a figure which illustrates security control according to the update of a user's belonging person information.

  As shown in FIG. 1, the information processing apparatus 1 includes a CPU 11, a RAM 12, a storage device 13, a display device 14, and an input device 15, and each unit is electrically connected to each other by a bus 16. ) And WS (Work Station).

  The CPU 11 (Central Processing Unit) includes a ROM (Read Only Memory) and an internal RAM (Randam Access Memory) (not shown), reads various control programs and data stored in the ROM and the storage device 13, and stores the internal RAM and The data is expanded in a work area formed in the RAM 12, and the respective units of the information processing apparatus 1 are comprehensively controlled by executing processes corresponding to the various control programs and data. The CPU 11 operates based on a clock signal generated by a crystal oscillator that constantly transmits a constant frequency, not shown, and has a function of counting the clock signal and measuring the current date and time.

  The RAM 12 freely reads and writes data by designating an address as a storage destination, and forms a work area for temporarily storing various control programs and data controlled by the CPU 11 described above. Specifically, the RAM 12 stores user security information 121 created by processing to be described later in the work area.

  The storage device 13 is a non-volatile memory such as a magnetic or optical recording medium or semiconductor that can be read and written in accordance with an instruction from the CPU 11, and includes a user information definition file 131, a system security information definition file 132, and record security information settings. Various data files such as a file 133, a menu security information setting file 134, an item security information setting file 135, an employee information management file 136, an employee member information management file 137, and an information history management file 138 are stored. Specifically, the storage device 13 is a CD-R, CD-R / W, DVD-R, DVD-R / W, DVD + R / W, DVD-RAM, Blu-ray disc, MO disc, PC card, SD card, Memory Stick (registered trademark), smart media, compact flash (registered trademark), xD-Picture card, HDD, EEPROM (Electrically Erasable and Programmable ROM), and the like.

  The various data files stored in the storage device 13 are configured by associating one item of a table in each data file with one item of a table in another data file, as shown in FIG. Specifically, the user information definition file 131 and the system security information definition file 132 are role IDs, the system security information definition file 132 and the record security information setting file 133 are record group IDs, and the system security information definition file 132 and Menu security information setting file 134 is a menu group ID, system security information definition file 132 and item security information setting file 135 are item group IDs, user information definition file 131, employee information management file 136, employee personal information management The file 137 and the information history management file 138 are associated with each other by an employee number.

  The user information definition file 131 stores a “user ID” for each user in order to identify the user of the information processing apparatus 1, a “password” for authenticating login for each “user ID”, and various security information. This is a file for setting system information such as “Role ID” that is an index and “Employee number” that is an index of employee information. For example, as shown in FIG. 3A, system information of a user whose “user ID” is “test” is stored in a table format.

  The system security information definition file 132 includes, for each “role ID”, an “operation company” indicating a company that performs a security operation, a “system type” indicating a type of a business system, and an “operation range” indicating a range where the business operation can be performed. “Category”, “reference date information” that is information related to the reference date for invoking security actions, and “menu group ID”, “record group ID”, “item group ID” that are indexes of information related to each security action are set. It is a file. For example, as shown in FIG. 3B, various types of security information whose “role ID” is “jinji” are stored in a table format.

  The record security information setting file 133 sets “security item name” for setting the item name of the user information to be referred to (personal information) and security control for each “record group ID” for identifying a data record related to information processing. "Condition conjunction" that specifies logical conditions such as an "operator" for calculating a condition when performing the operation, "security item value" that is security information related to this "record group ID", and other "record group ID" ”And the like, and a security control such as presence / absence of access authority to the data record is set.

  As the “operator”, for example, there are comparison operators such as “=”, “>”, “<”, and the like is used to determine whether or not security control is performed between the “security item value” and the target record. . As the “security item value”, in addition to the configuration in which the value at the time of determining access control is directly stored, a predetermined instruction for instructing to refer to the information related to the user who is the reference destination stored in the “security item name” It may be configured to store literals.

  For example, as shown in FIG. 3C, the record security information setting file 133 includes “affiliation” in the employee affiliation information management file 137 as a reference destination of information regarding the user when the record group ID is “200”, “=” As a comparison operator in determining security control and “self”, which is a literal indicating that information related to the user is referred to, are stored in a table format. Note that the literal indicating that the information related to the user is referred to and the information related to the reference destination may be provided not only in the record security information setting file 133 but also in other security information setting files.

  The menu security information setting file 134 sets a “menu group” by setting a “menu ID” for identifying a menu and a “startup command” for storing processing start information for the menu, etc., for the “menu group ID”. A file that registers a menu for each “ID” and controls display / non-display of the menu, availability of activation, and the like. For example, as shown in FIG. 3D, “registration” or “registration” as “startup command” with respect to “10001” or “10002” that is “menu ID” when “menu group ID” is “100”. “Browse” is stored in a table format.

  The item security information setting file 135 sets “item group code”, “reference classification” and the like for “item group ID”, and displays security such as display / non-display of data items set by each item group code. A file that specifies control. The setting of security control for each item may be prohibition of data change / registration related to the item in addition to display / non-display, and is not particularly limited.

  The employee information management file 136 is a file that stores the personal information of the employee identified by the user ID in the “name” and “address” using the “employee number” in the user information definition file 131 as an index. The person information management file 137 is a file that stores information indicating the affiliation or job title of the employee in “affiliation” or “job title” using “employee number” as an index, and the information history management file 138 indexes “employee number”. Is a file that stores information such as the personnel history of employees and the schedule of future personnel changes in “history information 1A”, “history information 1B”. These files store user personal information. For example, as shown in FIG. 3E, the employee personal information management file 137 stores a numerical value such as “10” as the “employee number”. Then, a numerical value such as “500” is stored as a value indicating “affiliation” corresponding thereto.

  The display device 14 is a display such as an LCD (Liquid Crystal Display) or a CRT (Cathode Ray Tube), and displays an image corresponding to an image signal from the CPU 11 on the screen.

  The input device 15 is a pointing device such as a keyboard, a mouse, a touch panel, or the like that includes numeric keys, character keys, various function keys, and the like for inputting an operation instruction to the information processing device 1. An operation signal is output to the CPU 11.

  Next, an operation process of the information processing apparatus 1 performed under the control of the CPU 11 will be described. As shown in FIG. 4, the CPU 11 accepts an activation operation by inputting an ID or password from the input device 15 (step S <b> 11), and collates the input information with the information stored in the user information definition file 131. Then, a system login process for authenticating is performed (step S12).

  Next, information necessary for referring to various security stored in the system security information definition file 132 using the above-mentioned “role ID” as a key based on the “user ID” of the user authenticated in step S12 (“menu group” ID ”,“ record group ID ”,“ item group ID ”) is acquired, and information obtained by combining the acquired information and the information of the user information definition file 131 is stored as user security information 121 in a predetermined area of the RAM 12. User security information acquisition processing is performed (step S13).

  Next, information related to security control for each data record is acquired from the record security information setting file 133 based on the “record group ID” of the user security information 121, and the data record reference or data record corresponding to the user attribute information or the like is acquired. Conditions relating to security control for each record, such as data registration, are created and stored in the user security information 121 (step S14).

  In step S14, if the record security information setting file 133 stores a literal (for example, “self” described above) indicating the reference of the user's personal information or the like, the employee who is the reference destination of the information Stores the value of the information management file 136, the employee personal information management file 137 or the information history management file 138 (for example, the value stored in the “affiliation” of the employee personal information management file 137 in the case of the above-mentioned “affiliation”). The

  Next, a menu security process is performed in which information about a menu that can be activated is acquired from the menu security information setting file 134 based on the “menu group ID” of the user security information 121 (step S15). Based on this, for example, a menu display process for instructing display of only a startable menu is performed (step S16), and a menu screen is displayed on the display device 14.

  Next, an instruction for starting a business process screen by a user menu selection or the like performed based on the menu screen displayed on the display device 14 is received from the input device 15 (step S17), and the “item group ID” of the user security information 121 is received. Item security processing is performed in which information related to security control such as display / non-display of items related to business processing to be activated based on the item security information setting file 135 is performed (step S18), and security for each item is performed. A business screen display process for displaying data items according to the control is performed (step S19).

  Next, an access instruction to a record specifying an employee record (employee number) or the like performed based on the business process screen displayed on the display device 14 is received from the input device 15 (step S20), and the user security information 121 is received. Based on the security control conditions for each stored record, a record security process is performed to acquire the security control conditions for the access-instructed record (step S21), and according to the acquired security control conditions Data access processing for determining whether or not there is an access (browsing) right to the data and acquiring accessible data is performed (step S22), and a data display processing for displaying the acquired data on the display device 14 is performed. Once done (step S23), the process ends.

  Here, in addition to the data display in the business process, the employee information update process performed by the CPU 11 in accordance with an instruction from the user after the menu screen displayed on the display device 14 by the process up to step S16 will be described.

  As shown in FIG. 5, the CPU 11 accepts an instruction to display an employee information update screen from the input device 15 (step S30) in the processes after step S16, and the security of items related to the update process activated in the same manner as in step S18. Item security processing is performed to acquire information related to control from the item security information setting file 135 (step S31), and an employee information update screen with data items corresponding to the information is displayed on the display device 14 (step S32).

  Next, for the employee to be updated, an instruction to access the employee record by inputting the employee number is received from the input device 15 (step S33), and the record security process (step S21), the data access process (step S22), and the data display process described above. The same processing as (Step S23) is performed, and data relating to the employee to be updated is displayed on the display device 14 (Steps S34 to S36).

  Next, along with employee information to be updated such as affiliation change and postal change, an instruction to update the reference date for personnel and the reference date for security is received from the input device 15 (step S37). Based on the information, “reference date information” in the system security information definition file 132 and history information in the information history management file 138 are set by updating the employee information reference date (step S38), and the process ends.

  With the configuration and operation described above, the information processing apparatus 1 creates user security information 121, which is information related to security control performed in various processes when the user authenticated at login operates as shown in FIG. Based on this, security control is performed such as whether or not a menu is displayed according to the authority of the user and whether or not record data and item data can be displayed on the business processing screen. For this reason, the information processing apparatus 1 can centrally set authority regarding security control for each user, and can be managed in association with various operation controls by the user security information 121, so that security control can be easily managed. It can be carried out.

  Further, since the information processing apparatus 1 is configured to display a menu for instructing activation of an application program according to the operation range or menu group ID of the user security information 121, only the menu that can be operated according to the user is displayed. Security control can be performed.

  Further, the information processing apparatus 1 controls display / non-display of data records and data items according to the record group ID and item group ID of the user security information 121, and displays only information according to the user authority. It can be performed.

  Further, the information processing apparatus 1 can set security control through employee information update processing. Furthermore, the employee information update process is performed in accordance with the security control by the user security information 121, and only a user having the authority to register or change can perform the setting, so that a person in charge of personnel other than the system administrator can make the setting. Security settings can be managed safely.

  Specifically, as illustrated in FIG. 7A, the information processing apparatus 1 determines, for each authority such as “person in charge of personnel”, “accounter in charge”, and “system administrator” corresponding to the user at the time of login. , “Execution registration”, “authority and personnel information setting”, “password setting”, “employee salary browsing”, “employee salary setting”, and other execution control can be performed.

  Further, the information processing apparatus 1 is configured to store the date information related to security in the system security information definition file 132 and the information related to the history of personnel changes (personal information) in the information history management file 138, and the above-described step S14 In S15, S18, S21, or S22, the authority of the user is adjusted within a range corresponding to the date information related to the security around the date of issue of the user's personnel change based on the information related to the history.

  For this reason, as shown in FIG. 7B, the information processing apparatus 1 has a wide range of control regarding the security of the user even when the actual handling of the personnel of the user shifts from personnel to accounting on the date of the announcement. It can be flexibly accommodated, and it does not make it difficult to take over data due to changes in security control accompanying personnel changes.

[Second Embodiment]
Next, a second embodiment of the present invention will be described with reference to FIGS. However, the description of the same configuration and operation as those of the first embodiment described above is omitted.

  8 is a schematic diagram showing an outline of the information processing system 100 according to the present invention, FIG. 9 is a block diagram schematically showing the functional configuration of the terminal 2 and the database server 4, and FIG. FIG. 11 is a block diagram schematically showing the functional configuration of the server 3, FIG. 11 is a diagram schematically showing the configuration of the database (DB) in the database server 4, and FIG. FIG. 13 is a ladder chart showing employee information update processing in the information processing system 100, and FIG. 14 is a diagram illustrating an outline of business processing in the information processing system 100. FIG. 15 is a diagram illustrating security control corresponding to the update of the company to which the user belongs.

  As shown in FIG. 8, the information processing system 100 is configured such that the terminal 2, the server 3, and the database server 4 are communicably connected to each other via a communication network N such as the Internet or an intranet. Note that a plurality of terminals 2 may be provided such as the illustrated terminals 2a, 2b, 2c,.

  As for the internal configuration of the terminal 2 and the database server 4, as shown in FIG. 9, the same units (CPU 21, RAM 22, storage device 23, display device 24 and input device 25) and communication device 26 as those of the information processing device 1 described above. And each unit is an information device configured to be electrically connected to each other by a bus 27.

  The communication device 26 is a circuit unit including a wireless communication circuit, an antenna, and a communication interface for performing wired communication, and transmits / receives data to / from an information device connected to the communication network N based on an instruction from the CPU 21. I do.

  With the above configuration, the terminal 2 is a PC or WS, for example, and operates as an operation terminal that uses data and services provided by the server 3 connected to the communication network N. The database server 4 operates as an information processing apparatus that provides a function as a relational database to devices connected to the communication network N. Specifically, the database server 4 manages various data related to business processing and the like by using a plurality of tables (DB), and data that is a key such as an ID number and a name by SQL (Structured Query Language) from other devices. Data registration, combination, extraction, etc. are performed in response to the instruction that specifies, and the result is returned.

  As shown in FIG. 10, the internal configuration of the server 3 is the same as those of the information processing apparatus 1 (the CPU 31, the RAM 32, the storage device 33, the display device 34, and the communication device 36) and the communication device 26 described above. The communication device 36 includes a communication device 36 that transmits and receives data to and from the information device connected to the communication network N, and each unit is an information device that is electrically connected to each other via a bus 37. Further, the server 3 stores user security information 121 created by an operation process described later in the RAM 32.

  With the above configuration, the server 3 provides services such as business processing using the database server 4 to the terminal 2 that is a client connected via the communication network N. For example, the server 3 is a CGI (Common Gateway Interface) that starts and processes a program by being called from a browser executed by the terminal 2 with an argument or the like by HTTP (HyperText Transfer Protocol) via the communication network N. Script processing is performed by incorporating the CGI functions such as SSI (Server Side Include), ASP (Active Server Pages), JSP (Java (registered trademark) Server Pages), and PHP (PHP: Hypertext Preprocessor) into the server. Operates as a business processing Web server using a function based on server side scripting technology (Server Side Scripting), and sends business information based on data obtained by sending SQL instructions to the database server 4 as a Web page to the browser of the terminal 2 Information processing apparatus.

About the configuration of the DB handled by the database server 4, as shown in FIG.
The user information definition DB 431 and the system security information definition DB 432 use the role ID as a key, the system security information definition DB 432 and the record security information setting DB 433 use the record group ID, and the system security information definition DB 432 and the menu security information setting DB 434. The system security information definition DB 432 and the item security information setting DB 435 use the item group ID as a key, and the VIEW employee information 440, the employee information management DB 436, the employee personal information management DB 437, and the information history management DB 438. The employee company management DB 439 and the user information definition DB 431 are associated with each other using the employee number as a key.

  Regarding the data structure of the user information definition DB 431, system security information definition DB 432, record security information setting DB 433, menu security information setting DB 434, item security information setting DB 435, employee information management DB 436, and employee personal information management DB 437, system security information definition The user information definition file 131, the system security information definition file 132, the record security information setting file 133, the menu security information setting file in the information processing apparatus 1 described above, except for storing “operating company” as information related to the operating company in the DB 432. 134, information similar to the item security information setting file 135, the employee information management file 136, and the employee personal information management file 137 is stored in the DB. Except for the configuration of holding Te is omitted because it is identical.

  The information history management DB 438 has the same data structure as the information history management file 138 described above, and stores information such as employee personnel history and future personnel change schedules for each company that uses the information processing system 100 (affiliated / affiliated company). ) Are stored as information history management DBs 438a and 438b.

  The employee affiliated company management DB 439 uses “employee number” as a key value, “company” which is information indicating the affiliated company / affiliated company, etc., and “system type” which is information indicating the system type to be used for personnel / accounting. In this configuration, “concurrent division”, which is information in case of other concurrent operations, and “S affiliation” and “S title”, which are security control information corresponding to affiliations and positions in the employee affiliation information management DB 437, are stored. is there.

  The VIEW employee information 440 is a VIEW table in which data is extracted from the employee information management DB 436, the employee personal information management DB 437, and the employee personal information management DB 437 by an SQL command using the employee number as a key value.

Next, details of operation processing in the information processing system 100 will be described with reference to FIG. Incidentally, in FIG. 1 2, performed by the CPU21 of the terminal 2 for the processing of steps S201 to S206, performs the CPU31 of the server 3 for the processing of steps S301 to S310, the database server for the processes of steps S401~S406 4 CPU 21.

  First, an activation operation by inputting a “user ID” or “password” from the user is received from the input device 25 of the terminal 2 and transmitted to the server 3 (step S201). Based on the input “user ID” Then, the user information definition DB 431 is received from the database server 4 and a system login process is performed in which the input “password” is verified against the “password” stored in the user information definition DB 431 (steps S301 and S401). ).

  Next, the system security information definition DB 432 is received from the database server 4 based on the authenticated “user ID” and using the “role ID” as a key, and the user security information 121 is stored in the RAM 32 as in step S13 described above. Security information acquisition processing is performed by the server 3 (steps S302 and S402).

  Next, the record security information setting DB 433 is received from the database server 4 by using the “record group ID” of the user security information 121 as a key value, and the conditions relating to the security control for each record are created in the server 3 as in step S14 described above. Record security condition creation processing stored in the user security information 121 is performed by the server 3 (steps S303 and S403).

  Next, the menu security information setting DB 434 is received from the database server 4 using the “menu group ID” of the user security information 121 as a key value, and the menu security processing is performed in the server 3 in the same manner as in step S15 described above (steps S304 and S404). Then, menu information corresponding to the menu security processing is transmitted from the server 3 to the terminal 2, and a menu screen is displayed on the display device 24 of the terminal 2 (steps S305 and S202).

  Next, an activation instruction for a business process screen from the user is received from the input device 25 of the terminal 2 (step S203), and the item security information setting DB 435 is received from the database server 4 using the “item group ID” of the user security information 121 as a key value. Then, the item security processing is performed in the server 3 in the same manner as in step S18 described above (steps S306 and S405), and business screen information for displaying data items according to the item security processing is transmitted from the server 3 to the terminal 2. The business screen is displayed on the display device 24 of the terminal 2 (steps S307 and S204).

  Next, an instruction to access the employee record specifying the “employee number” is accepted from the input device 25 of the terminal 2 (step S205), and the record security process similar to step S21 described above is performed (step S308). VIEW employee information 440 having “number” as a key value is received from the database server 4 and data access processing is performed in which accessible data is acquired in the same manner as in step S22 described above (steps S309 and S406). The transmitted data is transmitted to the terminal 2 and displayed on the display device 24 of the terminal 2 (steps S310 and S206), and the process ends.

  Here, an employee information update process performed after the menu screen is displayed (step S202) in the information processing system 100 will be described with reference to FIG. In FIG. 13, the CPU 21 of the terminal 2 performs each process of steps S211 to S215, the CPU 31 of the server 3 performs each process of steps S311 to S316, and the database server 4 performs each process of S411 to S413. CPU21 performs.

  First, an instruction to display an employee information update screen is received from the input device 25 of the terminal 2 and transmitted to the server 3 (step S211), the item security information setting DB 435 is received from the database server 4, and the same as step S31 described above. The item security process related to the update process is performed (steps S311 and S411), the update screen information of employee information by the data item corresponding to the information is transmitted to the terminal 2, and the update screen is displayed on the display device 24 of the terminal 2. (Steps S312 and S212).

  Next, for the employee to be updated, an instruction to access the employee record by inputting the employee number is received from the input device 25 of the terminal 2 and transmitted to the server 3 (step S213), which is shown in steps S308 to S310, S406 and S206 described above. The same processing as that described above is performed, and data relating to the employee to be updated is displayed on the display device 24 of the terminal 2 (steps S313 to S315, S412 and S214).

  Next, along with employee information to be updated such as affiliation / position / affiliated company change, an instruction to update the reference date for personnel or the reference date for security is received from the input device 25 of the terminal 2 and the server 3 (Step S215), and an update command based on the SQL statement based on the transmitted information is transmitted to the database server 4 (step S316), and the employee reference date and security reference date and security are issued. The system security information definition DB 432, the employee affiliation information management DB 437, the employee affiliation company management DB 439, etc. for storing the above reference date and the like are updated (step S413), and the process ends.

  With the configuration and operation described above, even in the information processing system 100 in which the terminal 2, the server 3, and the database server 4 are communicably connected via the communication network N, security control for each user in business processing can be easily managed. be able to. Specifically, as shown in FIG. 14, in response to an operation instruction from the terminal 2, user security information 121, which is information relating to security control performed in various processes when a user who has been authenticated at the time of login, operates, is created. Thus, security control is performed such as whether or not the menu is displayed according to the authority of the user and whether or not the record data and item data can be displayed on the business processing screen.

Further, the information processing system 100 extracts the employee information management DB 436, the employee personal information management DB 437, and the employee affiliated company management DB 439 that stores information such as the affiliated company / affiliated company as VIEW employee information 440, and records security is configured to perform an operation, it is possible to belong to the company also managed in the same user security information 121 when cormorants differences.

  The information processing system 100 is configured to store date information related to security and information related to history such as personnel changes in the database server 4 in the same manner as the information processing apparatus 1, and the above-described steps S303, S304, S306, S308 or S309 are stored. The user's authority is adjusted in a range corresponding to the date information related to security around the date of personnel announcement such as a change of the user's company based on the information related to the history.

  For this reason, as shown in FIG. 15, the information processing system 100 can flexibly control the security of the user even when the company to which the user belongs changes on the date of the announcement. It is possible to cope with it, and it is not difficult to take over data by changing the security control accompanying the change of the affiliated company.

  Note that the description in the present embodiment shows an example of the present invention, and the present invention is not limited to this. The detailed configuration and detailed operation of the information processing apparatus 1 or the information processing system 100 in the present invention can be appropriately changed without departing from the spirit of the present invention. For example, the numerical values in the various information files illustrated may be other literals and are not particularly limited.

  In addition, in the present embodiment, the information received from the input device 15 to identify the user is configured to be a user name or password input from a keyboard or the like. However, the input device 15 includes a card reader as a user. Information obtained by reading the magnetic card or IC card possessed by the camera, and further, the input device 15 includes a capacitive semiconductor chip, a CCD camera, an infrared camera, a microphone, etc., and fingerprint information and face image obtained therefrom. It may be biological information such as information, eye glow information, palm vein information, or voice information, and is not particularly limited.

It is the block diagram which showed typically the functional structure of the information processing apparatus 1 which is this invention. FIG. 3 is a diagram schematically illustrating a file configuration stored in a storage device 13. (A) is a figure which illustrates the content of the user information definition file 131, (b) is a figure which illustrates the content of the system security information definition file 132, (c) is the record security information setting file 133. (D) is a diagram illustrating the contents of the menu security information setting file 134, and (e) is a diagram illustrating the contents of the employee belonging information management file 137. 3 is a flowchart illustrating operation processing in the information processing apparatus 1. 5 is a flowchart showing employee information update processing in the information processing apparatus 1. 3 is a diagram illustrating an outline of business processing in the information processing apparatus 1. FIG. (A) is a table | surface which illustrates the security control corresponding to a user's personal information, (b) is a figure which illustrates the security control according to the update of a user's personal information. It is the schematic which showed the outline of the information processing system 100 which is this invention. 3 is a block diagram schematically showing functional configurations of a terminal 2 and a database server 4. FIG. 3 is a block diagram schematically showing a functional configuration of a server 3. FIG. It is the figure which showed typically the structure of the database in the database server 4. FIG. 3 is a ladder chart showing operation processing in the information processing system 100. 3 is a ladder chart showing employee information update processing in the information processing system 100. 2 is a diagram illustrating an outline of business processing in the information processing system 100. FIG. It is a figure which illustrates the security control corresponding to the update of the company to which a user belongs.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Information processing apparatus 100 Information processing system 2, 2a, 2b, 2c Terminal 3 Server 4 Database server N Communication network 11 CPU (acquisition means, control means)
12 RAM
13 Storage device (storage means)
14 Display device 15 Input device (editing means)
16 bus 21 CPU
22 RAM
23 storage device 24 display device 25 input device 26 communication device 27 bus 31 CPU (acquisition means, control means)
32 RAM
33 Storage device 34 Display device 35 Input device 37 Bus 121 User security information 131 User information definition file 132 System security information definition file (multiple authority information)
133 Record security information setting file (record security information)
134 Menu security information setting file (menu security information)
135 Item security information setting file (item security information)
136 Employee information management file (personal information)
137 Employee employee information management file (person information)
138 Information history management file (personal information)
431 User information definition DB
432 System security information definition DB (multiple authority information)
433 Record security information setting DB (record security information)
434 Menu security information setting DB (menu security information)
435 Item security information setting DB (item security information)
436 Employee Information Management DB (Person Information)
437 Employee employee information management DB (person information)
438, 438a, 438b Information history management DB (personal information)
439 Employee affiliation company management DB (personal information)
440 VIEW employee information

Claims (8)

Security information storage means for storing a plurality of security control conditions for each operation group when the operation of the application is grouped into a plurality of operation processes;
First index information indicating which security control condition to use among a plurality of security control conditions for each operation group is defined for each operation group, and role information to be managed collectively A plurality of role information storage means for storing;
User-defined storage means that associates and defines second index information indicating which role information of the role information is used for each authenticated user;
The second index information defined in association with the authenticated user is acquired from the user definition information means, the role information corresponding to the acquired second index information is acquired from the role information storage means, and the acquired Based on the first index information for each operation group collectively managed by role information, the security control condition for each operation group defined in association with the authenticated user is obtained from the security information storage means. A condition reading means for reading;
Based on each security control condition read by the condition reading means, control means for executing and controlling the security operation for each operation group;
An information processing apparatus comprising: The role information includes information related to a date on which the role information is applied to a corresponding user,
The information processing apparatus according to claim 1 , wherein the condition reading unit acquires role information corresponding to a user according to information related to the date. The information processing apparatus according to claim 1 or 2, further comprising an editing means for editing the security control condition and the role information. The security control condition is menu security information that is an application program start condition for each role information,
Wherein, the information processing apparatus according to any one of claims 1 to 3, characterized in that performs control related to the menu displayed on the basis of the role information and the menu security information the acquired. The security control condition is item security information that is a control condition corresponding to a reference item of an application program for each role information,
Wherein, the information processing apparatus according to any one of claims 1 to 3, wherein the performing control related to the display items based on the role information and the item security information the acquired. The security control condition is record security information that is a control condition corresponding to a reference record used in a business application for each role information,
Wherein, the information processing apparatus according to any one of claims 1 to 3, wherein the performing control related to the display records based on the obtained role information and the record security information was. Information processing in which a terminal device and an information processing device are communicably connected to each other, a user is authenticated at the time of logging in from the terminal device to the information processing device, and the information processing device performs operations of a plurality of applications according to the authenticated user In the system,
Security information for each operation group when the application operations are grouped into a plurality of operation processes, security information stored for each of the plurality of operation groups, and a plurality of security control conditions for each of the operation groups. First index information indicating which security control condition is used is defined for each operation group, role storage information for storing a plurality of role information to be collectively managed, and for each authenticated user Further comprising a database server for storing user-defined information defined in association with a second index method indicating which role information of the role information is to be used,
The information processing apparatus includes:
The second index information defined in association with the authenticated user is acquired from the user definition information stored in the database, and the role information corresponding to the acquired second index information is stored in the database. Based on the first index information for each operation group acquired from the role information storage and collectively managed with the acquired role information, for each operation group defined in association with the authenticated user Condition reading means for reading security control conditions from the database;
Based on the security control condition read in the previous SL condition reading means, and a control means for performing control security operation of each of said operating groups,
An information processing system comprising: A computer of an information processing apparatus that authenticates a user at the time of login and operates a business application including a plurality of application programs according to the authenticated user.
A security information storage function for storing a plurality of security control conditions for each operation group when the operation of the application is grouped into a plurality of operation processes;
First index information indicating which security control condition to use among a plurality of security control conditions for each operation group is defined for each operation group, and role information to be managed collectively A role information storage function for storing a plurality of roles;
A user-defined storage function that is defined in association with second index information indicating which role information of the role information is used for each authenticated user;
The second index information defined in association with the authenticated user is acquired from the user definition information function, the role information corresponding to the acquired second index information is acquired from the role information storage function, and the acquired Based on the first index information for each operation group collectively managed by role information, the security control condition for each operation group defined in association with the authenticated user is obtained from the security information storage function. Read condition reading function,
Based on each security control condition read by the condition reading means, an operation control function for executing and controlling a security operation for each operation group;
A program characterized by realizing.

Images