JP5390327B2 - Document management system and document management method - Google Patents

Description

  The present invention relates to a document management system and a document management method, and in particular, encrypts and stores content such as document information and restricts access to the content by limiting who can acquire the content. The present invention relates to a document management system and a document management method.

  In recent years, with an increase in awareness of information security, particularly in organizations such as companies that hold a large amount of confidential documents, a system that can efficiently realize management and protection of documents is required.

  As a technology that makes it possible to solve such a request, a document that has been digitized as a document file and can be processed by a computer system is protected by encryption, and the user's authority over the document Document protection systems that can be controlled and managed on the server side are becoming popular and effective.

  As a conventional technique related to the document protection system as described above, for example, a technique described in Patent Document 1 is known. In this prior art, a document file is encrypted and stored in a client PC (Personal Computer), and the document management server stores a decryption key, an access authority list, etc. of the document file, and refers to the document file. In this case, the user first obtains the decryption key after accessing the document management server and authenticating the reference authority.

  The greatest feature of such a document management system is that since the document management server centrally manages the user's operation authority for the managed document, the user's authority can be controlled on the server side. With this feature, the document management system described above can change the operation authority of an arbitrary user after the distribution of the protected document, so that the risk of information leakage with respect to a confidential document can be reduced.

JP-T-2007-511821

  In the above-described document management system according to the prior art, centrally managing user operation authority by the document management server is, conversely, management for setting / changing users who can refer to the managed document file. There is a person. Specifically, for example, when encrypting a document file, the administrator selects a person who can refer to the managed document file by referring to the list of users. .

  By the way, as for large equipment / equipment, it is not possible to design all the parts in one company, and it is often the case that the design of parts etc. is ordered from other companies. In such a case, it is necessary to encrypt the design drawings of the entire equipment / equipment so that the designer of the ordering party can refer to them, but the above-mentioned design drawings are encrypted by the ordering party. In many cases, it is not known by all the ordering designers who may refer to this. In the first place, the ordering party should determine who performs the design work at the ordering party, and it is not preferable that the ordering party can refer to the list of the ordering designers.

  That is, even a document file manager may not be able to determine who can refer to the managed document file described above.

  Regardless of the design of equipment / equipment, the same problems as described above may occur in various cases, such as when ordering a part of a program to another company, or when placing an order for an advertisement / promotion plan with another company. To do. Also, when multiple departments work together in a single company, a list of users can be displayed, but the document files managed by one department can be viewed by anyone in other departments, etc. In many cases, the above-mentioned department managing the document cannot determine whether or not to perform the process.

  Furthermore, the problem as described above is not limited to a document file, but occurs similarly in accessing an image file or the like.

  In view of the above-described points, an object of the present invention is to manage a document file or the like even if the administrator of the document file or the like cannot determine a person who can refer to the document file or the like. It is an object of the present invention to provide a document management system and a document management method capable of appropriately restricting access.

To achieve the above Symbol object, the present invention provides a document to perform restricted access to the content by limiting encrypts the content including the document information is stored, a person who can acquire the content in the management system, the user is encrypted held a plurality of first client 1 also holds the content that has been encrypted with a key file before Symbol in the first client a content management server for managing access rights to the content, is constituted by communicably connecting a second client to register the user referring to the contents encrypted with the content management server by a network, the The second client, in accordance with an instruction from the operator, has a user registration / change processing means possessed by the own client and Using the user management processing unit whose serial content management server has, with encrypting the content to the user file in the content management server registers a plurality of users by referring to the content that has been encrypted, the first client, using the access right management processing means having access permission registration and modification processing means and the content management server itself client has the instruction of the user is a steering author, to see the content encrypted : 1 or a plurality of users, in the predetermined access rights ID paired register with access files in the content management server, further, the content encryption processing means and the content management server itself client has the using the content management processing unit having said containment desired to be referenced to the user Tsu stores in the storage device is encrypted and is connected to its own clients as encrypted content, as a pair with a predetermined content ID and the access authority ID, stored in the content management file in the content management server, 1 also wish to see the encrypted content transmitted in addition to the first client to use a plurality of users, the first client of the other receiving the encrypted content that has been sent, the transmission when referring to the encrypted content that has been that the content program processing unit self client has transmits a content ID of the encrypted content to be referenced in the access control processing means with said content management server, the access control processing means, said by the content ID transmitted Obtains the access authority ID from the content management file, the access by the authorization ID obtains a referable user of the access rights file, of the encrypted content to be reference the content ID the other that has transmitted the authenticates the user of the first client, sends with the decryption key that the authentication succeeds to the content reference processing unit of the other of the first client, the decryption of the encrypted content by the content reference processing unit it characterized in that to perform the reduction display.

  According to the present invention, even when the administrator of a document file or the like cannot determine who can refer to the document file or the like, it is possible to appropriately restrict access to the document file or the like. Become.

It is a block diagram which shows the structural example of the document management system by the 1st Embodiment of this invention. It is a figure which shows the data structure of the key file in the 1st Embodiment of this invention. It is a figure which shows the data structure of the user file in the 1st Embodiment of this invention. It is a figure which shows the data structure of the access authority file in the 1st Embodiment of this invention. It is a figure which shows the data structure of the content management file in the 1st Embodiment of this invention. It is a figure which shows the data structure of the encryption content in the 1st Embodiment of this invention. It is a flowchart explaining the operation | movement of user registration in the document management system by the 1st Embodiment of this invention. It is a flowchart explaining the operation | movement of access authority registration in the document management system by the 1st Embodiment of this invention. It is a flowchart explaining the operation | movement of content encryption in the document management system by the 1st Embodiment of this invention. It is a flowchart explaining the content reference operation | movement in the document management system by the 1st Embodiment of this invention. It is a flowchart explaining operation | movement of the content re-encryption in the document management system by the 1st Embodiment of this invention. It is a flowchart explaining the operation | movement of content expiration in the document management system by the 1st Embodiment of this invention. It is a figure which shows the data structure of the content management file in the 1st Embodiment of this invention which enabled prohibiting the reference of the re-encrypted file. It is a figure which shows the example of the login screen (user authentication screen) at the time of performing the user registration and change process in the 1st Embodiment of this invention. It is a figure which shows the example of the user registration screen at the time of performing the user registration and change process in the 1st Embodiment of this invention. It is a figure which shows the example of the access authority registration screen at the time of performing the process of access authority registration in the 1st Embodiment of this invention. It is a figure which shows the example of the menu screen at the time of performing the content encryption process in the 1st Embodiment of this invention. It is a figure which shows the example of the content encryption screen at the time of performing the content encryption process in the 1st Embodiment of this invention. It is a figure which shows the example of the content re-encryption screen at the time of performing the process of content re-encryption in the 1st Embodiment of this invention. It is a figure which shows the example of the content revocation screen at the time of performing the content revocation process in the 1st Embodiment of this invention. It is a block diagram which shows the structure of the document management system by the 2nd Embodiment of this invention. It is a figure which shows the data structure of the contract file in the 2nd Embodiment of this invention. It is a figure which shows the data structure of the user file in the 2nd Embodiment of this invention. It is a flowchart explaining the outline | summary of the processing operation in the document management system by the 2nd Embodiment of this invention. It is a flowchart explaining the operation | movement which a contract management program produces a contract record in the document management system by the 2nd Embodiment of this invention. It is a figure which shows the example of the contract screen at the time of a contract management program creating a contract record. It is a block diagram which shows the structure of the document management system by the 3rd Embodiment of this invention. It is a figure which shows the data structure of the window person in charge file in the 3rd Embodiment of this invention. It is a flowchart explaining the processing operation of the operation | movement regarding utilization of the service in the document management system by the 3rd Embodiment of this invention. It is a flowchart explaining the operation | movement of a contact person registration in the 3rd Embodiment of this invention. It is a flowchart explaining the operation | movement of the person in charge of counter in the 3rd Embodiment of this invention. It is a figure which shows the example of the contact person registration screen at the time of performing the contact person registration process in the 3rd Embodiment of this invention. It is a figure which shows the example of the contact person approval screen at the time of performing the contact person approval process in the 3rd Embodiment of this invention.

  Hereinafter, embodiments of a document management system and a document management method according to the present invention are controlled in detail with reference to the drawings. In the embodiment of the present invention described below, “content” means not only a file such as a document file and an image file, but also the entire database, each record of the database, and the like unless otherwise specified. In addition, it means all electronic data that can be subject to browsing, viewing, mail transmission / reception, copying to an external storage medium, and the like.

  FIG. 1 is a block diagram showing a configuration example of a document management system according to the first embodiment of the present invention.

<Overall configuration and function of document management system>
As shown in FIG. 1, the document management system according to the first embodiment connects the devices of the content management server 1, the client 3, and the client 4 so that they can communicate with each other via a wired or wireless communication line. Configured.

  In FIG. 1, one device is shown, but two or more devices may exist. Each device does not need to exist one by one. For example, one client 3 and one client 4 can be configured to have both functions. Further, in FIG. 1, a plurality of programs (for example, the access authority registration / change program 41 of the client 4, the content encryption program 42, and the content reference program 43) provided in one device are separated on another device. Can be prepared.

  In FIG. 1, the content management server 1, the client 3, and the client 4 are communicably connected to each other via a LAN (Local Area Network) 9 and the Internet 91, but are connected only by the LAN 9 without going through the Internet 91. Alternatively, they may be connected by, for example, a WAN (Wide Area Network).

  As described above, the client 3 can register a user who may refer to the content subject to access restriction in the content management server 1. In addition, the client 4 can use the function of the content management server 1 to encrypt the content stored in the client 4 and restrict access. Further, the client 4 can also decrypt the encrypted content and refer to the user.

  In FIG. 1, the client 3 for registering the user and the client 4 for encrypting the content are separate devices. However, as described above, one device may have both functions. Further, another device that refers to the content encrypted by the client 4 may be connected to the LAN 9 and the Internet 91. Therefore, it is possible to transmit the content encrypted by the client 4 to the above-mentioned another device by e-mail or the like and refer to the other device.

  Also, the entire document management system according to the first embodiment can be constructed in, for example, one company. In this case, a device (client 3 or the like) installed in the same site as the content management server 1 is connected to the content management server 1 via the LAN 9, while a device installed in another area or the like is connected to the VPN ( Virtual Private Network) connection.

  On the other hand, for example, a plurality of companies belonging to the same company group can use the content management server 1 jointly. In this case, for example, a service provider that does not belong to the above-described company group installs and operates the content management server 1, and each company that belongs to the above-described company group manages devices such as the client 3 via the Internet 91. The server 1 may be connected to the VPN (Virtual Private Network).

<Configuration and function of each part of document management system>
Hereinafter, configurations and functions of the content management server 1, the client 3, and the client 4 will be described.

<Configuration and Function of Content Management Server 1>
The content management server 1 is a device such as a PC and is configured with a CPU (Central Processing Unit), a main storage device, and the like (not shown). In the main storage device, a user management program 11, an access authority management program 12, a content management program 13 and an access which are stored in an external storage device (not shown) at a predetermined timing such as when the content management server 1 is started. The control program 14 is loaded, and the instruction code stored in each program is executed by the CPU.

  Since the technique related to the program execution as described above is well known, in each drawing and the following description, in order to avoid complicated explanation regarding the program execution, the “user management program 11 refers to the file. The program is described as if the various programs are the main body of processing execution. In addition, an OS (Operating System) or the like is loaded on the main storage device of the content management server 1, and the CPU executes the OS instruction code as needed. Such a technique is also well known. In the following, the processing of the OS and the like will not be described unless particularly explained.

  The content management server 1 is communicably connected to a storage device 2 that is stored inside the PC main body or exists outside. The storage device 2 stores a key file 21, a user file 23, an access authority file 25, and a content management file 26. In the following, the purpose and stored contents of these files will be described with reference to the functions of each program.

  The key file 21 is a file that stores an encryption key for encrypting the content and a decryption key for decrypting the content encrypted by the encryption key as a pair. When only one encryption key and one decryption key are used in the entire system, only one set of encryption key and decryption key needs to be stored, and this simplifies the function of the system. However, in the first embodiment of the present invention, one or more pairs of encryption keys and decryption keys are stored, and an encryption key used when encrypting content can be selected. The system will be adopted. For this reason, the key file 21 also stores an ID (Identifier) for identifying a pair of an encryption key and a decryption key. By doing so, even if a decryption key corresponding to a certain encryption key leaks or is known by an estimation operation, content encrypted using another encryption key cannot be decrypted. Therefore, the confidentiality of the system can be improved. It is also possible to make the encryption key and the decryption key the same, and in this way the system can be made simpler, but on the other hand, by separating the encryption key and the decryption key, Even if the key is known, it cannot be decrypted, and the confidentiality of the system can be improved.

  The content management server 1 also includes a program for creating / updating the key file 21, but the function of this program is not shown because it is not directly related to the present invention.

  The user file 23 is a file that stores an account, a password, and the like of a user who needs to encrypt the content or decrypt the encrypted content. The contents of the user file 23 are registered by the user management program 11 when the content management server 1 receives a user registration request from the client 3.

  The content management file 26 is a file that manages which users are permitted to access content such as referring to encrypted content. In order to achieve this object, it is only necessary to store a list of users who are permitted to access a content ID that can uniquely identify the encrypted content. However, in many cases, access to the same user is permitted for a plurality of contents, and in this case, if the list of users permitted to access is stored in the content management file 26, the same contents are stored for each encrypted content. Are stored redundantly, and the capacity of the storage device is used redundantly. Therefore, in the first embodiment, the access authority file 25 stores a list of users who are permitted to access in pairs with the access authority ID, and the content management file 26 stores the access authority ID. The method is adopted.

  The contents of the access authority file 25 are registered by the access authority management program 12 in response to an access authority registration request from the client 4. The content management file 26 is created by the content management program 13 in response to a content encryption request from the client 4, and is referenced by the access control program 14 in response to a content reference request from the client 4.

  Each program described above may be a WEB application, for example, and may operate under a WEB server such as apache (not shown). In this way, functions such as the user registration / change program 31 of the client 3 to be described later can be realized by the WEB browser, and work such as installation of a special program on the client 3 does not occur. Can be.

<Configuration and function of client 3>
The client 3 is a device such as a PC, and is connected to the input device 35 and the display device 36 in a communicable manner. The input device 35 is a device such as a keyboard or a mouse, and the operator of the client 3 can instruct a process to be executed by the client 3 by operating the input device 35.

  The display device 36 is a liquid crystal display, a printer, or the like, and displays and prints the result of processing executed by the client 3.

  Although not shown, the client 3 includes a CPU and a main storage device. A user registration / change program 31 is loaded into the main storage device and executed by the CPU.

  The user registration / change program 31 sends the user's account and the like input by the operator of the client 3 using the input device 35 to the user management program 11 and requests to register it in the user file 23. To do.

<Configuration and function of client 4>
The client 4 is a device such as a PC, and is connected to the input device 45, the display device 46, and the storage device 46 so as to be communicable. The input device 35 is a device such as a keyboard or a mouse, and the operator of the client 4 can instruct a process to be executed by the client 4 by operating the input device 45.

  The display device 46 is a liquid crystal display, a printer, or the like, and displays and prints the result of processing executed by the client 4.

  The storage device 46 is a device such as a magnetic disk, and is built in the client 4 or connected externally. Although not shown, the storage device 46 stores content before encryption and encrypted content 49 that is content after encryption. Here, the encrypted content 49 does not mean a specific file or the like, but means general content encrypted by a content encryption program 42 described later. Accordingly, one or more encrypted contents 49 may exist or may not exist. The encrypted content 49 stores not only the result of encrypting the content before encryption, but also a content ID or the like that can uniquely identify the encrypted content 49.

  Although not shown, the client 4 includes a CPU and a main storage device. An access authority registration / change program 41, a content encryption program 42, and a content reference program 43 are loaded into the main storage device and executed by the CPU. .

  The access authority registration / change program 41 sends a list of users or the like input by the operator of the client 4 using the input device 45 to the access authority management program 12 and requests registration in the access authority file 25. .

  The content encryption program 42 transmits a content encryption request designated by the operator of the client 4 using the input device 45 to the content management program 13, creates the content management file 26, and transmits an encryption key. To ask. Then, the content encryption program 42 encrypts the content using the encryption key transmitted by the content management program 13, creates the encrypted content 49, and stores it in the storage device 46.

  The content reference program 43 transmits a reference request for the encrypted content 49 specified by the operator of the client 4 using the input device 45 to the access control program 14, and the operator of the client 4 stores the encrypted content 49. It is determined whether or not the user has the reference authority. If the user has the reference authority, a request is made to transmit the decryption key. Then, the content reference program 43 decrypts the content using the decryption key transmitted by the access control program 14 and displays the content content on the display device 46.

<Supplementary explanation about the functions of the document management system>
Next, on the premise of each configuration described above, a basic access control method in the document management system according to the first embodiment of the present invention will be described with an example.

  Now, it is assumed that in a certain company, five people a, b, c, d, and e need to encrypt content or refer to the encrypted content. It is assumed that the key file 21 has already been created.

  First, an operator of the client 3 (one of a to e or another person) may use the user registration / change program 31 and the user management program 11 to a, b , C, d, and e are registered in the user file 23.

  Next, the user a who is an operator of the client 4 uses the access authority registration / change program 41 and the access authority management program 12 to give users b and c who want to refer to the encrypted content a predetermined access. Registered in the access authority file 25 in pairs with the authority ID.

  Then, the user a encrypts the design drawing file (stored in the storage device 47) to be referred to by the users b and c by using the content encryption program 42 and the content management program 13. The stored content 47 is stored in the storage device 47 and the predetermined content ID and access authority ID are paired and stored in the content management file 26.

  User a transmits the encrypted content 49 to users b and c by e-mail transmission, file transfer, or the like.

When the users b and c try to refer to the encrypted content 49 transmitted by the content reference program 43 of the client 4 of each user, the content reference program 43 includes the content ID of the encrypted content 49 to be referred to, etc. Is transmitted to the access control program 14. The access control program 14 acquires the access authority ID of the content management file 26 based on the transmitted content ID, and acquires a user who can refer to the access authority file 25 based on the access authority ID. Since the users b and c are registered as referable users, the access control program 14 transmits to the content reference program 43 that the authentication is successful together with the decryption key, and the content reference program 43 is encrypted. The content 49 is decrypted and displayed on the display device 46.

  As described above, in the first embodiment of the present invention, when the encrypted content 49 is created, the registered user is registered in the content management server 1 by registering a user that can be referred to. The encrypted content 49 can be referred to. On the other hand, an unregistered user cannot refer to the encrypted content 49 or the like. Therefore, even when the user a mistakenly transmits the encrypted content 49 to the user d, the user d cannot refer to the encrypted content 49 and can prevent information leakage.

<Data structure of each file>
FIG. 2 is a diagram showing a data configuration of the key file 21 in the first embodiment of the present invention.

  As described above, the key file 21 is a file that stores a pair of an encryption key for encrypting content and a decryption key for decrypting the content encrypted by the encryption key. One or more key records 210 are stored.

  The key record 210 includes a key ID 211 that can uniquely identify the key record, an encryption key 212 that is a content encryption key, and a decryption key 213 that is a content decryption key encrypted by the encryption key 212. Is done.

  FIG. 3 is a diagram showing a data structure of the user file 23 in the first embodiment of the present invention.

  The user file 23 is a file storing a user's account, password, and the like that need to encrypt content or decrypt the encrypted content, and store one or more user records 230. Configured.

  The user record 230 includes a user ID (account ID) 231 that can uniquely identify a user, a password 232 used when the user logs in, and authority to perform user management operations such as user registration. A user management authority presence / absence 233 indicating whether or not the user has the authority and an encryption authority presence / absence 234 indicating whether or not the user has the authority to encrypt the content.

  In the user management authority presence / absence 233 and the encryption authority presence / absence 234, a value “authority” indicating that there is an authority, or a value “authority not included” indicating that there is no authority is set.

  If “authorized” is set in the user management authority presence / absence 233, the user can use the user registration / change program 31. If “no authority” is set, the user can use it. The person cannot use the user registration / change program 31.

  When “authorized” is set in the encryption authority presence / absence 234, the user can use the content encryption program 42. When “no authority” is set, the user The content encryption program 42 cannot be used. In this way, the first embodiment of the present invention makes it possible to set the presence / absence of encryption authority for each user. It becomes possible to set “no authority” to 234. Therefore, the document management system according to the first embodiment of the present invention can carry out unencrypted content export, such as copying unencrypted content to an external storage device or sending it by e-mail. By using it together with the system to be restricted, a user who does not have the authority to encrypt cannot take out the content to the outside, and can prevent information leakage more firmly.

  As described above, the user registration / change program 31 can be used only by users who have “authorized” set in the user management authority presence / absence 233 of the user record 230. When no user record 230 is created, no one can create the user record 230 using the user registration / change program 31. Therefore, when the document management system according to the first embodiment of the present invention is constructed, at least one user record 230 in which “authorized” is set in the user management authority presence / absence 233 is created. There is a need.

  FIG. 4 is a diagram showing a data configuration of the access authority file 25 in the first embodiment of the present invention.

  The access authority file 25 is a file for defining a user's access authority for use in access control, and is configured to store one or more access authority records 250.

  The access authority record 250 includes an access authority ID 251 that can uniquely identify the access authority, and a key that can uniquely identify the key record 210 that is used when creating the encrypted content to which the access authority is applied. It is composed of an ID 252 and a user ID 253 that can uniquely identify a user who can refer to the encrypted content to which the access authority is applied. N user IDs 253 are set (n is an integer of 1 or more).

  FIG. 5 is a diagram showing a data structure of the content management file 26 in the first embodiment of the present invention.

  The content management file 26 is a file for managing which users are permitted to access the content, such as referring to the encrypted content. The content management record 260 is stored each time the content is encrypted. One record is created. Therefore, the content management record 260 does not exist when encryption has never been performed.

  The content management record 260 is applied to the content ID 261 that can uniquely identify the encrypted content 49, the encrypted content name 262 that is the name of the encrypted content 49 (for example, the document file name), and the encrypted content 49. The access authority ID 263 can uniquely identify the access authority record 250 to be executed.

  FIG. 6 is a diagram showing a data configuration of the encrypted content 49 in the first embodiment of the present invention.

  The encrypted content 49 includes a content ID 491 that can uniquely identify the encrypted content 49, a user ID 492 of the user who created the encrypted content 49, an access restriction 493, and a content content 494 obtained by encrypting the content. Consists of

  Here, in the access restriction 493, information for restricting access related to the encrypted content 49, such as a period during which the encrypted content 49 can be referred to, whether printing is possible, whether copying is possible, and the like is set. . The access restriction 493 may be specified when creating the encrypted content 49 using the content encryption program 42, or another program (not shown) after the encrypted content 49 is created. You may create and change using In the first embodiment of the present invention, it is assumed that setting / changing is performed using another program not shown in FIG. 1, and further description of the access restriction 493 is omitted.

<Operation of access control system>
The description of the configuration and functions of the document management system according to the first embodiment of the present invention has been completed. Next, the operation of the document management system according to the first embodiment will be described with reference to a flowchart.

<Operations related to user registration / change>
FIG. 7 is a flowchart for explaining the user registration operation in the document management system according to the first embodiment of the present invention.

  An operator (user) of the client 3 operates the input device 35 to activate the user registration / change program 31.

  As described above, the client 3 is not provided with the special user registration / change program 31, but the same function can be realized by, for example, a WEB browser. Further, not only the user registration / change program 31 but also the access authority registration / change program 41, the content encryption program 42, etc., it is possible to realize the same function by a WEB browser, for example. In that case, an operator (user) such as the client 3 does not start each program, but operates the WEB browser by the input device 35 or the like and transmits a URL corresponding to each process to the WEB server. Good.

(1) When the user registration / change program 31 starts processing, the user registration / change program 31 displays a login screen (user authentication screen) on the display device 36, and uses the user ID and password input by the operator of the client 3 as the user. It transmits to the management program 11 (S701) and waits until it receives the authentication success / failure from the user management program 11 (step S701), although not explicitly shown in the figure.

  FIG. 14 is a diagram showing an example of a login screen (user authentication screen). Here, an example of a login screen displayed on the display device 36 in the process of step S701 will be described. The illustrated login screen (user authentication screen) D1400 includes a user ID input field D1401, a password input field D1402, an OK button D1403, and a cancel button D1404.

  When the operator of the client 3 inputs the user ID and password of the operator in the user ID input field D1401 and password input field D1402, and clicks the OK button D1403 with a mouse or the like, the user registration / change is performed. The program 31 transmits the input user ID and password to the user management program 11. On the other hand, although not explicitly shown in FIG. 7, when the operator of the client 3 clicks the cancel button D1404 with a mouse or the like, the user registration / change program 31 ends the process.

(2) Upon receiving the user ID and password transmitted from the user registration / change program 31, the user management program 11 authenticates the received user ID. Specifically, the received user ID is registered in the user file 23 (there is a user record 230 in which the received user ID is set to the user ID 231), and the received password is used. (The received password is the same as the password 232 of the user record 230 in which the received user ID is set to the user ID 231), and the user has user management authority. If the user ID is “authorized” in the user management authority presence / absence 233 of the user record 230 in which the received user ID is set to the user ID 231, the authentication is successful. Authentication failure occurs when any of these conditions is not satisfied. The user management program 11 transmits the processing result of “authentication success” or “authentication failure” to the user registration / change program 31 (step S750).

(3) Upon receiving the authentication result from the user management program 11, the user registration / change program 31 determines whether it is “authentication success” or “authentication failure”. A message indicating that the authentication has failed is displayed on the screen, and the operator of the client 3 is prompted to input a password correction (step S702).

  Note that the user authentication process such as the login screen display and the server authentication process described in the processes of steps S701, S750, and S702 described above is a process generally performed prior to the use of the program. Even in the first embodiment, not only the user management program 11 but also an access authority registration / change program 41, a content encryption program 42, a content reference program 43, and a contract management program 15 which will be described later are used. The user authentication process as described above is performed. As described above, when general processing is described in detail in each operation description, the description is too complicated. Therefore, in the following operation description, only the features of each user authentication process will be described.

(4) If it is determined in step S702 that “authentication is successful”, the user registration / change program 31 displays a user registration screen on the display device 36, and the user input by the operator of the client 3 The ID or the like is transmitted to the user management program 11 and waits until a processing result is received from the user management program 11 (not shown in FIG. 7) (step S703).

  FIG. 15 is a diagram illustrating an example of a user registration screen. Here, an example of the user registration screen displayed on the display device 36 in the process of step S703 will be described. The illustrated user registration screen D1500 includes a user ID input field, a password input field, a radio button for selecting whether the user has user management authority, and a radio for selecting whether the user has encryption authority. It has a button, an OK button, and a cancel button.

  The operator of the client 3 inputs the user ID and password of the user who wants to register in the user file 23 into each input field of the user registration screen D1500, and the own user has the user management authority and the encryption authority, respectively. Whether or not to have is selected by a radio button. When the OK button is clicked, the user registration / change program 31 transmits the input user ID, password, user management authority and encryption authority to the user management program 11. On the other hand, although not explicitly shown in FIG. 7, when the operator of the client 3 clicks the cancel button with a mouse or the like, the user registration / change program 31 ends the process.

(5) When the user management program 11 receives the user ID transmitted from the user registration / change program 31, the user management program 11 performs registration processing for the received user ID. Specifically, first, the received user ID, password, presence / absence of user management authority and encryption authority are checked (for example, the user record 230 in which the received user ID is set in the user ID 231). Is already in the user file 23, it is determined as an error). If the user management program 11 determines that the user ID is normal, the user ID 231, password 232, usage of the received user ID, password, user management authority presence / absence, and encryption authority presence / absence are respectively displayed. User management authority presence / absence 233 and encryption authority presence / absence 234 are set, and the user management record 230 is added to the user management file 23. The user management program 11 transmits the processing result of “error” or “normal” to the user registration / change program 31 (step S760).

  In the first embodiment of the present invention, the user management program 11 performs two processes, a user authentication process (process in step S750) and a registration process (process in step S760). As is well known, for example, a type is assigned to a message transmitted from the user registration / change program 31 (consisting of an input user ID or the like), and the user management program 11 sets the message type. Different processing can be executed according to the request. On the other hand, the user authentication process (the process of step S750) can be performed not by the user management program 11 but by a user authentication program (not shown). In the above description, the user management program 11 always waits for reception from the user registration / change program 31. For example, the WEB application receives a message from the user registration / change program 31. The user authentication program or the user management program 11 can be started by detecting the message type and determining the message type. Each of the above-described realization methods can be applied not only to the user management program 11 but also to an access authority management program 12 described later.

(6) Upon receiving the result of the registration process execution process from the user management program 11, the user registration / change program 31 determines whether “registration process has been successful” or “registration process has failed”. If so, terminate the process here, and if it is "registration process failure", prompt the operator of the client 3 for correction input by displaying a message indicating that registration failed on the user registration screen. The processing from step S703 is repeated (step S704).

  In the above description, the operation of the user registration / change program 31 or the like when registering a user has been described. In the first embodiment of the present invention, the user record 230 of the user file 23 is updated, deleted, or the like. By making it possible, the change of registered user information (for example, change of password), deletion of a user, and the like can be realized in the same manner. In this case, when authentication is successful (YES in step S702 of FIG. 7), although not shown, a menu screen for selecting one of user registration, user information change, or user deletion And the user registration / change program 31 or the like may execute the selected processes. Further, only the password may be changed by the user using another program not shown.

<Operation related to access authority registration / change>
FIG. 8 is a flowchart for explaining the access authority registration operation in the document management system according to the first embodiment of the present invention. Next, this will be explained.

  An operator (user) of the client 4 operates the input device 45 to start the access authority registration / change program 41.

(1) When the processing is started, the access authority registration / change program 41 displays a login screen (user authentication screen) on the display device 46 (not shown), and the user input by the operator of the client 4 The ID and password are transmitted to the access authority management program 12, and the process waits until an authentication success / failure is received from the access authority management program 12. The access authority management program 12 determines that the authentication is successful when the input user ID and password are registered in the user file 23 and the user has encryption authority. When receiving the “authentication success” from the access authority management program 12, the access authority registration / change program 41 displays an access authority registration screen on the display device 46 and accesses the access authority ID entered by the operator of the client 4. Although not shown in the figure, the process waits until a processing result is received from the access authority management program 12 (step S801).

  FIG. 16 is a diagram showing an example of the access authority registration screen. Here, an example of the access authority registration screen displayed on the display device 36 in the process of step S801 will be described. The illustrated access authority registration screen D1600 includes an access authority ID input field D1601, a key ID input field D1602, a user ID list display / selection field D1603, an OK button, and a cancel button. In the display / selection column D1603 of the user ID list, all user IDs registered in the user file 23 are scroll-displayed as necessary in pairs with the check button D1604.

  The operator of the client 4 selects the check button D1604 corresponding to the user ID of one or more users to be registered in the access authority file 23 by an operation such as clicking with the mouse (in the example shown in FIG. 16, usr2 And usr3 check button D1604 are selected), and an ID for uniquely identifying the access authority is entered in the access authority ID input field D1601 (for example, “usr2_20090728”). The user ID and the operation date may be combined), and the key ID 211 (for example, “key1”) of the key record 210 to be used as the encryption key / decryption key is input into the key ID input field D1602. In the present invention, in the above-described user registration / change, the user name, department, etc. can be set in the user record 230, and the user name, department, etc. are displayed in the user ID list display / selection column D1603. Etc. can also be displayed to facilitate the user's selection.

  When the OK button is clicked, the access authority registration / change program 41 transmits the input access authority ID, key ID, and user ID to the access authority management program 12. On the other hand, although not explicitly shown in FIG. 8, when the operator of the client 4 clicks the cancel button with a mouse or the like, the access authority registration / change program 41 ends the process.

(2) When the access authority management program 12 receives the access authority ID and the like transmitted from the access authority registration / change program 41, the access authority management program 12 performs a registration process for the received access authority ID and the like. Specifically, the access authority management program 12 first checks the received access authority ID, key ID, and user ID (for example, the access authority whose received access authority ID is set in the access authority ID 251). If the record 250 already exists, it is determined as an error). If it is determined that the access authority management program 12 is normal, the received access authority ID (“usr2_20090728” in the example shown in FIG. 16), the key ID (“key1” in the example shown in FIG. 16), and the user ID ( In the example shown in FIG. 16, “usr2” and “usr3”) are set in the access authority ID 251, key ID 252 and user ID 253 of the access authority record 250, respectively, and the access authority record 250 is added to the access authority file 25. . Thereafter, the access authority management program 12 transmits the processing result of “error” or “normal” to the access authority registration / change program 41 (step S860).

(3) When the access authority registration / change program 41 receives the result of the registration process execution process from the access authority management program 12, the access authority registration / change program 41 determines whether it is “registration process success” or “registration process failure”. If there is, the process ends here, and if it is “registration process failure”, a message indicating that the registration has failed is displayed on the access authority registration screen D1600, and the operator of the client 4 is prompted for correction input. Then, the processing from step S801 is repeated (step S802).

  The operation of the access authority registration / change program 41 and the like when registering access authority has been described above. However, the present invention changes the registered access authority (for example, changes of the user ID), deletes the access authority, and the like. The access authority record 250 can be updated, deleted, and the like can be realized in the same manner. In this case, although not shown in the figure, when authentication is successful, a menu screen for selecting one of access right registration, access right change or access right deletion is displayed, and the access right registration / change program 41 or the like is selected. What is necessary is just to perform each process performed.

<Operations related to content encryption>
FIG. 9 is a flowchart for explaining the content encryption operation in the document management system according to the first embodiment of the present invention. Next, this will be described.

  An operator (user) of the client 4 operates the input device 45 to activate the content encryption program 42.

(1) When the processing is started, the content encryption program 42 displays a login screen (user authentication screen) on the display device 46, although not shown, and the user ID input by the operator of the client 4 and The password is transmitted to the content management program 13 and waits until an authentication success / failure is received from the content management program 13. The content management program 13 determines that the authentication is successful when the input user ID and password are registered in the user file 23 and the user has the encryption authority. Upon receiving “authentication successful” from the content management program 13, the content encryption program 42 displays a menu screen on the display device 46 (step S901).

  FIG. 17 is a diagram showing an example of the menu screen. Here, an example of the menu screen displayed on the display device 46 in the process of step S901 will be described. In the illustrated menu screen D1700, radio buttons capable of selecting any one of “encryption”, “re-encryption”, and “revocation” are displayed, and an OK button and a cancel button are displayed.

  The operator of the client 4 selects a radio button corresponding to “encryption”, “re-encryption”, or “revocation” by an operation such as clicking with the mouse. In the example shown in FIG. 17, “encryption” is selected.

(2) When the OK button is clicked, the content encryption program 42 determines whether or not “encryption” of the content is specified by the radio button. If “encryption” is not specified, the content encryption program 42 Perform processing other than conversion. The processing other than encryption is content re-encryption processing and content revocation processing which will be described later with reference to FIGS. 11 and 12 (step S902).

  In the above description, although not explicitly shown in FIG. 9, when the operator of the client 4 clicks the cancel button with the mouse, the content encryption program 42 ends the processing here.

(3) If “encryption” is specified in the determination in step S902, the content encryption program 42 displays the content encryption screen on the display device 46 and the encryption input by the operator of the client 4 The target content is transmitted to the content management program 13. That is, the content encryption program 42 transmits the access authority ID and the encrypted content name input by the operator of the client 4 to the content management program 13 when an OK button on the content encryption screen described later is clicked. Then, the content encryption program 42 waits until it receives a processing result from the content management program 13 although not explicitly shown in FIG. Further, although not shown in FIG. 9, the content encryption program 42 ends the processing here when the operator of the client 4 clicks the cancel button with the mouse (step S903).

  FIG. 18 is a diagram showing an example of the content encryption screen. Here, an example of the content encryption screen displayed on the display device 46 in the process of step S903 will be described. In the illustrated content encryption screen D1800, input fields for content to be encrypted, encrypted content name, and access authority ID are displayed, and a reference button D1801 is displayed.

  The operator of the client 4 inputs a value capable of uniquely identifying the content to be encrypted (design drawing, budget material, etc.) in the entry field for the content to be encrypted. In the example shown in FIG. 18, “c: \ etc \ file1” (file1 of the etc folder in the c drive) and the absolute path of the content are input. However, the present invention is not limited to this example, and the value can uniquely identify the content. If it is. For example, when only a part of a spreadsheet is to be encrypted, in addition to the absolute path of the spreadsheet file, a matrix range to be encrypted may be specified. Also, instead of directly entering the input field of the content to be encrypted, clicking the browse button D1801 displays a tree structure diagram of drives, folders and files that can be referred to, and selects the file displayed in the structure diagram. Thus, the absolute path of the selected file may be input to the input field for the content to be encrypted.

  The operator of the client 4 inputs the name of the content (encrypted content) to be created by encrypting the content in the encrypted content name input field. In the example shown in FIG. 18, “encriptedfile1” and the file name are input. In this case, the encrypted content is stored in the folder entered in the input field of the content to be encrypted (in the example shown in FIG. 18, “c: \ etc ”) or a predetermined folder determined in advance. On the other hand, an absolute path may be input in the input field for the encrypted content name, or a folder to be stored may be specified after the encrypted content is created.

  The operator of the client 4 enters the access authority record 250 in which the key ID used for content encryption and the user ID that can refer to the encrypted content are set in the input field of the access authority ID. Enter the access authority ID 251. In the example illustrated in FIG. 18, “usr2_20090728” and the access authority ID exemplified in “Operation related to access authority registration / change” are input. For the access authority ID, a reference button is displayed, and when the reference button is clicked, the content encryption program 42 displays a list of access authorities so that the access authority can be selected from the list. Good.

(4) Upon receiving the access authority ID transmitted from the content encryption program 42, the content management program 13 performs encrypted content management processing. Specifically, first, the received access authority ID is checked and determined as an error (for example, if there is no access authority record 250 in which the received access authority ID is set to the access authority ID 251), Determination), and transmits the processing result of “error” to the content encryption program 42.

  On the other hand, if it is determined that the content management program 13 is normal, the content management program 13 generates a content ID (for example, a serial number starting from 1) that can uniquely identify the encrypted content, and then generates the generated content ID and the received encryption. The content name and access authority ID are set in the content ID 261, encrypted content name 262, and access authority ID 263 of the content management record 260, respectively, and the content management record 260 is added to the content management file 26. Then, the content management program 13 acquires the key ID 252 of the access authority record 250 in which the received access authority ID is set to the access authority ID 251, and the encryption key of the key record 210 in which the key ID 252 is set to the key ID 211. 212 is acquired, and the processing result of “normal”, the generated content ID, and the acquired encryption key 212 are transmitted to the content encryption program 42 (step S960).

(5) Upon receiving the content management processing execution result from the content management program 13, the content encryption program 42 determines whether the content management processing is normal or an error. A message indicating that the encryption has failed is displayed on the screen to prompt the operator of the client 4 to make a correction input, and the process returns to step 903 to repeat the process (step S904).

(6) If it is determined in step S904 that the content management process has been performed normally, the content encryption program 42 uses the received encryption key to enter the content input field for encryption on the content encryption screen D1800. Encrypt the content specified in. Then, the content encryption program 42 converts the received content ID, the user ID of the operator of the client 4 and the encrypted content into the content ID 491, the encrypted user ID 492 and the content content 494 of the encrypted content file 49, respectively. Then, the encrypted content file 49 is stored in the storage device 47. The access restriction 493 may be set to an initial value, that is, a value indicating that no restriction such as a reference period is applied. For example, the access restriction is designated by specifying the access restriction on the content encryption screen or the like. The content may be set (step S905).

  In the above description, when the specified content is encrypted, the original content may be simply encrypted. By doing so, the processing of the content encryption program 42 becomes relatively simple. However, in this case, in order to refer to the encrypted content, it is not sufficient to simply decrypt the encrypted content, but the original content file format (PDF (Portable Document Format), 3D CAD (Computer Aided) It is necessary to analyze and display content contents according to an XVL (eXtensible Virtual World Description Language) format (XVL is a registered trademark), a document file format, a table file format, etc. used in Design. For example, if the original content is a PDF file, the content must be displayed by analyzing what text, graphics, etc. are placed in which position in the document according to the file format of the PDF file. . As a result, the processing of the program that refers to the encrypted content becomes complicated, or each program that can process each file format must be modified so that the content can be decrypted.

  On the other hand, when the specified content is encrypted, the original content may be encrypted after being converted into a predetermined file format (for example, PDF). By doing so, the processing of the content encryption program 42 becomes relatively complicated, but the processing of the program that refers to the encrypted content can be simplified.

<Operation related to content reference>
FIG. 10 is a flowchart for explaining the content reference operation in the document management system according to the first embodiment of the present invention. Next, this will be described.

  An operator (user) of the client 4 operates the input device 45 to activate the content reference program 43. As described above, the content reference program 43 may have a function capable of analyzing various file formats, or may be a different program for each file format. The content reference program 43 may be started by double-clicking the program icon, or when the encrypted content 49 is double-clicked, the content reference program 43 corresponding to the file format of the encrypted content 49 is started. You can also make it.

(1) When the process is started, the content reference program 43 reads reference content (content to be decrypted). More specifically, when the content reference program 43 is activated by double-clicking on the encrypted content 49, the content reference program 43 reads the encrypted content 49. On the other hand, when activated by a method such as double-clicking the icon of the content reference program 43, a message prompting the user to specify reference content is displayed on the display device 46 (not shown), but the content specified by the operator of the client 4 Is read (step S1001).

(2) The content reference program 43 determines whether or not the read content is encrypted content (whether or not the content encryption program 42 is encrypted content). In order to make this determination, for example, the extension of the encrypted content 49 is set to a predetermined value (for example, “xvx”), and a value (for example, “ Various methods such as setting encrypted content ") may be used alone or in combination (step S1002).

(3) If the read content is not encrypted content in the determination in step S1002, the content reference program 43 analyzes the content content and displays it on the display device 46, and ends the processing here. (Step S1003).

(4) On the other hand, the content reference program 43 displays a login screen (user authentication screen) on the display device 46 (not shown) when the read content is an encrypted content in the determination in step S1002. Then, the operator of the client 4 is prompted to input the user ID and password. Then, the content reference program 43 transmits the content ID 491 and the input user ID and password to the access control program 14, and waits until the processing result from the access control program 14 can be received (step S1004).

(5) The access control program 14 determines that the authentication is successful when the user ID and password received from the content reference program 43 are registered in the user file 23, otherwise the authentication is failed. “Authentication success” or “authentication failure” is transmitted to the content reference program 43. When the authentication is successful, the access control program 14 checks the received content ID and determines that there is an error (for example, when there is no content management record 260 in which the received content ID is set to the content ID 261). ), The processing result of “error” is transmitted to the content reference program 43. When the access control program 14 determines that the content ID is normal, the access control program 14 acquires the access authority ID 263 of the content management record 260 in which the received content ID is set to the content ID 261, and the access authority ID 263 is the access authority. The access authority record 250 set in the ID 251 is acquired. If the received user ID is not set in the user ID 253 of the access authority record 250, the access control program 14 transmits the processing result of “error” to the content reference program 43. Further, when the received user ID is set in the user ID 253 of the access authority record 250, the access control program 14 acquires the key ID 252 of the access authority record 250, and the key ID 252 is set in the key ID 211. The decryption key 213 of the current key record 210 is acquired, and the “normal” processing result and the acquired decryption key 213 are transmitted to the content reference program 43 (step S1060).

(6) Upon receipt of the processing result from the access control program 14, the content reference program 43 determines whether the processing result is “normal” in which the operator of the client 4 has the authority to refer to the encrypted content 49. If “authentication failure” or “error” is received from the access control program 14, the process ends without decrypting the content content 494 of the encrypted content 49. Instead of terminating the process, for example, an error message may be displayed on the display device 46 to prompt the user to select another content (step S1005).

(7) The content reference program 43 determines that the operator of the client 4 has received “normal” having the authority to refer to the encrypted content 49 in step S1005. Since the user has the authority to refer to the encrypted content 49, the received decryption key is used to decrypt the content content 494 of the encrypted content 49, perform analysis according to the file format, and display it on the display device 46. To do. Even when it is determined that there is a reference authority, the content contents 494 may not be displayed because the referenceable period set in the access restriction 493 is exceeded. In addition, even when the content reference program 43 displays the content content 494, the content reference program 43 can also prohibit the operation by the operator of the client 4 by referring to the print permission / non-copy permission / inhibition set in the access restriction 493 ( Step S1006).

<Effects of basic functions of document management system>
The document management system described so far requires the basic functions of access control to encrypt files such as design drawings created by companies, etc., only by those who have encryption authority, and refer to the files. Only those who have the right to decrypt can be granted. Therefore, even when an encrypted file is transmitted to a user who does not have the decryption authority by mistake, the recipient cannot refer to the encrypted file, and information leakage can be prevented.

  Further, to whom the decryption authority is given can be changed for each encrypted file, the decryption authority can be given only to those who really need to refer to the encrypted file.

  Further, the document management system described above can refer to the encrypted file by a simple operation in which a person having decryption authority double-clicks the encrypted file and inputs a user ID and a password. In combination with, for example, single sign-on, it is possible to eliminate the need to input a user ID and a password when referring to the encrypted file. That is, in the document management system described above, a person having the decryption authority can refer to a file without even knowing that the file is encrypted.

  However, when multiple departments work together in one company, a list of users including other departments can be displayed, but the document files managed by one department can be displayed. In many cases, the department that manages the document file cannot determine who is referred to. In particular, when a plurality of companies use the content management server 1 jointly, the solution of this problem becomes more important. In such a case, the file re-encryption function described below can be used.

<Operations related to content re-encryption>
FIG. 11 is a flowchart for explaining the content re-encryption operation in the document management system according to the first embodiment of the present invention. Next, this will be described. Since the content re-encryption operation largely overlaps with the content encryption operation described above, starting with the display of the menu screen, the first embodiment of the present invention performs both content re-encryption and content encryption. It is assumed that the program 42 is operated. Therefore, in the following description, detailed description overlapping with content encryption is omitted. In addition, the content re-encryption operation has a part similar to the content reference such as processing related to reading of the encrypted content 49, and a detailed description overlapping with the content reference is also omitted. Note that a program different from the content encryption program 42 may perform content re-encryption.

  An operator (user) of the client 4 operates the input device 45 to activate the content encryption program 42.

(1) When the content encryption program 42 starts processing, although not shown, a login screen (user authentication screen) is displayed on the display device 46, and the user ID and password input by the operator of the client 4 are displayed. Is sent to the content management program 13 and waits until an authentication success / failure is received from the content management program 13. The content management program 13 determines that the authentication is successful when the input user ID and password are registered in the user file 23 and the user has the encryption authority. When receiving the “authentication success” from the content management program 13, the content encryption program 42 displays the menu screen as shown in FIG. 17 on the display device 46 (step S1101).

(2) The content encryption program 42 determines whether or not “re-encryption” of the content is designated when the operator (user) of the client 4 makes a necessary input from the menu screen and clicks the OK button. If “re-encryption” is not designated, processing other than re-encryption is performed. The processing other than re-encryption is content encryption processing described with reference to FIG. 9 and content revocation processing described later with reference to FIG. Although not explicitly shown in FIG. 11, when the operator of the client 4 clicks the cancel button on the menu screen with a mouse or the like, the content encryption program 42 ends the processing here (step S1102).

(3) If “re-encryption” is specified in the determination in step S1102, the content encryption program 42 displays the content re-encryption screen on the display device 46 and is input by the operator of the client 4 The content to be re-encrypted is transmitted to the content management program 13 and waits until it can receive the processing result from the content management program 13 although not explicitly shown in FIG. 11 (step S1103).

  FIG. 19 is a diagram showing an example of the content re-encryption screen. Here, an example of the content re-encryption screen displayed on the display device 46 in the process of step S1103 will be described. In the illustrated content re-encryption screen D1900, as with the content encryption screen D1800 described above, input fields for re-encryption target content, encrypted content name, and access authority ID are displayed. A content reference button, an OK button, and a cancel button are displayed.

  The operator of the client 4 can uniquely identify the encrypted content transmitted from other users in the input field for the content to be re-encrypted, and the content that needs to be referred to by the user such as his / her own department. Enter a correct value. In the example shown in FIG. 19, “c: \ etc \ encriptedfile1” and the other user “usr2” in the example shown in FIG. 18 encrypt it and send it to the operator of the client 4 (referred to as “usr3”). The absolute path of the content is entered.

  The operator of the client 4 inputs the name of the content (encrypted content) created by encrypting the content, such as “encriptedfile2”, in the encrypted content name input field. The operator of the client 4 has a key ID used for content encryption and a user ID that can refer to the encrypted content, such as “usr3_20090729”, set in the access authority ID input field. The access authority ID 251 of the access authority record 250 is entered.

  In step S1103, when the OK button on the content re-encryption screen is clicked, the content encryption program 42 reads the re-encryption content specified in the re-encryption target content input field and reads the read content. Is not encrypted content (if the content encryption program 42 is encrypted content), if it is not illustrated, an error message is displayed on the content re-encryption screen As a result, the operator of the client 4 is prompted for correction input.

  Also, the content encryption program 42 determines whether or not the encrypted user ID 492 of the encrypted content 49 matches the user ID of the operator of the client 4 when the read content is encrypted content. If they match, although not shown, an error message is displayed on the content re-encryption screen, and the operator of the client 4 is prompted to make corrections. Since the encrypted user ID 492 of the encrypted content 49 is set with the user ID of the user who performed the encryption, the fact that this matches the user ID of the operator of the client 4 is encrypted. The user who performed the encryption is trying to perform a seemingly meaningless operation of performing re-encryption, and the user who does not have the encryption authority may impersonate the user who has the encryption authority. There is. Therefore, as described above, such an operation is regarded as an error. If the operator of the client 4 is the user who actually encrypted the encrypted content 49, the content before encryption may be specified and content encryption may be performed.

  Next, the content encryption program 42 transmits to the content management program 13 the content ID 491 of the encrypted content 49 designated in the re-encryption content input field, the input access authority ID and the encrypted content name. Although not explicitly shown in FIG. 11, when the operator of the client 4 clicks the cancel button with a mouse or the like, the content encryption program 42 ends the process here (step S1103).

(4) Upon receiving the content ID or the like transmitted from the content encryption program 42, the content management program 13 performs reencrypted content management processing. Specifically, first, when the received content ID or the like is checked and determined as an error (for example, an error is determined when there is no content management record 260 in which the received content ID is set in the content ID 261). , The processing result of “error” is transmitted to the content encryption program 42. If the content management program 13 determines that the received content ID is normal, the content management program 13 generates a content ID that can uniquely identify the encrypted content, the generated content ID, the received encrypted content name, and the access The authority ID is set to the content ID 261, the encrypted content name 262, and the access authority ID 263 of the content management record 260, respectively, and the content management record 260 is added to the content management file 26. Then, the content management program 13 acquires the access authority ID 263 of the content management record 260 in which the received content ID is set to the content ID 261, and the access authority management record 250 in which the access authority ID 263 is set to the access authority ID 251. Key ID 252 is acquired, and the decryption key 213 of the key record 210 in which the acquired key ID 252 is set to the key ID 211 is acquired. Further, the content management program 13 acquires the key ID 252 of the access authority record 250 in which the received access authority ID is set to the access authority ID 251, and the encryption key of the key record 210 in which the key ID 252 is set to the key ID 211. 212 is acquired, and the “normal” processing result, the generated content ID, the acquired decryption key 213, and the acquired encryption key 212 are transmitted to the content encryption program 42 (step S1160).

(5) Upon receiving the result of the content management process from the content management program 13, the content encryption program 42 determines whether the result of the content management process is “success” or “error”, and the result of the content management process is “error” ”Is displayed, a message indicating that the encryption has failed is displayed on the content encryption screen, the operator of the client 4 is prompted for correction input, and the processing from step S1103 is repeated (step S1104).

(6) If it is determined in step S1104 that the result of the content management process from the content management program 13 is “normal”, the received re-encryption key is used to re-encrypt the content re-encryption screen D1900. The content specified in the content input field is decrypted, and the decrypted content is encrypted again using the received encryption key. Then, the received content ID, the user ID of the operator of the client 4 and the re-encrypted content are set in the content ID 491, the encrypted user ID 492, and the content content 494 of the encrypted content file 49, respectively. The file 49 is stored in the storage device 47. The access restriction 493 may be set to an initial value, that is, a value indicating that there is no restriction such as a reference period. For example, the access restriction is designated on the content encryption screen or the like, and the designated content May be set (step S1105).

<Effects of content re-encryption function>
By providing the content re-encryption function described above in the document management system, when multiple departments work together within a single company, the person in charge of each department is defined and the management responsibility As a person in charge of contact with other departments, each person can send and receive files from each department, and each person in charge of management can determine who in the department should refer to the received file.

  For example, in a certain department, when another department needs to refer to a file such as a design drawing created by the user a, the user a is the manager of the other department and has the encryption authority. Create an access authority record for the user who can refer to b, specify the access authority record, encrypt the design drawing file, and send the encrypted design drawing file to user b by e-mail or the like To do. If user b wants users c and d in his / her department to refer to the encrypted design drawing file, user b creates an access authority record that makes c and d referable, and You can specify the record and re-encrypt the design drawing file.

  As explained above, the authority to decrypt files such as design drawings created in a department should be given only to users who need to refer to that department, and to those responsible for trust in other departments. it can. Therefore, even if, for example, an encrypted file is sent to a person other than the person in charge of management in another department, the recipient cannot refer to the encrypted file and prevent information leakage. Can do. Also, the manager responsible for receiving the encrypted file can re-encrypt the received encrypted file and give the decryption authority only to users who need to refer to the re-encrypted file in their own department. Therefore, even if the manager responsible for receiving the encrypted file accidentally sends the encrypted file to a person who does not have the decryption authority, the recipient cannot refer to the encrypted file, preventing information leakage. can do.

  Furthermore, even if it is not possible for the department managing the file to determine who in the other department will refer to the design drawing file managed by a department, the file can be prevented while preventing information leakage. Can be referred to by users who need to refer to other departments. The same effect can be obtained even when a plurality of companies use the content management server 1 jointly.

  By the way, there is a case where it is desired to prohibit the reference of the encrypted file after the encrypted file is created and transmitted to other users. For example, if you accidentally encrypt a confidential document that should not be shown to other users and send it by mistake, or if you notice a design defect after encrypting and sending a file such as a design drawing, There are cases where it is difficult to refer to the file before modification because it has been modified. In such a case, it is possible to make it impossible to refer to the transmitted encrypted file by the revocation process described below.

<Operation related to content revocation>
FIG. 12 is a flowchart for explaining the content revocation operation in the document management system according to the first embodiment of the present invention. Next, this will be described. Since the content revocation operation is mostly the same as content encryption or content re-encryption, including the display of the menu screen, in the first embodiment of the present invention, the content revocation operation is also performed by the content encryption program 42. It is assumed that the operation is performed. Therefore, in the following description, detailed description overlapping with content encryption or content re-encryption is omitted. It should be noted that a program other than the content encryption program 42 may be used to invalidate the content.

  An operator (user) of the client 4 operates the input device 45 to activate the content encryption program 42.

(1) When the processing is started, the content encryption program 42 displays a login screen (user authentication screen) on the display device 46, although not shown, and the user ID input by the operator of the client 4 and The password is transmitted to the content management program 13 and waits until an authentication success / failure is received from the content management program 13. The content management program 13 determines that the authentication is successful when the input user ID and password are registered in the user file 23 and the user has the encryption authority. When the content encryption program 42 receives “successful authentication” from the content management program 13, the content encryption program 42 displays the menu screen as already described with reference to FIG. 17 on the display device 46 (step S 1201).

(2) In the case of the processing here, the operator (user) of the client 4 specifies “invalid” on the displayed menu screen, and then clicks the OK button. Accordingly, when the OK button is clicked, the content encryption program 42 determines whether or not “revocation” of the content is designated, and if “revocation” is not designated, processing other than revocation is performed. Note that the processing other than revocation is the content encryption and content re-encryption processing already described with reference to FIGS. 9 and 11. Although not explicitly shown in FIG. 12, when the operator of the client 4 clicks the cancel button with a mouse or the like, the content encryption program 42 ends the process (step S1202).

(3) If “revocation” is specified in the determination in step S1202, the content encryption program 42 displays a content revocation screen on the display device 46, and the revocation target content input by the operator of the client 4 or the like. Is sent to the content management program 13 and is not explicitly shown in the figure, but waits until the processing result from the content management program 13 can be received (step S1203).

  FIG. 20 is a diagram illustrating an example of a content revocation screen. Here, an example of a content revocation screen displayed on the display device 46 in the process of step S1203 will be described. The illustrated content revocation screen D2000 is configured to display an input field for content to be revoked, a revocation target content reference button, an OK button, and a cancel button.

  The operator of the client 4 inputs a value that can uniquely identify the content that the user wants to prohibit other users from referring to in the revocation target content input field of the content revocation screen D2000. In the example shown in FIG. 20, “c: \ etc \ encriptedfile1” and the absolute path of the content encrypted in the example described with reference to FIG. 18 and transmitted to other users are input.

  As the processing subsequent to step S1203, the content encryption program 42, when the operator of the client 4 inputs in the input field of the revocation target content on the content revocation screen D2000 and then clicks the OK button, The revocation target content specified in the input field is read, and it is determined whether the read content is encrypted content (whether the content encryption program 42 is encrypted content), which is not shown. However, if the content is not encrypted content, an error message is displayed on the content re-encryption screen to prompt the operator of the client 4 to make a correction input.

  Also, the content encryption program 42 determines whether or not the encrypted user ID 492 of the encrypted content 49 matches the user ID of the operator of the client 4 when the read content is encrypted content. If the contents do not match, it is attempted to prevent other users from referring to the encrypted content, etc., so although not shown, an error message is displayed on the content revocation screen and the client 4 is urged to input corrections. In addition, the content encryption program 42 transmits the content ID 491 of the encrypted content 49 specified in the entry field of the revocation target content to the content management program 13. Although not explicitly shown in FIG. 12, when the operator of the client 4 clicks the cancel button with a mouse or the like, the content encryption program 42 ends the processing here (step S1203).

(4) When the content management program 13 receives the content ID transmitted from the content encryption program 42, the content management program 13 performs the invalid content management process and transmits the result of the invalid content management process to the content encryption program 42. Specifically, first, when the received content ID or the like is checked and determined as an error (for example, when there is no content management record 260 in which the received content ID is set in the content ID 261, it is determined as an error). , The processing result of “error” is transmitted to the content encryption program 42. Also, the content management program 13 checks the received content ID and the like, and if it is determined to be normal, the content management program 260 deletes the content management record 260 in which the received content ID is set to the content ID 261. If the content management record 260 is deleted, an error will occur even if the encrypted content is referred to. Therefore, other users may be prohibited from referring to the encrypted content thereafter. it can.

  In the above description, instead of deleting the content management record 260, for example, a “revocation flag” may be provided as a data item of the content management record 260. When the content management record 260 is created, the revocation flag is set to “off”, and the revocation flag is set to “on” during the above revocation processing. On the other hand, in the content reference processing, the access restriction program 14 sets the value of the revocation flag. In the same manner, it is possible to prohibit the reference of the expired encrypted content and the like by prohibiting the reference when it is “ON”. By doing so, it is also possible to provide a process of canceling the revocation process (a process of returning the revocation flag set to “ON” to “OFF”). When the above-described processing is completed, the content management program 13 transmits a “normal” processing result to the content encryption program 42 (step S1260).

(5) Upon receiving the result of the content management process from the content management program 13, the content encryption program 42 determines whether the result of the content management process is “success” or “error”, and the result of the content management process is “normal”. If the result is “error”, the message indicating that the encryption has failed is displayed on the content encryption screen, and the operation of the client 4 is performed. The user is prompted to make corrections and the like, and the processing from step S1203 is repeated (step S1204).

  In the above description, the expired encrypted content 49 becomes unnecessary content that cannot be referred to by anyone, so the content encryption program 42 may delete it. However, as described above, in the case where a “revocation flag” is provided as a data item of the content management record 260 and a process for canceling the revocation process is provided, it is left without being deleted, and whether or not to delete is determined by the operation of the client 4. It is better to leave it to the person who is.

<Effects of content revocation function>
By providing the document management system with the content revocation function described above, it is possible to prohibit reference to the encrypted file after the encrypted file is created and transmitted to other users. The same applies to re-encrypted files.

  However, if the encrypted file is sent to the manager of another department, for example, and the manager of the other department re-encrypts the above-mentioned encrypted file so that it can be referenced by the user of the own department, the original encryption Even if the user who created the encrypted file invalidates the encrypted file, it is not possible to prohibit reference to the re-encrypted file. In such a case, as will be described below, if the document management system according to the first embodiment of the present invention is slightly changed, the original encrypted file is revoked, thereby re-encrypting the file. Can also be banned.

  FIG. 13 is a diagram showing a data configuration of the content management file 26 according to the first embodiment of the present invention, in which the re-encrypted file can be prohibited from being referenced by revoking the original encrypted file. It is. The data configuration of the content management file 26 shown in FIG. 13 is configured by adding an original content ID 264 to the data items of the content management record 260 described with reference to FIG.

  The original content ID 264 is set with an initial value (indicating that the original content does not exist) in the encrypted content management processing (the processing in step S960 described with reference to FIG. 9), and the re-encrypted content management processing (FIG. 11), the content ID of the content to be re-encrypted is set. In the access authority check process at the time of content reference (the process of step S1060 described with reference to FIG. 10), when a reference to content whose original content ID 264 is not an initial value is requested, a content record 260 whose original content ID 264 is an initial value is requested. The content management records 260 in which the original content ID 264 is set to the content ID 261 are referred to one after another. If the content record 260 does not exist in the middle of this process, or if the revocation flag is “ON”, it is assumed that all the content re-encrypted based on the content has been revoked and the content is referred to. Etc. can be prohibited.

<Document Management System According to Second Embodiment>
In the first embodiment of the present invention described above, the case where one company uses the content management server 1 or the case where one company group jointly uses the content management server 1 has been described as an example. . Technically, the document management system according to the first embodiment of the present invention can be used even when a plurality of companies that do not have a capital tie-up relationship use the content management server 1 jointly. If the first embodiment is used as it is, there are operational inconveniences such as it is possible to refer to a user list of another company. In particular, when a service provider installs and operates the content management server 1 and intends to provide content management services to a plurality of companies that are not related to each other, information related to each company is not visible to other companies. There is a need.

  Hereinafter, a document management system according to the second embodiment of the present invention having such a function will be described.

<Overall Configuration and Function of Document Management System According to Second Embodiment of Present Invention>
FIG. 21 is a block diagram showing a configuration of a document management system according to the second embodiment of the present invention.

  As shown in FIG. 21, the document management system according to the second embodiment of the present invention is a content management server 1, a client 3a, a client 3b, and a client 4a as in the document management system according to the first embodiment. Are connected to each other via a wired or wireless communication line.

  In the second embodiment, the service provider installs and operates the content management server 1, the two companies A and B use the content management server 1, and the client 3a is installed inside the company A. And 4a, assume that the client 3b and the client 4b (not shown) are installed inside the company B. The client 3a and the client 3b correspond to the client 3 of the first embodiment, and the client 4a and the client 4b correspond to the client 4 of the second embodiment. In the following description, the client 3a and the client 3b are both referred to as the client 3 and the client 4a and the client 4b are both referred to as the client 4 unless there is a particular need for distinction.

  In the second embodiment of the present invention shown in FIG. 21, each device is illustrated one by one as in the first embodiment, but there may be two or more each. In addition, it is not necessary for each device to exist one by one. For example, the client 3 and the client 4 may be configured to have both functions. With such a configuration, in the second embodiment of the present invention, as in the first embodiment, the client 3 can manage the users who may refer to the content subject to access restriction. It is possible to register with the server 1. In addition, the client 4 can use the function of the content management server 1 to encrypt the content stored in the client 4 and restrict access. Furthermore, the client 4 can also decrypt and refer to the encrypted content.

<Configuration and Function of Each Unit of Document Management System According to Second Embodiment>
Hereinafter, the configurations and functions of the content management server 1, the client 3, and the client 4 will be described by focusing on the configurations and functions different from those of the first embodiment.

<Configuration and Function of Content Management Server 1 of Second Embodiment>
In addition to the program in the first embodiment, the contract management program 15 is loaded in the main storage device of the content management server 1. In addition, the content management server 1 includes an input device 16 including a keyboard and a mouse, and a liquid crystal display so that an operator of the content management server 1 can use the contract management program 15 to check the processing result. A display device 17 including a display, a printer, and the like is connected to be communicable. Further, the storage device 2 connected to the content management server 1 stores a contract file 22 in addition to the files in the first embodiment. Hereinafter, the purpose of the contract file 22, the stored contents, etc. will be described with reference to the functions of the contract management program 15.

  The contract file 22 is a file for managing companies that use the content management server 1 (company A and company B in the above example). The number of users of the content management server 1 in each company, each company, etc. This file stores the name, address, etc. A service provider that installs and operates the content management server 1 can calculate a usage fee based on the number of users of the contract file 22, and can charge each company for payment of the usage fee. The contract file 22 is created by the operator of the content management server 1 using the contract management program 15 and updated as necessary.

  Although not shown, in addition to the content management server 1 in the service provider, a client PC is also installed, and the input device 16 and the display device 17 are connected to the above-described client PC. It is also possible for a person to create / update the contract file 22 using the contract management program 15.

<Configuration and Function of Client 3 and Client 4 in Second Embodiment>
The configurations and functions of the client 3 and the client 4 in the second embodiment of the present invention are not particularly different from those in the first embodiment. Although the content reference program 43 is not described in the client 4 in FIG. 21, the function of the content reference program 43 is the same as that of the first embodiment, and in the following description, it is necessary to particularly explain the function of the program. Since it is not, description is only omitted.

<Data structure of each file in the second embodiment>
Hereinafter, the data structure of each file in the second embodiment will be described by focusing on data items different from those in the first embodiment. The data structures of the key file 21, the access restriction file 25, and the content management file 26 are the same as those in the first embodiment.

  FIG. 22 is a diagram showing a data structure of the contract file 22 in the second embodiment of the present invention.

  As described above, the contract file 22 is a file for managing companies and the like that use the content management server 1, and stores one or more contract records 220.

  The contract record 220 includes a contract ID 221, a password 222, a contract user number 223, a contractor name / address, and the like 224.

  The contract ID 221 includes an ID that can uniquely identify the contract between the service provider and each company regarding the service provided by the service provider that each company uses the content management server 1 via a communication line. Is set. Company A enters into two service use contracts with each employee of department A1 and department A2 as service users, and company B uses one service with its employees as service users regardless of department. When a contract is concluded, there are three contract records 220 with different contract IDs 221.

  The password 222 is a password for authentication when a company or a department related to a service contract registers a service target user in the user file 23. That is, in the first embodiment described above, at least one user having user management authority is registered in the user file 23 without using the user registration / change program 31 before the service use is started. Although it is necessary, in the second embodiment, as will be described later, the service contract company or the service contract department uses the contract ID 221 and the password 222 after starting the service use and has at least one user management authority. Can be registered in the user file 23.

  In the number of contract users 223, the maximum number of users who can use the service in the company or department involved in the service contract is set. As will be described later, when the number of registered users of the company or department involved in the service contract has reached the number of contract users 223, no more users can be registered.

  In the contractor name / address etc. 224, the name, address, invoice destination name, contact telephone number, etc. of the company or department involved in the service contract are set.

  FIG. 23 is a diagram showing a data structure of the user file 23 in the second embodiment of the present invention.

  As in the case of the first embodiment, the user file 23 stores one or more user records 230, and includes a user ID 231, a password 232, a user management authority presence / absence 233, and an encryption authority presence / absence 234. Although the setting contents are the same as those in the first embodiment, the second embodiment further includes a contract ID 235 as a data item.

  In the contract ID 235, a value indicating which contract the user uses the service is set. For example, if company A has signed a contract with a service provider and the contract ID 221 of the contract record related to this contract is “CompanyA_01”, the contract ID 235 of the user record 230 related to the employee of company A contains “CompanyA_01”. ”Is set.

  The user ID 231 must be set to a value that can uniquely identify all users of the company A, the company B, etc. Therefore, in order to avoid duplication of user IDs between companies, for example, The user ID 231 is a character string that conforms to a predetermined rule, such as a character string that starts with a contract ID related to the user, and whether the user ID entered at the time of user registration complies with the predetermined rule. It is necessary to perform error checking using the user management program 11 or the like. However, this makes the user ID long and inconvenient to use. Therefore, when the user management program 11 or the like is realized by the WEB application as described above, domain names corresponding to the company A, the company B, etc. are set in the contract record 220, and each file except the contract file 22 is stored. Divide the space into domains.

<Operation of Document Management System According to Second Embodiment>
The description of the configuration and function of the document management system according to the second embodiment has been completed so far, and the operation of the document management system according to the second embodiment will be described below with reference to an operation flowchart related to service use. explain. Except for the contract management program 15, the operation of each program is almost the same as that of the first embodiment, and therefore, the difference from the first embodiment will be mainly described.

  FIG. 24 is a flowchart for explaining the outline of the processing operation in the document management system according to the second embodiment of the present invention. Next, this will be described.

(1) First, the company A concludes a service contract with the service provider to use the content management server 1 via a communication line (step S2401).

(2) The service provider determines a contract ID based on the contract concluded in step S2401, and creates a contract record 220 related to the contract with the company A using the contract management program 15 (step S2402).

  Here, details of the process of creating the contract record 220 will be described with reference to FIGS.

  FIG. 25 is a flowchart for explaining the operation of the contract management program 15 creating the contract record 220 in the document management system according to the second embodiment of the present invention, and FIG. 26 is a contract when the contract management program 15 creates the contract record 220. It is a figure which shows the example of a screen.

  (2-1) The operator of the content management server 1 operates the input device 16 to activate the contract management program 15. When the contract management program 15 is activated and starts processing, a contract screen D2600 as shown in FIG. 26 is displayed on the display device 17 until the OK button or the cancel button is clicked although not shown in the figure. Wait (step S2501).

  As illustrated in FIG. 26, the contract screen D2600 includes input fields for a contract ID, a password, the number of contract users, a contractor name, and a contractor address, an OK button, and a cancel button. . Using the contract screen D2600, the operator of the content management server 1 uses a contract ID (for example, “CompanyA_01”), a password (for example, “passwd”) to be registered in the contract file 22, and the number of contract users (for example, “20”). ), The contractor name (for example, “Company A”), and the contractor address (for example, “Yokohama City, Kanagawa Prefecture”) are entered in each input field.

  (2-2) When the OK button is clicked, the contract management program 15 performs an error check on the input contract ID and the like. If there is an error, the contract management program 15 displays an error message on the contract screen, etc. The operator of the management server 1 is prompted for correction input and the processing from step S2501 is repeated. In this error check, for example, when there is already a contract record 220 in which the input contract ID is set to the contract ID 221, an error is determined. Although not explicitly shown in FIG. 25, when the operator of the content management server 1 clicks the cancel button with a mouse or the like, the contract management program 15 ends the process (step S2502).

  (2-3) If no error is detected in the error check process in step S2502, the contract management program 15 determines that the error is normal, and the contract management program 15 determines that the error is normal. The number, the contractor name, and the contractor address are set in the contract ID 221, password 222, contract user number 223, contractor name / address, etc. 224 of the contract record 220, respectively, and the contract record 220 is added to the contract file 22. The process here ends (step S2503).

  In the above description, the operation of the contract management program 15 when registering a contract ID or the like has been described. However, by enabling the contract record 220 to be updated, deleted, etc., the registered contract information can be changed (for example, the number of contract users). Change), deletion of contract information, and the like can be realized in the same manner. In this case, after starting the contract management program 15, before the processing of step S2501, a menu screen for selecting either contract, contract change or contract deletion is displayed, but the contract management program 15 What is necessary is just to perform each selected process. Further, only the password may be changed by the contracting company itself by operating the client 3 using another program (not shown).

(3) Returning to the reference in FIG. 24, after creating the contract record 220, the service provider notifies the contract person in charge of the company A that the service is ready to be used. Then, the contract person in charge of the company A determines at least one user having the user management authority and creates the user record 230 of the user (step S2403).

  The user record 230 is created by the user registration / change program 31 by a process similar to the process already described with reference to FIG. Hereinafter, with reference to FIG. 7, the operation of creating the user record 230 will be described focusing on processing different from the processing already described.

  (3-1) An operator of the client 3 (such as a contract person in charge of the company A) operates the input device 35 to start the user registration / change program 31. When the user registration / change program 31 is activated and starts processing, a login screen (user authentication screen) is displayed on the display device 36, and a contract ID (user ID) input by the operator of the client 3 and The password is transmitted to the user management program 11 and waits until an authentication success / failure is received from the user management program 11 although not shown in the figure. The login screen (user authentication screen) in this case may be the same as that illustrated in FIG. However, the contract ID of the company A is input in the user ID input field D1401.

  When the operator of the client 3 clicks the OK button D1403 with a mouse or the like, the user registration / change program 31 transmits the input user ID and password to the user management program 11. On the other hand, although not explicitly shown in FIG. 7, when the operator of the client 3 clicks the cancel button D1404 with a mouse or the like, the user registration / change program 31 ends the process (step S701).

  (3-2) Upon receiving the user ID and password transmitted from the user registration / change program 31, the user management program 11 authenticates the received user ID. Specifically, the received user ID is registered in the contract file 22 (whether there is a contract record 220 in which the received user ID is set in the contract ID 221), and the received password is that of the contractor. (The received user ID is the same as the password 222 of the contract record 220 in which the received user ID is set in the contract ID 221), or the received user ID is registered in the user file 23. If the received password is that of the user and the user has user management authority, the authentication is successful, and if any of the above conditions is not satisfied, the authentication is failed. To do. The user management program 11 transmits the processing result of “authentication success” or “authentication failure” to the user registration / change program 31. In the case of “successful authentication”, the contract ID related to the operator of the client 3 (contract ID 221 if the operator is authenticated by the contract record 220, contract ID 235 if the operator is authenticated by the user record 220) is also the user. This is transmitted to the registration / change program 31 (step S750).

  As described above, when the combination of the user ID and the password is registered in the contract record 220 or the user record 230, if the authentication is successful, the same value as the contract ID is assigned as the user ID. Inconveniences such as a user having no user management authority being able to register as a user will occur. In order to avoid such an inconvenience, for example, the contract ID is a character string in accordance with a predetermined rule such as a character starting with “contract”, and the contract management program 15 adds the above-mentioned predetermined ID to the contract ID on the contract screen. If a character string that does not comply with the rules is input, an error occurs. On the other hand, when the user registration / change program 31 inputs a character string that conforms to the above-mentioned predetermined rules to the user ID on the user registration screen. It may be an error.

  (3-3) Upon receiving the authentication result from the user management program 11, the user registration / change program 31 determines whether “authentication success” or “authentication failure”. By displaying a message indicating that the authentication has failed on the login screen, the operator of the client 3 is prompted to input a password correction (step S702).

  (3-4) If “authentication success” is determined in step S702, the user registration / change program 31 performs user registration, user information change, or user deletion on the display device 36, although not shown. A menu screen for selecting one is displayed, and each selected process is executed. That is, when user registration is selected on the menu screen, the user registration / change program 31 displays the user registration screen on the display device 36 and uses the user ID and the like input by the operator of the client 3. Although not shown in the figure, the process waits until a processing result is received from the user management program 11.

  The user registration screen in the above-described process may be the same as that shown in FIG. The operator of the client 3 inputs the user ID and password of the user who wants to register in the user file 23 in each input field, and determines whether the user has user management authority and encryption authority. Select with the button. When the OK button is clicked, the user registration / change program 31 manages the entered user ID, password, user management authority, encryption authority, and contract ID related to the client 3 operator. Send to program 11. On the other hand, although not explicitly shown in FIG. 7, when the operator of the client 3 clicks the cancel button with a mouse or the like, the user registration / change program 31 ends the process (step S703).

  (3-5) Upon receiving the user ID transmitted from the user registration / change program 31, the user management program 11 performs a registration process for the received user ID. Specifically, first, the received user ID, password, presence / absence of user management authority, presence / absence of encryption authority, and contract ID are checked. If it is determined that the check is normal, the user management program 11 uses the received user ID, password, user management authority presence / absence, encryption authority presence / absence, and contract ID for each user of the user management record 230. The ID 231, password 232, user management authority presence / absence 233, encryption authority presence / absence 234, and contract ID 235 are set, and the user management record 230 is added to the user management file 23. The user management program 11 transmits the processing result of “error” or “normal” to the user registration / change program 31 (step S760).

  (3-6) Upon receiving the result of the registration process execution process from the user management program 11, the user registration / change program 31 determines whether it is “normal (registration process success)” or “error (registration process failure)”. If it is “normal”, the processing is terminated here. If it is “error”, a message indicating that the registration has failed is displayed on the user registration screen. A correction input is prompted and the processing from step S703 is repeated (step S704).

(4) Returning to the reference in FIG. 24, the contract person in charge of the company A registers the user having the user management authority in the user file 23 as described above, and then the registered user management authority. A user who has another company A registers a user of another company A in the user file 23, and a registered user who has encryption authority creates access authority. Specifically, as described with reference to FIG. 8, the access authority record 250 in which the user ID of the user of the company A who wants to refer to the encrypted content is created.

  In the second embodiment of the present invention, all users registered in the user file 23 in the display / selection column (D1603) of the user ID list on the access authority registration screen (D1600 in FIG. 16). Instead of displaying the ID, the contract ID 235 of the user record 230 related to the operator of the client 4 is referred to and only the user ID 231 in which the same value is set in the contract ID 235 may be displayed. By doing in this way, the user who has the user management authority of the company A can refer to only the user of the company A and register it in the access authority file 25 (steps S2404 and S2405).

(5) The user who has the encryption authority encrypts the content as in the case of the first embodiment, and creates the encrypted content 49. In the second embodiment of the present invention, the content management program 13 uses the access authority ID received from the content encryption program 42 (that is, the access authority input by the user having the encryption authority when registering the access authority). Checks whether it can be used for the encryption. Specifically, referring to the user ID 253 of the access authority record 250 in which the received access authority ID is set to the access authority ID 251, the value set to the contract ID 235 of the user record 230 is the encryption authority. It can be used when it is the same as the contract ID 235 of the user who has the password, and cannot be used when it is different. Similarly, in content re-encryption, it is determined whether the contract ID of the user having the encryption authority matches the contract ID related to the access authority ID designated by the user. In this way, only the access authority ID 251 of the access authority record 250 created by the user of the company A can be input to the access authority ID such as the content encryption screen (D1800 in FIG. 18). The encrypted content created by the user of company A is not referred to by users other than company A (step S2406).

(6) The user of the company A registered in the user record 230 and the access authority record 250 refers to the encrypted content as in the case of the first embodiment of the present invention (step S2407).

<Effects of Document Management System According to Second Embodiment>
As described above, the document management system according to the second embodiment of the present invention determines the contract ID of the operator (user) in each process, thereby enabling the user records 230 of other companies and other departments, The access authority record 250 cannot be referred to or used. That is, it is possible to refer to the encrypted content only between users having the same contract ID. Therefore, even when a plurality of companies and departments receive services provided by the same content management server 1 as in the second embodiment, information related to each company and department is hidden from other companies and departments. Information leakage can be prevented.

<Document Management System According to Third Embodiment>
In general, there is a case where content encrypted by a certain company or department is desired to be referred to by another company or department. As a method for this, re-encryption of content has already been described. However, if it is possible to refer to encrypted content only between users having the same contract ID as in the second embodiment, there is a risk of information leakage. However, content encrypted by a certain company or department cannot be referred to by users of other companies or departments with different contract IDs.

  Therefore, basically, it is necessary to be able to refer to the encrypted content only between users with the same contract ID, and to allow the users with different contract IDs to refer to the encrypted content. is there.

  Hereinafter, a third embodiment of the document management system having a function of allowing users having different contract IDs to refer to the encrypted content will be described.

<Overall Configuration and Function of Document Management System According to Third Embodiment>
FIG. 27 is a block diagram showing a configuration of a document management system according to the third embodiment of the present invention.

  As shown in FIG. 27, the document management system according to the third embodiment of the present invention is a content management server 1, a client 3a, a client 3b, and a client 4a as in the document management system according to the second embodiment. Are connected to each other via a wired or wireless communication line.

  Also in the third embodiment, as in the second embodiment, the service provider installs and operates the content management server 1, and two companies A and B use the content management server 1. Assume that the clients 3a and 4a are installed inside the company A, the client 3b and the client 4b (not shown) are installed inside the company B. The client 3a and the client 3b correspond to the client 3 in the first embodiment, and the client 4a and the client 4b correspond to the client 4 in the first embodiment. In the following description, both the client 3a and the client 3b will be referred to as the client 3 and the client 4a and the client 4b will be referred to as the client 4 unless there is a particular division.

  Note that the third embodiment of the present invention shown in FIG. 27 is illustrated as being configured to include one device as in the first embodiment, but there are two or more each. Also good. In addition, it is not necessary for each apparatus to exist one by one. For example, the client 3 and the client 4 may be configured to have both functions.

  With this configuration, in the third embodiment of the present invention, as in the first and second embodiments, the client 3 may refer to the content subject to access restriction. Can be registered in the content management server 1. Further, the client 4 can use the function of the content management server 1 to encrypt the content stored in the client 4 and restrict access. Furthermore, the client 4 can also decrypt and refer to the encrypted content.

<Configuration and Function of Each Unit of Document Management System According to Third Embodiment>
Hereinafter, the configurations and functions of the content management server 1, the client 3, and the client 4 will be described by focusing on the configurations and functions different from those of the second embodiment.

<Configuration and Function of Content Management Server 1 in Third Embodiment>
The program loaded in the main storage device of the content management server 1 is the same as that in the second embodiment, but some functions are different as will be described later. Further, the storage device 2 stores a contact person file 24 in addition to the files in the second embodiment. Hereinafter, the purpose and stored contents of the contact person file 24 will be described while referring to the functions of the user management program 11.

  The contact person file 24 receives content encrypted by other companies or departments at each company or department that uses the content management server 1, and the users in the company or department refer to the contents. It is a file that registers special users so that they can. For example, when a company A places an order for a part of equipment design with another company B, both the company A and the company B conclude a service use contract with the service provider related to the content management server 1, and the contract person in charge of the company B Determines a contact person for the service contract between the company B and the service provider, and registers the contact person in the contact person file 24 by the user management program 11 or the like. The user of company A may grant the authority to refer to the encrypted content to the person in charge of the company B in addition to the user of company A regarding the service contract between company A and the service provider. it can. Then, the person in charge of the company B can re-encrypt the received encrypted content and refer to the user of the company B. In this way, the user of the company A can refer to the encrypted content to a necessary person without knowing the user of the company B other than the person in charge of the window.

  In addition, when company A orders a plurality of different device designs from company B, it is possible to conclude a service use contract with the service provider for each device design so that the contract ID and contact person are different. It is possible to use the same service contract for any device design, and the same person in charge can be made the same.

<Configurations and Functions of Client 3 and Client 4 in the Third Embodiment>
The configurations and functions of the client 3 and the client 4 in the third embodiment are not particularly different from those in the second embodiment. In FIG. 27, the content reference program 43 is not described in the client 4, but the function of the content reference program 43 is the same as that in the first embodiment and the second embodiment. Then, since the function of the program is not particularly explained, the description is merely omitted.

<Data structure of each file in the third embodiment>
Hereinafter, the data structure of each file in the third embodiment will be described by focusing on data items different from those in the second embodiment. The data structures of the key file 21, the access restriction file 25, and the content management file 26 are the same as those in the second embodiment.

  FIG. 28 is a diagram showing a data structure of the window person in charge file 24 in the third embodiment of the present invention.

  As described above, the contact person file 24 is a window person who receives encrypted contents from other companies and re-encrypts them at a company or the like using the content management server 1 and refers to the users of the company or the like. It is a file to register. One contact person record 240 exists for each contract ID, or there is no record for the contract ID.

  The contact person record 240 includes a user ID 241, a contract ID 242, and an approval / non-approval 243.

  The user ID 241 is set to the same value as the user ID 231 of the user record 230 of the contact person in charge.

  The contract ID 242 is set with a contract ID of a company or the like that creates encrypted content and permits the person in charge to refer to the encrypted content.

  The approval / non-approval 243 indicates that a company or the like that allows the contact person in charge to refer to the encrypted content has approved the contact person (“approved”) or has not been approved. The indicated value (“Unapproved”) is set.

<Operation of Document Management System According to Third Embodiment>
This is the end of the description of the configuration and functions of the document management system according to the third embodiment. Next, the operation processing operations related to the use of services in the document management system according to the third embodiment will be described. Note that the operation of each program is almost the same as that in the second embodiment, and therefore, differences from the second embodiment will be mainly described.

  FIG. 29 is a flowchart for explaining an operation processing operation related to the use of a service in the document management system according to the third embodiment of the present invention. Next, this will be described.

(1) First, the company A concludes a service contract (hereinafter referred to as “contract A”) for using the content management server 1 via the communication line with the service provider (step S2901).

(2) The service provider determines a contract ID based on this contract, and creates a contract record 220 related to the contract with the company A as described in the second embodiment (step S2902).

(3) After creating the contract record 220, the service provider notifies the contract person in charge of Company A that the service is ready to be used. Then, the contract person in charge of the company A determines at least one user having the user management authority, and creates the user record 230 of the user as described in the second embodiment ( Step S2903).

(4) After the person in charge of contract of the company A registers a user having user management authority in the user file 23, a user having the user management authority uses another user of the company A Registered in the operator file 23 (S2904).

(5) Here, it is assumed that company A decides to entrust part of the design work etc. to company B, and the user of company A needs to reference the encrypted content to the user of company B. . In that case, the company B also concludes a service contract (hereinafter referred to as “contract B”) for using the content management server 1 via the communication line with the service provider (steps S2905 and S2906). .

(6) The service provider determines a contract ID based on this contract, and creates a contract record 220 related to the contract with the company B as described in the second embodiment (step S2907).

(7) After creating the contract record 220, the service provider notifies the contract person in charge of the company B that the service is ready to be used. Then, the contract person in charge of the company B determines at least one user having the user management authority, and creates the user record 230 of the user as described in the second embodiment (step S2908).

(8) After the person in charge of contract of company B registers a user having user management authority in the user file 23, a user having the user management authority uses another user of company B Registered in the operator file 23 (step S2909).

(9) Further, the contract person in charge of the company B or the user having the user management authority determines the contact person in charge of the company B for the contract A, creates the contact person record 240, and the contact person record 240 is registered in the contact person file 24. The contact person record 240 is created by the user registration / change program 31 (step S2910).

  FIG. 30 is a flowchart for explaining the operation of the contact person registration in the third embodiment. Here, the operation of the contact person registration will be described. Since the contact person registration operation overlaps with the user registration operation described with reference to FIG. 7, the following description focuses on operations different from user registration.

  (9-1) An operator of the client 3 (a contract person in charge of the company B or a user having user management authority) operates the input device 35 to start the user registration / change program 31. When activated, the user registration / change program 31 starts processing. Although not shown, the user registration / change program 31 displays a login screen (user authentication screen) on the display device 36 and uses the input entered by the operator of the client 3. The user ID (contract ID of the contract B or the user ID of the user having the user management authority) and the password are transmitted to the user management program 11, and the process waits until an authentication success / failure is received from the user management program 11. The login screen (user authentication screen) in this case is the same as that shown in FIG. When the operator of the client 3 inputs the user ID and password on the login screen D1400 and clicks the OK button D1403 with a mouse or the like, the user registration / change program 31 is not shown, but the entered user ID And the password are transmitted to the user management program 11. On the other hand, when the operator of the client 3 clicks the cancel button D1404 with a mouse or the like, the user registration / change program 31 ends the process.

  When the user management program 11 receives the user ID and password transmitted by the user registration / change program 31, the user management program 11 authenticates the received user ID and displays the result of “successful authentication”. The contract ID related to the operator of the client 3 or the processing result of “authentication failure” is transmitted to the user registration / change program 31.

  When the user registration / change program 31 receives “successful authentication” from the user management program 11, the user registration, user information change, user deletion, and contact person registration are performed on the display device 36, although not shown. Alternatively, a menu screen for selecting one of the contact person approvals is displayed, and each selected process is executed. On the other hand, when “authentication failure” is received, a message indicating that the authentication has failed is displayed on the login screen, and the operator of the client 3 is prompted to input a password correction. When the contact person registration is selected on the menu screen, the user registration / change program 31 displays the contact person registration screen D3200 as illustrated in FIG. 32 on the display device 36 and is input by the operator of the client 3. The received user ID and the like are transmitted to the user management program 11 and wait until the processing result is received from the user management program 11 although not shown in the figure.

  In addition, the operator of the client 3 uses the user ID of the user who wants to register in the contact person file 24 and the contract ID of another company or the like that creates the encrypted content and transmits it to the contact person (in this example, the contract A). Enter the contract ID) in each entry field. When the OK button is clicked, the user registration / change program 31 inputs the entered user ID, contract ID (contract ID of contract A), and contract ID related to the operator of the client 3 (contract ID of contract B). Is transmitted to the user management program 11. On the other hand, although not explicitly shown in FIG. 30, when the operator of the client 3 clicks the cancel button with a mouse or the like, the user registration / change program 31 ends the process (step S3001).

  (9-2) When the user management program 11 receives the user ID and the like transmitted from the user registration / change program 31, the user management program 11 performs a registration process for the received user ID and the like. Specifically, first, the received user ID and contract ID (contract ID of contract A and contract B) are checked (for example, the received contract ID (contract ID of contract A) is set in the contract ID 221. If there is no existing contract record 230, or if there is no user record 230 in which the received user ID and contract ID (contract B contract ID) are set in the user ID 231 and the contract ID 235, respectively, an error is determined. To do). If it is determined to be normal, the received user ID and contract ID are set in the user ID 241 contract ID 242 of the contact person record 240, and “unapproved” is set in the approval status 243. The person record 240 is added to the window person in charge file 24. The user management program 11 transmits the processing result of “error” or “normal” to the user registration / change program 31 (step S3060).

  (9-3) Upon receiving the registration process execution result from the user management program 11, the user registration / change program 31 determines whether the registration process is successful, that is, “normal” or “error”. If it is “normal”, the process ends here. If it is “error”, a message indicating that the registration has failed is displayed on the window for registering the person in charge of the window. Prompts for correction input, etc., and repeats the processing from step S3001 (step S3002).

  In the above description, the process for registering the contact person has been described. However, like the user registration, the user registration / change program 31 is configured to have functions such as changing the contact person and deleting the contact person. Also good.

(10) Returning to FIG. 29, the person in charge of contract of the company B or the user having the user management authority registers the person in charge of the contract A in the person in charge file 24 as described above. Then, the user ID of the person in charge of the window is notified to the contract person in charge of the company A (related to the contract A) or the user having the user management authority. Then, the contract person or the like of the company A (related to the contract A) or the user having the user management authority approves the user ID that is notified. Specifically, the approval is performed by setting “approved” in the approval presence / absence 243 of the contact person record 240 by the user registration / change program 31 or the like (step S2911).

  FIG. 31 is a flowchart for explaining the operation of the person in charge of the counter in the third embodiment. Here, the operation of approval of the person in charge of the contact will be described. Since the operation of the person in charge of the counter overlaps with the operation of user registration described with reference to FIG. 7, the operation different from the user registration will be mainly described below.

  (10-1) An operator of the client 3 (a contract person in charge of the company A or a user having user management authority) operates the input device 35 to start the user registration / change program 31. When activated, the user registration / change program 31 starts processing. Although not shown, the user registration / change program 31 displays a login screen (user authentication screen) on the display device 36 and uses the input entered by the operator of the client 3. A user ID (contract ID of contract A or a user ID of a user having user management authority) and a password are transmitted to the user management program 11 and waits until an authentication success or failure is received from the user management program 11. The login screen (user authentication screen) in this case is the same as that shown in FIG. When the operator of the client 3 inputs the user ID and password on the login screen D1400 and clicks the OK button D1403 with a mouse or the like, the user registration / change program 31 is not shown, but the entered user ID And the password are transmitted to the user management program 11. On the other hand, when the operator of the client 3 clicks the cancel button D1404 with a mouse or the like, the user registration / change program 31 ends the process.

  When the user management program 11 receives the user ID and password transmitted by the user registration / change program 31, the user management program 11 authenticates the received user ID and displays the result of “successful authentication”. The contract ID related to the operator of the client 3 or the processing result of “authentication failure” is transmitted to the user registration / change program 31.

  When the user registration / change program 31 receives “successful authentication” from the user management program 11, the user registration, user information change, user deletion, and contact person registration are performed on the display device 36, although not shown. Alternatively, a menu screen for selecting one of the contact person approvals is displayed, and each selected process is executed. On the other hand, when “authentication failure” is received, a message indicating that the authentication has failed is displayed on the login screen, and the operator of the client 3 is prompted to input a password correction. When the contact person approval is selected on the menu screen, the user registration / change program 31 displays the contact person approval screen D3300 illustrated in FIG. 33 on the display device 36, and is input by the operator of the client 3. The received user ID and the like are transmitted to the user management program 11 and wait until the processing result is received from the user management program 11 although not shown in the figure.

  Further, the operator of the client 3 is notified as the contact person in charge of the contract A from the user ID of the user who is approved as the contact person (the contract person of the company B or the user having the user management authority). User ID) is entered in the input field. When the OK button is clicked, the user registration / change program 31 transmits the entered user ID and the contract ID related to the operator of the client 3 (contract ID of contract A) to the user management program 11. On the other hand, although not explicitly shown in FIG. 30, when the operator of the client 3 clicks the cancel button with a mouse or the like, the user registration / change program 31 ends the process (step S3101).

  (10-2) Upon receiving the user ID transmitted from the user registration / change program 31, the user management program 11 performs an approval process for the received user ID. Specifically, first, the received user ID and contract ID (contract ID of contract A) are checked (for example, the received user ID and contract ID (contract ID of contract A) are the user IDs 241 respectively. If the contact person record 240 set in the contract ID 242 does not exist, it is determined as an error). When it is determined to be normal, the contact person record 240 (received user ID and contract ID (contract ID of contract A) related to the received user ID is set in the user ID 241 and the contract ID 242 respectively. “Approved” is set in the approval status 243 of the contact person record 230), and the contact person record 240 is updated. The user management program 11 transmits the processing result of “error” or “normal” to the user registration / change program 31 (step S3160).

  (10-3) When the user registration / change program 31 receives the result of the approval process from the user management program 11, the user registration / change program 31 determines whether the approval process is successful, that is, "normal" or "error". If it is “normal”, the process ends here. If it is “error”, a message indicating that the approval has failed is displayed on the contact person registration screen. Prompts for correction input and the like, and repeats the processing from step S3101 (step S3102).

  In the above description, the process of approving the person in charge of the window has been described, but the user registration / change program 31 may be configured to have a function of canceling the person in charge of the person in charge of the window as in the case of registering the person in charge of the window. .

  As described above, in the third embodiment of the present invention, the company that receives the encrypted content first registers the contact person, and the company that transmits the encrypted content approves the contact person. By doing so, a user who can be trusted by both companies can be registered as a contact person. In the above description, only the minimum functions necessary for the registration of the contact person and the approval of the contact person have been described. For example, the user name 230, the user's department, the position, the years of experience, the work history, etc. The user name of the person in charge of the window, the department to which the person in charge belongs, etc. may be displayed in the window person in charge registration and window person approval. By doing so, companies that receive encrypted content and companies that send encrypted content evaluate the reliability of the person in charge with reference to the position of the person in charge of the person in charge. be able to.

(11) Returning to the reference in FIG. 29, after the person in charge of contract of the company A approves the person in charge of the window as described above, the encryption authority among the users of the company A (related to the contract A) is granted. The person who has it creates access authority. Specifically, as described with reference to FIG. 8, the user ID of the user of the company A who wants to refer to the encrypted content, and the contact person in charge of the company B (related to the contract A) as necessary. The access authority record 250 in which the user ID is set is created (step S2405).

  In the third embodiment of the present invention, all users registered in the user file 23 in the display / selection column (D1603) of the user ID list on the access authority registration screen (D1600 in FIG. 16). Instead of displaying the ID, the contract ID 235 of the user record 230 related to the operator of the client 4 is referred to, and the user ID 231 in which the same value is set in the contract ID 235 is displayed, and in addition, the contract ID 242 is displayed. The user ID 241 of the contact person record 240 for which the same value as the contract ID 235 is set may be displayed. In this way, the user having the user management authority of the company A refers to only the user related to the contract A of the company A and the contact person in charge of the contract A of the company B to the access authority file 25. You can register.

(12) Next, the user who has the encryption authority (related to the contract A) of the company A encrypts the content and creates the encrypted content 49 as in the case of the second embodiment (S2913).

  In the above description, when the encrypted content 49 is created, the content management program 13 that operates together with the content encryption program 42 is the content encryption in the third embodiment as in the second embodiment. An error check is performed to determine whether the access authority ID received from the program 42 can be used for the encryption. However, the contents of the process are slightly different. Specifically, the content management program 13 refers to the user ID 253 of the access authority record 250 set in the access authority ID 251 for the received access authority ID, and is set in the contract ID 235 of the user record 230. If the value is the same as the contract ID 235 of the user having the encryption authority, or the value set in the contract ID 242 of the contact person record 240 is the contract ID 235 of the user having the encryption authority It can be used when they are the same and the approval status 243 is “approved”, and cannot be used when they are different.

  Similarly, in content re-encryption, it is determined whether or not the contract ID of the user having the encryption authority matches the contract ID related to the access authority ID designated by the user. In this way, only the access authority ID 251 of the access authority record 250 created by the user of the company A can be input to the access authority ID such as the content encryption screen (D1800 in FIG. 18). The encrypted content created by the user of the company A can be referred to only by the user of the company A and the contact person in charge of the company B, and is not referred to by other persons.

(13) The user of the company A and the contact person in charge of the company B (related to the contract A) registered in the user record 230 and the access authority record 250 are encrypted contents as in the case of the first embodiment. Can be referred to (S2914).

(14) Then, the contact person in charge of Company B (related to Contract A) accesses the encrypted content to refer to the user of Company B (the user who performs the design work received from Company A). Create permissions. Specifically, as described with reference to FIG. 8, the access authority record 250 in which the user ID of the user of the company B who wants to refer to the encrypted content is created. For example, when a part of the design is ordered from company B to company C, the contact person in charge of company C (in relation to contract B) is registered in the same manner as described above, and the window What is necessary is just to produce the access authority record 250 in which the person in charge was set (step S2915).

(15) Next, the user who has the encryption authority (related to the contract B) of the company B re-encrypts the content in the same manner as described above, and creates the encrypted content 49. Thereafter, the user of the company B registered in the user record 230 and the access authority record 250 can refer to the encrypted content as in the case of the first embodiment (step S2916). .

<Effects of Document Management System According to Third Embodiment>
As described above, in the document management system according to the third embodiment, for each service usage contract between each company and the service provider, the company that creates the encrypted content is the transmission destination of the encrypted content. The person in charge who can register the contact person, and the company that creates the encrypted content, approves the person in charge of the contact person of other companies, etc., and gives the person in charge of the window the authority to refer to the encrypted content. be able to.

  Therefore, if you want other companies or departments to refer to the content encrypted by a certain company or department, you can refer to the encrypted contents only between users with the same contract ID, while the contract ID is different. A person in charge of a company or the like can also refer to the encrypted content after approving the person in charge of the person concerned.

<Effects related to service business>
In the document management system according to the first embodiment of the present invention, a service provider that installs and operates the content management server 1 provides services based on the number of records of the user records 230 registered in the user file 23. Service usage fees can be charged to the companies and corporate groups that use them.

  In the document management system according to the second embodiment of the present invention, it is necessary to share an encrypted content with an internal user (that is, an encrypted content created by an internal user is transmitted to another internal user). Companies and departments, etc. (which need to be referred to) each conclude a service use contract, create a contract record 220 for each service use contract, and use the number of users who use the service based on the service use contract Since the service number is set to 223, the service provider can charge a service usage fee to the company or department that uses the service based on the contract user number 223 or the like.

  In the document management system according to the third embodiment of the present invention, companies and departments that need to share encrypted content not only with internal users but also with external users are among the external users. With some persons (one person in the example of the third embodiment) as the person in charge of the window, the authority to refer to the encrypted content can be granted, and a service use contract is concluded for each service use contract. 220, and the number of users who use the service based on the service use contract is set as the number of contract users 223. Therefore, the service provider can provide services based on the number of contract users 223 and the like. You can charge a service usage fee to the company or department you use. That is, companies and departments that need to share encrypted content with external users need only pay service usage fees for the number of internal users, regardless of the number of external users.

DESCRIPTION OF SYMBOLS 1 Content management server 11 User management program 12 Access authority management program 13 Content management program 14 Access control program 15 Contract management program 16 Input device 17 Display device 2 Storage device 21 Key file 22 Contract file 23 User file 24 Window person in charge file 25 Access authority file 26 Content management file 3 (3a, 3b) Client 31 (31a, 31b) User registration / change program 35 (35a, 35b) Input device 36 (36a, 36b) Display device 4 (4a) Client 41 ( 41a) Access authority registration / change program 42 (42a) Content encryption program 43 Content reference program 45 (45a) Input device 46 (46a) Display device 47 Storage device 49 encrypted content 9 LAN
91 Internet

Claims (5)

Encrypts the content including the document information is stored in a document management system for the restriction of access to the content by limiting who can obtain the content,
User access to the content encrypted held a first client 1 or the plurality holds the content encrypted, the SL before a key file first in the client a content management server for managing rights, and a second client to register the user referring to the contents encrypted with the content management server by a network formed by connecting communicably,
The second client according to an instruction of the operator, using the user management processing unit user registration and change processing means and said content management server itself client has to have, the user file in the content management server with encrypting the content, it registers a plurality of users by referring to the content that has been encrypted,
The first client using the access right management processing means having access permission registration and modification processing means and the content management server itself client has the instruction of the user is a steering author, referring to the content that is encrypted 1 or a plurality of users want to, in the predetermined access rights ID paired register with access files in the content management server, further, the content encryption processing means and the content management server itself client has using the content management processing means having, along encrypts the content desired to be referred to the user and stored in the connected storage device in the own client as encrypted content, and a predetermined content ID and access rights ID the in pairs, content management in the content management server file Stored in the Le, 1 or wants to see the encrypted content transmitted in addition to the first client to use a plurality of users,
First client of the other receiving the encrypted content that has been sent, the time of referring to the encrypted content transmitted, the content reference program processing unit self client has, trying to see the Transmitting the content ID of the encrypted content to the access control processing means of the content management server;
It said access control processing unit acquires the access ID from the content management file by the content ID transmitted, acquires referable user of the access rights file by the access authority ID, trying to see wherein authenticates the first client of the user the other having transmitted the content ID of the encrypted content are, that it has successfully authenticated with the decryption key to the content reference processing unit of the other of the first client document management system for causing transmit, perform decoding Display of the encrypted content by the content reference processing unit. In the document management system according to claim 1, wherein the user who wants to see the encrypted content, when an external user rather than the inside of the user, window whom part of the external user as representative, features and be Rubun form management system that authority to reference the encrypted content is granted. According to claim 1 or 2 document management system, wherein the content management server, wherein the to Rubun form management system that is installed and operated by service provider. In the document management system according to claim 3, wherein the content management server installation and operation to that service provider, based on the number of referable user the encrypted content, the user belongs companies, features and to Rubun form management system that against departments charge a service fee. Encrypts the content including the document information is stored in the document management method for a document management system for the restriction of access to the content by limiting who can obtain the content,
The document management system, the user is encrypted held a plurality of first client 1 also holds the content that has been encrypted with a key file before Symbol in the first client a content management server for managing access rights to the content that is being constructed by connecting communicably the second client and the network to register the user to see the content encrypted with the content management server And
The second client according to an instruction of the operator, using the user management processing unit user registration and change processing means and said content management server itself client has to have, the user file in the content management server with encrypting the content, it registers a plurality of users by referring to the content that has been encrypted,
The first client using the access right management processing means having access permission registration and modification processing means and the content management server itself client has the instruction of the user is a steering author, referring to the content that is encrypted 1 or a plurality of users want to, in the predetermined access rights ID paired register with access files in the content management server, further, the content encryption processing means and the content management server itself client has using the content management processing means having, along encrypts the content desired to be referred to the user and stored in the connected storage device in the own client as encrypted content, and a predetermined content ID and access rights ID the in pairs, content management in the content management server file Stored in the Le, 1 or wants to see the encrypted content transmitted in addition to the first client to use a plurality of users,
First client of the other receiving the encrypted content that has been sent, the time of referring to the encrypted content transmitted, the content reference program processing unit self client has, trying to see the Transmitting the content ID of the encrypted content to the access control processing means of the content management server;
It said access control processing unit acquires the access ID from the content management file by the content ID transmitted, acquires referable user of the access rights file by the access authority ID, trying to see wherein authenticates the first client of the user the other having transmitted the content ID of the encrypted content are, that it has successfully authenticated with the decryption key to the content reference processing unit of the other of the first client transmitted, a document management method characterized by causing the decoding Display of the encrypted content by the content reference processing unit.

Images