JP5509888B2 - Document management system and document management method - Google Patents

Description

  The present invention relates to a technique for setting access authority for a computer resource such as a document file.

  In the document management system, when it is desired to set an access authority for a document, the access authority is usually set by specifying a user, or an access authority is set by specifying an attribute of a user such as an office or a group.

  In the following Patent Document 1, a group (access right group) for which access rights are set for each computer resource is selected from a plurality of groups (access sets), and the type of access right is set for each selected access right group. The setting is described.

  Further, Patent Document 2 below describes extracting users of one selected group and users of related groups of the group, and narrowing down information distribution target persons according to the input distribution target person extraction conditions. Has been.

JP 2004-54779 A JP 2004-178433 A

  When setting access authority by specifying attributes such as offices and groups, it is desirable to be able to easily confirm what users are associated with the specified attributes.

  However, since a user may have a plurality of attributes, in order to specify a plurality of attributes and set access authority, it is necessary to search and set such users individually, which is complicated. In addition, setting errors may occur due to such complicated work. This problem cannot be improved by applying any of the techniques of Patent Document 1 and Patent Document 2.

  It is an object of the present invention to provide a new framework for setting access rights for computer resources.

  The document management system of the present invention extracts user attribute storage means for storing correspondence information between users and attributes, and attributes corresponding to the first user based on the correspondence information, and corresponds to the extracted attributes. Search means for outputting information indicating one or a plurality of second users, option display means for selectively displaying the information indicating the output one or more second users, and the first user; Access authority setting means for setting a predetermined access authority with respect to computer resources designated in advance for one or a plurality of second users corresponding to information selected from the displayed information, and When the search means extracts a plurality of attributes, the option display means corresponds to an attribute included in the combination for at least one of a combination of two or more attributes. Or information indicating a plurality of second user is selectively displayed, characterized in that.

  In an embodiment of the present invention, the search means outputs information indicating the one or more second users for each of the plurality of first users, and the option display means further includes the plurality of first users. An attribute common to all the users is extracted, and information indicating one or a plurality of second users corresponding to the extracted attribute is displayed in a selectable manner.

  In another embodiment of the present invention, when there are a plurality of the common attributes, the option display means further includes at least one of a combination of two or more attributes among the plurality of common attributes. Information indicating one or a plurality of second users corresponding to the attributes included in the combination is displayed in a selectable manner.

  The document management method of the present invention extracts an attribute corresponding to the first user based on correspondence information between a user and an attribute stored in the user attribute storage means, and one or more corresponding to the extracted attribute A search step for outputting information indicating the second user, an option display step for selectively displaying the output information indicating the one or more second users, the first user, and the display An access authority setting step of setting a predetermined access authority with respect to a computer resource designated in advance for one or a plurality of second users corresponding to the selected information among the selected information, the option display step Then, when a plurality of attributes are extracted in the search step, at least one of a combination of two or more attributes is included in the combination. Selectably displays information indicating one or more second users corresponding to the attribute, and wherein the.

  In the present invention, the term “means” does not simply mean a physical means, but includes a case where the functions of the means are realized by software. Also, the functions of one means or device may be realized by two or more physical means or devices, or the functions of two or more means or devices may be realized by one physical means or device.

  According to the present invention, when at least one first user is designated, information indicating the second user associated with the same attribute as the first user and indicating the setting range of the access authority can be selected. Displayed, the access authority setting operator (administrator) does not need to confirm each user even if he / she does not know the user associated with the attribute for which access authority is to be set. It can be done more easily. In addition, since it is possible to work while looking at the displayed second user, it is possible to further suppress the occurrence of setting mistakes.

It is a figure which shows the whole structure of the document management system of 1st Embodiment. It is a figure which shows an example of a data structure of a user information storage means. It is a figure which shows an example of a data structure of an office information storage means. It is a figure which shows an example of a data structure of a group information storage means. It is a figure which shows an example of a data structure of an authority information storage means. It is a figure which shows an example of a data structure of a search object variable memory | storage means. It is a figure which shows an example of a data structure of a search result storage means. It is an example of the flowchart of an access authority setting process. It is a figure which shows an example of a structure of a setting screen. It is a figure which shows the state which displayed the permission condition in the permission condition display column of a setting screen. It is a flowchart of an access authority determination process.

  Hereinafter, as an embodiment of the present invention, with reference to the drawings, a framework for setting a predetermined access authority with respect to a computer resource designated in advance for one or a plurality of users based on designation from an administrator. I will explain.

  FIG. 1 shows an overall configuration of a document management system 100 according to the first embodiment.

  The document management system 100 includes a user management device 200 and a document management device 300. The user management apparatus 200 and the document management apparatus 300 are communicably connected via a known communication line such as a LAN or the Internet. In addition, as the user management apparatus 200 and the document management apparatus 300, a personal computer or a server computer including components such as a CPU, a ROM, a RAM, a hard disk, and a communication apparatus can be used.

  The user management apparatus 200 includes a user attribute storage unit 201, a user information search unit 240, an office information search unit 241, a group information search unit 242, and a user authentication unit 243. The user attribute storage unit 201 includes a user information storage unit 210, an office information storage unit 220, and a group information storage unit 230 that store correspondence information between a user and an attribute (such as an office or group to which the user belongs). It implement | achieves functionally using memory | storage devices, such as. The user information search unit 240, office information search unit 241, group information search unit 242, and user authentication unit 243 function when the CPU reads a predetermined program from the storage device such as a hard disk into the RAM and executes it. Is realized. Hereinafter, the function of each means will be described.

  As shown in FIG. 2, the user information storage unit 210 stores a user ID, a user name, belonging office information (office ID), and belonging group information (group ID) as information indicating attributes for each user. In addition, for example, a password used together with the user ID in the login process is also stored.

  As shown in FIG. 3, the office information storage unit 220 stores an office ID, an office name, and belonging user information (for example, a user ID) as information indicating the belonging user for each office.

  As shown in FIG. 4, the group information storage unit 230 stores a group ID, a group name, and belonging user information (user ID) as information indicating the belonging user for each group. A group is composed of a plurality of users arbitrarily gathered across the office.

  The user information search unit 240, office information search unit 241, and group information search unit 242 cooperate with the search control unit 312 described later of the document management apparatus 300 and associate with the designated first user (representative user). The extracted attribute is extracted, and one or a plurality of second users (related users) associated with the extracted attribute are stored in the user attribute storage unit 201 as correspondence information between the user and the attribute. And the search unit 202 that outputs information indicating the specified one or a plurality of related users.

  Hereinafter, functions of the user information search unit 240, the office information search unit 241, and the group information search unit 242 will be described.

  When the user information retrieval unit 240 receives information (for example, a user name or a user ID) that can identify the user from the document management apparatus 300, the user information retrieval unit 240 refers to the information (FIG. 2) in the user information storage unit 210, and The information associated with the user who performs is output. Specifically, when a user name is specified, the user ID, office information, and group information associated with the user name are output as search results. When a user ID is specified, the user name, belonging office information, and belonging group information associated with the user ID are output as search results.

  When the office information retrieval unit 241 receives information from the document management apparatus 300 that can identify the office to which the user belongs (for example, an office ID or an office name) as the user attribute, information in the office information storage unit 220 (FIG. 3). The information associated with the corresponding office is output. Specifically, when an office ID is designated, an office name and belonging user information (for example, user ID) associated with the office ID are output as a search result. When an office name is designated, the office ID and the belonging user information associated with the office name are output as a search result.

  When the group information search unit 242 receives information (for example, a group ID or a group name) that can identify the group to which the user belongs as the user attribute from the document management apparatus 300, the information in the group information storage unit 230 (FIG. 4). The information associated with the corresponding group is output. Specifically, when a group ID is specified, a group name and belonging user information (for example, user ID) associated with the group ID is output as a search result. When a group name is specified, the group ID and belonging user information associated with the group name are output as a search result.

  When the user authentication unit 243 receives a user ID and password from the document management apparatus 300, the user authentication unit 243 executes an authentication process based on the received information. Specifically, referring to the information (FIG. 2) in the user information storage unit 210, if there is information about a user whose user ID and password match, the user name associated with the user , Belonging office information and belonging group information are output.

  The document management apparatus 300 includes document information storage means 301, authority information storage means 302, document ID variable storage means 303, permission authority variable storage means 304, search target variable storage means 305, search result storage means 306, search control means 312, An option display unit 313, an access authority setting unit 314, and an access authority determination unit 315 are provided. The document information storage unit 301, the authority information storage unit 302, the document ID variable storage unit 303, the permission authority variable storage unit 304, the search target variable storage unit 305, and the search result storage unit 306 use, for example, a storage device such as a hard disk. Functionally realized. The search control unit 312, the option display unit 313, the access authority setting unit 314, and the access authority determination unit 315 are functional when the CPU reads a predetermined program from the storage device such as a hard disk into the RAM and executes it. To be realized. Hereinafter, the function of each means will be described.

  The document information storage unit 301 stores a document ID, storage destination information, attribute information, and the like for each document (such as a computer-readable file including content such as sentences and diagrams) as a computer resource managed in the document management system 1. Store (not shown). The document itself is assumed to be separately stored in a storage device such as a hard disk provided in the document management apparatus 300. Since the attribute information of the document is not closely related to the present invention, the description thereof is omitted.

  As shown in FIG. 5, the authority information storage unit 302 stores the document ID, the condition number, the permission authority, and the permission condition as information (authority information) indicating the contents of the access authority set for each document. The permission authority indicates the content of an operation permitted for the document (for example, reference, update, deletion, or a combination thereof). The permission condition indicates a range in which permission authority is given. In the first embodiment, a user unit (for example, a user name and a user ID), a group unit (for example, a group name and a group ID), and an office unit (for example, a group name and a group ID). For example, it can be set by an office name, an office ID, or the like, or a combination thereof.

  Further, in the authority information stored in the authority information storage unit 302, when duplicate condition numbers are set for the same document ID, the condition numbers are associated with a plurality of duplicate authority information. The permission condition indicates that it is an AND condition. For example, the plurality of authority information is associated with the same permission authority, and indicates that the permission authority is given to a range that satisfies all of the permission conditions corresponding to each authority information. More specifically, in the example of FIG. 5, for example, the document with the document ID “DOCUMENT1” in which the condition number “2” is duplicated is set to the group with the group name “GROUP1” and the group with the group name “GROUP2”. It is shown that the permission authority "reference" is given to the user who belongs to both.

  The document ID variable storage unit 303 stores an ID of a document (target document) for which access authority is set, which is input by the administrator of the document management system 1.

  The permission authority variable storage unit 304 stores information indicating permission authority given to the target document input by the administrator of the document management system 1.

  As illustrated in FIG. 6, the search target variable storage unit 305 indicates a first user (representative user) serving as a reference for specifying the access authority setting range input by the administrator of the document management system 1. Information (user ID and user name) and information (office ID and group ID) indicating attributes associated with the user output from the user information search unit 240 of the user management apparatus 200 are stored.

  The search result storage unit 306 associates the attribute ID or the attribute combination ID with the attribute name and the attribute name associated with the representative user and each attribute combination (belongs to ) Store information indicating the user (for example, user ID). In the illustrated example, no name is set for the combination of attributes. The user associated with the combination of attributes is a user associated with all of the attributes included in the combination (belonging to all).

  The search control unit 312 stores information indicating access authority setting conditions (for example, document ID, representative user, permission authority, etc.) designated by the administrator as document ID variable storage unit 303, permission authority variable storage unit 304, And stored in the storage means corresponding to the specified information in the search target variable storage means 305. Also, it operates as the search unit 202 together with the user information search unit 240, the office information search unit 241 and the group information search unit 242 of the user management apparatus 200, for example, information indicating an attribute associated with the designated representative user For each representative user attribute, information indicating one or more related users associated with the attribute is acquired from the office information search unit 241 and the group information search unit 242. At least information indicating one or more acquired related users (information indicating the representative user and the second user in the first embodiment) is stored (output) in the search result storage unit 306.

  The option display unit 313 displays the attribute for each attribute associated with the representative user based on information indicating one or more related users output by the search unit 202 (specifically, the search control unit 312). Information indicating one or a plurality of related users associated with each other is displayed so as to be selectable. In addition, when the search unit 202 extracts a plurality of attributes for the representative user (when a plurality of attributes are associated with the representative user), a representative is displayed based on the output information indicating one or more related users. At least one of the combinations of two or more attributes included in the plurality of attributes of the user (all combinations in the first embodiment) is associated with all the attributes included in the combination (all Information indicating one or a plurality of related users (belonging to each other) is displayed so as to be selectable.

  The access authority setting unit 315 includes one or more associations corresponding to information selected by the administrator among information indicating the representative user designated by the administrator and one or more associated users displayed by the option display unit 313. For the target document (that is, for the range (attribute) common to the representative user and the related user), the access authority designated by the administrator is set for the target document. Specifically, authority information indicating the contents of the access authority is stored in the authority information storage unit 302.

The access authority determining unit 320 determines the authority of the person who is trying to access the document based on the authority information stored in the authority information storage unit 302 when the user tries to access any document, and is given. Allow access to the document within the scope of the authorized authority.
[Access permission setting process]
FIG. 8 is a flowchart showing the flow of access authority setting processing for the target document by the document management system 100. Hereinafter, the contents of such processing will be described with reference to FIG. In addition, in this specification, each process shown in a flowchart etc. (including a partial process to which no reference numeral is assigned) is arbitrarily changed or executed in parallel within a range that does not contradict the processing contents. Can do.

  In the first embodiment, the administrator of the document management system 100 operates the keyboard and mouse of the document management apparatus 300 or operates a user terminal connected to the document management apparatus 300 via a communication line. On the setting screen 900 shown, an access authority setting operation for the target document is performed.

First, in the setting screen 900, the administrator sets the ID of the target document in the document ID designation field 901, and the permission authority to set for the target document in the permission authority designation field 902.
When the user names of one or more representative users are entered into the target user designation field 903 and the search button 904 is clicked, the search means 202 (more specifically, the search control means 312 of the document management apparatus 300) is The designated value is substituted into a variable (S801).

  Specifically, the search control unit 312 of the search unit 202 stores information (document ID) indicating the target document in the document ID variable storage unit 303 and stores information indicating permission authority in the permission authority variable storage unit 304. The information (user name) indicating the representative user is stored in the search target variable storage unit 305.

  In the setting screen 900, information indicating the target document, permission authority, and representative user may be displayed in a selectable manner.

  Next, the search unit 202 extracts an attribute associated with the representative user designated by the administrator based on the correspondence information between the user and the attribute stored in the user attribute storage unit 201, and at least Information indicating one or a plurality of related users associated with the extracted attribute is output (S802 to S810). Details will be described below.

  First, the user information search unit 240 of the search unit 202 sets the attributes associated with the respective information (here, user names) indicating all representative users stored in the search target variable storage unit 305 as user information storage units. The information is sequentially searched from the information 210 (FIG. 2), and stored in the search target variable storage unit 305 for each representative user (S802, S803).

  Further, when a plurality of representative users are designated (when the determination in S804 is Yes), information indicating attributes common to all of the plurality of representative users is extracted based on the search result (S805, S805). S806). When a plurality of representative users are designated, for example, the ID of the office to which all of the plurality of representative users belong (duplicate office ID) and the ID of the group to which all of the plurality of representative users belong ( (Duplicate group ID) is extracted.

  The office information search means 241 of the search means 202 includes information in the office information storage means 220 for all offices associated with one or more related users belonging to the same office as the representative user (see FIG. 3). ) In order (S807, S808).

  Specifically, referring to the information in the office information storage unit 220, the office name and belonging user information associated with the office ID are acquired using the ID of the office associated with the representative user as a search key. And stored in the search result storage means 506 (FIG. 7).

  In the same manner as described above, the group information search unit 242 stores information on one or a plurality of related users belonging to the same group as the representative user for all groups associated with the representative user. The information (group name and affiliation user information) found by the search is sequentially stored in the search result storage means 506 (S809, S810).

  However, when there are duplicate office IDs or duplicate group IDs, the search processing in S807 and S809 is executed using only the existing duplicate office ID and duplicate group ID as search keys.

  Next, the option display unit 313 of the document management apparatus 300 displays at least a representative user based on information indicating one or a plurality of related users (stored in the search result storage unit 306) output by the search unit 202. For each attribute that is associated, information indicating one or a plurality of related users is displayed in a selectable manner. Further, when the search unit 202 extracts a plurality of attributes for the representative user (when a plurality of attributes are associated with the representative user), for each combination of two or more attributes included in the plurality of attributes. The information indicating one or a plurality of related users associated with all the attributes included in the combination is displayed in a selectable manner (S811 to S814). Details will be described below.

  First, the option display unit 313 does not overlap a combination of two or more attributes among the plurality of attributes when a plurality of attributes are associated with the representative user (when the determination in S811 is Yes). Create (S812). If a plurality of representative users are designated, there are a plurality of attributes common to all the representative users, that is, two or more duplicate office IDs and duplicate group IDs have been extracted in S805 and S806 in total. As a result, a combination of attributes corresponding to the extracted duplicate office ID or duplicate group ID is created.

  For example, if one representative user is associated with three attributes (for example, a group with group ID “GROUP1”, a group with group ID “GROUP2”, and an office with office ID “OFFICE2”), three combinations ( “GROUP1 × GROUP2”, “GROUP2 × OFFICE2”, “GROUP1 × GROUP2 × OFFICE2”). On the other hand, when two attributes are associated with two representative users (for example, one group is associated with the group ID “GROUP1”, “GROUP2”, “GROUP3”, and the other is the group ID). "GROUP2", "GROUP3", and "GROUP4" groups are associated), there are two duplicate group IDs ("GROUP2" and "GROUP3"), and one combination ("GROUP2 x GROUP3") Is created.

  Then, the option display unit 313 belongs to the created combinations, information indicating one or a plurality of related users associated with all the attributes included in one combination (for example, belonging to all such attributes). ID of one or a plurality of related users) is extracted and stored in the search result storage means 306 (FIG. 7) (S813).

  In addition, as shown in FIG. 10, the option display unit 313 displays one or a plurality of related users corresponding to each attribute of the representative user and each combination of a plurality of attributes in the permission condition display field 905 of the setting screen 900. The information to be displayed (in the example shown, the name of the attribute or combination of attributes and the belonging user information) is displayed in a selectable manner (S814). In addition, when the combination of the attribute corresponding to duplication office ID or duplication group ID has been created in S813, the information which shows the 1 or several related user matched is displayed for every such combination so that selection is possible. Moreover, the related user matched with the combination is a related user matched over all the attributes contained in one combination.

  Next, the access authority setting unit 314 of the document management apparatus 300 sends the representative user and one or a plurality of related users corresponding to the information selected from the information displayed in the permission condition display field 905 of the setting screen 900. On the other hand, the same access authority is set for the target document (for a range (attribute) common to the representative user and the related user) (S815 to S819). Details will be described below.

  First, the access authority setting unit 314 receives designation of information indicating the related user (permission condition) displayed in the permission condition display field 905 of the setting screen 900 from the administrator (S815). For example, the administrator checks the check box 906 displayed for each permission condition next to the permission condition display field 905 and clicks the setting button 907, thereby corresponding to the checked permission condition 1 Alternatively, a plurality of related users are designated.

  Next, the access authority setting unit 314 refers to each authority information (FIG. 5) stored in the authority information storage unit 302, and when the access authority is not set for the target document specified in S601 (S816). If the determination is No), the condition number is set to 1 (S817), and if the access authority is set (when the determination of S816 is Yes), the condition number corresponding to the set authority information is the largest A number obtained by incrementing the number by 1 is set as a condition number (S818).

Then, the access authority setting unit 314 newly generates authority information, that is, for the target document specified in S801, 1 corresponding to the target user (representative user) specified in S801 and the permission condition specified in S815. Or, for the plurality of related users (that is, for the range (attribute) common to the representative user and the related users), the authority information having the content of granting the permission authority specified in S801 is created and set condition number At the same time, it is stored in the authority information storage means 302 (S819).
[Example 1]
Next, as Example 1 of the access authority setting process, with respect to a target document whose document ID is “DOCUMENT1”, a representative user whose user name is “USERNAME11” and one or a plurality of related users extracted based on the representative user A case where the “reference” right is given as the permission right will be described.
[Prerequisites]
As a precondition of this example, the user information storage unit 210, the office information storage unit 220, and the group information storage unit 230 of the user attribute storage unit 201 include user information shown in FIG. Assume that the office information shown in FIG. 3 and the group information shown in FIG. 4 are registered. Further, it is assumed that the authority information has not been set for the target document whose document ID is “DOCUMENT1”.

  First, when the administrator of the document management apparatus 100 designates “DOCUMENT1” as the document ID of the target document, “reference right” as the permission authority, and the user with the user name “USERNAME11” as the target user, the search unit 202 is specified. Refers to the information in the user information storage means 210, and the user information corresponding to the specified user name “USERNAME11”, that is, the user ID “USER11”, the belonging office information (office ID) “OFFICE1”, and the belonging group information ( (Group ID) “GROUP1” and “GROUP2” are acquired and stored in the search target variable storage unit 305 as shown in FIG. 6 (S802 in FIG. 8).

  Next, since one representative user is designated in S601, the search means 202 skips the processing of S605 and S606, and refers to the office information (FIG. 3) of the office information search means 220 to represent the representative user. As the information related to one or more related users belonging to the same office (the office whose office ID is “OFFICE1”), the office name “OFFICENAME1” and the user IDs “USER11”, “USER12”, “USER13” of the belonging users It is acquired and stored in the search result storage means 306 (S807 to 808 in FIG. 8).

  Then, the search unit 202 refers to the group information (FIG. 4) of the group information search unit 230, and includes one or a plurality of members belonging to the same group as the representative user (offices with group IDs “GROUP1” and “GROUP2”). The group name “GROUPNAME1” and the user IDs “USER11”, “USER21”, “USER31”, “USER32” of the affiliated user are acquired as information related to the related user and stored in the search result storage unit 306 (S809 in FIG. 8). ~ 810).

  Next, the option display unit 313 associates a plurality of attributes with the representative user, that is, as shown in FIG. 6, the representative user's office and group belonging to the representative user stored in the search target variable storage unit 350 Since the total number of IDs is three, a combination of office and group is created (S811, S812).

  In this example, combinations are made using a total of three attributes consisting of the office to which the representative user belongs, the office with office ID "OFFICE1", the group with group ID "GROUP1", and the group with group ID "GROUP2". create. Specifically, four combinations of “OFFICE1 × GROUP1”, “OFFICE1 × GROUP2”, “GROUP1 × GROUP2”, and “OFFICE1 × GROUP1 × GROUP2” are created.

  Then, the option display unit 313 searches, for each created combination, information on users belonging to all offices and groups included in the combination (for example, user IDs of representative users and related users) in S808 and S810. Extraction is performed based on the search result stored in the result storage unit 306, and as shown in FIG. 7, it is stored in the search result storage unit 306 (S813 in FIG. 8).

  Next, the option display unit 313 extracts only the related user information from the information stored in the search result storage unit 306, specifically, the user information excluding the user ID “USER11” information. As shown in FIG. 8, each corresponding attribute or combination of attributes is displayed in a selectable manner on the permission condition display field 905 of the setting screen 900 (S814 in FIG. 8). In this example, the permission condition display field 905 replaces the group ID or office ID with the attribute name (for example, office name or group name) stored in the search result storage means 306 and displays the user ID. Based on the user ID stored in the search result storage unit 306, the ID is replaced with a user name that can be acquired via the search unit 202 and displayed. Specifically, the search unit 202 searches for a user name from the user information storage unit 210 using the user ID as a search key, and uses the user name found as a result of the search. As a result, in the permission condition display field 905 of the setting screen 900, the name of the related user is displayed for each attribute associated with the representative user or for each combination of attributes.

  Next, when one combination of attributes (for example, “GROUPNAME1 × GROUPNAME2”) is designated as information corresponding to one or a plurality of related users by the administrator, the access authority setting unit 314 newly creates an authority. Information is created, and the created authority information is stored in the authority information storage means 302 (S816 to S819 in FIG. 8).

  First, the access authority setting unit 314 refers to the information in the authority information storage unit 302, and the setting condition corresponding to the variable (here, document ID “DOCUMENT1”) stored in the document ID variable storage unit 303 is the authority information. Based on whether it is already stored in the storage means 302, a condition number of authority information to be newly created is determined. In this example, as shown in the precondition, since the authority information has not been set for the target document yet (No in S816 in FIG. 8), the condition number is determined to be “1”.

Then, the access authority setting unit 314 sets the condition number to “1”, the related user (user name is “USERNAME31”) corresponding to the combination of the representative user (user whose user name is “USERNAME11”) and the attribute specified by the administrator. Authority to grant "reference" rights to target documents (documents with document ID "DOCUMENT1") for "users" (that is, for ranges (attributes) common to representative users and related users) Create information. Further, as in this example, when a combination including two attributes (for example, a combination of “GROUPNAME1 × GROUPNAME2”) is designated as a permission condition, for example, it is shown in the authority information on the second and third lines in FIG. As described above, the authority information is created for each attribute (here, the group name) in association with the common condition number “1”.
[Example 2]
Next, as a second embodiment of the access authority setting process, for each of the target documents whose document IDs are “DOCUMENT2” and “DOCUMENT3”, the representative users whose user names are “USERNAME11” and “USERNAME21” are based on the representative users, respectively. A case where the “reference” right and the “update” right are granted as permission rights to one or a plurality of related users extracted in this manner will be described.
[Prerequisites]
As a precondition of this example, the user information storage unit 210, the office information storage unit 220, and the group information storage unit 230 of the user attribute storage unit 201 include user information shown in FIG. Assume that the office information shown in FIG. 3 and the group information shown in FIG. 4 are registered. Further, it is assumed that the authority information has not yet been set for the target documents whose document IDs are “DOCUMENT2” and “DOCUMENT3”.

  First, the administrator of the document management apparatus 100 sets “DOCUMENT2” and “DOCUMENT3” as the document ID of the target document, “reference right” and “update right” as permission rights, and user names “USERNAME11” and “USERNAME21” as target users. When each of the “users” is specified, the search unit 202 refers to the information in the user information storage unit 210, acquires user information corresponding to each of the specified user names (“USERNAME11” and “USERNAME21”), The data is stored in the search target variable storage unit 305 (S802 and S803 in FIG. 8).

  In this example, the user ID “USER11”, the office ID “OFFICE1”, and the group IDs “GROUP1” and “GROUP2” are acquired as information corresponding to the user name “USERNAME11” and stored in the search target variable storage unit 305. . Further, as information corresponding to the user name “USERNAME21”, the user ID “USER21”, the office ID “OFFICE2”, and the group ID “GROUP1” are acquired and stored in the search target variable storage unit 305.

  Next, since a plurality of representative users are designated, the search unit 202 (specifically, the search control unit 312) extracts duplicate office IDs and duplicate group IDs (S805 and S806 in FIG. 8).

  Specifically, with reference to the information in the search target variable storage unit 305, among the office IDs associated with each of the two designated representative users, the office ID (duplicate office ID) associated with both the office IDs. ). In this example, the duplicate office ID extraction result is none.

  Next, referring to the information in the search target variable storage unit 305, among the group IDs associated with each of the two designated representative users, the group ID (duplicate group ID) associated with each other is selected. Extract. In this example, “GROUP1” is extracted as the duplicate group ID.

  Next, the search unit 202 searches for a user associated with the duplicate office ID as one or a plurality of related users belonging to the same office as the representative user (S807 and S808 in FIG. 8). In this example, since there is no duplicate office ID, there is no search result.

  Then, the search unit 202 searches for a user associated with the duplicate group ID as one or a plurality of related users belonging to the same group as the representative user, and stores information found by the search in the search result storage unit 306. (S809 and S810 in FIG. 8). In this example, the group name “GROUPNAME1”, the user IDs “USER11”, “USER21”, “USER31”, and “USER32” are stored in the search result storage unit 306 as information corresponding to the duplicate group ID “GROUP1”. Stored.

  Next, the option display means 313 does not create a combination of attributes because the total of the duplicate office ID and the duplicate group ID is one (only group ID “GROUP1”) (S812 and S813 in FIG. 8 are skipped).

  The option display means 313 then displays the related user associated with the group name “GROUPNAME1” with the group ID “GROUP1” and the group with the group ID “GROUP1” in the permission condition display field 905 of the setting screen 900. A user name ("USERNAME31" and "USERNAME32") indicating each representative user whose user ID is "USER11" or "USER21" and only a related user among the related users whose user ID is "USER31" or "USER32" Are displayed in association with each other (S814 in FIG. 8).

  Next, when the administrator designates the group name “GROUPNAME1” displayed in the permission condition display field 905 as information corresponding to the related user, the access authority setting unit 314 newly creates authority information. The created authority information is stored in the authority information storage means 302 (S816 to S819 in FIG. 8).

  First, the access authority setting unit 314 refers to the information in the authority information storage unit 302 and corresponds to each of the variables stored in the document ID variable storage unit 303 (here, document IDs “DOCUMENT2” and “DOCUMENT3”). Based on whether the authority information is already stored in the authority information storage means 302, the condition number of the authority information to be newly created is determined. In this example, as shown in the precondition, since the authority information has not been set for the target document yet (No in S816 in FIG. 8), the condition number is determined to be “1”.

Then, the access authority setting unit 314 sets the condition number to “1”, the representative user (the user corresponding to “USERNAME11” and the user corresponding to “USERNAME21”), and the related user corresponding to the attribute designated by the administrator ( The user corresponding to "USERNAME31" and the user corresponding to "USERNAME32" (that is, the range (attribute) common to the representative user and the related user), the target document (the document corresponding to "DOCUMENT2" and For the document (corresponding to “DOCUMENT3”), the authority information having the content of giving the “reference” right and the “update” right is created. By setting the group ID “GROUP1” as a permission condition, access authority is granted to the related users (users corresponding to “USERNAME31” and “USERNAME32”) corresponding to the attribute specified by the administrator. Can be granted.
[Access permission judgment processing]
FIG. 11 is a flowchart showing the flow of access authority determination processing by the document management system 100. Hereinafter, the contents of such processing will be described with reference to FIG.

  When the user authentication unit 243 of the user management apparatus 200 receives the user ID and password of the user as login information from the user (specifically, the user terminal or the document management apparatus 200 operated by the user), the determination of S1101 is made. Yes), a login process is executed (S1102).

  Specifically, if the received login information does not match the user ID and password included in any of the user information stored in the user information storage unit 210, the user authentication unit 243 performs an access authority determination process. If it matches and the login information is matched, information indicating the attribute of the user matching the login information (for example, user ID, office ID, group ID, etc.) is output.

  Next, the access authority determining unit 315 of the document management apparatus 300 acquires the output user attribute information (S1103), and when the user has requested access to the document (when the determination in S1104 is Yes) ), The condition number N is set to "1" (S1105).

  Then, the access authority determination unit 315 refers to the authority information (FIG. 5) stored in the authority information storage unit 302, and the authority information regarding the document to be accessed corresponding to the set condition number N Whether or not exists is determined (S1106).

  When there is no authority information corresponding to the value of the condition number N for the document to be accessed, the access authority determining unit 315 ends the access authority determining process. On the other hand, if there is one or more authority information corresponding to the value of the condition number N for the document to be accessed, the authority information of the condition number N for the document to be accessed is sequentially referenced (S1107), and acquired in S1103. It is determined whether the information of the selected user satisfies the permission condition, that is, whether any of the user information (user ID, office ID, group ID, etc.) matches the permission condition of the authority information being referred to. (S1108).

  When the permission condition is not satisfied, the access authority determination unit 315 increments the condition number N by 1 (S1109), and repeats the processes of S1106 to S1108 based on the condition number N after the increment.

  On the other hand, when the permission condition is satisfied, the access authority determining unit 315 determines whether all authority information corresponding to the condition number N has been determined (S1110).

  If there is undetermined authority information among the authority information corresponding to the condition number N, the access authority determining unit 315 repeats the processes of S1107 to S1110 for the undetermined authority information corresponding to the condition number N.

  On the other hand, when all the authority information corresponding to the condition number N has been determined, the access authority determining unit 315 permits the operation of the document within the range of the permission authority (S1111).

  For example, when a user with a user name “USERNAME31” accesses a document whose document ID is “DOCUMENT1”, if the login is completed, the access authority determination unit 315 includes a user authentication unit of the user management apparatus 200. As the user information, the user ID “USER31”, the office ID “OFFICE3”, and the group IDs “GROUP1” and “GROUP2” are acquired from the information 243 (S1103).

  If the authority information shown in FIG. 5 is stored in the authority information storage unit 302, one authority information corresponding to the condition number “1” and one condition number “2” are associated with the document ID “DOCUMENT1”. Two corresponding authority information has been set.

  In this case, the access authority determining unit 315 includes information (“USER31”, “OFFICE3”, “GROUP1”, “GROUP2”) indicating the user attributes acquired in S1103 and the authority information corresponding to the condition number “1”. The permission condition value (“USER41”) is compared and the permission condition is not satisfied, so the authority information corresponding to the condition number “2” is referred to.

  Similarly to the above, the access authority determining unit 315 obtains information (“USER31”, “OFFICE3”, “GROUP1”, “GROUP2”) indicating the user attributes acquired in S1103 and the authority corresponding to the condition number “2”. Since the permission condition value ("GROUP1") is compared with the permission condition value, the permission condition value ("GROUP2") of the undetermined authority information corresponding to the condition number "2" is then compared. Similarly, it is understood that the permission condition is satisfied and all the authority information corresponding to the condition number “2” is determined.

  As a result, the access authority determination unit 315 permits the user with the user ID “USER31” to refer to the document with the document ID “DOCUMENT1” (S1111).

  As described above, according to the document management system 100, even if the access authority setting operator does not know the belonging user information of the office to which the access authority is to be set or the belonging user information of the group to which the access authority is to be set, By specifying at least one representative user associated with a range for which authority is to be set, information on one or a plurality of related users associated with the same attribute as the representative user can be displayed in a selectable manner. it can. This makes it easy to specify the access authority setting range appropriately based on the displayed information and to set the access authority under complicated conditions that combine multiple conditions such as offices and groups. Can be set.

  In addition, even when narrowing down the users for which the access authority is set on the condition that they are associated across a plurality of attributes, as described above, 1 or 1 associated with the same attribute as the representative user Since information on a plurality of related users is displayed, it is not necessary to individually check the users associated with the plurality of attributes, and the occurrence of setting errors can be suppressed.

Although the embodiments of the present invention have been described above, the present invention is not limited to the above-described embodiments and can be variously modified and applied.
[Modification]
In the first embodiment, the document management system 100 is configured by the user management apparatus 200 and the document management apparatus 300. However, the document management system 100 may be configured by a single apparatus having both configurations. Alternatively, the document management system 100 may be configured by further subdividing three or more devices.

  DESCRIPTION OF SYMBOLS 100 ... Document management system, user management apparatus 200, document management apparatus 300, 201 ... User attribute storage means, 202 ... Search means, 210 ... User information storage means, 220 ... Office information storage means, 230 ... Group information storage means, 240 ... User information search means, 241 ... Office information search means, 242 ... Group information search means, 243 ... User authentication means, 301 ... Document information storage means, 302 ... Authority information storage means, 303 ... Document ID variable storage means, 304 ... Authorization authority variable storage means, 305 ... Search target variable storage means, 306 ... Search result storage means, 312 ... Search control means, 313 ... Option display means, 314 ... Access authority setting means, 315 ... Access authority determination means

Claims (4)

User attribute storage means for storing correspondence information between users and attributes;
Search means for extracting an attribute corresponding to the first user based on the correspondence information and outputting information indicating one or a plurality of second users corresponding to the extracted attribute;
Option display means for displaying the output information indicating one or more second users in a selectable manner;
Access authority setting means for setting a predetermined access authority with respect to computer resources designated in advance for the first user and one or a plurality of second users corresponding to information selected from the displayed information When,
With
When the search means has extracted a plurality of attributes, the option display means has one or a plurality of second users corresponding to the attributes included in the combination for at least one of a combination of two or more attributes. To display selectable information,
A computer resource management system characterized by the above. The search means outputs information indicating the one or more second users for each of the plurality of first users,
The option display means further extracts attributes common to all of the plurality of first users, and displays information indicating one or a plurality of second users corresponding to the extracted attributes in a selectable manner. The computer resource management system according to claim 1. In addition, when there are a plurality of the common attributes, the option display unit corresponds to an attribute included in the combination for at least one of a combination of two or more attributes among the plurality of common attributes. 3. The computer resource management system according to claim 2, wherein information indicating a plurality of second users is displayed in a selectable manner. A computer resource management method for a computer resource management apparatus, including search means, option display means, and access authority setting means,
The search means extracts the attribute corresponding to the first user based on the correspondence information between the user and the attribute stored in the user attribute storage means, and one or a plurality of second attributes corresponding to the extracted attribute. A search step for outputting information indicating a user;
An option display step in which the option display means displays the output information indicating the one or more second users in a selectable manner;
The access authority setting means gives a predetermined access authority to the first user and one or a plurality of second users corresponding to information selected from the displayed information with respect to computer resources designated in advance. An access authority setting step to be set;
Including
In the option display step, when a plurality of attributes are extracted in the search step, for at least one of a combination of two or more attributes, one or a plurality of second items corresponding to the attributes included in the combination Display selectable user information,
A computer resource management method.

Images