JP5630193B2 - Operation restriction management program, operation restriction management apparatus, and operation restriction management method - Google Patents

Description

  The present invention relates to an operation restriction management program, an operation restriction management device, and an operation restriction management method.

  In recent years, preventing information leakage is an important issue from the viewpoint of corporate compliance. Therefore, a company needs to strictly limit and manage operations on files that can cause information leakage, such as new registration, name change, editing, and printing.

  Thus, as a technique for restricting operations on files, an operation restriction management system that restricts operations on files in units of terminal devices that execute file operations is known (for example, see Patent Document 1). In this operation restriction management system, for example, information leakage can be prevented by setting operation restrictions for files such as browsing, copying, editing and printing to protect the contents of the files.

JP 2009-87216 A

  In the above operation restriction management system, every time a new file is created, operation restrictions must be set for the file, and the burden of setting it is heavy.

  An object of one aspect is to provide an operation restriction management program that can automatically set operation restrictions for file operations.

  In one aspect, the disclosed program includes a reception step of accepting first identification information for identifying a first file that is a target of a first operation by a user, and a second operation different from the operation. An extraction step for extracting the operation log from the storage unit storing the operation log including the second identification information for identifying the second file that is the target of the second file, and the second identification information included in the operation log A first comparison step for comparing the first identification information with the first identification information, and a second comparison for comparing the second identification information with the third identification information designated in advance based on the result of the first comparison step. And the restriction step for restricting the first operation when the second identification information and the third identification information coincide with each other.

  The disclosed program can automatically set operation restrictions on file operations.

FIG. 1 is a block diagram illustrating a configuration of an operation restriction management system according to the embodiment. FIG. 2 is an explanatory diagram illustrating an example of an operation log database. FIG. 3 is an explanatory diagram showing an example of a file path accuracy table. FIG. 4 is an explanatory diagram illustrating an example of the trace result storage unit. FIG. 5 is an explanatory diagram showing an example of the operation policy management table. FIG. 6 is a flowchart showing the processing operation of the server-side control unit related to the operation policy setting process. FIG. 7 is a flowchart showing the processing operation of the server-side control unit related to the operation target file trace processing. FIG. 8 is an explanatory diagram showing an example when a file is copied by changing the drive in the same client terminal. FIG. 9 is an explanatory diagram illustrating an example when a file operation is performed between client terminals. FIG. 10 is an explanatory diagram showing an example when the same file in the shared folder in the file server is copied to a plurality of client terminals. FIG. 11 is an explanatory diagram of a computer that executes an operation restriction management program.

  Hereinafter, embodiments of an operation restriction management program, an operation restriction management device, and an operation restriction management method disclosed in the present application will be described in detail with reference to the drawings. The disclosed technology is not limited by the present embodiment.

  FIG. 1 is a block diagram illustrating a configuration of an operation restriction management system according to the embodiment. The operation restriction management system 1 illustrated in FIG. 1 includes a client terminal 2, a management server 3 that manages the client terminal 2, and a management console 4 that executes various settings of the management server 3. The management server 3 has a function of recording an operation of the client terminal 2 that is a risk of information leakage to suppress problem behavior and preventing leakage of electronic information to the outside.

  Therefore, the management server 3 has functions such as a logon control / recording function, a policy management function, an operation restriction / recording function, a take-out file original storage function, and a service activation control function. First, the logon control / recording function is a function for recording logon and logoff of the client terminal 2 while prohibiting the logon of the client terminal 2 with an account authority that violates the policy. The policy management function is a function for setting prohibited operations and collected logs for each terminal and group of the client terminal 2.

  The operation restriction / recording function has functions such as an application activation prohibition function, a file operation restriction / recording function, a print screen key invalidation function, a mail transmission restriction / recording function, and a mail attachment restriction / recording function. The application activation prohibition function is a function for acquiring and managing application information already installed in the client terminal 2 and prohibiting activation of a designated application. Furthermore, the application activation prohibition function is a function that collects an operation log when the activation operation of the designated application is detected. The file operation restriction / recording function is a function for prohibiting movement, copying, printing, and the like of a file using an external medium from the client terminal 2 and temporarily canceling the prohibition. Furthermore, the file operation restriction / recording function is a function for recording, for example, file operations such as reference, creation, update, deletion, copying, movement, and rename as a log.

  Further, the print screen key invalidation function is a function for prohibiting the operation of the print screen key for obtaining a hard copy of the display screen of the client terminal 2 and recording the key operation as a log. The mail transmission restriction / recording function is a function for restricting mail transmission from the client terminal 2 to a specified address with a policy set on the administrator side and recording the mail. The file attachment restriction / recording function for mail is a function that restricts mail transmission with a file attached from the client terminal 2 according to a policy set on the administrator side and records the mail.

  The original file storage function is a function for compulsorily encrypting when file export from the client terminal 2 to the external recording medium is permitted. Further, the original storage function is a function for recording a log at the time of taking out and storing the original file on the management server 3 side. The service activation control function is a function that obtains a list of services that can be activated on the client terminal 2 and can restrict activation of any service by remote operation.

  Furthermore, the management server 3 has functions such as a device configuration change recording function, a screen capture function, a file tracking function, and a mail notification function. The device configuration change recording function is a function of determining that the device configuration has changed when an external recording medium such as a USB memory device is connected to the client terminal 2, and recording the log. The screen capture function is a function for acquiring a snapshot (hard copy) of the display screen when the title name of the display screen (window) of the client terminal 2 includes a specific application name or a specific keyword.

  The file tracking function is a function for searching an operation log of a corresponding file such as reference, creation, update, deletion, copying, movement, and renaming in the back trace direction or the forward trace direction based on the file operation log. The file trace function in the back trace direction is a function that searches the operation log of the corresponding file retroactively. The file trace function in the forward trace direction is a function for searching the operation log of the corresponding file in time series. The mail notification function is a function for notifying the management console 4 on the administrator side of a mail generated when a specific operation, for example, a violation operation is detected on the client terminal 2 side.

  The management server 3 illustrated in FIG. 1 includes a server-side communication unit 11, a server-side storage unit 12, and a server-side control unit 13. The server side communication unit 11 is connected to the client terminal 2 and the management console 4 for communication. The server-side storage unit 12 stores various types of information, and includes an operation log database 41, a file path accuracy table 42, an operation policy management table 43, and a trace result storage unit 44.

  FIG. 2 is an explanatory diagram showing an example of the operation log database 41. The operation log database 41 illustrated in FIG. 2 manages operation logs including an operation date and time 41A, a PC name 41B, a user name 41C, an operation classification 41D, a diversion source file 41E, and a diversion destination file 41F. The operation date and time 41A corresponds to the date and time when an operation related to a file such as reference, creation, update, deletion, copying, printing, moving, and renaming is completed. The PC name 41B corresponds to the machine name of the client terminal 2 etc. that executed the file operation. The user name 41C corresponds to the user name for logging on the client terminal 2 that executed the file operation. The operation category 41D corresponds to an operation category such as reference, creation, update, deletion, copying, renaming, printing, and the like.

  The diversion source file 41E manages the file path indicating the location of the diversion source file with respect to the file at the start of the operation, that is, the diversion source file. The diversion destination file 41F manages the file path indicating the location of the diversion destination file with respect to the file at the end of the operation, that is, the diversion destination file. The server-side control unit 13 automatically collects operation logs related to file operations of the client terminal 2 and records the collected operation logs in the operation log database 41. One record of the operation log is generated by the client terminal 2 for each operation on a certain file and managed by the management server 3. That is, the destination file that is the result of one operation on the original file is managed by one operation log for a certain file.

  FIG. 3 is an explanatory diagram showing an example of the file path accuracy table 42. The file path accuracy table 42 shown in FIG. 3 manages the accuracy 42B in association with the file path comparison definition 42A. The file path comparison definition 42A is a definition for comparing file paths.

  For example, when the comparison definition 42A is “perfect match with full path”, the accuracy 42B is “5”. When the comparison definition 42A is “exact match except drive name”, the accuracy 42B is “4”. When the comparison definition 42A is “matches after folder name”, the accuracy 42B is “3”. When the comparison definition 42A is “match only file name”, the accuracy 42B is “2”. When the comparison definition 42A is “part of the file name matches”, the accuracy 42B is “1”.

  Now, the file path comparison definition 42A will be described with a specific example. For example, the file path of the diversion destination file is “C: \ AAA \ BBB \ CCC.txt”. At this time, if the file path of the diversion source file to be compared with the diversion destination file is “C: \ AAA \ BBB \ CCC.txt”, the comparison definition 42A is “full path complete match”. As a result, the accuracy 42B is “5”. Further, when the file path of the diversion source file is “F: \ AAA \ BBB \ CCC.txt”, the comparison definition 42A is “exact match except drive name”. As a result, the accuracy 42B is “4”.

  Further, when the file path of the diversion source file is “E: \ BBB \ CCC.txt”, the comparison definition 42A is “Folder name and later match”. As a result, the accuracy 42B is “3”. When the file path of the diversion source file is “C: \ DDD \ CCC.txt”, the comparison definition 42A is “matches only the file name”. As a result, the accuracy 42B is “2”. When the file path of the diversion source file is “C: \ DDD \ CCCEE.txt”, the comparison definition 42A is “part of the file name matches”. As a result, the accuracy 42B is “1”.

  FIG. 4 is an explanatory diagram illustrating an example of the trace result storage unit 44. The trace result storage unit 44 illustrated in FIG. 4 stores, as trace results, operation logs that are sequentially extracted using a file tracking function that tracks operation logs related to files with high probability of matching with the specified file. In the case of file tracing in the back trace direction, the trace result storage unit 44 sequentially stores, as trace results, operation logs of files with the accuracy matching the specified file from operation logs before the operation date and time of the operation log related to the specified file. . Further, in the case of the file trace function in the forward trace direction, the trace result storage unit 44 sequentially stores, as trace results, operation logs of files with the accuracy matching the specified file from operation logs after the operation date and time of the operation log related to the specified file. To do. In the operation target file trace processing described later, the operation log of the original file of the operation target file is sequentially stored in the trace result storage unit 44 as a trace result.

  The trace result storage unit 44 stores the trace result of the operation log including the operation date / time 44A, the PC name 44B, the user name 44C, the operation classification 44D, the diversion source file 44E, the diversion destination file 44F, and the accuracy 44G. The operation date and time 44A corresponds to the date and time of an operation related to a file such as reference, creation, update, deletion, copying, printing, moving, and renaming. The PC name 44B corresponds to the machine name of the client terminal 2 etc. that executed the file operation. The user name 44C corresponds to the user name for logging on the client terminal 2 that executed the file operation. The operation category 44D corresponds to an operation category such as reference, creation, update, deletion, copying, renaming, printing, and the like. The diversion source file 44E manages the file path related to the diversion source file at the start of the operation. The diversion destination file 44F manages the file path related to the diversion destination file at the end of the operation. The accuracy 44G corresponds to the accuracy corresponding to the comparison result between the diversion destination file and the diversion source file in the operation log.

  FIG. 5 is an explanatory diagram showing an example of the operation policy management table 43. The operation policy management table 43 shown in FIG. 5 manages the policy pattern 43A, the average accuracy range 43B, and the operation restriction content 43C. The policy pattern 43A corresponds to a five-stage pattern of A to E for identifying operation restriction contents. The average accuracy range 43B corresponds to the accuracy range to which the operation restriction content is applied. The operation restriction content 43C indicates specific contents of the operation restriction, and includes a reference 43E, a take-out 43F, a print 43G, and an administrator alert 43D. The reference 43E sets whether to permit file reference according to the file reference operation on the client terminal 2 side. The take-out 43F sets whether to allow file take-out according to the file take-out operation on the client terminal 2 side. The print 43G is used to set whether or not to permit print output in accordance with the file printing operation on the client terminal 2 side. The administrator alert 43D sets whether or not to notify notification information such as an email to the management console 4 that is an administrator when an operation corresponding to the operation restriction content is detected.

  For example, when the policy pattern 43A is “A”, for example, if the average accuracy is X, the average accuracy 43B is “5 ≦ X”, the reference 43E is “impossible”, the take-out 43F is “impossible”, and the print 43G is “impossible”. “The administrator alert 43D is“ notify the administrator ”. When the policy pattern 43A is “B”, the average accuracy 43B is “4 ≦ X <5”, the reference 43E is “possible”, the take-out 43F is “impossible”, the print 43G is “impossible”, and the administrator alert 43D is “managed” Notification to the user ”. When the policy pattern 43A is “C”, the average accuracy 43B is “3 ≦ X <4”, the reference 43E is “possible”, the take-out 43F is “possible”, the printing 43G is “impossible”, and the administrator alert 43D is “management”. Notification to the user ”.

  When the policy pattern 43A is “D”, the average accuracy 43B is “2 ≦ X <3”, the reference 43E is “permitted”, the take-out 43F is “permitted”, the print 43G is “not permitted”, and the administrator alert 43D is “Do not notify”. When the policy pattern 43A is “E”, the average accuracy 43B is “1 ≦ X <2”, the reference 43E is “possible”, the take-out 43F is “possible”, the printing 43G is “possible”, and the administrator alert 43D is “Do not notify”.

  Returning to FIG. 1, the server-side control unit 13 includes a reception unit 51, an extraction unit 52, a comparison unit 53, and a restriction unit 54. The accepting unit 51 accepts a file operation on the client terminal 2 side, for example. When receiving the file operation, the extraction unit 52 extracts an operation log of the comparison target file including the file path of the diversion destination file, which is similar to the file path of the operation target file, from the operation log database 41. The extraction unit 52 compares the file path of the operation target file with the file path included in the operation log, and determines that the specified target file and the file related to the operation log are similar when a certain condition is satisfied. . For example, the extraction unit 52 extracts the operation log of the comparison target file when a part of the file name in the file path of the diversion destination file included in the operation log matches the file path of the designation target file. The file operation corresponds to, for example, a reference operation related to a file, a take-out operation, a print operation, or the like. That is, the file operation is a target operation for which a restriction is set by the operation restriction content of the operation policy management table 43 among the operations managed as the operation log.

  Further, when extracting the operation log of the comparison target file, the extraction unit 52 extracts operation logs of other comparison target files including the file path of the diversion destination file that are similar to the file path of the diversion source file of the comparison target file. Extract from database 41. The comparison unit 53 includes an accuracy calculation unit 53A, a specific file determination unit 53B, and an average accuracy calculation unit 53C. The accuracy calculation unit 53A compares the file path of the diversion source file 41E in the operation log database 41 of the extracted comparison target file with the file path of the diversion destination file 41F. The accuracy calculation unit 53A refers to the file path accuracy table 42 and identifies a comparison definition 42A corresponding to the comparison result. Further, the accuracy calculation unit 53A determines whether or not the accuracy 42B corresponding to the identified comparison definition 42A has been acquired from the file path accuracy table 42.

  Furthermore, when the accuracy calculation unit 53A acquires the accuracy from the file path accuracy table 42, the operation log 44 (44A to 44F) of the extracted comparison target file and the acquired accuracy 44G are associated with each other as a trace result. The result is stored in the trace result storage unit 44. The specific file determination unit 53B determines whether or not the trace result includes the file path or folder path of the specific file stored in the specific file table (not shown). The specific file is, for example, a highly confidential document file.

When there is a specific file in the trace result, the average accuracy calculation unit 53C operates from the operation target file to the specific file among all the trace results related to the operation target file stored in the trace result storage unit 44. Extract the total accuracy of the trace results related to the log.
Further, the average accuracy calculation unit 53C calculates the average accuracy by averaging the extracted all accuracy. As the average accuracy, a simple average method of simply adding all the accuracy of all trace results and averaging the added values is adopted, but for example, a weighted average method or the like may be adopted.

  The restriction unit 54 refers to the operation policy management table 43 and identifies the policy pattern 43A in the average accuracy range 43B corresponding to the average accuracy calculated by the average accuracy calculation unit 53C. Further, the restriction unit 54 extracts the operation restriction content 43C corresponding to the identified policy pattern 43A. The restriction unit 54 sets the extracted operation restriction content 43 </ b> C as a restriction on the corresponding file operation of the client terminal 2 that executed the corresponding file operation. Then, the client terminal 2 sets the operation restriction content 43 </ b> C set by the restriction unit 54 in the policy setting table 33 </ b> A in the storage unit 33. As a result, the client terminal 2 restricts the executed file operation based on the operation restriction content set in the policy setting table 33A.

  The extraction unit 52 continues the operation log extraction operation when the number of trace results stored in the trace result storage unit 44 exceeds the specified number or until operation logs of other comparison target files cannot be extracted. .

  The management console 4 illustrated in FIG. 1 corresponds to, for example, a personal computer or the like, and includes a management-side communication unit 21, a management-side display unit 22, a management-side operation unit 23, a management-side storage unit 24, and a management-side control unit 25. And have. The management communication unit 21 is connected to the management server 3 for communication. The management-side display unit 22 corresponds to, for example, a monitor unit that displays various types of information on the screen. The management side operation unit 23 corresponds to, for example, a mouse or a keyboard for inputting various information. The management-side storage unit 24 stores various information. The management-side control unit 25 controls the entire management console 4. The management console 4 determines the comparison definition and accuracy contents in the file path accuracy table 42 in the server-side storage unit 12, the policy pattern in the operation policy management table 43, the average accuracy range, and the operation restriction according to the setting operation. The contents and the like can be changed as appropriate.

  The client terminal 2 corresponds to, for example, a personal computer or the like, and includes an operation unit 31, a display unit 32, a storage unit 33, a communication unit 34, and a control unit 35. The operation unit 31 corresponds to, for example, a mouse or a keyboard for inputting various information. The display unit 32 corresponds to, for example, a monitor unit that displays various information on the screen. The storage unit 33 is a part that stores various types of information. The communication unit 34 is a part that is connected to the management server 3 and is connected to a network (not shown). In addition, the client terminal 2 employs a multi-user method that allows a plurality of users to use different logon user names.

  The storage unit 33 has a policy setting table 33A. The policy setting table 33A manages the operation restriction contents for the file operation set on the management server 3 side as an operation policy. The control unit 35 limits the corresponding file operation based on the operation policy managed in the policy setting table 33A.

  The management server 3 shown in FIG. 1 includes at least a reception unit 51, an extraction unit 52, a comparison unit 53, and a restriction unit 54 in the server-side control unit 13, and an operation log database in the server-side storage unit 12. 41 functions as an operation restriction management device. In this case, the accepting unit 51 accepts a file operation for the file. Furthermore, the operation log database 41 stores an operation log including the file path of the diversion source file and the file path of the diversion destination file that are performed on each of the plurality of files including the file.

  The extraction unit 52 refers to the operation log database 41 and extracts the operation log of the comparison target file including the file path of the diversion destination file similar to the file path of the diversion source file related to the file operation file. The comparison unit 53 compares the file paths of the diversion destination file and diversion source file related to the operation log of the extracted comparison target file. Based on the comparison result, the restricting unit 54 can restrict operations related to the file operation received by the receiving unit 51. As a result, operation restrictions on file operations can be set automatically.

  Next, the operation of the operation restriction management system 1 of this embodiment will be described. FIG. 6 is a flowchart showing the processing operation of the server-side control unit 13 related to the operation policy setting process. It is assumed that the following processing is performed in the client terminal 2 independently of FIG. The control unit 35 of the client terminal 2 monitors the operation on the file and determines whether or not the operation of the operation unit 31 is detected. When the operation is detected, the control unit 35 determines whether the operation corresponds to a file operation. The control unit 35 determines whether or not the policy set for the user is a policy for restricting the file operation when the file operation is applicable. Further, the control unit 35 transmits the file path to the management server 3 when the file operation is set to be restricted.

  In FIG. 6, the server-side control unit 13 determines whether information including the file path of the file to be operated is received from the client terminal 2 through the receiving unit 51 (Step S <b> 11). When receiving the information (Yes at Step S11), the server side control unit 13 executes the operation target file trace process shown in FIG. 7 (Step S12). Here, for convenience of explanation, the operation target file trace processing of FIG. 7 will be described first. FIG. 7 is a flowchart showing the processing operation of the server-side control unit 13 related to the operation target file trace processing.

  In FIG. 7, the server-side control unit 13 identifies an operation target file for file operation (step S21). The server-side control unit 13 determines whether or not the operation log of the comparison target file including the file path of the diversion destination file similar to the file path of the operation target file is extracted from the operation log database 41 through the extraction unit 52 ( Step S22). Here, all similar operation logs may be extracted, and the following processing may be executed on all extracted operation logs.

  When the server-side control unit 13 extracts the operation log of the comparison target file (Yes in step S22), the server-side control unit 13 passes the file paths of the diversion source file and the diversion destination file of the comparison target file through the accuracy calculation unit 53A in the comparison unit 53. Are compared (step S23). The server-side control unit 13 acquires the accuracy according to the comparison result between the file paths in the comparison target file from the file path accuracy table 42 through the accuracy calculation unit 53A (step S24). The accuracy calculation unit 53A acquires the accuracy 42B according to the comparison definition 42A corresponding to the comparison result.

  When the server-side control unit 13 acquires the accuracy corresponding to the comparison result between the file paths in the comparison target file, the server-side control unit 13 stores the trace result in which the accuracy is associated with the operation log of the comparison target file in the trace result storage unit 44 ( Step S25). When the server-side control unit 13 stores the trace result in the trace result storage unit 44, the server-side control unit 13 increments the number of stored trace results by +1 (step S26), and determines whether or not the number of stored trace results is within the specified number (step S26). Step S27).

  When the stored number is within the specified number (Yes in step S27), the server-side control unit 13 operates other comparison target files including the file path of the diversion destination file that is similar to the file path of the diversion source file of the comparison target file. It is determined whether or not a log has been extracted (step S28). When the operation log of another comparison target file is extracted (Yes at Step S28), the server-side control unit 13 proceeds to Step S23 in order to compare the file path of the diversion destination file and the diversion source file of the comparison target file. To do.

  Further, when the operation log of the comparison target file is not extracted (No at Step S28), the server-side control unit 13 determines another comparison target file including the file path of the diversion destination file that is similar to the file path of the operation target file. It is determined whether or not the operation log is extracted (step S29). When the server-side control unit 13 extracts an operation log of another comparison target file including the file path of the diversion destination file similar to the file path of the operation target file (Yes in step S29), the file paths of the comparison target files To compare with each other, the process proceeds to step S23. Moreover, the server side control part 13 complete | finishes the processing operation shown in FIG. 7, when the operation log of another comparison object file cannot be extracted (step S29 negative). If the number of trace results stored is not within the specified number (No at step S27), the server-side control unit 13 proceeds to step S29. In the operation target file trace process, when the stored number is not less than the specified number, the process proceeds to step S29. However, when the comparison target file stored as the trace result corresponds to a specific file such as a confidential document, the process may proceed to step S29.

  Moreover, the server side control part 13 complete | finishes the processing operation shown in FIG. 7, when the operation log of a comparison object file is not extracted (step S22 negative).

  In the operation target file trace process shown in FIG. 7, the trace result to the original file related to the operation target file is sequentially stored in the trace result storage unit 44. As a result, the original file of the operation target file can be specified according to the trace result stored in the trace result storage unit 44.

  As described above, if only one operation is performed on a certain file, it is possible to track the original file and the destination file included in one operation log. However, since a plurality of operation logs are generated in the client terminal 2 by performing a plurality of operations, the management server 3 that performs file tracing needs to specify the relationship between the operation logs. Through the above-described processing, the management server 3 can identify the related operation log and track the file.

  Furthermore, when there are a plurality of client terminals 2 or when there are a plurality of users who perform file operations, a certain file may be operated by the plurality of client terminals 2 or a plurality of users. In this case, each client terminal 2 may generate a large amount of operation logs related to a certain file. Therefore, as in this embodiment, the management server 3 comprehensively manages, so that the file trace can be executed more widely in the plurality of client terminals 2 and users managed by the management server 3. Note that the trace result storage unit 44 shown in FIG. 4 shows two trace paths as trace results of the operation target file “D: \ UserD \ memo.xls”.

  From the trace result of the operation target file “D: \ UserD \ memo.xls”, the first trace path 440A is the operation log of the operation date and time “2010/3/4 15:12” → the operation date and time “2010/2/13” 9:12 ”operation log → operation date and time“ 2010/2/12 12:12 ”operation log → operation date and time“ 2010/2/10 14:12 ”operation log → operation date and time“ 2010/1/27 10: Operation log of “20” operation log → operation date and time “2010/1/25 10:15”. The second trace path 440B is the operation log of the operation date “2010/3/4 15:12” from the trace result of the operation target file “D: \ UserD \ memo.xls” → the operation date “2010/2”. / 13 9:12 ”operation log → operation date and time“ 2010/2/10 14:12 ”operation log → operation date and time“ 2010/1/27 10:20 ”operation log → operation date and time“ 2010/1/25 This shows the operation path of the operation log of 10:15 ”.

  Next, returning to FIG. 6, the server-side control unit 13 stores the trace result of the comparison target file related to the operation target file in the trace result storage unit 44 after executing the operation target file trace process shown in FIG. 7 (step S <b> 12). doing. Then, the server-side control unit 13 determines whether there is a file path of the confidential document that is the specific file in the diversion destination file or diversion source file of the trace result stored in the trace result storage unit 44 through the specific file determination unit 53B. It is determined whether or not (step S13). The file path of the confidential document corresponds to, for example, “customer list” shown in FIG.

  When there is a file path of the confidential document in the diversion destination file or the diversion source file (Yes in step S13), the server side control unit 13 identifies the confidential document file as the original file that is the source of the operation target file. . Furthermore, when the original file of the operation target file is specified, the server-side control unit 13 calculates the average accuracy for each trace path up to the operation log including the file path of the confidential document through the average accuracy calculation unit 53C (step S14). ). The average accuracy calculation unit 53C sets “(5 + 5 + 1 + 1 + 5 + 5) /6=3.67” as the average accuracy of the first trace path 440A shown in FIG. ) /5=4.80 ".

  The server-side control unit 13 determines whether there are a plurality of trace paths including confidential documents (step S15). When there are not a plurality of trace paths including confidential documents (No at Step S15), the server-side control unit 13 determines the average accuracy of the trace path as the average accuracy related to the operation target file for the file operation (Step S16). In addition, when there are a plurality of trace paths including confidential documents (Yes in step S15), the server-side control unit 13 sets the maximum average accuracy among the average accuracy of the plurality of trace paths to the average related to the operation target file of the file operation. The accuracy is determined (step S17). In the example shown in FIG. 4, the average accuracy “4.80” of the second trace path 440B is determined as the average accuracy related to the operation target file.

  When the average accuracy is determined in step S16 or step S17, the server-side control unit 13 acquires the operation restriction content 43C corresponding to the determined average accuracy from the operation policy management table 43 through the restriction unit 54 (step S18). The server-side control unit 13 determines whether or not the operation policy corresponding to the acquired operation restriction content is higher than the operation policy currently set for the client terminal 2 that has executed the file operation of Step S11 (Step S11). S19).

  When the operation policy is higher than the currently set operation policy (Yes at Step S19), the server-side control unit 13 restricts the file operation accepted at Step S11 to the client terminal 2 that has executed the file operation. Is set (step S20). Then, the processing operation shown in FIG. 6 ends. That is, a new policy that is applied only to the operation target file is distributed from the management server 3 to the client terminal 2 in which the file operation is detected.

  The present invention is not limited to the policy distribution. For example, in step S20, the management server 3 transmits only the information of the policy pattern 43A in FIG. The client terminal 2 has an operation policy management table in the storage unit 33. Therefore, the client terminal 2 may refer to the storage unit 33 and execute the operation content restriction corresponding to the received policy pattern. The client terminal 2 sets an operation policy that restricts the file operation accepted in step S11 in the policy setting table 33A in consideration of the original file of the operation target file. As a result, the file operation of the client terminal 2 is restricted based on the operation policy. In the client terminal 2, when the operation for the file operation is restricted, the setting of the operation policy is cancelled.

  When the operation policy corresponding to the operation restriction content acquired in step S18 is not higher than the currently set operation policy (No in step S19), the server-side control unit 13 ends the processing operation illustrated in FIG. .

  Further, when there is no file path of the confidential document in the diversion destination file or diversion source file of the trace result (No in step S13), the server side control unit 13 ends the processing operation illustrated in FIG. Note that the server-side control unit 13 may move to step S14 in order to calculate the average accuracy from all the accuracy of the trace result even when there is no confidential document in the diversion destination file of the trace result.

  In the operation policy setting process shown in FIG. 6, when the file operation on the client terminal 2 side is accepted, the average accuracy is calculated for each trace path to the original file related to the operation target file, and the operation restriction content corresponding to the maximum average accuracy is calculated. Obtained from the operation policy management table 43. Further, in the operation policy setting process, the operation restriction content corresponding to the maximum average accuracy is acquired, and the acquired operation restriction content is set as the operation policy in the client terminal 2 that has executed the file operation. Then, the file operation performed on the client terminal 2 is restricted based on the operation policy. As a result, the management server 3 can specify the original file of the operation target file for the file operation, and can automatically set the operation policy for the file operation in consideration of the original file.

  In the operation policy setting process, every time a file operation is accepted, an average accuracy related to the operation target file is calculated, an operation policy corresponding to the average accuracy is set, and file operations can be restricted based on this operation policy.

  In the above embodiment, the original file of the operation target file can be specified even under the conditions shown in FIGS. FIG. 8 is an explanatory diagram showing an example when a file is copied by changing the drive in the same client terminal 2. For convenience of explanation, the files a, b, and c have the same file contents and the same file name “\ a”. In the operation log L101 when the same client terminal 2 copies the file a as the file b in the folder “\ A” of the same drive “D: \”, the diversion source file is “D: \ A \ a”, the diversion destination The file is “D: \ A \ a” and the operation category is “Copy”. Further, after the client terminal 2 changes the drive “D: \” to the drive “E: \” by changing the drive letter, the operation log L102 when the client terminal 2 copies the file “b” as the file “c” is diverted. The source file is “E: \ A \ a”, the diversion destination file is “E: \ A \ a”, and the operation classification is “copy”. The diversion source file “E: \ A \ a” of the operation target file has a drive name different from the destination file “D: \ A \ a” of the comparison target file.

  Therefore, when the management server 3 receives the file operation of the operation target file c, the management server 3 includes a diversion destination file “E: \ A \ a” similar to the file path “E: \ A \ a” in the operation target file c. The operation log L102 is extracted. Further, the management server 3 compares the diversion source file “E: \ A \ a” and the diversion destination file “E: \ A \ a” in the operation log L102, and the accuracy “5” according to the comparison result. To get. Furthermore, the operation log L101 including the diversion destination file “D: \ A \ a” similar to the diversion source file “E: \ A \ a” in the operation log L102 is extracted. Then, the management server 3 compares the diversion source file “D: \ A \ a” and the diversion destination file “D: \ A \ a” in the operation log L101, and the accuracy “5” according to the comparison result. To get.

  That is, since the file names are the same even if the drive names are different, the original file can be identified by extracting the operation log of the original file related to the operation target file. Even if the file names are different, if the file names partially match, the operation log of the original file can be similarly extracted to specify the original file. As a result, the accuracy of the extracted operation logs L101 and L102 is extracted, and the operation restriction content corresponding to the average accuracy of the extracted accuracy is acquired. The management server 3 sets an operation policy of operation restriction content in the client terminal 2 that has executed the file operation on the operation target file. Then, in the client terminal 2, the operation for the executed file operation is restricted.

  FIG. 9 is an explanatory diagram showing an example when a file operation is performed between the client terminals 2A and 2B. For convenience of explanation, the files a and c have the same file contents and the same file name “”. The files b and e have the same file contents and the same file name “\ a”. The files d and f have the same file contents and the same file name “\ c”.

  In the operation log L111 when the file a is copied as the file c in the client terminal 2A, the diversion source file is “C: \ b”, the diversion destination file is “C: \ b”, and the operation classification is “copy”. Become. Further, when the file b is copied to the USB memory 6 as the file b in the client terminal 2A, the client terminal 2A recognizes the USB memory 6 as the F drive. In the operation log L112 at this time, the diversion source file is “C: \ a”, the diversion destination file is “F: \ a”, and the operation classification is “copy”.

  Further, when the client terminal 2B copies the file b copied in the USB memory 6 as the file e, the client terminal 2B recognizes the USB memory 6 as the G drive. In the operation log L113 at this time, the diversion source file is “G: \ a”, the diversion destination file is “C: \ a”, and the operation classification is “copy”.

  In the operation log L114 when the client terminal 2B prints the file f, the diversion source file is “C: \ c” and the operation classification is “print”. Further, in the operation log L115 when the client terminal 2B copies the file f as the file d, the diversion source file is “C: \ c”, the diversion destination file is “C: \ c”, and the operation classification is “copy”. It becomes.

  Therefore, when the management server 3 receives the file operation of the operation target file e, the management server 3 displays the operation log L113 including the diversion destination file “C: \ a” similar to the file path “C: \ a” in the operation target file e. Extract. Further, the management server 3 compares the diversion source file “G: \ a” and the diversion destination file “C: \ a” in the operation log L113, and acquires the accuracy “4” according to the comparison result. Further, the management server 3 extracts the operation log L112 including the diversion destination file “F: \ a” similar to the diversion source file “G: \ a” in the operation log L113. Then, the management server 3 compares the diversion source file “C: \ a” and the diversion destination file “F: \ a” in the operation log L112, and acquires the accuracy “4” according to the comparison result.

  That is, since the file names are the same even if the drive names are different, the original file can be identified by extracting the operation log of the original file related to the operation target file. Even if the file names are different, if the file names partially match, the operation log of the original file can be similarly extracted to specify the original file. As a result, the accuracy of the extracted operation logs L113 and L112 is extracted, and the operation restriction content corresponding to the average accuracy of the extracted accuracy is acquired. The management server 3 sets an operation policy of operation restriction content in the client terminal 2 that has executed the file operation on the operation target file. Then, in the client terminal 2, the operation for the executed file operation is restricted.

  FIG. 10 is an explanatory diagram showing an example when the same file in the shared folder in the file server is copied to a plurality of client terminals 2. For convenience of explanation, the files a and b have the same file contents and the same file name “\ aaa”. The client terminal 2A recognizes the shared folder as “\\ 192.168.0.3 \ aaa”. On the other hand, the client terminal 2B recognizes the shared folder as “\\ FileSV3 \ aaa”. Assume that the client terminals 2A and 2B copy the file a stored in the shared folder in the file server 7 as the file b.

  The operation log L121 when the client terminal 2A copies the file a as the file b shows that the diversion source file is “\\ 192.168.0.3 \ aaa”, the diversion destination file is “\\ 192.168.0.3 \ aaa”, and the operation classification Becomes "copy". The operation log L122 when the client terminal 2B copies the file a as the file b is “\\ FileSV3 \ aaa” for the diversion source file, “\\ FileSV3 \ aaa” for the diversion destination file, and “copy” for the operation classification. It becomes.

  Therefore, when the management server 3 accepts the file operation of the operation target file b, the diversion destination file “\\ 192.168.0.3 \ aaa” similar to the file path “\\ 192.168.0.3 \ aaa” in the operation target file b. Is extracted. Furthermore, the management server 3 compares the diversion source file “\\ 192.168.0.3 \ aaa” and the diversion destination file “\\ 192.168.0.3 \ aaa” in the operation log L121, and the accuracy “ 5 ”is acquired. Similarly, when the management server 3 receives the file operation of the operation target file b, the management server 3 includes an operation including the diversion destination file “\\ FileSV3 \ aaa” similar to the file path “\\ FileSV3 \ aaa” in the operation target file b. The log L122 is extracted. Further, the management server 3 compares the diversion source file “\\ FileSV3 \ aaa” and the diversion destination file “\\ FileSV3 \ aaa” in the operation log L122, and acquires the accuracy “5” according to the comparison result. To do.

  In other words, even if the folder names are different, the file names are the same, so the operation log of the original file related to the operation target file can be extracted to identify the original file. Even if the file names are different, if the file names partially match, the operation log of the original file can be similarly extracted to specify the original file. As a result, the accuracy of the extracted operation logs L121 and L122 is extracted, and the operation restriction content corresponding to the average accuracy of the extracted accuracy is acquired. The management server 3 sets an operation policy of operation restriction content in the client terminal 2 that has executed the file operation on the operation target file. Then, in the client terminal 2, the operation for the executed file operation is restricted.

  In the above-described embodiment, when a file operation is received, an operation log of a comparison target file including a file path of a diversion destination file similar to the file path of the diversion source file related to the file operation file is extracted. In the embodiment, the file paths of the diversion destination file and diversion source file related to the operation log of the extracted comparison target file are compared, and the operation related to the file operation is limited based on the comparison result. As a result, the management server 3 can specify the original file of the operation target file for the file operation, and can automatically set the operation policy for the file operation in consideration of the original file.

  In the above embodiment, every time a file operation is accepted, an average accuracy related to the operation target file is calculated, an operation policy corresponding to the average accuracy is set, and the file operation can be restricted based on this operation policy. That is, it is possible for the administrator to reduce the trouble of setting a policy for each highly confidential file.

  In the above embodiment, the average accuracy is calculated based on the accuracy of the trace result to the original file related to the operation target file, and the operation related to the file operation is limited based on the calculated average accuracy. As a result, it is possible to absorb fluctuations in accuracy by using the average accuracy from the original file to the operation target file, and to limit file operations with an operation policy suitable for the accuracy.

  Further, in the above embodiment, the operation policy management table 43 is used to obtain the operation restriction content corresponding to the average accuracy of the original file related to the operation target file, and the file operation is performed based on the operation policy of the operation restriction content. Can be limited.

  In the embodiment, even when a drive letter is changed in the same client terminal 2 and a file having the same content is copied, the original file of the operation target file is specified using the accuracy of the file paths. As a result, the management server 3 can automatically limit the file operation of the client terminal 2 that has executed the file operation on the operation target file.

  In the embodiment, even when the file is copied from the client terminal 2 to a portable external recording medium such as the USB memory 6 and the drive letter of the file is changed, the accuracy of the file path is used to determine the source of the operation target file. Identify the file. As a result, the management server 3 can automatically limit the file operation of the client terminal 2 that has executed the file operation on the operation target file.

  In the embodiment, even if the file in the client terminal 2 is copied to a portable external recording medium and the file on this external recording medium is copied to another client terminal 2 and the drive letter of the file is changed, You can identify the original file. As a result, the management server 3 can automatically limit the file operation of the client terminal 2 that has executed the file operation on the operation target file.

  In the above embodiment, the management server 3 restricts the file operation based on the operation policy set for the client terminal 2 that has executed the file operation. However, the management server 3 may directly restrict the file operation on the client terminal side that has executed the file operation based on the operation restriction content corresponding to the average accuracy related to the operation target file.

  In the above embodiment, the file operation is restricted based on the operation restriction content corresponding to the average accuracy related to the operation target file. However, the accuracy of the original file related to the operation target file, for example, a confidential document file may be calculated, and the file operation may be restricted based on the operation restriction contents corresponding to the calculated accuracy. In this case, it is possible to reduce the processing load for averaging the accuracy of a plurality of trace results related to the operation target file.

  In addition, each component of each part illustrated does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each part is not limited to the one shown in the figure, and all or a part thereof may be functionally or physically distributed / integrated in arbitrary units according to various loads and usage conditions. Can be configured.

  Furthermore, various processing functions performed in each device are performed on a CPU (Central Processing Unit) (or a microcomputer such as an MPU (Micro Processing Unit), MCU (Micro Controller Unit), etc.) in whole or in part. You may make it perform. Various processing functions may be executed entirely or arbitrarily on a program that is analyzed and executed by a CPU (or a microcomputer such as an MPU or MCU) or hardware based on wired logic. Needless to say.

  By the way, the various processes described in the present embodiment can be realized by executing a prepared program on a computer. In the following, an example of a computer that executes a program having the same function as that of the above-described embodiment will be described with reference to FIG. FIG. 11 is an explanatory diagram of a computer that executes an operation restriction management program.

  As shown in FIG. 11, the computer 200 as an operation restriction management program is configured by connecting a hard disk drive (HDD) 210, a random access memory (RAM) 220, a read only memory (ROM) 230, and a CPU 240 via a bus 250. Is done.

  The ROM 230 stores in advance a log management program that exhibits the same function as in the above-described embodiment. As shown in FIG. 11, the log management program includes a reception program 231, an extraction program 232, a first comparison program 233, a second comparison program 234, and a restriction program 235. Note that the programs 231 to 235 may be appropriately integrated or distributed in the same manner as each component of the management server 3 shown in FIG.

  Then, the CPU 240 reads these programs 231 to 235 from the ROM 230 and executes them. As shown in FIG. 11, the programs 231 to 235 function as a reception process 241, an extraction process 242, a first comparison process 243, a second comparison process 244, and a restriction process 245.

  The CPU 240 receives first identification information for identifying the first file that is the target of the first operation by the user. The CPU 240 extracts the operation log from the HDD 210 storing the operation log including the second identification information for identifying the second file that is the target of the second operation different from the operation. The CPU 240 compares the second identification information included in the operation log with the first identification information. Based on the result of this comparison, the CPU 240 compares the second identification information with the third identification information designated in advance. The CPU 240 restricts the first operation when the second identification information and the third identification information match. As a result, every time a file operation is accepted, operation restrictions for that file operation can be set automatically.

DESCRIPTION OF SYMBOLS 1 Operation restriction management system 2 Client terminal 3 Management server 41 Operation log database 42 File path accuracy table 44 Trace result storage part 51 Reception part 52 Extraction part 53 Comparison part 53A Accuracy calculation part 53B Specific file determination part 53C Average accuracy calculation part 54 Restriction Part

Claims (7)

On the computer,
A receiving step for receiving first identification information for identifying a first file that is a target of a first operation by a user;
The first operation log is extracted from the storage unit storing the first operation log including the second identification information for identifying the second file that is the target of the second operation different from the operation . an extraction step of,
A first comparison step of comparing the second identification information and the first identification information included in the first operation log;
A second extraction step for extracting a second operation log different from the first operation log from the storage unit based on the result of the first comparison step ;
A second comparison step of comparing the second identification information of the first operation log with the third identification information of the second operation log;
A third comparison step of comparing the second identification information with the pre-designated fourth identification information;
When the second identification information and the fourth identification information match, a limiting step of limiting the first operation is executed based on a result of the second comparison step. Operation restriction management program. In the computer,
Prior to the second comparison step, a first calculation step of calculating the first comparison based on the results of steps, the value of the first file and said second file is an association,
Before Symbol Based on the results of the second comparison step, a second calculation step of calculating the third file and other value indicating the relevant corresponding to the second file and the third identification information,
The operation restriction management program according to claim 1, wherein: Prior to the limiting step in the computer,
Based on the value and the other value, a determination step for determining a restriction content for performing the restriction is performed,
3. The operation restriction management program according to claim 2, wherein in the restriction step, a signal including the determined restriction content is transmitted to another computer operated by the user. In the determining step,
An average value of the value and the other value is calculated, and a storage unit that associates and stores a numerical value range and the restriction content with respect to the numerical value range is stored, and corresponds to the numerical value range including the average value. 4. The operation restriction management program according to claim 3, wherein the restriction contents are acquired. Prior to the accepting step in the computer,
Receiving the operation log from a client device communicating with the computer;
Storing the operation log in the storage unit;
The operation restriction management program according to claim 1, wherein the operation restriction management program is executed. A receiving unit that receives first identification information for identifying a first file that is a target of a first operation by a user;
A storage unit storing a first operation log including second identification information for identifying a second file that is a target of a second operation different from the operation;
From the storage unit, a first extraction unit that to extract the first operation log,
A first comparator for comparing the second identification information and the first identification information included in the first operation log,
A second extraction unit based on said first comparison unit comparing the result of extracting the second operation log which is different from the first operation log from the storage unit,
A second comparison unit that compares the second identification information of the first operation log with the third identification information of the second operation log;
A third comparison unit for comparing the second identification information with the previously specified fourth identification information;
A limiting unit that limits the first operation based on a comparison result of the second comparison unit when the second identification information and the fourth identification information match. Operation restriction management device. Computer that manages the operation restriction,
Receiving first identification information for identifying a first file that is a target of a first operation by a user;
Extracting the first operation log from the storage unit storing the first operation log including the second identification information for identifying the second file that is the target of the second operation different from the operation,
Compare the second identification information and the first identification information included in the first operation log,
Based on a comparison result between the second identification information and the first identification information, a second operation log different from the first operation log is extracted from the storage unit,
Compare the second identification information of the first operation log and the third identification information of the second operation log,
Comparing the second identification information with the pre-designated fourth identification information ;
Comparison with the previous SL when the second identification information and the fourth identification information matches, the third identification information of the second identification information and the second operation log of the first operation log Restrict the first operation based on
An operation restriction management method characterized by executing processing .

Images