JP6108344B2 - Access management apparatus, access management method and program - Google Patents

Description

  The present invention relates to an access management apparatus, an access management method, and a program.

  For example, as represented by smartphones and tablet terminals, portable terminal devices that can be connected to a network by wireless communication have become widespread. When such a portable terminal device accesses a server, a device, or the like that requires user authentication, it is common to use a user name and a password as in Patent Document 1, for example.

JP 2006-107277 A

  The mobile terminal device as described above can be connected not only to the Internet but also to a network such as an in-house wireless LAN (Local Area Network) closed within an organization such as a company. For this reason, companies and the like are paying attention to the ease of carrying portable terminal devices and the like, and connecting portable terminal devices to an in-house wireless LAN for use.

  However, in an environment where a portable terminal device is connected to an in-house wireless LAN and used, a user's portable terminal device that does not have a legitimate access authority due to a user's mistake or an unauthorized intention of a third party is It is necessary not to be connected with. For connection to such a network, user authentication using a user name and a password is generally performed as in Patent Document 1, but in such user authentication, if a user name and a password are leaked. There is an aspect that anyone can access.

To increase security in this regard, for example, for mobile terminal devices, access restrictions are strengthened by reducing the number of accessible files, applications, devices, etc., compared to other stationary terminal devices. Conceivable.
However, if the restrictions are tightened as described above, the mobile terminal device cannot be accessed even though it is necessary for business, for example, and eventually it must move to a stationary terminal device and use it. Inconvenient situations can arise, such as having to. In other words, simply strengthening the access restriction impairs the advantage of the portable terminal device that it can be easily carried and used, and hinders the smooth progress of business.

  The present invention has been made in view of such circumstances, and appropriately sets a range that can be accessed by the mobile terminal device without reducing security against unauthorized connection of the mobile terminal device to the network in the facility. The purpose is to be able to.

In order to solve the above-described problem, an access management device according to an aspect of the present invention includes a communication unit that performs communication with a mobile terminal device via a wireless network, and user authentication information received from the mobile terminal device. A user authentication unit that executes user authentication processing for a user of the mobile terminal device, a position information acquisition unit that acquires position information indicating the position of the user in the facility, and the access authority of the user for whom user authentication is established An access authority setting unit that is set based on the location information acquired by the location information acquisition unit, and whether or not the mobile terminal device can access resources on the network according to the access authority set by the access authority setting unit. and an access control unit that, the access authority setting section, in response to receiving a user group setting request, the Yu A user group to which the user indicated by the position information belongs to a certain area including the position indicated by the position information of the user of the mobile terminal device that is the transmission source of the group setting request belongs, and the user belongs to the user group The access authority is set so that information that should be shared among users is not shared by users who do not belong to the user group, and the access control unit transmits / receives data between portable terminal devices of users belonging to the user group Is controlled so that it cannot be accessed from a portable terminal device of a user who does not belong to the user group.

  The access management apparatus of the present invention further comprises a user-corresponding access authority information storage unit that stores user-corresponding access authority information indicating access authority corresponding to each combination of a user identifier and a location in the facility, and the access authority The setting unit selects the access authority corresponding to the combination of the user identifier of the user for whom user authentication has been established and the position indicated by the position information acquired by the position information acquisition unit from the user-corresponding access authority information, and selects Access authority may be set.

  In the access management apparatus of the present invention, a user group-corresponding access authority that stores user group-corresponding access authority information indicating access authority corresponding to each combination of the user identifiers of the plurality of users belonging to the user group and the location in the facility. The access authority setting unit further includes an access authority corresponding to a combination of a user identifier of a user for whom user authentication has been established and a location indicated by the location information acquired by the location information acquisition unit. The selected access authority may be set by selecting from the group-corresponding access authority information.

According to another aspect of the present invention, an access management method includes: a user authentication step for executing a user authentication process for a user of a mobile terminal device based on user authentication information received from the mobile terminal device via a wireless network; A position information acquisition step for acquiring position information indicating the position of the user in the facility, and an access authority setting step for setting the access authority of the user for whom user authentication has been established based on the position information acquired by the position information acquisition step And an access control step for controlling whether or not the mobile terminal device can access the resources on the network according to the access authority set in the access authority setting step, wherein the access authority setting step includes a user group setting request In response to receiving the user group setting request A user group to which the user indicated by the position information belongs to an area in a certain range including the position indicated by the position information of the user of the transmission source mobile terminal device is set and shared among the users belonging to the user group The access authority is set so that the information to be shared is not shared by users who do not belong to the user group, and the access control step is configured such that data transmitted and received between the mobile terminal devices of the users belonging to the user group is transmitted to the user group. Control is performed so that access is not possible from a portable terminal device of a user who does not belong.

Further, a program as one aspect of the present invention is a user authentication step for executing a user authentication process for a user of a mobile terminal device based on user authentication information received from a mobile terminal device via a wireless network. A position information acquisition step for acquiring position information indicating the position of the user in the facility, and an access authority setting for setting the access authority of the user for whom user authentication has been established based on the position information acquired by the position information acquisition step steps and, in accordance with the access rights set by the access authority setting step, I der intended for executing an access control step of controlling whether the access of the mobile terminal device to a resource on the network, the access The authority setting step is for receiving user group setting requests. And setting a user group to which the user indicated by the position information belongs to an area within a certain range including the position indicated by the position information of the user of the mobile terminal device that is the transmission source of the user group setting request. An access authority is set so that information that should be shared among users belonging to the group is not shared by users who do not belong to the user group, and the access control step is performed between portable terminal devices of users belonging to the user group. Control is performed so that transmitted / received data cannot be accessed from a portable terminal device of a user who does not belong to the user group.

  As described above, according to the present invention, it is possible to appropriately set the accessible range of the mobile terminal device without reducing the security against unauthorized connection of the mobile terminal device to the network in the facility. The effect is obtained.

It is a figure which shows the structural example of the network system in this embodiment. It is a figure which shows the example of a division of the area | region in a facility. It is a figure which shows the structural example of the portable terminal device in this embodiment. It is a figure which shows the structural example of the access management apparatus in this embodiment. It is a figure which shows the structural example of the user information storage part in this embodiment. It is a figure which shows the structural example of the user separate information table in this embodiment. It is a figure which shows the structural example of the user group information table in this embodiment. It is a figure which shows the structural example of the authentication condition information in this embodiment. It is a figure which shows the structural example of the access authority information storage part in this embodiment. It is a figure which shows the example of the content of the access class table in this embodiment. It is a figure which shows the example of the content of the user corresponding | compatible access authority information in this embodiment. It is a figure which shows the example of a process sequence which the access management apparatus in 1st Embodiment performs. It is a figure which shows the example of a process sequence which the access management apparatus in 2nd Embodiment performs.

<First Embodiment>
[Network system configuration example]
FIG. 1 shows a configuration example of a network system including an access management apparatus according to the present embodiment.
The facility FC in this figure is, for example, inside a building and is used by a certain company. In this facility FC, for example, users Y who work at this company carry mobile terminal devices 100 respectively.
The mobile terminal device 100 has a wireless communication function corresponding to, for example, a wireless LAN (Local Area Network) which is one of wireless networks. The mobile terminal device 100 performs wireless communication with the wireless LAN base station 310 provided in the facility FC by this wireless communication function. As a result, it is possible to access devices (including other portable terminal devices 100), servers, and the like that are connected to a closed network constructed including the wireless LAN in the facility FC.

Further, the user Y possesses the position transmitter 210 when entering the facility FC. This position transmitter 210 detects its own position.
The position transmitter 210 stores the user ID of the user who is the owner. The position transmitter 210 transmits the user ID stored therein together with the position information indicating the detected position to the position information unit 220. This position information is information indicating the position of the user who owns the position transmitter 210.
In addition, the position transmitter 210 performs a position detection operation and transmission of position information as a detection result at predetermined time intervals, for example.

The location information unit 220 transmits the received location information to the access management apparatus 500 via a predetermined communication network. The method and method for detecting the position of the position transmitter 210 is not particularly limited. For example, IMES (Indoor Messaging System), visible light communication, infrared communication, wireless LAN, RFID tag, etc. are used. Techniques and methods for indoor positioning can be adopted.
In addition, this figure shows a mode in which the location information unit 220 and the access management device 500 are connected by a communication network different from the in-house wireless LAN. You may connect by in-house wireless LAN.

Each user Y possesses an IC (Integrated Circuit) card 150. The IC card 150 is used, for example, when entering or leaving the facility FC. That is, for example, the user identifier of the user who is the owner is written in the IC card 150. An IC card reader 160 is installed at the entrance of the facility FC.
When the user Y enters the facility FC, the user ID written in the IC card 150 possessed by the user Y is read by the IC card reader 160. The IC card reader 160 generates, for example, entrance information in which the current time (entry time) is added to the read user ID and transmits it to the access management apparatus 500.
When the user Y leaves the facility FC, the user ID written in the IC card 150 possessed by the user Y is read by the IC card reader 160. The IC card reader 160 generates exit information in which the current time (exit time) is added to the read user ID, for example, and transmits the generated exit information to the access management apparatus 500.

When the wireless LAN base station 310 receives data transmitted from the mobile terminal device 100 in the facility FC, the wireless LAN base station 310 transfers the data to the wireless LAN control device 320. The wireless LAN control device 320 performs route control (routing) on the wireless LAN in the facility FC.
For example, the wireless LAN control device 320 further transfers the data transferred from the wireless LAN wireless LAN base station 310 to the destination device via the wireless LAN base station 310 again. For example, when the mobile terminal device 100 having access authority accesses the file server 400, the wireless LAN control device 320 performs path control so that the mobile terminal device 100 is connected to the file server 400.
The file server 400 is a server that provides information such as a file used by the mobile terminal device 100 in the facility FC, for example.

  The access management device 500 sets the access authority for each portable terminal device 100 in the facility FC. In setting the access authority, the access management device 500 uses a user name (user account) and password transmitted by the mobile terminal device 100 for user authentication, and location information indicating the location of the mobile terminal device 100.

[Access privilege setting example]
With reference to FIG. 2, an example of setting access authority by the access management apparatus 500 of this embodiment will be described.
FIG. 2 is a view of a certain floor in the facility FC as seen from the plane direction. As shown in the figure, the facility FC has, for example, a total of seven areas: a hall, a corridor, an office room 1, an office room 2, a meeting room, a boardroom, and a secret area that is a partial area in the boardroom. It is divided into.

In the present embodiment, an area ID is set for each area partitioned in the facility FC. In the example of FIG. 2, the area ID = 0 is set for the entrance hall, the area ID = 1 is set for the corridor, the area ID = 2 is set for the office 1, and the area ID = 3 is set for the office 2. The area ID = 4 is set for the conference room, the area ID = 5 is set for the executive room, and the area ID = 6 is set for the top secret area.
In the present embodiment, a class (access class) related to the access authority is set for each area partitioned in the facility FC.

In the example of FIG. 2, the access class is defined in five levels: “public”, “office”, “restricted”, “confidential”, and “secret” in order from the lowest confidentiality of the accessible information. Corresponds to the case.
The access class of “public” is set corresponding to a highly public area such as an entrance hall or a corridor where an outsider such as a visitor may also exist.
The access class of “office” is set corresponding to an area where normal work is performed, such as office room 1 or office room 2. In such an area, since various types of information relating to business are required, the confidentiality of information exchanged is increased compared to, for example, an entrance hall or a corridor. That is, the access class of “office” is set in an area with higher secrecy than “public”.
In the “restricted” access class, there is a possibility that special information other than general office work may be exchanged, such as a conference room, and the office 1 and office 2 with the “office” access class set. It is set corresponding to a region where the secrecy is further increased as compared with.
The access class of “confidential” is set in an area that requires information important to a company that should be kept secret for general employees, such as a boardroom. That is, the “confidential” access class is set to an area with higher secrecy than the “restricted” access class, for example.
The access class of “secret” is set in an area that requires information very important to a company, such as a place where a desk is placed in a boardroom. Therefore, the “secret” access class has the highest confidentiality among the five access classes.

And the access management apparatus 500 sets the access authority according to the access class set to the division containing the position where this user Y exists about the user Y who has the portable terminal device 100 with which user authentication was materialized.
As an example, the case where the access authority is set to five levels of level 1, level 2, level 3, level 4, and level 5 from low to high confidentiality will be described as an example.
Level 1 allows access to only files that have little confidentiality such as company information that can be viewed even by outsiders, for example, by taking a file stored in the file server 400 as an example. Level access authority.
Level 2 is an access authority of a level that permits access to a confidential file used by a general employee for business or the like.
Level 3 is an access authority of a level that permits access to a file having higher secrecy than level 2 used in, for example, a conference.
Level 4 is an access authority of a level that permits access to a file with higher secrecy than level 3 used by, for example, executives.
Level 5 is an access authority at a level that permits access to a file treated as having the highest confidentiality in the company, for example.
For example, for resources such as files provided in the file server 400 and nodes on an in-house network, any one of the above levels 1 to 5 is taken into consideration in view of its high confidentiality. Level is set.

As an example, the access management apparatus 500 sets access authority for the user Y who is an executive as follows.
In other words, in the area where the access class is “public”, an access authority that allows access to only level 1 files is set.
In the area where the access class is “office”, an access authority that allows access to level 1 and level 2 files is set.
In the area where the access class is “restricted”, an access authority capable of accessing level 1, level 2 and level 3 is set.
In the area where the access class is “confidential”, an access right that allows access to files of level 1, level 2, level 3, and level 4 is set.
In the area where the access class is "secret", set the access authority for all files. That is, the access management apparatus 500 sets an access authority that allows access to files of level 1, level 2, level 3, level 4, and level 5. Then, the access management device 500 controls whether or not the portable terminal device 100 of the executive user Y can be accessed according to the access authority set as described above.

In the case of the setting example described above, in the area where the access class is “public”, the mobile terminal device 100 serving as an executive can access only the level 1 file. For this reason, for example, in the area where the access class is “public”, Even if you are with an outsider, you can avoid accidentally accessing a confidential file and leaking that information.
Then, the user who is an executive moves to a highly confidential place, so that the executive portable terminal device 100 can access a file at a level corresponding to the access class at that place. For example, if you enter a boardroom, you can access Level 4 and Level 5 files.

Further, the access management apparatus 500 sets the access authority as follows for a user who is a general employee, for example.
In other words, in the area where the access class is “public”, an access authority that allows access to only level 1 files is set.
In the area where the access class is “office”, an access authority that allows access to level 1 and level 2 files is set. Thereby, if the employee's portable terminal device 100 is in the office 1 or 2, the employee's portable terminal device 100 can access files necessary for normal work.
In the area where the access class is “restricted”, the access authority that can access the files of level 1, level 2 and level 3 is set. As a result, the employee's portable terminal device 100 can also access the level 3 file during a conference in a conference room, for example.
In the area where the access class is “confidential”, an access right that allows access to level 1 and level 2 files is set. That is, the mobile terminal device 100 of a general employee cannot access a level 4 file even in a boardroom. Further, if the employee is in the area of the “confidential” access class, this means that the employee is not in the conference room, and therefore the employee's mobile terminal device 100 cannot access the level 3 file.
Even in the area where the access class is “secret”, the access authority that allows access to the level 1 and level 2 files is set for the same reason as in the area where the access class is “confidential”.

As described above, in the present embodiment, for the user of the mobile terminal device 100 for which user authentication has been established, according to the confidentiality of the section in the facility FC where the user is located, Access authority is set. Thereby, in this embodiment, a user's access authority is set appropriately, without reducing the security regarding the connection to the network of the portable terminal device in a facility.
In addition, in the present embodiment, as described above, even for the same access class, for example, for each user Y, different access authorities can be set for each content. As a result, for example, for each of a plurality of users Y in the same facility FC, it is possible to set an appropriate access authority for each area according to the status or business content, and the work can be performed while maintaining security. Smoothing can be further promoted.

[Configuration example of portable terminal device]
With reference to FIG. 3, the structural example of the portable terminal device 100 is demonstrated.
A mobile terminal device 100 shown in this figure includes a communication unit 101, a control unit 102, a user authentication information storage unit 103, an operation unit 104, and a display unit 105.
The communication unit 101 executes communication with other devices and servers connected to the in-house network via a wireless LAN.

The control unit 102 executes various controls in the mobile terminal device 100. The function as the control unit 102 can be realized by, for example, a CPU (Central Processing Unit) executing a program.
The user authentication information storage unit 103 stores user authentication information that the mobile terminal device 100 transmits to the access management apparatus 500 in order to receive user authentication. The user authentication information includes, for example, the user name and password of the user of the mobile terminal device 100.

  For example, when the user enters the facility FC while holding the portable terminal device 100 logged out from the in-house wireless LAN, for example, the communication unit 101 of the portable terminal device 100 uses the wireless LAN base station 310 as an access point in-house. Detect LAN. Therefore, the control unit 102 reads the user authentication information from the user authentication information storage unit 103 and transmits a user authentication request including the read user authentication information from the communication unit 101. The wireless LAN control device 320 receives the user authentication request transmitted from the mobile terminal device 100 via the wireless LAN base station 310 and transfers it to the access management device 500. The access management apparatus 500 executes user authentication processing using user authentication information included in the received user authentication request.

The operation unit 104 collectively indicates operators and operation devices provided for the mobile terminal device 100. For example, when the mobile terminal device 100 includes a touch panel integrated with the display unit 105, the touch panel is also included in the operation unit 104.
The display unit 105 is provided so that the screen is displayed on the mobile terminal device 100. The display unit 105 displays an image according to the control of the control unit 102.

[Configuration example of access management device]
Next, a configuration example of the access management apparatus 500 will be described with reference to FIG.
An access management apparatus 500 shown in FIG. 4 includes a location information server 510 and an authentication server 520.
The location information server 510 acquires the location information of the mobile terminal device 100 transmitted from the location information unit 220. The location information server 510 includes a location information acquisition unit 511, a location information transmission unit 512, and a location history storage unit 513.

The position information acquisition unit 511 acquires position information indicating the position of the user Y in the facility FC. That is, the position information unit 220 transmits the position information of the user Y acquired by communication with the position transmitter 210 to the position information server 510 together with the user ID. The position information acquisition unit 511 acquires the position information transmitted in this way and passes it to the position information transmission unit 512.
The position information transmission unit 512 transmits the position information transferred from the position information acquisition unit 511 to the authentication server 520.

In addition, the position information acquisition unit 511 stores the acquired position information history in the position history storage unit 513 in association with each user ID.
The position history storage unit 513 stores a history of position information (position history information) acquired by the position information acquisition unit 511 in association with each user ID, for example.

Further, the position information acquisition unit 511 receives the entrance information or the exit information for each user Y in the facility FC acquired by the IC card reader 160 through communication with the IC card 150. These entrance information and exit information can also be handled as position information indicating whether or not the user Y exists in the facility FC.
The position information acquisition unit 511 also stores the acquired entry information and exit information of the user Y in the position history storage unit 513 so as to be included in the position history information associated with the user ID.
The location information transmission unit 512 appropriately transmits the location history information stored in the location history storage unit 513 to the authentication server 520 in response to a request from the access management device 500.

The authentication server 520 executes user authentication with the mobile terminal device 100 and setting of access authority based on the location information of the user of the mobile terminal device 100 for which user authentication has been established.
For this purpose, the authentication server 520 includes a communication unit 521, a user authentication unit 522, a user information storage unit 523, an authentication status information storage unit 524, an access authority setting unit 525, an access authority information storage unit 526, and an access authority setting information storage unit. 527 and an access control unit 528.

  The communication unit 521 executes communication with the mobile terminal device 100 via an in-house wireless LAN. Note that the communication unit 521 communicates with the mobile terminal device 100 in the facility FC via the wireless LAN control device 320 shown in FIG.

The user authentication unit 522 executes user authentication processing for the user of the mobile terminal device 100 based on the user authentication information received from the mobile terminal device 100.
The user authentication request transmitted by the mobile terminal device 100 is received by the communication unit 521. In response to receiving the user authentication request, the user authentication unit 522 executes user authentication processing, for example, as follows.
That is, the user authentication unit 522 determines whether there is user information that matches the combination of the user name and password included in the user authentication request among the user information stored in the user information storage unit 523. Authentication. In terms of security, portable terminal device 100 preferably encrypts and transmits user authentication information. When the user authentication information is encrypted as described above, the user authentication unit 522 performs user authentication processing after decrypting the received user authentication information.

  The user information storage unit 523 stores user information. In addition, in the in-house network in the present embodiment, user groups of two or more users can be registered. The user information storage unit 523 stores, as user information, a user individual information table that stores user information for each individual user, and a user group information table that stores user group information that is information in units of user groups.

FIG. 5 shows a configuration example of the user information storage unit 523. As shown in this figure, the user information storage unit 523 includes, for example, a user individual information table storage unit 531 and a user group information table storage unit 532.
The user individual information table storage unit 531 stores a user individual information table.
The user group information table storage unit 532 stores a user group information table.

FIG. 6 shows a structural example of the user individual information table stored in the user individual information table storage unit 531.
As shown in this figure, the user individual information table stores user individual information in which a user ID and authentication information are associated with each individual user.
The user ID is an identifier that uniquely identifies the user Y.
The authentication information is information including a user name, a password, and the like registered in advance for each user. The user authentication unit 522 searches for authentication information in the user individual information table that matches the authentication information received together with the user authentication request. In the user individual information table, if there is matching authentication information, the authentication is established, and if there is no matching authentication information, the authentication is not established.

FIG. 7 shows a structural example of a user group information table stored in the user group information table storage unit 532.
The user group information table stores user group information including a user group ID, a belonging user, and a user group designation corresponding to each registered user group.
The user group ID is an identifier that uniquely identifies the user group.
The affiliation user indicates the user ID of the user belonging to the corresponding user group.
The user group designation indicates whether or not the access authority setting corresponding to the user group is currently valid. When the user group designation indicates invalidity, an individual access authority is set for the user Y belonging to the user group. When the user group designation indicates “valid”, the access authority corresponding to the user group is set for the users belonging to the user group.
The user group designation may be such that, for example, the user Y who has the setting authority for the validity / invalidity of the user group is set to be valid / invalid by the operation of the mobile terminal device 100.

In FIG. 4, the authentication status information storage unit 524 stores user authentication status information indicating the current status of user authentication for each user Y.
When the user authentication is established, the user authentication unit 522 generates authentication establishment user information for the user for which the authentication is established. This authentication establishment user information includes the user ID read from the user individual information table, the terminal ID of the mobile terminal device 100 that is the transmission source of the user authentication request, and the time when the authentication is established (login time).
Then, the user authentication unit 522 additionally registers the authentication establishment user information generated in this way in the authentication status information storage unit 524.

  FIG. 8 shows an example of the structure of authentication status information stored in the authentication status information storage unit 524. As shown in this figure, the authentication status information stores authentication establishment user information in which a terminal ID and a login time are associated with a user ID for each user for whom authentication is currently established. The terminal ID attribute indicates the terminal ID of the mobile terminal device 100 that is the transmission source of the user authentication information for the corresponding user. The login time attribute indicates, for example, the time when authentication is established.

  The user authentication unit 522 deletes the authentication establishment user information corresponding to the logged out user from the authentication status information storage unit 524 in response to, for example, a logout request from the mobile terminal device 100 or a timeout after login. Thus, the authentication status information storage unit 524 always stores only the authentication establishment user information of the user of the mobile terminal device 100 currently logged in to the in-house network. That is, the authentication status information is information indicating a user who is logged in to the in-house network.

  In FIG. 4, the access authority setting unit 525 sets the access authority of the user for whom user authentication has been established based on the location information acquired by the location information acquisition unit 511. At this time, the access authority setting unit 525 uses information stored in the access authority information storage unit 526.

FIG. 9 shows a configuration example of the access authority information storage unit 526. The access authority information storage unit 526 shown in this figure includes an access class table storage unit 541, a user-corresponding access authority information storage unit 542, and a user group-corresponding access authority information storage unit 543.
The access class table storage unit 541 stores an access class table. The access class table is a table indicating access classes set for each area partitioned in the facility FC illustrated in FIG. The access class is, for example, a class (class) of access authority set according to the level of confidentiality.

FIG. 10 shows an example of the contents of the access class table stored in the access class table storage unit 541.
The access class table shown in this figure shows access classes for each of the seven areas partitioned in the facility FC of FIG. One record in the access class table indicates the setting contents for one section, and one record includes an area name, an area ID, an area range, and an access class attribute.
The area name attribute indicates the name of the corresponding area. The area ID attribute indicates the area ID assigned to the corresponding area. The region range attribute indicates a physical range in the facility FC for the corresponding region. There are various ways to indicate this area range. As an example, when the shape in the planar direction of each region is a quadrangle, the X axis and the Y axis are made to correspond to the planar direction of the floor of the facility FC as shown in FIG. In addition, the physical range of the region can be indicated by the X and Y coordinates of the four vertices of the quadrangle that is the planar shape of each region.
The access class attribute indicates what access class is set in the corresponding area.

The contents of the access class table in FIG. 10 correspond to the setting contents exemplified in FIG.
That is, the area ID = 0 is set in the entrance hall area, and “public” is set as the access class. Area ID = 1 is set in the hallway area, and “public” is set as the access class. Area ID = 2 is set in the area of office room 1, and “office” is set as the access class. An area ID = 3 is set in the area of the office 2 and “office” is set as the access class. Area ID = 4 is set in the area of the conference room, and “restricted” is set as the access class. Area ID = 5 is set in the executive room area, and “confidential” is set as the access class. Area ID = 6 is set in the top secret area, and “secret” is set as the access class.

  Next, in FIG. 9, the user-corresponding access authority information storage unit 542 stores user-corresponding access authority information. The user-corresponding access authority information indicates the content of access authority set for each access class for an individual user.

FIG. 11 shows an example of the contents of the user-corresponding access authority information. The user-corresponding access authority information shown in this figure shows the access authority contents corresponding to the access classes of “public”, “office”, “restricted”, “confidential”, and “secret” for each user ID. Yes.
In FIG. 11, a user Y whose user ID is “0000” indicates the setting content corresponding to the general employee described in FIG. 2.
That is, the access authority corresponding to the “public” access class indicates that the file of level 1 can be accessed.
The access authority corresponding to the access class of “office” indicates that access to level 1 and level 2 files is possible.
The access authority corresponding to the “restricted” access class indicates that the files of level 1, level 2 and level 3 can be accessed.
The access authority corresponding to the “confidential” access class indicates that the file of level 1 and level 2 can be accessed.
The access authority corresponding to the access class “secret” indicates that access to level 1 and level 2 files is possible.

In addition, in FIG. 11, a user Y whose user ID is “0001” indicates the setting content corresponding to the executive employee described in FIG. 2.
That is, the access authority corresponding to the “public” access class indicates that the file of level 1 can be accessed.
The access authority corresponding to the access class of “office” indicates that access to level 1 and level 2 files is possible.
The access authority corresponding to the “restricted” access class indicates that the files of level 1, level 2 and level 3 can be accessed.
The access authority corresponding to the access class “confidential” indicates that the files of level 1, level 2, level 3, and level 4 can be accessed.
The access authority corresponding to the access class “secret” indicates that the files of level 1, level 2, level 3, level 4, and level 5 can be accessed.

  Thus, in this embodiment, after defining a common access class for each area partitioned in the facility FC, different access authority contents are set for each access class for each user in the user-corresponding access authority information. can do. Thereby, the access authority according to each area can be set with a high degree of freedom in accordance with the position or situation of the user in the company.

Next, the user group-corresponding access authority information storage unit 543 in FIG. 9 stores user group-corresponding access authority information. The user group-corresponding access authority information indicates the content of the access authority set for each access class for the user group.
The structure of the user group access authority information may be based on the user access authority information shown in FIG. 11, for example. That is, in the structure of FIG. 11, instead of the user ID, the user group ID set for each user group is stored. Then, the contents of access authority corresponding to each access class of “public”, “office”, “restricted”, “confidential”, and “secret” may be stored in association with one user group ID.
In this way, even in the access authority information corresponding to the user group, by setting different access authority contents for the access class for each user, the access authority corresponding to each area with a high degree of freedom for each user group. Can be set.

For example, in a state where user authentication is established for the user Y with the user ID “0000”, when the position transmitter 210 of the user Y transmits position information, the position information acquisition unit 511 acquires the position information. Is done.
The access authority setting unit 525 refers to the access class table stored in the access class table storage unit 541 as the location information acquisition unit 511 acquires the location information of the user Y. Thereby, the access authority setting unit 525 specifies an area in the facility FC including the position indicated by the acquired position information, and specifies an access class associated with the specified area.
Next, the access authority setting unit 525 specifies as described above in the access class corresponding to the user ID “0000” in the user access authority information stored in the user access authority information storage unit 542. Select the access authority associated with the access class. The access authority setting unit 525 sets the access authority selected in this way as a setting result.

  When setting the access authority corresponding to the user group, the access authority setting unit 525 refers to the user group-corresponding access authority information stored in the user group-corresponding access authority information storage unit 543 instead of the user-corresponding access authority information. To do. Thereby, for the user Y, not the access authority corresponding to each user but the access authority corresponding to the user group to which the user Y belongs is set.

  Note that the user-corresponding access authority information shown in FIG. 11 uses a file as an example of a resource on the network to which access is set according to the access authority. However, the resources on the network for which access permission is set according to the access authority are not limited to files. For example, even if access permission is set for each node such as a server, router, or various devices. Good. Further, whether to link to the in-house wireless LAN itself may be set.

Whether to set the user-specific access authority or the user group-compatible access authority for the user Y may be determined as follows.
That is, the access authority setting unit 525 identifies which user group the user ID of the access authority setting target user belongs to with reference to the user group information in FIG. Then, the access authority setting unit 525 refers to the user group designation attribute associated with the user group specified in the user group information. If the referred user group designation indicates “invalid”, the access authority for each user is set, and if it indicates “valid”, the access authority corresponding to the user group is set.

The access authority setting unit 525 stores the access authority set as described above in the access authority setting information storage unit 527.
The access authority setting information storage unit 527 stores the contents of the access authority for each user set by the access authority setting unit 525.

The access control unit 528 controls whether the mobile terminal device 100 can access resources on the network according to the access authority set by the access authority setting unit 525.
For example, it is assumed that a certain mobile terminal device 100 makes an access request for accessing a file that cannot be accessed depending on the currently set access authority. This access request is transferred from the wireless LAN base station 310 to the access management device 500 via the wireless LAN control device 320, for example.

In response to the access request being received by the access management apparatus 500, the access control unit 528 determines whether to permit or prohibit access in response to the access request.
For this purpose, the access control unit 528 specifies the user ID of the user Y of the mobile terminal device 100 that is the current access request transmission source by referring to the authentication status information stored in the authentication status information storage unit 524. Next, the access control unit 528 refers to the access authority setting information storage unit 527 and recognizes the content of the access authority set for the specified user ID. Then, the access control unit 528 determines whether or not the access request received this time corresponds to the access authority recognized as described above.

For example, when the access request is an access request for a file, the access control unit 528 indicates that the access at the same level as the file set in the file can be accessed. It is determined whether or not. If the access authority indicates that access is possible, the access control unit 528 determines that access should be permitted.
On the other hand, if the access authority does not indicate that access is possible, it is determined that access should be prohibited.
Specifically, it is assumed that level 3 is set for a file for which access is requested in a state where the access authority setting unit 525 is set to allow access to files of levels 1, 2, and 3. In this case, the access control unit 528 determines that access should be permitted.
On the other hand, it is assumed that level 4 is set for a file requested to be accessed in a state where the access authority setting unit 525 is set to allow access to files of levels 1, 2, and 3. In this case, the access control unit 528 determines that access should be prohibited.

If the access control unit 528 determines that access should be prohibited, the access control unit 528 discards the access request received this time. As a result, the file is not transferred in response to the access request, and access is restricted.
On the other hand, when it is determined that access should be permitted, the access control unit 528 transfers the access request received this time from the wireless LAN control device 320 to the access request destination. As a result, the data in response to the access request is transmitted to the requesting mobile terminal device 100 and accessed.
In this way, the access control unit 528 determines whether or not access is possible according to an access request, for example, and executes control according to the determination result. Thereby, the access control unit 528 can realize access restriction for each portable terminal device 100 in accordance with the access authority set by the access authority setting unit 525.

[Example of processing procedure]
FIG. 12 shows an example of a processing procedure executed by the access management apparatus 500 in the first embodiment.
First, the user authentication unit 522 waits for a user authentication request transmitted from the mobile terminal device 100 to be received (step S101—NO).
In response to the user authentication request received by the communication unit 521 (step S101—YES), the user authentication unit 522 uses the user name and password included in the user authentication request received in step S101 this time. An authentication process is executed (step S102).
In this user authentication process, for example, if there is user information that matches the combination of the user name and password included in the user authentication request among the user information stored in the user information storage unit 523, the authentication is established. On the other hand, if the user information storage unit 523 does not have user information that matches the combination of the user name and password included in the user authentication request, the authentication is not established.

The user authentication unit 522 determines whether or not authentication is established as a result of the user authentication process in step S102 (step S103).
When authentication is not established (step S103—NO), authentication establishment user information corresponding to the current user authentication request is not registered in the authentication status information storage unit 524. The access authority setting unit 525 sets the user Y for which the authentication establishment user information is not stored in the authentication status information storage unit 524 as having no authority to access the in-house wireless LAN (step S109). That is, in this case, the state where the user is logged out is maintained. After finishing the process of step S109, the access authority setting unit 525 returns the process to step S101.

On the other hand, when the authentication is established (step S103—YES), the user authentication unit 522 registers the authentication establishment user information corresponding to the current user authentication request in the authentication status information storage unit 524. The fact that the authentication establishment user information is registered in the authentication status information storage unit 524 indicates that the user Y is logged in.
Accordingly, the access authority setting unit 525 sets the user Y whose authentication establishment user information is stored in the authentication status information storage unit 524 as an access authority setting target.

When setting the access authority for the access authority setting target user Y, the access authority setting unit 525 determines whether or not the user Y is currently entering the facility FC (step S104).
For this purpose, the access authority setting unit 525 acquires, from the position information transmission unit 512, the position history information of the user ID corresponding to the access authority setting target user among the position history information stored in the position history storage unit 513. . The access authority setting unit 525 determines that an entry is in progress if the acquired location history information includes an entry record. On the other hand, if there is no entry record in the acquired position history information, it is determined that the entry is not in progress.

When it is determined that the access authority setting target user Y is not entering (step S104—NO), there is a possibility that the access authority setting target user Y has left the facility FC while the mobile terminal device 100 remains in the login state. is there. Alternatively, there is a possibility that a person different from the user Y whose access authority is set is attempting to log in illegally.
In such a case, the access authority setting unit 525 sets that the user who has made the current user authentication request has no authority to access the in-house wireless LAN (step S109). Thereby, thereafter, the mobile terminal device 100 that is the transmission source of the current user authentication request cannot be connected to the wireless LAN. This corresponds to, for example, a state where the user is logged out from the in-house network.

On the other hand, when it is determined that the user Y who made the user authentication request is entering (step S104-YES), the access authority setting unit 525 can receive the location information of the user Y for which the access authority is set within a certain time. It is determined whether or not (step S105).
If the position information is not received within a certain time (step S105—NO), the user Y who has performed user authentication may have forgotten to have the position transmitter 210. Alternatively, the person may be an unauthorized person such as an outsider who cannot carry the position transmitter 210.
In this case, the access authority setting unit 525 sets that there is no access authority to the wireless LAN (step S109).

On the other hand, if the location information is received within a certain time (step S105-YES), the access authority setting unit 525 further sets the access authority corresponding to the user group for the user Y that is the access authority setting target at present. It is determined whether or not (step S106).
In this determination, as described above, the access authority setting unit 525 refers to the user group information in FIG. 7, and the attribute of the user group designation associated with the user group to which the user Y subject to access authority belongs is “valid. "Or" invalid "may be determined.

When the setting of access authority corresponding to the user group is invalid (step S106-NO), the access authority setting unit 525 sets the access authority for each user (step S107). That is, the access authority setting unit 525 sets the access authority with reference to the access class table stored in the access class table storage unit 541 and the user access authority information stored in the user access authority information storage unit 542. .
On the other hand, when the access authority setting corresponding to the user group is valid (step S106-YES), the access authority setting unit 525 sets the access authority corresponding to the user group (step S108). That is, the access authority setting unit 525 refers to the access class table stored in the access class table storage unit 541 and the user group corresponding access authority information stored in the user group corresponding access authority information storage unit 543 to determine the access authority. Set.
After completing the process of step S107 or S108, the access authority setting unit 525 returns the process to step S104.

<Second Embodiment>
[Overview]
Next, the second embodiment will be described.
In the first embodiment, user groups are registered in advance by the user group information table of FIG. Under this environment, for example, in response to the setting of the access authority corresponding to the user group being validated in response to a request from the group member, the access authority setting unit 525 allows the user Y belonging to the user group to Access permissions for groups were set.

On the other hand, in the second embodiment, a temporary user group (temporary user group) by a plurality of users gathered at an arbitrary place in the facility FC can be set. Thereby, for example, a user group by a plurality of users who urgently gather at the same place in the facility FC can be set without taking time and effort to register the user group information.
By setting the temporary user group in this way, information transmitted and received between the mobile terminal devices 100 of the user Y belonging to the temporary user group is prevented from being received by users who do not belong to the temporary user group. Route control on the network is performed.

The temporary user group in the second embodiment functions effectively by setting in the following situation as an example.
For example, a meeting is urgently held at a certain place in the facility FC, and several users Y gather as meeting members at a table in this place. In this meeting, there is data to be transmitted / received between the mobile terminal devices 100 of the meeting members, but this data is not desired to be accessed from the mobile terminal device 100 of the user Y other than the meeting member. However, the user group corresponding to the current meeting member is not registered in the user group information.
Therefore, a temporary user group is set up by the meeting members in the above situation. In setting the temporary user group, for example, any one user Y among the meeting members may operate the mobile terminal device 100 to transmit a temporary user group setting request to the access management device 500. .

The access management device 500 sets a temporary user group in response to receiving the temporary user group setting request.
For this purpose, the access management apparatus 500 first recognizes the position of the user Y (reference user) of the mobile terminal apparatus 100 that is the transmission source of the temporary user group setting request, and sets this position as the reference position. Next, the access management apparatus 500 sets the user Y (including the reference user) located within a certain range (temporary user group effective range) from the reference position as a user belonging to the temporary user group.
In this way, the temporary user group is a temporary group to which the user indicated by the position information belongs to an area within a certain range including the position indicated by the position information of the user of the mobile terminal device that is the transmission source of the temporary user group setting request. User group.
The area of the temporary user group effective range may be fixed in advance as described above, or may be set by the user when a temporary user group setting request is transmitted, for example.

  When a user belonging to a temporary user group is set as described above, the access management apparatus 500 executes path control corresponding to the temporary user group. That is, the access management device 500 performs path control so that the mobile terminal device 100 of another user Y cannot access the data transmitted and received between the mobile terminal devices 100 of the users belonging to the temporary user group. Thereby, in the network of the facility FC, the communication between the portable terminal devices 100 of the user Y of the temporary user group can be separated from the other portable terminal devices 100.

Further, when a certain user Y who belongs to the temporary user group because he / she is present in the temporary user group effective range is out of the temporary user group effective range because he / she has removed his / her seat, the user Y is in the temporary user group effective range. It is set as not belonging to. Accordingly, the mobile terminal device 100 of the user Y cannot access data transmitted / received between the mobile terminal devices 100 of the users of the temporary user group.
In addition, when a temporary user group is set, if another user Y moves within the effective range of the temporary user group in order to join the meeting later, the user Y becomes a new temporary user. Set as belonging to a group. In response to this, the mobile terminal device 100 of the user Y can access data transmitted and received between the mobile terminal devices 100 of the users of the temporary user group.
Thus, in the state where the temporary user group is set, if the user is located in the effective range of the temporary user group corresponding to the temporary user group, data transmitted and received between the mobile terminal devices 100 of the temporary user group Can have access rights to access.

In order to cancel the temporary user group once set, for example, one of the users Y belonging to the temporary user group operates the mobile terminal device 100 to release the temporary user group to the access management device 500. Send a request.
In response to this temporary user group release request, the access management apparatus 500 stops the path control corresponding to the temporary user group that has been executed so far. Along with this, the setting of the temporary user group is also released.

In addition, for example, it is considered that the user may forget or neglect the operation for transmitting the temporary user group cancellation request even though the temporary user group may be canceled when the meeting ends, for example. Therefore, the temporary user group may be automatically canceled when a certain condition is satisfied.
As an example, for example, the temporary user group may be automatically canceled when a condition that a predetermined time elapses after the setting of the first temporary user group in response to the temporary user group setting request is satisfied. it can.
In addition, the temporary user group can be automatically canceled in accordance with the condition that the number of users Y positioned within the temporary user group effective range is, for example, one or less, such as one.
In addition, the temporary user group can be automatically canceled in accordance with the condition that a predetermined time elapses after the data belonging to the temporary user group is no longer transmitted / received between the mobile terminal devices 100. .

[Example of processing procedure]
FIG. 13 shows an example of a processing procedure executed by the access management apparatus 500 in relation to the temporary user group setting.
In the access management device 500, the access authority setting unit 525 is waiting for a temporary user group setting request transmitted from the mobile terminal device 100 (step S201—NO).

In response to the reception of the temporary user group setting request (step S201-YES), the access authority setting unit 525 sets the reference user among the reference users and the proximity users to be included in the temporary user group (step S202). . That is, the access authority setting unit 525 sets the user Y of the mobile terminal device 100 that is the transmission source of the temporary user group setting request as the reference user.
Next, the access authority setting unit 525 sets the temporary user group effective range based on the reference user set in step S202 (step S203). That is, the access authority setting unit 525 sets, as the temporary user group effective range, a fixed range based on the position indicated by the position information of the reference user from the position information acquired by the position information acquisition unit 511 of the position information server 510. To do. This temporary user group effective range is an area in the facility FC to which the user Y can belong to the temporary user group.

After setting the temporary user group effective range as described above, the access authority setting unit 525 repeatedly executes the processes in steps S204 to S207 until the setting of the temporary user group is cancelled.
That is, the access authority setting unit 525 specifies the user Y located within the temporary user group effective range (step S204). For example, the access authority setting unit 525 selects position information indicating the position within the temporary user group effective range from the position information acquired by the position information acquisition unit 511. Based on the user ID added to the selected position information, the access authority setting unit 525 can specify the user Y located within the temporary user group effective range. In addition, the reference user set in step S202 is also included in the user Y specified as being located within the temporary user group effective range in step S204.
The access authority setting unit 525 recognizes the user Y specified as being located within the temporary user group effective range as a user who currently belongs to the temporary user group.
This step S204 corresponds to setting a temporary user group according to the specification of the user Y located within the temporary user group effective range. Then, according to the setting of the temporary user group, the access authority setting unit 525 sets the access authority so that information that should be shared among the users Y belonging to the temporary user group is not shared by users who do not belong to the user group. To do.

Then, the access control unit 528 executes path control corresponding to the temporary user group set according to step S204 (step S205). That is, data transmitted / received between the mobile terminal devices 100 of the user Y (user belonging to the temporary user group) identified as being located within the temporary user group effective range in step S204 belongs to this temporary user group. Control is performed so that access from the portable terminal device 100 of the user Y who has not been accessed is not possible.
Specifically, for example, the access control unit 528 performs path control so that data transmitted / received between the mobile terminal devices 100 of the user Y belonging to the temporary user group is normally performed. In addition, for example, when access is made from the mobile terminal device 100 of the user Y not belonging to the temporary user group to the mobile terminal device 100 of the user Y belonging to the temporary user group, the access control unit 528 The wireless LAN control unit 320 instructs the wireless LAN control unit 320 to discard the packet transmitted for the communication. Also, when the mobile terminal device 100 of the user belonging to the temporary user group transmits data with the mobile terminal device 100 of the user Y not belonging to the temporary user group as the destination, the access control 528 transfers the packet of this data. The wireless LAN control unit 320 is instructed to be discarded without doing so.

Next, the access authority setting unit 525 determines whether or not a temporary user group release request transmitted from the mobile terminal device 100 of the user Y currently belonging to the temporary user group has been received (step S206).
When the temporary user group release request is not received (step S206—NO), the access authority setting unit 525 further determines whether or not a certain condition for releasing the temporary user group is satisfied (step S207).

When the predetermined condition for canceling the temporary user group is not satisfied (step S207—NO), the access authority setting unit 525 returns the process to step S204. As a result, the access authority setting unit 525 executes path control corresponding to the temporary user group while recognizing the user Y located within the temporary user group effective range as a user belonging to the temporary user group.
When the temporary user group cancellation request is received (step S206—YES), or when certain conditions for temporary user group cancellation are satisfied (step S207—YES), the access authority setting unit 525 The route control corresponding to the user group is stopped (step S208). Along with this, the setting of the temporary user group is canceled.

In the configuration of FIG. 1, the position information is acquired by the position transmitter 210 possessed by the user Y and the position information unit 220 installed in the facility FC. However, for example, position information can be acquired as follows.
In other words, the IC card reader 160 is provided for each room with the area partitioned in the facility FC as a room unit. Then, every time the user Y enters and leaves the room, the IC card reader 160 communicates with the IC card 150 to store the entry record and the exit record information as an entry / exit history for each room. With such a configuration, position information indicating the position of the user Y in units of rooms can be acquired based on the entry / exit history.

  Also, the access management device 500 shown in FIG. 4 has a configuration including the location information server 510 and the authentication server 520. For example, the functional units of the location information server 510 and the authentication server 520 are integrated into one device. You may configure

  In the description so far, the case where the facility FC is an office environment in a company is taken as an example. However, the configuration of the present invention can be applied to various facilities such as public facilities such as a library and a dining room. .

  4 is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into a computer system and executed. Access authority setting and route control according to this may be performed. Here, the “computer system” includes an OS and hardware such as peripheral devices.

Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW system is used.
The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included. The program may be a program for realizing a part of the functions described above, and may be a program capable of realizing the functions described above in combination with a program already recorded in a computer system.

  The embodiment of the present invention has been described in detail with reference to the drawings. However, the specific configuration is not limited to this embodiment, and includes designs and the like that do not depart from the gist of the present invention.

DESCRIPTION OF SYMBOLS 100 Mobile terminal device 150 IC card 160 IC card reader 210 Location transmitter 220 Location information unit 310 Wireless LAN base station 320 Wireless LAN control device 400 File server 500 Access management device 510 Location information server 511 Location information acquisition unit 512 Location information transmission unit 513 Location history storage unit 520 Authentication server 521 Communication unit 522 User authentication unit 523 User information storage unit 524 Authentication status information storage unit 525 Access authority setting unit 526 Access authority information storage unit 527 Access authority setting information storage unit 528 Access control unit

Claims (5)

A communication unit that communicates with the mobile terminal device via a wireless network;
A user authentication unit that executes user authentication processing for the user of the mobile terminal device based on the user authentication information received from the mobile terminal device;
A position information acquisition unit that acquires position information indicating the position of the user in the facility;
An access authority setting unit that sets an access authority of a user for whom user authentication has been established based on the location information acquired by the location information acquisition unit;
An access control unit that controls whether or not the mobile terminal device can access resources on the network according to the access authority set by the access authority setting unit ;
The access authority setting unit
The user to which the user whose position information indicates that the user group setting request exists in a certain range of area including the position indicated by the user position information of the mobile terminal device that is the transmission source of the user group setting request in response to receiving the user group setting request Set a group, set access rights so that information that should be shared among users belonging to the user group is not shared by users not belonging to the user group,
The access control unit
An access management apparatus that controls data transmitted / received between portable terminal devices of users belonging to the user group so that the data cannot be accessed from portable terminal devices of users not belonging to the user group . A user-accessible access authority information storage unit for storing user-accessible access authority information indicating an access authority corresponding to each combination of a user identifier and a location in the facility;
The access authority setting unit
Select the access authority corresponding to the combination of the user identifier of the user for whom user authentication has been established and the position indicated by the position information acquired by the position information acquisition unit from the user-corresponding access authority information, and set the selected access authority The access management device according to claim 1 . A user group-corresponding access authority information storage unit that stores user group-corresponding access authority information indicating access authority corresponding to each combination of the user identifiers of the plurality of users belonging to the user group and the position in the facility;
The access authority setting unit
The access authority corresponding to the combination of the user identifier of the user for whom user authentication has been established and the position indicated by the position information acquired by the position information acquisition unit is selected from the user group-corresponding access authority information, and the selected access authority is The access management apparatus according to claim 1 or 2 . A user authentication step for executing a user authentication process for the user of the mobile terminal device based on the user authentication information received from the mobile terminal device via a wireless network;
A location information acquisition step for acquiring location information indicating the location of the user in the facility;
An access authority setting step for setting an access authority of a user for whom user authentication has been established based on the position information acquired by the position information acquisition step;
An access control step for controlling whether or not the mobile terminal device can access resources on the network according to the access authority set in the access authority setting step ,
The access authority setting step includes:
The user to which the user whose position information indicates that the user group setting request exists in a certain range of area including the position indicated by the user position information of the mobile terminal device that is the transmission source of the user group setting request in response to receiving the user group setting request Set a group, set access rights so that information that should be shared among users belonging to the user group is not shared by users not belonging to the user group,
The access control step includes
An access management method for controlling data transmitted / received between mobile terminal devices of users belonging to the user group so that the data cannot be accessed from mobile terminal devices of users not belonging to the user group . On the computer,
A user authentication step for executing a user authentication process for the user of the mobile terminal device based on the user authentication information received from the mobile terminal device via a wireless network;
A location information acquisition step for acquiring location information indicating the location of the user in the facility;
An access authority setting step for setting an access authority of a user for whom user authentication has been established based on the position information acquired by the position information acquisition step;
An access control step for controlling whether or not the mobile terminal device can access resources on the network according to the access authority set in the access authority setting step ,
The access authority setting step includes:
The user to which the user whose position information indicates that the user group setting request exists in a certain range of area including the position indicated by the user position information of the mobile terminal device that is the transmission source of the user group setting request in response to receiving the user group setting request Set a group, set access rights so that information that should be shared among users belonging to the user group is not shared by users not belonging to the user group,
The access control step includes
Control is performed so that data transmitted / received between portable terminal devices of users belonging to the user group cannot be accessed from portable terminal devices of users not belonging to the user group.
program.

Images