JP6561707B2 - Data browsing control program, data browsing control method, and data browsing control device - Google Patents

Description

  The present invention relates to a data browsing control program, a data browsing control method, a data browsing control device, a document data management device, a document data management method, and a document data management program.

  In recent years, a system for managing document data such as a form online has been used. The document data may include confidential information such as personal information. In this case, it is preferable to restrict the document data from being viewed by a third party who does not have proper authority.

  As a related technique, a technique has been proposed in which hidden data related to a file is edited in accordance with the file to be used and the authority of the user, and appropriate information is protected according to the file user (for example, (See Patent Document 1).

JP 2009-193164 A

  When restricting browsing of document data including confidential information, for example, encryption may be performed on the entire document data. In this case, since the entire document data including the confidential information is encrypted, it is difficult to limit the browsing of only the confidential information portion.

  Of the document data, browsing of a part of the document data may be restricted by performing a masking process or the like on the information to be restricted. In this case, an area that is subject to browsing restriction is specified in the document data, and masking processing is performed on the identified area, so that browsing restriction control is complicated.

  As one aspect, an object of the present invention is to facilitate browsing control of information included in document data.

In one aspect, a data browsing control device that executes a data browsing control program included in document data, the input request unit for requesting input of authentication information, the input authentication information, and the document data are identified. a transmission unit for transmitting a request including the identification information to the server apparatus, a receiving unit that receives the response sent from the server device that received the request, the response, the authentication based on the input authentication information When it indicates that the authentication has failed, the authentication failure information indicating that the authentication has failed and the document data are combined and displayed on the display unit, and the response is successfully authenticated based on the input authentication information. and indicates that the, and, if it contains information corresponding to the document data identified by the identification information, versus the document data Information is displayed on the document data and the display unit synthesizes the to the response indicates the successful authentication based on authentication information input, and is identified by the authentication information input In the case where it is shown that the right to browse the information corresponding to the document data is not given to the person to be authenticated, right error information indicating that there is no right to browse the information corresponding to the document data; And a control unit that synthesizes the document data and displays the synthesized data on the display unit .

In another aspect, the data browsing control device executes a data browsing control program included in the document data, the input request unit for requesting input of authentication information, the input authentication information, and the document data A transmission unit that transmits a request including identification information to be identified to the server device, a reception unit that receives a response transmitted from the server device that has received the request, and the response is based on the input authentication information If it indicates that the authentication has failed, the data generated in a manner corresponding to the authentication failure information indicating that the authentication has failed is displayed on the display unit, and the response is input. Indicates that the authentication based on the authentication information is successful, and includes information corresponding to the document data identified by the identification information In this case, the information corresponding to the document data and the document data are combined and displayed on the display unit, and the response indicates that authentication based on the input authentication information is successful, and When the authentication target person specified by the input authentication information indicates that the right to view the information corresponding to the document data is not given, the document data is the information corresponding to the document data. A control unit that causes the display unit to display data generated in a mode corresponding to authority error information indicating that the user does not have the browsing authority .

  According to one aspect, browsing control of information included in document data can be facilitated.

It is a figure which shows an example of the whole structure of the system of 1st Embodiment. It is a figure which shows an example of the functional block of the client of 1st Embodiment. It is a figure which shows an example of the functional block of the management part of 1st Embodiment. It is a figure which shows an example of form data. It is a figure which shows an example of various databases (the 1). It is FIG. (2) which shows an example of various databases. It is FIG. (1) which shows the example of various screens. It is FIG. (2) which shows the example of various screens. It is FIG. (3) which shows the example of various screens. It is a flowchart (the 1) which shows an example of the process of 1st Embodiment. It is a flowchart (the 2) which shows an example of the process of 1st Embodiment. It is a flowchart (the 3) which shows an example of the process of 1st Embodiment. It is a figure which shows an example of the area | region information contained in a content. It is a figure which shows an example of the authentication based on network classification and time information. It is a figure which shows an example of various authentication variation. It is a figure which shows an example of the functional block of the client of 2nd Embodiment. It is a flowchart which shows an example of the display process of 2nd Embodiment. It is FIG. (1) which shows an example of the variation of a synthesis | combination of confidential information and content. It is FIG. (2) which shows an example of the variation of a synthesis | combination of confidential information and content. It is FIG. (The 3) which shows an example of the variation of a synthesis | combination of confidential information and a content. It is a figure which shows an example of the functional block of the management part of 3rd Embodiment. It is a figure which shows an example of the functional block of the client of 3rd Embodiment. It is a figure which shows an example of a browsing authority database. It is a flowchart (the 1) which shows an example of the process of 3rd Embodiment. It is a flowchart (the 2) which shows an example of the process of 3rd Embodiment. It is a flowchart (the 3) which shows an example of the process of 3rd Embodiment. It is a figure which shows an example of the hardware constitutions of a client. It is a figure which shows an example of the hardware constitutions of a management server.

<Example of Overall Configuration of First Embodiment>
The first embodiment will be described below. In the following embodiments, it is assumed that the document data is form data. FIG. 1 shows an example of the overall configuration of the first embodiment.

  In FIG. 1, a system 1 includes a client 2 and a management server 3. The client 2 is a terminal operated by a user when browsing the form data, for example. The client 2 acquires form data from the management server 3. Hereinafter, the form data may be referred to as content.

  The acquired form data is stored in the client 2. When the form data stored in the client 2 flows out, confidential information included in the form data also flows out.

  If form data including confidential information is leaked to the outside, even if the form data is encrypted, etc., the form data will be analyzed and leaked to the outside. Confidential information can be misused by third parties who do not.

  In the first embodiment, browsing control of confidential information included in document data is facilitated, and confidential information is protected. Details of the first embodiment will be described below.

  As shown in FIG. 1, the management server 3 includes a management unit 4, a first database group 5, and a second database group 6. The management unit 4 is connected to the first database group 4 and the second database group 5, and returns a response to the request from the client 2.

  The management server 3 is an example of a server device or a document data management device. The client 2 is an example of a terminal device or a data browsing control device.

  The first database group 5 includes a content database 11, a my number database 12, a name database 13, and an address database 14. The content database 11 stores content. From FIG. 1 onward, the database is denoted as “DB”.

  Hereinafter, it is assumed that the content is an electronic file. For example, the content may be displayed on the screen of the client 2 by a browsing application program (hereinafter referred to as a browsing application) executed on the client 2.

  The form data is electronic data of forms such as withholding tax forms and final tax returns. However, the content may be arbitrary document data other than the form data. Further, the form may be other than the withholding slip and final tax return.

  The my number database 12 is a database that stores my numbers. My number is a number that identifies an individual who has a resident card in Japan, and is a number managed by an administrative organization or the like. Utilization of My Number is expected to increase the efficiency of administrative procedures for administrative agencies, for example.

  The name database 13 is a database that stores names. The address database 14 is a database that stores addresses. My number, name and address belong to confidential information. Therefore, it is desirable to manage confidential information individually.

  Accordingly, it is assumed that the my number database 12, the name database 13, and the address database 14 are different databases.

  Next, the second database group 6 will be described. The second database group 6 includes a content type database 21, a browsing authority database 22, a secret item database 23, and a form item database 24.

  The content type database 21 is a database that stores content types (content types). The browsing authority database 22 is a database that stores the browsing authority for confidential information.

  The confidential item database 23 is a database that stores which items included in the form data are concealed according to the form data.

  The form item database 24 is a database that stores area information corresponding to items to be concealed (confidential items) according to the type of form data. An area corresponding to the confidential item is represented by coordinates in the form data, and confidential information is superimposed on the area.

  Information stored in each database of the second database group 6 does not belong to confidential information. Therefore, the information of each database in the second database group 6 may be stored in one database.

  When the client 2 requests the management server 3 to acquire content, the management server 3 transmits content corresponding to the request to the client 2. The management server 3 transmits content including the engine to the client 2. The engine is a program that causes the client 2 to execute a predetermined function, and is an example of a data browsing control program.

  In the first embodiment, when it is detected that a browsing operation has been performed on the content acquired by the client 2, the client 2 executes an engine (data browsing control program). When the engine is executed, the client 2 transmits a confidential information acquisition request (request) corresponding to the content to the management server 3.

  The management server 3 performs authentication based on the request from the client 2 and transmits confidential information to the client 2 as a response. The engine stored in the client 2 superimposes confidential information on the content.

The engine performs control to display content (form data) on which confidential information is superimposed on the screen of the client 2. The engine executed by the client 2 stores content and confidential information in the client 2 as different information.
<Example of client functional blocks>
Next, an example of functional blocks of the client 2 will be described with reference to FIG. The client 2 includes a first input unit 31, a first storage unit 32, a first screen unit 33, a first communication unit 34, and a client processing unit 40.

  The first input unit 31 is provided for an operator who operates the client 2 (hereinafter referred to as a user) to perform an input operation. For example, a mouse, a keyboard, or the like may be applied to the first input unit 31.

  The first storage unit 32 stores content (form data) acquired from the management unit 4 and confidential information included in the content as individual information. The content stored in the first storage unit 32 includes an engine.

  The first screen unit 33 is a display screen provided in the client 2 and displays predetermined information. The first screen unit 33 is a display, for example. The first communication unit 34 communicates with the management unit 4.

  The client processing unit 40 performs predetermined processing by the client 2. The client processing unit 40 includes an acquisition request unit 41, an authentication information input request unit 42, a storage control unit 43, an input operation detection unit 44, a device information detection unit 45, a superimposition unit 46, and a display control unit 47. Each function of the client processing unit 40 may be realized by an engine.

  The acquisition request unit 41 transmits a request for acquiring content and confidential information to the management server 3. The acquisition request unit 41 makes a request for acquiring content to the management server 3 based on a user input operation. The acquisition request unit 41 is an example of an acquisition unit.

  The authentication information input request unit 42 requests the user to input authentication information. The input authentication information may be, for example, a combination of Identification (ID) and a password. The authentication information may be biometric authentication such as a fingerprint or a vein. In this case, the client 2 is provided with a separate biometric authentication device. The authentication information input request unit 42 is an example of an input request unit.

  The storage control unit 43 performs control to store the content acquired from the management server 3 and the confidential information as different information in the first storage unit 32. Further, the storage control unit 43 deletes the content and confidential information stored in the first storage unit 32.

  The input operation detection unit 44 detects an input operation using the first input unit 31 by the user. For example, it is assumed that the user performs an operation for browsing the content stored in the first storage unit 32. The input operation detection unit 44 detects a content browsing operation.

  When a content browsing operation is detected, the client processing unit 40 executes an engine included in the content. When the engine is executed, the acquisition request unit 41 transmits a request for acquiring confidential information corresponding to the content to the management unit 4 to the management server 3.

  The device information detection unit 45 detects device information of the client 2. The device information of the client 2 includes, for example, Media Access Control (MAC) address, network type information, Internet Protocol (IP) address information, etc. of the client 2. In addition, the device information may include time information possessed by the client 2, for example.

  The network type information indicates the type of network, such as whether it is a closed environment network or a network connected to the outside, such as an in-house Local Area Network (LAN). The device information is an example of other authentication information.

  The superimposing unit 46 superimposes confidential information on the content stored in the first storage unit 32. In the first embodiment, the superimposing unit 46 performs processing for superimposing and displaying confidential information on the content. In this case, the confidential information and the content are separate information. Superposition is one aspect of combining confidential information and content. The superimposing unit 46 is an example of a combining unit.

  The display control unit 47 performs control to display content on which confidential information is superimposed on the first screen unit 33. When the client processing unit 40 receives an input operation using the first input unit 31 by the operator, the display control unit 47 performs display control according to the input operation.

<Example of functional block of management unit>
Next, an example of functional blocks of the management unit 4 will be described with reference to FIG. The management unit 4 includes a second input unit 51, a second screen unit 52, a second communication unit 53, and a server processing unit 60.

  The second input unit 51 is provided for an operator who operates the management server 3 (hereinafter referred to as an administrator) to perform an input operation. The second input unit 51 is, for example, a mouse or a keyboard.

  The second screen unit 52 is a display screen provided in the management unit 4 and displays predetermined information. The second screen unit 52 is, for example, a display. The second communication unit 53 communicates with the client 2.

  The server processing unit 60 performs predetermined processing by the management unit 4. The server processing unit 60 includes an authentication unit 61, a determination unit 62, a content acquisition unit 63, a confidential information acquisition unit 64, a transmission information control unit 65, and a browsing authority change unit 66.

  The authentication unit 61 performs authentication for authentication information included in the request from the client 2. As described above, the authentication information may be a combination of an ID and a password, or may be biometric authentication information.

  Further, the authentication information may include device information detected by the device information detection unit 45 of the client 2. The authentication unit 61 may perform authentication based on the MAC address or IP address of the client 2.

  For example, the authentication unit 61 may make the authentication successful only when the network type of the client 2 is an in-house LAN. Further, the authentication unit 61 may perform authentication based on time information included in the device information. For example, when the time information is outside a predetermined time zone, the authentication unit 61 may not make the authentication successful.

  The determination unit 62 determines whether or not each confidential information can be browsed according to the viewing authority of the user.

  In the first embodiment, my number, name, and address belong to confidential information. Depending on the user's viewing authority, for example, all confidential information may be viewable, and some confidential information (for example, only my number, only name, only address, etc.) can be viewed. In some cases, browsing of all confidential information may be restricted.

  The content acquisition unit 63 acquires content from the content database 11. The confidential information acquisition unit 64 acquires confidential information from a database that stores confidential information in the first database group 5. Depending on the viewing authority of the user, the confidential information acquisition unit 64 acquires the My Number from the My Number Database 12, acquires the name from the Name Database 13, and acquires the name from the Address Database 14.

  The transmission information control unit 65 controls transmission information to be transmitted to the client 2 in response to a request from the client 2. The client 2 transmits a request (acquisition request) for acquiring confidential information to the management unit 4 by executing the engine.

  When the authentication by the authentication unit 61 is successful, the transmission information control unit 65 performs control to transmit confidential information corresponding to the user's browsing authority as a response to the client 2. At this time, the transmission information control unit 65 may perform control so that the confidential information is transmitted to the client 2 according to the success of the authentication regardless of the viewing authority of the user.

  For example, when the browsing authority is not set for the confidential information or when the browsing of the confidential information by all users is permitted, the transmission information control unit 65 sets the confidential information according to the success of the authentication. Control to transmit information to the client 2 may be performed.

  The browsing authority changing unit 66 changes the browsing authority by the user set for each confidential information. For example, the viewing authority may be changed by an input operation by an administrator.

  In this case, the administrator uses the second input unit 51 to perform a browsing authority change operation. When the server processing unit 60 accepts a browsing authority changing operation, the browsing authority changing unit 66 changes the browsing authority.

  The viewing authority varies depending on the user. For example, it is preferable that the viewing authority by the user is changed according to a change in the attribute of the user (transfer, retirement, etc.). In this case, the browsing authority changing unit 66 changes the browsing authority for each user.

  For example, when the viewing authority of the user U1 is set so that only the viewing of the My Number is set, the user U1 may not be able to refer to the My Number according to the change in the attribute of the user U1. .

  In this case, the browsing authority changing unit 66 changes the browsing authority so that all confidential information by the user U1 is not browsed. The browsing authority is set based on a predetermined policy (hereinafter, security policy).

<Example of content>
Next, an example of content will be described. FIG. 4 shows an example of a withholding slip as content (form data). FIG. 4A shows an example of the format data of the withholding slip.

  Confidential information is not superimposed on the format data of the withholding slip shown in the example of FIG. For example, the fields of “address or residence”, “address”, and “personal number” are blank. These columns are secret item columns. In FIG. 4, “individual number” indicates my number.

  Confidential information is superimposed on each secret item column of the format data of the withholding slip shown in the example of FIG. For example, confidential information is superimposed on the secret item column of the address, name, and personal number. Note that the payment amount and the like may also be confidential items.

  Of the format data of the withholding slip shown in the example of FIG. 4C, the confidential information in the confidential item column of the name and personal number is concealed. In the example of FIG. 4C, the name and personal number concealment item fields are indicated by asterisks, but may be blank.

  In the case of the example of FIG. 4B, the user of the client 2 has the browsing authority for all confidential information. In the case of the example of FIG. 4C, the user of the client 2 has the authority to browse the address, but does not have the authority to browse the name and my number.

<Examples of various databases>
Next, various databases will be described with reference to the examples of FIGS. FIG. 5A is an example of the content type database 21. The table stored in the content type database 21 has items of form type ID and form type.

  The form type ID is an identifier for identifying the type of form data. The form type indicates the name of the form type. The form type is specified by the form identification ID. For example, the form identification ID “CK00001” indicates that it is a withholding slip.

  FIG. 5B is an example of the browsing authority database 22. The browsing authority database 22 stores a table having items of form type ID, item name, user, and browsing authority. The item name is the name of the secret item. Item names in various databases correspond to content secret items.

  The user is information that identifies the user of the client. The viewing authority indicates whether each confidential item included in the form data specified by the form type ID can be browsed or cannot be browsed for each user. The browsing authority of the browsing authority database 22 in FIG. 5B can be changed.

  For example, the user number other than the user U1 is not permitted to view the My Number item included in the form data of the final tax return identified by the form type ID “CK00002”, but the user U1 can view it. Indicates that it is allowed to do.

  For example, it is assumed that my number included in the final tax return can be viewed by the user U2 due to a change in the attribute of the user U2 (department change or the like).

  In this case, the browsing authority of the browsing authority database 22 is changed based on the security policy. In the example of FIG. 5B, the user is changed from “other than U1” to “other than U1 and U2.”

  Next, an example of the secret item database 23 will be described with reference to FIG. The table stored in the secret item database 23 includes items of form identification ID, item name, and registration number. The form identification ID is identification information for identifying form data.

  As described above, the form type ID is an ID that specifies the type of form data. On the other hand, the form identification ID is an ID for identifying the form data itself. For example, it is assumed that a user views a withholding slip for a specific individual for a predetermined year.

  In this case, the form identification ID is an ID for identifying the form data specified by the form type ID, the individual, and the year, and the form type (withholding slip), the individual, and the year are specified by the form identification ID. The form data is specified. The form identification ID may be a combination of a form type ID and one or more conditions.

  The form identification ID is associated with the item name and the registration number. For example, in the form data specified by the form identification ID “GC00001”, my number is designated as a confidential item, and the registration number “AA12345” is associated with this my number.

  FIG. 6B shows an example of the my number database 12. The table stored in the my number database 12 has items of registration number and my number. The registration number and my number are associated one-to-one.

  Similarly, the name database 13 stores a table in which names and registration numbers are associated with each other. The address database 14 stores a table in which addresses and registration numbers are associated with each other.

  For example, the registration number “AA12345” is associated with my number “123456789012”. Therefore, in the case of FIGS. 6A and 6B, the My Number, which is the secret item of the form data specified by the form identification ID “GC00001”, is “123456789012”.

  For example, in the case of the form identification ID “K500001” in FIG. 6A, my number and name are designated as the confidential items. A registration number is associated with each item of my number and name, and the registration number of the item of my number is associated with the my number in the my number database 12. The registration number of the name item is associated with the name in the name database 13.

  Accordingly, the form data specified by the form identification ID “K500001” is associated with the my number and name, which are the confidential items specified in the form data.

  Next, the form item database 24 will be described with reference to the example of FIG. The table stored in the form item database 24 has items of form type ID, item name, and area information.

  As described above, the type (for example, withholding slip) of the form data is specified by the form type ID. The area information is, for example, information indicating the area of the secret item column in the form data of the withholding slip in the coordinate system (X coordinate, Y coordinate).

  For example, the form data specified by the form type ID “CK00001” shown in the example of FIG. 6C is a withholding slip, and the area information indicates the range of each secret item column in the withholding slip in the XY coordinate system. .

  The my number, name, and address, which are confidential items of the form data of the withholding slip specified by the form type ID “CK00001”, are superimposed on the range indicated by the area information in the form data of the withholding slip.

<Examples of various screens>
FIG. 7 is an example of a screen when confidential information is displayed. As shown in the example of FIG. 7, the content (form data of the withholding slip) stored in the first storage unit 32 of the client 2 does not include confidential information.

  As described above, by executing the engine, confidential information corresponding to the form data of the withholding slip and according to the user's viewing authority is transmitted from the management unit 4 to the client 2 as a response. This response includes area information of each confidential information.

  In the example of FIG. 7, it is assumed that the area information in the my number secret item column is a rectangular area indicated by “(5000,500) − (6000,700)” in the XY coordinate system. The superimposing unit 46 superimposes the acquired my number on the range of the rectangular area indicated by the area information (that is, the column of the secret item of my number).

  Similarly, the superimposing unit 46 superimposes the address in the “address or whereabouts” concealed item field based on the address area information, and based on the name area information, the name is confined to the name concealed item field. Is superimposed. Therefore, my number, address and name are superimposed on the form data of the withholding slip.

  The display control unit 47 displays content (form data) on which confidential information is superimposed on the first screen unit 33. Thereby, the form data of the withholding slip including confidential information is displayed on the first screen section 33.

  FIG. 8 shows an example of a screen when confidential information is not displayed. For example, when authentication by the authentication unit 61 of the management unit 4 fails, the management unit 4 does not transmit confidential information to the client 2.

  When the authentication by the authentication unit 61 fails, the transmission information control unit 65 of the management unit 4 performs control to transmit information indicating that the authentication has failed to the client 2 as a response.

  FIG. 8A shows a screen example of content in which confidential information is not superimposed on each confidential item column due to the failure of authentication. In the example of FIG. 8 (A), the column of each secret item is blank. Each confidential item field may be a character string (for example, an asterisk character string) indicating that confidential information is not displayed.

  FIG. 8B shows a screen example when the display control unit 48 displays the cause that the confidential information is not displayed on the first screen unit 33 as the error message 33M. Thereby, the user can recognize the cause of the confidential information not being displayed based on the first screen unit 33.

  FIG. 9 shows an example of a content screen when authentication is successful but there is no right to view some confidential information. FIG. 9A shows an example of a screen when the user's browsing authority is the address and name browsing authority but the My Number viewing authority is not possible.

  In FIG. 9, the shaded area indicates the secret item column, and the reason why the confidential information is not displayed is superimposed on the secret item column as a character string. .

  The management unit 4 transmits to the client 2 a response indicating that the browsing authority of the user is the browsing authority of the address and the name, but the browsing authority of the my number is impossible.

  In this case, the acquired address and name are displayed in the address and name concealment item column, but the my number is not displayed in the concealment item column of My Number because there is no viewing authority. The superimposing unit 46 superimposes a factor (information indicating that there is no viewing authority) that the My Number is not displayed on the My Number Secret Item column.

  The display control unit 48 displays on the first screen unit 33 the content on which the name and address are superimposed and the factor that the my number is not superimposed is superimposed.

  FIG. 9B is an example of a screen when authentication fails. When the authentication fails, the superimposing unit 46 superimposes information indicating that the authentication has failed in each confidential item column of the form data. The display control unit 47 displays the form data on which the information is superimposed on the first screen unit 33.

<Flowchart of First Embodiment>
Next, the processing flow of the first embodiment will be described with reference to the flowcharts of FIGS. The flowchart of FIG. 10 shows an example of a request process for acquiring content and confidential information from the client 2 to the management unit 4. Therefore, the flowchart of FIG. 10 shows processing performed by the client 2.

  The acquisition request unit 41 of the client 2 performs control to transmit a content acquisition request to the management unit 4. The first communication unit 34 transmits a content acquisition request to the management unit 4 (step S1). This request includes a form identification ID.

  The client 2 acquires content including the engine from the management unit 4 (step S2). The storage control unit 34 stores content including the engine in the first storage unit 32 (step S3).

  If the input operation detection unit 44 does not detect that a content browsing operation has been performed (NO in step S4), the process does not proceed to the next step. When the input operation detection unit 44 detects that a content browsing operation has been performed (YES in step S4), the client processing unit 40 executes an engine included in the content.

  When the engine is executed, the acquisition request unit 41 recognizes the form identification ID of the content stored in the first storage unit 32 (step S5). Further, the device information detection unit 45 detects the device information of the client 2 (step S6). Note that if the device information is not included in the authentication information, step S6 is omitted.

The authentication information input request unit 42 makes an input request for authentication information (step S7 ). For example, the authentication information input request unit 42 controls the display control unit 48 so that a screen for prompting input of an ID and a password is displayed on the first screen unit 33.

  If the input operation detection unit 44 does not detect that the ID and password have been input (NO in step S8), the process does not proceed to the next step. When the input operation detection unit 44 detects that the ID and password have been input (YES in step S8), the acquisition request unit 41 requests acquisition of confidential information not included in the content.

  The acquisition request unit 41 performs control to transmit a request including the recognized form identification ID and authentication information to the management unit 4. This request includes user information. The authentication information may include not only the ID and password input in response to the input request (input authentication information) but also the device information detected in step S6 (other authentication information).

  The first communication unit 34 transmits a request including a form identification ID, authentication information, and information for specifying a user to the management unit 4 (step S9). The processing in steps S5 to S9 is realized by an engine that is executed in response to detection of a content browsing operation. Thus, the request process ends.

  Next, an example of processing performed by the management unit 4 will be described with reference to the flowchart of FIG. When the management server 3 receives a content acquisition request from the client 2, the content acquisition unit 63 acquires content corresponding to the form identification ID included in the request from the content database 11.

  And the transmission information control part 65 performs control which transmits the content containing an engine to the client 2 according to the request | requirement of content acquisition. By this control, the second communication unit 53 transmits content including the engine to the client 2 (step S11).

  The client 2 transmits a request to acquire confidential information by executing an engine included in the content. The server processing unit 60 determines whether a request is received from the client 2 (step S12).

  If no request is received (NO in step S12), the process does not proceed to the next step. When the request is received (YES in step S12), the authentication unit 61 authenticates the authentication information included in the request (step S13).

  When the authentication is successful (YES in step S14), the determination unit 62 recognizes the form identification ID and the user information included in the request. The form type ID is specified by the form identification ID.

  The determination unit 62 refers to the browsing authority database 22 and determines whether the browsing authority for the secret item is possible or impossible based on the form type ID and the user information (step S16). .

  When it is determined that the browsing authority of the confidential item is possible (YES in step S16), the confidential information acquisition unit 64 stores the confidential information corresponding to the browsing authority in the first database group 5 in which the confidential information is stored. (Step S17).

  For example, when the confidential information that can be browsed is only my number, the confidential information acquisition unit 64 acquires the my number from the my number database 12. On the other hand, the confidential information acquisition unit 64 does not acquire name and address information.

  For example, when the confidential information corresponding to the viewing authority is the my number and the name, the confidential information acquisition unit 64 acquires the my number from the my number database 12 and acquires the name from the name database 13. On the other hand, the confidential information acquisition unit 64 does not acquire address information.

  The transmission information control unit 65 performs control to transmit the acquired confidential information as a response to the client 2. The second communication unit 53 transmits the acquired confidential information as a response to the client 2 (step S18).

  If NO in step S14 and NO in step S16, the confidential information is not transmitted to the client 2. In this case, the transmission information control unit 65 performs control to transmit, as a response, information indicating that the authentication has failed or information indicating confidential information with no browsing authority.

  Next, an example of display processing performed by the client 2 will be described with reference to the flowchart of FIG. The client processing unit 40 determines whether or not the client 2 has received a response from the management unit 4 (step S21).

  If no response has been received (NO in step S21), the process does not proceed to the next step. When the response is received (YES in step S21), the client processing unit 40 determines whether or not the received response indicates an authentication failure (step S22). If the response indicates that the authentication has failed (YES in step S22), the superimposing unit 46 superimposes a factor indicating that the authentication has failed as a character string on each confidential item column of the form data (step S22). S23).

  If the response indicates that the authentication is successful (YES in step S23), the client processing unit 40 determines whether or not confidential information is included in the response (step S24).

  If the response includes confidential information (YES in step S24), the storage control unit 43 stores the confidential information and the content as different information in the first storage unit 32 (step S25). For example, the storage control unit 43 stores the confidential information in a storage area different from the storage area in which the content is stored in the first storage unit 32.

  When a plurality of confidential information is received, the storage control unit 43 stores each confidential information in different storage areas of the first storage unit 32. Therefore, when the client 2 acquires a plurality of confidential information, the content and the plurality of confidential information are stored in different areas of the first storage unit 32, respectively.

  The response includes area information indicating an area for displaying confidential information in the content. The superimposing unit 46 superimposes confidential information on the content according to the viewing authority of the user (step S26). At this time, the superimposing unit 46 superimposes the confidential information on the confidential item column based on the area information included in the response.

  When there is confidential information that cannot be browsed by the user, the superimposing unit 46 superimposes a factor indicating that there is no viewing authority in the corresponding confidential item column (step S27). For example, when the user does not have the authority to view some confidential information among the plurality of confidential information, the confidential information is not superimposed on the confidential item column corresponding to the partial confidential information.

  On the other hand, there are cases where the user does not have the authority to view confidential information of all confidential items in the form data. In this case, even if the authentication in step S23 is successful, the response does not include confidential information (NO in step S25).

  In this case, the superimposing unit 46 superimposes a factor indicating that there is no viewing authority on all the secret item fields of the form data.

  The display control unit 48 displays confidential information or content on which the above factors are superimposed on the first screen unit 33 (step S28). As a result, when the response includes confidential information, the first screen unit 33 displays content including the confidential information.

<Others>
In the first embodiment, the client 2 acquires content that does not include confidential information, and acquires confidential information and superimposes it on the content when a content browsing operation is performed. Therefore, since it is not necessary to perform mask processing or the like on the content including confidential information, browsing control of confidential information included in the content can be facilitated.

  Further, the storage control unit 43 stores the content and the confidential information in the first storage unit 32 as different information. For this reason, for example, even if the content stored in the first storage unit 32 leaks to the outside, the content does not contain confidential information, so that the confidential information is protected.

  For example, even if the client 2 acquires content, the client 2 does not acquire confidential information until the engine is executed. During this time, even if the content stored in the first storage unit 32 of the client 2 leaks to the outside, the confidential information does not leak.

  In addition, when the storage control unit 43 acquires a plurality of confidential information, the storage control unit 43 stores the confidential information in different storage areas of the first storage unit 32. For this reason, for example, even if only the My Number leaks to the outside, it is not linked to other information by itself, so that the use of the My Number by a malicious third party can be avoided.

  However, from the viewpoint of protecting confidential information, when the input operation detecting unit 44 detects an operation for ending the display of content including confidential information, the storage control unit 43 stores the confidential information stored in the first storage unit 32. It may be deleted.

  In this case, every time the input operation detection unit 44 detects an operation for displaying content, the engine is executed, and the acquisition request unit 41 transmits a request for acquiring confidential information to the management server 3. Thereby, the confidential information is acquired every time the content is displayed on the first screen unit 33.

  Further, the confidential information acquisition unit 64 of the management unit 4 acquires confidential information from the database according to the user's browsing authority, and the transmission information control unit 65 receives the confidential information according to the user's browsing authority to the client 2. Control to send to.

  Therefore, the management unit 4 can control the confidential information transmitted to the client 2 among the confidential information corresponding to the plurality of confidential items included in the content according to the viewing authority of the user.

  The client 2 superimposes the acquired confidential information on content that does not include confidential information. For this reason, the client 2 can display contents of various secret patterns on the first screen unit 33 according to the confidential information transmitted by the management server 3.

  For example, it is assumed that the management server 3 transmits the name and my number among the confidential information corresponding to each of the plurality of confidential items included in the form data in accordance with the viewing authority of the user. In this case, on the first screen portion 33 of the client 2, the content on which the name and my number are superimposed is displayed.

  Further, it is assumed that the management server 3 transmits only my number according to the viewing authority of the user. In this case, on the first screen portion 33 of the client 2, the content on which only the My Number is superimposed is displayed.

  Accordingly, the first screen unit 33 of the client 2 may display a content having a pattern in which the name and my number are superimposed, or may display a content in which only the my number is superimposed.

  As the number of concealment items included in the content increases, the number of content concealment patterns (patterns displayed or hidden for each of a plurality of confidential information) also increases. Therefore, when the management unit 4 manages each secret pattern, the number of contents to be managed increases.

  For this reason, it is necessary for the management unit 4 to manage the contents of all the secret patterns according to the request from the client 2, and the management of the contents becomes complicated. Further, if the management unit 4 manages all the secret pattern contents, an increase in hardware resources to be used is caused.

  In this regard, in the first embodiment, the management unit 4 transmits confidential information corresponding to the viewing authority of the user to the client 2, and the client 2 displays the acquired confidential information superimposed on the content. For this reason, it is possible to avoid complication of content management and increase of hardware resources to be used.

  The security policy described above may be changed. When the security policy is changed, it is necessary to change the viewing authority of the user. In the first embodiment, the browsing authority changing unit 66 of the management unit 4 changes the browsing authority of the table of the browsing authority database 22. This makes it possible to change the viewing authority for the confidential information of the user.

  When the browsing authority of the browsing authority database 22 is changed, the management unit 4 transmits confidential information to the client 2 in accordance with the browsing authority of the user, so that the confidential information that can be browsed by the user of the client 2 also changes. . This allows flexible operation of the security policy.

  In the first embodiment described above, the area information of the confidential information superimposed on the form data is included in the response to the request transmitted to the management unit 4 when the client 2 executes the engine.

  By including the region information in the response, the superimposing unit 46 of the client 2 can superimpose confidential information in a range based on the region information in the form data. Thereby, the range of the confidential information to be superimposed on the form data can be arbitrarily changed for each response.

  In this regard, when the management unit 4 receives a content acquisition request from the client 2, the management unit 4 may include region information in the content. An example of the area information included in the content is shown in FIG.

  For example, it is assumed that the format of content (form data) is changed based on a predetermined rule. When the position of the confidential information superimposed on the content is changed due to the change of the content format, the area information included in the content is also changed.

  Accordingly, when the client 2 acquires the content (form data) after the format change, the area information has been changed, so the superimposing unit 46 superimposes confidential information on the form data at the position after the format change. can do.

  In addition, when requests and responses are repeated for the same content, if the response includes area information, the amount of communication increases according to the number of times the response is transmitted. On the other hand, when the area information includes the area information, the response does not include the area information, so the communication amount does not increase.

  The authentication unit 61 of the management unit 4 authenticates the authentication information included in the confidential information request. The authentication information includes detected device information as other authentication information. For example, the authentication unit 61 may perform authentication based on the network type and time information in addition to the ID and password.

  FIG. 14 shows an example of authentication based on the network type and time information. In the example of FIG. 14, the authentication unit 61 makes the authentication successful when the network type is “in-house network” and the time information is “working time”, otherwise, the authentication is performed. You may make it fail.

  Next, variations of authentication will be described. FIG. 15A shows an example of authentication variation A. The authentication variation A is an example of the above-described authentication, and the authentication unit 61 of the management unit 4 performs authentication.

  FIG. 15B shows an example of the authentication variation B. As described above, the content is an electronic file, and the content is displayed on the first screen unit 34 of the client 2 by the browsing application executed on the client 2. In FIG. 15, the browsing application is described as “browsing application”.

  Before the display control unit 47 displays the content on the first screen unit 33 based on the user's operation, the browsing application may request input of a password for browsing the content.

  When the client processing unit 40 determines that the password input by the first input unit 31 is a valid password, the browsing application may display the content on the first screen unit 33.

  In the case of the authentication variation B, since the authentication by the authentication unit 61 of the management unit 4 and the authentication by the browsing application executed by the client 2 are performed twice, the security strength is improved.

  FIG. 15C shows an example of the authentication variation C. In the authentication variation C, the engine executed by the client 2 performs authentication. In this case, the management unit 4 may not have an authentication function. Since the client 2 does not need to transmit authentication information to the management unit 4, the authentication information is not transmitted to the network between the client 2 and the management unit 4.

  FIG. 15D shows an example of the authentication variation D. The authentication variation D is an example in which an authentication device that performs authentication performs authentication. The authentication device is connected to a plurality of clients 2 and performs authentication processing for each client collectively. The authentication device is, for example, a device having a single sign-on (SSO) function. Also in the case of the authentication variation D, the management unit 4 does not have to have an authentication function.

  In the example described above, the engine is included in the content. Therefore, the engine is a program corresponding to the content. For this reason, regardless of the environment of the client 2 and the type of browsing application, when the engine is executed, confidential information corresponding to the content is acquired.

  Further, the information superimposed on the content may be information other than confidential information. For example, the content may be advertisement data, and the information superimposed on the content may be data on the content of the advertisement data.

  In this case, the client 2 can dynamically change the content of the advertisement data by acquiring the advertisement data, further acquiring information superimposed on the content, and superimposing the acquired information on the advertisement data. it can. Thereby, control of the content included in the advertisement data can be facilitated.

<Example of Second Embodiment>
Next, a second embodiment will be described. Since the management part 4 of 2nd Embodiment is the same as 1st Embodiment, description is abbreviate | omitted. FIG. 16 illustrates an example of functional blocks of the client 2 according to the second embodiment.

  In the client 2 of the second embodiment, a combining unit 48 is added to the client 2 of the first embodiment, and the superimposing unit 46 is omitted. The combining unit 48 combines the content stored in the first storage unit 32 and the confidential information. Content combined with confidential information becomes one electronic file.

  Generation of content in which confidential information is combined is one aspect of combining, and the combining unit 48 is an example of a combining unit. The content generated by the combining unit 48 (content combined with confidential information) is an example of combining result data.

  Next, an example of the processing flow of the second embodiment will be described. Since the request process shown in FIG. 10 and the server process shown in FIG. 11 are the same as those in the first embodiment, the description thereof is omitted.

  The display process in the second embodiment will be described using the example of FIG. The client processing unit 40 of the client 2 determines whether a response has been received (step S21). If no response has been received (NO in step S21), the process does not proceed to the next step.

  When the client 2 receives the response (YES in step S21), the client processing unit 40 determines whether or not the response indicates a failure of authentication (step S23). The processing from step S21 to step S23 is the same as in the first embodiment.

  When the response indicates failure of authentication (YES in step S23), the combining unit 48 combines the cause of the response failure in each secret item column (step S24-1).

  If the response indicates successful authentication (NO in step S23), the client processing unit 40 determines whether confidential information is included in the response (step S25). If the response includes confidential information (YES in step S25), the storage control unit 43 stores the confidential information and the content as different information (step S26).

  The synthesizing unit 48 synthesizes the content stored in the first storage unit 32 and the confidential information to generate synthesis result data (step S27-1). The confidential information stored in the first storage unit 32 is confidential information according to the viewing authority of the user. Therefore, the synthesizing unit 48 generates synthesis result data obtained by synthesizing confidential information according to the user's browsing authority with the content.

  When there is confidential information that cannot be browsed, the synthesizing unit 48 synthesizes a factor indicating that there is no browsing authority in the column of the confidential item corresponding to the confidential information that cannot be browsed (step S28-1). If the confidential information corresponding to all the confidential items of the content cannot be browsed, the confidential information is not included in the response (NO in step S25).

  In this case, the synthesizing unit 48 synthesizes a factor indicating that there is no viewing authority in all the secret item fields included in the content. In addition, instead of combining and outputting factors, the confidential information column corresponding to confidential information that cannot be browsed is left blank, or a character string such as an asterisk is output so that confidential information cannot be browsed. It is also good to make it.

  The display control unit 47 performs control to display the content combined with the confidential information by the combining unit 48 on the first screen unit 33. Thereby, the content including confidential information is displayed on the first screen section 33 (step S29).

  In the first embodiment described above, since the confidential information and the content are stored in the first storage unit 33 as different information, the confidential information is protected even if the content leaks outside.

  On the other hand, in the second embodiment, content in which confidential information is combined is stored in the first storage unit 33. Therefore, if the content in which the confidential information is combined flows out, it becomes difficult to protect the confidential information.

  Therefore, in the second embodiment, the client 2 may delete the content including confidential information stored in the first storage unit 32 in response to an operation for ending the display of the content. Specifically, for example, in step S29, content including confidential information is displayed on the first screen section 33.

  For example, the user uses the first input unit 31 to perform an operation for terminating the display of the content displayed on the first screen unit 33 (hereinafter referred to as a display end operation). The input operation detection unit 44 determines whether or not a display end operation has been detected (step S30).

  If the display operation is not detected by the input operation detection unit 44 (NO in step S30), the process does not proceed to the next step. That is, content including confidential information is continuously displayed on the first screen unit 33.

  When the display end operation is detected by the input operation detection unit 44 (YES in step S30), the storage control unit 43 deletes the content for which the display end operation has been performed from the first storage unit 32 (step S31).

  Accordingly, the content (synthesis result data) is deleted from the first storage unit 32 in response to the end of display. Thereby, protection of confidential information is achieved. When the client 2 displays the same content again on the first screen unit 33, the processes of FIGS. 10, 11, and 17 are performed.

  Next, variations of combining confidential information and content will be described. The combining unit 48 may combine the confidential information and the content using various methods. 18 and 19 illustrate the synthesis variation A. The combination variation A is an example in which confidential information and content are combined by adding and combining layers.

  In the example of FIG. 18, three layers of a content layer, a non-display layer, and a display layer are shown. The content layer is a content layer that does not include confidential information. The content layer that does not include confidential information is content (form data) that does not include confidential information.

  In the example of FIG. 18, three layers are illustrated together, but when a non-display layer is combined with a content layer, there is a content layer and a non-display layer in one content, and the content includes The display layer is not included. When a display layer is combined with a content layer, one content includes a content layer and a display layer, and the content does not include a non-display layer.

  The non-display layer is a layer for preventing confidential information from being displayed in the column of the secret item of the content. For example, in the example of FIG. 18, an asterisk column is described in a range (a range indicated by the region information) corresponding to the secret item (my number) column in the non-display layer.

  The display layer is a layer for displaying confidential information in the confidential item column of the content. For example, in the example of FIG. 18, the My Number is described in a range (range indicated by the region location method) corresponding to the column of the confidential item (My Number) in the display layer.

  By combining the non-display layer with the content layer, the combining unit 48 conceals the confidential information (my number) of the content. The combining unit 48 combines the non-display layer with the content layer, so that the content and the confidential information are combined. FIG. 19 shows an example when a display layer is combined with a content layer.

  Next, the synthesis variation B will be described. As described above, the content (form data) is an electronic file. For example, assume that a character string described in content is defined by definition information of an electronic file.

  In this case, the combining unit 48 may combine the content and the confidential information by rewriting the definition information (character string) of the electronic file with the confidential information. FIG. 20 shows an example of composition by rewriting definition information.

  Next, the synthetic variation C will be described. For example, it is assumed that a definition that can describe a character string in a range (confidential item column) indicated by region information is set in the content.

  In this case, the synthesizing unit 48 performs processing for describing the confidential information in the above range. For example, the synthesizing unit 48 performs a process of describing the My Number in the My Number column. Thereby, the confidential information and the content are synthesized.

  Next, the synthetic variation D will be described. For example, when a character string can be described in an arbitrary range of the content, the synthesis unit 48 performs a process of describing the acquired confidential information in the designated range.

  In this case, the user uses the first input unit 31 to specify a range in which confidential information is described in the content. The client processing unit 49 receives information in a specified range and performs processing for describing confidential information acquired in the range. Thereby, the confidential information and the content are synthesized.

  In the case of the synthetic variation C and the synthetic variation D, the confidential information synthesized by the synthesizing unit 48 may be rewritten by the user's operation. For this reason, it is preferable that rewriting of confidential information by a user's operation is restricted.

<Example of Third Embodiment>
Next, an example of the third embodiment will be described. In the third embodiment, the management server 3 combines the confidential information and the content, and the content combined with the confidential information is transmitted from the management server 3 to the client 2. Confidential information is an example of synthesis target data.

  In this case, it is conceivable that the content combined with the confidential information is managed by one database by the management server 3. If the content in which the confidential information is combined is managed by one database, the confidential information cannot be protected if the content of the database leaks to the outside.

  Therefore, the management server 3 manages the content and the confidential information individually by using a database that stores the content and a database that stores the confidential information as different databases. Further, when there are a plurality of confidential information included in the content, the management server 3 manages each confidential information by using different databases for storing the confidential information.

  For example, the first database group 5 of the management server 3 includes a content database 11, a my number database 12, a name database 13, and an address database 14. These databases are included in the management server 3 as individual databases.

  Of the information stored in the various databases of the first database group 5, the my number, name and address belong to confidential information. On the other hand, content is data that does not contain confidential information. Therefore, the management server 3 manages confidential information and content individually. Thereby, protection of confidential information is achieved.

  The content database 11 is an example of a first storage unit. In the first database group 5, each database (database storing confidential information) other than the content database 11 is an example of a second storage unit.

  In the first and second embodiments, the client 2 acquires confidential information from the management server 3 when the engine is executed after the content is acquired.

  In the third embodiment, confidential information is combined with content acquired by the client 2. Therefore, the client 2 does not acquire confidential information after content acquisition. The content does not include an engine.

  Details of the third embodiment will be described below. FIG. 21 shows an example of a functional block diagram of the management unit 4. The management unit 4 in FIG. 21 has a composition unit 48 added to the management unit 4 in FIG. Each unit other than the synthesis unit 48 in FIG. 21 is the same as the management unit 4 in FIG. 3.

  The synthesizing unit 48 is the same as that in the second embodiment described above, and synthesizes content and confidential information to generate synthesis result data. The synthesizing unit 48 may synthesize the content and the confidential information using any synthesis variation described in the second embodiment.

  The transmission information control unit 65 illustrated in FIG. 21 is an example of a control unit. The transmission information control unit 65 controls whether the content combined with the confidential information is transmitted to the client 2 or the content not combined with the confidential information is transmitted to the client 2 based on the determination result of the determination unit 62.

  For example, it is assumed that the client 2 operated by a user with browsing authority and the client 2 operated by a user without browsing authority have accessed the management server 3. The transmission information control unit 65 controls the client 2 operated by a user having browsing authority to transmit the content combined with the confidential information to the client 2. On the other hand, the transmission information control unit 65 controls the client 2 operated by a user having no browsing authority to transmit content to which the confidential information is not combined to the client 2.

  FIG. 22 shows an example of a functional block diagram of the client 2. In the client 2 in the example of FIG. 22, the superimposing unit 46 is omitted from the client 2 shown in FIG. Each part of FIG. 22 is the same as each part of the client 2 of FIG.

  FIG. 23 shows an example of the browsing authority database 22. In the browsing authority database 22 of FIG. 23, items of “printability” and “copyability” are added to the respective items of the browsing authority database 22 of FIG. The browsing authority is an example of access authority.

  The browsing authority changing unit 66 changes the browsing authority for each form type ID stored in the browsing authority database 22 based on, for example, an input operation by the administrator. Further, the viewing authority changing unit 66 also changes authority such as whether printing is possible and whether copying is possible.

  The printability indicates whether printing is possible or impossible for each form type ID. The copy permission / inhibition indicates whether printing is possible or impossible for each form type ID. The browsing authority database 22 may include other items.

  Next, the process flow of the third embodiment will be described. FIG. 24 shows an example of processing performed by the client 2. The acquisition request unit 41 performs control to transmit a request for requesting content. This request includes a form identification ID, authentication information, user information, and the like. The first communication unit 34 transmits a request to the management server 3 (step S41).

  The client processing unit 40 determines whether or not the content combined with the confidential information is received as a response from the management server 3 (step S42). If no response has been received (NO in step S42), the process does not proceed to the next step.

  When the response is received (YES in step S42), the storage control unit 43 stores the content including confidential information in the first storage unit 32 (step S43). The display control unit 47 displays the content including the confidential information stored in the first storage unit 32 on the first screen unit 33 (step S44).

  The input operation detection unit 44 determines whether or not a display end operation has been detected (step S45). If the display end operation is not detected (NO in step S45), the process does not proceed to the next step.

  When a display end operation is detected (YES in step S45), the storage control unit 43 deletes confidential information stored in the first storage unit 32 (step S46).

  Next, processing performed by the management server 3 will be described with reference to the flowchart of the example of FIG. The server processing unit 60 determines whether the second communication unit 53 has received a request from the client 2 (step S51). If a request has not been received (NO in step S51), the process does not proceed to the next step.

  When the request is received (YES in step S51), the content acquisition unit 63 acquires the content corresponding to the request from the content database 11 from the content database 11 (step S52).

  The authentication unit 61 authenticates the request based on the authentication information included in the request (step S53). If the authentication fails (NO in step S54), the composition unit 48 synthesizes a factor indicating that the authentication has failed in the respective secret item column of the acquired content (step S55). Instead of combining the factors, the content concealment item column may be blank or an asterisk.

  When the authentication is successful (YES in step S54), the determination unit 62 recognizes the form identification ID and the user information included in the request (step S56).

  The determination unit 62 refers to the browsing authority database 22 and determines whether or not there is a browsing authority based on the form type ID specified by the form identification ID and the user information (step S57).

  If there is a viewing authority (YES in step S57), the confidential information acquisition unit 64 acquires confidential information corresponding to the content from the database storing the confidential information in the first database group 5 (step S58).

  The synthesizer 48 synthesizes the acquired confidential information with the content (step S59). There may be a plurality of confidential information in the content, and there may be confidential information that cannot be browsed among the plurality of confidential information. In this case, the synthesizing unit 48 synthesizes a factor indicating that the user has no viewing authority in the content secret item column (step S60). Instead of combining the factors, the content concealment item column may be blank or an asterisk.

  In some cases, the user does not have the authority to browse all confidential information of the content (NO in step S57). In this case, the synthesizing unit 48 synthesizes a factor indicating that there is no viewing authority in all the secret item columns of the content.

  The transmission information control unit 65 transmits the content combined with the confidential information as a response to the client 2 (step S61).

  Next, referring to FIG. 26, the browsing authority changing process will be described. In the first to third embodiments, the browsing authority of the browsing authority database 22 can be changed. The server processing unit 4 uses the second input unit 51 to determine whether or not a browsing authority change operation has been accepted (step S71).

  When the browsing authority changing operation is not accepted (NO in step S71), the browsing authority changing process does not proceed to the next step. When a browsing authority changing operation is received (YES in step S71), the browsing authority changing unit 66 changes the browsing authority of the browsing authority database 22 (step S72).

  Thereby, the browsing authority of the confidential information of a content is changed for every user. The browsing authority changing unit 66 may change, for example, whether printing is possible or whether copying is possible.

  Therefore, in the third embodiment, the synthesizing unit 48 synthesizes confidential information according to the viewing authority with the content. For this reason, since it is not necessary to perform mask processing or the like on content including confidential information, browsing control of confidential information included in the content can be facilitated.

  In the management server 3, the content database 11 and the database in which confidential information is stored are managed as different databases. Therefore, even if the content stored in the content database 11 leaks to the outside, the confidential information can be protected.

  In the third embodiment, the management server 3 may include authority information such as whether printing is possible or whether copying is possible in the response, and may send it to the client 2. Since the client 2 acquires content including confidential information from the management server 3, the copy operation and the print operation may be restricted based on the authority information included in the response. Thereby, the security strength is improved.

<Example of client hardware configuration>
Next, an example of the hardware configuration of the client 2 will be described with reference to the example of FIG. As shown in the example of FIG. 27, a processor 111, a RAM 112, a ROM 113, an auxiliary storage device 114, a medium connection unit 115, a communication interface 116, and an input / output interface 117 are connected to the bus 100. In FIG. 27, the interface is abbreviated as “IF”.

  The processor 111 is an arbitrary processing circuit. The processor 111 executes a program expanded in the RAM 112. As a program to be executed, a program (data browsing control program) that performs the processing of the embodiment may be applied. The ROM 113 is a non-volatile storage device that stores programs developed in the RAM 112.

  The auxiliary storage device 114 is a storage device that stores various types of information. For example, a hard disk drive or a semiconductor memory may be applied to the auxiliary storage device 114. The medium connection unit 115 is provided so as to be connectable to the portable recording medium 119.

  As the portable recording medium 119, a portable memory or an optical disc (for example, Compact Disc (CD), Digital Versatile Disc (DVD), etc.) may be applied. A program for performing the processing of the embodiment may be recorded on the portable recording medium 119.

  The input / output interface 117 is an interface for inputting / outputting data between an external device (for example, a keyboard 117A, a mouse 117B, a display 117C, etc.) and the client processing unit 40.

  Among the clients 2, the client processing unit 40 may be realized by the processor 111 executing a given data browsing control program. The first input unit 31 may be realized by a keyboard 117A, a mouse 117B, or the like.

  The first screen unit 33 may be realized by the display 117C. The first communication unit 34 may be realized by the communication interface 116.

  The RAM 112, the ROM 113, the auxiliary storage device 114, and the portable recording medium 119 are all examples of a tangible storage medium that can be read by a computer. These tangible storage media are not temporary media such as signal carriers.

<Example of management server hardware configuration>
Next, an example of the hardware configuration of the management server 3 will be described with reference to the example of FIG. As shown in the example of FIG. 28, a processor 211, a RAM 212, a ROM 213, an auxiliary storage device 214, a medium connection unit 215, a communication interface 216, and an input / output interface 217 are connected to the bus 200. Various databases are connected to the bus 200.

  The processor 211 is an arbitrary processing circuit. The processor 211 executes the program expanded in the RAM 212. As a program to be executed, a program for performing the processing of the embodiment may be applied. The ROM 213 is a non-volatile storage device that stores programs developed in the RAM 212.

  The auxiliary storage device 214 is a storage device that stores various types of information. For example, a hard disk drive, a semiconductor memory, or the like may be applied to the auxiliary storage device 214. The medium connection unit 215 is provided so as to be connectable to the portable recording medium 219.

  As the portable recording medium 219, a portable memory or an optical disc (for example, Compact Disc (CD), Digital Versatile Disc (DVD), etc.) may be applied. A program for performing the processing of the embodiment may be recorded on the portable recording medium 219.

  The input / output interface 217 is an interface for inputting / outputting data between an external device (for example, a keyboard 217A, a mouse 217B, a display 217C, etc.) and the server processing unit 60.

  In the management server 3, the client processing unit 40 may be realized by the processor 211 executing a given program. The second input unit 51 may be realized by a keyboard 217A, a mouse 217B, or the like.

  The second screen unit 52 may be realized by the display 217C. The second communication unit 53 may be realized by the communication interface 216.

  The RAM 212, the ROM 213, the auxiliary storage device 214, and the portable recording medium 219 are all examples of a tangible storage medium that can be read by a computer. These tangible storage media are not temporary media such as signal carriers.

<Others>
The present embodiment is not limited to the above-described embodiment, and various configurations or embodiments can be taken without departing from the gist of the present embodiment.

DESCRIPTION OF SYMBOLS 1 System 2 Client 3 Management server 4 Management part 11 Content database 12 My number database 13 Name database 14 Address database 21 Content classification database 22 Viewing authority database 23 Secret item database 24 Form item database 40 Client processing part 41 Acquisition request part 42 Authentication information Input request unit 43 Storage control unit 44 Input operation detection unit 45 Device information detection unit 46 Superimposition unit 47 Display control unit 48 Composition unit 60 Server processing unit 61 Authentication unit 62 Determination unit 63 Content acquisition unit 64 Confidential information acquisition unit 65 Transmission information control Unit 66 Browsing authority changing unit 111, 211 Processor 112, 212 RAM
113, 213 ROM

Claims (12)

A data browsing control program included in document data,
On the computer,
Make a request for authentication information,
A request including the input authentication information and identification information for identifying the document data is transmitted to the server device;
Receiving a response sent from the server device that received the request;
When the response indicates that the authentication based on the input authentication information has failed, the authentication failure information indicating that the authentication has failed and the document data are combined and displayed on the display unit ,
If the response indicates that the authentication based on the input authentication information has succeeded and includes information corresponding to the document data identified by the identification information , the response corresponds to the document data. Information and the document data are combined and displayed on the display unit;
The response indicates that the authentication based on the input authentication information has succeeded, and the right to view the information corresponding to the document data is given to the authentication target specified by the input authentication information. In the case where it is indicated that the document data is combined with the authority error information indicating that there is no viewing authority for the information corresponding to the document data, and displayed on the display unit ,
A data browsing control program characterized by causing processing to be executed. The combination of the information corresponding to the document data and the document data is a process of superimposing the information corresponding to the document data on the document data and displaying the information on the display unit.
The data browsing control program according to claim 1. In the computer,
In the process of performing the input request, the authentication information input request is made in response to detection that the browsing operation of the document data has been performed.
The data browsing control program according to claim 1 or 2, wherein the processing is executed. The viewing authority can be changed respectively.
The data browsing control program according to claim 1 . In addition to the computer,
Storing the document data and information corresponding to the document data as different information in a storage unit;
The data browsing control program according to any one of claims 1 to 4, wherein a process is executed. In the computer,
In the synthesis of the corresponding information to the document data in the document data, it generates the composite result data obtained by synthesizing the corresponding information to the document data in the document data,
The data browsing control program according to claim 1, wherein the process is executed. In the computer,
In the process of combining and displaying the information corresponding to the document data and the document data, the combining result data is displayed on the display unit,
In response to detecting an operation to end the display of the synthesis result data, the synthesized result data is deleted.
The data browsing control program according to claim 6, wherein the process is executed. A data browsing control method in which a computer executes a data browsing control program included in document data,
Make a request for authentication information,
A request including the input authentication information and identification information for identifying the document data is transmitted to the server device;
Receiving a response sent from the server device that received the request;
When the response indicates that the authentication based on the input authentication information has failed, the authentication failure information indicating that the authentication has failed and the document data are combined and displayed on the display unit ,
If the response indicates that the authentication based on the input authentication information has succeeded and includes information corresponding to the document data identified by the identification information , the response corresponds to the document data. Information and the document data are combined and displayed on the display unit;
The response indicates that the authentication based on the input authentication information has succeeded, and the right to view the information corresponding to the document data is given to the authentication target specified by the input authentication information. In the case where it is indicated that the document data is combined with the authority error information indicating that there is no viewing authority for the information corresponding to the document data, and displayed on the display unit ,
A data browsing control method characterized by the above. A data browsing control device that executes a data browsing control program included in document data,
An input request unit for requesting input of authentication information;
A transmission unit for transmitting a request including the input authentication information and identification information for identifying the document data to the server device;
A receiving unit that receives a response sent from the server device that has received the request;
If the response indicates that the authentication based on the input authentication information has failed, the authentication failure information indicating that the authentication has failed and the document data are combined and displayed on the display unit ,
If the response indicates that the authentication based on the input authentication information has succeeded and includes information corresponding to the document data identified by the identification information , the response corresponds to the document data. Information and the document data are combined and displayed on the display unit;
The response indicates that the authentication based on the input authentication information has succeeded, and the right to view the information corresponding to the document data is given to the authentication target specified by the input authentication information. If the document data is not displayed, the document data is combined with authority error information indicating that there is no viewing authority for the information corresponding to the document data and is displayed on the display unit.
A control unit ;
A data browsing control device comprising: A data browsing control program included in document data,
On the computer,
Make a request for authentication information,
A request including the input authentication information and identification information for identifying the document data is transmitted to the server device;
Receiving a response sent from the server device that received the request;
If the response indicates that the authentication based on the input authentication information has failed, the display unit displays data generated in a manner corresponding to the authentication failure information indicating that the authentication has failed. Displayed on the
If the response indicates that the authentication based on the input authentication information has succeeded and includes information corresponding to the document data identified by the identification information, the response corresponds to the document data. Information and the document data are combined and displayed on the display unit;
The response indicates that the authentication based on the input authentication information has succeeded, and the right to view the information corresponding to the document data is given to the authentication target specified by the input authentication information. If it is indicated that the document data is not displayed, data generated in a manner corresponding to authority error information indicating that the document data has no viewing authority for information corresponding to the document data is displayed on the display unit. ,
A data browsing control program characterized by causing processing to be executed. A data browsing control method in which a computer executes a data browsing control program included in document data,
Make a request for authentication information,
A request including the input authentication information and identification information for identifying the document data is transmitted to the server device;
Receiving a response sent from the server device that received the request;
If the response indicates that the authentication based on the input authentication information has failed, the display unit displays data generated in a manner corresponding to the authentication failure information indicating that the authentication has failed. Displayed on the
If the response indicates that the authentication based on the input authentication information has succeeded and includes information corresponding to the document data identified by the identification information, the response corresponds to the document data. Information and the document data are combined and displayed on the display unit;
The response indicates that the authentication based on the input authentication information has succeeded, and the right to view the information corresponding to the document data is given to the authentication target specified by the input authentication information. If it is indicated that the document data is not displayed, data generated in a manner corresponding to authority error information indicating that the document data has no viewing authority for information corresponding to the document data is displayed on the display unit. ,
A data browsing control method characterized by the above. A data browsing control device that executes a data browsing control program included in document data,
An input request unit for requesting input of authentication information;
A transmission unit for transmitting a request including the input authentication information and identification information for identifying the document data to the server device;
A receiving unit that receives a response sent from the server device that has received the request;
If the response indicates that the authentication based on the input authentication information has failed, the display unit displays data generated in a manner corresponding to the authentication failure information indicating that the authentication has failed. Displayed on the
If the response indicates that the authentication based on the input authentication information has succeeded and includes information corresponding to the document data identified by the identification information, the response corresponds to the document data. Information and the document data are combined and displayed on the display unit;
The response indicates that the authentication based on the input authentication information has succeeded, and the right to view the information corresponding to the document data is given to the authentication target specified by the input authentication information. If it is indicated that the document data is not displayed, the display unit displays data generated in a manner corresponding to authority error information indicating that the document data has no viewing authority for information corresponding to the document data.
A control unit;
A data browsing control device comprising:

Images