JP6565497B2 - Information processing apparatus and program - Google Patents

Description

  The present invention relates to an information processing apparatus and a program.

The security setting proposal server described in Patent Document 1 collects security parameters together with user information including demographic information such as age and technical proficiency from a plurality of user terminals, and stores the statistical information in a security set statistical database. Remember. When a security setting proposal request is received together with user information from another user terminal, a security set that is a combination of similar user security parameters is extracted, and a recommended security set is proposed together with statistical information.
The information processing apparatus described in Patent Document 2 selects a profile corresponding to the use location and the current time from the stored profile group, and performs operations related to the security of the information processing apparatus based on the selected profile. Set the environment (file access rights, specific file encryption, network service settings, browser security, virus checker security, specific application startup prohibition).

JP 2014-238675 A JP 2006-127293 A

Patent Documents 1 and 2 disclose an optimal security profile setting method according to each individual. In general, when sharing information in a situation where different security profiles are set for each individual, it is not possible to easily change the security profile due to internal policies, etc. We had to decide how to share information after considering security profiles.
An object of the present invention is to provide common information to a plurality of users in consideration of security profiles respectively set for the plurality of users.

The invention according to claim 1 is a common means for the plurality of users, and means for generating temporary security profiles by integrating security profiles for controlling the security operation of the system respectively set for the plurality of users. When the information is provided, an information processing apparatus is provided that includes display control means for controlling the terminal to display the providing means corresponding to the temporary security profile generated by the generating means.
According to a second aspect of the present invention, in the information processing apparatus according to the first aspect, the display control unit controls the terminal so as to display the providing unit determined according to position information of the plurality of users. .
According to a third aspect of the present invention, in the information processing apparatus according to the second aspect, the display control means displays the providing means determined according to whether the plurality of users are at the same base or a plurality of bases. To control the terminal.
According to a fourth aspect of the present invention, in the information processing apparatus according to the first aspect, the display control unit controls the terminal so as to display the providing unit determined according to the common information.
According to a fifth aspect of the present invention, in the information processing apparatus according to the fourth aspect, the display control means controls the terminal to display the providing means determined according to the size of the common information.
The invention according to claim 6 is the information processing apparatus according to claim 4 or 5, wherein the display control unit controls the terminal to display the providing unit determined according to the format of the common information. To do.
The invention according to claim 7 is the information processing apparatus according to any one of claims 1 to 6, wherein the security profiles respectively set for the plurality of users are permitted or prohibited for each of the plurality of providing means. Is set, and the generation unit generates the temporary security profile by a logical product of the setting values for each providing unit.
The invention according to claim 8 is the information processing apparatus according to any one of claims 1 to 6, wherein the security profile set for each of the plurality of users is permitted or prohibited for each of the plurality of providing means. Is set, and the generating unit totals the setting values for each providing unit, and generates the temporary security profile based on the tabulated values.
The invention according to claim 9 comprises a generating means for generating a temporary security profile by integrating a security profile for controlling a security operation of a system, which is set for each of a plurality of users, and the plurality of the plurality of users. When providing common information to a user, a program is provided for causing a function to serve as a display control unit for controlling a terminal to display a providing unit corresponding to a temporary security profile generated by the generating unit.

According to the first and ninth aspects of the present invention, common information can be provided to a plurality of users in consideration of security profiles respectively set for the plurality of users.
According to the invention which concerns on Claim 2, a provision means can be varied according to the distance between users.
According to the invention which concerns on Claim 3, a provision means can be varied according to whether one or more bases are provided.
According to the invention which concerns on Claim 4, according to the information to provide, a provision means can be varied.
According to the invention which concerns on Claim 5, a provision means can be varied according to the size of the information to provide.
According to the invention which concerns on Claim 6, a provision means can be varied according to the format of the information to provide.
According to the invention which concerns on Claim 7, the provision means which is not prohibited can be selected.
According to the eighth aspect of the present invention, it is possible to reduce the possibility that the providing means cannot be determined as compared with a case where a temporary security profile is generated without counting the set values.

The figure which shows the whole system which concerns on embodiment. The figure which shows the hardware constitutions of the server. The figure which shows the hardware constitutions of the terminal 2. FIG. The figure which shows an evaluation criteria table. The figure which shows the security profile set to each user. The figure which shows the address book displayed on the terminal 2. FIG. The flowchart of operation | movement of the terminal 2 and the server 1. FIG. The figure which shows a group creation screen. The figure which shows group information. The figure which shows the group information with which group ID was linked | related. The figure which shows an acquisition information table. The figure which shows a profile table. The figure which shows the integration result of a security profile. The figure which shows a score calculation table. The figure which shows the evaluation criteria table according to the extension and size of a file.

The present invention relates to so-called mobile device management in which a security profile is set for each terminal. The security profile is a set value that is set to control the security operation of the system, such as a password validity period and a right granted to the user. Hereinafter, an example of an embodiment of the present invention will be described.
FIG. 1 is a diagram illustrating an entire system according to an embodiment. Server 1 and terminal 2 are connected to communication network 3. The communication network 3 may be any network such as a LAN (Local Area Network), the Internet, or a mobile communication network, or may be configured by a combination thereof. The LAN may be a wired LAN or a wireless LAN. The number of terminals 2 connected to the communication network 3 is not limited. The alphabet added to the code | symbol of the terminal 2 represents the user who uses the terminal. For example, the terminal 2A is a terminal used by the user A. The users A, B, C... Are employees of the same company, for example. When there is no need to distinguish between the terminals 2A, 2B, 2C,.

  FIG. 2 is a diagram illustrating a hardware configuration of the server 1. The server 1 is an example of an information processing apparatus according to the present invention. The server 1 includes a control unit 11, a storage unit 12, and a communication unit 13. The control unit 11 includes an arithmetic device such as a CPU (Central Processing Unit) and a storage device such as a ROM (Read Only Memory) and a RAM (Random Access Memory). The ROM stores firmware that describes the startup procedure of hardware and an OS (Operating System). The RAM is used for storing data when the CPU executes an operation. The storage unit 12 includes, for example, a hard disk device, and stores an OS, application programs, and the like. The communication unit 13 includes a communication I / F (Interface) for communicating with the terminal 2 via the communication network 3. A display device 14 and a receiving device 15 are connected to the server 1. The display device 14 includes a liquid crystal display device, for example, and displays a screen or the like for the operator to operate the server 1. The receiving device 15 includes, for example, a keyboard and a mouse, receives an operation performed by the operator, and outputs information corresponding to the operation to the control unit 11.

  FIG. 3 is a diagram illustrating a hardware configuration of the terminal 2. The terminal 2 is a smartphone, a mobile phone, a tablet, a personal computer, or the like. The terminal 2 includes a control unit 21, a storage unit 22, a communication unit 23, a display unit 24, a reception unit 25, and a position information acquisition unit 26. The control unit 21 includes an arithmetic device such as a CPU and a storage device such as a ROM and a RAM. The ROM stores firmware that describes hardware and OS startup procedures. The RAM is used for storing data when the CPU executes an operation. The storage unit 22 includes, for example, a semiconductor memory and a hard disk device, and stores an OS, an application program, and the like. The communication unit 23 includes a communication I / F for communicating with the server 1 via the communication network 3. The display unit 24 includes, for example, a liquid crystal display device, and displays a screen for the operator to operate the terminal 2. The receiving unit 25 includes, for example, a touch panel and a keypad, receives an operation performed by the operator, and outputs information corresponding to the operation to the control unit 21. In the case where the terminal 2 is a personal computer, a display device having the function of the display unit 24 and a reception device having the function of the reception unit 25 may be connected to the terminal 2 in the same manner as the server 1. The position information acquisition unit 26 receives a signal transmitted from, for example, a navigation satellite, and acquires the position information of the own terminal by calculating the position of the own terminal based on the received signal.

  FIG. 4 is a diagram illustrating an evaluation criterion table. The storage unit 12 of the server 1 stores an evaluation criterion table in advance. In this embodiment, common information (hereinafter referred to as common information) is provided to a plurality of users designated as users included in the group. The evaluation criteria table is a table showing evaluation values of providing means for providing common information to the user.

  In the present embodiment, “paper”, “Web browsing (external server)”, “mail”, “Web browsing (internal server)”, and “USB” are shown as providing means. “Paper” refers to providing a user with paper on which common information is printed. “Web browsing (external server)” refers to downloading common information from a Web server provided outside the company to which the users A, B, C. “Mail” refers to sending an electronic mail with common information attached to a user terminal. “Web browsing (in-house server)” refers to downloading common information to a user terminal from a web server provided in the company. “USB” refers to providing a user with a USB (Universal Serial Bus) memory in which common information is stored.

  In this embodiment, evaluation values of “safety”, “convenience (same base)”, and “convenience (multiple bases)” are associated with each providing means. Every item has a higher evaluation value as the evaluation value is higher. The illustrated evaluation value is merely an example, and an evaluation value different from this example may be set in the evaluation reference table.

  “Safety” indicates safety against information leakage. Specifically, it indicates the difficulty of users outside the group acquiring common information provided to a plurality of users included in the group. The higher the difficulty, the higher the safety against information leakage.

  “Convenience” indicates, for example, the amount of work for providing common information to a plurality of users included in a group. The content of the work for providing the common information varies depending on the providing means. For example, when the providing means is “paper”, an operation of printing the common information on paper and distributing it to the user occurs. In the case of “Web browsing”, an operation for instructing the user of the URL of the storage location of the common information or an operation for the user to operate the browser according to the instruction occurs. In the case of “mail”, work for attaching common information to an email and sending it to the user, work for opening the email by the user, and the like occur. In the case of “USB”, an operation of copying the common information to the USB memory and distributing it to the user, an operation of displaying the common information by connecting the USB memory to the terminal, and the like occur. “Convenience (same base)” is convenience when a plurality of users included in the group are all at the same base. “Convenience (multiple locations)” is convenience when a plurality of users included in a group are distributed in a plurality of locations. The “base” is, for example, a room such as a conference room.

  Next, the concept of the evaluation value will be described using an example of convenience (multiple locations). When the providing means is “paper” or “USB”, there is an operation in which a provider of common information goes to a plurality of bases to distribute common information, or a user comes to receive common information from a plurality of bases. . On the other hand, when the providing unit is “mail”, the work of moving between the bases by the provider and the user does not occur. Therefore, the convenience is higher than when the providing unit is “paper” or “USB”. When the providing means is “Web browsing (external server)” or “Web browsing (internal server)”, an email with a URL or the like may be transmitted to the user's terminal. Is equivalent to However, since the work for the user to operate the browser occurs, the amount of work for the user increases as compared with the case of opening the e-mail. Therefore, when the providing means is “Web browsing (external server)” or “Web browsing (internal server)”, the convenience is lower than that of “mail”.

  FIG. 5 is a diagram showing a security profile set for each user. In the figure, (a), (b), and (c) are security profiles of user A, user B, and user C, respectively. A security profile is set for each user. The storage unit 22 of the terminal 2 stores in advance a security profile set for a user who uses the terminal, and the control unit 21 of the terminal 2 limits the functions of the terminal 2 according to the stored security profile.

  The security profile associates user information with setting values related to function restrictions. The user information is information for identifying the user, and is a mail address in this example. The user information may be a terminal IP address or a user ID. The setting value related to the function restriction is a value representing permission or prohibition of use of the function or the degree of function restriction. In this example, setting values related to function restrictions are set for each function of “mail setting”, “Web filtering setting”, “printer setting”, and “USB setting”.

  “Mail setting” is a setting value related to restrictions on sending and receiving of e-mail. “Web filtering setting” is a setting value related to a restriction on a function that prohibits browsing of a specified Web page. “Printer setting” is a setting value relating to the restriction of the function of printing a file with a printer. “USB setting” is a setting value related to the limitation of the connection of the USB memory. In this example, “Allow” or “Prohibit” is set as the setting value for each function. However, for example, only the reception of e-mails from a specific sender is permitted. May be set.

  FIG. 6 is a diagram showing an address book displayed on the terminal 2. The terminal 2 has an address book function for storing the mail addresses of the own terminal and other terminals. This example is an example of the address book of the terminal 2A used by the user A. In addition to the user A, mail addresses of the users B, C, D, E,.

  FIG. 7 is a flowchart of the operation of the terminal 2 and the server 1. The server 1 is installed with an application program for realizing a function for determining providing means. The control unit 11 of the server 1 executes this application program and stands by in preparation for receiving information from the terminal 2. User A is an information provider in charge of providing materials used in the conference. The document is an example of the common information described above. Users B and C are participants who participate in this conference.

<Step S201>
User A installs an agent on terminal 2A. Specifically, the user A activates the browser of the terminal 2A, accesses a known website, and installs the agent. The agent is an application program for causing the terminal 2 to realize a function of acquiring a security profile set in the terminal 2 and transmitting it to the server. The following operation of the terminal 2 is realized by the control unit 21 of the terminal 2 executing the agent.

  User A instructs user B and user C to install the agent. User B and user C install agents in terminal 2B and terminal 2C, respectively, according to the instructions. When the agent is installed, the control unit 21 of each terminal 2 starts the execution of the agent and causes the display unit 24 to display the agent menu screen (not shown).

<Step S202>
When the user A selects a group creation menu (not shown) on the agent menu screen, the control unit 21 causes the display unit 24 to display the group creation screen.
FIG. 8 shows a group creation screen. This screen is a screen in which widgets such as check boxes are arranged for each address in the address book screen. User A designates a user who provides materials (in this example, user A, user B, and user C) using check boxes, and operates a “create group” button. Note that user B and user C stand by without performing a group creation operation. The control units 21 of the terminal 2B and the terminal 2C stand by with the menu screen displayed.

<Step S203>
The control unit 21 of the terminal 2A generates group information.
FIG. 9 is a diagram illustrating group information. This information is information indicating the mail address of the user designated by the user A in step S202. Further, a flag indicating that the user A is a group creator is associated with the mail address of the user A. The group ID is information for identifying the created group, but the group ID is undecided at this point. The control unit 21 of the terminal 2A transmits the generated group information to the server.

<Step S101>
The server 1 receives group information from the terminal 2A.

<Step S102>
The control unit 11 of the server 1 issues a group ID for identifying the group indicated by the received group information, and transmits this group ID to all the terminals 2 included in the group information. In this example, group ID = α. Since the server 1 also determines providing means in other groups, it is necessary to identify the groups. A group ID is used for this identification.

<Step S204>
The control unit 21 of each terminal 2 receives the group ID from the server 1. The control unit 21 of the terminal 2A associates the received group ID with the group information generated in step S203. The control units 21 of the terminals 2B and 2C that have received the group ID store the received group ID.
FIG. 10 is a diagram illustrating group information associated with a group ID.

<Step S205>
The control unit 21 of each terminal 2 acquires information at a determined timing. For example, after the agent is installed, the control unit 21 waits for a predetermined time and periodically acquires information after the end of the waiting. Information acquired by the control unit 21 of each terminal 2 is a group ID, a security profile, and position information. The group ID is the group ID received from the server in step S204. The security profile is a security profile stored in the storage unit 22 in advance. The position information is position information acquired by the position information acquisition unit 26.

<Step S206>
The control unit 21 of each terminal 2 transmits the information acquired in step S205 to the server 1.

<Step S103>
The control unit 11 of the server 1 receives the information transmitted from each terminal 2 and creates an acquisition information table and a profile table using the received information.

  FIG. 11 shows an acquisition information table. This table is a table in which the mail address, group ID, security profile, and position information of each terminal 2 are associated. Here, the control unit 11 generates a profile ID for identifying the security profile of each terminal 2, and writes the profile ID in the security profile column of the acquisition information table.

  FIG. 12 is a diagram showing a profile table. This table is a table showing details of the security profile corresponding to each profile ID.

<Step S104>
The control unit 11 of the server 1 identifies users belonging to the group based on the acquisition information table. In this example, users A, B, and C are specified as users belonging to the group α.

<Step S105>
The control unit 11 of the server 1 generates a temporary security profile by integrating the group security profiles (an example of a generation unit). Specifically, it is as follows.
FIG. 13 is a diagram illustrating a security profile integration result. Integration of security profiles is performed by the logical product of setting values (permitted or prohibited) for each function. For example, according to the profile table, the setting values of the “mail settings” for the users A, B, and C are permission, permission, and prohibition, respectively, and logical product is prohibited.

<Step S106>
The control unit 11 of the server 1 selects a convenience evaluation value. Specifically, it is as follows. In the case of the group α, since the user A is a group creator, the same base and a plurality of bases are determined for the users B and C based on the distance centered on the position of the user A. The same base is a case where the position of a user other than the group creator is, for example, less than 100 meters in radius from the position of the group creator. A plurality of locations is a case where the position of a user other than the group creator is, for example, a radius of 100 meters or more from the group creator position.

  Next, when there is no user determined as a plurality of bases among users other than the group creator, a setting value of “convenience (same base)” is selected from the evaluation criterion table (see FIG. 4). On the other hand, when there is at least one user determined as a plurality of bases among users other than the group creator, a setting value of “convenience (multiple bases)” is selected from the evaluation criterion table. In the example of FIG. 11, since the position information of the users B and C is the same as the position information of the user A, both the users B and C are determined to be the same base. Therefore, the evaluation value of “convenience (same base)” is selected.

<Step S107>
The control unit 11 of the server 1 determines providing means according to the temporary security profile generated by integrating the group security profiles. Specifically, it is as follows.
FIG. 14 is a diagram showing a score calculation table. The score calculation table is a table that associates safety evaluation values, evaluation values of convenience (convenience selected in step S106), security profile integration results (see FIG. 13), and scores for each providing means. The score is calculated as follows.

  First, the control unit 11 extracts providing means whose security profile integration result is permission. In this example, “paper” and “USB” are extracted. Next, the control part 11 calculates a score from the product of both from safety and convenience, for example. In the case of “paper”, 10 (safety) × 5 (convenience) = 50 (score), and in the case of “USB”, 8 (safety) × 1 (convenience) = 8 (score). And the control part 11 selects the provision means used as the highest score among the calculated scores. In this example, “paper” is selected.

<Step S108>
The control unit 11 of the server 1 notifies the providing unit to the control unit 21 of the terminal 2 in order to display the providing unit on the terminal 2. Specifically, the control unit 11 of the server 1 transmits information indicating that “paper” is optimal to each terminal 2 by the providing unit.

<Step S207>
The control unit 21 of each terminal 2 causes the display unit 24 to display information indicating the providing unit. For example, the control unit 21 of each terminal 2 receives from the server 1 information indicating that “paper” is optimal as the providing means, and based on this information, “paper is optimal as the providing means”. The text is displayed on the display unit 24. That is, the notification made by the control unit 11 of the server 1 to the control unit 21 of the terminal 2 in step S108 is a display control unit that controls the terminal 2 so as to display the providing unit corresponding to the temporary security profile. It is an example.
As described above, in order to display the information providing means in consideration of the security profiles individually set for a plurality of users, the information provider must set the security profiles individually set for the plurality of users. It is no longer necessary to determine the optimum information providing means after confirming the above, and information sharing can be smoothly promoted.

<Modification>
The embodiment may be modified as follows. A plurality of modified examples may be combined.
<1>
You may make it determine a provision means based on the evaluation criteria according to the format and size of a file of common information. The file format is represented by, for example, an extension.
FIG. 15 is a diagram showing an evaluation criterion table corresponding to the extension and size of a file.
In this example, for example, when the providing means is paper, a relatively high evaluation value is given because it is suitable for printing a text file, but a relatively low evaluation value because it is not suitable for printing a moving image. Is given. Alternatively, if the providing means is paper and the file size is 10 MB or more, the number of pages increases, so a relatively low evaluation value is given. However, if the file size is less than 10 MB, the number of pages decreases, so comparison is made. High evaluation value is given.

<2>
In the above embodiment, the security profile is integrated by the logical product of the evaluation values for each providing means. However, as the number of participants increases, for example, all the providing means are prohibited, It can be difficult to integrate. In that case, the number of users for whom “permitted” is set may be aggregated for each providing means, the providing means may be ranked in descending order, and the security profiles may be integrated based on this order. For example, the second providing means from the top of the ranking may be “permitted” and the third and lower providing means may be “prohibited”.

<3>
You may make it repeat the process after step S205 regularly.

<4>
In step S102, the control unit 11 of the server 1 may instruct acquisition of information to all the terminals 2 included in the group information, and the control unit 21 of each terminal 2 may acquire information in step S205 according to this instruction. .

<5>
As one of the providing means, remote access from a plurality of terminals to a file on the network may be included.

<6>
In the above-described embodiment, an example in which the above functions are realized by the server and the terminal executing the application program has been described. However, part or all of the above functions may be implemented by a hardware circuit. Further, the application program may be provided by being recorded on a computer-readable recording medium such as an optical recording medium or a semiconductor memory, and the program may be read from the recording medium and installed. In addition, this program may be provided through a telecommunication line.

DESCRIPTION OF SYMBOLS 1 ... Server, 11 ... Control part, 12 ... Storage part, 13 ... Communication part, 14 ... Display apparatus, 15 ... Reception apparatus, 2 ... Terminal, 21 ... Control part, 22 ... Storage part, 23 ... Communication part, 24 ... Display unit, 25 ... reception unit, 26 ... position information acquisition unit

Claims (9)

A generation unit configured to integrate a security profile for controlling the security operation of the system, which is set for each of a plurality of users, to generate a temporary security profile;
An information processing apparatus comprising: a display control unit configured to control a terminal so as to display a providing unit according to a temporary security profile generated by the generating unit when providing common information to the plurality of users.   The information processing apparatus according to claim 1, wherein the display control unit controls the terminal so as to display the providing unit determined according to position information of the plurality of users.   The information processing apparatus according to claim 2, wherein the display control unit controls the terminal to display the providing unit determined according to whether the plurality of users are at the same site or a plurality of sites.   The information processing apparatus according to claim 1, wherein the display control unit controls the terminal to display the providing unit determined according to the common information.   The information processing apparatus according to claim 4, wherein the display control unit controls the terminal so as to display the providing unit determined according to a size of the common information.   The information processing apparatus according to claim 4, wherein the display control unit controls the terminal to display the providing unit determined according to the format of the common information. The security profile set for each of the plurality of users is set with a setting value indicating permission or prohibition for each of the plurality of providing means,
The information processing apparatus according to claim 1, wherein the generation unit generates the temporary security profile by a logical product of the setting values for each of the providing units. The security profile set for each of the plurality of users is set with a setting value indicating permission or prohibition for each of the plurality of providing means,
The information processing apparatus according to any one of claims 1 to 6, wherein the generation unit aggregates the set values for each of the providing units and generates the temporary security profile based on the aggregated values. Computer
A generation unit configured to integrate a security profile for controlling the security operation of the system, which is set for each of a plurality of users, to generate a temporary security profile;
A program for functioning as a display control unit for controlling a terminal to display a providing unit according to a temporary security profile generated by the generating unit when providing common information to the plurality of users.

Images