JPH10320288A - Access controlling method, its system and storage medium storing access control program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make it possible to switch the contents of service to be utilized or information to be read by certification owned by a member in service permitting only a person having specific authority to use documents, programs, etc., or providing documents, programs, etc., through the Internet. SOLUTION: User identification(ID) information for distinguishing an individual user and user's sort information are stored, application range information expressing a range of users capable of using a certain object and an object body are integrally stored, and when a user requests the object, whether the object requested by the user can be utilized for the user or not is judged by referring to the user's ID information, the user sorting information and the application range information, the use of the object is permitted only to the user corresponding to the application range information in each object to provide the object.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an access control method and system, and a storage medium storing an access control program, and more particularly, to a large number of users having various positions and rights, for providing objects such as documents and programs. Use ・
The present invention relates to an access control method and system for performing access control (permission / non-permission of browsing / use) according to a classification of a user in a service enabling browsing, and a storage medium storing an access control program.

[0002]

2. Description of the Related Art In the prior art, the use of objects
The following methods are used to control browsing access. 1. The correspondence between the storage location of the object and the users who can access it is registered in advance as definition information about the service, so that objects in a specific storage location can be accessed from users within the permitted range for each storage location. I do.

[0003] 2. An access control program is created for each service, and which object is provided for each service is controlled.

[0004]

However, in the above-mentioned conventional technology, since the access right to the object is determined for each storage location, fine-grained access right setting is performed in addition to the storage location prepared in advance by the service provider. Cannot be performed by the object creator himself.

Another problem is that it is difficult to provide the same object to different user groups or to add a new service that can use a specific type of object. The present invention has been made in view of the above points,
An access control method that allows only people with specific rights to use documents and programs, and switches the available services and the contents of information that can be browsed according to the membership qualifications of the services provided on the Internet And a storage medium storing a system and an access control program.

[0006]

FIG. 1 is a diagram for explaining the principle of the present invention. The present invention relates to an access control method in a service that enables a large number of users to use and browse objects such as documents and programs, wherein user identification information for distinguishing individual users and classification information of the users are provided. (Step 1), a user classification list (object use range information) indicating which range of users can use a certain object, and the object itself are stored together (step 2). Is requested (step 3), it is determined whether or not the object requested by the user is available to the user with reference to the user identification information, the user classification information, and the user classification list. (Step 4), and only the user corresponding to the user classification list for each object is permitted to use the object (Step 5). Providing object (Step 6).

Further, the present invention relates to an access control method in a service that enables a large number of users to use and browse objects such as documents and programs, wherein user identification information for distinguishing individual users and user identification information are provided. Holds classification information of users, stores object classification information and object bodies integrally, holds object permission information indicating which range of users can use for each object classification, Determines whether or not the user is available, by user identification information, user classification information,
The determination is made with reference to the object permission information, and only the user corresponding to the object permission information for each object is permitted to use the object.

Further, the present invention flexibly changes the range of users of the user classification list or the object permission information. FIG. 2 is a diagram illustrating the principle of the present invention. The present invention
An access control system in a service that allows many users to use and browse objects such as documents and programs, and holds user identification information for distinguishing individual users and classification information of the users User information storage means 30 for performing the operation, first object storage means with access control information 40 for integrally storing a user classification list indicating which range of users can use a certain object and the object body, Use determining means 21 for determining whether an object requested by a user is available from the user by referring to the user information storage means 30 and the first access control information-added object storage means 40
And use permitting means 22 for permitting only the user corresponding to the use classification list for each object to use the object.

The present invention is also an access control system for a service that enables a large number of users to use and browse objects such as documents and programs, and includes user identification information for distinguishing individual users. User information storage means for holding the classification information of the user, object storage means with second access control information for integrally storing the object classification information and the contents of the object main body, Object permission information storage means for storing information indicating whether a user in a range is available; user information storage means for determining whether an object requested by the user is available from the user; second access control information Usage determining means for determining by referring to the contents of the attached object storage means and the object permission information storage means; For each object, only the user to the user of which range corresponds to the information indicating whether available, and a use permission means for permitting the use of the object.

Further, the present invention flexibly limits the range of users who can use an object in the first object storage means with access control information 30, the second object storage means with access control information, and the object permission information storage means. And changing means for changing to In addition, the present invention allows a large number of users to use objects such as documents and programs.
A storage medium storing an access control program in a service enabling browsing, wherein whether or not an object requested by a user can be used by the user is determined by user identification information for distinguishing each user. A usage determination process for determining by referring to the classification information of the user, a user classification list indicating which range of users can use the object, and information storing the object body integrally; And a use permission process for permitting only the user corresponding to the user classification list to use the object.

Further, the present invention is a storage medium storing an access control program in a service that enables a large number of users to use and browse objects such as documents and programs, wherein the object requested by the user is stored in the storage medium. User identification information for distinguishing individual users, the user classification list, object classification information, and what range of users can be used for each object classification The use determination process determines whether the object requested by the user is available to the user by referring to the permission information indicating the use of the object, and restricts the use of the object only to the user corresponding to the permission information for each object. And a use permitting process.

Further, the present invention further has a change process for flexibly changing the range of users who can use the object in the user classification list and the permission information. The present invention provides a user information storage unit that holds information on which user class each user belongs to and, when a user identifier is given, returns a list of user classes to which the user belongs. And an access control information object storage unit that holds object classification information and user classification information on available users as information indicating from which user the object can be used together with the object body. With reference to the information stored in such storage means, it is determined whether or not the user can access the requested object. If access is possible, the object body is taken out from the object storage means with access control information, and Return to the requesting user. At this time, what is input is the user identification information and the identification name of the requested object, and what is output is the access permission / inhibition information and the requested object body.

[0013] Further, according to the present invention, information for identifying which user class can use each object class is stored in the object permission information storage means.
Given an object classification, a list of user classifications to which users who can use the object belong is returned. Thus, if the user is included in the list, an object can be provided.

[0014] Thereby, it is possible to permit only a person with a specific authority to use a document or a program, or to switch a service available on a member provided by the member or a content of information to be browsed in a service provided on the Internet. And a detailed service can be realized.

[0015]

DESCRIPTION OF THE PREFERRED EMBODIMENTS The access control device of the present invention controls whether a user (user identification name: U) can access a requested object (object identification name O) as follows. FIG. 3 shows the configuration of the first access control system of the present invention.

The access control system shown in FIG. 1 includes a user terminal 10, an access control device 20, a user information storage device 30, and an object storage device 40 with access control information. The user terminal 10 sends the user identification name (U) and the requested object information (O) to the access control device 20, and acquires the access permission / inhibition information and the object body from the access control device 20.

The user information storage device 30 holds user identification information for distinguishing individual users and classifications of the users. The object storage device 40 with access control information integrally stores object classification information or a user classification list that stores information indicating which range of users can use an object, and the contents of the object body. .

The access control device 20 is connected to the user terminal 10
The access control of the user name (U) corresponding to the object (O) requested from is performed as follows.
FIG. 4 is a flowchart showing the operation of the first access control device of the present invention. Step 101) The user classification {C _u1 ,..., C _un } for the user is extracted from the user information storage device 30 based on the user identifier U.

Step 102) The object having the object identifier O is taken out together with the access control information from the object storage device 40 with access control information. Step 103) Classification of user who can use the object held as access control information { _Co1
, ..., removed C _om} from the access control information with the object storage device 40 checks whether there is a match with that in the _{{C u1, ..., C um} }. If there is no match, the process proceeds to step 104, and if there is a match, the process proceeds to step 105.

Step 104) If there is no match, the request source is notified that the object cannot be accessed. Step 105) If there is a match, the object body of the object is taken out from the object storage device with access control information 40 together with the information indicating that the object is accessible, and
Return to requester.

Next, a description will be given of a configuration having information indicating which range of users can use each object classification. FIG. 5 shows the configuration of the second access control system of the present invention. The configuration shown in the figure is a configuration in which an object permission information storage device 50 is added to the configuration shown in FIG.

The object permission information storage device 50 holds information for identifying from which user class each user can use each object class. When the object class is given, the object class can be used. The user classification list to which the various users belong
Return to 0. Thereby, the access control device 20
Control of whether or not the user (user identifier: U) can access the requested object (object identifier: O) is performed according to the above-described flowchart of FIG. However, only the operation of step 103 is different.

The operation of the access control device 20 will be described.
FIG. 6 is a flowchart showing the operation of the second access control device of the present invention. Step 201) From the user information storage device 30, based on the user alias U, the user classification ｛C for the user
_u1 , ..., _Cun } are taken out.

Step 202) With access control information
From the object storage device 40, the object identifier O
Retrieve the object along with the access control information. Step 203) In this case, the access control information-added
It is stored in the object storage device 40 as access control information.
Object classification for the object of type II _c1,…,
O_ck｝ Is held. This allows access control
The device 20 has the object classification ｛O_c1, ..., O_ckア ク
From the object storage device 40 with access control information
You.

[0025] Step 204) refers to the object permission information storage device 50, object classification _{{O c1, ..., O ck} } extracted in step 203 the list of accessible users classified with respect to {O _o1, ..., Return O _om ｝. Step 205) The access control device 20 _calculates { _Cu1 ,
, C _un } is checked to see if there is a list of accessible user classifications {C _o1 ,..., C _om }.

Step 206) If there is no match, the request source is notified that the object cannot be accessed. Step 207) If there is a match, the object body of the object is taken out from the object storage device with access control information 40 together with the information indicating that the object is accessible, and
Return to requester.

[0027]

Embodiments of the present invention will be described below with reference to the drawings. The following embodiment will be described based on the configuration shown in FIG. FIG. 7 shows the configuration of a system for limiting the range of documents that can be viewed by a user according to an embodiment of the present invention.

In FIG. 1, the present invention is implemented on the Internet through H
This is an example applied to a service that provides a document described in TML. The system shown in FIG. 1 includes a WWW browser, an access control program (access control device) 20, a user information storage device 30, an HTML file group with access control information 40, an object permission information storage device 50, a WWW server in the user terminal 10. 60 and an HTML access program 70.

In this system, the user's identification name is entered in the first HTML page provided to the user, and this user name is embedded in the information of the HTML page which is subsequently transferred to the user. WWW Browser 1
In subsequent requests from 0, the requested URL always includes the user identification name. WWW server 60
Receives the URL from the WWW browser 10, decomposes the URL into the requested HTML file name and user identification name, activates the HTML access program 70, and passes the information.

The HTML access program 20 starts the access control program 20 corresponding to the access control device 20 in the present invention, and passes the user identification name and the HTML file name. The access control program 20 reads an HTML file 40 with access control information having a specified HTML file name. The HTML file contains, in addition to the HTML information to be displayed as a document,
Information {O _c1 ,..., O _ck } indicating the classification of the document is described as access control information in a format defined by the system (for example, in the form of an extension tag). The access control program 20 stores the user identification name from the user information storage device 30 into the user classification {C _u1 ,
..., C _un } is taken out.

The access control program 20 stores a statement
Information indicating the classification of the book_c1, ..., O _ck｝ The object
Sent to the permission information storage device 50, and
List of accessible user categories $ C_o1, ..., C_om｝
Get. Next, the access control program 20
｛C_u1, ..., C_unIn｝, ｛C_o1, ..., C_omMatches｝
Find out what to do.

If there is no match, the access control program 20 notifies the HTML access program 70 that access is not possible. This allows H
The TML access program 70 generates an HTML including a message indicating that there is no access right, returns the HTML to the WWW server 60, and sends the HTML to the user's WWW browser 10 for display.

If there is a match, the access control program 20 opens the HTML file 40 with access information.
Out of the content (object body) written in HTML from which access control information is removed,
The information is returned to the HTML access program 70 together with information indicating that access is possible. Then, the HTML access program 70 returns the content written in the HTML to the WWW server 60, and the
It is sent to the WW browser 10 and displayed.

The present invention is not limited to the above embodiment, but can be variously modified and applied within the scope of the claims.

[0035]

As described above, according to the present invention, when creating an object body, the access right to the object can be set as the access control information, so that the creator of the object performs fine-grained setting of the access right. be able to. Further, even when the same object is provided to a plurality of different user groups, it is not necessary to prepare a copy of the object for each user group.

According to the present invention, even when a new service that can use a specific type of object is added, the information held in the object permission information storage device includes:
It is only necessary to change the information held in the user information storage device, and it is not necessary to change the object itself.

[Brief description of the drawings]

FIG. 1 is a diagram for explaining the principle of the present invention.

FIG. 2 is a principle configuration diagram of the present invention.

FIG. 3 is a configuration diagram of a first access control system of the present invention.

FIG. 4 is a flowchart illustrating an operation of the first access control device of the present invention.

FIG. 5 is a configuration diagram of a second access control system of the present invention.

FIG. 6 is a flowchart illustrating an operation of the second access control device of the present invention.

FIG. 7 is a configuration diagram of a system for limiting the range of documents that can be viewed by a user according to the first embodiment of this invention.

[Explanation of symbols]

REFERENCE SIGNS LIST 10 user terminal, WWW browser 20 access control device, access control program 21 use determining means 22 use permitting means 30 user information storage means, user information storage device 40 object storage means with access control information, object storage with access control information Device 50 Object permission information storage device 60 WWW server 1 70 HTML access program

Claims (9)

[Claims] 1. An access control method in a service that enables a large number of users to use and browse objects such as documents and programs, wherein user identification information for distinguishing individual users and classification of the users are provided. It stores information, stores a user classification list indicating the range of users who can use an object and the object itself, and determines whether the object requested by the user is available to the user. The user identification information, the classification information of the user, and the user classification list are determined with reference to each other. Only the user corresponding to the user classification list for each object is allowed to use the object. An access control method characterized by permitting. 2. An access control method in a service that enables a large number of users to use and view objects such as documents and programs, wherein user identification information for distinguishing individual users and classification of the users are provided. Information, object classification information and the object itself are stored together, object permission information indicating which range of users can use each object classification is stored, and the object requested by the user is It is determined whether or not the user is available by referring to the user identification information, the classification information of the user, and the object permission information. For each object, only the user corresponding to the object permission information An access control method characterized by permitting use. 3. The access control method according to claim 1, wherein a range of users of the user classification list or the object permission information is flexibly changed. 4. An access control system for a service that enables a large number of users to use and browse objects such as documents and programs, comprising: user identification information for distinguishing individual users; User information storage means for holding classification information of a user, and first storage means with access control information for integrally storing a user classification list indicating which range of users can use a certain object and the object body Use determining means for determining whether an object requested by a user is available from the user by referring to the user information storing means and the first object with access control information storing means; Use permission means for permitting only the users corresponding to the use classification list to use the objects for each of the objects. Access control system according to claim Rukoto. 5. An access control system for a service that enables a large number of users to use and browse objects such as documents and programs, comprising: user identification information for distinguishing individual users; User information storage means for holding the classification information of the object; object storage means with the second access control information for storing the object classification information and the contents of the object body together; Object permission information storage means for holding information indicating whether or not the user can use the information, and whether the object requested by the user is available from the user, the user information storage means, Object storage means, and use determination means for determining by referring to the contents of the object permission information storage means; For each object, an access control system, characterized in that the only user who corresponds to which range information which the user indicates whether available, and a use permission means for permitting the use of the object. 6. The object storage means with the first access control information, the object storage means with the second access control information, and the range of users who can use the object in the object permission information storage means are flexibly changed. 6. The access control system according to claim 4, further comprising a change unit that performs the change. 7. A storage medium storing an access control program in a service that enables a large number of users to use and view objects such as documents and programs, wherein an object requested by the user is used by the user. The user identification information for distinguishing each user, the classification information of the user, the user classification list indicating the range of users who can use an object, and the object body are integrated. And a use permission process for permitting only the user corresponding to the user classification list for each object to use the object for each object. A storage medium storing an access control program. 8. A storage medium storing an access control program in a service that enables a large number of users to use and browse objects such as documents and programs, wherein an object requested by the user is used by the user. Whether or not it is possible is identified by user identification information for distinguishing individual users, the user classification list, object classification information, and permission information indicating which range of users can use each object classification. And a use determination process for determining whether or not the object requested by the user is available from the user, and using the object to allow only the user corresponding to the permission information for each object to use the object. A storage medium storing an access control program, characterized by having an authorization process. 9. The storage storing the access control program according to claim 7, further comprising a change process of flexibly changing a range of users who can use an object in the user classification list and the permission information. Medium.