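WO2005081120A1 - Computer system, access right setting method, program for causing a client computer to function, and recording medium on which the program is recorded - Google Patents

Computer system, access right setting method, program for causing a client computer to function, and recording medium on which the program is recorded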

Info

Publication number
WO2005081120A1
WO2005081120A1 PCT/JP2005/001041 JP2005001041W WO2005081120A1 WO 2005081120 A1 WO2005081120 A1 WO 2005081120A1 JP 2005001041 W JP2005001041 W JP 2005001041W WO 2005081120 A1 WO2005081120 A1 WO 2005081120A1
Authority
WO
WIPO (PCT)
Prior art keywords
access right
client computer
network
computer
identification code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2005/001041
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
Syouzou Niwata
Yoshihiro Yano
Takayuki Chikada
Fukio Handa
Kazutoshi Kichikawa
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Dai Nippon Printing Co Ltd
Original Assignee
Dai Nippon Printing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Dai Nippon Printing Co Ltd
Priority to US10/588,324 (patent US8646058B2)
Publication of WO2005081120A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2111 Location-sensitive, e.g. geographical location, GPS
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149 Restricted operating environment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Definitions

  • a program for causing the client computer to function, and a recording medium on which the program is recorded.
  • the present invention relates to a computer system and an access right setting method thereof, and more particularly to a technique for securing security when a client computer accesses a server computer via a network.
  • computers are generally connected to each other using a network, and not only companies but also ordinary households are constructing networks incorporating hubs, LAN switches, and routers.
  • a company constructs a dedicated network such as an in-house LAN or WAN, and connects to this network server computers with various functions according to the business form of each division.
  • Each employee connects his or her client computer, such as a personal computer, to this network to carry out work while exchanging data with the server computer.
  • security management is very important. In other words, not only must each computer connected to the network be protected from unauthorized access by outsiders, but operations that impose individual access restrictions even on employees who belong to the same company are indispensable.
  • Japanese Patent Application Laid-Open Nos. 2000-10909 and 2000-3-1226365 disclose a client compilation.
  • a technique for managing access rights unique to each user is disclosed.
  • All of the conventional security management methods are based on the basic idea of setting a predetermined access right for each user.
  • each user is given a specific account (user name) and password, and each account is set up with the specified access rights. If there is a login procedure using a specific account, after confirming that the login procedure is legitimate by checking the password, it is common practice to allow access within the range of access rights set for the account.
  • an object of the present invention is to provide a computer system that can set different access rights to individual users according to the situation (depending on the convenience of a computer or network environment).
  • Disclosure of the invention
  • a first aspect of the present invention provides a computer system comprising a network, a server computer connected to the network, a plurality of client computers connectable to the network, and portable information recording media issued to individual users for use by connecting to a client computer, wherein:
  • On each client computer, a unique identification code that distinguishes it from other client computers is recorded,
  • An identification code corresponding to a specific identification code recorded on a specific client computer is recorded on each portable information recording medium,
  • Each client computer is provided with interface means for connecting the portable information recording medium, identification code collating means for collating the identification code recorded on the currently connected portable information recording medium with the identification code recorded on itself,
  • access right setting means for setting a predetermined access right based on the collation result, and server access means for accessing the server computer within the range of the set access right.
  • a second aspect of the present invention provides a computer system comprising a network, a server computer connected to the network, a plurality of client computers connectable to the network, and portable information processing devices issued to each user for use by connecting to a client computer, wherein:
  • On each client computer, a unique identification code that distinguishes it from other client computers is recorded,
  • On each portable information processing device, an identification code corresponding to a specific identification code recorded in a specific client computer is recorded, and
  • Each client computer has interface means for connecting the portable information processing device, and server access means for accessing the server computer within the range of the access right transmitted from the currently connected portable information processing device.
  • Identification code collating means for collating the identified identification code with the identification code recorded in itself
  • access right setting means for setting a predetermined access right based on the collation result
  • an access right transmitting means for transmitting the right to the currently connected client computer.
  • a third aspect of the present invention provides the computer system according to the first or second aspect described above, wherein
  • the access right setting means sets the first access right if the collation result matches, and sets the second access right, which has more restrictions than the first access right, if the collation result does not match.
  • a fourth aspect of the present invention provides the computer system according to the first to third aspects, wherein
  • the MAC address assigned to the LAN communication circuit built into the client computer, unique data stored in the storage device of the client computer, or the configuration of the application program stored in the storage device of the client computer is used as the unique identification code for identifying the client computer.
  • a fifth aspect of the present invention provides a computer system comprising a network, a server computer connected to the network, a plurality of client computers connectable to the network, and portable information recording media issued to individual users for use by connecting to a client computer, wherein:
  • On each portable information recording medium, environment information indicating a specific network environment obtained when each client computer is connected to a specific portion of the network is recorded.
  • Each client computer is provided with interface means for connecting a portable information recording medium,
  • environment collation means for collating the network environment indicated by the environment information recorded on the currently connected portable information recording medium with its own current network environment,
  • access right setting means for setting a predetermined access right based on the collation result,
  • and server access means for accessing the server computer within the range of the set access right.
  • a sixth aspect of the present invention provides a computer system comprising a network, a server computer connected to the network, a plurality of client computers connectable to the network, and portable information processing devices issued to each user for use by connecting to a client computer, wherein:
  • On each portable information processing device, environment information indicating a specific network environment obtained when a client computer is connected to a specific portion of the network is recorded.
  • Each client computer has interface means for connecting the portable information processing device, and server access means for accessing the server computer within the range of the access right transmitted from the currently connected portable information processing device.
  • the portable information processing device includes environment collation means for collating the network environment of the currently connected client computer with the network environment indicated by the environment information recorded in itself, and based on the collation result.
  • An access right setting means for setting a predetermined access right and an access right transmitting means for transmitting the set access right to a currently connected client computer are provided.
  • the seventh aspect of the present invention is the computer system according to the fifth or sixth aspect, wherein:
  • the access right setting means sets the first access right if the collation results match. If the collation results do not match, a second access right with more restrictions than the first access right is set.
  • the domain name is used as environment information indicating the network environment of the client computer.
  • a ninth embodiment of the present invention provides a computer system comprising a network, a server computer connected to the network, a plurality of client computers connectable to the network, and portable information recording media issued to each user for use by connecting to a client computer, wherein:
  • On each client computer, a unique identification code that distinguishes it from other client computers is recorded,
  • Each client computer has an interface means for connecting a portable information recording medium, and compares the identification code recorded on the currently connected portable information recording medium with the identification code recorded on itself.
  • the identification code collation means compares the network environment indicated by the environment information recorded on the currently connected portable information recording medium with the current network environment of the user. Environment matching means for matching, an access right setting means for setting a predetermined access right based on a result of the checking, and a server access means for accessing the server computer within the set access right. It is designed to be provided.
  • a tenth aspect of the present invention provides a computer system comprising a network, a server computer connected to the network, a plurality of client computers connectable to the network, and portable information processing devices issued to each user for use by connecting to a client computer, wherein:
  • On each client computer, a unique identification code that distinguishes it from other client computers is recorded,
  • Each portable information processing device has an identification code corresponding to a specific identification code recorded on a specific client computer, and a specific network obtained when each client computer is connected to a specific part of the network. Record environmental information indicating the environment, and
  • Each client computer has interface means for connecting the portable information processing device, and server access means for accessing the server computer within the range of the access right transmitted from the currently connected portable information processing device.
  • the portable information processing device includes identification code collation means for collating the identification code recorded on the currently connected client computer with the identification code recorded on itself,
  • environment collation means for collating the network environment of the currently connected client computer with the network environment indicated by the environment information recorded in itself, access right setting means for setting a predetermined access right based on the collation results, and access right transmitting means for transmitting the set access right to the currently connected client computer.
  • the eleventh aspect of the present invention provides the computer system according to the ninth or tenth aspect, wherein
  • the access right setting means sets the first access right when the collation result by the identification code collation means matches, and when the collation result by the environment collation means does not match with the identification code collation means.
  • the 12th aspect of the present invention provides the computer system according to the ninth or 10th aspect, wherein
  • the access right setting means sets the first access right when both the collation result by the identification code collation means and the collation result by the environment collation means match; when the collation result by the identification code collation means matches but the collation result by the environment collation means does not match, a second access right with more restrictions than the first access right is set; and if none of the collation results match, a third access right with more restrictions than the second access right is set.
  • a thirteenth aspect of the present invention relates to a computer system including a network, a server computer connected to the network, and a plurality of client computers connectable to the network.
  • For each user, a portable information processing device is issued for use by connecting to a client computer, and the portable information processing device is provided with an identification code corresponding to a unique identification code that is recorded on a specific client computer
  • and that can distinguish the specific client computer from other client computers.
  • When a user connects a predetermined portable information processing device issued to him or her to a predetermined client computer and performs a use start procedure for the predetermined client computer, the predetermined client computer or the predetermined portable information processing device is caused to compare the identification code recorded on the predetermined client computer with the identification code recorded on the predetermined portable information processing device, and an access right setting step of setting a predetermined access right based on the result is performed;
  • in the access right setting step, if the matching result does not match, an access right with more restrictions is set as compared with the case where the matching result matches.
  • a fourteenth aspect of the present invention is directed to a computer system including: a network, a server computer connected to the network, and a plurality of client computers connectable to the network.
  • In a method of setting access rights when each user accesses a server computer using a client computer,
  • a portable information processing device for connecting to a client computer for use is issued to each user, and a specific information obtained when the client computer is connected to a specific portion of a network is issued to the portable information processing device.
  • the predetermined portable information processing device compares the current network environment of the predetermined client computer with the network environment indicated by the environment information recorded in the predetermined portable information processing device, and an access right setting step of setting a predetermined access right based on the matching result is performed; in the access right setting step, if the matching result does not match, an access right with more restrictions is set as compared with the case where the matching result matches.
  • a fifteenth embodiment of the present invention relates to a computer system including: a network, a server computer connected to the network, and a plurality of client computers connectable to the network.
  • In a method of setting an access right when each user accesses a server computer using a client computer,
  • For each user, a portable information processing device is issued for use by connecting to a client computer, and the portable information processing device has an identification code recorded on a specific client computer.
  • An identification code corresponding to a unique identification code capable of identifying the specific client computer from other client computers, and a specific network environment obtained when the client computer is connected to a specific part of a network.
  • Environmental information that indicates, a preparation stage for recording,
  • When a user connects a predetermined portable information processing device issued to him or her to a predetermined client computer and performs a use start procedure for the predetermined client computer, the predetermined client computer or the predetermined portable information processing device matches the identification code recorded on the predetermined client computer with the identification code recorded on the predetermined portable information processing device, and the current network environment of the predetermined client computer is compared with the network environment indicated by the environment information recorded in the predetermined portable information processing device, and based on the result of the comparison, the predetermined network environment is determined.
  • An access right setting step for setting an access right In the case where the matching result of the identification code matches If the matching result of the identification code does not match but the matching result of the network environment matches, the second access right with more restrictions than the first access right is set. If no matching result is found, a third access right with more restrictions than the second access right is set.
  • a sixteenth aspect of the present invention relates to a computer system comprising: a network, a server computer connected to the network, and a plurality of client computers connectable to the network.
  • In a method of setting access rights when each user accesses a server computer using a client computer,
  • the portable information processing device uses an identification code recorded on a specific client computer, An identification code corresponding to a unique identification code that can identify one client computer from another client computer and a specific network environment obtained when the client computer is connected to a specific part of the network Environmental information and the preparation stage for recording
  • When a user connects a predetermined portable information processing device issued to him or her to a predetermined client computer and performs a use start procedure for the predetermined client computer, the predetermined client computer or the predetermined portable information processing device matches the identification code recorded on the predetermined client computer with the identification code recorded on the predetermined portable information processing device, and the current network environment of the predetermined client computer is compared with the network environment indicated by the environment information recorded in the predetermined portable information processing device, and the predetermined access right is determined based on the result of the comparison.
  • in the access right setting stage, if the matching result of the identification code and the matching result of the network environment both match, the first access right is set; if the matching result of the identification code matches but the environment comparison results do not match, a second access right with more restrictions than the first access right is set; and if none of the comparison results match, a third access right, which has more restrictions than the second access right, is set.
  • a program for causing a computer to function as a client computer in the computer system according to the above-described first to twelfth aspects can be recorded on a computer-readable recording medium and distributed.
  • the client computer used by the user is a specific client computer prepared for the user, or whether the client computer is prepared for the user.
  • access rights can be set, so that it becomes possible to set different access rights for individual users according to the situation.
  • Brief explanation of drawings
  • FIG. 1 is a block diagram showing a general computer system configured by connecting a server computer and a client computer to a network.
  • FIG. 2 is a block diagram for explaining the first embodiment of the present invention, and shows a part of the computer system shown in FIG.
  • FIG. 3 is a block diagram showing a configuration of a client computer for performing the first embodiment shown in FIG.
  • FIG. 4 is a block diagram showing a configuration of a modification in which the portable information processing device executes the matching process and the access right setting process in the first embodiment shown in FIG.
  • FIG. 5 is a block diagram for explaining a second embodiment of the present invention, and shows a part of the computer system shown in FIG.
  • FIG. 6 is a block diagram showing a configuration of a client computer for performing the second embodiment shown in FIG.
  • FIG. 7 is a block diagram showing a configuration of a modification in which the portable information processing device executes the matching process and the access right setting process in the second embodiment shown in FIG.
  • FIG. 8 is a block diagram for explaining a third embodiment of the present invention, and shows a part of the computer system shown in FIG.
  • FIG. 9 is a block diagram showing a configuration of a client computer for performing the third embodiment shown in FIG.
  • FIG. 10 is a block diagram showing a configuration of a modification of the third embodiment shown in FIG. 8 in which the portable information processing device executes a matching process and an access right setting process.
  • FIG. 11 is a flowchart illustrating an example of an access right setting method according to the third embodiment of the present invention.
  • FIG. 12 is a flowchart showing another example of a method for setting an access right according to the third embodiment of the present invention.
  • FIG. 3 is a block diagram showing a model of a computer system configured by connecting eight client computers 11, 12, 13, 14, 21, 22, 23 and 31.
  • a computer system used by a general company uses a larger number of server computers and a larger number of client computers.
  • the simple model shown in the figure is described here.
  • the network 100 is generally composed of a large number of routers and various lines connecting them. Generally, there are various forms of network, such as LAN, WAN, and the Internet, but the network 100 may be configured in any form. Also, in the figure, the network 100 and each client computer are connected by a line, but a wired connection is not necessarily required between them, and a wireless LAN may be used.
  • this computer system is a system used by a certain company, and client computers 11, 12, 13, 14 are installed in the human resources department 10 of this company.
  • the client computers 21, 22 and 23 are set up in the common room 20 of the company, and the client computer 31 is set up in one room of the employee dormitory 30 of the company.
  • one employee belonging to the human resources department is called a user A, and it is assumed that a client computer 11 is installed on the desk of user A in the human resources department 10.
  • user A is provided with the client computer 11 by the company, and carries out daily work by operating the client computer 11 while sitting at his or her desk.
  • the server computers 110, 120 store various data related to the business of this company, and individual employees can access the server computers 110, 120 from a client computer as needed and read, write, or modify the necessary data.
  • the server computer 110 stores general-purpose business data to which all employees should be allowed access, and the server computer 120 stores highly confidential business data that should be accessed only by employees who belong to a specific department.
  • security management is important.
  • individual employees are assigned unique access rights according to their affiliations and responsibilities.
  • the user A, who belongs to the human resources department, is given, for example, an access right that permits reading of general-purpose business data in the server computer 110 and an access right that permits reading/writing of business data dedicated to the human resources department in the server computer 120.
  • a predetermined account (user name) and a password are assigned to each user, and the predetermined access rights are set for each individual account. If there is a login procedure with a specific account, the login procedure is verified as legitimate by checking the password, and access is then permitted within the range of access rights set for the account. For example, in the above example, when the user A, who belongs to the human resources department, activates the client computer 11 installed on his desk and performs the procedure for starting use, he enters a predetermined account and password. If the account and password entered here are authenticated as legitimate, access to the server computers 110 and 120 is then possible within the scope of the access rights set in advance for the user.
  • an implicit understanding of a human resources department might be a rule that an employee's payslip must not be shown to someone in another department.
  • since the user A, who belongs to the human resources department, has been given access to the HR department-specific business data in the server computer 120, the user A can display the pay details of each employee on the screen of the client computer 11 on his desk and browse them on the spot. However, under such circumstances, it is unlikely that any act that would violate the above-mentioned implicit understanding will be performed.
  • the room where the client computer 11 is located is filled with other staff from the Human Resources department and may be supervised by the boss, so it is hard to imagine user A calling a friend from another department over to the side of the desk and letting that friend view the pay statement displayed on the client computer 11.
  • surveillance cameras may be installed at the entrances and exits of the departments, or maintenance personnel may be required to check when entering and exiting.
  • In such departments, even if confidential data is stored on floppy disks or CD-Rs or printed out, it is difficult to take it outside the department, so the likelihood of rule violations is low. However, if the same access right is given even when using the client computer 31 installed in the employee dormitory 30, there is no point in terms of security even if entry to and exit from the relevant department is strictly controlled.
  • a method of building a firewall is usually adopted.
  • a large number of routers are incorporated in the network 100, and each area has its own area. If a firewall is constructed to perform an operation such as rejecting access via the nodes N2 and N3 to the server computer 120, it is possible to prevent fraud.
  • this requires complicated network settings such as where and what firewalls to install.
  • the present invention solves such a security problem by another approach described below.
  • FIG. 2 is a block diagram for explaining the first embodiment of the present invention, and shows a part of the computer system shown in FIG.
  • The basic concept of the first embodiment is that an original client computer is defined for each user. When a user accesses using that original client computer, access is permitted with the original access rights set for the user, but when access is made using any other client computer, only access based on access rights with more restrictions than the original access rights set for the user is permitted.
  • A portable information recording medium, to be connected to a client computer for use, is issued to each user.
  • Fig. 2 shows an example in which portable information recording media R11, R12, and R21 have been issued to three users A, B, and C, respectively.
  • The portable information recording media R11, R12, and R21 may be anything that each user can easily carry and that has a function of recording data.
  • An IC card is excellent in portability and can ensure sufficient security for the recorded data.
  • The portable information recording medium does not need to be a medium dedicated to the present invention, and can also be used for other purposes.
  • The following explanation assumes that the portable information recording media are employee ID cards composed of IC cards issued to users A, B, and C, respectively.
  • The identification code of a specific client computer is recorded on each of the portable information recording media R11, R12, and R21.
  • The specific client computer is the original computer that each user should use.
  • The identification code ID (11) of the client computer 11 that user A should originally use is recorded on the portable information recording medium R11 issued to user A.
  • The identification code ID (12) of the client computer 12 that user B should originally use is recorded on the medium R12 (the IC card issued as the employee card of user B).
  • The identification code ID (21) of the client computer 21 that user C should use is recorded on the information recording medium R21 (the IC card issued as the employee card of user C).
  • The identification code of a client computer is a code recorded in some part of that client computer. Any code can be used as long as it is unique and can distinguish the client computer from other client computers.
  • A MAC address (Media Access Control address) assigned to the LAN communication circuit built into a client computer can be used as the identification code in the present invention.
  • Each client computer has a LAN communication circuit for connecting to the network 100.
  • The standard LAN communication circuit for Ethernet is given a unique MAC address set by each manufacturer.
  • This MAC address is recorded on the IC chip in the LAN communication circuit, and can be read by using the OS function of the client computer if necessary. Therefore, if this MAC address is used as an identification code, all client computers can be identified from each other.
  • It suffices to record, on the portable information recording medium R11 issued as the employee card of user A, the MAC address of the LAN communication circuit built into the client computer 11 as the identification code ID (11).
  • The code that can be used as the identification code in the present invention is not limited to the MAC address; any unique data stored in the storage device of the client computer can be used in the same manner as the MAC address. For example, if a unique serial number is assigned to each individual client computer and this serial number is recorded in some form inside that client computer, the serial number can be used as an identification code. Alternatively, it is possible to intentionally write a unique serial number to a specific area of the hard disk of each client computer and use this as an identification code.
  • Information indicating the configuration of the application programs stored in the storage device of each client computer can also be used as a unique identification code for identifying the client computer.
  • A predetermined application program is installed in each client computer according to its work, so the fact that a specific application program is installed can be used as an identification code.
  • The serial number entered when an application program was installed can also be used as an identification code, as information indicating the configuration of the application program. That is, a general application program requires a predetermined serial number to be entered at the time of installation, and the entered serial number is often recorded on a hard disk device or the like. Therefore, even if the serial number of an application program is used as an identification code, individual client computers can be distinguished from each other.
  • the portable information storage media R11, R12, and R21 issued to each of the users A, B, and C have a specific client computer
  • When a user uses a client computer, the user is required to connect the IC card issued as an employee ID card, that is, the portable information recording medium, to the client computer.
  • the portable information recording medium R11, which is an IC card issued as an employee ID card, to the client computer 11.
  • a prescribed use start procedure (generally referred to as a login procedure or a logon procedure). Therefore, in this embodiment, each client computer is equipped with a reader/writer device for IC cards.
  • The basic principle of security management in the computer system is as follows.
  • When a user connects the portable information recording medium issued to that user to a client computer and performs the procedure to start using that client computer, the identification code recorded in the client computer is collated with the identification code recorded on the portable information recording medium, and a predetermined access right is set based on the collation result. More specifically, when the collation results do not match, an access right with more restrictions is set than when the collation results match.
  • User A connects the portable information recording medium R11, issued as his or her own employee ID card, to the client computer 11 in the human resources department 10, which is the computer user A should originally use.
  • The identification code ID (11) recorded in the client computer 11 is collated with the identification code ID (11) recorded on the portable information recording medium R11.
  • An access right is set based on this collation result.
  • Since the two match, the original access right set for user A is given to user A's access using the client computer 11.
  • Specifically, user A is given an access right that permits reading of the general-purpose business data in the server computer 110 and an access right that permits reading and writing of the business data dedicated to the human resources department in the server computer 120.
  • Suppose instead that user A accesses using the client computer 21 installed in the lounge 20.
  • User A connects the portable information recording medium R11 to the client computer 21 and performs the procedure for starting use.
  • The identification code ID (21) does not match the identification code ID (11) recorded on the portable information recording medium R11, so an access right with more restrictions is set than when the collation results match. For example, an access right is granted under which access to the general-purpose business data in the server computer 110 is permitted, but access to the data dedicated to the human resources department in the server computer 120 is completely prohibited.
  • In the end, each user is given the original access right when using the original client computer, but when any other client computer is used, the user's access rights are restricted.
  • User A, who belongs to the human resources department, can access each server computer with the original access right given to the human resources department as long as he works on the client computer 11 installed in the human resources department 10, but cannot obtain the original access right when using a client computer installed in the lounge 20 or the employee dormitory 30. Therefore, the security problem described in §0 can be solved.
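The collation rule of the first embodiment can be sketched as follows. This is an added example, not code from the patent: the function names, the MAC values and the server keys `server110`/`server120` are constructed for illustration, and treating an unreadable or malformed code as a mismatch is an assumption of this sketch.

```python
import hmac
import re

# What each access right allows, as described in the text: server 110 holds
# general-purpose business data, server 120 the HR-only business data.
ACCESS_RIGHTS = {
    "first": {"server110": {"read"}, "server120": {"read", "write"}},
    "second": {"server110": {"read"}, "server120": set()},
}

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Reduce a MAC address in any common notation to 12 lowercase hex digits."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def collate(card_code, client_code):
    """True only if both identification codes are well-formed and equal."""
    try:
        on_card = normalize_mac(card_code)
        on_client = normalize_mac(client_code)
    except (ValueError, TypeError):
        # Assumption of this sketch: a missing or malformed code is a mismatch,
        # so two empty or unreadable values can never "match" each other.
        return False
    return hmac.compare_digest(on_card, on_client)


def set_access_right(card_code, client_code):
    """Access right setting: the first right on a match, the second otherwise."""
    return "first" if collate(card_code, client_code) else "second"


def is_permitted(right, server, operation):
    """Resolve the detailed permission for one operation under a given right."""
    return operation in ACCESS_RIGHTS[right].get(server, set())


# Constructed sample values: ID (11) as written to user A's card R11, and the
# codes read from client computers 11 and 21 (different notation on purpose).
CARD_R11 = "00-1A-2B-3C-4D-11"
CLIENT_11 = "00:1a:2b:3c:4d:11"
CLIENT_21 = "00:1a:2b:3c:4d:21"

if __name__ == "__main__":
    for name, code in (("client 11", CLIENT_11), ("client 21", CLIENT_21)):
        right = set_access_right(CARD_R11, code)
        hr_write = is_permitted(right, "server120", "write")
        print(f"{name}: {right} access right, HR data write allowed: {hr_write}")
```
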
  • FIG. 3 is a block diagram illustrating a configuration of a client computer 11 for performing the first embodiment.
  • The client computer 11 is provided with a server access means 11A, an access right setting means 11B, an identification code collating means 11C, and an interface means 11D.
  • The client computer 11 also includes various other components for performing its function as a client computer (for example, a CPU, a memory, a hard disk, and input/output devices for executing an OS program and application programs), but their explanation is omitted here.
  • This client computer 11 has a unique identification code ID (11) that can be distinguished from other client computers. For example, if the MAC address is used as the identification code ID (11), the identification code ID (11) is originally built into the client computer 11, so there is no need to write anything into the client computer 11 as the identification code ID (11). On the other hand, the identification code ID (11) is also recorded on the portable information recording medium R11. This requires writing by the administrator of this computer system. In the example shown here, the portable information recording medium R11 is an IC card issued as an employee card of user A, so much data other than the identification code ID (11) is also recorded on it, but its description is omitted here.
  • The interface means 11D is a component for connecting the portable information recording medium R11, and in this example, is constituted by a reader/writer device for IC cards.
  • By inserting the portable information recording medium R11, an IC card, into the interface means 11D, a reader/writer device, the user can connect the two.
  • The two can be separated by pulling the IC card out of the reader/writer device.
  • The identification code collating means 11C is a component having a function of collating the identification code recorded on the currently connected portable information recording medium with the identification code recorded in the client computer itself, and the access right setting means 11B is a component having a function of setting a predetermined access right based on the result of the collation.
  • The access right setting means 11B sets a first access right when the collation results match, and sets a second access right, which has more restrictions than the first access right, when the collation results do not match.
  • The server access means 11A is a component for accessing the server computers 110 and 120 within the range of the set access right.
  • The collation by the identification code collating means 11C yields a match. That is, the identification code collating means 11C compares the identification code ID (11) in the portable information recording medium R11, read out via the interface means 11D, with the identification code ID (11) recorded in the client computer 11, and in this case a matching result is obtained. Therefore, the access right setting means 11B sets the first access right.
  • The identification code collating means 21C in the client computer 21 yields a mismatch, and the access right setting means 21B sets the second access right.
  • As the first access right, a right is set that permits reading of the general-purpose business data in the server computer 110 and permits reading and writing of the business data dedicated to the human resources department in the server computer 120.
  • As the second access right, a right is set that permits reading of the general-purpose business data in the server computer 110 but prohibits any access to the data in the server computer 120.
  • access right setting means in the client computer.
  • It is preferable that the access right setting means only sets which of the first access right and the second access right applies, and that the detailed setting of access permissions is performed on the server computer side.
  • a setting such as rejecting any access may be made.
  • Authentication of access from user A may be performed, as in the past, by collating the account name and password given to user A.
  • The identification code collation processing and the access right setting processing according to the collation result need not always be performed on the client computer side. That is, when the portable information recording medium has an information processing function, these processes can be executed on the portable information recording medium side.
  • The IC card used for employee ID cards functions not only as an information recording medium but also as an information processing device with a built-in CPU. If a portable information recording medium having such an information processing function (hereinafter referred to as a portable information processing device) is used, the identification code collation processing and the access right setting processing can be performed on the portable information processing device side.
  • FIG. 4 is a block diagram showing a configuration of a modification of the first embodiment in which the portable information processing device executes a matching process and an access right setting process.
  • The point that a unique identification code ID (11) is recorded in the client computer 11, and that the identification code ID (11) corresponding to the one recorded in the client computer 11 is recorded in the portable information processing device P11, is exactly the same as in the example shown in FIG.
  • The client computer 11 has server access means 11A for accessing the server computer within the range of the access right transmitted from the currently connected portable information processing device, and interface means 11D for connecting the portable information processing device, but has no identification code collating means and no access right setting means.
  • The portable information processing device P11 is an IC card having an information processing function as described above, and, as shown in the figure, has identification code collating means 11E, access right setting means 11F, and access right transmitting means 11G.
  • The identification code collating means 11E is a component for collating the identification code recorded in the currently connected client computer with the identification code recorded in the device itself, the access right setting means 11F is a component for setting a predetermined access right based on the collation result, and the access right transmitting means 11G is a component for transmitting the set access right to the currently connected client computer.
  • The identification code collating means 11E compares and collates the identification code ID (11) in the client computer 11, read out through the interface means 11D, with the identification code ID (11) recorded in the portable information processing device P11.
  • The access right setting means 11F sets the first access right, and the set access right is transmitted to the server access means 11A via the interface means 11D.
  • The server access means 11A then accesses the server computer based on the first access right.
  • The server access means 11A accesses the server computer based on the second access right.
  • FIG. 5 is a block diagram for explaining a second embodiment of the present invention, and shows a part of the computer system shown in FIG.
  • The basic concept of the second embodiment is that, instead of an original client computer, an original network environment is defined for each user. When a user accesses using a client computer connected to that original network environment, access is permitted with the original access rights set for the user, but when access is made using a client computer connected to any other network environment, only access based on access rights with more restrictions than the original access rights set for the user is permitted.
  • The network environment means the environment obtained when a client computer is connected to a specific part of the network 100.
  • The client computers 11 to 14, which access the server computers 110 and 120 via the node N1 of the network 100, the client computers 21 to 23, which access the server computers 110 and 120 via the node N2, and the client computer 31, which accesses the server computers 110 and 120 via the node N3, are computers having mutually different network environments.
  • The network environment only indicates a connection environment to the network 100 and is not directly related to individual client computers.
  • If the client computer 23 installed in the lounge 20 shown in Fig. 1 is removed from the LAN in the lounge 20, moved to the human resources department 10, and connected to the LAN in the human resources department 10, the network environment changes even though the client computer is the same. Conversely, if the client computer 11 installed in the human resources department 10 breaks down and is replaced with a new client computer 15 at the same installation location, the client computer itself is different, but the network environment does not change.
  • The identification code will change when the computer is replaced with a new one. In that case, it is necessary to rewrite the identification code recorded on the portable information recording medium with a new one.
  • The access right is set based on a determination of the identity of the network environment, not the identity of the client computer itself. Therefore, as long as the identity of the network environment is ensured, there is no need to rewrite the contents recorded on the portable information recording medium even if the computer is changed.
  • Each of the portable information recording media R11, R12, and R21 is an employee ID card composed of an IC card issued to users A, B, and C, respectively.
  • Environment information indicating a specific network environment, obtained when a client computer is connected to a specific portion of the network 100, is recorded on each of the portable information recording media R11, R12, and R21.
  • The environment information recorded here indicates the original network environment that each user should use.
  • Environment information ENV (11), indicating the network environment that user A should originally use, is recorded on the portable information recording medium R11 issued to user A (the IC card issued as an employee card of user A). Specifically, the environment information ENV (11) indicating the network environment of the client computer 11 that user A uses at his desk is recorded as it is on the portable information recording medium R11.
  • The portable information recording medium R12 issued to user B (the IC card issued as an employee card of user B) contains environment information ENV (12) indicating the network environment that user B should use, and environment information ENV (21) is recorded on the portable information recording medium R21 (the IC card issued as an employee card of user C).
  • Any information may be used as long as it indicates a specific network environment obtained when a client computer is connected to a specific portion of the network 100.
  • specific information that can be used as environmental information.
  • The IP address given to the client computer can be used as environment information.
  • Computers that make up a company's computer system are automatically assigned a predetermined IP address by using the Dynamic Host Configuration Protocol (DHCP).
  • The allocated address range differs depending on the connection point to the network 100.
  • Suppose that routers are provided at the nodes N1, N2, and N3 of the network 100, that the client computers 11, 12, 13, and 14 of the human resources department 10 connected to the node N1 are assigned IP addresses belonging to a first address range, that the client computers 21, 22, and 23 of the lounge 20 connected to the node N2 are assigned IP addresses belonging to a second address range, and that the client computer 31 in the employee dormitory 30 connected to the node N3 is assigned an IP address belonging to a third address range. Then, by checking which address range the IP address currently assigned to a client computer belongs to, it is possible to recognize the network environment of that client computer. For example, if the IP address assigned to a client computer belongs to the first address range, the client computer can be recognized as a computer of the human resources department 10 connected to the node N1.
  • In the case of IPv4, an IP address is represented by a 32-bit number. If, for example, client computers connected to the same node are given IP addresses that share the same upper 24 bits and differ only in the lower 8 bits, the upper 24 bits of the IP address can be used as they are as environment information indicating the network environment.
  • The upper 24 bits of the IP addresses of the client computers 11, 12, 13, and 14 belonging to the human resources department 10 are the same, so this value can be used as it is as environment information.
  • The default gateway address set on the client computer can also be used as environment information indicating the network environment. For example, in the example shown in FIG. 1, if routers are installed at the nodes N1, N2, and N3, respectively, the default gateway address set for each client computer is the IP address of the router installed at the corresponding node. For example, the IP address of the router installed at the node N1 is set as the common default gateway address for the client computers 11, 12, 13, and 14 of the human resources department 10. On the other hand, the IP address of the router installed at the node N2 is set as the common default gateway address for the client computers 21, 22, and 23 in the lounge 20. Therefore, these default gateway addresses can be used as they are as environment information indicating the network environment.
  • If proxy servers are installed at the nodes N1, N2, and N3 instead of routers, the proxy server address set on the client computer can also be used as environment information indicating the network environment.
  • A common proxy server address is set for the client computers 11, 12, 13, and 14 of the human resources department 10, while a different common proxy server address is set for the client computers 21, 22, and 23 of the lounge 20.
  • A domain name that can be queried on the DNS server used by the client computer can also be used as environment information indicating the network environment of the client computer.
  • The DNS server is a server computer that has a conversion table function for converting between domain names and IP addresses. In the example shown in FIG. 1, if the DNS server referred to by each client computer installed in the human resources department 10 differs from the DNS server referred to by each client computer installed in the lounge 20, and the contents of their translation tables differ, this difference can be used to recognize which DNS server a client computer refers to.
  • Suppose the DNS server referenced by each client computer installed in the human resources department 10 has a table prepared for converting the domain name "Melon" to an IP address, but the DNS server referenced by each client computer installed in the lounge 20 has no table for translating the domain name "Melon". If the operation of looking up the domain name "Melon" from a client computer succeeds, that client computer can be recognized as one installed in the human resources department 10.
  • Various kinds of information indicating a specific network environment obtained when a client computer is connected to a specific portion of the network 100 can thus be used as environment information in the second embodiment.
  • Specific environment information is recorded on the portable information recording media R11, R12, and R21 issued to users A, B, and C, respectively, as shown in Fig. 5.
  • The environment information ENV (11) recorded on the portable information recording medium R11, which is the employee card of user A, is information indicating the original network environment used by user A. Specifically, it may be the upper 24 bits of the IP address assigned to the client computer 11, the IP address of the router installed at the node N1 (the default gateway address), or the address of the proxy server installed at the node N1.
  • The network environment of the client computer 11 and the network environment of the client computer 12 are the same, so the environment information ENV (11) and the environment information ENV (12) are the same. However, since the network environment of the client computer 21 is different, the environment information ENV (21) is also different.
  • The basic principle of security management in the computer system is as follows.
  • When a user connects the portable information recording medium issued to that user to a client computer and performs the procedure to start using that client computer, the current network environment of the client computer is collated with the network environment indicated by the environment information recorded on the portable information recording medium, and a predetermined access right is set based on the collation result. More specifically, when the collation results do not match, an access right with more restrictions is set than when the collation results match. This is similar to the first embodiment described above.
  • Suppose that user A connects the portable information recording medium R11, issued as his or her own employee ID card, to the client computer 11 of the human resources department 10 and performs the use start procedure.
  • Collation is performed between the environment information ENV (11) indicating the network environment of the client computer 11 and the environment information ENV (11) recorded on the portable information recording medium R11.
  • An access right is set based on this collation result.
  • The original access right set for user A is given to user A's access using the client computer 11.
  • User A is given an access right that permits reading of the general-purpose business data in the server computer 110 and an access right that permits reading and writing of the HR department business data in the server computer 120.
  • The environment information ENV (11) and the environment information ENV (12) are the same. Therefore, even when user A uses the client computer 12, the same access right as in the above-mentioned case is given.
  • Even when the client computer 11 is replaced with a new client computer 15 and the new client computer 15 is used, the same access right is given.
  • Operation with a higher degree of freedom than in the first embodiment described above is possible.
  • When user A accesses using the client computer 21 installed in the lounge 20, the situation changes. In this case, user A connects the portable information recording medium R11 to the client computer 21 and performs a use start procedure.
  • The environment information ENV (21) indicating the network environment of the client computer 21 does not match the environment information ENV (11) recorded on the portable information recording medium R11, so an access right with more restrictions is set than when the collation results match. For example, access to the general-purpose business data in the server computer 110 is allowed, but access to the human resources department-specific business data in the server computer 120 is completely prohibited.
  • Each user is given the original access right as long as the user accesses from the predetermined original network environment, but when access is made from any other network environment, the user's access rights are restricted.
  • User A, who belongs to the human resources department, can access each server computer with the original access right given to the human resources department as long as the access is made from the client computers 11 to 14 installed in the human resources department 10, but cannot obtain the original access right when using a client computer installed in the lounge 20 or the employee dormitory 30. Therefore, the security problem described in §0 can be solved.
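The environment collation of the second embodiment, using the upper 24 bits of the IPv4 address or the default gateway address as environment information, can be sketched as follows. This is an added example, not code from the patent: the class and function names, the kind labels `ip_upper24`/`default_gateway` and all addresses are constructed for illustration, and an unreadable setting is treated as a mismatch by assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientNetwork:
    """Network settings currently in effect on a client computer."""
    ip: str
    default_gateway: str


def current_environment(client, kind):
    """Derive environment information of the given kind from the client's settings."""
    if kind == "ip_upper24":
        # Keep the upper 24 bits of the 32-bit IPv4 address, clear the lower 8.
        addr = ipaddress.IPv4Address(client.ip)
        return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))
    if kind == "default_gateway":
        return str(ipaddress.IPv4Address(client.default_gateway))
    raise ValueError(f"unsupported environment kind: {kind}")


def issue_card(client, kind):
    """Administrator step: record the original environment on a user's card."""
    return (kind, current_environment(client, kind))


def collate_environment(card_env, client):
    """True only if the client's current environment equals the recorded one."""
    kind, recorded = card_env
    try:
        return current_environment(client, kind) == recorded
    except ValueError:
        # Assumption of this sketch: settings that cannot be read or parsed
        # count as a mismatch, so the more restricted right is applied.
        return False


def set_access_right(card_env, client):
    """Access right setting: the first right on a match, the second otherwise."""
    return "first" if collate_environment(card_env, client) else "second"


# Constructed sample addressing: node N1 (human resources department 10) uses
# 10.1.1.x, node N2 (lounge 20) uses 10.1.2.x, node N3 (dormitory 30) uses 10.1.3.x.
C11 = ClientNetwork("10.1.1.11", "10.1.1.254")
C12 = ClientNetwork("10.1.1.12", "10.1.1.254")
C15 = ClientNetwork("10.1.1.57", "10.1.1.254")  # replacement for client 11
C21 = ClientNetwork("10.1.2.21", "10.1.2.254")
C31 = ClientNetwork("10.1.3.31", "10.1.3.254")

ENV_11 = issue_card(C11, "ip_upper24")       # written to user A's card R11
ENV_11_GW = issue_card(C11, "default_gateway")

if __name__ == "__main__":
    clients = {"11": C11, "12": C12, "15": C15, "21": C21, "31": C31}
    for name, client in clients.items():
        print(f"client {name}: {set_access_right(ENV_11, client)} access right")
```
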
  • FIG. 6 is a block diagram showing a configuration of a client computer 11 for performing the second embodiment.
  • the client computer 11 is provided with server access means 11A, access right setting means 11B, environment matching means 11H, and interface means 11D.
  • the client computer 11 also includes various other components (for example, a CPU, a memory, a hard disk, and an input / output (I / O) for executing an OS program and an application program) for performing the function as the client computer. Equipment, etc.), but the description is omitted here.
  • the client computer 11 is connected to the network 100 under a specific network environment, and the specific network environment can be indicated by predetermined environment information ENV (11). As described above, the IP address, default gateway address, proxy server address, and the like set in the client computer 11 can be used as the environmental information ENV (11).
  • the interface means 11D is a component for connecting the portable information recording medium R11, similarly to the embodiment shown in FIG. 3, and is constituted by a reader / writer device for an IC card. .
  • the user loads the portable information recording medium R 11 as an IC card into the interface means 11 D as a reader / writer, Both can be connected.
  • the environment collation means 11H is a component having a function of collating environment information recorded on the currently connected portable information recording medium with environment information indicating the current network environment of the client computer 11, and
  • the right setting means 11 B is a component having a function of setting a predetermined access right based on the result of the comparison.
  • the access right setting means 11 1B sets the first access right when the collation results match, and sets the first access right having more restrictions than the first access right when the collation results do not match. 2 access rights will be set.
  • the server access means 11A is a component for accessing the server computers 110 and 120 within the set access right.
  • the user A uses the portable information recording medium R11, which is his/her own employee ID card, to perform the procedure for starting use of the client computer 11, so the collation results of the environment collation means 11H match. That is, the environment collation means 11H collates the environment information ENV (11) in the portable information recording medium R11, read out via the interface means 11D, with the environment information indicating the current network environment of the client computer 11. In this example, the two match, and the access right setting means 11B sets the first access right.
  • FIG. 7 is a block diagram showing a configuration of a modification in which the portable information processing device executes the matching process and the access right setting process in the second embodiment.
  • the client computer 11 has server access means 11A for accessing the server computer within the range of the access right transmitted from the currently connected portable information processing device, and interface means 11D for connecting the portable information processing device; the environment checking means and the access right setting means are not provided.
  • the portable information processing device P11 is an IC card having an information processing function.
  • it has the environment checking means 11I, the access right setting means 11F, and the access right transmitting means 11G.
  • the environment collation means 11I is a component for collating environment information indicating the network environment of the currently connected client computer with environment information recorded in itself.
  • the access right setting means 11F is a component for setting a predetermined access right based on the collation result.
  • the access right transmitting means 11G is a component for transmitting the set access right to the currently connected client computer.
  • the environment collation means 11I collates the environment information ENV (11) indicating the network environment of the client computer 11, read out through the interface means 11D, with the environment information ENV (11) recorded in the portable information processing device P11.
  • the access right setting means 11F sets the first access right
  • the set access right is transmitted to the server access means 11A via the interface means 11D.
  • the server access means 11A accesses the server computer based on the first access right.
  • the server access means 11A accesses the server computer based on the second access right.
  • the third embodiment described here corresponds to a combination of the first embodiment described in §1 and the second embodiment described in §2. That is, the feature of the first embodiment is that a specific client computer that should originally be used is set for each user, and the access right is determined by whether or not access is made from that client computer.
  • the second embodiment is characterized in that a specific network environment that should originally be used is set for each user, and the setting of the access right is changed depending on whether or not access is made from that network environment.
  • the feature of the third embodiment described here is that, for each user, a specific client computer that should originally be used and a specific network environment that should originally be used are set, and the setting of the access right is changed in consideration of both whether or not access is made from that client computer and whether or not access is made from that network environment.
  • a specific identification code and environment information indicating a specific network environment are recorded on a portable information recording medium issued to each user.
  • the collation process between the identification code recorded on the client computer and the identification code recorded on the portable information recording medium is performed.
  • a collation process between the current network environment of the client computer and the network environment indicated by the environment information recorded on the portable information recording medium is also performed, and a predetermined access right is set based on these collation results.
  • FIG. 8 is a block diagram for explaining a third embodiment of the present invention, and shows a part of the computer system shown in FIG.
  • portable information recording media R11, R12, and R21 are issued to three users A, B, and C, respectively.
  • predetermined environmental information is recorded together with a predetermined identification code.
  • the portable information recording medium R11 issued to the user A contains the identification code ID (11) of the client computer 11 that the user A should originally use and the environmental information ENV (11) indicating the network environment that the user A should originally use.
  • the portable information recording medium R12 issued to the user B contains the identification code ID (12) of the client computer 12 that the user B should originally use and the environmental information ENV (12) indicating the network environment that the user B should originally use.
  • the portable information recording medium R21 issued to the user C contains the identification code ID (21) of the client computer 21 that the user C should originally use and the environmental information ENV (21) indicating the network environment that the user C should originally use.
  • the user A connects the portable information recording medium R11 issued as his/her own employee ID card to the client computer 11 of the human resources department 10 and performs a use start procedure.
  • the identification code ID (11) in the client computer 11 is collated with the identification code ID (11) recorded on the portable information recording medium R11, and the environment information ENV (11) indicating the network environment of the client computer 11 is collated with the environmental information ENV (11) recorded on the portable information recording medium R11.
  • an access right is set based on these collation results. In this example, the two results match.
  • the identification code ID (12) in the client computer 12 is collated with the identification code ID (11) recorded on the portable information recording medium R11, and the environment information ENV (12) indicating the network environment of the client computer 12 is collated with the environmental information ENV (11) recorded on the portable information recording medium R11.
  • ID (1 1) ID (2 1) ID (1 1) in the collation work on the code, but does not match ENV (1 1) ⁇ ENV (2 1) in the collation work on the network environment.
  • FIG. 9 is a block diagram showing a configuration of a client computer 11 for performing the third embodiment.
  • this configuration is equivalent to a combination of the configuration of FIG. 3 and the configuration of FIG. 6. Since the functions of the individual components are as described in §1 and §2, the description of the function of each component is omitted here.
  • both the identification code ID (11) and the environmental information ENV (11) are recorded on the portable information recording medium R11.
  • the client computer 11 is provided with both identification code matching means 11C for matching identification codes and environment matching means 11H for matching network environments.
  • the access right setting means 11B sets a predetermined access right based on the two comparison results.
  • FIG. 10 is a block diagram showing a configuration of a modification of the third embodiment in which the portable information processing device executes the matching process and the access right setting process.
  • This block diagram is equivalent to a combination of the configuration in FIG. 4 and the configuration in FIG.
  • the functions of the individual components are as described in §1 and §2, respectively, and the description of the function of each component is omitted.
  • the portable information processing device P11 has both the identification code ID (11) and the environmental information ENV (11) recorded therein.
  • both identification code matching means 11E for performing the collation work of the identification code and environment matching means 11I for matching the network environment are provided.
  • the access right setting means 11F sets a predetermined access right based on the result of the two comparisons.
  • the first algorithm sets the first access right regardless of the matching result of the network environment when the matching result of the identification code matches. If the matching result of the identification code does not match but the matching result of the network environment matches, the second access right, with more restrictions than the first access right, is set, and if both matching results do not match, the third access right, with more restrictions than the second access right, is set. According to this method, access right management according to the actual operation of the computer system becomes possible.
  • FIG. 11 is a flowchart showing a method of setting an access right based on such a policy.
  • collation work of the identification code is performed in step S2.
  • the process branches to step S6 via step S3, and the first access right with few restrictions is set. In this case, there is no need to check the network environment.
  • the process proceeds to step S4 via step S3, where the network environment is collated. If the network environments match, the process branches to step S7 via step S5, and a second access right with moderate restrictions is set. On the other hand, if the network environment does not match, the process branches to step S8 via step S5, and a third access right with many restrictions is set.
  • when the access right is set based on the algorithm shown in Fig. 11, as long as the user uses the original client computer provided to him or her, the highest-level first access right (the access right that should originally be granted to the user) is granted, whatever network environment the computer is used in. On the other hand, if the user accesses using another client computer, the medium-level second access right is granted if the access is from the original network environment, and the lowest-level third access right is granted if the access is from another network environment. On the other hand, the second algorithm sets the first access right when both the matching result by the identification code matching unit and the matching result by the environment matching unit match, and the matching result by the identification code matching unit matches.
  • FIG. 12 is a flowchart showing a method of setting an access right based on such a policy. First, assuming that the user has performed a procedure for starting use of a predetermined client computer in step S1, collation work of the identification code is performed in step S2. Here, if the identification codes match, the flow branches to step S4 via step S3, and the network environment is collated.
  • step S6 via step S5
  • step S7 via step S5
  • step S8 a third access right with many restrictions is set. In this case, there is no need to check the network environment.
  • when access rights are set based on the algorithm shown in Fig. 12, if the user uses the original client computer provided to him/her in the original network environment, the highest-level first access right (the access right that should originally be given to the user) is given.
  • the medium-level second access right is granted.
  • the lowest-level third access right is granted regardless of the network environment.
  • the access right setting in the present invention is freely performed so as to be adapted to individual computer systems. It is not limited to the examples described above. For example, four types of access rights may be set based on four types of matching results.
  • the feature of the present invention resides in that a predetermined access right is set based on a result of collation of an identification code or a result of collation of a network environment. As described above, it can be used in combination with a method of authenticating a user with an account and a password and giving a predetermined access right set for each user in advance.
  • the identification code and the environment information recorded in the portable information recording medium are single, but a plurality of identification codes and a plurality of network environments are recorded. And collation may be performed for each.
  • different access rights can be set depending on which identification code matches or which network environment matches.
  • two identification codes ID (11-1) and ID (11-2) are recorded in the portable information recording medium R11 issued to the user A, and it is also possible to set the first access right if the identification code ID (11-1) matches, and to set the second access right if the identification code ID (11-2) matches.
  • the access right in the present invention includes not only the right to permit reading and writing to a file, but also the right to various processes such as the right to print out the contents of the file.
  • the “server computer” broadly refers to a computer that provides data and services
  • the “client computer” broadly refers to a computer that receives data and services. Therefore, for example, in the configuration shown in FIG. 1, when the client computer 11 executes a process for transferring data stored in the client computer 14 over a network, the client computer 14 functions as a “server computer” with regard to that process.
  • in Fig. 3, Fig. 4, Fig. 6, Fig. 7, Fig. 9, and Fig. 10, the individual components of the client computer and the portable information processing device are shown as blocks, respectively.
  • each of these blocks is actually a component realized by a program embedded in a computer or IC card.
  • the program can be recorded on a computer-readable recording medium such as a CD-ROM and distributed.
  • INDUSTRIAL APPLICABILITY The present invention is widely applicable to a system in which a large number of computers functioning as servers and clients are connected to a network.
  • a dedicated network such as an in-house LAN or WAN
  • servers with various functions are connected to this network, and each employee accesses the server using a personal computer or the like. This is ideal for setting different access rights for individual employees depending on the situation.
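The two access-right policies of FIG. 11 and FIG. 12 described above, written out as an added example that is not part of the patent text. The class and function names, the sample addresses, and the rule that two environments match when subnet, default gateway and proxy agree are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from enum import IntEnum


class AccessRight(IntEnum):
    FIRST = 1   # fewest restrictions
    SECOND = 2  # more restrictions than FIRST
    THIRD = 3   # more restrictions than SECOND


@dataclass(frozen=True)
class Env:
    """Environment information ENV: IP address, default gateway, proxy."""
    ip: str       # interface address with prefix length
    gateway: str
    proxy: str

    def key(self):
        # Assumption: a "match" means same subnet, gateway and proxy,
        # so the host part of the IP address is ignored.
        net = ipaddress.ip_interface(self.ip).network
        return (net, self.gateway, self.proxy)


@dataclass(frozen=True)
class Medium:
    """What a portable information recording medium (e.g. R11) records."""
    ident: str
    env: Env


@dataclass(frozen=True)
class Client:
    """Identification code and current network environment of a client."""
    ident: str
    env: Env


def policy_fig11(medium, client):
    """FIG. 11: environment is collated only when the ID does not match."""
    if medium.ident == client.ident:            # S2, S3
        return AccessRight.FIRST                # S6
    if medium.env.key() == client.env.key():    # S4, S5
        return AccessRight.SECOND               # S7
    return AccessRight.THIRD                    # S8


def policy_fig12(medium, client):
    """FIG. 12: an ID mismatch is final; environment grades a matching ID."""
    if medium.ident != client.ident:            # S2, S3
        return AccessRight.THIRD                # S8, environment not checked
    if medium.env.key() == client.env.key():    # S4, S5
        return AccessRight.FIRST                # S6
    return AccessRight.SECOND                   # S7


# Constructed sample data (not taken from the patent).
HOME = Env("10.10.0.11/24", "10.10.0.1", "proxy.hr.example:8080")
R11 = Medium("ID(11)", HOME)
CLIENTS = {
    "client 11, own network": Client("ID(11)", HOME),
    "client 11, other network": Client(
        "ID(11)", Env("192.168.5.40/24", "192.168.5.1", "")),
    "client 12, same network": Client(
        "ID(12)", Env("10.10.0.12/24", "10.10.0.1", "proxy.hr.example:8080")),
    "client 21, other network": Client(
        "ID(21)", Env("10.20.0.21/24", "10.20.0.1", "proxy.other.example:8080")),
}


def decision_table(medium=R11, clients=CLIENTS):
    """Map each scenario to its (FIG. 11, FIG. 12) access rights."""
    return {name: (policy_fig11(medium, c), policy_fig12(medium, c))
            for name, c in clients.items()}


if __name__ == "__main__":
    for name, (a, b) in decision_table().items():
        print(f"{name:26} Fig.11={a.name:6} Fig.12={b.name}")
```

The table shows where the two policies diverge: under FIG. 11 the user's own client keeps the first access right on a foreign network, while under FIG. 12 it drops to the second, and another client on the home network gets the second right under FIG. 11 but only the third under FIG. 12.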

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)
PCT/JP2005/001041 2004-02-23 2005-01-20 Computer system, access right setting method, program for causing a client computer to function, and recording medium on which the program is recorded Ceased WO2005081120A1 (ja)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10/588,324 US8646058B2 (en) 2004-02-23 2005-01-20 Computer system and access right setting method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2004-045974 2004-02-23
JP2004045974A JP4250100B2 (ja) 2004-02-23 2004-02-23 Computer system

Publications (1)

Publication Number Publication Date
WO2005081120A1 (ja) 2005-09-01

Family

ID=34879425

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2005/001041 Ceased WO2005081120A1 (ja) Computer system, access right setting method, program for causing a client computer to function, and recording medium on which the program is recorded 2004-02-23 2005-01-20

Country Status (3)

Country Link
US (1) US8646058B2
JP (1) JP4250100B2
WO (1) WO2005081120A1

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008158828A (ja) * 2006-12-25 2008-07-10 Dainippon Printing Co Ltd Environment setting device for electronic equipment
JP2008262258A (ja) * 2007-04-10 2008-10-30 Sky Kk Erroneous operation prevention system
JP2009176270A (ja) * 2007-12-27 2009-08-06 Quality Corp Portable terminal device, file management program, and file management system
JP2011022636A (ja) * 2009-07-13 2011-02-03 Meet Co Ltd Information exchange system
US8082325B2 (en) 2003-12-24 2011-12-20 Dai Nippon Printing Co., Ltd. Data storing system using network

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4442487B2 (ja) * 2005-03-29 2010-03-31 Seiko Epson Corporation Confidential printing control device and confidential printing control method
US8438657B2 (en) * 2006-02-07 2013-05-07 Siemens Aktiengesellschaft Method for controlling the access to a data network
JP4473256B2 (ja) 2006-12-27 2010-06-02 International Business Machines Corporation Information processing apparatus, method, and program for controlling resource access by an application program
JP4737220B2 (ja) * 2008-04-05 2011-07-27 Konica Minolta Business Technologies, Inc. Image forming apparatus, authentication method, and authentication program
JP2010086177A (ja) * 2008-09-30 2010-04-15 Dainippon Printing Co Ltd Access control system and method
JP5212718B2 (ja) * 2008-10-30 2013-06-19 Dai Nippon Printing Co., Ltd. Platform integrity verification system and method
RU2469396C1 (ru) * 2011-03-31 2012-12-10 Igor Vladimirovich Timoshenko Method for authorizing a subscriber in a shared-use system
WO2012177681A2 (en) * 2011-06-20 2012-12-27 Aces & Eights Corporation Systems and methods for digital forensic triage
WO2015151980A1 (ja) * 2014-04-02 2015-10-08 Sony Corporation Information processing system and computer program
KR102264992B1 (ko) 2014-12-31 2021-06-15 Samsung Electronics Co., Ltd. Method and apparatus for allocating a server in a wireless communication system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0462636A (ja) * 1990-06-29 1992-02-27 Matsushita Electric Ind Co Ltd Card-operated computer system
JPH04252350A (ja) * 1991-01-28 1992-09-08 Hitachi Ltd Security check method
JPH11328120A (ja) * 1998-05-20 1999-11-30 Nec Field Service Ltd Computer network with confidential information leakage prevention function
JP2000090038A (ja) * 1998-09-10 2000-03-31 Nippon Telegr & Teleph Corp <Ntt> Network information processing method and system apparatus
JP2002215254A (ja) * 2001-01-23 2002-07-31 Canon Inc Portable information storage medium, information processing apparatus, software distribution system, information processing method, and computer-readable storage medium
JP2004046460A (ja) * 2002-07-10 2004-02-12 Nec Corp Access control method in a file management system

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH07191940A (ja) 1993-12-27 1995-07-28 Mitsubishi Electric Corp Computer resource utilization method
US6308273B1 (en) 1998-06-12 2001-10-23 Microsoft Corporation Method and system of security location discrimination
JP2000010930A (ja) 1998-06-24 2000-01-14 Hitachi Ltd Access control method in a network system
JP4207292B2 (ja) 1999-03-03 2009-01-14 Oki Electric Industry Co., Ltd. Access restriction system for terminal device and IC card
JP2000330668A (ja) 1999-05-24 2000-11-30 Sharp Corp Information processing apparatus
US6668322B1 (en) * 1999-08-05 2003-12-23 Sun Microsystems, Inc. Access management system and method employing secure credentials
JP4280036B2 (ja) 2001-08-03 2009-06-17 Panasonic Corporation Access right control system
US6990592B2 (en) * 2002-02-08 2006-01-24 Enterasys Networks, Inc. Controlling concurrent usage of network resources by multiple users at an entry point to a communications network based on identities of the users
JP4252350B2 (ja) 2003-04-18 2009-04-08 Kanto Auto Works, Ltd. Panel joining method
US7458093B2 (en) * 2003-08-29 2008-11-25 Yahoo! Inc. System and method for presenting fantasy sports content with broadcast content
US7346556B2 (en) * 2003-08-29 2008-03-18 Yahoo! Inc. System and method for performing purchase transactions utilizing a broadcast-based device
WO2006039771A1 (en) * 2004-10-12 2006-04-20 Bce Inc. System and method for access control

Also Published As

Publication number Publication date
JP2005235056A (ja) 2005-09-02
US8646058B2 (en) 2014-02-04
JP4250100B2 (ja) 2009-04-08
US20080276307A1 (en) 2008-11-06

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 10588324

Country of ref document: US

122 Ep: pct application non-entry in european phase