WO2011070676A1 - Information processor, control method for information processor, control program for information processor, and control program for system controller - Google Patents

Information processor, control method for information processor, control program for information processor, and control program for system controller

Info

Publication number
WO2011070676A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
information
processing device
user information
processing apparatus
Prior art date
Application number
PCT/JP2009/070761
Other languages
French (fr)
Japanese (ja)
Inventor
浩二 成廣
Original Assignee
富士通株式会社
Priority date
Filing date
Publication date
Application filed by 富士通株式会社
Priority to PCT/JP2009/070761
Publication of WO2011070676A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • The technology disclosed in this specification relates to an information processing apparatus, a control method for the information processing apparatus, a control program for the information processing apparatus, and a control program for the system control apparatus.
  • Hardware resources including computing resources such as a CPU (Central Processing Unit) as an arithmetic processing unit possessed by a server as an information processing device or a system board (System Board) as a processing device are logically divided into a plurality of partitions.
  • A partitioning technique for constructing an independent OS (Operating System) environment in each partition is known.
  • The server divided into a plurality of partitions has a system control device such as a service processor (SVP) that monitors and controls hardware resources.
  • Each partition is provided with a monitoring agent that assists the function of the system control device.
  • The monitoring agent acquires the usage status of hardware resources by the partition in which the monitoring agent is installed, and notifies the usage status to the system control device via a control line connected to the system control device.
  • The system control device monitors and controls hardware resources.
  • The partition and the system control apparatus have independent user authentication functions, and manage users based on independent user information.
  • The user needs to log into the system control device and the OS on the partition separately.
  • The above-described technique has a problem that the workload of an administrator who manages user information in the server increases according to the number of partitions on the server and the number of users. For example, when a user is added or deleted, the administrator must change user information in the partition and the system control device.
  • The present invention has been made to solve the above-described problems, and its purpose is to provide an information processing apparatus that can easily change user information, a control method for the information processing apparatus, a control program for the information processing apparatus, and a control program for the system control apparatus.
  • An information processing device includes a plurality of first processing devices each having an arithmetic processing device, and a second processing device that controls the arithmetic processing devices included in each of the plurality of first processing devices.
  • The first processing device of any one of the plurality of first processing devices includes: a first storage unit that stores first user information indicating a first user who has an access right to the first processing device; a first determination unit that, when second user information indicating a second user is input, determines, based on the second user information and the first user information, whether or not to permit access by the second user to the one first processing device; a detection unit that detects a change in the first user information in the first storage unit; and a first transmission unit that transmits change information indicating a change content of the first user information to the second processing device when a change of the first user information is detected by the detection unit.
  • The second processing device includes: a second storage unit that stores third user information indicating a third user who has authority to access the second processing device; a second determination unit that, when fourth user information indicating a fourth user is input, determines whether to permit access to the second processing device by the fourth user based on the fourth user information and the third user information; a first receiving unit that receives the change information transmitted from the first transmission unit; and a first updating unit that updates the third user information in the second storage unit based on the change information received by the first receiving unit.
  • The control program for the information processing device is a control program that controls an information processing device having an arithmetic processing device, and causes the information processing device to execute: determining, when first user information indicating a first user is input, whether to permit access to the information processing apparatus by the first user based on the first user information and second user information, stored in the first storage unit, indicating a second user who has the authority to access the information processing apparatus; detecting a change of the second user information in the first storage unit; and, when the change of the second user information is detected, transmitting change information indicating the change contents of the second user information to the system control device that controls the arithmetic processing device included in the information processing device.
  • The control program of the system control device is a control program of the system control device that controls the arithmetic processing devices included in each of the plurality of information processing devices, and, when first user information indicating a first user is input, determines whether or not to permit access to the system control device by the first user based on the first user information and second user information, stored in the first storage unit, indicating a second user having access authority to the system control device; and the first first stored in the second storage unit of any one of the plurality of information processing devices.
  • The user information can be easily changed.
  • FIG. 1 is a block diagram illustrating a hardware configuration of a server as an information processing apparatus according to an embodiment.
  • The server 1 includes an SVP 11, SB (System board) 12A to 12N, IOB (I/O Board) 13A to 13B, and HDD (Hard Disk Drive) 14.
  • The SVP 11 is connected to the SBs 12A to 12N and the HDD 14 through control lines.
  • The SVP 11 transmits user information, which will be described later, from the SBs 12A to 12N via the control line.
  • The SVP 11 is connected to a console 2 as a terminal device outside the server 1 and a network.
  • The SBs 12A to 12N and the IOBs 13A to 13N are connected via a bus, and the IOBs 13A to 13N are connected to a network.
  • The server 1 logically divides the SBs 12A to 12N, the IOBs 13A to 13N, and the HDD 14 into a plurality of partitions according to a user definition, and constructs an independent OS environment for each. For example, the server 1 makes the SBs 12A to 12B, the IOBs 13A to 13C, and the HDD 14 cooperate to construct a partition that is operated using one OS. Note that the user appropriately sets the number of partitions and how many SBs and IOBs are used to construct each partition.
  • The SVP 11 realizes a system control device that controls and monitors hardware resources such as the SBs 12A to 12N.
  • The SVP 11 has a CPU 111 and a memory 112.
  • The SVP 11 acquires input information such as a user account and a password input by the user to the console 2. Further, the SVP 11 acquires input information input by a user to an external terminal device via a network.
  • The SBs 12A to 12N have a CPU 121 and a memory 122. Input information and the like are input to the IOBs 13A to 13N from the network.
  • The SBs 12A to 12N obtain input information and the like from the IOBs 13A to 13N via the bus.
  • The HDD 14 stores a plurality of OSs operated on the partition, user information, and the like.
  • FIG. 2 is a diagram for explaining the partitions in the server 1 and the system control apparatus according to the embodiment.
  • The partition 41A includes an OS 411A, a user authentication unit 412A and a monitoring agent unit 413 operating on the OS 411A, user information 414A used for user authentication, and a user information save file 415A.
  • The OS 411A preferably has a user information change notification function for sending a user information change notification indicating the change of the user information 414A to the monitoring agent unit 413 when the user information 414A is changed.
  • The OS 411A is, for example, Linux (registered trademark) having an initiating function for monitoring events in the file system.
  • The partitions 41B to 41N have the same configuration as that of the partition 41A, but the SBs 12A to 12N and IOBs 13A to 13N constituting the partitions are different.
  • The SB and IOB for constructing each partition are different, but one partition may be constructed by a plurality of SBs and IOBs. A plurality of partitions may be constructed by the same SB and IOB.
  • The OSs 411A to 411N, the user authentication units 412A to 412N, the user information save files 415A to 415N, and the user information 414A to 414N are different from each other. Note that these may be the same or only part of the partitions may be the same.
  • The user authentication units 412A to 412N are realized by the cooperation of the CPU 121 and the memory 122, and have user authentication functions that the OSs 411A to 411N support as standard.
  • User authentication units 412A to 412N accept user operations such as login (access) to a partition from a terminal device connected to a network or hardware for building a partition, and determine whether or not the user can log in. For example, it is assumed that a user logs in (accesses) to the partition 41A. In this case, the user authentication unit 412A performs a user authentication process based on the input information input by the user and the user information 414A using the user authentication function.
  • The user can access the user authentication units 412A to 412N by any method. The user can select and set the method in advance, and as long as the user can access the user authentication units 412A to 412N, communication other than via the network may be selected.
  • The monitoring agent unit 413 is realized by the cooperation of the CPU 121 and the program stored in the memory 122, acquires the usage status of the hardware resources that construct the partitions 41A to 41N, and notifies the usage status to the system control device 5 via the control line connected to the system control device 5. In addition, the monitoring agent unit 413 transmits data such as user information 414A to the system control device 5 via a control line. The monitoring agent unit 413 generates and updates the user information save file 415A.
  • The system control device 5 is realized by the SVP 11 and includes a user authentication unit 51 and user information 52 used for user authentication.
  • The user authentication unit 51 is realized by the cooperation of the CPU 111 and a program stored in the memory 112.
  • The user authentication unit 51 performs user authentication processing for determining whether or not the user can be authenticated based on the input information input by the user and the user information 52.
  • The user authentication unit 51 makes an authentication request, which will be described later, to the user authentication units 412A to 412N using the user account and password of the user who logs in to the system control device 5.
  • The user authentication unit 51 accesses the user authentication units 412A to 412N via the network.
  • FIG. 3 is a diagram for explaining the user information 414A in the partition 41A.
  • The user information 414A is information indicating a plurality of users having access authority to the partition 41A.
  • The user information 414A has individual information used for user authentication of the plurality of users.
  • The individual information includes valid/invalid information indicating whether or not the individual information is valid, a user account for logging in to the partition 41A, and user detailed information.
  • The user detailed information includes authority information indicating a user authority capable of logging in to the system control device 5, a password for logging in to the partition 41A, and attached information.
  • Examples of the attached information include a user name, a telephone number, and an expiration date when the user can log in to the partition. Note that the format of the user information 414A to 414N differs depending on the type of OS, user authentication unit, etc. of the partitions 41A to 41N.
  • FIG. 4 is a diagram for explaining the user information save file 415A.
  • The user information save file 415A has user accounts of a plurality of users having access authority to the partition 41A. Specifically, the user information 414A has only a user account associated with authority information.
  • The user information save files 415B to 415N have user accounts associated with authority information among users who can log in to the partition.
  • The user information save files 415A to 415N are preferably set so that they cannot be changed by the user.
  • The user information 414A to 414N and the user information save files 415A to 415N are stored in the storage area of the HDD 14 that constructs each partition.
  • The individual information of the user information 414A to 414N and the contents of the user information save files 415A to 415N are different from each other.
  • The user information 414A to 414N and the user information save files 415A to 415N may be stored in the memory 122.
  • FIG. 5 is a diagram for explaining the user information 52 in the system control device 5.
  • The user information 52 is information indicating a plurality of users having access authority to the system control device 5.
  • The user information 52 includes individual information used for user authentication of the plurality of users.
  • The individual information is information indicating a user account, valid/invalid information, a partition number that is an identifier indicating a partition to which the user of the individual information belongs, a user account for logging in to the system control device 5, and user detailed information.
  • The user detailed information includes authority information, a password for logging in to the system control device 5, and attached information.
  • The attached information includes, for example, a user name, a telephone number, and an expiration date when the user can log in to the system control device 5.
  • When the user does not belong to any of the partitions 41A to 41N, “0” indicating that the user does not belong to the partition is set as the partition number. If the user does not belong to any of the partitions 41A to 41N, the partition number may not be added to the individual information.
  • The user account and password when logging in to the partition 41A of the user associated with the authority information are the same as the user account and password when logging in to the system control device 5.
  • The user information 52 is assumed to be stored in the HDD 14. Note that the user information 52 may be stored in the memory 112.
  • FIG. 6 is a diagram for explaining the operation of the partition 41A and the system control device 5.
  • The administrator 81 has authority to install the OS 411 and the monitoring agent unit 413, and to add and delete user information to the partition 41A.
  • The user 82 has an access right to log in to the partition 41A or the system control device 5.
  • The user authentication processing performed by the user authentication unit 51 differs depending on the state of the partition 41A to which the user 82 belongs.
  • The stopped state is a state in which the SBs 12A to 12N and IOBs 13A to 13N that construct the partition are stopped.
  • The state (1) will be described. In the state (1), the user 82 does not yet have a user account in the partition 41A and the system control device 5.
  • The monitoring agent unit 413 reads the user information 414A.
  • The user information 414A is generated by the administrator 81 at the time of installation. Further, the user information 414A may be stored in advance in the storage area of the HDD 14 that constructs the partition 41A.
  • After reading, the monitoring agent unit 413 generates a user information save file 415A based on the read user information 414A.
  • The monitoring agent unit 413 transmits a part of the user information 414A, such as a user account and authority information, to the user authentication unit 51, and the user authentication unit 51 updates the user information 52 based on the received part of the user information 414A and the partition number of the partition 41A to which the transmission-source monitoring agent unit 413 belongs.
  • The user authentication unit 51 searches the user information 52 when there is access from the user 82, that is, when input information is input. After the search, it checks whether or not the partition 41A having the partition number corresponding to the user account of the input information is in operation. When the partition 41A with the partition number corresponding to the user account of the input information is in operation, the user authentication unit 51 sends an authentication request to the user authentication unit 412A via the network or control line using the user account and password of the input information. The authentication request shows the user account and password of the input information. The user authentication unit 412A searches the user information 414A in response to the authentication request from the user authentication unit 51, and authenticates the user account and password when the user account and password indicated in the authentication request are in the user information 414A. After the authentication, the user authentication unit 51 permits the user 82 to log in to the system control device 5 and writes the password input by the user 82 into the user information 52.
  • The administrator 81 may additionally register user information such as the user account, authority information, and password of the user 82 in the system control device 5.
  • The user authentication unit 51 searches the user information 52 based on the input information from the user 82 and determines whether or not to permit login.
  • The user authentication unit 51 searches the user information 52 when input information is input from the user 82. After the search, it checks whether or not the partition 41A having the partition number corresponding to the user account of the input information is in operation. When the partition 41A of the partition number corresponding to the user account of the input information is not in operation, the user authentication unit 51 acquires the password from the user information 52 and compares the password of the input information with the password of the user information 52. When the password input by the user 82 matches the password of the user information 52, the user authentication unit 51 authenticates the user 82 and permits the user 82 to log in.
  • The user authentication unit 51 searches the user information 52 when input information is input from the user 82. After the search, it determines whether or not the partition 41A having the partition number corresponding to the user account of the input information is in operation. When the partition 41A having the partition number corresponding to the user account of the input information is in operation, the user authentication unit 51 sends an authentication request to the user authentication unit 412A via the network using the user account and password of the input information.
  • The user authentication unit 412A searches the user information 414A in response to the authentication request from the user authentication unit 51, and authenticates the user account and password when the user account and password indicated in the authentication request are in the user information 414A. After the authentication, the user authentication unit 51 permits the user 82 to log in to the system control device 5 and writes the password input by the user 82 into the user information 52.
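The login decision described above for a running and a stopped partition, modelled as an added Python sketch (not code from the patent). The `Partition` and `SystemController` classes, the `cred` field, the account and authority values, and the use of a salted PBKDF2 hash where the text says the password is written to the user information 52 are all assumptions of this example.

```python
import hashlib
import hmac
import os


def derive(password, salt):
    # Assumption: store a salted, slow hash instead of the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Partition:
    """Stand-in for a partition and its user authentication unit 412A (hypothetical)."""

    def __init__(self):
        self.running = True
        self.users = {}  # account -> (salt, hash), playing the role of user information 414A

    def set_password(self, account, password):
        salt = os.urandom(16)
        self.users[account] = (salt, derive(password, salt))

    def authenticate(self, account, password):
        entry = self.users.get(account)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(derive(password, salt), expected)


class SystemController:
    """Stand-in for user authentication unit 51 and user information 52 (hypothetical)."""

    def __init__(self, partitions):
        self.partitions = partitions  # partition number -> Partition
        self.user_info = {}           # account -> record

    def add_user(self, account, authority, partition_number):
        # Effect of received additional information: account and authority, no password yet.
        self.user_info[account] = {
            "authority": authority, "partition": partition_number, "cred": None}

    def login(self, account, password):
        rec = self.user_info.get(account)
        if rec is None:
            return False
        part = self.partitions.get(rec["partition"])  # partition number 0: no partition
        if part is not None and part.running:
            # Partition in operation: it decides, and a success refreshes the local copy.
            if not part.authenticate(account, password):
                return False
            salt = os.urandom(16)
            rec["cred"] = (salt, derive(password, salt))
            return True
        # Partition stopped: fall back to the credential captured at the last success.
        if rec["cred"] is None:
            return False  # never logged in while the partition ran
        salt, expected = rec["cred"]
        return hmac.compare_digest(derive(password, salt), expected)


def run_scenario():
    """Constructed walk-through; returns the outcome of each login attempt."""
    part = Partition()
    part.set_password("user82", "old-pass")
    svp = SystemController({1: part})
    svp.add_user("user82", "operator", 1)
    out = {}
    part.running = False
    out["stopped_before_first_login"] = svp.login("user82", "old-pass")
    part.running = True
    out["running_wrong"] = svp.login("user82", "guess")
    out["running_ok"] = svp.login("user82", "old-pass")
    part.set_password("user82", "new-pass")  # password changed on the partition
    part.running = False
    out["stopped_stale_old"] = svp.login("user82", "old-pass")
    out["stopped_new_unseen"] = svp.login("user82", "new-pass")
    part.running = True
    out["running_new"] = svp.login("user82", "new-pass")
    part.running = False
    out["stopped_old_after_refresh"] = svp.login("user82", "old-pass")
    out["stopped_new_after_refresh"] = svp.login("user82", "new-pass")
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

The `stopped_stale_old` result shows that, in this model, a password changed on the partition keeps working at the system control device until the user next logs in while the partition is running.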
  • The change of the user information 414A performed by the administrator 81 or the user 82 includes the following three types: (1) addition of individual information, (2) deletion of individual information, and (3) change of user detailed information. First, (1) addition of individual information will be described.
  • The monitoring agent unit 413 monitors whether the user information 414A has been changed.
  • The monitoring agent unit 413 determines that the user information 414A has been changed.
  • The change content of the user information is addition of individual information of the user 82.
  • The authority of an administrator who can add and delete individual information is set in the partition 41A, and the administrator 81 performs setting with this administrator authority.
  • When the monitoring agent unit 413 determines that there is an additional change of the individual information, the monitoring agent unit 413 transmits additional information including the user account of the user 82 and the authority information to the user authentication unit 51 via the control line, and updates the user information save file 415A.
  • The user authentication unit 51 that has received the additional information adds the user account and authority information indicated in the additional information to the user information 52.
  • The user 82 can log in to the system control device 5.
  • The user 82 can log in to the partition 41A.
  • The login to the system control device 5 is the same processing as that in the above-described partition state (3) when the partition is in operation, and the description thereof will be omitted.
  • The monitoring agent unit 413 or the user authentication unit 51 may notify the administrator 81 that the addition of the individual information has ended after the addition of the individual information has been completed.
  • The administrator 81 logs into the partition 41A and deletes the individual information of the user 82.
  • The monitoring agent unit 413 determines that the user information 414A has been changed.
  • The user authentication unit 51 receives the deletion information including the user account and authority information of the individual information of the deleted user 82 via the control line.
  • The user information save file 415A is updated.
  • The user authentication unit 51 that has received the deletion information deletes the individual information from the user information 52.
  • The change of the user detailed information includes a change of authority information and a password.
  • The change of authority information is addition or deletion of authority information.
  • The administrator 81 logs in to the partition 41A and changes the authority information of the user 82.
  • The monitoring agent unit 413 determines that the user information 414A has been changed.
  • The monitoring agent unit 413 transmits additional information including the user account of the user 82 and the authority information to the user authentication unit 51 via the control line, and updates the user information save file 415A.
  • The process of the user authentication unit 51 that has received the additional information is the same process as (1) addition of individual information in the change of the user information 414A described above, and thus the description thereof is omitted.
  • The monitoring agent unit 413 determines that the change content is deletion of authority information.
  • The monitoring agent unit 413 sends authority deletion information including the user account of the user 82 and authority information to be deleted to the user authentication unit 51 via the control line.
  • The user information save file 415A is updated.
  • The user authentication unit 51 that has received the authority deletion information deletes the authority information of the user account in the user information 52.
  • The changed authority information in the user information 52 becomes valid from the next login to the system control device 5.
  • The user 82 logs in to the partition 41A and changes the password. After changing the password, the user 82 logs in to the system control device 5 with the changed new password.
  • The user authentication unit 51 searches the user information 52. After the search, it checks whether or not the partition 41A having the partition number corresponding to the user account of the input information is in operation. If it is in operation, the user authentication unit 51 transmits an authentication request to the user authentication unit 412A via the network using the user account and password of the input information.
  • The user authentication unit 412A searches the user information 414A in response to the authentication request from the user authentication unit 51, and authenticates the user account and password when the user account and password indicated in the authentication request are in the user information 414A.
  • The user authentication unit 51 permits the user 82 to log in to the system control device 5 and writes the new password of the input information to the user information 52.
  • FIG. 7 is a diagram illustrating functional blocks of the monitoring agent unit 413.
  • The monitoring agent unit 413 includes a determination unit 61, a reading unit 62, an execution unit 63, a change detection unit 64, and a transmission unit 65.
  • The determination unit 61 determines whether or not the user information save files 415A to 415N exist, determines the change contents of the user information 414A to 414N, and determines whether or not the user information change notification function exists.
  • The reading unit 62 reads the user information 414A.
  • The execution unit 63 updates the user information save files 415A to 415N, generates the user information save files 415A to 415N, and the like.
  • The change detection unit 64 detects changes in the user information 414A to 414N.
  • The transmission unit 65 transmits change information, additional information, and the like to the user authentication unit 51.
  • FIG. 8 is a diagram showing functional blocks of the user authentication unit 51 of the system control device 5.
  • The user authentication unit 51 includes a determination unit 71, a transmission/reception unit 72, and an execution unit 73.
  • The determination unit 71 determines whether or not the transmission/reception unit 72 has received input information, change information, or the like.
  • The transmission/reception unit 72 receives input information from the user 82, change information from the monitoring agent unit 413, and the like. In addition, the transmission/reception unit 72 transmits an authentication request or the like.
  • The execution unit 73 compares the input information with the user information 52, updates the user information 52, and the like.
  • FIG. 9 is a flowchart illustrating an operation of information synchronization processing in the monitoring agent unit 413 according to the embodiment.
  • the monitoring agent unit 413 of the partition 41A will be described as an example. The same operation is performed in the monitoring agent unit 413 in other partitions.
  • the determination unit 61 determines whether there is a user information save file 415A (S102). When it is determined that the user information save file 415A exists (S102, YES), the reading unit 62 reads the user information 414A (S103). After reading, the determination unit 61 determines whether there is an increase or decrease in the number of users who can log in to the system control device 5 and addition of authority information based on the comparison between the user information save file 415A and the user information 414A (S104). ).
  • the determination unit 61 includes, among the individual information of the user information 414A, a user account associated with authority information (hereinafter referred to as user account A) and a user account of the user information save file 415A (hereinafter referred to as user account A).
  • user account A a user account associated with authority information
  • user account B a user account of the user information save file 415A
  • the determination unit 61 determines whether there is a user account in the user account A that is not in the user account B and whether there is a user account in the user account B that is not in the user account A. If there is a user account in user account A that is not in user account B, determination unit 61 determines that individual information has been added to user information 414A or that authority information has been added to the individual information in user information 414A.
  • The transmission unit 65 transmits the change information indicating the change contents of the user information 414A to the user authentication unit 51 via the control line (S105).
  • The user authentication unit 51 receives the change information and updates the user information 52 based on the change information.
  • The change content is additional information when the determination unit 61 determines that individual information or authority information has been added, and is deletion information when it determines that individual information has been deleted.
  • the determination unit 61 determines whether the authority information has been deleted based on the user information save file 415A and the user information 414A (S106).
  • The determination unit 61 compares the user accounts of the individual information of the user information 414A (hereinafter referred to as user account C) with user account B. Based on this comparison, the determination unit 61 determines whether user account B contains a user account that is not associated with authority information in user account C. When user account B contains such a user account, the determination unit 61 determines that the authority information of that user account has been deleted. When user account B contains no user account that lacks associated authority information in user account C, the determination unit 61 determines that the authority information has not been deleted.
  • the transmission unit 65 transmits the change information indicating the change contents of the user information 414A to the user authentication unit 51 via the control line (S107).
  • The user authentication unit 51 receives the change information and updates the user information 52 based on the change information.
  • the change content is authority deletion information.
  • the execution unit 63 updates the user information save file 415A based on the change information (S108).
  • the determination unit 61 determines whether or not the OS 411A has a user information change notification function (S109).
  • the change detection unit 64 waits for a user information change notification notified from the OS 411A (S110).
  • As the function for waiting for a user information change notification, it is desirable to use the inotify function, which monitors events in the file system, when the OS is Linux (registered trademark).
  • If it is determined in step S102 that there is no user information save file 415A (S102, NO), the reading unit 62 reads the user information 414A (S111). After reading, the execution unit 63 generates the user information save file 415A based on the user information 414A (S112). After the generation, the transmission unit 65 transmits additional information including the user account associated with the authority information in the user information 414A, the authority information, and the like to the user authentication unit 51 based on the user information 414A (S113). The user authentication unit 51 receives the additional information and updates the user information 52 based on the additional information. After the transmission, the process of determining whether or not there is a user information change notification function is performed in step S109.
  • When it is determined in step S104 that there is no increase or decrease of users who can log in to the system control device 5 and no authority information has been added (S104, NO), the process of determining whether or not the authority information has been deleted is performed in step S106. If it is determined in step S106 that the authority information has not been deleted (S106, NO), the process of updating the user information save file 415A based on the change information is performed in step S108. If there is no change information in step S108, the execution unit 63 does not update the user information save file 415A.
  • the change detection unit 64 monitors the user information 414A and polls until there is a change (S114).
  • the change detection unit 64 periodically reads the user information 414A and detects a change.
  • the change detection unit 64 stores the user information 414A in the memory 122 when read, and compares the user information 414A with the user information 414A read after a certain time. After the comparison, the change detection unit 64 stores the current user information 414A in the memory 122 and repeats this. Further, the change detection unit 64 may detect a command for changing the user information 414A.
  • the process returns to step S102 to determine whether or not the user information save file 415A exists.
  • FIG. 10 is a flowchart showing the operation of the user authentication unit 51 of the system control apparatus 5 according to the embodiment.
  • The determination unit 71 determines whether or not the transmission / reception unit 72 has received input information from the user 82 (S201). When input information has been received (S201, YES), the user authentication process described later is executed (S202). The process then returns to step S201, and the process of determining whether or not input information from the user 82 has been received is performed again.
  • The determination unit 71 determines whether the transmission / reception unit 72 has received the change information from the monitoring agent unit 413 (S203). When it is determined that the change information has been received (S203, YES), the execution unit 73 updates the user information 52 based on the received change information. For example, if the change information is additional information, the execution unit 73 writes the user account and authority information indicated in the additional information to the user information 52. If the change content is deletion information, the execution unit 73 deletes from the user information 52 the individual information corresponding to the user account indicated in the deletion information. Note that the validity / invalidity information of the user account may be invalidated.
  • the execution unit 73 deletes the authority information of the user account in the user information 52 corresponding to the user account indicated in the authority deletion information.
  • The execution unit 73 determines that the additional information is an addition of authority information, and writes the user account and authority information indicated in the additional information to the user information 52. In this case, the authority information is written without changing the user account.
  • After the update, the process returns to step S201, and the process of determining whether or not input information from the user 82 has been received is performed again. If it is determined that the change information has not been received (S203, NO), the process returns to step S201, and the process of determining whether or not input information from the user 82 has been received is performed again.
  • FIG. 11 is a flowchart showing an operation of user authentication processing in the user authentication unit 51 of the system control apparatus 5 according to the embodiment.
  • The determination unit 71 determines whether or not the user account indicated in the input information is in the user information 52 (S301).
  • The determination unit 71 determines whether or not the user 82 is a user belonging to a partition (S302). Specifically, the determination unit 71 determines this based on whether or not the individual information in the user information 52 whose user account corresponds to the user account of the input information has a partition number.
  • The determination unit 71 determines whether or not the OS of the partition to which the user 82 belongs is operating (S303).
  • the partition to which the user 82 belongs is the partition 41A. This determination is made by the determination unit 71 using a function of monitoring hardware resources that construct each partition of the system control device 5. Note that the state of hardware resources for constructing each partition and the operating state of the OS of each partition may be stored in the memory 112 in advance, and the determination unit 71 may read this and make a determination.
  • The transmission / reception unit 72 transmits an authentication request to the user authentication unit 412A of the partition 41A using the user account and password of the received input information (S304).
  • the determination unit 71 determines whether or not the user account and password indicated in the authentication request have been authenticated (S305). This determination is based on a determination by the user authentication unit 412A as to whether or not the user information and password indicated in the authentication request are in the user information 414A. Specifically, the user authentication unit 412A determines whether or not the user information 414A matches the user account and password indicated in the received authentication request. After the determination, the user authentication unit 412A transmits the determination result to the user authentication unit 51. Here, when it is determined that the user account and the password match, the determination result indicates authentication of the user account and password indicated in the authentication request. On the other hand, when it is determined that the user account and the password do not match, the determination result indicates that the user account and password indicated in the authentication request cannot be authenticated. The transmission / reception unit 72 receives the determination result transmitted from the user authentication unit 412A.
  • The execution unit 73 writes the password of the input information to the HDD 14 in association with the user account in the user information 52 that matches the user account of the input information (S306), and the user information 52 is thereby updated. After the writing, the transmission / reception unit 72 notifies the user 82 of login permission (S307). After the notification, the process returns to step S201, and the process of determining whether or not input information from the user 82 has been received is performed again.
  • When it is determined in step S302 that the user 82 is not a user belonging to a partition (S302, NO), the determination unit 71 determines whether or not a password has already been set in the user information 52 (S308). When it is determined that the password is already set in the user information 52 (S308, YES), the determination unit 71 compares the password of the input information with the password of the user account in the user information 52 corresponding to the user account of the input information, and determines whether or not the passwords match (S309). If it is determined that the passwords match (S309, YES), the process of notifying the user 82 of login permission is performed in step S307.
  • When it is determined in step S308 that the password is not set in the user information 52 (S308, NO), the transmission / reception unit 72 notifies the user 82 of rejection of login (S310). After the notification, the process returns to step S201, and the process of determining whether or not input information from the user 82 has been received is performed again.
  • When it is determined in step S301 that the user account indicated in the input information is not in the user information 52 (S301, NO), the process of notifying the user 82 of login rejection is performed in step S310.
  • If it is determined in step S305 that the determination result indicates that the user account and password indicated in the authentication request cannot be authenticated (S305, NO), the process of notifying the user 82 of login rejection is performed in step S310. If it is determined in step S309 that the passwords do not match (S309, NO), the process of notifying the user 82 of login rejection is likewise performed in step S310.
  • After the process of determining in step S301 whether or not the user account indicated in the input information is in the user information 52, the execution unit 73 notifies the user 82 to input the password. After the notification, the determination unit 71 determines whether or not a password has been input within a specified time. When the password is input, the process of determining in step S302 whether or not the user 82 is a user belonging to a partition is executed.
  • the user information save files 415A to 415N have been described as having user accounts of a plurality of users having the authority to access their own partitions, but may include all the user information 414A to 414N information.
  • The user information 52 has been described as information indicating a plurality of users having access authority to the system control apparatus 5, but may include information on users who do not have access authority to the system control apparatus 5.
  • An authentication server is built outside the server 1 or in one partition in the server 1, and a user authentication function that the partitions 41A to 41N and the system control device 5 can support and that accesses the authentication server using, for example, LDAP (Lightweight Directory Access Protocol) (hereinafter referred to as an extended user authentication function) is additionally constructed. By constructing the extended user authentication function and the authentication server, the user information 414A to 414N of the partitions 41A to 41N and the user information 52 of the system control device 5 are synchronized.
  • FIG. 12 is a diagram for explaining a server to which the technology disclosed in this specification is not applied.
  • the server 8 has monitoring agent units 82A to 82N instead of the monitoring agent unit 413 in the partitions 41A to 41N, respectively.
  • the server 8 includes extended user authentication units 83A to 83N having an extended user authentication function in each of the partitions 41A to 41N.
  • the system control device 84 includes a user authentication unit 85 instead of the user authentication unit 51 and an extended user authentication unit 86 having an extended user authentication function that can be selected by setting.
  • the authentication server 87 is constructed on the network.
  • the authentication server 87 is connected to hardware resources and the system control device 84 that construct the partitions 41A to 41N via the network.
  • the authentication server 87 has user information 871 in which user information 414A to 414N and user information 52 are associated with each other.
  • the monitoring agents 82A to 82N acquire the usage status of the hardware resources that construct the partitions 41A to 41N, and notify the usage status to the system control device 84 via the control line connected to the system control device 84.
  • the user authentication unit 85 performs a user authentication process for determining whether or not the user can be authenticated based on a user account and a password input by the user.
  • Extended user authentication units 83A to 83N access user information of a partition to which the extended user authentication unit 83A to 83N belongs.
  • the extended user authentication unit 86 accesses the user information 52 of the system control device 84.
  • the authentication server 87 synchronizes the user information 414A to 414N and the user information 52 via the extended user authentication units 83A to 83N and the extended user authentication unit 86.
  • the user information 414A to 414N and the user information 52 can be easily changed.
  • the user information 414A to 414N, the user information 52, and the like can be obtained using the user authentication units 412A to 412N having the standard user authentication function of each OS without additionally constructing the authentication server 87 and the extended user authentication units 83A to 83N and 86.
  • information on users who can log in to the partition 41A and the system control apparatus 5 can be shared by the partition 41A and the system control apparatus 5.
  • the administrator 81 can add or delete a user to or from the system control apparatus 5 only with the effort of adding or deleting a user to or from the partition 41A.
  • When synchronizing the user information 414A to 414N and the user information 52, the monitoring agent 413 synchronizes the user account and authority information, which are rarely updated, by data transmission, but does not synchronize the password by data transmission.
  • The user authentication units 412A to 412N use the input information from the user 82 to determine authentication, and if the password is authenticated, the password of the input information is written to the user information 52, which is thereby updated. This makes it possible to reduce the number of data transmissions and the amount of data transmitted from the partitions 41A to 41N to the system control apparatus 5. Furthermore, since the system controller 5 does not access the partitions 41A to 41N except for the partition status check and the authentication request, the influence on the security of the partitions 41A to 41N can be reduced.
  • The user 82 and the like require a large amount of setting work to additionally construct the extended user authentication units 83A to 83N, and the setting work may become complicated when the number of partitions increases.
  • Since it is not necessary for the user 82 or the like to additionally construct the extended user authentication units 83A to 83N, the setting work does not require great effort, and the setting work can be kept easy even when the number of partitions increases.
  • the extended user authentication function of the extended user authentication units 83A to 83N is limited to the extended user authentication function that can be supported by the system control device 84. Therefore, if the extended user authentication functions of the extended user authentication units 83A to 83N in the partition requested by the user 82 or the like are different for each partition, the authentication server may not be unified into one server or may not be used. However, according to the embodiment, since the extended user authentication units 83A to 83N and the authentication server 87 are not used, this possibility does not exist.
  • The user information of the SE cannot be synchronized between the partitions 41A to 41N and the system control device 84 due to the requirements for construction of the partitions 41A to 41N. Further, for security reasons such as prohibiting devices outside the partitions 41A to 41N from updating information in the partitions 41A to 41N, there is a possibility that the user information of the SE cannot be synchronized between the partitions 41A to 41N and the system controller 84.
  • According to the embodiment, since only one-way data transmission from the monitoring agent unit 413 to the user authentication unit 51 is performed, the user information 414A to 414N is not operated on from the outside. Therefore, the user information can be synchronized between the partitions 41A to 41N and the system control apparatus 5 without being affected by the security restrictions of the partitions 41A to 41N.
  • the user information 414A to 414N and the user information 52 are not synchronized, but an authentication server is constructed on the partition, and only the user authentication function of the authentication server is used to log in to the partition and the system control device.
  • the authentication server is stopped. Therefore, the user 82 cannot operate the system control device and cannot power on the partition. Therefore, a special user who can operate the system control device is always registered in the system control device.
  • information on users who can log in to the partition 41A and the system control apparatus 5 is shared by the partition 41A and the system control apparatus 5 without using an authentication server.
  • FIG. 13 is a diagram illustrating an example of a server to which the present invention is applied.
  • a server 901 illustrated in FIG. 13 includes a main body 902 that includes a CPU, a disk drive, and the like, and a communication device 903 that accesses an external database and downloads programs and the like stored in another computer system.
  • the communication device 903 may be a network communication card, a modem, or the like.
  • a program for executing the above steps in the server 901 constituting the server 1 can be provided as a control program.
  • the server 901 constituting the server 1 can execute the program.
  • Each program for executing the above steps is stored in a portable recording medium such as a disk 910 or downloaded from a recording medium 920 of another server or computer system by the communication device 903.
  • a control program (control software) that causes the server 901 to have at least a control function is input to the server 901 and compiled.
  • This program causes the server 901 to operate as the server 1 having a control function.
  • these programs may be stored in a computer-readable recording medium such as a disk 910, for example.
  • The recording medium that can be read by the server 901 includes an internal storage device such as a ROM and a RAM; a portable storage medium such as a disk 910, a flexible disk, a DVD disk, a magneto-optical disk, and an IC card; a database holding a computer program; another server or computer system and its database; and various recording media accessible by a server or computer system connected via communication means such as the communication device 903.
  • The first processing device, the one first processing device, and the third processing device are, for example, partitions 41A to 41N, and the second processing device and the system control device are, for example, the system control device 5.
  • the information processing apparatus is, for example, the server 1 or the partitions 41A to 41N.
  • the first storage unit and the second storage unit are, for example, the HDD 14.
  • the first user information and the second user information are, for example, user information 414A to 414N, and the third user information is, for example, the user information 52.
  • the fourth user information is, for example, input information.
  • the fifth user information is, for example, authority information.
  • the sixth user information is, for example, user information save files 415A to 415N, and the determination information is, for example, a determination result.
  • the first determination unit, the fourth determination unit, the second reception unit, and the third transmission unit are, for example, user authentication units 412A to 412N.
  • the second update unit is, for example, the execution unit 63.
  • the first transmission unit is, for example, the transmission unit 65.
  • the detection unit is, for example, the change detection unit 64.
  • the second determination unit, the third determination unit, and the permission unit are, for example, the determination unit 71, and the first reception unit, the third reception unit, and the second transmission unit are, for example, the transmission / reception unit 72.
  • the first updating unit and writing unit are, for example, the execution unit 73.
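
The comparison steps of FIG. 9 (S104 to S108) and the update on the system control device in FIG. 10 (S203), written out as an added Python example; it is not code from the patent. The dictionary layouts standing in for user information 414A, the save file 415A and user information 52, the `Change` record, the handling of a changed authority value, and the partition-scoping check in `apply_changes` are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Change:
    """One item of change information; it has no password field by design."""
    kind: str                        # "add" | "delete" | "authority_delete"
    account: str
    authority: Optional[str] = None


def diff_user_info(user_info, save_file):
    """Agent side (S104, S106): compare user information 414A with save file 415A.

    user_info: {account: {"authority": str or None, ...}}   stands in for 414A
    save_file: {account: authority}                          stands in for 415A
    Both layouts are assumptions; the page does not give the file formats.
    """
    # "User account A": accounts in 414A that carry authority information.
    acct_a = {a: r["authority"] for a, r in user_info.items() if r.get("authority")}
    changes = []
    # S104: in A but not in B (the save file) -> a record or its authority was added.
    for account in sorted(acct_a.keys() - save_file.keys()):
        changes.append(Change("add", account, acct_a[account]))
    # Assumption beyond the page: a changed authority value is re-sent as an add,
    # which the controller applies as an overwrite of the authority only.
    for account in sorted(acct_a.keys() & save_file.keys()):
        if acct_a[account] != save_file[account]:
            changes.append(Change("add", account, acct_a[account]))
    # S104: in B but gone from 414A altogether -> the individual information was deleted.
    for account in sorted(save_file.keys() - user_info.keys()):
        changes.append(Change("delete", account))
    # S106: in B and still in 414A ("user account C") but without authority.
    for account in sorted(save_file.keys() & user_info.keys()):
        if not user_info[account].get("authority"):
            changes.append(Change("authority_delete", account))
    return changes


def update_save_file(save_file, changes):
    """S108: return the save file 415A brought up to date with the sent changes."""
    updated = dict(save_file)
    for c in changes:
        if c.kind == "add":
            updated[c.account] = c.authority
        else:
            updated.pop(c.account, None)
    return updated


def apply_changes(controller_info, changes, partition):
    """Controller side (S203): update user information 52; return rejected changes.

    Added hardening, not stated on the page: a change is applied only to records
    tagged with the sending partition, so one partition's agent cannot alter
    controller-local accounts or another partition's accounts.
    """
    rejected = []
    for c in changes:
        rec = controller_info.get(c.account)
        if rec is not None and rec["partition"] != partition:
            rejected.append(c)
        elif c.kind == "add" and rec is None:
            controller_info[c.account] = {
                "authority": c.authority, "partition": partition, "password": None}
        elif c.kind == "add":
            rec["authority"] = c.authority      # account and stored password untouched
        elif c.kind == "delete":
            controller_info.pop(c.account, None)
        elif c.kind == "authority_delete" and rec is not None:
            rec["authority"] = None
    return rejected


def demo():
    """Run one synchronization round on constructed sample data."""
    save_file = {"alice": "admin", "bob": "operator", "carol": "operator"}
    user_info = {                                   # carol was removed from the OS
        "alice": {"authority": "admin", "password": "not-synced"},
        "bob": {"authority": None, "password": "not-synced"},         # authority removed
        "dave": {"authority": "operator", "password": "not-synced"},  # new user
        "erin": {"authority": None, "password": "not-synced"},        # no authority: ignored
    }
    controller_info = {
        "alice": {"authority": "admin", "partition": "41A", "password": "stored"},
        "bob": {"authority": "operator", "partition": "41A", "password": "stored"},
        "carol": {"authority": "operator", "partition": "41A", "password": None},
        "svpadmin": {"authority": "admin", "partition": None, "password": "local"},
    }
    changes = diff_user_info(user_info, save_file)
    rejected = apply_changes(controller_info, changes, "41A")
    return changes, rejected, update_save_file(save_file, changes), controller_info, user_info


if __name__ == "__main__":
    for item in demo()[0]:
        print(item)
```

Running the comparison a second time against the updated save file yields no changes, which is what keeps the agent from re-sending the same change information after S108.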
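
The decision flow of FIG. 11 (S301 to S310) as an added Python example, not code from the patent. Assumptions: the callables `partition_running` and `partition_auth` stand in for S303 and S304/S305; a stopped partition OS falls through to the stored-password check (the text above states that path only for S302, NO); and where the page writes the password itself to the user information 52, this example stores a salted PBKDF2 verifier instead.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # example value, not from the page


def make_verifier(password):
    """Return (salt, digest) to store in place of the clear-text password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_verifier(stored, password):
    """Constant-time comparison of a candidate password against (salt, digest)."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)


def authenticate(controller_info, account, password, partition_running, partition_auth):
    """Return (permitted, reason) for one login attempt at the system control device."""
    rec = controller_info.get(account)
    if rec is None:                                          # S301 NO -> S310
        return False, "reject:unknown-account"
    partition = rec.get("partition")                         # S302: has a partition number?
    if partition is not None and partition_running(partition):   # S303
        if partition_auth(partition, account, password):     # S304, S305
            rec["password"] = make_verifier(password)        # S306 (verifier, not clear text)
            return True, "permit:partition"                  # S307
        return False, "reject:partition-auth-failed"         # S305 NO -> S310
    stored = rec.get("password")                             # S308
    if stored is None:
        return False, "reject:no-stored-password"            # S308 NO -> S310
    if check_verifier(stored, password):                     # S309
        return True, "permit:stored"                         # S307
    return False, "reject:password-mismatch"                 # S309 NO -> S310


def demo():
    """Walk every branch once using constructed accounts and passwords."""
    partition_users = {"41A": {"alice": "correct horse"}}    # stands in for 414A
    running = {"41A": False}
    info = {                                                 # stands in for 52
        "alice": {"partition": "41A", "password": None},
        "svpadmin": {"partition": None, "password": make_verifier("local-secret")},
    }

    def is_running(partition):
        return running[partition]

    def partition_auth(partition, account, password):
        expected = partition_users[partition].get(account)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())

    def attempt(account, password):
        return authenticate(info, account, password, is_running, partition_auth)[1]

    trace = [attempt("alice", "correct horse")]      # partition down, nothing stored yet
    running["41A"] = True
    trace.append(attempt("alice", "wrong"))          # delegated check fails
    trace.append(attempt("alice", "correct horse"))  # delegated check passes, verifier stored
    running["41A"] = False
    trace.append(attempt("alice", "correct horse"))  # fallback to stored verifier
    trace.append(attempt("alice", "wrong"))
    trace.append(attempt("mallory", "anything"))     # not in user information 52
    trace.append(attempt("svpadmin", "local-secret"))  # controller-local account
    return trace, info


if __name__ == "__main__":
    print("\n".join(demo()[0]))
```

The stored verifier is whatever password last passed partition authentication (S306), so the S308/S309 path keeps accepting it until the next delegated login replaces it.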

Abstract

One first processor of a plurality of first processors is provided with a first storage section for storing first user information indicating a first user having access authority to the one first processor, a first determination section for determining whether or not to permit access to the one first processor by a second user when second user information indicating the second user is input, a detection section for detecting a change in the first user information within the first storage section, and a first transmission section for transmitting change information indicating the content of the change in the first user information to a second processor, and the second processor is provided with a second storage section for storing third user information indicating a third user having access authority to the second processor, a second determination section for determining whether or not to permit access to the second processor by a fourth user when fourth user information indicating the fourth user is input, a first reception section for receiving the change information transmitted from the first transmission section, and a first updating section for updating the third user information within the second storage section.

Description

Information processing apparatus, information processing apparatus control method, information processing apparatus control program, and system control apparatus control program
 The technology disclosed in this specification relates to an information processing apparatus, a control method for the information processing apparatus, a control program for the information processing apparatus, and a control program for the system control apparatus.
 A partitioning technique is known that logically divides the hardware resources of a server serving as an information processing apparatus, including computing resources such as a CPU (Central Processing Unit) serving as an arithmetic processing unit or a system board serving as a processing device, into a plurality of partitions and builds an independent OS (Operating System) environment in each partition. A server divided into a plurality of partitions in this way has a system control device, such as a service processor (SVP), that monitors and controls hardware resources. Each partition is provided with a monitoring agent that assists the function of the system control device. The monitoring agent acquires the usage status of hardware resources by the partition in which it is installed, and notifies the system control device of the usage status via a control line connected to the system control device. Based on this usage status, the system control device monitors and controls the hardware resources. The partitions and the system control device each have an independent user authentication function and manage users based on independent user information. In addition, the user needs to log in to the system control device and to the OS on the partition separately.
 JP 2004-342039 A; JP 2005-149341 A
 However, the above-described technique has the problem that the workload of the administrator who manages user information in the server increases with the number of partitions on the server and the number of users. For example, when a user is added or deleted, the administrator must change the user information in both the partition and the system control device.
 The present invention has been made to solve the above-described problem, and its object is to provide an information processing apparatus, a control method for the information processing apparatus, a control program for the information processing apparatus, and a control program for the system control apparatus that make it easy to change user information.
 The information processing apparatus comprises a plurality of first processing devices each having an arithmetic processing device, and a second processing device that controls the arithmetic processing device of each of the plurality of first processing devices. One first processing device among the plurality of first processing devices comprises: a first storage unit that stores first user information indicating a first user who has access authority to the one first processing device; a first determination unit that, when second user information indicating a second user is input, determines, based on the second user information and the first user information, whether or not to permit access to the one first processing device by the second user; a detection unit that detects a change in the first user information in the first storage unit; and a first transmission unit that, when a change in the first user information is detected by the detection unit, transmits change information indicating the content of the change in the first user information to the second processing device. The second processing device comprises: a second storage unit that stores third user information indicating a third user who has access authority to the second processing device; a second determination unit that, when fourth user information indicating a fourth user is input, determines, based on the fourth user information and the third user information, whether or not to permit access to the second processing device by the fourth user; a first reception unit that receives the change information transmitted from the first transmission unit; and a first update unit that updates the third user information in the second storage unit based on the change information received by the first reception unit.
 情報処理装置の制御プログラムは、演算処理装置を有する情報処理装置を制御する、情報処理装置の制御プログラムであって、第1のユーザを示す第1のユーザ情報が入力された場合、前記第1のユーザ情報と、第1の記憶部により記憶された前記情報処理装置へのアクセス権限を有する第2のユーザを示す第2のユーザ情報とに基づいて、前記第1のユーザによる前記情報処理装置へのアクセスを許可するか否かを判断するステップと、前記第1の記憶部内における前記第2のユーザ情報の変更を検出するステップと、前記第2のユーザ情報の変更が検出された場合、前記第2のユーザ情報の変更内容を示す変更情報を、前記情報処理装置が有する演算処理装置を制御するシステム制御装置へ送信するステップとを情報処理装置に実行させる。 The control program for the information processing device is a control program for the information processing device that controls the information processing device having the arithmetic processing device, and when the first user information indicating the first user is input, the first program The information processing apparatus by the first user based on the user information and the second user information indicating the second user who has the authority to access the information processing apparatus stored in the first storage unit Determining whether to permit access to the device, detecting the change of the second user information in the first storage unit, and detecting the change of the second user information, Transmitting the change information indicating the change contents of the second user information to the system control device that controls the arithmetic processing device included in the information processing device. That.
A control program for a system control device controls a system control device that controls the arithmetic processing devices of a plurality of information processing apparatuses. The program causes the system control device to execute: a step of determining, when first user information indicating a first user is input, whether to permit the first user to access the system control device, based on the first user information and on second user information that is stored in a first storage unit and indicates a second user who has access authority to the system control device; a step of receiving, from any one first processing device of the plurality of information processing apparatuses, change information indicating the content of a change to third user information of a third user who has access authority to the one first processing device, the third user information being stored in a second storage unit of the one first processing device; and a step of updating the second user information in the first storage unit based on the received change information.
According to the information processing apparatus, the control method for the information processing apparatus, the control program for the information processing apparatus, and the control program for the system control device disclosed in this application, user information can be changed easily.
Block diagram showing the hardware configuration of a server serving as an information processing apparatus according to the embodiment.
Diagram for explaining the partitions in the server and the system control device according to the embodiment.
Diagram for explaining user information in a partition.
Diagram for explaining the user information save file.
Diagram for explaining user information in the system control device.
Diagram for explaining the operation of a partition and the system control device.
Diagram showing the functional blocks of the monitoring agent unit.
Diagram showing the functional blocks of the user authentication unit of the system control device.
Flowchart showing the information synchronization processing in the monitoring agent unit according to the embodiment.
Flowchart showing the operation of the user authentication unit of the system control device according to the embodiment.
Flowchart showing the user authentication processing in the user authentication unit of the system control device according to the embodiment.
Diagram for explaining a server to which the technology disclosed in this specification is not applied.
Diagram showing an example of a server to which the present invention is applied.
Embodiments are described below with reference to the drawings.
FIG. 1 is a block diagram showing the hardware configuration of a server serving as an information processing apparatus according to the embodiment. The server 1 includes an SVP 11, SBs (system boards) 12A to 12N, IOBs (I/O boards) 13A to 13B, and an HDD (hard disk drive) 14. The SVP 11 is connected to the SBs 12A to 12N and the HDD 14 via control lines. User information and other data, described later, are transmitted to the SVP 11 from the SBs 12A to 12N via the control lines. The SVP 11 is connected to a console 2, which is a terminal device outside the server 1, and to a network. The SBs 12A to 12N and the IOBs 13A to 13N are connected via a bus, and the IOBs 13A to 13N are connected to the network.
According to user definitions, the server 1 logically divides the SBs 12A to 12N, the IOBs 13A to 13N, and the HDD 14 into a plurality of partitions and builds an independent OS environment in each. For example, the server 1 builds a partition in which the SBs 12A to 12B, the IOBs 13A to 13C, and the HDD 14 work together and are operated under one OS. The user sets, as appropriate, the number of partitions and how many SBs and IOBs are used to build each partition.
The SVP 11 implements a system control device that controls and monitors hardware resources such as the SBs 12A to 12N. The SVP 11 has a CPU 111 and a memory 112. The SVP 11 acquires input information, such as a user account and a password, that a user enters at the console 2. The SVP 11 also acquires, via the network, input information that a user enters at an external terminal device.
Each of the SBs 12A to 12N has a CPU 121 and a memory 122. Input information and the like are input to the IOBs 13A to 13N from the network. The SBs 12A to 12N acquire the input information and the like from the IOBs 13A to 13N via the bus. The HDD 14 stores the plurality of OSs run on the partitions, user information, and the like.
FIG. 2 is a diagram for explaining the partitions in the server 1 and the system control device according to the embodiment. The partition 41A has an OS 411A, a user authentication unit 412A and a monitoring agent unit 413 that run on the OS 411A, user information 414A used for user authentication, and a user information save file 415A. It is desirable that the OS 411A have a user information change notification function that, when the user information 414A is changed, sends the monitoring agent unit 413 a user information change notification indicating the change. The OS 411A is, for example, Linux (registered trademark), which has the inotify function for monitoring file system events. The partitions 41B to 41N have the same configuration as the partition 41A, but the SBs 12A to 12N and IOBs 13A to 13N that make up each partition differ. In this embodiment each partition is built from different SBs and IOBs, but one partition may be built from a plurality of SBs and IOBs, and a plurality of partitions may be built from the same SB and IOB.
In the embodiment, the OSs 411A to 411N, the user authentication units 412A to 412N, the user information save files 415A to 415N, and the user information 414A to 414N are assumed to differ from one another. They may, however, all be identical, or be identical in only some of the partitions.
The user authentication units 412A to 412N are implemented by the CPU 121 and the memory 122 working together, and have the user authentication function that each of the OSs 411A to 411N supports as standard. The user authentication units 412A to 412N accept operations such as a user's login (access) to a partition from a terminal device connected to the network or to the hardware making up the partition, and perform user authentication processing that determines whether the user may log in. For example, suppose a user logs in to (accesses) the partition 41A. In this case, the user authentication unit 412A uses the user authentication function to perform user authentication processing based on the input information entered by the user and the user information 414A.
The user may access the user authentication units 412A to 412N by any method. The user can select and set the method in advance, and communication other than over the network may be selected as long as the user can access the user authentication units 412A to 412N.
The monitoring agent unit 413 is implemented by the CPU 121 working together with a program stored in the memory 122. It acquires the usage status of the hardware resources making up the partitions 41A to 41N and reports that status to the system control device 5 via the control line connected to the system control device 5. The monitoring agent unit 413 also transmits data such as the user information 414A to the system control device 5 via the control line, and it generates and updates the user information save file 415A.
The system control device 5 is implemented by the SVP 11 and has a user authentication unit 51 and user information 52 used for user authentication. The user authentication unit 51 is implemented by the CPU 111 working together with a program stored in the memory 112. When a user logs in to the system control device 5, the user authentication unit 51 performs user authentication processing that determines, based on the input information entered by the user and the user information 52, whether the user can be authenticated. The user authentication unit 51 also issues an authentication request, described later, to the user authentication units 412A to 412N using the user account and password of the user logging in to the system control device 5. The user authentication unit 51 accesses the user authentication units 412A to 412N via the network.
Next, the user information 414A is described as an example of the user information 414A to 414N. FIG. 3 is a diagram for explaining the user information 414A in the partition 41A. The user information 414A is information indicating a plurality of users who have access authority to the partition 41A. The user information 414A holds individual information used for user authentication and the like of those users. The individual information includes valid/invalid information indicating whether the individual information is valid, the user account used to log in to the partition 41A, and user detailed information. The user detailed information includes authority information indicating user authority to log in to the system control device 5, the password used to log in to the partition 41A, and attached information. Examples of the attached information include the user's name, telephone number, and the expiration date until which the user can log in to the partition. The format of the user information 414A to 414N differs depending on the type of OS, the user authentication unit, and so on of the partitions 41A to 41N.
Next, the user information save file 415A is described as an example of the user information save files 415A to 415N. FIG. 4 is a diagram for explaining the user information save file 415A. The user information save file 415A holds the user accounts of a plurality of users who have access authority to the partition 41A. Specifically, it holds only those user accounts in the user information 414A with which authority information is associated. Like the user information save file 415A, the user information save files 415B to 415N hold the user accounts, among the users who can log in to the partition, with which authority information is associated. It is desirable that the user information save files 415A to 415N be set so that users cannot modify them.
In the embodiment, the user information 414A to 414N and the user information save files 415A to 415N are assumed to be stored in the storage areas of the HDD 14 that make up the respective partitions. The individual information in the user information 414A to 414N and the contents of the user information save files 415A to 415N are assumed to differ from one another. The user information 414A to 414N and the user information save files 415A to 415N may instead be stored in the memory 122.
Next, the user information 52 is described. FIG. 5 is a diagram for explaining the user information 52 in the system control device 5. The user information 52 is information indicating a plurality of users who have access authority to the system control device 5. The user information 52 holds individual information used for user authentication and the like of those users. The individual information is information indicating a user account, and includes valid/invalid information, a partition number, which is an identifier indicating the partition to which the user of that individual information belongs, the user account used to log in to the system control device 5, and user detailed information. The user detailed information includes authority information, the password used to log in to the system control device 5, and attached information. The attached information includes, for example, the user's name, telephone number, and the expiration date until which the user can log in to the system control device 5.
When a user does not belong to any of the partitions 41A to 41N, the partition number is set to "0", which indicates that the user does not belong to a partition. Alternatively, when a user does not belong to any of the partitions 41A to 41N, the partition number need not be added to the individual information. In the embodiment, for a user with whom authority information is associated, the user account and password used to log in to the partition 41A are the same as the user account and password used to log in to the system control device 5. The user information 52 is assumed to be stored in the HDD 14. The user information 52 may instead be stored in the memory 112.
Next, the operation of the partitions 41A to 41N and the system control device 5 is described briefly with reference to FIG. 6. First, the operation of the partition 41A and the system control device 5 when a user logs in to the system control device 5 is described.
FIG. 6 is a diagram for explaining the operation of the partition 41A and the system control device 5. In this figure, the administrator 81 is assumed to have the authority to install the OS 411, the monitoring agent unit 413, and the like on the partition 41A and to add and delete user information. The user 82 is assumed to have access authority to log in to the partition 41A or the system control device 5.
When the user 82 accesses the system control device 5, the user authentication processing performed by the user authentication unit 51 differs depending on the state of the partition 41A to which the user 82 belongs. The partition 41A can be in one of the following three states. (1) The partition 41A is stopped, and the OS 411A and the monitoring agent unit 413 are not installed. (2) The partition 41A is stopped, and the OS 411A and the monitoring agent unit 413 are already installed. (3) The partition 41A is in operation. The stopped state is the state in which the SBs 12A to 12N and IOBs 13A to 13N making up the partition are stopped. State (1) is described first. In state (1), the user 82 does not yet have a user account on the partition 41A or the system control device 5.
When the administrator 81 installs the OS 411A and the monitoring agent unit 413 on the partition 41A, the monitoring agent unit 413 reads the user information 414A. The user information 414A is generated by the administrator 81 at installation time. Alternatively, the user information 414A may be stored in advance in the storage area of the HDD 14 that makes up the partition 41A. After reading it, the monitoring agent unit 413 generates the user information save file 415A based on the user information 414A it has read. After generating the file, the monitoring agent unit 413 transmits part of the user information 414A, such as user accounts and authority information, to the user authentication unit 51. The user authentication unit 51 updates the user information 52 based on the received part of the user information 414A and on the partition number of the partition 41A to which the transmitting monitoring agent unit 413 belongs.
After the update, when there is access from the user 82, that is, when input information is entered, the user authentication unit 51 searches the user information 52. After the search, it checks whether the partition 41A with the partition number corresponding to the user account in the input information is in operation. If that partition 41A is in operation, the user authentication unit 51 uses the user account and password in the input information to send an authentication request to the user authentication unit 412A via the network or the control line. The authentication request carries the user account and password from the input information. In response to the authentication request from the user authentication unit 51, the user authentication unit 412A searches the user information 414A and, if the user account and password given in the authentication request are in the user information 414A, authenticates the user account and password. After the authentication, the user authentication unit 51 permits the user 82 to log in to the system control device 5 and writes the password entered by the user 82 into the user information 52.
Apart from the user authentication processing described above, the administrator 81 may additionally register user information for the user 82, such as the user account, authority information, and password, directly in the system control device 5. In this case, the user authentication unit 51 searches the user information 52 based on the input information from the user 82 and determines whether login is permitted.
Next, state (2) is described. When input information is entered by the user 82, the user authentication unit 51 searches the user information 52. After the search, it checks whether the partition 41A with the partition number corresponding to the user account in the input information is in operation. If that partition 41A is not in operation, the user authentication unit 51 acquires the password from the user information 52, retrieves the password from the input information, and compares that password with the password in the user information 52. If the password entered by the user 82 matches the password in the user information 52, the user authentication unit 51 authenticates the user 82 and permits the user 82 to log in.
Next, state (3) is described. When input information is entered by the user 82, the user authentication unit 51 searches the user information 52. After the search, it determines whether the partition 41A with the partition number corresponding to the user account in the input information is in operation. If that partition 41A is in operation, the user authentication unit 51 uses the user account and password in the input information to send an authentication request to the user authentication unit 412A via the network. In response to the authentication request from the user authentication unit 51, the user authentication unit 412A searches the user information 414A and, if the user account and password given in the authentication request are in the user information 414A, authenticates the user account and password. After the authentication, the user authentication unit 51 permits the user 82 to log in to the system control device 5 and writes the password entered by the user 82 into the user information 52.
Next, the synchronization processing by which the monitoring agent unit 413 and the user authentication unit 51 synchronize the user information 414A and the user information 52 when the user information 414A of the partition 41A is changed is described. The administrator 81 or the user 82 can change the user information 414A in the following three ways. (1) Addition of individual information. (2) Deletion of individual information. (3) Change of user detailed information. First, (1) addition of individual information is described.
The monitoring agent unit 413 monitors whether the user information 414A has been changed. When the administrator 81 logs in to the partition 41A and changes the user information, the monitoring agent unit 413 determines that the user information 414A has been changed. Here, the change to the user information is the addition of individual information for the user 82. An administrator authority that allows individual information to be added, deleted, and so on is set on the partition 41A, and the administrator 81 makes the settings with this administrator authority. When the monitoring agent unit 413 determines that the change is an addition of individual information, it transmits addition information containing the user account and authority information of the user 82 to the user authentication unit 51 via the control line and updates the user information save file 415A. On receiving the addition information, the user authentication unit 51 adds the user account and authority information given in the addition information to the user information 52.
Once the addition of individual information to the partition 41A, such as password registration, is complete and the user information 52 has been updated, the user 82 can log in to the system control device 5. Because the addition of individual information to the partition 41A, such as password registration, is complete, the user 82 can also log in to the partition 41A. Login to the system control device 5 is processed in the same way as in partition state (3) above, in which the partition is in operation, so its description is omitted. After the addition of individual information is complete, the monitoring agent unit 413 or the user authentication unit 51 may notify the administrator 81 that the addition has been completed.
Next, of the changes to the user information 414A, (2) deletion of individual information is described. The administrator 81 logs in to the partition 41A and deletes the individual information of the user 82. The monitoring agent unit 413 then determines that the user information 414A has been changed. When the monitoring agent unit 413 determines that the change is a deletion of individual information, it transmits deletion information containing the user account and authority information from the deleted individual information of the user 82 to the user authentication unit 51 via the control line and updates the user information save file 415A. On receiving the deletion information, the user authentication unit 51 deletes that individual information from the user information 52. If the user 82 then tries to log in to the partition 41A or the system control device 5, the user authentication unit 412A and the user authentication unit 51 each find no individual information when they search their user information, so login is refused.
Next, of the changes to the user information 414A, (3) change of user detailed information is described. Changes to user detailed information include changes to authority information and changes to the password. The change of authority information is described first. A change of authority information means the addition or deletion of authority information.
The administrator 81 logs in to the partition 41A and changes the authority information of the user 82. The monitoring agent unit 413 then determines that the user information 414A has been changed. When the monitoring agent unit 413 determines that the change is an addition of authority information, it transmits addition information containing the user account and authority information of the user 82 to the user authentication unit 51 via the control line and updates the user information save file 415A. The processing by the user authentication unit 51 on receiving the addition information is the same as for (1) addition of individual information among the changes to the user information 414A described above, so its description is omitted. When, on the other hand, the monitoring agent unit 413 determines that the change is a deletion of authority information, it transmits authority deletion information containing the user account of the user 82 and the authority information to be deleted to the user authentication unit 51 via the control line and updates the user information save file 415A. On receiving the authority deletion information, the user authentication unit 51 deletes the authority information of that user account from the user information 52. The changed authority information in the user information 52 takes effect from the next login to the system control device 5.
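The synchronization of additions, deletions, and authority deletions described above can be sketched as follows. This is an added example, not code from the specification: the function names, message fields, and dictionary layouts are hypothetical, the save file is modelled as account-to-authority so that deletion messages can carry the authority information, and the refusal of changes to entries owned by another partition is a check added by this example.

```python
from typing import Dict, List, Optional

# Hypothetical in-memory models (the specification leaves the formats open).
UserInfo414 = Dict[str, Optional[str]]  # account -> authority information, None = none
SaveFile415 = Dict[str, str]            # only accounts that have authority information


def detect_changes(saved: SaveFile415, current: UserInfo414) -> List[dict]:
    """Monitoring agent side: classify what changed since the save file was written."""
    changes: List[dict] = []
    for account in sorted(current):
        authority = current[account]
        # New individual information and newly granted authority are sent the same way.
        if authority is not None and account not in saved:
            changes.append({"kind": "add", "account": account, "authority": authority})
    for account in sorted(saved):
        if account not in current:
            # The individual information itself was deleted.
            changes.append({"kind": "delete", "account": account,
                            "authority": saved[account]})
        elif current[account] is None:
            # The account remains, but its authority information was removed.
            changes.append({"kind": "authority_delete", "account": account,
                            "authority": saved[account]})
    return changes


def refresh_save_file(current: UserInfo414) -> SaveFile415:
    """Rewrite the save file so the next comparison starts from the new state."""
    return {a: p for a, p in current.items() if p is not None}


def apply_change(user_info_52: Dict[str, dict], source_partition: int,
                 change: dict) -> bool:
    """System control device side: update user information 52 from one message.

    The partition number is taken from the transmission source, never from the
    message. Returns False when the change is refused or has nothing to act on.
    """
    account = change["account"]
    entry = user_info_52.get(account)
    # Added check (assumption): a partition may only touch its own entries.
    if entry is not None and entry["partition"] != source_partition:
        return False
    if change["kind"] == "add":
        if entry is None:
            user_info_52[account] = {"partition": source_partition,
                                     "authority": change["authority"]}
        else:
            entry["authority"] = change["authority"]
        return True
    if entry is None:
        return False
    if change["kind"] == "delete":
        del user_info_52[account]
        return True
    if change["kind"] == "authority_delete":
        entry["authority"] = None
        return True
    return False


def demo():
    # Constructed sample data for partition number 1.
    saved = {"alice": "operator", "bob": "admin"}
    current = {"alice": None, "carol": "operator", "dave": None}
    user_info_52 = {
        "alice": {"partition": 1, "authority": "operator"},
        "bob": {"partition": 1, "authority": "admin"},
        "root": {"partition": 0, "authority": "admin"},  # registered directly
    }
    changes = detect_changes(saved, current)
    results = [apply_change(user_info_52, 1, c) for c in changes]
    saved = refresh_save_file(current)
    # A message arriving from partition 2 about partition 1's account is refused.
    foreign = apply_change(user_info_52, 2,
                           {"kind": "delete", "account": "carol", "authority": "operator"})
    return changes, results, saved, foreign, user_info_52


if __name__ == "__main__":
    for item in demo():
        print(item)
```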
Next, the change of the password is described. The user 82 logs in to the partition 41A and changes the password. After changing the password, the user 82 logs in to the system control device 5 with the new password. When the user 82 enters input information, the user authentication unit 51 searches the user information 52. After the search, it checks whether the partition 41A, whose partition number corresponds to the user account in the input information, is in operation. If it is in operation, the user authentication unit 51 sends an authentication request over the network to the user authentication unit 412A, using the user account and password of the input information. In response to the authentication request from the user authentication unit 51, the user authentication unit 412A searches the user information 414A and, if the user account and password indicated in the request are in the user information 414A, authenticates the user account and password. After authentication, the user authentication unit 51 permits the user 82 to log in to the system control device 5 and writes the new password from the input information into the user information 52.
Next, the functional blocks of the monitoring agent unit 413 and the user authentication unit 52 are described with reference to FIGS. 7 and 8. FIG. 7 is a diagram showing the functional blocks of the monitoring agent unit 413. The monitoring agent unit 413 has a determination unit 61, a reading unit 62, an execution unit 63, a change detection unit 64, and a transmission unit 65. The determination unit 61 determines, among other things, whether the user information save files 415A to 415N exist, what has changed in the user information 414A to 414N, and whether a user information change notification function is available. The reading unit 62 reads the user information 414A. The execution unit 63 updates and generates the user information save files 415A to 415N, among other things. The change detection unit 64 detects changes and the like in the user information 414A to 414N. The transmission unit 65 transmits change information, additional information, and the like to the user authentication unit 51.
FIG. 8 is a diagram showing the functional blocks of the user authentication unit 51 of the system control device 5. The user authentication unit 51 has a determination unit 71, a transmission/reception unit 72, and an execution unit 73. The determination unit 71 determines, among other things, whether the transmission/reception unit 72 has received input information, change information, or the like. The transmission/reception unit 72 receives input information from the user 82, change information from the monitoring agent unit 413, and the like. The transmission/reception unit 72 also transmits authentication requests and the like. The execution unit 73 compares the input information with the user information 52, updates the user information 52, and so on.
Next, the operation of the monitoring agent unit 413 and the user authentication unit 51 is described in detail with reference to FIGS. 9 and 10. FIG. 9 is a flowchart showing the information synchronization processing in the monitoring agent unit 413 according to the embodiment. The flowchart is explained using the monitoring agent unit 413 of the partition 41A as an example. The monitoring agent units 413 in the other partitions operate in the same way.
First, when the monitoring agent unit 413 is started by an operation of the administrator 81 using the console 2 or the like (S101), the determination unit 61 determines whether the user information save file 415A exists (S102). If it is determined that the user information save file 415A exists (S102, YES), the reading unit 62 reads the user information 414A (S103). After the read, the determination unit 61 determines, by comparing the user information save file 415A with the user information 414A, whether the users who can log in to the system control device 5 have increased or decreased and whether authority information has been added (S104).
Specifically, the determination unit 61 compares the user accounts that are associated with authority information among the individual information of the user information 414A (hereinafter, user account A) with the user accounts of the user information save file 415A (hereinafter, user account B). From this comparison, the determination unit 61 determines whether user account A contains a user account that is not in user account B, and whether user account B contains a user account that is not in user account A. If user account A contains a user account that is not in user account B, the determination unit 61 determines that individual information has been added to the user information 414A, or that authority information has been added to individual information of the user information 414A. If user account B contains a user account that is not in user account A, it determines that individual information of the user information 414A has been deleted. If user account A and user account B match, the determination unit 61 determines that there has been no increase or decrease of users and no addition of authority information.
If it is determined that users have increased or decreased or that authority information has been added (S104, YES), the transmission unit 65 transmits change information indicating what has changed in the user information 414A to the user authentication unit 51 via the control line (S105). The user authentication unit 52 receives the change information and updates the user information 52 based on it. Here, the change information is additional information if the determination unit 61 has determined that individual information or authority information was added, and deletion information if it has determined that individual information was deleted. After the transmission, the determination unit 61 determines, based on the user information save file 415A and the user information 414A, whether authority information has been deleted (S106).
Specifically, the determination unit 61 compares the user accounts of the individual information of the user information 414A (hereinafter, user account C) with user account B. From this comparison, the determination unit 61 determines whether user account B contains a user account that, in user account C, has no authority information associated with it. If user account B contains such a user account, the determination unit 61 determines that the authority information of that user account has been deleted. If user account B contains no such user account, the determination unit 61 determines that no authority information has been deleted.
If it is determined that authority information has been deleted (S106, YES), the transmission unit 65 transmits change information indicating what has changed in the user information 414A to the user authentication unit 51 via the control line (S107). The user authentication unit 52 receives the change information and updates the user information 52 based on it. Here, the change information is authority deletion information. After the transmission, the execution unit 63 updates the user information save file 415A based on the change information (S108).
Next, the determination unit 61 determines whether the OS 411A has a user information change notification function (S109). If it is determined that there is a user information change notification function (S109, YES), the change detection unit 64 waits for a user information change notification from the OS 411A (S110). When the OS is Linux (registered trademark), it is desirable to use inotify, which monitors events in the file system, as the function for waiting for the user information change notification. When the OS 411A delivers a user information change notification to the change detection unit 64, processing returns to step S102, where it is determined whether the user information save file 415A exists.
If it is determined in step S102 that the user information save file 415A does not exist (S102, NO), the reading unit 62 reads the user information 414A (S111). After the read, the execution unit 63 generates the user information save file 415A based on the user information 414A (S112). After the generation, the transmission unit 65 transmits to the user authentication unit 51, based on the user information 414A, additional information containing the user accounts in the user information 414A that are associated with authority information, together with that authority information and the like (S113). The user authentication unit 51 receives the additional information and updates the user information 52 based on it. After the transmission, processing continues at step S109, where it is determined whether there is a user information change notification function.
If it is determined in step S104 that the users who can log in to the system control device 5 have neither increased nor decreased and that no authority information has been added (S104, NO), processing continues at step S106, where it is determined whether authority information has been deleted. If it is determined in step S106 that no authority information has been deleted (S106, NO), processing continues at step S108, where the user information save file 415A is updated based on the change information. If there is no change information in step S108, the execution unit 63 does not update the user information save file 415A.
If it is determined in step S109 that there is no user information change notification function (S109, NO), the change detection unit 64 monitors the user information 414A and polls until a change occurs (S114). Here, the change detection unit 64 reads the user information 414A periodically and detects changes. As a detection method, for example, the change detection unit 64 stores the user information 414A in the memory 122 when it reads it, and compares that copy with the user information 414A read after a fixed interval. After the comparison, the change detection unit 64 stores the current user information 414A in the memory 122, and repeats this. The change detection unit 64 may also detect a command that changes the user information 414A. When the change detection unit 64 detects a change in the user information 414A, processing returns to step S102, where it is determined whether the user information save file 415A exists.
FIG. 10 is a flowchart showing the operation of the user authentication unit 51 of the system control device 5 according to the embodiment. First, the determination unit 71 determines whether the transmission/reception unit 72 has received input information from the user 82 (S201). If it is determined that input information has been received (S201, YES), the user authentication processing described later is executed (S202). After the user authentication processing, processing returns to step S201, where it is again determined whether input information from the user 82 has been received.
If it is determined that no input information has been received (S201, NO), the determination unit 71 determines whether the transmission/reception unit 72 has received change information from the monitoring agent unit 413 (S203). If it is determined that change information has been received (S203, YES), the execution unit 73 updates the user information 52 based on the received change information. For example, if the change information is additional information, the execution unit 73 writes the user account and authority information indicated in the additional information into the user information 52; if the change information is deletion information, it deletes from the user information 52 the individual information corresponding to the user account indicated in the deletion information. Alternatively, the valid/invalid information of the user account may be set to invalid. If the change information is authority deletion information, the execution unit 73 deletes the authority information of the user account in the user information 52 that corresponds to the user account indicated in the authority deletion information. If the user account in the additional information is already in the user information 52, the execution unit 73 determines that the additional information is an addition of authority information and writes the user account and authority information indicated in the additional information into the user information 52. In this case, the user account itself is unchanged and the authority information is written.
After the update, processing returns to step S201, where it is again determined whether input information from the user 82 has been received. If it is determined that no change information has been received (S203, NO), processing likewise returns to step S201, where it is again determined whether input information from the user 82 has been received.
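The synchronization described for FIGS. 9 and 10, from the save-file comparison (S102 to S108, S111 to S113) to the update of the user information 52 (S203), can be sketched as follows. This is an added example, not code from the specification: the `Change` record, the function names and the sample accounts are constructed, and the example assumes that an account found in the save file but no longer in user account A is reported as an authority deletion when the account still exists in the user information 414A and as a deletion otherwise.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Change:
    """One item of change information sent over the control line."""
    kind: str                        # "add", "delete" or "authority_delete"
    account: str
    authority: Optional[str] = None  # set only for "add"; no password field exists


def diff_user_info(user_info: Dict[str, Optional[str]],
                   save_file: Optional[Set[str]]) -> Tuple[List[Change], Set[str]]:
    """Agent side, S102 to S108 and S111 to S113.

    user_info: account -> authority information (None if the account has none)
    save_file: accounts recorded in save file 415A, or None if the file is absent
    Returns (change information to send, new save-file content).
    """
    account_a = {a for a, auth in user_info.items() if auth is not None}
    account_c = set(user_info)
    if save_file is None:
        # S102 NO: create the save file and send every authorised account.
        return [Change("add", a, user_info[a]) for a in sorted(account_a)], account_a

    changes: List[Change] = []
    for a in sorted(account_a - save_file):        # S104: in A but not in B
        changes.append(Change("add", a, user_info[a]))
    for a in sorted(save_file - account_a):        # in B but no longer in A
        if a in account_c:                         # S106: account kept, authority gone
            changes.append(Change("authority_delete", a))
        else:                                      # S104: individual information deleted
            changes.append(Change("delete", a))
    return changes, account_a                      # S108: save file now mirrors A


def apply_changes(user_info_52: Dict[str, dict], partition_no: str,
                  changes: List[Change]) -> None:
    """Controller side, S203: update user information 52 in place."""
    for c in changes:
        if c.kind == "add":
            record = user_info_52.setdefault(
                c.account, {"partition": partition_no, "password": None})
            record["authority"] = c.authority      # existing account: authority only
        elif c.kind == "delete":
            user_info_52.pop(c.account, None)
        elif c.kind == "authority_delete":
            if c.account in user_info_52:
                user_info_52[c.account]["authority"] = None
        else:
            raise ValueError(f"unknown change kind: {c.kind!r}")


def run_demo():
    """Two sync rounds over constructed data; returns (round1, round2, controller)."""
    controller: Dict[str, dict] = {}
    # Constructed partition-side user information 414A (account -> authority).
    before = {"alice": "admin", "bob": "operator", "carol": None}
    round1, saved = diff_user_info(before, None)          # first start, no save file
    apply_changes(controller, "41A", round1)
    # bob removed, alice loses authority, carol gains it, dave is new.
    after = {"alice": None, "carol": "operator", "dave": "admin"}
    round2, saved = diff_user_info(after, saved)
    apply_changes(controller, "41A", round2)
    assert diff_user_info(after, saved)[0] == []           # nothing left to send
    return round1, round2, controller


if __name__ == "__main__":
    for item in run_demo()[1]:
        print(item)
```

The change messages carry accounts and authority information only, so the controller-side password fields stay empty until a login succeeds.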
Next, the user authentication processing in step S202 is described. FIG. 11 is a flowchart showing the user authentication processing in the user authentication unit 51 of the system control device 5 according to the embodiment. If it is determined that input information has been received (S201, YES), the determination unit 71 determines whether the user account indicated in the input information is in the user information 52 (S301). If it is determined that the user account indicated in the input information is in the user information 52 (S301, YES), the determination unit 71 determines whether the user 82 is a user who belongs to a partition (S302). Specifically, the determination unit 71 makes this determination based on whether the individual information in the user information 52 that holds the user account corresponding to the user account of the input information contains a partition number.
If it is determined that the user 82 is a user who belongs to a partition (S302, YES), the determination unit 71 determines whether the OS of the partition to which the user 82 belongs is running (S303). For the purposes of this description, the partition to which the user 82 belongs is the partition 41A. The determination unit 71 makes this determination using the function of the system control device 5 that monitors the hardware resources making up each partition. Alternatively, the state of the hardware resources making up each partition and the operating state of the OS of each partition may be stored in the memory 112 in advance, and the determination unit 71 may read them to make the determination. If it is determined that the OS 411A is running (S303, YES), the transmission/reception unit 72 sends an authentication request to the user authentication unit 412A of the partition 41A, using the user account and password of the received input information (S304).
After the transmission, the determination unit 71 determines whether the user account and password indicated in the authentication request have been authenticated (S305). This determination is based on the determination by the user authentication unit 412A of whether the user account and password indicated in the authentication request are in the user information 414A. Specifically, the user authentication unit 412A determines whether the user information 414A contains a user account and password that match the user account and password indicated in the received authentication request. After the determination, the user authentication unit 412A sends the determination result to the user authentication unit 51. If it is determined that the user account and password match, the determination result indicates that the user account and password in the authentication request are authenticated. If it is determined that the user account and password do not match, the determination result indicates that the user account and password in the authentication request cannot be authenticated. The transmission/reception unit 72 receives the determination result sent from the user authentication unit 412A.
If it is determined that the determination result indicates authentication of the user account and password in the authentication request (S305, YES), the execution unit 73 writes the password of the input information to the HDD 14, associated with the user account in the user information 52 that matches the user account of the input information (S306), and thereby updates the user information 52. After the write, the transmission/reception unit 72 notifies the user 82 that login is permitted (S307). After the notification, processing returns to step S201, where it is again determined whether input information from the user 82 has been received.
If it is determined in step S302 that the user 82 is not a user who belongs to a partition (S302, NO), the determination unit 71 determines whether a password for the input information is already set in the user information 52 (S308). If it is determined that the password is already set in the user information 52 (S308, YES), the determination unit 71 compares the password of the input information with the password of the user account in the user information 52 that corresponds to the user account of the input information, and determines whether the passwords match (S309). If it is determined that the passwords match (S309, YES), processing continues at step S307, where the user 82 is notified that login is permitted.
If, on the other hand, it is determined in step S308 that no password is set in the user information 52 (S308, NO), the transmission/reception unit 72 notifies the user 82 that login is rejected (S310). After the notification, processing returns to step S201, where it is again determined whether input information from the user 82 has been received. If it is determined in step S301 that the user account indicated in the input information is not in the user information 52 (S301, NO), the processing of step S310, notifying the user 82 that login is rejected, is performed. If it is determined in step S305 that the determination result indicates that the user account and password in the authentication request cannot be authenticated (S305, NO), the processing of step S310, notifying the user 82 that login is rejected, is performed. If it is determined in step S309 that the passwords do not match (S309, NO), the processing of step S310, notifying the user 82 that login is rejected, is performed.
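The decision flow of FIG. 11 (S301 to S310) is sketched below as an added example, not code from the specification. Two points are assumptions of the example: a partition user whose OS is not running falls through to the stored-password check of S308 and S309, a branch the passage above does not spell out, and the controller keeps a salted PBKDF2 digest where the text only says that the password is written. All names and sample credentials are constructed.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict


def _digest(password: str, salt: bytes) -> bytes:
    # Choice of this example: keep a salted PBKDF2 digest, not the raw password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def cache_password(record: dict, password: str) -> None:
    """S306: store the credential that the partition has just accepted."""
    salt = os.urandom(16)
    record["password"] = (salt, _digest(password, salt))


def authenticate(user_info_52: Dict[str, dict], account: str, password: str,
                 os_running: Callable[[str], bool],
                 partition_auth: Callable[[str, str, str], bool]) -> bool:
    """Return True for login permitted (S307), False for login rejected (S310)."""
    record = user_info_52.get(account)
    if record is None:                                   # S301 NO
        return False
    partition = record.get("partition")
    if partition is not None and os_running(partition):  # S302 YES and S303 YES
        if not partition_auth(partition, account, password):  # S304, S305 NO
            return False
        cache_password(record, password)                 # S306
        return True
    # S302 NO, or (assumption of this example) partition OS not running.
    cached = record.get("password")
    if cached is None:                                   # S308 NO
        return False
    salt, stored = cached
    return hmac.compare_digest(stored, _digest(password, salt))  # S309


def run_scenario() -> Dict[str, bool]:
    """Constructed walk-through: password changed on the partition only."""
    partition_db = {"user82": "old-pw", "user83": "pw83"}  # stand-in for 414A
    state = {"running": True}
    users = {"user82": {"partition": "41A", "password": None},
             "user83": {"partition": "41A", "password": None},
             "local": {"partition": None, "password": None}}
    cache_password(users["local"], "local-pw")

    def os_running(_partition: str) -> bool:
        return state["running"]

    def partition_auth(_partition: str, acct: str, pw: str) -> bool:
        return hmac.compare_digest(partition_db.get(acct, ""), pw)

    def login(acct: str, pw: str) -> bool:
        return authenticate(users, acct, pw, os_running, partition_auth)

    results = {}
    partition_db["user82"] = "new-pw"             # changed on the partition, not synced
    results["new_pw_running"] = login("user82", "new-pw")
    results["old_pw_running"] = login("user82", "old-pw")
    state["running"] = False                      # partition OS stopped
    results["new_pw_stopped"] = login("user82", "new-pw")
    results["old_pw_stopped"] = login("user82", "old-pw")
    results["never_cached_stopped"] = login("user83", "pw83")
    results["local_user"] = login("local", "local-pw")
    results["unknown_account"] = login("mallory", "x")
    return results


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name}: {'permit' if allowed else 'reject'}")
```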
In the embodiment, step S201 determines whether there has been input from the user 82, but it may instead determine whether a user account has been entered. In that case, after the processing of step S301, which determines whether the user account indicated in the input information is in the user information 52, the execution unit 73 notifies the user 82 to enter a password. After the notification, the determination unit 71 determines whether a password has been entered within a specified time. If a password has been entered, the processing of step S302, which determines whether the user 82 is a user who belongs to a partition, is executed.
The user information save files 415A to 415N have been described as holding the user accounts of the users who have access authority to their own partition, but they may contain all of the information in the user information 414A to 414N. The user information 52 has been described as information indicating the users who have access authority to the system control device 5, but it may also hold information on users who do not have access authority to the system control device 5.
Next, as a comparative example, a control method for an information processing apparatus to which the technology disclosed in this specification is not applied is described. One way to synchronize the user information 414A to 414N of the partitions 41A to 41N with the user information 52 of the system control device 5 without applying the technology disclosed in this specification is as follows. An authentication server is built outside the server 1 or in one partition within the server 1, and a user authentication function that the system control device 5 can support and that accesses the authentication server using LDAP (Lightweight Directory Access Protocol) or the like (hereinafter, the extended user authentication function) is additionally built in the partitions 41A to 41N. Building the extended user authentication function and the authentication server synchronizes the user information 414A to 414N of the partitions 41A to 41N with the user information 52 of the system control device 5.
FIG. 12 is a diagram for explaining a server to which the technology disclosed in this specification is not applied. Compared with the server 1 shown in FIG. 2, the server 8 has monitoring agent units 82A to 82N in place of the monitoring agent unit 413 in each of the partitions 41A to 41N. The server 8 also has, in each of the partitions 41A to 41N, extended user authentication units 83A to 83N that provide the extended user authentication function. Compared with the server 1 shown in FIG. 2, the system control device 84 has a user authentication unit 85 in place of the user authentication unit 51, and an extended user authentication unit 86 that provides an extended user authentication function selectable by configuration.
The authentication server 87 is built on the network. It is connected over the network to the hardware resources that make up the partitions 41A to 41N and to the system control device 84. The authentication server 87 has user information 871 in which the user information 414A to 414N and the user information 52 are associated with each other.
The monitoring agents 82A to 82N obtain the usage status of the hardware resources that make up the partitions 41A to 41N and report it to the system control device 84 via the control line connected to the system control device 84. The user authentication unit 85 performs user authentication processing that determines whether a user can be authenticated, based on the user account, password, and the like entered by the user.
The extended user authentication units 83A to 83N each access the user information of the partition to which they belong. The extended user authentication unit 86 accesses the user information 52 of the system control device 84. The authentication server 87 synchronizes the user information 414A to 414N and the user information 52 through the extended user authentication units 83A to 83N and the extended user authentication unit 86.
According to the embodiment, synchronizing the user information 414A to 414N with the user information 52 makes it easier to change the user information 414A to 414N and the user information 52. The user information 414A to 414N and the user information 52 can be synchronized using the user authentication units 412A to 412N and the like, which have the standard user authentication function of each OS, without additionally building the authentication server 87 or the extended user authentication units 83A to 83N and 86. For example, information on users who can log in to both the partition 41A and the system control device 5 can be shared by the partition 41A and the system control device 5. The administrator 81 can therefore add or delete a user on the system control device 5 as well, with no more effort than adding or deleting the user on the partition 41A.
When the user information 414A to 414N and the user information 52 are synchronized, the monitoring agent 413 synchronizes the user accounts and authority information, which are rarely updated, by data transmission, but does not synchronize passwords by data transmission. A password is updated at login to the system control device 5: the user authentication units 412A to 412N decide on authentication using the input information from the user 82, and if the user is authenticated, the password in the input information is written to the user information 52. This reduces the number of data transmissions from the partitions 41A to 41N to the system control device 5 and the amount of information transmitted. Furthermore, because the system control device 5 makes no access to the partitions 41A to 41N other than partition status checks and authentication requests, the impact on the security of the partitions 41A to 41N can be reduced.
In the comparative example, when the OSs of the partitions 41A to 41N differ from one another, the configuration work in which the user 82 or the like additionally builds the extended user authentication units 83A to 83N requires considerable effort, and the configuration work may become complicated as the number of partitions increases. According to the embodiment, however, the user 82 or the like does not need to additionally build the extended user authentication units 83A to 83N, so the configuration work does not require considerable effort and remains easy even when the number of partitions increases.
In the comparative example, the extended user authentication function of the extended user authentication units 83A to 83N is limited to extended user authentication functions that the system control device 84 can support. Therefore, if the extended user authentication function of the extended user authentication units 83A to 83N in the partitions requested by the user 82 or the like differs from partition to partition, the authentication servers may not be unifiable into one server, or may not be usable. According to the embodiment, however, the extended user authentication units 83A to 83N and the authentication server 87 are not used, so this possibility does not arise.
In the comparative example, the SE's user information may not be synchronizable between the partitions 41A to 41N and the system control device 84 because of requirements on how the partitions 41A to 41N are built. The SE's user information may also not be synchronizable between the partitions 41A to 41N and the system control device 84 because of security measures such as prohibiting devices outside the partitions 41A to 41N from updating information inside the partitions 41A to 41N. According to the embodiment, however, only one-way data transmission from the monitoring agent unit 413 to the user authentication unit 51 is performed, so the user information 414A to 414N is not manipulated from outside. The user information can therefore be synchronized between the partitions 41A to 41N and the system control device 5 without being affected by the security restrictions of the partitions 41A to 41N.
In some cases, the user information 414A to 414N and the user information 52 are not synchronized; instead, an authentication server is built on a partition, and only the user authentication function of that authentication server is used to log in to the partitions and the system control device. In this case, if the user 82 powers off the hardware resources of the partition on which the authentication server is built, the authentication server stops, so the user 82 cannot operate the system control device and the partition cannot be powered on. For this reason, a special user who can operate the system control device is always registered in the system control device. According to the embodiment, however, information on users who can log in to, for example, the partition 41A and the system control device 5 is shared by the partition 41A and the system control device 5 without using an authentication server. Therefore, even when the partition 41A is stopped, such a user can log in to the system control device without being separately registered in the system control device 5. Login to the system control device 5 is thus possible regardless of whether the partition 41A is running or stopped, so a special user need not always be registered in the system control device 5.
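The flow described in the preceding paragraphs (one-way push of account and authority changes, delegated password check at login, password written to the system control device only after a successful check, and local fallback while the partition is stopped) is sketched below as an added example; it is not code from the patent. All class and function names are hypothetical, and storing a salted PBKDF2 verifier instead of the password itself is an assumption of this sketch, since the text says only that the password is written to the user information 52.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (assumption of this sketch)

def make_verifier(password):
    """Return (salt, digest); the sketch never stores the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def check(verifier, password):
    if verifier is None:            # account synced, but no password cached yet
        return False
    salt, digest = verifier
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)

class Partition:
    """Models a partition holding user information 414x and save file 415x."""
    def __init__(self, pid):
        self.pid = pid
        self.running = True
        self.users = {}     # account -> {"verifier": ..., "sc_access": bool}
        self.saved = set()  # save file: accounts last reported with SC authority

    def set_user(self, account, password, sc_access):
        self.users[account] = {"verifier": make_verifier(password),
                               "sc_access": sc_access}

    def delete_user(self, account):
        self.users.pop(account, None)

    def authenticate(self, account, password):
        user = self.users.get(account)
        return user is not None and check(user["verifier"], password)

    def detect_changes(self):
        """Monitoring agent: diff authority info against the save file."""
        current = {a for a, u in self.users.items() if u["sc_access"]}
        changes = [("add", a) for a in sorted(current - self.saved)]
        changes += [("delete", a) for a in sorted(self.saved - current)]
        self.saved = current        # the save file follows the reported state
        return changes

class SystemController:
    """Models the system control device holding user information 52."""
    def __init__(self, partitions):
        self.partitions = {p.pid: p for p in partitions}
        self.users = {}     # account -> {"pid": ..., "verifier": ...}

    def add_local_user(self, account, password):
        self.users[account] = {"pid": None, "verifier": make_verifier(password)}

    def receive_changes(self, pid, changes):
        """One-way push from the partition; no passwords travel on this path."""
        for op, account in changes:
            if op == "add":
                self.users.setdefault(account, {"pid": pid, "verifier": None})
            elif op == "delete" and self.users.get(account, {}).get("pid") == pid:
                del self.users[account]   # also drops the cached verifier

    def login(self, account, password):
        entry = self.users.get(account)
        if entry is None:
            return "denied"
        part = self.partitions.get(entry["pid"])
        if part is not None and part.running:
            # Authentication request: the partition decides.
            if not part.authenticate(account, password):
                return "denied"
            entry["verifier"] = make_verifier(password)  # refresh local copy
            return "granted-by-partition"
        # Local-only user, or partition stopped: use what is stored locally.
        return "granted-from-cache" if check(entry["verifier"], password) else "denied"

def demo():
    """Constructed scenario with sample accounts and passwords."""
    p = Partition("41A")
    sc = SystemController([p])
    p.set_user("alice", "s3cret-A", sc_access=True)
    p.set_user("bob", "s3cret-B", sc_access=False)
    sc.receive_changes(p.pid, p.detect_changes())
    out = []
    p.running = False
    out.append(sc.login("alice", "s3cret-A"))  # synced, but nothing cached yet
    p.running = True
    out.append(sc.login("alice", "s3cret-A"))  # delegated check, then cached
    out.append(sc.login("bob", "s3cret-B"))    # no authority on the controller
    p.running = False
    out.append(sc.login("alice", "s3cret-A"))  # partition stopped: local copy
    p.running = True
    p.delete_user("alice")
    sc.receive_changes(p.pid, p.detect_changes())
    p.running = False
    out.append(sc.login("alice", "s3cret-A"))  # deletion removed the cache
    return out

if __name__ == "__main__":
    print(demo())
```

The first and last results are the cases to review in such a design: an account that has never logged in through a running partition has no local password, and a cached password stays valid until a deletion or a later successful login replaces it.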
The present invention is applicable to servers such as the following. FIG. 13 is a diagram showing an example of a server to which the present invention is applied. The server 901 shown in FIG. 13 has a main body 902 containing a CPU, a disk drive and the like, and a communication device 903 that accesses an external database or the like and downloads programs and the like stored in other computer systems. The communication device 903 may be a network communication card, a modem, or the like.
A program that causes the server 901 constituting the server 1 to execute the steps described above can be provided as a control program. By storing this program in a recording medium readable by the server 901, the server 901 constituting the server 1 can be made to execute it. Each program that executes the steps described above is stored in a portable recording medium such as the disk 910, or downloaded by the communication device 903 from a recording medium 920 of another server or computer system. A control program (control software) that gives the server 901 at least a control function is input to the server 901 and compiled. This program causes the server 901 to operate as the server 1 having the control function. These programs may also be stored in a computer-readable recording medium such as the disk 910. Here, recording media readable by the server 901 include internal storage devices mounted inside a computer, such as ROM and RAM; portable storage media such as the disk 910, flexible disks, DVD disks, magneto-optical disks and IC cards; databases holding computer programs; other servers or computer systems and their databases; and various recording media accessible by a server or computer system connected via communication means such as the communication device 903.
The first processing device, the one first processing device, and the third processing device are, for example, the partitions 41A to 41N, and the second processing device and the system control device are, for example, the system control device 5. The information processing apparatus is, for example, the server 1 or the partitions 41A to 41N. The first storage unit and the second storage unit are, for example, the HDD 14. The first user information and the second user information are, for example, the user information 414A to 414N, and the third user information is, for example, the user information 52. The fourth user information is, for example, the input information, and the fifth user information is, for example, the authority information. The sixth user information is, for example, the user information save files 415A to 415N, and the determination information is, for example, the determination result. The first determination unit, the fourth determination unit, the second reception unit, and the third transmission unit are, for example, the user authentication units 412A to 412N. The second update unit is, for example, the execution unit 63, and the first transmission unit is, for example, the transmission unit 65. The detection unit is, for example, the change detection unit 64. The second determination unit, the third determination unit, and the permission unit are, for example, the determination unit 71, and the first reception unit, the third reception unit, and the second transmission unit are, for example, the transmission/reception unit 72. The first update unit and the writing unit are, for example, the execution unit 73.
1 server, 2 console, 5 system control device, 11 SVP, 12A to 12N SB, 13A to 13N IOB, 14 HDD, 41A to 41N partition, 51 user authentication unit, 52 user information, 61 determination unit, 62 reading unit, 63 execution unit, 64 change detection unit, 65 transmission unit, 71 determination unit, 72 transmission/reception unit, 73 execution unit, 81 administrator, 82 user, 111 CPU, 112 memory, 121 CPU, 122 memory, 411A to 411N OS, 412A to 412N user authentication unit, 413 monitoring agent unit, 414A to 414N user information, 415A to 415N user information save file.

Claims (18)

  1.  An information processing apparatus comprising a plurality of first processing devices each having an arithmetic processing unit, and a second processing device that controls the arithmetic processing units of the plurality of first processing devices, wherein
    one first processing device among the plurality of first processing devices comprises:
    a first storage unit that stores first user information indicating a first user who has access authority to the one first processing device;
    a first determination unit that, when second user information indicating a second user is input, determines, based on the second user information and the first user information, whether to permit the second user to access the one first processing device;
    a detection unit that detects a change to the first user information in the first storage unit; and
    a first transmission unit that, when a change to the first user information is detected by the detection unit, transmits change information indicating the content of the change to the first user information to the second processing device, and
    the second processing device comprises:
    a second storage unit that stores third user information indicating a third user who has access authority to the second processing device;
    a second determination unit that, when fourth user information indicating a fourth user is input, determines, based on the fourth user information and the third user information, whether to permit the fourth user to access the second processing device;
    a first reception unit that receives the change information transmitted from the first transmission unit; and
    a first update unit that updates the third user information in the second storage unit based on the change information received by the first reception unit.
  2.  The information processing apparatus according to claim 1, wherein
    the first user information includes, for each first user, fifth user information indicating whether the first user is a fifth user who has access authority to the second processing device,
    the first storage unit further stores sixth user information indicating the fifth user among the first users,
    the detection unit detects a change to the fifth user information based on the first user information and the sixth user information, and
    the change information indicates the change to the fifth user information.
  3.  The information processing apparatus according to claim 2, wherein
    the one first processing device further comprises
    a second update unit that, when a change to the fifth user information in the first storage unit is detected by the detection unit, updates the sixth user information in the first storage unit based on the change information.
  4.  The information processing apparatus according to claim 2 or claim 3, wherein
    the third user information includes the user account of a fifth user and the identifier of a third processing device, among the plurality of first processing devices, that the fifth user can access,
    the fourth user information includes the user account of the fourth user, and
    the second processing device further comprises
    a third determination unit that determines, based on the third user information and the fourth user information, whether the fourth user is a fifth user.
  5.  The information processing apparatus according to claim 4, wherein
    the first user information includes the user account of a fifth user and a password corresponding to that user account,
    the third user information includes a password corresponding to the user account of the fifth user,
    the fourth user information includes a password corresponding to the user account of the fourth user,
    the second processing device further comprises
    a second transmission unit that, when the third determination unit determines that the fourth user is a fifth user, transmits the fourth user information to the third processing device indicated by the identifier corresponding to the fourth user, and
    the first processing device further comprises:
    a second reception unit that receives the fourth user information transmitted by the second transmission unit; and
    a fourth determination unit that determines whether the user account and password of the fourth user indicated by the fourth user information received by the second reception unit are included in the first user information.
  6.  The information processing apparatus according to claim 5, wherein
    the first processing device further comprises
    a third transmission unit that, when the fourth determination unit determines that the user account and password of the received fourth user information are included in the first user information, transmits determination information indicating the result of that determination to the second processing device, and
    the second processing device further comprises:
    a third reception unit that receives the determination information transmitted by the third transmission unit; and
    a permission unit that permits access by the fourth user when the determination information is received by the third reception unit.
  7.  The information processing apparatus according to claim 6, wherein
    the second processing device further comprises
    a writing unit that, when the determination information is received by the third reception unit, writes the password in the fourth user information to the second storage unit in association with the user account of the fourth user.
  8.  The information processing apparatus according to claim 4, wherein
    when the third determination unit determines that the fourth user is not a fifth user, the second determination unit determines, based on the fourth user information and the third user information, whether to permit access by the fourth user.
  9.  The information processing apparatus according to claim 4, wherein
    when the third determination unit determines that the fourth user is a fifth user and the third processing device indicated by the identifier corresponding to the fourth user is in a stopped state, the second determination unit determines, based on the fourth user information and the third user information, whether to permit access by the fourth user.
  10.  A control method for an information processing apparatus comprising a plurality of first processing devices each having an arithmetic processing unit, and a second processing device that controls the arithmetic processing units of the plurality of first processing devices, the control method causing the information processing apparatus to execute:
    a step in which, when first user information indicating a first user is input to one first processing device among the plurality of first processing devices, the one first processing device determines, based on the first user information and second user information that is stored in a first storage unit of the one first processing device and indicates a second user who has access authority to the one first processing device, whether to permit the first user to access the one first processing device;
    a step in which the one first processing device detects a change to the second user information in the first storage unit;
    a step in which, when a change to the second user information is detected by the one first processing device, the one first processing device transmits change information indicating the content of the change to the second user information to the second processing device;
    a step in which, when third user information indicating a third user is input, the second processing device determines, based on the third user information and fourth user information that is stored in a second storage unit of the second processing device and indicates a fourth user who has access authority to the second processing device, whether to permit the third user to access the second processing device;
    a step in which the second processing device receives the change information transmitted from the first processing device; and
    a step in which the second processing device updates the fourth user information in the second storage unit based on the change information received by the second processing device.
  11.  The control method for an information processing apparatus according to claim 10, wherein
    the second user information includes, for each second user, fifth user information indicating whether the second user is a fifth user who has access authority to the second processing device,
    the first storage unit further stores sixth user information indicating the fifth user among the second users,
    the step in which the one first processing device detects a change to the second user information in the first storage unit detects a change to the fifth user information based on the second user information and the sixth user information, and
    the change information indicates the change to the fifth user information.
  12.  The control method for an information processing apparatus according to claim 11, further causing the information processing apparatus to execute
    a step in which, when a change to the fifth user information in the first storage unit is detected by the one first processing device, the one first processing device updates the sixth user information in the first storage unit based on the change information.
  13.  The control method for an information processing apparatus according to claim 11 or claim 12, wherein
    the fourth user information includes the user account of a fifth user and the identifier of a third processing device, among the plurality of first processing devices, that the fifth user can access,
    the third user information includes the user account of the third user, and
    the control method further causes the information processing apparatus to execute a step in which the second processing device determines, based on the fourth user information and the third user information, whether the third user is a fifth user.
  14.  The control method for an information processing apparatus according to claim 13, wherein
    the second user information includes the user account of a fifth user and a password corresponding to that user account,
    the fourth user information includes a password corresponding to the user account of the fifth user,
    the third user information includes a password corresponding to the user account of the third user, and
    the control method further causes the information processing apparatus to execute:
    a step in which, when the second processing device determines that the third user is a fifth user, the second processing device transmits the third user information to the third processing device indicated by the identifier corresponding to the third user;
    a step in which the third processing device receives the third user information transmitted by the second processing device; and
    a step in which the third processing device determines whether the user account and password of the third user indicated by the third user information received by the third processing device are included in the second user information.
  15.  The control method for an information processing apparatus according to claim 14, further causing the information processing apparatus to execute:
    a step in which, when the third processing device determines that the user account and password of the received third user information are included in the second user information, the third processing device transmits determination information indicating the result of that determination to the second processing device;
    a step in which the second processing device receives the determination information transmitted by the third processing device; and
    a step in which, when the determination information is received by the second processing device, the second processing device permits access by the third user.
  16.  The control method for an information processing apparatus according to claim 15, further causing the information processing apparatus to execute
    a step in which, when the determination information is received by the second processing device, the second processing device writes the password in the third user information to the second storage unit in association with the user account of the third user.
  17.  A control program for an information processing apparatus, the control program controlling an information processing apparatus having an arithmetic processing unit and causing the information processing apparatus to execute:
    a step of determining, when first user information indicating a first user is input, based on the first user information and second user information that is stored in a first storage unit and indicates a second user who has access authority to the information processing apparatus, whether to permit the first user to access the information processing apparatus;
    a step of detecting a change to the second user information in the first storage unit; and
    a step of transmitting, when a change to the second user information is detected, change information indicating the content of the change to the second user information to a system control device that controls the arithmetic processing unit of the information processing apparatus.
  18.  A control program for a system control device that controls arithmetic processing units respectively included in a plurality of information processing apparatuses, the program causing the system control device to execute:
    a step of determining, when first user information indicating a first user is input, whether to permit access to the system control device by the first user, based on the first user information and on second user information that is stored in a first storage unit and indicates a second user having access authority to the system control device;
    a step of receiving, from a first processing device that is any one of the plurality of information processing apparatuses, change information indicating the content of a change to third user information of a third user having access authority to that first processing device, the third user information being stored in a second storage unit of that first processing device; and
    a step of updating the second user information in the first storage unit based on the received change information.
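
A minimal sketch of the flow in claims 17 and 18, added here as an illustration and not taken from the patent: the partition side detects a change to its authorised-user records and sends change information to the system controller, which updates its own records. The class names, the in-memory transport and the storage of salted PBKDF2 digests in place of passwords are assumptions of this example.

```python
import hashlib, hmac, os

def hash_password(password, salt=None):
    # Assumption of this example: records hold a salted digest, not the password.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:
    """Storage unit: account -> (salt, digest) for users with access authority."""
    def __init__(self):
        self.users = {}
    def set_password(self, account, password):
        self.users[account] = hash_password(password)
    def check(self, account, password):
        entry = self.users.get(account)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, hash_password(password, salt)[1])

class SystemController:
    """Claim 18 side: authenticates users and applies received change information."""
    def __init__(self):
        self.store = UserStore()
    def receive_change(self, change):
        for account, entry in change["upserted"].items():
            self.store.users[account] = entry
        for account in change["removed"]:
            self.store.users.pop(account, None)

class Node:
    """Claim 17 side (hypothetical name): local store, change detection, reporting."""
    def __init__(self, controller):
        self.store = UserStore()
        self.controller = controller
        self._last_sent = {}          # snapshot of what the controller already has
    def sync(self):
        current = dict(self.store.users)
        change = {
            "upserted": {a: e for a, e in current.items()
                         if self._last_sent.get(a) != e},
            "removed": [a for a in self._last_sent if a not in current],
        }
        if change["upserted"] or change["removed"]:
            self.controller.receive_change(change)   # send only when something changed
            self._last_sent = current
        return change
```

Only the changed records cross the boundary, so the controller never needs to read the partition's full user database, and a deleted account is revoked on the controller at the next sync.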
PCT/JP2009/070761 2009-12-11 2009-12-11 Information processor, control method for information processor, control program for information processor, and control program for system controller WO2011070676A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2009/070761 WO2011070676A1 (en) 2009-12-11 2009-12-11 Information processor, control method for information processor, control program for information processor, and control program for system controller

Publications (1)

Publication Number Publication Date
WO2011070676A1 (en) 2011-06-16

Family

ID=44145245

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2009/070761 WO2011070676A1 (en) 2009-12-11 2009-12-11 Information processor, control method for information processor, control program for information processor, and control program for system controller

Country Status (1)

Country Link
WO (1) WO2011070676A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2016134104A (en) * 2015-01-21 2016-07-25 日立電線ネットワークス株式会社 Authentication system and authentication server

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000194630A (en) * 1998-12-28 2000-07-14 Fujitsu Ltd Information management device for plural systems and recording medium
JP2001067318A (en) * 1999-08-30 2001-03-16 Nec Corp User/password batch control system
JP2003044442A (en) * 2001-07-30 2003-02-14 Fujitsu Support & Service Kk Method and device for data authentication
JP2004070935A (en) * 2002-06-27 2004-03-04 Internatl Business Mach Corp <Ibm> Method, program and system for dynamic reconfiguration of resource of logical partition
JP2007537520A (en) * 2004-05-13 2007-12-20 インターナショナル・ビジネス・マシーンズ・コーポレーション Dynamic memory management of unallocated memory in a logically partitioned data processing system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
PETER PAWLAK: "Windows Server 2003 R2 de Kyoka suru Saishin ID Kanri (Windows Server 2003 R2 ID Management)", DIRECTIONS ON MICROSOFT JAPANESE VERSION, vol. 1, no. 20, 16 November 2005 (2005-11-16), pages 14 - 20 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09852072

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09852072

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP