WO2023148952A1 - Authority management system - Google Patents

Authority management system

Info

Publication number: WO2023148952A1
Authority: WO (WIPO (PCT))
Prior art keywords: user, information, authority, branch office, personal
Application number: PCT/JP2022/004598
Other languages: French (fr), Japanese (ja)
Inventors: 智子 富田, 拓也 新村, 常大 細田, 善宏 堂岸, 敢 江間, 守真 横田
Original assignee: 三菱電機ビルソリューションズ株式会社
Application filed by 三菱電機ビルソリューションズ株式会社
Priority to PCT/JP2022/004598
Publication of WO2023148952A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules

Definitions

  • the present invention relates to an authority management system, and in particular to collective management of user authority in multiple systems.
  • a business system may be formed for each task such as report creation, equipment information, and work management, and a corporate system may be constructed so that multiple branch offices can use the desired business system.
  • An employee or the like belonging to one of the branch offices (hereinafter "user") logs into the business system used for the work from a terminal such as a PC installed at the branch office, and uses the functions provided by that business system within the scope of the authority granted.
  • An object of the present invention is to facilitate the management of authority information for each user in each business system when multiple business systems are used by users of multiple branch offices.
  • An authority management system responds to an inquiry about the authority setting for a user from a business system shared by a plurality of users belonging to one of the branch offices: if personal authority information unique to the user is set for the business system, it replies with that personal authority information as the access authority to be set for the user; if no personal authority information is set for the user, it replies with the default information on access authority preset for each branch office as the access authority to be set for the user. The present invention is characterized by having an authority information providing means that performs this response.
  • the personal authority information is characterized in that information on authority setting is stored and managed separately for the branch office to which the user belongs and other branch offices.
  • FIG. 1 is a schematic overall configuration diagram of the company system in this embodiment.
  • FIG. 2 is a block configuration diagram showing the authority management system in this embodiment.
  • FIG. 3 is a diagram showing a data configuration example of the default information in this embodiment.
  • FIG. 4 is a diagram showing a data configuration example of the personal authority information in this embodiment.
  • FIG. 5 is a flowchart showing the user authority setting processing in this embodiment.
  • FIG. 1 is a schematic overall configuration diagram of a company system according to this embodiment.
  • FIG. 1 shows a plurality of branch servers 1, a plurality of business systems 2, and an authority management system 3. The branch servers 1 and the business systems 2, and the business systems 2 and the authority management system 3, can communicate with each other via a network (not shown).
  • the branch office server 1 is a server computer provided for each branch office of a company.
  • In FIG. 1 they are abstractly illustrated as "branch office server 1", "branch office server 2", and "branch office server 3", but a branch office server 1 is provided at the base of each district, for example Hokkaido, Tohoku, Tokyo, or Yokohama.
  • a company has branch offices at a plurality of bases and a head office.
  • In each branch office, an in-house system including the branch server 1 is constructed; in addition to the branch office server 1, each in-house system includes information processing devices such as PCs and network equipment used by the users of that branch office, but only the branch office server 1 is illustrated in FIG. 1.
  • the business system 2 is a computer system provided for each business performed in the company.
  • In FIG. 1 they are abstractly illustrated as "business system A", "business system B", and "business system C", but a business system 2 is provided for each business, for example report creation, equipment information, or work management.
  • a user who belongs to one of the branch offices logs into the applicable business system 2 and uses the functions provided by the logged-in business system 2 when performing work.
  • The user cannot use all the functions provided by the business system 2 without restriction: even if the user can log in, the functions available are limited by the authority information that has been set.
  • "Access permitted" or "access allowed" for a function is synonymous with being able to use that function; "access not permitted" or "access not allowed" is synonymous with not being able to use it.
  • the authority management system 3 is a system that collectively manages the access authority of each user to each business system 2 .
  • the hardware configuration of the authority management system 3 in this embodiment can be realized by a general-purpose server computer. That is, the authority management system 3 is configured by connecting a CPU, a ROM, a RAM, a hard disk drive as storage means, and a network interface provided as communication means to an internal bus. Further, in the case of this embodiment, a user interface including input means such as a mouse and a keyboard and display means such as a display is provided for setting access authority.
  • FIG. 2 is a block configuration diagram showing the authority management system 3 according to this embodiment.
  • the authority management system 3 in this embodiment has an authority information setting section 31 , an information management section 32 , a user authority information providing section 33 and a storage section 34 . Components that are not used in the description of this embodiment are omitted from the drawing.
  • the authority information setting unit 31 sets default information and personal authority information stored in the storage unit 34 according to the setting operation by the administrator.
  • the information management unit 32 manages information such as addition, update, and deletion of various types of information stored in the storage unit 34 according to setting operations by the administrator.
  • The user authority information providing unit 33 responds to an inquiry about the authority setting for a user from any business system 2 by replying with the user's personal authority information if it is set, and with the default information if it is not, thereby providing the inquiring business system 2 with the access authority to be set for that user.
  • the storage unit 34 stores default information, personal authority information, business system management information, and user master information.
  • FIG. 3 is a diagram showing a data configuration example of default information in this embodiment.
  • In the default information, authority information serving as initial values is set, classified by business system 2. Since a business system 2 in this embodiment provides one or more functions to the user, "authority information" is setting information on whether the user can access the business system 2 or each function it provides.
  • authority information is set for each function.
  • The authority information is set in the default information for each branch office to which a user may belong. That is, once the branch office to which a user belongs is identified, the access authority to be set for that user is determined. In FIG. 3, access permitted and access not permitted are indicated by the symbols "○" and "×".
  • the access authority to be set for the user is specified by the personal authority information or the authority information set in the default information. Therefore, in this embodiment, "access authority” and “authority information” are used as similar terms.
  • one of the functions is "activate TOP screen". It is a function to start the top screen provided first to the logged-in user. Other functions are set to be activated by selecting a predetermined button or the like displayed on the top screen. Therefore, if access to the "TOP screen activation” function is disabled, access to other functions in the business system 2 is also disabled. In this way, functions that cannot be accessed because the "activate TOP screen” function cannot be accessed are indicated by "-" in FIG.
  • The report creation system provides an information registration function for maintenance, an information registration function for repair, a report download function, and so on, in addition to the "activate TOP screen" function. For each such function, whether the users of a branch office can access it ("○") or not ("×" or "-") is set as default information.
  • FIG. 4 is a diagram showing a data configuration example of personal authority information in this embodiment.
  • Default information is information shared by all users, and there is only one in the entire enterprise system.
  • the personal authority information is set for users who are not granted access authority as set in the default information.
  • the individual authority information is configured by associating authority information set for the individual with the man number.
  • FIG. 4 illustrates the personal authority information of user A, identified by man number "ABC1234"; personal authority information is set for each individual as necessary by an administrator of the authority management system 3 or of the branch office to which the user belongs (hereinafter also "own branch office").
  • In the personal authority information, as in the default information, authority information indicating whether the user may access each function of each business system is set, and further so for each branch office.
  • Ordinarily, a user is given the access authority set in the default information for the own branch office.
  • FIG. 4 exemplifies the personal authority information of user A who belongs to branch office B as described above.
  • User A cannot access function 3 provided by business system B, while when using the functions provided by business system C, the personal authority information is set so that information relating to branch office D can also be accessed.
  • Personal authority information is authority-setting information for an individual user, but as shown in FIG. 4 the part relating to the user's own branch office is held separately from the parts relating to the other branch offices. For user A, the authority information corresponding to branch office B is selected from the personal authority information and set as the information relating to the own branch office.
  • Assume that user A is transferred to branch office C.
  • After the transfer, user A's own branch office is branch office C, and branch office B is no longer the own branch office.
  • The personal authority information was set while the user belonged to branch office B, so it is not necessarily preferable to take over the settings as they are; it is preferable that the transfer invalidates them.
  • On the other hand, unlike the settings for branch offices other than the own branch office, there are cases where it is desired to take over the settings relating to the own branch office as they are. In this embodiment, therefore, the part of the personal authority information relating to the own branch office is stored and managed separately from the information relating to the other branch offices. That is, the settings for branch office B, the former own branch office, are applied to branch office C, the new own branch office.
  • The authority information setting unit 31, in accordance with an instruction from the administrator, merely reflects the stored own-branch settings onto branch office C, so there is no need to set the own branch office again. Since branch office B is now a branch office other than the own branch office, it is set to be inaccessible in the same way as the other branch offices (branch office A, etc.) unless the administrator sets otherwise.
  • the business system management information is information for managing the business system 2 included in the enterprise system in this embodiment.
  • the business system management information is generated by associating the identification information of each business system 2 with information related to the functions provided by the business system 2 .
  • User master information includes information about users of the corporate system.
  • User master information is generated by associating a man number, the identification information that individually identifies each user, with authentication information including the user ID and password, and with information such as affiliation and duties indicating the user's position in the company.
  • Personnel information may be separately managed by a personnel information management server or the like.
  • User master information needs to be updated to the latest information each time personnel information is updated. However, it is also possible to refer to the latest personnel information in the personnel information management server each time it is necessary without having the user master information internally.
  • Each component 31 to 33 in the authority management system 3 is realized by cooperative operation between a computer forming the authority management system 3 and a program running on a CPU installed in the computer.
  • the storage unit 34 is realized by an HDD installed in the authority management system 3 .
  • RAM, or external storage means accessed via a network, may also be used.
  • the program used in this embodiment can be provided not only by communication means, but also by being stored in a computer-readable recording medium such as a CD-ROM or USB memory.
  • a program provided from a communication means or a recording medium is installed in a computer, and various processes are realized by the CPU of the computer sequentially executing the program.
  • The authority management system 3 collectively manages the access authority of each user, and a business system 2 cannot independently specify the access authority of a user. Therefore, when a user starts using a business system 2, that business system 2 asks the authority management system 3 what access authority is set for the user, acquires it, and lets the user use functions within the acquired range.
  • setting of access authority for a user in the present embodiment will be described with reference to the flowchart shown in FIG.
  • the user specifies authentication information and logs into the business system 2 corresponding to the business to be performed, for example, from a PC in the branch office.
  • It is assumed that authentication is performed by an existing method and that the user has been successfully authenticated.
  • the business system 2 designates the login ID (same as the "user ID") included in the authentication information, and makes an inquiry regarding the authority setting for the user to the authority management system 3.
  • the user authority information provision unit 33 in the authority management system 3 receives an inquiry from the business system 2 (step 110). Subsequently, the user authority information providing unit 33 acquires the man number and the user's position (affiliated branch office and duties) by searching the user master information based on the user ID specified in the inquiry (step 120). Then, since the man number is associated with the personal authority information, the user authority information providing unit 33 confirms whether or not the personal authority information associated with the obtained man number is set.
  • If the personal authority information is set, the user authority information providing unit 33 acquires it (step 140) and replies with it as the access authority to be set for the user (step 150).
  • If it is not set, the user authority information providing unit 33 acquires from the default information the authority information of the branch office to which the user belongs (step 160) and replies with it as the access authority to be set for the user (step 150).
  • the information returned to the business system 2 may be limited to authority information corresponding to the business system 2 that made the inquiry.
  • the business system 2 controls access for logged-in users according to the authority information returned from the authority management system 3. That is, the business system 2 determines the functions available to the user according to the authority information.
  • each business system 2 acquires the access authority for the logged-in user by inquiring of the user authority information providing unit 33 .
  • The authority management system 3 is provided to collectively manage the authority information that each business system 2 would otherwise manage for each user, so the authority information of each user in each business system 2 can be managed easily. In addition, changes to authority settings that accompany user transfers can be handled quickly and flexibly. Furthermore, even when a business system 2 is added to the enterprise system, it can be brought into operation early simply by adding information about that business system 2 to the default information described above.
  • the access authority for the user is set as default information according to the branch office to which the user belongs. Authority information may be set for each position described above.
  • access to the functions provided by the business system 2 is set for each branch office.
  • branch offices may be grouped according to predetermined rules for access control.
  • For example, the branch offices may be divided into multiple branch office areas (Hokkaido area, Tohoku area, Yokohama area, etc.) according to the location of their bases, and the authority information may be set as default information so that customer information managed by the branch offices in the same area can be accessed. In that case, information indicating the correspondence between branch offices and branch office areas is required.
  • Reference numerals: 1 branch server; 2 business system; 3 authority management system; 31 authority information setting unit; 32 information management unit; 33 user authority information providing unit; 34 storage unit.

Abstract

The present invention enables authorization information to be easily managed for each user in each business system when users at a plurality of branch offices use a plurality of business systems. In a corporation system including a business system (2) provided for each business engaged in by a corporation and a branch office server provided for each branch office of the corporation, an authorization management system (3) has a user authorization information provision unit (33) that, in response to an inquiry from a business system (2) about the authorization information of a user who has logged in, replies with personal authorization information as the access authorization to be set for the user if personal authorization information unique to that user is set, and, if no personal authorization information is set for that user, replies with the default information set for the branch office to which the user belongs, selected from the default information on access authorization preset for each branch office, as the access authorization to be set for that user.

Description

Authority management system
The present invention relates to an authority management system, and in particular to the collective management of user authority across multiple systems.
In a large company, for example, a business system may be formed for each task such as report creation, equipment information, or work management, and a corporate system may be constructed so that the desired business system can be used from multiple branch offices.
An employee or the like belonging to one of the branch offices (hereinafter "user") logs into the business system used for the work from a terminal such as a PC installed at the branch office, and uses the functions provided by that business system within the scope of the authority granted.
When the system is operated by setting the access authority, that is, the authority to use each function provided by a business system, for each user in this way, the access authority to each function must be set for all users of every business system at the time of system introduction.
Patent literature: JP 2020-052759 A; JP 2014-182708 A; JP 2010-170208 A; JP 2015-087930 A; JP 2019-087019 A; JP 2021-022201 A.
However, the larger the overall scale of the system, for example the greater the number of business systems and users, the greater the load required to set access authority. A large workload is also required to change access authority settings after the system has been introduced.
An object of the present invention is to facilitate the management of authority information for each user in each business system when multiple business systems are used by users of multiple branch offices.
An authority management system according to the present invention responds to an inquiry about the authority setting for a user from a business system shared by a plurality of users belonging to one of the branch offices: if personal authority information unique to the user is set for the business system, it replies with that personal authority information as the access authority to be set for the user; if no personal authority information is set for the user, it replies with the default information on access authority preset for each branch office as the access authority to be set for the user. The invention is characterized by having an authority information providing means that performs this response.
The personal authority information is further characterized in that the information on authority settings is stored and managed separately for the branch office to which the user belongs and for the other branch offices.
According to the present invention, when multiple business systems are used by users of multiple branch offices, the authority information of each user in each business system can be managed easily.
本実施の形態における企業システムの概略的な全体構成図である。1 is a schematic overall configuration diagram of a company system in this embodiment; FIG. 本実施の形態における権限管理システムを示すブロック構成図である。1 is a block configuration diagram showing an authority management system in this embodiment; FIG. 本実施の形態におけるデフォルト情報のデータ構成例を示す図である。4 is a diagram showing a data configuration example of default information in the embodiment; FIG. 本実施の形態における個人権限情報のデータ構成例を示す図である。4 is a diagram showing a data configuration example of personal authority information in the embodiment; FIG. 本実施の形態におけるユーザ権限設定処理を示すフローチャートである。4 is a flow chart showing user authority setting processing according to the present embodiment.
 以下、図面に基づいて、本発明の好適な実施の形態について説明する。 Preferred embodiments of the present invention will be described below based on the drawings.
 図1は、本実施の形態における企業システムの概略的な全体構成図である。図1には、複数の支社サーバ1と、複数の業務システム2と、権限管理システム3と、が示されている。支社サーバ1と業務システム2、業務システム2と権限管理システム3は、図示しないネットワークを介して相互に通信可能である。 FIG. 1 is a schematic overall configuration diagram of a company system according to this embodiment. FIG. 1 shows a plurality of branch servers 1, a plurality of business systems 2, and an authority management system 3. FIG. The branch server 1 and business system 2, and the business system 2 and authority management system 3 can communicate with each other via a network (not shown).
 支社サーバ1は、企業の支社毎に設けられるサーバコンピュータである。図1では、「支社サーバ1」,「支社サーバ2」,「支社サーバ3」と抽象化して図示しているが、支社サーバ1は、例えば北海道、東北、東京、横浜などと地区毎の拠点に設けられる。企業は、複数の拠点に支社を設けると共に本社も設けているが、本実施の形態では、本社や支社、更に協力会社に設置のサーバも含めて「支社サーバ」と総称する。また、各支社には,上記支社サーバ1を含む社内システムが構築され、各社内システムには、支社サーバ1の他に当該支社のユーザが使用するPC等の情報処理装置やネットワーク機器が含まれるが、図1では、支社サーバ1のみを図示している。 The branch office server 1 is a server computer provided for each branch office of a company. In FIG. 1, "Branch office server 1", "Branch office server 2", and "Branch office server 3" are abstractly illustrated. provided in A company has branch offices at a plurality of bases and a head office. In each branch office, an in-house system including the branch server 1 is constructed, and in addition to the branch office server 1, each in-house system includes information processing devices such as PCs and network devices used by users of the branch office. However, in FIG. 1, only the branch office server 1 is illustrated.
 業務システム2は、企業において行う業務毎に設けられるコンピュータシステムである。図1では、「業務システムA」、「業務システムB」、「業務システムC」と抽象化して図示しているが、業務システム2は、例えば報告書作成、設備情報や作業管理などの業務毎に設けられる。 The business system 2 is a computer system provided for each business performed in the company. In FIG. 1, "business system A", "business system B", and "business system C" are abstracted for illustration. provided in
 いずれかの支社に所属するユーザは、業務を遂行する際に、該当する業務システム2にログインし、ログインした業務システム2が提供する機能を使用する。本実施の形態の場合、ユーザは、何の制限もなく業務システム2が提供する全ての機能を利用できるわけではなく、仮にログインできたとしても、設定されている権限情報によって利用可能な機能が制限されている。なお、本実施の形態において、機能に「アクセス可」あるいは「アクセスが許可される」というのは、当該機能を利用できることと同義であり、その一方、機能に「アクセス不可」あるいは「アクセスが許可されない」というのは、当該機能を利用できないことと同義である。 A user who belongs to one of the branch offices logs into the applicable business system 2 and uses the functions provided by the logged-in business system 2 when performing work. In the case of this embodiment, the user cannot use all the functions provided by the business system 2 without any restrictions. Limited. In this embodiment, "access permitted" or "access permitted" to a function means that the function can be used. "Not available" is synonymous with not being able to use the function.
 権限管理システム3は、各ユーザの各業務システム2に対するアクセス権限を一括して管理するシステムである。本実施の形態における権限管理システム3のハードウェア構成は、汎用的なサーバコンピュータで実現可能である。すなわち、権限管理システム3は、CPU、ROM、RAM、記憶手段としてのハードディスクドライブ、通信手段として設けられたネットワークインタフェースを内部バスに接続して構成される。また、本実施の形態の場合、アクセス権限の設定のために、マウスやキーボード等の入力手段及びディスプレイ等の表示手段を含むユーザインタフェースを備えている。 The authority management system 3 is a system that collectively manages the access authority of each user to each business system 2 . The hardware configuration of the authority management system 3 in this embodiment can be realized by a general-purpose server computer. That is, the authority management system 3 is configured by connecting a CPU, a ROM, a RAM, a hard disk drive as storage means, and a network interface provided as communication means to an internal bus. Further, in the case of this embodiment, a user interface including input means such as a mouse and a keyboard and display means such as a display is provided for setting access authority.
 図2は、本実施の形態における権限管理システム3を示すブロック構成図である。本実施の形態における権限管理システム3は、権限情報設定部31、情報管理部32、ユーザ権限情報提供部33及び記憶部34を有している。なお、本実施の形態の説明に用いない構成要素は、図から省略している。 FIG. 2 is a block configuration diagram showing the authority management system 3 according to this embodiment. The authority management system 3 in this embodiment has an authority information setting section 31 , an information management section 32 , a user authority information providing section 33 and a storage section 34 . Components that are not used in the description of this embodiment are omitted from the drawing.
 権限情報設定部31は、管理者による設定操作に応じて、記憶部34に記憶されるデフォルト情報及び個人権限情報の設定を行う。情報管理部32は、管理者による設定操作に応じて、記憶部34に記憶される各種情報の追加、更新、削除等情報の管理を行う。ユーザ権限情報提供部33は、いずれかの業務システム2からのユーザに対する権限設定に関する問合せに応じて、当該ユーザの個人権限情報が設定されている場合にはその個人権限情報を、当該ユーザの個人権限情報が設定されていない場合にはデフォルト情報を、返答することによって、当該ユーザに設定すべきアクセス権限を問合せ元の業務システム2に提供する。 The authority information setting unit 31 sets default information and personal authority information stored in the storage unit 34 according to the setting operation by the administrator. The information management unit 32 manages information such as addition, update, and deletion of various types of information stored in the storage unit 34 according to setting operations by the administrator. The user authority information providing unit 33 responds to an inquiry about authority setting for a user from any business system 2, and if the personal authority information of the user is set, the personal authority information of the user is sent to the personal authority of the user. If the authority information is not set, the default information is returned, thereby providing the business system 2 of the inquiry source with the access authority to be set for the user.
 記憶部34には、デフォルト情報、個人権限情報、業務システム管理情報及びユーザマスタ情報が記憶される。 The storage unit 34 stores default information, personal authority information, business system management information, and user master information.
 図3は、本実施の形態におけるデフォルト情報のデータ構成例を示す図である。デフォルト情報には、初期値としての権限情報が業務システム2毎に分類されて設定される。本実施の形態における業務システム2は、ユーザに対して1又は複数の機能を提供するので、「権限情報」というのは、ユーザが業務システム2あるいは業務システム2が提供する各機能について、アクセスができるか否かに関する設定情報である。本実施の形態においては、権限情報を機能毎に設定している。デフォルト情報には、その権限情報を、ユーザの所属先となる支社毎に設定している。すなわち、各ユーザが所属する支社が特定されることによって、当該ユーザに設定すべきアクセス権限が特定される。図3では、アクセスの可と不可を“○” 、“×”の記号で示している。 FIG. 3 is a diagram showing a data configuration example of default information in this embodiment. In the default information, authority information as an initial value is classified for each business system 2 and set. Since the business system 2 in this embodiment provides one or a plurality of functions to the user, "authority information" means that the user can access the business system 2 or each function provided by the business system 2. This is setting information regarding whether or not it is possible. In this embodiment, authority information is set for each function. The authority information is set in the default information for each branch office to which the user belongs. That is, by specifying the branch office to which each user belongs, the access authority to be set for the user is specified. In FIG. 3, whether or not access is permitted is indicated by symbols “○” and “×”.
 ちなみに、ユーザに設定すべきアクセス権限は、個人権限情報又はデフォルト情報に設定されている権限情報によって特定される。従って、本実施の形態では、「アクセス権限」と「権限情報」を同様な用語として用いている。 By the way, the access authority to be set for the user is specified by the personal authority information or the authority information set in the default information. Therefore, in this embodiment, "access authority" and "authority information" are used as similar terms.
 なお、本実施の形態では、図3に例示するように、機能の1つとして“TOP画面起動”が存在するが、“TOP画面起動”という機能は、業務システム2が業務を遂行する際にログインしたユーザに最初に提供するトップ画面を起動する機能である。そして、その他の機能は、トップ画面に表示される所定のボタン等が選択されて起動されるよう機能の関係が設定されている。従って、“TOP画面起動”機能へのアクセスが不可の場合には、その業務システム2における他の機能もアクセスできないことになる。このように、“TOP画面起動”機能へのアクセスができないためにアクセスできない機能に対しては、図3では“-”を対応付けて示している。 In this embodiment, as shown in FIG. 3, one of the functions is "activate TOP screen". It is a function to start the top screen provided first to the logged-in user. Other functions are set to be activated by selecting a predetermined button or the like displayed on the top screen. Therefore, if access to the "TOP screen activation" function is disabled, access to other functions in the business system 2 is also disabled. In this way, functions that cannot be accessed because the "activate TOP screen" function cannot be accessed are indicated by "-" in FIG.
For example, suppose there is a business system 2 called a report creation system. In addition to the "TOP screen activation" function, the report creation system provides an information registration function for maintenance, an information registration function for repair, a report download function, and so on. For each such function, the default information sets whether a branch office user can access the function ("○") or cannot ("×" or "-").
FIG. 4 is a diagram showing an example of the data structure of the personal authority information in this embodiment. The default information is shared by all users, and there is only one instance of it in the entire enterprise system. By contrast, personal authority information is set for users who are not granted access authority exactly as set in the default information. Personal authority information is configured by associating a man number with the authority information set for that individual. FIG. 4 illustrates the personal authority information of user A, identified by man number "ABC1234"; personal authority information is set for each individual as necessary by an administrator of the authority management system 3 or of the branch office to which the user belongs (hereinafter also called the "own branch office").
As is clear from a comparison with the data structure of the default information, the personal authority information, like the default information, holds authority information indicating whether access is permitted for that user for each function of each business system, and additionally for each branch office. Normally, a user is given the access authority set in the default information for the own branch office, and information concerning branch offices other than the own branch office cannot be accessed using the function. However, there are exceptional cases in which access to information of a branch office other than the own branch office is to be permitted using the function, and cases can also be envisaged in which access is to be denied even for the own branch office. FIG. 4 illustrates, as noted above, the personal authority information of user A, who belongs to branch office B; as a comparison with the default information makes clear, user A cannot access function 3 provided by business system B, whereas, when using the functions provided by business system C, the personal authority information is set so that user A can also access information concerning branch office D.
Personal authority information is information on the authority settings made for an individual user, but as shown in FIG. 2 it is managed in two parts: user authority information and user own-branch authority information. The user authority information contains the personal authority information set for each user as described above, excluding the information that falls under the user own-branch authority information. The user own-branch authority information, on the other hand, holds the part of the personal authority information that concerns the own branch office (for user A, the authority information corresponding to branch office B).
Suppose that user A is transferred to branch office C. In that case, branch office C becomes user A's own branch office and branch office B is no longer the own branch office. Normally, the personal authority information was set while the user belonged to branch office B, so carrying those settings over unchanged is not necessarily desirable; it is considered preferable to invalidate them upon transfer. However, unlike the settings for branch offices other than the own branch office, there are cases in which the settings concerning the own branch office should be carried over as they are. Therefore, with such cases in mind, this embodiment holds and manages the part of the personal authority information that concerns the own branch office separately from the information on the other branch offices. That is, the settings for branch office B, the former own branch office, are applied to branch office C, the new own branch office.
For example, when personal authority information is set again for user A after the transfer, the authority information setting unit 31, in accordance with an instruction from the administrator, only has to reflect the settings for branch office B stored in the user own-branch authority information onto branch office C; the settings for the own branch office need not be made again. Branch office B, now being a branch office other than the own branch office, has its setting changed to access denied in the same way as the other non-own branch offices (branch office A and so on), unless the administrator sets it otherwise.
The business system management information is information for managing the business systems 2 included in the enterprise system of this embodiment. It is generated by associating the identification information of each business system 2 with information on the functions that business system 2 provides.
The user master information contains information on the users of the enterprise system. It is generated by associating the man number, which is identification information that individually identifies each user, with authentication information including the user ID and password, and with information such as affiliation and duties indicating the user's position in the company. Some companies manage personnel information separately on a personnel information management server or the like; in this embodiment, that personnel information is copied and held by the authority management system 3 as the user master information. The user master information must be updated to the latest information each time the personnel information is updated. Alternatively, the authority management system 3 may hold no user master information internally and instead refer to the latest personnel information on the personnel information management server whenever it is needed.
Each of the components 31 to 33 of the authority management system 3 is realized by the cooperative operation of the computer forming the authority management system 3 and a program running on the CPU mounted in that computer. The storage unit 34 is realized by an HDD mounted in the authority management system 3; alternatively, RAM or external storage means accessed via a network may be used.
The program used in this embodiment can be provided not only by communication means but also stored on a computer-readable recording medium such as a CD-ROM or USB memory. A program provided from communication means or a recording medium is installed in the computer, and the various processes are realized by the computer's CPU executing the program sequentially.
Next, the operation of this embodiment will be described.
As described above, before operation of the enterprise system begins, the administrator must have set the default information, and personal authority information for the users who need it, in the authority management system 3. The description here continues on the assumption that these have already been set. In this embodiment, the authority management system 3 collectively manages the access authority of every user, and a business system 2 cannot determine a user's access authority on its own. Therefore, when a user starts using a business system 2, that business system 2 queries the authority management system 3 to obtain what access authority has been set for that user, and lets the user use functions within the obtained range. The setting of access authority for a user in this embodiment is described below with reference to the flowchart shown in FIG. 5.
A user logs in to the business system 2 corresponding to the work to be performed, for example from a PC in the branch office, by specifying authentication information. Here it is assumed that authentication is performed by an existing method and that the user has been authenticated successfully. The business system 2 specifies the login ID (the same as the "user ID") contained in the authentication information and sends the authority management system 3 an inquiry about the authority settings for that user.
The user authority information providing unit 33 of the authority management system 3 receives the inquiry from the business system 2 (step 110). Next, the user authority information providing unit 33 searches the user master information by the user ID specified in the inquiry to obtain the man number and the user's position (the branch office the user belongs to and the user's duties) (step 120). Since personal authority information is linked to a man number, the user authority information providing unit 33 then checks whether personal authority information linked to the obtained man number has been set.
If personal authority information linked to the user has been set (Y in step 130), the user authority information providing unit 33 acquires that personal authority information (step 140) and returns it as the access authority to be set for the user (step 150).
If, on the other hand, no personal authority information linked to the user has been set (N in step 130), the user authority information providing unit 33 acquires from the default information the authority information of the branch office to which the user belongs (step 160) and returns it as the access authority to be set for the user (step 150).
The information returned to the business system 2 may be limited to the authority information corresponding to the business system 2 that made the inquiry.
The business system 2 controls access for the logged-in user according to the authority information returned from the authority management system 3. That is, the business system 2 determines, from the authority information, which functions the user may use.
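As an added illustration that is not part of the patent, the following Python sketch implements the inquiry handling of steps 120 to 160 above (personal authority information first, default information of the own branch office otherwise, the "TOP screen activation" gate, and the reply limited to the inquiring system) together with the transfer behaviour described for user A. The sample data, the names (resolve_authority, transfer_user, PersonalAuthority) and the direct application of the transfer without an administrator's instruction are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict

# Branch-keyed authority table: system -> function -> branch office -> allowed.
# True = "○" (access permitted); False = "×" or "-" (not permitted).
Table = Dict[str, Dict[str, Dict[str, bool]]]

TOP = "TOP screen activation"  # gate function: when denied, every other function is "-"

# Default information (constructed sample): the single table shared by all users.
DEFAULT_INFO: Table = {
    "ReportSystem": {
        TOP:               {"A": True, "B": True, "C": True, "D": False},
        "Report download": {"A": False, "B": True, "C": True, "D": True},
    },
}

# User master information (constructed): login ID -> [man number, own branch office].
USER_MASTER = {"alice": ["ABC1234", "B"], "bob": ["XYZ9876", "A"]}


@dataclass
class PersonalAuthority:
    """Personal authority information, split as in the text: settings for the
    user's own branch office are held apart from settings for every other branch."""
    own_branch: Dict[str, Dict[str, bool]] = field(default_factory=dict)  # system -> function -> allowed
    other_branches: Table = field(default_factory=dict)


# Constructed: user A (man number ABC1234, branch B) may not download reports for
# her own branch, but may reach branch D's data through the report system.
PERSONAL_INFO = {
    "ABC1234": PersonalAuthority(
        own_branch={"ReportSystem": {TOP: True, "Report download": False}},
        other_branches={"ReportSystem": {TOP: {"D": True}, "Report download": {"D": True}}},
    ),
}


def apply_top_gate(funcs: Dict[str, Dict[str, bool]]) -> Dict[str, Dict[str, bool]]:
    """A branch that cannot start the TOP screen cannot reach any other function."""
    top = funcs.get(TOP, {})
    return {f: {b: (ok if f == TOP else (ok and top.get(b, False)))
                for b, ok in branches.items()}
            for f, branches in funcs.items()}


def resolve_authority(user_id: str, system: str) -> Dict[str, Dict[str, bool]]:
    """Steps 120-160: answer one business system's inquiry with the authority to
    set for the user, limited to that system, as function -> branch -> allowed."""
    man_number, own = USER_MASTER[user_id]                         # step 120
    branches = list(DEFAULT_INFO[system][TOP])
    personal = PERSONAL_INFO.get(man_number)
    if personal is not None and system in personal.own_branch:     # step 130: Y
        result = {}
        for func, own_ok in personal.own_branch[system].items():   # step 140
            others = personal.other_branches.get(system, {}).get(func, {})
            result[func] = {b: own_ok if b == own else others.get(b, False) for b in branches}
    else:                                                          # step 130: N
        result = {func: {b: tbl[own] if b == own else False for b in branches}
                  for func, tbl in DEFAULT_INFO[system].items()}   # step 160
    return apply_top_gate(result)                                  # step 150


def transfer_user(user_id: str, new_branch: str) -> None:
    """Transfer: own-branch settings follow the user to the new branch office;
    settings for the other branch offices are invalidated until set again."""
    USER_MASTER[user_id][1] = new_branch
    personal = PERSONAL_INFO.get(USER_MASTER[user_id][0])
    if personal is not None:
        personal.other_branches.clear()
```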
According to this embodiment, as described above, each business system 2 obtains the access authority of the logged-in user by inquiring of the user authority information providing unit 33. Because the authority management system 3 is provided to collectively manage the user authority information that each business system 2 would otherwise have to handle, the authority information of each user in each business system 2 can be managed easily. Changes to authority settings accompanying user transfers and the like can also be handled quickly and flexibly. Furthermore, even when a business system 2 is added to the enterprise system, the enterprise system can be brought into operation early simply by adding information on that business system 2 to the default information described above.
In this embodiment, the access authority for a user is set as default information according to the branch office the user belongs to, but branch offices may, for example, be subdivided by the duties of the users belonging to them, so that authority information is set for each branch office and each duty, that is, for each position as described above.
In this embodiment, whether the functions provided by the business system 2 can be accessed is set per branch office. Branch offices may further be grouped according to predetermined rules so that access can be controlled per group.
For example, the branch offices may be divided into multiple branch office areas (Hokkaido area, Tohoku area, Yokohama area, and so on) according to the location of their bases, and the default information may set authority information so that each branch office can access the customer information managed by the other branch offices in the branch office area to which it belongs. In this case, information indicating the correspondence between branch offices and branch office areas is required.
1 branch office server, 2 business system, 3 authority management system, 31 authority information setting unit, 32 information management unit, 33 user authority information providing unit, 34 storage unit.

Claims (2)

  1.  An authority management system comprising authority information providing means that, in response to an inquiry from a business system shared by a plurality of users each belonging to one of a plurality of branch offices about the authority settings for a user, returns, when personal authority information specific to that user has been set for the business system, that personal authority information as the access authority to be set for the user, and, when no such personal authority information has been set for the user, returns default information on access authority preset for each branch office as the access authority to be set for the user.
  2.  The authority management system according to claim 1, wherein the personal authority information holds and manages the information on authority settings separately for the branch office to which the user belongs and for the other branch offices.
PCT/JP2022/004598 2022-02-07 2022-02-07 Authority management system WO2023148952A1 (en)

Publications (1)

Publication Number Publication Date
WO2023148952A1 true WO2023148952A1 (en) 2023-08-10

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001005727A (en) * 1999-06-22 2001-01-12 Kyocera Communication Systems Co Ltd Access management device
JP2006331120A (en) * 2005-05-26 2006-12-07 Konica Minolta Business Technologies Inc Information processor, management method therefor and computer program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22924862

Country of ref document: EP

Kind code of ref document: A1