WO2003083678A1 - Access control apparatus and data management apparatus - Google Patents

Abstract

An access control apparatus (1) has a plurality of interface ports (A-D) connected to external devices (2) and can set the types of permitted accesses to hard disks (3) connected to access ports (a-d) associated with the respective interface ports (A-D). Since the settings can be performed in accordance with the natures of the external devices (2) connected to the respective interface ports, shared data stored in the hard disks (3) can be prevented from being tampered or destroyed by user’s operating error or intentionally.

Description

 ,

Description Access control device and data management device

 The present invention relates to an access control device for controlling an access from an external device such as reading, rewriting, writing, and deleting data to a storage device such as a hard disk that stores data shared by a plurality of users. And data management equipment. Background art

Conventionally, shared data is stored in a server device or a server device in which shared data is stored so that a plurality of users can use data stored in a storage device such as a hard disk (hereinafter, referred to as shared data). A management device for the administrator who manages the shared data and a personal terminal for the user who uses the shared data were connected to the network. Also, in order to prevent the above-mentioned shared data from being rewritten or destroyed due to erroneous operation of the user, many network systems rewrite, write, and write the shared data to the user. Deletion is prohibited, and only reading (downloading) of shared data is permitted. In particular, in the case of a server device that discloses shared data on the Internet, since an unspecified number of users have access to it, prohibiting users from rewriting, writing, and deleting shared data. There are many cases. For example, when rewriting, writing, and deleting shared data from a server device, authentication using a password or the like (a person who is allowed to rewrite, write, or delete shared data from a storage device (shared data (Authentication as to whether or not the user is the administrator), the rewriting, writing, and deletion of the shared data was prohibited for anyone (user) who did not know the password. „

Note that the user does not need to rewrite, write, and delete the shared data, as long as the shared data can be downloaded from the server device and used.

 The term “rewriting” as used herein refers to an update of a change in shared data stored in the server device, and the term “writing” refers to adding new shared data to the server device.

 However, the number of crimes that alter (deliberately rewrite) or destroy the shared data stored on the server device (criminals by hackers) has increased, and the rewriting, writing, and The method that allows deletion has the problem that the security of shared data is low.

 In addition, when a user uses shared data read from a storage device, a network system operated in an environment in which new shared data is created or the shared data stored in the storage device changes due to the use. There is. For example, hospitals use a chart system that stores the patient's chart in a storage device. The medical chart system is a system that enables doctors (users of the medical chart system) to perform appropriate medical practices on patients. The doctor reads the patient's medical record from the storage device, checks the medical history of the patient so far, and determines the contents of the current medical practice for the patient. After completing the current medical practice for the patient, the physician must replace the patient's medical record stored in the storage device with a medical record in which the contents of the current medical practice have been added. For this reason, if the medical chart system is configured with a network system that does not allow doctors to rewrite medical records (shared data), the contents of medical actions performed by doctors on patients cannot be registered in the patient's medical records. . In this case, the medical practice cannot be performed properly, for example, the same medical practice is performed repeatedly on the patient, and the possibility of a medical accident increases. For this reason, the chart system consisted of a network system that allowed doctors to rewrite the patient's chart, which is shared data.

Thus, the user can rewrite the shared data stored in the storage device. „

Many network systems are operated in an authorized environment. Network systems operated in such an environment are subject to unnecessary rewriting of shared data due to user's erroneous operation and falsification of shared data by malicious parties. Shared data was not adequately protected.

 An object of the present invention is to provide an access control device that improves the security of the data by preventing data stored in the storage device from being tampered with or destroyed by a user's erroneous operation or intentional purpose, and a data control device. To provide a management device. Disclosure of the invention

 The access control device of the present invention includes:

 A plurality of interface ports to which external devices are connected,

 An access port to which a storage device for storing data is connected, and an access type permitted for the storage device are set for each of the interface ports. A control unit that, when input to the port, determines whether or not the input access request can be executed based on the type of access permitted to the interface port.

 In this configuration, the type of access permitted to the storage device connected to the access port is set in the control unit for each interface port to which an external device is connected. The external device referred to here is a personal terminal operated by a user who uses data (shared data) stored in a storage device, or a pipe operated by an administrator who manages shared data stored in the storage device. It is a physical device.

 The type of access is, for example,

 ① Read out the shared data stored in the storage device,

② Rewriting of the shared data stored in the storage device, ,

③ Write shared data to storage device,

 削除 Delete shared data stored in the storage device,

 It is. The control unit is one of the above ① ~ ① for each interface port

Make settings that allow for, or more than one.

 Further, when a request for access to the storage device is input to any one of the interface ports, the control unit may determine whether the access request is input based on the type of access permitted to the interface port. It is determined whether the request can be executed.

 For example, in an interface port where the type of access permitted is only (1), if the input access request is (2), it is determined that the access request can be executed. On the other hand, if the access request input at the interface port is (1) to (4), it is determined that the input request cannot be executed. For this reason, for a user who permits only the down-link of the shared data stored in the storage device, a setting may be made such that only reading of the shared data is permitted to the interface port to which the user is connected. In addition, it is possible to prevent the user connected to the interface port from erroneous operation and intentionally altering or destroying the shared data stored in the storage device.

 In addition, the setting of the type of access allowed for each interface port is configured so that it can be set by operating the device itself, and cannot be set by remote control from external devices. The security can be further improved.

In addition, for the interface connected to the device (external device) operated by the administrator who manages the shared data, all of the above items (1) to (4) are permitted to be shared by the administrator. Data management does not have to be complicated. Also, if the above steps (1) and (3) are permitted for the interface port, the user connected to the interface port will share data. In addition to reading data, you can also add shared data. With this setting, the user can show the shared data to the user, obtain an impression of the shared data from the user, use it as a new shared data, etc., and use it as a system. Since the user cannot rewrite or delete the shared data, sufficient security for the shared data can be ensured.

 Furthermore, since each interface port can be set to allow one or more of the above (1) to (4), settings can be made according to the nature of the user connected to the interface port, and shared while supporting various uses. Data security can be sufficiently secured.

 The invention also provides:

 An interface port to which an external device is connected,

 A plurality of access ports to which a storage device for storing data is connected, and the type of access permitted to the connected storage device are set for each of the access ports, and any one of the access ports is set. When a request for access to the storage device connected to the storage device is input to the interface port, the type of access permitted to the access port to which the storage device requested to access is connected is And a control unit for determining whether or not the input access request can be executed based on the information.

 In this configuration, the control unit sets the type of access (① to ① described above) permitted for the storage device connected to each access port. Further, when there is a request for access to a storage device connected to any one of the access ports at the interface port, the control unit, based on the type of access permitted to the access port, Then, it is determined whether or not the input access request can be executed.

For example, an access request entered for a storage device connected to an access port whose access type is „

If the above is ①, it is determined that this access request can be executed. On the other hand, if the request for the access to the storage device connected to the access port is the above (1) to (4), it is determined that the input request cannot be executed.

 In this way, the type of access allowed to the connected storage device can be set for each access port, so that the user can display the properties of the shared data stored in the storage device, for example, the shared data to the user. Therefore, if the system obtains the impression of the shared data from the user, the storage device for storing the shared data to be presented to the user, the storage device for storing the obtained impression of the user, etc. Allowed types can be set.

 Note that the access port to which the storage device that stores the shared data to be presented to the user is connected only needs to permit reading of the shared data, and the storage device that stores the obtained user's impression is connected. Only the writing of the shared data need be permitted for the access port to be used.

 The invention also provides:

 An interface port to which an external device is connected,

 An access port to which a storage device is connected;

 The type of access permitted to the storage device connected to the access port is set to data reading and new writing, and the request for access to the storage device input to the interface port is a data request. A control unit for executing the input access request if the request is either reading or writing new data, and ignoring the input access request if not requesting reading or writing new data file. , And.

In this configuration, a storage device that stores data, for example, a hard disk, is connected to the access port, and an external device that uses data stored in the storage device is connected to the interface port. The control unit If there is a request to read data or write new data from an external device connected to the interface port, the request is executed, but other than reading the above data or writing new data from an external device connected to the interface port For example, if there is a request to rewrite (overwrite) or delete data, this request is ignored.

 Therefore, data stored in the storage device connected to the access port cannot be rewritten or deleted. As a result, data stored in the storage device connected to the access port can be sufficiently protected from useless rewriting due to a user's erroneous operation and falsification by a malicious person.

 Also, when a request for new writing of data to the storage device is input to the interface port, the request is executed, so that a system used in an environment where the user needs to update data stored in the storage device. Even so, updated data can be stored in the storage device by newly writing the newly generated data in the storage device. BRIEF DESCRIPTION OF THE FIGURES

 FIG. 1 is a diagram showing a configuration of a network system to which an access control device according to an embodiment of the present invention is applied.

 FIG. 2 is a diagram showing a configuration of the access control device according to the embodiment of the present invention. FIG. 3 is a flowchart showing the operation of the access control device according to the embodiment of the present invention.

 FIG. 4 is a flowchart showing a read process of shared data in the access control device according to the embodiment of the present invention.

 FIG. 5 is a flowchart showing a rewriting process for shared data in the access control device according to the embodiment of the present invention.

FIG. 6 is a flowchart showing a write process of the shared data in the access control device according to the embodiment of the present invention. FIG. 7 is a flowchart showing a shared data deletion process in the access control apparatus according to the embodiment of the present invention.

 FIG. 8 is a diagram showing an example in which the access control apparatus according to the embodiment of the present invention is applied to an Internet.

 FIG. 9 is a flowchart showing a process of reading shared data in an access control device according to another embodiment of the present invention.

 FIG. 10 is a diagram for explaining a method of setting the type of access permitted for each of the interface ports A to D and for each of the access ports a to d.

 FIG. 11 is a diagram showing a network system to which an access control device according to still another embodiment of the present invention is applied.

 FIG. 12 is a diagram showing a configuration of an access control device according to still another embodiment of the present invention.

 Figure 13 shows the chart file name.

 FIG. 14 is a flowchart showing the operation of the access control device according to still another embodiment of the present invention.

 FIG. 15 is a flowchart showing the operation of the access control device according to still another embodiment of the present invention. BEST MODE FOR CARRYING OUT THE INVENTION

 Hereinafter, an access control device according to an embodiment of the present invention will be described in detail.

FIG. 1 is a diagram showing a network system to which an access control device according to an embodiment of the present invention is applied. In the figure, reference numeral 1 denotes an access control device according to an embodiment of the present invention. The access control device 1 includes a plurality of (four in this embodiment) interface ports A to D to which external devices 2 (2A to 2D) are connected, and a hard disk 3 (3a to 3d) (this A plurality (four in this embodiment) of access ports to which the storage device of the invention is connected To d. The external device 2 is a personal terminal of a user who uses the shared data or a management device for an administrator who manages the shared data stored in the storage device 3. The type of the external device 2 is not particularly limited as long as the device has a data communication function, such as a personal computer or a portable terminal. The access control device 1 and the external device 2 may be configured to be directly connected by a cable, or may be configured to be connected via a network such as a LAN Internet. The access control device 1 and the hard disk 3 constitute a server device. The server device may be configured such that the access control device 1 and the hard disk 3 are integrated.

 FIG. 2 is a diagram showing a configuration of the access control device according to the embodiment of the present invention. The access control device 1 includes a control unit 11 that controls the operation of the main unit and an interface controller 12 that controls input and output for each of the interface ports A to D to which the external device 2 is connected. A to 12D), a FIFO 13 (13A to 13D) that temporarily stores data input and output for each interface port A to D, and a cache controller that controls the cache memory 14 15 and a FIFO 16 (16a to 16d) that temporarily stores data input and output for each access port a to d to which the hard disk 3 is connected, and a connection to each access port a to d And a device controller 17 for controlling the hard disk 3 (3 a to 3 d). The interface controller 12 controls connection with other devices (external devices) through an interface such as SCS I or I DE. The device controller 17 controls data reading and writing to and from the hard disk 3 connected to the access ports a to d.

The access control device 1 sets the type of access permitted to the hard disk 3 connected to the access ports a to d for each of the interface ports A to D. This setting can be changed only on the operation unit (not shown) provided in the access control device 1. It is configured so that it cannot be changed from the external device 2 connected to A to D.

 In each evening face port A ~ D,

 ①Read out the shared data stored in the hard disk 3,

 ② Rewriting of shared data stored in the hard disk 3 (change of stored shared data),

 ③ Writing new shared data to hard disk 3,

 共有 Deletion of shared data stored on Hard Disk 3,

 Permission is set for one or more of. When a request for access to the hard disk 3 is input, each interface controller 12 determines whether the type of the access is a type permitted by the control unit 11 and is permitted. If the request is determined, the request is accepted, and if it is determined that the request is not permitted, the request is rejected.

 In this embodiment, interface port A is set to permit only reading of shared data, interface port B is set to permit reading of shared data and rewriting of shared data, and interface port C is set to permit reading of shared data. This setting allows reading and writing of shared data.Interface port D is a setting that allows reading of shared data, rewriting of shared data, writing of shared data, and deletion of shared data. Take an example.

A personal terminal (external device 2A) of a user (general user) who only downloads and uses the shared data is connected to interface port A. In addition, a user who not only downloads and uses the shared data but also rewrites the shared data as necessary is connected to the interface port B. Users who not only download and use shared data but also write new shared data as needed are connected to interface port C. In addition, read, rewrite, write, and delete shared data as necessary. The administrator of the shared data is connected to interface port D.

 Further, a system of R AID level 0 Z 1 is constituted by four hard disks connected to the access ports a to d. Specifically, two hard disks 3a and 3b connected to the access ports a and b function as data storage for storing shared data, and are connected to the access ports c and d. One hard disk 3c, 3d functions as a mirror for the hard disk 3 connected to the access ports a, b, respectively. Further, the shared data divided into blocks of a predetermined size is stored in two hard disks 3 a and 3 b connected to the access ports a and b. Specifically, the odd-numbered blocks are stored on the hard disk 3a, and the even-numbered blocks are stored on the hard disk 3b.

 The hard disk 3c for mirroring stores odd-numbered blocks, and the hard disk 3d stores even-numbered blocks.

 The hard disk 3c functions as a backup for the hard disk 3a, and the hard disk 3d functions as a backup for the hard disk 3b.

When rewriting or writing shared data, the device controller 17 divides the shared data to be rewritten or the shared data to be written into blocks of a predetermined size, and hard drives connected to the access ports a and b. Write to 3a, 3b. At this time, the shared data divided into blocks of a predetermined size is also written to the hard disks 3c and 3d connected to the access ports c and d. The shared data written to the hard disks 3a and 3c are the same block, and the shared data written to the hard disks 3b and 3d are the same block. When deleting the shared data, the device controller 17 stores the corresponding shared data in the hard disks 3 a to 3 d connected to the access ports a to d. Set the reserved area as a free area. Further, when reading the shared data, the device controller 17 reads the odd-numbered data divided into blocks of a predetermined size from the hard disk 3 a connected to the access port a, and performs the access. Read the even-numbered data divided into blocks of a predetermined size from the hard disk 3 b connected to port b, and create a shared data by arranging them in order (for blocks of a predetermined size). Combine the divided shared data.)

 Hereinafter, the operation of the access control device 1 of this embodiment will be described. FIG. 3 is a flowchart showing the operation of the access control device. Each of the interface controllers 12A to 12D waits for an access request to the hard disk 3 connected to the access ports a to d to be input to the interface ports A to D, respectively. Yes (si). Access requests input to interface ports A to D are read, rewrite, write, or delete shared data.

 When a request for access to the hard disk 3 is input to the connected interface port, the interface controller 12 is of a type permitted for the interface port to which the request for access is connected. Judge whether or not (s2). When the interface controller 12 determines that the type of the access request is permitted in s2, the interface controller 12 executes a process based on the request (S3). Conversely, if it is determined in s2 that the type is not permitted, an error command is transmitted to the external device 2 that has transmitted the access request (s4).

 When completing the process of s3 or s4, the access control device 1 returns to s i and repeats the above process.

As described above, in the access control device 1 of this embodiment, the type of access to be permitted is set for each interface port, and when an access request of an unauthorized type is input, Reject the request . Therefore, settings can be made according to the properties of the external device 2 connected to the interface port. For example, if the interface port for connecting the external device 2 of the user who only downloads and uses the shared data stored on the hard disk 3 is set to allow only reading of the shared data, It is possible to prevent the shared data from being falsified or destroyed due to erroneous operation or intention of the user. As a result, the security of the shared data can be improved.

 In addition, since the above user only downloads and uses the shared data, there is no problem even if the rewriting, writing, or deleting of the shared data is prohibited.

 In addition, by providing an interface port such as interface port C that permits reading and writing of shared data, the shared data is presented to the user, and an impression of the presented shared data is obtained from the user. It is possible to correspond to a system such as However, as for the external device 2 connected to this interface port C, the request for access to the rewriting or deletion of the shared data is rejected, so the shared data is falsified by the user's erroneous operation or intentional operation. Or be destroyed.

 Furthermore, for an interface port that permits reading, rewriting, writing, and deleting shared data, such as an in-house display D, connect the external device 2 of the administrator who manages the shared data. I just need. This allows the administrator to manage the shared data stored in the hard disk 3 smoothly.

 Note that the security of the shared data can be further improved by performing authentication using a password when rewriting or deleting the shared data. Conversely, if the authentication using the password is eliminated, the workability when rewriting or deleting shared data can be improved.

The processing executed in s3 above is one of reading, changing, adding, and deleting shared data. Figure 4 is a flowchart showing the shared data read process It is. The interface controller 12 to which the access request has been input transfers a shared data read request to the cache controller 15 (s 11). This read request includes data for specifying the shared data to be read.

 The cache controller 15 determines whether or not the shared data (the corresponding shared data) requested by the transferred read request is stored in the cache memory 14 (s12). When the cache controller 15 determines that the shared data corresponding to the cache memory is stored in si 2, the interface controller 12 A to 12 D that transmitted the read request transmits the read request. , The completion of reading of the shared data is notified (si5). Conversely, if it is determined in s12 that the data is not stored in the cache memory, the device controller 17 is instructed to read the corresponding shared data (s13).

The device controller 17 instructed to read the shared data reads the corresponding shared data from the hard disks 3 a and 3 b connected to the access ports a and b, and writes the same to the cache memory 14. (Sl 4 As described above, the shared data is divided into blocks of a predetermined size, the odd-numbered data is stored in the hard disk 3 a connected to the access port a, and the hard disk 3 a is connected to the access port b. Even-numbered data is stored in the hard disk 3 b Shared data read from the hard disks 3 a and 3 b is temporarily stored in the FIFOs 16 a and 16 b. Retrieves the stored shared data from the FIFOs 16a and 16b alternately and writes them to the cache memory 14 in the order in which they were retrieved. The shared data that has been divided into blocks of a predetermined size and stored in 3b is integrated (creating an appropriate shared data.) In addition, the shared data is simultaneously transferred from the hard disks 3a and 3b. Since the evening is read, the time required to read the shared data stored on the hard disk 3 is about half as compared with the case where the shared data is stored on a single hard disk without being divided.

 When completing reading of the corresponding shared data, the device controller 17 notifies the cache controller 15 of the completion (s15).

 When the cache controller 15 is notified of the completion of reading the corresponding shared data from the device controller 17, the cache controller 15 transfers the read completion to the interface controller 12 which has transmitted the read request for the shared data this time. Yes (s16) Also, the cache controller 15 transfers the corresponding shared data stored in the cache memory 14 to the interface controller 12 (s17). The cache controller 15 sequentially reads out the corresponding shared data stored in the cache memory 14 in si 7 and records the same in FIFO 13. '

 The interface controller 12, to which the read completion of the shared data has been transferred from the cache controller 15, sequentially reads the shared data stored in the FIFO 13, and accesses the hard disk 3 this time (read the shared data). ), The shared data is output from the interface port to the external device 2 that has requested (S18).

 This allows the external device 2 connected to the interface port permitted to read the shared data to download and use the shared data.

Next, a process of rewriting shared data executed in s3 will be described. FIG. 5 is a flowchart showing a process of rewriting shared data. The interface controller 12 transfers the shared data rewrite request to the cache controller 15 (s21). This rewrite request includes data for specifying the shared data to be rewritten. The interface controller 12 transmits the shared data rewrite request from the external device 2 together with the request. (S22) The cache controller 15 secures an empty area in the cache memory 14 (s23), reads out the shared data to be rewritten from the FI FO 13, and It is stored in the free area secured here (s24). When the shared data to be rewritten is stored in the cache memory 14, the cache controller 15 instructs the device controller 17 to rewrite the shared data (s25). The controller 17 instructs the four hard disks 3a to 3d connected to the access ports a to d to rewrite the shared data (s26). Further, the device controller 17 reads out the corresponding ^ present data (shared data to be rewritten) stored in the cache memory 14 and writes the shared data divided into predetermined blocks into the FIFOs 16a and 16b. Go by. At this time, the device controller 17 writes the same data as the data written to the FIFO 16a to the FIFO 16c, and also writes the same data as the data written to the FIFO 16b to the FIFO 16b. Writing to 6 d.

 The hard disks 3a to 3d take in the shared data stored in the FIFO 16a to 6d, respectively, and rewrite the corresponding shared data (s27)

Next, the writing process of the shared data executed in s3 will be described. FIG. 6 is a flowchart showing the writing process of the shared data. The interface controller 12 to which the access request has been input transfers the write request of the shared data to the cache controller 15 (s31). This write request includes shared data to be written to the hard disk 3. In addition, the interface controller 12 sends an external ^ ^

The shared data written to the hard disk 3 sent from the external device 2 is written to FIF F13 (s32).

 The cache controller 15 secures an empty area in the cache memory 14 (s33), reads out the shared data to be written from the FIFO 13 and stores it in the empty area secured here (S34). When the cache controller 15 stores the shared data to be written in the cache memory 14, the cache controller 15 instructs the device controller 17 to write the shared data (s 35). Writes the shared data from the cache controller 15. The instructed device controller 17 instructs the four hard disks 3a to 3d connected to the access ports a to d to write shared data (s36). Also, the device controller 17 reads out the corresponding shared data (shared data to be written) stored in the cache memory 14 and divides the data into blocks of a predetermined size, thereby obtaining the odd-numbered blocks. Write the data to FIFO 16a and write the data of the even-numbered block to FIFO 16b. At this time, the device controller 17 writes the same data as the data written to the FIFO 16a to the FIFO 16c, and also writes the same data to the FIFO 16b as the data written to the FIFO 16b. The hard disks 3a to 3d that are writing to the fetch the shared data stored in the FIFOs 16a to 16d, respectively, and write the shared data corresponding to the empty area (s37).

 The time required to write this shared data is about half that of storing the shared data on a single hard disk without dividing it.

Further, a process of deleting shared data executed in s3 will be described. FIG. 7 is a flowchart showing the shared data deletion process. The interface controller 12 to which the access request is input is A request to delete the shared data is transferred to the roller 15 (s41). This deletion request includes data for specifying the shared data to be deleted. The cache controller 15 transfers the deletion request transmitted from the interface controller 12 to the device controller 17 ( s 4 2).

 The device controller 17 instructs the hard disks 3a to 3d to delete the shared data specified by the deletion request (S43). The hard disks 3a to 3d delete the specified shared data by making the storage area storing the shared data specified to be deleted this time free. The area set as the free area here (the area storing the deleted shared data) is used as the area for writing the shared data in the writing process.

 As described above, since the four hard disks 3 a to 3 d connected to the access ports a to d constitute the RAID level 0-1, it is possible to read, rewrite, and write shared data at high speed. . Also, even if any one of the hard disks 3a to 3d fails, the shared data stored on the failed hard disk is stored on another hard disk, so that the shared data is not lost. .

 In the above embodiment, the four hard disks 3 a to 3 d connected to the access ports a to d constitute the RAID level 0-1.However, the present invention is not limited to this, and the RAID level is different. Or RAID may not be configured.

Next, an embodiment will be described in which the data management devices 1 and 3 in which the access control device 1 and the hard disk 3 of the above embodiment are integrated are applied to a system for publishing shared data on the Internet. FIG. 8 is a diagram showing a configuration of a system according to this embodiment. Share via Internet 2 1 The personal terminal 2 A (external device 2 A) of the user who downloads the data is connected to the interface port A of the data management devices 1 and 3 that are permitted to read out the shared data only through the web server 23. ing. In addition, a management server device 24 of an administrator connected to the intranet 22 is connected to the interface port D permitted to read, rewrite, write, and delete the shared data. The management device 2D (external device 2D) operated by the administrator of the shared data is connected to the intranet 22 and accesses the data management devices 1 and 3 via the management server device 24.

 The user accesses the data management devices 1 and 3 via the internet 21 and the web server 23 and requests downloading (reading) of shared data. The request for access to the data management devices 1 and 3 output from the personal terminal 2 A operated by the user is input to the interface port A, so that the user downloads the shared data as described above. Can be used. On the other hand, rewriting, writing, and deleting of shared data are rejected even if the user requests the data management devices 1 and 3. Therefore, it is possible to prevent the shared data from being falsified or broken due to erroneous operation or intentional operation of a user connected via the Internet 21.

 In addition, the management device 2D for the administrator who manages the shared data includes an interface D (shared data) provided in the data management devices 1 and 3 via the intranet 22 and the management server device 24. Interface port that is allowed to read, rewrite, write, and delete. Therefore, the administrator can read, rewrite, write, and delete the shared data managed by the data management devices 1 and 3. Therefore, the administrator can manage the shared data smoothly.

Note that the administrator only needs to be able to read, rewrite, write, and delete shared data in any of the management devices 2D connected to the intranet 22. Also, if the interface port to which the personal terminal 2 A operated by the user is connected (the interface port to which the web server 23 is connected) is allowed to read and write shared data, From the user who downloaded the shared data, the impression of the downloaded shared data can be obtained as new shared data. As a result, it is possible to construct various systems such as a system in which a plurality of users connected to the data management device 13 via the Internet 21 Web server 23 interact with each other, and a system for conducting a questionnaire to users. it can. In addition, the personal terminal 2 of the user connected via the Internet 21 is not permitted to rewrite or delete the shared data. Can be prevented from being tampered with or destroyed. '

 As described above, the access control device 1 according to the present embodiment has a configuration in which the type of access to be permitted is set for each interface port to which the external device 2 is connected. In addition, the security of the shared data can be sufficiently ensured.

 Next, another embodiment of the present invention will be described.

 In the above embodiment, the type of access permitted to the hard disk 3a 3d is set for each interface port AD, but in this embodiment, the hard disk 3a connected to each access port ad is set. This is an embodiment in which the type of access permitted for 3d is set.

 Is

 ① For the hard disk 3 a connected to access port a, set to allow only reading of shared data.

(2) For the hard disk 3 b connected to the access port b, the settings are such that only the shared data can be rewritten. ③ For hard disk 3 c connected to access port c, set to allow only writing of shared data,

 (4) For hard disk 3 d connected to access port d, the setting shall be such that reading, rewriting, writing, and deletion of shared data are rejected.

 The hard disk 3c connected to the access port c is for backup of the hard disk 3a connected to the access port a. '

 FIG. 9 is a flowchart showing the operation of the access control device of this embodiment. Each of the interface controllers 12A to 12D waits for a request for access to the hard disk 3 connected to the access ports a to d to be input to the interface ports A to D (s51). . The access request input to the interface ports A to D is to read, rewrite, write, or delete shared data.

 The interface controller 12 determines whether the access request input to the connected interface port is reading, rewriting, writing, or deleting shared data (s52 to s 5 4). If it is determined that the data is to be read, the process of reading the shared data is executed for the hard disk 3a connected to the access port a (s55). If it is determined that rewriting is performed, rewriting processing of the shared data is executed for the hard disk 3b connected to the access port b (s56). Further, if it is determined that the data is to be written, the shared data is written to the hard disk 3c connected to the access port c (s57). On the other hand, if it is determined that the access is to be deleted (when it is determined that the access is not any of read, rewrite, and write), an error command is transmitted to the external device 2 that has transmitted the access request (s5). 8).

The processing of s55, s56, and s57 is substantially the same as the processing shown in FIGS. 4, 5, and 6, respectively, and thus detailed description is omitted here. Shared data The only difference is that reading, rewriting, and writing of data are performed on a single hard disk 3.

 As described above, according to the access control device 1 of this embodiment, the hard disk on which the shared data is rewritten or written is specified, so that the user is erroneously operated or intentionally falsified or destroyed. Even if the operation is performed, there is no problem because the shared data remains on the hard disk 3a. Even if the hard disk 3a fails, the shared data is backed up on the hard disk 3d, so that the shared data is not lost.

 Also, the configuration may be such that the type of access permitted to each hard disk 3 (hard disk 3 connected to each access port a to d) can be set for each of the interface ports A to D. For example, the type of access permitted to each hard disk 3 is set for each of the interface ports A to D using a table (see FIG. 10). This allows, for example,

 ① For interface port A,

 Permits only reading of shared data to hard disk 3a connected to access port a,

 Access ports b, c, d Disable all access to connected hard disks 3 b, 3 c, 3 d.

 ② For interface port B,

 Permits only reading of shared data to hard disk 3a connected to access port a,

 Permits only rewriting of shared data to hard disk 3 b connected to access port b,

 Permits only writing of shared data to hard disk 3c connected to access port c,

For all hard disks 3 d connected to access port d, Access is not allowed.

 ③ About the evening face C

 Only rewriting of shared data is allowed for hard disk 3a connected to access port a,

 Permits only writing and rewriting of shared data to hard disk 3 b connected to access port b,

 Permits only reading of shared data to the hard disk 3c connected to access port c,

 Disable all access to hard disk 3 d connected to access port d.

 About interface port D

 Permits writing of shared data only to hard disk 3a connected to access port a,

 Permits only reading of shared data to hard disk 3 b connected to access port b,

 Only rewriting of shared data is allowed for hard disk 3 c connected to access port c,

 Disable all access to hard disk 3 d connected to access port d.

 Thus, for each of the interface ports A to D, each access port a

The type of access allowed to the hard disk 3 connected to ~ d can be set. Thereby, the setting according to the property of the external device 2 connected to each of the interface ports A to D and the property of the hard disk 3 connected to each of the access ports a to d can be performed. Thereby, it is possible to cope with various systems, and it is possible to sufficiently secure the security of the shared data stored in the hard disk 3.

FIG. 11 shows an access control device according to still another embodiment of the present invention. FIG. 2 is a diagram illustrating a network system to which the present invention is applied.

 In the figure, an access control device 1 includes a plurality of (two in this embodiment) interface ports A and B to which server devices 6 (6A and 6B) are connected, and a hard disk 3 (3a to 3d) ( It has a plurality (four in this embodiment) of access ports a to d to which a storage device according to the present invention is connected. The hard disk 3 stores a chart of each patient.

 In the data storage device according to the present invention, the access control device 1 and the hard disks 3a to 3d are integrally configured.

 For interface port A, only reading of data (patient's chart) from hard disk 3 connected to access ports a to d is permitted, and new writing, rewriting (overwriting), and deletion of data to hard disk 3 are allowed. Is not allowed. The interface port B is a port that is only allowed to newly write data (patient's chart) to the hard disk 3 connected to the access points a to d. Reading, rewriting, or deleting is not allowed.

 The server device 6A connected to the interface port A is a server device that controls reading of data stored in the hard disk 3 connected to the access ports a to d. The server device 6B connected to the interface port B is a server device that controls new writing of data to the hard disks 3a to 3d connected to the access ports a to d. is there.

In addition, 4 shown in FIG. 11 is a network such as a LAN, and 5 is a terminal device such as a personal computer connected to the network 4. The terminal device 5 is an external device operated by a user who reads out and uses the chart stored in the hard disk 3. The terminal device 5 cannot be connected to both the server device 6A and the server device 6B at the same time, but can be selectively connected to either one of them. The user who operates the terminal device 5 is a hard disk Connect to the server 6A when reading the chart stored in the disk 3 and connect to the server 6B when writing the chart on the hard disk 3.

 In this embodiment, the terminal device 5 is connected to the interface port of the access control device 1 via the server devices 6A and 6B. However, the terminal device 5 is connected directly to the access control device 1 without passing through the server devices 6A and 6B. It may be configured to be connected to interface A and B.

 FIG. 12 is a diagram showing a configuration of an access control device according to an embodiment of the present invention. The access control device 1 includes a control unit 11 that controls the operation of the main unit, and an interface controller 12 (12A, 12B) that controls input and output for each of interface ports A and B to which the server devices 6A and 6B are connected. ), A FIFO 13 (13A, 13B) that temporarily stores data input and output for each interface port A and B, and a cache controller 15 that controls the cache memory 14. And FIF 016 (16 a to 16 d) for temporarily storing data input and output for each access port a to d to which the hard disk 3 is connected, and connected to each access port a to d And a device controller 17 for controlling the hard disk 3 (3a to 3d). The interface controller 12 controls connection with the server devices 6A and 6B by an interface such as an SCS I or an IDE. The device controller 17 controls reading and writing of data to and from the hard disk 3 connected to the access ports a to d.

 Hereinafter, the operation of the embodiment of the present invention will be described using a chart system to which the network system shown in FIG. 11 is applied as an example.

The hard disk 3 stores a medical record for each patient in a text file format. Each patient has an identification number. The medical record stored on the hard disk 3 is managed by a file name including the identification number of the patient (feature code according to the present invention) and the serial number of the medical record of the patient (quantity code according to the present invention). ing. Hard disk 3 The file name of the medical record stored in

 Patient identification number—serial number. T x t

 (See Figure 13). The patient identification number and serial number are separated by a “one”. Therefore, by using the identification number of a patient as a key, a medical record of a desired patient stored in the hard disk 3 can be searched. Further, when a plurality of medical records of a desired patient are stored in the hard disk 3, the latest medical record can be searched by the serial number. In this embodiment, the larger the serial number included in the file name, the newer the chart.

 First, the operation of the access control device 1 when the doctor operates the terminal device 5 to read the patient's chart stored in the hard disk 3 will be described with reference to FIG.

 The doctor operates the terminal device 5 and connects the terminal device 5 to the server device 6A. When the terminal device 5 is connected to the server device 6A, the doctor sends a chart reading request stored in the hard disk 3 to the server device 6A.

. The server device 6A transfers the request transmitted from the terminal device 5 to the interface port A of the access control device 1.

 In this embodiment, when a request for access to the hard disk 3 is made from the terminal device 5 via the network 4, the server device 6 A transmits the type of this access request (reading a chart, newly writing, rewriting, deleting, etc.). ) Regardless of, the request is transferred to the access control device 1.

When a request for access to the hard disk 3 is input to the interface port A (S60), the interface controller 12A determines whether the request is a chart reading request (s61). If the interface controller 12A determines in s61 that the request is not a chart reading request (if it is a request related to new writing, rewriting, or deletion of the chart), the access controller 12A of this time accesses the hard disk 3 this time. Ignore the request and end this process As described above, if the access request to the hard disk 3 input to the interface port A is a request other than the chart reading request, the access control device 1 ignores the request.

 The server 6A determines whether the request for access to the hard disk 3 is a chart reading request. When the server 6A determines that the request is other than a chart reading request, the server 6A interprets the request. It may be configured not to transfer to one spot A.

 If the interface controller 12A determines that the request is for reading a medical record in s21, the interface controller 12A sends the request for reading the medical record input to the interface A this time via the cache controller 15. The data is transferred to the device controller 17 (s62). The request for reading the medical chart transferred to the device controller 17 in s22 includes the identification number ^ of the patient whose medical chart is to be read.The device controller 17 requests the reading of the medical chart transferred in s62. Searching for the hard disk 3 a to 3 d connected to the access ports a to d using the identification number contained in the key (s 63), and reading out the patient's chart (s 64) . At this time, the device controller 17 searches the medical record of the corresponding patient stored in the hard disk 3 using the identification number included in the read request, and further searches for the file name in the medical record searched here. Read out the chart with the highest serial number, ie, the latest chart for the patient identified by the identification number.

 The medical records read from the hard disks 3 a to 3 d at s 64 are written to the cache memory 14. When the reading of the chart at s63 is completed (s65), the device controller 17 notifies the cache controller 15 of the completion (s66).

Cache controller 15 When the completion of reading the chart is notified, the completion of reading the chart is transferred to the interface controller 12A (s67). Further, the cache controller 15 transfers the corresponding chart stored in the cache memory 14 to the interface controller 12A (s68). The cache controller 15 sequentially reads out the corresponding medical records stored in the cache memory 14 at s68 and records them in the FIFO 13A.

 The interface controller 12A to which the completion of reading the chart has been transferred from the cache controller 15 reads the chart stored in the FIFO 13A in order, and reads the chart connected to the interface port A. Output to the device 6A (s69).

 The server device 6A transmits, via the network 4, the chart transmitted from the access control device 1 to the terminal device 5 which has transmitted the request for reading the chart this time. '

 Therefore, the user transmits the request for reading the chart stored in the hard disks 3 a to 3 d to the server device 6 A connected via the network 4 on the terminal device 5, thereby including the request in the read request. The latest medical record of the patient identified by the identification number can be obtained. Therefore, the doctor can easily confirm the latest medical record of any patient with the terminal device 5.

Next, an operation of the access control device 1 when newly writing a medical chart of a patient who has completed a medical practice on the hard disks 3a to 3d will be described with reference to FIG. When the current medical practice for the patient is completed, the doctor adds the contents of the current medical practice to the patient's medical record read out earlier on the terminal device 5. As mentioned above, since the medical record is a text file, the contents of this medical practice can be added to the medical record with simple operations. When the doctor creates a medical record with the contents of the current medical practice added, he connects the terminal device 5 to the server device 6B and sends a request to write the medical record to the hard disk 3. This writing request includes the chart and patient to which the content of this medical practice was added. ID number is included.

 The server device 6B transfers the request transmitted from the terminal device 5 to the interface port B of the access control device 1.

 In this embodiment, when a request for access to the hard disk 3 is made from the terminal device 5 via the network 4, the server device 6 B transmits the type of the access request (data read, new write, rewrite, delete ) Regardless of, the request is transferred to the access control device 1.

 When a request for access to the hard disk 3 is input to the interface port B (S70), the interface controller 12B determines whether the request is a new medical record write request (S71). ). If the interface controller 1 2 B determines in s 71 that the request is not a new medical record write request (if it is a request related to reading, rewriting, or deleting a medical record), it requests access to the hard disk 3 this time. Is ignored and this process ends.

 As described above, the access control device 1 ignores the request for access to the hard disk 3 input to the interface port B if the request is other than a request to newly write a chart.

 The server 6B determines whether or not the request for access to the hard disk 3 is a chart writing request. When the server 6B determines that the request is other than a new writing request, the request is determined. May not be forwarded to interface port B.

When the interface controller 12B determines in S31 that the request is a new chart writing request, the new chart writing request input to the interface port B is decompiled via the cache controller 15 this time. The data is transferred to the controller 17 (S72). At this time, the interface controller 12B sequentially writes the medical record, to which the contents of the current medical action input to the interface port B are added, into the FIFO 13B. Cash co The controller 15 sequentially reads out the medical record written in the FIFO 13 B and writes it in the empty area secured in the cache memory 14.

 The device controller 17 to which the new medical record write request has been transferred from the cache controller 15 searches the hard disks 3a to 3d using the patient identification number included in the new write request as a key. This time, the file names of the medical records to be stored in the hard disks 3a to 3d are determined (s73). Specifically, the file name including the identification number included in the write request is searched for the medical records stored on the hard disks 3a to 3d, and further included in the file name in the searched medical records. Determine the maximum value of the serial number. The device controller 17 determines the serial number of the file name of the chart to be stored this time to a value obtained by incrementing the maximum value determined here by one.

 The identification number included in the file name is the identification number of the patient included in the write request.

 When the device controller 17 determines the file name of the medical record to be written to the hard disk 3a to 3 in s73, the device controller 17 writes the medical record in which the contents of this medical practice are added to the free space of the hard disk 3a to 3d (s 7 4). At this time, the device controller 17 sequentially reads out the corresponding charts written in the cache memory 14 and sends them to the access ports a to d to which the hard disks 3 a to 3 d for storing the charts are connected. Write to the connected FIFO16. The hard disk 3 stores the charts sequentially read from FIF〇16 in the free space of the hard disks 3a to 3d.

In this manner, the terminal device 5 can newly write the patient's medical record on the hard disks 3.a to 3d. That is, the patient's chart is read first, and a new medical action content is added to the chart. In this embodiment, when newly writing a medical record on the hard disk 3a to 3d, the patient's medical record stored on the hard disk 3a to 3d is written. Will not be deleted or overwritten (rewritten) on the patient's medical record that has been stored, so even if a doctor mistakenly operates the terminal device 5, the medical record already stored on the hard disks 3a to 3d will be destroyed. Never. In addition, the charts stored on the hard disks 3a to 3d cannot be deleted or rewritten, and the charts stored on the hard disks 3a to 3d are falsified by unauthorized access by malicious parties. Can be prevented from being deleted or deleted.

 Further, the access control device 1 can read out the latest medical record of the patient from the medical records stored in the hard disks 3a to 3d by using the identification number of the patient as a key when reading the medical record. At the time of writing the medical record, the file name of the medical record to be written to the hard disks 3a to 3d is automatically determined using the identification number of the patient, so that the operability of the doctor at the terminal device 5 is not reduced. '

In addition, since the doctor operating the terminal device 5 selects the server device 6 A or 6 B to be connected while being aware of the operation to be performed, the data is stored in the hard disks 3 a to 3 d. When reading a medical record, it is connected to the server device 6A, and when writing a medical record on the hard disks 3a to 3d, it is connected to the server device 6B.) The frequency of erroneous operations by doctors can be reduced. However, even if a doctor makes an erroneous operation, it is possible to prevent the rewriting or deletion of the chart stored in the hard disks 3a to 3d as described above. The medical records stored on the hard disks 3a to 3d can be sufficiently protected. Also, a doctor's access to a medical record usually means reading out the medical record and adding and writing the contents of the medical practice, so if the terminal 5 performs an access operation to the medical record (for example, an operation of a medical charter), It is also possible to program so that it is automatically connected to the server device 6A to be in the read state, and then, when the chart button is operated again, it is automatically connected to the server device 6B and becomes the write state. is there. ^

In addition, since all the medical records are stored in the hard disks 3a to 3d as the update history of the medical records for each patient, even if the medical records have been tampered with, it can be determined whether or not the medical records have been tampered with.

 In the above embodiment, the interface port A is only allowed to read the chart, and the interface port B is only allowed to write a new chart. However, both the interface ports A and B are used to read the chart and to write a new chart. It may be configured to allow both and ignore requests (rewrite, delete, etc.) other than read and write. In this case, when a request for access to the hard disk 3 is input to the interface A or B, the access control device 1 determines whether the access request is for reading a chart or for newly writing a chart. It is determined whether it is other than reading and new writing of the medical chart, and if the reading of the medical chart is performed, the above-described processing of s 62 and above is performed. It may be configured so that it is ignored unless it is other than the 'reading of a medical record' and new writing.

 In the above embodiment, the medical records are stored in the hard disk 3a to 3d in a text file format. However, the medical records may be stored in a print image format or in another file format. Further, the present invention can be applied to a network system other than the above chart system.

 In the above embodiment, the entire medical chart is rewritten when writing the medical chart. However, the content added by the doctor (the current medical treatment by the doctor) is additionally recorded (appended) to the patient's medical chart. Is also good. In this way, the storage capacity of the hard disks 3a to 3d required to store the patient's chart can be reduced.

In the above embodiment, the medical records stored in the hard disks 3a to 3d cannot be rewritten or deleted. However, a password may be given to an administrator or the like to enable the deletion. In this way, unnecessary medical records stored on the hard disks 3a to 3d can be removed, oo

The storage capacity of the hard disks 3a to 3d required for storing the patient's chart can be reduced. However, in this case, it is preferable that rewriting cannot be performed.

 As described above, according to the present invention, it is possible to prevent data stored in the storage device from being falsified, broken, or deleted due to a user's erroneous operation, intentional operation, or unauthorized access. it can. Thereby, the security of the data stored in the storage device can be improved. Industrial applications

 INDUSTRIAL APPLICABILITY The present invention is applied to a device that prevents illegal tampering with medical records in which a patient's medical history and medical activities are recorded, hacks to servers connected to LAN and the Internet, and illegally writes by cracking. Can be.

Claims

The scope of the claims (1) A plurality of interface ports to which external devices are connected, an access port to which a storage device for storing data is connected, and an access permitted to the storage device for each of the interface ports When a request for access to the storage device is input to any of the interface ports, the execution of the input access request is performed based on the type of access permitted to the interface port. An access control device comprising: a control unit that determines whether or not the access is possible.  (2) A plurality of the above access ports are provided,  2. The access control device according to claim 1, wherein the control unit divides and stores data in a plurality of storage devices connected to different access ports.  (3) Provide a plurality of the above access ports,  2. The access control device according to claim 1, wherein the control unit causes the same data to be stored in a plurality of storage devices connected to different access ports.  (4) The access control device according to claim 1,  A data management device comprising: a storage device connected to the access port; (5) an interface port to which an external device is connected; A plurality of access ports to which a storage device for storing data is connected, and a type of access permitted for the connected storage device are set for each of the access ports, and the access device is connected to any one of the access ports. When a request for access to the storage device is input to the interface port, the input is performed based on the type of access permitted to the access port to which the storage device requested to access is connected. And a control unit for determining whether the requested access request can be executed. Control device.  (6) A plurality of interface ports to which external devices are connected, a plurality of access ports to which a storage device for storing data is connected, and an access permitted for each storage device for each of the above interface ports. When a request for access to the storage device is input to any of the interface ports, based on the type of access permitted from the interface port to the access port, A control unit that determines whether the input access request can be executed or not;  (7) An interface port to which an external device is connected,  An access port to which a storage device is connected;  The type of access permitted to the storage device connected to the access port is set to data reading and new writing, and a request for access to the storage device input to the interface port is a data request. A control unit that executes the input access request regardless of whether the data file is read or newly written, and ignores the input access request if the request is not a data file read or new write. An access control device comprising:  (8) a plurality of interface ports to which external devices are connected, an access port to which a storage device is connected, For each of the interface ports, the type of access permitted to the storage device connected to the access port is set to one of data reading and new writing, and data reading is permitted. If the request for access to the storage device input to the interface port is a data read, the input access request is executed; if the request is other than data read, the input access request is ignored, Further, if the request for access to the storage device input to the interface port that has permitted the new writing of data is a new writing of data, the input access request is executed, An access control device comprising: a control unit that ignores an input access request if the request is not a new write of data.  (9) For the data newly written in the storage device, the control unit includes: a feature code indicating the feature of the data; a number code indicating the number of data having the same feature code at that time; 2. The access control device according to claim 1, wherein a file name including:  (10) The access control device according to claim 1,  A storage device connected to the access port of the access control device.  (11) A plurality of interface ports for inputting a medical record read request or a new write request from a terminal device operated by a doctor,  An access port to which a storage device storing medical record data is connected;  For each interface port, the type of access permitted to the storage device connected to the access port is set to one of data reading and new writing, and the type of access permitted for data reading is set. If the access request to the storage device input to the interface port is a data read request, the input access request is executed. If the request is other than data read, the input access request is input. Is ignored, and new writing of data is permitted. If the access request to the storage device input to the interface port is a new writing of data, the input access request is executed. And a control unit for ignoring the input access request if the request is other than a new write request overnight.