
WO2008032405A1 - Information management device and program - Google Patents

Information management device and program

Info

Publication number
WO2008032405A1
WO2008032405A1 PCT/JP2006/318401 JP2006318401W WO2008032405A1 WO 2008032405 A1 WO2008032405 A1 WO 2008032405A1 JP 2006318401 W JP2006318401 W JP 2006318401W WO 2008032405 A1 WO2008032405 A1 WO 2008032405A1
Authority
WO
WIPO (PCT)
Prior art keywords
identification information
user
installation environment
information
work group
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2006/318401
Other languages
English (en)
Japanese (ja)
Inventor
Noboru Yamada
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujitsu Ltd
Original Assignee
Fujitsu Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fujitsu Ltd
Priority to PCT/JP2006/318401
Publication of WO2008032405A1
Legal status: Ceased


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35 User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly

Definitions

  • The present invention relates to an information management program and an information processing apparatus, and in particular to an information management program and an information processing apparatus for acquiring user identification information from a wireless communication device that holds user identification information and restricting use according to the acquired user identification information.
  • a user authentication is performed to restrict users who access information in the information processing system.
  • The most widespread form of user authentication is a method in which a user inputs an ID and a password, and whether or not the user may use the system is determined from their authenticity.
  • user authentication using RFID (Radio Frequency Identification System), which is contactless wireless communication, is being introduced to ensure security and reduce user burden.
  • FIG. 17 is a diagram showing an outline of a conventional authentication system using RFID. The figure shows user authentication applied to a personal computer (PC).
  • The PC 910 with a built-in RFID receiver has an RFID reader (receiver) 911 that reads information recorded in the RFID tag, and user authentication means 912 that authenticates users based on the information read by the RFID reader 911.
  • the user 921 has an RFID tag 922 that records its identification information (user ID).
  • the RFID reader 911 causes the user ID recorded in the RFID tag 922 to be read.
  • the RFID reader 911 performs wireless communication to read the user ID and sends it to the user authentication unit 912.
  • User authentication means 912 authenticates the user using the acquired user ID. Once authenticated, use is permitted and access to the information stored inside is possible.
  • Patent Document 1 Japanese Patent Laid-Open No. 2003-317044
  • The present invention has been made in view of these points, and its objective is to provide an information management program and an information processing apparatus capable of limiting the user's available range according to the surrounding environment.
  • the present invention provides an information management program for causing a computer to execute the processing shown in FIG.
  • the information management program according to the present invention is applied to the information processing apparatus 1 and can cause a computer to execute the following processing.
  • The information processing apparatus 1 has communication means 1a functioning as a receiver, work group ID storage means 1b for storing work group identification information for identifying work group members, installation environment identification means 1c for identifying the installation environment of the information processing apparatus 1, and use restriction means 1d for restricting the use of users.
  • The communication means 1a performs wireless communication with the wireless communication devices 2a, 2b, 2c, 2d that exist within the communicable range and hold predetermined identification information for identifying a user or a device, and collects the identification information of each.
  • The work group ID storage means 1b stores work group identification information in which identification information for identifying work group members, including users or devices existing in a safe area where a predetermined work is permitted, is registered.
  • The installation environment identification means 1c compares the identification information collected by the communication means 1a with the work group identification information stored in the work group ID storage means 1b to identify whether or not the installation environment of the information processing apparatus 1 is safe.
  • The use restriction means 1d restricts the use of the user according to the installation environment of the information processing apparatus 1 identified by the installation environment identification means 1c.
  • The work group ID storage means 1b stores work group identification information in which identification information of work group members existing in a safe area where a predetermined work is permitted is registered.
  • The information processing apparatus 1 uses the communication means 1a to collect the identification information (the user IDs in the figure) of the wireless communication devices (in the figure, the wireless communication devices 2a, 2b, 2c, 2d) that are within the communicable range.
  • the wireless communication device 2a performs a predetermined work using the information processing device 1
  • The installation environment identification means 1c reads out the work group identification information from the work group ID storage means 1b and collates it with the identification information collected by the communication means 1a.
  • The use restriction means 1d limits the usage that can be performed by the user.
  • An information processing apparatus that acquires user identification information from a wireless communication device that holds the user identification information and restricts use according to the acquired user identification information, characterized by having: communication means for collecting identification information through wireless communication with a wireless communication device that exists within a communicable range and holds predetermined identification information for identifying a user or a device; work group identification information storage means for storing work group identification information in which the identification information of work group members, including users or devices existing in a safe area where a predetermined work is permitted, is registered; installation environment identification means for identifying whether the installation environment is safe by reading the work group identification information related to the desired work from the work group identification information storage means and collating it with the identification information collected by the communication means; and use restriction means for restricting the use of a user according to the installation environment identified by the installation environment identification means.
  • identification information is collected from the radio communication device existing in the communicable range by the communication means.
  • The installation environment identification means reads the work group identification information related to the work desired by the user from the work group identification information storage means, compares it with the collected identification information, and identifies whether the installation environment of the information processing apparatus is safe.
  • the use restriction means restricts the use of the user according to the identified installation environment.
  • The information processing apparatus stores work group identification information in which identification information of work group members, including users or devices that exist in a safe area where a predetermined work is permitted, is registered.
  • surrounding identification information is collected and collated with work group identification information to identify whether the installation environment of the information processing device is within the safe area. Then, the user's usage is restricted according to the identification result.
  • FIG. 1 is a conceptual diagram of an invention applied to an embodiment.
  • FIG. 2 is a block diagram showing a configuration of a PC security system and a hardware configuration example of a PC according to the present embodiment.
  • FIG. 3 is a diagram showing an example of the configuration of the PC security system according to the embodiment of the present invention.
  • FIG. 4 is a diagram showing an example of registration information (administrator information and file protection information) according to the embodiment of the present invention.
  • FIG. 5 is a diagram showing an example of registration information (input information necessary for operation) according to the embodiment of the present invention.
  • FIG. 6 is a flowchart showing a procedure of the same work group ID candidate collection process in the registration unit of the embodiment of the present invention.
  • FIG. 7 is a diagram showing an authentication process at the time of login in the PC according to the embodiment of the present invention.
  • FIG. 8 is a diagram showing a login authentication process when an ID card is forgotten in the PC according to the embodiment of the present invention.
  • FIG. 9 is a diagram showing processing when login authentication is not permitted in the PC according to the embodiment of the present invention.
  • FIG. 10 is a diagram showing a process for restricting the use of a file with file access restrictions according to the embodiment of the present invention.
  • FIG. 11 is a diagram showing use restriction processing (if not permitted) of a file with file access restriction according to the embodiment of the present invention.
  • FIG. 12 File with restricted file access (requires multiple IDs) according to the embodiment of the present invention
  • FIG. 13 is a flowchart showing a procedure of file/folder access control processing in the embodiment of the present invention.
  • FIG. 14 is a diagram showing a first stage processing procedure in the installation environment diagnosis according to the embodiment of the present invention.
  • FIG. 15 is a diagram showing a processing procedure of a second stage in the installation environment diagnosis according to the embodiment of the present invention.
  • FIG. 16 is a diagram showing an example of another embodiment of the present invention.
  • FIG. 17 is a diagram showing an outline of a conventional authentication system using RFID.
  • FIG. 1 is a conceptual diagram of the invention applied to the embodiment.
  • The information management system includes wireless communication devices 2a, 2b, 2c, and 2d, which hold user identification information (hereinafter referred to as user ID) and have a wireless communication function that transmits the held user ID in response to a request, and an information processing apparatus 1 that collects user IDs and restricts the use of the users based on the collected user IDs.
  • the wireless communication devices 2a, 2b, 2c, 2d are RFID tags mounted on an ID card or the like carried by each user.
  • a user ID stored in the internal memory is transmitted.
  • the wireless communication devices 2a, 2b, 2c, and 2d may be information terminal devices or PCs that are carried by the user with the power of the user's ID card.
  • the internal memory may hold the device ID.
  • user and device identification information is collectively referred to as user ID.
  • the user ID forms the same work group 3 for each member (including users and devices) of the work group that performs a predetermined work.
  • The user IDs of the members belonging to this same work group 3 are stored as work group identification information in the work group ID storage means 1b of the information processing apparatus 1.
  • The information processing apparatus 1 has communication means (receiver) 1a that communicates with the wireless communication devices 2a, 2b, 2c, 2d, work group ID storage means 1b for storing the work group ID of the same work group 3, installation environment identification means 1c for checking the installation environment, use restriction means 1d for restricting the use of the user according to the surrounding environment, and a protection information database (hereinafter referred to as DB) 1e that stores protection information.
  • The communication means (receiver) 1a performs wireless communication with the wireless communication devices 2a, 2b, 2c, and 2d that store user IDs, at a predetermined cycle or when requested by other processing means, and collects the user ID that each stores.
  • The work group ID storage means 1b is storage means for storing work group identification information (hereinafter referred to as a work group ID) in which the user IDs of work group members, including users or devices existing in a safe area where a predetermined work is permitted, are registered. For example, if the work is done at your own seat in the company, colleagues in the surrounding seats can be set as the same work group. In other words, if the user IDs of colleagues who should be in the surrounding seats can be collected, the user can be regarded as working in the company's own seat.
  • In the work group ID storage means 1b, a certain area where the information processing apparatus 1 is used is set as a safe area, and the user IDs of colleagues and devices in the safe area are registered as work group IDs.
  • a group of registered work group members is referred to as the same work group.
  • The user ID of the wireless communication device 2a, the user ID of the wireless communication device 2b, the user ID of the wireless communication device 2c, and the user ID of the wireless communication device 2d are registered in the work group ID and stored in the work group ID storage means 1b.
  • The installation environment identification means 1c reads the work group ID of the work group members stored in the work group ID storage means 1b and compares it with the surrounding user IDs collected by the communication means 1a. The collation result identifies whether the environment in which the information processing apparatus 1 is installed is in the safe area. If multiple work group IDs are registered, the number of user IDs matching the work group IDs at or above which the environment is considered a safe area may be set.
  • The use restriction means 1d restricts the use of the user based on the installation environment identified by the installation environment identification means 1c. Use includes logging in to the information processing apparatus 1, entering a specified operation, and accessing the protection information DB 1e, and usage restrictions are considered for each. At login, the user ID of the user obtained through the communication means 1a is confirmed, and if the installation environment identification means 1c confirms that the installation environment is within the safe area, the login is permitted. In addition, after the login is approved, depending on the contents of the work, the installation environment is checked by the installation environment identification means 1c at the time of the work request, and the work is permitted only when it is identified as a safe area. At this time, more detailed conditions may be set.
  • For example, conditions are set according to importance: access to a certain file is possible only if the user IDs of specific members of the same work group 3 are collected, while other files can be accessed if the user IDs of any two people in the same work group are collected. The work is permitted when the set conditions are met. When such conditions are set, if there are members of the same work group 3 in the surrounding area, it is regarded as a safe area and general work is allowed. However, if a user ID of a specific member is required, the operation is not permitted unless the user ID of that member is collected. In this way, user use can be restricted as necessary.
  • User authentication may be substituted by entering a password or the like if the installation environment is identified as a safe area by the installation environment identification means 1c. Even if the user ID of the user cannot be confirmed, there are members of the same work group 3 around it, so safety can be confirmed from the installation environment. In this way, even if the user forgets the ID tag, the robustness of the authentication can be maintained by confirming the safety based on the installation environment.
  • The use restriction means 1d activates the installation environment identification means 1c at a fixed period to confirm the safety of the installation environment. If the installation environment identification means 1c continues to identify the installation environment as unsafe for a certain period of time, protection processing to prevent leakage of protected information that must be kept confidential is executed.
  • In the work group ID storage means 1b, the user IDs of predetermined work group members are registered in the work group ID and stored.
  • The communication means 1a collects user IDs from the wireless communication devices 2a, 2b, 2c, 2d and sends them to the installation environment identification means 1c.
  • The installation environment identification means 1c collates the collected user IDs with the user IDs registered in the work group ID stored in the work group ID storage means 1b. Here, if even one collected user ID matches, the environment is identified as a safe area.
  • The use restriction means 1d obtains the user ID of the user through the communication means 1a and confirms the user, and has the installation environment identification means 1c check the installation environment. If the user ID is confirmed and the installation environment is identified as safe, login is permitted. If the installation environment is safe, authentication using a password can be used.
  • The use restriction means 1d has the installation environment identification means 1c check the safe area and, when more detailed environmental conditions are set, checks those environmental conditions. When these conditions are met, the operation is permitted. If the environment is not identified as a safe area, the conditions are not checked and access is denied immediately.
  • If the installation environment identification means 1c identifies that the installation environment is not safe for a certain period of time, it may be considered that the information processing apparatus 1 is installed outside the safe area, and some kind of maintenance measure can be taken.
  • In this way, user IDs are used to identify whether or not the surrounding environment is a safe area that satisfies a preset condition. Then, if it is identified that the information processing apparatus 1 is installed outside the safe area, its use is restricted. Furthermore, if the condition outside the safe area continues for a certain period of time, it may be possible to take maintenance measures such as deleting the information to be protected.
  • FIG. 2 is a block diagram showing the configuration of the PC security system and a hardware configuration example of the PC in this embodiment.
  • The PC security system includes an ID card 20 in which a user ID is recorded, and a PC 10 that reads the ID and performs security management.
  • the entire PC 10 is controlled by a CPU (Central Processing Unit) 101.
  • A random access memory (RAM) 102, a hard disk drive (HDD) 103, a graphic processing device 104, an input interface 105, a communication interface 106, and an RFID interface 107 are connected to the CPU 101 via a bus 108.
  • The RAM 102 temporarily stores at least part of the OS (Operating System) program and application programs to be executed by the CPU 101.
  • the RAM 102 stores various data necessary for processing by the CPU 101.
  • the HDD 103 stores the OS and application programs.
  • a monitor 110 is connected to the graphic processing device 104, and an image is displayed on the screen of the monitor 110 in accordance with a command from the CPU 101.
  • a keyboard 111 and a mouse 112 are connected to the input interface 105, and signals sent from the keyboard 111 and the mouse 112 are transmitted to the CPU 101 via the bus 108.
  • the communication interface 106 is connected to a network 109 and transmits / receives data to / from other devices via the network 109.
  • The RFID interface 107 controls the RFID reader 11, which performs wireless communication with the RFID tag 200 and reads the user information recorded in the RFID tag, and sends the read ID to the CPU 101 via the bus 108.
  • the RFID tag 200 includes a memory 201 that records an ID, a control unit 202 that performs read control, and a communication processing unit 203.
  • the communication processing unit 203 receives a read signal from the RFID reader 11, it transmits a read request to the control unit 202.
  • the control unit 202 reads the ID stored in the memory 201 and returns the ID to the RFID reader 11 via the communication processing unit 203.
  • FIG. 3 is a diagram showing an example of the configuration of the PC security system according to the embodiment of the present invention.
  • the figure shows an example of the software configuration of the PC 10 and an example of a neighboring person holding an ID card.
  • The PC security system includes a PC 10 that reads IDs and manages internal protection information, and ID cards 20, 21, 22, 23, 24, 25, 26, 27 that transmit the held ID in response to a request.
  • the PC 10 includes an RFID reader 11, a registration unit 12, an installation environment identification unit 13, a use restriction unit 14, and a protection information DB 16.
  • the RFID reader (receiver) 11 performs wireless communication with the RFID tag 200 in the communicable area and collects IDs held by the RFID tag 200.
  • the registration unit 12 determines a work group member, and generates the same work group ID 15 in which an ID for identifying the work group member is registered.
  • the surrounding ID is collected by the RFID reader 11, and the collected ID is provided as a work group member candidate to the registered user.
  • the user corrects this and a final identical work group ID 15 is generated.
  • the condition setting for permitting the operation request and the protection processing method for the protection target information stored in the protection information DB 16 are also set.
  • The installation environment identification unit 13 compares the surrounding IDs collected by the RFID reader 11 with the same work group ID 15 to identify whether the installation environment is safe. The identification result is notified to the use restriction unit 14 together with the detected IDs.
  • the usage restriction unit 14 activates the installation environment identification unit 13 to check the installation environment when logging in by the user, when requesting an operation from the user, and during periodic installation environment diagnosis. Limit the use of users accordingly. At this time, the same work group ID 15 is referenced as necessary. Details will be described later.
  • the same work group ID 15 stores the same work group ID registered in the same work group.
  • the protection information DB 16 stores the information to be protected that must be prevented from being leaked.
  • The ID card 20 stores the ID (ID: A) of the user A who uses the PC 10, as shown in FIG. 3, and is configured to transmit the held ID in response to a read request.
  • the other ID cards 21, 22, 23, 24, 25, 26, 27 have the same configuration.
  • User A forms the same work group 3 with colleague B holding ID card (ID: B) 21, colleague C holding ID card (ID: C) 22, and colleague D holding ID card (ID: D) 23.
  • the registration unit 12 is activated, and the same work group ID 15 in which members belonging to the same work group 3 are registered is generated.
  • the conditions for accepting operation requests and the protection processing method related to protection target information are also set.
  • The usage restriction unit 14 checks the ID read from the user's ID card and the installation environment, and if authenticated, permits the login. Even if the user does not hold an ID card, if members of the same work group 3 can be confirmed, the user may be authenticated by an authentication method such as a password.
  • the setting of the condition for allowing the operation request set in advance is checked together with the confirmation of the installation environment. If the installation environment is confirmed to be safe and it meets the conditions allowing the operation request, the operation request is permitted. If it is specified that confirmation is not required, including confirmation of the installation environment, the operation request is allowed unconditionally.
  • The use restriction unit 14 also periodically activates the installation environment identification unit 13 to check the installation environment. If the installation environment identification unit 13 continues to identify the environment as unsafe for a certain period of time, the protection process determined by the registration process is performed. The protection process is, for example, divided into two stages. If the same work group ID is not detected and this state continues for the setting time of the first stage, access to the protection information DB 16 is prohibited. If an access request is entered, the access request is disallowed. If a certain amount of time has passed since the completion of the first stage, the information stored in the protection information DB 16 is deleted as the second stage, for example by overwriting it with other data so that the original information cannot be read.
  • The protection information is automatically deleted if the PC 10 has been outside the safe area for a certain period of time, so it is possible to ensure a higher level of security.
  • the administrator is registered, the operation process is registered when the PC is lost or stolen, the necessary conditions for authorizing the operation request are registered, and the ID of the same work group is registered.
  • FIG. 4 is a diagram showing an example of registration information (administrator information and file protection information) according to the embodiment of the present invention.
  • an ID of an administrator who performs PC security management is registered as administrator information.
  • the ID of administrator G24 is registered.
  • “File deletion start time” is set to “8 hours later”
  • “File deletion target” is set to “File1, File2, File3, File4, ...”. That is, it is stipulated that “File1, File2, File3, File4, ...” should be “deleted” if the state identified as unsafe by the installation environment identification unit 13 continues for “8 hours”.
  • FIG. 5 is a diagram showing an example of registration information (input information necessary for operation) according to the embodiment of the present invention.
  • The figure shows which of an RFID tag (ID information read from the RFID tag), an ID (information input from a keyboard or the like), or a password (information input from a keyboard or the like) is needed in response to an operation request from user A.
  • Usage authentication 403 registers that “user A ID (keyboard input)” and “user A password” are required as user authentication requirements. If the ID can be read from the RFID tag of user A, the usage authentication 403 is not referred to.
  • In file access 406, the necessary conditions for permitting access to a file are registered in units of each file or of a group of files (folder) in which files are collected.
  • File B access requires “colleague B RFID tag”.
  • File C access requires “colleague C RFID tag”.
  • Folder D access requires “colleague D RFID tag”.
  • Access to folder E requires “RFID tags of at least three of the members (user A, colleagues B, C, D) of the same work group 3”.
  • Access to folder F requires “RFID tags of all members of the same work group 3 (user A, colleagues B, C, D)”.
  • the RFID reader 11 is used to collect surrounding IDs and display a list on the monitor 110 to reduce the registration burden.
  • FIG. 6 is a flowchart showing the procedure of the same work group ID candidate collection process in the registration unit according to the present embodiment.
  • Step S11 The collection time is set. When collecting candidates for the same work group ID, collection is repeated for a predetermined collection time. IDs collected during the collection time are candidates for the same work group ID.
  • Step S12 The RFID reader 11 is activated at regular intervals, and RFID tags existing in a certain range (the communication range of the RFID reader 11) are read.
  • Step S13 Time is measured to determine whether the collection time set in step S11 has been exceeded. If it exceeds, the process is terminated.
  • Step S14 It is determined whether or not the RFID reader 11 detects the ID information of an RFID tag. If not, the process returns to step S12 and waits for the next collection cycle.
  • Step S15 When the RFID reader 11 detects the ID information of an RFID tag, the collected tag information is stored in the temporary storage memory.
  • The IDs detected within the collection time are stored in the temporary storage memory.
  • the ID stored in the temporary storage memory becomes the same work group ID candidate.
  • User A confirming the list on monitor 110 edits the same work group ID, and deletes the IDs of business traveler E and business traveler F who do not belong to the same work group 3. Also, the ID of colleague D who has not been collected is registered. As a result, four users, User A, Colleague B, Colleague C, and Colleague D, are registered in the same work group ID15.
  • the usage restriction process executed by the usage restriction unit 14 includes usage restrictions based on user authentication at login, usage restrictions at the time of operation requests, and usage restrictions according to periodic installation environment diagnosis.
  • FIG. 7 is a diagram showing authentication processing at the time of login in the PC according to the embodiment of the present invention.
  • the use restriction unit 14 activates the installation environment identification unit 13 to identify the installation environment.
  • the installation environment identification unit 13 activates the RFID reader 11 to collect IDs.
  • the RFID reader 11 collects IDs from RFID tag B201 of colleague B and RFID tag C202 of colleague C along with information on RFID tag A200 of user A.
  • the installation environment identification unit 13 matches the IDs (user A, colleague B, colleague C) collected by the RFID reader 11 against the IDs registered in the same work group ID 150 (ID: A, ID: B, ID: C, ID: D). Since the IDs of multiple people in the same work group were detected, the installation environment is identified as being within the safe area. Since the ID of user A is also confirmed, the usage restriction unit 14 permits login by user A and allows access to general PC information 160 that is not restricted.
  • FIG. 8 is a diagram showing login authentication processing when the ID card is forgotten in the PC according to the embodiment of the present invention.
  • the RFID reader 11 collects IDs from the RFID tag B201 of the colleague B who sits next to it and the RFID tag C202 of the colleague C.
  • the installation environment identification unit 13 matches the IDs (colleague B, colleague C) collected by the RFID reader 11 against the IDs (ID: A, ID: B, ID: C, ID: D) registered in the same work group ID 150. Since the IDs of multiple people in the same work group were detected, the installation environment is identified as being within the safe area.
  • Since the usage restriction unit 14 has confirmed that the PC 10 is in the safe area, user A is requested to input an ID and password based on the setting of the usage authentication 403 shown in FIG. User authentication is performed using the entered ID and password. If authenticated, user A is allowed to log in, and access to general PC information 160, which was once restricted, is permitted.
  • FIG. 9 is a diagram showing processing when login authentication in the PC according to the embodiment of the present invention is not permitted.
  • the installation environment identification unit 13 compares the ID (third party H) collected by the RFID reader 11 with the IDs (ID: A, ID: B, ID: C, ID: D) registered in the same work group ID150. Since the IDs of multiple people in the same work group are not detected, the installation environment is identified as being outside the safe area.
  • Usage restriction unit 14 does not allow login because PC 10 is identified as being outside the safe area. Therefore, the PC information 160 cannot be accessed.
  • FIG. 10 is a diagram showing a file use restriction process for which file access restriction is performed according to the embodiment of this invention.
  • file B requires RFID tag information of colleague B during operation.
  • usage restriction unit 14 requests installation environment identification unit 13 to identify the installation environment.
  • the installation environment identification unit 13 uses the RFID reader 11 to collect the ID of the RFID tag A200 of the user A and the ID of the RFID tag B201 of the colleague B.
  • the collected IDs (User A, Colleague B) are checked against the IDs (ID: A, ID: B, ID: C, ID: D) registered in the same work group ID 150, and the installation environment is identified as being within the safe area.
  • the detected IDs (user A, colleague B) are notified to the usage restriction unit 14 along with the identification result.
  • Usage restriction unit 14 permits the update of file B161 because the installation environment is a safe area and the ID of RFID tag B of colleague B, which is the condition for permitting an access request to file B, is detected.
  • FIG. 11 is a diagram showing a file use restriction process (in a case where permission is not allowed) of a file with restricted file access according to the embodiment of the present invention.
  • this is a case where the RFID reader 11, on receiving a request by user A to update the file B161, cannot collect the information of the RFID tag B201 of the colleague B. It is assumed that the installation environment is confirmed to be a safe area by a colleague C (not shown). In this case, although the installation environment is a safe area, the usage restriction unit 14 does not permit the update because the ID of the RFID tag B of the colleague B, which is the condition for permitting the access request to the file B, is not detected.
  • FIG. 12 is a diagram showing a file use restriction process in which file access restriction (requires multiple persons' IDs) according to the embodiment of the present invention is performed.
  • folder E requires, at the time of operation, the RFID tag information of three or more of the four members of the same work group.
  • usage restriction unit 14 requests installation environment identification unit 13 to identify the installation environment.
  • the installation environment identification unit 13 uses the RFID reader 11 to collect the ID of the RFID tag A200 of the user A, the ID of the RFID tag B201 of the colleague B, and the ID of the RFID tag C202 of the colleague C.
  • the collected IDs (User A, Colleague B, Colleague C) are checked against the IDs (ID: A, ID: B, ID: C, ID: D) registered in the same work group ID 150, and the installation environment is identified as being within the safe area.
  • the detected IDs (User A, Colleague B, Colleague C) are notified to the usage restriction unit 14.
  • the usage restriction unit 14 permits the update because the installation environment is a safe area and three or more IDs of the same work group ID 150, which is the condition for permitting an access request to the folder E, are detected.
  • an arbitrary constraint condition can be set according to the importance of the file.
  • FIG. 13 is a flowchart showing the procedure of the file/folder access control process in the embodiment of the present invention.
  • Step S21 It is determined whether access control using ID detection is required for the file/folder. The determination is made with reference to the file access 406 setting for the file/folder. If there is no setting, ID detection is not required. If it is not required, the process proceeds to A.
  • Step S22 When access control by ID detection is necessary, it is determined whether or not the ID detection is for a specific ID. If a specific ID, that is, a single ID is specified, the process proceeds to step S23. If it is not a specific ID, that is, if a plurality of IDs are specified, the process proceeds to step S24.
  • Step S23 When a specific (single) ID is specified, it is determined whether the ID has been detected by comparing the IDs collected by the RFID reader 11 with the specified ID. If detected, the process proceeds to A. If not detected, the process proceeds to step S27.
  • Step S24 The check time (check method) is determined. If the check method is access, the process proceeds to step S25. If the check method is login, the process proceeds to step S26.
  • Step S25 If the check method is access, it is determined whether or not the ID specified at the time of access is detected. If “75% or more member IDs of the same work group members” or “3 or more members of the same work group members” is specified, check the number and make a decision. If ID detection conditions are met, proceed to A. If the ID detection condition is not satisfied, the process proceeds to step S27.
  • Step S26 If the check method is login, it is determined whether or not the ID specified at login is detected. In this case, the judgment result at the time of login or the ID detected at the time of login is saved and the judgment is made. The details of the determination are the same as in step S25. If ID detection conditions are met, proceed to A. If the ID detection condition is not satisfied, the process proceeds to step S27.
  • Step S27 Since the condition is not satisfied and the corresponding ID is not detected, access is disabled and the process is terminated.
  • Step S28 Since the conditions are met and the corresponding ID is detected, access is permitted and the process is terminated.
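The decision flow of steps S21 to S28, combined with the safe-area check used in FIGS. 10 to 12, can be sketched as follows. This is an added example, not code from the patent: the `Policy` structure, the function names and the reading of "multiple people" as at least two members are assumptions, and the policy table is constructed from the folder and file conditions given in the description.

```python
from dataclasses import dataclass
from typing import Optional

WORK_GROUP = frozenset({"A", "B", "C", "D"})  # same work group ID registration


@dataclass(frozen=True)
class Policy:
    """ID-detection condition for one file/folder (hypothetical structure)."""
    specific_id: Optional[str] = None  # single required ID (step S23)
    min_count: Optional[int] = None    # e.g. "3 or more members"
    min_ratio: Optional[float] = None  # e.g. 0.75 for "75% or more"
    check_at: str = "access"           # check method: "access" or "login"


# Conditions taken from the description; the table itself is constructed.
POLICIES = {
    "file B": Policy(specific_id="B"),
    "folder D": Policy(specific_id="D"),
    "folder E": Policy(min_count=3),
    "folder F": Policy(min_ratio=1.0),
}


def in_safe_area(detected, group=WORK_GROUP, min_members=2):
    """Safe area: IDs of multiple work-group members are detected.

    min_members=2 is an assumed reading of "multiple people".
    """
    return len(set(detected) & group) >= min_members


def id_condition_met(policy, detected_now, detected_at_login, group=WORK_GROUP):
    """Steps S21-S28 of the file/folder access control flow."""
    if policy is None:                      # S21: no setting -> A (permit)
        return True
    if policy.specific_id is not None:      # S22 -> S23: single ID
        return policy.specific_id in detected_now
    # S24: pick the scan to evaluate, then S25 (access) or S26 (login).
    # A missing login scan counts as "nothing detected", so it fails closed.
    scan = detected_at_login if policy.check_at == "login" else detected_now
    present = len(set(scan) & group)
    if policy.min_count is not None and present < policy.min_count:
        return False                        # S27: access disabled
    if policy.min_ratio is not None and present < policy.min_ratio * len(group):
        return False                        # S27: access disabled
    return True                             # S28: access permitted


def request_access(resource, detected_now, detected_at_login=()):
    """Permit only in a safe area and when the resource's condition holds."""
    if not in_safe_area(detected_now):
        return False
    return id_condition_met(POLICIES.get(resource), detected_now,
                            detected_at_login)
```
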
  • the installation environment diagnosis starts when the PC 10 is turned on, and periodically diagnoses the installation environment. Based on the file protection information 402 shown in FIG. 4, as the first stage, when the access restriction start time is reached, an access restriction process is performed. Subsequently, as the second stage, when the file deletion start time is reached, file deletion processing is performed.
  • FIG. 14 is a diagram showing a processing procedure of the first stage in the installation environment diagnosis according to the embodiment of the present invention. The power is turned on and processing is started.
  • Step S31 The elapsed time information for counting the elapsed time is initialized.
  • Step S32 The RFID reader 11 is activated at regular intervals to collect ID information of surrounding RFID tags. Store the collected ID tags in the temporary storage memory.
  • Step S33 The elapsed time is updated and compared with the set time (first stage access restriction start time) to determine whether the elapsed time exceeds the set time. If so, the process proceeds to step S36.
  • Step S34 Since the set time has not been exceeded, it is determined whether or not the ID tag collected in Step S32 has been detected. If no ID tag is detected, proceed to step S3.
  • Step S35 Since the ID tag is detected, it is determined whether or not the detected ID tag is registered in the same (work) group. If it falls under the same work group, it is regarded as a safe area, the process returns to step S31, and the process from the initialization of the elapsed time is performed. If not detected, the process returns to step S32 to wait for the next collection process.
  • Step S36 Since the period during which no ID tag of the same group is detected has exceeded the set time, the target file is made unreadable.
  • Step S37 Send an e-mail to the administrator to notify them that the first stage of processing has been performed. Thereafter, the process proceeds to C shown in FIG.
  • FIG. 15 is a diagram showing a second stage processing procedure in the installation environment diagnosis according to the embodiment of the present invention.
  • Step S41 Activate RFID reader 11 at regular intervals to collect ID information of surrounding RFID tags. Store the collected ID tags in the temporary storage memory.
  • Step S42 The elapsed time is updated and compared with the set time (second stage file deletion start time) to determine whether the elapsed time exceeds the set time. If so, the process proceeds to step S46.
  • Step S43 Since the set time has not been exceeded, it is determined whether or not the ID tag collected in Step S41 has been detected. If the ID tag is not detected, the process returns to step S41 and waits for the next collection process.
  • Step S44 Since the ID tag is detected, it is determined whether the detected ID tag is registered in the same (work) group. If it falls under the same work group, the process returns to step S41 and waits for the next collection process.
  • Step S45 If they fall under the same work group, they are considered to be in the safe area, and the process returns to B (initialization) shown in FIG. 14, and the processing is performed again from the initialization of the elapsed time.
  • Step S46 If the ID tag of the same group is not detected and the period has exceeded the set time, the target file is overwritten with different data so that it cannot be read.
  • Step S47 The target file information is deleted so that the target file cannot be accessed.
  • Step S48 An e-mail is sent to the administrator, notifying that the second stage of processing has been performed, and the processing ends.
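The two-stage installation environment diagnosis (steps S31 to S37 and S41 to S48) can be replayed over a sequence of reader scans to see when each stage fires. This is an added example, not code from the patent: the function name, event names, the scan data and the threshold values are constructed, and it assumes that the elapsed time in both stages is counted from the last initialization.

```python
WORK_GROUP = frozenset({"A", "B", "C", "D"})  # same work group ID registration


def run_diagnosis(scans, restrict_after, delete_after,
                  group=WORK_GROUP, power_on=0):
    """Replay periodic scans through the two-stage diagnosis.

    scans: iterable of (time, detected_ids), one entry per reader activation.
    Returns the list of (time, action) events in the order they fire.
    """
    events, stage, last_reset = [], 1, power_on      # S31: initialize
    for now, detected in scans:                      # S32 / S41: collect IDs
        elapsed = now - last_reset
        seen_group = bool(set(detected) & group)
        if stage == 1:
            if elapsed > restrict_after:             # S33 -> S36, S37
                events.append((now, "make_unreadable"))
                events.append((now, "mail_admin_stage1"))
                stage = 2                            # continue at C
            elif seen_group:                         # S35 -> S31
                last_reset = now
        else:
            if elapsed > delete_after:               # S42 -> S46, S47, S48
                events.append((now, "overwrite"))
                events.append((now, "delete_file_info"))
                events.append((now, "mail_admin_stage2"))
                break                                # processing ends
            if seen_group:                           # S45 -> B
                events.append((now, "return_to_stage1"))
                stage, last_reset = 1, now
    return events


# Constructed scans, times in minutes. "H" is a third party.
UNATTENDED = [(0, {"A", "B"}), (10, {"A"}), (20, {"H"}), (30, set()),
              (40, set()), (50, set()), (60, set()), (70, set()), (80, set())]
RECOVERED = [(0, {"A"}), (10, set()), (20, set()), (30, set()),
             (40, set()), (50, {"B"}), (60, {"B"}), (70, set())]
# The time check (S33) runs before the ID check (S35), so a member who
# reappears on the very scan where the limit is exceeded does not prevent
# the first stage from firing.
LATE_RETURN = [(0, {"A"}), (40, {"A"})]
```

Because the time comparison precedes the ID comparison in each cycle, the collection interval bounds how late a returning member can be before the first stage fires anyway.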
  • the registration of the same work group ID is changed as necessary. For example, when a work group member is switched, or when the PC 10 is portable and the surrounding members change during work, etc., the registration is changed according to the environment. Since the registration change requires the conditions shown in the setting operation 405 in FIG. 5, the registration change can be performed safely.
  • although the installation environment is confirmed based on the information of the RFID tag possessed by the user or the like, the present invention is not limited to this.
  • Other wireless communication functions can be used by using RFID tags.
  • FIG. 16 is a diagram showing an example of another embodiment of the present invention.
  • the PC 510 includes a memory 511 that stores device identification information, and an information management unit 512 that performs information management.
  • the PC 520 includes a memory 521, an information management unit 522, and a wireless communication circuit 523.
  • PC 510 and PC 520 exchange device identification information with each other via wireless communication circuit 513 and wireless communication circuit 523.
  • the device identification information of PC550 is also collected.
  • the information management unit 512 compares the device identification information collected from other PCs with the preset device identification information of other PCs that indicates the safe area, and identifies whether the installation environment is in the safe area.
  • the above processing functions can be realized by a computer.
  • a program describing the processing contents of the functions that the information processing apparatus should have is provided.
  • the above processing functions are realized on the computer.
  • the program describing the processing contents can be recorded on a computer-readable recording medium.
  • Examples of the computer-readable recording medium include a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory.
  • Magnetic recording devices include hard disk drives (HDD), flexible disks (FD), and magnetic tapes.
  • Optical discs include DVD (Digital Versatile Disc), DVD-RAM (Random Access Memory), CD-ROM (Compact Disc Read Only Memory), and CD-R (Recordable)/RW (Rewritable).
  • Magneto-optical recording media include MO (Magneto-Optical disk).
  • the computer that executes the program stores, for example, the program recorded on the portable recording medium or the program transferred from the server computer in its own storage device. Then, the computer reads the program from its own storage device and executes processing according to the program. The computer can also read the program directly from the portable recording medium and execute processing according to the program. In addition, each time a program is transferred from the server computer, the computer can also execute processing according to the received program.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention concerns restricting the use available to users according to the surrounding environment. A work group identifier storage means (1b) stores work group identification information for identifying the members of the work group who are present in a safe area where predetermined work is permitted. An information processing device (1) collects user identifiers from wireless communication devices (2a), (2b), (2c) and (2d) via a communication means (1a). When, for example, a user of the wireless communication device (2a) performs predetermined work using the information processing device (1), an installation environment identification means (1c) reads the work group identification information from the work group identifier storage means (1b), compares it with the user identifiers collected by the communication means (1a), checks whether members of the work group are present in the vicinity, and identifies whether secure work can be performed in the installation environment of the information processing device (1). According to the identification result, a use restriction means (1d) restricts the use available to users.
PCT/JP2006/318401 2006-09-15 2006-09-15 Dispositif et programme de gestion des informations Ceased WO2008032405A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2006/318401 WO2008032405A1 (fr) 2006-09-15 2006-09-15 Dispositif et programme de gestion des informations

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2006/318401 WO2008032405A1 (fr) 2006-09-15 2006-09-15 Dispositif et programme de gestion des informations

Publications (1)

Publication Number Publication Date
WO2008032405A1 true WO2008032405A1 (fr) 2008-03-20

Family

ID=39183476

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2006/318401 Ceased WO2008032405A1 (fr) 2006-09-15 2006-09-15 Dispositif et programme de gestion des informations

Country Status (1)

Country Link
WO (1) WO2008032405A1 (fr)


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 06810193

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06810193

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP