JP2001175601A - Guarantee system for uniqueness of access right - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a system which guarantee the uniqueness of the right to access a computer terminal. SOLUTION: This system includes a user position detection part 10 which detects position information on a user, a terminal position management part 12 which manages position information on plural terminals, and an access managing means 12 which compares the user position information with position information on a terminal where the user makes an access request when the access request accompanied by prescribed right information to an object computer resource 17 to be guaranteed is accepted from the user and accepts the access request only when those pieces of information have presribed relation.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] The present invention relates to a security technique for operating a computer terminal. More specifically,
The present invention relates to a method of specifying an area where an authorized user of a computer terminal is located, thereby guaranteeing the right to access the computer terminal, that is, the uniqueness of the access right.

[0002]

2. Description of the Related Art In the case of a computer terminal that manages highly secure information, a user is requested to input authority information such as a user ID (Identifier) and a password at the time of an access request. After confirming, it is common to grant an access right to enable access to the computer terminal. In some cases, the access authority is determined hierarchically, and the access authority at a level corresponding to the content of the managed information is given.

Recently, network technology has been developed, and it has become common to construct an intranet by connecting a plurality of computer terminals via a network and to share information in the net. An intranet is a network system built in an organization, and is generally considered to have a certain trust relationship between users. Therefore, conventionally, the security of the access authority tends to be regarded as less important than the security of a wide area network that can be accessed by unspecified persons.

[0004]

However, unauthorized access is not a problem even in an intranet. Conversely, an intranet may need to be more secure than a wide area network. This is because, because of the intranet, certain information may be of common interest to a plurality of users. The access authority is given on condition that the authority information predetermined for each user is valid, but if the authority information is stolen, the unauthorized access person can impersonate the authorized user at any time and It becomes possible to access a computer terminal for a user.
In this case, the authorized user usually does not know that his / her own authority information has been leaked, and thus cannot take appropriate measures. Such a problem can be solved by guaranteeing unique access rights.

SUMMARY OF THE INVENTION Accordingly, an object of the present invention is to provide a system that can guarantee the uniqueness of access authority to a computer terminal. It is another object of the present invention to provide a method capable of confirming that a user who has accessed a terminal is a true user, and a recording medium suitable for implementing the method.

[0006]

In order to solve the above problems, the present invention provides a uniqueness assurance system and a uniqueness assurance method for an access right. The basic configuration of the uniqueness assurance system of the present invention includes a user position detecting means for detecting position information of a user, a terminal position managing means for managing position information of a plurality of terminals, and a user request for a computer resource to be guaranteed. When an access request accompanied by predetermined authority information is received, the user location information is compared with the location information of the terminal to which the user has made the access request, and the information has a predetermined relationship. And access management means for permitting the access request. The “computer resource” here refers to the terminal hardware, the memory in the terminal, the logical file in the memory, the data in the logical file, and the like.

The user position detecting means includes, for example, a plurality of entry / exit detection sensors for detecting entry / exit status of each of a predetermined area of one or a plurality of users, and positional information indicating a deployment position of each entry / exit detection sensor. A location area specifying means for specifying a location area of the user based on the entry / exit status of the user detected by any of the entry / exit detection sensors. The area is more effective when a floor or a room in the same building and the presence of a user in another area cannot be confirmed from within one area.

[0008] More preferably, the user position detecting means further comprises a portable terminal to which non-rewritable identification information for uniquely specifying the user's unique information is assigned. In this case, the entry / exit detection sensor detects the entry / exit status of the user for each predetermined area by acquiring the identification information of the portable terminal accompanying the user. As the portable terminal, for example, a card medium equipped with a non-contact type IC chip can be used. The card medium is
It can be used as a company emblem, nameplate, and key ring.

[0009] The user position detecting means includes a portable terminal with a built-in GPS receiver to which identification information for uniquely specifying the user's unique information is assigned, and identification information of the portable terminal accompanying the user and GPS. It may be configured to include location information specifying means for receiving the location information of the portable terminal obtained by the receiver and specifying the location area of the user based on the received information.

[0010] The terminal location management means associates, for example, information on the location where each terminal is to be deployed with the identifier of the data link layer of the terminal, and associates the location information of the terminal that has made the access request with the information. It is configured to specify by the information of the position corresponding to the identifier included in the access request. From the viewpoint of enhancing security, each identifier is associated with the unique information of the authorized user of the terminal corresponding to the identifier, and when the unique information of the authorized user is identified, the position information is identified. It is constituted so that.

[0011] The access management means may, for example, be such that the user location information is present in a management area predetermined by the user, and the location information of the terminal making the access request is in the same management area. The terminal is configured to permit the access request when the terminal is an installed terminal. When the portable terminal has a built-in GPS receiver, the access management means includes the GPS transmitted from the portable terminal.
When the position information of the portable terminal obtained by the receiver exists in a predetermined geographical area, the access request is permitted.

In order to make it easy to identify a person who has attempted unauthorized access, the access management means may be configured to accumulate information of all users who have been granted the access authority and to output the accumulated information at any time. desirable.

[0013] The uniqueness assurance method of the present invention detects a position of a portable terminal to which non-rewritable identification information for uniquely identifying a user's unique information is assigned, thereby detecting the user possessing the portable terminal. A method executed in a computer system capable of detecting the entry / exit status of each predetermined area and notifying the detection result to control means for managing computer resources to be assured. Specifying the location area of the user based on the information, and that when the predetermined authority information for the computer resource is input, the authorized user of the terminal exists in the area where the terminal that has input the authority information exists. On the condition that the entered authority information is valid, so that the computer resources can be accessed. And a step of imparting access authority, the access to the computer resource based on the same authority information after applying the access privileges is a method which is characterized in that to regulate this. Accepting the setting of the operation permission area of the terminal determined by the authorized user, holding the information of the set operation permission area for each unique information of the authorized user who set it, and inputting predetermined authority information to a certain terminal. Alternatively, it may be determined whether or not the access right is to be granted with an additional condition that the area where the terminal is located is set as the operation permission area.

[0014] A recording medium provided by the present invention is provided in a predetermined area of a user having the portable terminal by detecting the position of the portable terminal to which identification information for uniquely specifying the user's unique information is assigned. A computer-readable recording in which a program code for executing the following processing is recorded on a computer capable of detecting the entry / exit status of each of the computers and notifying the detection result to the control means for managing the computer resources to be guaranteed. Medium. (1) a process of specifying the location of the user based on the detected entry / exit status of the user; (2) when predetermined authority information for the computer resource is input, there is a terminal that has input the authority information. A process of confirming that an authorized user of the terminal is present in the area and granting access authority to enable access to the computer resources, provided that the entered authority information is valid; (3) Processing for restricting access to the computer resource based on the same authority information after the access authority has been granted.

Although it is not always impossible for a person who attempts unauthorized access to try to analyze the contents of the authority information of another person, in the case of the uniqueness assurance method of the present invention, a legitimate user exists in the corresponding area. Since the content analysis can be performed only for a short period of time, the content of the authority information does not leak in effect. In addition, if an authorized user (within the area) accesses while the unauthorized user is accessing based on the illegally acquired authority information while the authorized user is staying in a certain area. Since the access of the authorized user is restricted, it can be seen that the authorized user accesses the unauthorized user in the vicinity of the authorized user using his / her own authority information. Therefore, it can be confirmed that the self-authority information has been leaked, and it also causes psychological pressure on the unauthorized access person. In other words, an unauthorized access person is highly likely to be found because the legitimate user is near him, and he does not know when the legitimate user accesses. When access is made, there is a psychological pressure that the legitimate user knows that he or she is accessing it first. This makes it possible to psychologically suppress unauthorized access, and in this respect, the uniqueness of access authority is guaranteed.

[0016]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS An embodiment in which the present invention is applied to security management of an in-house computer system in which an intranet is constructed in a building having a plurality of floors and booths will be described below. <First Embodiment> FIG. 1 is a configuration diagram showing a first embodiment of this computer system, and FIG. 2 is a configuration diagram of a network between floors. The illustrated example shows an example of a four-floor structure. The computer system 1 includes an entry / exit management device 10, a non-contact type IC card (not shown) carried by a user, and a plurality of non-contact type IC cards arranged near entrance / exit gates on each floor and / or booths on each floor. Card reader 11a, electric lock 11b for opening and closing an entrance gate on each floor, a plurality of user terminals (1F to 4F user terminal group) 13 to 16 arranged on each floor (F), various services for users (Application) server 17 having computer resources for providing the service, and an authentication server 12 for managing access rights (including access rights to computer resources) to the AP server 17 from individual user terminals. You.

Entry / exit management device 10, user terminal groups 13-1
6. The authentication server 12, the AP server 17 is the network 2
The card reader 11a and the electric lock 11b are connected to the entry / exit management device 10 by dedicated cables. Individual card reader 11
a and the electric lock 11b are each installed with one corresponding to the other. Information on the position where each card reader 11a is provided (floor information, booth information)
Are managed by the entry / exit management device 10.

An IC card is an example of a portable terminal, and is an IC card having a CPU, a RAM, a ROM, and an EEPROM.
The C chip is mounted on a card medium. An antenna for communicating with the card reader 11 and its control means are embedded in the card medium. The ROM contains C
A program that is read and executed by the PU, such as an authentication program and an encryption algorithm, is recorded.
In the EEPROM, identification information (identifier: ID) for uniquely specifying the unique information of the user who owns the EEPROM.
Are recorded in an unrenewable state at the time of manufacture.
The RAM is a work area for the CPU. Access control device 1
Reference numeral 0 denotes a workstation, a personal computer, or the like, which manages the entry or exit of the user by cooperative execution of an OS (operating system) and a predetermined entry / exit management program.

FIG. 3 is a configuration diagram of a main part of the access control device 10. The access control device 10 includes a network interface unit 21 for controlling communication with the network 2, a main control unit 22 for controlling the entire access control device 10, and a card reader interface unit for receiving data output from the card reader 11a. 23, an electric lock control unit 24 that controls opening and closing of the electric lock 11b, and a user management database 25 that manages the ID of a user who is an insider (hereinafter referred to as “D
B), an entry / exit information management DB 26 for managing the entry / exit information of each user, and a card reader management DB 27 for managing the installation position information of the card reader 11a (information on the floor where the card reader is provided). are doing. As shown in FIG. 5, the user management DB 25 stores user identification information (expressed as “user ID”) and entry / exit authority information set in advance in accordance with the identification information, for example, It manages the 1ID and the first password (these are collectively referred to as an “entry”). User ID
Is user-specific information for uniquely specifying each user, and is associated one-to-one with identification information recorded in an IC card in a non-updatable form.

As shown in FIG. 6, the entry / exit information management DB 26 stores the above-mentioned user ID and the entry / exit status of the user (for example, information for specifying the floor that entered or exited, entry time, exit time, etc.). Are managed in association with each other. The user terminals arranged on each floor are general-purpose computer devices, each of which includes a network interface unit, and is provided with another user terminal, an authentication server 12,
It can communicate with the AP server 17 and the like.

FIG. 4 is a configuration diagram of a main part of the authentication server 12. The authentication server 12 includes a network interface unit 31 that controls communication with the network 2, a main control unit 32 that controls the entire authentication server 12, and a connection status that stores a connection status of each user terminal to the AP server 17. A storage unit 33, a user authentication DB 34 for managing authentication data of a user who operates a user terminal, a terminal location management DB 35 for managing a location where each user terminal is installed for each department and department, Has a user operable area setting table 36 in which the positions of the user terminals permitted to operate are stored in association with each other.

FIG. 7 shows an example of the data structure of the user authentication DB 34, FIG. 8 shows an example of the data structure of the terminal location management DB 35, and FIG. 9 shows an example of the contents of the user operable area table 36. As shown in FIG. 7, the user authentication DB 34 manages authority information for logging in to the intranet, for example, a second user ID and a second password in association with each other. As shown in FIG. 8, information on the installation location of the user terminal, for example, general affairs 10B (meaning the tenth booth of general affairs clerk) is associated with the terminal ID on a one-to-one basis.

The terminal ID is data link layer information for uniquely specifying the terminal. In the present embodiment, an identifier included in a frame of a layer lower than the protocol address used in the network 2, for example, M
Use an AC (Media Access Control) address.
Depending on the type of network, DLCI (Data Link
Connection Identifier), VPI (Virtual Path Iden)
tifier) / VCI (Virtual Channel Identifier) can also be used. Unlike the protocol address, the data link layer identifier cannot be arbitrarily changed by the user. By using this, it is possible to effectively prevent impersonation of another user by "spoofing".

As shown in FIG. 9, the user operable area table 36 includes an operable area set by the user,
That is, the installation position of the user terminal that the user wants to operate is recorded. The settings can be dynamically updated by the user at any time.

An embodiment of a method for guaranteeing unique access right in the computer system 1 configured as described above will be described. First, a user entry / exit management process performed by the entry / exit management device 10 will be described. The entry / exit management processing includes an IC card accompanying the user, the main control unit 22,
It is performed by cooperation of the user management DB 25, the entry / exit information management DB 26, the card reader management DB 27, and the card reader 11a.

When the user approaches the entrance / exit gate on each floor, a card reader 11a provided near the gate reads the identification information of the IC card possessed by the user in a non-contact manner and transmits it to the entrance / exit management device 10. . Upon receiving the identification information, the entry / exit management device 10 searches the user management DB 25 for an entry corresponding to the identification information. If there is a corresponding entry in the user management DB 25,
With reference to the entry / exit authority information in the entry, it is determined whether or not the user is allowed to enter the room. When permitting entry, the electric lock 11b provided at the entrance / exit gate is unlocked via the electric lock control unit 24. If not,
The lock of the electric lock 11b is maintained. If entry to the room is permitted, information on the entry of the user into the entry / exit information management D
Record in B26.

When the user goes out of the floor, the exit of the user is changed to the entry / exit information management D by the same processing as described above.
Record in B26. Since the information about the user's entry into the room has already been recorded, only the information about the exit from the user may be recorded. By this entry / exit management processing, the entry / exit management device 10 can specify on which floor, when, or when all users who have IC cards have entered or exited the room.

Next, the user authentication processing by the authentication server 12 will be described. The authentication process is performed by the main control unit 32,
This is performed by the cooperation of the connection status storage unit 33, the user authentication DB 34, the terminal position management DB 35, the user operable area setting table 36, and the entry / exit management device 10. FIG. 10 is a flowchart of the authentication process.

A user who wants to access the AP server 17 inputs access authority information, that is, a second user ID and a second password, to the authentication server 12 to make an access request (step S101). Upon receiving the access request, the authentication server 12 sends the access management device 1
Inquire about the position of the user who has made the access request to 0 (step S102). Upon receiving the inquiry, the entry / exit management device 10 searches the entry / exit information management DB 26 and returns information on the area where the user is located.

The authentication server 12 having received the information on the location area searches the terminal location management DB 35 to find out on which floor or booth the user terminal to which the user has made an access request is located. , Determine whether the user is on the floor or booth where the user terminal is installed (step S10)
3). If it is determined that the user is on the same floor or booth (S103: Yes), the user authentication DB 34 is searched to determine whether the combination of the second user ID and the second password is correct (steps S104 and S10).
5). If the authentication result is positive, the access permission to the AP server 17 is given to the user (step 106).

On the other hand, if it is determined in step S103 that the user is not on the same floor as the user terminal (S103: No), the authentication server 12 rejects access by the user (step: S107). If the authentication result is negative, the access by the user is rejected (step S105: No, S107).

According to such processing, in addition to the conventional authentication based on the authority information, the consistency between the user's location area and the position of the user terminal to which the access request is transmitted is checked, and the reliability of the authentication is confirmed. Increase. If an access request is made from a user terminal installed on a floor or booth where the user should not be,
In other words, such an access request can be rejected because there is no other way than that another person is trying to access using the user ID and password of the user (by stealing).

Further, a person who tries to gain unauthorized access to a certain user terminal can only try to access it while a legitimate user of the user terminal is present.
When an authorized user accesses, the access of the authorized user is denied, so that the authorized user is notified of the fact of the unauthorized access. Therefore, the unauthorized access can be psychologically suppressed. As described above, in the present embodiment, the uniqueness of the access authority for each user is guaranteed.

In the above description, the authentication server 12
By checking the consistency between the user's location area and the location of the user terminal from which the access request is sent,
This is an example of granting access authority to the user terminal. The access authority is granted according to whether the user has entered authority information from the operation permission area (floor) of the user terminal set by the user. Is also good. FIG.
Is a diagram showing an authentication procedure in this case. That is,
In the procedure shown in FIG. 10, after step S102, the user terminal to be accessed checks by using the user operable area table 36 whether or not the user terminal exists on the floor to which the user's operation is permitted (step S201). If the user is on the floor, the process proceeds to step S104 (step S201: No), and if not, step S104.
The process proceeds to the process of Step 107 (Step S201: Yes).

<Second Embodiment> A second embodiment of the present invention will be described. Here, in addition to the entry / exit management device 10 used in the first embodiment, a GPS (Global Positioning System) is used.
m) Mobile terminal with built-in receiver ("GPS terminal") and GP
An S-compatible user location management device is used. GPS terminal
Receives the current position where the self is present along with its time information,
It has a function of transmitting received information to a GPS-compatible user location management device together with identification information (for example, an identifier of a data link layer) for uniquely identifying itself. Existing GPS
By adding a function of transmitting the above identification information to the GPS-compatible user location management device to the terminal, it can be easily realized. The connection between the GPS terminal and the GPS-compatible user position management device can be realized by being connected to the network 2 via a wireless line and / or a public telephone line. Such a connection form is a well-known technique. As for other components, the components of the first embodiment shown in FIG. 1 can be used as they are.

The GPS-compatible user position management device is based on a GPS terminal management DB for managing identification information of GPS terminals registered by a user in advance, and current position information such as absolute latitude and absolute longitude obtained by a GPS receiver. It is provided with a known geographic information database management system capable of specifying a current geographical location by using a user and a user location management DB. Normally, this GPS-compatible user location management device is additionally connected to the network 2 of the first embodiment and used for operation.

The functions of this GPS-compatible user location management device are generally as follows. First, based on the current position information included in the reception information sent from the GPS terminal, the current position of the user having the GPS terminal is specified. Then, the specified current position is recorded in the user position management DB for each user. When a command is input, the current position of the user is read, and this is notified to the request source of the command. The current position for each user is updated at any time. The management content of the user location management DB may be linked to the above-described user management DB 25 or the like, or may be collectively managed in the user management DB 25 or the like.

Next, a procedure of a method for guaranteeing uniqueness of access authority according to the second embodiment will be described with reference to FIG. A
A user who wants to access the P server 17 sends a second user ID and a second user ID from the GPS terminal to the authentication server 12.
Until you enter your password and make an access request,
Same as 0. Upon receiving the access request, the authentication server 12 determines whether the GPS terminal is a pre-registered GPS terminal based on the GPS terminal management DB of the GPS-compatible user position management device (step S30).
1). If the request is not an access request from a registered GPS terminal, it is a request from a normal user terminal, and the process shifts to step S102 in FIG. 10 (step S301: No). On the other hand, if the GPS terminal is a registered GPS terminal, the user's location area is specified with reference to the user location management DB of the GPS-compatible user location management device. Then, it is determined whether the specified location area is a previously permitted location recorded in the user operable area setting table 36 (step S302). If the user is located in the permitted place (S302:
(Yes), the process proceeds to the process of step S104 in FIG. 10 (step S302: Yes). If the user is not at the permitted place, the process proceeds to step S107 (step S302: Yes).

By performing such processing, in the second embodiment, in addition to the conventional authentication using the user ID and the password, the matching between the position of the GPS terminal held by the user and the previously permitted geographical position is authenticated. As a result, the reliability of the user authentication is improved. For example, when it is desired to permit only access from a specific business office, the position of the business office on the map is specified by latitude and longitude, and this is recorded in the user operable area setting table 36.
An operation mode in which access is permitted only when the GPS terminal is operated at the business office becomes possible. Even if an unauthorized user who does not know such a place tries to access from another place using the stolen user ID and password,
Access will be denied.

As described above, the present invention has been described according to the specific embodiments. However, the contents of the present invention are not limited to the above embodiments. For example, when each floor or booth is further divided into several rooms, a card reader 11a is provided for each room, and the user can enter a preset room (in many cases, there is a desk for the user. As long as the user stays in the room, it may be accessible only from the user terminal in the room.

The AP server 17 and the accessing user terminal may be the same computer device.
In other words, the hardware configuration of the computer system 1 may be arbitrary since the authentication processing by the authentication server 12 may be interposed when accessing the resources in the AP server 17.

The user operable area setting table 3
It is also possible to configure so that the system administrator can change the contents of No. 6 as needed.

In addition, when an access is made by a user, an object requiring authentication according to the present invention is the AP of the above embodiment.
It is not limited to the server 17. For example, a storage device inside each user terminal, a specific file in the storage device, a file server connected to the network, a specific file in the file server, a service provided from a server connected to the network, and the like are also subjected to the authentication. Becomes

Further, the access status and access history information of each user stored in the authentication server 12 may be stored, and may be output as needed.
For example, it is conceivable that the system administrator can constantly monitor the access status of the user.

Further, for each user, the user
It is also possible to limit the user terminals that can be operated when accessing the server 17. For example, for the user A, only the user terminal installed on the first floor 1
For the user B, only the user terminal installed on the floor 2 is provided. This is realized by storing the user identification information and the numbers of one or more user terminals installed on a specific floor in the user operable area setting DB 36 in the authentication server 11 in association with each other. It is possible.

Although the above-described entry / exit management device 10, authentication server 12, and GPS-compatible user location management device have been described as examples in the case where they exist as devices or systems programmed in advance, these devices, especially the central components of these devices, are described. Each D
B25-27, 34-35, GPS terminal management DB, etc., user operable area setting table 36, various function blocks 22, 24, 32, 33, functions of the geographic information database management system, etc.
1, 31 to a general-purpose computer equipped with a function equivalent to the card reader interface unit 23 and a recording medium in which required program codes are recorded in a computer-readable form.

The recording medium is usually the computer C
PUs are fixed disks and semiconductor memories that can be read at any time, but flexible disks, hard disks,
Optical disk, magneto-optical disk, CD-ROM, DVD
(Digital Video Disk), a portable medium such as a magnetic tape, or a program code server or the like which can be accessed by the computer, which is recorded and distributed, and which is installed on the fixed disk during operation. The CPU executes the above program code to form not only the DBs 25 to 27, but also the OS (Operating System) based on the instruction of the program code.
ating system) may perform a part of the actual processing, and the DBs 25 to 27, 34 to 35, and the like may be formed through the processing.

Further, it is possible to limit the user terminals that can be operated when accessing the AP server 17 for all users. For example, for the user A, only the user terminal installed in the general affairs first booth on the floor 2, and for the user B, only the user terminal installed in the technology A12 booth on the floor 3. This is because the user operable area setting DB 36 in the authentication server 12 stores identification information of all users and terminal IDs of one or more user terminals installed in a specific installation location in association with each other. It can be realized by putting. In this case, it is desirable that the user terminal that can be operated by the user can be freely set or updated as needed.

[0049]

As is apparent from the above description, according to the present invention, since the uniqueness of the access authority to the computer resource is guaranteed, the security of the computer resource is more securely secured. Has the effect.

[Brief description of the drawings]

FIG. 1 is an overall configuration diagram of a computer system according to a first embodiment of the present invention.

FIG. 2 is an exemplary view showing an arrangement state of a building in which the computer system of the first embodiment is deployed.

FIG. 3 is a main part configuration diagram of an entry / exit management device.

FIG. 4 is a configuration diagram of a main part of an authentication server.

FIG. 5 is a diagram showing an example of a data structure of a user management DB.

FIG. 6 is a diagram showing an example of a data structure of an entry / exit information management DB.

FIG. 7 is a diagram showing an example of a data structure of a user authentication DB.

FIG. 8 is a diagram showing an example of a data structure of a terminal location management DB.

FIG. 9 is a diagram showing an example of a data structure of a user operable area setting table.

FIG. 10 is a flowchart illustrating an authentication procedure according to the first embodiment.

FIG. 11 is a flowchart (main part) showing another authentication procedure.

FIG. 12 is a flowchart (main part) showing an authentication procedure according to the second embodiment of the present invention.

[Explanation of symbols]

 Reference Signs List 10 entry / exit management device 11a card reader 11b electric lock 12 authentication server 13 1F user terminal group 14 2F user terminal group 15 3F user terminal group 16 4F user terminal group 17 AP server 25 user management DB 26 entry / exit information management DB 27 card reader Management DB 33 Connection status storage unit 34 User authentication DB 35 Terminal location management DB 36 User operable area setting table

Claims (14)

[Claims] 1. A user position detecting means for detecting position information of a user, a terminal position managing means for managing position information of a plurality of terminals, and predetermined authority information from a user for a computer resource to be guaranteed. When the access request is received, the user location information is compared with the location information of the terminal that made the access request by the user, and only when the information has a predetermined relationship, the access request is An access control means for permitting, a uniqueness assurance system for access authority. 2. A plurality of entry / exit detection sensors for detecting entry / exit status of each of a predetermined area of one or a plurality of users, wherein the user position detection means comprises: a plurality of entry / exit detection sensors; 2. The uniqueness assurance system according to claim 1, further comprising: a location area specifying unit configured to specify a location area of the user based on the entry / exit status of the user detected by any of the entry / exit detection sensors. 3. 3. A portable terminal to which non-rewritable identification information for uniquely identifying user's unique information is assigned, wherein each entry / exit detection sensor identifies the portable terminal accompanying the user. The uniqueness assurance system according to claim 2, wherein the uniqueness assurance system is configured to detect a user entering / leaving status for each predetermined area by acquiring information. 4. The uniqueness guarantee according to claim 2, wherein the area is a floor or a room in the same building, and the presence of a user in another area cannot be confirmed from within one area. system. 5. The uniqueness assurance system according to claim 3, wherein the portable terminal is a card medium on which a non-contact type IC chip is mounted. 6. A portable terminal with a built-in GPS receiver to which the user position detecting means is assigned identification information for uniquely identifying user's unique information, and identification information of the portable terminal accompanying the user. And location information specifying means for receiving the location information of the portable terminal obtained by the GPS receiver and identifying the location area of the user based on the received information. Sex assurance system. 7. The terminal location management means associates information on the location where each terminal is to be deployed with an identifier of the data link layer of the terminal, and associates the location information of the terminal that has made the access request with the information. The uniqueness assurance system according to claim 1, wherein the uniqueness assurance system is configured to be specified by information of a position corresponding to an identifier included in the access request. 8. The terminal location management means associates each identifier with unique information of a regular user of a terminal corresponding to the identifier, and sets the position when the unique information of the regular user is specified. The uniqueness assurance system according to claim 7, wherein the uniqueness assurance system is configured to specify the information of: 9. The access management unit according to claim 1, wherein the user location information is in a management area predetermined by the user, and the location information of the terminal making the access request is in the same management area. The uniqueness assurance system according to claim 1, wherein the uniqueness assurance system is configured to permit the access request when the terminal is an installed terminal. 10. The method according to claim 1, wherein the access control unit is configured to perform the access when position information of the portable terminal obtained by a GPS receiver transmitted from the portable terminal exists in a predetermined geographical area. 7. The uniqueness assurance system of claim 6, wherein the uniqueness assurance system is configured to grant the request. 11. The uniqueness assurance system according to claim 1, wherein the access management means is configured to accumulate information of all users who have been granted the access authority and to be able to output the accumulated information as needed. 12. Entry / exit of a user having the portable terminal for each predetermined area by detecting the position of the portable terminal to which non-rewritable identification information for uniquely identifying the user's unique information is assigned. A method executed in a computer system capable of detecting a situation and notifying a control means for managing computer resources to be assured of the result of the detection, the method comprising the steps of: And, when predetermined authority information for the computer resource is input, confirms that an authorized user of the terminal is present in an area where the terminal that has input the authority information is present and is input. Provided that the authority information is valid,
Granting an access right to enable access to the computer resource, and restricting access to the computer resource based on the same right information after granting the access right. The method of guaranteeing the uniqueness of access rights. 13. Accepting a setting of an operation permission area of a terminal determined by the authorized user, holding information of the set operation permitted area for each unique information of the authorized user who has set the information, and a predetermined information for a certain terminal. 13. The uniqueness according to claim 12, wherein at the time of inputting the authority information, it is determined whether or not to grant the access authority with an additional condition that an area where the terminal is located is set as the operation permission area. Guarantee method. 14. Detecting the entry / exit status of a user having the portable terminal for each predetermined area by detecting the position of the portable terminal to which identification information for uniquely specifying the user's unique information is assigned. A computer-readable recording medium storing a program code for causing a computer capable of notifying a control unit connected to a terminal to be guaranteed of the detection result to execute the following processing. (1) a process of specifying the location of the user based on the detected entry / exit status of the user; (2) when predetermined authority information for the computer resource is input, there is a terminal that has input the authority information. A process of confirming that an authorized user of the terminal is present in the area and granting access authority to enable access to the computer resources, provided that the entered authority information is valid; (3) Processing for restricting access to the computer resource based on the same authority information after the access authority has been granted.