JP2006119719A - Computer system and user authentication method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To secure the security of a computer system by providing the function of authenticating an alternative user, thus enabling a user with a different authority to alternatively perform operations for increasing operating efficiency and convenience, while identifying within the system the user who did the proxy operations and the user who made a request. <P>SOLUTION: When an alternative user ID and an alternative user password are inputted from a login screen of a terminal device 2, a business system 100 requests the user ID and the password of the alternative user from the terminal device 2. Once the user ID and the password of the alternative user are inputted from the terminal device 2, the operations that the alternative user can alternatively perform are determined on the basis of the inputted user ID, password, alternative user ID, alternative user password, and the content of an alternative authentication information file 163 and the execution of the operations is permitted. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a computer system and a user authentication having a function of performing user authentication based on input unique user identification information and permitting execution of work according to the authority of the user when the user is an authorized user Regarding the method.

  Conventionally, in order to ensure the security of a computer system, when a user logs in to the system, user authentication using a user name and a password is performed, and only authorized users are permitted to log in to the system. Further, the authority in the computer system, that is, accessible functions and data is determined for each user, and access to the functions and data in the system is restricted based on user authentication.

  In business using an actual computer system, work is often performed from the viewpoint of work efficiency and convenience, and there may be a case where the user has to access an unauthorized function or data. In such a case, the person requesting the proxy discloses his / her password to the proxy, but informing the password to the other person causes a decrease in the security level, and a third party may intercept the password. In addition, there is a problem that it is difficult to track the security audit because the log recording is different from the actual user.

Therefore, for example, in Patent Document 1, in order to solve the above-mentioned problem that occurs when a manager of a management computer performs a part of maintenance and management work on a managed side, the management computer manages the managed computer. Sends an e-mail in a predetermined format including the sender and maintenance command to the computer on the side, compares the sender and command contents stored in advance on the managed side, and authenticates the maintenance command by e-mail when they match A system is disclosed.
JP-A-5-233493

  However, the technique of Patent Document 1 is applicable when the user to whom authority is delegated, the authority to be delegated, and the device used by the user are limited. Since there is no such limitation, it is not applicable.

  An object of the present invention is to provide a substitute user authentication function in a computer system, so that users with different authorities can perform a substitute work, improve work efficiency and convenience, and perform a substitute user and request. It is to be able to identify the user who performed the operation in the system and ensure the security.

In order to solve the above-mentioned problem, the invention described in claim 1
User authentication is performed based on the input unique user identification information, and when the user who has input the unique user identification information is one user having a predetermined work authority, according to the authority of the one user In a computer system provided with an authentication means that permits execution of work,
The proxy user identification information to be used when another user performs a task within the authority of the one user, the unique user identification information of the proxy user who performs the proxy task, and the work that can be performed by the proxy user Storage means for storing information in association with each other;
When the proxy user identification information is input, the proxy user requests unique user identification information, performs user authentication based on the proxy user's own unique user identification information input in response to the request, and Based on the input substitute user identification information, the unique user identification information of the substitute user, and the contents of the storage means, the substitute work that can be performed by the substitute user is determined, and the permission of the determined substitute work is permitted. Proxy authentication means to give,
It is characterized by having.

The invention according to claim 2 is the invention according to claim 1,
A log recording means is provided for recording a log so that the contents of the one user, the substitute user who performed the substitute work, and the substitute work can be identified when the substitute work is performed in the computer system. Yes.

The invention according to claim 3 is the invention according to claim 1 or 2,
It is characterized by comprising setting means for setting the proxy user identification information, the user who performs the proxy work, and the work that can be performed by the proxy user.

The invention according to claim 4
User authentication is performed based on the input unique user identification information, and when the user who has input the unique user identification information is one user having a predetermined work authority, according to the authority of the one user A user authentication method in a computer system that permits work to be performed,
The proxy user identification information to be used when another user performs a task within the authority of the one user, the unique user identification information of the proxy user who performs the proxy task, and the work that can be performed by the proxy user Store information in association,
When the proxy user identification information is input, the proxy user requests unique user identification information, performs user authentication based on the proxy user's own unique user identification information input in response to the request, and Based on the input substitute user identification information, the unique user identification information of the substitute user, and the contents of the storage means, the substitute work that can be performed by the substitute user is determined, and the permission of the determined substitute work is permitted. It is characterized by giving.

  According to the first and fourth aspects of the invention, in the computer system, the substitute user identification information used when another user acts on behalf of the work within the authority of one user, and the substitute user who performs the substitute work The unique user identification information and the information indicating the work that can be performed by the substitute user are stored in the storage means in association with each other, and when the substitute user identification information is input, the unique user identification information of the substitute user is requested and the request is made. In addition to performing user authentication based on the unique user identification information of the substitute user input in response, the substitute user implements based on the input substitute user identification information, the unique user identification information of the substitute user, and the contents of the storage means A possible proxy work is determined, and permission to perform the determined proxy work is given. Therefore, since it is possible to perform work with different work authority in the computer system, work efficiency and convenience can be improved. In addition, the proxy user and the originally authorized user can be identified on the system, and security audit tracking is facilitated. In addition, it is possible to prevent the proxy user from performing other tasks of the original authorized user beyond the predetermined proxy task authority. Furthermore, when an authorized user requests an agency user to work, even if a third party who does not have the authority to access the system intercepts the agency user identification information, the system is not permitted, so security can be ensured. .

  According to the invention described in claim 2, when a substitute operation is performed in the computer system, the log is recorded so that one user, the substitute user who performed the substitute operation, and the contents of the substitute operation can be identified. Security audit tracking is easier.

  According to the third aspect of the present invention, since the proxy user identification information, the user who performs the proxy work, and the setting means for setting the work that can be performed by the proxy user, the authorized user sets the information. It becomes possible.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. However, the scope of the invention is not limited to the illustrated examples.

First, the configuration will be described.
FIG. 1 shows a system configuration of a business system 100 in the present embodiment.
The business system 100 is, for example, a computer system installed in a company. As shown in FIG. 1, the server 1 and the terminal device 2 are connected to a network N such as a LAN (Local Area Network) and a WAN (Wide Area Network). And is connected so that data can be transmitted and received. In addition, the installation number of the terminal device 2 is not specifically limited.

  The server 1 performs user authentication based on the unique user identification information (here, user ID and password) input from the login screen of the terminal device 2, and if the user is an authorized user, Then, various functions requested by the user through the terminal device 2 are executed. The terminal device 2 displays a login screen, various setting screens for performing various settings, various input screens for requesting the server 1 to execute various functions, and accepts a function execution request from the user to the server 1. Display processing results.

Hereinafter, the internal configuration of the server 1 will be described. FIG. 2 shows the internal configuration of the server 1.
As shown in FIG. 2, the server 1 includes a CPU 11, an operation unit 12, a display unit 13, a communication control unit 14, a RAM (Random Access Memory) 15, and a storage unit 16, and each unit is connected by a bus 17. .

  The CPU 11 reads the system program stored in the storage unit 16 and develops it in a work area formed in the RAM 15 and controls each unit according to the system program. Further, the CPU 11 reads out various processing programs including the authentication processing program stored in the storage unit 16 and develops them in the work area, and executes various processing including authentication processing (see FIG. 8) described later. .

  The operation unit 12 includes a keyboard having cursor keys, numeric input keys, various function keys, and the like, and a pointing device such as a mouse. The operation signal is input to the CPU 11 through key operations on the keyboard and mouse operations. Output. The operation unit 12 may include a touch panel on the display screen of the display unit 13. In this case, the operation unit 12 outputs an instruction signal input via the touch panel to the CPU 11.

  The display unit 13 includes an LCD (Liquid Crystal Display), a CRT (Cathode Ray Tube), and the like, and displays various screens according to instructions of a display signal input from the CPU 11.

  The communication control unit 14 includes a communication interface such as a network interface card (NIC) or a modem, and exchanges data with external devices on the network N.

  The RAM 15 forms a work area for temporarily storing various programs executed by the CPU 11 and data related to these programs.

  The storage unit 16 includes an HDD (Hard Disc Drive), a non-volatile semiconductor memory, and the like, and includes a system program executed by the CPU 11, various programs including an authentication processing program corresponding to the system program, various application programs, Stores various data. These various programs are stored in the form of readable program codes, and the CPU 11 sequentially executes operations according to the program codes.

  As shown in FIG. 2, the storage unit 16 includes an authentication information file 161, an authority file 162, a proxy authentication information file 163, and a log file 164 as storage means.

  FIG. 3 shows an example of the authentication information file 161. As shown in FIG. 3, the authentication information file 161 includes a user ID (for example, usra, usrb, usrc,...) And a password (for example, usra, usrb, usrc,...) As unique user identification information for each user who can access the business system 100. 12345, 56789, 23456,...) And information (for example, authority A, authority B, authority B,...) Indicating the work authority that the user has in the system are stored in association with each other.

  FIG. 4 shows an example of the authority file 162. As shown in FIG. 4, the authority file 162 stores information (for example, operations 1 to 10, operation 5) indicating a work range that can be performed for each authority (for example, authority A, authority B, authority C,...). -10, operations 7-10, ...) are stored in association with each other.

  FIG. 5 shows an example of the proxy authentication information file 163. As shown in FIG. 5, the proxy authentication information file 163 is a proxy that is used when another user acts on behalf of a user ID (for example, usra, usrd,...) And work within the authority of the user. Proxy user IDs (eg, daikoa, daikod,...) And proxy passwords (eg, 98765, 55667,...) As user identification information, and user IDs of users who can use the proxy user ID and proxy password. (For example, usrx, usry, usrz,...) And information indicating the work performed by each user who can use the proxy user ID and password (for example, work 1, work 2, work 3,...) And information indicating the expiration date of the proxy password (for example, 200040930, 20041231, 20041001,...) Are stored in association with each other.

  Each information stored in the authentication information file 161 and each information stored in the proxy authentication information file 163 are associated through a user ID.

The system administrator or the like sets the authority of each user stored in the authentication information file 161 and the work range that can be performed for each authority stored in the authority file 162 via the operation unit 12. The user can access functions and data necessary for performing work in the work range corresponding to the authority defined in the authentication information file 161 in the business system 100.
Each user can set the user ID, password, and contents stored in the proxy authentication information file 163 stored in the authentication information file 161 from the terminal device 2 (see FIG. 7).

  The log file 164 records the date and contents of the work performed by the user in the business system 100.

  Hereinafter, the internal configuration of the terminal device 2 will be described. FIG. 6 shows an internal configuration of the terminal device 2.

  As illustrated in FIG. 6, the terminal device 2 includes a CPU 21, an operation unit 22, a display unit 23, a communication control unit 24, a RAM 25, a storage unit 26, and the like (not shown). Has been. The configurations of the CPU 21, the operation unit 22, the display unit 23, the communication control unit 24, the RAM 25, and the storage unit 26 are respectively the CPU 11, the operation unit 12, the display unit 13, the communication control unit 14, the RAM 15, and the storage unit 16 described in FIG. Is substantially the same.

  The display unit 23 displays a substitute password setting screen 231 shown in FIG. 7 in response to a request input from the operation unit 22. The substitute password setting screen 231 is a setting unit, and performs a substitute user ID, a substitute password, and a substitute work that are used when a user who is requested to log in logs in when a user requests a substitute for work from another user. It is a screen for setting the expiration date of the substitute user, the work performed by the substitute user, and the substitute password. When an input is made from this screen and the “set” button 231 a is pressed, the contents of the proxy authentication information file 163 are updated in the server 1.

Next, the operation of the present embodiment will be described.
FIG. 8 shows an authentication process executed by the CPU 11 of the server 1. CPU11 performs the said process by the software process by cooperation with the authentication process program memorize | stored in the memory | storage part 16. FIG. By executing the processing, an authentication unit, a proxy authentication unit, and a log recording unit are realized.

  When the user ID and password, or the substitute user ID and substitute user password are input from the login screen of the terminal device 2 via the communication control unit 14 (step S1), the authentication information file 161 is referred to and a login request is made. It is determined whether or not the user who has been authorized is the authorized user (step S2).

  If it is determined in step S2 that the user who requested the login is an authorized user (step S2; YES), the user has authority based on the input authentication condition, that is, the user ID and password. The work performed is discriminated and the execution is permitted (step S3), and the date and time when the work was performed, the work content, and information indicating the user who performed the work are recorded in the log file 164 (step S9).

  On the other hand, when it is determined in step S2 that the user who requested the login is not the authorized user (step S2; NO), the proxy authentication information file 163 is referred to, and the content input from the login screen is the proxy user. It is determined whether the ID and the substitute password are used (step S4).

  In step S4, if it is determined that the contents input from the login screen are the substitute user ID and the substitute password (step S4; YES), the user ID and password of the substitute person are requested from the terminal device 2 (step S4). S5) When the user ID and password of the substitute user are input from the terminal device 2 (step S6), the authentication information file 161 and the substitute authentication information file 163 are referred to, and the user is permitted to access the business system 100. It is determined whether or not the user has been authorized and whether or not the user is authorized (step S7).

  If it is determined in step S7 that the user is permitted to access and act on the system (step S7; YES), the input authentication conditions, that is, the user ID, password, surrogate user ID, and surrogate user password Based on the contents of the proxy authentication information file 163, the work that the user can substitute is determined, the execution is permitted (step S8), the date and time when the work was performed, the user who requested the work, and the work was performed. Information representing the proxy user and the work content is recorded in the log file 164 (step S9).

  On the other hand, when it is determined that the content input from the login screen is not the user ID and password of the user, but also the substitute user ID and password (step S4; NO), the process proceeds to step S10 and access is performed. The failure is recorded in the log file 164 in association with the input content and date (step S10). If it is determined in step S7 that the user is not permitted to access and / or substitute for the system (step S7; YES), the process proceeds to step S10, and the terminal indicates that the access has failed. The contents input from the device 2 and the access date and time are associated with each other and recorded in the log file 164 (step S10).

FIG. 9 shows a proxy procedure when the higher-level authority user A requests the lower-level authority user X for the higher level work 1 that can be performed only by the higher-level authority, and the lower-level authority user X performs the proxy work.
First, the upper authority user A passes the substitute user ID and the substitute password to the lower authority user X and requests work 1 (step T1).
The subordinate authority user X who has received the request inputs the substitute user ID and substitute password of the superordinate authority user A from the login screen (step T2).
When the substitute user ID and password are entered, the user ID and password of the subordinate authority user X are requested from the login screen, and therefore, the subordinate authority user X inputs his user ID and password (step T3).
When the execution of the work 1 is permitted, the lower-privileged user X performs the work 1 (step T4).

  FIG. 10 shows an example of a log recorded in the log file 164 when the lower authority user X performs the work 1 in response to the request from the upper authority user A in the procedure of FIG. As shown in FIG. 10, when a proxy work is performed, the date and time when the work was performed, the user who performed the work, the user who requested the work, and information indicating the work content are recorded as a log.

  As described above, according to the business system 100, when the proxy user ID and the proxy user password are input from the login screen of the terminal device 2, the user ID and password of the proxy himself / herself are requested to the terminal device 2, and the terminal When the user ID and password of the substitute user are input from the device 2, the authentication information file 161 and the substitute authentication information file 163 are referred to, and whether or not the user is permitted to access the business system 100. And if it is determined whether or not the user is permitted to perform the proxy, and if it is determined that the user is permitted to access and proxy the system, the input authentication conditions, that is, the user ID, the password, and the proxy Based on the user ID, the proxy user password, and the contents of the proxy authentication information file 163, the user can proxy It is discriminated Do work, its implementation is allowed, the date and time the work was carried out, work, the user who requested the work, information indicating the delegated user with working is recorded in the log file 164.

  Therefore, since the user can perform a substitute for work with different work authority in the business system 100, work efficiency and convenience can be improved. In addition, it is possible to identify on the system the user who has the original authority and the authorized user and has requested the work, and the security audit can be easily traced. In addition, it is possible to prevent the substitute user from performing other work of the user who requested the work beyond the predetermined substitute work authority. Moreover, even when a third party who does not have access authority to the system intercepts the substitute user identification information when requesting the substitute user, security is ensured because the system is not permitted.

  In addition, the description content in embodiment mentioned above is a suitable example of the business system 100 which concerns on this invention, and is not limited to this.

  For example, in the above embodiment, the user ID and password are used as the unique user identification information, and the user authentication is performed based on the information input from the terminal device 2, but the present invention is not limited to this. For example, the user may have an ID card in which unique user identification information is recorded, and authentication may be performed using information obtained by reading the ID card from the terminal device 2. In addition, user authentication may be performed using biometric information such as a fingerprint, a voiceprint, and an iris as unique user identification information.

  Conventionally, a common user ID and password is provided for each work, such as for reception work and approval work, and a plurality of users log in using a common user ID and password set for each work and perform work. However, it was a problem that the system could not identify which user performed the work. Therefore, when applying the present invention and attempting to log in with a common user ID and password, request the user's own user ID and password, perform user authentication based on the input user ID and password, and record in a log This is preferable because the user who performed the work is identified on the system and can be traced in the security audit.

  In addition, the detailed configuration and detailed operation of the components of the business system 100 can be changed as appropriate without departing from the spirit of the present invention.

It is a figure which shows the whole structure of the business system 100 which concerns on this invention. It is a block diagram which shows the functional structure of the server 1 of FIG. It is a figure which shows the example of a data storage of the authentication information file 161 memorize | stored in the memory | storage part 16 of FIG. It is a figure which shows the example of data storage of the authority file 162 memorize | stored in the memory | storage part 16 of FIG. It is a figure which shows the example of data storage of the proxy authentication information file 163 memorize | stored in the memory | storage part 16 of FIG. It is a block diagram which shows the functional structure of the terminal device 2 of FIG. It is a figure which shows the substitute password setting screen 231 displayed on the display part 23 of FIG. It is a flowchart which shows the authentication process performed by CPU11 of FIG. It is a figure which shows the substitute procedure at the time of the high-order authority user A request | requires the high-order work 1 which only a high-order authority can implement to the low-order authority user X, and the low-order authority user X implements a substitute work. 5 is a diagram illustrating an example of contents recorded in a log file 164. FIG.

Explanation of symbols

100 business system 1 server 2 terminal device 11, 21 CPU
12, 22 Operation unit 13, 23 Display unit 14, 24 Communication control unit 15, 25 RAM
16, 26 Storage unit 161 Authentication information file 162 Authority file 163 Proxy authentication information file 164 Log file 17, 27 Bus

Claims (4)

User authentication is performed based on the input unique user identification information, and when the user who has input the unique user identification information is one user having a predetermined work authority, according to the authority of the one user In a computer system provided with an authentication means that permits execution of work,
The proxy user identification information to be used when another user performs a task within the authority of the one user, the unique user identification information of the proxy user who performs the proxy task, and the work that can be performed by the proxy user Storage means for storing information in association with each other;
When the proxy user identification information is input, the proxy user requests unique user identification information, performs user authentication based on the proxy user's own unique user identification information input in response to the request, and Based on the input substitute user identification information, the unique user identification information of the substitute user, and the contents of the storage means, the substitute work that can be performed by the substitute user is determined, and permission for the execution of the determined substitute work is permitted. Proxy authentication means to give,
A computer system comprising:   When a substitute work is performed in the computer system, the log system includes a log recording unit that records the log so that the one user, the substitute user who performed the substitute work, and the contents of the substitute work can be identified. The computer system according to claim 1.   The computer system according to claim 1, further comprising a setting unit configured to set the proxy user identification information, a user who performs the proxy task, and a task that can be performed by the proxy user. User authentication is performed based on the input unique user identification information, and when the user who has input the unique user identification information is one user having a predetermined work authority, according to the authority of the one user A user authentication method in a computer system that permits work to be performed,
The proxy user identification information to be used when another user performs a task within the authority of the one user, the unique user identification information of the proxy user who performs the proxy task, and the work that can be performed by the proxy user Store information in association,
When the proxy user identification information is input, the proxy user requests unique user identification information, performs user authentication based on the proxy user's own unique user identification information input in response to the request, and Based on the input substitute user identification information, the unique user identification information of the substitute user, and the contents of the storage means, the substitute work that can be performed by the substitute user is determined, and permission for the execution of the determined substitute work is permitted. A user authentication method.

Images