JP2014215699A - Authority management device and method of the same, authentication device, and computer program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an authority management device or the like capable of speedily determining authority information and efficiently managing it even when the authority information is given to a user in a condition that the user belongs to one or more groups.SOLUTION: The monitoring controller 1 includes: a composite group information search unit 2 for obtaining a specific authority ID from composite group information 111 on the basis of belonged group information 101 including one or more group IDs; and an authority information search unit 3 for obtaining the authority information associated with the specific authority ID from first authority information 112 on the basis of the obtained specific authority ID.

Description

  The present invention relates to a technical field for controlling and managing authority information related to a user using an information processing apparatus, for example.

  In recent years, there are a plurality of websites due to the spread of the Internet. As a system for efficiently managing a plurality of websites, for example, a portal site (hereinafter referred to as “portal site system” or simply “portal”) is generally known.

  The portal site not only has various functions such as mail, schedule management, document management, and telephone directory, but also has a function for centrally managing access to various business systems.

  Therefore, for example, a company that introduces a portal site can efficiently perform business by sharing a plurality of information scattered throughout the company through the portal site.

  From such a background, for example, even if a user who uses a portal site belongs to a plurality of companies (organizations), the administrator of the company or the portal site is responsible for the user for each company to which the user belongs. There is a desire to manage authority information such as content access authority, right to refer to various information, and update authority.

  Here, as a related technique existing prior to the application of the present application, for example, Patent Document 1 discloses a technique related to an authentication system, an authentication information providing apparatus, a use authority control apparatus, an authentication method, and a program.

  The file management apparatus of the authentication system disclosed in Patent Literature 1 is based on the organization information provided from the authentication information providing apparatus and the history information of at least one of the integration and division of the organization. Judge whether there is usage authority for.

  As a result, Patent Document 1 can reduce the work burden of granting access authority to an organization or group after integration or division when the integration or division of the organization or group occurs.

  Patent Document 2 discloses a technology related to an information processing apparatus, an information management system, an information management method, a program, and a storage medium.

  The information processing apparatus disclosed in Patent Document 2 sets access rights for users and groups according to access right setting conditions set for each folder when a personnel organization change occurs.

  As a result, Patent Document 2 can set access rights for newly created users and groups, and users and groups that have been transferred, simply by setting access right setting conditions.

JP 2011-013982 A JP 2007-323357 A

  By the way, a generally known authentication apparatus has user information including a user identifier (Identification: hereinafter referred to as “ID”) that can uniquely identify a user, and information about a group to which the user belongs (hereinafter, “group”). It is known to authenticate a user and grant authority information such as an appropriate access right using information on the authority for the user or group (hereinafter referred to as “authority information”). ing.

  As an example, a method for granting authority information for each user or group in the authentication apparatus is a method for assigning authority information for each user, a user belonging to a group, and authority information for each group. There is a method.

  However, if you want to grant authority information on the condition that you belong to multiple groups, in the method of granting authority information for each such group, define a group for each condition and authority information to the defined group Need to be defined.

  Furthermore, in the method of granting authority information for each user, management such as defining authority information for each user is required. For example, when a change occurs in the department or position to which a user belongs due to personnel changes or the like, such a method needs to update not only user information but also authority information.

  In other words, these two methods require a large number of man-hours for managing the various types of information described above.

  Patent Documents 1 and 2 only describe managing access rights to various information such as documents and folders assigned to organizational units or group units, and access rights to user units. Management of such authority is not taken into account and nothing is stated.

  The main object of the present invention is to obtain authority information promptly and to manage it efficiently, even when authority information is given on the condition that it belongs to one or more groups. Is to provide.

  In order to achieve the above object, an authority management apparatus according to the present invention has the following configuration.

That is, the authority management device according to the present invention is
A composite group name defined based on one or more group information including the group name, based on group information including one or more group IDs capable of identifying a group name defined for each attribute, and the composite group A composite group information search unit for obtaining a specific authority ID associated with the one or more group IDs from the composite group information including an authority ID that can identify the authority information defined in the name;
An authority information search unit for obtaining authority information associated with the specific authority ID from the first authority information including the authority information and the specific authority ID based on the specific authority ID;
It is characterized by providing.

  Alternatively, the same object can be achieved by an authentication device including the authority management device described above.

  In order to achieve the object, an authority management method according to the present invention is characterized by having the following configuration.

That is, the authority management method according to the present invention is:
The authority management device
A composite group name defined based on one or more group information including the group name, based on group information including one or more group IDs capable of identifying a group name defined for each attribute, and the composite group Obtaining a specific authority ID associated with the one or more group IDs from the composite group information including the authority ID that can identify the authority information defined in the name;
Based on the specific authority ID, the authority information associated with the specific authority ID is obtained from the first authority information including the authority information and the specific authority ID.
It is characterized by that.

  This object is also achieved by a computer program that implements the authority management apparatus and method having the above-described configurations by a computer, and a computer-readable storage medium that stores the computer program.

  According to the present invention, even when authority information is given on the condition that it belongs to one or more groups, it is possible to promptly obtain authority information and efficiently manage it.

It is a block diagram which shows the structure of the authority management apparatus in the 1st Embodiment of this invention. It is the figure which illustrated concretely the composition of group information (1st group information) contained in the group information group in a 1st embodiment of the present invention. It is the figure which illustrated concretely the composition of group information (the 2nd group information) contained in the group information group in a 1st embodiment of the present invention. It is the figure which illustrated concretely the composition of compound group information in a 1st embodiment of the present invention. It is the figure which illustrated concretely the composition of the 1st authority information in a 1st embodiment of the present invention. It is a block diagram which shows the structure of the authority management apparatus in the 2nd Embodiment of this invention. It is a block diagram which shows the structure of the authentication apparatus containing the authority management apparatus in the 3rd Embodiment of this invention. It is the figure which illustrated concretely the composition of user information in a 3rd embodiment of the present invention. It is a flowchart which shows the operation | movement at the time of providing the authority information which the authentication apparatus containing the authority management apparatus in the 3rd Embodiment of this invention performs. It is a flowchart which shows the operation | movement at the time of updating the user information which the authentication apparatus containing the authority management apparatus in the 3rd Embodiment of this invention performs. It is a block diagram explaining illustratively the hardware constitutions of the information processor which can realize each embodiment concerning the present invention.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

<First Embodiment>
FIG. 1 is a block diagram showing the configuration of the authority management device 1 according to the first embodiment of the present invention. In FIG. 1, the authority management device 1 includes a composite group information search unit 2 and an authority information search unit 3.

  More specifically, the composite group information search unit 2 searches the composite group information 111 based on the acquired belonging group information 101 in response to acquiring the belonging group information 101 (for the composite group information 111, This will be described later in this embodiment).

  Here, the affiliation group information 101 includes a group ID for which a group name is defined for each attribute such as “department” and “position” to which the user belongs, and the group name can be identified. More specifically, for example, when the user belongs to one or more groups, the belonging group information 101 includes one or more group IDs to which the user belongs.

  Next, the composite group information search unit 2 searches the composite group information 111 based on the acquired affiliation group information 101. As a result, the affiliation group information 101 (that is, one or more group IDs) is retrieved from the composite group information 111. ) To obtain a specific authority ID (hereinafter, also simply referred to as “authority ID”) that can identify the authority information associated with (), and transmits the determined specific authority ID to the authority information search unit 3.

  The authority information search unit 3 receives the specific authority ID from the composite group information search unit 2 and searches the first authority information 112 based on the received specific authority ID (for the first authority information 112). Will be described later in this embodiment).

  Next, the authority information search unit 3 searches the first authority information 112 based on the received specific authority ID, and as a result, authority information associated with the specific authority ID from the first authority information 112. Ask for.

  Thereby, for example, an authentication device (not shown) can give the user the authority information obtained by the authority information search unit 3.

  The storage unit 4 is a storage device that can read and write data by a computer.

  More specifically, as an example, the storage unit 4 can employ a nonvolatile storage device such as an HDD mounted on an electronic device such as a server device.

  For example, the storage unit 4 may employ a storage device (not shown) connected to a communication network (not shown). However, the present invention described using this embodiment as an example is not limited to these (the same applies to the following embodiments).

  The storage unit 4 stores a group information group 110, composite group information 111, and first authority information 112.

  The group information group 110 includes one or more group information. More specifically, as an example, when managing personnel information, the group information group 110 includes information (group information) including one or more group names defined for each company organization (that is, department) or post. It is.

  In the following description, for convenience of description, as an example, the group information group 110 includes first group information (FIG. 2A) and second group information (FIG. 2B).

  2A and 2B are diagrams specifically illustrating the configuration of group information included in the group information group 110 according to the first embodiment of the present invention.

  More specifically, FIG. 2A (first group information) is group information in which “departments” constituting a company are defined as one group.

  In FIG. 2A, the second column shows “HR Department”, “Sales Department”, etc., which are department names, as group names. The first column shows a group ID that can identify the group name. The third column shows the authority ID that can identify the authority information defined for each group name.

  FIG. 2B (second group information) is group information in which “positions” belonging to a department are defined as one group.

  In FIG. 2B, the second column shows the titles of “department manager”, “section manager”, etc. as group names. The first column shows a group ID that can identify the group name. The third column shows the authority ID that can identify the authority information defined for each group name.

  In the above-described embodiment, for convenience of explanation, the group information group 110 has been described as an example in which the group information group 110 includes two pieces of group information, ie, first group information and second group information. However, the embodiment according to the present invention is not limited to such a configuration, and the group information group 110 may adopt a configuration including one or more pieces of group information.

  Next, FIG. 3 is a diagram specifically illustrating the configuration of the composite group information 111 in the first embodiment of the present invention.

  More specifically, the composite group information 111 is included in the group information group 110, for example, a group name defined by combining the first group information and the second group information (hereinafter, for convenience of explanation) (Referred to as “complex group name”). The composite group information 111 includes an authority ID that can identify the authority information defined for the composite group.

  In FIG. 3, the second column indicates the composite group name. The first column shows a group ID that can identify the composite group name. The third column shows the group ID (inclusion group ID) included in the composite group. The fourth column shows the authority ID that can identify the authority information defined for each composite group name.

  In the present embodiment described above, for convenience of explanation, as an example, the composite group information 111 has a configuration defined by combining the first group information and the second group information included in the group information group 110. Explained in the example. However, the embodiment according to the present invention is not limited to such a configuration.

  The composite group information 111 may be configured by combining one or more pieces of group information included in the group information group 110.

  In this case, for example, when the group information group 110 includes the first group information, the second group information, and the third group information, the composite group information 111 combines the first and third group information. The first to third group information may be combined, or the second and third group information may be combined.

  That is, the composite group information 111 may be configured, for example, by combining one or more pieces of group information desired by the system administrator. For example, the composite group information 111 may indicate that the user belongs to one or more specific groups. When authority information is given to the user in the condition, it may be configured by combining the specific one or more group information.

  Note that the composite group information 111 may be configured by combining any one of the above-described configurations or one or more configurations.

  Further, the group information group 110 and the composite group information 111 may adopt a configuration defined in advance by a system administrator, for example. However, the present invention described using this embodiment as an example is not limited to these configurations (hereinafter, the same applies to each embodiment).

  Next, FIG. 4 is a diagram specifically illustrating the configuration of the first authority information 112 in the first embodiment of the present invention.

  More specifically, the first authority information 112 includes an authority ID that can identify the authority information and authority information (authority name) associated with the authority ID.

  In FIG. 4, the first column shows the authority ID. The second column shows authority information (authority name).

  As described above, according to the authority management device 1 according to the present embodiment, even when authority information is given on the condition that it belongs to one or more groups, the authority information is promptly obtained and efficiently obtained. Can be managed. The reason is as described below.

  That is, the composite group information search unit 2 can promptly obtain a specific authority ID from the composite group information 111 composed of one or more groups based on the affiliation group information 101. Moreover, the authority information search part 3 calculates | requires the authority information linked | related with the said authority ID from the 1st authority information 112 based on the calculated | required specific authority ID. That is, the composite group information search unit 2 only needs to search the composite group information 111, and does not need to search for each group defined on the condition that it belongs to one or more generally known groups. .

  Further, for example, the system administrator may manage only the composite group information 111 instead of managing the group defined for each condition. Therefore, the system administrator can efficiently manage the group information and the authority information.

  Furthermore, since authority information is not managed for each user, even if a change occurs in the group to which the user belongs, the system administrator can perform the group information group 110, the composite group information 111, and the first authority information. There is no need to update 112.

<Second Embodiment>
Next, a second embodiment based on the authority management device 1 according to the first embodiment of the present invention described above will be described. In the following description, the characteristic part according to the present embodiment will be mainly described. At this time, the same reference numerals are assigned to the same configurations as those in the above-described embodiments, and duplicate descriptions are omitted.

  FIG. 5 is a block diagram illustrating a configuration of the authority management device 10 according to the second exemplary embodiment of the present invention.

  In FIG. 5, the authority management apparatus 10 is different from the authority management apparatus 1 described in the first embodiment in that it includes a group information search unit 11.

  The group information search unit 11 searches the group information group 110 based on the acquired group information 101 in response to acquiring the group information 101.

  As a result of searching the group information group 110 based on the acquired group information 101, the group information search unit 11 obtains the authority ID associated with the group information 101 from the group information group 110, and the obtained authority. The ID is transmitted to the authority information search unit 3.

  That is, the group information search unit 11 obtains the authority ID associated with the group ID from the group information corresponding to the group ID included in the group information group 110 based on each group ID included in the belonging group information 101.

  The process of the authority information search unit 3 when receiving the authority ID is the same as the process described in the first embodiment. Therefore, the overlapping description is omitted.

  As described above, according to the authority management apparatus 10 according to the present embodiment, the effect described in the first embodiment can be enjoyed, and even if the user does not belong to a plurality of groups, the authority can be promptly obtained. You can ask for information. The reason is that the authority management apparatus 10 further includes a group information search unit 11. This is because the group information search unit 11 can promptly obtain an authority ID from the group information group 110 based on the belonging group information 101.

<Third Embodiment>
Next, a third embodiment based on the authority management apparatus 10 according to the second embodiment of the present invention described above will be described. In the following description, the characteristic part according to the present embodiment will be mainly described. At this time, the same reference numerals are assigned to the same configurations as those in the above-described embodiments, and duplicate descriptions are omitted.

  FIG. 6 is a block diagram showing a configuration of the authentication device 20 including the authority management device 22 according to the third embodiment of the present invention.

  The authentication device 20 roughly includes an information processing unit 21 including an authority management device 22 and a storage unit 4.

  More specifically, the information processing unit 21 includes a user information management unit 23, a group information unit 24, a user information search unit 25, and an authority management device 22.

  The authority management device 22 is different from the authority management device 10 described in the second embodiment in that it includes a composite group information management unit 26.

  The composite group information management unit 26 updates the composite group information 111.

  More specifically, the composite group information management unit 26 assigns authority information (authority name) included in the first authority information 112 corresponding to the composite group name, the composite group name, and the information (composite name), for example. (Group ID, composite group name, inclusion group ID, authority ID) are managed.

  The user information management unit 23 updates the user information 113 (the user information 113 will be described later in this embodiment).

  The group information unit 24 updates the group information group 110.

  More specifically, for example, the group information unit 24 grants authority information (authority name) included in the first authority information 112 corresponding to the group name, and the information (group ID, group name, authority ID). Manage.

  In addition, since the technology itself in which the user information management unit 23, the group information unit 24, and the composite group information management unit 26 update various kinds of information can be generally adopted, for example, a technology for updating a database can be adopted. Detailed description in this embodiment will be omitted (hereinafter, the same applies to each embodiment).

  For example, when receiving a user ID that can identify a user and a password associated with the user ID, the user information search unit 25 searches the user information 113 based on the received user ID and password. .

  As a result of searching the user information 113 based on the user ID and password, the user information search unit 25 obtains the group ID of the group name (affiliation group name) associated with the user ID and password.

  Further, the user information search unit 25 transmits the group ID obtained from the user information 113 to the authority management device 22 as the belonging group information 101.

  The storage unit 4 further stores user information 113.

  FIG. 7 is a diagram specifically illustrating the configuration of the user information 113 in the third embodiment of the present invention.

  More specifically, the user information 113 includes, for example, information in which a user ID, a password, a name, and a group ID of all groups (groups) to which the user belongs can be uniquely identified.

  In FIG. 7, the first column shows the user ID. The second column shows the password. The third column shows the name of the user. The fourth column shows all group IDs to which the user belongs.

  Next, a more specific operation of the authority management device 22 according to the third exemplary embodiment of the present invention will be described with reference to FIGS. 2 to 4 and FIGS. 6 to 9.

  FIG. 8 is a flowchart showing an operation when granting authority information performed by the authentication apparatus 20 including the authority management apparatus 22 according to the third embodiment of the present invention.

  Here, in the following description, for convenience of description, as an example, the authentication device 20 acquires a user ID and a password in response to a user operating a business application (not illustrated) (that is, a login operation). I will do it.

  Also, the authentication device 20 grants authority information set for the user.

  For convenience of explanation, the above-described configuration will be described as an example, but the present invention is not limited to this.

Step S1:
When the user information search unit 25 receives the user ID and the password, the user information search unit 25 searches the user information 113 based on the received user ID and password.

  That is, the user information search unit 25 performs an authentication process based on the received user ID and password.

  Here, as an example, the user information search unit 25 receives the user ID “U-00001” and the password “Pwd00001”.

“YES” in step S2:
When the user information search unit 25 searches the user information 113 based on the user ID and the password, and the user information 113 includes the user ID and the password, the process proceeds to step S3.

  That is, the user information search unit 25 determines that the authentication by the user ID is successful when the user ID and the password are in the user information 113.

“NO” in step S2:
As a result of searching the user information 113 based on the user ID and the password, the user information search unit 25 ends the process when the user information 113 does not include the user ID and the password.

  That is, when the user information and the password are not included in the user information 113, the user information search unit 25 determines that the authentication by the user ID has failed.

Step S3:
As a result of searching the user information 113 based on the user ID and the password, the user information search unit 25 obtains a group (group ID) associated with the user ID and the password from the user information 113.

  Further, the user information search unit 25 transmits the obtained belonging group as belonging group information 101 to the authority management apparatus 22.

  Here, it is assumed that the user information search unit 25 obtains the belonging group “D-HR, G-SM” associated with the user ID “U-00001” and the password “Pwd00001” from the user information 113.

Step S4:
The group information search unit 11 searches the group information group 110 based on the acquired group information 101 in response to acquiring the group information 101.

Step S5:
As a result of searching the group information group 110 based on the belonging group information 101, the group information searching unit 11 obtains an authority ID associated with each group ID included in the belonging group information 101 from the group information group 110. At the same time, the obtained authority ID is transmitted to the authority information search unit 3.

  Here, the group information search unit 11 obtains the authority ID “HR-REF” associated with the belonging group “D-HR”. Further, the group information search unit 11 obtains the authority ID “HR-REF, BT-APP, EXP-APP” associated with the belonging group “G-SM”.

Step S6:
The composite group information search unit 2 searches the composite group information 111 based on the acquired group information 101 in response to acquiring the group information 101.

Step S7:
As a result of searching the composite group information 111 based on the affiliation group information 101, the composite group information search unit 2 obtains the authority ID associated with the affiliation group information 101 from the composite group information 111, and the obtained authority ID. Is transmitted to the authority information search unit 3.

  Here, it is assumed that the composite group information search unit 2 obtains the authority ID “HR-APP” that includes the group “D-HR, G-SM”.

Step S8:
The authority information search unit 3 receives the authority ID from the composite group information search unit 2 and the group information search unit 11 and searches for the first authority information 112 based on the received authority ID.

  In the above-described embodiment, for the sake of convenience of explanation, the information processing unit 21 has been described as an example of a configuration having one authority information search unit 3 as an example. However, the embodiment according to the present invention is not limited to such a configuration, and the information processing unit 21 may employ a configuration having two authority information search units 3.

  In that case, one authority information search unit 3 receives the authority ID from the composite group information search unit 2. The other authority information search unit 3 may adopt a configuration for receiving an authority ID from the group information search unit 11.

Step S9:
As a result of searching the first authority information 112 based on the received authority ID, the authority information search unit 3 obtains authority information associated with the authority ID.

  Accordingly, the authentication device 20 can give the authority information obtained by the authority information search unit 3 to a user who operates a business application (not shown).

  FIG. 9 is a flowchart showing an operation when updating the user information 113 performed by the authentication device 20 including the authority management device 22 according to the third embodiment of the present invention.

  Here, in the following description, for convenience of explanation, as an example, the authentication apparatus 20 receives an update request for user information 113 from the system in response to a user operating a system that manages personnel information (not shown). I decided to.

  Further, for example, the user information 113 is changed from the “HR department” to which the user “Taro Yamada” belongs to “sales department” due to personnel changes.

  For convenience of explanation, the above-described configuration will be described as an example, but the present invention is not limited to this.

Step S21:
In response to receiving the update request for the user information 113, the user information management unit 23 searches the user information 113 based on the user ID included in the update request.

  Here, the update request includes the user ID “U-00001” and the group ID “D-SALES, G-SM”.

Step S22:
As a result of searching the user information 113 based on the update request, the user information management unit 23 updates the group ID associated with the user ID to the group ID included in the update request.

  Here, the user information management unit 23 updates the group ID included in the user information 113 from “D-HR, G-SM” to “D-SALES, G-SM”.

  As described above, according to the authority management device 22 according to the present embodiment, the effects described in the embodiments can be enjoyed, and the authority information can be managed efficiently. The reason is that the authority information is not managed for each user, so even if a change occurs in the group to which the user belongs, the system administrator only has to update the user information 113, and the group information group 110, There is no need to update the composite group information 111 and the first authority information 112. That is, the system administrator can manage authority information efficiently.

  Further, the authority management device 22 is suitable for application to a generally known authentication device, for example.

(Hardware configuration example)
In the embodiment described above, each unit shown in FIGS. 1, 5, and 6 can be regarded as a function (processing) unit (software module) of a software program. However, the division of each part shown in these drawings is a configuration for convenience of explanation, and various configurations can be assumed for mounting. An example of the hardware environment in this case will be described with reference to FIG.

  FIG. 10 is a diagram illustrating an exemplary configuration of an information processing apparatus 300 (computer) that can execute the monitoring control apparatus according to the exemplary embodiment of the present invention. That is, FIG. 10 can implement the authority management apparatus 1 shown in FIG. 1, or the authority management apparatus 10 shown in FIG. 5 or the authority management apparatus 22 shown in FIG. This is a configuration of a computer (information processing apparatus) such as a server or a host computer, and represents a hardware environment capable of realizing each function in the above-described embodiment.

  The information processing apparatus 300 illustrated in FIG. 10 includes a CPU (Central_Processing_Unit) 301, a ROM (Read_Only_Memory) 302, a RAM (Random_Access_Memory) 303, a hard disk 304 (storage device), and a communication interface (Interface: hereinafter “I”). / F ”) 305, and a reader / writer 308 capable of reading and writing data stored in a storage medium 307 such as a CD-ROM (Compact_Disc_Read_Only_Memory), and these components are connected via a bus 306 (communication line). It is a general computer.

  The present invention described by taking each of the above-described embodiments as an example is a block configuration diagram (FIGS. 1, 5, and 6) referred to in the description of the information processing apparatus 300 illustrated in FIG. Alternatively, it is achieved by supplying a computer program capable of realizing the functions of the flowcharts (FIGS. 8 and 9), reading the computer program to the CPU 301 of the hardware, and interpreting and executing the computer program. The computer program supplied to the apparatus may be stored in a readable / writable volatile storage memory (RAM 303) or a nonvolatile storage device such as the hard disk 304.

  In the above case, the computer program can be supplied to the hardware by a method of installing the computer program via various storage media 307 such as a CD-ROM or a communication line such as the Internet. Currently, a general procedure can be adopted, such as a method of downloading from the outside. In such a case, the present invention can be understood to be configured by a code constituting the computer program or a storage medium 307 in which the code is stored.

  The present invention is not limited to the embodiments described above. The present invention is applicable to various systems equipped with a function for managing various authority information such as a portal site system and groupware.

DESCRIPTION OF SYMBOLS 1 Authority management apparatus 2 Composite group information search part 3 Authority information search part 4 Memory | storage part 10 Authority management apparatus 11 Group information search part 20 Authentication apparatus 21 Information processing part 22 Authority management apparatus 23 User information management part 24 Group information part 25 User information Search unit 26 Composite group information management unit 101 Affiliated group information 110 Group information group 111 Composite group information 112 First authority information 113 User information 300 Information processing device 301 CPU
302 ROM
303 RAM
304 Hard Disk 305 Communication Interface 306 Bus 307 Storage Medium 308 Reader / Writer

Claims (9)

A composite group name defined based on one or more group information including the group name, based on group information including one or more group IDs capable of identifying a group name defined for each attribute, and the composite group A composite group information search unit for obtaining a specific authority ID associated with the one or more group IDs from the composite group information including an authority ID that can identify the authority information defined in the name;
An authority information search unit for obtaining authority information associated with the specific authority ID from the first authority information including the authority information and the specific authority ID based on the specific authority ID;
An authority management device comprising: Based on the one or more group IDs, the one or more group information is referred to, and the specific authority ID associated with the group ID is selected from the group information corresponding to each group ID. The group information search department
The authority management apparatus according to claim 1, further comprising: The composite group information is:
A composite group name defined by combining the one or more group information, the one or more group IDs included in the composite group name, the composite group ID, and the composite group name The authority management apparatus according to claim 1, wherein the authority management apparatus includes the defined authority ID. The group information is
The group name defined for each attribute, the group ID that can identify the group name, and the authority ID defined for the group name are included. 4. The authority management device according to any one of 3.   An authentication apparatus comprising the authority management apparatus according to claim 1. The authority management device
A composite group name defined based on one or more group information including the group name, based on group information including one or more group IDs capable of identifying a group name defined for each attribute, and the composite group Obtaining a specific authority ID associated with the one or more group IDs from the composite group information including the authority ID that can identify the authority information defined in the name;
Based on the specific authority ID, the authority information associated with the specific authority ID is obtained from the first authority information including the authority information and the specific authority ID.
An authority management method characterized by that.   Based on the one or more group IDs, the one or more group information is referred to, and the specific authority ID associated with the group ID is selected from the group information corresponding to each group ID. The authority management method according to claim 6, further obtained. A computer program for controlling the operation of the authority management device, the computer program,
A composite group name defined based on one or more group information including the group name, based on group information including one or more group IDs capable of identifying a group name defined for each attribute, and the composite group A function for obtaining a specific authority ID associated with the one or more group IDs from composite group information including an authority ID that can identify the authority information defined in the name;
A function for obtaining authority information associated with the specific authority ID from the first authority information including the authority information and the specific authority ID based on the specific authority ID;
A computer program characterized in that a computer is realized. Based on the one or more group IDs, the one or more group information is referred to, and the specific authority ID associated with the group ID is selected from the group information corresponding to each group ID. The group information search department
The computer program according to claim 8, further comprising:

Images