Automatic authorization device, automatic authorization method, and automatic authorization program
The automatic authority granting device addresses the challenge of managing user access rights in integrated business systems by using a data management system to automatically allocate permissions based on employee information, improving efficiency and reducing administrative workload.
Patent Information
- Authority / Receiving Office: JP · JP
- Patent Type: Applications
- Current Assignee / Owner: OBIC CO LTD
- Filing Date: 2024-12-03
- Publication Date: 2026-06-15
Description
【Technical Field】 【0001】 The present invention relates to an automatic authority granting device, an automatic authority granting method, and an automatic authority granting program. 【Background Art】 【0002】 Patent Document 1 describes an access right management device and the like for grasping appropriate access rights to a system. 【Prior Art Documents】 【Patent Documents】 【0003】 【Patent Document 1】 Japanese Unexamined Patent Application Publication No. 2024-134346 【Summary of the Invention】 【Problems to be Solved by the Invention】 【0004】 Here, in an integrated business system such as an ERP for corporate use, it is common for an administrator to create individual user accounts and restrict the available scope according to the management area. For example, when an employee joins or leaves the company, the creation and deletion of user accounts are performed. When a person logs in to the system, the person in charge of the business system grants administrator rights to the corresponding area, and a general employee can only use the approval part according to the employee's personal use screen and job responsibilities, etc., and the operable functions are differentiated. 【0005】 When an employee joins, transfers, or leaves the company, it is necessary to immediately and accurately change the setting of the system usage rights. For example, when an employee is hired, the new employee should be able to log in to the system from the first day of work and clock in and out, settle expenses, input employment and recruitment documents, and declare personal information. The joining dates of mid-career hires and part-time workers occur at any time without consistency. Therefore, it is necessary to catch up on the employment information and respond immediately. 
【0006】 Furthermore, when there are changes in department or job responsibilities, it is necessary to promptly adjust the login destination, grant permissions to enable approval actions, and increase or decrease the number of systems available to the transferred employee, in line with the transfer date. For example, changes may be required for the transferred employee's time clock, expense reimbursement, workflow, and payslip. During large-scale annual organizational restructuring, settings changes will occur for a large number of users at once. 【0007】 Furthermore, when an employee leaves the company, it is necessary to restrict their access to the system for information control and to optimize the number of user licenses. For example, it may be necessary to restrict or prohibit former employees from accessing time clocking, expense reports, workflows, and payslips. In this case, there may also be temporary requirements, such as allowing access to specific systems, such as payslips, for a certain period, such as one year after leaving the company. 【0008】 When there are frequent employee turnovers or transfers, or when managing complex and numerous permission patterns for each business function within an integrated solution, performing accurate configuration immediately becomes a significant burden. 【0009】 Therefore, in companies with high employee turnover and transfers, there is a need to reduce the workload of maintaining login user records for systems used by all employees each time. Furthermore, when system access rights change due to departmental transfers or changes in job responsibilities, it is necessary to immediately acquire information and accurately grant permissions. 
【0010】 The present invention has been made in view of the above problems, and aims to provide an automatic authority granting device, an automatic authority granting method, and an automatic authority granting program that can automatically allocate authority based on employee personnel information. 【Means for Solving the Problem】 【0011】 To solve the above-mentioned problems and achieve the objective, the automatic authorization granting device according to the present invention is characterized by comprising: a data management unit that accepts the prior registration of master data and the registration of a mapping table for authorization assignment and manages the master data and the mapping table, and registers or updates employee data when employee information is registered in accordance with personnel events; a current employment data creation unit that creates current employment data regarding each employee's affiliation, position, employee category, and employment status based on the employee data as of the batch processing execution date; a user creation unit that creates users for newly hired employees who are employed as of the batch processing execution date but whose users have not yet been registered, and adds the users of the newly hired employees to the user master; an existing user update unit that updates the information of existing users registered in the user master, updates the user's usage expiration date for employees whose retirement date has passed as of the batch processing execution date, and updates the username if the employee has changed their name; a mapping processing unit that refers to the mapping table according to the user's usage expiration date in the user master, or the current employment data and the contents of the master, identifies the user group to which the user should belong, and assigns the user to the identified user group; and a setting reflection unit that automatically reflects the jobs available to the employee in the login menu according to the permissions of the assigned user group, and makes the necessary tasks available. 【0012】 Furthermore, in the automatic authorization granting device according to the present invention, the master includes a job master, a job group master, a job group member, a user group master, a security settings master, a business location master, a department master, a job title master, and an employee classification master. The job master stores the job ID and job name. The job group master stores the job group code and job group name. The job group member stores the job group code and job ID. The user group master stores the user group code and user group name. The security settings master may store the user group code, job group code, and permission status. The business location master may store the company number, establishment date, business location name, abolition date, business location code, and business location classification. The department master may store the company number, establishment date, department name, abolition date, department code, and department classification. The job title master may store the company number, establishment date, job title name, abolition date, job title code, and job title classification. The employee classification master may store the company number, establishment date, employee classification name, abolition date, employee classification code, and employee classification category. 【0013】 Furthermore, in the automatic authorization granting device according to the present invention, the mapping table may store company No., business location classification, department classification, job title classification, employee classification category, leave of absence processing flag, retirement processing flag, and user group code. 
【0014】 Furthermore, in the automatic authorization granting device according to the present invention, the employee data may include employee basic data and employee appointment history data, wherein the employee basic data stores company No., employee code, name, gender, date of birth, date of joining the company, date of leaving the company, and user ID, and the employee appointment history data may store company No., employee code, date of appointment, appointment category, business location, department, position, employee category, qualification grade, salary grade, and work location. 【0015】 Furthermore, in the automatic authorization device according to the present invention, the current employment data may store company number, employee code, business location, department, position, employee category, date of joining the company, date of leaving the company, user ID, leave of absence flag, and resignation flag. 【0016】 Furthermore, in the automatic authorization granting device according to the present invention, the current position data creation unit may create the current position data as of the batch processing execution date based on the employee basic data and employee appointment history data for the most recent appointment date as of the batch processing execution date. 【0017】 Furthermore, in the automated authorization granting device according to the present invention, the user creation unit may create a new user based on data from the current employment data that satisfies the conditions that the date of joining the company is on or after the batch processing execution date and the user ID is not yet registered. 
【0018】 Furthermore, in the automatic authorization granting device according to the present invention, when the mapping processing unit refers to the mapping table in accordance with the current job data and the contents of the master, it may also compare the business establishment, department, position, and employee classification by first going through the classifications of the business establishment master, department master, position master, and employee classification master and then matching them with the mapping table. 【0019】 Furthermore, in the authorization automatic granting device according to the present invention, the mapping processing unit may extract those in which all the conditional items match when compared with the mapping table, identify the user group to be updated, and register the user and the identified user group as a user group member. 【0020】 Furthermore, in the automatic authorization granting device according to the present invention, the setting reflection unit may trace the following path: login user ID → user group member → user group code → job group code of the associated security setting master with authorization permissions → job group member → job, ultimately identifying a list of available jobs and displaying it in the login menu. 
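The mapping step of paragraphs 【0018】 and 【0019】 and the login-menu path of paragraph 【0020】, as an added Python example that is not part of the patent. Classification values, user group codes and job names follow the embodiment's examples; the mapping rows, the `None` wildcard, the raw department, title and category codes, the "U" + employee code user ID scheme, the 365-day grace period and the employee records are constructed assumptions. Users are created once the joining date has arrived, as the embodiment describes for the user creation unit 102c.

```python
from datetime import date, timedelta

# Classification masters: raw code -> classification used for security mapping.
# Office codes and classification values follow the embodiment's examples;
# the department, title and employee-category codes are constructed.
OFFICE_CLASS = {"TKY": 100, "TKYXX": 100, "KSY": 200, "KTO": 200, "NRA": 200}
DEPT_CLASS = {"HRGA": 1, "TKY-STORE-2": 0, "KSY-STORE": 0}  # 1: HQ, 0: store
TITLE_CLASS = {"STAFF": 0, "STORE-MGR": 1, "CHIEF": 2}
EMP_CLASS = {"REGULAR": 0, "DISPATCH": 1}                   # 1: dispatched

# Security mapping table (constructed rows): company no., office, department,
# title and employee classifications, leave flag, retirement flag, user group.
# None means "any value", an assumption of this example.
MAPPING = [
    (100, 100, 0, 0, 0, 0, 0, "1110"),            # Tokyo Store General Group
    (100, 100, 0, 0, 1, 0, 0, "1120"),            # Tokyo Store General (Dispatch)
    (100, 100, 0, 1, 0, 0, 0, "1130"),            # Tokyo Store Manager Group
    (100, None, None, None, None, 1, 0, "8000"),  # On Leave Group
    (100, None, None, None, None, 0, 1, "9000"),  # Retired Employees Group
]
# Security settings master: (user group, job group) -> permission status.
SECURITY = {
    ("1110", "A"): "Allowed", ("1110", "B"): "Allowed", ("1110", "C"): "Allowed",
    ("1120", "A"): "Allowed", ("1120", "B"): "Denied", ("1120", "C"): "Denied",
    ("1130", "A"): "Allowed", ("1130", "B"): "Allowed", ("1130", "C"): "Allowed",
    ("8000", "C"): "Allowed", ("9000", "C"): "Allowed",
}
JOB_GROUP_MEMBERS = {"A": ["Job A"], "B": ["Job B", "Job C"], "C": ["Job D"]}
JOB_NAMES = {"Job A": "Attendance Clock-in", "Job B": "Expense Reimbursement",
             "Job C": "Workflow", "Job D": "Payroll Statement"}
GRACE = timedelta(days=365)  # assumed access window after the retirement date


def resolve_user_group(emp, mapping=MAPPING):
    """Return the one user group whose mapping row matches every condition."""
    key = (emp["company"], OFFICE_CLASS.get(emp["office"]),
           DEPT_CLASS.get(emp["dept"]), TITLE_CLASS.get(emp["title"]),
           EMP_CLASS.get(emp["emp_cat"]), emp["leave_flag"], emp["retire_flag"])
    groups = {r[-1] for r in mapping
              if all(c is None or c == k for c, k in zip(r[:-1], key))}
    if len(groups) > 1:  # overlapping rows: refuse to pick one silently
        raise ValueError(f"ambiguous mapping: {sorted(groups)}")
    return groups.pop() if groups else None  # no match: no group (fail closed)


def run_batch(current_rows, today, user_master, group_members):
    """Create users, set expiry for retirees, and reassign user groups."""
    for emp in current_rows:
        uid = emp["user_id"]
        if uid is None:
            if emp["hire_date"] > today:
                continue  # pre-registered hire: no account before the start date
            uid = "U" + emp["employee_code"]  # constructed ID scheme
        user = user_master.setdefault(uid, {"name": emp["name"], "expires": None})
        user["name"] = emp["name"]  # picks up name changes
        if emp["retire_date"] is not None and emp["retire_date"] <= today:
            user["expires"] = emp["retire_date"] + GRACE
        group = resolve_user_group(emp)
        # Replace, never append: a transfer must not leave the old group behind.
        group_members[uid] = {group} if group else set()


def available_jobs(user_id, today, user_master, group_members):
    """user -> user group member -> security settings -> job group -> jobs."""
    user = user_master.get(user_id)
    if user is None or (user["expires"] is not None and user["expires"] < today):
        return []
    jobs = []
    for group in sorted(group_members.get(user_id, ())):
        for (ug, jg), status in SECURITY.items():
            if ug == group and status == "Allowed":
                jobs.extend(j for j in JOB_GROUP_MEMBERS[jg] if j not in jobs)
    return [JOB_NAMES[j] for j in jobs]


def row(code, name, office, dept, title, cat, hired,
        retired=None, uid=None, leave_flag=0, retire_flag=0):
    """Build one constructed current-employment data row."""
    return {"company": 100, "employee_code": code, "name": name, "office": office,
            "dept": dept, "title": title, "emp_cat": cat, "hire_date": hired,
            "retire_date": retired, "user_id": uid, "leave_flag": leave_flag,
            "retire_flag": retire_flag}


TODAY = date(2025, 4, 1)  # batch processing execution date (constructed)
ROWS = [  # constructed current employment data
    row("E001", "Sato", "TKYXX", "TKY-STORE-2", "STAFF", "REGULAR", TODAY),
    row("E002", "Ito", "TKYXX", "TKY-STORE-2", "STAFF", "DISPATCH", TODAY),
    row("E003", "Abe", "TKY", "HRGA", "CHIEF", "REGULAR", date(2010, 4, 1),
        retired=date(2025, 3, 31), uid="UE003", retire_flag=1),
    row("E004", "Ono", "TKYXX", "TKY-STORE-2", "STAFF", "REGULAR", date(2025, 5, 1)),
    row("E005", "Mori", "KTO", "KSY-STORE", "STAFF", "REGULAR", TODAY),
]


def demo():
    """Run one batch over ROWS; E003 already has an account and a stale group."""
    users = {"UE003": {"name": "Abe", "expires": None}}
    members = {"UE003": {"1210"}}
    run_batch(ROWS, TODAY, users, members)
    return users, members
```

E005 shows the gap an administrator has to watch for: an employee whose attribute combination has no mapping row ends up with an account but an empty login menu, so unmatched rows are worth reporting after each batch.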
【0021】 Furthermore, the automatic authorization granting method according to the present invention is an automatic authorization granting method executed by an information processing device, comprising: a data management step which accepts the prior registration of a master and the registration of a mapping table for authorization assignment and manages the master and the mapping table, and registers or updates employee data when employee information is registered in accordance with a personnel event; a current employment data creation step which creates current employment data relating to the affiliation, position, employee category, and employment status of each employee based on the employee data as of the batch processing execution date; a user creation step which creates users for newly hired employees who are employed as of the batch processing execution date but whose users have not yet been registered, and adds the users of the newly hired employees to the user master; an existing user update step that updates the information of existing users registered in the user master, updates the user's expiration date for employees whose retirement date has passed as of the batch processing execution date, and updates the username if the employee has changed their name; a mapping processing step that refers to the mapping table according to the user's expiration date in the user master, or the current employment data and the contents of the master, identifies the user group to which the user should belong, and assigns the user to the identified user group; and a setting reflection step that automatically reflects the jobs available to the employee in the login menu according to the permissions of the assigned user group, and makes the necessary tasks available. 
【0022】 In addition, the automatic authorization granting program according to the present invention is characterized by causing a computer to execute: a data management step of accepting in advance the registration of a master and the registration of a mapping table for authorization assignment, managing the master and the mapping table, and registering or updating employee data when employee information is registered in accordance with a personnel event; a current employment data creation step of creating current employment data regarding the affiliation, position, employee category, and employment status of each employee based on the employee data as of the batch processing execution date; a user creation step of creating, based on the current employment data, users for newly hired employees who are employed as of the batch processing execution date but whose users have not yet been registered, and adding the users of the newly hired employees to the user master; an existing user update step of updating the information of existing users registered in the user master, updating the user's usage expiration date for employees whose retirement date has passed as of the batch processing execution date, and updating the username if the employee has changed their name; a mapping processing step of referring to the mapping table according to the user's usage expiration date in the user master, or the current employment data and the contents of the master, identifying the user group to which the user should belong, and assigning the user to the identified user group; and a setting reflection step of automatically reflecting the jobs available to the employee in the login menu according to the permissions of the assigned user group, and making the necessary tasks available. 
【Effect of the Invention】 【0023】 The present invention has the effect of being able to automatically allocate authorities based on the personnel information of employees.
【Brief Description of the Drawings】 【0024】
[Figure 1] Figure 1 is a block diagram showing an example of the configuration of the automatic authorization granting device.
[Figure 2] Figure 2 is a diagram showing an example of the company master data, the security mapping table, employee registration data, and employee current job data.
[Figure 3] Figure 3 is a diagram showing an example of the automatic authorization granting process.
[Figure 4] Figure 4 is an overall diagram showing the relationships between tables and the read / update relationships.
[Figure 5] Figure 5 shows an example of the information stored in the job master, job group master, job group member, user group master, and security settings master.
[Figure 6] Figure 6 shows an example of the information stored in the business location master and department master.
[Figure 7] Figure 7 shows an example of the information stored in the job title master and employee classification master.
[Figure 8] Figure 8 shows an example of the information stored in the security mapping table.
[Figure 9] Figure 9 shows an example of the information stored in employee basic data and employee appointment history data.
[Figure 10] Figure 10 shows an example of how to create employee current job data.
[Figure 11] Figure 11 shows an example of user creation for a newly hired employee.
[Figure 12] Figure 12 shows an example of updating information for an existing user.
[Figure 13] Figure 13 shows an example of a reference for each master.
[Figure 14] Figure 14 shows an example of assignment to a user security group.
[Figure 15] Figure 15 shows an example of how security settings are applied.
[Modes for carrying out the invention] 【0025】 Embodiments of the automatic authorization device, automatic authorization method, and automatic authorization program according to the present invention will be described in detail below with reference to the drawings. However, the present invention is not limited to these embodiments. 【0026】 [1. Structure] An example of the configuration of the automatic authorization granting device 100 according to this embodiment will be described with reference to Figure 1, etc. Figure 1 is a block diagram showing an example of the configuration of the automatic authorization granting device 100. 【0027】 The automatic authorization granting device 100 is built on a commercially available desktop personal computer. However, the automatic authorization granting device 100 is not limited to being built on a stationary information processing device such as a desktop personal computer, but may also be built on a portable information processing device such as a commercially available notebook personal computer, PDA (Personal Digital Assistant), smartphone, or tablet personal computer. 【0028】 The automatic authorization granting device 100 comprises a control unit 102, a communication interface unit 104, a storage unit 106, and an input / output interface unit 108. Each component of the automatic authorization granting device 100 is connected to communicate via any communication path. 【0029】 The communication interface unit 104 connects the automatic authorization granting device 100 to the network 300 via a communication device such as a router and a wired or wireless communication line such as a dedicated line. The communication interface unit 104 has the function of communicating data with other devices via a communication line. 
Here, the network 300 has the function of connecting the automatic authorization granting device 100 and the server 200 so that they can communicate with each other, and is, for example, the internet or a LAN (Local Area Network). The data stored in the storage unit 106 may be stored in, for example, the server 200. 【0030】 The input / output interface unit 108 is connected to an input device 112 and an output device 114 (corresponding to the output unit of the present invention). The output device 114 can be a monitor (including a household television), a speaker, or a printer. The input device 112 can be a keyboard, a mouse, a microphone, or a monitor that works in conjunction with a mouse to provide pointing device functionality. In the following, the output device 114 may be referred to as the monitor 114, and the input device 112 may be referred to as the keyboard 112 or mouse 112. 【0031】 The memory unit 106 stores various databases, tables, and files. The memory unit 106 also stores computer programs that work in cooperation with the OS (Operating System) to issue commands to the CPU (Central Processing Unit) for various processing tasks. The memory unit 106 can be, for example, a memory device such as RAM (Random Access Memory) or ROM (Read Only Memory), a fixed disk device such as a hard disk, a flexible disk, or an optical disk. Note that the CPU is merely one example of a processor. 【0032】 The storage unit 106 stores the company master data 106a, the security mapping table 106b, employee registration data 106c, and employee current job data 106d, etc. Figure 2 shows an example of the company master data 106a, the security mapping table 106b, employee registration data 106c, and employee current job data 106d. 
【0033】 Internal master data 106a includes job master 106a1, job group master 106a2, job group member 106a3, user group master 106a4, security settings master 106a5, office master 106a6, department master 106a7, job title master 106a8, employee classification master 106a9, user master 106a10, user group member 106a11, etc. 【0034】 The job master 106a1 is used to manage information about jobs, which are units of programs (functions) that users can execute. As shown in Figure 2, the job master 106a1 stores the job ID, job name, and other information. 【0035】 The job group master 106a2 is used to manage information about job groups, which are grouping units of jobs with different permissions. As shown in Figure 2, the job group master 106a2 stores the job group code, job group name, and other information. 【0036】 The job group member 106a3 is used to manage information about jobs belonging to a job group. As shown in Figure 2, the job group member 106a3 stores the job group code, job ID, and other information. 【0037】 The user group master 106a4 is used to manage information about user groups, which are grouping units of users with different permissions. As shown in Figure 2, the user group master 106a4 stores the user group code, user group name, and other information. 【0038】 The security settings master 106a5 is used to manage group association settings and permission-related information according to permissions. As shown in Figure 2, the security settings master 106a5 stores user group codes, job group codes, permission status, etc. 【0039】 The business location master 106a6 is used to manage information about business locations (offices). As shown in Figure 2, the business location master 106a6 stores information such as company number (identification number), establishment date, business location name, closure date, business location code, and business location classification. 
【0040】 The Department Master 106a7 is used to manage information about the organization of employees. Note that "employee" can be read as "worker". As shown in Figure 2, the Department Master 106a7 stores information such as company number, establishment date, department name, abolition date, department code, and department classification. 【0041】 The job title master 106a8 is used to manage information about employees' job titles. As shown in Figure 2, the job title master 106a8 stores information such as company number, establishment date, job title name, abolition date, job title code, and job title classification. 【0042】 The employee classification master 106a9 is used to manage information such as employee status. As shown in Figure 2, the employee classification master 106a9 stores company number, establishment date, employee classification name, abolition date, employee classification code, employee classification category, etc. 【0043】 User master 106a10 is used to manage information about the system's login accounts. As shown in Figure 2, user master 106a10 stores user ID, username, password, expiration date, etc. 【0044】 User group member 106a11 is used to manage information about users belonging to a user group. As shown in Figure 2, user group member 106a11 stores the user group code, user ID, etc. 【0045】 The security mapping table 106b is used to manage information from the mapping table for assigning permissions. As shown in Figure 2, the security mapping table 106b stores information such as company number, business location classification, department classification, job title classification, employee classification, leave of absence processing flag, retirement processing flag, and user group code. 【0046】 Employee registration data 106c includes employee basic data 106c1, employee appointment history data 106c2, etc. 【0047】 Employee Basic Data 106c1 is used to manage basic employee information (only the most recent information). 
As shown in Figure 2, Employee Basic Data 106c1 stores company number, employee code, name, gender, date of birth, date of joining the company, date of leaving the company, user ID, etc. 【0048】 The employee appointment history data 106c2 is used to manage employee career information (history). As shown in Figure 2, the employee appointment history data 106c2 stores information such as company number, employee code, appointment date, appointment category, business location, department, position, employee category, qualification grade, salary grade, and work location. 【0049】 Employee status data 106d is used to manage the latest information on employees at their current time. As shown in Figure 2, employee status data 106d stores company number, employee code, business location, department, job title, employee category, date of joining the company, date of leaving the company, user ID, leave of absence flag, and resignation flag. 【0050】 Returning to Figure 1, the control unit 102 is a processor such as a CPU that comprehensively controls the automatic authorization device 100. The control unit 102 has internal memory for storing control programs such as the OS, programs that define various processing procedures, and required data, and executes various information processing based on these stored programs. 【0051】 Functionally, the control unit 102 includes a data management unit 102a, an active data creation unit 102b, a user creation unit 102c, an existing user update unit 102d, a mapping processing unit 102e, and a setting reflection unit 102f. 【0052】 The data management unit 102a accepts pre-configured master data registration from the system administrator. At this time, the data management unit 102a acquires, creates, or updates the internal master data 106a according to the master settings required for the system, which have been made in advance by the system administrator via the master maintenance screen, etc., and stores and manages it in the storage unit 106. 
【0053】 Furthermore, the data management unit 102a accepts the registration of a mapping table for permission assignment by the system administrator. At this time, the data management unit 102a stores in the storage unit 106 as a security mapping table 106b the mapping table set by the system administrator, which links the combination of business establishment classification / affiliation classification / job title classification / employee classification and leave of absence processing flag / retirement processing flag to user groups, which are the units of permission to be set. As an initial setup registration before operation, the system administrator registers a table that defines what kind of security permissions will be granted to combinations of attribute information stored in master information such as affiliation and job title. 【0054】 Furthermore, the data management unit 102a accepts employee information registration when a human resources department employee registers employee information in the human resources system. At this time, the data management unit 102a retrieves, creates, or updates employee registration data 106c according to the employee information registered by the human resources department employee from the employee information management screen in accordance with each human resources event, and stores and manages it in the storage unit 106. The human resources department employee registers (updates) employee information in accordance with employee information change events. It is possible to pre-register before the start date or transfer date arrives. 【0055】 The current employment data creation unit 102b creates current employment data. For example, the current employment data creation unit 102b generates data on each employee's affiliation, position, employee category, and employment status as of the batch processing execution date. 
At this time, the current employment data creation unit 102b creates employee current employment data 106d as of the batch processing execution date, based on the employee basic data 106c1 and employee appointment history data 106c2 from the most recent appointment date as of the batch processing execution date. The employee appointment history data 106c2 manages internal company history such as joining the company, transfer, promotion, leave of absence / return to work, concurrent positions, secondment, and retirement. In addition, the employee appointment history data 106c2 reflects the latest information prior to the batch processing execution date. 【0056】 The user creation unit 102c creates users for newly hired employees. For example, the user creation unit 102c registers new users (accounts) for employees who are currently employed as of the batch processing execution date but have not yet been registered as users. In this case, the user creation unit 102c creates new users for employees whose hiring date has arrived as of the batch processing execution date and who do not yet have a user ID registered in the user master 106a10. 【0057】 The existing user update unit 102d updates the information of existing users. For example, the existing user update unit 102d updates the user's expiration date for employees whose retirement date has passed as of the batch processing execution date. The existing user update unit 102d also updates the name (user name) if an employee has changed their name. At this time, the existing user update unit 102d determines the retirement date if the employee has retired and updates the expiration date in the user master 106a10. 【0058】 The mapping processing unit 102e assigns users to security groups. For example, the mapping processing unit 102e assigns each employee to an appropriate permission group based on pre-configured mapping information and each employee's attribute information as of the batch processing execution date. 
At this time, the mapping processing unit 102e refers to the security mapping table 106b according to each item of the user master 106a10, the expiration date of the user master 106a10, and the employee current job data 106d, identifies the user group to which the user should belong, and updates the user group member data. The mapping processing unit 102e also matches the business location, department, job title, and employee category with the security mapping table 106b by first going through each classification in each master. For employees who should not be automatically assigned based on attribute information, this can be handled by setting an automatic update exclusion. 【0059】 The setting reflection unit 102f reflects security settings. For example, the setting reflection unit 102f performs processes to actually enable new users to log in, and processes to reflect the expansion of user privileges or changes to the login destination. At this time, the setting reflection unit 102f automatically reflects the available jobs in the login menu according to the permissions of the security group assigned in the user security group assignment, and makes the necessary tasks available. For example, the setting reflection unit 102f traces the path login user ID → user group member → user group code → job group code of the associated security settings master with permission granted → job group member → job, finally identifying a list of available jobs and displaying it in the login menu. 【0060】 [2. Specific examples of processing] Specific examples of the processes performed by the automatic authorization granting device 100 will be explained in detail with reference to Figures 3 to 15, following an example of a business flow performed using the automatic authorization granting device 100. Figure 3 is a diagram showing an example of the automatic authorization granting process. 
Figure 4 is an overall diagram showing the relationships between tables and the read / update relationships. 【0061】 [2-1. Pre-configuration by the system administrator] The data management unit 102a accepts pre-configured master registration by the system administrator (step S11). At this time, the system administrator makes the necessary master settings in the system in advance using the master maintenance screen, etc. The data management unit 102a acquires, creates, or updates the company's master data 106a according to the master settings and stores and manages it in the storage unit 106. 【0062】 For example, a system administrator registers the following settings as internal master data 106a, as shown in Figures 5 to 7: job master 106a1, job group master 106a2, job group member 106a3, user group master 106a4, security settings master 106a5, office master 106a6, department master 106a7, job title master 106a8, and employee classification master 106a9. Figure 5 shows an example of the information stored in the job master, job group master, job group member, user group master, and security settings master. Figure 6 shows an example of the information stored in the office master and department master. Figure 7 shows an example of the information stored in the job title master and employee classification master. 【0063】 As shown in Figure 5, the job master 106a1 stores job IDs such as Job A, Job B, Job C, Job D, etc., and job names such as Attendance Clock-in, Expense Reimbursement, Workflow, Payroll Statement, etc. 【0064】 Furthermore, the job group master 106a2 stores job group codes such as Job Group A, Job Group B, Job Group C, etc., and job group names such as Attendance Input Menu, Workflow Entry Menu, Individual Payroll Menu, etc. 【0065】 Furthermore, job group member 106a3 stores job group codes such as Job Group A, Job Group B, Job Group C, etc., and job IDs such as Job A, Job B, Job C, Job D, etc. 
【0066】 Furthermore, User Group Master 106a4 stores user group codes such as 1110, 1120, 1130, 1210, 1220, 1230, 2110, 2120, 2130, 2210, 2220, 2230, 8000, 9000, etc., and user group names such as Tokyo Store General Group, Tokyo Store General (Dispatch) Group, Tokyo Store Manager Group, Tokyo Headquarters General Group, Tokyo Headquarters General (Dispatch) Group, Tokyo Headquarters Management Group, Kansai Store General Group, Kansai Store General (Dispatch) Group, Kansai Store Manager Group, Kansai Headquarters General Group, Kansai Headquarters General (Dispatch) Group, Kansai Headquarters Management Group, On Leave Group, Retired Employees Group, etc. 【0067】 Furthermore, the security settings master 106a5 stores user group codes such as 1110, 1120, 1130, 1210, 1220, and 1230, job group codes such as Job Group A, Job Group B, and Job Group C, and permission status such as Allowed or Denied. For example, dispatched workers may be granted different permissions, such as being unable to use the workflow / payroll menu and only being able to clock in and out. 【0068】 As shown in Figure 6, the business location master 106a6 stores company numbers such as 100, establishment dates such as 2000 / 1 / 1, business location names such as Tokyo Head Office, Tokyo Head Office XX Branch, Kansai Branch Headquarters, Kansai Branch Kyoto Branch, Kansai Branch Nara Branch, etc., initially left blank for the closing date, business location codes such as TKY, TKYXX, KSY, KTO, NRA, etc., and business location classifications such as 100: Tokyo Head Office, 200: Kansai Branch. In this way, even if the organization of business locations changes, classifying them by units that affect authority, such as major locations, simplifies the classification used for security mapping, and reduces the operational burden by not having to frequently modify security mapping even when the organization changes. 
The same approach is also adopted for other departments, positions, and employee classifications. 【0069】 Furthermore, the affiliation master 106a7 stores company numbers such as 100, establishment dates such as 2000 / 1 / 1, affiliation names such as Human Resources and General Affairs Department, Tokyo Sales Department Sales Section 1, Tokyo Store Business Division Section 2 Marunouchi Store, Kansai Accounting Department, Kansai Sales Department Sales Section 5 Team 2, Tokyo Sales Department Sales Section 2 Team 1, Tokyo Sales Department Sales Promotion Team, Kansai Store Business Division, Nagoya Store Business Division, the abolition date is initially left blank, the affiliation code is a code corresponding to the affiliation name, and the affiliation classification is 1: Headquarters affiliation, 0: Store affiliation, etc. 【0070】 As shown in Figure 7, the job title master 106a8 stores a company number such as 100, an inception date such as 2000 / 1 / 1, a job title such as section chief, store manager, leader, general staff, etc., initially nothing is stored (blank) for the abolition date, a code corresponding to the job title is stored as the job title code, and a job title classification such as 0: general staff (no job title), 1: store manager, 2: section chief or above. 【0071】 Furthermore, the employee classification master 106a9 stores company numbers such as 100, establishment dates such as 2000 / 1 / 1, employee classification names such as executives, regular employees, seconded employees, contract employees, and dispatched employees, initially nothing is stored (blank) for the discontinuation date, employee classification codes such as codes corresponding to the employee classification names, and employee classification categories such as 0: non-dispatched employees, 1: dispatched employees, etc. 【0072】 Next, the data management unit 102a accepts the registration of a mapping table for permission assignment by the system administrator (step S12). 
At this time, the system administrator sets up a mapping table that links the combination of business establishment classification / affiliation classification / job title classification / employee classification and leave processing flag / retirement processing flag to the user group, which is the unit of permission to be set. The data management unit 102a stores this set mapping table in the storage unit 106 as a security mapping table 106b. 【0073】 For example, a system administrator can register settings for the security mapping table 106b, as shown in Figure 8. The security mapping table 106b includes conditions such as business establishment classification, department classification, job title classification, employee classification, leave of absence processing flag, and retirement processing flag, and updates such as user groups. Figure 8 shows an example of the information stored in the security mapping table. 【0074】 As shown in Figure 8, the security mapping table 106b stores conditions such as: business establishment classification (100: Tokyo Head Office, 200: Kansai Branch, -1: ALL); affiliation classification (0: Store Affiliation, 1: Head Office Affiliation, -1: ALL); job title classification (0: General (No Title), 1: Store Manager, 2: Section Manager or higher, -1: ALL); employee classification (0: Non-Temporary Employee, 1: Temporary Employee, -1: ALL); leave of absence processing flag (0: Not Applicable, 1: Applicable, -1: ALL); and retirement processing flag (0: Not Applicable, 1: Applicable, -1: ALL). Note that this business establishment classification is a combination of company number and business establishment classification. 
【0075】 Furthermore, the security mapping table 106b stores user groups as the update content, such as 1110: Tokyo Store General Group, 1120: Tokyo Store General (Dispatched) Group, 1130: Tokyo Store Manager Group, 1210: Tokyo Headquarters General Group, 1220: Tokyo Headquarters General (Dispatched) Group, 1230: Tokyo Headquarters Management Group, 2110: Kansai Store General Group, 2120: Kansai Store General (Dispatched) Group, 2130: Kansai Store Manager Group, 2210: Kansai Headquarters General Group, 2220: Kansai Headquarters General (Dispatched) Group, 2230: Kansai Headquarters Management Group, 8000: On Leave Group, 9000: Retired Employee Group, etc. Note that these user groups are a combination of user group code and user group name. 【0076】 The system administrator or the data management unit 102a establishes classifications in each master: business location, department, job title, and employee category. This allows only the minimum units necessary for security allocation to be set. If settings were made for each individual business location, department, job title, and employee category, the number of possible combinations would be large and complex. In practice, because the same mapping applies to multiple business locations and so on, each master is given a classification, and the combination of classifications is used as the minimum unit of mapping. Furthermore, by not directly linking business locations, departments, job titles, and employee categories in the settings, the system becomes less susceptible to changes in the master data, such as organizational changes, resulting in higher maintainability of the settings. A value of "-1" is set to act as a wildcard. 【0077】 [2-2.
Management of employee information by HR personnel] The data management unit 102a accepts the registration of employee information when a human resources department employee registers employee information in the human resources system (step S21). In practice, the data management unit 102a may be linked or integrated with the human resources system. At this time, the human resources department employee registers employee information from the employee information management screen according to each human resources event. The data management unit 102a acquires, creates, or updates employee registration data 106c according to the employee information and stores and manages it in the storage unit 106. 【0078】 For example, a human resources staff member registers employee basic data 106c1 and employee appointment history data 106c2 as employee registration data 106c, as shown in Figure 9. Figure 9 is a diagram showing an example of the information stored in the employee basic data and employee appointment history data. 【0079】 As shown in Figure 9, employee basic data 106c1 stores company numbers such as 100, employee codes such as 10001, 10002, 10003, 10004, 10005, 10006, 10007, 10008, names such as Obic Taro, Obic Jiro, Obic Haruko, Obic Saburo, Obic Natsuko, Obic Shiro, Obic Goro, Obic Akiko, genders such as 1 (male), 2 (female), dates of birth such as 1985 / 7 / 28, 1988 / 2 / 1, 1990 / 11 / 11, 1992 / 10 / 23, 1997 / 6 / 12, 1995 / 10 / 3, 2001 / 12 / 20, 2001 / 9 / 13, dates of joining the company such as 2000 / 4 / 1, 2003 / 4 / 1, 2010 / 7 / 1, 2017 / 4 / 1, 2022 / 12 / 1, 2023 / 9 / 15, 2024 / 4 / 1, retirement dates such as 2024 / 3 / 31, NULL, and user IDs such as U10001, U10002, U10003, U10004, U10005, U10006, NULL, etc.
【0080】 Furthermore, employee appointment history data 106c2 stores company numbers such as 100, employee codes such as 10001, 10002, 10003, 10004, 10005, 10006, 10007, 10008, appointment dates such as 2021 / 11 / 1, 2023 / 4 / 1, 2024 / 3 / 31, 2024 / 7 / 1, appointment categories such as 6000 (reinstatement), 2100 (promotion), 7000 (retirement), 5000 (leave of absence), 2000 (transfer of department), 1000 (new graduate recruitment), and business locations such as Tokyo Head Office, Kansai Branch Kyoto Branch, Kansai Branch Headquarters, etc. The database includes entries for departments such as Human Resources and General Affairs, Tokyo Sales Department Sales Section 1, Tokyo Store Business Division Section 2 Marunouchi Store, Kansai Accounting Department, Kansai Sales Department Sales Section 5 Team 2, Tokyo Sales Department Sales Section 2 Team 1, Tokyo Sales Department Sales Promotion Team, and Kansai Store Business Division. It also includes job titles such as Leader, Assistant Section Manager, Section Manager, Store Manager, and General Staff, employee classifications such as Full-time Employee, Contract Employee, and Part-time Employee, qualification levels such as Grade 3, Grade 4, Grade 5, Grade 7, Grade 8, and None, salary grades such as Grade 20, Grade 30, Grade 40, Grade 35, Grade 32, Grade 24, Grade 15, Grade 10, and None, and work locations such as Tokyo, Kyoto, and Osaka. 【0081】 [2-3. System-driven automated processes] The current employment data creation unit 102b creates the current employment data (step S31). At this time, the current employment data creation unit 102b creates the employee current employment data 106d as of the batch processing execution date, based on the employee basic data 106c1 and employee appointment history data 106c2 with the most recent appointment date as of the batch processing execution date. 
The employee appointment history data 106c2 manages the employee's internal career history, such as joining the company, transfer, promotion, leave of absence / return to work, concurrent positions, secondment, and retirement. Figure 10 shows an example of the creation of current employment data. The employee current employment data 106d is obtained by reducing the employee appointment history data 106c2 to the most recent record as of the batch processing execution date, giving one record per person. 【0082】 As shown in Figure 10, if the current employment data creation unit 102b performs batch processing on the employee appointment history data 106c2 on 2011 / 3 / 1, the employee with employee code "10001" was transferred to a different department on the appointment date "2010 / 10 / 1", so the current employment data 106d is created with the following information: company no. "100", employee code "10001", business location "Kansai Branch Headquarters", department "Kansai Sales Department Sales Section 5 Team 2", position "Leader", employee category "Regular Employee", date of joining "2000 / 4 / 1", date of leaving "NULL", user ID "U10001", leave of absence flag "Not applicable", and resignation flag "Not applicable". The date of joining the company ("2000 / 4 / 1"), the date of leaving the company ("NULL"), and the user ID ("U10001") are obtained from the most recent employee basic data 106c1 as of the batch processing execution date. 【0083】 Furthermore, if the current employment data creation unit 102b performs batch processing on the employee appointment history data 106c2 on 2024 / 4 / 1, the employee with employee code "10001" has resigned as of the appointment date "2024 / 3 / 31", so the unit creates current employment data 106d with company no.
"100", employee code "10001", business location "Tokyo Head Office", department "Human Resources Department General Affairs Section", position "Deputy Section Manager", employee category "Regular Employee", date of joining "2000 / 4 / 1", date of resignation "2024 / 3 / 31", user ID "U10001", leave of absence flag "Not applicable", and resignation flag "Applicable". 【0084】 Next, the user creation unit 102c creates users for newly hired employees (step S32). At this time, the user creation unit 102c creates new users (accounts) for employees whose hiring date has arrived as of the batch processing execution date and for whom a user ID has not yet been registered in the user master 106a10. Figure 11 shows an example of user creation for newly hired employees. The user master 106a10 stores account information used when logging into the system. 【0085】 As shown in Figure 11, when batch processing is performed on the employee current employment data 106d on 2024 / 4 / 1, the user creation unit 102c creates new users from the employee current employment data 106d based on the current employment data that satisfies the conditions "Date of joining the company ≤ Date of batch processing execution" and "User ID IS NULL" (User ID = NULL). In this case, two employees, employee code "10007" and employee code "10008", have a date of joining the company "2024 / 4 / 1" and a user ID "NULL", thus satisfying the above conditions. Therefore, the user creation unit 102c creates new users with user ID "U10007", username "Obic Goro", password "********", and expiration date "NULL", and user ID "U10008", username "Obic Akiko", password "********", and expiration date "NULL", and adds them to the user master 106a10. 【0086】 Next, the existing user update unit 102d updates the information of existing users (step S33). At this time, the existing user update unit 102d determines the date of retirement if the employee has retired and updates the expiration date of the user master 106a10. 
Figure 12 shows an example of updating existing user information. 【0087】 As shown in Figure 12, if the existing user update unit 102d performs batch processing on the employee current employment data 106d on April 1, 2024, the employee with employee code "10001" will have retired on the effective date "March 31, 2024". Therefore, the unit sets the retirement date to the expiration date of the user (account) with employee code "10001" in the user master 106a10. In other words, the existing user update unit 102d updates the expiration date of the user with employee code "10001" from "NULL" to "March 31, 2024". 【0088】 Next, the mapping processing unit 102e assigns users to user security groups (step S34). At this time, the mapping processing unit 102e refers to the security mapping table 106b according to the user master 106a10, the expiration date of the user master 106a10, and the employee current position data 106d obtained in the above process, identifies the user group to which the user should belong, and updates the user group member data. The mapping processing unit 102e also matches the business location, department, position, and employee classification with the security mapping table 106b by first going through each classification in each master. Figure 13 shows an example of referencing each master. Figure 14 shows an example of assignment to user security groups. 【0089】 As shown in Figure 13, if the mapping processing unit 102e performs batch processing on the employee current employment data 106d on 2024 / 4 / 1, the employee with employee code "10001" has retired as of the notice date "2024 / 3 / 31". Therefore, as shown in Figure 14, the update contents of the security mapping table 106b are assigned to the user group "9000: Retired Employees Group", and the user and user group are linked in user group member 106a11. 
Here, the mapping processing unit 102e links the user ID "U10001" with the user group code "9000: Retired Employees Group" in user group member 106a11. 【0090】 Furthermore, as shown in Figure 13, if the mapping processing unit 102e performs batch processing on the employee current employment data 106d as of 2024 / 4 / 1, the employee code "10002" is located at the "Tokyo Head Office" business location, in the "Tokyo Sales Department, Sales Section 1" department, with the position "Section Chief" and employee classification "Regular Employee". Therefore, it refers to the business location classification "100: Tokyo Head Office" associated with the business location name "Tokyo Head Office" in the business location master 106a6. It also refers to the department classification "1: Head Office" associated with the department name "Tokyo Sales Department, Sales Section 1" in the department master 106a7. It also refers to the position classification "2: Section Chief or higher" associated with the position name "Section Chief" in the position master 106a8. Finally, it refers to the employee classification classification "0: Other than dispatched employee" associated with the employee classification "Regular Employee" in the employee classification master 106a9. 【0091】 Then, as shown in Figure 14, the mapping processing unit 102e assigns the updated content linked to the conditions of business establishment classification "100: Tokyo Head Office", department classification "1: Head Office Department", job title classification "2: Manager or higher", and employee classification "0: Non-temporary employee" in the security mapping table 106b to the user group "1230: Tokyo Head Office Management Group", and links the user and the user group in user group member 106a11. Here, the mapping processing unit 102e links the user ID "U10002" and the user group code "1230: Tokyo Head Office Management Group" in user group member 106a11. 
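Steps S31 to S34 and the job lookup of the configuration reflection unit, as an added Python example that is not code from the patent. The mapping rows, security settings, job group membership and employee records are constructed sample data; deriving the leave and retirement flags from the appointment category, and assigning no group when zero or several user groups match, are assumptions of this example.

```python
from datetime import date

WILDCARD = -1  # the page's "-1: ALL"

# Name -> classification lookups held in each master (values follow the page's examples).
SITE_CLASS = {"Tokyo Head Office": 100, "Kansai Branch Headquarters": 200}
DEPT_CLASS = {"Human Resources and General Affairs Department": 1,
              "Tokyo Sales Department Sales Section 1": 1,
              "Kansai Accounting Department": 1}
TITLE_CLASS = {"General Staff": 0, "Store Manager": 1, "Section Chief": 2}
EMP_CLASS = {"Regular Employee": 0, "Dispatched Employee": 1}

# Security mapping table, constructed rows. Conditions are (site, department, title,
# employee class, leave flag, retirement flag); the value is the user group code.
MAPPING = [
    ((WILDCARD, WILDCARD, WILDCARD, WILDCARD, WILDCARD, 1), 9000),  # retired
    ((WILDCARD, WILDCARD, WILDCARD, WILDCARD, 1, 0), 8000),         # on leave
    ((100, 1, 0, 0, 0, 0), 1210),
    ((100, 1, WILDCARD, 1, 0, 0), 1220),                            # dispatched, any title
    ((100, 1, 2, 0, 0, 0), 1230),
    ((200, 1, 2, 0, 0, 0), 2230),
]
# Security settings master and job group members, constructed.
FULL = {"A": "Allowed", "B": "Allowed", "C": "Allowed"}
SECURITY_SETTINGS = {1210: FULL, 1230: FULL, 2230: FULL,
                     1220: {"A": "Allowed", "B": "Denied", "C": "Denied"}}
JOB_GROUP_MEMBERS = {"A": ["Job A"], "B": ["Job B", "Job C"], "C": ["Job D"]}

# Employee basic data, constructed.
BASIC = {
    10001: {"name": "Obic Taro", "joined": date(2000, 4, 1),
            "left": date(2024, 3, 31), "user_id": "U10001"},
    10002: {"name": "Obic Jiro", "joined": date(2003, 4, 1), "left": None, "user_id": "U10002"},
    10007: {"name": "Obic Goro", "joined": date(2024, 4, 1), "left": None, "user_id": None},
}
# Appointment history, constructed: (code, date, category, site, department, title, class).
HR, SALES = "Human Resources and General Affairs Department", "Tokyo Sales Department Sales Section 1"
HISTORY = [
    (10001, date(2023, 4, 1), 2100, "Tokyo Head Office", HR, "Section Chief", "Regular Employee"),
    (10001, date(2024, 3, 31), 7000, "Tokyo Head Office", HR, "Section Chief", "Regular Employee"),
    (10002, date(2021, 11, 1), 2000, "Tokyo Head Office", SALES, "Section Chief", "Regular Employee"),
    (10002, date(2024, 7, 1), 2000, "Kansai Branch Headquarters", "Kansai Accounting Department",
     "Section Chief", "Regular Employee"),  # future-dated transfer, ignored until it takes effect
    (10007, date(2024, 4, 1), 1000, "Tokyo Head Office", SALES, "General Staff", "Regular Employee"),
]


def current_employment(run_date):
    """Step S31: one record per employee, from the latest appointment on or before run_date."""
    current = {}
    for code, emp in BASIC.items():
        past = [h for h in HISTORY if h[0] == code and h[1] <= run_date]
        if not past:
            continue  # no appointment in effect yet
        _, _, category, site, dept, title, emp_class = max(past, key=lambda h: h[1])
        current[code] = dict(emp, site=site, dept=dept, title=title, emp_class=emp_class,
                             leave=int(category == 5000), retired=int(category == 7000))
    return current


def resolve_group(rec):
    """Step S34: go through each master's classification, then match the mapping table."""
    key = (SITE_CLASS.get(rec["site"]), DEPT_CLASS.get(rec["dept"]),
           TITLE_CLASS.get(rec["title"]), EMP_CLASS.get(rec["emp_class"]),
           rec["leave"], rec["retired"])
    hits = {group for cond, group in MAPPING
            if all(c in (WILDCARD, k) for c, k in zip(cond, key))}
    if len(hits) != 1:  # assumption: no match or an ambiguous match assigns nothing
        raise LookupError(f"{len(hits)} user groups match {key}")
    return hits.pop()


def run_batch(run_date, excluded=frozenset()):
    """Steps S31 to S34; returns (user master, user group members, unassigned user IDs)."""
    users = {e["user_id"]: {"name": e["name"], "expires": None}
             for e in BASIC.values() if e["user_id"]}
    members, unassigned = {}, []
    for code, rec in current_employment(run_date).items():
        if rec["joined"] <= run_date and rec["user_id"] is None:  # S32: new user
            rec["user_id"] = f"U{code}"
            users[rec["user_id"]] = {"name": rec["name"], "expires": None}
        if rec["user_id"] is None:
            continue
        if rec["retired"]:  # S33: expiration date = retirement date
            users[rec["user_id"]]["expires"] = rec["left"]
        if rec["user_id"] in excluded:  # automatic update exclusion: membership not touched
            continue
        try:
            members[rec["user_id"]] = resolve_group(rec)
        except LookupError:
            unassigned.append(rec["user_id"])  # left without a group for manual review
    return users, members, unassigned


def available_jobs(user_id, members):
    """Step S35: user ID -> user group -> allowed job groups -> job group members -> jobs."""
    allowed = [jg for jg, status in SECURITY_SETTINGS.get(members.get(user_id), {}).items()
               if status == "Allowed"]
    return sorted(job for jg in allowed for job in JOB_GROUP_MEMBERS[jg])
```

Running `run_batch` for 2024-03-30, 2024-04-01 and 2024-07-01 shows the same user moving between groups as appointments take effect, with the retirement row matching regardless of the other classifications.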
【0092】 Next, the settings reflection unit 102f reflects the security settings (step S35). At this time, the settings reflection unit 102f automatically reflects the available jobs in the login menu according to the permissions, in accordance with the security (user group permissions) assigned in step S34 (assignment to user security group), making the necessary tasks available. After processing steps S31 to S34, each employee executes a menu item available in the login menu according to their own permissions when they log in. Figure 15 shows an example of the reflection of security settings. 【0093】 As shown in Figure 15, the setting reflection unit 102f traces the path from the login user ID → user group members → user group code → the job group code of the associated security setting master's permission → job group members → job, finally identifying a list of available jobs and displaying it in the login menu. 【0094】 In this way, the automatic authorization device 100 performs the above steps S31 to S34 in a periodic batch execution, automatically updating the employee current status data 106d, user master 106a10, and user group member 106a11 respectively, thereby ensuring that the authorization settings reflect the current employees and security mappings. 【0095】 [2-4. Summary] In companies with high employee turnover and transfers, there is a need to reduce the workload of repeatedly maintaining login user records for systems used by all employees. Furthermore, when system access rights change due to departmental transfers or changes in job responsibilities, it is necessary to immediately acquire information and accurately grant permissions. 【0096】 Therefore, in this embodiment, a function was constructed to automatically create and delete users and allocate system usage rights based on employee information registered in the personnel system. 
Furthermore, since the timing of changes varies depending on the event, the timing of reflection can be switched according to the date of issuance of personnel information, thereby achieving both pre-configuration for the future and immediate reflection. 【0097】 [3. Contribution to the United Nations-led Sustainable Development Goals (SDGs)] This embodiment can contribute to improving operational efficiency and promoting appropriate management decisions within companies, thereby enabling contributions to SDGs Goals 8 and 9. 【0098】 Furthermore, this embodiment can contribute to reducing waste and promoting paperless and digital processes, thereby contributing to SDGs Goals 12, 13, and 15. 【0099】 Furthermore, this embodiment can contribute to strengthening control and governance, thereby enabling contributions to SDG Goal 16. 【0100】 [4. Other Embodiments] In addition to the embodiments described above, the present invention may be implemented in various different embodiments within the scope of the technical idea described in the claims. 【0101】 For example, among the processes described in the embodiments, all or part of the processes described as being performed automatically can be performed manually, or all or part of the processes described as being performed manually can be performed automatically by known methods. 【0102】 Furthermore, the processing procedures, control procedures, specific names, information including parameters such as registration data and search conditions for each process, screen examples, and database configuration shown in this specification and in the drawings may be changed at will unless otherwise specified. 【0103】 Furthermore, with respect to the automatic authorization granting device 100, each component shown in the diagram is a functional concept and does not necessarily need to be physically configured as shown. 
【0104】 For example, the processing functions of the automatic authorization granting device 100, particularly those performed in the control unit, may be implemented in whole or in part by a CPU and a program interpreted and executed by the CPU, or they may be implemented as wired logic hardware. The program is recorded on a non-transitory computer-readable recording medium containing programmed instructions for causing the information processing device to execute the processing described in this embodiment, and is mechanically read by the automatic authorization granting device 100 as needed. That is, a storage unit such as ROM or HDD (Hard Disk Drive) contains a computer program that works in cooperation with the OS to give instructions to the CPU and perform various processing. This computer program is executed by being loaded into RAM and works in cooperation with the CPU to constitute the control unit. Note that the CPU is merely one example of a processor. 【0105】 Furthermore, this computer program may be stored on an application program server connected to the automatic authorization granting device 100 via any network, and it is possible to download all or part of it as needed. 【0106】 Furthermore, the program for executing the processing described in this embodiment may be stored on a non-transitory computer-readable recording medium, or it may be configured as a program product. Here, "recording medium" includes any "portable physical medium" such as memory cards, USB (Universal Serial Bus) memory, SD (Secure Digital) cards, flexible disks, magneto-optical disks, ROMs, EPROMs (Erasable Programmable Read Only Memory), EEPROMs (Registered Trademark) (Electrically Erasable and Programmable Read Only Memory), CD-ROMs (Compact Disk Read Only Memory), MOs (Magneto-Optical disks), DVDs (Digital Versatile Disks), and Blu-ray (Registered Trademark) Discs.
【0107】 Furthermore, "program" refers to a data processing method described in any language or writing method, regardless of its format, such as source code or binary code. Note that "program" is not necessarily limited to a single, monolithic structure; it also includes distributed structures consisting of multiple modules or libraries, and those that work in cooperation with other programs, such as an operating system, to achieve their functions. Regarding the specific configuration and reading procedures for reading the recording medium in each device shown in the embodiments, as well as the installation procedures after reading, well-known configurations and procedures can be used. 【0108】 The various databases stored in the memory unit are memory devices such as RAM and ROM, fixed disk devices such as hard disks, flexible disks, and optical disks, and store various programs, tables, databases, and web page files used for various processes and website provision. 【0109】 Furthermore, the automatic authorization granting device 100 may be configured as an information processing device such as a known personal computer or workstation, or as an information processing device to which any peripheral device is connected. Alternatively, the automatic authorization granting device 100 may be implemented by installing software (including programs or data, etc.) on the device that enables the processing described in this embodiment. 【0110】 Furthermore, the specific forms of distribution and integration of the devices are not limited to those shown in the figures, and all or part of them can be configured by functionally or physically distributing and integrating them in any unit according to various additions or functional loads. In other words, the embodiments described above may be implemented in any combination, or the embodiments may be implemented selectively. 
[Industrial applicability] 【0111】 This invention is useful for general incorporated associations and general incorporated foundations that manage employee hiring and departures, transfers, and business system permissions for each task. [Explanation of symbols] 【0112】
100 Automatic authorization granting device
102 Control unit
102a Data management unit
102b Current employment data creation unit
102c User creation unit
102d Existing user update unit
102e Mapping processing unit
102f Configuration reflection unit
104 Communication interface unit
106 Storage unit
106a Internal master data
106b Security mapping table
106c Employee registration data
106d Employee current employment data
108 Input / output interface unit
112 Input device
114 Output device
200 Server
300 Network
Claims
[Claim 1] A data management unit that accepts the registration of master data and mapping tables for authority assignment in advance, manages the master data and mapping tables, and registers or updates employee data when employee information is registered in response to personnel events; a current employment data creation unit that, based on employee data as of the batch processing execution date, creates current employment data for each employee, including their department, position, employee category, and employment status; a user creation unit that, based on the aforementioned current employment data, creates users for newly hired employees who are currently employed as of the batch processing execution date but whose users have not yet been registered, and adds these newly hired employees' users to the user master; an existing user update unit that updates the information of existing users registered in the user master, updates the user's expiration date for employees whose retirement date has passed as of the batch processing execution date, and updates the username if the employee has changed their name; a mapping processing unit that, based on the user's usage expiration date in the user master, or the current employment data and the contents of the master, refers to the mapping table to identify the user group to which the user should belong, and assigns the user to the identified user group; and a configuration reflection unit that automatically reflects the jobs available to employees in the login menu according to their assigned user group permissions, and makes the necessary tasks available; an automatic authorization granting device characterized by comprising the above units. [Claim 2] The aforementioned master data includes job master, job group master, job group member, user group master, security settings master, business location master, affiliation master, job title master, and employee classification master.
The aforementioned job master stores the job ID and job name. The aforementioned job group master stores the job group code and job group name. The aforementioned job group member stores the job group code and job ID. The aforementioned user group master stores the user group code and user group name. The aforementioned security settings master stores user group codes, job group codes, and permission status. The aforementioned business location master stores company number, establishment date, business location name, closure date, business location code, and business location classification. The aforementioned affiliation master stores company number, establishment date, affiliation name, abolition date, affiliation code, and affiliation classification. The aforementioned job title master stores company number, establishment date, job title name, abolition date, job title code, and job title classification. The aforementioned employee classification master stores company number, establishment date, employee classification name, abolition date, employee classification code, and employee classification category. The automatic authorization granting device according to claim 1. [Claim 3] The aforementioned mapping table stores company number, business establishment classification, department classification, job title classification, employee category classification, leave of absence processing flag, retirement processing flag, and user group code. The automatic authorization granting device according to claim 2. [Claim 4] The aforementioned employee data includes employee basic data and employee appointment history data. The aforementioned employee basic data stores company number, employee code, name, gender, date of birth, date of joining the company, date of leaving the company, and user ID.
The aforementioned employee appointment history data stores company number, employee code, appointment date, appointment category, business location, department, position, employee category, qualification grade, salary grade, and work location. The automatic authorization granting device according to claim 3. [Claim 5] The aforementioned current employment data stores company number, employee code, business location, department, position, employee category, date of joining the company, date of leaving the company, user ID, leave of absence flag, and resignation flag. The automatic authorization granting device according to claim 4. [Claim 6] The aforementioned current employment data creation unit creates the aforementioned current employment data as of the batch processing execution date, based on the aforementioned employee basic data and employee appointment history data for the most recent appointment date as of the batch processing execution date. The automatic authorization granting device according to claim 5. [Claim 7] The user creation unit creates new users based on the current employment data, specifically data where the date of joining the company is on or after the batch processing execution date and the user ID is not yet registered. The automatic authorization granting device according to claim 6. [Claim 8] The mapping processing unit, when referring to the mapping table according to the current employment data and the contents of the master data, matches the business establishment, department, position, and employee category with the mapping table by first going through the classifications of the business establishment master, department master, position master, and employee category master. The automatic authorization granting device according to claim 6.
[Claim 9]
The mapping processing unit, upon matching with the mapping table, extracts the entries in which all the required items match, identifies the user group to be updated, and registers the user and the identified user group as a user group member.
The automatic authority granting device according to claim 8.

[Claim 10]
The aforementioned settings reflection unit traces the path Login User ID → User Group Members → User Group Code → Job Group Code of the associated Security Settings Master with permission → Job Group Members → Jobs, thereby identifying the list of available jobs and displaying it in the login menu.
The automatic authority granting device according to claim 9.

[Claim 11]
A method for automatically granting permissions, performed by an information processing device:
A data management step that accepts in advance the registration of master data and of mapping tables for authority assignment, manages the master data and mapping tables, and registers or updates employee data when employee information is registered in response to a personnel event;
A current employment data creation step that, based on employee data as of the batch processing execution date, creates current employment data for each employee, including their department, position, employee category, and employment status;
A user creation step that, based on the aforementioned current employment data, creates users for newly hired employees who are currently employed but not yet registered as users as of the batch processing execution date, and adds these users to the user master;
An existing user update step that updates the information of existing users registered in the user master, updating the user's expiration date for employees whose retirement date has passed as of the batch processing execution date and updating the user name if the employee has changed their name;
A mapping processing step that refers to the mapping table based on the user's usage expiration date in the user master, or on the current employment data and the contents of the master data, to identify the user group to which the user should belong, and assigns the user to the identified user group;
A settings update step that automatically reflects, in the login menu, the jobs available to the employee according to the permissions of the assigned user group, making the necessary tasks available.
A method for automatically granting permissions, characterized by including the above steps.

[Claim 12]
A data management step that accepts in advance the registration of master data and of mapping tables for authority assignment, manages the master data and mapping tables, and registers or updates employee data when employee information is registered in response to a personnel event;
A current employment data creation step that, based on employee data as of the batch processing execution date, creates current employment data for each employee, including their department, position, employee category, and employment status;
A user creation step that, based on the aforementioned current employment data, creates users for newly hired employees who are currently employed but not yet registered as users as of the batch processing execution date, and adds these users to the user master;
An existing user update step that updates the information of existing users registered in the user master, updating the user's expiration date for employees whose retirement date has passed as of the batch processing execution date and updating the user name if the employee has changed their name;
A mapping processing step that refers to the mapping table based on the user's usage expiration date in the user master, or on the current employment data and the contents of the master data, to identify the user group to which the user should belong, and assigns the user to the identified user group;
A settings update step that automatically reflects, in the login menu, the jobs available to the employee according to the permissions of the assigned user group, making the necessary tasks available.
A program that automatically grants permissions, characterized by having a computer execute a command.
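
The lookup chain of Claims 8 to 10, sketched in Python as an added example (not code from the patent or from the applicant's product). All codes, classification names and rows are constructed sample data; replacing a user's group membership on every batch run, and assigning no group when a code or mapping row is missing, are assumptions of this sketch.

```python
# Constructed sample masters: code -> classification (Claim 8 matches on classifications).
OFFICE_CLS = {"TKY": "HQ", "OSK": "BRANCH"}
DEPT_CLS = {"D10": "SALES", "D20": "HR"}
TITLE_CLS = {"T1": "MANAGER", "T9": "STAFF"}
EMP_CLS = {"E1": "REGULAR", "E2": "PARTTIME"}

# Mapping table (Claim 3): (company, office, dept, title, employee category
# classifications, leave flag, retirement flag) -> user group code.
MAPPING = [
    ((1, "HQ", "HR", "MANAGER", "REGULAR", False, False), "UG_HR_MGR"),
    ((1, "HQ", "HR", "MANAGER", "REGULAR", True, False), "UG_LEAVE"),
    ((1, "BRANCH", "SALES", "STAFF", "PARTTIME", False, False), "UG_STAFF"),
]
# Security settings master: (user group code, job group code, permitted).
SECURITY = [("UG_HR_MGR", "JG_HR", True), ("UG_HR_MGR", "JG_COMMON", True),
            ("UG_STAFF", "JG_COMMON", True), ("UG_STAFF", "JG_HR", False),
            ("UG_LEAVE", "JG_COMMON", True)]
JOB_GROUP_MEMBERS = {"JG_HR": ["J100", "J101"], "JG_COMMON": ["J001"]}

def identify_user_groups(cur):
    """Claims 8-9: map codes to classifications, keep rows where every item matches."""
    try:
        key = (cur["company"], OFFICE_CLS[cur["office"]], DEPT_CLS[cur["dept"]],
               TITLE_CLS[cur["title"]], EMP_CLS[cur["emp"]], cur["leave"], cur["retired"])
    except KeyError:
        return set()  # code missing from a master: no group, so no jobs
    return {group for row_key, group in MAPPING if row_key == key}

def run_batch(current_rows):
    """Rebuild user group members from current employment data (replace, not append)."""
    return {cur["user_id"]: identify_user_groups(cur) for cur in current_rows}

def available_jobs(user_id, members):
    """Claim 10: user -> user groups -> permitted job groups -> jobs."""
    groups = members.get(user_id, set())
    job_groups = {jg for ug, jg, ok in SECURITY if ug in groups and ok}
    return sorted({j for jg in job_groups for j in JOB_GROUP_MEMBERS.get(jg, [])})

CURRENT = [  # current employment data as of the batch date (constructed)
    {"user_id": "u001", "company": 1, "office": "TKY", "dept": "D20", "title": "T1",
     "emp": "E1", "leave": False, "retired": False},
    {"user_id": "u002", "company": 1, "office": "OSK", "dept": "D10", "title": "T9",
     "emp": "E2", "leave": False, "retired": False},
    {"user_id": "u003", "company": 1, "office": "TKY", "dept": "D20", "title": "T1",
     "emp": "E1", "leave": False, "retired": True},
]

if __name__ == "__main__":
    for uid, groups in sorted(run_batch(CURRENT).items()):
        print(uid, sorted(groups), available_jobs(uid, run_batch(CURRENT)))
```

Because membership is recomputed from the current row, an employee who is transferred, goes on leave or retires loses any job group the new row does not map to, and a security settings row marked as not permitted never contributes jobs.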