Access control device, method, and program

The authorization management device dynamically grants and revokes permissions based on task duration, effectively reducing the risk of unauthorized and incorrect operations by ensuring high privileges are only provided when needed.

JP2026111390APending Publication Date: 2026-07-03NTT TECHNOCROSS CORP

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
NTT TECHNOCROSS CORP
Filing Date
2024-12-23
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing technologies for monitoring unauthorized and incorrect operations on terminals cannot prevent such operations in advance, leading to potential significant impacts when high-privilege accounts are used.

Method used

An authorization management device that grants and removes permissions dynamically based on a specified period, ensuring that high privileges are only provided when necessary for specific tasks.

Benefits of technology

Reduces the risk of unauthorized and incorrect operations by limiting high privileges to the duration required for tasks, thereby minimizing the risk of errors and misuse.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026111390000001_ABST
    Figure 2026111390000001_ABST
Patent Text Reader

Abstract

To provide technology that can reduce the risks associated with specific operations. [Solution] An authorization management device according to one aspect of the present disclosure grants the account to which authorization is to be granted, the type of authorization, and the period for which authorization is granted, to the account when the start date and time of the period for which authorization is granted has elapsed, and to remove the type of authorization from the account when the end date and time of the period for which authorization is granted has elapsed.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to an authority management device, method, and program.

Background Art

[0002] Techniques for recording operations on a screen displayed on a terminal are known for the purpose of monitoring unauthorized operations and incorrect operations on terminals such as personal computers (PCs). For example, Patent Document 1 discloses a technique for recording operations on a screen by capturing the screen displayed on a terminal as an image at predetermined intervals and using a video composed of those images.

Prior Art Documents

Patent Documents

[0003]

Patent Document 1

Summary of the Invention

Problems to be Solved by the Invention

[0004] However, in techniques for the purpose of monitoring unauthorized operations and incorrect operations, while unauthorized operations and incorrect operations can be monitored retrospectively, they cannot be prevented in advance. For this reason, for example, when unauthorized operations or incorrect operations are performed using an account with high privileges, the impact of those operations may be significant.

[0005] This disclosure has been made in view of the above points, and provides a technique capable of reducing the risk when a specific operation is performed.

Means for Solving the Problems

[0006] An authorization management device according to one aspect of this disclosure grants the account to which authorization is to be granted, the type of authorization, and the period for which authorization is granted, to the account when the start date and time of the period for which authorization is granted has elapsed, and to remove the type of authorization from the account when the end date and time of the period for which authorization is granted has elapsed. [Effects of the Invention]

[0007] It can reduce the risks associated with certain operations. [Brief explanation of the drawing]

[0008] [Figure 1] This figure shows an example of the overall configuration of the system according to this embodiment. [Figure 2] This figure shows an example of the functional configuration of the system according to this embodiment. [Figure 3] This sequence diagram illustrates an example of the process when granting and removing permissions for an account. [Figure 4] This is a diagram showing an example of an application screen. [Figure 5] This figure shows an example of an approval screen. [Modes for carrying out the invention]

[0009] Hereinafter, one embodiment of the present invention will be described in detail with reference to the drawings. In the following embodiment, we will assume that a specific operation is an unauthorized or erroneous operation on a cloud service, and will describe a case in which the risks when such an unauthorized or erroneous operation occurs are reduced by managing the permissions of the account for that cloud service.

[0010] Here, a cloud service refers to a service provided by an external service provider via a communication network such as the internet. While cloud services are not limited to specific services, in the following discussion, we will primarily assume cloud services that provide at least storage resources. This is because if unauthorized operations or errors occur, such as illegally copying data stored in storage resources (an example of unauthorized operation) or accidentally deleting data stored in storage resources (an example of an error), risks such as information leakage and reputational damage may arise. However, a cloud service that provides at least storage resources is just one example, and the following embodiments can be similarly applied to cloud services other than this one.

[0011] Furthermore, in the following, cloud service accounts are granted permissions (e.g., administrator privileges, general user privileges), and the functions available on the cloud service differ depending on the permissions. For example, an account with administrator privileges can use a wide range of functions (e.g., create, copy, read, update, delete data, etc.), while an account with general user privileges can only use a limited number of functions (e.g., only read data). For simplicity, in the following, we will assume that cloud service accounts have administrator privileges and general user privileges. Administrator privileges are also called high privileges or privileges, and general user privileges are also called general privileges. However, the existence of administrator privileges and general user privileges is just one example, and various types of privileges may exist depending on the cloud service.

[0012] <Example of overall system configuration> Figure 1 is a diagram showing an example of the overall configuration of the system according to this embodiment. As shown in Figure 1, the system according to this embodiment includes one or more user terminals 10, one or more applicant terminals 20, one or more approver terminals 30, an authority management device 40, and a cloud service provision system 50. Each of these entities (user terminal 10, applicant terminal 20, approver terminal 30, authority management device 40, cloud service provision system 50) is connected to communicate via a communication network 60, including the Internet. The user terminal 10, applicant terminal 20, and approver terminal 30 reside in a system environment E, such as an internal company network. In the example shown in Figure 1, there is only one cloud service provision system 50, but there may be multiple cloud service provision systems 50.

[0013] User terminals 10 are various terminals operated by users who utilize the cloud services provided by the cloud service provision system 50. Hereinafter, it is assumed that users possess an account with general user privileges for the cloud services they use. The account possessed by a user will also be referred to as a "user-owned account." Furthermore, a user-owned account will be represented by a combination of a user ID and its corresponding password, with the email address used as the user ID. While PCs (personal computers) and the like are used as user terminals 10, they are not limited to these, and for example, smartphones, tablet devices, wearable devices, etc., may also be used.

[0014] It should be noted that a user's account may be represented by a combination of a user ID and password, using an email address as the user ID, but this is just one example and not the only one. For example, the user ID may be a string that uniquely identifies the user on the cloud service, or a phone number or the like may be used as the user ID instead of an email address.

[0015] The applicant terminal 20 is various terminals operated by an applicant who makes an application to grant administrative authority to the user-owned account of a user when the user plans to perform work that requires administrative authority on a cloud service. As the applicant terminal 20, a PC or the like is used, but it is not limited thereto. For example, a smartphone, a tablet terminal, a wearable device, or the like may be used. The applicant may be, for example, a person in charge of a management department that manages work on a cloud service.

[0016] The approver terminal 30 is various terminals operated by an approver who approves an application made by an applicant. As the approver terminal 30, a PC or the like is used, but it is not limited thereto. For example, a smartphone, a tablet terminal, a wearable device, or the like may be used. The approver may be, for example, a person in charge of a management department that manages work on a cloud service.

[0017] The authority management device 40 is a general-purpose server or a system composed of them that grants administrative authority to a user-owned account targeted by an application before the start of work or deletes administrative authority after the end of work in response to the approval of an approver for an application from an applicant.

[0018] The cloud service providing system 50 is an external system that provides a cloud service (for example, a cloud service that provides at least storage resources).

[0019] Note that the overall configuration of the system shown in FIG. 1 is an example and is not limited thereto. For example, when the user and the applicant are the same person, the user terminal 10 may function as the applicant terminal 20, and the applicant terminal 20 may not be included.

[0020] <Functional configuration example of the system> FIG. 2 is a diagram showing a functional configuration example of the system according to the present embodiment.

[0021] ≪User terminal 10≫ As shown in FIG. 2, the user terminal 10 according to the present embodiment includes a UI providing unit 101. The UI providing unit 101 is realized, for example, by a process in which one or more programs installed in the user terminal 10 cause an arithmetic device such as a CPU (Central Processing Unit) to execute.

[0022] The UI providing unit 101 displays various screens including a login screen to a cloud service on a display and accepts operations on these various screens. Note that the UI providing unit 101 can be realized, for example, using a web browser or the like.

[0023] ≪Applicant Terminal 20≫ As shown in FIG. 2, the applicant terminal 20 according to the present embodiment includes a UI providing unit 201. The UI providing unit 201 is realized, for example, by a process in which one or more programs installed in the applicant terminal 20 cause an arithmetic device such as a CPU to execute.

[0024] The UI providing unit 201 displays various screens including an application screen for applying for administrator authority for a user-owned account on a display and accepts operations on these various screens. Note that the UI providing unit 201 can be realized, for example, using a web browser or the like.

[0025] ≪Approver Terminal 30≫ As shown in FIG. 2, the approver terminal 30 according to the present embodiment includes a UI providing unit 301. The UI providing unit 301 is realized, for example, by a process in which one or more programs installed in the approver terminal 30 cause an arithmetic device such as a CPU to execute.

[0026] The UI providing unit 301 displays various screens including an approval screen for approving an application for granting administrator authority for a user-owned account on a display and accepts operations on these various screens. Note that the UI providing unit 301 can be realized, for example, using a web browser or the like.

[0027] ≪Authority Management Device 40≫ As shown in Figure 2, the authorization management device 40 according to this embodiment includes an application management unit 401 and an authorization management unit 402. Each of these units is realized, for example, by a process in which one or more programs installed on the authorization management device 40 are executed by a processing unit such as a CPU. The authorization management device 40 according to this embodiment also includes an application management information storage unit 403. The application management information storage unit 403 is realized, for example, by the storage area of ​​a storage device (e.g., HDD (Hard Disk Drive), SSD (Solid State Drive), flash memory, etc.) owned by the authorization management device 40. However, the application management information storage unit 403 may also be realized, for example, by the storage area of ​​a storage device (e.g., a storage device owned by a database server) that is communicatively connected to the authorization management device 40.

[0028] When the application management unit 401 receives application information from the applicant terminal 20 representing an application to grant administrator privileges to a user-owned account, it creates application management information from this application information and stores it in the application management information storage unit 403. Furthermore, when the application management unit 401 receives approval information representing approval of an application to grant administrator privileges to a user-owned account, it approves the application management information corresponding to this approval information.

[0029] The Authority Management Unit 402 grants administrator privileges to user accounts corresponding to approved application management information before the start of the work period included in said application management information, and revokes administrator privileges after the end of that work period.

[0030] The application management information storage unit 403 stores application management information. Here, the application management information includes, for example, an application ID, which is identification information that uniquely identifies the application; a user ID of the user account to which the authority will be granted; the type of authority; a work period, which represents the period for which the authority will be granted; and an approval category, which represents whether or not the application has been approved. In other words, the application management information is represented in the format, for example, (application ID, user ID, type of authority, work period, approval category).

[0031] <Example of actions taken when granting and removing permissions for user-owned accounts> The following explains, with reference to Figure 3, an example of how to grant and revoke administrator privileges to a user's account, assuming that the user is performing tasks on a cloud service that require administrator privileges.

[0032] The UI provider unit 201 of the applicant terminal 20 displays an application screen for requesting the granting of administrator privileges to a user-owned account (step S101). An example of the application screen is shown in Figure 4. The application screen 1000 shown in Figure 4 includes a setting field 1001 for entering or selecting the user ID of the user-owned account to be granted privileges, a setting field 1002 for entering or selecting the type of privilege, a setting field 1003 for entering or selecting the work period representing the period for which the privileges will be granted, and an application button 1004. The applicant can perform the application operation by setting the user ID of the user-owned account in setting field 1001, administrator privileges in setting field 1002, and the work period in setting field 1003, and then pressing the application button 1004. Hereafter, it will be assumed that the application operation has been performed by the applicant on the application screen.

[0033] The UI provision unit 201 of the applicant terminal 20 accepts the application operation by the applicant (step S102).

[0034] When the UI provision unit 201 of the applicant terminal 20 receives an application operation from the applicant, it creates application information that includes the user ID, type of permission, and work period set on the application screen, and sends the said application information to the permission management device 40 (step S103). For example, when the application button 1004 is pressed on the application screen 1000 shown in Figure 4, application information such as (user ID, type of permission, work period) = (yamada@aaa.co.jp, administrator permission, 2024 / 2 / 9 10:00~2024 / 2 / 9 12:00) is created and sent. Hereafter, the start date and time of the work period will be referred to as the "work start date and time," and the end date and time of the said work period will be referred to as the "work end date and time."

[0035] When the application management unit 401 of the authorization management device 40 receives application information from the applicant terminal 20, it creates application management information by adding an application ID and an approval category with a value indicating unapproved to the application information (step S104).

[0036] The application management unit 401 of the authorization management device 40 stores the application management information created in step S104 above in the application management information storage unit 403 (step S105).

[0037] When the application management information is stored in the application management information storage unit 403 in step S105 of the authorization management device 40, the application management unit 401 of the authorization management device 40 sends an approval request for this application management information to the approver terminal 30 (step S106). This approval request includes, for example, the application ID, user ID, type of authorization, and work period of the application management information. This notifies the approver that there is an application that requires approval.

[0038] The UI provision unit 301 of the approver terminal 30 displays an approval screen for approving an application to grant administrator privileges to a user-owned account (step S107). An example of the approval screen is shown in Figure 5. The approval screen 2000 shown in Figure 5 is the approval screen when an application operation is performed on the application screen 1000 shown in Figure 4, and includes a display field 2001 that displays the user ID of the user-owned account to which the privileges will be granted, a display field 2002 that displays the type of privilege, a display field 2003 that displays the work period representing the period for which the privileges will be granted, an approve button 2004, and a reject button 2005. The approver can perform an approval operation by pressing the approve button 2004, and a rejection operation by pressing the reject button 2005. Hereafter, it will be assumed that an approval operation has been performed by the approver on the approval screen.

[0039] The UI provision unit 301 of the approver terminal 30 accepts approval operations from the approver (step S108).

[0040] When the UI provision unit 301 of the approver terminal 30 receives an approval operation from the approver, it transmits approval information, which includes at least the application ID included in the approval request, to the authorization management device 40 (step S109). In addition to the application ID, the approval information may also include, for example, a value representing approval.

[0041] When the application management unit 401 of the authorization management device 40 receives approval information from the approver terminal 30, it updates the value of the approval category in the application management information of the application ID contained in this approval information to a value indicating approval (step S110). This means that the application to grant administrator privileges to the user's account has been approved. Hereafter, the application management information in which the approval category is set to a value indicating approval will also be referred to as "approved application management information".

[0042] The authority management unit 402 of the authority management device 40 grants the user account of the user ID included in the approved application management information (i.e., administrator privileges) to the user account of the user ID included in the application management information when it is immediately before the start date and time of the work period included in the approved application management information stored in the application management information storage unit 403 (step S111). "Immediately before the start date and time of the work" means, for example, the time when it is a predetermined time until the start date and time of the work (e.g., 5 minutes before the start date and time of the work).

[0043] Furthermore, the authorization management unit 402 may grant administrator privileges or other privileges to user accounts using means or methods determined by the cloud service provided by the cloud service provision system 50. For example, if the cloud service provides a Web API for granting or deleting privileges, the authorization management unit 402 can use this Web API to grant administrator privileges to user accounts. Alternatively, if the cloud service provides a management screen for granting or deleting privileges, the authorization management unit 402 can use this management screen to grant administrator privileges to user accounts.

[0044] When performing work on a cloud service, the UI provision unit 101 of the user terminal 10 accesses the cloud service provision system 50 that provides the cloud service and obtains the login screen (step S112).

[0045] The UI provision unit 101 of the user terminal 10 displays the login screen obtained in step S112 above (step S113). The user can log in by entering the user ID and password of the user's account on the login screen. Hereafter, it will be assumed that the user has logged in on the login screen.

[0046] The UI provision unit 101 of the user terminal 10 accepts a login operation from the user (step S114).

[0047] The UI provider unit 101 of the user terminal 10 logs into the cloud service (step S115). This allows the user to perform tasks requiring administrator privileges using their user-owned account, which is granted administrator privileges. Hereafter, it is assumed that the user completes their tasks and logs out by the task completion date and time.

[0048] The UI provision unit 101 of the user terminal 10 accepts a logout operation from the user (step S116).

[0049] The UI provision unit 101 of the user terminal 10 logs out of the cloud service (step S117).

[0050] The authority management unit 402 of the authority management device 40 deletes the type of authority included in the application management information (i.e., administrator authority) from the user account of the user ID included in the application management information (step S118) immediately after the end date and time of the work period included in the approved application management information stored in the application management information storage unit 403. Immediately after the end date and time of the work is, for example, a predetermined time that has elapsed from the end date and time of the work (e.g., 5 minutes after the end date and time of the work).

[0051] Furthermore, similar to step S111 above, the authorization management unit 402 may remove administrator privileges, etc., from a user's account using means or methods determined by the cloud service provided by the cloud service provision system 50. For example, if the cloud service provides a Web API for granting or removing privileges, the authorization management unit 402 can use this Web API to remove administrator privileges from the user's account. Alternatively, if the cloud service provides a management screen for granting or removing privileges, the authorization management unit 402 can use this management screen to remove administrator privileges from the user's account.

[0052] <Variation> In the above embodiment, high-level privileges such as administrator privileges were granted to the user's account, but various types of privileges may be granted. For example, suppose there are "A privileges" that can only manipulate data in storage area A on the cloud service, "B privileges" that can only manipulate data in storage area B, and "C privileges" that can only manipulate data in storage area C. In this case, at least one of the A privileges to C privileges may be granted to the user's account in response to an application and approval.

[0053] <Summary> As described above, in this embodiment, when a user performs a task requiring high privileges on the cloud service, the user's account, which normally only has general user privileges, is granted high privileges such as administrator privileges for the duration of that task. Therefore, compared to, for example, a case where a user's account performing a task requiring high privileges is always granted high privileges, the risk of unauthorized or incorrect operations by that user can be reduced.

[0054] More specifically, for example, if a user's account is always granted high privileges, that user will use that account even when performing general tasks on the cloud service that do not necessarily require high privileges. Since general tasks are performed relatively frequently, there are many opportunities for unintentional errors to occur. In addition, there is a possibility that malicious third parties may misuse the account if the user leaks the user's account information. For this reason, if a user's account is always granted high privileges, the risk of misuse or unauthorized operation becomes very high.

[0055] In contrast, in this embodiment, high privileges are granted to user accounts that currently only have general user privileges, only for the period required when performing tasks that require high privileges on the cloud service. Therefore, even if an error occurs during general work, or if a user account is leaked during a period other than when tasks requiring high privileges are being performed, the risk of errors or unauthorized operations can be reduced.

[0056] The present invention is not limited to the embodiments specifically disclosed above, and various modifications, changes, and combinations with known technologies are possible without departing from the scope of the claims. [Explanation of Symbols]

[0057] 10. User terminals 20 Applicant terminal 30 Approver terminals 40. Access Control Device 50 Cloud Service Provisioning Systems 60 Communication Networks 101 UI provision department 201 UI provision department 301 UI provision department 401 Application Management Department 402 Authority Management Department 403 Application management information storage unit

Claims

1. Based on the account to which the permission is to be granted, the type of permission, and the period for which the permission is granted, if the start date and time of the grant period have elapsed, the permission of the said type shall be granted to the said account. If the end date and time of the grant period have elapsed, the permission of the aforementioned type will be removed from the account. Access control device.

2. The authorization management device according to claim 1, which, based on approval of an application indicating the granting of the said type of authorization to the account during the said granting period, grants the said type of authorization to the account when the start date and time of the said granting period has elapsed.

3. The aforementioned account is an account with general user privileges, and the type of privilege is administrator privileges. The authority management device according to claim 1 or 2, which grants the administrator privileges to the account when the start date and time of the grant period have elapsed.

4. Based on the account to which the permission is to be granted, the type of permission, and the period for which the permission is granted, if the start date and time of the grant period have elapsed, the permission of the said type shall be granted to the said account. If the end date and time of the grant period have elapsed, the permission of the aforementioned type will be removed from the account. The method by which a computer performs a process.

5. Based on the account to which the permission is to be granted, the type of permission, and the period for which the permission is granted, if the start date and time of the grant period have elapsed, the permission of the said type shall be granted to the said account. If the end date and time of the grant period have elapsed, the permission of the aforementioned type will be removed from the account. A program that instructs a computer to perform a process.