1. Field of the Invention
The present invention generally relates to systems for performing routine business operations, and particularly relates to a method of controlling data circulation between servers and clients in a system equipped with a data storage function, a data circulation function, and a security management function for achieving computerized work flow.
2. Description of the Related Art
A work-flow system defines a flow of business operations so that the business operations involving a number of people are carried out according to the defined flow. In a system for circulating electronic documents in a network, for example, an order of circulation is registered in a work-flow server in advance, and the documents are circulated or processed in the defined order. In such a system, it is necessary to control data storage, data circulation, and data security.
In a work-flow system, data is stored in a registration-source server, and a client accesses the registration-source server to download necessary data. The client may modify the data, and then uploads it to a circulation-destination server (which may or may not be different from the registration-source server). This is the way business operations are typically performed in a work-flow system.
FIGS. 9A through 9C are illustrative drawings for explaining a related-art work-flow system.
In FIGS. 9A through 9C, a registration-source server 80 stores registered files. The registered files include issues that need to be solved, and are registered by other clients. A user uses a client 81 to download a file from the registration-source server 80, and modifies the downloaded file. A circulation-destination server 82 receives a file uploaded from the client 81 after the file is modified in the client 81. The modified file may include answers to the issues to be solved.
In the following, a description will be given with regard to a related-art method of controlling data circulation between servers and clients in a work-flow system.
In FIG. 9A, a user downloads a file from the registration-source server 80 to the client 81. After modifying the file in the client 81, the user uploads the file to the circulation-destination server 82. At the time of uploading, no check is made as to whether the file is modified according to a correct procedure by a legitimate user.
In the system of FIG. 9A, the client 81 can illegally download a file from a server different from the registration-source server 80. In such a case, the circulation-destination server 82 simply accepts the file when the file after modification is submitted from the client 81.
In FIG. 9B, the client 81 downloads a file from the registration-source server 80. If the registration-source server 80 does not retain the downloaded file, and if the client 81 loses data of the file, the data cannot be recovered.
If the registration-source server 80 retains the file without deleting it, there is no appropriate point at which the circulated data can be removed.
In FIG. 9C, a server/client system based on a centralized server is structured by combining the registration-source server and the circulation-destination server. In this configuration, the load on the server is undesirably heavy. Further, the chance of losing data is high when the server malfunctions and stops providing services.
A technology relating to work-flow data management, by which programs and files are downloaded from a server to a client and are returned to a server after modification thereof, is disclosed in Japanese Patent Laid-open Applications No. 9-91402, No. 9-138824, and No. 9-198326. No. 9-91402 teaches retaining data when a system malfunction or a system outage occurs. No. 9-138824 teaches checking and correcting circulated documents in a work-flow system, and discloses controlling date-and-time indications of circulars. No. 9-198326 teaches identifying a user who has handled a document upon finding of a problem in the document in response to a user request.
The method of controlling data circulation between servers and clients in the related-art work-flow system as described above has the following problems.
There is no check function to check the contents of a file when the file is downloaded from a server to a client and is uploaded to a circulation-destination server after modification of the file. Because of the lack of such a check function, an illegal file can be uploaded to the circulation-destination server. Also, there is no way of detecting tampering when a user or an administrator tampers with registered data stored in the registration-source server.
Further, there is no check function to verify legality of a user and a file between the registration-source server and the circulation-destination server. For example, any user can upload a file to the circulation-destination server without properly downloading the file from the registration-source server. This poses a security problem.
Moreover, when a file is downloaded from a registration-source server to a client, loss of the file data on the client side leaves no possibility of recovering the data, since the server does not retain the downloaded data. As previously mentioned, if the server retains the data, there is no appropriate time at which to delete the data after the circulation thereof.
In a system in which a single server functions as the registration-source server and the circulation-destination server, the load on the server is excessively heavy. Also, there is a risk of mistakenly rewriting data of the registration-source server.
Accordingly, there is a need for such a method of controlling data circulation between servers and clients in a work-flow system that an illegal user is prevented from downloading or uploading a file from or to a server.
There is another need for such a method of controlling data circulation between servers and clients in a work-flow system that a check can be made as to illegality of files between servers.
There is still another need for such a method of controlling data circulation between servers and clients in a work-flow system that a file can be recovered when a user mistakenly deletes the file.
There is yet another need for such a method of controlling data circulation between servers and clients in a work-flow system that erroneous erasure of files is prevented in the registration-source server.
Accordingly, it is a general object of the present invention to provide a method of controlling data circulation between servers and clients in a work-flow system such that the method can satisfy the needs described above.
It is another and more specific object of the present invention to provide such a method of controlling data circulation between servers and clients in a work-flow system that an illegal user is prevented from downloading or uploading a file from or to a server.
It is another object of the present invention to provide such a method of controlling data circulation between servers and clients in a work-flow system that a check can be made as to illegality of files between servers.
It is still another object of the present invention to provide such a method of controlling data circulation between servers and clients in a work-flow system that a file can be recovered when a user mistakenly deletes the file.
It is still another object of the present invention to provide such a method of controlling data circulation between servers and clients in a work-flow system that erroneous erasure of files is prevented in the registration-source server.
In order to achieve the above objects according to the present invention, a method of circulating data between servers while updating the data between the servers includes the steps of downloading registered data having a first access key attached thereto from a source server to a client, the first access key including a server identifier of the source server and a first user identifier of a user who registered the registered data, uploading a file from the client to a destination server, the file including updating data and the registered data having the first access key attached thereto, comparing, in the destination server, the registered data and the first access key uploaded from the client with the registered data and the first access key that are obtained from the source server in response to a request sent from the destination server to the source server, and registering the file in the destination server if the comparison gives a match.
The method described above ensures that a check can be made as to illegality of files between the servers.
According to one aspect of the present invention, the method as described above further includes the steps of including in the first access key a second user identifier of a user who is entitled to download the registered data, comparing, in the source server, the second user identifier with a user identifier of a user who attempts to download the registered data when the client attempts to download the registered data, and allowing the client to download the registered data if the comparison of the user identifiers gives a match.
The method described above ensures that an illegal user is prevented from downloading a file from the source server.
According to another aspect of the present invention, the method as described above is such that the step of uploading a file includes uploading, as part of the file, a second access key that includes a server identifier of the destination server and a second user identifier of a user who generated the updating data, the method further comprising a step of checking, in the destination server, whether the second user identifier included in the uploaded second access key matches a user identifier of a user who uploaded the file.
The method described above ensures that an illegal user is prevented from uploading a file to the destination server.
According to another aspect of the present invention, the method as described above further includes the steps of sending from the destination server to the source server a message indicative of registration of the file when the file is registered in the destination server, and deleting the registered data and the first access key in the source server when the source server receives the message.
The method described above ensures that a file can be recovered when a user mistakenly deletes the file, and that erroneous erasure of files is prevented in the source server.
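The checks summarized above (download entitlement, uploader match on the second access key, comparison against the source server's copy, and deletion only after the registration message) can be modeled in memory as follows. This is an added illustration, not code from the patent: the class and method names and the sample users are hypothetical, the in-process dictionary lookup stands in for the request between servers, and each user identifier passed in is assumed to have already been authenticated by the server.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AccessKey:
    server_id: str    # server holding the data the key is attached to
    owner: str        # user who registered (first key) or generated the update (second key)
    reader: str = ""  # first key only: user entitled to download

@dataclass
class SourceServer:
    server_id: str
    store: dict = field(default_factory=dict)  # name -> (registered data, first access key)

    def register(self, name, data, owner, reader):
        self.store[name] = (data, AccessKey(self.server_id, owner, reader))

    def download(self, name, user):
        data, key = self.store[name]
        if key.reader != user:  # download check against the entitled user
            raise PermissionError(f"{user} may not download {name}")
        return data, key

    def on_registered(self, name):  # registration message received: delete data and key
        self.store.pop(name, None)

@dataclass
class DestinationServer:
    server_id: str
    sources: dict  # server_id -> SourceServer (stands in for the network request)
    store: dict = field(default_factory=dict)

    def upload(self, name, user, update, registered, key1, key2):
        if key2.owner != user:  # upload check on the second access key
            return "rejected: second access key does not match uploader"
        source = self.sources.get(key1.server_id)
        # Compare the uploaded data and key with the copy obtained from the source server.
        if source is None or source.store.get(name) != (registered, key1):
            return "rejected: registered data or first access key mismatch"
        self.store[name] = (registered, update, key1, key2)
        source.on_registered(name)  # the source keeps its copy until this point
        return "registered"

def demo():  # constructed sample users and data
    src = SourceServer("srv-A")
    dst = DestinationServer("srv-B", {"srv-A": src})
    src.register("issue-1", b"open issues", owner="alice", reader="bob")
    data, k1 = src.download("issue-1", "bob")
    k2 = AccessKey("srv-B", "bob")
    forged = dst.upload("issue-1", "bob", b"answers", b"tampered", k1, k2)
    return forged, dst.upload("issue-1", "bob", b"answers", data, k1, k2), "issue-1" in src.store
```

Because the source server deletes its copy only on the registration message, a rejected upload leaves the registered data recoverable, and a second upload of the same file fails the comparison once the source copy is gone.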