Network systems are mainly categorized into those including domain controllers and those not including any domain controller. Large network systems including a large number of nodes generally include multiple domains, and each of the domains includes a domain controller that collectively manages user accounts. Including domain controllers enables efficient and secure management and operation of a large network system.
In contrast to the above, small network systems such as a work group including a small number of nodes do not generally include any domain controller, and individual nodes manage user accounts. In other words, in a network system (also referred to as an individual-management network system) that does not include any domain controller, each user needs to create his/her own account at each node that the user desires to access (see PTL 1, for example).
More specifically, in a network system not including any domain controller, each user needs to input an account creation request including an account name and a password to each node that the user desires to access, and account information including the account name, an account ID, and the password needs to be stored in each node in advance. The above-mentioned account name is, for example, a character string used by a person to identify the account. The above-mentioned account ID is an identifier used by the node to uniquely identify the account, and it is generated by the node itself. The account ID is also referred to as a security identifier (SID). Even when account creation requests including the same account name and password are input to multiple nodes, the account IDs generated at the respective nodes are not necessarily the same, since each node generates its account IDs independently. The account information registered as described above is used for authentication. When receiving an authentication request including an account name and a password from a terminal unit used by a user, a node compares the registered account information with the information received from the terminal unit and permits access to the node itself when they match.
In order to increase security, some network systems perform access control using an access control list (ACL) on an object such as a file or a folder (see PTL 2, for example). The access control list of a given object includes access control entries (ACEs), each of which records the account ID and the access right of an account having permission to access the object. When an account having a certain account ID (e.g., IDX) issues a request to access the object and the access control list of the object does not include any access control entry containing the account ID “IDX”, the access is denied. When the access control list does include such an access control entry, a further determination is made about whether to permit access, on the basis of the access right recorded in association with the account ID “IDX” and the contents of the access request.
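The following is an added, constructed model of the two mechanisms described above (per-node account creation with node-generated account IDs, and ACL evaluation by account ID); it is example code and not part of the patent or of any product it cites. The SID-like layout `S-<authority>-<rid>`, the per-node random authority, and the PBKDF2 password storage are assumptions made for the example. It shows the consequence stated above: the same account name and password registered on two nodes yield different account IDs, so an ACE written on one node does not match the ID that the other node generated.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000  # constructed setting for the example


class Node:
    """One node of an individual-management (workgroup) network.

    Each node keeps its own account table and its own ACLs; nothing is
    shared between nodes, matching the setting described above.
    """

    def __init__(self, node_name):
        self.node_name = node_name
        # Per-node identifier authority chosen by the node itself, so that
        # account IDs generated here differ from those of any other node.
        # (Constructed; a real SID authority is laid out differently.)
        self.authority = secrets.token_hex(8)
        self.next_rid = 1000
        self.accounts = {}  # account name -> {"id", "salt", "hash"}
        self.acls = {}      # object name -> {account ID -> frozenset(rights)}

    def create_account(self, account_name, password):
        """Handle an account creation request; return the node-generated account ID."""
        if account_name in self.accounts:
            raise ValueError(f"account {account_name!r} already exists on {self.node_name}")
        account_id = f"S-{self.authority}-{self.next_rid}"
        self.next_rid += 1
        # Store a salted, stretched hash rather than the password itself.
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.accounts[account_name] = {"id": account_id, "salt": salt, "hash": pw_hash}
        return account_id

    def authenticate(self, account_name, password):
        """Check an authentication request; return the account ID on success, else None."""
        rec = self.accounts.get(account_name)
        if rec is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, rec["hash"]):
            return None
        return rec["id"]

    def add_ace(self, obj, account_id, rights):
        """Record an access control entry (account ID, access rights) on an object."""
        self.acls.setdefault(obj, {})[account_id] = frozenset(rights)

    def check_access(self, obj, account_id, requested):
        """ACL evaluation as described: no ACE for the account ID means deny;
        otherwise grant only if every requested right is in that ACE."""
        ace = self.acls.get(obj, {}).get(account_id)
        if ace is None:
            return False
        return frozenset(requested) <= ace


def demo():
    """Two workgroup nodes receiving the same account creation request."""
    node_a, node_b = Node("NODE-A"), Node("NODE-B")
    id_a = node_a.create_account("alice", "correct horse")
    id_b = node_b.create_account("alice", "correct horse")
    node_a.add_ace("report.txt", id_a, {"read"})
    return {
        "ids_differ": id_a != id_b,
        "auth_ok": node_a.authenticate("alice", "correct horse") == id_a,
        "auth_bad_pw": node_a.authenticate("alice", "wrong") is None,
        "read_on_a": node_a.check_access("report.txt", id_a, {"read"}),
        "write_on_a": node_a.check_access("report.txt", id_a, {"read", "write"}),
        "b_id_on_a": node_a.check_access("report.txt", id_b, {"read"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because `check_access` keys the ACE lookup on the account ID and not on the account name, the entry granting "alice" read access on NODE-A does nothing for the ID that NODE-B generated for the same name and password; that is the situation the preceding paragraphs describe.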