1. Field of the Invention
The present invention relates to a method, apparatus, and computer program for managing access to documents distributed to users. More particularly, the present invention relates to a method, apparatus, and computer program stored in a computer-readable medium which collect an access log of a document for managing access thereto.
2. Description of the Related Art
Documents created on a computer can easily be made available to multiple users on a network. Specifically, the author can make his/her documents open to other online users by uploading them to a file server on a network system. The file server offers document management functions including user access control. Some existing techniques permit a file server to store records of past access to documents. See, for example, Japanese Unexamined Patent Application Publication No. 2002-175300.
A file server acts as a document management platform, making it easy to detect improper access to those documents. One drawback of this method is that availability of documents is limited to those who can access the server via a network. Another drawback is that the author is unable to manage how the document is handled on the recipient side once it is distributed to clients for browsing.
To solve the above shortcomings, some researchers have proposed a system in which the users are allowed to browse a distributed document only if their client computers are equipped with a prescribed document browsing function. Documents adapted to this management system are delivered from a mail server to users as an email attachment.
FIG. 32 shows an example of a conventional file management system. The author writes a document 941 on his/her client computer (hereafter, “client”) 910. Before distributing the document 941 over the network, the author interacts with the document access management server 920 through the client 910 to establish an access policy 942 for access control of the document 941. This access policy 942 may be modified later in a similar way whenever the author needs it.
The access policy 942 is a set of parameters specifying access conditions for the document 941. For example, the access policy 942 includes a list of users who are eligible for browsing the document 941.
The document access management server 920 manages how the distributed document 941 is used at the recipient's end. Suppose, for example, that the user of a client 930 is attempting to read the document 941. The document access management server 920 then sends the relevant access policy 942 to the client 930. Upon receipt of a user command requesting browse access to the document 941, the client 930 consults this access policy 942 to determine whether to permit access to the document 941. The requesting user can view the document 941 on a monitor screen of the client 930 only when the access policy 942 permits it.
To record the above access to the document 941, the client 930 produces an access log 943, which contains, for example, the time stamp of browsing, user name, and other information in the case of browse access. The produced access log 943 is transferred from the client 930 to the document access management server 920 when, for example, the client 930 can reach the document access management server 920 for the first time after the access log 943 is produced. The document access management server 920 saves the received access log 943 in an access log database 921.
The access log database 921 accumulates access logs concerning the document 941, including records of access from other users. The access log database 921 also receives access logs of other documents. Besides storing a time stamp and user name of each access event, those access logs also provide information about whether each access attempt is valid (i.e., authorized by the corresponding access policy).
The above-described conventional method detects an improper access attempt to a document, but is unable to identify the reason why that access attempt was denied as improper, since it relies on access logs alone. Most document management systems allow access policies to be modified during operation. For this reason, one cannot find the exact reason for an access denial simply by comparing the obtained access logs with the current access policies. From the viewpoint of access management, changing access policies in the middle of operation is problematic because it obscures important information about user status, such as who is eligible for browsing, who has actually read the document, who is leaving the document unread, and who has let their permission period expire.
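The following added example (not part of the original text) illustrates this problem: denied entries in an access log are replayed against the current access policy and then against the policy in force at the time of access. The log entries, policy contents, and field layout are constructed, and keeping a policy change history is an assumption made for the illustration.

```python
from datetime import datetime as dt

# Constructed access log: (time, user, document, permitted at the time)
ACCESS_LOG = [
    (dt(2024, 3, 1, 9, 0), "alice", "doc941", True),
    (dt(2024, 3, 5, 14, 0), "bob", "doc941", False),
    (dt(2024, 3, 18, 10, 0), "carol", "doc941", False),
]

# Constructed policy history (assumption): (effective_from, {user: permission expiry})
POLICY_HISTORY = [
    (dt(2024, 2, 1), {"alice": dt(2024, 4, 30), "carol": dt(2024, 3, 15)}),
    # Later change: bob is added and carol's period is extended.
    (dt(2024, 3, 25), {"alice": dt(2024, 4, 30), "bob": dt(2024, 4, 30),
                       "carol": dt(2024, 4, 30)}),
]

def evaluate(policy, user, when):
    """Return (permitted, reason) for one access attempt under one policy version."""
    if user not in policy:
        return False, "user not in eligible list"
    if when > policy[user]:
        return False, "permission period expired"
    return True, "permitted"

def policy_at(history, when):
    """Return the policy version in force at `when` (history sorted by time)."""
    in_force = None
    for effective_from, policy in history:
        if effective_from <= when:
            in_force = policy
    return in_force

def explain_denials(log, history):
    """For each denied entry, pair the verdict under the current policy
    with the verdict under the policy in force when the access occurred."""
    current = history[-1][1]
    results = []
    for when, user, _doc, permitted in log:
        if permitted:
            continue
        under_current = evaluate(current, user, when)
        under_original = evaluate(policy_at(history, when), user, when)
        results.append((user, under_current, under_original))
    return results

if __name__ == "__main__":
    for user, now, then in explain_denials(ACCESS_LOG, POLICY_HISTORY):
        print(f"{user}: current policy says {now}, policy at access time says {then}")
```

Under the current policy both denied attempts look permitted, so the log and the policy contradict each other; only the policy version in force at access time yields a reason for each denial.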