A subject name of a personal certificate is used to easily perform access control. An authentication unit implements an authentication procedure between a client terminal and a web server. The authentication unit receives a certificate from the client terminal for executing the authentication procedure, and its subject name is supplied to an element extracting unit. The element extracting unit follows a hierarchy structure of the subject name to extract a predetermined element. A right determining unit determines an access right for accessing a document based on a type and a value of the element extracted, and allocates this to a session number. A right registering unit registers a relation between the session number and the access right. Thereafter, while the session continues, an access right is allowed based on the session number.