CN102082887B - Image forming system and image forming apparatus - Google Patents

Abstract

An image forming system according to an aspect of the present disclosure includes an image forming apparatus, a directory server device, an authorization information registration device, and a user-manager server device that are connected to a network. The directory server device includes registration information data on one of a domain group and domain user. The authorization information registration device acquires list data based on the registration information data on the one of the domain group and domain user from the directory server device, determines information on the one of the domain group and domain user within the list data, and registers the determined authorization information to the user-manager server device in association with the one of the domain group and domain user as authorization information data. The user-manager server device transmits, to the image forming apparatus, the authorization information on a logged-in user to the image forming apparatus based on the authorization information data on the one of the domain group and domain user.

Description

Image formation system and image processing system

Technical field

The present invention relates to image formation system and image processing system.

Background technology

In recent years, for the user in network system for managing and equipment and introduced the directory services such as Active Directory (Active Directory), e catalogue.In the image processing systems such as printer, photocopier, digital complex machine, there is network function, by directory service, can carry out the management of user or group.When carrying out user management by directory service, the user for carried out registration operation at image processing system, can carry out user and authenticate by the server unit of directory service.

In image processing system, only make to be registered in various functions the permit process that the function of user's license can be used.In permit process, for each user, preset and be used to specify the License Info that allows to use or ban use of function, according to this License Info, limit the function that registered user uses.

In addition, also exist to use according to each user, to there is the intermediary service apparatus of License Info, the system of registered user's License Info is provided to image processing system.In this system, can to each user's License Info, manage concentratedly by intermediary service apparatus, but be difficult to set neatly License Info for user and group.

For example, in the situation that set License Info for groups different from territory group (Domain Group) in LIST SERVER, owing to cannot setting in the lump License Info, therefore must set respectively License Info to belonging to a plurality of users of this group.Therefore, the setting operation of License Info becomes numerous and diverse.Although can consider that Yi Zuwei unit adds License Info to be set in directory service, the directory service of using in possibility Dui Yi enterprise exerts an influence.

Summary of the invention

The present invention relates to manage concentratedly and user and group are set to image formation system and the image processing system of License Info neatly License Info.

The image formation system of one aspect of the present invention, comprises image processing system connected to the network, directory service apparatus, License Info calling mechanism and customer administrator's server unit.Described directory service apparatus is connected to the network, and has territory group and/or territory user's register information data.Described License Info calling mechanism obtains the table data of the described register information data based on described territory group and/or territory user from described directory service apparatus, determine described territory group in described list and/or territory user's License Info, and determined described License Info and described territory group and/or territory user-association are risen and be used as License Info data and register to described customer administrator's server unit.The described License Info data of described customer administrator's server unit based on described territory group and/or territory user send to described image processing system by the registered user's of described image processing system License Info.

The image processing system of one aspect of the present invention, comprises input unit, input registered user's authentication information, judging part, by the customer administrator's server unit being connected with described network, described registered user's authentication information is sent to the directory service apparatus that is connected to described network from described image processing system, judge that whether described authentication information is proper, be judged as proper in the situation that, described registered user's user profile is not sent to described customer administrator's server unit, determine that the License Info corresponding with described registered user's user profile sends to described image processing system, and based on described License Info, determine the function of the use of forbidding in the function that described image processing system has or allowing to be undertaken by described registered user, storage represents whether allow about described function the data of using, and control part, based on described data, make described registered user only use the function of licensed use.

Accompanying drawing explanation

Fig. 1 means the block diagram of the structure of the image formation system that embodiment of the present invention relates to;

Fig. 2 means the block diagram of the structure of the digital complex machine in Fig. 1;

Fig. 3 means the block diagram of the structure of the customer administrator's server unit in Fig. 1;

Fig. 4 means the figure of the structure example of admission policy (policy) data in Fig. 3;

Fig. 5 means the figure of the structure of the directory service apparatus in Fig. 1;

Fig. 6 means the block diagram of the structure of the terminal installation in Fig. 1;

Fig. 7 means the precedence diagram that the action of each device when user in the system shown in Fig. 1 has been registered to digital complex machine describes;

Fig. 8 means the flow chart to the action of the terminal installation during to customer administrator's server unit registration permission message in the system shown in Fig. 1;

Fig. 9 means the figure of an example of the key frame showing in the terminal installation of Fig. 1;

Figure 10 means the figure of example of the displaying contents of certain viewing area while having selected the <OU1> of organization unit's (group) from the tree of Fig. 9, in key frame;

Figure 11 means the figure of example of the displaying contents of certain viewing area while having selected the <OU1> of organization unit's (group) from the tree of Fig. 9, in key frame;

Figure 12 means the figure of example of the displaying contents of certain viewing area while having selected the <OU1> of organization unit's (group) from the tree of Fig. 9, in key frame;

Figure 13 means the figure that waits the example of the input picture of registering admission policy (Policy) minute timing demonstration in the terminal installation of Fig. 1 to group;

Figure 14 means the figure of the example of the input picture while being presented at registration admission policy in the terminal installation of Fig. 1.

Embodiment

Fig. 1 means the block diagram of the structure of the image formation system that embodiments of the present invention relate to.A plurality of digital complex machines (MFP) 1A, 1B are connected with network 2, and on this network 2, are also connected with customer administrator's server unit 3 and directory service apparatus 4 and terminal installation 5 (example of License Info calling mechanism).

MFP 1A has printer function, scanner function, copy function, facsimile function etc., is according to the instruction of the guidance panel from MFP 1A, the host apparatus that is connected with network 2, carries out the image processing system of various tasks according to these functions.MFP 1B is also same image processing system.

The user authentication request that customer administrator's server unit 3 receives from MFP 1A, 1B, and provide the License Info about registered user to MFP 1A, 1B.In addition, directory service apparatus 4 provides the directory services such as Active Directory, e catalogue.

Fig. 2 means the block diagram of the structure of the MFP 1A in Fig. 1.MFP 1B also has same structure.MFP 1A has guidance panel 21, modulator-demodulator 22, network interface 23, printer 24, scanner 25 and control device 26.

Guidance panel 21 is arranged in the framework of MFP 1A, has to user and shows the display unit 21a of various information and the input unit 21b that receives user's operation.Display unit 21a is such as being liquid crystal display, various indicating device (Indicator) etc.Input unit 21b is such as being touch panel, key switch etc.

Modulator-demodulator 22 can add telephone line network to be connected with public switch telephone network (PSTN) etc., is the communicator that carries out facsimile data transmitting-receiving.

Network interface 23 can be connected with wired or wireless computer network 2, and can and be connected between other devices (server unit 3, not shown host apparatus etc.) of network 2 and carry out data communication.

Printer 24 is according to printing request, to print and discharge on paper the interior arrangement of printed article.The in the situation that of electronic photo mode, printer 24 is after making photosensitive drums charged, based on printed data, make light source luminescent, on photosensitive drum surface, form thus electrostatic latent image, and make this latent electrostatic image developing by toner, toner image is transferred to photographic fixing on paper, and this paper is discharged as printed article.

Scanner 25 is following interior arrangements: one side or double-sided illumination light to the original copy being provided by auto document paper feed or the original copy that loaded by user, and receive its reverberation etc., original image is exported as reads image data.

Control device 26 is controlled each portion in MFP 1A and carries out data processing.Control device 26 is for example constituted as (the Central Processing Unit that has CPU, central processing unit), ROM (Read Only Memory, read-only memory), the computer of RAM (Random Access Memory, random access memory) etc.In control device 26, CPU is loaded into the program being stored in ROM or other storage devices (flash memory etc.) in RAM and carries out, and realizes thus each handling part.In this control device 26, realize FAX Department of Communication Force 31, network service portion 32, control part 33 and judging part 34.

FAX Department of Communication Force 31 is controlled modulator-demodulator 22 data of receiving faxes.FAX Department of Communication Force 31 receives after facsimile data, and printing request is offered to printing control unit 34.

Network service portion 32 controls network interfaces 23, and by various communication protocol and network 2 on device between carry out data communication.For example, network service portion 32 is sent in user name (user ID) and the password that is input to guidance panel 21 when user registers to customer administrator's server unit 3, and from customer administrator's server unit 3, receives registered user's License Info.In addition, for example network service portion 32 receives the printing requests such as PDL (Page Description Language, page-description language) data from main frame, and this printing request is offered to control part 33.

Control part 33 receives the task requests of guidance panel 21 being carried out by user's operation or the task requests receiving from host apparatus by network interface 23 and network service portion 32, controls each portion in MFP1A, carries out the task corresponding with this task requests.As task requests, have: printing request, scan request, fax send request etc.In addition, when thering is when operation registration, control part 33 use network service portions 32 to customer administrator's server unit 3 ask that users authenticate, License Info etc.

In addition, control part 33 generates task record (log) information with running succeeded when having carried out the registered user's that user authenticates task, and explicitly task record information is sent to customer administrator's server unit 3 with registered user.

Judging part 34 according to that receive from customer administrator's server unit 3 by network interface 23 and network service portion 32, about registered user's License Info, determine the function of forbidding or allowing registered user to use in the function that these MFP 1A have, by representing, about each function, whether allow the data of using to be for example stored on RAM.Control part 33 limits the use of registered user to MFP 1A with reference to these data.For example,, limit use color copying capability for registered user in the situation that, in guidance panel 21, cannot select the mode of color photocopying to show the menu of copy function.For example, the colored selection button in monochrome/colour is carried out tone demonstration (grey-out).

Fig. 3 means the block diagram of the structure of the customer administrator's server unit 3 in Fig. 1.Customer administrator's server unit 3 has storage device 41, network interface 42 and carrying processing device 43.

Storage device 41 storage programs and data.Storage device 41 uses nonvolatile semiconductor memory, hard disk drive etc.Storage device 41 storing authorization policy datas 51, local user data 52 and local group data 53.

Admission policy data 51 are the License Info data that comprise License Info, and this License Info is for determining the function that can permit that registered user uses MFP 1A, 1B.In admission policy data 51, comprise user's License Info and the License Info of group.User's License Info is applied to this user, and the License Info of group is applied to belong to the user of this group.In admission policy data 51, as user's the License Info License Info that comprises the territory user who registers to directory service apparatus 4 and the License Info that registers to the local user of this customer administrator's server unit 3.In admission policy data 51, the License Info of group comprises: register to the License Info of territory group of directory service apparatus 4 and the License Info that registers to this locality group of this customer administrator's server unit 3.The information (for example functional identity) that comprises user ID and or the function that ban use of licensed about this user about user's License Info.The License Info of group comprises group ID and for example, about belonging to the information (functional identity) of the licensed or function that bans use of of the user of this group.For example, the licensed or function that bans use of, except comprising the large projects such as printing, scanning, duplicating, fax transmission, also comprises the subsidiary small project of each large project (for example colour/monochrome selection function).

Fig. 4 means the figure of structure example of the admission policy data 51 of Fig. 3.

Territory group A IncFlds user A1, B1, C1, D1.Local group A ' comprises local user A2, B2 and territory user B1, D1.For territory group A, set admission policy #1 (policy data that comprises License Info).For the territory user A1 that belongs to territory group A, set admission policy #2.For this locality group A ', set admission policy #3.For the local user A2 that belongs to local group A ', set admission policy #4.For the territory user B1 that belongs to territory group A, set admission policy #5.For territory user E, set admission policy #6.For local user C2, set admission policy #7.

Local user data 52 is register information data of the authentication information (for example user ID and password) that comprises local user.Local user is different from the territory user who registers in directory service apparatus 4, is registered in this customer administrator's server unit 3.

Local group data 53 are the register information data that comprise the local authentication information of organizing (group ID and the user ID that belongs to the user of group).Local group is different from the territory group that registers to directory service apparatus 4, is registered in this customer administrator's server unit 3.Local group comprises local user and territory user.That is local group and local group of being formed by local user and territory user, set local group of only being formed by local user, only by territory user, being formed.

Network interface 42 is connected with wired or wireless computer network 2, and and other devices of being connected on network 2 carry out data communication between (MFP 1A, 1B, server unit 4).

In addition, arithmetic processing apparatus 43 be constituted as there is CPU, the computer of ROM, RAM etc., the program in ROM or storage device 41 of being stored in is loaded into RAM upper, by carried out to realize various handling parts by CPU.In this arithmetic processing apparatus 43, can realize network service portion 61, user authentication process portion 62 and permit process portion 63.

Network service portion 61 controls network interfaces 42, and by various communication protocol and network 2 on device between carry out data communication.Network service portion 61 receives user name (user ID) and password from MFP 1A, and the License Info about this user is sent to MFP 1A.Network service portion 61 sends to directory service apparatus 4 by user authentication request, and receives this authentication result and user profile from directory service apparatus 4.

The registered user that user authentication process portion 62 is used network interface 42 to carry out MFP1A, 1B in directory service apparatus 4 authenticates.

In the situation that user's authentication success, the registered user of MFP 1A or MFP 1B belongs to local group, permit process portion 63 extracts the License Info for this this locality group from admission policy data 51, and uses network interface 42 to send to MFP 1A or MFP 1B as the License Info about this registered user.On the other hand, in the situation that user's authentication success registered user do not belong to local group, permit process portion 63 extracts the License Info for Zu Huo territory, the territory user under this registered user from admission policy data 51, and uses network interface 42 to send to MFP 1A or MFP 1B as the License Info about this registered user.

For example, the in the situation that of Fig. 4, when territory user A1 is registered on MFP 1A, admission policy #2 and admission policy #3 are sent to MFP 1A.In addition, when in the situation that exist the license of competition to set in the admission policy of user and group (admission policy #2 and admission policy #1), can set of applications or user in the setting of predetermined admission policy.

When territory user B1 is registered in MFP 1A, admission policy #5, admission policy #3 and admission policy #1 are sent in MFP 1A.While existing the license of competing to set in the admission policy (admission policy #1 and admission policy #3) in territory group and local group, the setting of predetermined admission policy in application domain group or local user.

When territory user C1 is registered in MFP 1A, admission policy #1 is sent in MFP 1A.In addition, in this case, when territory user D1 is registered in MFP 1A, admission policy #1 and admission policy #3 are sent in MFP 1A.

When territory user E is registered in MFP 1A, admission policy #6 is sent to MFP 1A.

When local user A2 is registered in MFP 1A, admission policy #4 and admission policy #3 are sent in MFP 1A.

When local user B2 is registered in MFP 1A, admission policy #3 is sent in MFP 1A.

When local user C2 is registered in MFP 1A, admission policy #7 is sent in MFP 1A.

In addition, when certain registered user's admission policy exists in a plurality of situations, in customer administrator's server unit 3, permit process portion 63 can generate an admission policy in conjunction with these admission policies, and sends the admission policy of this generation.In this situation, for the setting item of competing in a plurality of admission policies, application is according to selected any admission policy of predetermined rule.

For example, when being applied to registered user's admission policy, there is (for example local group License Info and territory user's License Info, territory group License Info and local group License Info, local user's License Info and local group License Info) in a plurality of situations, in server unit 3, permit process portion 63 generates an admission policy in conjunction with these admission policies, and sends the admission policy of this generation.In the situation that should be applied to certain registered user's admission policy, have a plurality ofly, permit process portion 63 generates admission policies, this admission policy in any of these admission policies all the use of the function of permission to use permit.That is, permit process portion 63 generates admission policies, and this admission policy is forbidden the use of the function all banning use of in any of these admission policies.

Task is followed the tracks of handling part 64 and is used network interface 42 from MFP 1A, 1B, to receive task record information, and gathers task record information as user task history according to each territory user or local user.In the situation that not setting local user, task record information is gathered according to each territory user for user task history.Task record information be in MFP 1A, 1B, carry out user's authentication success registered user's task time the information that generates, the user ID that comprises registered user, task classification (print, scanning, duplicate, fax sends etc.), (incidental informations) such as count values of the number of pages of other attribute informations (colour, monochrome, printed on both sides etc.).In the situation that there is the user shown in Fig. 4, about each in each and the local user A2～C2 of territory user A1～E, the task record information with each user's user ID gathered for user task historical.Therefore, user task history is sent to predetermined address or is made as and can be read by Email, file transfer protocol (FTP) etc., can confirm thus what kind of task user has carried out in the past.

Fig. 5 means the block diagram of the structure of the directory service apparatus 4 in Fig. 1.Directory service apparatus 4 has storage device 71, network interface 72 and arithmetic processing apparatus 73.

Storage device 71 storage programs and data.Storage device 71 uses nonvolatile semiconductor memory, hard disk drive etc.Storage device 71 is constructed the database 91 of directory service.Database 91 comprises user data 91a and group data 91b.User data 91a is the registration information data that comprises authentication information (for example user ID, password) and user profile (telephone number, fax number, e-mail address, other attribute informations of contact destination).Group data 91b is the registration information data that comprises authentication information (for example organize ID, belong to the user's of group user ID) and group information (contact destination, director, other attribute informations).

Network interface 72 is connected with wired or wireless computer network 2, and carries out data communication between other devices (server unit 3 etc.) that are connected with network 2.

Arithmetic processing apparatus 73 be constituted as there is CPU, the computer of ROM, RAM etc., the program in ROM or storage device 71 of being stored in is loaded into RAM upper, by carried out to realize various handling parts by CPU.In this arithmetic processing apparatus 73, can realize network service portion 81 and directory service handling part 82.

Network service portion 81 controls network interfaces 72, and by various communication protocol and network 2 on device between carry out data communication.For example, network service portion 81 receives user authentication request and sends this authentication result and user data.

Directory service handling part 82 management domain users and territory group.Registration and deletion, the user that directory service handling part 82 carries out territory user and territory group authenticates, the providing etc. of territory user's user profile and the group information of territory group.User, authenticate middle use LDAP (Lightweight Directory AccessProtocol, Lightweight Directory Access Protocol) authentication, kerberos authentication etc.In the situation that directory service is Active Directory, destination service handling part 82 moves as domain controller.

Fig. 6 means the block diagram of the structure of the terminal installation 5 (example of License Info calling mechanism) in Fig. 1.Terminal installation 5 has storage device 101, network interface 102, display unit 103, input unit 104 and arithmetic processing apparatus 105.Terminal installation 5 is for example that pre-programmed personal computer is installed.

Storage device 101 storage programs and data.Storage device 101 uses nonvolatile semiconductor memory, hard disk drive etc.In storage device 101, store tactical management program 101a.

Network interface 102 is connected with wired or wireless computer network 2, and carries out data communication between other devices (server unit 3,4 etc.) that are connected with network 2.

Display unit 103 (such as liquid crystal display etc.) shows various information to user.Display unit 103 display field and local group and user's when the registration of execute permission information structure, admission policy list etc.Input unit 104 (such as keyboard, mouse etc.) is accepted operation, and exports to arithmetic processing apparatus 105 by operating the corresponding signal of telecommunication with user.

Arithmetic processing apparatus 105 be constituted as there is CPU, the computer of ROM, RAM etc., the program in ROM or storage device 101 of being stored in is loaded into RAM upper, by carried out to realize various handling parts by CPU.In arithmetic processing apparatus 105, by tactical management program 101a, can realize network service portion 111, GUI handling part 112, retrieval process portion 113, registration process portion 114 and location registration process portion 115.

Network service portion 111 controls network interfaces 102, and by various communication protocol and network 2 on device between carry out data communication.

GUI handling part 112 makes display unit 103 show various graphical user interface (GUI) picture, and detects being input to user's operation of input unit 104.GUI handling part 112 with the form display field of tree (tree) and local group and/or user's subordinate relation, and shows to have the admission policy list about the license set point of predetermined functional item in display unit 103.Information based on by server unit 3,4 collections of these trees and list and showing.

Retrieval process portion 113 is used network service portion 111 and network interface 102 from 4 retrievals of directory service apparatus, to be registered in territory group and/or the territory user directory service via network 2, and obtains the table data (lists of group name, user name or group ID, user ID etc.) of the registration information data based on this territory group and/or territory user.Retrieval process portion 113 is used network service portion 111 and network interface 102 from customer administrator's server unit 3, to retrieve local group and/or the local user who is registered via network 2, and obtains the table data (lists of group name, user name or group ID, user ID etc.) of the register information data based on this this locality group and/or local user.

Registration process portion 114 determines the License Info for the territory group in the table data of being obtained by retrieval process portion 113 and/or territory user, and uses network service portion 111 and network interface 102 that the License Info of being determined and this territory group and/or territory user-association are got up and register to customer administrator's server unit 3 as License Info data via network 2.Registration process portion 114 determines local group and/or local user's License Info in the table data of being obtained by retrieval process portion 113, and determined License Info and this this locality group and/or local user are associated via network 2 and register to customer administrator's server unit 3 as License Info data.In addition, the admission policy that the admission policy list from shown is selected by registration process portion 114 and Zu Huo territory, the territory user-association of selecting from being presented at the group of display unit 103 and/or user's tree, and be set in the admission policy data about Zu Huo territory, this territory user.

Location registration process portion 115 carries out user for the user of terminal installation 5 and authenticates in directory service apparatus 4, and only to user's authentication success administrator, allow the registration process of execute permission information etc.

The action of each device when then, user in the image formation system shown in Fig. 1 is registered to MFP 1A describes.Fig. 7 is the precedence diagram that the action of each device when user in the image formation system shown in Fig. 1 has been registered to MFP 1A describes.When user has been registered to MFP1B, each device is also similarly to move.

The user name (user ID) that guidance panel 21 detections of MFP 1A are undertaken by user and the input operation (S1) of password.Control part 33 is used network service portion 32 and network interface 23 that this username and password is sent to customer administrator's server unit 3 (S2).

In customer administrator's server unit 3, user authentication process portion 62 is used network service portion 61 and network interface portion 42 to receive this user name and password, and this username and password and authentication request are sent to directory service apparatus 4 (S3) by predetermined agreement (LDAP etc.).

In directory service apparatus 4, directory service handling part 82 is used network service portion 81 and network interface 72 by predetermined agreement, this username and password and authentication request to be received, and reference list database 91 judges whether this username and password is proper user (S4).

Directory service handling part 82 use network service portions 81 and network interface 72 using this judged result (authentication result) and at authentication success in situation this user's user profile as the response of authentication request, send to customer administrator's server unit 3 (S5).

In customer administrator's server unit 3, user authentication process portion 62 is used network service portion 61 and network interface 42 to receive this authentication result as the response of authentication request.At authentication success in the situation that, user authentication process portion 62 receives user profile, the License Info (being applied to this user's admission policy) that permit process portion 63 determines this user with reference to admission policy data 51 (S6).Permit process portion 63 is used network service portion 61, with network interface 42, the response that represents authentication success is sent to MFP 1A (S7) with this License Info together with user profile.

In MFP 1A, control part 33 is used network service portion 32 and network interface 23 to receive this License Info and user profile, and this License Info is offered to judging part 34 (S8).Each predetermined function that judging part 34 has for MFP 1A based on this License Info and by the whether licensed data setting of the use that represents this user on RAM.

According to this License Info, carrying out under the state of limit of functions, allowing user to use MFP 1A (S9).In MFP 1A, control part 33, with reference to the data of setting by judging part 34, only receives and carries out the task of having used the function that allows this user's use.

At user authentication failure in the situation that, only the response that represents authentification failure is sent to MFP 1A from customer administrator's server unit 3.MFP 1A, when having received the response of expression authentification failure, is presented at the message that represents authentification failure on guidance panel 21, and forbids using MFP1A by this user.

In MFP 1A, user's authentication success of the every execution of control part 33 registered user's task, just generate task record information.Control part 33 is used network service portion 32 and network interface 23 that task record information is sent to customer administrator's server unit 3 (S10).

Task tracking server 64 is used network service portion 61 and network interface 42 to receive task record information, and is stored in RAM or storage device 41.Task is followed the tracks of handling part 64 according to the request from not shown host apparatus MFP 1A, 1B etc. or automatically according to territory user and local user, is gathered task record information (S11).For example, by the user's operation that MFP 1A is scheduled in registration, the control part 33 of MFP 1A sends to customer administrator's server unit 3 together with the total request of task record information and this user's user ID.The task of customer administrator's server unit 3 is followed the tracks of handling part 64 when receiving this request, extract task record information combination about the user of received user ID together with this request, gather for user task history, and the response using the task record information gathering as request sends to MFP 1A.The control part 33 of MFP 1A, when receiving this task record information, shows in guidance panel 21 grades.In addition, task tracking handling part 64 can, when receiving task record information, be classified and gather for user task history according to each user.

As mentioned above, according to above-mentioned execution mode, can be in the situation that the register information data of the authentication information that comprises territory group in directory service, territory user not be exerted an influence, and divide in the customer administrator's server unit being arranged at the server unit with directory service, new group of comprising territory user in directory service of formation, and this group is set to License Info.Can manage concentratedly License Info, and set neatly License Info for user and user's group.

In addition, according to above-mentioned execution mode, can not exert an influence to existing subscriber authentication server (that is, directory service apparatus), can by each user, to the use history of image processing system, carry out unified management to intrasystem.

Then, to used terminal installation 5 (example of License Info calling mechanism), the registration of the License Info data of customer administrator's server unit 3 is described.Fig. 8 is in the image formation system shown in Fig. 1, the flow chart that the action of the terminal installation 5 when License Info is registered in to customer administrator's server unit 3 describes.

When implementation strategy hypervisor 101a, location registration process portion 115 carries out location registration process (S21).Location registration process portion 115 use GUI handling parts 112 make display unit 103 show the dialogue of the input field with user ID (or user name) and password, and promote the input of user ID (or user name) and password.When location registration process portion 115 use GUI handling parts 112 detect for the user ID (or user name) of input unit 104 and the input of password, use network service portion 111 to connect 102 with network user authentication request is sent to directory service apparatus 4 together with the user ID being transfused to (or user name) and password, and receive from directory service apparatus 4 result that user authenticates.As administrator and user's authentication success in the situation that, location registration process portion 115 allows to carry out following processing.As administrator and user authentication failure in the situation that, location registration process portion 115 does not allow to carry out following processing and end process.

As administrator and user's authentication success in the situation that, 113 pairs of directory service apparatuses of retrieval process portion 4 carry out access, and obtain the territory group that is registered in directory service and territory user's table data, and customer administrator's server unit 3 is carried out to access, obtain the table data of this locality group set at current time, local user's table data and the admission policy data 51 (S22) that comprise License Info.Retrieval process portion 113 sends to customer administrator's server unit 3 via network 2 by sending request of these table datas and admission policy data 51.The permit process portion 63 of customer administrator's server unit 3, when receiving this and send request, will send to retrieval process portion 113 based on local group of data 52,53 and local user's table data and admission policy data 51.

The information of GUI handling part 112 based on collecting at S22 and make display unit 103 show key frames (S23).Fig. 9 means the figure of an example of the key frame showing in the terminal installation 5 of Fig. 1.Key frame comprises three viewing areas 201～203.In viewing area 201, show main menu.In key frame, main menu has " file ", " editor ", " management " and " help " these projects.Each project consists of drop-down menu, can also select the operation item of wishing according to the drop-down menu of each project.For example, in project " management ", comprise about admission policy, local group and local user's interpolation and the project of deletion.When selecting these projects, execute permission strategy, local group and local user's interpolation and deletion respectively.In viewing area 202, show list, the group in representative domain (" aaa.com " in Fig. 9) and user's the tree of structure of admission policy and the tree that represents local group and user's structure.In viewing area 203, show in admission policy list and these tree the current set condition of the project about being selected by cursor 211, and show for changing the GUI input part about the choice menus of the set condition of this project or input field etc.In Fig. 9, owing to passing through the title of cursor 211 selection strategy lists, the list of the admission policy being therefore registered is displayed in viewing area 203.

Starting after demonstration of key frame, when by user's input device 104, come selection strategy list and tree in sundry item time, GUI handling part 112 detects this operation (S24), and the displaying contents of viewing area 203 is changed into the information corresponding with this project (S25).

Figure 10, Figure 11 and Figure 12 mean the figure of the example of displaying contents while selecting the <OU1> of organization unit's (group) from the tree of Fig. 9, viewing area 203.During group in selecting tree, tactful label 221, group label 222 and user tag 223 are displayed in viewing area 203.As shown in figure 10, when selection strategy label 221, the license of the current time based on obtaining in S22 is set, and display application is in the list 232 of the admission policy list 231 of this group and the admission policy that hyte is inherited this group.As shown in figure 11, when selection group label 222, the license of the current time based on being obtained by S22 sets to show the list of the lower hyte (subgroup) of this group <OU1>.As shown in figure 12, when selecting user tag 223, the license of the current time based on obtaining at S22 is set, and shows the user's who belongs to this group <OU1> list.

User's input when the GUI input part based on in main menu 201 or viewing area 203, and while detecting any edit operation of interpolation, change and deletion that interpolation, change and deletion for admission policy and admission policy distribute, GUI handling part 112 changes the displaying contents of key frame based on this content of edit.When detecting when determining definite operation of content of this edit operation (S26), registration process portion 114 will carry out based on edit operation and in interpolation, change and the deletion of interpolation, change and the deletion of the admission policy of appointment and admission policy distribution the request of any send to customer administrator's server unit 3 (S27).Customer administrator's server unit 3, when receiving this request, upgrades admission policy data 51 according to this request.In admission policy server unit 3, permit process portion 63 receives this request, and admission policy data 51 are edited.In the situation that carry out interpolation or the change of admission policy or admission policy distribution, the content that new admission policy or admission policy distribute is sent out together with request, in customer administrator's server unit 3, based on this content, upgrade admission policy data 51.

After key frame starts to show, when GUI handling part 112 detects predetermined end operation (S28), finish the execution of tactical management program 101a.

Here, illustrate the registration that distributes to the admission policy of group etc. and the registration of admission policy.

(a) registration distributing to the admission policy of group etc.

Figure 13 means that in the terminal installation 5 of Fig. 1 registration divides the figure of the example of the input picture that timing shows to the admission policy of group etc.The admission policy distributing is by cursor 211, to select in the admission policy list from viewing area 202.When this operation being detected, GUI handling part 112 makes viewing area 203 show folding three panels 241,242,243, application button 251 and pause button 252.

Registration to group etc. admission policy divide timing, panel 241 is opened.When this operation being detected, as shown in figure 13, GUI handling part 112 makes panel 241 show the strategy names about selecteed admission policy (<policy1> in Figure 13), group and user's list 261, tactful distribution button 262,263 and the tactful de-allocation button 264 that this admission policy is assigned with.

When pressing strategy distribution button 262, GUI handling part 112 shows users' (territory user and local user) list.When the user who detects the user who select to distribute this admission policy when GUI handling part 112 operates, by selecteed user add in list 261.When pressing strategy and distribute button 263, the list of GUI handling part 112 demonstration groups (territory group and local group).When the user who the group of select distributing this admission policy detected when GUI handling part 112 operates, selecteed group is added in list 261.When tactful de-allocation button 264 is pressed, GUI handling part 112 is deleted the group or the user that from list 261, select from list 261.

When application button 251 is pressed, GUI handling part 112 is while detecting this operation, registration process portion 113 sends to customer administrator's server unit 3 by the request that changes the distribution of admission policy be constantly comprised in group in list 261 and/or access list at this together with.Pressing of application button 251 is equivalent to determine operation.

(b) registration of admission policy

Figure 14 means the figure of the example of the input picture showing while registering admission policy in the terminal installation 5 of Fig. 1.

The admission policy distributing is selected in the list of the admission policy from viewing area 202 by cursor 211.When detecting this operation, GUI handling part 112 makes viewing area 203 show folding three panels 241,242,243, application button 251 and pause button 252.

When registration admission policy, panel 242,243 is opened.When this operation being detected, as shown in figure 14, GUI handling part 112 by the registered user about selecteed admission policy (<policy1> in Figure 14) to the access rights rank of MFP 1A, 1B in the set point (general user or administrator) of current time can be presented at by the state of the changes such as drop-down list box or drop-down menu panel 243.The set point of the current time that GUI handling part 112 limits tasks carrying is being presented in panel 243 by the state of the changes such as drop-down list box or drop-down menu.In the example shown in Figure 14, for projects (that is, each function of MFP 1A, 1B) of tasks carrying restriction, be set as some in " closing ", " restriction " and " without setting ".The project of " without setting " for being set to, inherit in this project on the value set of hyte.

When the application button 251 that is pressed, GUI handling part 112 detect this operation, registration process portion 113 sends to customer administrator's server unit 3 by the request of the distribution of change admission policy with together with value that in counter plate 242,243, each project is set constantly at this.Pressing of application button 251 is equivalent to determine operation.

As mentioned above, according to above-mentioned execution mode, because License Info calling mechanism is automatically collected group and the user that should set License Info data, therefore can License Info data be registered to customer administrator's server unit 3 by shirtsleeve operation.

In image formation system of the present invention, when registration, without user, user name is input to MFP1A, and can uses the ID card (for example IC-card) of distributing to user.

On MFP 1A, connect IC card reader, when nearly this IC card reader of ID clamping, control part 33 is used IC card reader from ID card, to read the card ID of ID card.Control part 33 sends to customer administrator's server unit 3 by card ID together with the same password of inputting of same execution mode 1.

Pre-stored in the storage device 4 of customer administrator's server unit 3 have a translation data, and described translation data associates the card ID of ID card with the user ID that has been assigned with the user of this ID card.User authentication process portion 62, when receiving card ID and password, determines the user ID corresponding with this card ID with reference to translation data, and the user ID based on definite and the password receiving carry out user and authenticate in directory service apparatus 4.

Although used IC-card as ID card, also can use the card (magnetic card etc.) of the recording medium with other modes.In this case, can replace IC card reader and use the card reader that reads card ID from this has the card of recording medium of other modes.And, also can not use ID card and use the Biont informations such as fingerprint.In this situation, do not use IC card reader and use and can obtain from user the card reader of this Biont information, the characteristic quantity obtaining from this Biont information is used as ID.

As mentioned above, the storage device 41 of customer administrator's server unit 3 has translation data, the card ID that described translation data comprises ID card and be assigned with the corresponding relation between user's the user ID of this ID card.User authentication process portion 62 receives card ID and the password of ID card from MFP 1A, 1B, and according to this translation data, from received card ID, determines registered user's user ID, and uses this user ID to carry out user to authenticate.

Thus, in customer administrator's server unit 3, due to the card ID of energy management ID card, therefore in directory service, do not need control card ID, in the system having turned round in directory service, can add simply the Accreditation System based on ID card.

In the above-described embodiment, local user and territory user mix and are comprised in local group, but can be also local group that only has local group of local user or only have territory user.

In the above-described embodiment, can customer administrator's server unit 3 be connected with network 2, but be connected on other networks different from network 2, at these other networks, be connected directory service apparatus 4 with on network 2, customer administrator's server unit 3 and directory service apparatus 4 carry out data communication via this different network.

Although used MFP 1A, 1B as image processing system, also can replace, use printer, photocopier etc.In addition, in the above-described embodiment, the image processing system of system is two, but also can use more than one or three.

In License Info, can comprise the access rights rank to MFP.For example, as access rights rank, be set as some in keeper and general user.In the situation that being set as keeper, can working service etc. the function that cannot use of general user.

Claims (4)

1. an image formation system, comprising:

Image processing system, connected to the network;

Directory service apparatus, is connected with described network, and has territory group and/or territory user's register information data;

License Info calling mechanism, from described directory service apparatus, obtain the table data of the described register information data based on described territory group and/or territory user, determine described territory group in described list and/or territory user's License Info, and determined described License Info and described territory group and/or territory user-association are risen and be used as License Info data and register to described customer administrator's server unit; And

Customer administrator's server unit, is connected with described network, and the described License Info data based on described territory group and/or territory user send to described image processing system by the registered user's of described image processing system License Info;

Described customer administrator's server unit has the territory group different from registering to the described territory group of described directory service apparatus and/or described territory user and/or local user's register information data,

Described License Info calling mechanism obtains the table data of the register information data based on described local group and/or local user from described customer administrator's server unit, and described local group and/or local user's License Info in definite described table data, determined described License Info and described local group and/or local user are associated as described License Info data and register to described customer administrator's server unit

Described customer administrator's server unit is carried out following action:

(i), in the situation that described registered user belongs to described local group, the License Info using described local group and/or local user's License Info as this registered user sends to described image processing system,

(ii) in the situation that described registered user does not belong to described local group, described territory group and/or territory user's License Info is sent to described image processing system as the License Info about this registered user.

2. image formation system as claimed in claim 1, wherein,

Described image processing system sends to described customer administrator's server unit by registered user's authentication information,

Described customer administrator's server unit sends to described directory service apparatus by the described authentication information receiving,

The register information data of described directory service apparatus based on described authentication information and described territory user are carried out registered user's authentication, and this authentication result and described registered user's user profile is sent to described customer administrator's server unit.

3. image formation system as claimed in claim 1, wherein,

Described image processing system generates task record information when carrying out described registered user's task, after described task record information and described registered user are associated, sends to described customer administrator's server unit,

Described customer administrator's server unit receives described task record information from described image processing system, and according to territory user described in each and described local user, described task record information is gathered as user task historical.

4. an image processing system, comprising:

Input unit, this input unit is connected to the network, input registered user's authentication information;

Judging part, by the customer administrator's server unit being connected with described network, described registered user's authentication information is sent to the directory service apparatus that is connected to described network from described image processing system, judge that whether described authentication information is proper, be judged as proper in the situation that, described registered user's user profile is sent to described customer administrator's server unit, determine that the License Info corresponding with described registered user's user profile sends to described image processing system, and based on described License Info, determine the function of forbidding or allowing to be used by described registered user in the function that described image processing system has, storage represents whether allow about described function the data of using, and

Control part, makes described registered user only use the function of licensed use based on described data;

Described directory service apparatus has territory group and/or territory user's register information data,

Described customer administrator's server unit has local group and/or local user's the register information data different from registering to the described territory group of described directory service apparatus and/or described territory user,

Described customer administrator's server unit is carried out following action:

(i), in the situation that described registered user belongs to described local group, the License Info using described local group and/or local user's License Info as this registered user sends to described image processing system,

(ii) in the situation that described registered user does not belong to described local group, described territory group and/or territory user's License Info is sent to described image processing system as the License Info about this registered user.