JP2010277557A - Image forming apparatus, authentication system, authentication method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To achieve high-speed authentication by providing a multifunction machine (image forming apparatus) that is likely to be used by a user, with a cache for authentication information, according to entry of the user. <P>SOLUTION: In the multifunction machine, first identification information of the user authorized, an authentication request including the first accepted identification information is transmitted to an authentication server. When the first identification is authenticated by transmitting the authentication request, the first authenticated information is stored in the multifunction machine as authentication information, and second identification information for identifying the user is accepted in order that the user uses the multifunction machine. When it is determined that the authentication information including the first identification information coincident with the second accepted information is stored, use of the multifunction machine is permitted. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to an information processing system, an authentication server, a processing method thereof, and a program capable of easily registering identification information of an object to be read using an image forming apparatus.

  Conventionally, a system for performing user authentication when using a multifunction machine has been proposed.

  In such an authentication system, the user is authenticated by the following procedure. First, authentication information for user identification is registered in advance in the authentication server. Next, using the authentication information entered by the user, the IC card or magnetic card carried by the user, or biometric information such as fingerprints, voiceprints, palmprints, irises, veins, etc., it communicates with the authentication server to verify the identity. .

  If the identity verification is successful, the use of the multifunction device is permitted, and if it fails, the use of the multifunction device is not permitted. This makes it possible to restrict the use of the multifunction machine by a third party who is not registered.

  However, in such an authentication system, there is a problem that it takes time for authentication and makes the user wait until the multifunction device is used, which is inconvenient. Examples of authentication that take time include authentication algorithms such as biometric information when the network is congested, when there are many registered users, or when it is necessary to perform pre-authentication to search for authentication information There are various cases such as when the authentication data is complicated and the authentication data is enormous.

  In order to solve this problem, Patent Document 1 proposes a method of providing a multifunction machine with a cache of authentication information. The above patent is a technique applied to a configuration in which a user authentication system and a secure printing system are combined. A user authentication system is a system that performs user authentication when using a multifunction device. A secure print system temporarily stores a print job received from a user in a storage area of the multifunction device without immediately outputting it from the multifunction device. Technology.

  In Patent Document 1, first, a user inputs a print job from a client PC to the multifunction peripheral. The multifunction device accepts the print job and saves it in a storage area inside the multifunction device. At this time, the multifunction peripheral acquires user information included in the print job. Subsequently, communication with the authentication server is performed, and authentication information associated with the acquired user information is acquired. The multifunction device caches the acquired authentication information.

  In this way, once the user submits a print job to the multifunction device, a cache of authentication information is created in the multifunction device. Therefore, when the user performs authentication when using the multifunction device, the multifunction device can authenticate with the cache information without communicating with the authentication server. With such a mechanism, high-speed authentication is realized.

JP 2008-242851 A

  However, when the technique disclosed in Patent Document 1 is used, when the multifunction machine is used for the purpose of scanning, faxing, or copying, the authentication speed cannot be increased. This is because the technique disclosed in Patent Document 1 caches authentication information when a print job is received, and therefore authentication information cannot be cached in advance when a function that does not perform printing, such as scanning, faxing, or copying, is used.

  Unlike multifunction printers, MFPs have various functions in addition to scanning, faxing, copying, and other functions, so if authentication information can only be cached when a print job is received, authentication speedup can be applied. Will be limited.

  In addition, there is a method in which a print job is stored in a print server instead of a multi-function peripheral, and the multi-function peripheral acquires a print job from the print server and executes printing at the time of print execution. Accordingly, there is an advantage that the user can output his / her print job from any multifunction device.

  In this case, at the time when the print job is stored in the print server, it is impossible to apply the technique disclosed in Patent Document 1 because it is not known from which MFP the user outputs the print job. In order to solve the above problem by using this technique, a method is conceivable in which all MFPs have a cache of authentication information when a print job is stored in the print server.

  However, this method not only has a security problem, but also places a load on the network.

  Furthermore, in general, companies operate as a separate system from the system for entering and leaving the room and the system for using a multifunction machine (authentication system), and are not linked to entry and exit. The result of performing could not be used. For this reason, it has been difficult to increase the authentication efficiency for the authentication for using the multi-function peripheral.

  Therefore, according to the present invention, when a multifunction machine (image forming apparatus) is used, a multifunction machine (image forming apparatus) that the user may use is provided with a cache of authentication information in accordance with the user's entry. The purpose is to provide a mechanism to speed up the authentication process.

  The present invention for achieving the above-described object is an image forming apparatus capable of communicating via a network with a management server for managing user entry / exit, an authentication server for authenticating use of the image forming apparatus, First identification information receiving means for receiving first identification information of a user permitted to enter the room by the management server, based on first identification information for identifying the user received when the user enters the room; A first authentication request transmitting unit that transmits an authentication request including the first identification information received by the identification information receiving unit to the authentication server, and an authentication request is transmitted by the first authentication request unit. Storage means for storing the authenticated first identification information as authentication information in the image forming apparatus when the first identification information is authenticated, and the user using the image forming apparatus Therefore, second identification information receiving means for receiving second identification information for identifying a user, and first identification information that matches the second identification information received by the second identification information receiving means It is determined that storage identification means for determining whether or not authentication information including is stored in the storage means, and that the first identification information that matches the second identification information is stored by the storage determination means In this case, the image forming apparatus includes a permission unit that permits use of the image forming apparatus.

  According to the present invention, it is possible to speed up authentication processing when using a multifunction machine, not limited to printing.

  Also, users who have introduced a print server and have introduced a mechanism that can output print jobs from any multifunction device can speed up the authentication process and speed up the time from authentication to print processing. Can do.

The figure which shows an example of a structure of the authentication system 1 which concerns on this invention A block diagram showing an example of the hardware configuration of the authentication server 102, entrance / exit management server 103, client PC 105, and print server 106 Block diagram showing an example of the hardware configuration of the multifunction machine 100 The block diagram which shows an example of a function structure of the authentication system 1 Process overview of authentication system 1 The flowchart which shows an example of the entrance / exit processing of the authentication system 1 The flowchart which shows an example of the multifunctional device utilization process of the authentication system 1 The flowchart which shows an example of the job input process of the authentication system 1 The flowchart which shows an example of the printing process of the authentication system 1 An image diagram illustrating an example of a display screen displayed on the operation unit 3030 of the multifunction peripheral 100 The figure which shows an example of IC card 900 The figure which shows an example of the gate setting information 603 The figure which shows an example of authentication DB403 and entrance / exit authentication DB503 The figure which shows an example of the authentication cache 254 The figure which shows an example of the application setting information 253 The figure which shows an example of bibliographic DB803 The figure which shows an example of job DB804 Figure showing an example of authority values The figure which shows an example of a structure of the authentication system 2 which concerns on this invention The block diagram which shows an example of a function structure of the authentication system 2 Process overview diagram of authentication system 2 The flowchart which shows an example of the job input process of the authentication system 2 The flowchart which shows an example of the printing process of the authentication system 2

  Hereinafter, preferred embodiments of an authentication system 1 according to the present invention will be described in detail with reference to the accompanying drawings.

  FIG. 1 is a diagram showing an example of the configuration of an authentication system 1 according to the present invention.

  As shown in FIG. 1, for example, one or a plurality of multifunction peripherals 100 installed at each floor, one or a plurality of authentication servers 102 (for example, installed at each base), one or a plurality of entrance / exit management servers 103 (for example, at each base) 1 or a plurality of entrance / exit card readers 104 (for example, installed for each floor), 1 or a plurality of client PCs 105 (for example, one for an administrator, one for each user), one or a plurality of print servers 106 (For example, installed at each site) is connected via a LAN (Local Area Network) 110. Further, a card reader 101 is connected to the multifunction device 100.

  The multi-function device 100 is an image forming apparatus having functions of a printer, a scanner, a copy, a facsimile, and the like, and a user's use of each function of the printer, scanner, copy, and facsimile according to the use authority corresponding to the card ID read by the card reader 101. Can be restricted (permitted or not permitted).

  The authentication server 102 is a server for the MFP 100 to perform user authentication. It has data such as user name, e-mail address, and usage authority associated with the card ID. The authentication server 102 has a function of responding to an inquiry from the multi-function device 100 with the presence or absence of a user and, when there is a user, the user information. The authentication server 102 may be composed of one server.

  Further, the authentication server 102 may be constituted by two servers, a primary server and a secondary server. Further, the authentication server 102 may be configured by three or more servers.

  The entry / exit management server 103 is a server for managing user floor entry / exit information. It has data such as user name, e-mail address, and usage authority associated with the card ID.

  The entry / exit management server 103 has a function of responding to an inquiry from the entry / exit card reader 104 and returning the user information when there is a user and when there is a user. The entrance / exit management server 103 may be composed of one server. Further, the entrance / exit management server 103 may be constituted by two servers, a primary server and a secondary server. Further, the entrance / exit management server 103 may be constituted by three or more servers.

  The entrance / exit card reader 104 is connected to the entrance / exit management server 103 via the LAN 110. The entry / exit card reader 104 reads information in the card when an IC card (for example, FeliCa (registered trademark) of Sony (registered trademark)) is held over and notifies the entry / exit management server 103.

  Further, the floor door can be unlocked by holding the IC card over the entrance / exit card reader 104. Specifically, when the user enters an entry / exit card reader 104 when entering the floor, the user communicates with the entry / exit management server 103 to perform user authentication. When the authentication is successful, the door to which the electronic lock (not shown) is attached is temporarily unlocked via the electronic lock controller connected to the entry / exit card reader 104. Moreover, the same process can be performed when leaving the room, and the door can be unlocked.

  This makes it possible to restrict entry / exit from users other than those permitted in advance.

  In this embodiment, an IC card is used for explanation. However, when biometric information such as a fingerprint or a vein is used, it is realized by replacing the card reader 104 with a biometric information reader capable of reading each biometric information. Is possible.

  The client PC 105 is a PC for setting the multifunction device 100, and has a function capable of communicating with the multifunction device 100 via the network via HTTP (Hyper Text Transfer Protocol) (for example, Microsoft Internet Explorer (registered trademark)). It is a mounted PC. It is also a PC for submitting a print job from the user. The user generates a print job from an application via a printer driver, and the printer driver uses an LPR (Line Printer Daemon) or other print protocol to print the print job. Can be transmitted to the MFP 100 or the print server 106.

  The print server 106 is a server that receives a print job from the client PC 105, analyzes the print job, acquires job information, and stores the print job. Also, a function for receiving a print request from the multi-function peripheral 100, searching for a user job from the stored job based on the user name included in the print request, and issuing a print instruction to the multi-function peripheral 100 for the found user job. It is a server with

  The card reader 101 is connected to the multi-function device 100 via a USB (Universal Serial Bus) cable (not shown). When an IC card (for example, FeliCa (registered trademark) of Sony (registered trademark)) is held over the card reader 101, the card reader 101 reads information in the card and notifies the multifunction device 100.

  In this embodiment, an IC card is used for explanation. However, when biometric information such as a fingerprint or a vein is used, it is realized by replacing the card reader 101 with a biometric information reader capable of reading each biometric information. Is possible.

  Next, the authentication server 102, the entrance / exit management server 103, the client PC 105, the print server 106, and the multifunction peripheral 100 will be described with reference to FIGS.

  FIG. 2 is a diagram illustrating the hardware configuration of the authentication server 102, the entrance / exit management server 103, the client PC 105, and the print server 106, and FIG. 3 is a diagram illustrating the hardware configuration of the multifunction peripheral 100.

  As shown in FIG. 2, in the authentication server 102, the entrance / exit management server 103, the client PC 105, and the print server 106, a CPU (Central Processing Unit) 2001, a RAM (Random Access Memory) 2002, a ROM (Read) Only Memory 2003, an input controller 2005, a video controller 2006, a memory controller 2007, and a communication I / F controller 2008 are connected.

  The CPU 2001 controls each device and controller connected to the system bus 2004 in an integrated manner.

  The ROM 2003 or the external memory 2011 holds a basic input / output system (BIOS) and an operating system (OS) that are control programs of the CPU 2001, various programs executed by each server or each PC, and the like.

  A RAM 2002 functions as a main memory, work area, and the like for the CPU 2001. The CPU 2001 implements various operations by loading a program necessary for execution of processing from the ROM 2003 or the external memory 2011 to the RAM 2002 and executing the loaded program.

  An input controller 2005 controls input from a pointing device such as a keyboard (KB) 2009 or a mouse (not shown).

  The video controller 2006 controls display on a display device such as a CRT (Cathode Ray Tube) 2010. The display is not limited to the CRT, but may be another display such as a liquid crystal display. These are used by the administrator as needed.

  The memory controller 2007 is a hard disk (HD), flexible disk (FD), or PCMCIA (Personal Computer Memory Card International Association) that stores a boot program, various applications, font data, user files, editing files, various data, and the like. Controls access to an external memory 2011 such as a compact flash (registered trademark) memory connected to the card slot via an adapter.

  A communication I / F controller 2008 connects and communicates with an external device via a network such as the LAN 110, and executes communication control processing on the network. The communication I / F controller 2008 can perform communication using, for example, TCP / IP (Transmission Control Protocol / Internet Protocol), UDP (User Datagram Protocol), and the like.

  The CPU 2001 can display on the CRT 2010 by executing outline font rasterization processing on a display information area in the RAM 2002, for example. Further, the CPU 2001 enables a user instruction using a mouse cursor (not shown) on the CRT 2010 or the like.

Various programs that operate on the hardware of the authentication server 102, the entrance / exit management server 103, the client PC 105, and the print server 106 are recorded in the external memory 2011, loaded into the RAM 2002 as necessary, and executed by the CPU 2001. . Definition files and various information tables (FIGS. 13, 16, and 17) used when executing the program are stored in the external memory 2011.
Next, the hardware configuration of the multifunction machine 100 will be described.

  As shown in FIG. 3, the multi-function device 100 is configured to have hardware configurations of a controller unit 3020, an operation unit 3030, a card reader 101, a printer 3050, and a scanner 3060.

  The controller unit 3020 includes a CPU 3001, a RAM 3002, a ROM 3003, a hard disk drive (HDD) 3004, a network interface (Network I / F) 3005, a modem (MODEM) 3006, and an operation unit interface (operation unit I / F). F) 3007, image bus interface (IMAGE BUS I / F) 3008, external interface (external I / F) 3009, system bus 3010, raster image processor (RIP) 3011, printer interface (printer I / F) ) 3012, a scanner interface (scanner I / F) 3013, an image processing unit 3014, and an image bus 3015.

  The controller unit 3020 is connected to a scanner 3060 that functions as an image input device and a printer 3050 that functions as an image output device, while the network 110 and, for example, a PSTN (Public Switched Telephone Network) or ISDN (Integrated Services Digital Network). By connecting to a public network (WAN), image data and device information are input and output.

  The CPU 3001 is a processor that comprehensively controls each device connected to the system bus 3010 and the image bus 3015.

  A RAM 3002 is a work memory for the CPU 3001 to operate, and also has functions of a program memory for recording a program and an image memory for temporarily recording image data. For example, the card ID read by the card reader 101 is stored.

  The ROM 3003 stores a system boot program and various control programs. The HDD 3004 stores various programs for controlling the system, image data, and the like. The ROM 3003 or the HDD 3004 stores application setting information shown in FIG.

  A network I / F 3005 is connected to the LAN 110 and performs data input / output. The MODEM 3006 is connected to a public line network and inputs / outputs data such as transmission / reception by FAX.

  An operation unit I / F 3007 is an interface in the operation unit 3030 that is a user interface (UI), and outputs image data to be displayed on the operation unit 3030 to the operation unit 3030. The operation unit I / F 3007 plays a role of transmitting information (for example, user information) input from the operation unit 3030 by the user of this system to the CPU 3001. Note that the operation unit 3030 includes a display unit having a touch panel corresponding to a keyboard, and performs various instructions by a user pressing (touching with a finger or the like) a button on the keyboard displayed on the display unit. Can do.

  The IMAGE BUS I / F 3008 is a bus bridge that connects the system bus 3010 and an image bus 3015 that transfers image data at high speed and converts the data structure.

  The external I / F 3009 is an interface that accepts external inputs such as USB, IEEE 1394, printer port, and RS-232C. In this embodiment, the external I / F 3009 is connected to a card reader 101 for reading information on an IC card that is necessary for IC card authentication.

  The CPU 3001 can control reading of information from the IC card by the card reader 101 via the external I / F 3009, and can acquire information read from the IC card. In this embodiment, an IC card is used for explanation. However, when biometric information such as a fingerprint or a vein is used, it is realized by replacing the card reader 101 with a biometric information reader capable of reading each biometric information. Is possible.

  The above devices 3001 to 3009 are arranged on the system bus 3010 and can communicate with each other.

  For example, the RIP 3011 expands vector data such as a PDL code into a bitmap image.

  A printer I / F 3012 connects the printer 3050 and the controller unit 3020, and performs synchronous / asynchronous conversion of image data.

  A scanner I / F 3013 connects the scanner 3060 and the controller unit 3020, and performs synchronous / asynchronous conversion of image data.

  An image processing unit 3014 performs correction processing, processing processing, and editing processing on input image data, and performs printer correction processing, resolution conversion processing, and the like on print output image data. In addition to these processes, the image processing unit 3014 performs rotation processing of image data, compression / decompression processing such as JPEG for multi-valued image data, JBIG, MMR, MH, etc. for binary image data. I do.

  The devices shown in the above 3008, 3011-3014 are arranged on the image bus 3015 and can communicate with each other. The image bus 3015 is constituted by, for example, a PCI (Peripheral Component Interconnect) bus or IEEE1394.

  Specifically, the operation unit 3030 has an LCD (Liquid Crystal Display) display unit, and a touch panel sheet is pasted on the LCD display unit to display the operation screen of the present system and the displayed operation screen. When a key (button) is pressed, the position information is transmitted to the CPU 3001 via the operation unit I / F 3007. The operation unit 3030 includes keyboard functions such as a start key, a stop key, an ID key, and a reset key as various operation keys.

  Here, the start key of the operation unit 3030 is operated, for example, when starting a document image reading operation. At the center of the start key, for example, there are two colors of LEDs (Light Emitting Diode) of green and red, and whether or not the start key can be used is indicated by light emission of each color. Further, the stop key of the operation unit 3030 is operated, for example, when stopping an operation in operation. The ID key of the operation unit 3030 is operated when, for example, the user ID of the user (user) is input. The reset key of the operation unit 3030 is operated, for example, when initializing settings by the operation unit 3030.

  The card reader 101 reads user identification information stored in an IC card corresponding to an authentication card (for example, FeliCa (registered trademark) of Sony (registered trademark)) under the control of the CPU 3001. is there. The user identification information read by the card reader 101 is notified to the CPU 3001 via the external I / F 3009.

  The printer 3050 converts, for example, raster image data as an image on paper. The conversion method includes an electrophotographic method using a photosensitive drum and a photosensitive belt, and an ink jet method in which an image is directly printed on paper by ejecting ink from a minute nozzle array. It doesn't matter. Activation of the printing operation of the printer 3050 is started by an instruction from the CPU 3001. The printer 3050 includes a plurality of paper feed stages so that different paper sizes or different paper orientations can be selected, and a paper cassette corresponding to each paper feed stage is provided.

  The scanner 3060 illuminates an image on paper as a document, and scans the document using a CCD (Charge Coupled Device) line sensor, thereby converting the image of the document into an electrical signal as raster image data. The original paper is set on the tray of the original feeder, and when the user of the MFP 100 issues a reading start instruction from the operation unit 3030, the CPU 3001 gives an instruction to the scanner 3060, and the feeder feeds the original paper one by one. Read the original image.

  With the configuration as described above, the multi-function device 100 can transmit the image data read from the scanner 3060 to the LAN 110 and print out the print data received from the LAN 110 with the printer 3050. Further, the multi-function device 100 can transmit the image data read from the scanner 3060 by FAX from the MODEM 3006 to the public line network, and print out the image data received by FAX from the public line network by the printer 3050.

  Next, functions of the authentication system 1 and data to be used will be described with reference to FIGS. 4, 10, 11, 12, 13, 14, 15, 16, 17, and 18.

  4 is a block diagram illustrating a functional configuration of the authentication system 1 according to the present invention, FIG. 10 is an image diagram illustrating an example of a display screen displayed on the operation unit 3030 of the multifunction peripheral 100, and FIG. FIG. 12 is a diagram illustrating an example of the gate setting information 603, FIG. 13 is a diagram illustrating an example of the authentication DB 403 and the entry / exit authentication DB 503, and FIG. 14 is a diagram illustrating an example of the authentication cache 254. 15 is a diagram illustrating an example of the application setting information 253, FIG. 16 is a diagram illustrating an example of the bibliography DB 803, FIG. 17 is a diagram illustrating an example of the job DB 804, and FIG. 18 is a diagram illustrating an example of an authority value. .

  The function of each device of the present embodiment will be described with reference to FIG.

  First, a function for executing the processing of the authentication server 102 will be described.

  The authentication server 102 includes a data management unit 400, an authentication management unit 401, an N / W (Network) communication unit 402, an authentication DB 403, and the like. The authentication server 102 can have a redundant configuration, and a plurality of authentication servers may be installed.

  Since the authentication server 102 has a role of searching for user information in the system, any type of information processing apparatus having user information storing and searching functions can be used.

  The data management unit 400 provides a function for managing the authentication DB 403. Specifically, the authentication DB 403 is written, read, deleted, updated, etc. to the external memory 2011 of the authentication server 102.

  The authentication management unit 401 responds to an inquiry from the outside using the data of the authentication DB 403. For example, a user can be authenticated by receiving an authentication request using an authentication protocol such as NTLM or Kerberos. It is also possible to search for user information by receiving a search request using a search protocol such as LDAP (Lightweight Directory Access Protocol). The authentication management unit 401 is intended to perform authentication and search, and the authentication method and protocol are not limited to the above.

  In addition, the authentication management unit 401 returns user information 920 to be described later in response to a search request from the multifunction device 100.

  As illustrated in FIG. 13, the authentication DB 403 is information stored in the external memory 2011 of the authentication server 102. The authentication DB 403 is information necessary for performing an authentication process when the authentication server 102 receives an authentication request from the multifunction device 100. The authentication DB 403 has one or a plurality of one or a plurality of user information 920.

  The user information 920 includes a card ID 921, a user name 922, a mail address 923, a group 924, an authority 925, an entrance / exit flag 926, an entrance zone 927, and the like.

  The card ID 921 serves as an external key for searching for specific user information 920 from a plurality of user information 920. The ID of the user's IC card 900 is registered and is a unique value in the user information 920 and the privilege card information 930.

  The user name 922 is a user name when using the multifunction device 100. This information is displayed on the operation log or operation screen of the multifunction device 100.

  The e-mail address 923 becomes information necessary for the user to send e-mail from the multifunction device 100. For example, it is used when image data scanned by the multifunction device 100 is transmitted by e-mail.

  The group 924 is information representing a group to which the user belongs. For example, it is used when managing the usage record of the multifunction device 100 for each group or when restricting the usage of the multifunction device 100 for each group.

  The authority 925 is information representing the user's authority to use the multifunction device. As shown in FIG. 18, the authority 925 includes a use function 971, a use authority 972, and the like. The use function 971 represents a function of the multifunction peripheral 100, and is an item prepared for the number of functions of the multifunction peripheral 100. The use authority 972 is an item prepared for each use function and indicates whether or not the use of the function of the multifunction device is permitted.

  For example, when the usage function 971 is color copy and the usage authority 972 is x, color copying is prohibited, and when the usage function 971 is monochrome copying and the usage authority 972 is ○, monochrome copying is permitted. By using this authority 925, it is possible to apply detailed usage restrictions for each user, and high security can be ensured.

  The entrance / exit flag 926 is information indicating whether the user has entered any zone. The zone described in this embodiment means a space partitioned by physical obstacles such as partitions and walls. In addition, it is assumed that security is provided in this space so that it can only be entered and exited through the door with the electronic lock. Further, in the present embodiment, for example, it is assumed that there are a plurality of zones in one segment.

  In the entry / exit flag 926, information of “entrance” or “exit” is set. Specifically, “enter” is set when the user has entered any zone, and “exit” is set when the user has not entered any zone. In the present embodiment, the default value of the entry / exit flag 926 is “exit”.

  The entrance zone 927 is information indicating which zone the user is entering. In the entrance zone 927, information for identifying the zone is set. If the user does not enter any zone, no information is set.

  In this embodiment, since the default value of the entrance / exit flag 926 is “exit”, no information is set as the default value of the entrance zone 927.

  The authentication server 102 is configured not to have an entrance / exit flag 926 and an entrance zone 927.

  The N / W communication unit 402 connects and communicates with an external device via a network such as the LAN 110, and controls communication according to a communication protocol such as TCP / IP or UDP. As a result, the authentication server 102 can communicate with the MFP 100, the entrance / exit management server 103, the entrance / exit card reader 104, the client PC 105, the print server 106, and the like that are also connected to the LAN 110.

  Next, functions for executing the processing of the card reader 101 will be described.

  The card reader 101 includes a card communication unit 300, a data calculation unit 301, a USB communication unit 302, and the like.

  The card communication unit 300 is for reading the card ID 901 from the IC card 900. When the IC card 900 is held over the card reader 101, information such as the card ID 901 is read from the IC card 900 and the information is transmitted to other devices connected via the USB communication unit 302.

  As shown in FIG. 11, the IC card 900 stores a card ID 901 therein. The IC card 900 is used as a login card for a user, a guest card that enables the user's authority on different floors, and a super card that supplements the authority that the user lacks. Although it is specified here as an IC card, the medium is not limited to an IC card as long as it is a medium for specifying a user or authority, and may be a medium such as a magnetic card, a USB memory, or an RFID (Radio Frequency IDentification) tag.

  The data calculation unit 301 is for performing data calculation necessary when reading the card ID 901 from the IC card 900. Performs various processing operations required for communication with the IC card 900, calculates the address where the card ID 901 in the IC card 900 is stored, converts the acquired binary data into a character string with an appropriate encoding, etc. Has the function of

  The USB communication unit 302 is for communicating with other connected devices. Data communication such as control transfer, interrupt transfer, bulk transfer, and isochronous transfer is performed according to the USB specification. Data transfer is a necessary condition, and the transfer speed, USB version, etc. are not particularly limited.

  In this embodiment, an IC card (reading object) is used. However, when user authentication is performed, it is desired to grant authority using biometric information such as a fingerprint or a vein (reading object). An IC card may be used. In this case, it is assumed that a reader for reading biometric information is connected to the multifunction device 100.

  Further, when user authentication is performed, an IC card may be used when it is desired to grant authority using a keyboard authentication screen 1100 of FIG. 10 described later.

  That is, as information used for user authentication, identification information (card ID, biometric information, user name / password) for specifying a user may be input.

  Next, functions for executing the processing of the multifunction machine 100 will be described.

  The multifunction device 100 includes a multifunction device OS (Operation System) unit 200, an application unit 250, and the like.

  The MFP OS unit 200 includes an N / W communication unit 201, a panel display unit 202, a USB communication unit 203, an application management unit 204, a print control unit 205, a drawing unit 206, a printer box 207, a printer engine unit 208, and the like.

  The N / W communication unit 201 has a function equivalent to that of the N / W communication unit 402 included in the authentication server 102.

  The panel display unit 202 is for displaying a screen for the user to operate the multifunction device 100 on the operation unit 3030 of the multifunction device 100. For example, screens such as an IC card authentication screen 1000, a keyboard authentication screen 1100, an error dialog 1200, a copy screen 1300, and a print screen 1400 shown in FIG. 10 are displayed.

  The IC card authentication screen 1000 is a screen for the user to authenticate using the IC card 900. In order to allow a user who has forgotten the IC card 900 to authenticate, a transition button 1001 to a keyboard authentication screen 1100 is provided.

  The keyboard authentication screen 1100 is a screen for the user to input / select a user name, password, and login destination, and to authenticate to the multifunction device 100 by pressing a login button 1101.

  The error dialog 1200 is a dialog for notifying the user that an error has occurred during the processing in the multifunction device 100. An error message indicating the details of the error is displayed, and the user can return to the original screen by pressing an OK button 1201.

  The copy screen 1300 is a screen for the user to perform copying with the multifunction peripheral 100. Normally, when the user performs IC card authentication or keyboard authentication, the screen transitions to this screen. A menu is displayed at the top of the screen, and when a copy button 1301 or a print button 1302 is pressed, the screen changes to a screen for using each function. The display / non-display of these functions is switched according to the authority of the user who has logged in (permitted to use) the MFP 100. For example, the print button 1302 is not displayed for a user who cannot print at all. This realizes printing prohibition.

  A color button 1303 can be used to switch between copy color and monochrome. For example, the color button 1303 is not displayed for a user who cannot perform color copying. This realizes color copy prohibition.

  A print screen 1400 is a screen for a user to print a print job stored in the printer box 207 of the multifunction peripheral 100 or a user to print a print job stored in the job DB 804 of the print server 106. A list is displayed on the screen, and a list of print jobs that can be printed by the user is displayed. The user can print a selected print job by selecting a print job to be printed from the list and pressing a print button 1403. It is also possible to update the list and delete print jobs displayed in the list.

  The USB communication unit 203 has a function equivalent to that of the USB communication unit 302 included in the card reader 101.

  The application management unit 204 is for logically connecting the application unit 250 installed in the multifunction peripheral 100 and various functions of the multifunction peripheral 100. For example, mediation of communication between the card reader 101 and the card reader control unit 251 is performed, a screen instructed by the application unit 250 is displayed on the panel display unit 202, or communication between the authentication server 102 and the authentication management unit 252 is performed. Or mediate.

  The print control unit 205 is for controlling the printer 3050 of the multifunction peripheral 100. The print job selected on the print screen 1400 is taken out from the printer box 207 or acquired from the print server 106, converted into image data by the drawing unit 206, passed to the printer engine unit 208, and output as a printed matter.

  The drawing unit 206 actually draws a drawing object temporarily stored in a drawing buffer (not shown) to generate image data that is a bitmap image.

  The printer box 207 is for logically storing a print job received from the user. The print job is physically stored in the HDD 3004 of the multifunction machine 100. The stored print job is displayed on the print screen 1400 or the like.

  The printer engine unit 208 receives the bitmap image generated by the drawing unit 206 and prints it on a medium such as paper using a known printing technique.

  The application unit 250 includes a card reader control unit 251, an authentication management unit 252, application setting information 253, an authentication cache 254, and the like.

  The card reader control unit 251 is for the application unit 250 to control the card reader 101. An event notification that the IC card 900 is held over the card reader 101 is received, or a command is issued to read the card ID 901 from the held IC card 900.

  The authentication management unit 252 is for communicating with the authentication server 102. The card ID 901 read from the IC card 900 is transmitted to the authentication server 102 and user information 920 is received.

  As shown in FIG. 15, the application setting information 253 is stored in the HDD 3004 of the multi-function device 100 and holds information for determining the operation of the application unit 250. The administrator mainly sets this information when the multifunction peripheral 100 is installed. The application setting information 253 includes an authentication server (name) 941, an authentication port 942, a guest (strong) authority 943, a guest (weak) authority 944, a zone 945, and the like.

  The guest (strong) authority 943 is first authority information applied to a user who has information indicating leaving. In other words, the authority information is used when the user enters and leaves the room once, but enters the room again due to sharing.

  This is second authority information applied to a user (weak) authority 944 and a user who has never entered the zone to which the MFP 100 belongs. That is, the authority information is used when the user has never entered the zone in which the multifunction peripheral is installed (there is no authentication cache) but has entered the room due to sharing.

  The guest (strong) authority 943 is authority information higher than the guest (weak) authority 944, and the guest (strong) authority 943 has more functions and operations that can be used in the MFP 100.

  The authentication server 941 and the authentication port 942 are information for determining the communication destination authentication server 102.

  The guest (strong) authority 943 and the guest (weak) authority 944 are information representing the user's authority to use the MFP. The information shown in FIG. 18 is the same as the authority 925 described above.

  The guest (strong) authority 943 and the guest (weak) authority 944 are information on the entry / exit flag 926 of the user information 920 managed by the authentication DB 403 of the authentication server 102 and the authentication cache 254 of the multifunction peripheral 100, and the actual entry / exit of the user. Used when the exit status does not match.

  For example, if the IC card is held by holding the IC card and following the person who unlocked the door, the IC card is not held over the entrance / exit card reader 104, or the authentication cache 254 is limited to the upper limit. Information inconsistency occurs when the cache is deleted at the timing of periodic authentication cache 254 deletion.

  In such a case, the user actually enters the room and wants to use the multifunction device 100. However, since the user enters the room in an illegal situation or the consistency with the managed information does not match, I do not want to use with the authority of. The guest (strong) authority 943 and the guest (weak) authority 944 are information used when the user's authority is restricted and the MFP 100 is desired to be used. In addition, there are several patterns in which information inconsistencies occur, so by preparing (strong) (weak) guest authority, it is possible to use the authority in detail according to the situation.

  In the present embodiment, the configuration is included in the application setting information 253, but the configuration may be included in the user information 920. Since the former can set information for each MFP 100, management can be performed in a lump, but detailed authority setting cannot be made for each user. In the latter case, since information can be set for each user, fine authority setting for each user is possible, but it takes time and effort for installation and operation.

  Further, the configuration may be included in both the application setting information 253 and the user information 920. In this case, the guest authority of the user information 920 is used when the guest authority is set in the user information 920, and the guest authority of the application setting information 253 is used when the guest authority is not set in the user information 920. It is done.

  The zone 945 is information representing the zone where the multi-function device 100 is installed. The entry / exit card reader 104 notifies the user's entry / exit information to all the installed multifunction devices 100. The zone 945 is used to determine whether the multifunction device 100 that has received the user's entry / exit information has entered the same zone as the multifunction device 100 or a different zone.

  As shown in FIG. 14, the authentication cache 254 is stored in the RAM 3002 of the multifunction device 100 and is information for caching the user information 920 of the user who has entered the same zone as the multifunction device 100. The authentication cache 254 includes user information 920, a time stamp 932, and the like. Note that the user information 920 and the time stamp 932 are managed as a set, and the authentication cache 254 includes one or a plurality of these sets.

  The user information 920 is as shown in FIG. 13 as described above.

  The time stamp 932 is information for holding time information when the user information 920 is registered in the authentication cache 254 or when the user information 920 in the authentication cache 254 is updated. By using the time stamp 932, it is possible to periodically delete information that has not been used for a long period of time, preventing the cache from growing without limit and squeezing the RAM 3002. The time stamp 932 is for determining date and time information, so any format can be used as long as it can be determined.

  Next, functions for executing processing of the entry / exit card reader 104 will be described.

  The entrance / exit card reader 104 includes a card communication unit 600, a data calculation unit 601, an N / W communication unit 602, gate setting information 603, and the like. In the present embodiment, the zone is partitioned by physical walls and partitions, and is configured such that it can only be entered and exited through the gate.

  The gate is locked with an electronic lock, and the IC card 900 is held over the entrance / exit card reader 104 to unlock the electronic lock. The entrance / exit card reader 104 includes an entrance card reader and an exit card reader, which are installed inside and outside the zone.

  Specifically, an entrance card reader is installed near the gate outside the zone, and an exit card reader is installed near the gate inside the zone. In addition, a configuration in which there is no exit card reader is also conceivable.

  In this case, it is conceivable that the user uses the card reader held up when entering the room when leaving the room. In the present embodiment, the card readers for both entering and leaving the room are used because the processing on the program of the entering and leaving card readers is almost the same, or there is a configuration in which the entering card reader is used in combination with the leaving card reader. Are combined into one as an entry / exit card reader.

  The card communication unit 600 has a function equivalent to that of the card communication unit 300 included in the card reader 101.

  The data calculation unit 601 has a function equivalent to that of the data calculation unit 301 included in the card reader 101.

  The N / W communication unit 602 has a function equivalent to that of the N / W communication unit 402 included in the authentication server 102.

  As shown in FIG. 12, the gate setting information 603 holds information for determining the operation of the entry / exit card reader 104. The administrator mainly sets this information when installing the entrance / exit card reader 104. The gate setting information 603 includes a connection destination 911, a port 912, a zone 913, and the like.

  The connection destination 911 and the port 912 are information for determining the communication destination entry / exit management server 103. The connection destination 911 may be in any format as long as it can identify the communication destination entrance / exit management server 103 such as an IP address format or a host name format.

  The zone 913 is information representing a zone where the entrance / exit card reader 104 is installed.

  Next, a function for executing the processing of the entry / exit management server 103 will be described.

  The entrance / exit management server 103 includes a data management unit 500, an entrance / exit management unit 501, an N / W communication unit 502, an entrance / exit authentication DB 503, and the like. The entrance / exit management server 103 may be configured with the same housing as the authentication server 102. At this time, the entry / exit authentication DB 503 and the authentication DB 403 may share information as a single DB, not as separate DBs. In this embodiment, the entrance / exit management server 103 and the authentication server 102 are configured as separate cases, and the entrance / exit authentication DB 503 and the authentication DB 403 are configured as separate databases. This is a configuration that considers the case where it is desired to manage each authentication separately, such as entering the room but not using the multifunction device 100.

  The data management unit 500 provides a function for managing the entrance / exit authentication DB 503. Specifically, the entry / exit authentication DB 503 is written, read, deleted, updated, etc., to the external memory 2011 of the entry / exit management server 103.

  The entry / exit management unit 501 responds to an inquiry from the outside using the data of the entry / exit authentication DB 503. For example, a user can be authenticated by receiving an authentication request using an authentication protocol such as NTLM or Kerberos. It is also possible to search for user information by receiving a search request using a search protocol such as LDAP (Lightweight Directory Access Protocol). The purpose of the entry / exit management unit 501 is to perform authentication and search, and the authentication method and protocol are not limited to the above.

  In response to the authentication request from the entrance / exit card reader 104, the entrance / exit management unit 501 determines whether a user exists in the entrance / exit authentication DB 503 and returns the result.

  The N / W communication unit 502 has a function equivalent to that of the N / W communication unit 402 included in the authentication server 102.

  As shown in FIG. 13, the entrance / exit authentication DB 503 is information stored in the external memory 2011 of the entrance / exit management server 103. The entrance / exit authentication DB 503 is information necessary for the authentication process when the entrance / exit management server 103 receives an authentication request from the entrance / exit card reader 104. The entrance / exit authentication DB 503 has one or a plurality of user information 920.

  Next, functions for executing processing of the print server 106 will be described.

  The print server 106 includes a bibliographic management unit 800, a job management unit 801, an N / W communication unit 802, a bibliographic DB 803, a job DB 804, and the like. In this embodiment, the print server 106 is configured as a single housing, but the bibliographic function including the bibliographic management unit 800 and the bibliographic DB 803 and the virtual printer function including the job management unit 801 and the job DB 804 are provided. You may comprise by another housing | casing.

  The bibliographic management unit 800 manages bibliographic information 961 included in the job 960. The bibliographic management unit 800 analyzes the job 960 received from the client PC 105 and acquires bibliographic information 961. Further, the bibliographic management unit 800 provides a function for managing the bibliographic DB 803. Specifically, the bibliographic DB 803 is written to, read from, deleted from, or updated to the external memory 2011 of the print server 106.

  The job management unit 801 provides a function for receiving a job 960 from the client PC 105, a function for managing the received job 960, and a function for transmitting a job to the multifunction peripheral 100. As for job reception, communication with the client PC 105 is performed, and a job 960 is received using LPR, RAW, and other printing protocols. Regarding job management, the received job 960 is managed by the job DB 804. Specifically, the job DB 804 is written to, read from, deleted from, or updated to the external memory 2011 of the print server 106. As for job transmission, a request such as a list request or a print request is accepted from the multifunction peripheral 100. When the list request is received, a job list of the user who has logged in to the multifunction peripheral 100 is transmitted. When a print request is received, the job 960 stored in the job DB 804 is transmitted to the multifunction peripheral 100 using a print protocol.

  The N / W communication unit 802 has a function equivalent to that of the N / W communication unit 402 included in the authentication server 102.

  As shown in FIG. 16, the bibliographic DB 803 is information stored in the external memory 2011 of the print server 106. The bibliographic DB 803 stores the bibliographic information 961 of the job 960 received from the client PC 105. The bibliographic DB 803 includes one or a plurality of bibliographic information 950. 950 includes a job owner 951, a job name 952, a printing method 953, a color mode 954, and the like.

  The job owner 951 is information representing the name of the user who created the job. This is used when collating with the user name 922 of the user information 920 of the user who has logged into the multifunction peripheral 100 to identify the user's job.

  The job name 952 is information for identifying a job. This is displayed as a job name in the job list on the print screen 1400.

  The printing method 953 is information representing the appearance when the job 960 is printed. For example, information such as single-sided printing, double-sided printing, and bookbinding printing is set.

  The color mode 954 is information representing a print color when the job 960 is printed. For example, information such as color, monochrome, and auto is set.

  In addition to the job name, the bibliographic information DB is configured to hold a time stamp for identifying the job. Further, in order to obtain a job corresponding to the bibliographic information, a job storage destination path is stored in the bibliographic information DB. That is, when a print instruction request including a time stamp (for example, step S420 described later) is acquired from the multi-function device 100, the bibliographic information is specified by the time stamp, and the job is stored according to the job storage path included in the bibliographic information. A job is acquired from a DB (job storage folder) and printed.

  As illustrated in FIG. 17, the job DB 804 is information stored in the external memory 2011 of the print server 106. The job DB 804 is a DB that stores the job 960 received from the client PC 105.

  The job DB 804 includes one or a plurality of jobs 960. The job 960 includes bibliographic information 961, PDL data 962, and the like.

  The bibliographic information 961 is information shown in FIG. 16 as described above.

  The PDL data 962 describes image data in a language that can be printed by the multifunction peripheral 100.

  Next, functions for executing processing of the client PC 105 will be described.

  The client PC 105 includes an application unit 700, a printer driver unit 701, an N / W communication unit 702, and the like.

  The application unit 700 provides a user with a GUI (Graphic User Interface), and generates image data suitable for the user's purpose.

  The printer driver unit 701 converts the image data generated by the application unit 700 into page description language (PDL) data that can be printed by the multifunction peripheral 100. Further, as shown in FIG. 16, 950 including job information such as job owner 951, job name 952, printing method 953, color mode 954, etc. is assigned to the PDL data to create a job 960 shown in FIG. .

  The N / W communication unit 702 has a function equivalent to that of the N / W communication unit 402 included in the authentication server 102.

Next, an outline of processing of the authentication system 1 according to the present invention will be described with reference to FIG.
FIG. 5 is a process outline diagram of the authentication system 1.

  In order to enter a specific zone, the user holds the IC card over the entry / exit card reader 104 to accept the card ID of the IC card (1-1). The entrance / exit card reader 104 reads the card ID 901 from the IC card 900 and makes an authentication request to the entrance / exit management server 103 (1-2).

  The entrance / exit management server 103 receives the authentication request, searches the entrance / exit authentication DB 503 for the card ID 901 included in the authentication request (1-3), and sends an authentication response to the entrance / exit card reader 104 (1-4). When the entrance / exit card reader 104 accepts the authentication reply and determines that the authentication is successful, the entrance / exit card reader 104 notifies the multifunction peripheral 100 of the card ID 901 with the successful authentication (1-5).

  The multi-function device 100 makes an authentication request to the authentication server 102 based on the notified card ID 901 (1-6).

  The authentication server 102 searches the authentication DB 403 for user information 920 associated with the card ID 901 included in the authentication request (1-7), and sends an authentication response to the multifunction peripheral 100 (1-8).

  The multi-function device 100 accepts the authentication reply, and updates the authentication cache 254 with the user information 920 included in the accepted authentication reply (1-9).

  The entrance / exit card reader 104 unlocks the gate installed in the zone so that the user can enter the room.

  The user logs in to the client PC 105 and issues a data print instruction (2-1). The print server 106 analyzes the job 960 and stores the analyzed bibliographic information 950 in the bibliographic DB 803 (2-2). The print server 106 stores the analyzed job 960 in the job DB 804 (2-3).

  The user inputs the card ID by holding the IC card 900 over the card reader 101 connected to the multifunction peripheral 100 (3-1). The card reader 101 reads a card ID 901 from the IC card 900. The multi-function device 100 searches the authentication cache 254 for user information 920 associated with the card ID 901 (3-2). The multi-function device 100 performs log-in processing using the searched user information 920 and makes a job list acquisition request including the user name of the logged-in user to the print server 106 (3-3).

  The print server 106 searches the bibliographic database 803 for bibliographic information 950 having the same user name 922 (3-4), and returns the bibliographic information 950 to the multifunction peripheral 100 (3-5). The multi-function device 100 displays the received user job list on the screen and accepts a selection from the user. The user selects a job displayed on the screen and executes printing.

  The multi-function device 100 issues a print request for the selected job 960 to the print server 106 (3-6). The print server 106 retrieves the corresponding job 960 from the job DB (3-7), and instructs the multifunction peripheral 100 to print (3-8).

  Next, detailed processing of the authentication system 1 according to the present invention will be described with reference to FIGS.

  Note that the first feature in the present embodiment is the processing of step S020, step S021, step S025, step S030, step S103, step S104, and step S107.

  In addition, other features in the present embodiment are processes such as step S022, step S024, step S029, step S106, step S108, step S110, step S116, step S117, step S314, and step S417.

  6 is a flowchart illustrating an example of an entry / exit process of the authentication system 1, FIG. 7 is a flowchart illustrating an example of a multifunction machine use process of the authentication system 1, and FIG. 8 illustrates an example of a job input process of the authentication system 1. FIG. 9 is a flowchart illustrating an example of the printing process of the authentication system 1.

  First, the entrance / exit processing of the authentication system 1 will be described with reference to FIG.

  In FIG. 6, the entry / exit card reader 104 detects and reads the IC card 900 held by the user. The entrance / exit card reader 104 receives the read result (IC card ID) and makes an authentication request including the card ID to the entrance / exit management server 103.

  The entrance / exit management server 103 performs authentication in accordance with the authentication request including the sent card ID, and returns the result to the entrance / exit card reader 104. The entry / exit card reader 104 notifies the multifunction device 100 of the user's entry / exit status. The multi-function device 100 communicates with the authentication server 102 based on the received information and updates the authentication cache 254.

  As shown in FIG. 6, the entrance / exit card reader 104 detects the IC card 900 (step S001), and reads the card ID 901 stored therein (step S002). The entrance / exit card reader 104 transmits the read card ID 901 to the entrance / exit management server 103 (step S003). At this time, the entrance / exit management server 103 of the communication destination determines based on the information of the connection destination 911 and the port 912 stored in the gate setting information 603 of the entrance / exit card reader 104.

  The entrance / exit management server 103 accepts a search request including the card ID 901 from the entrance / exit card reader 104 (step S004). The entrance / exit card reader 104 searches the entrance / exit authentication DB 503 for user information 920 in accordance with the card ID 901 (step S005).

  Specifically, it is determined whether any one of the card IDs 921 of the user information 920 included in the entry / exit authentication DB 503 matches the card ID 901 received from the entry / exit card reader 104 (authentication). As a result of the determination, if there is matching user information 920, the result is success, and if there is no matching user information 920, the result is failure. The entry / exit management server 103 notifies the entry / exit card reader 104 of the search result (entrance / exit permission, entry / exit permission) (step S006).

  In other words, it is a process of outputting (authentication result output) to notify the multifunction peripheral in the zone permitted to enter / exit to the information permitted to enter the room.

  The entrance / exit card reader 104 receives the search result from the entrance / exit management server 103 (step S007). The entrance / exit card reader 104 determines whether the received search result is successful or unsuccessful (step S008).

  If it is determined in step S008 that the search has failed, the entrance / exit card reader 104 issues an error notification (step S013). Specifically, an error beep is sounded or an error message is displayed on a display unit (not shown). At this time, since the gate is not unlocked, it is possible to restrict entry of users who are not managed by the entrance / exit management server 103. In addition, entry of users who do not have the IC card 900 can be restricted. As described above, entry into the zone by a third party can be restricted, so that security in the zone can be enhanced.

  When it is determined that the search is successful as a result of the determination in step S008, the entrance / exit card reader 104 searches for the multifunction peripheral 100 (step S009). Various search methods can be considered. For example, a method of broadcasting (simultaneous reporting to unspecified number of people) to the same network segment is considered. In addition, SNMP (Simple Network Management Protocol) is used as means for determining whether or not the communication partner that performed the broadcast is a multifunction peripheral. SNMP is a protocol implemented in many information processing apparatuses, and various information of the information processing apparatus is hierarchically stored in the information processing apparatus itself as an OID (Object IDentifier).

  Since a value unique to the multifunction device is also defined in this OID, it is possible to determine whether the information processing apparatus is a multifunction device by searching for the OID unique to the multifunction device using SNMP. In this way, the MFP 100 of the same segment is searched using the SNMP broadcast. Although an example of SNMP has been described here, the protocol is not limited to SNMP as long as the information processing apparatus can be identified as a multifunction peripheral.

  Further, the MFP 100 belonging to the same zone as the entrance / exit card reader 104 may be set in the gate setting information 603 in advance, so that the search process in step S009 may be omitted.

  The entry / exit card reader 104 notifies the multifunction peripheral 100 searched in step S009 of user entry / exit information (step S010). At this time, the zone 913 set in the gate setting information 603 and the card ID 901 read in step S002 are transmitted. Information about whether the user is entering or leaving the zone is also transmitted. Specifically, the entrance / exit information is transmitted by the following method.

  For example, when the entrance card reader and the exit card reader are installed separately, the entrance card reader always transmits the entrance information, and the exit card reader always transmits the exit information. For example, when the entrance card reader also serves as the exit card reader, the entrance / exit card reader is provided with buttons for entering and exiting. When the entry button is pressed, entry information is transmitted, and when the exit button is pressed, exit information is transmitted. In this case, as long as the entry / exit can be distinguished, a method other than the distinction by the button may be used.

  The entry / exit card reader 104 determines whether entry / exit information has been notified to all the searched multifunction devices 100 (step S011). If there is a multifunction device 100 that has not yet been notified, the entry / exit card reader 104 notifies the other multifunction device 100 of the entry / exit information again.

  When the entrance / exit information is notified to all the multifunction peripherals 100, the entrance / exit card reader 104 instructs the gate unlocking (step S012). As a result, only a user who has succeeded in authentication can pass through the gate and enter the zone.

  In this embodiment, the gate is unlocked by notifying all the MFPs 100 of the entrance / exit information, but the gate unlocking instruction is given first, and after all the gate unlocking instructions are given to all the MFPs 100 You may make it notify entry / exit information.

  The multifunction device 100 accepts entry / exit information including the card ID from the entry / exit card reader 104 (first identification information acceptance) (step S020). The multi-function device 100 determines whether the information received from the entry / exit card reader 104 is entry information or exit information (step S021).

  If the result of determination in step S021 is that the room has been entered, the multi-function device 100 performs zone verification (step S022). Specifically, the zone 913 notified from the entrance / exit card reader 104 is compared with the zone 945 set in the application setting information 253 of the multifunction peripheral 100. The zone collation here is because, as described above, in the present embodiment, it is assumed that a plurality of zones exist in one segment. In addition, by performing zone matching, usability can be improved and resources can be used efficiently.

  The improvement in usability is realized by minimizing the number of user information 920 managed by the authentication cache 254 and improving the authentication speed. First, in order for the user to use the multifunction device 100, it is necessary to enter a zone where the multifunction device 100 is installed. In order for the user to enter the zone, the entry / exit card reader 104 must authenticate.

  That is, only the MFP 100 installed in the same zone as the entry / exit card reader 104 needs to update the authentication cache 254 based on the entry information. Therefore, the MFP 100 that receives the notification from the entry / exit card reader 104 collates the zone information, so that the MFP 100 can prevent unnecessary caching of the user information 920. There are two reasons for minimizing the number of management cases.

  The first point is that since the authentication cache 254 is used when a user logs in to the multifunction peripheral 100, the search speed increases as the number of cases decreases.

  Second, when the authentication cache 254 increases and the old user information 920 is deleted, if there is a user who wants to log in using the user information 920, the cache information cannot be used and communication with the authentication server 102 occurs. The performance will be degraded.

  Since the authentication cache 254 is information stored in the RAM 3002 or the HDD 3004, the information that can be stored has an upper limit. Therefore, if the upper limit is exceeded, storage may not be possible, and when the upper limit is reached, the old user information 920 of the time stamp 932 is deleted.

  The efficient use of resources is realized by minimizing communication with the authentication server 102. When all the multifunction peripherals 100 that have received the room entry information communicate with the authentication server 102, network communication occurs every time the room enters, and network traffic increases. Further, since the authentication server 102 accepts authentication requests from many multifunction devices 100, depending on the server performance, the processing is concentrated and the performance is degraded. Only the MFP 100 whose zone matches in the zone collation communicates with the authentication server 102, so that network traffic and server resources can be used efficiently.

  When it is determined that the zones do not match as a result of the determination in step S022, the multi-function device 100 searches the authentication cache 254 (step S023). Specifically, the user information 920 in which the card ID 901 notified from the entry / exit card reader 104 matches the card ID 921 of the user information 920 in the authentication cache 254 is searched.

  When it is determined that the user leaves the room as a result of the determination in step S021, or when the user information 920 is found as a result of the determination in step S023, the multi-function device 100 updates the authentication cache 254 (step S024).

  Specifically, first, user information 920 included in the authentication cache 254 is searched. At this time, the user information 920 in which the card ID 901 received from the entry / exit card reader 104 matches the card ID 921 of the user information 920 is searched. When the matching user information 920 is found, the entrance / exit flag 926 of the user information 920 included in the authentication cache 254 is changed to exit (entrance / exit information update).

  At the same time, the entry zone 927 of the user information 920 is not set. Further, the current date and time is set in the time stamp 932 corresponding to the user information 920 in the authentication cache 254. Further, the user information 920 may be deleted from the authentication cache 254 without being updated, and the authentication cache may be stored again.

  Furthermore, in this embodiment, it is considered to update or delete when leaving the room. However, when a certain number of caches accumulate, the old cache is automatically deleted or the old cache is periodically deleted. May be. In either case, it is possible to determine whether the cached user information 920 is new or old by using the time stamp 932 managed in a pair with the user information 920 in the authentication cache 254.

  By rewriting the authentication cache 254 in the case of a zone mismatch, it is possible to place restrictions on the use of the multifunction device 100 for users who should have left the room, thereby realizing an authentication system with higher security.

  For example, when leaving the room without holding the IC card 900 when leaving the room, the entry / exit flag 926 of the user information 920 of the authentication cache 254 of each MFP 100 remains in the room. When entry is detected in a certain zone, it can be considered that the other zones have left, so this processing is performed in consideration of the above case.

  If it is determined in step S022 that the zones match, the multi-function device 100 makes a user information search request (authentication request transmission) to the authentication server 102 (step S025). At this time, the authentication server 102 of the communication destination determines based on the information of the authentication server 941 and the authentication port 942 stored in the application setting information 253 of the multifunction peripheral 100. Further, the card ID 901 (first identification information) received from the entrance / exit card reader 104 is transmitted as a user information search request.

  The authentication server 102 receives a search request from the multifunction device 100 (step S026).

  The authentication server 102 retrieves the user information 920 from the authentication DB 403 (step S027). Specifically, it is determined whether any one of the card IDs 921 of the one or more pieces of user information 920 included in the authentication DB 403 matches the card ID 901 received from the multifunction device 100. As a result of the determination, if there is matching user information 920, the result is success, and if there is no matching user information 920, the result is failure. The authentication server 102 notifies the MFP 100 of the search result (step S028).

  Although logically a search failure can be considered, it is unlikely that a search failure will occur in operation. This is because the user information is managed by the entrance / exit management server 103 and the authentication server 102 and is searched by the entrance / exit management server 103 before searching by the authentication server 102.

  If the search fails in the entrance / exit management server 103, the search in the authentication server 102 is not performed, and therefore it is usually impossible for the search to fail. However, when the user information is registered in the entrance / exit management server 103 and the user information is not registered in the authentication server 102, the search fails. This is because a company generally manages an entrance / exit management system and an authentication system for authenticating a multifunction machine separately.

  The multi-function device 100 receives the search result from the authentication server 102 (step S029). As a search result, user information acquired by authenticating the card ID by the authentication server 102 is received. In other words, the authentication result of the first identification information included in the authentication request is received (authentication result reception).

  The multi-function device 100 receives the search result, determines whether or not the search is successful, and updates the authentication cache 254 if the search is successful (step S030). Specifically, user information 920 (authentication information) including at least the card ID 921 (first identification information) received as a search result is set (stored) in the authentication cache 254.

  The card ID 921 may be stored using a card ID read from the IC card. That is, the card ID (first identification information) used for authentication or the card ID (first identification information) included in the search result is stored.

  The user information 920 includes authority 925 (authorization information), and a card ID (first identification information) and authority (authorization information) are stored in the authentication cache 254 in association with each other. Further, the entry / exit flag is set to information indicating entry.

  If the same user information 920 is already stored in the authentication cache 254, the user information 920 is overwritten. At the same time, the current date and time is set in the time stamp 932.

  The newness of the authentication cache 254 can be maintained by overwriting the information acquired from the authentication server 102 here. Therefore, even if the user information 920 is changed in the authentication server 102, the user information 920 is reflected in the cache when entering the next time, thus realizing a system that is easier to use.

  In the present embodiment, the entrance / exit card reader 104 performs the entrance / exit notification (step S009) to the multifunction peripheral 100. However, the entrance / exit management server 103 may perform the processing from step S008 to step S023. . In addition, although the MFP 100 performs the zone verification 013, it may be configured such that the zone verification is performed in advance in the entrance / exit card reader 104 or the entrance / exit management server 103.

  Next, the MFP use processing of the authentication system 1 of the authentication system 1 will be described with reference to FIG.

  In FIG. 7, the card reader 101 detects the IC card 900 held by the user and reads the card ID. The card reader 101 notifies the multifunction peripheral 100 of the read card ID. The multi-function device 100 authenticates with the authentication cache 254 or the authentication server 102, and receives the result and performs login processing and error processing.

  As shown in FIG. 7, the card reader 101 detects the IC card 900 (step S100) and reads the card ID 901 stored therein (step S101). The card reader 101 transmits the read card ID 901 to the multifunction peripheral 100 (step S102).

  The multi-function device 100 receives the card ID 901 (second identification information) read from the card reader 101 (step S103).

  The multi-function device 100 retrieves the user information 920 from the authentication cache 254 (step S104). Specifically, one of the card IDs 921 (first identification information) of one or more pieces of user information 920 included in the authentication cache 254 matches the card ID 901 (second identification information) received from the card reader 101. Determine whether to do.

  In other words, it is determined whether or not the first identification information that matches the second identification information is stored (memory determination).

  Here, the authentication speed can be increased by using the authentication cache 254 of the multifunction peripheral 100 instead of the authentication DB 403 of the authentication server 102. When the authentication server 102 is used, network communication takes time and a lot of user information 920 is stored in the authentication server 102.

  On the other hand, when the authentication cache 254 is used, it is not necessary to perform network communication, and only the user information 920 of the user who entered the zone is stored. Therefore, by using the authentication cache 254, the authentication speed can be increased and a system with high usability can be realized.

  If the user information 920 is found in the authentication cache 254 as a result of the determination in step S104, the multi-function device 100 determines entry / exit (step S105). Specifically, it is confirmed whether the entry / exit flag 926 of the user information 920 is entry or exit.

  If the entry / exit flag 926 is determined to be entered as a result of the determination in step S105, the multifunction device 100 sets the user authority 925 in the multifunction device 100 (step S106). This authority 925 sets the authority 925 included in the user information 920 acquired from the authentication cache 254 in the MFP main body.

  The multi-function device 100 sets the set authority information and user information 920 in the multi-function device, and performs login processing (step S107). The functions of the multifunction device 100 can be used by logging in.

  That is, when it is determined that the authentication cache including the card ID (first identification information) stored in step S030 that matches the card ID (second identification information) received in step S103 is stored. Permit use of multifunction devices.

  Specifically, the IC card authentication screen 1000 displayed on the operation unit 3030 is switched to the copy screen 1300 or the print screen 1400 so that the user can use various functions of the multifunction device 100.

  At this time, the display and functions of the copy screen 1300 and the print screen 1400 are limited according to the authority. For example, the color button 1303 on the copy screen 1300 is not displayed for a user who does not have color printing authority, and the print button 1302 is not displayed for a user who does not have printing authority. In addition, when there is no color authority, the color button 1303 is operated or the print button 1302 is displayed. However, even when the print or color function is used, the output is forcibly set to monochrome. Good.

  As a result of the determination in step S105, if the entry / exit flag 926 is determined to leave, the multifunction device 100 sets the guest authority (strong) 943 in the multifunction device main body (step S108). Guest authority (strong) 943 is information stored in the application setting information 253 of the multifunction peripheral 100. By providing this guest authority, it is possible to realize a system that achieves both security and convenience.

  When a user who does not have a record of entering a room enters the room with a companion or the like, this user should not be allowed to use the multifunction device in consideration of security. However, the fact that the multifunction device cannot be used even though it is in the room may impair convenience. Therefore, if there is no entry record due to sharing, etc., the guest authority is set so that only the minimum functions can be used.

  The reason for setting the guest authority (strong) instead of the guest authority (weak) here is as follows. The presence of the user information 920 in the authentication cache 254 of the multi-function device 100 means that the user has once entered the room correctly. Therefore, even if you enter the room together, you cannot say that it is a complete third party. Therefore, the strength of the guest authority is distinguished depending on whether or not the user information exists in the authentication cache 254, thereby realizing a more convenient system.

  The multi-function device 100 displays a warning message on the operation unit 3030 (step S109). Specifically, the multifunction peripheral 100 displays an error dialog 1200 on the operation unit 3030. As an error message at this time, a message such as “Log in with limited authority because there is no entry record. If you want to use the MFP with your authority, please enter correctly” is output. In addition, the user may be alerted by sounding a beep sound as well as reading out an error message by voice.

  If the user information 920 is not found in the authentication cache 254 as a result of the determination in step S104, the multi-function device 100 makes a user information search request to the authentication server 102 (step S110). At this time, the authentication server 102 of the communication destination determines based on the information of the authentication server 941 and the authentication port 942 stored in the application setting information 253 of the multifunction peripheral 100. Further, the card ID 901 received from the card reader 101 is transmitted as a user information search request.

  The authentication server 102 receives a search request (card ID 901) from the multifunction device 100 (step S111).

  The authentication server 102 retrieves the user information 920 from the authentication DB 403 (Step S112). Specifically, it is determined whether any one of the card IDs 921 of the one or more pieces of user information 920 included in the authentication DB 403 matches the card ID 901 received from the multifunction device 100.

  As a result of the determination, if there is matching user information 920, the result is success, and if there is no matching user information 920, the result is failure. The authentication server 102 notifies the MFP 100 of the search result (step S113). The search result includes a search success flag and the searched user information 920 when the search is successful, and a search failure flag when the search is unsuccessful.

  The multi-function device 100 receives the search result from the authentication server 102 (step S114), and determines whether the result is successful (step S115). If the search is successful, the multi-function device 100 determines an entrance / exit flag 926 of the search result user information 920 (step S116).

  Specifically, since the authentication DB of the authentication server 102 does not have an entrance / exit flag, a request to acquire an entrance / exit flag corresponding to the card ID received from the multifunction peripheral 100 to the entrance / exit management server 103 in step S103. And information on the entrance / exit flag is acquired from the entrance / exit management server 103. The acquired entry flag is determined.

  If the entrance / exit zone is acquired at the same time and matches the zone of the MFP, the process can be shifted to step S105.

  Since there is no authentication cache in step S104, if the entry flag is information indicating entry, the entry / exit zone and the zone 945 of the application setting information (FIG. 15) of the MFP 100 do not match. . That is, as will be described later, there is a state where there is a record of entering the room in another zone. However, this is not the case when the authentication cache is deleted by the multifunction device.

  If it is determined in step S116 that the entry / exit flag 926 has been entered, the multifunction peripheral 100 sets the guest authority (weak) 943 in the multifunction peripheral body (step S108).

  As a result, a system that achieves both high security and convenience can be realized. This case is a case where the user is managed by the authentication server 102 but there is no entry record in the zone, and there is an entry record in another zone.

  In other words, this is a case where companion is performed when leaving another zone, and companion is also performed when entering the zone. At this time, since there is no doubt that the user has entered a certain zone correctly, the multifunction device 100 is used. Therefore, convenience can be enhanced while increasing security.

  In the present embodiment, the determination in step S116 is performed, and the process in step S117 or step S118 is performed. However, if the result of the setting in the multifunction machine 100 is OK in step S115, the process proceeds to step S117. You may comprise as follows. That is, it can be configured not to perform the process of step S116. This is because since the authentication cache is not stored, it is clear that the room has never been entered into the zone, and it has become clear that the room has been entered together.

  If the determination result in step S115 indicates that the search has failed, or if the determination result in step S116 indicates that the entry / exit flag 926 has been determined to leave, the multi-function device 100 displays an error dialog 1200 on the operation unit 3030. As an error message at this time, a message such as “You are not registered.” Or “There is no entry record. Please use the multifunction device after entering the room correctly” is output. In addition, the user may be alerted by sounding a beep sound as well as reading out an error message by voice.

  Next, the job input process of the authentication system 1 will be described with reference to FIG.

  In FIG. 8, the client PC 105 generates a job 960 and inputs it to the print server 106. The print server 106 receives the job 960 and analyzes and stores the job 960.

  As shown in FIG. 8, the client PC 105 generates a job 960 using an application (step S300), and inputs the job 960 generated using a printer driver to the print server 106 (step S301).

  The print server 106 receives the job 960 from the client PC 105 (step S302), and analyzes the bibliographic information 950 of the job 960 (step S303). Specifically, the job owner 951, the job name 952, the printing method 953, and the color mode 954 of the bibliographic information 950 included in the job 960 are analyzed.

  By analyzing the bibliographic information in advance, it is possible to save the trouble of analyzing the bibliographic information when a job list request is received from the multifunction peripheral 100, and to improve the response response.

  The print server 106 stores the analyzed bibliographic information 950 in the bibliographic database 803 (step S304), and stores the analyzed job 960 in the job DB 804 (step S305).

  Next, the printing process of the authentication system 1 will be described with reference to FIG.

  In FIG. 9, the multi-function device 100 acquires a job 960 from the print server 106, and performs output processing and error processing of the job 960 according to the authority. Note that this print processing is processing after the user logs in to the multifunction peripheral 100.

  As shown in FIG. 9, the multi-function device 100 makes a list request to the print server 106 (step S400). At this time, the user name 922 included in the user information 920 of the login user set in the MFP 100 is included in the list request.

  The print server 106 receives a list request from the multifunction peripheral 100 (step S401), searches the bibliographic information 950 of the user from the bibliographic database 803, and creates a list including at least a time stamp (step S402). Specifically, the bibliographic information 950 in which the job owner 951 of the bibliographic information 950 matches the user name 922 received from the multifunction peripheral 100 is searched from the bibliographic DB 803. The print server 106 transmits the created list to the multifunction device 100 (step S403).

  The multi-function device 100 receives a list from the print server 106 (step S404), and displays a user job list on the print screen 1400 of the operation unit 3030 (step S405). At this time, the job name 952 included in the bibliographic information 950 is displayed in a list. In addition, bibliographic information such as the number of pages (not shown) and job submission time is also displayed.

  The multi-function device 100 waits for a print instruction from the user (step S406). Specifically, the user selects a job name to be printed on the print screen 1400 and presses a print button 1403. The multi-function device 100 waits for the print button 1403 to be pressed.

  The multi-function device 100 determines the authority of the login user (step S407). The login user's authority is checked in two stages.

  First, in the first stage, the print authority is checked. If there is no print authority with the login user authority set in the MFP, it is determined that there is no authority.

  In the second stage, the print option authority is checked. The print option is a function associated with a printing function such as color printing or single-sided printing. For example, if at least one color job is included in the selected job and there is no color print authority with the authority of the login user, it is determined that there is no authority.

  If it is determined in step S407 that there is no authority, the MFP 100 determines whether the authority of the set login user is the authority 925 of the user information 920 or the guest authority (strong) 943 acquired from the application setting information 253. Alternatively, it is determined whether the guest authority (weak) 944 is set (step S408).

  Also, when it is determined that there is an authority as a result of the determination in step S407, the multifunction peripheral 100 performs guest authority determination in the same manner as in step S408 (step S419).

  In this way, a system with high security and convenience is realized by combining the presence / absence of authority, determination of guest authority, and user authority.

  If it is determined in step S408 that the user has the guest authority, the multi-function device 100 displays an error dialog 1200 on the operation unit 3030 (step S418).

  A message such as “You do not have permission to use this function” is output as an error message. In addition, the user may be alerted by sounding a beep sound as well as reading out an error message by voice.

  When it is determined that the user authority is obtained as a result of the determination in step S418, the multi-function device 100 makes a user information search request to the authentication server 102 (step S409). At this time, the authentication server 102 of the communication destination determines based on the information of the authentication server 941 and the authentication port 942 stored in the application setting information 253 of the multifunction peripheral 100. Further, the card ID 921 included in the user information 920 of the login user is transmitted as a user information search request.

  The authentication server 102 receives a search request from the multi-function device 100 (step S410), and searches for user information 920 from the authentication DB 403 (step S411). Specifically, it is determined whether one of the card IDs 921 of the one or more user information 920 included in the authentication DB 403 matches the card ID 921 received from the multi-function device 100.

  As a result of the determination, if there is matching user information 920, the result is success, and if there is no matching user information 920, the result is failure. The authentication server 102 notifies the MFP 100 of the search result (step S412).

  The multi-function device 100 receives the search result from the authentication server 102 (step S413), and determines the search result (step S414).

  If it is determined that the search is successful as a result of the determination in step S414, the multi-function device 100 performs authority determination (step S415). The authority determination process is the same as that in step S407.

  If it is determined in step S414 that the search has failed, or if it is determined in step S415 that there is no authority, the multifunction peripheral 100 displays an error dialog 1200 on the operation unit 3030.

  A message such as “You do not have permission to use this function” is output as an error message. In addition, the user may be alerted by sounding a beep sound as well as reading out an error message by voice.

  If it is determined in step S415 that there is an authority, the multi-function device 100 updates the authentication cache 254 (step S417). Specifically, first, user information 920 included in the authentication cache 254 is searched. At this time, the user information 920 in which the card ID 901 received from the entry / exit card reader 104 matches the card ID 921 of the user information 920 is searched. When the matching user information 920 is found, the user information 920 is overwritten.

  Here, there are cases where authority is given. First, it is assumed that when the user tries to enter the zone, the information stored in the authentication server 102 has an authority that cannot be printed. Here, the user information 920 of the authority that cannot be printed when the user enters the room is cached in the authentication cache 254.

  After that, after the user enters the room, the user information 920 of the authentication server 102 is changed by the administrator, so that the user can print. However, at this point, the authentication cache 254 is not updated and remains old. If the user leaves the room and enters the room again, it is cached with new information. However, it takes time and the user does not know when the user information 920 of the user is updated.

  Therefore, if the authority is insufficient at the time of printing as in this process, it is possible to prevent lack of authority due to the mismatch of the user information 920 without the user being aware by reconfirming it.

  Through the processing in steps S407 to S413, when the authority is rewritten by the authentication server by the administrator after the user enters the room, the authority can be acquired again, and proper operation is possible.

  The multi-function device 100 requests a print instruction from the print server 106 (step S420). As a print instruction, a list of bibliographic information 950 of the job selected in step S406 is transmitted. Note that the job bibliographic information list may be a list including at least information (for example, a time stamp) that can specify a job.

  The print server 106 receives a print instruction from the multifunction peripheral 100 (step S421), and performs a job search (step S422). Specifically, the job DB 804 is searched for a job 960 that matches the bibliographic information 950 received from the multifunction peripheral 100.

  The print server 106 issues a print instruction for the searched job 960 to the multi-function peripheral 100 using the print protocol (step S423). Common printing protocols include LPR and RAW, but any protocol can be used as long as a printing instruction can be made. When the print instruction is issued, the print server 106 deletes the bibliographic information 950 and the job 960 that have been issued the print instruction from the bibliographic DB 803 and the job DB 804.

  The multi-function device 100 accepts a print instruction from the print server 106 (step S424), and performs print processing for the accepted job 960 (step S425). Specifically, the multi-function device 100 stores the accepted job 960 in a reception buffer (not shown) and performs spool processing.

  Subsequently, the bibliographic information 950 of the spooled job 960 is analyzed. The analyzed bibliographic information 950 is used to adjust the printer 3050 so as to be output by a method set in the printing method 953 or the color mode 954. Further, other bibliographic information 950 that is not used for adjustment of the printer 3050 is used for internal log data (not shown).

  Next, the MFP 100 analyzes the PDL data 962 of the job 960, creates intermediate data of the drawing object, and further creates a bitmap image based on the intermediate data. The multi-function device 100 prints the created bitmap image on a medium such as paper using a known printing technique.

  If the result of the determination in step S419 is that the guest authority is determined, the multi-function device 100 requests a forced print instruction from the print server 106 (step S426). A list of bibliographic information 950 of the job selected in step S406 is transmitted as a forced printing instruction. The forced printing instruction is an instruction to rewrite and print the bibliographic information 950 of the job 960. Note that the job bibliographic information list may be a list including at least information (for example, a time stamp) that can specify a job.

  The print server 106 receives a forced print instruction from the multifunction peripheral 100 (step S427), and performs a job search (step S428).

  The print server 106 issues a print instruction for the searched job 960 to the multifunction peripheral 100 using the print protocol (step S429). At this time, since the print request from the MFP 100 is a forced print instruction, the bibliographic information 950 of the job 960 to be transmitted is rewritten. Specifically, the printing method 953 is rewritten to both sides and the color mode 954 is rewritten to monochrome. Since the multi-function device 100 determines the printing method and color based on the bibliographic information 950 at the time of printing, the setting can be forcibly changed.

  For example, consider a case where the guest authority has been set, for example, when there is no entry record due to sharing with the user. At this time, since the user has entered the room, the user is allowed to use it in consideration of convenience. However, the use permission can be minimized by forced printing. Thus, both convenience and security can be achieved.

  Next, a preferred embodiment of the authentication system 2 according to the present invention will be described in detail.

  The authentication system 1 is an embodiment having a configuration in which a print job is stored in the print server 106 instead of the multifunction peripheral 100. By using the print server 106, the user does not have to specify the multifunction device to be output when the job is input, and therefore, a print job can be output from any multifunction device.

  On the other hand, the authentication system 2 is an embodiment configured to store print jobs in the multifunction peripheral 100 instead of the print server 106. In this configuration, the print server 106 is not installed, so that installation and management costs can be reduced.

  As described above, the authentication system 2 implements an authentication system in a multifunction peripheral, similar to the authentication system 1, and differs in where the print job is stored.

  Hereinafter, an embodiment of the authentication system 2 will be described with reference to FIGS.

  Note that FIG. 1 of the authentication system 1 is replaced with FIG. FIG. 4 of the authentication system 1 is replaced with FIG. FIG. 8 of the authentication system 1 is replaced with FIG. FIG. 9 of the authentication system 1 can be realized by replacing FIG.

  Regarding the other drawings, it is assumed that the authentication system 1 and the authentication system 2 are equivalent, and a description thereof will be omitted.

  Next, the configuration of the authentication system 2 will be described with reference to FIG.

  FIG. 19 is a diagram showing an example of the configuration of the authentication system 2 according to the present invention.

  In FIG. 1 of the authentication system 1, the print server 106 exists, but in FIG. 19 of the authentication system 2, the authentication server 102 does not exist. The other components are the same in the authentication system 1 and the authentication system 2, and the description thereof is omitted.

  Next, functions of the authentication system 2 and data to be used will be described with reference to FIG.

  FIG. 20 is a block diagram showing a functional configuration of the authentication system 2 according to the present invention.

  In FIG. 4 of the authentication system 1, the print server 106 exists, but in FIG. 20 of the authentication system 2, the authentication server 102 does not exist. The other components are the same in the authentication system 1 and the authentication system 2, and the description thereof is omitted.

Next, an outline of processing of the authentication system 2 according to the present invention will be described with reference to FIG.
FIG. 21 is a process outline diagram of the authentication system 2.

  In order to enter a specific zone, the user holds the IC card over the entry / exit card reader 104 to accept the card ID of the IC card (1-1). The entrance / exit card reader 104 reads the card ID 901 from the IC card 900 and makes an authentication request to the entrance / exit management server 103 (1-2). The entrance / exit management server 103 receives the authentication request, searches the entrance / exit authentication DB 503 for the card ID 901 included in the authentication request (1-3), and sends an authentication response to the entrance / exit card reader 104 (1-4).

  When the entrance / exit card reader 104 accepts the authentication reply and determines that the authentication is successful, the entrance / exit card reader 104 notifies the multifunction peripheral 100 of the card ID 901 with the successful authentication (1-5). The multi-function device 100 makes an authentication request to the authentication server 102 based on the notified card ID 901 (1-6).

  The authentication server 102 searches the authentication DB 403 for user information 920 associated with the card ID 901 included in the authentication request (1-7), and sends an authentication response to the multifunction peripheral 100 (1-8). The multi-function device 100 accepts the authentication reply, and updates the authentication cache 254 with the user information 920 included in the accepted authentication reply (1-9).

  The entrance / exit card reader 104 unlocks the gate installed in the zone so that the user can enter the room.

  The user logs in to the client PC 105 and issues a data printing instruction. (2-1) The multi-function device 100 analyzes the job 960 and stores the analyzed bibliographic information 950 and the analyzed job 960 in the printer box 207.

  The multi-function device 100 makes an authentication request to the authentication server 102 based on the job owner 951 included in the analyzed bibliographic information 950 (2-2).

  The authentication server 102 searches the authentication DB 403 for user information 920 that matches the job owner 951 and the user name 922 (2-3), and sends an authentication response to the multifunction peripheral 100 (2-4).

  The multi-function device 100 updates the authentication cache 254 with the acquired user information 920 (2-5).

  The user accepts the card ID of the IC card by holding the IC card 900 over the card reader 101 connected to the multifunction peripheral 100 (3-1).

  The card reader 101 reads a card ID 901 from the IC card 900. The multi-function device 100 searches the authentication cache 254 for user information 920 associated with the card ID 901 (3-2).

  The multi-function device 100 performs login processing using the retrieved user information 920. The multifunction device 100 searches the job list of the logged-in user from the printer box 207 and displays it on the screen, and accepts a selection from the user. The user selects a job displayed on the screen and executes printing. The multi-function peripheral 100 takes out the selected job 960 from the printer box 207 and prints it.

  Next, the job input process of the authentication system 2 will be described with reference to FIG.

  In FIG. 22, the client PC 105 generates a job 960 and inputs it to the composite 100. The multi-function device 100 receives the job 960, analyzes the job 960, and stores it. The multi-function device 100 communicates with the authentication server 102 based on the analyzed information, and updates the authentication cache 254.

  In addition, since the process from step S300 to step S301, the process of step S413, and step S417 is the same as that of the authentication system 1, description is abbreviate | omitted.

  As shown in FIG. 22, the multi-function device 100 accepts a job 960 from the client PC 105 (step S310), and analyzes the bibliographic information 950 of the job 960 (step S311).

  Specifically, the job owner 951, the job name 952, the printing method 953, and the color mode 954 of the bibliographic information 950 included in the job 960 are analyzed. By analyzing the bibliographic information in advance, it is possible to save the trouble of analyzing the bibliographic information when searching the job list of the logged-in user, and the processing speed can be improved.

  The multi-function device 100 stores the analyzed bibliographic information 950 and the analyzed job 960 in the printer box 207 (step S312).

  The multi-function device 100 searches the authentication cache 254 using the job owner 951 of the analyzed bibliographic information 950 (step S313). Specifically, the user information 920 having the user name 922 that matches the job owner 951 is searched. In addition, a time stamp 932 that is paired with the user information 920 is also acquired.

  If the user information 920 is found as a result of the determination in step S313, the multi-function device 100 determines whether or not a predetermined time has elapsed since the user information 920 was last updated (step S314). Specifically, it is determined whether or not a predetermined time has passed by comparing the current time with a time stamp 932 associated with the user information 920. By making this determination, frequent updating of the user information 920 is avoided.

  For example, when a plurality of jobs are printed by the client PC 105, there is a possibility that communication with the authentication server 102 occurs several times at the same time. Since the authentication DB 403 of the authentication server 102 is not frequently updated in operation, it is not necessary to update the authentication cache 254 too frequently. Therefore, it is possible to prevent network load and performance degradation by determining whether to update the authentication cache 254 according to the elapsed time from the update time.

  As a result of the determination in step S314, when it is determined that a predetermined time has elapsed since the user information 920 was updated, the multi-function device 100 makes a user information search request to the authentication server 102 (step S315). At this time, the authentication server 102 of the communication destination determines based on the information of the authentication server 941 and the authentication port 942 stored in the application setting information 253 of the multifunction peripheral 100. Further, the job owner 951 analyzed from the job 960 is transmitted as a user information search request.

  The authentication server 102 receives a search request from the multi-function device 100 (step S316).

  The authentication server 102 retrieves the user information 920 from the authentication DB 403 (step S317). Specifically, it is determined whether any one of the user names 922 of the one or more pieces of user information 920 included in the authentication DB 403 matches the job owner 951 received from the multifunction device 100. As a result of the determination, if there is matching user information 920, the result is success, and if there is no matching user information 920, the result is failure. The authentication server 102 notifies the MFP 100 of the search result (step S318).

  Next, the printing process of the authentication system 2 will be described with reference to FIG.

  In FIG. 23, the multifunction peripheral 100 acquires a job 960 from the printer box 207, and performs output processing and error processing of the job 960 according to the authority. Note that this print processing is processing after the user logs in to the multifunction peripheral 100.

  In addition, since the process from step S405 to step S419 is the same as that of the authentication system 1, description is abbreviate | omitted.

  As shown in FIG. 23, the multifunction peripheral 100 acquires a job list from the printer box 207 (step S500). Specifically, the bibliographic information 950 in which the job owner 951 of the bibliographic information 950 matches the user name 922 of the login user set in the multi-function device 100 is searched from the printer box 207 and set as a job list (step S403).

  The multi-function device 100 performs a printing process (step S501). Specifically, the multifunction peripheral 100 stores the job 960 selected in step S406 in a reception buffer (not shown) and performs spool processing.

  Subsequently, the bibliographic information 950 of the spooled job 960 is analyzed. The analyzed bibliographic information 950 is used to adjust the printer 3050 so as to be output by a method set in the printing method 953 or the color mode 954. Further, other bibliographic information 950 that is not used for adjustment of the printer 3050 is used for internal log data (not shown).

  Next, the MFP 100 analyzes the PDL data 962 of the job 960, creates intermediate data of the drawing object, and further creates a bitmap image based on the intermediate data. The multi-function device 100 prints the created bitmap image on a medium such as paper using a known printing technique.

  The multi-function device 100 performs forced printing processing (step S502). Specific processing is the same as that in step S501. The difference is that when the bibliographic information 950 of the job 960 is used, the printing method 953 and the color mode 954 are discarded. The printing method 953 is double-sided regardless of the setting of the bibliographic information 950. The color mode 954 is monochrome regardless of the setting of the bibliographic information 950. As a result, the setting can be forcibly changed.

  For example, consider a case where the guest authority has been set, for example, when there is no entry record due to sharing with the user. At this time, since the user has entered the room, the user is allowed to use it in consideration of convenience. However, the use permission can be minimized by forced printing. Thus, both convenience and security can be achieved.

  According to the present embodiment, a multifunction peripheral (image forming apparatus) is used by providing a cache of authentication information to a multifunction peripheral (image forming apparatus) that the user may use according to the user's entry. Authentication processing can be speeded up.

  In addition, when the user leaves the room and the IC card is held over the MFP to use the MFP (image forming apparatus), and there is a cache of authentication information corresponding to the IC card, While performing authentication by cache to speed up the authentication process, it is possible to increase security by using the multifunction machine using the authority (guest (strong) authority) different from the normally granted user authority.

  It should be noted that the configuration and contents of the various data described above are not limited to this, and it goes without saying that the various data and configurations are configured according to the application and purpose.

  Although one embodiment has been described above, the present invention can take an embodiment as, for example, a system, apparatus, method, program, or recording medium, and specifically includes a plurality of devices. The present invention may be applied to a system including a single device.

  Further, the program according to the present invention is a program that allows a computer to execute the processing methods of the flowcharts shown in FIGS. 6 to 9 and FIGS. 22 to 23, and the storage medium according to the present invention includes FIGS. A program capable of being executed by the computer in the processing method of FIG. 23 is stored. Note that the program in the present invention may be a program for each processing method of each device in FIGS. 6 to 9 and FIGS. 22 to 23.

  As described above, a recording medium that records a program that implements the functions of the above-described embodiments is supplied to a system or apparatus, and a computer (or CPU or MPU) of the system or apparatus stores the program stored in the recording medium. It goes without saying that the object of the present invention can also be achieved by executing the reading.

  In this case, the program itself read from the recording medium realizes the novel function of the present invention, and the recording medium storing the program constitutes the present invention.

  As a recording medium for supplying the program, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, DVD-ROM, magnetic tape, nonvolatile memory card, ROM, EEPROM, silicon A disk or the like can be used.

  Further, by executing the program read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (operating system) operating on the computer based on an instruction of the program is actually It goes without saying that a case where the function of the above-described embodiment is realized by performing part or all of the processing and the processing is included.

  Furthermore, after the program read from the recording medium is written to the memory provided in the function expansion board inserted into the computer or the function expansion unit connected to the computer, the function expansion board is based on the instructions of the program code. It goes without saying that the case where the CPU or the like provided in the function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

  Further, the present invention may be applied to a system composed of a plurality of devices or an apparatus composed of a single device. Needless to say, the present invention can be applied to a case where the present invention is achieved by supplying a program to a system or apparatus. In this case, by reading a recording medium storing a program for achieving the present invention into the system or apparatus, the system or apparatus can enjoy the effects of the present invention.

  Furthermore, by downloading and reading a program for achieving the present invention from a server, database, etc. on a network by a communication program, the system or apparatus can enjoy the effects of the present invention.

  In addition, all the structures which combined each embodiment mentioned above and its modification are also included in this invention.

DESCRIPTION OF SYMBOLS 100 MFP 101 Card reader 102 Authentication server 103 Entrance / exit management server 104 Entrance / exit card reader 105 Client PC
106 Print server

Claims (12)

An image forming apparatus capable of communicating via a network with a management server that manages user entry / exit, an authentication server for authenticating use of the image forming apparatus,
First identification information receiving means for receiving the first identification information of the user permitted to enter the room by the management server, according to the first identification information for identifying the user received when the user enters the room;
First authentication request transmitting means for transmitting an authentication request including the first identification information received by the first identification information receiving means to the authentication server;
By transmitting an authentication request by the first authentication request means, when the first identification information is authenticated, the authenticated first identification information is stored as authentication information in the image forming apparatus. Storage means;
Second identification information receiving means for receiving second identification information for identifying the user in order for the user to use the image forming apparatus;
Storage determination means for determining whether or not authentication information including first identification information that matches the second identification information received by the second identification information reception means is stored in the storage means;
And an permission unit that permits the use of the image forming apparatus when the storage determination unit determines that the first identification information that matches the second identification information is stored. Forming equipment. The authentication information stored in the storage means includes entry / exit information indicating entry / exit,
The first identification information receiving means receives first identification information of a user permitted to leave the management server,
When the first identification information receiving means receives the first identification information of the user permitted to leave, the entry / exit information of the authentication information including the first identification information is updated to information indicating the leaving. The image forming apparatus according to claim 1, further comprising an entry / exit information update unit. Authority for using the first identification information and the image forming apparatus from the authentication server when the first identification information is authenticated by transmitting an authentication request by the first authentication request means. User information receiving means for receiving user information including information,
The image forming apparatus according to claim 2, wherein the authentication information stored in the storage unit is the user information.   The permission means stores the authority stored in the storage means when the storage identification means stores first identification information that matches the second identification information, and the entry / exit information is information indicating entry. The image forming apparatus according to claim 3, wherein use of the image forming apparatus is permitted using the information.   The permission means is stored in advance in the image forming apparatus when the storage identification means stores first identification information that matches the second identification information, and the entry / exit information is information indicating exit. 5. The image forming apparatus according to claim 3, wherein use of the image forming apparatus is permitted using first authority information applied to a user having information indicating that the user has left the room. A second request for transmitting an authentication request including the second identification information to the authentication server when the storage determination means determines that the first identification information that matches the second identification information is not stored; An authentication request transmission means,
The image forming apparatus stored in advance in the image forming apparatus when the second identification information is authenticated by transmitting an authentication request by the second authentication requesting means. 6. The image formation according to claim 1, wherein use of the image forming apparatus is permitted using second authority information applied to a user who does not enter the zone to which the user belongs. apparatus. The image forming apparatus according to claim 1, wherein the authentication information stored in the storage unit includes an authentication information update unit that updates the print data in response to reception of print data. An authentication system in which a management server for managing user entry / exit, an authentication server for authenticating use of the image forming apparatus, and the image forming apparatus can communicate via a network,
The management server
Entry / exit permission means for permitting entry or exit by authenticating the first identification information for identifying the user input when entering or leaving the room by the user;
An authentication result output means for outputting an authentication result to notify the image forming apparatus of the zone permitted by the entry / exit permission means with the first identification information permitted by the entry / exit permission means;
The image forming apparatus includes:
First identification information receiving means for receiving first identification information permitted to enter the room by the management server;
First authentication request transmitting means for transmitting an authentication request including the first identification information received by the first identification information receiving means to the authentication server;
By transmitting an authentication request by the first authentication request means, when the first identification information is authenticated, the authenticated first identification information is stored as authentication information in the image forming apparatus. Storage means;
Second identification information receiving means for receiving second identification information for identifying the user in order for the user to use the image forming apparatus;
Storage determination means for determining whether or not authentication information including first identification information that matches the second identification information received by the second identification information reception means is stored in the storage means;
Authentication means comprising: permission means for permitting use of the image forming apparatus when the storage determination means determines that the first identification information that matches the second identification information is stored. system. An authentication method in an image forming apparatus capable of communicating via a network with a management server for managing user entry / exit, an authentication server for authenticating use of the image forming apparatus,
A first identification information receiving step for receiving the first identification information of the user permitted to enter the room by the management server, according to the first identification information for identifying the user received when the user enters the room;
A first authentication request transmitting step of transmitting an authentication request including the first identification information received in the first identification information receiving step to the authentication server;
When the first identification information is authenticated by transmitting an authentication request in the first authentication requesting step, the storage means of the image forming apparatus uses the authenticated first identification information as authentication information. A storage control step for performing storage control;
A second identification information receiving step for receiving second identification information for identifying the user in order for the user to use the image forming apparatus;
A storage determination step for determining whether or not authentication information including first identification information that matches the second identification information received in the second identification information reception step is stored in the storage means;
An authentication step including a permission step of permitting the use of the image forming apparatus when it is determined in the storage determination step that the first identification information that matches the second identification information is stored. Method. An authentication method in an authentication system in which a management server for managing user entry / exit, an authentication server for authenticating use of the image forming apparatus, and the image forming apparatus can communicate via a network,
The management server
An entry / exit permission step for permitting entry or exit by authenticating the first identification information for identifying the user input when entering or leaving the room by the user;
An authentication result output step of outputting an authentication result to notify the image forming apparatus in the zone permitted in the entry / exit permission step of the first identification information permitted in the entry / exit permission step. ,
The image forming apparatus includes:
A first identification information receiving step of receiving first identification information permitted to enter the room by the management server;
A first authentication request transmitting step of transmitting an authentication request including the first identification information received in the first identification information receiving step to the authentication server;
When the first identification information is authenticated by transmitting an authentication request in the first authentication requesting step, the storage means of the image forming apparatus uses the authenticated first identification information as authentication information. A storage control step for performing storage control;
A second identification information receiving step for receiving second identification information for identifying the user in order for the user to use the image forming apparatus;
A storage determination step for determining whether or not authentication information including first identification information that matches the second identification information received in the second identification information reception step is stored in the storage means;
When it is determined in the storage determination step that the first identification information that matches the second identification information is stored, a permission step for permitting use of the image forming apparatus is executed. Authentication method. In a program executed by a management server that manages user entry / exit, an authentication server for authenticating use of the image forming apparatus, and an image forming apparatus that can communicate via a network,
First identification information receiving means for receiving first identification information of a user permitted to enter the room by the management server, based on first identification information for identifying the user received when the user enters the image forming apparatus. When,
First authentication request transmitting means for transmitting an authentication request including the first identification information received by the first identification information receiving means to the authentication server;
By transmitting an authentication request by the first authentication request means, when the first identification information is authenticated, the authenticated first identification information is stored as authentication information in the image forming apparatus. Storage means;
Second identification information receiving means for receiving second identification information for identifying the user in order for the user to use the image forming apparatus;
Storage determination means for determining whether or not authentication information including first identification information that matches the second identification information received by the second identification information reception means is stored in the storage means;
When the storage determination unit determines that the first identification information that matches the second identification information is stored, the computer functions as a permission unit that permits the use of the image forming apparatus. A readable program. In a program executed in an authentication system in which a management server that manages user entry / exit, an authentication server for authenticating use of the image forming apparatus, and the image forming apparatus can communicate via a network,
The management server
Entry / exit permission means for permitting entry or exit by authenticating the first identification information for identifying the user input when entering or leaving the room by the user;
The first identification information permitted by the entry / exit permission unit is allowed to function as an authentication result output unit that outputs an authentication result to notify the image forming apparatus of the zone permitted by the entry / exit permission unit,
The image forming apparatus;
First identification information receiving means for receiving first identification information permitted to enter the room by the management server;
First authentication request transmitting means for transmitting an authentication request including the first identification information received by the first identification information receiving means to the authentication server;
By transmitting an authentication request by the first authentication request means, when the first identification information is authenticated, the authenticated first identification information is stored as authentication information in the image forming apparatus. Storage means;
Second identification information receiving means for receiving second identification information for identifying the user in order for the user to use the image forming apparatus;
Storage determination means for determining whether or not authentication information including first identification information that matches the second identification information received by the second identification information reception means is stored in the storage means;
When the storage determination unit determines that the first identification information that matches the second identification information is stored, the computer functions as a permission unit that permits the use of the image forming apparatus. A readable program.

Images