JP2015194984A - Information management system, information processor, information management method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To appropriately prevent information leakage when there is a risk of information leakage.SOLUTION: An information management system includes: storage means which stores first recording medium information that is associated with user identification information to be related to a user who owns a recording medium to recording medium identification information; authentication means which receives the recording medium identification information recorded by the recording medium and executes user authentication of a user who owns the recording medium on the basis of the first recording medium information and the received recording medium identification information; notification means which notifies a user, who is associated with a user who owns the recording medium, of confirmation information for allowing it to confirm whether or not output of output data in accordance with use of an output device by an authenticated user is valid as a notification destination; and control means which acquires result information showing a confirmation result from a notification destination and controls evacuation of the user who has outputted the output data or transmission restriction of the output data using the output device in accordance with the result information.

Description

  The present invention relates to an information management system for confirming whether output of output data based on use of an output device by a user is valid, an information processing apparatus included in the information management system, an information management method, and a program.

  In recent years, in an environment where corporate activities such as offices are carried out, it is required to construct a mechanism for checking the take-out of highly confidential information from the viewpoint of information security. In order to respond to such a request, for example, in Patent Document 1, an importance level is set in advance for each room and information, and when a visitor accesses a room or information with a high importance level, an alarm is issued when the visitor leaves the building. Technology to be developed has been proposed. Further, Patent Document 2 monitors the position information, staying time, etc. of an outsider, determines that the outsider is taking a suspicious action when a predetermined determination condition is satisfied, A technique for notifying a terminal of a warning has been proposed.

  However, the technique described in Patent Document 1 is troublesome because even if there is no risk of information leakage, a warning is issued when a visitor leaves the building just by accessing a highly important room or information. There is. In addition, when there is an actual risk of information leakage, it is difficult to prevent information leakage simply by issuing a warning when leaving the building.

  Further, the technique described in Patent Document 2 has a problem that it is very difficult to set a determination condition that can accurately determine that an outsider is taking a suspicious action, and there are many erroneous determinations. In addition, it is difficult to prevent information leakage simply by notifying a warning to the terminal of the supervisor.

  The present invention has been made in view of the above, and provides an information management system, an information processing apparatus, an information management method, and a program that can appropriately prevent information leakage when there is a risk of information leakage. For the purpose.

  In order to solve the above-described problems and achieve the object, the present invention provides an information management system for confirming whether or not output of output data based on the use of an output device by a user is valid. Storage means for storing first recording medium information in which recording medium identification information for identifying a medium is associated with user identification information for identifying a user associated with a user who owns the recording medium, and recorded on the recording medium Authentication means for receiving recording medium identification information, and performing user authentication of a user possessing the recording medium based on the first storage medium information stored in the storage means and the received recording medium identification information; Confirmation information for confirming whether the output of the output data according to the use of the output device by the authenticated user is valid or not is related to the user who owns the recording medium. A notification means for notifying a user to be attached as a notification destination, and obtaining the result information representing the confirmation result from the notification destination, and depending on the result information, the exit of the user who has output the output data using the output device or the And control means for controlling restrictions on transmission of output data via a network using an output device.

  According to the present invention, there is an effect that information leakage can be appropriately prevented when there is a risk of information leakage.

FIG. 1 is a configuration diagram showing a schematic configuration of an information management system. FIG. 2 is a block diagram illustrating a functional configuration example of the information management system. FIG. 3 is a diagram illustrating an example of user information. FIG. 4 is a diagram illustrating an example of card information. FIG. 5 is a diagram illustrating an example of an operation log. FIG. 6 is a diagram illustrating an example of management information for managing image logs. FIG. 7 is a diagram illustrating an example of a confirmation screen displayed on the terminal device of the visited employee. FIG. 8 is a diagram illustrating an example of entrance information. FIG. 9 is a sequence diagram showing a series of operations when the guest user copies an image using the MFP. FIG. 10 is a flowchart illustrating an example of a processing procedure until the log management server notifies the terminal information of the visited employee of confirmation information. FIG. 11 is a flowchart illustrating an example of a processing procedure in which the entrance / exit management server controls the opening / closing of the gate according to the result information. FIG. 12 is a diagram illustrating an example of a confirmation screen displayed on the terminal device of the visited employee when the MFP receives an image transmission request from the guest user. FIG. 13 is a flowchart illustrating an example of a processing procedure of the MFP when an image transmission request is received from a guest user.

  Exemplary embodiments of an information management system, an information processing apparatus, an information management method, and a program according to the present invention will be described below in detail with reference to the accompanying drawings. In this embodiment, a corporate office is assumed as an environment for constructing an information management system. Assume that an MFP (Multifunction Peripheral / Printer) is installed inside an office building as an example of an image forming apparatus. The MFP assumed in this embodiment has a card authentication function. The MFP is provided with a card reader for performing this card authentication.

  An employee who is a registered user whose user information is registered has an employee IC card (hereinafter referred to as an employee card) issued in advance to each employee. When each employee uses the MFP, the user authentication process is performed by holding the employee card over the card reader of the MFP. When authenticated, the MFP can be used. An IC card for a guest user (hereinafter referred to as a temporary card) is issued to a guest user who has visited the office (a user whose user information is not registered). When the guest user uses the MFP, the user authentication process is performed by holding the temporary card over the card reader of the MFP. When the guest user is authenticated, the MFP can be used. The employee card and the temporary card are also used for user authentication when an employee or guest user enters or leaves an office building.

  The employee card and the temporary card need not be different types of IC cards. For example, an IC card such as Felica (registered trademark) can be used in either case. In other words, whether the IC card is for an employee or a guest user may be set by the user in advance. For example, an employee's IC card is associated with an employee's user ID. It suffices if an ID for identifying a guest is associated and registered.

  The temporary card does not necessarily have to be an embodiment used only by the guest user. For example, a temporary card may be issued as a substitute for an employee who has forgotten to have an employee card. In other words, the employee card is an IC card that has a provider specified before being provided, is provided to the provider (specific user), and can identify the specific user. Temporary cards have the property that the provider is not specified before being provided, is provided to unspecified users (used by multiple users), and does not necessarily identify a specific user. IC card.

  The office assumed in the present embodiment is provided with a reception where a receptionist stays outside the building. At this reception, the guest user first tells the person in charge of reception of his / her name, purpose of visit, employee name of the visited employee, and issues a temporary card. Therefore, the provider of the temporary card can be specified by the receptionist at this stage. At this time, the person in charge of the registration performs a registration operation for associating the card ID (identification information) of the temporary card issued to the guest user with the user information of the visited employee. For example, this registration can be performed by performing an input operation that associates the card ID of the temporary card issued to the guest user with the user ID of the visiting employee included in the user information. When a visiting employee picks up a guest user at the reception, for example, the employee card held by the visiting employee and the temporary card are continuously read by a card reader, so that the card ID of the temporary card is visited. You may make it perform the process linked | related with the user information of an employee automatically. Therefore, the employee card is a card for identifying at least the user (employee) who possesses the employee card, and the temporary card is a card that can identify the user (visiting employee) associated with at least the user who possesses the temporary card. is there.

  At the entrance / exit of the office building assumed in the present embodiment, a card reader and a gate, which is a mechanism unit that restricts user entry and exit, are provided. A guest user who has been issued a temporary card at the reception can enter the building by opening the gate by holding the temporary card over the card reader when entering the office building. Similarly, when the guest user leaves the office building, the guest user can go out of the building by holding the temporary card over the card reader and opening the gate. However, if the guest user illegally copies or prints a confidential document or the like using the MFP in the building, the guest user can use the information management system of this embodiment to insert a temporary card to the card reader when leaving the building. If you hold it over, the gate will not open and guest users will be restricted from leaving.

  FIG. 1 is a configuration diagram showing a schematic configuration of the information management system of the present embodiment. As shown in FIG. 1, the information management system of the present embodiment includes an MFP 10, an authentication server 20, a log management server 30, and an entrance / exit management server 40, which are communication such as a LAN (Local Area Network). This is a configuration connected by a network N.

  As described above, the MFP 10 is an image forming apparatus having a card authentication function. The MFP 10 includes a copy function, a print function, a FAX function, a distribution function, and the like as functions related to image output. In addition, when the MFP 10 outputs an image, an operation log indicating the type of output (in this embodiment, a job log including not only the type of output but also information such as date and time information, a user name described later, and the number of output sheets). And a function for recording an image log of the output image. Although two MFPs 10 are shown in FIG. 1, the number of MFPs 10 is arbitrary, and may be one or three or more.

  The authentication server 20 is a server device that provides a user authentication service. The authentication server 20 according to the present embodiment performs user authentication by collating the card ID read by the card reader, and provides information related to the card ID when authenticated. The authentication server 20 may be configured to connect to an external directory server (such as an Active Directory server), request user authentication, and receive the result as an authentication result. Further, the MFP 10 and the authentication server 20 may be realized by a single casing, and user authentication may be executed in the MFP 10.

  The log management server 30 is a server device that provides a service for acquiring and managing operation logs and image logs recorded by the MFP 10 from the MFP 10. In the present embodiment, particularly for the image log, when the user who has output the image is a guest user, the MFP 10 records the output image, and the log management server 30 acquires the image log (output image data) from the MFP 10. And

  The entrance / exit management server 40 is a server device that provides a service for managing entry and exit of office buildings by employees and guest users. In this embodiment, a gate is provided at the entrance and exit of an office building, and the entrance / exit management server 40 controls the opening and closing of the gate according to the result of user authentication using an employee card or a temporary card, thereby It is assumed that the user enters and leaves the building.

  FIG. 1 shows an example in which the information management system of this embodiment is constructed on a single-segment communication network N. However, some devices are arranged on communication networks of different segments connected to the network. May be. Further, in the example shown in FIG. 1, the authentication server 20, the log management server 30, and the entry / exit management server 40 are configured as independent devices, but a part or all of these are integrated into one device. Alternatively, some or all of these may be realized as functions of the MFP 10. Furthermore, the authentication server 20, the log management server 30, and the entry / exit management server 40 are realized by a server group on the cloud, and the end user is in a form of cloud computing that does not need to be aware of these server groups. You may comprise so that a service may be provided.

  Each of the authentication server 20, the log management server 30, and the entrance / exit management server 40 includes, for example, a processor such as a CPU (Central Processing Unit), a main storage device such as a RAM (Read Only Memory), and a HDD (Hard Disk Drive). A normal computer system having an auxiliary storage device is used as basic hardware, and various functions to be described later can be realized by a predetermined program (software) executed on the computer system.

  In the present embodiment, the image forming apparatus 10 is exemplified as an apparatus used by the user, but an apparatus other than the image forming apparatus 10 may be used. The image forming apparatus 10 requires user authentication using a recording medium such as an IC card in order to use at least a part of the functions, and the use of an output function that outputs at least data as a part of the functions by being authenticated. It is an example of the output device which becomes possible. Some functions include a copy function that reads and prints a document document, a print function that prints document data, a FAX function that faxes a document document to a destination that is set to read, and a document document that is delivered to a destination that is set to read Although a delivery function etc. are mentioned, it does not need to be restricted to this. For example, an output device having an output function of displaying and projecting document image data obtained by reading a document original, an output device having an output function of displaying and projecting received document data, and the like may be used.

  FIG. 2 is a block diagram illustrating a functional configuration example of the information management system of the present embodiment. Hereafter, each function in the information management system of this embodiment is demonstrated in detail along the structural example shown in this FIG. In FIG. 2, portions of the devices constituting the information management system that are not directly related to the present invention are not shown.

  As shown in FIG. 2, the MFP 10 includes a card reader 11, an operation control unit 12, and a log recording unit 13.

  The card reader 11 is a reader that reads a card ID from an employee card possessed by an employee or a temporary card issued to a guest user. When the employee card or the temporary card is held over the card reader 11, the card reader 11 reads the card ID from the employee card or the temporary card by short-range wireless communication or the like and passes it to the operation control unit 12.

  The operation control unit 12 controls the overall operation of the MFP 10. For example, when receiving the card ID from the card reader 11, the operation control unit 12 passes the card ID to the authentication server 20 to make an authentication request, receives the authentication result from the authentication server 20, and performs control according to the success or failure of the authentication. Run. Specifically, if the authentication result by the authentication server 20 is authentication OK (authentication successful), a login permission notice is displayed on a display unit such as an operation panel or display for displaying the operation screen of the MFP 10 (or authentication is performed by login). Display the operation screen of the function that can be used by the user, and inform the user that the login is successful. After this login notification, the user can use the copy function, print function, FAX function, distribution function, and the like of the MFP 10 as functions permitted to be used after being authenticated. If the authentication result by the authentication server 20 is authentication NG (authentication failure), a login disapproval notice is displayed on the display unit of the MFP 10 to notify the user that login has failed.

  The operation control unit 12 controls operations of the MFP 10 such as a copy function, a print function, a FAX function, and a distribution function in response to a user request after login. The operation control unit 12 also logs an operation log and an image log recorded by a log recording unit 13 (to be described later) together with a card ID read by the card reader 11 at the time of login after the user logs out of the MFP 10. Send to 30. The user is logged out, for example, when a logout button displayed on the display unit of the MFP 10 is operated or when a predetermined time has passed without any operation on the MFP 10.

  When the output data such as image data is output by the copy function, the print function, the FAX function, the distribution function, etc., the log recording unit 13 reads the operation log indicating the output type by the card ID read by the card reader 11. Record and hold with. When the user who uses the copy function, print function, FAX function, distribution function, etc. is a guest user, the log recording unit 13 uses the card reader 11 to store the image log of the image output by these functions. It is recorded and held together with the read card ID. In the example of FIG. 2, the log recording unit 13 is illustrated as a function different from the operation control unit 12, but the operation control unit 12 may include a function of the log recording unit 13.

  The operation log in this embodiment does not include output display data that can display the contents of the output data itself, and is executed by the MFP 10 in accordance with user operations such as functions, conditions, and date / time when the output data is output. It is an example of the log information including the information regarding the performed function. On the other hand, the image log in the present embodiment is an example of log information including at least the content of the output data itself.

  As shown in FIG. 2, the authentication server 20 includes a user management unit 21, a user information storage unit 22, and a card information storage unit 23.

  The user management unit 21 performs user authentication in response to a request from the MFP 10 or the entrance / exit management server 40, searches the user information storage unit 22 or the card information storage unit 23 in response to an inquiry about user information, and displays the search result. Processing such as responding.

  The user information storage unit 22 stores user information of employees who are registered users. FIG. 3 is a diagram illustrating an example of user information stored in the user information storage unit 22. The user information is stored in the user information storage unit 22 in the form of a user information table Tb1 as shown in FIG. 3, for example.

  In the user information table Tb1, as shown in FIG. 3, for each employee who is a registered user, a user ID that is employee identification information, a user name, an affiliation, and notification destination information are associated with each other. Stored. Note that the notification destination is information for specifying a connection to a terminal device 50, which will be described later, which is occupied and used by the employee, such as an e-mail address of the terminal device 50.

  The card information storage unit 23 stores card information of employee cards and temporary cards. FIG. 4 is a diagram illustrating an example of card information stored in the card information storage unit 23. The card information is stored in the card information storage unit 23, for example, in the form of a card information table Tb2 as shown in FIG.

  In the card information table Tb2, as shown in FIG. 4, for each issued card (employee card or temporary card), a card ID, a card type indicating whether the card is an employee card or a temporary card, and a user ID Are stored in association with each other. Accordingly, whether the card provided to the user is an employee card or a temporary card is determined by the type of card associated with the card ID of the card. In the case of an employee card, the user ID is the user ID of the employee who uses the employee card. In the case of a temporary card, the user ID is the user ID of the visiting employee of the guest user who issued the temporary card. As described above, the user ID corresponding to the temporary card is stored in the card information table Tb2 by, for example, registration work of a reception receptionist.

  In the present embodiment, user information and card information are handled as individual information, but these may be integrated information. In this case, for example, each employee's user information includes the card ID of the employee card issued to the employee, and for the guest user visiting employee, a temporary card is issued to the guest user. When this is done, the card ID of the temporary card may be managed so as to be associated with the user information. Further, the employee card or the temporary card is distinguished depending on the type of the card, but the distinction method is not limited to this. For example, a user name for a guest user (for example, a user name “guest”) is registered in the user information, and the user ID for the guest user is registered in the user ID associated with the card ID. Also good. In the case of this method, it is possible to distinguish between an employee card and a temporary card depending on whether or not the user name associated with the user ID (user ID associated with the card ID) specified from the card ID is a user name for a guest user. However, in this method, an item for registering the user ID of the visited user is additionally required in the card information.

  As shown in FIG. 2, the log management server 30 includes a log management unit 31, an operation log storage unit 32, an image log storage unit 33, a determination unit 34, a confirmation information generation unit 35, and a notification unit 36. Prepare.

  The log management unit 31 stores the operation log sent from the MFP 10 in association with the card ID in the operation log storage unit 32, stores the image log sent from the MFP 10 in the image log storage unit 33, and stores the image log of the image log. The management information is generated and stored in the image log storage unit 33. In addition, the log management unit 31 performs a process of searching the operation log storage unit 32 and the image log storage unit 33 in response to an inquiry about the operation log and the image log and responding the search result.

  The operation log storage unit 32 stores an operation log acquired from the MFP 10. FIG. 5 is a diagram illustrating an example of an operation log stored in the operation log storage unit 32. The operation log is stored in the operation log storage unit 32, for example, in the format of an operation log table Tb3 as shown in FIG.

  The operation log table Tb3 includes, for each operation log acquired from the MFP 10, a log ID that is log identification information, an operation date and time, an output type, and a user name of an operated user (“guest” in the case of a guest user). ), The card ID used for user authentication, and the number of output sheets are stored in association with each other.

  The image log storage unit 33 stores the image log acquired from the MFP 10 and the management information generated by the log management unit 31. The image log is image data rasterized when the MFP 10 outputs an image. The management information is information for managing the image log, and is stored in the image log storage unit 33, for example, in the form of an image log management table Tb4 as shown in FIG.

  In the image log management table Tb4, as shown in FIG. 6, for each image log acquired from the MFP 10, a log ID which is log identification information, a card ID used for user authentication, and an image in the image log storage unit 33 are displayed. Address information indicating log storage destinations is stored in association with each other. In the present embodiment, as described above, since the image log is acquired only when the guest user uses the MFP 10, the card ID included in the image log management table Tb4 is a temporary issued to the guest user. It becomes the card ID of the card.

  The determination unit 34 analyzes the image log stored in the image log storage unit 33 and determines whether the image output by the MFP 10 according to the operation of the guest user is an image that needs to be confirmed by the visiting employee. To do. When the guest user outputs an image using the MFP 10, as described above, the image log of the output image is sent to the log management server 30 after the guest user logs out and stored in the image log storage unit 33. The determination unit 34 extracts and analyzes the image log stored in the image log storage unit 33 at an arbitrary timing after the guest user logs out, and the image output from the MFP 10 is an image that needs to be confirmed by the visiting employee. It is determined whether or not.

  Specifically, the determination unit 34 performs, for example, OCR (Optical Character recognition) on the image data stored as the image log, and a predetermined character string is included in the image log. In addition, it is determined that the image output by the MFP 10 is an image that needs to be confirmed by the visiting employee. The predetermined character string may be, for example, a character string indicating confidentiality such as “confidential”, “confidential”, “confidential”, “important”, “careful handling”, company name, department name of a specific department, or specific prohibited word. It is a predetermined character string. Further, the determination unit 34 predetermines a specific figure as a reference pattern, such as a company logo mark, “maru secret”, “maru prohibition” symbol, etc., and a reference pattern for image data stored as an image log. If these figures are included in the image log, the image output from the MFP 10 may be determined to be an image that needs to be confirmed by the visiting employee.

  The confirmation information generation unit 35 generates confirmation information including an image log when the determination unit 34 determines that image confirmation is necessary. The confirmation information is information for the visiting employee to confirm whether or not the use of the MFP 10 by the guest user is valid. In the present embodiment, it is assumed that the notification unit 36 described later notifies the confirmation information to the terminal device 50 used by the visiting employee in the form of an e-mail. Therefore, the image information generation unit 35 generates confirmation information in a format that can be displayed as an e-mail screen (see FIG. 7 for a screen example).

  Specifically, the confirmation information generation unit 35 converts the image log determined by the determination unit 34 to be confirmed by the employee into a file format that can be used as an attached file of an e-mail. That is, the confirmation information includes output display data that allows the user to confirm the contents of the output data, and data obtained by converting the image log into a file is an example of the output display data. Note that an image log (image data) may be pasted and displayed on an e-mail. Then, for example, the confirmation information generation unit 35 pastes an image log file into the body of an e-mail in which a standard message requesting image confirmation is described, and an operation button for receiving a screen operation by a visiting employee Is generated and embedded, and confirmation information in a format that can be displayed as an e-mail screen is generated.

  In the present embodiment, the determination unit 34 analyzes the image log to determine whether image confirmation is necessary. When it is determined that image confirmation is necessary, the confirmation information generation unit 35 generates confirmation information. However, it is not limited to this. For example, a type of output that requires image confirmation is determined in advance, and confirmation information is generated when an operation log acquired together with the image log from the MFP 10 indicates a predetermined type of output. May be. Specifically, when the type of output that requires image confirmation is copy, if the type of output included in the operation log is copy, the confirmation information generation unit 35 acquires the image acquired together with the operation log. The log is filed and confirmation information is generated by the same method as in the above example.

  The confirmation information generated by the confirmation information generation unit 35 as described above is transferred to the notification unit 36 together with the card ID of the temporary card used by the guest user. The format of the confirmation information is not limited to the e-mail format, and may be another format such as a web format that can be displayed as a web screen.

  The notification unit 36 uses the confirmation information generated by the confirmation information generation unit 35 together with the card ID of the temporary card used by the guest user and the notification destination included in the user information of the visited employee, that is, the terminal used by the visited employee Notification is sent to the device 50. The terminal device 50 that is the notification destination of the confirmation information can communicate with the log management server 30 and the entry / exit management server 40, and may be any device that is equipped with software for browsing the confirmation information (for example, e-mail). From the viewpoint that confirmation information can always be browsed, it is desirable that the mobile terminal be carried by a visiting employee.

  When the notification unit 36 receives the confirmation information and the card ID of the temporary card from the confirmation information generation unit 35, the notification unit 36 first passes the card ID of the temporary card to the authentication server 20 and makes a request for acquiring the notification destination. When receiving the notification destination acquisition request from the notification unit 36, the user management unit 21 of the authentication server 20 searches the card information storage unit 23 and the user information storage unit 22 using the card ID of the temporary card as a key, and stores the card of the temporary card. Information on the notification destination (for example, the e-mail address of the terminal device 50 used by the visiting employee) is acquired from the user information of the visiting employee associated with the ID, and this is sent to the notification unit 36 as a response to the acquisition request.

  When the notification unit 36 receives the notification destination information from the authentication server 30, for example, confirmation information generated in the form of an e-mail is sent to the e-mail address of the terminal device 50 that is the notification destination together with the card ID of the temporary card. Send. Accordingly, the confirmation information in the e-mail format is received at the terminal device 50 of the visited employee, and a screen based on the confirmation information (hereinafter referred to as a confirmation screen) is displayed on the display unit of the terminal device 50.

  FIG. 7 is a diagram illustrating an example of a confirmation screen displayed on the terminal device 50 of the visited employee. FIG. 7A shows a confirmation screen 100 that is initially displayed on the terminal device 50 of the visited employee. FIG. 7B shows that the “NG” button 105 in the confirmation screen 100 of FIG. A confirmation screen 200 displayed when operated is shown.

  The confirmation screen 100 illustrated in FIG. 7A includes a display area 101 for displaying the user name of the visited employee, a display area 102 for displaying a message for the visited employee, and an operation for opening the attached file. A button 103, a “confirmation OK” button 104, and an “NG” button 105 are provided. When the visiting employee operates the operation button 103 on the confirmation screen 100, the image log file corresponding to the operation button 103 is opened, and the image of the image log is displayed on the confirmation screen 100 as a pop-up display or as a separate screen. Is done. As a result, the visited employee can check the image output by the guest user using the MFP 10.

  Further, when the visiting employee who has confirmed the image operates the “confirmation OK” button 104 on the confirmation screen 100, the result information indicating that the guest user is authorized to use the MFP 10 is displayed on the temporary card used by the guest user. Along with the card ID, it is sent to the entrance / exit management server 40. On the other hand, when the visiting employee who has confirmed the image operates the “NG” button 105 on the confirmation screen 100, the result information indicating that the guest user is improperly using the MFP 10 is the card of the temporary card used by the guest user. The ID is sent to the entrance / exit management server 40 together with the ID. At this time, a confirmation screen 200 as shown in FIG. 7B is displayed on the terminal device 50 of the visited employee.

  The confirmation screen 200 illustrated in FIG. 7B includes a display area 201 in which the user name of the visited employee is displayed, a display area 202 in which a message for the visited employee is displayed, and a “release” button 203. Is provided. When the visiting employee operates the “cancel” button 203 on the confirmation screen 200, the information indicating that the restriction on the exit for the guest user is cancelled is displayed along with the card ID of the temporary card used by the guest user. 40.

  When the “NG” button 105 is operated on the confirmation screen 100 of FIG. 7A, the guest user's exit is restricted by the entrance / exit management server 40, as will be described later. However, for example, when a visiting employee collects printed matter (output image) from a guest user, it is not necessary to limit the guest user's exit. Therefore, in this embodiment, when the “NG” button 105 is operated on the confirmation screen 100 of FIG. 7A, the confirmation screen 200 of FIG. 7B is displayed on the terminal device 50 of the visited employee, When the “cancel” button 203 is operated on the confirmation screen 200, the restriction on leaving the guest user can be canceled. However, the display of the confirmation screen 200 illustrated in FIG. 7B is not essential, and only the confirmation screen 100 illustrated in FIG. 7A is displayed on the terminal device 50 of the visited employee. It may be configured. In that case, the exit restriction may be canceled by, for example, a receptionist.

  As shown in FIG. 2, the entrance / exit management server 40 includes an entrance management unit 41, an entrance information storage unit 42, and a gate control unit 43.

  The entrance / exit management server 40 is connected to a card reader 44 and a gate 45 installed at the entrance of the building. Similar to the card reader 11 of the MFP 10, the card reader 44 is a reader that reads a card ID from an employee card possessed by an employee or a temporary card issued to a guest user. The card ID read by the card reader 44 is transferred to the gate control unit 43. The gate 45 is a mechanism unit that restricts user entry and exit, and opens and closes according to control by the gate control unit 43.

  The admission management unit 41 stores the admission time of the employee or guest user in the admission information storage unit 42 in association with the card ID, or enters the admission based on the above result information received from the terminal device 50 of the visited employee. Processing such as setting or resetting the exit restriction flag for the guest user. The exit restriction flag is flag information indicating whether or not to restrict the user's exit. When this exit restriction flag is set to “1”, the guest user is restricted from exiting (cannot exit). )

  When the result information received from the terminal device 50 of the visited employee indicates that the guest user is improperly using the MFP 10, the entrance management unit 41 exits corresponding to the card ID received together with the result information. The restriction flag is set to “1”. On the other hand, if the result information sent from the terminal device 50 of the visited employee indicates that the guest user is authorized to use the MFP 10, an exit restriction flag corresponding to the card ID received together with the result information Is left as “0”. In addition, when the entrance management unit 41 receives information from the visiting employee's terminal device 50 that cancels the restriction on leaving the guest user, the entrance management unit 41 sets an exit restriction flag corresponding to the received card ID together with this information. Reset from “1” to “0”.

  In this embodiment, when the “confirmation OK” button 104 is operated on the confirmation screen 100 as illustrated in FIG. 7A, the terminal device 50 of the visited employee contacts the entrance / exit management server 40. Thus, result information indicating that the use of the MFP 10 by the guest user is valid is transmitted. However, when the “confirmation OK” button 104 is operated on the confirmation screen 100 illustrated in FIG. 7A, the result information is transmitted from the terminal device 50 of the visited employee to the entrance / exit management server 40. The corresponding exit restriction flag may be maintained at “0”.

  The entrance information storage unit 42 stores entrance information for managing entrance of employees and guest users. FIG. 8 is a diagram illustrating an example of entrance information stored in the entrance information storage unit 42. The entrance information is stored in the entrance information storage unit 42, for example, in the format of an entrance information table Tb5 as shown in FIG.

  In the admission information table Tb5, as shown in FIG. 8, for each employee or guest user who is entering, the card ID of the employee card or temporary card, the admission date and time, and the exit restriction flag are stored in association with each other. Yes. As the exit restriction flag for the user who is entering the building, “0” is set for a user who does not restrict exit, and “1” is set for a user who restricts exit. The entry information for each user stored in the entry information storage unit 42 is deleted when the user leaves the building.

  The gate control unit 43 controls the operation of the gate 45 based on the result of user authentication and the exit restriction flag when the user leaves.

  Specifically, when receiving the card ID from the card reader 44, the gate control unit 43 passes the card ID to the authentication server 20 to make an authentication request, and receives the authentication result from the authentication server 20. If the authentication result by the authentication server 20 is “authentication OK”, the gate control unit 43 sends an open control signal to the gate 45. When the gate 45 receives the opening control signal from the gate controller 43, the gate 45 is opened for a predetermined time. As a result, employees and guest users can enter or leave the building. If the authentication result by the authentication server 20 is “NG”, the gate control unit 43 does not send an open control signal to the gate 45, and the gate 45 remains closed.

  Further, the gate control unit 43 is stored in association with the card ID received from the card reader 44 when the user leaves the building (that is, in a state where the user's entrance information is stored in the entrance information storage unit 42). Check the exit restriction flag. If the exit restriction flag is “1”, the gate control unit 43 does not send an open control signal to the gate 45 even if the authentication result by the authentication server 20 is authentication OK. For this reason, the gate 45 remains closed, and the user's exit is restricted.

  Note that the relationship between the above-described functions in the information management system described above and each device constituting the information management system is an example, and a part of the functions of a certain device is configured to be realized by another device. Also good. For example, the functions of the determination unit 34, the confirmation information generation unit 35, and the notification unit 36 of the log management server 30 may be realized by any of the MFP 10, the authentication server 20, and the entrance / exit management server 40.

  Next, with regard to the operation of the information management system of the present embodiment, a part mainly related to the guest user exit restriction will be described.

  FIG. 9 is a sequence diagram showing a series of operations when the guest user copies an image using the MFP 10.

  First, when the guest user holds a temporary card over the card reader 11 of the MFP 10 (step S101), the card reader 11 reads the card ID from the temporary card (step S102), and passes the read card ID to the operation control unit 12 (step S102). S103).

  When the operation control unit 12 of the MFP 10 receives the card ID from the card reader 11, it passes the card ID to the user management unit 21 of the authentication server 20 and makes an authentication request (step S104). The user management unit 21 that has received the authentication request performs user authentication based on the card ID (step S105), and returns an authentication result to the operation control unit 12 of the MFP 10 (step S106). Here, it is assumed that the authentication result of the user authentication is “authentication OK”. The user authentication using the card ID refers to, for example, the card information (see FIG. 4) stored in the card information storage unit 23, and “authentication OK” if any user ID is associated with the card ID. If no user ID is associated with the card ID, it can be realized by a method of “NG”. Therefore, in the case of a temporary card, the user ID associated with the card ID may not be the user ID of the user who owns the card, but the registered card is registered by the card ID being registered in the card information storage unit 22. If the user ID is registered in association with the card ID, it is determined that the condition for authenticating the user who owns the card is satisfied.

  Upon receiving the “authentication OK” authentication result from the authentication server 20, the operation control unit 12 of the MFP 10 displays a login notification on, for example, a display unit (not shown) of the MFP 10 to notify the guest user that the login has been successful (step S107). Thereafter, when the guest user requests output of an image using the copy function of the MFP 10 (step S108), under the control of the operation control unit 12, a copy operation corresponding to the request of the guest user is performed (step S109). ). When the copy operation is completed, the operation control unit 12 displays a copy completion notification on, for example, a display unit (not shown) of the MFP 10 to notify the guest user that the copy is complete (step S110).

  Thereafter, when the guest user is logged out (step S111), the operation control unit 12 logs the operation log and image log recorded by the log recording unit 13 during the copying operation together with the card ID of the temporary card in the log management server 30. The data is sent to the management unit 31 (step S112). The log management unit 31 stores the operation log, the image log, and the management information sent from the operation control unit 12 of the MFP 10 in the operation log storage unit 32 and the image log storage unit 33 (Step S113), and the operation control unit 12 of the MFP 10 Is notified of the transfer completion (step S114). Upon receiving the transfer completion notification from the log management unit 31 of the log management server 30, the operation control unit 12 displays a logout notification on, for example, a display unit (not shown) of the MFP 10, and notifies the guest user that the logout has been performed (step S1). S115), a series of processing ends.

  Next, the operation of the log management server 30 will be described with reference to FIG. FIG. 10 is a flowchart illustrating an example of a processing procedure until the log management server 30 notifies confirmation information to the terminal device 50 of the visited employee.

  When the processing shown in the flowchart of FIG. 10 is started, first, the determination unit 34 extracts one image log associated with the card ID of the temporary card used by the guest user from the image log storage unit 33 (step S201). ). Then, the determination unit 34 analyzes the image log extracted in step S201, and determines whether or not a predetermined character string or figure is included in the image log (step S202).

  As a result of the determination in step S202, if a predetermined character string or figure is included in the image log (step S202: Yes), it is determined that confirmation of the image by the visiting employee is necessary, and the image log is confirmed by the confirmation information. It is passed to the generation unit 35. The confirmation information generation unit 35 converts the image log received from the determination unit 34 into a file format that can be used as an attached file of e-mail, for example (step S203). On the other hand, if the image log does not include a predetermined character string or figure (step S202: No), it is determined that the image confirmation by the visiting employee is unnecessary, and the process of step S203 is skipped.

  Next, it is determined whether or not all the image logs associated with the card ID of the temporary card used by the guest user have been checked (step S204), and there is an unchecked image log (step S204: No). ), The process returns to step S201, and the processes of steps S201 to S203 are repeated. On the other hand, when all the image logs have been checked (step S204: Yes), the confirmation information generation unit 35 determines whether there is a filed image log (step S205).

  As a result of the determination in step S205, if there is no filed image log (step S205: No), the processing is ended as it is. On the other hand, if there is a filed image log (step S205: Yes), for example, the confirmation information generation unit 35 generates e-mail format confirmation information with the filed image log as an attached file (step S206). This confirmation information is passed to the notification unit 36.

  When the notification unit 36 receives the confirmation information from the confirmation information generation unit 35, the notification unit 36 requests the authentication server 20 to acquire user information of the user ID associated with the authenticated card ID, and the user information acquired from the authentication server 20. Based on the information, the information on the notification destination of the user (visited employee) (for example, the e-mail address of the terminal device 50 used by the visited employee) is acquired (step S207). And the notification part 36 notifies the confirmation information received from the confirmation information generation part 35 to the terminal device 50 of the notification destination acquired from the authentication server 20 (step S208), and complete | finishes a process.

  Next, the operation of the entrance / exit management server 40 will be described with reference to FIG. FIG. 11 is a flowchart illustrating an example of a processing procedure in which the entrance / exit management server 40 controls the opening / closing of the gate 44 according to the result information.

  First, when the result information indicating the confirmation result of the image by the visiting employee is transmitted from the visiting employee's terminal device 50 to the entrance / exit management server 40, the admission management unit 41 receives the result information (step S40). S301). Then, the entrance management unit 41 determines whether or not the result information received from the terminal device 50 indicates that the guest user is improperly using the MFP 10 (NG) (step S302).

  As a result of the determination in step S302, if the result information received from the terminal device 50 indicates that the guest user is improperly using the MFP 10 (NG) (step S302: Yes), the terminal device 50 together with the result information. The exit restriction flag corresponding to the card ID received from is set to “1” (step S303). On the other hand, if the result information received from the terminal device 50 indicates that the use of the MFP 10 by the guest user is valid (step S302: No), the process of step S303 is skipped.

  Then, it waits until the card ID is read by the card reader 44 provided at the entrance of the building (step S304: No), and when the card ID is read by the card reader 44 (step S304: Yes), the gate The control unit 43 receives the card ID from the card reader 44, makes an authentication request to the authentication server 20, and receives an authentication result. If the authentication result is “authentication OK” (step S305: Yes), the gate control unit 43 sets the exit restriction flag stored in association with the card ID received from the card reader 44 to “1”. It is determined whether or not (step S306).

  If the exit restriction flag stored in association with the card ID received from the card reader 44 is “0” as a result of the determination in step S306 (step S306: No), the gate control unit 43 Then, an open control signal is sent to open the gate 45 for a predetermined time (step S307), and the process is terminated. On the other hand, if the withdrawal restriction flag stored in association with the card ID received from the card reader 44 is “1” (step S306: Yes), the process ends without performing the process of step S307. For this reason, the gate 45 remains closed, and the guest user's exit is restricted. Similarly, when the authentication result of user authentication is “NG” (step S305: No), the process ends without performing the process of step S307, and the guest user's exit is restricted.

  In the information management system of this embodiment, when the guest user illegally outputs a copy of a confidential document or the like using an output device such as the MFP 10 by the operation described above, the guest user is restricted from leaving the building. Information leakage can be prevented appropriately.

  When the guest user transmits an image to the outside using the MFP 10, information leakage cannot be reliably prevented only by restricting the guest user's exit afterwards. Therefore, when the guest user makes a request to the MFP 10 to transmit an image to the outside, the information management system according to the present embodiment provides confirmation information including image transmission destination information to the terminal device 50 of the visited employee. It is desirable to have a mechanism for sending an image to the outside in response to a request from the guest user when the MFP 10 acquires the result information indicating transmission permission from the terminal device 50 of the visited employee. Hereinafter, such a mechanism will be described.

  First, when the operation control unit 12 of the MFP 10 receives a request for transmitting an image from the guest user using, for example, a FAX function or a distribution function, the operation control unit 12 performs processing at the stage when the image log of the requested image is recorded. It stops and sends the image log and destination information to the log management server 30 together with the card ID of the temporary card used by the guest user.

  When the log management unit 31 of the log management server 30 acquires the image log and the transmission destination information together with the card ID from the MFP 10, the log management unit 31 passes them to the confirmation information generation unit 35 to request generation of confirmation information. The confirmation information generation unit 35 converts the image log received from the log management unit 31 into a file and, as described above, for example, has a format that can be displayed as an e-mail screen in which the image log file is pasted as an attached file. Generate confirmation information. This confirmation information includes information on the transmission destination of the image designated by the guest user. The confirmation information generated by the confirmation information generation unit 35 is transferred to the notification unit 36 together with the card ID of the temporary card used by the guest user.

  Therefore, the MFP 10 performs operation control by the operation control unit 12 according to what function is requested to be executed. Specifically, copy or print processing is executed if the copy function or print function is used by the guest user, and transmission processing of the scanned image is stopped (standby) if the FAX function or distribution function is used. This is based on the type of output whether the output medium stays in the office building or can leak out of the building. That is, since output data is output to a paper medium by the MFP 10 for copying and printing, the output medium at the time when the output is completed remains in the building where the MFP 10 is installed. On the other hand, the output of an electronic medium via a communication network such as a network or a telephone line may be output outside the building depending on the transmission destination. Therefore, for processing that may be output outside the building, it is possible to determine whether or not the data may be output outside the building by executing processing that allows the visiting employee to check before performing the output processing. Can do.

  Accordingly, the log management server 30 determines the confirmation information to be generated according to what function execution is selected in the MFP 10. In other words, if the copy or print function in the MFP 10 is selected, it is clear that the output destination is the MFP 10, and therefore it is not necessary to include the output destination (transmission destination) in the confirmation information. If it is selected, the information indicating the output destination is important in the user's judgment, so the output destination (transmission destination) is included in the confirmation information. In such control, the items to be included in the confirmation information may be set in advance according to the function to be used (or the type of output).

  Upon receiving the confirmation information from the confirmation information generation unit 35, the notification unit 36 notifies the confirmation information to the terminal device 50 of the visited employee according to the above-described procedure. Thereby, for example, a confirmation screen 300 as shown in FIG. 12 is displayed on the terminal device 50 of the visited employee.

  The confirmation screen 300 illustrated in FIG. 12 includes a display area 301 in which the user name of the visited employee is displayed, a display area 302 in which a message for the visited employee is displayed, and an operation button 303 for opening the attached file. A display area 304 for displaying the transmission destination of the image designated by the guest user, a “confirmation OK” button 305, and an “NG” button 306 are provided. When the visiting employee operates the operation button 303 on the confirmation screen 300, the image log file corresponding to the operation button 303 is opened, and the image of the image log is displayed on the confirmation screen 300 as a pop-up display or as a separate screen. Is done. As a result, the visited employee can check the image that the guest user is going to send to the outside using the MFP 10. Further, the visiting employee can confirm where the guest user is going to transmit an image by referring to the display area 304.

  When the visiting employee who has confirmed the image and the transmission destination operates the “confirmation OK” button 305 on the confirmation screen 300, result information indicating permission to transmit the image is transmitted to the MFP 10. On the other hand, when the visiting employee who has confirmed the image and the transmission destination operates the “NG” button 306 on the confirmation screen 300, result information indicating that image transmission is prohibited is sent to the MFP 10.

  The operation control unit 12 of the MFP 10 receives the result information sent from the terminal device 50 of the visited employee, and switches whether to stop the stopped process or to end the process as it is according to the content of the result information. . That is, if the result information received from the terminal device 50 of the visited employee indicates permission to transmit an image, the operation control unit 12 restarts the stopped process and displays the image in response to a guest user request. Send to the specified destination. On the other hand, if the result information received from the terminal device 50 of the visited employee indicates that image transmission is prohibited, the operation control unit 12 ends the process without restarting the stopped process. In this case, it is desirable to display a message indicating that the image cannot be transmitted on the display unit of the MFP 10 or the like.

  FIG. 13 is a flowchart illustrating an example of a processing procedure of the MFP 10 when an image transmission request is received from a guest user.

  When the operation control unit 12 of the MFP 10 receives a request for image transmission from the guest user (step S401), the image log of the image to be transmitted and the information on the transmission destination designated by the guest user are stored in the temporary card used by the guest user. It transmits to log management server 30 with card ID (step S402).

  Thereafter, when the result information is sent from the terminal device 50 of the visited employee, the operation control unit 12 receives this result information (step S403), and whether the received result information indicates transmission permission. It is determined whether or not (step S404). If the received result information indicates transmission permission (step S404: Yes), the operation control unit 12 transmits the image to the designated transmission destination in response to a request from the guest user (step S405). ), The process is terminated. On the other hand, if the received result information indicates that transmission is prohibited (step S404: No), the operation control unit 12 ends the process without transmitting an image.

  In this way, when a guest user intends to transmit an image to the outside using the MFP 10, the image and the transmission destination are confirmed by the visiting employee, and only when the visiting employee permits the image of the image by the MFP 10. By enabling transmission, it is possible to prevent information leakage due to image transmission to the outside.

  Note that although the MFP 10 performs control of stopping and restarting image transmission, it may be performed by a device other than the MFP 10. In other words, the MFP 10 transmits the scanned image and information about the transmission destination of the image to an information processing apparatus such as a distribution server connected via the network, and controls the stop and restart of the image transmission process in the information processing apparatus. Also good. In this case, control is performed based on the result information received by the information processing apparatus.

  In the above description, when the visiting employee operates the “NG” button 306 on the confirmation screen 300 illustrated in FIG. 12, the result information indicating that transmission is prohibited is sent to the MFP 10 and the image is transmitted. I am trying not to break it. However, in addition to this, result information indicating that the guest user is improperly using the MFP 10 is also sent to the entrance / exit management server 40 to restrict the guest user from leaving the building. Good.

  The functions of the authentication server 20, the log management server 30, and the entry / exit management server 40 constituting the information management system of the present embodiment are performed on the computer system as described above except for various storage units realized by memory resources. It can be realized by a program to be executed. These programs are recorded in a computer-readable recording medium such as a CD-ROM, a flexible disk (FD), a CD-R, and a DVD (Digital Versatile Disc), for example, in an installable or executable file. To be provided.

  Further, these programs may be provided by being stored on another computer connected to a network such as the Internet and downloaded via the network. These programs may be configured to be provided or distributed via a network such as the Internet. Further, these programs may be provided by being incorporated in advance in a ROM or the like.

  For example, the program for realizing the log management unit 31, the determination unit 34, the confirmation information generation unit 35, and the notification unit 36 of the log management server 30 has a module configuration including these units, and the actual hardware The processor (CPU) reads out and executes a program from the recording medium described above, for example, so that the above-described units are loaded onto the main memory (RAM), and the above-described units are generated on the main memory.

  As described above in detail with specific examples, in the information management system according to the present embodiment, when the guest user outputs an image using the MFP 10, the information is displayed on the terminal device 50 of the visiting employee. Confirmation information for confirming whether or not the use of the MFP 10 by the guest user is valid is notified. If the result information indicating the confirmation result by the visiting employee indicates that the use of the MFP 10 by the guest user is illegal, the gate 45 provided at the entrance of the building is not opened, and the guest user exits. The hall is restricted. Therefore, according to the information management system of the present embodiment, information leakage can be appropriately prevented when there is a risk of information leakage. Further, since the guest user can use the MFP 10 if it is not illegal use, the convenience of the guest user can be improved.

  In the information management system of this embodiment, when a guest user outputs an image using the MFP 10, the image log is analyzed to determine whether or not a predetermined character string or figure is included. Then, when a predetermined character string or figure is included, confirmation information is notified to the terminal device 50 of the visited employee. Accordingly, it is possible to suppress the inconvenience of requesting the visiting employee to confirm the image more than necessary, and to reduce the troublesome confirmation work.

  Further, in the information management system of the present embodiment, confirmation information is generated and notified after the guest user logs out of the MFP 10, so that the generation and notification of confirmation information hinders image output. In addition, it is possible to appropriately prevent information leakage when there is a risk of information leakage while effectively suppressing inconvenience of waiting for a guest user for a long time.

  Further, in the information management system of this embodiment, when a guest user intends to transmit an image to the outside using the MFP 10, the visiting employee confirms the image and the transmitting destination with the visiting employee and permits the visiting employee. By allowing the MFP 10 to transmit an image only in this case, information leakage due to the image being transmitted to the outside can be prevented.

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied with various modifications and changes in the implementation stage without departing from the scope of the invention.

  For example, in the above-described embodiment, the log management server 30 analyzes the image log and determines whether or not to confirm the image output by the guest user at any timing after the guest user outputs the image using the MFP 10. If confirmation is necessary, confirmation information is transmitted to the terminal device 50 of the visited employee. Then, the entrance / exit management server 40 sets an exit restriction flag corresponding to the card ID of the temporary card used by the guest user based on the result information received from the terminal device 50 of the visited employee, and the guest user exits. At the time of building, it is determined whether or not to restrict the guest user's exit by referring to this exit restriction flag. However, the method of restricting the guest user's exit is not limited to this example. For example, when the guest user exits, the presence or absence of an image log associated with the card ID of the temporary card used by the guest user is confirmed. If there is an image log, it is determined whether or not confirmation is necessary, the confirmation information is transmitted to the terminal device 50 of the visited employee, and the result information is received from the terminal device 50 of the visited employee. Based on the received result information, the guest user It is good also as a structure which judges whether to restrict | leave a person's leaving.

  In this example, the entrance / exit management server 40 passes the card ID read by the card reader 44 to the log management server 30 when the guest user leaves, for example, and requests confirmation of the image log. At this time, the gate 45 is kept closed. In response to this request, the log management server 30 checks the presence / absence of an image log associated with the card ID received from the entry / exit management server 40, and if there is a corresponding image log, it is the same as in the above-described embodiment. Whether the image needs to be confirmed is determined, and if confirmation is necessary, confirmation information is transmitted to the terminal device 50 of the visited employee. Further, when there is no image log associated with the card ID received from the entry / exit management server 40 or when it is determined that there is an image log but confirmation is not necessary, the log management server 30 To send exit permission information.

  Upon receiving the exit permission information from the log management server 30, the entrance / exit management server 40 opens the gate 45 and leaves the guest user. On the other hand, if the exit permission information is not received, the entrance / exit management server 40 waits for result information to be transmitted from the terminal device 50 of the visited employee while keeping the gate 45 closed. Then, when the result information is transmitted from the terminal device 50 of the visited employee, the result information is received. If the result information indicates confirmation OK, the gate 45 is opened to leave the guest user.

  In the case of this example, the log management server 30 deletes the image log and its management information confirmed in response to the request from the entry / exit management server 40 from the image log storage unit 33 or confirms the management information of the image log. It is desirable to additionally register information indicating that it has been completed. Thereby, even when a temporary card is reused by an unspecified number of guest users, it is possible to appropriately check the image log.

  Moreover, although the gate 45 provided in the entrance / exit of the building was illustrated as a mechanism part which restrict | limits a guest user's exit in embodiment mentioned above, it is not restricted to this. For example, it is good also as a structure which restrict | limits a guest user's exit by controlling the operation | movement of the electronic lock of the door provided in the entrance / exit of the room. Moreover, it is good also as a structure which restrict | limits a guest user's exit by controlling operation | movement of both the gate 45 provided in the entrance / exit of the building, and the electronic lock of the door provided in the entrance / exit of the room.

  In the above-described embodiment, the MFP 10 is illustrated as an example of the image forming apparatus, but the present invention is not limited to this. The image forming apparatus only needs to have at least one function of outputting an image, such as a copier, a printer, or a FAX transceiver. Further, the employee card or guest card used for user authentication does not necessarily have a card shape, and may be any card that can hold identification information corresponding to a card ID such as an IC tag, for example.

  In the above-described embodiment, an office of a company is assumed as an environment for constructing an information management system. The information management system according to the present invention can be effectively applied in various environments in which prevention of information leakage is required.

  In the information management system in the above-described embodiment, when a user such as a guest user executes output of output data using an output device such as an image forming apparatus, is the output of the output data by the user valid? It is an example of the information management system which confirms whether or not.

  Further, the card information storage unit 23 is first recording medium information in which user identification information for identifying a user associated with a user having the recording medium is associated with recording medium identification information for identifying a recording medium such as an IC card. And storage medium identification information for identifying a recording medium such as an IC card and second recording medium information in which user identification information for identifying a user possessing the recording medium is associated with each other. It is.

  The user management unit 11 receives the recording medium identification information recorded on the recording medium, and based on the recording medium information stored in the storage unit and the received recording medium identification information, the user management unit 11 It is an example of the authentication means which performs user authentication.

  The confirmation information generation unit 35 is an example of a confirmation information generation unit that generates confirmation information for confirming whether or not output of output data according to use of the output device by an authenticated user is valid. is there. The confirmation as to whether the output is valid or not is a confirmation as to whether the output data is data that may be taken out of the gate 45 as a result, and the confirmation operation has the recording medium. This is done by the user associated with the user who performs the operation. Therefore, if it is determined that the associated user can be taken out, the user can obtain the result of the output process by the output device. As a method for obtaining the result, there are a method of obtaining a paper medium and a method of transmitting to a transmission destination designated by the user. The confirmation information can include contents according to the type of output. For example, when the user requests a process for transmitting output data via the network, confirmation information including the transmission destination is generated. Execute the process. In addition, the confirmation information includes information that can instruct the user to restrict the exit or can instruct the output data to be restricted. Therefore, the confirmation information generating means includes information for executing the restriction according to the user's instruction.

  The notification unit 36 is an example of a notification unit that notifies confirmation information with a user associated with the user who owns the recording medium as a notification destination.

  The operation control unit 12 is an example of a control unit that controls transmission of output data based on result information representing a confirmation result acquired from a notification destination that has notified the confirmation information by the notification unit. The control means limits the transmission of the output data by not performing the transmission of the output data unless the transmission of the output data is permitted from the confirmation result.

  The gate control unit 41 is an example of a control unit that controls the exit of the user according to the result information.

10 MFP
DESCRIPTION OF SYMBOLS 11 Card reader 12 Operation control part 13 Log recording part 20 Authentication server 21 User management part 22 User information storage part 23 Card information storage part 30 Log management server 31 Log management part 32 Operation log storage part 33 Image log storage part 34 Determination part 35 Confirmation information generation unit 36 Notification unit 40 Entrance / exit management server 41 Entrance management unit 42 Entrance information storage unit 43 Gate control unit 44 Card reader 45 Gate 50 Terminal device

Japanese Patent No. 4347138 JP 2007-141184 A

Claims (19)

An information management system for confirming whether or not output of output data based on use of an output device by a user is valid,
Storage means for storing first recording medium information in which recording medium identification information for identifying a recording medium is associated with user identification information for identifying a user associated with a user who owns the recording medium;
User authentication of a user who receives the recording medium identification information recorded on the recording medium and based on the first storage medium information stored in the storage means and the received recording medium identification information An authentication means for executing
Confirmation information for confirming whether output of output data according to the use of the output device by an authenticated user is valid or not, with a user associated with the user having the recording medium as a notification destination A notification means for notification;
Obtaining the result information indicating the confirmation result from the notification destination, and according to the result information, the exit of the user who output the output data using the output device or the output data via the network using the output device An information management system comprising: control means for controlling transmission restrictions. The output data output by the output device further comprises determination means for determining whether confirmation by the confirmation information is required,
The notification means sends to the notification destination the confirmation information including output display data that allows the notification destination user to display and confirm the output data when the determination means determines that confirmation is required. The information management system according to claim 1, wherein notification is performed.   The information management system according to claim 2, wherein the determination unit determines that confirmation by the confirmation information is required when a predetermined character string or graphic is included in the output data.   The determination unit acquires and analyzes an image log of the output data transmitted from the output device after logout processing of the authenticated user is executed in the output device. 3. The information management system according to 3.   5. The information management system according to claim 1, wherein the notification unit notifies the notification destination of the confirmation information corresponding to a type of output used in the output device. 6. The storage means further stores second recording medium information in which user identification information for identifying a user who possesses the recording medium is associated with recording medium identification information for identifying the recording medium;
When the user identification information associated with the received recording medium identification information is user identification information for identifying a user associated with the user who owns the recording medium, the notification means sends the confirmation information to the notification destination. The information management system according to claim 1, wherein notification is performed. The notification means notifies the notification destination of the confirmation information including a transmission destination of the output data when transmission output of output data via a network is requested in the output device,
7. The output device according to claim 1, wherein, when the result information indicates permission to transmit output data, the output device transmits the output data to a transmission destination in response to the request. Information management system described in the section. It has a mechanism that restricts user exit,
The mechanism is a gate that is opened when user authentication using the recording medium is successful,
2. The control unit according to claim 1, wherein, when the result information indicates an inappropriateness, the control unit performs control so that the gate is not opened even if the user authentication using the recording medium is successful. Information management system. It has a mechanism that restricts user exit,
The mechanism is an electronic lock that unlocks when user authentication using the recording medium is successful,
2. The control unit according to claim 1, wherein when the result information indicates that the result is invalid, the control unit controls the electronic lock not to be unlocked even if the user authentication using the recording medium is successful. Information management system described in 1. Log management means for managing log information of the output data,
The control means causes the log management means to confirm the presence or absence of log information of output data by the user when the user leaves,
The notification means includes output display data that allows the notification destination user to display and confirm the output data when the log management means determines that there is log information of the output data by the user. Notifying the notification destination of the confirmation information,
When the result information indicates that the result information is invalid, the control unit controls the gate not to be opened or the electronic lock not to be unlocked even if the user authentication using the recording medium is successful. The information management system according to claim 8 or 9, characterized by the above. An information processing device included in an information management system for confirming whether or not output of output data based on use of an output device by a user is valid,
The information management system includes:
Storage means for storing first recording medium information in which recording medium identification information for identifying a recording medium is associated with user identification information for identifying a user associated with a user who owns the recording medium;
A user of the user who receives the recording medium identification information recorded on the recording medium and who possesses the recording medium based on the first storage medium identification information stored in the storage unit and the received recording medium identification information An authentication means for performing authentication, and
Confirmation information for confirming whether or not output of output data according to use of the output device by an authenticated user is valid, and output using the output device according to a confirmation result The confirmation information for controlling the exit of the user who outputted the data or the restriction of the transmission of the output data via the network using the output device is notified to the user associated with the user who owns the recording medium as the notification destination An information processing apparatus comprising a notification means. The output data output by the output device further comprises determination means for determining whether confirmation by the confirmation information is required,
The notification means notifies the notification destination of the confirmation information including output display data that the user can confirm by displaying the output data when the determination means determines that confirmation is required. The information processing apparatus according to claim 11.   The information processing apparatus according to claim 12, wherein the determination unit determines that confirmation by the confirmation information is required when a predetermined character string or graphic is included in the output data.   The determination unit acquires and analyzes an image log of the output data transmitted from the output device after logout processing of the authenticated user is executed in the output device. 13. The information processing apparatus according to 13.   The information processing apparatus according to claim 11, wherein the notification unit notifies the confirmation destination of the confirmation information according to a type of output used in the output apparatus. The storage means stores second recording medium information in which user identification information for identifying a user who possesses the recording medium is associated with recording medium identification information for identifying the recording medium;
When the user identification information associated with the received recording medium identification information is user identification information for identifying a user associated with the user who owns the recording medium, the notification means sends the confirmation information to the notification destination. The information processing apparatus according to claim 11, wherein notification is performed. The notification means notifies the notification destination of the confirmation information including a transmission destination of the output data when transmission output of output data via a network is requested in the output device,
17. The output device according to claim 11, wherein, when the result information indicates permission to transmit output data, the output device transmits the output data to a transmission destination in response to the request. The information processing apparatus according to item. An information management method executed by an information management system for confirming whether or not output of output data based on use of an output device by a user is valid,
The information management system includes storage means for storing first recording medium information in which recording medium identification information for identifying a recording medium is associated with user identification information for identifying a user to be associated with a user having the recording medium. And
The authentication unit receives the recording medium identification information recorded on the recording medium, and based on the storage medium identification information stored in the storage unit and the received recording medium identification information, the user possessing the recording medium Performing user authentication; and
A user associated with the user who possesses the recording medium with confirmation information for confirming whether or not the output of the output data according to the use of the output device by the authenticated user is valid by the notification means A process of notifying as a notification destination,
The control means acquires result information representing the confirmation result from the notification destination, and exits the user who has output the output data using the output device according to the result information or via the network using the output device. And a step of controlling restriction on transmission of the output data. A program executed by a computer included in an information management system for confirming whether or not output of output data based on use of an output device by a user is valid,
The information management system includes:
Storage means for storing first recording medium information in which recording medium identification information for identifying a recording medium is associated with user identification information for identifying a user associated with a user who owns the recording medium;
A user of the user who receives the recording medium identification information recorded on the recording medium and who possesses the recording medium based on the first storage medium identification information stored in the storage unit and the received recording medium identification information An authentication means for performing authentication, and
In the computer,
Confirmation information for confirming whether or not output of output data according to use of the output device by an authenticated user is valid, and output using the output device according to a confirmation result The confirmation information for controlling the exit of the user who outputted the data or the restriction of the transmission of the output data via the network using the output device is notified to the user associated with the user who owns the recording medium as the notification destination Program to realize the function to perform.

Images