JP5091965B2 - Image forming system and user manager server device - Google Patents

Description

The present invention relates to an image forming system and user manager server equipment.

  In recent years, directory services such as an active directory and an e directory have been introduced to manage users and devices in a network system. Some image forming apparatuses such as printers, copiers, and multifunction machines have a network function, and currently users and groups (departments) can be managed using such a directory service. When performing user management with a directory service, user authentication of a user who has performed a login operation on an image forming apparatus is usually performed by a server apparatus of the directory service.

  On the other hand, in the image forming apparatus, an authorization process may be performed in which only a function permitted to the login user among various functions can be used. Normally, in the authorization process, for each user, authorization information that designates a function that is permitted to be used (or a function that is prohibited to be used) is preset in the image forming apparatus, and is used by the login user in accordance with the authorization information. Function to be limited. In addition, there is also a system that provides the login user authorization information to the image forming apparatus using an intermediate server device having authorization information for each user (see, for example, Patent Document 1).

  In addition, as a user authentication method at the time of login, a card reader is provided in the image forming apparatus, the user carries an ID card, and when logging in to the image forming apparatus, the user presents the ID card to the card reader to form an image. There is also a method in which the device performs user authentication by reading the user ID from the ID card. In this case, the image forming apparatus interprets the read data output from the card reader in a prescribed output data format (character string data, hexadecimal data, etc.), and acquires a user ID and the like.

JP 2008-140067 A

  As described above, when a card reader is built in or connected to the image forming apparatus, the image forming apparatus includes a driver that processes read data in accordance with the output data format of the card reader. Therefore, when the card reader is replaced or a new card reader is connected to the image forming apparatus, the model of the card reader to be replaced or connected is limited to that of the output data format.

  Although it is conceivable to update the driver in accordance with the card reader, in a system in which a large number of image forming apparatuses are connected, it is necessary to update the driver for each image forming apparatus, resulting in poor development efficiency. Furthermore, when user authentication is performed by the server device of the directory service, if the data format of the user ID acquired by the card reader is different from the format compatible with the server device, the data format needs to be converted. In addition, it is necessary to update the driver for each image forming apparatus, which is not realistic.

The present invention has been made in view of the above problems, and an image forming system capable of performing authentication and authorization while integrally supporting readers of various output data formats, and a user usable in the image forming system and to obtain a manager server equipment.

  In order to solve the above problems, the present invention is configured as follows.

An image forming system according to the present invention is connected to a network and has an image forming apparatus having a reader that reads user identification information and outputs read data, and a function that is connected to the network and permitted to be used by a logged-in user of the image forming apparatus. A user manager server device that provides the image forming apparatus with authorization information that identifies the user ID, and a directory server device that provides directory service and has domain group and domain user registration information . Then, the image forming apparatus transmits the read data by the reader to the user manager server apparatus. The user manager server apparatus receives the read data from the image forming apparatus, specifies the data format of the received read data, and sets the data format. The user ID corresponding to the read data is specified after being converted into a predetermined data format, and user authentication based on the user ID is performed in the user manager server device or the directory server device, and authorization for the login user who has succeeded in user authentication Information is transmitted to the image forming apparatus.
The user manager server device registers local group information including domain users separately from the domain group, at least one of domain group authorization information for domain groups and domain user authorization information for domain users, and local group authorization information for local groups. (A) When a logged-in user who has succeeded in user authentication belongs to a local group, (a1) When there is domain user authorization information of the logged-in user, the domain user authorization is obtained from the domain user authorization information and the local group authorization information. The authorization information for the login user is generated and transmitted to the image forming apparatus so as to permit only the functions permitted to be used in both the information and the local group authorization information, and (a2) login When there is no domain user authorization information of the user, the local group authorization information is transmitted to the image forming apparatus as authorization information about the login user. (B) If the login user who has succeeded in user authentication does not belong to the local group, the domain Group authorization information or domain user authorization information is transmitted to the image forming apparatus as authorization information for the login user.

  As a result, the format of the read data of the reader is converted by the user manager server device, so that it is not necessary to process the read data in the image forming device, and readers of various output data formats are used in the image forming device. Can do.

A user manager server device according to the present invention includes a network interface connected to a network , at least one of domain group authorization information and domain user authorization information for a domain group and a domain user managed by a directory server device connected to the network, Output from the reader for reading the user identification information in the image forming apparatus using the storage device having the registration information of the local group including the domain user separately from the domain group and the local group authorization information for the local group and the network interface. The read data is received from the image forming apparatus, the data format of the received read data is specified, and the data format is converted into a predetermined data format to be read data. Identifies the user ID to respond, the user authentication by the user ID, the user authentication processing unit for performing in the user manager server device or in the directory server, (a) If the login user has succeeded in the user authentication belongs to a local group (A1) When there is domain user authorization information of the logged-in user, from the domain user authorization information and the local group authorization information, only the function permitted to be used in both the domain user authorization information and the local group authorization information is permitted. Authorization information for the login user is generated and transmitted to the image forming apparatus. (A2) When there is no domain user authorization information for the login user, local group authorization information is transmitted to the image forming apparatus as authorization information for the login user. (B) If the login user successfully over The authentication does not belong to a local group, and a authorization processing unit for transmitting a domain group authorization information or domain user authorization information, to the image forming apparatus as the authorization information of the logged-in user.

  As a result, the format of the read data of the reader is converted by the user manager server device, so that it is not necessary to process the read data in the image forming device, and readers of various output data formats are used in the image forming device. Can do.

  In addition to the above user manager server device, the user manager server device according to the present invention may be as follows. In this case, the user authentication processing unit receives data type information indicating the data format from the image forming apparatus, and specifies the data format of the read data from the received data type information.

  Thereby, in the user manager server device, the type of the data format of the read data by the reader is accurately specified.

  The user manager server device according to the present invention may be configured as follows in addition to any of the user manager server devices described above. In this case, the read data is encrypted, and the user authentication processing unit decrypts the read data based on the data type information.

  Thereby, the read data is accurately decoded by a method specified by the data type information.

  The user manager server device according to the present invention may be configured as follows in addition to any of the user manager server devices described above. In this case, the user identification information is the card ID of the ID card, and the user authentication processing unit specifies the card ID from the read data after the data format conversion, and specifies the user ID corresponding to the card ID.

  According to the present invention, it is possible to integrally support readers of various output data formats. In addition, expandability and development efficiency on the server side are improved.

FIG. 1 is a block diagram showing a configuration of an image forming system according to Embodiment 1 of the present invention. FIG. 2 is a block diagram showing the configuration of the multifunction machine in FIG. FIG. 3 is a block diagram showing a configuration of the user manager server apparatus in FIG. FIG. 4 is a diagram showing a configuration example of the authorization policy data in FIG. FIG. 5 is a block diagram showing the configuration of the directory server device in FIG. FIG. 6 is a sequence diagram for explaining the operation of each device when a user logs in to the multifunction machine in the system shown in FIG. FIG. 7 is a block diagram showing a configuration of an image forming system according to Embodiment 2 of the present invention. FIG. 8 is a block diagram showing a configuration of the application server apparatus in FIG. FIG. 9 is a sequence diagram for explaining the operation of each apparatus when a processing request is made from the multifunction peripheral to the application server apparatus in the system shown in FIG.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

Embodiment 1 FIG.

  FIG. 1 is a block diagram showing a configuration of an image forming system according to an embodiment of the present invention. In the system shown in FIG. 1, a plurality of multifunction peripherals 1 </ b> A and 1 </ b> B and a printer 1 </ b> C are connected to a network 2, and a user manager server device 3 and a directory server device 4 are connected to the network 2.

  The multifunction device 1A has a printer function, a scanner function, a copy function, a facsimile function, and the like, and executes various jobs with the above-described functions in accordance with commands from the operation panel on the multifunction device 1A, a host device connected to the network 2, and the like. An image forming apparatus. The multifunction machine 1B is a similar device. The printer 1C is also an image forming apparatus like the multifunction machines 1A and 1B, but does not have a scanner function, a copy function, and a facsimile function. In the following, the case where the multifunction peripherals 1A and 1B function as image forming apparatuses will be mainly described. However, the printer 1C can also function as an image forming apparatus.

  The user manager server device 3 is a server device that accepts user authentication requests from the multifunction peripherals 1A and 1B and provides authorization information for users logged in to the multifunction peripherals 1A and 1B. The directory server device 4 is a server device that provides directory services such as an active directory and an e directory.

  FIG. 2 is a block diagram showing a configuration of the multifunction machine 1A in FIG. The multifunction machine 1B has a similar configuration. The multi-function device 1A includes an operation panel 21, a modem 22, a network interface 23, a printer 24, a scanner 25, and a control device 26.

  The operation panel 21 is installed in the housing of the multifunction machine 1A, and includes a display device 21a that displays various types of information to the user and an input device 21b that receives user operations. The display device 21a is, for example, a liquid crystal display or various indicators. The input device 21b is, for example, a touch panel or a key switch.

  The modem 22 can be connected to a subscriber telephone network such as a public switched telephone network (PSTN), and is a communication device that transmits and receives facsimile data.

  The network interface 23 can be connected to a wired or wireless computer network 2 and performs data communication with other devices (server device 3, host device not shown) connected to the network 2. Device.

  The printer 24 is an internal device that prints on a sheet according to a print request and discharges the printed matter. In the case of the electrophotographic method, after charging the photosensitive drum, the printer 24 emits a light source based on the print data to form an electrostatic latent image on the surface of the photosensitive drum, and this electrostatic latent image is Development is performed with toner, the toner image is transferred and fixed on a sheet, and the sheet is discharged as a printed matter.

  The scanner 25 irradiates light on one or both sides of a document fed by an automatic document feeder or a document placed by a user and receives reflected light or the like to read an image of the document. It is an internal device that outputs as image data.

  The reader 27 is a device that reads user identification information and outputs read data, and may be provided in the multifunction peripheral 1A or may be connected as a peripheral device. In this embodiment, the reader 27 reads user identification information from an ID card such as a magnetic card or IC card, and reads the read data including the user identification information in a predetermined output data format (character string, hexadecimal, etc.). Any one of the above). The reader 27 may be a reader that reads a user's biometric information (such as a fingerprint). In that case, the feature amount obtained from the biological information is used as the user identification information. The reader 27 may be a contact type or a non-contact type.

  The control device 26 is a device that controls each unit in the multifunction peripheral 1A and performs data processing. The control device 26 is configured as a computer having, for example, a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), and the like. In the control device 26, the CPU implements various processing units by loading a program stored in the ROM or other storage device (flash memory or the like) into the RAM and executing it. In the control device 26, a FAX communication unit 31, a network communication unit 32, a control unit 33, and a determination unit 34 are realized.

  The FAX communication unit 31 is a processing unit that controls the modem 22 and receives facsimile data. When receiving the facsimile data, the FAX communication unit 31 supplies a print request to the determination unit 34.

  The network communication unit 32 is a processing unit that controls the network interface 23 and performs data communication with devices on the network 2 using various communication protocols. For example, the network communication unit 32 transmits the read data output from the reader 27 at the time of user login to the user manager server device 3 and receives the login user authorization information from the user manager server device 3. For example, the network communication unit 32 receives a print request (such as PDL (Page Description Language) data) from the host computer, and supplies the print request to the control unit 33.

  The control unit 33 receives a job request by a user operation on the operation panel 21 or a job request received from the host device by the network interface 23 and the network communication unit 32, and controls each unit in the multifunction peripheral 1A to control the job. A processing unit that executes a job corresponding to a request. The job request includes a print request, a scan request, a facsimile transmission request, and the like. Further, when there is a login operation, the control unit 33 acquires read data from the reader 27, transmits the read data as it is using the network communication unit 32 without converting the format, and transmits user authentication, authorization information, and the like to the user manager server device. 3 is requested. In this embodiment, data type information indicating the data format of the read data is transmitted together with the read data.

  Based on the authorization information about the login user received from the user manager server device 3 by the network interface 23 and the network communication unit 32, the determination unit 34 uses the login user among the functions of the MFP 1A. It is a processing unit that specifies a function to be prohibited (or a function to be permitted) and stores data indicating whether or not to permit use of each function on, for example, a RAM. The control unit 33 refers to the data and restricts the use of the MFP 1A by the login user. For example, when the use of the color copy function is restricted for the logged-in user, a copy function menu is displayed on the operation panel 21 so that the color copy cannot be selected (for example, selecting a color from monochrome / color). Button is grayed out).

  In this way, the multifunction peripherals 1A and 1B are configured.

  FIG. 3 is a block diagram showing the configuration of the user manager server device 3 in FIG. The user manager server device 3 includes a storage device 41, a network interface 42, and an arithmetic processing device 43.

  The storage device 41 is a device that stores programs and data. As the storage device 41, a nonvolatile semiconductor memory, a hard disk drive, or the like is used. The storage device 41 stores authorization policy data 51, local user data 52, and local group data 53.

  The authorization policy data 51 is data including authorization information used for specifying a function that is permitted to be used by the login user of the multifunction peripheral 1A, 1B. The authorization policy data 51 can include authorization information for users and authorization information for groups. Authorization information for a user is authorization information applied to the user, and authorization information for a group is authorization information applied to users belonging to the group. The authorization policy data 51 includes authorization information for a domain user registered in the directory server device 4 and authorization information for a local user registered in the user manager server device 3 as authorization information for the user. And can be included. The authorization policy data 51 includes authorization information for a domain group registered in the directory server device 4 and authorization information for a local group registered in the user manager server device 3 as authorization information for the group. And can be included. The authorization information for a user includes a user ID and information on a function that is permitted (or prohibited) for the user (for example, a function ID). The authorization information for a group includes a group ID and information on a function that is permitted (or prohibited) for a user belonging to the group (for example, a function ID). For example, functions permitted (or prohibited) to be used include large items such as printing, scanning, copying, and facsimile transmission, and small items (for example, a color / monochrome selection function) associated with each large item.

  FIG. 4 is a diagram showing a configuration example of the authorization policy data 51 in FIG.

  In the authorization policy data 51 shown in FIG. 4, the domain group A includes domain users A, B, C, and D, and the local group A includes local users A and B and domain users B and D. An authorization policy # 1 (policy data including authorization information) is set for the domain group A, an authorization policy # 2 is set for the domain user A belonging to the domain group A, and an authorization policy # for the local group A 3 is set, the authorization policy # 4 is set for the local user A belonging to the local group A, the authorization policy # 5 is set for the domain user B belonging to the domain group A, and the authorization for the domain user E is set. Policy # 6 is set, and authorization policy # 7 is set for local user C.

  The local user data 52 is data including registration information (user ID and password) of the local user. The local user is a user registered in the user manager device 3 separately from the domain user registered in the directory server device 4.

  The local group data 53 is data including registration information (group ID and user ID of a user belonging to the group) of the local group. The local group is a group registered in the user manager device 3 separately from the domain user registered in the directory server device 4. Local groups can include local users and domain users. That is, a local group consisting only of local users, a local group consisting only of domain users, and a local group consisting of local users and domain users can be set.

  The network interface 42 can be connected to a wired or wireless computer network 2 and performs data communication with other devices (such as the multifunction devices 1A and 1B and the server device 4) connected to the network 2. Device.

  The arithmetic processing unit 43 is configured as a computer having a CPU, a ROM, a RAM, and the like, and loads various programs stored in the ROM or the storage device 41 into the RAM and executes them by the CPU, thereby realizing various processing units. . In the arithmetic processing device 43, a network communication unit 61, a user authentication processing unit 62, and an authorization processing unit 63 are realized.

  The network communication unit 61 is a processing unit that controls the network interface 42 and performs data communication with devices on the network 2 using various communication protocols. For example, the network communication unit 61 receives data read by the reader 27 at the time of login from the multifunction device 1A, and transmits authorization information about the user to the multifunction device 1A. For example, the network communication unit 61 transmits a user authentication request to the directory server device 4 and receives the authentication result and user information from the directory server device 4.

  The user authentication processing unit 62 uses the network interface 42 and the network communication unit 61 to read the read data output from the user identification information reading reader 27 together with the data type information of the read data into the multifunction device 1A (or the multifunction device 1B). The data format of the received read data is specified by the data format determination unit 62a from the data type information, and the format conversion unit 62b converts the data format into a predetermined data format (for example, hexadecimal to a character string). The processing unit identifies a user ID corresponding to the read data and performs user authentication based on the user ID. The user authentication processing unit 62 authenticates login users of the multifunction peripherals 1A and 1B with the local user data 52 in the multifunction peripheral 1A or with an authentication server apparatus such as the directory server apparatus 4 using the network interface 42.

  If the read data output from the reader 27 is encrypted, the user authentication processing unit 62 identifies the encryption method based on the data type information, and decrypts the read data using a decryption method corresponding to the encryption method. To do.

  The authorization processing unit 63 extracts the authorization information about the login user of the multifunction device 1A (or multifunction device 1B) that has been successfully authenticated from the authorization policy data 51, and transmits the authorization information to the multifunction device 1A (or multifunction device 1B). It is a processing unit. In this embodiment, when the login user of the multifunction device 1A (or multifunction device 1B) who has succeeded in user authentication belongs to the local group, the authorization processing unit 63 obtains authorization information for the local group from the authorization policy data 51. If the logged-in user that has been extracted and transmitted to the MFP 1A (or MFP 1B) using the network interface 42 as authorization information for the logged-in user and succeeded in user authentication does not belong to the local group, the logged-in user The authorization information for the domain group to which the user belongs or the user (domain user or local user) is extracted from the authorization policy data 51, and the network interface 42 is used as the authorization information for the login user. 1B To send to.

  For example, in the case of the authorization policy data 51 shown in FIG. 4, when the domain user A logs in to the multifunction device 1A, the authorization policy # 2 and the authorization policy # 1 are transmitted to the multifunction device 1A. When there are conflicting authorization settings in the user and group authorization policies (here, authorization policy # 2 and authorization policy # 1), the setting of a predetermined authorization policy of the group or user is applied. In this case, when the domain user B logs in to the multifunction device 1A, the authorization policy # 5, the authorization policy # 3, and the authorization policy # 1 are transmitted to the multifunction device 1A. If there are conflicting authorization settings in the domain group and local group authorization policies (here, authorization policy # 1 and authorization policy # 3), the setting of the predetermined authorization policy of the domain group or local user is applied. Is done. In this case, when the domain user C logs in to the multifunction device 1A, the authorization policy # 1 is transmitted to the multifunction device 1A. In this case, when the domain user D logs in to the multifunction device 1A, the authorization policy # 1 and the authorization policy # 3 are transmitted to the multifunction device 1A. In this case, when the domain user E logs in to the multifunction device 1A, the authorization policy # 6 is transmitted to the multifunction device 1A. In this case, when the local user A logs in to the multifunction device 1A, the authorization policy # 4 and the authorization policy # 3 are transmitted to the multifunction device 1A. In this case, when the local user B logs in to the multifunction device 1A, the authorization policy # 3 is transmitted to the multifunction device 1A. In this case, when the local user C logs in to the multifunction device 1A, the authorization policy # 7 is transmitted to the multifunction device 1A.

  When there are a plurality of authorization policies to be applied to a certain login user, the authorization processing unit 63 generates a single authorization policy by combining the authorization policies in the server device 3 and transmits the generated authorization policy. You may make it do. In that case, any setting policy selected according to a predetermined rule is applied to setting items that compete with each other in a plurality of approval policies.

  Thus, the user manager server device 3 is configured.

  FIG. 5 is a block diagram showing the configuration of the directory server device 4 in FIG. The directory server device 4 includes a storage device 71, a network interface 72, and an arithmetic processing device 73.

  The storage device 71 is a device that stores programs and data. As the storage device 71, a nonvolatile semiconductor memory, a hard disk drive, or the like is used. A directory service database 91 is constructed in the storage device 71, and the database 91 includes user data 91a and group data 91b. The user data 91a includes a user ID, a password, and user information (a telephone number, a facsimile number, an e-mail address, and other attribute information to be contacted). The group data 91b includes a group ID, a user ID list of users belonging to the group, and group information (contact information, responsible person, and other attribute information).

  The network interface 72 is a device that can be connected to a wired or wireless computer network 2 and performs data communication with other devices (such as the server device 3) connected to the network 2.

  The arithmetic processing unit 73 is configured as a computer having a CPU, a ROM, a RAM, and the like, and implements various processing units by loading a program stored in the ROM or the storage device 71 into the RAM and executing the program by the CPU. In this arithmetic processing unit 73, a network communication unit 81 and a directory service processing unit 82 are realized.

  The network communication unit 81 is a processing unit that controls the network interface 72 and performs data communication with devices on the network 2 using various communication protocols. For example, the network communication unit 81 receives a user authentication request and transmits the authentication result and user information.

  The directory service processing unit 82 is a processing unit that manages domain users and domain groups. The directory service processing unit 82 performs registration and deletion of domain users and domain groups, user authentication, provision of user information of domain users and group information of domain groups, and the like. For user authentication, LDAP (Lightweight Directory Access Protocol) authentication, Kerberos authentication, or the like is used. When the directory service is an active directory, the directory service processing unit 82 operates as a domain controller.

  Thus, the directory server device 4 is configured.

  Next, the operation of each device when the user logs in to the multifunction device 1A in the above system will be described. FIG. 6 is a sequence diagram for explaining the operation of each device when a user logs in to the multifunction peripheral 1A in the system shown in FIG. Each device operates in the same manner when a user logs in to the multifunction machine 1B.

  When the reader 27 of the MFP 1A detects the ID card, reads the user identification information from the ID card, and outputs the read data in a predetermined data format (step S1), the control unit 33 accepts the read data, and the data Along with the type information, the data is transmitted to the user manager server device 3 using the network communication unit 32 and the network interface 23 (step S2).

  In the user manager server device 3, the user authentication processing unit 62 receives the read data and data type information using the network communication unit 61 and the network interface 42, and converts the data format of the received read data from the data type information. Specify (step S3). If the data format is not the predetermined data format, the user authentication processing unit 62 converts the data format into the predetermined data format (step S4). Then, the user authentication processing unit 62 specifies a user ID corresponding to the read data, and performs user authentication using the user ID. Here, the user authentication processing unit 62 transmits the user ID and the user authentication request to the directory server device 4 by a predetermined protocol (LDAP or the like) (step S5).

  In the directory server device 4, the directory service processing unit 82 uses the network communication unit 81 and the network interface 72 to receive the user ID and the authentication request using a predetermined protocol, refers to the directory database 91, and It is determined whether or not the ID belongs to a valid user (step S6).

  Then, the directory service processing unit 82 uses the network communication unit 81 and the network interface 72 to display the determination result (that is, the authentication result) and the user information of the user when the authentication is successful. As a response, it transmits to the user manager server apparatus 3 (step S7).

  In the user manager server device 3, the user authentication processing unit 62 uses the network communication unit 61 and the network interface 42 to receive the authentication result as a response to the authentication request. Receive information. If the authentication is successful, the authorization processing unit 63 refers to the authorization policy data 51, specifies the authorization information of the user (that is, the authorization policy applied to the user) (step S8), and the network Using the communication unit 61 and the network interface 42, a response indicating authentication success is transmitted to the multi function device 1A together with the authorization information and user information (step S9).

  In the MFP 1A, the control unit 33 receives the authorization information and user information using the network communication unit 32 and the network interface 23, and provides the authorization information to the determination unit 34 (step S10). Based on the authorization information, the determination unit 34 sets, on the RAM, data indicating whether or not the use of the user is permitted for each of the predetermined functions of the multifunction peripheral 1A.

  Thereafter, the user is permitted to use the multifunction device 1A in a state where the function is restricted according to the authorization information (step S11). In the MFP 1A, the control unit 33 refers to the above-described data set by the determination unit 34 and accepts and executes only jobs that use functions permitted for the user.

  When user authentication fails, only a response indicating authentication failure is transmitted from the user manager server apparatus 3 to the multifunction device 1A. When the multifunction device 1A receives a response indicating authentication failure, the message indicating authentication failure is transmitted. Is displayed on the operation panel 21 and the use of the multifunction device 1A by the user is prohibited.

  As described above, according to the first embodiment, the multifunction device 1A (or the multifunction device 1B) transmits the data read by the reader 27 to the user manager server device 3, and the user manager server device 3 transmits the data to the multifunction device 1A. (Or MFP 1B) receives the read data, specifies the data format of the received read data, converts the data format into a predetermined data format, specifies the user ID corresponding to the read data, and uses the user ID User authentication is performed in the user manager server device 3 or the server device 4, and authorization information about the login user who has succeeded in user authentication is transmitted to the multifunction device 1A (or multifunction device 1B).

  As a result, since the format of the read data of the reader is converted by the user manager server device that provides the authorization information, there is no need to process the read data in the multifunction device 1A (or multifunction device 1B), and the multifunction device 1A (or In the multi-function peripheral 1B), readers of various output data formats can be used, and readers of various output data formats can be integratedly supported. In addition, expandability and development efficiency on the server side are improved.

Embodiment 2. FIG.

  FIG. 7 is a block diagram showing a configuration of an image forming system according to Embodiment 2 of the present invention. In the image forming system according to the second embodiment, an application server device 101 that executes processing in response to a request from an application in the multifunction peripheral 1A or 1B is provided, and the application server device 101 includes the above-described user authentication processing device. 62 has the same authentication processing unit.

  FIG. 8 is a block diagram showing the configuration of the application server apparatus 101 in FIG.

  The application server device 101 includes a network interface 111 and an arithmetic processing device 112.

  The network interface 111 can be connected to a wired or wireless computer network 2 and performs data communication with other devices (such as the multifunction devices 1A and 1B and the server device 4) connected to the network 2. Device.

  The arithmetic processing unit 112 is configured as a computer having a CPU, a ROM, a RAM, and the like, and implements various processing units by loading a program stored in the ROM or the like into the RAM and executing the program by the CPU. In this arithmetic processing unit 112, a network communication unit 121, an authentication processing unit 122, and a server processing unit 123 are realized.

  The network communication unit 121 is a processing unit that controls the network interface 111 and performs data communication with devices on the network 2 using various communication protocols. For example, the network communication unit 121 receives the data read by the reader 27 at the time of login from the multifunction device 1A together with the processing request, executes the processing specified by the processing request, and displays the execution result of the processing as the multifunction device 1A. Send to. For example, the network communication unit 121 transmits an authentication request to the directory server device 4 and receives the authentication result and user information from the directory server device 4.

  Using the network interface 111, the authentication processing unit 122 receives the read data output from the user identification information reading reader 27 together with the data type information of the read data from the multifunction device 1A (or the multifunction device 1B), and receives the received data. The data format of the read data is specified by the data format determination unit 112a from the data type information, and the format conversion unit 112b converts the data format into a predetermined data format (for example, hexadecimal to a character string) to correspond to the read data. A processing unit that identifies an ID (read data itself or an ID associated with the read data) and authenticates the ID. The authentication processing unit 122 performs authentication of this ID using an authentication server device such as the directory server device 4 using the network interface 111.

  If the read data output from the reader 27 is encrypted, the authentication processing unit 122 identifies the encryption method based on the data type information, and decrypts the read data using a decryption method corresponding to the encryption method. To do.

  The server processing unit 123 is a processing unit that executes the process specified by the processing request only when the authentication processing unit 122 succeeds in authenticating the ID obtained from the read data.

  Next, the operation of each apparatus when a processing request is made from the multifunction machine 1A to the application server apparatus 101 will be described. FIG. 9 is a sequence diagram for explaining the operation of each device when a processing request is made from the multifunction peripheral 1A to the application server device 101 in the system shown in FIG. Each device operates in the same manner when a processing request is made from the multifunction device 1B to the application server device 101.

  As in the first embodiment, when the reader 27 of the multifunction peripheral 1A detects the ID card, reads the user identification information from the ID card, and outputs the read data in a predetermined data format, the control unit 33 reads the read data. To get. In the multifunction machine 1A, for example, when an application program is executed on the Java virtual machine by the control device 26, and a processing request to the application server apparatus 101 is generated during the execution of the application program (step S101), The control unit 33 transmits the processing request and read data together with the data type information to the application server apparatus 101 using the network communication unit 32 and the network interface 23 (step S102).

  In the application server apparatus 101, the authentication processing unit 122 receives the processing request, the read data, and the data type information using the network communication unit 121 and the network interface 111, and the data format determination unit 122a receives the received read. The data format of the data is specified from the data type information (step S103). If the data format is not the predetermined data format, the authentication processing unit 122 converts the data format into the predetermined data format by the format conversion unit 122b (step S104). And the authentication process part 122 specifies ID corresponding to the read data, and performs user authentication by the ID. Here, the user authentication processing unit 122 transmits the user ID and the user authentication request to the directory server device 4 by a predetermined protocol (LDAP or the like) (step S105).

  In the directory server device 4, the directory service processing unit 82 uses the network communication unit 81 and the network interface 72 to receive the ID and the authentication request using a predetermined protocol, refers to the directory database 91, and the ID is It is determined whether or not it is a legitimate user or device (ID card or the like) (step S106).

  Then, the directory service processing unit 82 uses the network communication unit 81 and the network interface 72 to display the determination result (that is, the authentication result) and the user information of the user when the authentication is successful. As a response, it transmits to the application server apparatus 101 (step S107).

  In the application server apparatus 101, the authentication processing unit 122 receives the authentication result as a response to the authentication request using the network communication unit 121 and the network interface 111. If the authentication is successful, the server processing unit 123 executes the processing specified by the processing request (step S108), and uses the network communication unit 121 and the network interface 111 to send the processing result to the multifunction device. Transmit to 1A (step S109).

  As described above, according to the second embodiment, the multifunction device 1A (or the multifunction device 1B) transmits the read data to the application server device 101, and the application server device 101 performs the multifunction device 1A (or the multifunction device 1B). Only when the read data is received, the data format of the received read data is specified, the data format is converted into a predetermined data format, the ID corresponding to the read data is specified, and the ID is successfully authenticated, Processing corresponding to a request from the application of the multifunction device 1A (or multifunction device 1B) is executed.

  Thus, since the application server device 101 converts the format of the read data of the reader, there is no need to process the read data in the multifunction device 1A (or the multifunction device 1B), and the multifunction device 1A (or the multifunction device 1B) Various readers of output data formats can be used, and readers of various output data formats can be integratedly supported. In addition, expandability and development efficiency on the server side are improved.

  Each embodiment described above is a preferred example of the present invention, but the present invention is not limited to these, and various modifications and changes can be made without departing from the scope of the present invention. It is.

  For example, in each of the above embodiments, local users and domain users are mixed and included in the local group, but there may be a local group including only local users or a local group including only domain users.

  In each of the above embodiments, the user manager server device 3 is connected to another network different from the network 2 without being connected to the network 2, and is connected to the directory server device 4 in the other network and the network 2. The user manager server device 3 and the directory server device 4 may perform data communication via another network.

  In each of the above-described embodiments, the multifunction peripherals 1A and 1B are used as the image forming apparatus, but a printer, a copier, or the like may be used instead. Further, in each of the above embodiments, the system has three image forming apparatuses, but it is also possible to use one, two, or four or more image forming apparatuses.

  In each of the above embodiments, the authorization information may include an access authority level to the multifunction device. For example, either an administrator or a general user is set as the access authority level. In the case of an administrator, functions that cannot be used by general users, such as maintenance, can be used.

  In each of the above embodiments, instead of the data type information, the MFPs 1A and 1B transmit model information indicating the model of the reader 27 to the server devices 3 and 101. The data format of the read data may be specified. Further, in each of the above embodiments, the server device 3 101 may identify the data format from the content of the read data.

  In each of the above embodiments, the multifunction devices 1A and 1B transmit the passwords input to the operation panel 21 of the multifunction devices 1A and 1B to the server devices 3 and 101. User authentication may be performed using the specified user ID and its password. In that case, for example, the server device 4 may perform user authentication with the user ID and the password.

  In the second embodiment, the data format of the read data is converted in the application server apparatus 101. Instead, the data format of the read data is converted in the multifunction peripherals 1A and 1B and then read to the external application. Data may be transmitted. For example, a Java (registered trademark) application for an extended function for converting the data format is installed in the multifunction peripherals 1A and 1B having Java (registered trademark) virtual machines, and the Java (registered trademark) application is The read data of the reader 27 is acquired, the data format of the read data is converted into the data format required by the application server apparatus 101, and the read data is transmitted to the application server apparatus 101.

  The present invention can be applied to, for example, a network system having a plurality of image forming apparatuses.

1A, 1B MFP (an example of an image forming apparatus)
1C printer (an example of an image forming apparatus)
2 Network 3 User manager server device 4 Directory server device (an example of an authentication server device)
27 Reader 41 Storage device 42, 111 Network interface 62 User authentication processing unit 63 Authorization processing unit 101 Application server device 122 Authentication processing unit 123 Server processing unit (an example of processing execution unit)

Claims (5)

An image forming apparatus having a reader connected to a network and reading user identification information and outputting read data;
A user manager server device that is connected to the network and provides authorization information for identifying the functions permitted to be used by a login user of the image forming device to the image forming device ;
A directory server device that provides directory service and has domain group and domain user registration information ;
The image forming apparatus transmits data read by the reader to the user manager server apparatus,
The user manager server device receives the read data from the image forming device, specifies a data format of the received read data, converts the data format into a predetermined data format, and corresponds to the read data ID is specified, user authentication is performed by the user ID in the user manager server device or the directory server device, and authorization information about the logged-in user who has succeeded in user authentication is transmitted to the image forming device ,
The user manager server device includes registration information of a local group including the domain user separately from the domain group, domain group authorization information for the domain group, domain user authorization information for the domain user, and the local group. (A) when the logged-in user who has succeeded in user authentication belongs to the local group, (a1) when there is the domain user authorization information of the logged-in user, the domain user authorization information and Authorization information for the logged-in user so as to allow only the functions permitted to be used in both the domain user authorization information and the local group authorization information from the local group authorization information (A2) When there is no domain user authorization information for the logged-in user, the local group authorization information is transmitted to the image forming apparatus as authorization information for the logged-in user. b) When the login user who has succeeded in user authentication does not belong to the local group, transmitting the domain group authorization information or the domain user authorization information to the image forming apparatus as authorization information about the login user;
An image forming system. In the user manager server device that provides the image forming apparatus with authorization information that identifies the functions permitted to be used by the login user,
A network interface connected to the network;
At least one of domain group authorization information and domain user authorization information for a domain group and a domain user managed by a directory server device connected to the network, registration information of a local group including the domain user separately from the domain group, and A storage device having local group authorization information for the local group;
Using the network interface, read data output from a reader for reading user identification information in the image forming apparatus is received from the image forming apparatus, a data format of the received read data is specified, and the data format is A user authentication processing unit that performs conversion into a predetermined data format to identify a user ID corresponding to the read data, and performs user authentication by the user ID in the user manager server device or the directory server device;
(A) When the logged-in user who has succeeded in user authentication belongs to the local group, (a1) When there is the domain user authorization information of the logged-in user, the domain user authorization information and the local group authorization information are used to determine the domain Generate and send authorization information about the logged-in user to the image forming apparatus so as to permit only functions permitted to be used in both the user authorization information and the local group authorization information, and (a2) the login user's When there is no domain user authorization information, the local group authorization information is transmitted to the image forming apparatus as authorization information about the login user, and (b) the login user who has succeeded in user authentication does not belong to the local group , The domain group The variable information or the domain user authorization information, the authorization processing unit to be transmitted to the image forming apparatus as the authorization information for the logged-in user,
A user manager server device comprising: The user authentication processing unit, the data type information indicating the data format received from the image forming apparatus, from the data type information received according to claim 2, wherein the identifying the data format of the read data User manager server device. The read data is encrypted,
The user authentication processing unit decrypts the read data based on the data type information;
The user manager server device according to claim 3 . The user identification information is a card ID of an ID card,
The user authentication processing unit specifies a card ID from the read data after data format conversion, and specifies a user ID corresponding to the card ID;
The user manager server device according to claim 2 .

Images