JP5589579B2 - Authentication system, image forming apparatus, processing method and program thereof, and user information management apparatus. - Google Patents

Description

The present invention relates to an authentication system that performs authentication processing, an image forming apparatus , and a user information management apparatus .

  In recent years, when an MFP is used, an authentication information management apparatus (IC card authentication server) for authentication information read from the IC card by holding the IC card over the card reader of the MFP, for example, for the purpose of limiting users. ) And if authentication information is registered, there is already a system that responds to the multifunction peripheral with a successful authentication and can use the multifunction peripheral.

  In such a system, there are cases where it is desired to limit the functions that can be used by the multifunction device to the user. For example, there are cases where it is desired to limit the functions for each user, such as user A can use only copying, and user B can use copying and FAX.

  As described above, Patent Document 1 discloses a system for setting functions that can be used in units of users or setting functions that can be used in units of a group of multifunction devices / groups.

JP 2007-286908 A

  In the system disclosed in Patent Document 1, functions that can be used in a multi-function peripheral can be set in units of users or in units of multi-function peripherals / groups that combine multi-function peripherals.

  However, in this case, since it is necessary to perform setting again every time a new multifunction peripheral is introduced, there is a problem that the workload of the administrator is large.

  In addition, when using a multifunction device, there is a mechanism in which user authentication is performed by holding an IC card or the like, and the user can use the multifunction device when the user is authenticated. Use the multifunction device installed in your company without being conscious of whether you can use it.

  Therefore, when using a mechanism that sets a multifunction device that can be used for each user, when using a multifunction device other than the multifunction device that is always used, authentication is performed by holding the IC card. As a result, the authentication is successful, but the MFP is set as an unusable MFP. Therefore, the user holding the IC card cannot use the MFP. In this case, it is inconvenient for the user to search for a usable multi-function device or to use the multi-function device by using a multi-function device that is always used.

  In addition, there is a demand for operations such as giving a plurality of IC cards to one user and allowing the user to use different IC cards. For example, a user who goes to a plurality of group companies and performs business is given an IC card used by each company, and the user uses the IC card properly. Then, the user uses a multi-function machine that is restricted using the use authority associated with each IC card.

  Furthermore, in the multi function device, in addition to authentication using an IC card, it is possible to perform keyboard authentication in which a user inputs a user ID, a password, and the like for authentication.

  Normally, authentication is performed using an IC card. If the user forgets the IC card, the MFP is used using keyboard authentication. However, as described above, a plurality of IC cards are associated with one user. If this is the case, a plurality of user information (card ID, user name, e-mail address, authority information, etc.) will be searched, and it may not be possible to log in to the multifunction device.

  If multiple user information is searched, it is possible to log in using one of the user information, but if the user information that is currently being used by the currently operating multifunction device is not selected, If the authority is different and the functions of a commonly used multifunction machine cannot be used, or if a multifunction machine that can be used for each user is determined, the problem arises that the multifunction machine itself cannot be used.

Therefore, an object of the present invention is to use uniquely identified user information in the case of an authentication method using a storage medium, and in the case of an authentication method using user identification information input in accordance with a user operation . An object of the present invention is to provide a mechanism for easily using an image forming apparatus by selecting user information to be logged in from a plurality of user information obtained by authentication.

In order to achieve the object of the present invention, it is possible to manage user identification information and a plurality of pieces of user information in association with each other and to manage read information read from a storage medium and user information in association with each other. An authentication system that is communicably connected to a user information management apparatus and an image forming apparatus, and the image forming apparatus can uniquely identify user information from a storage medium in order to log in to the image forming apparatus reading means for reading the Do read information, in accordance with the user operation receiving, in order to log into the image forming apparatus, an input accepting means for accepting input of user identification information, the read information or the input receiving means read by the reading means The first transmission means for transmitting the received user identification information to the user information management device and the first transmission means The read information, or, in the case of the first receiving means, an authentication method by the input receiving means for receiving from the previous SL user information management device the user information corresponding to the user identification information, received by the first receiving means determination means for determining a plurality or not user information that, in the case of the authentication method by the input receiving means, by the determination unit, when the user information corresponding to the user identification information is determined to one Is logged in using the user information, and when the determination means determines that there are a plurality of user information corresponding to the user identification information, the user information is selected by displaying the plurality of user information. log in using one of the user information, whereas, in the case of the authentication process according to said reading means, a log using the user information received by said first receiving means And a log-in means for down, the user information management device, the read information from the image forming apparatus, or a second receiving means for receiving the user identification information, received by the second receiving means and said Authentication means for authenticating by reading the user information using the read information or the user identification information, and when authentication is successful using the read information by the authentication means, uniquely identifying by the read information User information for acquiring one or a plurality of user information stored in association with the user identification information when authentication is successful using the user identification information by the authentication means. an acquiring unit, characterized in that it comprises a second transmitting means for transmitting the user information acquired by the user information acquisition means prior Symbol image forming apparatus.

In addition, when the determination unit determines that there are a plurality of user information corresponding to the user identification information, the display unit further includes a display unit that displays selectable user information from the plurality of received user information . the log-in means is characterized that you login using the user information selected from a plurality of user information displayed on the display means.

The image forming apparatus further includes a determination unit that determines whether or not there is a plurality of user information, and the display unit determines that the plurality of user information when the determination unit determines that there are a plurality of user information. The user information is displayed in a selectable manner, and the log-in means logs in using user information selected from the plurality of user information displayed on the display means.

In addition, a change determination unit that determines whether or not a change instruction for logged-in user information has been issued, and the display unit displays the plurality of user information when the change determination unit determines that a change instruction has been issued. The display is again selectable.

The user information may be a user name, an e-mail address, or a cost code.

Also, Yu chromatography The information management apparatus further includes a group information storage means for storing in association with said group of user information and log an image forming apparatus, the user information acquisition means, said second receiving means The user information associated with the group including the image forming apparatus that has received the user identification information is acquired from the plurality of user information stored in association with the user identification information received by the second transmission unit, The user information associated with the group including the image forming apparatus having received the user identification information by the second receiving means acquired by the user information acquiring means is transmitted.

The user information management apparatus and the image forming apparatus may be configured as separate housings.

In the case of an authentication method using a storage medium, a plurality of users obtained by authentication are used in the case of an authentication method using user identification information input in accordance with the user's operation using user information uniquely specified. By selecting user information for login from the information, the image forming apparatus can be easily used.

System configuration diagram showing an example of the configuration of an IC card authentication system Hardware configuration diagram of information processing apparatus applicable to IC card authentication server 200, directory service server 300, and client PC 700 Hardware configuration diagram of MFP 100 Functional block diagram of MFP 100 and IC card authentication server 200 in the IC card authentication system The figure which shows the structure of the table for IC card authentication Figure showing an example of the device management screen The figure which shows an example of a user information edit screen The figure which shows an example of the function restriction confirmation screen 800A and the search result display screen 800B Flow chart showing device group registration process A flowchart showing processing when an IC card is held over a card reader Flow chart showing authentication process Flow chart showing device group search processing Diagram showing the structure of function restriction information The figure which shows the matching table of function restriction information and an authority group The figure which shows an example of the user information memorize | stored in the IC card authentication table Flowchart showing authentication processing when user name and password are entered Flow chart showing keyboard authentication process Flow chart showing login information change processing after login Login information selection screen

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a system configuration diagram showing an example of the configuration of the IC card authentication system of the present invention.

  FIG. 1 shows a configuration in which one or a plurality of multifunction peripherals 100, an IC card authentication server 200, and a plurality of directory service servers 300 are communicably connected via a local area network (LAN) 400.

  The IC card authentication server 200 (user information management apparatus) stores an IC card authentication table (shown in FIG. 5 to be described later), and an authentication request by an IC card from the multifunction peripheral 100 (image forming apparatus) or a user name and In response to a password authentication request, authentication processing is performed using the IC card authentication table.

  The directory service server 300 includes hardware resources such as servers and clients existing on the network, user attributes (for example, Microsoft Windows (registered trademark) login user name and password), access rights, and the like. For example, a server equipped with an active directory (Active Directory (trademark; hereinafter omitted)) function.

  A client PC 700 is a client PC in which an IC card authentication server management tool is installed. It is possible to access the IC card authentication server from the IC card authentication server management tool and perform setting work from the screens of FIGS. 6 and 7 of the IC card authentication server management tool.

  The IC card authentication server management tool may be configured to be installed in the IC card authentication server 200, and can be set by the IC card authentication server 200.

  The IC card authentication system according to the present embodiment is configured such that one or a plurality of MFPs 100, the IC card authentication server 200, and the directory service server 300 configured as described above are connected via a WAN 500 connected via a LAN 400. It may be.

  Furthermore, the present invention can be applied not only to IC card authentication but also to an authentication system using biometric authentication such as fingerprint.

  An IC card authentication table stored in the IC card authentication server 200 may be stored in the HDD 304 of the multi-function device 100, and authentication processing (FIG. 11) may be performed in the multi-function device 100.

  Hereinafter, the hardware configuration of the information processing apparatus applicable to the IC card authentication server 200, the directory service server 300, and the client PC 700 illustrated in FIG. 1 will be described with reference to FIG.

  FIG. 2 is a block diagram showing a hardware configuration of an information processing apparatus applicable to the IC card authentication server 200, the directory service server 300, and the client PC 700 shown in FIG.

  In FIG. 2, reference numeral 201 denotes a CPU that comprehensively controls each device and controller connected to the system bus 204. Further, the ROM 202 or the external memory 211 is necessary to realize a BIOS (Basic Input / Output System) or an operating system program (hereinafter referred to as an OS), which is a control program of the CPU 201, or a function executed by each server or each PC. Various programs to be described later are stored.

  A RAM 203 functions as a main memory, work area, and the like for the CPU 201. The CPU 201 implements various operations by loading a program or the like necessary for execution of processing from the ROM 202 or the external memory 211 into the RAM 203 and executing the loaded program.

  An input controller 205 controls input from a keyboard (KB) 209 or a pointing device such as a mouse (not shown). A video controller 206 controls display on a display 210 such as a liquid crystal display. These are used by the administrator as needed.

  A memory controller 207 is provided in an external storage device (hard disk (HD)), flexible disk (FD), or PCMCIA card slot for storing a boot program, various applications, font data, user files, editing files, various data, and the like. Controls access to an external memory 211 such as a compact flash (registered trademark) memory connected via an adapter.

  A communication I / F controller 208 connects and communicates with an external device via a network (for example, the LAN 400 shown in FIG. 1), and executes communication control processing in the network. For example, communication using TCP / IP is possible.

  Note that the CPU 201 enables display on the display 210 by executing outline font rasterization processing on a display information area in the RAM 203, for example. Further, the CPU 201 enables a user instruction with a mouse cursor (not shown) on the display 210.

  Various programs to be described later for realizing the present invention are recorded in the external memory 211 and executed by the CPU 201 by being loaded into the RAM 203 as necessary. Furthermore, definition files and various information tables used when executing the program are also stored in the external memory 211, and a detailed description thereof will be described later.

  Next, the hardware configuration of the multifunction peripheral 100 as the image forming apparatus of the present invention will be described with reference to FIG.

  FIG. 3 is a block diagram illustrating an example of a hardware configuration of the multifunction peripheral 100 illustrated in FIG.

  In FIG. 3, reference numeral 316 denotes a controller unit which is connected to a scanner unit 314 functioning as an image input device and a printer unit 312 functioning as an image output device, while being connected to a LAN (for example, the LAN 400 shown in FIG. 1) or a public line ( (WAN) (for example, PSTN or ISDN) to input / output image data and device information.

  In the controller unit 316, reference numeral 301 denotes a CPU, which is a processor that controls the entire system. A RAM 302 is a system work memory for the CPU 301 to operate, and is also a program memory for recording a program and an image memory for temporarily recording image data.

  A ROM 303 stores a system boot program and various control programs. An external storage device (hard disk drive (HDD)) 304 stores various programs for controlling the system, image data, and the like.

  An operation unit interface (operation unit I / F) 307 is an interface unit with the operation unit (UI) 308 and outputs image data to be displayed on the operation unit 308 to the operation unit 308. The operation unit I / F 307 serves to transmit information (for example, user information) input by the system user from the operation unit 308 to the CPU 301. Note that the operation unit 308 includes a display unit having a touch panel, and various instructions can be given by a user pressing (touching with a finger or the like) a button displayed on the display unit.

  A network interface (Network I / F) 305 is connected to a network (LAN) and inputs / outputs data. A modem (MODEM) 306 is connected to a public line and inputs / outputs data such as FAX transmission / reception.

  An external interface (external I / F) 318 is an I / F unit that accepts external inputs such as USB, IEEE 1394, printer port, RS-232C, etc. In this embodiment, an IC card (storage medium) required for authentication ) Is connected to the external I / F unit 318. The CPU 301 can control reading of information from the IC card by the card reader 319 via the external I / F 318, and can acquire information read from the IC card. The above devices are arranged on the system bus 309.

  Reference numeral 320 denotes an image bus interface (IMAGE BUS I / F), which is a bus bridge that connects the system bus 309 and an image bus 315 that transfers image data at high speed, and converts the data structure.

  The image bus 315 is configured by a PCI bus or IEEE1394. The following devices are arranged on the image bus 315.

  A raster image processor (RIP) 310 develops vector data such as a PDL code into a bitmap image. A printer interface (printer I / F) 311 connects the printer unit 312 and the controller unit 316 and performs synchronous / asynchronous conversion of image data. A scanner interface (scanner I / F) 313 connects the scanner unit 314 and the controller unit 316 and performs synchronous / asynchronous conversion of image data.

  An image processing unit 317 performs correction, processing, and editing on input image data, and performs printer correction, resolution conversion, and the like on print output image data. In addition to this, the image processing unit 317 performs image data rotation and compression / decompression processing such as JPEG for multi-valued image data and JBIG, MMR, MH for binary image data.

  The scanner unit 314 illuminates an image on paper as a document and scans it with a CCD line sensor, thereby converting it into an electrical signal as raster image data. The original paper is set on the tray of the original feeder, and when the apparatus user gives a reading start instruction from the operation unit 308, the CPU 301 gives an instruction to the scanner unit 314, and the feeder feeds the original paper one by one to read the original image. Perform the action.

  The printer unit 312 is a part that converts raster image data into an image on paper. The method is an electrophotographic method using a photosensitive drum or a photosensitive belt, and ink is ejected from a micro nozzle array directly on the paper. There is an inkjet method for printing an image, but any method may be used. The activation of the printing operation is started by an instruction from the CPU 301. The printer unit 312 has a plurality of paper feed stages so that different paper sizes or different paper orientations can be selected, and has a paper cassette corresponding thereto.

  The operation unit 308 has an LCD display unit, and a touch panel sheet is pasted on the LCD. The operation unit 308 displays an operation screen of the system. When a displayed key is pressed, the position information is displayed on the operation unit I / F 307. To the CPU 301 via The operation unit 308 includes, for example, a start key, a stop key, an ID key, a reset key, and the like as various operation keys.

  Here, the start key of the operation unit 308 is used when starting a document image reading operation. At the center of the start key, there are two color LEDs, green and red, which indicate whether or not the start key can be used. Further, the stop key of the operation unit 308 functions to stop the operation in operation. The ID key of the operation unit 308 is used when inputting the user ID of the user. The reset key is used when initializing settings from the operation unit.

  The card reader 319 reads information stored in an IC card (for example, Sony FeliCa (registered trademark)) under the control of the CPU 301, and reads the read information via the external I / F 318. The CPU 301 is notified. The controller unit 316, the printer unit 312, the scanner unit 314, the operation unit 308, and the card reader 319 are provided in the same casing in the multifunction device 100.

  Next, processing of the IC card authentication system will be described using a functional block diagram of the MFP 100 and the IC card authentication server 200 in the IC card authentication system of FIG.

  The multi-function device 100 includes functional units 401 to 407, and the CPU 301 executes the functional units. The IC card authentication server 200 has 408 to 412 functional units, and the CPU 201 executes the functional units.

  First, the user information setting unit 408 of the MFP 100 acquires user information from the directory service server 300 and stores it in the IC card authentication table of FIG. For the stored user information, the function restriction information 530 for the case other than the card number 511, the function restriction information 507, and the device restriction information 520 device group is set via the user information editing screen of FIG. Also, a device group is generated via the device management screen of FIG. 6, and an IP address and a subnet mask are set in the device group.

  When the authentication information acquisition unit 401 detects an IC card that can be read by the card reader 319, the authentication information acquisition unit 401 acquires personal authentication information in the IC card. The authentication information transmission unit 402 transmits the acquired personal authentication information to the IC card authentication server 200 as an authentication request. In this authentication request, the IP address of the multifunction device 100 is also transmitted. This IP address includes an IP address transmitted over TCP / IP communication. The personal authentication information is information used for authentication and may be a manufacturing number of the IC card.

  The authentication information receiving unit 409 of the IC card authentication server 200 receives personal authentication information from the multifunction device 100. The authentication unit 410 performs authentication processing of the received personal authentication information based on the IC card authentication table (FIG. 5) stored on the external storage device of the IC card authentication server 200, and the IC card authentication table (FIG. 5). ) Includes personal authentication information, it is determined whether the MFP 100 can be used with the authority normally used by the user according to the IP address that can be acquired when the personal authentication information is received and the device restriction information 520 in FIG. To do. Information received by the authentication information receiving unit 409 includes at least a user name (user identification information), and a password, authentication destination information, and an IP address (identification information of the image forming apparatus) of the multifunction device 100 according to a user input. It is information to include.

  When the acquired IP address is included in the device group information, the authentication result transmission unit 411 sends the user information including the authority (function restriction information 507) normally available to the user and the authentication OK authentication result to the multi-function device 100. Send. Further, when the acquired IP address is not included in the device group information, the authentication result transmission unit 411 authenticates the user information including the authority (function restriction information 530) when using the device not included in the device group and the authentication. The authentication result of OK is transmitted to the multifunction device 100. Further, the authentication result transmission unit 411 has a case where the personal authentication information is not included in the IC card authentication table (FIG. 5), and a case where the acquired IP address is not included in the device group information and no device group is set. Transmits the authentication result of the authentication NG to the multi-function device 100.

  Note that the authentication result includes information for identifying whether the user can normally use the authority (function restriction information 507) or the authority when using a device not included in the device group (function restriction information 530). In this identification information, the authority (function restriction information 507) that can be normally used by the user is flag “0”, and the authority when using a device not included in the device group (function restriction information 530) is flag “1”. A flag is included in the authentication result. Alternatively, the function restriction information is defined for each of the authority that the user can normally use (function restriction information 507) and the authority for using a device that is not included in the device group (function restriction information 530). Alternatively, the function restriction information name may be provided with identifiable information, and the function restriction information name may be included in the authentication result.

  Further, it is assumed that the authority (function restriction information 530) when using the device is set to be lower than the authority (function restriction information 507) that is normally available to the user. When the authority at the time of use (function restriction information 530) is higher authority, the lower authority is used for items that do not match.

  The authentication result receiving unit 403 of the MFP 100 receives the authentication result from the IC card authentication server 200, and the authentication result storage unit 404 stores the user information of the authentication result in the RAM 302. When the authority information included in the user information stored in the RAM 302 is an authority that can be normally used by the user (function restriction information 507), the authority determination unit 405 transmits the information to the multifunction peripheral 100 according to the function restriction information 507. Log in. This login is to make a login request to the platform (for example, operating system) of the multifunction machine 100 using the function restriction information 507. The platform side of the multifunction device 100 that has received the login request refers to the function restriction information 507 and restricts the use of the print function and scan function of the multifunction device 100.

  8 is displayed on the operation unit 308 when the authority information included in the user information is an authority (function restriction information 530) for using a device not included in the device group. And login to the MFP 100 according to the authority (function restriction information 530) when using a device not included in the device group, which is lower than the authority (function restriction information 507) that the user can normally use. . This login is to make a login request to the platform (for example, operating system) of the multifunction machine 100 using the function restriction information 530. The platform side of the multifunction device 100 that has received the login request refers to the function restriction information 530 and restricts the use of the print function and the scan function of the multifunction device 100.

  Also, in the case of using the authority (function restriction information 530) when using a device not included in the device group, the device group search request unit 407 uses the authority (function restriction information) normally available to the user according to the user's instruction. 507), a request is made to the IC card authentication server 200 using user information (for example, a user name or a card number) in order to acquire a multifunction device that can be used or a location (floor name) where the multifunction device is installed. In addition, the device group search unit 412 of the IC card authentication server 200 acquires the device group 521 according to the user information included in the request, and transmits the device group 521 to the multifunction device 100.

  The display control unit 406 of the MFP 100 displays the search result display screen 800B of FIG. 8 using the device group received from the IC card authentication server 200. When a plurality of user information is received from the IC card authentication server 200, the plurality of user information is displayed so that one user for logging in can be selected from the plurality of user information.

  The multi-user determining unit 414 of the multi-function peripheral 100 determines whether there are a plurality of user information received from the IC card authentication server 200. In the user information selection unit 415, it is determined that there is a plurality of user information by the multiple user determination unit 414, the plurality of user information is displayed by the display control unit 406, and the user presses any one of the plurality of user information. Thus, user information to be logged in is selected (determined). The login unit 416 performs a login process using the user information selected by the user information selection unit 415.

  Next, the IC card authentication table will be described with reference to FIG.

  FIG. 5 is a data configuration diagram showing an example of an IC card authentication table in the IC card authentication system of the present embodiment. The IC card authentication table is stored in the external memory 211 of the IC card authentication server 200.

  As shown in FIG. 5, the IC card authentication table includes a card number 511, validity information 512, a card name 515, a user name 501, an authentication domain name 502, a mail address 504, an expiration date 505, a valid / invalid 506, a function. It is composed of restriction information 507, department ID 508, department password 509, device restriction information 520, function restriction information 530 for cases other than device groups, and the like. The device restriction information 520 includes a device group 521, an IP address 522, and a subnet mask 523.

Information in the IC card authentication table is managed using the card number as a key.

  The card number 511, validity information 512, and card name 513 are card information of an IC card for the user to use the multifunction device 100. In the present embodiment, the card information of the IC card is key information that permits (uses user authentication) use of the multifunction peripheral 100 (image forming apparatus).

  The card number 511 is a string of numbers and characters for identifying individual cards, and is information for comparing the card number with the card number read from the IC card by the card reader 319. Authentication succeeds, and if they do not match, authentication fails. The validity information 512 and the card name 513 will be described later.

  The user name 501 is the name of the user who uses the multifunction device 100 and is information included in the authentication result. Login to the multifunction device 100 is performed with this user name. When the user logs in, the user name is displayed on the operation unit 308.

  The authentication domain name 502 indicates where the authentication destination server is on the network. The authentication destination is the IC card authentication server 200, the directory service server 300, or the like.

  An e-mail address 504 is an e-mail address owned by the user, and is used when notifying the user about the use of the multifunction device 100. The expiration date 505 is an expiration date for use of the multifunction device 100 determined by the user. When the expiration date is exceeded, the user cannot use the multifunction device 100.

  Valid / invalid 506 is information indicating whether or not the user can use the multifunction device 100. When the MFP 100 cannot be used due to reasons such as exceeding the expiration date, information indicating invalidity is written.

  The function restriction information 507 indicates contents for restricting the functions of the multifunction device when the multifunction device 100 included in the device group set for the user is used. The multifunction device normally used by the user (for example, There are some which restrict the functions of the floor multifunction devices that users usually use. The function restriction information 507 is realized by associating the function restriction information shown in FIG. Details of the function restriction information are described in FIG. The information stored in the function restriction information 507 stores a name associated with the function restriction information. The function restriction information 507 can be paraphrased as first function restriction information that defines functions that can be used by the MFP 100 included in the device group.

  The department ID 508 is an ID indicating the internal department to which the user belongs. The department password 509 is a password associated with the department ID 508.

  The password 531 is a user password corresponding to the user name 501. When IC card authentication is selected as the authentication destination during keyboard authentication, authentication is performed using the user name 501 and the password 531.

  The display name 532 is the name of the user who uses the multifunction peripheral 100, and is information corresponding to double-byte characters. When logged in, the user name 501 or the display name 532 is displayed on the operation unit 308.

  The cost burden code 533 is information indicating a cost burden source when the multifunction machine is used. This is used when performing operations such as charging the expenses incurred for printing or the like to the cost burden source, or when selecting which information a user having a plurality of user information logs in.

Specifically, the code of the department to which the user belongs is set as the cost burden code.

  The company code 534 is information indicating the company code to which the user belongs. The company code 534 is information assuming the same usage as the expense burden code 533.

  The outline regarding the validity information 512 and the card name 513 will be described below.

  The validity information 512 is numerical information registered in the IC card. This information is used, for example, to distinguish a lost IC card from a reissued IC card when the IC card is lost.

  For example, by adding one value from the validity information of the lost IC card and reissuing the IC card, it is possible to distinguish it from the lost IC card. It can prevent misuse of lost IC card and keep security.

  The card name 513 is displayed together when displaying the card number of the IC card on a card information deletion screen (not shown) or the like so that the user can easily discriminate it. The card name can be set on a card registration / card name input screen (not shown) at the time of card information registration.

  An outline of the device group 521, the IP address 522, and the subnet mask 523 will be described below.

  The device group 521 represents the name of the device group and is unique information. The IP address 522 is an IP address of a device group, and a plurality of IP addresses can be set for one device group. The subnet mask 523 is set with an IP address range.

  The device restriction information 520 is information stored by being set on the user editing screen of FIG. Further, the device restriction information that can be set on the user edit screen of FIG. 7 is information that can be set on the device management screen of FIG.

The function restriction information 530 for a device other than a device group indicates contents for restricting the functions of the MFP 100 that are not included in the device group. In addition, the function restriction information 530 can be paraphrased as first function restriction information that defines usable functions of the MFP 100 that are not included in the device group.

  In addition, the IP address 522 and the subnet mask 523 can be rephrased as a first address (identification information) for specifying a multifunction device that can be used by the user.

  In this embodiment, the device group is configured to manage the IP address of the multifunction device. However, the device group manages identification information of the multifunction device such as the MAC address of the multifunction device, and uses the identification information of the multifunction device to manage the device. It is also possible to specify a group.

  FIG. 15 is a diagram illustrating an example when each of the above-described user information is stored in the IC card authentication table.

  As shown in FIG. 15, a plurality of card numbers are associated with one user. For example, a plurality of card numbers, sid00001 and sid00002 are registered for the user 01 (user01). In the present embodiment, it is assumed that user information is registered in advance by an administrator.

  Note that the card number in FIG. 16 does not initially contain a card number value, and the card number can be registered by the user holding the IC card over the card reader of the multifunction device. is there.

  Next, processing for registering a device group will be described with reference to FIGS.

  Note that the processing of steps S901 to S905 in FIG.

  In step S901, the name of the device group is input to the text area 611, and the add group button 612 is pressed to register the device group. The registered device group is displayed at the top of the tree structure, such as 601 and 603.

  In step S902, device information (IP address or IP address and subnet mask) is registered for the registered device group. When registering using only the IP address, enter the IP address in the text area 613 and press the device addition button 616 for registration. The registered IP address is displayed below the tree structure as 602.

  When registering by IP address and subnet mask, the IP address is input in the text area 614, the subnet mask is input in the text area 615, and the device addition button 616 is pressed to register. The registered IP address is displayed in the lower part of the tree structure in the format of “IP address / subnet mask value” as 604. A plurality of device information can be registered for one device group.

The registered information is stored in the external memory 211 of the IC card authentication server 200. When registering with an IP address and a subnet mask, a specific network (network address (network information)) is designated, and is a setting for targeting a multi-function device in the network.

  Next, processing for registering the device group registered in FIG. 6 in the user information will be described with reference to FIGS.

  In step S903, it is determined whether to register the device group in the user information according to the user instruction. If it is determined to register, the process proceeds to step S904. If registration is not performed, that is, an end instruction is given, the process ends.

  In step S904, the device group to be registered in the user information is selected from the pull-down menu 703 on the user edit screen, and the add button 704 is pressed to register the device group to the user (device restriction information setting). A user can register a plurality of device groups. In the pull-down menu 703, the device group registered in FIG. 6 is set.

  In step S905, the user selects radio buttons 705 and 706 to set an operation when the IP address of the MFP 100 at the time of authentication does not correspond to the device group registered with the user (second function). Set restriction information). When the radio button 705 (cannot log in) is selected, no information is registered in the device restriction information 520 (a NULL value is set) so that authentication is NG.

  Also, when the radio button 706 (log in with the following group usage restrictions) is selected, the function restriction information specified in the pull-down menu 707 becomes the device restriction information so that the function restriction information specified in the pull-down menu 707 is authenticated. 520 is registered.

  Next, a process when the IC card is held over a card reader will be described with reference to FIG. In addition, when IC card authentication using an IC card is not performed, keyboard authentication using keyboard input can be performed according to a user operation. The process for keyboard authentication will be described with reference to FIG. It is to be noted that the screen is shifted to the keyboard authentication screen by pressing the “Click here if you do not have a card” button in FIG.

  Note that the processing of step S1001 and step S1012 to step S1017 is executed by the CPU 301 of the multifunction peripheral 100, and step S1001-1 is executed by the CPU 201 of the IC card authentication server 200. Note that the processing in step S1001-1 will be described with reference to FIG.

  First, in step S1001, card information is acquired from an IC card held by a user (first identification information is acquired), and an IP address of the multifunction device 100 is acquired (second address is acquired). The acquired card information and the IP address of the MFP 100 are transmitted to the IC card authentication server 200 (authentication request transmission).

In step S1001-1, the IC card authentication server 200 receives the card information and the IP address of the multi-function device 100, and performs authentication processing.
Here, the authentication process will be described with reference to FIG.

  Note that the processing in steps S1002 to S1011 is executed by the CPU 201 of the IC card authentication server 200.

  In step S1002, the card information and the IP address of the multifunction device 100 are received (authentication request reception).

  In step S1003, user information is searched from the IC card authentication table of FIG. 5 based on the card information received in step S1002.

  In step S1004, if the user information (information in the IC card authentication table 501 to 530) can be acquired as a result of the search in step S1003, the process proceeds to step S1005 as successful authentication (authentication OK). When user information cannot be acquired (when user information is not registered), the process proceeds to step S1011.

  In step S1005, the IP address of the MFP 100 received in step S1002 is compared with the device restriction information of the user information acquired in step S1003. Specifically, the IP address 522 or / IP address 522 and subnet mask 523 are used to check whether the IP address of the MFP 100 included in the device group (use determination).

  In step S1006, if it is determined that the MFP is included in the device group as a result of the comparison in step S1005, the process proceeds to step S1007. If it is determined that the MFP is not included in the device group, the process proceeds to step S1008.

  If it is determined in step S1007 that the MFP is included in the device group, the result of authentication OK and the authentication result of user information (e-mail address 504, function restriction information 507, etc.) are transmitted to the MFP 100 (authentication result transmission). . This authentication result has identification information (such as a flag) indicating that the function restriction information 507 normally used by the user is included.

  In step S1008, when it is determined that the MFP is not included in the device group, it is determined whether authentication is performed when there is an authentication request from the MFP other than the device group. Whether or not to authenticate is determined by the function restriction information 530 in the case other than the device group. If the function restriction information is included in the function restriction information 530 in the case other than the device group, that is, if 707 is set in FIG. 7, the process proceeds to step S1009. If the function restriction information is not included in the function restriction information 530 other than the device group (in the case of a NULL value), that is, if 706 is set in FIG. 7, the process proceeds to step S1011.

  In step S1009, the function restriction information is acquired from the function restriction information 530 in the case other than the device group.

  In step S1010, the result of authentication OK (authentication OK with function restriction information in a case other than a device group) and the authentication result of user information (e.g., email address 504, function restriction information 530 in a case other than a device group) are sent to the MFP 100. Send (send authentication result). This authentication result has identification information (such as a flag) indicating that the function restriction information 530 for cases other than the device group is included.

  In step S <b> 1011, an authentication NG authentication result is transmitted to the multifunction peripheral 100.

  Subsequently, returning to FIG. 10, in step S <b> 1012, the multi-function device 100 receives the authentication result from the IC card authentication server 200.

  In step S1013, the authentication result from the IC card authentication server 200 received in step S1012 is determined. If the authentication is OK, the process proceeds to step S1014. If the authentication is NG, the process proceeds to step S1017.

  If the authentication is OK, the user information included in the authentication result is stored in the RAM 302.

  In step S1017, an authentication NG screen (not shown) indicating that the authentication could not be performed is displayed on the operation unit 308.

  In step S1014, it is determined from the identification information included in the authentication result whether the function restriction information 530 for the device group other than the device group indicates that the authentication is OK. If the function restriction information 530 other than the device group indicates authentication OK, the process proceeds to step S1016. If the function restriction information 507 normally used by the user indicates authentication OK, the process proceeds to step S1015. Move.

  In other words, the process of step S1014 is a process of determining whether or not the MFP can log in using the function restriction information 507 (first function restriction information). If the MFP can log in using the function restriction information 507 (first function restriction information), the process proceeds to step S1015, and login is possible using the function restriction information 507 (first function restriction information). If the MFP is not a multifunction device, the process proceeds to step S1016.

  In step S 1015, the MFP 100 is logged in according to the function restriction information 507 of the user information stored in the RAM 302, and an initial screen (not shown) after login is displayed on the operation unit 308. The initial screen is a screen displayed as a default after login, and can be arbitrarily set by the administrator. Examples of the initial screen include a print operation screen and a scan operation screen. This login is to make a login request to the platform (for example, operating system) of the multifunction machine 100 using the function restriction information 507. The platform side of the multifunction device 100 that has received the login request refers to the function restriction information 507 and restricts the use of the print function and scan function of the multifunction device 100.

  Note that after the initial screen is displayed, the function selected by the user and having no function restriction is executed. For example, when executing the print function, a print job output from the client PC 700 and including the user name of the user who has logged in to the client PC 700 is stored in the HDD 304 of the MFP 100, and corresponds to the user name logged in from this print job. The print job to be acquired is acquired and the print job list is displayed. When the user selects a print job displayed in a list, the print job is acquired from the HDD 304 and output from the printer unit 312.

In step S1016, the log-in process is performed using the function restriction information 530 in the case other than the device group without using the function restriction information 507 that is normally used by the user. In order to notify
A function restriction confirmation screen 800 </ b> A of FIG. 8 is displayed on the operation unit 308.

  Here, the screen of FIG. 8 will be described. When login processing is performed using the function restriction information 507 that is normally used by the user, the function restriction confirmation screen 800A is not displayed, and the function restriction confirmation screen 800A is displayed when the function restriction information 530 for a device group other than the device group is used. Is displayed.

  The function restriction confirmation screen 800A includes a search button 801 for searching for a multifunction machine that can perform login processing using the function restriction information 507 that is normally used by the user, and function restriction information 530 for a device other than the device group. And an OK button 804 that can be used to instruct to perform login processing.

  When the search button 801 is pressed by the user, the name of the device group obtained by transmitting user information from the multifunction device 100 to the IC card authentication server 200 is displayed on the search result display screen 800B. The search result display screen 800B can also display information for specifying a multifunction peripheral that can perform login processing using the function restriction information 507 that is normally used by the user. The information for specifying the MFP is a computer name (multifunction machine name (device name)) converted from the IP address using the IP address 602 and DNS (Domain Name Service) in FIG.

  The search result display screen 800 </ b> B is applied with a return button 802 for returning to the screen on which the function restriction confirmation screen 800 </ b> A is displayed and function restriction information 530 for a device group other than the device group. An end button 803 is provided to prevent the user from logging in when processing is considered impossible.

  When the end button 803 is instructed by the user, the multifunction peripheral 100 that has detected the instruction ends the process without logging in. Then, when the user holds the card over the card reader 319, the process waits for the processing to proceed to step S1001.

  Subsequently, returning to FIG. 10, in step S1018, it is determined whether or not the search button 801 on the function restriction confirmation screen 800A has been pressed. If the search button 801 is pressed, the process proceeds to step S1201 in FIG. If the OK button 804 is pressed, the process proceeds to step S1015. In this case, in step S1015, the function restriction information 530 for a device group other than the device group is applied and a login is performed, and an initial screen is displayed on the operation unit 308. This login is to make a login request to the platform (for example, operating system) of the multifunction machine 100 using the function restriction information 530. The platform side of the multifunction device 100 that has received the login request refers to the function restriction information 530 and restricts the use of the print function and the scan function of the multifunction device 100.

  Note that after the initial screen is displayed, the function selected by the user and having no function restriction is executed. For example, when executing the print function, a print job output from the client PC 700 and including the user name of the user who has logged in to the client PC 700 is stored in the HDD 304 of the MFP 100, and corresponds to the user name logged in from this print job. The print job to be acquired is acquired and the print job list is displayed. When the user selects a print job displayed in a list, the print job is acquired from the HDD 304 and output from the printer unit 312.

  Next, device group search processing will be described with reference to FIG.

  Note that the processing of steps S1201 and S1205 to S1207 is executed by the CPU 301 of the multifunction peripheral 100. Further, the processing of steps S1202 to S1204 is executed by the CPU 201 of the IC card authentication server 200.

  In step S1201, IC card authentication is performed in order to acquire the name of a multifunction device or device group (for example, the floor where the multifunction device is installed) that can be logged in using the function restriction information 507 that is normally used by the user. A device group request including user information (for example, user name and card information) stored in the RAM 302 is transmitted to the server 200 (transmission of search request). In addition to the user information stored in the RAM 302, the card information acquired in step S1001 can be used.

  In step S1202, a device group request including user information (for example, user name and card information) is received from the multi-function device 100 (reception request reception).

  In step S1203, based on the user information, the IC card authentication table of FIG. 5 stored in the external memory of the IC card authentication server 200 is searched to obtain the device restriction information 520 (521, 522, 523). .

  In step S1204, the device group 521 is transmitted from the acquired device restriction information 520 to the requested MFP 100 (device restriction information transmission). In this embodiment, the device group 521 of the acquired device restriction information 520 is transmitted. However, the IP address 522 or the computer name converted from the IP address 522 (multifunction device name) may be transmitted. Good. This can be arbitrarily set by the administrator, and information corresponding to the setting is transmitted to the multi-function device 100.

  In step S1205, the device group 521 is received from the IC card authentication server 200.

  In step S1206, the search result display screen 800B of FIG. 8 is displayed on the operation unit 308 of the multifunction peripheral 100 in accordance with the received device restriction information 520 (device restriction information display).

  In step S1207, it is determined whether or not the return button 802 on the search result display screen 800B has been pressed. If it is determined that the return button 802 is pressed, the screen returns to the screen displaying the function restriction confirmation screen 800A shown in FIG. 8 and waits until the user detects that the search button 801 or the OK button 804 is pressed. If the end button 803 is pressed, the process ends, and the user information stored in the RAM 302 of the multi-function device 100 is deleted.

  Next, the function restriction information will be described with reference to FIGS. FIG. 13 is a diagram illustrating setting of function restriction information stored in the function restriction information 507 and the function restriction information 530 in a case other than the device group. FIG. 14 is a diagram illustrating an association table that associates function restriction information with authority groups.

  The function restriction information can set the use restrictions of each function of the multifunction device 100 in detail. For example, by setting “Allow / Do not allow” printing of device restriction items, it is possible to specify restrictions on whether to allow printing. . This function restriction information is set in advance by the administrator, and is stored in association with an authority group name 1401 arbitrarily given by the administrator as shown in the authority group setting information in FIG.

  A plurality of function restriction information can be associated with one authority group name 1401. Further, each function restriction information is provided with a function restriction information name 1402, and the function restriction information name 1402 is used for association.

  In this embodiment, the function restriction information 507 and the function restriction information 530 for the case other than the device group store a function restriction information name 1402, and the functions set in FIG. 13 corresponding to the function restriction information name 1402. The restriction information is transmitted to the multifunction device 100.

  The information set in 707 in FIG. 7 is the authority group in FIG. 14. When the authority group is set here, the function restriction information name corresponding to the authority group is derived from FIG. It is stored in the function restriction information 530 when the name is other than the device group. Reference numeral 707 denotes an example in which a GeneralUser is set. In this case, since the function restriction information B can be acquired with reference to FIG. 14, “function restriction information B” is included in the function restriction information 530 other than the device group. Stored.

  This can be realized even in a configuration in which the function restriction information 530 stores the authority group (for example, GeneralUser) set in 707.

  Next, an authentication process (keyboard authentication) when a user name and a password are input will be described with reference to FIG.

  Note that the processing of step S2001 and step S2003 to step S2013 is executed by the CPU 301 of the multifunction peripheral 100, and step S2002 is executed by the CPU 201 of the IC card authentication server 200. Note that the processing in step S2002 will be described with reference to FIG.

  First, in step S2001, an input of a user name (user identification information), a password, and authentication destination information input by the user is received (input reception), the information is acquired (second identification information is acquired), Also, the IP address of the multifunction device 100 is acquired (a second address is acquired). The acquired user name, password, authentication destination information and IP address (identification information of the image forming apparatus) of the MFP 100 are transmitted to the IC card authentication server 200 (transmission of user identification information).

  In step S2002, the IC card authentication server 200 receives the user name, password, authentication destination information, and the IP address of the multifunction device 100, and performs keyboard authentication processing.

  Here, keyboard authentication processing will be described with reference to FIG.

  Note that the processing of steps S3001 to S3016 is executed by the CPU 201 of the IC card authentication server 200.

  In step S3001, the user name, password, authentication destination, and IP address of the multifunction device 100 are received (keyboard authentication request reception).

  In step S3002, based on the user name, password, and authentication destination information received in step S3001, authentication is executed using the user name and password for the specified authentication destination. Authentication destinations include IC card authentication and directory services (such as Active Directory (registered trademark)).

When the authentication destination is an IC card authentication server, authentication is performed using the user name and password with respect to the IC card authentication table of FIG. (Search using user name and password.)

  In step S3003, the authentication result of step S3002 is determined. If the authentication is successful, the process proceeds to step S3004. If the authentication fails, the process moves to step S3007. (Step S3007 will be described later.)

  In step S3004, user information is searched using the user name with respect to the IC card authentication table of FIG. User information associated with the searched user name is stored in the RAM 203.

  In step S3005, the search result in step S3004 is determined. If the user information can be acquired, the process proceeds to step S3006. If not acquired, the process proceeds to step S3007. (Step S3007 will be described later.)

  In steps S3006 to S3015, the process is repeated as many times as the number of acquired user information. That is, one or more pieces of user information associated with the user name are acquired.

  In step S3008, the IP address of the MFP 100 received in step S3001 is compared with the device restriction information of the user information acquired in step S3004. Specifically, the IP address 522 or / IP address 522 and subnet mask 523 are used to check whether the IP address of the MFP 100 included in the device group (use determination).

  In step S3009, if it is determined from the comparison result in step S3008 that the MFP is included in the device group, the process proceeds to step S3010. If it is determined that the MFP is not included in the device group, the process proceeds to step S3011. A multifunction device included in the device group indicates that the user can use the multifunction device.

  If it is determined in step S3010 that the MFP is included in the device group, the authentication OK result and user information (e-mail address 504, function restriction information 507, etc.) are held in the RAM 203, and the process proceeds to step S3015.

  In step S3011, when it is determined that the MFP is not included in the device group, it is determined whether the function is restricted and the authentication is OK when there is an authentication request from the MFP other than the device group. Whether the authentication is OK is determined based on the function restriction information 530 in the case other than the device group. If the function restriction information is included in the function restriction information 530 other than the device group, that is, if 707 is set in FIG. 7, the process proceeds to step S3012. If the function restriction information is not included in the function restriction information 530 other than the device group (in the case of a NULL value), that is, if 706 is set in FIG. 7, the process proceeds to step S3014.

  In step S3012, the function restriction information is acquired from the function restriction information 530 for cases other than device groups.

  In step S3013, the result of authentication OK (authentication OK with function restriction information in a case other than a device group) and user information (e-mail address 504, function restriction information 530 in a case other than a device group) are stored in the RAM 203, The process moves to S3015. This authentication result has identification information (such as a flag) indicating that the function restriction information 530 for cases other than the device group is included.

  In step S3014, since the corresponding user information is authentication NG information, the user information is discarded and the process proceeds to step S3015. That is, since it is a user that cannot be used in a device group other than the device group, the user information is deleted from the user information acquired in step S3004 so as not to be stored in the RAM 203.

  In step S3015, iterative processing is determined. If user information that has not been processed in steps S3008 to 3014 remains among the user information acquired in step S3004 and stored in the RAM 203, the process proceeds to step S3008. If no user information that has not been processed in steps S3008 to 3030 remains among the user information acquired in step S3004 and held in the RAM 203, the process proceeds to step S3016. By this process, a user that can be used in the destination multi-function peripheral that has received the authentication request in step S3001 is determined.

  In step S3016, it is determined from the processing results in steps S3006 to S3015 whether there is user information for authentication OK. If user information for authentication OK exists (if user information exists in the RAM 203), the process proceeds to step S3017. If user information for authentication OK does not exist (when user information does not exist in the RAM 203), the process proceeds to step S3007.

  In step S3017, all the user information and authentication result of authentication OK (authentication OK or authentication OK with function restriction information in a case other than device group) are all transmitted to the MFP 100 (keyboard authentication result transmission).

  In step S3007, an authentication NG authentication result is transmitted to the multi-function device 100.

  Subsequently, returning to FIG. 16, in step S <b> 2003, the multi-function device 100 receives the authentication result from the IC card authentication server 200.

  In step S2004, the authentication result from the IC card authentication server 200 received in step S2003 is determined. If it is authentication NG, the process proceeds to step S2005. If it is not authentication NG, the process proceeds to step S2006. (Step S2005 will be described later.)

  In step S2006, it is determined whether or not there is a plurality of pieces of user information that are authentication results from the IC card authentication server 200 received in step S2003. If there is a plurality of pieces of user information, the process proceeds to step S2007. If there is no single user information, the process proceeds to step S2010. (Step S2010 will be described later.)

  In step S2007, since there are a plurality of pieces of user information, a login information selection screen 1900 (FIG. 19) for selecting which information to log in is displayed on the operation unit 308.

  Here, the screen of FIG. 19 will be described. The login information selection screen 1900 shown in FIG. 19 shows a case where there is a plurality of user information (when a plurality of user information is held with the same user name in the IC card authentication table) and the keyboard authentication is performed. It is a screen for selecting whether or not to log in with user information.

  In FIG. 19, a screen for selecting a cost burden code is used as information for selection, but a screen for displaying other user information (e-mail address, display name, etc.) may be used. Alternatively, a screen that displays all user information (a screen that displays all e-mail addresses, display names, and the like) can be used. That is, the screen configuration is selectable so that one piece of user information to log in can be determined.

  The login information selection screen 1900 has a cost burden code list 1901 used to select which user information is used to log in, a login button 1903 for logging in with the selected cost burden code, and a screen for returning to the initial screen. A cancel button 1902 is provided.

  As described above, the cost burden code list 1901 can display a list of mail addresses and display names instead of the cost burden codes.

It is also possible to display not only one item but also a plurality of items of user information. (Display name, email address, expense code, etc.)

In this case, the screen configuration may be such that the next user information is displayed and selected in accordance with the pressing of the “next user” button in the page format instead of the list format. (Not shown)

  Subsequently, returning to FIG. 16, in step S2008, the user information pressed by the user is determined (selected), and the information is held (obtained) in order to use the selected user information as login information.

  In step S2009, the plurality of user information received in step S2003 and the authentication result (authentication OK or authentication OK with function restriction information for devices other than device groups) are all stored in the RAM 302. This information is used when logging in again with different user information after logging in (see FIG. 18).

  In step S2010, it is determined from the identification information included in the authentication result whether the function restriction information 530 for the device group other than the device group indicates that the authentication is OK. If the function restriction information 530 other than the device group indicates authentication OK, the process proceeds to step S2011. If the function restriction information 507 normally used by the user indicates authentication OK, the process proceeds to step S2013. Move.

  If the authentication is OK, the user information included in the authentication result is stored in the RAM 302. More specifically, it is stored in an area (login context) for managing the logged-in user. In addition, although it was set as the structure which memorize | stores user information in the process of step S2013, it is also possible to comprise so that user information may be memorize | stored after the process of step S2008. It may be stored at any timing as long as it is a timing for logging in to the multifunction machine.

  In other words, the process of step S2010 is a process of determining whether or not the MFP can be logged in using the function restriction information 507 (first function restriction information). If the MFP can log in using the function restriction information 507 (first function restriction information), the process proceeds to step S2011, and login is possible using the function restriction information 507 (first function restriction information). In the case of a multifunction device that is not, the process proceeds to step S2013.

  In step S2013, the MFP 100 is logged in according to the function restriction information 507 of the user information stored in the RAM 302, and an initial screen (not shown) after login is displayed on the operation unit 308. The initial screen is a screen displayed as a default after login, and can be arbitrarily set by the administrator. Examples of the initial screen include a print operation screen and a scan operation screen. This login is to make a login request to the platform (for example, operating system) of the multifunction machine 100 using the function restriction information 507. The platform side of the multifunction device 100 that has received the login request refers to the function restriction information 507 and restricts the use of the print function and scan function of the multifunction device 100.

  Note that the login in step S2013 is performed when it is determined that a plurality of user information does not exist, the user logs in using one user information acquired from the IC card authentication server, and a plurality of users are determined to exist. Logs in using the selected user information.

  Note that after the initial screen is displayed, the function selected by the user and having no function restriction is executed. For example, when executing the print function, a print job output from the client PC 700 and including the user name of the user who has logged in to the client PC 700 is stored in the HDD 304 of the MFP 100, and corresponds to the user name logged in from this print job. The print job to be acquired is acquired and the print job list is displayed. When the user selects a print job displayed in a list, the print job is acquired from the HDD 304 and output from the printer unit 312.

In step S2011, the log-in process is performed using the function restriction information 530 for the case other than the device group without using the function restriction information 507 that is normally used by the user. In order to notify this, the function restriction confirmation screen 800A shown in FIG.
(The description of FIG. 8 is as described above.)

  In step S2012, it is determined whether or not the search button 801 on the function restriction confirmation screen 800A has been pressed (search instruction determination). If the search button 801 is pressed, the process proceeds to step S1201 (FIG. 12) in FIG. In the present embodiment, the IC card authentication server is configured to make a request for acquiring information (device group) of a multifunction peripheral that can be used with normal function restrictions. However, the authentication result (user) received in step S2003 is used. Information) includes information on a multifunction device (device group) that can be used with normal function restrictions, and displays the information on the multifunction device (device group) in step S1207 without requesting the IC card authentication server. Also good.

  If the OK button 804 is pressed, the process proceeds to step S2013. In this case, in step S2013, the function restriction information 530 for a device group other than the device group is applied to log in, and an initial screen is displayed on the operation unit 308. This login is to make a login request to the platform (for example, operating system) of the multifunction machine 100 using the function restriction information 530. The platform side of the multifunction device 100 that has received the login request refers to the function restriction information 530 and restricts the use of the print function and the scan function of the multifunction device 100.

  Note that after the initial screen is displayed, the function selected by the user and having no function restriction is executed. For example, when executing the print function, a print job output from the client PC 700 and including the user name of the user who has logged in to the client PC 700 is stored in the HDD 304 of the MFP 100, and corresponds to the user name logged in from this print job. The print job to be acquired is acquired and the print job list is displayed. When the user selects a print job displayed in a list, the print job is acquired from the HDD 304 and output from the printer unit 312.

  In step S2005, an authentication NG screen (not shown) indicating that the authentication could not be performed is displayed on the operation unit 308.

  Next, the login information change process after login will be described with reference to FIG.

  In step S4001, it is determined whether a login information change button (not shown) is pressed on the operation unit 308 by the user. If the login information change button has been pressed, the process proceeds to step S4002 (user switching). Note that the login change button is displayed on the touch panel of the operation unit 308. However, the login change button only needs to be configured so that login information can be changed. Button) may be configured.

  The login information can be changed by the user at an arbitrary timing.

  In step S4002, the user information stored in the RAM 302 in step S2009 is acquired, and a screen for selecting which user information to log in from among the acquired user information is displayed on the operation unit 308 (FIG. 19).

  In step S4003, user information is acquired in order to use the selected user information as login information.

  In step S4004, the plurality of user information displayed in step S4002 and the authentication result (authentication OK or authentication OK with function restriction information in cases other than device groups) are all stored (stored) in the RAM 302. This information is information used when logging in again with different user information after logging in. Since user information is already stored in the RAM 302, this process can be omitted.

  In addition, in the above-described steps S2008 and S4004, the selected user information may not be held.

  Hereinafter, step S4005 to step S4008 are the same as the processing of step S2010 to step S2013 in FIG.

  In step S4005, it is determined from the identification information included in the login information whether the login information held in step S4003 is authentication OK in the function restriction information 530 in the case other than the device group. If the function restriction information 530 other than the device group indicates authentication OK, the process proceeds to step S4006. If the function restriction information 507 normally used by the user indicates authentication OK, the process proceeds to step S4008. Move.

  In step S4006, the log-in process is performed using the function restriction information 530 in the case other than the device group without using the function restriction information 507 that is normally used by the user, so that the function restriction differs from the normal function restriction for the user. In order to notify this, the function restriction confirmation screen 800A shown in FIG. (The description of FIG. 8 is as described above.)

  In step S4007, it is determined whether or not the search button 801 on the function restriction confirmation screen 800A has been pressed. If the search button 801 is pressed, the process proceeds to step S1201 in FIG. If the OK button 804 is pressed, the process proceeds to step S4008. In this case, in step S4008, the function restriction information 530 for a device group other than the device group is applied and logged in, and an initial screen is displayed on the operation unit 308.

  By holding a plurality of user information in step S2009, when switching logins, it is possible to log in to the MFP without requiring authentication to the IC card authentication server again, thereby improving authentication efficiency or inputting user authentication information. Can be reduced.

  In particular, at the time of keyboard authentication, input of a user name and a password is reduced from the operation unit 308 of the complex machine that is difficult to operate, and usability is greatly improved.

  According to the embodiment described above, when a plurality of pieces of user information is obtained by authentication using user identification information input in accordance with a user operation, the user information to be logged in is displayed so as to be selectable. It is to provide a mechanism that facilitates the use of.

  Another object of the present invention is to provide a mechanism for easily using the image forming apparatus by displaying user information that can be used in the image forming apparatus in which user identification information is input in accordance with a user operation.

  In addition, by setting a group of multifunction devices (image forming apparatuses) that can be used by the user and setting the set groups for each user, the use of the multifunction devices (image forming apparatuses) according to authentication is restricted. It is possible to realize a mechanism with high security.

  In addition, by setting authority when the MFP (image forming apparatus) that has requested authentication is not a group of MFPs (image forming apparatuses) that can be used by the set user, other MFPs (image forming apparatuses) are set. It is possible to use the multi-function device and improve convenience while restricting the functions of the device. Further, by limiting the functions of other multifunction peripherals (image forming apparatuses), it is possible to realize a high security mechanism that restricts unnecessary use.

  Further, a multifunction peripheral (image forming apparatus) that can be used with the authority of the multifunction peripheral normally used by the user from another multifunction peripheral (image forming apparatus) that has lower authority than the multifunction peripheral (image forming apparatus) that is normally used. ) Can be searched, and a highly convenient mechanism can be realized.

  It should be noted that the configuration and contents of the various data described above are not limited to this, and it goes without saying that the various data and configurations are configured according to the application and purpose.

  Although one embodiment has been described above, the present invention can take an embodiment as, for example, a system, apparatus, method, program, or recording medium, and specifically includes a plurality of devices. The present invention may be applied to a system including a single device.

  Further, the program in the present invention is a program capable of executing the processing method of FIGS. 9 to 12, and the storage medium of the present invention stores a program capable of executing the processing method of FIGS. ing. The program in the present invention may be a program for each processing method of each apparatus in FIGS.

As described above, a recording medium that records a program that implements the functions of the above-described embodiments is supplied to a system or apparatus, and a computer (or CPU or MPU) of the system or apparatus stores the program stored in the recording medium. It goes without saying that the object of the present invention can also be achieved by executing the reading.

  In this case, the program itself read from the recording medium realizes the novel function of the present invention, and the recording medium storing the program constitutes the present invention.

  As a recording medium for supplying the program, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, DVD-ROM, magnetic tape, nonvolatile memory card, ROM, EEPROM, silicon A disk or the like can be used.

  Further, by executing the program read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (operating system) operating on the computer based on an instruction of the program is actually It goes without saying that a case where the function of the above-described embodiment is realized by performing part or all of the processing and the processing is included.

  Furthermore, after the program read from the recording medium is written to the memory provided in the function expansion board inserted into the computer or the function expansion unit connected to the computer, the function expansion board is based on the instructions of the program code. It goes without saying that the case where the CPU or the like provided in the function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

  Further, the present invention may be applied to a system composed of a plurality of devices or an apparatus composed of a single device. Needless to say, the present invention can be applied to a case where the present invention is achieved by supplying a program to a system or apparatus. In this case, by reading a recording medium storing a program for achieving the present invention into the system or apparatus, the system or apparatus can enjoy the effects of the present invention.

  Furthermore, by downloading and reading a program for achieving the present invention from a server, database, etc. on a network by a communication program, the system or apparatus can enjoy the effects of the present invention.

  In addition, all the structures which combined each embodiment mentioned above and its modification are also included in this invention.

100 MFP 200 IC Card Authentication Server 300 Directory Service Server 400 Local Area Network (LAN)
500 WAN
700 client PC
201 CPU
211 External memory 301 CPU
302 RAM
308 Operation unit 319 Card reader

Claims (12)

Communicates with a user information management apparatus and an image forming apparatus capable of managing user identification information and a plurality of user information in association with each other, and capable of managing in association with reading information read from a storage medium and user information in association with each other An authentication system that can be connected,
The image forming apparatus includes:
A reading unit that reads read information capable of uniquely specifying user information from a storage medium in order to log in to the image forming apparatus;
An input receiving means for receiving input of user identification information in order to log in to the image forming apparatus according to a user operation ;
First transmission means for transmitting read information read by the reading means or user identification information received by the input receiving means to the user information management device;
The transmitted read information by the first transmission means or the first receiving means for receiving from the previous SL user information management device the user information corresponding to the user identification information,
In the case of the authentication method by the input receiving unit, a determining unit that determines whether or not there is a plurality of user information received by the first receiving unit;
If the authentication method by the input receiving means, by the determination unit, when the user information corresponding to the user identification information is determined to one, log in using the user information, by the determination unit When it is determined that there are a plurality of user information corresponding to the user identification information, the user is logged in using one user information selected by the operator by displaying the plurality of user information , In the case of the authentication method by the reading means, it comprises a login means for logging in using the user information received by the first receiving means ,
The user information management device includes:
A second receiving means for receiving the read information or the user identification information from the image forming apparatus;
Authentication means for authenticating by searching user information using the read information received by the second receiving means or the user identification information;
When authentication is successful using the read information by the authentication means, user information uniquely specified by the read information is acquired, and when authentication is successful using the user identification information by the authentication means Includes user information acquisition means for acquiring one or a plurality of user information stored in association with the user identification information;
Authentication system characterized by comprising a second transmission means for transmitting the user information acquired by the user information acquisition means prior Symbol image forming apparatus. The image forming apparatus includes:
When the determination unit determines that there are a plurality of the user information corresponding to the user identification information, the display unit further includes a display unit that displays selectable user information from the plurality of received user information .
The log-in means, the authentication system according to claim 1, characterized that you login using the user information selected from a plurality of user information displayed on the display means. Provided with a change determination means for determining whether or not an instruction to change logged-in user information has been issued,
The authentication system according to claim 2, wherein the display unit displays the plurality of pieces of user information so as to be selectable again when it is determined that the change instruction is given by the change determination unit. The user information, the authentication system according to any one of claims 1 to 3, characterized in that a user name or email address or cost code. Yu over The information management device,
A group information storage unit that stores the user information and a group of image forming apparatuses that can log in in association with each other;
The user information acquisition unit is associated with a group including the image forming apparatus that has received the user identification information among a plurality of user information stored in association with the user identification information received by the second reception unit. Get user information,
The second transmission unit transmits user information associated with a group including an image forming apparatus that has received user identification information by the second reception unit acquired by the user information acquisition unit. 5. The authentication system according to any one of 1 to 4 . Authentication system according to any one of claims 1 to 5 wherein the user information managing apparatus and the image forming apparatus, characterized in that it is constituted by a separate unit. The user identification information and the plurality of user information are managed in association with each other, and the user information management device capable of managing the reading information read from the storage medium and the user information in association with each other is communicably connected. An image forming apparatus comprising:
A reading unit that reads read information capable of uniquely specifying user information from a storage medium in order to log in to the image forming apparatus;
An input receiving means for receiving input of user identification information in order to log in to the image forming apparatus according to a user operation ;
First transmission means for transmitting read information read by the reading means or user identification information received by the input receiving means to the user information management device;
The transmitted read information by the first transmission means or the first receiving means for receiving from the previous SL user information management device the user information corresponding to the user identification information,
In the case of the authentication method by the input receiving unit, a determining unit that determines whether or not there is a plurality of user information received by the first receiving unit;
If the authentication method by the input receiving means, by the determination unit, when the user information corresponding to the user identification information is determined to one, log in using the user information, by the determination unit When it is determined that there are a plurality of user information corresponding to the user identification information, the user is logged in using one user information selected by the operator by displaying the plurality of user information , In the case of an authentication method using a reading unit , an image forming apparatus comprising: a login unit that logs in using user information received by the first receiving unit . Communicates with a user information management apparatus and an image forming apparatus capable of managing user identification information and a plurality of user information in association with each other, and capable of managing in association with reading information read from a storage medium and user information in association with each other A processing method of an authentication system that can be connected,
The image forming apparatus includes:
A reading step of reading reading information capable of uniquely specifying user information from a storage medium in order to log in to the image forming apparatus;
An input receiving step for receiving input of user identification information in order to log in to the image forming apparatus according to a user operation ;
A first transmission step of transmitting the reading information read by the reading step or the user identification information received by the input receiving step to the user information management device;
The transmitted read information by the first transmission step, or the first receiving step of receiving from the previous SL user information management device the user information corresponding to the user identification information,
A determination step of determining whether or not there is a plurality of pieces of user information received in the first reception step in the case of the authentication method by the input reception step;
If the authentication method by the input receiving step, by the determination step, if the user information corresponding to the user identification information is determined to one, log in using the user information, by the determination step When it is determined that there are a plurality of user information corresponding to the user identification information, the user is logged in using one user information selected by the operator by displaying the plurality of user information , In the case of the authentication method by the reading step, a login step for logging in using the user information received by the first receiving step is executed.
The user information management device is
A second receiving step of receiving the read information or the user identification information from the image forming apparatus;
An authentication step of authenticating by searching user information using the read information received by the second receiving step or the user identification information;
When authentication is successful using the read information in the authentication step, user information uniquely specified by the read information is acquired, and when authentication is successful using the user identification information in the authentication step A user information acquisition step of acquiring one or a plurality of user information stored in association with the user identification information;
Processing method characterized by performing a second transmission step of transmitting the user information acquired by the user information acquisition step before Symbol image forming apparatus. The user identification information and the plurality of user information are managed in association with each other, and the user information management device capable of managing the reading information read from the storage medium and the user information in association with each other is communicably connected. An image forming apparatus processing method comprising:
The image forming apparatus includes:
A reading step of reading reading information capable of uniquely specifying user information from a storage medium in order to log in to the image forming apparatus;
An input receiving step for receiving input of user identification information in order to log in to the image forming apparatus according to a user operation ;
A first transmission step of transmitting the reading information read by the reading step or the user identification information received by the input receiving step to the user information management device;
The transmitted read information by the first transmission step, or the first receiving step of receiving from the previous SL user information management device the user information corresponding to the user identification information,
A determination step of determining whether or not there is a plurality of pieces of user information received in the first reception step in the case of the authentication method by the input reception step;
If the authentication method by the input receiving step, by the determination step, if the user information corresponding to the user identification information is determined to one, log in using the user information, by the determination step When it is determined that there are a plurality of user information corresponding to the user identification information, the user is logged in using one user information selected by the operator by displaying the plurality of user information , In the case of an authentication method using a reading step , a processing method is executed, wherein a login step for logging in using the user information received in the first receiving step is executed. Communicates with a user information management apparatus and an image forming apparatus capable of managing user identification information and a plurality of user information in association with each other, and capable of managing in association with reading information read from a storage medium and user information in association with each other A program in an authentication system that can be connected,
The image forming apparatus;
A reading unit that reads read information capable of uniquely specifying user information from a storage medium in order to log in to the image forming apparatus;
An input receiving means for receiving input of user identification information in order to log in to the image forming apparatus according to a user operation ;
First transmission means for transmitting read information read by the reading means or user identification information received by the input receiving means to the user information management device;
The transmitted read information by the first transmission means or the first receiving means for receiving from the previous SL user information management device the user information corresponding to the user identification information,
In the case of the authentication method by the input receiving unit, a determining unit that determines whether or not there is a plurality of user information received by the first receiving unit;
If the authentication method by the input receiving means, by the determination unit, when the user information corresponding to the user identification information is determined to one, log in using the user information, by the determination unit When it is determined that there are a plurality of user information corresponding to the user identification information, the user is logged in using one user information selected by the operator by displaying the plurality of user information , In the case of the authentication method by the reading means, it functions as a login means for logging in using the user information received by the first receiving means ,
The user information management device;
A second receiving means for receiving the read information or the user identification information from the image forming apparatus;
Authentication means for authenticating by searching user information using the read information received by the second receiving means or the user identification information;
When authentication is successful using the read information by the authentication means, user information uniquely specified by the read information is acquired, and when authentication is successful using the user identification information by the authentication means Includes user information acquisition means for acquiring one or a plurality of user information stored in association with the user identification information;
Program for causing to function as a second transmission means for transmitting the user information acquired by the user information acquisition means prior Symbol image forming apparatus. The user identification information and the plurality of user information are managed in association with each other, and the user information management device capable of managing the reading information read from the storage medium and the user information in association with each other is communicably connected. A program in an image forming apparatus,
The image forming apparatus;
A reading unit that reads read information capable of uniquely specifying user information from a storage medium in order to log in to the image forming apparatus;
An input receiving means for receiving input of user identification information in order to log in to the image forming apparatus according to a user operation ;
First transmission means for transmitting read information read by the reading means or user identification information received by the input receiving means to the user information management device;
The transmitted read information by the first transmission means or the first receiving means for receiving from the previous SL user information management device the user information corresponding to the user identification information,
In the case of the authentication method by the input receiving unit, a determining unit that determines whether or not there is a plurality of user information received by the first receiving unit;
If the authentication method by the input receiving means, by the determination unit, when the user information corresponding to the user identification information is determined to one, log in using the user information, by the determination unit When it is determined that there are a plurality of user information corresponding to the user identification information, the user is logged in using one user information selected by the operator by displaying the plurality of user information , In the case of an authentication method by a reading means , a program which functions as a login means for logging in using user information received by the first receiving means . In order to log in to the image forming apparatus, reading means for reading the reading information capable of uniquely specifying the user information from the storage medium, and input of user identification information for logging in to the image forming apparatus according to the user operation Input receiving means for receiving the user information, reading information read by the reading means or user identification information received by the input receiving means to be transmitted to the user information management device, and transmitted by the first transmitting means. Received by the first receiving means in the case of the authentication method by the first receiving means for receiving the read information or the user information corresponding to the user identification information from the user information management device and the input receiving means In the case of the determination means for determining whether or not there is a plurality of user information and the authentication method by the input reception means, the determination means When it is determined that the user information corresponding to the user identification information is one, the user information is used to log in, and the determination means determines that there are a plurality of the user information corresponding to the user identification information. In this case, the user is logged in using one user information selected by the operator by displaying the plurality of user information. On the other hand, in the case of the authentication method by the reading means, the first receiving means User identification information and a plurality of pieces of user information are associated with each other and communicated with an image forming apparatus including a login unit that logs in using received user information, and read information read from a storage medium; A user information management apparatus capable of managing user information uniquely associated with the user information,
A second receiving means for receiving the read information or the user identification information from the image forming apparatus;
Authentication means for authenticating by searching user information using the read information received by the second receiving means or the user identification information;
When authentication is successful using the read information by the authentication means, user information uniquely specified by the read information is acquired, and when authentication is successful using the user identification information by the authentication means Includes user information acquisition means for acquiring one or a plurality of user information stored in association with the user identification information;
Second transmitting means for transmitting user information acquired by the user information acquiring means to the image forming apparatus;
A user information management device comprising:

Images