JP2005038372A - Access control decision system, and access control execution system - Google Patents

Access control decision system, and access control execution system

Info

Publication number
JP2005038372A
Authority
JP
Japan
Prior art keywords
information
access control
requirement
access
document
Prior art date
Legal status
Pending
Application number
JP2003315996A
Other languages
Japanese (ja)
Inventor
Yoichi Kanai
洋一 金井
Original Assignee
Ricoh Co Ltd
株式会社リコー
Priority to JP2003178033
Application filed by Ricoh Co Ltd
Priority to JP2003315996A (JP2005038372A)
Priority claimed from US10/872,574 (US20050021980A1)
Publication of JP2005038372A
Application status: Pending

Abstract

PROBLEM TO BE SOLVED: To make an organizational security policy applicable to an information processing system, so as to enhance the organization's security not only for electronic documents but also for paper documents.

SOLUTION: This access control decision system has abstraction level conversion means for converting, when an access decision request requiring a decision on access control to the target information is received, the first information specified by the access decision request into second information of a higher abstraction level than the first information; access control decision means for deciding the access control to the target information by referring to the abstractly specified security policy, based on the second information; and decision result transmitting means for transmitting a decision result, indicating the access control to the target information decided by the access control decision means, to the requester that issued the access decision request.

COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention provides an access control determination system and an access control enforcement system that can apply an organizational security policy to an information processing system and improve organizational security not only for electronic documents but also for paper documents.

  As office work is digitized, the importance of managing electronic documents such as confidential documents has increased. Access control has been performed on such electronic documents in accordance with a predetermined security policy.

  From the viewpoint of ensuring the security of electronic documents with a unified security policy within a company, a security policy description method and an apparatus for transmitting the security policy have been proposed (for example, Patent Document 1). Further, there are a method for distributing such a security policy, a device that operates based on the security policy, and the like (for example, Patent Document 2). Furthermore, there is a method and apparatus for controlling printing of an electronic document according to a security policy together with encryption and decryption of the electronic document (for example, Patent Document 3).

  In addition, systems mainly intended for selling digital contents such as music data and image data face problems similar to trade secret management, so similar techniques may be applied (for example, Patent Documents 4, 5, 6 and 7). In particular, these provide a system in which certain conditions must be satisfied when referring to or printing copyrighted digital data (called digital works, such as music data and image data). An authority description grammar (usage rights grammar) and a protocol for checking whether the conditions for exercising the authority are satisfied are disclosed. With this technology it is possible, for distributed music data, image data and the like, to require payment of a fee for referencing or printing, or to limit the period during which the data can be used without paying the fee.

  However, these inventions are intended not for the management of trade secrets in an office but for selling digital contents. Therefore, access control that also covers the printed matter produced when a confidential document is printed is not assumed.

  In addition, systems that display digital contents and perform various processes during printing have been proposed (for example, Patent Document 8 and Patent Document 9). For example, glyph codes can be embedded during printing. However, the information to be embedded must be determined for each individual document.

  Furthermore, an access control subsystem composed of a policy evaluation module that determines whether access is permitted according to a policy, an execution function verification module that determines whether the condition attached to a permission can be executed, and an execution module has been proposed (for example, Patent Document 10).

Patent Document 1: JP 2002-267065 A
Patent Document 2: JP 2002-251921 A
Patent Document 3: JP 2002-299712 A
Patent Document 4: JP-A-8-263441
Patent Document 5: US Pat. No. 5,715,403
Patent Document 6: JP-A-8-263438
Patent Document 7: US Pat. No. 6,236,971
Patent Document 8: JP 2000-122977 A
Patent Document 9: US Pat. No. 6,233,684
Patent Document 10: JP 2001-184264 A (FIGS. 1 and 2)

However, the above prior art has problems in terms of operational flexibility, as described below.
- When the policy stipulates that "a document may be referred to only by related parties", the related parties vary from document to document, but the related parties cannot be managed per document.
- When the policy stipulates "stamp a confidential mark when printing", the various stamps such as confidential, top secret and take-out prohibited cannot be handled.
- When the policy stipulates "warn users about handling precautions", the warning content (text) cannot be changed according to the document type.
- It is not possible to define "permitted zones" in which documents may be handled and to restrict use to that range.
- To control operations on paper documents, the paper documents must be identifiable, but how to deal with a failure to identify a paper document cannot be defined or handled.

  Even if these problems are solved, in order to perform unified access control according to the organization's security policy, it is desirable that the part that determines access control according to the policy be completely separated from the part that actually executes the access, so that the determining part can be used from various application systems.

  In addition, there is a problem that access cannot be controlled in accordance with an abstract description like an organization security policy.

  Therefore, an object of the present invention is to provide an access control determination system and an access control execution system that can apply an organization security policy to an information processing system and ensure the security of paper documents and electronic documents.

  In order to solve the above-described problem, the present invention is configured to have: abstraction conversion means for converting, when an access determination request requesting an access control determination for target information is received, the first information specified by the access determination request into second information having a higher abstraction level than the first information; access control determination means for determining access control to the target information by referring to the abstractly defined security policy based on the second information; and determination result transmission means for transmitting a determination result, indicating the access control to the target information determined by the access control determination means, to the request source that made the access determination request.

  In such an access control determination system, information for determining access control can be converted to the same level as the abstraction level of the security policy of the organization. Therefore, access control can be determined according to the abstract security policy.

  Further, according to the present invention, as described in claim 2, the abstraction conversion means can be configured to have mapping means for mapping the first information to the second information by referring to a management table that manages the first information and the second information, which have different abstraction levels, in association with each other.

  In such an access control determination system, the degree of abstraction of the first information can be increased by referring to a table in which the first information having a low level of abstraction is associated with the second information having a high level of abstraction.

  Further, according to the present invention, as described in claim 3, the abstraction conversion means can be configured to have first mapping means for mapping the first information to the second information by referring to a first management table that manages the first information and the second information, which have different abstraction levels, in association with each other, and second mapping means for mapping the first information to third information by referring to a second management table that manages the first information and the third information, which have different abstraction levels, in association with each other; the access control determining means can then determine the access control to the target information by referring to the security policy based on at least one of the second information and the third information.

  In such an access control determination system, it is possible to convert from the first information to a plurality of pieces of information with a high level of abstraction by referring to a plurality of management tables that increase the degree of abstraction.

  Further, according to the present invention, as described in claim 4, the abstraction conversion means can be configured to have mapping means that acquires intermediate information by referring to a first management table associating the first information with intermediate information having different attributes, and then maps to the second information by referring, based on the acquired intermediate information, to a second management table associating the intermediate information with the second information, whose abstraction level differs from that of the first information.

  In such an access control determination system, it is possible to convert from the first information to the second information having a higher level of abstraction by referring to a plurality of management tables that increase the level of abstraction.

  Further, according to the present invention, the first information can be user identification information identifying the user who accesses the target information, and the second information can be information indicating the authority level of that user.

  In such an access control determination system, the level of abstraction can be increased from the user identification information to the authority level of the user.

  In the present invention, the first information can be user identification information identifying the user who accesses the target information, and the second information can be information indicating whether that user is a related party of the target information.

  In such an access control determination system, the degree of abstraction can be increased from the user identification information to the related party / non-related party.

  Further, according to the present invention, the first information can be information indicating the location from which the target information is accessed, and the second information can be information indicating whether that location is within a predetermined zone.

  In such an access control determination system, the level of abstraction can be increased from the context information to inside-zone/outside-zone.

  In the present invention, the first information can be image data obtained by scanning a paper document bearing the target information, and the second information can be information indicating a security attribute of the target information derived from that image data.

  In such an access control determination system, even when the target information is indicated by a paper document, image data obtained by scanning the paper document can be converted into information indicating a security attribute having a high abstraction level.

  Further, according to the present invention, as described in claim 9, the access control determination means determines access control with a requirement for permitting access to the target information according to the security policy, and the determination result transmitting means can be configured to add information indicating the requirement to the determination result and transmit it to the request source.

  In such an access control determination system, access control can be performed with a requirement for access permission.

  Further, according to the present invention, the access control determination means can be configured to include, in the requirement for permitting access to the target information in accordance with the security policy, supplementary information that is specified when the requirement is processed.

  In such an access control determination system, it is possible to perform access control by adding supplementary information to requirements for permitting access.

  Further, according to the present invention, as described in claim 11, the access control determination unit can be configured to include, in the requirement for permitting access to the target information according to the security policy, an alternative requirement for the case where the requirement cannot be processed.

  In such an access control determination system, it is possible to specify an alternative requirement for a requirement for permitting access.

  Further, according to the present invention, the security policy can be configured to be settable from the outside.

  In such an access control determination system, the security policy can be changed from the outside. Also, by managing and changing the security policy in one place, access control can be performed so that the entire organization follows the security policy corresponding to the change.

  As means for solving the above-described problems, the present invention can also be an access control determination method for causing a computer to perform the processing of the access control determination system, a program, and a storage medium storing the program.

In order to solve the above-mentioned problem, the present invention can also be configured as an access control execution system having access control execution means that executes access control on the target information based on access control information which specifies the control relating to access to the target information according to the security policy.

  In such an access control execution system, when the target information is accessed according to the security policy, it is determined whether the requirement for permitting the access is feasible, and, based on that result, access control to the target information can be enforced so as to satisfy the requirement.

  In the present invention, as described in claim 17, the access control execution means can further be configured to have access prohibiting means for prohibiting access to the target information when the determination result by the requirement availability determination means indicates that the access cannot be executed so as to satisfy the requirement.

  In such an access control determination system, access can be prohibited if the requirements are not satisfied.

  Furthermore, as described in claim 18, when the determination result by the requirement availability determination unit indicates that the access cannot be executed so as to satisfy the requirement, the access control execution unit can execute the access control so as to find an alternative requirement specified by the access control information.

  In such an access control determination system, an alternative requirement can be executed if the requirement is not satisfied.

  In the present invention, the access control execution unit can further have an alternative requirement availability determination unit that, when the determination result by the requirement availability determination unit indicates that the access cannot be executed so as to satisfy the requirement, determines whether the alternative requirement specified by the access control information can be executed; the access can then be prohibited when the determination result by the alternative requirement availability determination unit indicates that the alternative requirement cannot be executed.

  In such an access control determination system, access can be prohibited when alternative requirements are not satisfied.

  Further, according to the present invention, as described in claim 20, when the determination result by the requirement availability determination unit indicates that the access can be executed so as to satisfy the requirement, the access control execution unit can execute the access control for the target information so as to satisfy the requirement using the supplementary information specified in the access control information.

  In such an access control determination system, requirements can be executed using supplementary information.
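As an added illustration (not code from the patent), the application-side enforcement loop of claims 17 to 20 above: each requirement in the received access control information is checked for feasibility against the device's capabilities, the alternative requirement is tried when the first cannot be executed, supplementary information is handed to the requirement that is finally chosen, and access is prohibited when neither can be satisfied. All class names, capability names and sample data are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed example of the application-side enforcement loop. Class names, capability
# names and the sample access control information are assumptions, not terms from the patent.

@dataclass
class Requirement:
    name: str                                                 # e.g. "label_print"
    supplement: Dict[str, str] = field(default_factory=dict)  # supplementary information
    alternative: Optional["Requirement"] = None               # alternative requirement, if any

@dataclass
class AccessControlInfo:
    permitted: bool
    requirements: List[Requirement] = field(default_factory=list)

def can_execute(req: Requirement, capabilities: Set[str]) -> bool:
    """Requirement availability determination: can this device perform the requirement?"""
    return req.name in capabilities

def enforce(info: AccessControlInfo, capabilities: Set[str]) -> dict:
    """Return the actions to perform before access, or a prohibition with its reason."""
    if not info.permitted:
        return {"access": "prohibited", "reason": "determination result prohibits access"}
    actions = []
    for req in info.requirements:
        chosen = req
        if not can_execute(req, capabilities):
            # Alternative requirement availability determination
            alt = req.alternative
            if alt is None or not can_execute(alt, capabilities):
                return {"access": "prohibited",
                        "reason": f"requirement {req.name!r} cannot be satisfied"}
            chosen = alt
        # Execute the (possibly alternative) requirement using its supplementary information
        actions.append({"requirement": chosen.name, "supplement": dict(chosen.supplement)})
    return {"access": "permitted", "actions": actions}

# Sample devices: a digital multi-function peripheral and a document viewer with different capabilities
MFP_CAPABILITIES = {"log_record", "label_print", "warning_print", "image_log_record"}
VIEWER_CAPABILITIES = {"log_record", "warning_display"}

# Sample determination result: permitted, with logging and a watermark (label printing as the alternative)
SAMPLE_INFO = AccessControlInfo(
    permitted=True,
    requirements=[
        Requirement("log_record"),
        Requirement("watermark_print", {"text": "CONFIDENTIAL"},
                    alternative=Requirement("label_print", {"label": "CONFIDENTIAL"})),
    ],
)

if __name__ == "__main__":
    print(enforce(SAMPLE_INFO, MFP_CAPABILITIES))     # permitted: log_record, label_print
    print(enforce(SAMPLE_INFO, VIEWER_CAPABILITIES))  # prohibited: watermark_print unsatisfiable
```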

  Further, as described in claim 21, the present invention can be configured so that at least one of log recording, encrypted storage, originality assurance, strict user authentication, version management, complete erasure and warning display can be executed as the requirement.

  In such an access control determination system, requirements required as a document management system can be executed.

  Further, as described in claim 22, the present invention can be configured so that at least one of log recording, label printing, operator printing, image log recording, warning display, warning printing, destination restriction, confidential transmission, watermark printing and digital watermark embedding can be executed as the requirement.

  In such an access control determination system, requirements required for a digital multi-function peripheral can be executed.

  The present invention can also be configured so that at least one of log recording, strict user authentication, warning display, confidential printing, image log recording, identification information printing, label printing, watermark printing, copy suppression (copy-forgery-inhibited) pattern printing, identification background pattern printing and warning printing can be executed as the requirement.

  In such an access control determination system, requirements required as a document viewer can be executed.

  Furthermore, as described in claim 24, the present invention can be configured to have access determination request means for requesting an access control determination from an access control determination system that determines access control in accordance with the abstractly defined security policy in response to an access request for the target information, and access control reception means for receiving the access control information provided by the access control determination system in response to the access control determination request; the access control execution means then executes the access control for the target information based on the access control information received by the access control reception means.

  In such an access control execution system, access control information conforming to a security policy with a high abstraction level can be acquired from the access control determination system by providing it with information of a low abstraction level. Therefore, security management and access control can be separated.

  As a means for solving the above-mentioned problems, the present invention can also be an access control execution method for causing a computer to perform processing in the access control execution system.

  Security of paper documents and electronic documents can be ensured according to the organization's security policy. In addition, access control according to the organization's security policy specifies not only permission or prohibition but also requirements; by using those requirements to strengthen users' ability to prevent information leakage and to enforce security processing when electronic documents are printed, the organization's security policy is enforced consistently in the handling of not only electronic documents but also paper documents.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  The system in which the access control determination system according to an embodiment of the present invention is applied as a security server is configured, for example, as shown in FIG. 1. FIG. 1 is a diagram showing a system configuration according to an embodiment of the present invention. In FIG. 1, a security server 200 that controls access to electronic documents or paper documents is connected via a network to a document management system 100 that manages electronic documents, a digital multi-function peripheral 70 equipped with a plurality of different image forming functions such as copier, fax, printer and scanner, and a document viewer 53 that displays electronic documents on a user terminal 51.

  In FIG. 1, a document viewer 53 is a predetermined application that operates on the terminal 51. Further, the terminal 51 accesses the target document stored in the document management system 100 via the network. In addition, the user 52 performs copying or the like of the brought-in paper document with the digital multi-function peripheral 70. In FIG. 1, there may be a plurality of terminals 51 and users 52, respectively.

  An electronic document that is managed by the document management system 100 and whose access to the electronic document itself is controlled is hereinafter referred to as a server document 61. A paper document handled by the digital multifunction peripheral 70 is hereinafter referred to as a paper document 62. An electronic document downloaded from the document management system 100 or the like, stored in the local storage of the terminal 51, and opened and referred to by the document viewer 53 is hereinafter referred to as a portable document 63.

  When the user 52 connects to the document management system 100 using the terminal 51 and accesses the server document 61, the document management system 100 acquires authentication information from the user 52 and asks the user management server 300 for user authentication. I do. The document management system 100 makes an access control inquiry to the security server 200 based on the authentication result from the user management server 300. The document management system 100 accesses the server document 61 based on the access control information notified from the security server 200.

  Similarly, when the user 52 copies the paper document 62 with the digital multifunction peripheral 70, the digital multifunction peripheral 70 acquires authentication information from the user 52 and makes an inquiry to the user management server 300 for user authentication. The digital multi-function peripheral 70 makes an access control inquiry to the security server 200 based on the authentication result from the user management server 300. The digital multi-function peripheral 70 copies the paper document 62 based on the access control information notified from the security server 200.

  Similarly, when the user 52 activates the document viewer 53 on the terminal 51 and displays the portable document 63, the document viewer 53 acquires authentication information from the user 52 and makes an inquiry about user authentication to the user management server 300. Do. The document viewer 53 makes an access control inquiry to the security server 200 based on the authentication result from the user management server 300. The document viewer 53 displays the portable document 63 or outputs the displayed portable document 63 based on the access control information notified from the security server 200.

  When the user management server 300 receives the authentication information of the user 52 from the document management system 100, the digital multi-function peripheral 70, or the document viewer 53, it authenticates the user 52 by referring to the user management table 310, which manages the user information of each user 52 including the authentication information. The user management server 300 transmits the authentication result to the document management system 100, the digital multi-function peripheral 70, or the document viewer 53 that inquired about user authentication.

  The security server 200 includes a policy file 240 that describes the access control rules of the organization, a user authority level table 250 that manages the authority of each user 52, a document profile 260 that manages the profile of each document, a zone management table 270 that manages access control for each zone, and a print profile management table 280 that manages information related to each printing. The security server 200 responds to access control inquiries from the document management system 100, the digital multi-function peripheral 70, and the document viewer 53 using the policy file 240 and these tables 250 to 280.

  The policy file 240 can define rules such as "access is permitted only to related parties", but for this it must be possible to manage who is related to which document. A table supplementing the policy in this way is managed in the security server separately from the policy, because if the related parties themselves were described in the policy, the policy would lose generality. That is, only what can be defined as a "rule", such as the organization's trade secret management rules, is defined as the policy, and the various items that must be set for each document and each user are managed in tables. Since the "rules" vary from organization to organization, the policy file 240 is replaceable.

  Hereinafter, the server document 61, the paper document 62, and the portable document 63 are collectively referred to as a document 60 (FIG. 2).

  A device that accesses the document 60 including the terminal 51 and the user 52 is called an initiator 50.

  The document management system 100, the digital multi-function peripheral 70, the document viewer 53, and the like are collectively referred to as an application system 400.

  In the system 1000, the security server 200 and the user management server 300 are configured separately, but a single server may be configured to have the functions of the security server 200 and the user management server 300.

  An overview of access control will be described with reference to FIG. 2 showing an access control model described according to ISO / IEC 10181-3. FIG. 2 is a diagram illustrating an access control model.

  In FIG. 2, when the application system 400 receives a request from the initiator 50 to access the document 60, the application system 400 asks the security server 200, after user authentication, to determine whether to permit the access. When user authentication is not required, access permission may be inquired as an anonymous user or a guest user.

  The security server determines, according to the access control rules (policy) described in the policy file 240 it holds, whether the user is authorized to access the document, and returns to the application system as the determination result whether access is permitted or prohibited and, if permitted, which requirements must be satisfied.

  The application system 400 receives the determination result, and processes the access requested by the user if permitted. At this time, if a requirement is specified as a determination result, the document 60 is processed so as to satisfy the requirement. If it is prohibited or the requirements are not met, access is denied.

  Next, the hardware configuration and functional configuration of the security server 200 will be described. FIG. 3 is a diagram showing a hardware configuration of the security server according to an embodiment of the present invention.

  In FIG. 3, the security server 200 is a server computer having a CPU (Central Processing Unit) 41, a memory unit 42, a display unit 43, an input unit 44, a communication unit 45, and a storage device 46. The units 41 to 46 are connected to the system bus B2.

  The CPU 41 controls the security server 200 according to a program stored in the memory unit 42. The memory unit 42 includes a RAM (Random Access Memory), a ROM (Read-Only Memory), and the like, and stores the program executed by the CPU 41, the data necessary for processing by the CPU 41, and the data obtained by processing by the CPU 41. A part of the memory unit 42 is allocated as a work area used for processing by the CPU 41.

  The display unit 43 displays various information necessary under the control of the CPU 41. The communication unit 45 is a unit for controlling communication with the application system 400 when connected to the application system 400 via, for example, a LAN (Local Area Network). The storage device 46 is configured by, for example, a hard disk unit, and stores a policy file 240 and management tables such as a user authority level table 250, a document profile management table 260, a zone management table 270, and a print profile management table 290.

  A program for controlling the security server 200 is installed in the storage device 46 in advance.

  FIG. 4 is a diagram illustrating the functional configuration of the security server. In FIG. 4, the security server 200 mainly consists of an abstraction processing unit 231, which performs abstraction so that the information provided by the application system 400 corresponds to the company's security policy, and a policy-based access control determination unit 241, which determines access control based on the information abstracted by the abstraction processing unit 231.

  The abstraction processing unit 231 further includes a user authority level mapping unit 232, a user category mapping unit 233, a zone mapping unit 234, and a document security attribute mapping unit 235.

  When the abstraction processing unit 231 receives user identification information, access type information, document identification information, and context information from the application system 400, the user authority level mapping unit 232 refers to the user authority level table 250 based on the user identification information and acquires the abstracted authority level (1); the user category mapping unit 233 refers to the document profile management table 260 based on the user identification information and acquires the abstracted party classification indicating a related party or a non-related party; the zone mapping unit 234 refers to the document profile management table 260 and the zone management table 270 based on the context information and acquires the abstracted zone classification indicating inside the zone or outside the zone (4); and the document security attribute mapping unit 235 refers to the document profile management table 260 and the print profile management table 280 based on the document identification information and acquires the abstracted confidential level and document category (5).

  In the above, it may be configured such that the time zone is set in the context information, and a time segment indicating a predetermined time or outside a predetermined time may be acquired.

  Each of the mapping units 232 to 235 may be configured as one abstraction processing unit. In this case, one abstraction processing unit is configured to refer to one or more management tables.

  Alternatively, the abstraction processing unit may be organized around three kinds of attributes: the authority level and the party classification as user security attributes, the confidentiality level and the document category as document security attributes, and the zone classification as an access environment attribute. In this case, the abstraction processing unit has one or more mapping processing units, and each mapping processing unit is configured to refer to one or more tables.

  The policy-based access control determination unit 241 receives the information abstracted by the abstraction processing unit 231 as a parameter, and determines access control according to the access control rule (policy) described in the policy file 240. The policy file 240 can be set from the outside. Therefore, it becomes easy to change according to the security policy of the company.

  In this embodiment, the two-stage processing of the abstraction processing unit 231 and the policy-based access control determination unit 241 makes it possible to perform an access control determination that complies with a general-purpose security policy while responding flexibly to changes of the security policy.

  In addition, since the abstraction processing unit 231 is provided, a change of the security policy does not require changing the format of the information provided by the application system 400. Since the software on the application system 400 side need not be changed when the security policy changes, maintenance becomes easy.

It is possible to manage what is called an ACL (Access Control List) for each document and to perform access control that specifies which access is permitted or prohibited for which user. There is also a conventional system in which such an ACL is called a security policy (US Pat. No. 6,289,450). However, in the conventional system the policy is set for each document, so there is the problem that it cannot be known whether the per-document settings are applied in accordance with the organization's trade secret management rule (policy), such as "a secret is accessible only to related parties".
The security server 200 that determines access control according to the present invention separates the general determination rules for access control from the detailed security settings of each document, maps the attributes of documents and users to abstracted attributes, and then makes the access determination. Further, since the general-purpose determination rules are described in a policy file, the rules are not fixed but can be replaced.

There may be other examples in which decision rules are programmed as software logic, but there are no examples in which the decision rules can be defined and set in various ways according to the security policy of the organization.
The data structure of the table managed by the security server 200 will be described.

  FIG. 5 is a diagram illustrating the data structure of the user authority level table. In FIG. 5, the data structure 251 of the user authority level table 250 is composed of a UserMapList, indicated by the code 252 "UserMapList {userMap [] userMap;};", which manages a userMap in an array for each user or group; the userMap indicates the authority of the user, or of the users belonging to the group. The authority of a plurality of users is managed by such a UserMapList.

  This userMap is composed of a user ID or group ID indicated by a character string by the code 253-1 "String principalId;", an entry type such as user or group indicated by a character string by the code 253-2 "String entryType;", and an authority level indicated by a character string by the code 253-3 "String leveleId;".

  An entry of userMap is created in UserMapList for each user 52 who uses the application system 400, and the user 52 is registered.

  FIG. 6 shows the data structure of the document profile management table. In FIG. 6, the data structure 261 of the document profile management table 260 is composed of a DocProfileTable, indicated by the code 262 "DocProfileTable {DocProfile [] docProfiles;};", which manages in an array a docProfile indicating the security policy for each electronic document. A plurality of electronic documents are managed by such a DocProfileTable.

  This docProfile is composed of a document ID indicated by a character string by the code 263-1 "String docId;", a document category indicated by a character string by the code 263-2 "String DocCategory;", a confidential level indicated by a character string by the code 263-3 "String docLevel;", a list of a plurality of related persons constituted by an array of character strings by the code 263-4 "String [] relatedPersons;", a list of a plurality of zone IDs constituted by an array of character strings by the code 263-5 "String [] zones;", a secret retention period indicated by a date by the code 263-6 "Date nondisclosure;", a retention period indicated by a date by the code 263-7 "Date retention;", and an expiration date indicated by a date by the code 263-8 "Date validity;".

  An entry of DocProfile is created in DocProfileTable for each electronic document to be accessed, and the electronic document is registered. The document ID is identification information uniquely indicated for each electronic document. The document category and confidential level specify identification information of the document category and confidential level used by the security policy.

  In the related person list, user IDs or group IDs of related persons of the electronic document are listed. In the zone, a list of zone IDs that specify a zone in which access to the electronic document is permitted is designated.

  FIG. 7 shows the data structure of the zone management table. In FIG. 7, the data structure 271 of the zone management table 270 is composed of a ZoneInfoTable, indicated by the code 272 "ZoneInfo Table {ZoneInfo [] zones};", which manages in an array a ZoneInfo specifying each zone. A plurality of zones are managed by such a ZoneInfoTable.

  This ZoneInfo is composed of a zone ID indicated by a character string by the code 273-1 "String id;", a zone name indicated by a character string by the code 273-2 "String name;", and the addresses of the zone indicated by an array of AddressInfo by the code 273-3 "AddressInfo [] addresses;".

  The data structure of AddressInfo referenced by the code 273-3 is composed of an IP address or MAC address indicated by a character string by the code 275-1 "String address;", an address type "IP" or "MAC" indicated by a character string by the code 275-2 "String addressType;", and, in the case of an IP address, a subnet mask such as "255.255.255.0" indicated by a character string by the code 275-3 "String netmask;".

  The zone management table 270 is a table for managing a zone for which access is permitted by using a list of addresses. A plurality of IP addresses or MAC addresses are listed and assigned to one zone ID for management.

  FIG. 8 shows the data structure of the print profile management table. In FIG. 8, the data structure 281 of the print profile management table 280 is composed of a PrintProfileTable, indicated by the code 281 "PrintProfileTable {PrintProfile [] printprofiles;};", which manages in an array a PrintProfile indicating a print-related profile for each print. A plurality of print profiles are managed by such a PrintProfileTable.

  A PrintProfile is composed of a print ID indicated by a character string by the code 283-1 "String printId;", the document ID of the printed electronic document indicated by a character string by the code 283-2 "String docId;", a printed date and time indicated by a date by the code 283-3 "Date printedDate;", a print user ID indicated by a character string by the code 283-4 "String printedUserId;", and a print user name indicated by a character string by the code 283-5 "String printedUserName;".

  Each time an electronic document whose access is controlled is printed, a PrintProfile entry is registered in the PrintProfileTable. The print ID is identification information uniquely specified for each print. The document ID is the document ID of the printed document.

A specific access control sequence will be described below for each of the document management system 100, the digital multi-function peripheral 70, and the document viewer 53.
[Access control in document management system]
Access control in the document management system 100 will be described with reference to FIG. 9 and FIG.

  FIG. 9 is a diagram showing an access control sequence in the document management system. FIG. 10 is a flowchart for explaining an access control process in the document management system. In FIGS. 9 and 10, the processes in the access control sequence shown in FIG. 9 are given the same reference numerals as the corresponding processes in FIG. 10.

  In FIGS. 9 and 10, the document management system 100 receives a user ID and password from the terminal 51 together with a login request of the user 52 (S1001).

  The document management system 100 sends the received user ID and password to the user management server 300 to make an authentication request (S1002). The user management server 300 performs an authentication process with the received user ID and password (S1003). The user management server 300 returns authentication result information indicating the success or failure of the authentication to the document management system 100 (S1004). The authentication result information includes user identification information for identifying the user and information indicating success or failure of the authentication.

  The document management system 100 performs processing according to the authentication result information (S1005). If the authentication result information indicates that the authentication is successful, the document management system 100 transmits the authentication result information received from the user management server 300 to the terminal 51, and proceeds to S1006. On the other hand, when the authentication result information indicates that the authentication has failed, the document management system 100 ends the access control process.

  The terminal 51 makes a document read request for the server document 61 stored in the document management system 100 to the document management system 100 by designating the document ID (S1006).

  The document management system 100 sends the authentication result information of the user 52, the document ID of the server document 61, the access type, and the client context information to the security server 200, and inquires about access control for the server document 61 (S1007). For example, read access corresponding to a document read request is specified as the access type.

  The security server 200 determines whether to permit access based on the received information (S1008).

  The security server 200 returns the determination result to the document management system 100 (S1009). The document management system 100 performs processing according to the determination result received from the security server 200 (S1009). If the determination result indicates “permitted”, the document management system 100 processes the requirement specified by the determination result, and proceeds to S1011. On the other hand, if the determination result indicates “prohibited”, access is prohibited and the access control process is terminated.

  The document management system 100 performs processing according to the access request requested from the terminal 51, transmits the server document 61 to the terminal 51, and normally ends the access control processing (S1011).

  The user authentication inquiry in S1002 may be made via the security server 200. The method of authenticating the user 52 is not limited to the method of authenticating with the user ID and password. More advanced biometric authentication or challenge / response authentication using a smart card may be applied.

  Next, an authentication process performed by the user management server 300 will be described with reference to FIG. FIG. 11 is a diagram for explaining the authentication process in the user management server. In FIG. 11, the user management server 300 authenticates the user 52 by comparing the user ID and password received from the document management system 100 with the user management 310 (L0011).

  It is determined whether or not the user 52 has been successfully authenticated (L0012). When the authentication of the user 52 is successful, the user management server 300 acquires the list of group IDs to which the user 52 belongs (L0013), and creates authentication result information from the user ID, the user name, and the list of group IDs to which the user 52 belongs (L0014). The authentication result information includes user identification information for identifying the user and information indicating that authentication succeeded.

  The user management server 300 returns the created authentication result information to the document management system 100 (L0015), and the branch for successful authentication of the user 52 ends (L0016). Then the authentication process ends (L0020).

  On the other hand, when authentication of the user 52 fails (L0017), the user management server 300 creates authentication result information indicating the authentication failure and returns it to the document management system 100 (L0018); the branch for failed authentication of the user 52 ends (L0019) and the authentication process ends (L0020).

  FIG. 12 is a diagram illustrating the data structure of the authentication result information. In FIG. 12, the data structure 501 of the authentication result information is defined by, for example, a structure AuthInfo, and is composed of a user ID indicated by a character string by the code 502-1 "String userId;", a user name indicated by a character string by the code 502-2 "String username;", and a list of group IDs constituted by an array of character strings by the code 502-3 "String [] groups;", giving the groups to which the user 52 belongs.

  Next, the permission process performed by the security server 200 in S1008 will be described with reference to FIGS. FIGS. 13, 14 and 15 are diagrams for explaining permission processing in the security server in response to an inquiry from the document management system.

  In FIGS. 13, 14, and 15, the process is exemplified for the case where the user 52 performs an operation for reading the server document 61 of the document management system 100 at the terminal 51, so that a document read request is transmitted from the terminal 51 to the document management system 100. Other operations at the terminal 51 include, for example, property reference, original reference, revision, deletion and storage, which the document management system 100 forwards to the security server 100 as a property reference request, original reference request, revision request, deletion request and storage request, respectively.

  The original reference operation is an access to acquire the original server document 61 managed by the document management system 100. Further, the document reading operation illustrated is an access to acquire the server document 61 that is converted so that the original server document 61 can be opened only by the special document viewer 53.

  Further, the permission processing in the security server 100 for each request is the same.

  In FIG. 13, the security server 200 receives authentication result information, document ID, access type, and context information from the document management system 100 that made the determination request (L0031). For example, “read document for server document” is specified as the access type. The type of the document 60 (that is, the server document 61) and the type of operation (that is, reading the document) are specified by the access type.

  The security server 200 acquires the document profile (docProfile) corresponding to the document ID (docid) received from the document management system 100 from the document profile management table 260 (L0032).

  The security server 200 refers to the document profile (docProfile) and acquires the document category (docCategory) and the confidential level (docLevel) (L0033).

  The security server 200 refers to the document profile (docProfile) and acquires a related person list (relatedPersons) (L0034).

  The security server 200 determines whether or not the user ID (userId) or group (groups) of the authentication result information (authInfo) is included in the related party list (relatedPersons) (L0035).

  If included, the security server 200 sets a related party (RELATED_PERSONS) in the user category (userCategory) (L0036). On the other hand, if not included, the security server 200 sets unrestricted (ANY) to the user category (userCategory) (L0037).

  The security server 200 refers to the user authority level table (UserMapTable) and stores the level corresponding to the user ID or group ID (principalId) in the authority level (userLevel) (L0038).

  The security server 200 refers to the document profile (docProfile) and acquires a zone ID list (zones) (L0039).

  The security server 200 refers to the zone management table (ZoneInfoTable), acquires the IP address and MAC address corresponding to the zone ID list (zones), and creates a permitted address list (L0040).

  The security server 200 determines whether the address included in the context information is included in the created permitted address list (L0041).

  If it is included, the security server 200 sets restricted (RESTRICTED) in the zone (L0042). On the other hand, if it is not included, the security server 200 sets unrestricted (ANY) in the zone (L0043).

  The security server 200 loads the security policy file into the memory and acquires an array of access restriction rules (rule) (L0044).

  The security server 200 repeats the following processing from L0046 to L0071 for each access control rule (rule) (L0045).

  The security server 200 determines whether the document category (docCategory) of the access control rule (rule) is unrestricted (ANY) or matches the document category (docCategory) obtained above, and whether the document level (docLevel) of the access control rule (rule) is unrestricted (ANY) or matches the document level (docLevel) obtained above (L0046). If both conditions hold, the security server 200 further repeats the following processing from L0049 to L0064 for each access control list (Ace) of the access control rule (rule) (L0048).

  On the other hand, if they do not match (L0070 and L0071), the security server 200 returns to L0045 and repeats the above processing for the next access control rule (rule).

  When they match, the security server 200 determines whether the user category (userCategory) of the access control list (Ace) is unrestricted (ANY) or matches the user category (userCategory) obtained above, whether the user level (UserLevel) of the access control list (Ace) is unrestricted (ANY) or matches the user level (userLevel) obtained above, and whether the zone (Zone) of the access control list (Ace) is unrestricted (ANY) or matches the zone (zone) obtained above (L0049, L0050 and L0051). If all three conditions hold, the security server 200 repeats the following L0053 to L0058 for each operation (Operation) of the access control list (Ace) (L0052).

  On the other hand, if they do not match (L0064 and L0065), the security server 200 returns to L0048 and repeats the above processing for the access control list (Ace) next to the access control rule (rule).

  For each operation, the security server 200 determines whether the ID (Operation.Id) of the operation matches the requested operation (L0053). If they match, permission (true) is stored in the permission (allowed) of the determination result information (decisionInfo) (L0054). The security server 200 also stores all the requirements (requirement) specified in the operation (operation) in the determination result information (L0055), and proceeds to L0072 (L0056).

  On the other hand, if they do not match (L0058 and L0059), the security server 200 returns to L0052 and repeats the above processing for each operation (Operation) in the access control list (Ace).

  When the processing for each operation (Operation) in the access control list (Ace) is completed, the security server 200 determines whether or not there is a corresponding operation (L0060). If not, the security server 200 stores “not permitted” (false) in the permitted (allowed) of the determination result information (decisionInfo) (L0061), and proceeds to L0072 (L0063).

  On the other hand, if there is, the security server 200 proceeds to L0072 as it is (L0063).

When the processing for each access control list (Ace) of the access control rule (rule) in L0048 ends, the security server 200 determines whether there was no corresponding access control list (Ace) (L0066). If there was none, the security server 200 stores "not permitted" (false) in the permission (allowed) of the determination result information (decisionInfo) (L0067), and proceeds to L0072 (L0063).

  On the other hand, if there is, the security server 200 proceeds to L0072 as it is (L0069).

  In L0045, when the processing for each access control rule (rule) is completed, the security server 200 determines whether or not there is a corresponding access control rule (rule) (L0072). If not, the security server 200 stores “not permitted” (false) in the permitted (allowed) of the determination result information (decisionInfo) (L0073), and proceeds to L0075. On the other hand, if there is, the security server 200 proceeds to L0075 as it is.

  The security server 200 determines whether the permission (allowed) of the determination result information (decisionInfo) is not permitted (false) (L0075). If it is not permitted (false), the determination result information (decisionInfo) is returned as it is to the document management system 100 that made the determination request (L0076), and the permission process ends (L0082).

  On the other hand, if the permission (allowed) of the determination result information (decisionInfo) is not false (L0078), the requirements (requirement) included in the determination result information (decisionInfo) are corrected (L0079), the determination result information (decisionInfo) is returned to the document management system 100 that made the determination request (L0080), and the permission process ends (L0082).
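The two-stage determination described above, as an added Python example that is not the patent's own code: the first stage maps concrete request data to abstract attributes (the related-party test of L0035, the level lookup of L0038, and the zone test of L0039 to L0043 using the IP subnet mask or MAC address from the AddressInfo structure of FIG. 7), and the second stage walks the policy file with the ANY wildcard semantics of L0045 to L0075. The table rows, policy rules, and names such as `in_permitted_addresses`, `abstract` and `decide` are constructed for illustration and are not from the page. Note the flowchart's behaviour that the first matching rule and the first matching Ace are authoritative: if that Ace carries no entry for the requested operation, the result is "not permitted" rather than a fall-through to later entries.

```python
import ipaddress
from dataclasses import dataclass, field

# Management tables: constructed sample data, shaped like FIGS. 5-7 (not the patent's data).
USER_MAP_LIST = [  # userMap entries: principalId, entryType, levelId
    {"principalId": "alice", "entryType": "user", "levelId": "MANAGER"},
    {"principalId": "staff", "entryType": "group", "levelId": "STAFF"},
]
DOC_PROFILE_TABLE = {  # docProfile keyed by docId
    "doc-1": {"docCategory": "CONTRACT", "docLevel": "SECRET",
              "relatedPersons": ["alice", "legal"], "zones": ["zone-hq"]},
}
ZONE_INFO_TABLE = {  # ZoneInfo.addresses keyed by zone id (AddressInfo entries)
    "zone-hq": [
        {"address": "10.1.0.0", "addressType": "IP", "netmask": "255.255.255.0"},
        {"address": "00:11:22:33:44:55", "addressType": "MAC", "netmask": ""},
    ],
}
# Policy file contents (constructed). "ANY" is the wildcard at every level.
POLICY = [
    {"docCategory": "ANY", "docLevel": "SECRET", "aces": [
        {"userCategory": "RELATED_PERSONS", "userLevel": "ANY", "zone": "RESTRICTED",
         "operations": [{"id": "read", "requirements": ["record_audit_data", "show_alarm"]}]},
        {"userCategory": "ANY", "userLevel": "MANAGER", "zone": "ANY",
         "operations": [{"id": "read", "requirements": ["record_audit_data"]}]},
    ]},
]


@dataclass
class DecisionInfo:  # FIG. 17: allowed flag plus the requirements attached to the operation
    allowed: bool = False
    requirements: list = field(default_factory=list)


def in_permitted_addresses(ctx, zone_ids):
    """Zone mapping (L0039-L0041): is the client's IP (by subnet mask) or MAC in the zone list?"""
    for zid in zone_ids:
        for a in ZONE_INFO_TABLE.get(zid, []):
            if a["addressType"] == "MAC":
                if a["address"].lower() == ctx.get("macAddress", "").lower():
                    return True
            elif a["addressType"] == "IP":
                net = ipaddress.IPv4Network((a["address"], a["netmask"]), strict=False)
                if ipaddress.IPv4Address(ctx["ipAddress"]) in net:
                    return True
    return False


def abstract(auth_info, doc_id, ctx):
    """First stage (L0032-L0043): concrete IDs and addresses become abstract attributes."""
    prof = DOC_PROFILE_TABLE[doc_id]
    principals = [auth_info["userId"], *auth_info["groups"]]
    related = any(p in prof["relatedPersons"] for p in principals)          # L0035
    # Assumption: a principal absent from the level table gets no level (None).
    level = next((m["levelId"] for m in USER_MAP_LIST if m["principalId"] in principals), None)
    zone = "RESTRICTED" if in_permitted_addresses(ctx, prof["zones"]) else "ANY"
    return {"docCategory": prof["docCategory"], "docLevel": prof["docLevel"],
            "userCategory": "RELATED_PERSONS" if related else "ANY",
            "userLevel": level, "zone": zone}


def matches(rule_value, actual):
    """A rule field matches when it is the ANY wildcard or equals the abstracted value."""
    return rule_value == "ANY" or rule_value == actual


def decide(auth_info, doc_id, operation, ctx):
    """Second stage (L0044-L0075). The first matching rule and the first matching Ace
    within it are authoritative; a matching Ace without the operation yields false."""
    attrs = abstract(auth_info, doc_id, ctx)
    info = DecisionInfo()
    for rule in POLICY:                                                    # L0045
        if not (matches(rule["docCategory"], attrs["docCategory"])
                and matches(rule["docLevel"], attrs["docLevel"])):
            continue                                                       # L0070/L0071
        for ace in rule["aces"]:                                           # L0048
            if not (matches(ace["userCategory"], attrs["userCategory"])
                    and matches(ace["userLevel"], attrs["userLevel"])
                    and matches(ace["zone"], attrs["zone"])):
                continue                                                   # L0064/L0065
            for op in ace["operations"]:                                   # L0052
                if op["id"] == operation:                                  # L0053
                    info.allowed = True                                    # L0054
                    info.requirements = list(op["requirements"])           # L0055
                    return info                                            # L0056
            return info  # matching Ace, no such operation: stays false (L0061)
        return info      # matching rule, no matching Ace: stays false (L0067)
    return info          # no matching rule: stays false (L0073)


if __name__ == "__main__":
    alice = {"userId": "alice", "groups": ["staff"]}
    hq = {"ipAddress": "10.1.0.77", "macAddress": "aa:bb:cc:dd:ee:ff"}
    print(decide(alice, "doc-1", "read", hq))
```

With the sample tables, a related manager reading from inside the zone hits the first Ace and receives both requirements; the same user from an outside address falls to the second Ace and receives only the audit requirement; a non-related staff member is denied because no Ace matches; and a request for an operation absent from the matching Ace is denied without consulting later entries.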

  The data structure of the context information transmitted from the document management system 100 to the security server 200 will be described with reference to FIG. FIG. 16 is a diagram illustrating a data structure of context information.

  In FIG. 16, the context information is information indicating the address of the terminal 51 used by the user 52. The data structure 511 of the context information is defined by, for example, a structure ContextInfo, and is composed of an IP address indicated by a character string by the code 513-1 "String ipAddress;" and a MAC address indicated by a character string by the code 513-2 "String macAddress;".

  Determination result information (decisionInfo) transmitted from the security server 200 to the document management system 100 will be described with reference to FIG. FIG. 17 is a diagram illustrating a data structure of the determination result information.

  In FIG. 17, the determination result information is information indicating the determination result of access control. The data structure 521 of the determination result information is defined by, for example, the structure DecisionInfo, and is composed of a permission flag indicated by the code 523-1 "Boolean allowed;" and a plurality of requirements constituted by an array of requirements by the code 523-2 "Requirement [] requirements;".

  Furthermore, each requirement is defined by the structure Requirement, and is composed of a requirement ID identifying the requirement, indicated by a character string by the code 525-1 "String requirement;", a plurality of supplementary information items constituted by an array of Property by the code 525-2 "Property [] supplements;", supplementary data constituted by an array of bytes by the code 525-3 "byte [] data;", and a plurality of alternative requirements constituted by an array of requirements by the code 525-4 "Requirement [] alternatives;".

  The supplementary information is defined by the structure Property, and is composed of a name indicated by a character string by the code 527-1 "String name;" and a value indicated by a character string by the code 527-2 "String value;".

  Next, the requirement correction processing in the document management system 100 will be described with reference to FIG. FIG. 18 is a flowchart for explaining the process for correcting a requirement in the document management system.

  In FIG. 18, the document management system 100 repeats from L1102 to L1110 for each supplemental information (supplement) included in the requirement (requirement) of the determination result information (decisionInfo) (L1101).

  The document management system 100 determines whether or not a fixed image (static_image) is designated as the name of the property (Property) of the supplementary information (L1102). When a fixed image (static_image) is designated, the document management system 100 reads the data of the stamp image file specified in the value (value) of the supplementary information (Property) from the local hard disk, stores it in the supplementary data of the requirement (requirement) (L1103), and proceeds to L1105.

  On the other hand, when the fixed image (static_image) is not designated, the document management system 100 proceeds to L1105 as it is.

  Here, the fixed image is, for example, a stamp image or the like.

  The document management system 100 determines whether or not a dynamic image (dynamic_image) is designated as the name (name) of the property (Property) of the supplementary information and the operation (operation) is "print" (L1105). When a dynamic image (dynamic_image) is designated as the name (name) of the property (Property) of the supplementary information and the operation (operation) is "print", a new print profile (printProfile) is created (L1106). Further, the document management system 100 encodes the print ID (printId) of the print profile (printProfile) into identification image data (L1107), and stores the identification image data in the supplementary data (data) of the requirement (requirement) (L1108). Then the document management system 100 ends the requirement correction process.

  On the other hand, when a dynamic image (dynamic_image) is not designated as the name (name) of the property (Property) of the supplementary information, or the operation (operation) is not "print", the document management system 100 ends the requirement correction process as it is.

  Here, the dynamic image is a barcode image or an identification pattern image.

  Next, requirement processing in the document management system 100 will be described with reference to FIGS. 19 and 20. FIGS. 19 and 20 are flowcharts for explaining the requirement processing in the document management system.

  In FIG. 19, the document management system 100 determines whether or not the permission (allowed) of the determination result information (decisionInfo) indicates disapproval (false) (L1121). When disapproval is indicated, the document management system 100 rejects the access and ends the requirement processing (L1122).

  On the other hand, if no disapproval is indicated, L1125 to L1160 are repeated for each requirement (requirement) of the determination result information (decisionInfo) (L1124).

  The document management system 100 determines whether or not a requirement (requirement) that is not supported by the document management system 100 is specified (L1125). If a requirement that is not supported by the document management system 100 is not specified, the document management system 100 proceeds to L1131.

  On the other hand, when a requirement (requirement) that is not supported by the document management system 100 is designated, the document management system 100 further determines whether the alternative requirements (alternative) of that requirement (requirement) also designate only requirements that are not supported (L1126). If an unsupported requirement is designated as the alternative requirement (alternative) of the requirement (requirement) as well, the document management system 100 denies access and ends the requirement processing (L1127).

  On the other hand, if a supported requirement is designated as an alternative requirement (alternative) of the requirement (requirement), the document management system 100 processes that alternative requirement (alternative) in place of the requirement (requirement).

  Subsequently, the document management system 100 determines whether or not log recording (record_audit_data) is designated in the requirement (requirement) (L1131). When log recording (record_audit_data) is designated, the document management system 100 generates log data including the user ID (userid), the document ID (docid), the operation (operation), the date and time, and the context information (contextInfo) (L1132).

  The document management system 100 transmits the log data to the security server (L1133). The document management system 100 determines whether or not the log data transmission has failed (L1134). If transmission of log data fails, the document management system 100 denies access and ends the requirement processing (L1135). On the other hand, when the log data has been successfully transmitted, the document management system 100 proceeds to L1138 as it is.

  Furthermore, the document management system 100 determines whether or not encryption is specified in the requirement (requirement) (L1138). If encryption is specified, the document management system 100 encrypts the stored document (L1139). On the other hand, when encryption is not designated, the document management system 100 proceeds to L1141 as it is.

  Next, the document management system 100 determines whether or not the requirement (requirement) specifies the originality of the electronic document (integrity_protection) (L1141). When ensuring of the originality (integrity_protection) of the electronic document is designated, the document management system 100 transfers the document to the originality ensuring support system and stores it. The originality ensuring support system may be a system as disclosed in, for example, Japanese Patent Laid-Open No. 2000-285024. Further, such an originality ensuring support system may be configured in the document management system 100.

  On the other hand, when the originality of the electronic document (integrity_protection) is not specified in the requirement (requirement), the document management system 100 proceeds to L1144 as it is.

  Further, the document management system 100 determines whether or not multiple authentication for access to the electronic document is specified in the requirement (requirement) (L1144). If not specified, the document management system 100 proceeds to L1150 as it is.

  On the other hand, if specified, the document management system 100 requests strict user authentication (such as fingerprint authentication) from the user 52 using the terminal 52 (L1145). After the strict user authentication, the document management system 100 determines whether it has failed (L1146). If it has failed, the document management system 100 denies access and ends the requirement processing (L1147). On the other hand, if it has not failed, the document management system 100 proceeds to L1150.

  Subsequently, the document management system 100 determines whether or not version management of the electronic document is specified in the requirement (requirement) (L1150). If specified, the document management system 100 saves the revised document as a new version (L1151), and proceeds to L1153. On the other hand, if not specified, the document management system 100 proceeds to L1153 as it is.

  Further, the document management system 100 determines whether or not complete deletion (complete_deletion) of the electronic document is designated in the requirement (requirement) (L1153). If specified, the document management system 100 executes a complete deletion process for the deleted document (L1154), and proceeds to L1156. On the other hand, if not specified, the document management system 100 proceeds to L1156 as it is.

  Subsequently, the document management system 100 determines whether a warning display (show_alarm) is specified in the requirement (requirement) (L1156). If specified, the document management system 100 creates a warning character string in the character string format specified in the supplement information (supplement) of the requirement (requirement) (L1157), and displays the warning character string to the user 52 in a dialog box (L1168). Then, in order to repeat the same process as described above for the next requirement (requirement), the process returns to L1124. On the other hand, if not designated, the document management system 100 returns to L1124 as it is.

  After the above processing is performed for all requirements (requirement), the document management system 100 performs the access processing requested from the terminal 51 (L1161), and ends the requirement processing (L1162).

  In the description of FIG. 19 and FIG. 20, the requirements (requirement) of the determination result information (decisionInfo) are shown being processed in parallel, but the requirements (requirement) that must be handled are determined for each operation (operation), so, as described above, it is not necessary to perform processing for all requirement patterns. For example, complete deletion (complete_deletion) of the electronic document is designated as a requirement only when the operation is performed on the server document 61. The above processing example is used in order to simplify the explanation. When processing an alternative requirement, the document management system 100 executes the same process as described above.

As described above, the document management system 100 can perform access control according to the security policy set in the security server 200. At that time, the permission requirements defined in the security policy can be applied. In addition, flexible processing is possible by including processing of supplementary information and processing of alternative requirements necessary to satisfy the permission requirements.
[Access control with digital MFP]
Access control in the digital multi-function peripheral 70 will be described with reference to FIG.

  FIG. 21 is a diagram showing an access control sequence in the digital multi-function peripheral. FIG. 22 is a flowchart for explaining access control processing in the digital multi-function peripheral. In FIG. 21 and FIG. 22, each process in the access control sequence shown in FIG. 21 is associated with the description of each process in FIG.

  In FIGS. 21 and 22, the digital multi-function peripheral 70 receives the user ID and password together with the login request of the user 52 (S2001).

  The digital multi-function peripheral 70 transmits the received user ID and password to the user management server 300 to make an authentication request (S2002). The user management server 300 performs an authentication process with the received user ID and password (S2003). The user management server 300 returns authentication result information indicating the success or failure of the authentication to the digital multi-function peripheral 70 (S2004).

  The digital multi-function peripheral 70 performs processing according to the authentication result information (S2005). If the authentication result information indicates a successful authentication, the digital multi-function peripheral 70 transmits the authentication result information received from the user management server 300 to the terminal 51, and the process proceeds to S2006. On the other hand, when the authentication result information indicates that the authentication has failed, the digital multi-function peripheral 70 ends the access control process.

  The user 52 requests a copy of a paper document with the digital multi-function peripheral 70 (S2006).

  Upon receiving a request for copying a paper document, the digital multi-function peripheral 70 cuts out an identification area from image data obtained by scanning the paper document in order to identify the paper document (S2007).

  The digital multi-function peripheral 70 sends the authentication information of the user 52, the cut-out image, the access type, and the context information to the security server 200 to inquire about access control (S2008). For example, copy access corresponding to the copy request is designated as the access type.

  The security server 200 determines whether to permit access based on the received information (S2009). The security server 200 returns the determination result to the digital multifunction peripheral (S2010).

  The digital multi-function peripheral 70 performs processing according to the determination result received from the security server 200 (S2011). When the determination result indicates “permitted”, the digital multi-function peripheral 70 processes the requirements included in the determination result. On the other hand, when the determination result indicates “prohibited”, the digital multi-function peripheral 70 ends the access control process without performing access.

  The digital multifunction peripheral 70 processes the access request (copy request) requested by the user, outputs the copied paper, and ends the access control process (S2012).

  In the above example, the case where the access request is a copy request has been described. However, the same processing is performed for a scan request, a fax transmission request, and the like. For example, when the access request is a scan request, the scanned image data is stored in the storage area, and when the access request is a fax transmission request, the scanned image data is faxed to the destination designated by the user 52.

  The user authentication inquiry in S2002 may be performed via the security server 200. The method of authenticating the user is not limited to the method of authenticating with the user ID and password. More advanced biometric authentication or challenge / response authentication using a smart card may be applied.

  The authentication process by the user management server 300 in S2003 is the same as that in the case of access control in the document management system 100, and a description thereof will be omitted. Also, the data structure of the authentication result information is the same as that in the case of access control in the document management system 100, and thus the description thereof is omitted.

  The permission process performed by the security server 200 in S2009 will be described with reference to FIGS. 23, 24, and 25. FIGS. 23, 24, and 25 are diagrams for explaining the permission processing in the security server in response to an inquiry from the digital multi-function peripheral.

  FIGS. 23, 24, and 25 exemplify the processing when the user 52 makes a copy request for copying the paper document 62 using the digital multi-function peripheral 70. Other operations in the digital multi-function peripheral 70 include, for example, fax transmission and scanning, which are transmitted from the digital multi-function peripheral 70 to the security server 100 as a fax transmission request, a scan request, and so on, respectively.

  The fax transmission operation is an access for faxing the paper document 62 scanned by the digital multi-function peripheral 70 to a destination designated by the user 52. The scan operation is an operation of scanning the paper document 62 and storing image data in a predetermined storage area.

  Further, the permission processing in the security server 100 for each request is the same.

  In FIG. 23, the security server 200 receives the authentication result information, the document ID, the access type, and the context information from the document management system 100 that made the determination request (L2031). For example, “copy for paper document” is designated as the access type. The access type identifies the type of document 60 (i.e., paper document 62) and the type of operation (i.e., copy).

  The security server 200 decodes the received cut-out image to obtain a print ID (printId) (L2032). Alternatively, instead of decoding the cut-out image on the security server 200 side, the digital MFP 70 may acquire the print ID (printId) itself and send the print ID (printId) to the security server 200 in place of the cut-out image.

  The security server 200 determines whether the image could not be decoded (L2033). If decoding is not possible, the security server 200 sets unknown (UNKNOWN) for the document category (docCategory) (L2034), sets unknown (UNKNOWN) for the document level (docLevel) (L2035), sets unrestricted (ANY) for the user category (userCategory) (L2036), and sets unrestricted (ANY) for the zone (L2037).

  On the other hand, if the decoding is successful, the security server 200 refers to the print profile management table and acquires the print profile (printProfile) corresponding to the print ID (printId) (L2040).

  Then, the security server 200 determines whether or not the corresponding print profile exists (L2041). If not, the security server 200 sets unknown (UNKNOWN) for the document category (docCategory) (L2042), sets unknown (UNKNOWN) for the document level (docLevel) (L2043), sets unrestricted (ANY) for the user category (userCategory) (L2044), and sets unrestricted (ANY) for the zone (L2045).

  On the other hand, when the corresponding print profile exists (L2047), the security server 200 acquires the document ID (docid) from the print profile (printProfile) (L2048), refers to the document profile management table to acquire the document profile (docProfile) corresponding to the document ID (docid) (L2049), refers to the document profile (docProfile) to acquire the document category (docCategory) and the confidential level (docLevel) (L2050), and refers to the document profile (docProfile) to acquire the related person list (relatedPersons) (L2051).

  The security server 200 further determines whether or not the related person (relatedPersons) includes the user ID (userId) or the group to which the user belongs (L2052). If included, the security server 200 sets the related person (RELATED_PERSONS) in the user category (userCategory) (L2053), and proceeds to L2055. On the other hand, if not included, the security server 200 sets unrestricted (ANY) to the user category (userCategory) (L2054), and proceeds to L2055.

  The security server 200 refers to the document profile (docProfile) and acquires a zone ID list (zones) (L2055). The security server 200 refers to the zone management table (ZoneInfoTable) and acquires the IP address and MAC address corresponding to the zone ID list (permitted address list) (L2056).

  The security server 200 determines whether or not the address included in the context information is included in the permitted address list (L2057). If included, the security server 200 sets restricted (RESTRICTED) for the zone (L2058), and proceeds to L2062. On the other hand, if not included, the security server 200 sets unrestricted (ANY) for the zone (L2059), and proceeds to L2062.

  The security server 200 refers to the user authority level table (UserMapTable), and stores the level corresponding to the user ID (userId) or group (groups) in the user level (userLevel) (L2062).

  The security server 200 loads the security policy file into the memory and acquires an array of access control rules (rule) (L2063).

  The security server 200 repeats the following processing from L2065 to L2068 for each access control rule (rule) (L2064).

  The security server 200 determines whether the document category (docCategory) of the access control rule (rule) is unrestricted (ANY) or matches the document category (docCategory), and whether the document level (docLevel) of the access control rule (rule) is unrestricted (ANY) or matches the document level (docLevel) (L2065 and L2066). If both match, the security server 200 further repeats the following processing from L2068 to L2083 for each access control list (Ace) of the access control rule (rule) (L2067).

  On the other hand, if they do not match (L2088 and L2089), the security server 200 returns to L2064 and repeats the above processing for the next access control rule (rule).

  When the determinations in L2065 and L2066 match, the security server 200 determines whether the user category (userCategory) of the access control list (Ace) is unrestricted (ANY) or matches the user category (userCategory), whether the user level (UserLevel) of the access control list (Ace) is unrestricted (ANY) or matches the user level (userLevel), and whether the zone (Zone) of the access control list (Ace) is unrestricted (ANY) or matches the zone (zone) (L2068, L2069 and L2070). If all three match, the security server 200 repeats the following L2072 to L2077 for each operation (Operation) of the access control list (Ace) (L2071).

  On the other hand, if they do not match (L2082 and L2083), the security server 200 returns to L2067 and repeats the above processing for the next access control list (Ace) of the access control rule (rule).

  If the security server 200 determines that they match in the determinations in L2068, L2069, and L2070, it determines whether the ID (Operation.Id) of the operation matches the requested operation (L2072). If they match, permission (true) is stored in the permitted (allowed) of the determination result information (decisionInfo) (L2073). Further, the security server 200 stores all the requirements (requirement) specified in the operation in the determination result information (L2074), and proceeds to L2098 (L2081).

  On the other hand, if they do not match (L2076 and L2077), the security server 200 returns to L2071 and repeats the above processing for each operation (Operation) in the access control list (Ace).

  In L2071, when the processing for each operation (Operation) in the access control list (Ace) is completed, the security server 200 determines whether or not there is a corresponding operation (L2078). If not, the security server 200 stores “not permitted” (false) in the permitted (allowed) of the determination result information (decisionInfo) (L2079), and proceeds to L2090 (L2081).

  On the other hand, if there is, the security server 200 proceeds to L2090 as it is (L2081).

  In L2067, when the processing for each access control rule (rule) ends, the security server 200 determines whether or not there is a corresponding access control rule (rule) (L2090). If not, the security server 200 stores “not permitted” (false) in the permitted (allowed) of the determination result information (decisionInfo) (L2091), and proceeds to L2093. On the other hand, if there is, the security server 200 proceeds to L2093 as it is.

  The security server 200 determines whether the permission (allowed) of the determination result information (decisionInfo) is not permitted (false) (L2093). When the permission (allowed) of the determination result information (decisionInfo) is not permitted (false), the determination result information (decisionInfo) is returned to the digital multi-function peripheral 70 that requested the determination (L2094), and the permission process is terminated (L2100).

  On the other hand, if the permission (allowed) of the determination result information (decisionInfo) does not indicate not permitted (false) (L2096), the requirements (requirement) included in the determination result information (decisionInfo) are corrected (L2097). The determination result information (decisionInfo) is then returned to the document management system 100 that made the determination request (L2098), and the permission process is terminated (L2100).
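The permission process of L2031 to L2098 as an added worked example (not the patent's own code): the request facts are first converted to the abstract attributes the policy speaks in (document category and level, user category, zone, user level), and the rule, ACE and operation loops are then scanned in order. The profile tables, the print-ID decoder, the policy and the choice of the highest level among a user and their groups are constructed assumptions; the UNKNOWN rule shows how the policy, not the device, decides what happens to an original that could not be identified.

```python
from dataclasses import dataclass
from typing import Optional

ANY, UNKNOWN = "ANY", "UNKNOWN"
RELATED_PERSONS, RESTRICTED = "RELATED_PERSONS", "RESTRICTED"

# Constructed stand-ins for the print profile, document profile, zone and
# user authority level tables; the real table contents are not shown in the text.
PRINT_PROFILES = {"P-1001": {"docid": "D-42"}}
DOC_PROFILES = {
    "D-42": {"docCategory": "CONTRACT", "docLevel": "SECRET",
             "relatedPersons": ["alice", "legal"], "zones": ["Z-HQ"]},
}
ZONE_INFO = {"Z-HQ": {"192.0.2.10", "192.0.2.11"}}   # zone ID -> permitted addresses
USER_MAP = {"alice": 3, "bob": 1, "legal": 2}         # user or group -> level


@dataclass
class Ace:
    userCategory: str
    userLevel: object          # ANY or an integer level
    zone: str
    operations: dict           # operation id -> list of requirement names


@dataclass
class Rule:
    docCategory: str
    docLevel: str
    aces: list


# Constructed sample policy. The last rule is the one that decides what may be
# done with an original the server could not identify (category UNKNOWN).
POLICY = [
    Rule("CONTRACT", "SECRET", [
        Ace(RELATED_PERSONS, ANY, RESTRICTED,
            {"copy": ["record_audit_data", "show_operator"]}),
        Ace(ANY, 3, ANY, {"copy": ["record_audit_data", "print_alarm"]}),
    ]),
    Rule(UNKNOWN, UNKNOWN, [Ace(ANY, ANY, ANY, {"copy": ["record_audit_data"]})]),
]


def decode_print_id(cutout_image: bytes) -> Optional[str]:
    """Constructed decoder: the sample image simply carries the print ID as ASCII text."""
    text = cutout_image.decode("ascii", errors="ignore")
    return text if text.startswith("P-") else None


def abstract(cutout_image, user_id, groups, address):
    """L2032-L2062: turn the request facts into the abstract attributes used by the policy."""
    attrs = {"docCategory": UNKNOWN, "docLevel": UNKNOWN,
             "userCategory": ANY, "zone": ANY}          # defaults of L2034-L2037 / L2042-L2045
    print_id = decode_print_id(cutout_image)
    profile = PRINT_PROFILES.get(print_id) if print_id else None
    if profile is not None:                              # L2047-L2059
        doc = DOC_PROFILES[profile["docid"]]
        attrs["docCategory"], attrs["docLevel"] = doc["docCategory"], doc["docLevel"]
        if {user_id, *groups} & set(doc["relatedPersons"]):
            attrs["userCategory"] = RELATED_PERSONS
        permitted = set().union(*(ZONE_INFO.get(z, set()) for z in doc["zones"]))
        if address in permitted:
            attrs["zone"] = RESTRICTED
    # L2062: the level of the user or of a group they belong to. Taking the
    # highest available level is an assumption; the text does not say which wins.
    attrs["userLevel"] = max(USER_MAP.get(p, 0) for p in (user_id, *groups))
    return attrs


def _match(pattern, value):
    return pattern == ANY or pattern == value


def decide(attrs, operation):
    """L2063-L2093: scan rules, then ACEs, then operations; the first hit wins."""
    decision = {"allowed": False, "requirements": []}
    for rule in POLICY:
        if not (_match(rule.docCategory, attrs["docCategory"])
                and _match(rule.docLevel, attrs["docLevel"])):
            continue
        for ace in rule.aces:
            if not (_match(ace.userCategory, attrs["userCategory"])
                    and _match(ace.userLevel, attrs["userLevel"])
                    and _match(ace.zone, attrs["zone"])):
                continue
            if operation in ace.operations:
                decision["allowed"] = True
                decision["requirements"] = list(ace.operations[operation])
                return decision
    return decision


def permit(cutout_image, user_id, groups, address, operation="copy"):
    """The whole S2009 step: abstraction followed by the rule decision."""
    return decide(abstract(cutout_image, user_id, groups, address), operation)
```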

  Since the data structure of the context information transmitted from the digital multifunction peripheral 70 to the security server 200 is the same as the data structure of the context information transmitted from the document management system 100 to the security server 200, the description thereof is omitted.

  Since the data structure of the determination result information transmitted from the security server 200 to the digital multifunction peripheral 70 is the same as the data structure of the determination result information transmitted from the security server 200 to the document management system 100, the description thereof is omitted.

  Since the requirement correction processing in the digital multi-function peripheral 70 is the same as the requirement correction processing in the document management system 100, the description thereof is omitted.

  Next, requirement processing in the digital multi-function peripheral 70 will be described with reference to FIGS. 26, 27, and 28. FIGS. 26, 27 and 28 are flowcharts for explaining the requirement processing in the digital multi-function peripheral.

  In FIG. 26, the digital multi-function peripheral 70 determines whether or not the permission (allowed) of the determination result information (decisionInfo) indicates disapproval (false) (L2121). If not permitted, the access is denied and the process ends (L2122).

  On the other hand, if no disapproval is indicated, L2125 to L2178 are repeated for each requirement (requirement) of the determination result information (decisionInfo) (L2124).

  The digital multi-function peripheral 70 determines whether or not a requirement (requirement) that is not supported by the digital multi-function peripheral 70 is designated (L2125). When a requirement (requirement) that is not supported by the digital multifunction peripheral 70 is not designated, the digital multifunction peripheral 70 proceeds to L2131.

  On the other hand, when a requirement (requirement) that is not supported by the digital multi-function peripheral 70 is designated, the digital multi-function peripheral 70 further determines whether or not an unsupported requirement is also designated as the alternative requirement (alternative) of that requirement (requirement) (L2126). If an unsupported requirement is specified as the alternative requirement (alternative) of the requirement (requirement), the digital multi-function peripheral 70 denies access and ends the requirement processing (L2127).

  On the other hand, if the alternative requirement (alternative) of the requirement (requirement) is not itself an unsupported requirement, the digital multi-function peripheral 70 processes that alternative requirement (alternative) (L2128).

  Subsequently, the digital multi-function peripheral 70 determines whether or not log recording (record_audit_data) is designated in the requirement (requirement) (L2131). When log recording (record_audit_data) is designated, the digital multi-function peripheral 70 generates log data including a user ID (userid), a document ID (docid), an operation (operation), a date and time, and context information (contextInfo) (L2132).

  Then, the digital multi-function peripheral 70 transmits log data to the security server 200 (L2133). The digital multi-function peripheral 70 determines whether or not the log data transmission has failed (L2134). If the log data transmission fails, the digital multi-function peripheral 70 denies access and ends the requirement processing (L2135). On the other hand, if the log data is successfully transmitted, the digital multi-function peripheral 70 proceeds to L2138 as it is.

  Further, the digital multi-function peripheral 70 determines whether or not label printing (show_label) is designated (L2138). If specified, the digital multi-function peripheral 70 prints and embeds the stamp image specified in the supplement information (supplement) of the requirement (requirement) in the document (L2139). On the other hand, if not designated, the digital multi-function peripheral 70 proceeds to L2141 as it is.

  Subsequently, the digital multi-function peripheral 70 determines whether or not user name printing (show_operator) is designated (L2141). When designated, the digital multi-function peripheral 70 prints and embeds an operator name (operator) in the document (L2142). On the other hand, if not designated, the digital multi-function peripheral 70 proceeds directly to L2144.

  Further, the digital multi-function peripheral 70 determines whether or not image log recording (record_image_data) is designated (L2144). If specified, the digital multi-function peripheral 70 generates image log data including the user ID (userid), document ID (docid), operation (operation), date and time, context information (contextInfo), and document data (scan data) (L2145). Subsequently, the digital multi-function peripheral 70 stores the image log data on the internal hard disk of the digital multi-function peripheral (L2146). On the other hand, if not designated, the digital multi-function peripheral 70 proceeds directly to L2148.

  Subsequently, the digital multi-function peripheral 70 determines whether or not a warning display (show_alarm) is designated (L2148). If specified, the digital multi-function peripheral 70 creates a warning character string in the character string format specified in the supplementary information (supplement) of the requirement (requirement) (L2149), and displays the warning character string to the user on the operation panel (L2150). On the other hand, if not designated, the digital multi-function peripheral 70 proceeds to L2152 as it is.

  Furthermore, the digital multi-function peripheral 70 determines whether or not warning printing (print_alarm) is designated (L2152). If specified, the digital multi-function peripheral 70 creates a warning character string in the character string format specified in the supplement information (supplement) of the requirement (requirement) (L2153), and prints and embeds the warning character string in the document (L2154). On the other hand, if not designated, the digital multi-function peripheral 70 proceeds directly to L2156.

  Subsequently, the digital multi-function peripheral 70 determines whether or not destination restriction (address_restriction) for fax transmission is specified (L2156). If specified, the digital multi-function peripheral 70 checks the destination specified by the user according to the destination condition specified in the supplement information (supplement) of the requirement (requirement) (L2157). Further, the digital multi-function peripheral 70 determines whether or not it matches the destination condition (L2158). If not matched, the digital multi-function peripheral 70 notifies the user on the operation panel that the destination does not match the condition (L2159), denies access, and ends (L2160). On the other hand, if there is a match, the digital multi-function peripheral 70 proceeds directly to L2162.

  If it is determined by the determination at L2156 that it has not been designated, the digital multi-function peripheral 70 proceeds directly to L2162.

  Furthermore, the digital multi-function peripheral 70 determines whether or not the use of the confidential transmission mode (private_send) is designated (L2163). If designated, the digital multi-function peripheral 70 sets the transmission condition to the confidential transmission mode (L2164). Then, the digital multifunction peripheral 70 determines whether or not the confidential transmission mode can be set (L2165). If it cannot be set, the digital multi-function peripheral 70 notifies the user on the operation panel that the other party cannot accept confidential transmission (L2166), denies access, and ends the requirement processing (L2167). On the other hand, if it can be set, the digital multi-function peripheral 70 proceeds to L2170 as it is.

  If it is determined by the determination at L2163 that it is not designated, the digital multifunction peripheral 70 proceeds to L2170 as it is.

  Subsequently, the digital multi-function peripheral 70 determines whether or not printing of visible watermark characters (visible_watermark) is designated (L2170). If so, the digital multi-function peripheral 70 creates a character string in the character string format specified in the supplementary information (supplement) of the requirement (requirement) (L2171), and embeds the character string in the document as a watermark (L2172). On the other hand, if not designated, the digital multi-function peripheral 70 proceeds directly to L2174.

  Furthermore, the digital multi-function peripheral 70 determines whether or not digital watermark embedding (digital_watermark) is designated (L2174). If so, the digital multi-function peripheral 70 creates a character string in the character string format specified in the supplementary information (supplement) of the requirement (requirement) (L2175), and embeds the character string in the scan data as a digital watermark (L2176). The process then returns to L2124 to repeat the same processing as described above for the next requirement (requirement). On the other hand, if not designated, the digital multi-function peripheral 70 returns to L2124 as it is.

  After the above processing is performed for all requirements (requirement), the digital multi-function peripheral 70 performs the access processing requested from the terminal 51 (L2179), and ends the requirements processing (L2180).

  As described above, the digital multi-function peripheral 70 can perform access control according to the security policy set in the security server 200. At that time, the permission requirements defined in the security policy can be applied. In addition, flexible processing is possible by incorporating supplementary information processing necessary to satisfy the permission requirements and processing of alternative requirements.
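The requirement loop of FIGS. 26 to 28, and the document management system loop of FIGS. 19 and 20 which has the same shape, as an added worked example that is not part of the patent: each requirement (with its supplement and alternative) is resolved against what the device supports, an unsupported requirement without a supported alternative denies the access rather than being skipped, and a failed audit-log delivery likewise denies it. The handler names, the supplement keys, the device's capability set and the sample driver are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import Callable, Optional


@dataclass
class Requirement:
    name: str                                   # e.g. record_audit_data, show_alarm
    supplement: dict = field(default_factory=dict)
    alternative: Optional["Requirement"] = None


class AccessDenied(Exception):
    """Raised wherever the flowchart says 'denies access and ends the requirement processing'."""


class Mfp:
    # Constructed capability set for this sample device: no confidential send
    # mode and no digital watermark engine, so those requirements must fall back.
    SUPPORTED = {"record_audit_data", "show_label", "show_operator", "show_alarm",
                 "print_alarm", "address_restriction", "visible_watermark"}

    def __init__(self, send_log: Callable[[dict], bool], user_id, doc_id,
                 operation, context, destination=None):
        self.send_log = send_log        # posts log data to the security server; True on success
        self.user_id, self.doc_id = user_id, doc_id
        self.operation, self.context, self.destination = operation, context, destination
        self.output = {"marks": [], "panel": []}   # what ends up on the paper / the panel
        self.sent_logs = []

    def process(self, decision_info: dict) -> dict:
        """L2121-L2180: refuse if not allowed, honour every requirement, then perform the access."""
        if not decision_info["allowed"]:
            raise AccessDenied("not permitted")
        for req in decision_info["requirements"]:
            req = self._resolve(req)
            getattr(self, "_do_" + req.name)(req)
        self.output["performed"] = self.operation                # L2179
        return self.output

    def _resolve(self, req: Requirement) -> Requirement:
        """L2125-L2128: an unsupported requirement is replaced by its alternative; if that
        is unsupported too (or absent), access is denied rather than the requirement skipped."""
        if req.name in self.SUPPORTED:
            return req
        if req.alternative is None or req.alternative.name not in self.SUPPORTED:
            raise AccessDenied(f"cannot satisfy requirement {req.name}")
        return req.alternative

    def _fmt(self, req):
        """Fill the character string format carried in the supplement (constructed keys)."""
        return req.supplement["format"].format(user=self.user_id, doc=self.doc_id,
                                               operation=self.operation)

    def _do_record_audit_data(self, req):
        """L2131-L2135: build the log entry; refuse the access if it cannot be delivered."""
        entry = {"userid": self.user_id, "docid": self.doc_id, "operation": self.operation,
                 "timestamp": datetime.now(timezone.utc).isoformat(), "contextInfo": self.context}
        if not self.send_log(entry):
            raise AccessDenied("audit log could not be sent to the security server")
        self.sent_logs.append(entry)

    def _do_show_label(self, req):
        self.output["marks"].append(("label", req.supplement["stamp"]))

    def _do_show_operator(self, req):
        self.output["marks"].append(("operator", self.user_id))

    def _do_show_alarm(self, req):
        self.output["panel"].append(self._fmt(req))

    def _do_print_alarm(self, req):
        self.output["marks"].append(("alarm", self._fmt(req)))

    def _do_visible_watermark(self, req):
        self.output["marks"].append(("watermark", self._fmt(req)))

    def _do_address_restriction(self, req):
        """L2156-L2160: the fax destination must satisfy the condition in the supplement
        (represented here, as an assumption, by a list of glob patterns)."""
        patterns = req.supplement["destinations"]
        if not any(fnmatchcase(self.destination or "", p) for p in patterns):
            self.output["panel"].append("destination does not match the condition")
            raise AccessDenied("destination restricted")


def run_sample(requirements, send_log_ok=True, destination=None, operation="copy"):
    """Constructed driver: process a permitted decision carrying the given requirements."""
    mfp = Mfp(lambda entry: send_log_ok, "alice", "D-42", operation,
              {"address": "192.0.2.10"}, destination)
    try:
        return mfp.process({"allowed": True, "requirements": requirements})
    except AccessDenied as exc:
        return {"denied": str(exc), "panel": mfp.output["panel"]}
```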

Since identification of the paper document 62 is not 100% reliable, an identification error may occur. If a paper document cannot be identified when it is copied with the digital multi-function peripheral 70, it must basically be copied as a general paper document that is not security protected. Because of this, it is necessary to allow some security processing to work even when identification is not possible. With such a case in mind, the processing of an original that could not be identified (document category UNKNOWN) can be executed according to the policy.
[Access control in Document Viewer]
Access control by the document viewer 53 will be described with reference to FIGS. 29, 30 and 31.

  FIG. 29 is a diagram showing an access control sequence in the document viewer. FIGS. 30 and 31 are flowcharts for explaining the access control processing in the document viewer. In FIGS. 29, 30, and 31, the processes in the access control sequence shown in FIG. 29 are associated with the same reference numerals as the descriptions of the processes in FIGS. 30 and 31.

  In FIGS. 29 and 30, the document viewer 53 receives an open request for opening a file (portable document 63) from the user 52 (S3001).

  The document viewer 53 checks whether the portable document 63 is protected by security (S3002). The document viewer 53 performs processing according to whether or not the portable document 63 is protected (S3003). If the portable document 63 is not protected, the document viewer 53 displays the contents of the portable document 63 and ends the access control process. On the other hand, if the portable document 63 is protected, the document viewer 53 proceeds directly to S3004.

  The document viewer 53 requests the user to input a user ID and a password and receives them (S3004).

  The document viewer 53 transmits the received user ID and password to the user management server to perform user authentication (S3005).

  The user management server 300 performs user authentication processing with the received user ID and password (S3006), and returns authentication result information to the document viewer 53 (S3007).

  Upon receiving the authentication result information from the user management server 300, the document viewer 53 performs a process according to the authentication result information (S3008). If the authentication fails, the document viewer 53 notifies the user 52 of an authentication error and ends the access control process. If the authentication is successful, the document viewer 53 proceeds directly to S3009.

  The document viewer 53 extracts the document ID from the portable document 63 (S3009). Then, the document viewer 53 sends authentication result information, document ID, access type, and context information of the terminal 52 on which the document viewer 53 is operating to the security server 200 to inquire access control (S3010). As the access type, for example, read access corresponding to the open request is designated.

  The security server 200 determines whether to permit access based on the received information (S3011). The security server 200 returns the determination result to the document viewer 53 (S3012).

  If the determination result indicates “permitted”, the document viewer 53 processes the requirements included in the determination result (S3013). If the determination result indicates “prohibited”, access is prohibited and the access control process is terminated.

  The document viewer 53 processes the access (file open) requested by the user 52 and displays the contents of the portable document 63 (S3014).

  The document viewer 53 receives a print request for the portable document 63 from the user 52 (S3015).

  The document viewer 53 sends authentication result information, document ID, access type, and context information of the terminal on which the document viewer is operating to the security server, and inquires about access control (S3016). As the access type, for example, print access corresponding to a print request is designated.

  The security server 200 determines whether to permit access based on the received information (S3017), and returns the determination result to the document viewer (S3018).

  If the determination result indicates “permitted”, the document viewer 53 processes the requirements included in the determination result (S3019). If the determination result indicates “prohibited”, access is prohibited and the access control process is terminated.

  The document viewer 53 processes the access (printing) requested by the user and prints out the contents of the portable document 63 (S3020).

  The user authentication inquiry in S3005 may be performed via the security server 200. The method of authenticating the user 52 is not limited to the method of authenticating with the user ID and password. More advanced biometric authentication or challenge / response authentication using a smart card may be applied.

  Since the authentication processing by the user management server 300 in S3006 is the same as that in the case of access control in the document management system 100, the description thereof is omitted. Also, the data structure of the authentication result information is the same as that in the case of access control in the document management system 100, and thus the description thereof is omitted.

  Since the permission processing performed by the security server 200 in S3011 and S3017 is the same as that in the case of access control in the document management system 100, the description thereof is omitted. Further, the data structure of the determination result information is the same as that in the case of access control in the document management system 100, and thus the description thereof is omitted.

  The requirement correction processing in the document viewer 53 is the same as the requirement correction processing in the document management system 100, and thus the description thereof is omitted.

  Next, requirement processing in the document viewer 53 will be described with reference to FIGS. 32 to 36. FIGS. 32 to 36 are flowcharts for explaining the requirement processing in the document viewer 53.

  In FIG. 32, the document viewer 53 determines whether or not the permission (allowed) of the determination result information (decisionInfo) indicates disapproval (false) (L3121). If not permitted, the access is denied and the process ends (L3122).

  On the other hand, when the disapproval is not indicated, L3125 to L3243 are repeated for each requirement (requirement) of the determination result information (decisionInfo) (L3124).

  The document viewer 53 determines whether or not a requirement (requirement) that is not supported by the document viewer 53 is specified (L3125). If a requirement that is not supported by the document viewer 53 is not specified, the document viewer 53 proceeds to L3131.

  On the other hand, when a requirement (requirement) that is not supported by the document viewer 53 is designated, the document viewer 53 further determines whether an unsupported requirement is specified as the alternative requirement (alternative) of that requirement (requirement) (L3126). When an unsupported requirement is specified as the alternative requirement (alternative) of the requirement (requirement), the document viewer 53 denies access and ends the requirement processing (L3127).

  On the other hand, if the alternative requirement (alternative) specified in the requirement (requirement) is not an unsupported one, the document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L3128).

  Subsequently, the document viewer 53 determines whether or not log recording (record_audit_data) is specified in the requirement (requirement) (L3131). When log recording (record_audit_data) is specified, the document viewer 53 generates log data including the user ID (userid), document ID (docid), operation (operation), date and time, and context information (contextInfo) (L3132).

  Then, the document viewer 53 transmits the log data to the security server 200 (L3133). The document viewer 53 determines whether or not the log data transmission has failed (L3134). If the log data transmission fails, the document viewer 53 denies access and ends the requirement processing (L3135). On the other hand, when the log data is successfully transmitted, the document viewer 53 proceeds to L3138 as it is.

  Further, the document viewer 53 determines whether or not multi-step authentication (multi_authentication) is specified for the access to the electronic document (L3138). If specified, the document viewer 53 requests the user 52 for strict user authentication (such as fingerprint authentication) (L3139). The document viewer 53 further determines whether or not the strict authentication has failed (L3140). If it failed, access is denied and the process ends (L3141). On the other hand, when multi-step authentication is not designated, or when the strict authentication is successful, the document viewer 53 proceeds to L3144 as it is.

  Subsequently, the document viewer 53 determines whether or not a warning display (show_alarm) is designated (L3144). If specified, the document viewer 53 creates a warning character string in the character string format specified in the supplement information (supplement) of the requirement (requirement) (L3145), and displays the warning character string to the user 52 on the screen (display) (L3146). On the other hand, if it is not designated, the document viewer 53 proceeds to L3148 as it is.

  Further, the document viewer 53 determines whether or not the confidential printing mode (private_access) is designated (L3148). If not specified, the document viewer 53 proceeds to L3160 as it is.

  On the other hand, if specified, the document viewer 53 determines whether the printing destination printer does not support confidential printing (L3149). If not supported, the document viewer 53 processes an alternative requirement (alternative) of the requirement (requirement) (L3150). Then, the document viewer 53 determines whether or not the alternative requirement (alternative) could not be processed (L3151). If the processing cannot be performed, the document viewer 53 denies access and ends (L3152). On the other hand, when the alternative requirement (alternative) can be processed, the document viewer 53 proceeds to L3160 as it is.

  On the other hand, when confidential printing is supported (L3155), the document viewer 53 displays a dialog for inputting a password to the user 52 (L3156), sets the password input by the user 52 in the printer driver, and sets the confidential printing mode (L3157). Then, the document viewer 53 proceeds to L3160.

  Subsequently, the document viewer 53 determines whether or not image log recording (record_image_data) is designated (L3160). If specified, the document viewer 53 further determines whether the print destination printer does not support image log recording (L3161). If not supported, the document viewer 53 processes an alternative requirement (alternative) of the requirement (requirement) (L3162). Then, the document viewer 53 determines whether or not the alternative requirement (alternative) could not be processed (L3163). If the processing cannot be performed, the document viewer 53 denies access and ends (L3164). On the other hand, when the alternative requirement (alternative) can be processed, the document viewer 53 proceeds to L3173 as it is.

  On the other hand, when image log recording is supported (L3167), the document viewer 53 generates log data including the user ID (userid), document ID (docid), operation (operation), date and time, and context information (contextInfo) (L3168). The document viewer 53 sets the image log bibliographic items in the printer driver (L3169), and sets the image log recording mode in the printer driver (L3170). Then, the document viewer 53 advances to L3173.

  Further, the document viewer 53 determines whether or not embedding of trace information (embed_trace_info) is designated (L3173). If not specified, the document viewer 53 proceeds to L3187 as it is.

  If the embedding of the tracking information is designated, the document viewer 53 further determines whether or not the driver of the printing destination printer supports stamp printing (L3174). If it is supported, the document viewer 53 sets the barcode image specified in the supplement information (supplement) of the requirement (requirement) to the printer driver and sets the stamp print mode (L3175). Then, the document viewer 53 proceeds to L3187.

  On the other hand, when the driver of the printing destination printer does not support stamp printing, the document viewer 53 further determines whether or not the document viewer 53 supports document editing (L3177). If it is supported, the document viewer 53 edits the document and embeds the barcode image specified in the supplement information (supplement) of the requirement (requirement) in each page to be printed (L3178). On the other hand, when document editing is not supported (L3180), the document viewer 53 processes an alternative requirement (alternative) of the requirement (requirement) (L3181). The document viewer 53 determines whether or not the alternative requirement (alternative) could not be processed (L3182). If the processing cannot be performed, the document viewer 53 denies access and ends the requirement processing (L3183). If the processing can be performed, the document viewer 53 proceeds to L3187 as it is.

  Subsequently, the document viewer 53 determines whether or not printing of a label as a stamp (show_label) is designated (L3187). If not specified, the document viewer 53 proceeds to L3201 as it is. If specified, the document viewer 53 further determines whether or not the driver of the printing destination printer supports stamp printing (L3188). When stamp printing is supported, the document viewer 53 sets the stamp image specified in the supplement information (supplement) of the requirement (requirement) in the printer driver and sets the stamp printing mode (the embedding position is the “embedding position” specified in the supplement information (supplement) of the requirement (requirement)) (L3189). Then, the document viewer 53 advances to L3201.

  On the other hand, when stamp printing is not supported (L3191), the document viewer 53 determines whether or not the document viewer 53 supports document editing (L3191). When document editing is supported, the document viewer 53 edits the document and embeds the stamp image specified in the supplementary information (supplement) of the requirement (requirement) on each page to be printed (the embedding position is the “embedding position” specified in the supplement information (supplement) of the requirement (requirement)) (L3192).

  On the other hand, when document editing is not supported, the document viewer 53 processes an alternative requirement (alternative) of the requirement (requirement) (L3195). Then, the document viewer 53 determines whether or not the alternative requirement (alternative) could not be processed (L3196). If the processing cannot be performed, the document viewer 53 denies access and ends the requirement processing (L3197). On the other hand, if the processing can be performed, the document viewer 53 proceeds to L3201 as it is.

  Further, the document viewer 53 determines whether printing of visible watermark characters (visible_watermark) is designated (L3201). If not specified, the document viewer 53 proceeds to L3216 as it is.

  On the other hand, if specified, the document viewer 53 creates a background character string in the character string format specified in the supplement information (supplement) of the requirement (requirement) (L3202). The document viewer 53 further determines whether or not the driver of the printing destination printer supports composite printing (L3203). If it is supported, the document viewer 53 sets the background character string as a composite character string in the printer driver (L3204). Then, the document viewer 53 proceeds to L3216.

  On the other hand, when the driver of the print destination printer does not support composite printing, the document viewer 53 determines whether the document viewer 53 supports document editing (L3206). If it is supported, the document is edited and the background character string is embedded in the document background (L3207). Then, the document viewer 53 advances to L3216.

  On the other hand, when document editing is not supported, the document viewer 53 processes an alternative requirement (alternative) of the requirement (requirement) (L3200). Then, the document viewer 53 further determines whether or not the alternative requirement (alternative) cannot be processed (L3211). If it cannot be processed, the document viewer 53 denies access and ends the requirement processing (L3212).

  Subsequently, the document viewer 53 determines whether or not printing of a floating watermark character (anti_copy_watermark) is designated (L3216). If not specified, the document viewer 53 proceeds to L3232.

  On the other hand, if specified, the document viewer 53 creates a tint block character string in the character string format specified in the supplementary information (supplement) of the requirement (requirement) (L3217). Further, the document viewer 53 determines whether or not the driver of the printing destination printer supports tint block printing (L3218). If it is supported, the document viewer 53 sets the copy-forgery-inhibited pattern character string in the printer driver (L3219). Then, the document viewer 53 proceeds to L3232.

  On the other hand, when the copy-forgery-inhibited pattern printing is not supported, the document viewer 53 determines whether or not the document viewer 53 supports document editing (L3221). If it is supported, the document viewer 53 generates a copy-forgery-inhibited pattern image based on the copy-forgery-inhibited pattern character string (L3222), edits the document, and embeds the copy-forgery-inhibited pattern image in the background of the document (L3223).

  On the other hand, when document editing is not supported (L3225), the document viewer 53 processes an alternative requirement (alternative) of the requirement (requirement) (L3226). Then, the document viewer 53 determines whether or not the alternative requirement (alternative) cannot be processed (L3227). If the processing cannot be performed, the document viewer 53 denies access and ends the requirement processing (L3228). On the other hand, if the processing can be performed, the document viewer 53 proceeds to L3232.

  Further, the document viewer 53 determines whether or not identification pattern printing (identifiable_bg_pattern) is designated (L3232). If not specified, the document viewer 53 proceeds to L3247.

  When printing of the identification pattern is designated, the document viewer 53 creates a copy-forgery-inhibited pattern character string with the identification pattern image designated in the supplementary information (supplement) of the requirement (requirement) (L3233). Then, the document viewer 53 further determines whether or not the driver of the printing destination printer supports repeated stamp printing (L3234). If it is supported, the document viewer 53 sets the identification pattern image specified in the supplementary information (supplement) of the requirement (requirement) in the printer driver and sets the repeated stamp printing mode (L3235). Then, the document viewer 53 proceeds to L3247.

  On the other hand, when repeated stamp printing is not supported (L3237), the document viewer 53 further determines whether or not the document viewer supports document editing (L3237). If it is supported, the document viewer 53 edits the document, and repeatedly embeds the identification pattern image specified in the supplementary information (supplement) of the requirement (requirement) in the background of the document (L3238). Then, the document viewer 53 proceeds to L3247.

  On the other hand, when document editing is not supported (L3240), the document viewer 53 processes an alternative requirement (alternative) of the requirement (requirement) (L3241). Then, the document viewer 53 determines whether or not the alternative requirement (alternative) cannot be processed (L3242). If the process cannot be performed, the document viewer 53 denies access and ends the requirement process (L3243). On the other hand, if the processing can be performed, the document viewer 53 proceeds to L3247.

  Subsequently, the document viewer 53 determines whether or not warning printing (print_alarm) is designated (L3247). If not specified, the document viewer 53 returns to L3124 as it is.

  On the other hand, if specified, the document viewer 53 creates a warning character string in the character string format specified in the supplement information (supplement) of the requirement (requirement) (L3248). Then, the document viewer 53 further determines whether or not the driver of the printing destination printer supports header / footer printing (L3249). If it is supported, the document viewer 53 sets the warning character string in the printer driver as a header / footer (L3250).

  On the other hand, when the header / footer printing is not supported, the document viewer 53 further determines whether or not the document viewer 53 supports document editing (L3252). If it is supported, the document viewer 53 embeds the warning character string in the header / footer of the document (L3253).

  On the other hand, when document editing is not supported (L3255), the document viewer 53 processes an alternative requirement (alternative) of the requirement (requirement) (L3256). Then, the document viewer 53 further determines whether or not the alternative requirement (alternative) could not be processed (L3257). If the processing cannot be performed, the document viewer 53 denies access and ends the requirement processing (L3258).

  On the other hand, when the alternative requirement processing is completed, the document viewer 53 returns to L2124 in order to repeat the same processing as described above for the next requirement (requirement).

  After the above processing is performed for all requirements (requirement), the document viewer 53 performs the access processing requested by the user 52 (L3263), and ends the requirement processing (L3264).

  As described above, the document viewer 53 can perform access control according to the security policy set in the security server 200. At that time, the permission requirements defined in the security policy can be applied. In addition, flexible processing is possible by incorporating supplementary information processing necessary to satisfy the permission requirements and processing of alternative requirements.
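  The requirement loop of FIGS. 32 to 36 can be modelled as a small dispatcher that tries, for each requirement, the printer driver first, then the viewer's own document editing, and finally the alternative requirement, denying access when none of these succeeds. The following Python is an added illustration written for this page, not code from the patent or from Ricoh. The requirement names (record_audit_data, show_alarm, private_access, print_alarm and so on) are the page's; the assumption that each requirement object carries one of those names, the Capabilities class, the driver feature names and the sample decisionInfo are constructed for the example.

```python
"""Requirement processing by a document viewer, modelled on FIGS. 32 to 36.
Added illustration; requirement names come from the page, everything else
(one-type-per-requirement model, capability flags, sample data) is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

# Requirement types this viewer knows how to honour (constructed set).
SUPPORTED = {
    "record_audit_data", "multi_authentication", "show_alarm",
    "private_access", "record_image_data", "embed_trace_info", "show_label",
    "visible_watermark", "anti_copy_watermark", "identifiable_bg_pattern",
    "print_alarm",
}

# Print requirements are first tried through the printer driver; this maps each
# one to the driver feature it needs (feature names are constructed).
DRIVER_FEATURE = {
    "private_access": "confidential", "record_image_data": "image_log",
    "embed_trace_info": "stamp", "show_label": "stamp",
    "visible_watermark": "composite", "anti_copy_watermark": "tint_block",
    "identifiable_bg_pattern": "repeated_stamp", "print_alarm": "header_footer",
}
# Requirements the viewer may satisfy by editing the document itself when the
# driver lacks the feature; the flowcharts give no such fallback for the two excluded ones.
EDIT_FALLBACK = set(DRIVER_FEATURE) - {"private_access", "record_image_data"}


@dataclass
class Requirement:
    name: str
    supplement: dict = field(default_factory=dict)   # e.g. warning string format
    alternative: Optional["Requirement"] = None       # alternative requirement


@dataclass
class Capabilities:
    """What the viewer's environment can do (constructed model)."""
    driver: set            # driver features available, e.g. {"stamp", "composite"}
    viewer_can_edit: bool  # does the viewer support document editing?
    log_ok: bool = True    # did the audit log reach the security server?
    auth_ok: bool = True   # did strict (e.g. fingerprint) authentication succeed?


def process_requirement(req: Requirement, caps: Capabilities, actions: List[str]) -> bool:
    """Honour one requirement, appending what was done to `actions`.
    Returns False wherever the flowcharts deny access."""
    if req.name not in SUPPORTED:                      # L3125-L3128
        alt = req.alternative
        if alt is None or alt.name not in SUPPORTED:
            return False
        return process_requirement(alt, caps, actions)
    if req.name == "record_audit_data":                # L3131-L3135
        if not caps.log_ok:
            return False                               # a lost audit record denies access
        actions.append("audit_log_sent")
        return True
    if req.name == "multi_authentication":             # L3138-L3141
        if not caps.auth_ok:
            return False
        actions.append("strict_auth_passed")
        return True
    if req.name == "show_alarm":                       # L3144-L3146
        actions.append("alarm_shown:" + req.supplement.get("format", ""))
        return True
    # Remaining types: printer driver, then document editing, then the alternative.
    if DRIVER_FEATURE[req.name] in caps.driver:
        actions.append("driver:" + req.name)
        return True
    if req.name in EDIT_FALLBACK and caps.viewer_can_edit:
        actions.append("edit:" + req.name)
        return True
    if req.alternative is not None:
        return process_requirement(req.alternative, caps, actions)
    return False                                       # alternative could not be processed


def process_decision(decision: dict, caps: Capabilities):
    """decisionInfo -> (access granted?, list of actions taken); L3121 to L3264."""
    actions: List[str] = []
    if not decision["allowed"]:                        # L3121-L3122
        return False, actions
    for req in decision["requirements"]:               # loop from L3124
        if not process_requirement(req, caps, actions):
            return False, actions
    return True, actions                               # L3263: perform the requested access


# Constructed sample: a driver offering only stamp and composite printing, a
# viewer that cannot edit documents, and requirements that carry alternatives.
SAMPLE_CAPS = Capabilities(driver={"stamp", "composite"}, viewer_can_edit=False)
SAMPLE_DECISION = {
    "allowed": True,
    "requirements": [
        Requirement("record_audit_data"),
        Requirement("print_alarm",
                    alternative=Requirement("show_alarm", {"format": "Confidential - %user"})),
        Requirement("anti_copy_watermark", alternative=Requirement("visible_watermark")),
    ],
}

if __name__ == "__main__":
    print(process_decision(SAMPLE_DECISION, SAMPLE_CAPS))
```

  With the sample data, print_alarm cannot be set in the driver and the viewer cannot edit, so its alternative show_alarm is used; anti_copy_watermark likewise falls back to its alternative visible_watermark, which the driver supports. Switching log_ok to False shows the property a reviewer would check first: a requirement that fails without an alternative denies the whole access rather than silently printing without the control.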

  In the requirement processing described above in which it is determined whether or not the document viewer 53 supports the editing function, even when the specified requirement cannot otherwise be realized, the document viewer 53 can temporarily edit the contents of the portable document 63, embed the various information in the portable document 63, and then perform the processing.

  The portable document 63 needs to be encrypted so that the portable document 63 can be opened only by the document viewer 53 that realizes the access control as described above.

  The key used for encryption / decryption may be incorporated in the special document viewer 53 that can realize the above access control, or the decryption key may be transferred from the security server 200 side to the document viewer 53 side only when it is confirmed that the special document viewer 53 can execute the access control.

  By doing so, it is possible to prevent the portable document 63 from being opened by a general document viewer 53 that cannot implement access control.

  Examples of screens displayed on the terminal 51 displaying the document viewer 53 when access control for a print request is performed based on the security policy as described above will be described with reference to FIGS. The user 52 can know what requirements are processed on the screen described below.

  FIG. 37 is a diagram illustrating an example of a screen when warning printing is designated as a requirement. FIG. 37A is a diagram showing an example of a screen on which settings for warning printing are made. FIG. 37B is a diagram showing an example of a screen on which details for warning printing are set.

  In FIG. 37A, a screen 600 is a screen when warning printing is specified as a requirement, and a setting area 601 of the screen 600 is originally a setting area in which the user 52 sets printing on the header or footer. When warning printing is processed as a requirement for executing the print request of the user 62, printing to the header or footer is forcibly set by the requirement processing of the document viewer 53, the setting is displayed in gray, and control is performed so that the user 52 cannot change the setting.

  When the user 52 clicks the detail button in the setting area 601, a screen as shown in FIG. 37B is displayed.

  In FIG. 37B, a screen 605 is a screen showing detailed settings when warning printing is designated as a requirement. A setting area 606 of the screen 605 is originally a setting area in which the user 52 sets the arrangement position and format of the character string to be printed on the header or footer. When warning printing is processed as a requirement for executing the print request of the user 62, the arrangement position and format of the character string are forcibly set by the requirement processing of the document viewer 53 and are grayed out, and it is controlled so that the user 52 cannot change the setting.

  The user 52 is prohibited from changing the setting, but can confirm that printing of a warning is a requirement before printing. By this confirmation, the user 52 can also determine whether to actually execute printing or cancel.

  FIG. 38 is a diagram illustrating an example of a screen when confidential printing is designated as a requirement. FIG. 38A is a diagram showing an example of a screen on which settings for confidential printing are made. FIG. 38B is a diagram showing an example of a screen for setting authentication information for confidential printing.

  In FIG. 38A, a screen 610 is a screen when confidential printing is designated as a requirement, and a selection area 611 for selecting the printing method on the screen 610 is a selection area in which the user 52 originally makes the selection. When confidential printing is processed as a requirement for executing the print request of the user 62, confidential printing is forcibly selected by the requirement processing of the document viewer 53 and is grayed out, and it is controlled so that the user 52 cannot change the selection.

  Control is performed so that the user 52 cannot change the setting. When the user 52 clicks the detail button in the setting area 611, a screen as shown in FIG. 38B is displayed.

  In FIG. 38B, a screen 613 is a screen showing detailed settings when confidential printing is designated as a requirement. The input areas 614 and 615 of the screen 613 are originally input areas in which the user 52 sets authentication information. The input area 614 is an area where the user 52 inputs a user ID, and the input area 615 is an area where the user 52 inputs a password. The user 52 can output the printed portable document 63 from the digital multi-function peripheral 70 by inputting, on the digital multi-function peripheral 70 serving as the printer, the user ID and password entered on the screen 613.

  The user 52 can know that the portable document 63 is printed by confidential printing.

  FIG. 39 is a diagram illustrating an example of a screen when printing a label as a stamp is specified as a requirement. In FIG. 39, a screen 620 is a screen when printing a label as a stamp is a requirement. A setting area 621 of the screen 620 is originally a setting area in which the user 52 sets a stamp. When printing the label as a stamp is processed as a requirement for executing the print request of the user 62, stamp printing is forcibly set by the requirement processing of the document viewer 53, the setting is displayed in gray, and it is controlled so that the user 52 cannot change the setting.

  The user 52 is prohibited from changing the setting, but can confirm that printing of the stamp is a requirement before printing. By this confirmation, the user 52 can also determine whether to actually execute printing or cancel.

  FIG. 40 is a diagram illustrating a screen example when printing of visible watermark characters is designated as a requirement. In FIG. 40, a screen 630 is a screen in the case where printing of visible watermark characters is specified as a requirement. A setting area 631 of the screen 630 is originally a setting area in which the user 52 sets printing of visible watermark characters. When visible watermark printing is processed as a requirement for executing the print request of the user 62, visible watermark printing is forcibly set by the requirement processing of the document viewer 53, the setting is displayed in gray, and it is controlled so that the user 52 cannot change the setting.

  The user 52 is prohibited from changing the settings, but can confirm that printing of visible watermark characters is a requirement before printing. By this confirmation, the user 52 can also determine whether to actually execute printing or cancel.

  When the user 52 clicks the button 632 showing the details of the image stamp in the setting area 631 of the displayed screen 630, a screen as shown in FIG. 41 is displayed.

  FIG. 41 is a diagram illustrating a screen example when printing of an identification pattern is designated as a requirement. FIG. 41A is a diagram showing an example of a screen for displaying details when printing of an identification pattern is designated as a requirement.

  In FIG. 41A, an image diagram of the printed identification pattern is displayed in the display area 641 of the screen 640. The user 52 is prohibited from changing the setting on the screen 640, but can confirm that printing of the identification pattern is a requirement before printing. By this confirmation, the user 52 can also determine whether to actually execute printing or cancel.

  The identification pattern is printed with dots as shown in FIG. FIG. 41B is a diagram illustrating an example in which the identification pattern is enlarged. In FIG. 41B, the identification pattern 646 is identification image data having, for example, 12 dots vertically and 8 dots horizontally with an interval of 3 dots (that is, the image size is 48 pixels × 32 pixels).

  In order to identify the top, bottom, left, and right, all dots in the rightmost column and in the bottom row are always printed, and the remaining 11 × 7 = 77 dots encode a 77-bit code. This can be realized by a simple rule: a dot is printed where the bit value is 1, and no dot is printed where the bit value is 0.

  FIG. 41C is a diagram showing an example of encoding of the identification pattern shown in FIG. In FIG. 41C, the identification pattern 646 shown in FIG. 41B becomes a bit pattern 647 by the above encoding. Since an identification error occurs when the dots are disturbed, an error correction code may be inserted.
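  The identification pattern of FIGS. 41B and 41C (12 × 8 dots, the rightmost column and bottom row always printed, the other 77 dots carrying one bit each) is easy to encode and decode. The Python below is an added illustration for this page, not code from the patent or from Ricoh. The page's numbers give a 48 × 32 pixel image for 12 × 8 dots, so the example assumes a dot every 4 pixels (one dot pixel followed by 3 blank pixels); the orientation recovery by trying the four rotations, the sample bit string and the absence of an error-correcting code are the example's own choices.

```python
"""Identification pattern of FIG. 41B/41C: 12 x 8 dots, marker column and row,
77 data bits. Added illustration; dot pitch of 4 px (dot + 3 blank) is an
assumption derived from the stated 48 x 32 pixel image size."""
from typing import List, Optional

ROWS, COLS, PITCH = 12, 8, 4          # 12 dots vertically, 8 horizontally, one dot per 4 px
DATA_BITS = (ROWS - 1) * (COLS - 1)   # 11 x 7 = 77 bits

Grid = List[List[int]]


def encode_pattern(bits: List[int]) -> Grid:
    """77 bits -> 12 x 8 dot grid. Right column and bottom row are always 1
    (orientation marker); a data dot is 1 where the bit is 1."""
    if len(bits) != DATA_BITS:
        raise ValueError("need exactly %d bits" % DATA_BITS)
    grid = [[0] * COLS for _ in range(ROWS)]
    it = iter(bits)
    for r in range(ROWS - 1):
        for c in range(COLS - 1):
            grid[r][c] = next(it)
    for r in range(ROWS):
        grid[r][COLS - 1] = 1
    for c in range(COLS):
        grid[ROWS - 1][c] = 1
    return grid


def render(grid: Grid) -> Grid:
    """Dot grid -> 48 x 32 pixel bitmap (1 = black pixel)."""
    img = [[0] * (COLS * PITCH) for _ in range(ROWS * PITCH)]
    for r in range(ROWS):
        for c in range(COLS):
            if grid[r][c]:
                img[r * PITCH][c * PITCH] = 1
    return img


def sample_grid(img: Grid) -> Grid:
    """Pixel bitmap -> dot grid by sampling the dot positions."""
    return [[img[r * PITCH][c * PITCH] for c in range(COLS)] for r in range(ROWS)]


def _rotate_cw(grid: Grid) -> Grid:
    return [list(row) for row in zip(*grid[::-1])]


def decode_pattern(grid: Grid) -> Optional[List[int]]:
    """Recover the 77 bits from a dot grid in any of the four orientations.
    Returns None when no orientation shows the marker column and row."""
    for _ in range(4):
        if (len(grid) == ROWS and len(grid[0]) == COLS
                and all(grid[r][COLS - 1] for r in range(ROWS))
                and all(grid[ROWS - 1][c] for c in range(COLS))):
            return [grid[r][c] for r in range(ROWS - 1) for c in range(COLS - 1)]
        grid = _rotate_cw(grid)
    return None


def sample_bits() -> List[int]:
    """Constructed 77-bit payload used for the demonstration."""
    return [1 if (i * 7) % 3 == 0 else 0 for i in range(DATA_BITS)]


def to_text(grid: Grid) -> str:
    return "\n".join("".join("#" if d else "." for d in row) for row in grid)


if __name__ == "__main__":
    g = encode_pattern(sample_bits())
    print(to_text(g))
    print(decode_pattern(sample_grid(render(g))) == sample_bits())
```

  The decoder simply looks for the orientation in which the last column and last row are solid; as the page notes, disturbed dots would produce identification errors, which is why an error-correcting code over the 77 bits would be added in practice.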

  For example, when the user 52 uses the printer function of the digital multifunction peripheral 70 to print a portable document from the document viewer 53, the sequence of the requirement processing in S3019 of FIG. 29 when the confidential printing mode is designated as the printing requirement will be described in detail with reference to FIG. 42. FIG. 42 is a diagram showing the requirement processing sequence in the confidential printing mode.

  In FIG. 42, when the user 52 makes a print request for the portable document 63 displayed on the document viewer 53, the document viewer 53 requests a password from the user 52 (S4001). When the user 52 inputs a password (S4002), the document viewer 53 sets the confidential print mode and the password in the printer driver 54 installed on the terminal 51 of the user 52 (S4003). Then, the document viewer 53 gives a print instruction to the printer driver 54 (S4004).

  The printer driver 54 generates a PDL (Page Description Language) in response to the print instruction from the document viewer 53 (S4005), and transmits the PDL (for example, RPCS or PostScript), the confidential print mode, and the password to the digital multifunction peripheral 70 (S4006). Thereafter, the printer driver 54 notifies the document viewer 53 of the end of printing (S4007).

  On the other hand, the digital multifunction peripheral 70 temporarily stores the PDL received from the printer driver 54, the confidential printing mode, and the password in the internal hard disk (S4008), and waits for the user 52 to input the password.

  The user 52 inputs a password to the digital multifunction peripheral 70 in order to output the portable document 63 from the digital multifunction peripheral 70 (S4009).

  The digital multi-function peripheral 70 collates the password input from the user 52 with the password received from the printer driver 54, and executes a printing process if they match (S4010). If they do not match, the digital multi-function peripheral 70 does not perform print processing. By executing the printing process, the paper document 62 on which the portable document 63 is printed is output from the digital multi-function peripheral 70 (S4011).

  By such a confidential print mode processing sequence, it is possible to prevent users other than the user 52 from seeing or taking the paper document 62 output from the digital multifunction peripheral 70.
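  The S4001 to S4011 exchange can be written out with both sides, the printer driver and the multifunction peripheral, as small classes. This Python is an added illustration for this page, not code from the patent or from Ricoh; the class names, the PDL stand-in and the job identifiers are constructed. One design choice goes beyond the page: where the page says the peripheral stores the received password on its internal hard disk, the example stores a salted hash of it and compares in constant time, so a held job does not keep the password itself on the device.

```python
"""Confidential print mode sequence of FIG. 42 (S4001-S4011). Added illustration;
the hashed storage of the job password is the example's own choice."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # work factor for the stored password hash (constructed value)


class PrinterDriver:
    """Printer driver 54: turns the viewer's print instruction into a PDL job."""

    def __init__(self):
        self.mode = None
        self.password = None

    def set_confidential(self, password: str) -> None:            # S4003
        self.mode = "confidential"
        self.password = password

    def print_document(self, document_text: str, mfp: "DigitalMFP") -> str:
        pdl = "%PDL\n" + document_text      # S4005: stand-in for RPCS/PostScript output
        job_id = mfp.receive(pdl, self.mode, self.password)        # S4006
        return job_id                        # S4007: the viewer is told spooling finished


class DigitalMFP:
    """Digital multifunction peripheral 70: holds confidential jobs until the
    matching password is entered on its panel."""

    def __init__(self):
        self.held = {}          # job_id -> (pdl, salt, password digest)
        self.output_tray = []   # PDL of jobs actually printed (paper document 62)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def receive(self, pdl: str, mode, password) -> str:            # S4008
        job_id = secrets.token_hex(4)
        if mode == "confidential":
            salt = secrets.token_bytes(16)
            self.held[job_id] = (pdl, salt, self._digest(password, salt))
        else:
            self.output_tray.append(pdl)     # ordinary job prints immediately
        return job_id

    def release(self, job_id: str, entered_password: str) -> bool:  # S4009-S4011
        if job_id not in self.held:
            return False
        pdl, salt, digest = self.held[job_id]
        if not hmac.compare_digest(self._digest(entered_password, salt), digest):
            return False                     # S4010 mismatch: nothing is printed, job stays held
        del self.held[job_id]
        self.output_tray.append(pdl)         # S4011: paper document 62 is output
        return True


def confidential_print(document_text: str, viewer_password: str, panel_password: str):
    """Run the whole sequence; returns (printed?, jobs on tray, jobs still held)."""
    driver, mfp = PrinterDriver(), DigitalMFP()
    driver.set_confidential(viewer_password)          # S4001-S4003
    job_id = driver.print_document(document_text, mfp)  # S4004-S4007
    printed = mfp.release(job_id, panel_password)     # S4009-S4011
    return printed, len(mfp.output_tray), len(mfp.held)


if __name__ == "__main__":
    print(confidential_print("page one", "s3cret", "s3cret"))
```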

  In addition, when the user 52 prints a portable document from the document viewer 53 using the printer function of the digital multi-function peripheral 70, the sequence of the requirement processing in S3019 of FIG. 29 when the copy-forgery-inhibited pattern printing mode is designated as a printing requirement will be described in detail with reference to FIG. 43. FIG. 43 is a diagram showing the requirement processing sequence in the tint block printing mode.

  In FIG. 43, the document viewer 53 confirms whether or not copy-forgery-inhibited pattern printing is possible with the printer driver 54 installed in the terminal 51 of the user 52 (S5001). After confirmation, the document viewer 53 transmits the copy-forgery-inhibited pattern print mode and the designated character string to the printer driver 54 (S5002), and issues a print instruction (S5003).

  The printer driver 54 receives the copy-forgery-inhibited pattern print mode and the designated character string, and when receiving a print instruction from the document viewer 53, generates a PDL with a copy-forgery-inhibited pattern according to the designated character string (S5004). Then, the printer driver 54 transmits a PDL with a background pattern to the digital multi-function peripheral 70 (S5005).

  Hereinafter, the abstraction processing by which the security server 200 associates the information provided from the application system 400 with the company security policy will be described in detail.

  [Abstraction processing by the security server]

  In order to explain the abstraction processing by the security server 200, it is assumed that the tables 250 to 270 manage data as shown in FIGS.

  FIG. 44 is a diagram illustrating an example of data managed in the user authority level table. In FIG. 44, the user authority level table 250 manages data according to the structure UserMap shown in FIG. For example, for “GroupLeaders / Sales / Com” as “principalId”, “entryType” is “group” and “levelId” is “manager”. The other data is shown in the same way.

  Such a user management level table 250 may manage data in an XML file as shown in FIG. 45 by describing it in XML (eXtensible Markup Language), for example. FIG. 45 is a diagram showing an XML file of the user authority level table.

  45, the user authority level table 250 is a hierarchical data structure in which the structure names and element names shown in the data structure 251 are indicated by tags in accordance with the data structure 251 shown in FIG. Is described. For example, in the lower layer of the <UserMapList> tag, data related to multiple users is described in parallel by the <UserMap> tag, and in each lower layer of the <UserMap> tag, a <principalId> tag, an <EntryType> tag, and , <LevelId> tag describes the data corresponding to the element.

FIG. 46 is a diagram illustrating an example of the data managed by the document profile management table. In FIG. 46, the data of the document profile management table 260 is described as a hierarchical structure in which the structure names and element names of the data structure 261 are represented by tags. For example, the entry whose “docId” is “0000000001” has “docCategory” “development”, “docLevel” “secret”, “relatedPersons” “Members/Dev/Com”, “zones” “ANY”, “nondisclosure” “2005/04/01”, “retention” “2010/04/01”, and a blank “validity”. The other entries are shown in the same way.

Such a document profile management table 260 can also be an XML file like the user authority level table 250. However, since a table entry is created for each document, the table becomes large, and it is better managed in a database.

FIG. 47 is a diagram showing an example of the data managed by the zone management table. In FIG. 47, the data of the zone management table 270 is described as a hierarchical structure in which the structure names and element names of the data structure 271 are represented by tags. For example, the entry whose “id” is “saleszone01” has “name” “Sales (Yokohama)” and an “addressInfo” whose “address” is “192.207.138.1”, whose “addressType” is “IP” and whose “netmask” is “255.255.255.0”. Since multiple “addressInfo” entries can be managed for one “id”, “saleszone01” also has an “addressInfo” whose “address” is “192.207.139.1”, whose “addressType” is “IP” and whose “netmask” is “255.255.255.0”. The other entries are shown in the same way.

Such a zone management table 270 may be managed as an XML file, for example by describing it in XML as shown in FIG. 48. FIG. 48 is a diagram showing the XML file of the zone management table.

In FIG. 48, the data of the zone management table 270 is described as a hierarchical structure in which the structure names and element names of the data structure 271 are represented by tags. For example, under the <ZoneInfoTable> tag, the data for multiple zones is listed in parallel as <ZoneInfo> tags, and under each <ZoneInfo> tag an <Id> tag, a <Name> tag and an <AddressInfo> tag carry the data for the corresponding element. The <AddressInfo> tag forms a further lower layer, in which the data for the corresponding element is described by an <Address> tag, an <AddressType> tag and a <Netmask> tag. A plurality of <AddressInfo> tags may be placed under one <ZoneInfo> tag.
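The two XML layouts described above (UserMapList/UserMap for the user authority level table and ZoneInfoTable/ZoneInfo/AddressInfo for the zone management table) can be loaded and used for a zone lookup as follows. This is an added example, not code from the patent or from Ricoh: the XML documents are constructed from the tag names given above, and the zone values, the second zone “devzone01” and the function names are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed XML modelled on the tag layout described for FIGS. 45 and 48;
# the values (and the zone "devzone01") are assumptions for this example.
USER_MAP_XML = """<UserMapList>
  <UserMap><principalId>GroupLeaders/Sales/Com</principalId><EntryType>group</EntryType><LevelId>manager</LevelId></UserMap>
  <UserMap><principalId>Employee/Com</principalId><EntryType>group</EntryType><LevelId>regular</LevelId></UserMap>
</UserMapList>"""

ZONE_XML = """<ZoneInfoTable>
  <ZoneInfo>
    <Id>saleszone01</Id><Name>Sales (Yokohama)</Name>
    <AddressInfo><Address>192.207.138.1</Address><AddressType>IP</AddressType><Netmask>255.255.255.0</Netmask></AddressInfo>
    <AddressInfo><Address>192.207.139.1</Address><AddressType>IP</AddressType><Netmask>255.255.255.0</Netmask></AddressInfo>
  </ZoneInfo>
  <ZoneInfo>
    <Id>devzone01</Id><Name>Development</Name>
    <AddressInfo><Address>10.1.0.0</Address><AddressType>IP</AddressType><Netmask>255.255.0.0</Netmask></AddressInfo>
  </ZoneInfo>
</ZoneInfoTable>"""


def load_user_map(xml_text):
    """Parse <UserMapList> into ordered (principalId, entryType, levelId) tuples (table 250).
    The order is kept because the mapping unit takes the first matching entry."""
    root = ET.fromstring(xml_text)
    return [(m.findtext("principalId"), m.findtext("EntryType"), m.findtext("LevelId"))
            for m in root.iter("UserMap")]


def load_zone_table(xml_text):
    """Parse <ZoneInfoTable> into {id: {"name", "networks", "others"}} (table 270).
    AddressType IP entries become ip_network objects (address + netmask);
    any other address type (e.g. MAC) is kept as a raw (type, value) pair."""
    zones = {}
    for z in ET.fromstring(xml_text).iter("ZoneInfo"):
        networks, others = [], []
        for a in z.iter("AddressInfo"):
            addr, atype, mask = (a.findtext(t) for t in ("Address", "AddressType", "Netmask"))
            if atype == "IP":
                # strict=False: the table stores a host address (x.x.x.1), not the network address
                networks.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            else:
                others.append((atype, addr))
        zones[z.findtext("Id")] = {"name": z.findtext("Name"), "networks": networks, "others": others}
    return zones


def zones_containing(zones, ip_text):
    """Return the ids of every zone whose IP ranges include ip_text (sorted for determinism)."""
    ip = ipaddress.ip_address(ip_text)
    return sorted(zid for zid, z in zones.items() if any(ip in n for n in z["networks"]))
```

The netmask is applied with ipaddress.ip_network(..., strict=False) so that an addressInfo whose address is a host address inside the range still yields the intended /24 network. These tables are trusted configuration of the security server; if they were ever loaded from an untrusted source the parser should be replaced by defusedxml, since the standard library documentation states that ElementTree is not hardened against maliciously constructed XML.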

For example, access control rules are described in the policy file 240 as shown in FIGS. 49 and 50. FIGS. 49 and 50 are diagrams showing the access control rules described in the policy file.

In FIGS. 49 and 50, the access control rules of the policy file 240 are defined between the <Policy> tag (description 701) and the </Policy> tag (description 702), one rule per document attribute. For example, rule 1, corresponding to one document attribute, is described from the <Rule> tag to the </Rule> tag (description 704), and rules 2 and 3, corresponding to other document attributes, are described in the same way.

Rule 1 is described below. Since rules 2 and 3 use the same description method, their description is omitted.

In rule 1, the description 705, <DocCategory>sales</DocCategory> and <DocLevel>topsecret</DocLevel>, indicates that an access control rule is defined for the document attribute whose document category is “sales” (sales department) and whose document level is “topsecret” (confidential document). Next, for the document attribute of the description 705, a plurality of access control rules according to user attributes are described in the descriptions 710 and 720, each running from an <Ace> tag to an </Ace> tag.

In the description 710, the description 711, <UserCategory>RELATED_PERSON</UserCategory>, <UserLevel>manager</UserLevel> and <Zone>RESTRICTED</Zone>, describes an access control rule for the user attribute whose user category is “RELATED_PERSON” (related party), whose user level is “manager” and whose zone is “RESTRICTED” (restricted). In the description 720, the description 721, <UserCategory>RELATED_PERSON</UserCategory> and <UserLevel>ANY</UserLevel>, describes an access control rule for the user attribute whose user category is “RELATED_PERSON” (related party) and whose user level is “ANY” (unlimited); no zone is specified in the description 721. Thus, access control rules are described for a plurality of user attributes under one document attribute.

In the description 710, the descriptions 712 and 713, each from <Operation> to </Operation>, indicate the operations to which the access control rule applies.

The description 712, by <id>read</id>, indicates that a user 52 matching the description 711 is permitted to read a document matching the description 705.

The description 713, by <id>print</id>, indicates that a user 52 matching the description 711 is permitted to print a document matching the description 705, provided that the requirements described after it are processed.

In the description 713, three requirements are specified for printing the document. The description 714, <Requirement><id>private_access</id></Requirement>, specifies “private_access” (confidential print mode) as a requirement at the time of printing.

The description 715, <Requirement><id>print_alarm</id><Supplement>"Printed by %u"</Supplement></Requirement>, specifies “print_alarm” (print warning) with the warning text given in the format “Printed by %u”.

The description 716, <id>identifiable_bg_pattern</id> and <Supplement>dynamic_image</Supplement>, specifies “identifiable_bg_pattern” (identification pattern printing) with “dynamic_image” as a printing requirement, meaning that the identification pattern image is generated dynamically and printed as a tint block pattern.

Given the above data, suppose for example that “Taro Yamada”, the leader of the “Marketing” group of the “Sales” department of the company “Com”, prints the document with document ID “0000000003” from a PC with the IP address “192.207.138.64”. In this case, authentication result information as shown in FIG. 51 is provided to the application system 400 by the user management server 300. FIG. 51 is a diagram illustrating an example of authentication result information.

In FIG. 51, in accordance with the data structure 501, the authentication result information includes “Taro Yamada/Sales/Com” as “userId”, “Taro Yamada” as “userName”, and “Members/Sales/Com”, “Marketing/Sales/Com”, “Employee/Com” and “GroupLeaders/Sales/Com” as “groups”.

“Taro Yamada” is identified by this authentication result information, and the security server 200 executes the permission process. In the security server 200, the user authority level mapping unit 232 collates the authentication result information for “Taro Yamada” with the user authority level table 250 shown in FIG. 44. Among the values of “userId” and “groups”, “GroupLeaders/Sales/Com” is the first to match, so the user is mapped to “manager” ((1) in FIG. 4).

Next, the user category mapping unit 233 refers to the document profile management table 260 shown in FIG. 46 and determines whether the user is a related party by comparing the authentication result information with “Members/Sales/Com” in “relatedPersons” of the document “0000000003”. Since “Taro Yamada” belongs to “Members/Sales/Com”, the user category mapping unit 233 determines that he is a related party ((2) in FIG. 4).

The access type is “print” ((3) in FIG. 4).

The zone mapping unit 234 receives context information as shown in FIG. 52, for example. FIG. 52 is a diagram illustrating an example of context information. In FIG. 52, “192.207.138.64” is designated as “ipAddress” and “02-36-55-22-78-01” as “macAddress” in the context information.

The zone mapping unit 234 refers to the document profile management table 260 and acquires “saleszone01” and “saleszone02” as the “zones” of the document “0000000003”. It further refers to the zone management table 270 to obtain the list of IP addresses and MAC addresses included in “saleszone01” and “saleszone02”. Since the IP address “192.207.138.64” in the context information of FIG. 52 is included in “saleszone01”, the request is determined to be in the zone ((4) in FIG. 4).

The document security attribute mapping unit 235 receives document identification information as shown in FIG. 53, for example. FIG. 53 is a diagram showing an example of document identification information. In FIG. 53, “0000000003” is designated as “docId” in the document identification information; “printId” and “image” are not specified.

The document security attribute mapping unit 235 refers to the document profile management table 260 and determines that the document category of the document “0000000003” is “sales” and its confidentiality level is “topsecret” ((5) in FIG. 4).

By the mapping processes of the mapping units 232 to 235 described above, the request is mapped to the abstract parameters: user authority level “manager”, related-party classification “related party”, access type “print”, zone classification “in zone”, document category “sales” and confidentiality level “topsecret”.

When the policy-based access control determination unit 241 determines whether access is permitted according to the access control rule (policy) described in the policy file 240 shown in FIG. 49, the descriptions 711 and 713 permit a related party of the “manager” class to “print” a “topsecret” document of the “sales” category. However, since “private_access” (confidential print mode), “print_alarm” (print warning) and “identifiable_bg_pattern” (identification pattern printing) are defined as requirements, an access control determination result as shown in FIG. 54 is returned.

FIG. 54 is a diagram illustrating an example of determination result information. In FIG. 54, “true” (permitted) is set as “allowed” in the determination result information, and “private_access” (confidential print mode) is specified as the “requirement” of the first entry of “requirements”, with no “supplements” (supplementary information), “data” or “alternatives” specified for this requirement. Also, “print_alarm” is specified as a “requirement”, “Printed by Taro Yamada” is specified as its “supplements”, and “data” and “alternatives” are not specified. In addition, “identifiable_bg_pattern” is specified as a “requirement”, “dynamic_image” as its “supplements”, the actual dynamically generated image as binary image data ([binary image data]) in “data”, and “alternatives” is not specified.

Here, although “Printed by %u” is described in the access control rule of the policy file 240, the “%u” portion is replaced with “Taro Yamada” by the correction process.

If “dynamic_image” is described in the access control rule of the policy file 240 and the access type is “print”, a new print profile entry is created in the print profile management table 280 as shown in FIG. 55. FIG. 55 is a diagram illustrating an example of the print profile management table. In FIG. 55, a “printId” is obtained by creating the new print profile entry. The “printId” is then encoded into identification image data, and the identification image data is stored in “data” as [binary image data].

The identification image data is printed on the sheet of paper at the time of printing and can be used for later identification or tracking. FIG. 56 is a diagram illustrating an example of a printed identification pattern. As shown in FIG. 56, an identification pattern 646 such as that shown in FIG. 41B is overlaid on the printed page.

A case will now be described in which another user 52, for example “Hanako Satoh” identified by the authentication result information shown in FIG. 57, requests printing of the same document from the same terminal 51. FIG. 57 is a diagram illustrating another example of authentication result information.

In FIG. 57, in accordance with the data structure 501, the authentication result information includes “Hanako Satoh/Sales/Com” as “userId”, “Hanako Satoh” as “userName”, and “Members/Sales/Com”, “Marketing/Sales/Com” and “Employee/Com” as “groups”.

“Hanako Satoh” is identified by this authentication result information, and the security server 200 executes the permission process. By the permission process, the request is mapped to user authority level “regular”, related-party classification “related party”, access type “print”, zone classification “in zone”, document category “sales” and confidentiality level “topsecret”. When the access control rule (policy) described in the policy file 240 shown in FIG. 49 is evaluated for these parameters, the access control determination result is “not permitted”.

If “Taro Yamada” attempts to read the document “0000000001”, no corresponding policy is defined, and the access control determination result is “not permitted”.

Further, when the paper previously printed by “Taro Yamada” is copied on the digital multi-function peripheral 70, the digital multi-function peripheral 70 makes an access control inquiry to the security server 200 based on the image data obtained by scanning the paper.

The security server 200 receives document identification information as shown in FIG. 58A or FIG. 58B from the digital multi-function peripheral 70.

FIG. 58 is a diagram showing examples of document identification information. FIG. 58A shows the document identification information when the image data itself is transmitted to the security server. In FIG. 58A, “docId” and “printId” are not specified, and the binary image data ([binary image data]) is set in “image”.

FIG. 58B shows the document identification information when the image data is decoded by the digital multi-function peripheral 70 before transmission to the security server. In FIG. 58B, “docId” and “image” are not specified, and the “printId” that the digital multi-function peripheral 70 decoded from the binary image data is set in “printId”.

When the binary image data as in FIG. 58A is received from the digital multi-function peripheral 70, the security server 200 decodes it and acquires “p000000001” as the “printId”. Referring to the print profile with this “printId”, it acquires “0000000003” as the “docId”. The security server 200 then determines access control according to the policy with the access type “copy”, in the same manner as for “print” by “Taro Yamada”.
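The abstraction steps (1) to (5) and the policy evaluation described above, including the “Hanako Satoh” case, the read of document “0000000001” and the copy inquiry resolved through a “printId”, can be carried out as follows. This is an added example and not code from the patent or from Ricoh: the tables are held as plain Python structures mirroring FIGS. 44, 46, 47, 49 and 55; the second user authority level entry (mapping “Employee/Com” to “regular”), the operations permitted by the description 720, the address range of “saleszone02”, the mapping of printId “p000000001” to document “0000000003” and the function names are assumptions; and decoding a scanned identification pattern into a printId is not modelled.

```python
import ipaddress

# Constructed sample data modelled on FIGS. 44, 46, 47, 49 and 55 of the patent; the table
# layout and the values marked "assumed" are assumptions for this example, not the patent's files.
USER_AUTHORITY_LEVELS = [                       # user authority level table 250 (ordered)
    ("GroupLeaders/Sales/Com", "group", "manager"),
    ("Employee/Com", "group", "regular"),       # assumed entry that yields "regular"
]
DOCUMENT_PROFILES = {                           # document profile management table 260
    "0000000001": {"docCategory": "development", "docLevel": "secret",
                   "relatedPersons": ["Members/Dev/Com"], "zones": ["ANY"]},
    "0000000003": {"docCategory": "sales", "docLevel": "topsecret",
                   "relatedPersons": ["Members/Sales/Com"], "zones": ["saleszone01", "saleszone02"]},
}
ZONES = {                                       # zone management table 270: id -> (address, netmask) list
    "saleszone01": [("192.207.138.1", "255.255.255.0"), ("192.207.139.1", "255.255.255.0")],
    "saleszone02": [("192.207.140.1", "255.255.255.0")],   # assumed range
}
PRINT_PROFILES = {"p000000001": "0000000003"}   # print profile table 280: printId -> docId (assumed)
POLICY = [                                      # rule 1 of FIG. 49; the operations of ACE 720 are assumed
    {"docCategory": "sales", "docLevel": "topsecret", "aces": [
        {"userCategory": "RELATED_PERSON", "userLevel": "manager", "zone": "RESTRICTED",
         "operations": {"read": [], "print": [
             ("private_access", None), ("print_alarm", "Printed by %u"),
             ("identifiable_bg_pattern", "dynamic_image")]}},
        {"userCategory": "RELATED_PERSON", "userLevel": "ANY", "zone": None,
         "operations": {"read": []}},
    ]},
]


def map_authority_level(auth):
    """(1) userId/groups -> levelId; the first matching table entry wins, as in FIG. 44."""
    principals = [auth["userId"]] + auth["groups"]
    for principal, entry_type, level in USER_AUTHORITY_LEVELS:
        if principal in principals:
            return level
    return "regular"                             # assumed default when nothing matches


def map_user_category(auth, profile):
    """(2) related party or not: any principal of the user listed in the document's relatedPersons."""
    principals = {auth["userId"], *auth["groups"]}
    return "RELATED_PERSON" if principals & set(profile["relatedPersons"]) else "OTHER"


def map_zone(context, profile):
    """(4) ipAddress -> in/out of the document's zones, applying each addressInfo's netmask."""
    if "ANY" in profile["zones"]:
        return "IN_ZONE"
    ip = ipaddress.ip_address(context["ipAddress"])
    for zone_id in profile["zones"]:
        for address, netmask in ZONES.get(zone_id, []):
            if ip in ipaddress.ip_network(f"{address}/{netmask}", strict=False):
                return "IN_ZONE"
    return "OUT_OF_ZONE"


def resolve_doc_id(doc_ident):
    """(5) docId taken directly, or looked up through the print profile when only a printId
    (read from a scanned identification pattern) is known."""
    if doc_ident.get("docId"):
        return doc_ident["docId"]
    return PRINT_PROFILES[doc_ident["printId"]]


def decide(auth, context, doc_ident, access_type):
    """Abstract the request, then evaluate the policy; returns a FIG. 54 shaped result."""
    profile = DOCUMENT_PROFILES[resolve_doc_id(doc_ident)]
    level = map_authority_level(auth)
    category = map_user_category(auth, profile)
    zone = map_zone(context, profile)
    for rule in POLICY:
        if (rule["docCategory"], rule["docLevel"]) != (profile["docCategory"], profile["docLevel"]):
            continue
        for ace in rule["aces"]:
            if ace["userCategory"] != category or ace["userLevel"] not in ("ANY", level):
                continue
            if ace["zone"] == "RESTRICTED" and zone != "IN_ZONE":
                continue
            if access_type not in ace["operations"]:
                continue
            # correction process: "%u" in a supplement becomes the user's name
            requirements = [
                {"requirement": req,
                 "supplements": sup.replace("%u", auth["userName"]) if sup else None}
                for req, sup in ace["operations"][access_type]]
            return {"allowed": True, "requirements": requirements}
    return {"allowed": False, "requirements": []}   # no matching rule/ACE/operation: deny
```

Evaluation is default-deny: a request that matches no rule, no ACE, or no operation within a matching ACE is refused, which produces the “not permitted” results for “Hanako Satoh” (level “regular”, and the description 720 is assumed to permit only reading) and for the read of “0000000001” (no rule for “development”/“secret”), and also refuses a zone-restricted ACE when the request comes from an address outside the document's zones.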

As described above, according to the present invention, the security server 200 can abstract the information provided from the application system 400 so that it corresponds to the security policy of the company. That is, the abstraction level of the low-level information provided from the application system 400 can be raised so that it corresponds to a security policy defined at a high abstraction level. Therefore, the security of paper documents as well as electronic documents can be ensured according to the security policy of the organization.

The document management server and the document viewer 53 perform access control on electronic documents such as the server document 61 and the portable document 63 according to the organizational security policy, and perform security processing according to the policy when the portable document 63 is printed from the document viewer 53. Thus, the paper document printed by the user can be handled appropriately according to the policy.

In addition, when the printed paper document 62 is copied on the digital multi-function peripheral 70, the processing can be controlled according to the policy.

Accordingly, sufficient security of both paper documents and electronic documents can be ensured in a general office.

[Brief description of the drawings]
FIG. 1 is a diagram showing the system configuration according to one embodiment of the present invention.
FIG. 2 is a diagram showing the access control model.
FIG. 3 is a diagram showing the hardware configuration of the security server according to one embodiment of the present invention.
FIG. 4 is a diagram showing the functional structure of the security server.
FIG. 5 is a diagram showing the data structure of the user authority level table.
FIG. 6 is a diagram showing the data structure of the document profile management table.
FIG. 7 is a diagram showing the data structure of the zone management table.
FIG. 8 is a diagram showing the data structure of the print profile management table.
FIG. 9 is a diagram showing the access control sequence in the document management system.
FIG. 10 is a flowchart explaining the access control process in the document management system.
FIG. 11 is a diagram explaining the authentication process in the user management server.
FIG. 12 is a diagram showing the data structure of authentication result information.
FIG. 13 is a diagram explaining the permission process in the security server in response to an inquiry from the document management system.
FIG. 14 is a diagram explaining the permission process in the security server in response to an inquiry from the document management system.
FIG. 15 is a diagram explaining the permission process in the security server in response to an inquiry from the document management system.
FIG. 16 is a diagram showing the data structure of context information.
FIG. 17 is a diagram showing the data structure of determination result information.
FIG. 18 is a flowchart explaining the correction process for requirements in the document management system.
FIG. 19 is a flowchart explaining the requirement process in the document management system.
FIG. 20 is a flowchart explaining the requirement process in the document management system.
FIG. 21 is a diagram showing the access control sequence in the digital multi-function peripheral.
FIG. 22 is a flowchart explaining the access control process in the digital multi-function peripheral.
FIG. 23 is a diagram explaining the permission process in the security server in response to an inquiry from the digital multi-function peripheral.
FIG. 24 is a diagram explaining the permission process in the security server in response to an inquiry from the digital multi-function peripheral.
FIG. 25 is a diagram explaining the permission process in the security server in response to an inquiry from the digital multi-function peripheral.
FIG. 26 is a flowchart explaining the requirement process in the digital multi-function peripheral.
FIG. 27 is a flowchart explaining the requirement process in the digital multi-function peripheral.
FIG. 28 is a flowchart explaining the requirement process in the digital multi-function peripheral.
FIG. 29 is a diagram showing the access control sequence in the document viewer.
FIG. 30 is a flowchart explaining the access control process in the document viewer.
FIG. 31 is a flowchart explaining the access control process in the document viewer.
FIG. 32 is a flowchart explaining the requirement process in the document viewer.
FIG. 33 is a flowchart explaining the requirement process in the document viewer.
FIG. 34 is a flowchart explaining the requirement process in the document viewer.
FIG. 35 is a flowchart explaining the requirement process in the document viewer.
FIG. 36 is a flowchart explaining the requirement process in the document viewer.
FIG. 37 is a diagram showing an example screen when warning printing is designated as a requirement.
FIG. 38 is a diagram showing an example screen when confidential printing is designated as a requirement.
FIG. 39 is a diagram showing an example screen when printing a label as a stamp is designated as a requirement.
FIG. 40 is a diagram showing an example screen when printing of visible watermark characters is designated as a requirement.
FIG. 41 is a diagram showing an example screen when printing of an identification pattern is designated as a requirement.
FIG. 42 is a diagram showing the requirement processing sequence in the confidential printing mode.
FIG. 43 is a diagram showing the requirement processing sequence in the tint block printing mode.
FIG. 44 is a diagram showing an example of the data managed in the user authority level table.
FIG. 45 is a diagram showing the XML file of the user authority level table.
FIG. 46 is a diagram showing an example of the data managed by the document profile management table.
FIG. 47 is a diagram showing an example of the data managed by the zone management table.
FIG. 48 is a diagram showing the XML file of the zone management table.
FIG. 49 is a diagram showing the access control rules described in the policy file.
FIG. 50 is a diagram showing the access control rules described in the policy file.
FIG. 51 is a diagram showing an example of authentication result information.
FIG. 52 is a diagram showing an example of context information.
FIG. 53 is a diagram showing an example of document identification information.
FIG. 54 is a diagram showing an example of determination result information.
FIG. 55 is a diagram showing an example of the print profile management table.
FIG. 56 is a diagram showing an example of a printed identification pattern.
FIG. 57 is a diagram showing another example of authentication result information.
FIG. 58 is a diagram showing examples of document identification information.

Explanation of symbols

50 Initiator
51 Terminal
52 User
53 Document viewer
61 Server document
62 Paper document
63 Portable document
70 Digital multi-function peripheral
100 Document management system
200 Security server
240 Policy file
250 User authority level table
260 Document profile management table
270 Zone management table
280 Print profile management table
300 User management server
310 User management table
400 Application system

Claims (25)

  1. Upon receiving an access determination request for requesting access control determination to access target information, an abstract that converts the first information specified in the access determination request into second information having a higher abstraction level than the first information Degree conversion means;
    An access control determination means for determining access control to the target information by referring to an abstractly defined security policy based on the second information;
    An access control determination system comprising: determination result transmission means for transmitting a determination result indicating access control to the target information by the access control determination means to a request source that has made the access determination request.
  2. The abstraction conversion means is:
    Based on the first information, mapping means for mapping to the second information by referring to a management table that manages the first information and the second information having different degrees of abstraction in association with each other The access control determination system according to claim 1, wherein:
  3. The abstraction conversion means is:
    Based on the first information, a first mapping means for mapping to the second information by referring to a first management table for managing the first information and the second information having different degrees of abstraction in association with each other When,
    Based on the first information, the third information is obtained by referring to the second management table that manages the first information having different abstraction levels and the third information different from the second information in association with each other. A second mapping means for mapping,
    The access control determination means is
    The access control determination system according to claim 1, wherein access control to the target information is determined by referring to the security policy based on at least one of the second information and the third information.
  4. The abstraction conversion means is:
    Based on the first information, the intermediate information is acquired by referring to the first management table that associates and manages the first information and the intermediate information having different attributes. Mapping means for mapping to the second information by referring to a second management table that associates and manages the intermediate information and the second information different from the abstraction level of the first information based on the intermediate information The access control determination system according to claim 1, further comprising:
  5.   The access according to claim 1, wherein the first information is user identification information for identifying a user who accesses the target information, and the second information is information indicating an authority level of the user. Control decision system.
  6.   The first information is user identification information for identifying a user who accesses the target information, and the second information is information indicating whether the user is a party to the target information. The access control determination system according to claim 1, wherein:
  7.   The first information is information indicating a location where the target information is accessed, and the second information is information indicating whether or not the information is within a predetermined zone. The access control decision system described.
  8.   The first information is image data obtained by scanning a paper document indicating the target information, and the second information is information indicating a security attribute of the target information based on the image data. The access control determination system according to claim 1.
  9. The access control determining means determines access control with a requirement for permitting access to the target information in accordance with the security policy,
    2. The access control determination system according to claim 1, wherein the determination result transmission means adds information indicating a requirement to the determination result and transmits the information to the request source.
  10.   The access control determining means includes supplementary information specified when processing the requirement in the requirement in the case where access to the target information is permitted in accordance with the security policy. Access control decision system.
  11.   The access according to claim 9 or 10, wherein the access control determination means includes an alternative requirement in the case where the requirement cannot be processed in the requirement when the access to the target information is permitted according to the security policy. Control decision system.
  12.   10. The access control determination system according to claim 1, wherein the security policy can be set from outside.
  13. Security policy that can be set from the outside and defined abstractly is stored in the storage area,
    Receiving an access determination request for requesting an access control determination to the target information to be accessed;
    Converting the first information specified in the access determination request into second information having a higher abstraction level than the first information;
    Based on the second information, the access control to the target information is determined by referring to the security policy stored in the storage area,
    An access control determination method, comprising: transmitting a determination result indicating access control to the target information to a request source that has made the access determination request.
  14. Security policy that can be set from the outside and defined abstractly is stored in the storage area,
    Receiving an access determination request for requesting an access control determination to the target information to be accessed;
    Converting the first information specified in the access determination request into second information having a higher abstraction level than the first information;
    Based on the second information, the access control to the target information is determined by referring to the security policy stored in the storage area,
    An access control determination program for causing a computer to transmit a determination result indicating access control to the target information to a request source that has made the access determination request.
  15. Security policy that can be set from the outside and defined abstractly is stored in the storage area,
    Receiving an access determination request for requesting an access control determination to the target information to be accessed;
    Converting the first information specified in the access determination request into second information having a higher abstraction level than the first information;
    Based on the second information, the access control to the target information is determined by referring to the security policy stored in the storage area,
    A computer-readable storage medium storing an access control determination program, which causes a computer to transmit a determination result indicating access control to the target information to a request source that has made the access determination request.
  16. Based on access control information that specifies control related to access to target information in accordance with a security policy, access control enforcement means for executing access control on the target information;
    The access control enforcement means further includes:
    A requirement availability judging means for judging whether or not the requirement for executing the access specified by the access control information can be executed;
    An access control execution system for executing the access control on the target information so as to satisfy the requirements based on a determination result by the requirement availability determination means.
  17. The access control enforcement means further includes:
    17. The apparatus according to claim 16, further comprising: an access prohibiting unit that prohibits the access to the target information when the determination result by the requirement availability determining unit indicates that the access cannot be performed so as to satisfy the requirement. Access control enforcement system.
  18. The access control enforcement means is
    When the determination result by the requirement availability determination means indicates that the access cannot be executed so as to satisfy the requirement, the access control is executed so as to find the alternative requirement specified in the access control information. The access control enforcement system according to claim 17.
  19. The access control execution system according to claim 18, wherein the access control execution means further includes alternative requirement availability determination means for determining, when the determination result by the requirement availability determination means indicates that the access cannot be executed so as to satisfy the requirement, whether the alternative requirement specified by the access control information can be executed,
    and the access is prohibited when the determination result by the alternative requirement availability determination means indicates that the alternative requirement cannot be executed.
  20. The access control execution system according to claim 18, wherein, when the determination result by the requirement availability determination means indicates that the access can be executed so as to satisfy the requirement, the access control execution means executes the access control on the target information so as to satisfy the requirement using supplementary information specified by the access control information.
  21. The access control execution system according to any one of claims 16 to 19, wherein at least one of log recording, encrypted storage, originality assurance, strict user authentication, version management, complete erasure, and warning display can be executed as the requirement.
  22. The access control execution system according to any one of claims 16 to 18, wherein at least one of log recording, label printing, operator printing, image log recording, warning display, warning printing, destination restriction, confidential transmission, watermark printing, and digital watermark embedding can be executed as the requirement.
  23. The access control execution system according to any one of claims 16 to 19, wherein log recording, strict user authentication, warning display, confidential printing, image log recording, identification information printing, label printing, watermark printing, copy-forgery-inhibited pattern printing, identification background pattern printing, and warning printing can be executed as the requirement.
  24. The access control execution system further comprising:
    access determination request means for requesting, in response to an access request to the target information, an access control determination from an access control determination system that determines access control according to an abstractly defined security policy; and
    access control receiving means for receiving the access control information provided by the access control determination system in response to the access control determination request,
    wherein the access control execution means executes the access control on the target information based on the access control information received by the access control receiving means.
  25. An access control execution system which, when executing access control on target information based on access control information that specifies control related to access to the target information in accordance with a security policy,
    determines whether or not a requirement for executing the access, the requirement being specified by the access control information, can be executed, and
    executes the access control on the target information so as to satisfy the requirement based on the determination result.
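The requirement-availability logic of claims 16 to 20 as an enforcement point, written here as an added example in Python (not the patent's or Ricoh's code): the access control information, the device capability table and the requirement operation names are constructed for illustration, with the alternative requirement and supplementary information modelled as the claims describe them.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional
# Constructed access control information shaped after claims 16 to 20: the requirements
# that must accompany an access, an alternative set if those cannot be met, and the
# supplementary information (label text, log destination) used when executing them.
@dataclass
class AccessControlInfo:
    requirements: tuple[str, ...]
    alternative: Optional[tuple[str, ...]] = None
    supplementary: dict[str, str] = field(default_factory=dict)

@dataclass
class EnforcementResult:
    permitted: bool
    executed: list[str]   # records of the requirement operations actually carried out
    reason: str

# Requirement operations this constructed device supports; each returns a record of what it did.
Operation = Callable[[dict[str, str]], str]
def record_log(supp: dict[str, str]) -> str:
    return f"log:{supp.get('log_server', 'local')}"
def print_label(supp: dict[str, str]) -> str:
    return f"label:{supp.get('label', 'CONFIDENTIAL')}"
def warn_display(supp: dict[str, str]) -> str:
    return f"warn:{supp.get('warning', 'Restricted document')}"

PRINTER_CAPABILITIES: dict[str, Operation] = {
    "log recording": record_log,
    "label printing": print_label,
    "warning display": warn_display,
}

def can_execute(reqs: tuple[str, ...], capabilities: dict[str, Operation]) -> bool:
    # Claim 16: requirement availability determination against what the device can do
    return all(r in capabilities for r in reqs)

def enforce(info: AccessControlInfo, capabilities: dict[str, Operation]) -> EnforcementResult:
    # Pick the requirement set to honour (claims 16, 18, 19), then carry it out (claim 20).
    if can_execute(info.requirements, capabilities):
        chosen, reason = info.requirements, "primary requirements"
    elif info.alternative is not None and can_execute(info.alternative, capabilities):
        chosen, reason = info.alternative, "alternative requirements"
    else:
        # Claims 17 and 19: an access whose requirements cannot be met is prohibited, not granted
        return EnforcementResult(False, [], "requirements not executable; access prohibited")
    executed = [capabilities[r](info.supplementary) for r in chosen]
    return EnforcementResult(True, executed, reason)
```

The fail-closed branch is the point a reviewer checks first: a device that cannot record the log or print the label must refuse the operation rather than perform it without the required accompanying measures.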
JP2003315996A 2003-06-23 2003-09-08 Access control decision system, and access control execution system Pending JP2005038372A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2003178033 2003-06-23
JP2003315996A JP2005038372A (en) 2003-06-23 2003-09-08 Access control decision system, and access control execution system

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2003315996A JP2005038372A (en) 2003-06-23 2003-09-08 Access control decision system, and access control execution system
US10/872,574 US20050021980A1 (en) 2003-06-23 2004-06-22 Access control decision system, access control enforcing system, and security policy
EP04014618A EP1507402A3 (en) 2003-06-23 2004-06-22 Access control decision system, access control enforcing system, and security policy
US12/275,796 US8302205B2 (en) 2003-06-23 2008-11-21 Access control decision system, access control enforcing system, and security policy

Publications (1)

Publication Number Publication Date
JP2005038372A true JP2005038372A (en) 2005-02-10

Family

ID=34220124

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2003315996A Pending JP2005038372A (en) 2003-06-23 2003-09-08 Access control decision system, and access control execution system

Country Status (1)

Country Link
JP (1) JP2005038372A (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007034447A (en) * 2005-07-25 2007-02-08 Fujitsu Support & Service Kk Information management device and information management system
JP2007065777A (en) * 2005-08-29 2007-03-15 Ricoh Co Ltd Electronic data distribution system, electronic data distribution program, recording medium with the program recorded thereon, and input device
JP2007164640A (en) 2005-12-15 2007-06-28 Fuji Xerox Co Ltd Device, method, program and system for managing use restriction
JP2008123201A (en) * 2006-11-10 2008-05-29 Fuji Xerox Co Ltd Image processing program, indicating device, processing apparatus, and image processing system
JP2008158857A (en) * 2006-12-25 2008-07-10 Fuji Xerox Co Ltd Document registration program, system and device
JP2009512001A (en) * 2006-08-10 2009-03-19 コリア インスティテュート フォー エレクトロニック コマース Electronic document storage system for performing proof of fact and proof of electronic document, and electronic document registration method, browsing method, issuing method, transfer method, certificate issuing method performed in the system
WO2010140628A1 (en) * 2009-06-03 2010-12-09 株式会社 東芝 Access control system
US7969619B2 (en) 2006-08-08 2011-06-28 Ricoh Company, Ltd. Information tracking method, image forming apparatus, information processing apparatus, and information tracking program
JP2012018698A (en) * 2011-10-24 2012-01-26 Ricoh Co Ltd Portable information processor, electronic device, operation control method, and operation control program
US8259328B2 (en) 2006-12-20 2012-09-04 Ricoh Company, Ltd. Apparatus for transmitting image
KR101468019B1 (en) * 2013-04-17 2014-12-02 삼성전자주식회사 The data transmitting method in image forming apparatus and the image forming apparatus for performing the method
KR101586339B1 (en) * 2014-09-29 2016-01-18 주식회사 포워드벤처스 System and method for executing application
US9727745B2 (en) 2008-09-24 2017-08-08 S-Printing Solution Co., Ltd. Data transmitting method of image forming apparatus and image forming apparatus for performing data transmitting method

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH02216561A (en) * 1989-02-17 1990-08-29 Hitachi Ltd Multi-level secrecy protective system
JPH103429A (en) * 1996-06-19 1998-01-06 Kobe Nippon Denki Software Kk Picture processor
JPH11161672A (en) * 1997-12-01 1999-06-18 Mitsubishi Electric Corp server
JPH11338825A (en) * 1998-05-29 1999-12-10 Hitachi Ltd Access control method considering configuration of organization
JP2000020377A (en) * 1998-06-30 2000-01-21 Csk Corp Database system, data managing method and storage medium storing software for data management
JP2000231509A (en) * 1999-02-10 2000-08-22 Mitsubishi Electric Corp Access control method in computer system
JP2001184264A (en) * 1999-12-16 2001-07-06 Internatl Business Mach Corp <Ibm> Access control system, access control method, storage medium, and program transmitting device
WO2002003215A1 (en) * 2000-06-30 2002-01-10 Matsushita Electric Industrial Co., Ltd. User information control device
JP2003069595A (en) * 2001-08-24 2003-03-07 Sanyo Electric Co Ltd Access control system
JP2003122635A (en) * 2001-08-03 2003-04-25 Matsushita Electric Ind Co Ltd Access right control system
JP2004280227A (en) * 2003-03-13 2004-10-07 Base Technology Inc Documentation management system

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4732820B2 (en) * 2005-07-25 2011-07-27 株式会社富士通エフサス Information management system
JP2007034447A (en) * 2005-07-25 2007-02-08 Fujitsu Support & Service Kk Information management device and information management system
JP2007065777A (en) * 2005-08-29 2007-03-15 Ricoh Co Ltd Electronic data distribution system, electronic data distribution program, recording medium with the program recorded thereon, and input device
JP2007164640A (en) 2005-12-15 2007-06-28 Fuji Xerox Co Ltd Device, method, program and system for managing use restriction
US7969619B2 (en) 2006-08-08 2011-06-28 Ricoh Company, Ltd. Information tracking method, image forming apparatus, information processing apparatus, and information tracking program
JP2009512001A (en) * 2006-08-10 2009-03-19 コリア インスティテュート フォー エレクトロニック コマース Electronic document storage system for performing proof of fact and proof of electronic document, and electronic document registration method, browsing method, issuing method, transfer method, certificate issuing method performed in the system
JP4918092B2 (en) * 2006-08-10 2012-04-18 ナショナル アイティ− インダストリ− プロモ−ション エ−ジェンシ− Electronic document storage system for performing proof of fact and proof of electronic document, and electronic document registration method, browsing method, issuing method, transfer method, certificate issuing method performed in the system
JP2008123201A (en) * 2006-11-10 2008-05-29 Fuji Xerox Co Ltd Image processing program, indicating device, processing apparatus, and image processing system
US8259328B2 (en) 2006-12-20 2012-09-04 Ricoh Company, Ltd. Apparatus for transmitting image
JP2008158857A (en) * 2006-12-25 2008-07-10 Fuji Xerox Co Ltd Document registration program, system and device
US9727745B2 (en) 2008-09-24 2017-08-08 S-Printing Solution Co., Ltd. Data transmitting method of image forming apparatus and image forming apparatus for performing data transmitting method
JP2010282362A (en) * 2009-06-03 2010-12-16 Toshiba Corp Access control system
WO2010140628A1 (en) * 2009-06-03 2010-12-09 株式会社 東芝 Access control system
JP4649523B2 (en) * 2009-06-03 2011-03-09 東芝ソリューション株式会社 Access control system
JP2012018698A (en) * 2011-10-24 2012-01-26 Ricoh Co Ltd Portable information processor, electronic device, operation control method, and operation control program
KR101468019B1 (en) * 2013-04-17 2014-12-02 삼성전자주식회사 The data transmitting method in image forming apparatus and the image forming apparatus for performing the method
KR101586339B1 (en) * 2014-09-29 2016-01-18 주식회사 포워드벤처스 System and method for executing application

Similar Documents

Publication Publication Date Title
US9390460B2 (en) System and method for dynamic generation of embedded security features in a document
US8154769B2 (en) Systems and methods for generating and processing evolutionary documents
US8237939B2 (en) Apparatus and method for restricting file operations
JP3803378B2 (en) Secure copy of confidential documents
JP4314267B2 (en) Access control apparatus, access control method, and printing system
US7757162B2 (en) Document collection manipulation
AU652525B2 (en) Security system for electronic printing systems
EP1551146B1 (en) Document security management for repeatedly reproduced hardcopy and electronic documents
CN101783862B (en) Information processing apparatus and information processing method
JP4350549B2 (en) Information processing device for digital rights management
US7869082B2 (en) Multi-function input/output device and method
AU780201B2 (en) Remote printing of secure and/or authenticated documents
JP2014159123A (en) Printing device, printing device control method, and program
EP1725015B1 (en) System and method for controlling reproduction of documents containing sensitive information
CN1885327B (en) Image output system having image log recording function, and log recording method in image output system
EP1399798B1 (en) Method of invisibly embedding into a text document the license identification of the generating licensed software
KR100816184B1 (en) System of electronic document repository which guarantees authenticity of the electronic document and issues certificates and method of registering, reading, issuing, transferring, a certificate issuing performed in the system
DE69911954T2 (en) Device for generating and device for reading a digital watermark and method for generating and reading a digital watermark
EP1237352B1 (en) A system, method and computer program for managing documents
US6628412B1 (en) Methods of document management and automated document tracking, and a document management system
JP4379499B2 (en) Image output authentication system, image output authentication server, and image output authentication method
US7028012B2 (en) System and method for ordering customized identification documents via a network
US8913267B2 (en) Printing system and program
DE60306878T2 (en) A server, a terminal and a picture management method
US8040541B2 (en) Secure document printing

Legal Events

Date Code Title Description
2006-01-23 A621 Written request for application examination JAPANESE INTERMEDIATE CODE: A621
2009-07-14 A131 Notification of reasons for refusal JAPANESE INTERMEDIATE CODE: A131
2009-09-14 A521 Written amendment JAPANESE INTERMEDIATE CODE: A523
2009-10-13 A131 Notification of reasons for refusal JAPANESE INTERMEDIATE CODE: A131
2009-12-14 A521 Written amendment JAPANESE INTERMEDIATE CODE: A523
2010-08-31 A02 Decision of refusal JAPANESE INTERMEDIATE CODE: A02