JP2008262568A - Image forming apparatus and image forming method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an image forming apparatus for performing processing control based on a security policy, especially by acquiring a document attribute of a document, with respect to a system for securing security of an information system. <P>SOLUTION: The image forming apparatus has: a policy holding means for holding a security policy in which a rule of handling a document is described; a policy rewriting means for rewriting the security policy which is a security policy from outside that is held by the policy holding means; and an operation control means for controlling operation for the document according to the security policy managed by a policy management means. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a system for ensuring the security of an information system, and more particularly to an image forming apparatus and an image forming method for performing processing control based on a security policy that describes rules for handling documents.

  In the field of dealing with documents such as offices, there is always a desire to control the security of the documents. For example, when a secret document is copied, it is necessary to obtain the permission of the manager in charge. Particularly, it is important to control a policy for a document which is a container for information, particularly a policy regarding confidentiality. Generally, ensuring the security of an information system is broadly divided into ensuring confidentiality, integrity, and availability, but integrity and availability can be secured to a level that is virtually free of problems if the system administrator appropriately manages and manages it. There are many. On the other hand, in order to ensure confidentiality, it is presumed that the policy must be shared and thoroughly made by members belonging to the user organization.

  In reality, many companies are trying to control security by setting document management rules. However, for ensuring security in an actual office system, it is necessary to individually set security settings for various devices constituting the office system, not for documents.

  Various conventional techniques related to a method of performing access control based on a security policy are disclosed (Patent Document 1 to Patent Document 14).

  For example, in access control, it is described that conditional access permission is evaluated (Patent Document 1).

  For example, it describes security management and auditing simplification of a corporate information system according to an information security policy (Patent Document 2).

  However, in particular, the above-mentioned Patent Document 1 does not mention processing of data after access, particularly reading, in the access control system for data files.

  In the above-mentioned Patent Document 2, a security policy, a system, and a control unit are configured, and a control unit is extracted from a DB (database) in which each combination is registered, and the system is controlled to match the policy. However, the means for auditing the state is only controlled by the control means registered for the system, and the degree of freedom of implementation is low.

  Further, in the method of inputting the operator ID of Patent Document 7, taking out the ID from the document, and controlling copying, control based on a fixed rule of rejecting copying or permitting copying and recording a log. It can only be done.

  In the method of extracting and checking a mark indicating a confidential document from the image of Patent Document 8, since the operation to be performed is determined from the obtained information, the rule lacks flexibility.

  In the method of controlling the output destination based on the output restriction data included in the print information of Patent Document 9, a rule must be included in the print information.

  In the method of reading the image of Patent Document 10 and storing it together with the password and permitting it when the passwords match at the time of output, the criterion to judge is only the password, and the operation controlled by it is permitted or not permitted Only.

  In the method of controlling the permission or disapproval of the operation of all MFPs on the network by one MFP among the plurality of MFPs on the network of Patent Document 11, the controlled operation is permitted or not permitted. Only permission.

In the method of judging permission of use and permission of operation for each of a plurality of devices in Patent Document 12, only permission and non-permission can be controlled, and only control based on user information can be performed. As described above, the problems of the prior art are that the rules are limited and inflexible, and the rules are only predetermined. In other words, in the conventional input / output device, only “permission” and “prohibition” of operations for “user” and “document” IDs are determined in advance.
JP 2001-184264 A JP 2001-273388 A JP 2001-337864 A JP 09-293036 A Japanese Patent Application Laid-Open No. 07-141296 Japanese Patent No. 0273596 Japanese Patent No. 3203103 JP 7-58950 A JP 7-152520 A JP-A-10-191072 JP 2000-15898 A JP 2000-357064 A JP 2001-125759 A JP 2001-325249 A.

  In such a security implementation method, when security for document printing is executed, first, a security enforcer needs knowledge about security of various devices. Second, security must be executed for all devices one by one. Third, it is necessary to easily grasp the security state of the entire system, but it is difficult to grasp. Fourth, even if security is implemented for each device, it cannot be realized that the security of the document is actually protected. As described above, there are problems as described above in ensuring security in an actual office system.

  The present invention aims to solve the above-mentioned problems.

  In particular, an object of the present invention is to provide an image forming apparatus and an image forming method that perform processing control based on a security policy that describes rules for handling documents distributed from an external server via a network.

  In order to solve the above problems, the present invention provides a policy holding means for holding a security policy in which rules for handling documents are described, and policy distribution received from an external server via a network. In response to the notification, communication means for performing policy distribution control with the external server, and rewriting the security policy held by the policy holding means with the security policy received from the external server via the communication means Policy rewriting means and operation control means for controlling the operation on the document according to the security policy managed by the policy management means are configured.

  In such an image forming apparatus, an existing security policy can be rewritten with a security policy provided from an external server.

  Further, according to the present invention, when the communication unit receives the policy distribution notification from the external server, the communication unit sends a policy acquisition request including authentication information of the image forming apparatus to the external server. And when the authentication information is authenticated, a security policy may be received from the external server and transmitted to the policy rewriting means. Further, according to the present invention, the policy distribution notification received from the external server includes identification information of the security policy to be replaced, and the communication unit is configured to transmit the policy at a predetermined timing. The policy acquisition request including identification information may be transmitted to the external server.

  In such an image forming apparatus, the policy rewriting unit may be configured to write the security policy acquired from the outside to the policy holding unit by the communication unit when power is turned on.

  In addition, such an image forming apparatus may include a timer unit that notifies the communication unit of the rewrite timing of the security policy held by the policy holding unit.

  In addition, such an image forming apparatus includes an interface unit that reads the security policy from a storage medium that stores the security policy, and is held by the policy holding unit according to the security policy read by the interface unit. The security policy may be rewritten.

  The communication means may be configured to acquire the security policy according to Simple Object Access Protocol via the network.

  As means for solving the first problem, the present invention may be a method for performing processing in the image forming apparatus, a program to be executed by the processing computer, and a storage medium storing the program. .

  According to the present invention, it is possible to provide an image forming apparatus and an image forming method that perform processing control based on a security policy in which rules for handling documents are described.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  Examples of the present invention are described in detail below.

  First, a security policy describing handling rules regarding documents will be described.

  In this embodiment, in order to share a security policy for a document between different types of systems, the security policy is described using the following mechanism. Here, the described security policy is called a document security policy (DSP).

  FIG. 1 shows an example of a security policy. For example, the organization to which the user belongs is assumed to have a security policy as shown in FIG. 1 for each document security level, such as a confidential document, a confidential document, or a confidential document.

  In order to be able to describe such a policy as a DSP, the following method is used.

  First, the documents are classified according to the confidentiality level (confidential, confidential, confidential, etc.) and the category (HR document, technical document, etc.). This combination of sensitivity level and category is called a document security label. This security label is actually given as attribute information to each document.

  An example of the classification method as described above is shown in FIG. FIG. 2 shows an example of a document label term file. A document label term file 300 as shown in FIG. 2 is a file for managing a list of labels given as attribute information to individual documents, and is described in XML, for example.

  The DSP specifies the operations that are permitted on a document according to the document's confidentiality level and category, and the requirements (permissions of the administrator responsible) to be executed when the operation is permitted. Get, print a label, etc.). It is the document label term file 300 of FIG. 2 that describes such document confidentiality levels and categories.

  In FIG. 2, two types of categories are indicated by a description 311 and a description 321 indicated by <enumeration> to </ enumeration>.

  In the description 311, a description 312 indicating <enum_id> doc_category </ enum_id> indicates that the category identification information is “doc_category”. A description 313 indicating <enum_name> Document Category </ enum_name> indicates that the name of the category is “Document Category”. <Description> A description 314 indicating the type of document category </ description> indicates an explanation “type of document category” indicating what this category classifies.

  Items 315, 316 and 317 indicating <item> to </ item> indicate three categories of items. The description 315 indicates that the item name is “internal_doc” by the description indicating <name> internal_doc </ name>, and the description “internal” of the item by the description indicating <description> general internal document </ description>. "General document".

  The description 316 indicates that the item name is “human_resource_doc” by the description indicating <name> human_resource_doc </ name>, and the description “HR” of the item by the description indicating <description> HR related document </ description>. Related documents ".

  The description 317 indicates that the item name is “technical_doc” by the description indicating <name> technical_doc </ name>, and the description “Technology” of the item by the description indicating <description> technical document </ description>. Related documents ".

  Similarly, in the description 321, a description 322 indicating <enum_id> doc_security_level </ enum_id> indicates that the category identification information is “doc_security_level”. A description 323 indicating <enum_name> Document Security Level </ enum_name> indicates that the category name is “Document Security Level”. <Description> Description 324 indicating the type of document security level </ description> indicates an explanation “type of document security level” indicating what this category classifies.

  Items of three categories are indicated by description 325, description 326, and description 327 indicating <item> to </ item>. The description 325 indicates that the item name is “basic” by a description indicating <name> basic </ name>, and the description “confidential” of the item is described by a description indicating <description> confidential </ description>. Show.

  The description 326 indicates that the item name is “medium” by the description indicating <name> medium </ name>, and the description “secret” of the item by the description indicating <description> secret </ description>. Show.

  The description 327 indicates that the item name is “high” by the description indicating <name> high </ name>, and the description “top secret” of the item is described by the description indicating <description> confidential </ description>. Show.

  As described above, the document label term file 300 defines the types of document categories such as in-house general documents, personnel related documents, and technical related documents. Also, the types of document security levels such as confidential, confidential, and confidential are defined.

  3 to 13 are diagrams showing examples of policy term files. 3 to FIG. 13, one policy term file 400 is configured.

  The policy term file 400 as shown in FIGS. 3 to 13 describes the classification of system types and lists operations for each system type. For each operation, requirements that can be supported when the operation is executed are listed. The policy term file 400 is described in XML, for example.

  In FIG. 3, the method of listing and describing is shown by repeating the description from <enumeration> to </ enumeration>, similarly to the description method in the document label file 300 shown in FIG. Since the detailed description from <enumeration> to </ enumeration> is the same as the description method in the document label file 300 shown in FIG. 2, only a brief description will be given here.

  For example, in FIG. 3, system types are listed by description 411. According to the description 411, “copier”, “printer”, “facsimile”, “scanner”, “document repository”, and “electronic conference system” are described as “system type”.

  Then, for example, as shown in FIG. 4, each operation for each system type is listed by descriptions 421 to 471.

  In the description 421, “copying from paper to paper” is described as “operation related to the copying machine”. In the description 431, “print electronic document on paper” is described as “operation related to the printer”. In the description 441, “fax transmission” and “fax reception” are described as “operation related to fax”. In the description 451, “scan a paper document into an electronic document” is described as “operation related to the scanner”.

  In the description 461, “operation related to the document repository” includes “save”, “revise / edit”, “delete / destroy”, “reference”, “distribute over network (send)”, “disk” “Distribute (send)” and “archive / backup”. In the description 471, “use in conference” is described as “operation related to the electronic conference system”.

  Further, for example, as shown in FIGS. 6 to 13, requirements applicable for each operation are listed by descriptions 481 to 601.

  In the description 481, “explicit permission”, “record of audit trail”, and “record with audit trail image” are described as “requirements related to copying”.

  In the description 491, as “requirements related to printing”, “explicit permission (use restriction)”, “recording of audit trail”, “recording with image of audit trail”, “paper output by printed person”, “trust” “Use of channel (encryption of print data)” and “embedment of tracking information in printout (watermark, label, barcode)” are described.

  In description 501, as “requirements related to fax transmission”, “explicit permission (use restriction)”, “recording audit trail”, “recording with audit trail image”, “restricting destination”, “confidential mode” “Transmission”, “Use of trusted channel”, “Embed tracking information in transmission fax (watermark, label, barcode)”, and “Non-repudiation (acquisition of receipt)” are described.

  In the description 511, as “requirements for receiving a fax”, “record of audit trail”, “record with image of audit trail”, “retrieve of confidential fax destination”, “trust time stamp”, and “received fax” "Tracking information embedding (watermark, label, barcode)" is described.

  In the description 521, “explicit permission (use restriction)”, “record of audit trail”, “record with audit trail image” as “requirement related to scanning (retention requirement is applied after saving)” And “Embed Tracking Information (Watermark, Label, Barcode) in Scanned Image” is described.

  In the description 531, “explicit permission (use restriction)”, “recording audit trail”, “encryption of stored data”, and “tamper protection of stored data” are described as “requirements related to storage”. The

  In the description 541, “explicit permission (use restriction)”, “record audit trail”, and “version management” are described as “requirements related to revision”.

  In the description 551, “explicit permission (use restriction)”, “record of audit trail”, “record with image of audit trail”, and “complete deletion” are described as “requirements related to deletion / destruction”. The

  In the description 561, as “requirement related to reference”, “explicit permission (use restriction)”, “recording of audit trail”, “permitted to refer only to data prohibited for editing”, “permitted to refer only to data prohibited to print”, “Reference permission for reference data only” and “permission for reference only to user-limited data” are described.

  In the description 571, as “requirements related to network distribution (transmission)”, “explicit permission (use restriction)”, “recording of audit trail”, “recording with audit trail image”, “use of trust channel (transmission) Data encryption) ”,“ address restrictions (distribution only within the company, etc.) ”,“ distribution of only edit-prohibited data ”,“ permission of prohibition of printing only ”,“ permission of distribution of data only for reference location ”, and “Permission to distribute data only for users” is described.

  In the description 581, as “requirements related to disk distribution (delivery)”, “explicit permission (use restriction)”, “recording of audit trail”, “recording with image of audit trail”, “encryption of sent data” , “Tampering protection of sending data”, “Allow sending only prohibited data”, “Allow sending only printing prohibited”, “Allow sending only reference location data”, and “Allow sending only user-only data”. be written.

  In the description 591, “explicit permission (use restriction)”, “recording audit trail”, “encryption of archive data”, and “tamper protection of archive data” are included as “requirements related to archive backup”. be written.

  In the description 601, “explicit permission (use restriction)”, “record of audit trail”, and “record with audit trail image” are described as “requirements related to use in a meeting”.

  A DSP based on the document label term file of FIG. 2 and the policy term file of FIGS. 3 to 13 will be described with reference to FIGS. 14 to 22 are diagrams showing examples of policy files. Based on the document label term file 300 shown in FIG. 2 and the policy term file 400 shown in FIGS. 3 to 13, the security policy in the user's organization is, for example, DSP 2000 shown in FIGS. 14 to 22. Is described in XML and constitutes one policy file.

  In the DSP 2000 as shown in FIGS. 14 to 22, a policy is indicated by a description 2001 indicated by <policy> to a description 2002 indicated by </ policy>.

  In the description 2011 indicating <acc_rule> in FIG. 14 to the description 2012 indicating </ acc_rule> in FIG. 16, a document category “<doc_category> ANY </ doc_category>” and a description 2013 indicating <doc_security_level> basic </ doc_security_level> are used. A description 2017 indicating <user_category> ANY </ user_category> and <user_security_level> ANY </ user_security_level> for a document having a document attribute of “ANY (non-limited)” and document security level “basic (basic level)” A policy for each operation performed by a user having a user attribute having a user category “ANY (unlimited)” and a user security level “ANY (unlimited)” is described. For each description from <operation> to </ operation>, permission (<allowed />) or non-permission (<denied />) is defined. Further, when the operation is permitted, a requirement (<requirement>) for permitting is defined.

  In the description 2021 indicating <acc_rule> in FIG. 16 to the description 2022 indicating </ acc_rule> in FIG. 19, a document category “<doc_category> ANY </ doc_category>” and a description 2023 indicating <doc_security_level> medium </ doc_security_level> are used. A description indicating <user_category> DOC-CATEGORY </ user_category> and <user_security_level> ANY </ user_security_level> for a document having a document attribute of “ANY (non-limited)” and document security level “medium (medium level)” 2027, each operation performed by a user having a user attribute “DOC-CATEGORY (type of document category)” (refer to descriptions 312, 313, and 314 in FIG. 2) and a user security level “ANY (unlimited)”. Policies are described. For each description from <operation> to </ operation>, permission (<allowed />) or non-permission (<denied />) is defined. Further, when the operation is permitted, a requirement (<requirement>) for permitting is defined.

  Further, for a document having the same document attribute, the user category “ANY (non-restricted)” and the user are defined by the description 2028 indicating <user_category> ANY </ user_category> and <user_security_level> ANY </ user_security_level> in FIG. A policy for each operation performed by a user having a user attribute having a security level “ANY (non-limited)” is described. For each description from <operation> to </ operation>, permission (<allowed />) or non-permission (<denied />) is defined. Further, when the operation is permitted, a requirement (<requirement>) for permitting is defined.

  In the description 2031 indicating <acc_rule> in FIG. 19 to the description 2032 indicating </ acc_rule> in FIG. 19, the description 2023 indicating <doc_category> ANY </ doc_category> and <doc_security_level> high </ doc_security_level> A description indicating <user_category> DOC-CATEGORY </ user_category> and <user_security_level> ANY </ user_security_level> for a document having a document attribute of “ANY (non-limited)” and document security level “high (high level)” For each operation performed by a user having a user attribute “DOC-CATEGORY (type of document category)” (see descriptions 312, 313, and 314 in FIG. 2) and a user security level “ANY (unlimited)” Policies are described. For each description from <operation> to </ operation>, permission (<allowed />) or non-permission (<denied />) is defined. Further, when the operation is permitted, a requirement (<requirement>) for permitting is defined.

  Next, the structure of the DSP 2000 of FIGS. 14 to 22 will be described in detail below with reference to FIGS.

  FIG. 23 is a diagram illustrating an example of DSP identification information. In the identification information 210 of the DSP 2000, description information 211 to 213 surrounded by <about_this_policy> and </ about_this_policy> describes identification information for identifying the DSP 2000.

  A description 211 indicating <serial_number> RDSP2023 </ serial_number> describes a serial number for distinguishing the DSP 2000 from other DSPs.

  In the description 212 indicated by <terminology_applied> RDST9487 </ terminology_applied>, the serial number of the policy term file 400 corresponding to the DSP 2000 is described. Since this definition file may be updated, it is recorded in order to clarify which policy term file this DSP 2000 is described on. The description 213 includes <title> DOCUMENT-SECURITY-POLICY </ title> as a title of the DSP 2000, <version> 1.20 </ version> as a version number, <creation_date> 2002/02/18 22: 30:24 Date and time of creation by description indicating </ creation_date>, creator by description of <creator> Taro Tokyo </ creator>, general description such as description by description of <description> sample document security policy. </ Description> Bibliographic information is described.

  Then, the DSP 2000 identification information ends with </ about_this_policy>.

  Next, following the identification information of the DSP 200, the contents of the policy are described in a range surrounded by <policy> and </ policy>. FIG. 24 is a diagram illustrating a description example for explaining the structure of the DSP.

  The policy content 220 shown in FIG. 24 is recorded using a hierarchical structure as described below.

  The policy <policy> is composed of a plurality of access control rules <acc_rule> (description 221). One access control rule <acc_rule> (description 221) uniquely specifies the category <doc_category> and level <doc_security_level> of the target document (description 222), and further sets an access control list <acl> (description 223). It is configured to include one.

  The access control list <acl> (description 223) is composed of a plurality of access control elements <ace> (description 224).

  Each access control element <ace> (description 224) uniquely specifies a target user category <user_category> (description 225) and level <user_security_level> (description 226), and further includes a plurality of operations <operation> (description). 227).

  Each <operation> (description 227) includes one operation name <name> (description 228), one prohibited <denied /> (description 229), or one permission <allowed /> (description 232), or a plurality of <Requirement> (description 230 and description 231).

  In the description 222, “ANY” described in the document category <doc_category> and the user category <user_category_level> indicates that it applies to any category and level. Further, “DOC-CATEGORY” of the user category <user_category> indicated by the description 225 indicates that the user category is applied when it is the same as the document category.

  In this embodiment, <denied /> (description 229) is designated for the operation to be prohibited, but it is indicated that access is not permitted unless it is described in the DSP2000. May be.

  Thus, by describing the DSP, it is possible to describe what kind of user type (category, level) can be operated on the document according to the document type (category, level). . Still further, for the document, the user can clearly describe what requirements must be met if the operation is possible.

  Then, by describing the DSP in platform-independent XML as described above, this DSP can be used in common between different types of systems. In particular, the target to which the security policy is to be applied is not limited to an electronic document but must be applicable to a paper document. Therefore, the document label file in FIGS. 3 to 13 and the DSP 2000 in FIGS. As described, operations related to paper documents (hardcopy, scan, etc.) can also be specified.

  Among the requirements shown in FIG. 24 of the present embodiment, there is a description 231 indicating the following <requirement> explicit_authorization </ requirement>. This is a requirement that “if an explicit permission is obtained from the person in charge of managing the document, the operation is permitted”. All, when the operation is controlled according to this DSP, there is a possibility that the degree of freedom is lost. However, by making it possible to specify this explicit permission requirement, flexible operation control is possible.

  In addition, as a feature of this embodiment, by making it possible to specify the requirement of “explicit permission”, an operation that can be executed if explicit permission is obtained, and explicit permission are obtained. It can be distinguished from operations that must be prohibited.

  Therefore, an operation that is not described in the DSP or specified by <denied /> must be prohibited even if explicit permission is obtained. This makes it possible to accurately define the intention of the side describing the policy, and it is possible to prescribe to prevent a situation in which an operation is executed by giving permission by mistake. .

  Next, another description form of the DSP of the present invention will be described with reference to FIG. FIG. 25 is a diagram illustrating another description example of the DSP. The policy content 240 shown in FIG. 26 describes a nested structure such as <operation> <allowed /> </ operation> for each operation when there are many operations that are allowed unconditionally or operations that are prohibited. Since this is inefficient, a description 243 indicating <allowed_operations> enumerating operations allowed unconditionally and a description 241 indicating <denied_operations> enumerating operations not allowed may be used.

  A description 242 indicating <requirement> explicit_authorization </ requirement> is the same as the description in FIG.

  FIG. 26 shows various media for storing and distributing the DSP described above.

  As described above, the DSP 2000 shown in FIG. 26 is described in XML (Extensible Markup Language). And it can record as an electronic file. Further, for example, a hard disk 51, a magneto-optical disk 52, a flexible disk 53, a CD-ROM, a CD-R, a CD-RW, a DVD, a DVD-R, a DVD-RAM, a DVD in which the electronic file is stored. A storage medium such as the optical disk 54 such as −RW, DVD + RW, and DVD + R can be created. In addition, the electronic DSP 2000 can be transmitted via the network 56 using the computer 55.

  The DSP 2000 is not a description of a security policy for a specific system, but a description of a security policy that can be commonly used by a plurality of different systems. Therefore, by creating a storage medium storing this security policy description and distributing it or transmitting it via a network, it becomes easy to use it in a plurality of systems in common.

  FIG. 27 is a block diagram illustrating a hardware configuration of an image forming apparatus according to an embodiment of the present invention. In FIG. 27, an image forming apparatus 1000 is an apparatus controlled by a computer, and includes a CPU (Central Processing Unit) 11, a ROM (Read-Only Memory) 12, a RAM (Random Access Memory) 13, and a nonvolatile memory. RAM (non-volatile random access memory) 14, real-time clock 15, Ethernet (registered trademark) I / F (Ethernet (registered trademark) Interface) 21, USB (Universal Serial Bus) 22, IEEE (Institute of Electrical and Electronics Engineers) 1284 23, a hard disk I / F 24, an engine I / F 25, an RS-232C I / F 26, and a driver 27, which are connected to the system bus B.

  The CPU 11 controls the image forming apparatus 1000 according to a program stored in the ROM 12. In the RAM 13, for example, areas are allocated to resources connected to the interfaces 21 to 26. The nonvolatile RAM 14 stores information necessary for processing by the CPU 11 to control the image forming apparatus 1000. The real-time clock 15 measures the current time and is used by the CPU 11 to synchronize processing.

  An Ethernet (registered trademark) interface cable such as 10BASE-T or 100BASE-TX is connected to the Ethernet (registered trademark) I / F 21. A USB interface cable is connected to the USB 22. An IEEE1284 interface cable is connected to the IEEE1284 23.

  A hard disk 34 is connected to the hard disk I / F 24, and document data of a document to be printed or image data after print processing transmitted via the network is stored in the hard disk 34 via the hard disk I / F 24. . Connected to the engine I / F 25 are a plotter 35-1 for printing on a predetermined medium based on document data, a scanner 35-2 for capturing image data, and the like. An operation panel 36 is connected to the RS-232C I / F 26 to display information to the user and acquire input information or setting information from the user.

  A program that realizes processing performed by the image forming apparatus 1000 is provided to the image forming apparatus 1000 by a storage medium 37 such as a CD-ROM. That is, when the storage medium 37 storing the program is set in the driver 27, the driver 27 reads the program from the storage medium 37, and the read program is installed in the hard disk 34 via the system bus B. When the program is activated, the CPU 11 starts its processing according to the program installed on the hard disk 34. The storage medium 37 for storing the program is not limited to a CD-ROM, and any storage medium that can be read by a computer may be used. The program may be downloaded via a network and installed on the hard disk 34.

  The image forming apparatus that operates in accordance with the security policy will be described in detail below with reference to FIGS. 28, 29, and 30. FIG.

  FIG. 28 is a diagram illustrating a functional configuration of an image forming apparatus as a reading apparatus that operates according to a security policy.

  28 mainly includes a reading unit 71, a reading condition acquisition unit 72, a data transmission destination acquisition unit 73, a data processing unit 74, a data transmission unit 75, a policy, and the like. An execution unit 1001, read image data 61, and accumulated data 62 are included.

  The policy execution unit 1001 includes a document attribute acquisition unit 1011, an operation requirement selection unit 1012, an operation control unit 1013, and a user attribute acquisition unit 1021. The document attribute acquisition unit 1011 acquires the document attribute from the paper document 60 or the read image data 61 and notifies the operation requirement selection unit 1021 of the document attribute.

  On the other hand, when the user attribute acquisition unit 1021 acquires user information input by the user, the user attribute acquisition unit 1021 notifies the operation requirement selection unit 1012. The operation requirement selection unit 1012 selects a requirement for permission according to the DSP 2000 and notifies the operation control unit 1013 of the result. The operation control unit 1013 instructs data processing on the image data of the read paper original 60.

  In the policy execution unit 1001, a portion indicated by a dotted line may be omitted.

  The reading unit 71 is a processing unit that reads (scans) the paper document 60 in accordance with the reading condition input by the user notified from the reading condition acquisition unit 72, and the read image data is stored in the read image data 61. The Also, the document attribute acquisition unit 1011 is notified of the document attribute acquired from the image data 61.

  The reading condition acquisition unit 72 acquires the reading condition input by the user and notifies the reading unit 71 and the data processing unit 74 of the reading condition.

  The data transmission destination acquisition unit 73 is a processing unit that acquires the data transmission destination input by the user and notifies the data transmission unit 75 of the data transmission destination.

  The data processing unit 74 performs data processing on the read image data according to the reading conditions input by the user notified from the reading condition acquisition unit 72 so as to satisfy the requirements provided by the operation control unit 1013, and the data processing is performed. The stored image data is stored in the storage data 62.

  The data transmission unit 75 transmits the image data to be processed extracted from the accumulated data 62 to the transmission destination notified from the data transmission destination acquisition unit 73 so as to satisfy the requirement notified from the operation control unit 1013.

  When there is no need to transmit image data to the outside, the data transmission unit 28 may be omitted. Further, the image data may be stored in the storage medium 37.

  In FIG. 28, the image forming apparatus 1000 as a reading apparatus is described as being configured by dedicated hardware, but may be configured by a general-purpose computer and a program executed on the computer.

  A program for executing the embodiment of the present invention described below on a computer is recorded on a computer-readable storage medium, and is read by the computer before the execution. Such a program can also be distributed via a computer network.

  FIG. 29 is a diagram illustrating an example of a simplified DSP. For convenience of explanation, the DSP 2000 will be described using a simplified DSP. In the DSP 2100 shown in FIG. 29, rules 1 to 3 are shown as follows.

  The rule 1 includes a portion from <acc_rule> on the fourth line of FIG. 29 to <user_security_level> ANY </ user_security_level> on the tenth line, and from the eleventh line <operation> to the fourteenth line <// It is described by the part up to operation>.

  <Doc_category> ANY </ doc_category> on the fifth line indicates that rule 1 is applied regardless of the document category.

  <Doc_security_level> basic </ doc_security_level> on the sixth line indicates that the security level of the document is basic.

  <User_category> ANY </ user_category> on the ninth line indicates that the user category is not involved.

  <User_security_level> ANY </ user_security_level> on the 10th line indicates that the user's security level is not concerned.

  Further, <name> scan </ name> and <allowed /> in the 12th and 13th lines indicate that reading is permitted without requirement.

  Therefore, in rule 1, the security level of the document is “basic” regardless of the document category according to the fifth, sixth, ninth, tenth, tenth, twelfth and thirteenth lines. In the case of "", reading is allowed without requirement regardless of the category of the user and regardless of the security level of the user.

  Next, rule 2 includes the part from <acc_rule> on the fourth line in FIG. 29 to <user_security_level> ANY </ user_security_level> on the tenth line, and from the fifteenth line <operation> to the 20th line. It is described by the part up to the eye </ operation>.

  <Doc_category> ANY </ doc_category> on the fifth line indicates that rule 2 is applied regardless of the document category.

  <Doc_security_level> basic </ doc_security_level> on the sixth line indicates that the security level of the document is basic.

  <User_category> ANY </ user_category> on the ninth line indicates that the user category is not involved.

  <User_security_level> ANY </ user_security_level> on the 10th line indicates that the user's security level is not concerned.

Furthermore, <name> net_delivery </ name> from the 16th line to the 19th line
<Requirement> audit <// requirement>
<Requirement> print_restriction </ requirement>
<Requirement> trusted_channel </ requirement>
Indicates that network delivery is permitted when meeting the requirements of “logging”, “printing restrictions”, and “using a trusted channel”.

  Therefore, in rule 2, the security level of the document is “basic” regardless of the document category, according to the fifth, sixth, ninth, tenth, and sixteenth to nineteenth lines. In this case, regardless of the user's category and regardless of the user's security level, network delivery will require the requirements of logging, printing restrictions, and using a reliable channel. Indicates that it is allowed when meeting.

  The rule 3 includes the part from <acc_rule> on the 24th line to the <user_security_level> ANY </ user_security_level> on the 30th line and the 35th line from the <operation> on the 31st line. It is described by the part up to </ operation>.

  <Doc_category> ANY </ doc_category> on the 25th line indicates that the document category is not involved.

<Doc_security_level> high </ doc_security_level> on the 26th line is
Indicates the case where the security level of the document is high.

  <User_category> DOC-CATEGORY </ user_category> on the 29th line indicates that the user category is the same as the document category.

  <User_security_level> ANY </ user_security_level> on the 30th line indicates that it does not relate to the user security level.

From the 32nd line to the 34th line,
<Name> scan </ name>
<Requirement> audit <// requirement>
<Requirement> embed_trace_info </ requirement>
Is permitted when it meets the requirements of “logging” and “embedding traceable information”.

  Therefore, in the rule 3, the security level of the document is “high” regardless of the document category according to the 25th line, the 26th line, the 29th line, the 30th line, the 31st line to the 34th line. "If the user's category is the same as the document's category and the reading meets the requirements of logging and embedding traceable information regardless of the user's security level Indicates that it is allowed.

  Here, “embedding traceable information” may include, for example, embedding an electronic watermark, embedding a displayable label, or adding document attribute information. The displayable label may include authentication data of the user who instructed reading and a time stamp at the time of instructing reading. Further, in “recording the log”, the authentication data of the user who instructed reading, the document data to be read, and the time stamp at the time of instructing reading may be recorded in the log. In addition, in “recording log”, the authentication data of the user who instructed network distribution, the information of the network distribution destination, the document data to be read, and the time stamp at the time of instructing reading are recorded in the log. It may be.

  A detailed operation will be described with reference to FIG.

  Based on the DSP 2100 shown in FIG. 29 described above, for example, when a document whose security level is “basic” is to be read, there is no requirement to be extracted.

  Further, based on the security policy shown in FIG. 29 described above, for example, when a document whose security level is “high” is to be read, as described above, “to record a log” and “trackable” “Embedding information” is a requirement for reading. The contents of “recording log” and “embedding traceable information” are the same as described above.

  Next, when there is no requirement to be extracted as in the case where the security level is “basic”, the operation control unit 1013 instructs the data processing unit 71 to read the document, and the user Acquires the document data and ends.

  On the other hand, when there is a requirement to be extracted as in the case where the security level is “high”, the operation requirement selection unit 1012 determines whether all the requirements can be satisfied, and the determination result is determined. The operation control unit 1013 is notified.

  When the determination result by the operation requirement selection unit 1012 indicates that all requirements cannot be satisfied, the operation control unit 1013 instructs the data processing unit 74 to prohibit data processing, and the data processing unit 74. Cancels the read data and ends. The user is notified that data processing cannot be performed.

  On the other hand, if the determination result by the operation requirement selection unit 1012 indicates that all requirements can be satisfied, the operation control unit 1013 data processing unit 74 is instructed to perform data processing so as to satisfy the requirement. . The user obtains the document data and ends.

  In this case, the following processing is executed.

  The user attribute acquisition unit 1021 issues a user ID input request to the user who has issued a reading instruction from the operation panel 36. The user inputs a user ID from the operation panel 36. The user attribute acquisition unit 1021 acquires the category and security level corresponding to the input user ID registered in the database 102 from the user ID, and notifies the operation requirement selection unit 1021 of the category.

  When recording a log, information that can be traced is embedded in the read document data (for example, embedding of an electronic watermark, embedding of a displayable label, addition of document attribute information, etc.). The displayable label may include the authentication data of the user who instructed reading and the time stamp at the time of instructing reading.

  Finally, the user acquires the image data of the paper document 60 in the accumulated data 62 and ends.

  As described above, the paper document (document) 60 can be read in accordance with the security policy shown in FIG.

  Next, a case where the image forming apparatus 1000 reads the paper original 60 and distributes the read document to the network will be described.

  First, the user sets a paper document 60 in the image forming apparatus 1000, and issues an input of reading conditions, designation of a distribution destination of read data, and a reading instruction of the paper document 60 from the operation panel 36.

  A reading unit 71 reads a paper document. The document attribute acquisition unit 1011 extracts a document ID from image information such as a barcode and digital watermark of image data of the read paper original 60, acquires a category and a security level, and notifies the operation requirement selection unit 1012 of the document ID.

  The operation requirement selection unit 1012 searches the corresponding entry in the DSP 2100 according to the document attribute notified by the document attribute acquisition unit 1011 and extracts the requirement.

  Based on the DSP 2100 shown in FIG. 29 described above, for example, when a document whose security level is “basic” is read and distributed to the network, there is no requirement for reading. However, as described above, when distributing to a network, “recording a log”, “applying a print restriction”, and “using a reliable channel” are requirements.

  In addition, based on the DSP 2100 shown in FIG. 29 described above, for example, when a document having a security level of “high” is to be read, “log recording” and “trackable information” are required as reading requirements. (For example, embedding an electronic watermark, embedding a displayable label, and adding document attribute information as described above) is a requirement. However, since there is no rule that permits distribution to the network, it is not permitted.

  For example, when the requirement for distributing the document to the network does not exist in the DSP 2100, the operation control unit 1013 instructs the data transmission unit 75 to distribute the document, distributes the document to the network, and performs processing. Exit.

  On the other hand, for example, when the requirements for distributing the document to the network exist in the DSP 2100, the operation requirement selection unit 1012 determines whether all the requirements can be satisfied.

  When there is no rule that permits distribution to the network, the operation control unit 1013 notifies the user that “there is no rule that permits distribution to the network” and the image data of the paper document 60 Is discarded. For example, the security level is “high”.

  When the operation requirement selection unit 1012 determines that all the requirements cannot be satisfied, the operation control unit 1013 notifies the user and discards the image data of the paper document 60 to the data processing unit 74. To finish.

  For example, when all the requirements can be satisfied as in the case where the security level described above is “basic”, the operation control unit 1013 instructs the data processing unit 74 to perform reading that satisfies the requirements, and The data transmission unit 75 is instructed to distribute the document to the network, and the process ends.

  Then, the user attribute acquisition unit 1012 issues a user ID input request to the user who has issued a reading instruction from the operation panel 36.

  When the user inputs a user ID from the operation panel 36, the user attribute acquisition unit 1021 acquires the category and security level corresponding to the user ID, and notifies the operation requirement selection unit 1012 of them. The operation control unit 1013 records a log according to the requirements notified from the operation requirement selection unit 1012.

  Further, the operation control unit 1013 converts the read image data of the paper document 60 into data that cannot be printed (for example, a PDF having an ADOBE (registered trademark) printing prohibition attribute). Instruct to do so.

  Finally, the operation control unit 1013 issues a distribution instruction to the data transmission unit 75, and the data transmission unit 75 distributes the document to the network through a reliable communication path (for example, IPsec, VPN, etc.), and ends.

  As described above, using the DSP 2100 shown in FIG. 29, the image forming apparatus 1000 as the document reading apparatus shown in FIG. 28 can read the document and distribute the read document to the network.

  A functional configuration of an image forming apparatus as a copying apparatus that realizes an operation in accordance with a security policy will be described with reference to FIG. FIG. 30 is a diagram illustrating a functional configuration of an image forming apparatus as a copying apparatus that operates according to a security policy. In FIG. 30, the same processing units as those in FIG. 28 are denoted by the same reference numerals, and detailed description thereof is omitted.

  30, an image forming apparatus 1000-2 as a copying apparatus includes a copying condition acquisition unit 81 instead of the reading condition acquisition unit 72 and the data transmission destination acquisition unit 73 of the image forming apparatus 1000 illustrated in FIG. The image forming apparatus 1000 is different from the image forming apparatus 1000 shown in FIG. 28 in that a printing unit 82 is provided instead of the data transmission unit 75 of the image forming apparatus 1000 shown in FIG.

  However, the image forming apparatus 1000 may further include a copy condition acquisition unit 81 and a printing unit 82 of the image forming apparatus 1000-2. A portion 1002 indicated by a dotted line may be omitted.

  The copy condition acquisition unit 81 acquires a copy condition input by the user to the operation panel 36 and notifies the reading unit 71 and the data processing unit 74 of the copy condition and also notifies the printing unit 82.

  In response to an instruction from the operation control unit 1013, the printing unit 82 acquires the image data of the paper document 60 from the accumulated data 62 and notifies the copy condition acquisition unit 81 to satisfy the requirements notified from the operation control unit 1013. Then, a printing process is performed according to the copying conditions, and a copy original 60b having image data formed on a sheet is output.

  Hereinafter, a method for setting a policy for the image forming apparatus 1000 or 1000-2 from the outside will be described. For example, the DSP 2000 described in FIGS. 14 to 22 is distributed as a policy. When the DSP 2000 is distributed from an external server to the image forming apparatus 1000 or 1000-2 as a policy, it is performed by communication according to SOAP (Simple Object Access Protocol).

  The image forming apparatus 1000 or 1000-2 shown in FIGS. 31 to 44 is not limited to an image forming apparatus as a reading apparatus or a copying apparatus, and has a reading function and a copying function, or more (for example, It may be an image forming apparatus that enables a plurality of different image forming processes (scanner, copy, FAX, printer, etc.).

  First, a first policy setting method in which the image forming apparatus 1000 or 1000-2 receives a policy unilaterally sent will be described with reference to FIG.

  FIG. 31 is a diagram illustrating a first policy setting method in which a policy is distributed from an external server. In FIG. 31, an administrator console 4001 used by an administrator who wants to set a policy, a policy distribution server 4000 that distributes a policy as an external server, and an image forming apparatus 1000 or 1000-2 are connected via a network 5. Is done. The policy distribution server 4000 is a server computer and has a SOAP client function 4021, and the image forming apparatus 1000 has a SOAP server function 4022. In FIG. 31, the image forming apparatus 1000 or 1000-2 will be described as the image forming apparatus 1000.

  In the first policy setting method shown in FIG. 31, the administrator transmits the DSP 2000 as a policy from the administrator console 4001 to the policy distribution server 4000 (step S11). Then, the policy distribution server 4000 uses the SOAP client function 4021 to distribute the DSP 2000 as a policy (step S12), and the image forming apparatus 1000 receives the DSP 2000 as a policy using the SOAP server function 4022, and returns a reception result.

  Then, the image forming apparatus 1000 selects an operation requirement according to the distributed DSP 2000, and operates to satisfy the operation requirement (step S13).

  In such a configuration, the image forming apparatus 1000 checks whether or not the policy distribution server 4000 that transmits the policy is reliable, thereby preventing reception of a wrong policy, setting of a malicious policy, and the like. You can also. That is, when the policy distribution server 4000 distributes a policy, the following operation is executed.

  In step S12, the policy distribution server 4000 transmits the DSP 2000 to the image forming apparatus 1000 as its own authentication information and policy.

  Next, the image forming apparatus 1000 verifies the transmitted authentication information of the policy distribution server 4000 (step S12-2).

  When it is confirmed that the authentication information of the policy distribution service 4000 is correct, the image forming apparatus 1000 regards the DSP 2000 transmitted as a policy as an official one, and selects an operation requirement according to the distributed DSP 2000. The operation is performed so as to satisfy the operation requirement (step S13).

  By performing such authentication of the policy distribution server 4000, the image forming apparatus 1000 can prevent receiving a wrong policy or setting a malicious policy.

  Next, a second policy setting method in which the image forming apparatus 1000 or 1000-2 receives a policy distribution notification from the policy distribution server 4000 and acquires a policy will be described with reference to FIG.

  FIG. 32 is a diagram illustrating a second policy setting method for acquiring a policy from an external server. In FIG. 32, as in FIG. 31, the administrator console 4001, the policy distribution server 4000, and the image forming apparatus 1000 or 1000-2 are connected via the network 5. The policy distribution server 4000 has a SOAP client function 4021 and a SOAP server function 2024, and the image forming apparatus 1000 or 1000-2 has a SOAP server function 4022 and a SOAP client function 4023. In FIG. 32, the image forming apparatus 1000 or 1000-2 will be described as the image forming apparatus 1000.

  In the second policy setting method shown in FIG. 32, the administrator transmits DSP 2000 as a policy from the administrator console 4001 to the policy distribution server 4000 (step S21). Then, the policy distribution server 4000 uses the SOAP client function 4020 to notify that the DSP 2000 has been distributed as a policy (step S22), and the image forming apparatus 1000 receives the distribution notification using the SOAP server function 4022. Return the reception result.

  Thereafter, when the image forming apparatus 1000 transmits a policy acquisition request using the SOAP client function 4023, the policy distribution server 4000 receives the policy acquisition request using the SOAP server function 2024, and the policy (management) is received as a reception result. DSP2000 received from the operator console 4001 is transmitted (step S23).

  Then, the image forming apparatus 1000 selects an operation requirement according to the distributed DSP 2000, and operates to satisfy the operation requirement (step S24).

  In step S22, the policy distribution server 4000 may notify the policy distribution by transmitting identification information for identifying the DSP 2000 to the image forming apparatus 1000. In this case, in step S23, the image forming apparatus 1000 may make a policy acquisition request by transmitting the identification information received from the policy distribution server 4000.

  Furthermore, in such a case, information leakage (here, policy) can be prevented by confirming whether or not the image forming apparatus 1000 that receives the policy is reliable. That is, when the image forming apparatus acquires a policy from the policy distribution server 4000, the following operation is executed.

  First, in step S23, the image forming apparatus 1000 adds its own authentication information to the policy acquisition request and transmits it to the policy distribution server 4000.

  Next, the policy distribution server 4000 verifies the authentication information received from the image forming apparatus 1000 (step S23-2). When the policy distribution server 4000 confirms that the authentication information of the image forming apparatus 1000 is correct, the policy distribution server 4000 transmits the DSP 2000 as a policy to the image forming apparatus 1000 (step S23-4).

  By performing such authentication of the image forming apparatus 1000, the policy distribution server 4000 can prevent information leakage (policy in this case).

  The second policy setting method is such that when the image forming apparatus 1000 receives a relatively large capacity policy one after another, the image forming apparatus 1000 acquires a policy when necessary when the storage area becomes insufficient. It is effective in that it can be done.

  In this second policy setting method, the image forming apparatus 1000 may promptly make a policy acquisition request upon receiving the distribution notification, or store the fact that the distribution notification has been received inside the apparatus, A policy acquisition request may be made at the timing.

  A modification of the policy setting method for making a policy acquisition request at a predetermined timing will be described with reference to FIGS. 33, 34, and 35.

  FIG. 33 is a diagram showing a third policy setting method for obtaining a policy when the power is turned on. In FIG. 33, the image forming apparatus 1000 or 1000-2 will be described as the image forming apparatus 1000. The third policy setting method shown in FIG. 33 is a policy setting method when the image forming apparatus 1000 does not have a security policy yet, such as when the image forming apparatus 1000 is first connected to the network 5.

  In FIG. 33, when the image forming apparatus 1000 is powered on (step S31), a policy acquisition request is sent to the policy distribution server 4000 via the network 5 using the SOAP client function 4023 (step S32). ). The policy distribution server 4000 receives a policy acquisition request using the SOAP server function, and transmits a policy (DSP 2000 received from the administrator console 4001) as a reception result.

  When the image forming apparatus 1000 receives the policy from the policy distribution server 4000, the image forming apparatus 1000 operates to satisfy the operation requirements (step S33).

  FIG. 34 is a diagram showing a fourth policy setting method for obtaining a policy when the power is turned on. In FIG. 34, parts similar to those in FIG. 33 are denoted by the same reference numerals, and the description thereof is omitted. The image forming apparatus 1000 or 1000-2 will be described as the image forming apparatus 1000. In FIG. 34, the policy distribution server 4000 further includes an identification information comparison unit 4029.

  When the image forming apparatus 1000 is powered on (step S41), a policy acquisition request is sent to the policy distribution server 4000 using the SOAP client function 4023 via the network 5, and at the same time, the current DSP 2000 Identification information (for example, “RDSP2023” indicated by the description 211 in FIG. 23) is transmitted simultaneously (step S42).

  When the policy distribution server 4000 receives a policy acquisition request using the SOAP server function, the identification information comparison unit 4029 compares the received identification information (for example, “RDSP2023”) with the identification information of the policy to be distributed. (Step S43). If they are the same, only the reception result indicating the same identification information is transmitted. If they are not the same, the policy distribution server 4000 transmits a policy (DSP 2000 received from the administrator console 4001) as a reception result to the image forming apparatus 1000 (step S44).

  When receiving the policy from the policy distribution server 4000, the image forming apparatus 1000 rewrites the policy held in the received policy, selects the operation requirement according to the policy, and operates to satisfy the operation requirement (step S45). .

  In this second modified example, when the identification information is the same, no policy is distributed, so that useless traffic can be reduced.

  FIG. 35 is a diagram showing a fifth policy setting method for obtaining a policy when the power is turned on. In FIG. 35, the same components as those in FIG. 33 are denoted by the same reference numerals, and description thereof is omitted. The image forming apparatus 1000 or 1000-2 will be described as the image forming apparatus 1000.

  When the image forming apparatus 1000 is powered on (step S51), a policy distribution request is sent to the policy distribution server 4000 via the network 5 using the SOAP client function 4023 (step S52). When the policy distribution server 4000 receives the policy distribution request by the SOAP server function 4024, the policy distribution server 4000 transmits the reception result to the image forming apparatus 1000.

  Thereafter, the policy distribution server 4000 transmits the policy by the SOAP client function 4021, the image forming apparatus 1000 receives the policy, and returns the reception result to the policy distribution server 4000 (step S53).

  When receiving the policy from the policy distribution server 4000, the image forming apparatus 1000 selects an operation requirement according to the policy, and operates to satisfy the operation requirement (step S54).

  In the fifth policy setting method, the policy distribution server 4000 may distribute the policy immediately after receiving the policy acquisition request from the image forming apparatus 1000, or it is determined that the policy distribution server 4000 has received the policy acquisition request. The policy may be distributed at a predetermined timing.

  In the fifth policy setting method, the policy distribution server 4000 may include the identification information comparison unit 4029 as in the fourth policy setting method shown in FIG. With such a configuration, useless traffic can be reduced.

  A functional configuration for realizing the first and fifth policy setting methods described with reference to FIGS. 31 to 36 will be described with reference to FIG. FIG. 36 is a diagram illustrating an example of a functional configuration for realizing the first to fifth policy setting methods. In the description of FIG. 36, the image forming apparatus 1000 and the image forming apparatus 1000-2 will be described using the image forming apparatus 1000 because they have the same operation requirement selection unit 1012. A dotted line portion 1002 indicates that it can be omitted.

  36, the operation requirement selection unit 1012 of the image forming apparatus 1000 includes a policy interpretation unit 4101, a selection requirement verification unit 4102, a communication unit 4103, a policy rewriting unit 4104, a DSP 2000a, and a system attribute 91a.

  The policy interpretation unit 4101 interprets the policy for the document attribute acquired by the document attribute acquisition unit 1011 and the user attribute acquired by the user attribute acquisition unit 1021 based on the DSP 2000a. Then, the policy interpretation unit 4101 notifies the selection requirement verification unit 4102 of the operation requirements as the interpretation result. That is, the operation requirement that must be satisfied when the operation specified by the user is executed is notified.

  The selection requirement verification unit 4102 determines whether or not the operation requirement notified from the policy interpretation unit 4101 can be satisfied by referring to the system attribute 91a. The selection requirement verification unit 4102 notifies the operation control unit 1013 of the determination result.

  The communication unit 4103 is a processing unit that controls communication with the policy distribution server 4000 in accordance with SOAP, and includes at least one of the SOAP server function 4022 and the SOAP client function 4023 shown in FIGS. Upon receiving DSP 2000b as a policy from the policy distribution server 4000, the communication unit 4103 notifies the policy rewriting unit 4104. As shown in FIG. 32, when making a policy acquisition request to the policy distribution server 4000, authentication information for authenticating the image forming apparatus 1000 is simultaneously transmitted.

  The policy rewriting unit 4104 rewrites the DSP 2000a with the received DSP 2000b. Further, as shown in FIG. 31, when the authentication information is distributed simultaneously with the DSP 2000b, the policy rewriting unit 4104 authenticates the policy distribution server 4000 based on the authentication information, and the policy distribution server 4000 is authenticated. Only rewrite DSP2000a with the received DSP2000b.

  The policy distribution server 4000 includes a communication unit 4123, a policy management unit 4124, and a DSP 2000b.

  The communication unit 4123 is a processing unit that controls communication with the image forming apparatus 1000 according to SOAP, and includes at least one of the SOAP server function 4021 and the SOAP client function 4024 illustrated in FIGS. 31 to 35. The communication unit 4123 distributes the DSP 2000b.

  The policy management unit 4124 manages the DSP 2000b to be distributed. As shown in FIG. 31, the policy management unit 4124 causes the communication unit 4123 to simultaneously transmit authentication information for authenticating the policy distribution server 4000 when distributing the DSP 2000b. The policy management unit 4124 authenticates the image forming apparatus 1000 based on the authentication information when authentication information of the image forming apparatus 1000 is simultaneously transmitted in the policy acquisition request. Transmitted by the communication unit 4123.

  Next, a fifth policy setting method for acquiring a policy by a timer will be described with reference to FIG.

  FIG. 37 is a diagram showing a sixth policy setting method for acquiring a policy by a timer. In FIG. 37, parts similar to those in FIG. The image forming apparatus 1000 or 1000-2 will be described as the image forming apparatus 1000.

  In FIG. 37, when the processing time by the timer management elapses (step S51), the image forming apparatus 1000 transmits a policy acquisition request to the policy distribution server 4000 using the SOAP client function 4023, and the policy distribution server 4000 sends a SOAP acquisition request. The server function 4021 transmits a policy (DSP 2000 received from the management console 4001) as a reception result (step S52).

  In the third policy setting method, the policy distribution server 4000 has a SOAP client function 4021 and a SOAP server function 4024, and the image forming apparatus 1000 has a SOAP server function 22 and a SOAP client function 4023. Thus, the policy may be distributed after the image forming apparatus 1000 makes a policy acquisition request.

  A functional configuration for realizing the third policy setting method shown in FIG. 37 will be described with reference to FIG. FIG. 38 is a diagram illustrating an example of a functional configuration for realizing the sixth policy setting method. In FIG. 38, processing parts similar to those in FIG. 36 are denoted by the same reference numerals, and description thereof is omitted. In addition, since the image forming apparatus 1000 and the image forming apparatus 1000-2 have the same operation requirement selection unit 1012-2, the image forming apparatus 1000 will be described. A dotted line portion 1002 indicates that it can be omitted.

  A difference from the operation requirement selection unit 1012 illustrated in FIG. 36 is that the operation requirement selection unit 1012-2 further includes a timer unit 4105.

  When the predetermined time has elapsed, the timer unit 4105 notifies the communication unit 4103 that the predetermined time has elapsed. In response to this notification, the communication unit 4103 acquires the DSP 2000b from the policy distribution server 4000 according to SOAP, and the policy rewriting unit 4104 rewrites the DSP 2000a with the DSP 2000b.

  Next, a method for setting a policy offline will be described with reference to FIG. FIG. 39 is a diagram showing a seventh policy setting method for setting a policy offline. In FIG. 39, the same parts as those in FIG. The image forming apparatus 1000 or 1000-2 will be described as the image forming apparatus 1000.

  In FIG. 39, for example, the DSP 2000 is stored in the storage medium 50 of the hard disk 51, magneto-optical disk 52, flexible disk 53, or optical disk 54 as shown in FIG. 26, and the storage medium 50 is set in the image forming apparatus 1000. By storing the DSP 2000 in a predetermined storage area of the image forming apparatus 1000, a policy is set offline (step S71).

  Thereafter, the image forming apparatus 1000 operates in accordance with the DSP 2000 stored as a policy in a predetermined storage area (step S72).

  A functional configuration for realizing the fourth policy setting method shown in FIG. 39 will be described. FIG. 40 is a diagram illustrating an example of a functional configuration for realizing the seventh policy setting method. In FIG. 40, processing units similar to those in FIG. 36 are denoted by the same reference numerals, and description thereof is omitted. In the description of FIG. 40, the image forming apparatus 1000 and the image forming apparatus 1000-2 will be described using the image forming apparatus 1000 because they have the same operation requirement selection unit 1012-3. A dotted line portion 1002 indicates that it can be omitted.

  The operation requirement selection unit 1012-3 includes an interface 4106 for reading the DSP 2000 stored in the storage medium 50 from the storage medium 50, but does not include the communication unit 4103.

  The policy rewriting unit 4104 rewrites the DSP 2000 read by the interface 4106 with the DSP 2000a currently held by the operation requirement selection unit 101203. In this way, the policy is set when offline. Further, for example, when setting a policy offline using the storage medium 50 in which the DSP 2000 is stored, the reliability of the policy can be improved by adding a falsification detection code or the like.

  Next, a method for setting a policy offline and selecting it online will be described with reference to FIG. FIG. 41 shows an eighth policy setting method for setting a policy offline and selecting it online. In FIG. 41, the same parts as those in FIG. The image forming apparatus 1000 or 1000-2 will be described as the image forming apparatus 1000.

  In FIG. 41, for example, DSP 2000 is set as a policy from the administrator console 4001 to the policy distribution server 4000 via the network 5 (step S81).

  Further, the storage medium 50 (the hard disk 51, the magneto-optical disk 52, the flexible disk 53, or the optical disk 54 as shown in FIG. 26) in which the DSP 2000 is stored offline is set in the security policy database of the image forming apparatus 1000. (Step S82).

  Thereafter, selection of a policy is designated from the management console 4001 to the policy distribution server 4000 via the network 5 (step S83). Here, selection of a policy means that one of the policies is selected according to the policy identification information.

  In response to the policy selection from the management console 4001, the policy distribution server 4000 notifies the image forming apparatus 1000 of the policy selection using the SOAP client function 4021 (step S84). The image forming apparatus 1000 receives a policy selection notification using the SOAP server function 4022 and returns a reception result to the policy distribution server 4000. That is, the identification information of the policy to be executed is notified to the image forming apparatus 1000.

  The image forming apparatus 1000 selects a policy specified by the identification information according to the policy selection, and operates according to the selected policy (step S85).

  A functional configuration for realizing the fifth policy setting method will be described with reference to FIG. FIG. 42 is a diagram illustrating an example of a functional configuration for realizing the eighth policy setting method. In FIG. 42, the same processing units as those in FIGS. 36 and 40 are denoted by the same reference numerals, and the description thereof is omitted. 42, since the image forming apparatus 1000 and the image forming apparatus 1000-2 have the same operation requirement selection unit 1012-4, the image forming apparatus 1000 will be described. A dotted line portion 1002 indicates that it can be omitted.

  The operation requirement selection unit 1012-4 includes a communication unit 4103 and an interface 4106 corresponding to the storage medium 50 for reading the DSP 2000 stored in the storage medium 50 from the storage medium 50.

  The communication unit 4103 notifies the policy rewriting unit 4012-2 of the policy selection received from the policy distribution server 4000-2 according to SOAP.

  For example, the policy rewriting unit 4012-2 reads the DSP 2000 stored in the storage medium 50 by the interface 4106 by offline policy setting, and stores it in the document security policy DB 92. The policy rewriting unit 4012-2 replaces the policy to be executed based on the policy selection notified from the communication unit 4103. In other words, if the previous policy to be executed is DSP 2000a and DSP 2000 is specified by the identification information, DSP 2000a is rewritten by DSP 2000 as the policy to be executed.

  Further, since the policy distribution server 4000-2 has an interface 4126 for writing the DSP 2000b to the storage medium 50, the policy management unit 4124 sets the policy distribution server 4000-2 in order to set the policy offline. You may make it write in the storage medium 50 as a policy (DSP2000) which distributes DSP2000b. The storage medium 50 in this case is a hard disk 51, a magneto-optical disk 52, a flexible disk 53, or an optical disk 54 as shown in FIG.

  In policy distribution server 4000-2, communication unit 4123 transmits a policy selection to image forming apparatus 1000 in accordance with SOAP.

  Next, a functional configuration for inquiring an external server to interpret a policy based on document attributes and user attributes will be described with reference to FIGS.

  FIG. 43 is a diagram illustrating an example of a functional configuration in which an external server interprets a policy. In FIG. 43, processing units similar to those in FIG. 36 are given the same reference numerals, and descriptions thereof are omitted. 43, since the image forming apparatus 1000 and the image forming apparatus 1000-2 have the same operation requirement selection unit 1012-3, the image forming apparatus 1000 will be described. A dotted line portion 1002 indicates that it can be omitted.

  On the image forming apparatus 1000 side, the operation requirement selection unit 1012-5 has only a communication unit 4103-2, a selection requirement item game 4102, and a system attribute 91a.

  The communication unit 4103-2 is a processing unit that controls communication according to the policy interpretation server 4200 and SOAP. The communication unit 4103-2 transmits the document attribute notified from the document attribute acquisition unit 1011 and the user attribute notified from the user attribute acquisition unit 1021 to the policy interpretation server 4200 according to SOAP. In addition, when the communication unit 4103-2 receives a rule corresponding to the document attribute and the user attribute from the policy interpretation server 4200, the communication unit 4103-2 notifies the selection requirement inspection unit 4102. The rules indicate the operational requirements that must be met if allowed for the operation.

  The selection requirement verification unit 4102 determines whether or not the operation requirement can be satisfied while referring to the system attribute 91a, and notifies the operation control unit 1013 of the determination result.

  The policy interpretation server 4200 as an external server is a server computer, and includes a communication unit 4213, a policy interpretation unit 4224, and a DSP 2000b.

  The communication unit 4213 is a processing unit that controls communication with the image forming apparatus 1000 according to SOAP, and notifies the policy interpretation unit 4224 of the document attribute and user attribute received from the image forming apparatus 1000, and the policy interpretation unit 4224. The rule corresponding to the document attribute and the user attribute notified from is transmitted to the image forming apparatus 1000. The rule includes an operation requirement when the operation is permitted.

  The policy interpretation unit 4224 acquires a rule including an operation requirement when the operation is permitted by referring to the DSP 2000b based on the document attribute and the user attribute acquired from the communication unit 4213. The rule is notified to the communication unit 4213.

  With such a functional configuration, even if the image forming apparatus 1000 does not hold the policy, the security policy can be executed for the operation of the image forming apparatus 1000.

  Next, a functional configuration in which the external server interprets the policy and further verifies the selection requirements will be described with reference to FIG.

  FIG. 44 is a diagram illustrating an example of a functional configuration in which an external server interprets a policy and verifies selection requirements. In FIG. 44, processing parts similar to those in FIG. 43, since the image forming apparatus 1000 and the image forming apparatus 1000-2 have the same operation requirement selection unit 1012-3, the image forming apparatus 1000 will be described. A dotted line portion 1002 indicates that it can be omitted.

  On the image forming apparatus 1000 side, the operation requirement selection unit 1012-6 includes only the communication unit 4103-3.

  The communication unit 4103-3 is a processing unit that controls communication according to the policy interpretation server 4200 and SOAP. The communication unit 4103-3 transmits the document attribute notified from the document attribute acquisition unit 1011 and the user attribute notified from the user attribute acquisition unit 1021 to the policy interpretation server 4200-2 according to SOAP. In addition, the communication unit 4103-2 receives permission or disapproval of the operation from the policy interpretation server 4200, and operation requirements if permitted, and notifies the operation control unit 1013 of it.

  The operation requirement selection server 4200-2 as an external server further includes a selection requirement inspection unit 4226 and a system attribute 91b in addition to the configuration shown in FIG.

  The policy interpretation unit 4224 refers to the DSP 2000b based on the document attribute and user attribute acquired from the communication unit 4213, acquires a rule including an operation requirement when the operation is permitted, and selects a selection requirement verification unit 4226 is notified.

  The selection requirement verification unit 4226 determines whether or not the image forming apparatus 1000 can satisfy the operation requirements by referring to the system attribute 91b, and transmits the determination result to the image forming apparatus 1000 by the communication unit 4213. . If the image forming apparatus 1000 determines that the operation requirement cannot be satisfied, the determination result indicates disapproval. On the other hand, when the image forming apparatus 1000 determines that the operation requirements are satisfied, the determination result indicates permission and specifies the operation requirements.

  Next, a system attribute 91a provided in the image forming apparatus 1000 referred to by the selection requirement verification unit 4102 of the image forming apparatus 1000 will be described with reference to FIG. FIG. 45 is a diagram illustrating an example of system attributes provided in the image forming apparatus.

  In FIG. 45, a system attribute 91a is a table for managing items of operating conditions that can be executed by user selection, and includes items such as operating conditions and support indicating whether support is possible. Operating conditions include log recording, image log recording, confidential label printing, operator label printing, identification barcode printing, identification pattern printing, and the like.

  Usually, the operation condition is provided in the image forming apparatus 1000 as a selectable function when operating. When such an operation condition is specified as a requirement when the operation is permitted by the policy, it becomes an operation requirement.

  FIG. 46 is a diagram illustrating an example of system attributes provided in the external server. In FIG. 46, the system attribute 91b associates supportability of a plurality of image forming apparatuses with identification information (apparatus 01, apparatus 02, apparatus 03, apparatus 04,...) Of the image forming apparatus for each operation condition. It is a table to manage. Operating conditions include log recording, image log recording, confidential label printing, operator label printing, identification barcode printing, identification pattern printing, and the like.

  Usually, the operating condition is a selectable function when operating. When such an operation condition is specified as a requirement when the operation is permitted by the policy, it becomes an operation requirement.

  Next, an example of SOAP for setting a policy performed by the image forming apparatus 1000 or 1000-2 and the policy distribution server 4000 will be described with reference to FIGS. 47 to 56, there is no difference between the image forming apparatus 1000 serving as a reading apparatus and the image forming apparatus 1000-2 serving as a copying apparatus.

  First, as shown in FIG. 31, SOAP when the policy distribution server 4000 performs policy distribution to the image forming apparatus 1000 using the SOAP client function 4021 will be described with reference to FIG. FIG. 47 is a diagram illustrating an example of XML data indicating policy distribution transmitted according to SOAP.

  In FIG. 47, XML data 800 is a description in XML according to SOAP for distributing a policy. In the XML data 800, information about a policy to be distributed and the policy itself are shown from a description 801 indicating <ns1: policyDistribution> to a description 802 indicating </ ns1: policyDistribution>.

  In the description 801, “policyDistribution” indicates that the XML data 800 distributes a policy.

  In a description 803 indicating <policyId xsi: type = "xsd: string"> RDSP2023 </ policyId>, identification information “RDSP2023” for identifying a policy is set. Then, the policy is described in the description 804 of </ policy> from <policy xsi: type = "xsd: string">. For example, the DSP 2000 (see FIGS. 14 to 22) identified by the identification information “RDSP2023” itself is described.

  The image forming apparatus 1000 that has received the XML data 800 indicating such policy distribution transmits a reception result as shown in FIG. 48 to the policy distribution server 4000 using the SOAP server function 4022. FIG. 48 is a diagram illustrating an example of XML data indicating a reception result for policy distribution transmitted in accordance with SOAP.

  In FIG. 48, XML data 810 is an XML description indicating a reception result for policy distribution. In the XML data 810, information about a reception result for policy distribution is shown from a description 811 indicating <ns1: policyDistributionResponse> to a description 812 indicating </ ns1: policyDistributionResponse>.

  In the description 812, “policyDistributionResponse” indicates that the XML data 810 is a response to policy distribution.

  A description 813 indicating <result xsi: type = "xsd: boolean"> true </ result> indicates whether or not the policy distribution has been normally received. In this case, “true” is indicated, which indicates that the data has been normally received.

  As shown in FIG. 32, SOAP when the policy distribution server 4000 sends a policy distribution notification to the image forming apparatus 1000 using the SOAP client function 4021 will be described with reference to FIG. FIG. 49 is a diagram illustrating an example of XML data indicating a policy distribution notification transmitted according to SOAP.

  In FIG. 49, XML data 820 is a description in XML according to SOAP for notifying policy distribution. In the XML data 820, information about policy distribution notification is shown from a description 821 indicating <ns1: policyDistributionReport> to a description 822 indicating </ ns1: policyDistributionReport>.

  In the description 821, “policyDistributionReport” indicates that the XML data 820 notifies policy distribution.

  In the description 823 indicating <policyId xsi: type = "xsd: string"> RDSP2023 </ policyId>, identification information “RDSP2023” for identifying a policy is set.

  Then, the image forming apparatus 1000 that has received the XML data 820 indicating such policy distribution notification transmits the reception result using the SOAP server function 4022, and then uses the SOAP client function 4023 to display the result as shown in FIG. Such a policy acquisition request is transmitted to the policy distribution server 4000. FIG. 50 is a diagram illustrating an example of XML data indicating a policy acquisition request transmitted according to SOAP.

  In FIG. 50, XML data 830 is an XML description according to SOAP for distributing a policy. In the XML data 830, information about a policy acquisition request is shown from a description 831 indicating <ns1: policyRequest> to a description 832 indicating </ ns1: policyRequest>.

  In the description 831, “policyRequest” indicates that the XML data 830 requests acquisition of a policy.

  The description 833 indicating <policyId xsi: type = "xsd: string"> RDSP2023 </ policyId> is identification information “RDSP2023 for identifying the policy notified by the XML data 820 indicating the policy distribution notification shown in FIG. "Is set.

  The XML data 830 indicating this policy acquisition request is transmitted to the policy distribution server 4000 after receiving the policy distribution notification or at the timing of processing.

  Upon receiving the XML data 830 indicating such a policy acquisition request, the policy distribution server 4000 transmits a reception result as illustrated in FIG. 51 to the image forming apparatus 1000 using the SOAP server function 4024. FIG. 51 is a diagram illustrating an example of XML data indicating a reception result for a policy acquisition request transmitted according to SOAP.

  In FIG. 51, XML data 840 is a description in XML indicating a reception result for a policy acquisition request. In the XML data 840, information about a policy to be distributed and the policy itself are shown from a description 841 indicating <ns1: policyDistribution> to a description 842 indicating </ ns1: policyDistribution>.

  In the description 841, “policyDistribution” indicates that the XML data 840 distributes a policy.

  In a description 843 indicating <policyId xsi: type = "xsd: string"> RDSP2023 </ policyId>, identification information “RDSP2023” for identifying a policy is set. Then, the policy is described in the description 844 of </ policy> from <policy xsi: type = "xsd: string">. For example, the DSP 2000 (see FIGS. 14 to 22) identified by the identification information “RDSP2023” itself is described.

  As shown in FIG. 52, SOAP when the image forming apparatus 1000 makes a policy distribution request to the policy distribution server 4000 using the SOAP client function 4023 will be described with reference to FIG. FIG. 52 is a diagram illustrating an example of XML data indicating a policy distribution request transmitted according to SOAP.

  In FIG. 52, XML data 850 is a description in XML according to SOAP for requesting policy distribution. In the XML data 850, information about a policy distribution request is shown from a description 851 indicating <ns1: policyDistributionRequest> to a description 852 indicating </ ns1: policyDistributionRequest>.

  In the description 851, “policyDistributionRequest” indicates that the XML data 850 notifies policy distribution.

  In the description 853 indicating <policyId xsi: type = "xsd: string"> RDSP2023 </ policyId>, identification information “RDSP2023” for identifying a policy is set.

  Then, the policy distribution server 4000 that has received the XML data 850 indicating such a policy distribution request distributes the policy using the XML data 800 shown in FIG. 47 immediately after the reception or at a predetermined timing.

  As shown in FIG. 41, SOAP when the policy distribution server 4000 makes a policy selection notification to the image forming apparatus 1000 using the SOAP client function 4021 will be described with reference to FIG. FIG. 53 is a diagram illustrating an example of XML data indicating a policy selection notification transmitted in accordance with SOAP.

  In FIG. 53, XML data 860 is a description in XML according to SOAP for notifying policy selection. In the XML data 860, information about a policy to be selected is shown from a description 861 indicating <ns1: policyChangeRequest> to a description 862 indicating </ ns1: policyChangeRequest>.

  In the description 861, “policyChangeRequest” indicates that the XML data 860 is a policy selection notification.

  In the description 863 indicating <policyId xsi: type = "xsd: string"> RDSP2023 </ policyId>, identification information “RDSP2023” for identifying a policy is set. The image forming apparatus 1000 sets the policy identified by the identification information “RDSP2023” as an enforcement policy.

  Next, in FIG. 43 or FIG. 44, SOAP when the image forming apparatus 1000 makes an operation requirement acquisition request to an external server that interprets a policy will be described with reference to FIGS. 54 and 55 are diagrams showing examples of XML data indicating an operation requirement acquisition request transmitted in accordance with SOAP. 54 and 55 show one XML data 870. FIG.

  In the XML data 870, user attributes, document attributes, and operation information are shown from a description 871 indicating <ns1: isAllowed> in FIG. 54 to a description 872 indicating </ ns1: isAllowed> in FIG.

  A description 873 indicating </ userTicketInfo> to a description 874 indicating </ userTicketInfo> specifies a user ticket when a user attribute is required. For example, in FIG. 43, when the policy interpretation server 4200 as an external server determines that a user attribute is necessary for interpreting the policy, the user attribute is acquired using the designated user ticket.

  A description 881 indicated by </ docInfo> from <docInfo xsi: type = "ns1: DocInfo"> indicates information on document attributes. In the description 881, a description 882 indicating <catgory xsi: type = "xsd: string"> Technical_doc </ category> indicates that the category of the document is "Technical_doc (technical document)", and <level xsi: type The description 883 indicating “= xsd: string”> High </ level> indicates that the level of the document is “High (high level)”, and <zone xsi: type = “xsd: string”> 99.99.99.99 A description 884 indicating </ zone> indicates that the zone is “99.99.99.99”.

  A description 885 indicating <accessInfo> to </ accessinfo> indicates operation information. In the description 885, a description 886 indicating <operation xsi: type = "xsd: string"> COPY </ operation> indicates that the operation is a copy.

  When the policy interpretation server 4200 as an external server shown in FIG. 43 receives such XML data 870, the policy interpretation server 4200 sends a policy interpretation result by the policy interpretation unit 4224 as shown in FIG. 56 to the image forming apparatus 1000. FIG. 56 is a diagram illustrating an example of XML data indicating a policy interpretation result transmitted in accordance with SOAP.

  In FIG. 56, XML data 890 is a description in XML according to SOAP for notifying a policy interpretation result. In the XML data 890, information about a policy interpretation result is shown from a description 891 indicating <ns1: isAllowedResponse> to a description 892 indicating </ ns1: isAllowedResponse>.

  In the description 891, “isAllowedResponse” indicates that the XML data 890 indicates the notification of the policy interpretation result.

  A description 895 indicating <allowed xsi: type = "xsd: boolean"> true </ allowed> indicates that the operation is permitted.

  A description 896 from <requirements> to </ requirements> indicates an operation requirement for permitting the operation. In the description 896, a description 897 from <item> to </ item> indicates an operation requirement. The description indicating <requirement xsi: type = "xsd: string"> audit </ requirement> specifies the audit trail record ("audit") as an operation requirement.

  Next, the functional configuration of the operation control unit 1013 will be described with reference to FIGS. First, a functional configuration of the operation control unit 1013 of the image forming apparatus 1000 as the reading apparatus illustrated in FIG. 28 will be described. FIG. 57 is a diagram illustrating an example of a functional configuration of the operation control unit in the image forming apparatus as the reading apparatus.

  57, in the image forming apparatus 1000 as a reading device, the operation control unit 1013 includes a data processing control unit 74a that controls the data processing unit 74 and a data transmission control unit 75a that controls the data transmission unit 75.

  In the image forming apparatus 1000 as the reading device, the data processing control unit 74a stops the reading process according to the operation requirement notified from the operation requirement selecting unit 1012 and erases all the read data as necessary. Erase a part of the scanned data by blackening, whitening or deleting a page, deleting color information, reducing the amount of information, or adding a confidential label by printing a “confidential” stamp Further, the data processing unit 74 is controlled so as to add identification information by printing a bar code, a number, a character, a pattern, and a security attribute.

  In the image forming apparatus 1000 as a reading device, the data transmission control unit 75a transmits to only the transmission destination specified by the operation requirement, for example, according to the operation requirement notified from the operation requirement selection unit 1012. The data transmission unit 75 is controlled to execute transmission to the transmission destination specified by the operation requirement.

  FIG. 58 is a diagram illustrating an example of a functional configuration of the operation control unit in the image forming apparatus as the copying apparatus.

  58, in the image forming apparatus 1000-2 as a copying apparatus, the operation control unit 1013 includes a data processing control unit 74a that controls the data processing unit 74 and a print control unit 76a that controls the printing unit 76.

  In the image forming apparatus 1000-2 as the copying apparatus, the data processing control unit 74a is the same as the data processing control unit 74a in the image forming apparatus 1000 as the reading apparatus in FIG. Color information that stops reading processing according to the notified operational requirements, and erases all read data as necessary, erases part of the read data black, white, or deletes pages, etc. Delete, reduce the amount of information, add a confidential label by printing a “confidential” stamp, and add identification information by printing barcodes, numbers, letters, patterns, security attributes, The data processing unit 74 is controlled to execute the above.

  In the image forming apparatus 1000-2 as a copying apparatus, the print control unit 76a controls the print control unit 76a to execute, for example, stop printing, print on a sheet of a tray specified by operation requirements, and the like. To do.

  In the above-described embodiment, the image forming apparatus 1000 as a reading apparatus and the image forming apparatus 1000-2 as a copying apparatus are illustrated. However, an apparatus having at least one of a plurality of different image forming functions such as a printer, a FAX, and a copy. Alternatively, an apparatus having a plurality of such different image forming functions may be used.

  According to the present invention, since an internal security policy relating to a document can be set from the outside, handling of the document can be controlled by a consistent security policy within the enterprise. Further, control according to the security policy can be executed regardless of whether the document is a paper document or electronic data (document data).

It is a figure which shows the example of a security policy. It is a figure which shows the example of the list | wrist of a document label term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy term file. It is a figure which shows the example of a policy file. It is a figure which shows the example of a policy file. It is a figure which shows the example of a policy file. It is a figure which shows the example of a policy file. It is a figure which shows the example of a policy file. It is a figure which shows the example of a policy file. It is a figure which shows the example of a policy file. It is a figure which shows the example of a policy file. It is a figure which shows the example of a policy file. It is a figure which shows the example of the identification information of DSP. It is a figure which shows the example of a description for demonstrating the structure of DSP. It is a figure which shows the other example of description of DSP. FIG. 2 illustrates various media for storing and distributing a DSP. 1 is a block diagram illustrating a hardware configuration of an image forming apparatus according to an embodiment of the present invention. FIG. 3 is a diagram illustrating a functional configuration of an image forming apparatus as a reading apparatus that operates according to a security policy. It is a figure which shows the example of simplified DSP. FIG. 2 is a diagram illustrating a functional configuration of an image forming apparatus as a copying apparatus that operates according to a security policy. It is a figure which shows the 1st policy setting method by which a policy is distributed from an external server. It is a figure which shows the 2nd policy setting method which acquires a policy from an external server. It is a figure which shows the 3rd policy setting method which acquires a policy at the time of power activation. It is a figure which shows the 4th policy setting method which acquires a policy at the time of power activation. It is a figure which shows the 5th policy setting method which acquires a policy at the time of power activation. It is a figure which shows the example of a function structure for implement | achieving the 1st to 5th policy setting method. It is a figure which shows the 6th policy setting method which acquires a policy with a timer. It is a figure which shows the example of a function structure for implement | achieving the 6th policy setting method. It is a figure which shows the 7th policy setting method which sets a policy offline. It is a figure which shows the example of a function structure for implement | achieving the 7th policy setting method. An eighth policy setting method for setting a policy offline and selecting online is shown. It is a figure which shows the example of a function structure for implement | achieving the 8th policy setting method. It is a figure which shows the example of a function structure which an external server interprets a policy. It is a figure which shows the example of a function structure which an external server interprets a policy and verifies selection requirements. FIG. 4 is a diagram illustrating an example of system attributes provided in the image forming apparatus. It is a figure which shows the example of the system attribute with which the external server was equipped. It is a figure which shows the example of the XML data which shows the policy distribution transmitted according to SOAP. It is a figure which shows the example of the XML data which shows the reception result with respect to the policy distribution transmitted according to SOAP. It is a figure which shows the example of the XML data which shows the policy distribution notification transmitted according to SOAP. It is a figure which shows the example of the XML data which shows the policy acquisition request transmitted according to SOAP. It is a figure which shows the example of the XML data which shows the reception result with respect to the policy acquisition request transmitted according to SOAP. It is a figure which shows the example of the XML data which shows the policy distribution request transmitted according to SOAP. It is a figure which shows the example of the XML data which shows the policy selection notification transmitted according to SOAP. It is a figure which shows the example of the XML data which shows the policy selection notification transmitted according to SOAP. It is a figure which shows the example of the XML data which shows the policy distribution transmitted according to SOAP. It is a figure which shows the example of the XML data which shows the policy interpretation result transmitted according to SOAP. FIG. 3 is a diagram illustrating an example of a functional configuration of an operation control unit in an image forming apparatus serving as a reading device. FIG. 3 is a diagram illustrating an example of a functional configuration of an operation control unit in an image forming apparatus as a copying apparatus.

Explanation of symbols

51 hard disk 52 magneto-optical disk 53 flexible disk 54 optical disk 55 computer 56 network 71 reading unit 72 reading condition acquisition unit 73 data transmission destination acquisition unit 74 data processing unit 1000 image forming apparatus 1001 policy execution unit 1011 document attribute acquisition unit 1012 operation requirement selection Unit 1013 operation control unit 1021 user attribute acquisition unit 2000 DSP

Claims (6)

Policy holding means for holding a security policy that describes rules for handling documents,
A communication means for performing policy distribution control with the external server in response to the policy distribution notification received from the external server via the network;
Policy rewriting means for rewriting the security policy held in the policy holding means with the security policy received from the external server via the communication means;
An image forming apparatus comprising: an operation control unit that controls an operation on the document according to the security policy managed by the policy management unit. The communication means includes
When the policy distribution notification is received from the external server, a policy acquisition request including authentication information of the image forming apparatus is transmitted to the external server, and when the authentication information is authenticated, a security policy is received from the external server. The image forming apparatus according to claim 1, wherein the image forming apparatus transmits the information to the policy rewriting unit. The policy distribution notification received from the external server includes identification information of the security policy to be replaced,
The image forming apparatus according to claim 1, wherein the communication unit transmits the policy acquisition request including the identification information to the external server at a predetermined timing. An image forming method in an image forming apparatus having an image forming function,
A policy retention procedure that maintains a security policy that describes the rules for handling documents,
A communication procedure for performing policy distribution control with the external server in response to a policy distribution notification received from the external server via the network;
A policy rewriting procedure for rewriting the security policy held in the policy holding procedure with the security policy received from the external server via the communication procedure;
An image forming method comprising: an operation control procedure for controlling an operation on the document according to the security policy managed by the policy management procedure. The communication procedure is:
When the policy distribution notification is received from the external server, a policy acquisition request including authentication information of the image forming apparatus is transmitted to the external server, and when the authentication information is authenticated, a security policy is received from the external server. 5. The image forming method according to claim 4, wherein the image is rewritten to the policy rewriting procedure. The policy distribution notification received from the external server includes identification information of the security policy to be replaced,
6. The image forming method according to claim 4, wherein the communication procedure transmits the policy acquisition request including the identification information to the external server at a predetermined timing.

Images