JP2009099037A - Document management system and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a document management system and a program for, when the management information of a document to be managed is invalidated in operating the document, preventing the unauthorized manipulation of a document by discarding the object document. <P>SOLUTION: In such a state that invalidation is set in a protection document for managing policy information by a policy server 100, when a prescribed operation is instructed by using a client PC300 or a multi-functional machine 400 and a shredder 500 to the protection document, each device confirms that the protection document is invalidated by communicating with the policy server 100. Then, the protection document is discarded. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a document management system and a program.

  There is a system for managing electronic documents and paper documents based on a predetermined security policy. In this system, by setting policy information based on the security policy for the document to be operated, control is performed so that only permitted operations can be performed only for authorized users. is doing. That is, an unauthorized operation by an unauthorized user is rejected, and a user permitted by the policy information can only perform the set operation.

  In addition, this policy information can be set to invalidation that prohibits all operations on the document itself. Since a document for which invalidation is set is excluded from the operation target, Control is performed to delete all information related to the document or to reject all operations while managing the information related to the document.

The prior art disclosed in Patent Document 1 manages the state of a document based on the document ID set for the document, and in particular, reads the document ID when the document is discarded, manages the number of discarded documents, and manages the history. This is a technology that can be used.
JP 2006-243999 A

  By invalidating the document to be managed, the operation on the target document can be permanently prohibited. However, the invalidated document itself remains in the user's hand, which is not preferable for security.

  Therefore, in the present invention, when the management information of a document to be managed is invalidated in the operation of the document to be managed, the document that can prevent unauthorized use of the invalidated document by discarding the target document. An object is to provide a management system and program.

  In order to achieve the above object, the invention according to claim 1 is characterized in that, when a document is operated, a determination unit that determines whether invalidation information is set in management information of the document, and the document is invalidated by the determination unit. And a discarding unit for discarding the document when it is determined that the document exists.

  According to a second aspect of the present invention, invalidation means for invalidating the document by setting invalid information in the management information of the document, and discarding the document when the invalidation means invalidates the document Means.

  According to a third aspect of the present invention, in the first aspect of the invention, the document is an electronic document, and the discarding unit determines that the electronic document is invalidated by the determining unit. An electronic document is deleted.

  According to a fourth aspect of the present invention, in the first aspect of the invention, the document is a paper document, and the discarding unit determines that the paper document is invalidated by the determining unit. A paper document is cut by a document cutting device.

  According to a fifth aspect of the present invention, in the first aspect of the invention, the document is a paper document, and the discarding unit determines that the paper document is invalidated by the determining unit. A paper document is accommodated in a protective accommodation unit.

  According to a sixth aspect of the present invention, there is provided a management device for managing operation restriction information for restricting operation of a document corresponding to the document, and operating a document under operation restriction by the operation restriction information managed by the management means. A document operation device, and the management device includes invalidation means for invalidating the document by setting invalid information in the operation authority information of the document. Discriminating means for discriminating whether the document has been invalidated by the invalidating means by inquiring to the management device, and discarding the document when the discriminating means determines that the document has been invalidated Means.

  According to the invention of claim 7, invalidation means for invalidating the document by setting invalid information in the management information of the document, whether invalid information is set in the management information of the document when operating the document And determining means for determining whether or not the document is discarded by the determining means when the document is determined to be invalidated.

  Further, the invention of claim 8 is an invalidation means for invalidating the document by setting invalid information in the document management information, and discarding the document when the invalidation means invalidates the document. It is made to function as a discarding means to perform.

  According to the first aspect of the present invention, when it is determined that the document is invalidated, the document can be discarded, and an unintended unauthorized use can be prevented.

  Further, according to the second aspect, it is possible to discard the document when invalidating the document, and it is possible to prevent unintended unauthorized use.

  Further, according to the third aspect, there is an effect that the invalidated electronic document can be discarded by being deleted.

  According to the fourth aspect, there is an effect that the invalidated electronic document can be discarded by cutting with the document cutting device.

  Further, according to claim 5, it becomes possible to collect and discard the invalidated electronic document by storing it in the protective storage unit, and only a specific administrator confirms the invalidated document. There is an effect that is possible.

  Further, according to the sixth aspect, it is possible to discard the invalidated document and to prevent unintentional unauthorized use.

  Further, according to the seventh aspect, it is possible to discard the invalidated document, and it is possible to prevent unintended unauthorized use.

  Further, according to the eighth aspect, it is possible to discard the document when invalidating the document, and it is possible to prevent unintended unauthorized use.

  Hereinafter, an embodiment of a document management system and program according to the present invention will be described in detail with reference to the accompanying drawings.

  FIG. 1 is an example of a system configuration diagram of a document management system configured by applying a document management system and a program according to an embodiment of the present invention.

  In FIG. 1, the document management system includes a policy server 100, an authentication server 200, a client PC 300, a multifunction machine 400, and a discarding device 500 (hereinafter referred to as “shredder 500”).

  The policy server 100 is a device that manages policy information applied to each of an electronic document and a paper document to be operated based on a security policy.

  The security policy at this time is a policy or rule that eliminates risk factors for the document and ensures the confidentiality of the document, and the policy information indicates the security level of this security policy. . That is, by applying policy information to a document, information leakage and unauthorized access are prevented in advance.

  For example, there are authorized users and operation authority as security policies for preventing information leakage and unauthorized access, and the operation of the document is restricted by setting policy information that defines them to the document. Therefore, the policy information is also expressed as “operation restriction information”.

  Further, in the policy information, it is possible to set the invalidation of the operation, and the document to which the policy information in which the invalidation of the operation is set is applied is in a state where any operation is invalid.

  At this time, the document in which the policy information is applied and is protected is referred to as “protected document” below.

  Note that protected documents can be classified into two types depending on whether the medium is electronic or paper, and a document ID that uniquely identifies the medium is assigned and managed.

  An example of the protected document at this time is shown in FIG.

  FIG. 2 is a diagram showing a state of a protected document to which policy information is applied in the document management apparatus of the document management system according to the embodiment of the present invention.

  2A is a diagram illustrating an example of a protected document for an electronic document, and FIGS. 2B and 2C are diagrams illustrating an example of a protected document for a paper document.

  2A includes a document header 1 and an encrypted document body 3, and the document header 1 includes a document ID 2 for identifying a document.

  The document is identified by the document ID 2, and policy information applied to the document ID 2 is managed by the policy server 100. The encrypted document body 3 is a document body encrypted with an encryption key.

  FIG. 2B shows a document in a state where a digital code including a document ID is printed at the beginning and end of a paper document. When a paper document in this state is scanned, copied, or transmitted by facsimile using the multifunction device 400, the policy server 100 manages the document ID by reading the document ID from the printed digital code. Apply policy information.

  Further, FIG. 2C is a document in which the document ID is embedded in the entire document using a watermark technique. Similar to the document shown in FIG. 2B, scanning, copying, facsimile using the multifunction device 400 is performed. When performing an operation such as transmission, the multi-function device 400 reads out the document ID from the document and applies the policy information managed by the policy server 100 to the document ID.

  In this document management system, when an operation request is made for a document whose operation is invalidated by policy information, the document is discarded.

  The authentication server 200 centrally manages information for authenticating an operator (user) who operates a document, and makes an inquiry about user authentication from an external device such as the policy server 100, the client PC 300, the multifunction device 400, or the discarding device 500. Respond to. The authentication server 200 is configured by, for example, a Lightweight Directory Access Protocol (LDAP) server or an Active Directory (AD) server.

  The policy server 100 manages the policy information applied to the document ID for identifying the document as described above, and manages the derivation relationship of the document. The document derivation relationship occurs when another document is generated as a result of operating a certain document, and the two documents are referred to as having a derivation relationship. For example, when a certain paper document is copied and another paper document is generated, when another electronic document is copied and another electronic document is generated, when a certain paper document is scanned and an electronic document is generated For example, a paper document is generated by printing an electronic document. The document from which the derivation is derived is referred to as a derivation source document.

  The client PC 300 is a terminal that operates an electronic document. The client PC 300 generates a document by using an installed document application, and performs various operations such as editing and printing of the document. In addition, a protected document in which policy information is newly applied to the generated document through mutual communication with the policy server 100 is created.

  The created protected document can be operated within the range permitted by the policy information.

  When it is determined that the target document has already been invalidated, processing for deleting the target document from the storage device is performed.

  The client PC 300 can request the policy server 100 to invalidate the protected document, and the policy server 100 that has received this request performs a process of invalidating the document (hereinafter referred to as “invalidation process”). Do. Here, the document invalidation process is a process in which a document is stored in a storage area of one of the apparatuses, and the document is excluded from the operation target. It is a process for setting that it is invalidated.

  The multifunction machine 400 performs print output processing for outputting an electronic document as a paper document in accordance with a print instruction from the client PC 300. Also, an image forming process for generating an electronic document by a paper document reading process is performed. In addition to copying processing for copying paper documents, facsimile transmission is also performed.

  The multi-function device 400 reads a document ID from a paper document requested for copying or a paper document requested for facsimile transmission, and confirms policy information applied to the document indicated by the document ID by communication with the policy server 100. It is determined whether the processing requested for the confirmed policy information (in this case, copying or facsimile transmission processing) is possible.

  Incidentally, an electronic document instructed to be printed from the client PC 300 or an electronic document requested to be transmitted by facsimile is sent together with the user ID and the document ID from the requesting client PC 300. Then, it is determined whether or not the electronic document can be operated based on the policy information.

  The policy information applied to the document indicated by the document ID read in this way is confirmed by mutual communication with the policy server 100. When the policy information is confirmed, it is determined whether the requested operation corresponds to the operation permitted by the policy information (printing, reading, copying, facsimile transmission, etc.).

  Further, when invalidation of a document is specified by policy information, processing for discarding the document is performed. The process of discarding a document refers to a process of storing a paper document in a special storage tray provided in the multifunction machine 400, for example. This special storage tray is not a tray that can be opened and closed by anyone, but is a tray that can be opened and closed by being unlocked only by an administrator who is locked and has a key, for example. This storage tray is also shown as a protective storage.

  In addition to this, a process of cutting a paper document using a shredder (not shown) (not shown) that cuts a paper document provided in the multifunction device 400 may be used.

  The client PC 300 also performs a process of discarding the operation target electronic document if it is invalidated by the policy information. That is, it is deleted from the storage area.

  FIG. 3 is a block diagram showing a detailed configuration of the policy server shown in FIG.

  The policy server 100 shown in FIG. 3 includes a security policy registration unit 10, a security policy list response unit 11, a security policy search unit 12, a security policy invalidation unit 13, a security policy DB 14, and a document information DB 15, and includes a security policy registration unit. 10. The security policy list response unit 11, the security policy search unit 12, and the security policy invalidation unit 13 perform data communication with the client PC 300, the multifunction device 400, and the shredder 500.

  The security policy DB 14 manages policy information as shown in FIG. 8, and the document information DB 15 manages operation target document information as shown in FIG.

  First, the policy information shown in FIG. 8 will be described.

  The policy information shown in FIG. 8 is represented by a table configuration, and includes a [policy ID] item 801, a [policy name] item 802, a [use range] item 803, a [valid period] item 804, and a [permitted function list] item. 805.

  [Policy ID] item 801 is identification information for identifying policy information, and [Policy Name] item 802 is information indicating the name of policy information.

  The [Usage Range] item 803 is information indicating a range corresponding to a user who operates the document of the identification information indicated in the [Policy ID] item 801. For example, when a user group is specified, the user group is assigned to the user group. This is a range in which the user to which the user can operate the document, and when a specific user is designated, it indicates that only the user can operate the document.

  [Effective period] item 804 is information indicating the effective period of the policy information for each user range indicated by [usage range] item 803. For example, the effective period is the number of days that have elapsed since the document was generated. specify.

  The [permitted function list] item 805 is information indicating a list of permitted operations, and is indicated for each medium of the operation target document. For example, when the medium is an electronic document, browsing and printing are possible, and when the medium is paper, copying (copying) is possible.

  The policy information with the policy ID “0001” is applied to a document, the user authenticated by communication with the authentication server 200 is “user A”, and the user A belongs to “software development department”. 8, the policy table in FIG. 8 indicates that the user A can “browse and print” the electronic document only within “180 days” from the generation of the document. It is shown that it is possible to “copy”.

  Similarly, the policy information with the policy ID “0002” is applied to a document, and the user authenticated by communication with the authentication server 200 is “user B”, and the user B is “creator”. In the policy table of FIG. 8, the user B can perform “browsing, editing, and printing” operations on the electronic document without limitation for the period in the policy table of FIG. This indicates that each operation of “copy (copy), scan” can be performed on the document.

  Next, the document information shown in FIG. 9 will be described.

  The document information shown in FIG. 9 is shown in a table configuration, and includes a [document ID] item 901, a [derived document ID] item 902, a [policy ID] item 903, a [document name] item 904, and a [media type]. An item 905, a “creator ID” item 906, a “creation date” item 907, and an “invalidation date” item 908 are configured.

  [Document ID] item 901 is information for identifying a document to be operated, and shows an example expressed in hexadecimal. [Derivation source document ID] item 902 is information for identifying the document that is the derivation source, and shows an example expressed in hexadecimal as with the document ID shown in [document ID] item 901. If no derivation source document ID is indicated in the [derivation source document ID] item 902 (when “-” is indicated), this indicates that the document is a root document.

  [Policy ID] item 903 is identification information for identifying policy information to be applied to a document. One of the policy IDs shown in [Policy ID] item 801 shown in FIG. It is.

  The [Document Name] item 904 is information indicating the name of the document, the [Media Type] item 905 is information indicating the medium of the document, and the [Creator ID] item 906 is the [Document ID] item 901. This information identifies the creator who created the document to be identified.

  Further, a “creation date” item 907 is information indicating the date and time when the document was created, and an “invalidation date” item 908 is information indicating the date and time when the invalidation processing was performed. If the date and time are indicated in the [Invalidation Date / Time] item 908, it indicates that the document is invalidated.

  The document identified by the document ID “40ffaaa4-0fb6-4634-85bf-bba45bc941b5” shown in the [document ID] item 901 in FIG. It is determined that there is no document, and indicates that the policy information identified by the policy ID “0001” indicated in the [policy ID] item 903 is applied. Further, the document name of this document is “internal material” as shown in the “document name” item 904, and is composed of “electronic” media shown in the “media type” item 905. Furthermore, this document is created by the creator “Fx12345” shown in the “Creator ID” item 906, “2007-01-20 10:00” shown in the “Creation Date” item 907, “10:00 on January 20, 2007” This is a document created at “00 minutes”, and the [invalidation date / time] item 908 is “−”, indicating that the document has not been invalidated. That is, it is a document that can be manipulated.

  Further, the document identified by the document ID “AED6483F-3304-11d2-86F1-006008B0E5D2” shown in the [Document ID] item 901 in FIG. Therefore, it is determined that the parent document from which this document is based is a document identified by “4FB6BB003347-11d0-B40A-00A005FF586”.

  In addition, since the [policy ID] item 903 and the [document name] item 904 are both “−”, the policy information is not applied and the document name is not set. However, although the [policy ID] item 903 is not set on the DB, since this document is a derived document in the processing of the policy server 100, if the [policy ID] item 903 is not set, the derived By tracing the original document, the [policy ID] item 903 applied to this document is specified.

  In the case of this document, since “0002” is set as the [policy ID] item 903 in the parent document “4FB6BB003347-11d0-B40A-00A005FF586”, it is determined that this policy is set.

  Further, this document is a paper document because the “media type” item 905 is indicated as “paper”, and the “creation date” item 907 is created by the creator of “Fx25615” shown in the “creator ID” item 906. It is a document created at "14:23 on October 3, 2006" of "2006-10-03 14:23" shown in. Further, since the [invalidation date and time] item 908 is “2006-11-01 12:13”, it indicates that the document is invalidated at “12:13 on November 1, 2006”. . That is, if an operation is attempted on this document, it is rejected and discarded.

  In this way, the security policy DB 14 shown in FIG. 3 manages policy information, and the document information DB 15 manages document information.

  Subsequently, the security policy registration unit 10 shown in FIG. 3 performs processing for registering the document information of the protected document by creating the protected document by an external device such as the client PC 300. From the external device, the document ID, the derivation source document ID, the policy ID, the document name, the media type, the creator ID, and the creation date / time information are designated as the document information of the protected document.

  An example of a document information registration request received from the client PC 300 at this time is shown in XML (Extensible Markup Language) format as follows. A line number used for explanation is shown at the left end of each step of XML.

01 <PolicyRegister>
02 <DocumentID> 4FB6BB00-3347-11d0-B40A-00A005FF586 </ DocumentID>
03 <PolicyID> 0002 </ PolicyID>
04 <DocumentName> Model2006 Catalog </ DocumentName>
05 <Type> electric </ Type>
06 <UserID> Fx19810 </ UserID>
07 <Date> 2006-10-01 T10: 00 + 09: 00 </ Date>
08 </ PolicyRegister>
Lines 01 and 08 show a <PolicyRegister> tag element indicating that it is a policy information registration request. In addition, the contents of the document information to be registered are shown in lines 02 to 07 as the value of the tag element of <PolicyRegister>.

  On line 02, the document ID is represented by a tag element of <DocumentID>, which indicates that the document ID is “4FB6BB00-3347-11d0-B40A-00A005FF586”. The 03th line shows a policy ID applied to the document with a tag element of <PolicyID>, and indicates that the policy ID is “0002”. On line 04, the document name is indicated by a tag element of <DocumentName>, and the document name indicates “Model 2006 catalog”.

  In line 05, the <Type> tag element indicates the media type, and "electric" is shown as the value, indicating that the document is an electronic document. The 06th line shows the <UserID> tag element, indicating that the protected document was created by the creator identified by "Fx19810", and the 07th line shows the <Date> tag element. “2006-10-01 T10: 00 + 09: 00” indicates that a protected document was created at “10:00 on October 01, 2006”.

  The security policy registration unit 10 that has received the information registers the information in the document information table managed by the document information DB 15. An example of the document information table at this time is shown in a record (909) in which the document ID of FIG. 9 is “4FB6BB00-3347-11d0-B40A-00A005FF586”. Incidentally, the [invalidation date / time] item 908 of this record (909) becomes “-(empty)” to indicate that invalidation processing is not performed. In this example, there is no derivation source document, but a case where a derivation source document exists is shown below.

01 <PolicyRegister>
02 <DocumentID> AED6483F-3304-11d2-86F1-006008B0E5D2 </ DocumentID>
03 <DerivateFrom> 4FB6BB003347-11d0-B40A-00A005FF586 </ DerivateFrom>
04 <Type> paper </ Type>
05 <UserID> Fx25615 </ UserID>
06 <Date> 2006-10-03 T14: 23 + 09: 00 </ Date>
07 </ PolicyRegister>
When there is a derivation source document, the derivation source document is specified by the <DerivatedFrom> tag element instead of the <PolicyID> tag element as described above.

  In this way, the document information of the protected document is registered by the security policy registration unit 10.

  The security policy list response unit 11 responds to an inquiry about a list of policy information applicable to a document from an external device such as the client PC 300, the multifunction machine 400, or the shredder 500 from policy information managed by the security policy DB 14. Returns a list of policy information created by acquiring policy information to the request source.

  At this time, an example of a list of policy information to be responded expressed in XML format is shown below. A line number used for explanation is shown at the left end of each step of XML.

01 <Polices>
02 <Policy>
03 <PolicyID> 0001 </ PolicyID>
04 <Name> Software Development Department internal materials </ Name>
05 <AccessRight>
06 <Users>
07 <Group> Development Division </ Group>
08 </ Users>
09 <ValidTerm> 60days from creation </ ValidTerm>
10 <Operation>
11 <View />
12 </ Operation>
13 </ AccessRight>
14 <AccessRight>
15 <Users>
16 <Group> Software Development Department </ Group>
17 </ Users>
18 <ValidTerm> 180days from creation </ ValidTerm>
19 <Operation>
20 <View />
21 <Print />
22 <Copy />
23 </ Operation>
24 </ AccessRight>
25 <AccessRight>
26 <Users>
27 <user> Owner </ user>
28 </ Users>
29 <ValidTerm></ValidTerm>
30 <Operation>
31 <View />
32 <Print />
33 <Copy />
34 <Edit />
35 <Scan />
36 </ Operation>
37 </ AccessRight>
38 </ Policy>
39 <Policy>
40 <PolicyID> 0002 </ PolicyID>
41 <Name> Sales Materials </ Name>
42 <AccessRight>
43 <Users>
44 <user> everything </ user>
45 </ Users>
46 <ValidTerm> 30days from creation </ ValidTerm>
47 <Operation>
48 <View />
49 </ Operation>
50 </ AccessRight>
51 <AccessRight>
52 <Users>
53 <Group> Sales Department </ Group>
54 </ Users>
55 <ValidTerm> 180days from creation </ ValidTerm>
56 <Operation>
57 <View />
58 <Edit />
59 <Copy />
60 </ Operation>
61 </ AccessRight>
62 <AccessRight>
63 <Users>
64 <user> Owner </ user>
65 </ Users>
66 <ValidTerm></ValidTerm>
67 <Operation>
68 <View />
69 <Print />
70 <Copy />
71 <Edit />
72 <Scan />
73 </ Operation>
74 </ AccessRight>
75 </ Policy>
76 </ Polices>
The <Polices> tag element shown in the first and 76th lines is a tag element indicating a list of policy information, and indicates that one or a plurality of policy information is specified. This list of policy information in the XML format shows an example including two pieces of policy information. The first is shown from the 02th line to the 38th line, and the second is shown from the 39th line to the 75th line. .

  First, the first policy information indicates a policy ID for identifying the policy information with the <PolicyID> tag element in the 03th line, and “0001” is indicated as the value of the tag element. In line 04, the name of the policy information is indicated by a <Name> tag element, which indicates that the name is “software development department internal data”.

  Lines 05 to 37 show the details of the policy information for each user information, and the contents of a plurality of policy information for the user information. In this XML example, policy information for three pieces of user information is specified.

  The contents of the first policy information are shown from the 5th line to the 13th line, the user information is indicated by the <Users> tag element from the 06th line to the 08th line, and the value of the tag element is shown in the 7th line. The <Group> tag element indicates the group to which the user belongs.

  In addition, the <ValidTerm> tag element indicates the policy information validity period on line 09, and the operations permitted on the <Operation> tag elements on lines 10 to 12 are indicated. Indicates a browsing operation represented by <View />. That is, the first policy information is policy information applied to users belonging to the development headquarters, and allows browsing operations within 60 days after the document is created. .

  The contents of the second policy information are shown from the 14th line to the 24th line, the user information is indicated by the <Users> tag element from the 15th line to the 17th line, and the value of the tag element is 16 The <Group> tag element on the line indicates the group to which the user belongs.

  In addition, the <ValidTerm> tag element indicates the policy information validity period on the 18th line, and the permitted operations are indicated on the <Operation> tag element on the 19th to 23rd lines. The 22nd line from <View />, <Print />, <Copy /> indicates a browsing operation, a printing operation, and a copying operation.

  That is, the second policy information is policy information applied to users belonging to the software development department, and if it is within 180 days from the creation of the document, the browsing operation, the printing operation, and the copying operation are performed. Is possible.

  Furthermore, the contents of the third policy information are shown from the 25th line to the 37th line, the user information is indicated by the <Users> tag element from the 26th line to the 28th line, and the value of the tag element is 27. The user is identified by the tag element of <user> on the line.

  In addition, the <ValidTerm> tag element indicates the policy information validity period on line 29, and the operations permitted on the <Operation> tag element on lines 30 to 36 are indicated. Indicates the browse operation, print operation, copy operation, edit operation, and read operation represented by <View />, <Print />, <Copy />, <Edit />, <Scan /> on the 35th line from ing.

  That is, the content of the third policy information is policy information applied to the user who is the creator (owner) of the document, and can be viewed, printed, copied, An editing operation and a reading operation are enabled.

  Next, the second policy information indicates a policy ID for identifying the policy information by the tag element of <PolicyID> on the 40th line, and “0002” is indicated as the value of the tag element. In line 41, the <Name> tag element indicates the name of the policy information, which indicates that the name is “sales material”.

  Lines 41 to 74 show detailed policy information contents for each user information, and show a plurality of policy information contents for the user information. This XML example shows an example in which the contents of policy information for three pieces of user information are defined.

  The contents of the first policy information are shown from the 42nd line to the 50th line, the user information is indicated by the <Users> tag element from the 43rd line to the 45th line, and the value of the tag element is shown in the 44th line. The <user> tag element indicates a corresponding user. Since the <user> tag element indicates “everything”, this indicates that the tag can be applied to all users.

  In addition, the <ValidTerm> tag element indicates the valid period of policy information on the 46th line, and the permitted operations are indicated on the <Operation> tag element on the 47th to 49th lines. Indicates a browsing operation represented by <View />.

  That is, the content of the first policy information is policy information applied to all users, and allows browsing operations within 30 days after the document is created.

  The contents of the second policy information are shown in the 51st line to the 61st line, the user information is indicated by the <Users> tag element in the 52nd line to the 54th line, and the value of the tag element is 53. The <Group> tag element on the line indicates the group to which the user belongs.

  Furthermore, the <ValidTerm> tag element indicates the policy information validity period on line 55, and the permitted operations are indicated on the <Operation> tag elements on lines 56 to 60. 59, the view operation, the edit operation, and the copy operation represented by <View />, <Edit />, and <Copy />.

  In other words, the content of the second policy information is policy information applied to users belonging to the sales department, and if it is within 180 days from the creation of the document, the browsing operation, editing operation, copying Operation is possible.

  In addition, the contents of the third policy information are shown in lines 62 to 74. From line 63 to 65, user information is indicated by the <Users> tag element, and the value of the tag element is 64 lines. The eye identifies the user with the <user> tag element.

  In line 66, the <ValidTerm> tag element indicates the valid period of the policy information. In lines 67 to 73, the <Operation> tag element indicates the permitted operation. Indicates the browsing operation, printing operation, copying operation, editing operation, and reading operation indicated by <View />, <Print />, <Copy />, <Edit />, <Scan /> on the 72nd line. ing.

  That is, the content of the third policy information is policy information applied to the user who is the creator (owner) of the document, and can be viewed, printed, copied, An editing operation and a reading operation are enabled.

  A list of such policy information is returned to the external device.

  Then, when one of the policy information in the list is selected by the external device and a request for applying the policy information to the document is made, the security policy search unit 12 receives it. This application request includes the user ID of the user who is the operator of the document.

  Upon receiving the policy information application request, the security policy search unit 12 inquires of the document information DB 15 about the policy ID of the policy information to be applied to the document. Subsequently, the policy ID obtained from the document information DB 15 and the policy information for the user ID of the user who has requested the application of the policy information are inquired to the security policy DB 14 and the corresponding policy information is searched.

  Of course, the application ID may include a group ID of a group to which the user indicated by the user ID belongs (for example, a software development department group or a development headquarter group). In this case, the authentication server 200 is inquired separately about the group ID of the group to which the user corresponds to the user ID.

  When the security policy search unit 12 searches for policy information to be applied to the document in this way, a list of searched policy information is returned to the request source.

  An example of the response result to the request source at this time in the XML format is shown below. A line number used for explanation is shown at the left end of each step of XML.

01 <UsageRights>
02 <UserID> fx17691 </ UserID>
03 <DocumentID> 4FB6BB00-3347-11d0-B40A-00A005FF586 </ DocumentID>
04 <Policy>
05 <PolicyID> 0002 </ Policy>
06 <ValidTo> 2007-02-20 T23: 59: 59 + 09: 00 </ ValidTo>
07 <Operations>
08 <View />
09 <Print />
10 <Copy />
11 </ Operations>
12 </ Policy>
13 <InvalidateDate></InvalidateDate>
14 </ UsageRights>
The <UsageRights> tag element indicating that this XML is a search result of policy information is shown in the 01st and 14th lines. Applicable policy information for the user ID shown in the tag element of <UserID> on the 02 line and the document ID shown in the tag element of <DocumentID> on the 03 line is shown in <Policy> on the 04 and 12 lines. This is indicated by the tag element. In this example, only the policy information shown in the 05th to 11th lines is applicable policy information.

  The policy information that can be applied is identified by the tag element value “0002” of the <PolicyID> in the 05th line, and the expiration date “2007-02-20 T23 indicated by the <ValidTo> tag element in the 06th line. : 59: 59 + 09: 00 ”is valid.

  Incidentally, the tag element of <InvalidateDate> shown on the 13th line indicates the date and time when the document becomes invalid when invalidation processing is performed.

  The security search unit 12 responds to the request source with a list of policy information as described above.

  Subsequently, the invalidation processing is performed by receiving from the external device an invalidation request including information on the document ID, the user ID, and the document range to be invalidated. At this time, an example of the invalidation request in the XML format is shown below. A line number used for explanation is shown at the left end of each step of XML.

01 <PolicyInvalidate>
02 <DocumentID> 4FB6BB00-3347-11d0-B40A-00A005FF586 </ DocumentID>
03 <UserID> Fx17691 </ UserID>
04 <Range> all </ Range>
05 </ PolicyInvalidate>
Lines 01 and 05 are tag elements of <PolicyInvalidate> indicating that this XML is an invalidation request. In line 02, the document ID of the document to be invalidated is shown as the value of the tag element of <DocumentID>, and in line 03, the user ID of the user who made the invalidation request is a tag of <UserID> Shown as element value.

  In line 04, the range of documents to be invalidated (referred to as “invalidation range”) is shown as the tag element of <Range>, and when “all” is shown as the value of the tag element , Indicates that all related documents (parent document, child document) related to the document with the document ID indicated by the value of the tag element of <DocumentID> are invalidated at once, and "all" is not indicated The processing for invalidating only the document with the document ID indicated by the value of the tag element of <DocumentID> is performed. In the latter case, it may be configured such that only the document with the document ID indicated by the value of the tag element of <DocumentID> is invalidated by specifying “this”.

  Upon receiving such an XML format invalidation request, the security policy invalidation unit 13 performs processing for invalidating the designated document. Therefore, a list “idList” of documents to be invalidated is created from the document ID indicated by the tag element of <DocumentID> on the 02nd line and the invalidation range information indicated by the tag element on the 04th line.

  Note that the document ID of the document included in the created “idList” differs depending on the invalidation range information, and the value of the <Range> tag element on the 04th line is “all”, and all related documents are listed. If invalidation is specified, the document IDs of all related documents are included.

  On the other hand, when the value of the <Range> tag element is “this” and it is specified that only the specified document is invalidated, only the document ID of the specified document is included.

  Subsequently, the document information of each document ID of the created “idList” is acquired from the document information DB 15, and only the document information in which the user ID of the user who made the invalidation request is specified is acquired. That is, only the creator of the document can invalidate the document. In the acquired document information, the document information that has not been invalidated is invalidated.

  Taking the document information shown in FIG. 9 as an example, the invalidation processing is performed by registering the current time in the document information in which the date / time is not registered in the [invalidation date / time] item 908 in the acquired document information.

  That is, whether or not the document is invalidated is determined by whether or not the date and time is registered in [Invalidated Date and Time] 908 of the policy information applied to the document.

  This invalidation process is not limited to the creator of the document, and it can be executed by anyone, and it can be executed only by an administrator with specific operation rights. Is also possible.

  FIG. 4 is a block diagram showing a detailed configuration of the client PC shown in FIG.

  The client PC 100 shown in FIG. 4 includes a protected electronic document generation unit 30, a document ID generation unit 31, a document editing unit 32, a document storage unit 33, a document display unit 34, a control unit 35, a document deletion unit 36, a user authentication unit 37, A protected document discarding unit 38 and a protected document printing unit 39 are provided.

  The control unit 35 is the main control in the client PC 100 and gives instructions to other functional components. Further, it receives a document operation instruction from the user, and instructs other function components to perform processing based on the operation instruction.

  Upon receiving the document operation instruction from the user, the control unit 35 first makes an authentication request to the user authentication unit 37 in order to authenticate the user who issued the operation instruction. The user authentication unit 37 performs processing for authenticating a user through communication with the authentication server 200. For example, the user is authenticated by a combination of a user ID and a password input by the user using the user interface.

  If the authentication is successful, the user information of the user is returned to the control unit 35.

  Subsequently, when a protected document generation request is made by the authenticated user, the control unit 35 makes a protected document generation request for the document stored in the document storage unit 33 in the protected electronic document generation unit 30 together with the authenticated user information. . The document storage unit 33 stores a document that is created using a document application or the like and to which no policy information is applied.

  When a protected document generation instruction is issued from the control unit 35, the protected electronic document generation unit 30 generates a protected document by applying policy information to the document stored in the document storage unit 33. The policy information applied to the document at this time is the policy information selected from the policy information list shown by the policy server 100.

  A protected document generated by applying policy information to an electronic document is referred to as “protected electronic document”, which is a name for distinguishing from a protected document generated by applying policy information to a paper document. This protected document is indicated as “protected paper document”. This protected paper document is generated by the multifunction machine.

  An example of the protected electronic document is a document as shown in FIG. 2A, and examples of the protected paper document are documents as shown in FIG. 2B and FIG. 2C.

  A document ID that is identification information for identifying the document generated by the document ID generation unit 31 is set in the protected electronic document generated by the protected electronic document generation unit 30. As a result, the correspondence relationship between the document ID and the policy information is determined, and the policy information relationship with respect to the document ID is registered in the policy server 100.

  The generated protected electronic document is stored in the document storage unit 33. The detailed processing flow in the protected electronic document generation unit 30 at this time is shown in the flowchart of FIG.

  Further, when an operation such as browsing, editing, and printing of the protected electronic document is instructed by the user, the control unit 35 authenticates the user by the user authentication unit 37 and stores it in the document storage unit 33 together with the user information of the authenticated user. By sending the protected electronic document to the document display unit 34, the document editing unit 32, and the protected document printing unit 39, a processing instruction is given.

  The document display unit 34, the document editing unit 32, and the protected document printing unit 39 to which the processing instruction is issued obtains policy information to be applied to the document from the policy server 100 via the control unit 35, and the policy information indicates It is determined whether the processed processing is possible.

  When processing is possible, the protected electronic document is decrypted, whereby the document display unit 34 displays the document, the document editing unit 32 allows the user to operate, and the protected document printing unit 39 issues a document print request. Send to the MFP 400.

  At this time, if the acquired policy information includes information indicating that the document has already been invalidated (if the invalidation date is included), the document deletion unit is called to Delete the document.

  The detailed processing flow when displaying the document is shown in the flowchart of FIG. 14, the detailed processing flow when editing the document is shown in the flowchart of FIG. 15, and the detailed processing flow when printing the protected document is shown. The flow is shown in the flowcharts of FIGS. The detailed processing flow when editing and saving a document is shown in the flowcharts of FIGS. FIG. 18 shows a case where the document is not derived when the document is edited and saved, and FIG. 19 shows an example where the document is derived when the document is edited and saved.

  Further, when the user instructs to invalidate the document, the control unit 35 authenticates the user by the user authenticating unit 37 and instructs the protected document discarding unit 38 to invalidate the document together with the user information of the authenticated user.

  Note that the user invalidates a document by using a user interface to designate a document to be invalidated and designate a document invalidation range. This invalidation range specifies the range of documents to be invalidated, and selects whether to invalidate all the documents derived from the invalidated document or only the designated document. Specify by.

  The protected document discarding unit 38 instructed to invalidate the document designated by these transmits an invalidation request for invalidating the document with the policy information applied to the document designated by the invalidation range to the policy server 100. When the document is invalidated by the policy server 100, the protected document discarding unit 38 responds to the control unit 35 that invalidation is set in the policy information of the document designated as the invalidation range.

  As a result, the control unit 35 requests the document deletion unit 36 to delete the document, and the document deletion unit 36 deletes the designated document. This detailed flowchart is shown in FIG.

  5 and 6 are block diagrams showing the detailed configuration of the multi-function device 400 shown in FIG.

  First, the MFP shown in FIG. 5 performs processing for cutting and discarding a document when copying, copying, scanning, facsimile transmission, or the like is instructed for a paper document invalidated by invalidation processing. The structure when performing is shown.

  The MFP 400 shown in FIG. 5 includes a document ID encoding unit 40, a protected paper document generation unit 41, a printing unit 42, a document ID generation unit 43, an image storage unit 44, a protected electronic document generation unit 45, a document ID analysis unit 46, A control unit 47, a user authentication unit 48, and a paper document discard unit 49-1 are provided.

  The control unit 47 is the main control in the multi-function peripheral 400, and performs control such as printing, copying (copying), scanning, facsimile transmission, and invalidation of a protected document.

  When processing such as copying or scanning for a protected paper document is instructed, the control unit 47 makes an authentication request for the user who made the instruction in the user authentication unit 48. The user authentication unit 48 performs processing for authenticating a user through communication with the authentication server 200. For example, the user is authenticated by a combination of a user ID and a password input by the user using the user interface.

  If the authentication is successful, the control unit 47 then transmits the requested document to the document ID analysis unit 46 in order to analyze the document ID. Based on the analyzed document ID and the authenticated user information, the policy server 100 is inquired about the policy information for the document ID to confirm whether the requested processing is permitted. If the operation requested by the policy information is permitted, the process is continued.

  In the case of a copy instruction, the control unit 47 transmits a generation request for a protected paper document including the document to the protected paper document generation unit 41. The protected paper document generation unit 41 embeds the document ID generated by the document ID generation unit 43 and encoded (encoded) into a two-dimensional barcode by the document ID encoding unit 40 in the image image of the document read by the scan function. An image that is a source of the protected paper document is generated.

  At this time, if the document from which the protected paper document is generated is a paper document, that is, if the paper document is read by the scan function to create the protected paper document, the paper document is not discharged. It may be configured to be stored in a special tray. As a result, the user uses the generated protected paper document for subsequent processing.

  This is particularly effective when the scan function is realized by an ADF (Auto Document Feeder).

  When the protected paper document generation unit 41 generates the image image, the image is stored in the image storage unit 44 and the paper document for the image image is output from the printing unit 42. This is a protected paper document.

  Finally, the control unit 47 performs processing for registering the generated document ID information in the policy server.

  In the above case, in the case of a scan instruction, after confirming the rights to the policy server, the control unit 47 transmits the document to the protected electronic document generation unit 45 together with the authenticated user information. The protected electronic document generation unit 45 creates a protected electronic document for the protected paper document. This is an image image generated by reading the paper document with the scan function of the multi-function peripheral 400, and this image image is encrypted. A document ID generated by the document ID generation unit 43 is assigned to the document, a protected electronic document is generated, and the generated document ID is registered in the policy server.

  When there is a print request from the client PC 300, the print image of the document, the document ID, and the user ID information are designated and a print instruction is given to the control unit 47. At this time, the passed user ID and document ID are designated, the policy server 100 is inquired about the right, and it is confirmed whether or not the right to print is permitted. If permitted, the control unit 47 designates a print image and transmits a protected paper document generation request to the protected paper document generation unit 41. In the protected paper document generation unit 41, the original of the protected paper document in which the document ID generated by the document ID generation unit 43 in the print image image and encoded (encoded) into a two-dimensional barcode or the like by the document ID encoding unit 40 is embedded. To generate an image. Finally, the control unit 47 performs processing for registering the generated document ID information in the policy server 100.

  In the above processing, when invalidation of the document is specified in the policy information for the paper document to be processed, the document is transferred to the paper document discarding unit 49-1 in order to discard the requested document. To do.

  The paper document discarding unit 49-1 performs processing for cutting and discarding the paper document whose document ID has been read.

  The multifunction device 400 also has a function of invalidating the protected paper document. When an invalidation instruction is given, the control unit 47 sends an authentication request to the user authentication unit 48 for the user who has given the instruction. The user authentication unit 48 performs processing for authenticating a user through communication with the authentication server 200. For example, the user is authenticated by a combination of a user ID and a password input by the user using the user interface.

  If the authentication is successful, the control unit 47 then transmits the requested document to the document ID analysis unit 46 in order to analyze the document ID. The analyzed document ID, the authenticated user, the document ID, and the invalidation range designated by the user are designated, and the policy server 100 is instructed to invalidate the document. Thereafter, the target paper document is sent to the paper document discarding unit 49-1, where it is discarded.

  Next, when an invalid electronic document or paper document is instructed to perform processing such as copying (copying), scanning, facsimile transmission, etc., the multifunction peripheral of FIG. 6 stores the document in a special tray or storage area. Process to store in.

  The MFP shown in FIG. 6 is similar to the MFP shown in FIG.

  6 includes a document ID encoding unit 40, a protected paper document generation unit 41, a printing unit 42, a document ID generation unit 43, an image storage unit 44, a protected electronic document generation unit 45, a document ID analysis unit 46, and a control. Unit 47, user authentication unit 48, and document storage unit 49-2.

  5 is configured to transfer the invalidated document to the paper document discarding unit 49-1, but is disabled in the multifunction device having the configuration shown in FIG. The document is stored in the document storage unit 49-2.

  The document storage unit 49-2 is realized by a storage tray. When the paper document is invalidated in the process for the paper document, and when the paper document is invalidated, the target paper document is stored in the storage tray. To store.

  This storage tray is a special tray that is locked and can be opened and closed only by an administrator having a key.

  FIG. 7 is a block diagram showing a detailed configuration of the shredder shown in FIG.

  The shredder 500 shown in FIG. 7 includes a control unit 50, a document ID reading unit 51, a paper document discarding unit 52, and a user authentication unit 53, and can perform data communication with other nodes on the network. For example, when a paper document is set at the insertion slot when the paper document is discarded, the document ID is read from the paper document and transferred to the policy server 100.

  First, when a paper document is set in the insertion slot, the control unit 50 issues an authentication request to the user authentication unit 53 in order to authenticate a user who discards the paper document. The user reads the user information from the IC card, or inputs the user ID and password using the user interface, so that the user authentication unit 53 performs user authentication for communication with the user authentication server 200.

  When the user is authenticated by the user authentication unit 53, the user information of the authenticated user is returned to the control unit 50. The control unit 50 determines that the user information is authenticated by the response, and then instructs the document ID reading unit 51 to read the document ID of the paper document.

  The document ID reading unit 51 is configured by a reading mechanism such as a CCD (Charge Coupled Devices) and decodes the read document ID. When the document reading unit 51 successfully reads the document ID and decodes it, the document reading unit 51 responds to the control unit 50 to that effect. As a result, the control unit 50 instructs the paper document discarding unit 52 to discard the paper document set at the insertion slot.

  The paper document discard unit 52 discards the paper document by breaking it.

  Further, the control unit 50 transfers the read document ID and the specified invalidation range information to the policy server 100 to set invalidation in the policy information of the corresponding document. That is, the current date and time is set in the [invalidation date and time] item 908 of the document information table shown in FIG.

  Incidentally, as an invalidation range designation method, for example, there is a method of selecting an invalidation range with a button provided on the shredder 500. In this case, the [All Derived Documents] button and the [Only This Document] button are provided. When the [All Derived Documents] button is pressed, all documents related to the read document ID are invalidated. Specifies that the document is a document. When the [Only this document] button is pressed, it is specified that only the document with the read document ID is invalidated.

  When a document invalidated by policy information is copied using the multifunction device 400, the document is discarded by the multifunction device 400. In the case of a paper document, it is stored in a special storage tray or deleted with a shredder (different from the shredder 500).

  In this way, a process for discarding the invalidated paper document is performed.

  Hereinafter, the detailed flow of the various processes described above will be described with reference to the flowcharts of FIGS.

  FIG. 10 is a flowchart showing a flow of processing for searching policy information performed by the policy server of the document management system according to the embodiment of the present invention.

  In FIG. 10, when operation information permitted by policy information in which a document ID and a user ID are specified is requested from an external device such as a client PC or a multifunction peripheral, the processing is started, and the document ID is based on the document ID. The document information of the document indicated by is searched (1001). It is determined whether the document information can be searched (1002). If the document information cannot be searched (NO in 1002), error information is generated and a response is made to the requesting external device (1012).

  If the document information can be searched (YES in 1002), the policy ID indicated by the document information is acquired and the policy information indicated by the policy ID is searched (1003).

  It is determined whether or not the policy information for the policy ID can be searched (1004). If the search cannot be performed (NO in 1004), the document information of the derivation source document ID is searched by referring to the derivation source document ID of the document information. The policy ID specified there is used. The policy ID is acquired by sequentially tracing to the derivation source (root) (1013). At least the root document has a policy ID specified.

  Subsequently, the policy information for the policy ID is searched (1014). Thereafter, the process returns to step 1004 to determine again whether the policy information matches. In this way, iterative processing is performed.

  When the policy information for the policy ID can be searched (YES in 1004), only the policy information whose user ID is indicated in the use range item of the policy information is filtered (1005). As a result of filtering, it is determined whether there is policy information indicating the user ID (1006). If there is no corresponding policy information (NO in 1006), error information is generated and the request source external information is generated. It responds to the device (1012).

  If there is corresponding policy information (YES in 1006), the expiration date and time of the period in which the policy information is valid is generated from the information on the validity period of the filtered policy information and the creation date and time of the document (1007). . If the expiration date and time of the generated valid period is before the current time, the policy information cannot be applied, and the policy information is deleted (1008).

  It is determined whether there is any remaining policy information (1009). If no corresponding policy information remains (NO in 1009), error information is generated and a response is made to the requesting external device (1012).

  If policy information remains (YES in 1009), an operation list of operations to be permitted is created by merging permitted function list items of the policy information (1010). Then, among the remaining policy information expiration dates, the shortest one is set as the expiration date of the operation indicated in the created operation list (1011). If invalidation date / time is designated as document information, the invalidation date / time is assigned to the permission list.

  FIG. 11 is a flowchart showing a flow of processing for invalidating a document performed by the policy server of the document management system according to the embodiment of the present invention.

  In FIG. 11, when an invalidation request in which document ID, user ID, and invalidation range information is specified is received from an external device such as a client PC or a multifunction peripheral, processing is started, and a document included in the invalidation range information is displayed. A document ID is retrieved and acquired from the managed document information (1101). A detailed flow of this processing is shown in FIG.

  An “idList” that is a list of acquired document IDs is created (1102), and the following processing (1103 to 1108) is performed on each document ID included in the “idList”.

  First, the document information of the document ID shown in the “idList” is searched (1103), and it is determined whether the document information has been searched (1104). If the document information cannot be searched (NO in 1104), the document ID is deleted from “idList” (1109), and the process moves to the next document ID (1110).

  If the document information can be retrieved (YES in 1104), it is confirmed whether the creator of the document indicated by the document information matches the designated user ID (1105). It is determined whether or not they match (1106). If they cannot be matched (NO in 1106), the document ID is deleted from “idList” (1109), and the process moves to the next document ID (1110).

  If the user ID of the document creator matches the designated user ID (YES in 1106), it is then determined whether the document indicated by the document information has been invalidated (1107). That is, it is determined whether date / time is not specified in the invalidation date / time item of the document information (1107).

  If the date and time is specified and invalidated (NO in 1107), the document ID is deleted from "idList" (1109), and the process moves to the next document ID (1110). If not invalidated (YES in 1107), the current time is registered in the invalidation date / time item for invalidation (1108).

  In this way, the policy server invalidates the document.

  FIG. 12 is a flowchart showing a flow of processing for searching for a document designated in the invalidation range in FIG.

  In FIG. 12, when searching for a document designated as the invalidation range, “idList” indicating the designated document is initialized (1201). Then, it is determined whether the range designated as the invalidation range is “all” (1202). When “all” is not specified (NO in 1202), for example, when the invalidation range is “this”, the document ID included in the invalidation request received from the external device is designated as the document to be invalidated. “IdList” is created (1203).

  If “all” is designated as the invalidation range (YES in 1202), the document information of the document indicated by the document ID is searched (1204). As a result of the search, it is determined whether the document information can be searched (1205). If the document information for the document ID cannot be searched (NO in 1205), a result indicating an error is generated (1206).

  On the other hand, if the document ID can be searched (YES in 1205), subsequently, the derivation source document item of the searched document information is not registered and it is determined whether the document indicated by the document ID is the root document. Judgment is made (1207). If it is not the root document (NO in 1207), the document ID of the derivation source document specified in the derivation source document item is set to the document ID of the document specified in the invalidation range search (1208). Steps 1204 to 1207 are repeated based on this document ID.

  If no document ID is registered in the derivation source document ID item (YES in 1207), it can be determined that the document ID is the root document. When the root document is searched, the root document is added to “idList” as a document designated as the invalidation range (1209). Thereafter, the document ID is used as a root document, and a process for retrieving a document derived therefrom is performed.

  First, document information having the target document ID group as a derivation source document ID is searched (1210). Then, it is determined whether there is matching document information (1211). If there is a matching record (YES in 1211), the document ID group of the search result is set as the next target (1213), The process of step 1210 is performed on the document ID.

  Then, when there is no document information having the target document ID group as a derivation source document ID (NO in 1211), “idList” at that time becomes a list of document IDs of the derived document (1212).

  In this way, a list of document IDs of documents designated as invalidation ranges is created.

  FIG. 13 is a flowchart showing a flow of processing for creating a protected electronic document for an electronic document in the document management system according to the embodiment of the present invention.

  In FIG. 13, the process for creating the protected electronic document is executed by the client PC. Of course, this function may be implemented by the multifunction machine. The user designates an electronic document and instructs application of policy information (1301). Subsequently, a process of authenticating the instructed user is performed (1302).

  It is determined whether or not the authentication is successful (1303). If the authentication is impossible (NO in 1303), an error is displayed and the process is terminated (1304). If user authentication is performed (YES in 1303), the target electronic document is stored and saved (1305).

  Then, the policy server obtains a list of policy information to be applied to the electronic document from the policy server to obtain the list (1306), and the user or the system automatically optimizes from the policy information shown in the obtained policy information list. Policy information is selected (1307).

  Then, a document ID for identifying the created protected electronic document is created, and in addition to the document ID, the policy information of the selected policy information, the document name, the user ID, the media type, the creation date and time are designated, and the document information is designated. Register (1308).

  The document is encrypted with the encryption key indicated in the selected policy information to generate a protected document (1309).

  As a result, a protected electronic document is created.

  FIG. 14 is a flowchart showing a flow of processing for browsing a protected electronic document on the client PC of the document management system according to the embodiment of the present invention.

  In FIG. 14, for example, a protected electronic document is created by the process shown in FIG. 13, and the process is started when the user makes a browsing request for the protected electronic document. An authentication process is performed for the user who made the browsing request (1401). It is determined whether authentication by this authentication process is successful (1402). If the authentication is not successful (NO in 1402), an error message indicating that authentication cannot be performed is displayed on the screen of the client PC (1411).

  On the other hand, if the user authentication is successful (YES in 1402), the document ID is read from the protected electronic document to be browsed, and policy information is requested from the policy server from the read document ID and the user ID of the authenticated user. (1403).

  It is determined whether or not there is a response to the policy information from the policy server in response to this request (1404). If there is no response to the policy information (NO in 1404), the screen indicates that there is no corresponding policy information. It is displayed (1411).

  When policy information for the document ID and user ID is returned from the policy server (YES in 1404), it is then determined whether the target document has been invalidated (1412), and if it has been invalidated (1412). If YES in 1412, the document is deleted (1413). If the document has been deleted or has not been invalidated (NO in 1412), it is confirmed whether browsing of the electronic document is permitted by the policy information (1405). Specifically, the policy information is filtered by checking whether “browse electronic document” is described in the operation indicated in the permitted function list item of the response policy information.

  Then, as a result of filtering, it is determined whether or not the corresponding policy information is filtered (1406), and if it is not filtered (NO in 1406), that is, the policy information permitting “browsing electronic document” is applicable. If not, a message to reject the operation is displayed (1411).

  If the policy information permitting this operation has been filtered (YES in 1406), the policy information within the effective period is searched from the policy information (1407). This search determines whether or not the policy information within the valid period is applicable (1408), and if there is no applicable policy information (NO in 1408), that fact is displayed (1411).

  On the other hand, if browsing of the electronic document is permitted and there is policy information within the valid period (YES in 1408), the protected electronic document is decrypted with the designated decryption key, and the decrypted electronic document is set to the document ID. And memorize it together (1409). Then, the electronic document is displayed on the display screen of the client PC (1410).

  FIG. 15 is a flowchart showing a flow of processing for editing an electronic document by the client PC of the document management system according to the embodiment of the present invention.

  FIG. 15 shows processing when the electronic document stored in the client PC is edited by the processing shown in FIG. 14, and the processing is started when the user requests editing of the electronic document.

  At this time, the user is in an authenticated state, and policy information is requested from the policy server from the document ID of the electronic document to be operated and the user ID of the authenticated user (1501). It is determined whether or not there is a response to the corresponding policy information from the policy server (1502). If no matching policy information is returned (NO in 1502), that fact is displayed (1508).

  When matching policy information is returned from the policy server (YES in 1502), it is then determined whether the target document has been invalidated (1509), and if it has been invalidated (YES in 1509). The document is deleted (1510). If the document is deleted or not invalidated (NO in 1509), it is confirmed whether editing of the electronic document is permitted by the policy information (1503). Specifically, it is confirmed whether “edit electronic document” is designated in the permitted function list item of the matched policy information.

  If editing of the electronic document is permitted because “editing of electronic document” is specified in this item (YES in 1502), “editing of electronic document” is specified in the permitted function list item. The policy information is filtered, and it is determined whether there is the corresponding policy information after being filtered (1504).

  If there is no filtered policy information (NO in 1504), an error message indicating that there is no corresponding policy information is displayed (1508). If there is filtered policy information (YES in 1504), the policy information within the effective period is searched from the policy information (1505). It is determined whether or not the policy information within the expiration date is applicable by this search (1506). If there is no relevant policy information (NO in 1506), that fact is displayed (1508).

  On the other hand, if editing of the electronic document is permitted and there is policy information within the valid period (YES in 1506), the electronic document is edited (1507).

  FIG. 16 is a flowchart showing a flow of processing for printing an electronic document by the client PC of the document management system in the embodiment of the present invention.

  In FIG. 16, in the state where the electronic document is stored by the process shown in FIG. 14, an authenticated user makes a print request for the document (1601). A print image of the electronic document requested to be printed is generated and transmitted to the multifunction peripheral together with the document ID and the user ID (1602).

  As a result, the printing process by the multifunction device is started and printing is performed. In this case, it is essential to perform processing for inquiring the policy server as to whether or not the multifunction device has the right.

  FIG. 17 is a flowchart showing a flow of a second example of processing when an electronic document is printed by the client PC of the document management system according to the embodiment of the present invention. In this example, it is checked whether the client PC has the right to print.

  FIG. 17 shows a process when the electronic document stored in the client PC is printed by the process shown in FIG. 14, and the process is started when the user requests the electronic document to be printed.

  At this time, the user is in an authenticated state, and policy information is requested from the policy server from the document ID of the electronic document to be operated and the user ID of the authenticated user (1701). It is determined whether or not there is a response of the corresponding policy information from the policy server (1702), and if the matching policy information is not responded (NO in 1702), that fact is displayed (1708).

  When matching policy information is returned from the policy server (YES in 1702), it is subsequently determined whether or not the target document has been invalidated (1709), and if it is invalidated (YES in 1709). The document is deleted (1710). If the document has been deleted or has not been invalidated (NO in 1709), it is confirmed whether printing of the electronic document is permitted by the policy information (1703). Specifically, it is confirmed whether “print electronic document” is designated in the permitted function list item of the matched policy information.

  If printing of electronic documents is permitted because "Printing electronic documents" is specified in this item, filtering of policy information in which "Printing electronic documents" is specified in the permitted function list item is performed. Then, it is filtered to determine whether there is corresponding policy information (1704).

  If there is no filtered policy information (NO in 1704), an error display indicating that there is no corresponding policy information is displayed (1708). If there is filtered policy information (YES in 1704), the policy information within the effective period is searched from the policy information (1505). It is determined whether or not the policy information within the expiration date is applicable by this search (1706). If there is no relevant policy information (NO in 1706), that fact is displayed (1708).

  On the other hand, if printing of the electronic document is permitted and there is policy information within the valid period (YES in 1706), an electronic document printing request is made (1707).

  In the case of this example, since it is checked whether or not there is a right on the client PC side, it is not essential to perform the check on the multifunction device side. Of course, both may be executed.

  FIG. 18 is a flowchart showing a flow of processing for storing an electronic document in the client PC of the document management system according to the embodiment of the present invention.

  In FIG. 18, when an authenticated user instructs to save an electronic document stored in the client PC, it is confirmed whether a document ID is assigned to the electronic document instructed to save (1801). That is, if a document ID is assigned, it can be determined that the document is a protection target document.

  It is determined whether a document ID is assigned (1802). If a document ID is assigned (YES in 1802), the document is encrypted using an encryption key, and a new document ID is assigned and stored. (1803). If no document ID is assigned (NO in 1802), the electronic document is saved in that state (1804).

  FIG. 19 is a flowchart showing a flow of the second example in the process when the electronic document is stored in the client PC of the document management system in the embodiment of the present invention. In this case, a process for deriving a document when editing and saving is performed. In other words, the saved document is handled as a different document with a derivation relationship with the document before saving.

  In FIG. 19, when an authenticated user instructs to save an electronic document stored in the client PC, it is confirmed whether a document ID is assigned to the electronic document instructed to save (1901). That is, if a document ID is assigned, it can be determined that the document is a protection target document.

  It is determined whether or not a document ID is assigned (1902). If a document ID is assigned (YES in 1902), the document is encrypted using an encryption key, and a new document ID is assigned and stored. (1903). If no document ID is assigned (NO in 1902), the electronic document is stored in that state (1904).

  When a protected electronic document is created for a document to which a document ID is assigned, a newly assigned new document ID, an old document ID assigned to the original document, a document name, and a user ID of the user who performed this operation Document information of media type and creation date is registered (1905).

  FIG. 20 is a flowchart showing the flow of invalidation processing performed by the client PC of the document management system in the embodiment of the present invention.

  When the user designates a protected electronic document to be invalidated, user authentication is first performed (2001). It is determined whether or not authentication has been performed (2002), and if authentication is not possible (NO in 2002), a message to that effect is displayed (2003).

  If the authentication is successful (YES in 2002), the invalidation range is designated in the protected electronic document (2004). As a method for specifying the invalidation range, for example, there are a method of displaying a screen to the user and designating by a user operation, and a method of designating the invalidation range in advance.

  The invalidation range designated by such a designation method is either only the document designated as the protected electronic document or all the electronic documents related to the protected electronic document.

  When the invalidation range is designated, the document ID is read out from the target document (2005). Based on the read document ID, the user ID of the authenticated user, and the designated invalidation range, the policy server is requested to invalidate the document (2006). When the policy server responds to this request, the electronic document is deleted when the invalidation processing is completed by the response (2007).

  FIG. 21 is a flowchart showing the flow of printing processing performed by the multifunction peripheral of the document management system according to the embodiment of the present invention.

  In FIG. 21, when a print request is received from a client PC or the like, processing is started, and policy information for the document ID and user ID included in the print request is requested from the policy server (2101). It is determined whether or not the policy information can be retrieved by the policy server (2102). If the policy information cannot be retrieved (NO in 2102), a message to that effect is displayed (2103).

  If the policy information can be retrieved (YES in 2102), it is then determined whether the target document has been invalidated (2111). If it has been invalidated (YES in 2111), The document is deleted (2112). After the document is deleted or when it is not invalidated (NO in 2111), policy information that permits printing of the electronic document is filtered by the policy information (2104). Specifically, policy information in which “print electronic document” is specified in the permitted function list item of the policy information is filtered.

  As a result, it is determined whether there is filtered policy information (2105). If the policy information does not match (NO in 2105), an error is displayed (2104). If the policy information matches (YES in 2105), a search is made for items that are within the validity period set in the matched policy information (2106). It is determined whether there is policy information within the valid period (2107). If all the valid periods have passed (NO in 2107), a message to that effect is displayed (2103).

  If there is policy information within the valid period (YES in 2107), the print image, document ID, and user ID requested to be printed are stored (2108). Then, a new document ID is created, an image image of a digital code is generated from the document ID, and is combined with the print image of the document (2109). Document information of the combined print image is registered in the policy server (2110).

  In this way, the protected document is printed out.

  FIG. 22 is a flowchart showing the flow of copying processing performed by the multifunction peripheral of the document management system in the embodiment of the present invention.

  In FIG. 22, processing is started when a protected paper document is placed on the platen glass of the multifunction machine or on the ADF and the copy button is pressed. First, user authentication is performed (2201). Then, it is determined whether or not the authentication is successful (2202). If the authentication cannot be performed (NO in 2202), an error is displayed (2203).

  If the authentication is successful (YES in 2202), the set protected paper document is read, an image is generated, and the document ID is read from the image and decoded (2204).

  Thus, it is determined whether or not the document ID can be decoded (2205). If the document ID cannot be decoded (NO in 2205), a message to that effect is displayed (2203). If the decryption is successful (YES in 2205), a request for policy information based on the document ID and user ID is made to the policy server (2206).

  It is determined whether there is policy information returned from the policy server (2207). If there is no policy information (NO in 2207), an error is displayed (2203). If there is policy information (YES in 2207), it is then determined whether the target document is invalidated (2215). If it is invalidated (YES in 2215), the document is deleted. It is deleted (2216). If the document has been deleted or if it has not been invalidated (NO in 2215), policy information that permits “copying of paper document” is filtered (2208). Specifically, the policy information in which “copy paper document” is designated in the permitted function list item of the policy information is searched.

  As a result of filtering, it is determined whether there is matching policy information (2209). If there is policy information (YES in 2209), the policy information within the valid period is searched (2210).

  It is determined whether there is policy information within the effective period (2211). If there is no policy information (NO in 2211), it is displayed that there is no corresponding policy information (2203). If there is policy information within the valid period (YES in 2211), the print image, document ID, and user ID requested to be printed are stored (2212).

  Then, a new document ID is created, an image image of a digital code is generated from the document ID, and is combined with the print image of the document (2213). Document information of the combined print image is registered in the policy server (2214).

  FIG. 23 is a flowchart showing a flow of scan processing for creating an electronic document from a paper document performed by the multifunction peripheral of the document management system according to the embodiment of the present invention.

  In FIG. 23, when a protected paper document is placed on the platen glass or ADF of the multifunction machine and a scan button for reading the protected paper document is pressed, the processing is started. First, user authentication is performed (2301). Then, it is determined whether or not the authentication is successful (2302). If the authentication cannot be performed (NO in 2302), an error display is performed (2303).

  If the authentication is successful (YES in 2302), the set protected paper document is read, an image is generated, and the document ID is read from the image and decoded (2304).

  Thus, it is determined whether the document ID can be decoded (2305). If the document ID cannot be decoded (NO in 2305), a message to that effect is displayed (2303). If the decryption is successful (YES in 2305), a request for policy information based on the document ID and user ID is made to the policy server (2306).

  It is determined whether there is policy information returned from the policy server (2307). If there is no policy information (NO in 2307), an error is displayed (2303). If there is policy information (YES in 2307), it is then determined whether the target document is invalidated (2315). If it is invalidated (YES in 2315), the document is deleted. It is deleted (2316). If the document has been deleted or if it has not been invalidated (NO in 2315), policy information that permits “scanning of paper document” is filtered (2308). Specifically, the policy information in which “paper document scanning” is designated in the permitted function list item of the policy information is searched.

  As a result of filtering, it is determined whether there is matching policy information (2309). If there is policy information (YES in 2309), the policy information within the valid period is searched (2310).

  It is determined whether there is policy information within the valid period (2311). If there is no policy information (NO in 2311), it is displayed that there is no corresponding policy information (2303). If there is policy information within the valid period (YES in 2311), the read image image, document ID, and authenticated user ID are stored (2312). Then, a new document ID is created, the image is converted into an electronic document, encrypted using an encryption key, and a protected electronic document with a new document ID is created (2313). The protected electronic document is registered in the policy server (2314).

  FIG. 24 is a flowchart showing a flow of processing for invalidating a protected paper document performed by the multifunction peripheral and the shredder of the document management system according to the embodiment of the present invention.

  In FIG. 24, in the case of a multifunction machine, a process is started by placing a protected paper document on a platen glass or on an ADF and pressing an invalidation button for performing invalidation processing. In the case of a shredder, processing is started by setting a protected paper document in the document insertion slot.

  First, user authentication is performed (2401). Then, it is determined whether or not the authentication is successful (2402). If the authentication cannot be performed (NO in 2402), an error is displayed (2403). If the authentication is successful (YES in 2402), the invalidation range for the protected paper document is designated (2404).

As an invalidation range designation method, for example, there are a method of designating by a user operation and a method of predesignating the invalidation range. Further, in the case of a shredder, a button is set on the shredder, and a document to be invalidated is designated by the button.

  The invalidation range designated by such a designation method is either only the document designated as the protected paper document or all the protected documents related to the protected paper document. In particular, in the case of a shredder, a button capable of selecting either of these is installed, and the invalidation range is designated by pressing one of them.

  When the invalidation range is designated, a digital code is read from an image image obtained by reading a paper document, and the document ID is decoded (2405). Then, it is determined whether the decoding is successful (2406). If the decoding is successful (YES in 2406), the policy server is requested to invalidate the document specified by the document ID (2407).

  When invalidation of the policy information of the document is set by the policy server, the document is discarded (2408).

  If the decryption of the document ID is not successful (NO in 2406), a message to that effect is displayed (2403) and the process is terminated.

  In the case of a multifunction machine, the paper document to be discarded is discarded by storing it in a special tray or cutting with a shredder. In the case of a shredder, the protected paper document is discarded by cutting.

  In the above description, the multifunction device 400 is configured to discard a document when the paper document is invalidated in the operation of the paper document. However, recent multifunction devices include a multifunction device that can directly process an electronic document.

  For example, it has a function of storing an electronic document in a multi-function peripheral and printing or faxing it according to an instruction. Even in such a case, the policy server is inquired about the policy information and invalidated by executing the same processing as that in the MFP or the client PC, that is, the processing of reading the document ID from the protected electronic document. The electronic document can be deleted from the storage device.

  Further, although the policy server 100 is configured to receive the invalidation request from the external device, the policy server itself may be configured to directly receive the invalidation request.

  The embodiment of the present invention is not limited to the present embodiment, and includes such a configuration.

  In the present invention, the program is executed from a recording medium (CD-ROM, DVD-ROM, etc.) storing a program for executing the above-described operation in a document management system having a communication function or configuring the above-described means. It is also possible to configure a document management system that executes the above-described processing by installing the program in a computer and executing it. A computer constituting the document management system is connected to a central processor unit (CPU), a read only memory (ROM), a random access memory (RAM), and a hard disk via a system bus. The CPU performs processing using the RAM as a work area according to a program stored in the ROM or the hard disk.

  The medium for supplying the program may be a communication medium (a medium for temporarily or fluidly holding the program such as a communication line or a communication system). For example, the program may be posted on an electronic bulletin board (BBS: Bulletin Board Service) of a communication network and distributed via a communication line.

  The present invention is not limited to the embodiments described above and shown in the drawings, and can be implemented with appropriate modifications within a range not changing the gist thereof.

1 is an example of a system configuration diagram of a document management system configured by applying a document management system and a program according to an embodiment of the present invention. The figure showing the state of the protection document to which policy information is applied with the document management apparatus of the document management system in embodiment of this invention. The block diagram which shows the detailed structure of the policy server shown in FIG. The block diagram which shows the detailed structure of the client PC shown in FIG. FIG. 2 is a block diagram illustrating a detailed configuration of the multifunction machine illustrated in FIG. 1. FIG. 2 is a block diagram illustrating a detailed configuration of the multifunction machine illustrated in FIG. 1. The block diagram which shows the detailed structure of the shredder shown in FIG. The table block diagram which shows policy information. The table block diagram which shows document information. 6 is a flowchart showing a flow of processing for searching policy information performed by a policy server of the document management system according to the embodiment of the present invention. 6 is a flowchart showing a flow of processing for invalidating a document performed by a policy server of the document management system according to the embodiment of the present invention. 12 is a flowchart showing a flow of processing for searching for a document designated in the invalidation range in FIG. 6 is a flowchart showing a flow of processing for creating a protected electronic document for an electronic document in the document management system according to the embodiment of the present invention. 6 is a flowchart showing a flow of processing for browsing a protected electronic document on a client PC of the document management system according to the embodiment of the present invention. 6 is a flowchart showing a flow of processing for editing an electronic document by a client PC of the document management system according to the embodiment of the present invention. 6 is a flowchart showing a flow of processing for printing an electronic document by a client PC of the document management system according to the embodiment of the present invention. 6 is a flowchart showing a flow of processing for printing an electronic document by a client PC of the document management system according to the embodiment of the present invention. 4 is a flowchart showing a flow of processing for storing an electronic document in a client PC of the document management system in the embodiment of the present invention. 4 is a flowchart showing a flow of processing for storing an electronic document in a client PC of the document management system in the embodiment of the present invention. 6 is a flowchart showing a flow of invalidation processing performed by a client PC of the document management system according to the embodiment of the present invention. 6 is a flowchart showing a flow of printing processing performed by the multifunction peripheral of the document management system according to the embodiment of the present invention. 6 is a flowchart showing the flow of copying processing performed by the multifunction peripheral of the document management system according to the embodiment of the present invention. 6 is a flowchart illustrating a flow of scan processing for creating an electronic document from a paper document performed by the multifunction peripheral of the document management system according to the embodiment of the present invention. 6 is a flowchart showing a flow of processing for invalidating a protected paper document performed by the multifunction peripheral and the shredder of the document management system according to the embodiment of the present invention.

Explanation of symbols

10 Security Policy List Response Unit 11 Security Policy Search Unit 12 Security Policy Registration Unit 13 Security Policy Invalidation Unit 14 Security Policy DB
15 Document information DB
DESCRIPTION OF SYMBOLS 30 Protected electronic document production | generation part 31 Document ID production | generation part 32 Document edit part 33 Document memory | storage part 34 Document display part 35 Control part 36 Document deletion part 37 User authentication part 38 Protected document discard part 39 Protected document printing part 40 Document ID encoding part 41 Protected paper document generation unit 42 Printing unit 43 Document ID generation unit 44 Image storage unit 45 Protected electronic document generation unit 46 Document ID analysis unit 47 Control unit 48 User authentication unit 49-1 Paper document discard unit 49-2 Document storage unit 50 Control Unit 51 Document ID reading unit 52 Paper document discarding unit 53 User authentication unit 100 Policy server 200 Authentication server 300 Client PC
400 MFP 500 Discarding device (shredder)

Claims (8)

A discriminating means for discriminating whether invalidation information is set in the management information of the document when operating the document;
A document processing apparatus comprising: a discarding unit that discards the document when the determination unit determines that the document is invalidated. Invalidation means for invalidating the document by setting invalid information in the management information of the document;
A document processing apparatus comprising: a discard unit that discards the document when the document is invalidated by the invalidation unit. The document is
An electronic document,
The discarding means
The document processing apparatus according to claim 1, wherein the electronic document is deleted when it is determined that the electronic document is invalidated by the determination unit. The document is
A paper document,
The discarding means
The document processing apparatus according to claim 1, wherein when the paper document is determined to be invalidated by the determining unit, the paper document is cut by the document cutting apparatus. The document is
A paper document,
The discarding means
The document processing apparatus according to claim 1, wherein the paper document is stored in a protection storage unit when the determination unit determines that the paper document is invalidated. A management device for managing operation restriction information for restricting operation of the document corresponding to the document;
A document operation device that operates a document under operation restriction by the operation restriction information managed by the management means,
The management device
Invalidating means for invalidating the document by setting invalid information in the operation authority information of the document,
The document operation device includes:
Determining means for determining whether the document has been invalidated by the invalidating means by inquiring to the management apparatus when operating the document;
A document management system comprising: a discarding unit that discards the document when the determination unit determines that the document is invalidated. Computer
A discriminating means for discriminating whether invalid information is set in the management information of the document when operating the document;
A document management program that functions as a discarding unit that discards a document when the determination unit determines that the document is invalidated. Computer
Invalidation means for invalidating the document by setting invalid information in the management information of the document;
A document management program that functions as a discarding unit that discards a document when the document is invalidated by the invalidation unit.

Images