JP2009199390A - Image forming apparatus, electronic device and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an image forming apparatus for, when an print error occurs in a device to receive an access-controlled electronic document, appropriately handling the error by recording information in more detail, reporting it to an apparatus manager, or preserving an evidence for alteration. <P>SOLUTION: When error information is reported from a security policy server 6A (S138), the image forming apparatus 2Z (document print program) records an error log (S150 and S152), reports error information to the apparatus manager (S154), preserves the electronic document in the own apparatus (S156 and S158), reports the error information to a recording server for preservation (S160 and S162), reports the electronic document to the recording server for preservation (S164 and S166), locks the apparatus to prohibit all subsequent operations (S170 and S172), prints the error information (S174 and S176), and stops print processing and reports an error alarm to a user (S180 and S182). <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an image forming apparatus that forms an image on a predetermined output medium based on a security policy relating to a document, an electronic device that accepts a user operation based on a security policy, and a program.

When an operation request for electronic information such as an electronic document (referred to as electronic information) is received, access control is performed such as permitting or disapproving the operation request or permitting it with a certain condition. The mechanism is known. This mechanism is a technique for controlling user access to electronic information in accordance with a security policy managed for each electronic information, and access to be controlled includes file opening and printing.
For example, when operating an electronic computer such as a personal computer or a server, a printing apparatus, a copying apparatus, a FAX apparatus, or a multifunction machine capable of executing these multiple functions installed in an office, it is desired to control document security. In order to respond, for example, Patent Document 1 proposes a mechanism for managing permission / denial of device operation by setting access rights (also referred to as security settings).

JP 2004-152263 A

  In the mechanism described in Japanese Patent Application Laid-Open No. 2004-228561, printing permission / prohibition and printing requirements based on a means for acquiring a user attribute for printing a document file, a means for acquiring a document file attribute, and the acquired user and document file attributes. A security policy that defines (an example of access right) is searched to obtain a printing requirement, and a means for forcing the acquired printing requirement at the time of printing is provided. This eliminates the need for device security knowledge regarding the security settings for document printing, eliminates the need for security settings for each device, and allows the overall security status to be ascertained. It is possible to realize that is protected.

  The mechanism described in Patent Document 1 employs a dynamic method of managing access rights and decryption keys by a management server, also called a policy server, and the access rights are distributed after distributing the electronic document with the access rights set. Since it can be changed dynamically, rights such as browsing and printing at the distribution destination can be changed as necessary. In addition, since the server always inquires about the status of the access right at the time of operation, it is possible to record the operation status of the electronic document at the distribution destination as a record.

  The present invention makes it possible to change the access right at the distribution destination of electronic information such as an electronic document to which the access right is set, and moreover, when an error occurs without confirmation of a valid access right at the distribution destination, It is an object of the present invention to provide a mechanism capable of performing appropriate error handling processing such as detailed information recording, notification to an apparatus administrator, or evidence maintenance by the possibility of falsification.

  According to the first aspect of the present invention, a user who prints an electronic document for which access rights are managed and a security policy that defines printing permission / rejection and printing requirements are retrieved based on the attributes of the electronic document to obtain printing requirements. A printing requirement application control unit that controls to apply the acquired printing requirement at the time of printing processing, and when an error occurs that does not match the acquired printing requirement, more detailed information is recorded, An image processing apparatus comprising: an error handling processing unit that performs a predetermined error handling process that contributes to evidence maintenance due to notification or possibility of tampering.

  According to a second aspect of the present invention, in the first aspect of the present invention, the error handling processing unit determines error handling processing contents with reference to an operation setting registered in advance in the own device. Features.

  According to a third aspect of the present invention, in the first aspect of the present invention, the operation setting for determining the error response processing content is registered in advance in the security policy server, and the error response processing unit is provided by the security policy server. The content of error handling processing is determined with reference to the notified operation setting.

  According to a fourth aspect of the invention, in the third aspect of the invention, the operation setting can be changed from the security policy server for each job.

  According to a fifth aspect of the present invention, in the first aspect of the present invention, the operation setting for determining the content of error handling processing is pre-registered in a security policy server, and the error handling processing unit is configured to activate the device. Sometimes, error handling processing content is determined with reference to an operation setting acquired by checking with the security policy server.

  The invention according to claim 6 is the invention according to any one of claims 1 to 5, wherein the electronic document in which the access right is managed is encrypted, and the electronic document is converted into plain text. A decryption key obtaining unit for obtaining a decryption key for making the decryption key, and a decryption unit for returning the encrypted electronic document to plaintext using the decryption key obtained by the decryption key obtaining unit. Features.

  The invention according to claim 7 is the invention according to any one of claims 1 to 6, wherein the error handling processing unit sends error information indicating a situation at the time of error occurrence to a predetermined in the apparatus. And an error information recording unit for recording in the storage device.

  According to an eighth aspect of the invention, in the invention according to any one of the first to seventh aspects, the error handling processing unit notifies the device administrator of error information indicating a situation when an error occurs. It has an error information notification maintenance unit that performs

  According to a ninth aspect of the invention, in the invention according to any one of the first to eighth aspects, the error handling processing unit stores an electronic document to be printed in a predetermined storage device in its own device. And an electronic document maintenance unit for maintaining the electronic document.

  The invention according to claim 10 is the invention according to any one of claims 1 to 9, wherein the error handling processing unit records error information indicating a situation when an error occurs, and records an operation situation. And an error information notification maintenance unit for notifying and maintaining the server.

  According to an eleventh aspect of the present invention, in the invention according to any one of the first to tenth aspects, the error handling processing unit stores an electronic document to be printed on a server that records an operation status. It has an electronic document transmission maintenance section that transmits and maintains it.

  According to a twelfth aspect of the invention, in the invention according to any one of the first to eleventh aspects of the invention, the error handling processing unit sends error information indicating a situation at the time of error occurrence to a predetermined output medium. And an error information printing control unit for controlling printing to be performed.

  According to a thirteenth aspect of the present invention, in the twelfth aspect of the invention, the error information print control unit causes the error information printed out only by a device administrator to be discharged to an available discharge device. Features.

  The invention described in claim 14 is the operation lock unit according to any one of claims 1 to 13, wherein the error handling processing unit locks all operations of the device after the error occurs. It is characterized by having.

  The invention according to claim 15 is the invention according to any one of claims 1 to 14, further comprising an imaging unit that captures a still image or a moving image of the operator, wherein the error handling processing unit includes: And an error image acquisition unit that treats a still image or a moving image indicating the operation status acquired by the imaging unit as error information when an error occurs and passes the error image to each function unit.

  According to a sixteenth aspect of the present invention, a user who performs a processing operation of electronic information for which access rights are managed and a security policy that defines operation permission / inhibition and operation requirements based on an attribute of the electronic information are searched to determine the operation requirements. Information processing unit that acquires and enforces the acquired operation requirements at the time of information processing, and when an error occurs that does not match the acquired operation requirements, more detailed information recording, notification to the device administrator, or tampering An electronic apparatus comprising: an error handling processing unit that performs a predetermined error handling process that contributes to evidence maintenance by possibility.

  The invention according to claim 17 is a program for using a computer to perform security policy management processing for controlling whether or not the device can be operated based on a security policy relating to electronic information, and the access right of the computer is managed. Based on the user who operates the electronic information and the attribute of the electronic information, search the security policy that defines the operation permission / inhibition and the operation requirement, acquire the operation requirement, and control to apply the acquired operation requirement at the time of information processing The program is made to function as an operation requirement application control unit and an error handling processing unit that performs predetermined error handling processing when an error does not match the acquired operation requirements.

  According to the first aspect of the present invention, compared with the case where the invention according to the first aspect is not adopted, the actual print processing time at the distribution destination of the electronic document in which the access right is managed by the security policy server. When printing cannot be performed due to an error that does not meet the set printing requirements, information can be recorded, notified, and maintained for internal control.

  According to the second aspect of the present invention, it is possible to determine the error handling processing content only by the own apparatus, as compared with the case where the invention according to the second aspect is not adopted.

  According to the third aspect of the present invention, compared with the case where the invention according to the third aspect of the present invention is not adopted, it is possible to determine the error handling processing content by the cooperation processing with the security policy server.

  According to the fourth aspect of the present invention, it is possible to dynamically determine the error handling processing contents for each job as compared with the case where the invention according to the fourth aspect is not adopted.

  According to the fifth aspect of the present invention, when the image forming apparatus is activated, the content of the error handling process is determined by the cooperation process with the security policy server, as compared with the case where the invention according to the fifth aspect is not adopted. Can do.

  According to the sixth aspect of the present invention, compared with the case where the invention according to the sixth aspect of the present invention is not adopted, it is possible to improve the security performance regarding the storage of job data in the image forming apparatus.

  According to the invention described in claim 7, as compared with the case where the invention according to claim 7 is not adopted, an error log for internal control can be recorded and maintained in the own apparatus.

  According to the invention described in claim 8, it is possible to notify the device manager of error information for internal control as compared with the case where the invention according to claim 8 is not adopted.

  According to the invention described in claim 9, compared with the case where the invention according to claim 9 is not adopted, the electronic document to be printed for internal control can be maintained in the own apparatus.

  According to the invention described in claim 10, error information for internal control can be recorded and maintained by the server as compared with the case where the invention according to claim 10 is not adopted.

  According to the invention described in claim 11, as compared with the case where the invention according to claim 11 is not adopted, the electronic document to be printed for internal control can be maintained by the server.

  According to the twelfth aspect of the present invention, error information for internal control can be acquired and confirmed as a print result as compared with the case where the invention according to the twelfth aspect is not adopted.

  According to the invention described in claim 13, it is possible to prevent the general user from taking out the error information output result as compared with the case where the invention according to claim 13 is not adopted.

  According to the invention described in claim 14, compared to the case where the invention according to claim 14 is not adopted, the subsequent operation of the apparatus is impossible, so that illegal removal of the protected information can be prevented more reliably. it can.

  According to the fifteenth aspect of the present invention, the operator can be easily identified during error analysis as compared with the case where the invention according to the fifteenth aspect is not adopted.

  According to the invention described in claim 16, compared with the case where the invention according to claim 16 is not adopted, at the time of actual information processing at the distribution destination of the electronic information whose access right is managed by the security policy server. When information that cannot be executed due to an error that does not meet the set operational requirements, information can be recorded, notified, and maintained for internal control.

  According to the invention described in claim 17, compared to the case where the invention according to claim 17 is not adopted, the actual print processing time at the distribution destination of the electronic document whose access right is managed by the security policy server. A system for recording, notifying, and maintaining information for internal control can be realized using a computer when printing cannot be performed due to an error that does not meet the set printing requirements.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

<System configuration>
FIG. 1 is a diagram showing a configuration example of a document processing history management system partially including an image forming system to which an embodiment of the present invention is applied. The document processing history management system 1 of the present embodiment includes a security policy management processing system, and permits device operation based not only on a document processing history storage function for recording device operation history but also on a security policy for electronic documents. / It is characterized in that it has a security policy management function for controlling non-permission (referred to as device operation availability).

  As shown in the figure, the document processing history management system 1 of the present embodiment has various image output functions for outputting an image to an output medium such as paper and an image acquisition function for reading an image on the output medium and acquiring electronic data. Imaging device 2 and a client device 4 for instructing various imaging devices 2 to perform image acquisition processing and image output processing. As the client apparatus 4, a distributor terminal 4A having a function of setting a security policy that defines image output permission / rejection and image output requirements for a document to be distributed, and an image reading process and an image output process using the distributed document are instructed. Including a processing instruction terminal 4B.

  Further, the document processing history management system 1 includes a document processing history management device 6 having a document processing history management function and a security policy management function (function of the security policy server 6A) that controls image forming processing according to a security policy, and a personal authentication process ( An authentication server 7 is also provided for performing (also called a directory service). Each functional unit is connected by a network 9 which is an example of a communication unit. The document processing history management device 6 and the authentication server 7 constitute an access management server 8. In other drawings, the security policy server 6A may be referred to as a “policy server”.

  The document processing history management function is a function for logging operations on an electronic document by a report from a program that handles the electronic document. Specifically, the processed document image is subjected to image acquisition processing and image output processing by various imaging devices 2. This is a function for recording, storing and managing a processing history (also referred to as a log) together with the situation when it is made, and retrieving stored information (including images).

  Further, the document processing history management system 1 includes a shredder device 3 for discarding a document. The shredder device 3 can identify a document when it is discarded, and is connected to the document processing history management device 6 via the network 9 or the like. The information of the identified document is sent to the document processing history management device 6. Notice.

  The imaging device 2 includes an image processing control unit 22 that controls image reading processing and image forming processing. As the imaging device 2, for example, a copying machine 2A having an image acquisition function and an image output function (collectively referred to as a copy function), a single function called a printer (only a print function which is an example of an image output function) is printed. There are an apparatus 2B, an image reading apparatus 2C having an image acquisition function called a scanner (particularly called a scanner function), a multifunction machine 2D having a printing function, a copying function and a scanner function, and a facsimile machine 2E. Or a document processing history management apparatus 6 via a predetermined connection interface. In the figure, one or two imaging devices 3 are shown, but the number thereof may be arbitrary, and depending on the system operation, either may not exist. Each operation case will be described later.

  Among the imaging devices 2, those having an image output function such as the printing device 2B and the multifunction device 2D are particularly referred to as an image forming device 2Z. In this embodiment, the image forming apparatus 2Z is a so-called page printer that outputs (prints) data for one page collectively.

  For example, the copying machine 2A is connected to the document processing history management apparatus 6 via the network 9, and when a user operates the operation panel (not shown) of the copying machine 2A to give a copying instruction. Then, the image read in accordance with the copy instruction (specifically, image data that is electronic data: the same applies hereinafter) is transmitted to the document processing history management apparatus 6. At this time, the copying machine 2A authenticates the user who has given the copy instruction by inputting the user name and password, and obtains information such as a user name for identifying the user obtained by this authentication as an image. At the same time, it may be transmitted to the document processing history management apparatus 6.

  Further, the copying machine 2A does not directly form the read image on the sheet, but receives the image to be formed from the document processing history management device 6 and forms an image corresponding to the sheet based on the received image. To do. That is, the copying machine 2A once transmits an image obtained by reading a document to be copied to the document processing history management device 61, and continues processing based on the image received from the document processing history management device 6.

  The printing apparatus 2B is connected to the processing instruction terminal 4B and the document processing history management apparatus 6 via the network 9, and is input from the processing instruction terminal 4B (possibly via the document processing history management apparatus 6). Based on the above, an image is formed on an output medium such as paper.

  The image reading device 2C is connected to the document processing history management device 6 via the network 9, and the user operates the operation panel (not shown) of the image reading device 2C or the processing instruction terminal 4B to read instructions. Is performed, the read image is transmitted to the document processing history management apparatus 6 in accordance with the reading instruction. At this time, the image reading apparatus 2C authenticates the user who has instructed the reading by inputting the user name and password, and information such as the user name for identifying the user obtained by this authentication is obtained. You may transmit to the document processing log | history management apparatus 6 with an image.

  The multifunction machine 2D is connected to the document processing history management apparatus 6 via the network 9, and executes the functions of the copying machine 2A, the printing apparatus 2B, and the image reading apparatus 2C.

  The facsimile machine 2E is connected to the document processing history management apparatus 6 via the network 9, and transmits the read image by FAX, or outputs a FAX image to an output medium such as paper based on the received image, and at the time of transmission / reception Are output to the document processing history management apparatus 6.

  The hardware configuration of the image processing control unit 22 provided in the imaging device 2 includes, for example, a central processing control unit (CPU) that performs control processing and arithmetic processing, and a RAM (Random Access) that stores processing data and program data. A mechanism similar to that of a general electronic computer including a memory device such as a memory (ROM) or a ROM (read only memory) can be used. An example of the hardware configuration is well known as a configuration of an electronic computer such as a personal computer constructed from a microprocessor or the like that executes predetermined processing software.

  That is, in the present embodiment, the mechanism of the image processing control unit 22 that performs a central function of controlling processing for reading an image or processing for forming an image on a predetermined output medium is not limited to being configured by a hardware processing circuit. Alternatively, it can be realized in software using an electronic computer (computer) based on a program code that realizes the function. By adopting a mechanism that is executed by software, it is possible to enjoy an advantage that the processing procedure can be easily changed without changing hardware.

  When the electronic computer is caused to execute the function of controlling the image reading process and the image forming process by software, a computer (such as an embedded microcomputer) in which a program constituting the software is incorporated in dedicated hardware, or , A system on a chip (SOC) that implements a desired system by mounting functions such as a CPU, logic circuit, and storage device on a single chip, or various programs by installing various programs It is installed from a recording medium in a general-purpose personal computer or the like capable of executing functions.

  The recording medium causes a state change of energy such as magnetism, light, electricity, etc. according to the description contents of the program to the reading device provided in the hardware resource of the computer, and in the form of a signal corresponding to the change. The program description can be transmitted to the reader. For example, a magnetic disk (including a flexible disk FD), an optical disk (CD-ROM (Compact Disc-Read Only Memory)), a DVD on which a program is recorded, which is distributed to provide a program to a user separately from a computer. (Including Digital Versatile Disc), magneto-optical disk (MO (Magneto Optical Disk)), or package media (portable storage media) made of semiconductor memory, etc. It may be configured by a ROM, a hard disk, or the like in which a program is recorded that is provided to the user in a state. The program constituting the software is not limited to being provided via a recording medium, and may be provided via a wired or wireless communication network. The form using these electronic computer mechanisms and the accompanying program in-roll are the same in the document processing history management apparatus 6 and the authentication server 7 described later.

  An electronic document program, which is a program for performing processing related to an electronic document, in an imaging device 2 having an image forming function (copier 2A, printing device 2B, multifunction device 2D, facsimile 2E: hereinafter also collectively referred to as image forming device 2Z), A document printing program is incorporated as an example of a security policy management program for controlling permission / non-permission of device operation (referred to as device operation permission / prohibition) based on a security policy regarding an electronic document.

  The document print program decrypts the protected document and performs a process for causing the image forming unit to execute a print process according to the set print requirements when a print request is received from the user (user) of the process instruction terminal 4B. It is. For example, input data spooling function (storing function), authentication processing function, encryption processing function, encryption key acquisition function, decryption processing function, decryption key acquisition function, security policy server cooperation function required for handling electronic documents , Including image forming requirement acquisition function, script processing (including workflow) function, image data generation function (print data generation function), job log function, network function (such as mail transmission and file transfer). Output image formation data (print data) processed according to the document printing program is sent to the image forming unit.

  As an example of a security policy management program that controls whether or not the device can be operated based on a security policy relating to an electronic document, a document protection program is provided in the distributor terminal 4A, and a document print instruction program, also referred to as a printer driver, is provided in the processing instruction terminal 4B. Each is incorporated. The document protection program sets processing requirements according to the input operation of the user (distributor) of the distributor terminal 4A to the document file, performs an authentication process, encrypts the document file using an encryption algorithm, and protects it. It is a program that performs processing for generating a document. For example, program modules such as an authentication processing function (for example, password processing), an encryption processing function, an encryption key acquisition function, an attribute assignment function, an attribute registration function, and a security policy server cooperation function necessary for handling electronic documents are included. As an encryption algorithm, any method such as a common key encryption method or a public key encryption method may be used. As is well known, the latter has better security performance.

  The distributor terminal 4A and the processing instruction terminal 4B are connected to the document processing history management apparatus 6 via the network 9, and images to be processed by the printing apparatus 2B, the image reading apparatus 2C, etc., and the names of users who give processing instructions. To the document processing history management device 6. The distributor terminal 4A and the processing instruction terminal 4B are composed of a display device mainly including a liquid crystal panel and a CRT (Cathode Ray Tube), an instruction input device such as a keyboard and a mouse, an FDD (Flexible Disk Drive), and an HDD (Hard Disk). A personal computer equipped with a recording device such as Drive) can be applied.

  As an example of an electronic document program that is a program for performing processing related to an electronic document, a document protection program is incorporated in the distributor terminal 4A, and a document print instruction program also called a printer driver is incorporated in the processing instruction terminal 4B. The distributor terminal 4A includes only a program module that accepts a request for document protection, and a core module portion that protects the electronic document by setting an access right is installed on the security policy server 6A side according to the system configuration. Changes can be made as appropriate.

  The document protection program sets processing requirements according to the input operation of the user (distributor) of the distributor terminal 4A to the document file, performs an authentication process, encrypts the document file using an encryption algorithm, and protects it. It is a program that performs processing for generating a document. For example, program modules such as an authentication processing function (for example, password processing), an encryption processing function, an encryption key acquisition function, an attribute assignment function, an attribute registration function, and a security policy server cooperation function necessary for handling electronic documents are included. As an encryption algorithm, any method such as a common key encryption method or a public key encryption method may be used. As is well known, the latter has better security performance.

  When distributing an electronic document, the operability is not dependent on the receiving device or system such as PDF (Portable Document Format), for example, rather than the file format of the application that created or edited the electronic document. A standard file format should be used. When distributing in a specific file format rather than in a standard file format, of course, the device or system that receives the electronic document must handle the file format specific to that electronic document. It is necessary to incorporate an application program that can be used (not necessarily the same as an application program created or edited). In this embodiment, in order to simplify the description, unless otherwise specified, a description will be given in a mode in which the file is distributed in a standard file format.

  The document print instruction program is for issuing a print instruction for the electronic document distributed in a state where the distributor manages the access right. The document print instruction program performs an authentication process for operating the electronic document and uses the user of the process instruction terminal 4B ( This is a program for setting output conditions (printing conditions) according to an input operation of a user) and creating electronic data for printing (hereinafter referred to as a print document) as necessary. A so-called printer driver mechanism for creating an output job and transmitting it to an arbitrary image forming apparatus 2Z or document processing history management apparatus 6 can be adopted. For example, program modules such as an authentication processing function (for example, password processing), a decryption processing function, a decryption key acquisition function, a printer driver function, and a security policy server cooperation function necessary for handling a print document are included.

  In the printer driver function, an output job (also referred to as a print job) is created based on output settings (also referred to as output conditions, print conditions, or print attributes) designated as necessary. The output job includes image data (print data) that is content to be formed on a paper medium or the like, and output settings. Here, the output conditions include items such as basic settings, layout settings, page decoration settings, and finishing settings. Basic settings include, for example, the number of copies, the number of copies, black and white or color, paper size (A4, A3, B4, B5, etc.), printing direction (vertical / horizontal), paper feed tray (automatic, tray number), printing Items such as quality are included. The layout setting includes items such as single-sided or double-sided, presence / absence of scaling (enlargement / reduction) and setting of scaling ratio, presence / absence of layout printing (aggregated printing) and setting of arrangement mode. The page decoration setting includes items such as page printing presence / absence and detailed setting, stamp mark presence / absence / stamp mark setting, header / footer presence / absence and printing information setting, and the like. The finishing setting includes items such as sorting, finisher (terminal device), binding margin, opening direction, and bookbinding setting. The finisher includes items such as setting of presence / absence of punch and number of holes, setting of presence / absence of stapling (processing to bind in one bundle) and setting of binding position. The distributor can set an access right for these output conditions, and can limit the permitted output conditions, for example, permitting only in the monochrome mode or low quality.

  For the transfer of printing data between the processing instruction terminal 4B and the image forming apparatus 2Z or the document processing history management apparatus 6, a page description language (PDL) corresponding to the fact that the image forming apparatus 2Z is a page printer. A file format of a programming language called “Page Description Language” may be used, or an output instruction file BF_2 describing the file format itself and output conditions of the distributed electronic document may be used. In the present embodiment, for the sake of simplicity of explanation, unless otherwise specified, the file format of the distributed electronic document itself is transmitted to the image forming apparatus 2Z, and a printing instruction is issued. The print data (document file) sent to the image forming apparatus 2Z side together with the print instruction is hereinafter referred to as a print document BF_3 in order to distinguish it from the distributed document BF_1 which is a distributed electronic document. In the latter case, a pair of the distribution document BF_1 and the output instruction file BF_2 becomes a print document BF_3.

  When the print document BF_3 is a PDL file, it is preferable to encrypt the PDL data in order to improve security performance. When the output job created on the processing instruction terminal 4B side is transmitted to the image forming apparatus 2Z, the image forming apparatus 2Z decrypts the received PDL data if it is encrypted, and further converts the received PDL data into the received PDL data. The image data is converted into bitmap-like image data (image) on a page basis, and stored in a predetermined storage device before printing. On the other hand, if the print document BF_3 is a pair of the distribution document BF_1 and the output instruction file BF_2, the received print document BF_3 (= distribution document BF_1) is decrypted and returned to the original electronic document (in plain text). Further, based on the plain text electronic document, the image data is converted into bitmap-like image data (image) suitable for image forming processing on the image forming apparatus 2Z side, stored in a predetermined storage device, and then printed.

  At the time of confidential printing, in order to improve the security performance on the image forming apparatus 2Z side, the image forming apparatus 2Z receives the print document BF_3 received from the processing instruction terminal 4B side and intermediate data created during the image forming process. Alternatively, it is preferable to store the final bitmapped image data in an encrypted state. In this embodiment, for the sake of simplicity, unless otherwise specified, the distribution document BF_1 received from the processing instruction terminal 4B side and the print document BF_3 including the output instruction file BF_2 are stored in an encrypted state. Shall.

  The document processing history management device 6 has a server function, performs control for image acquisition processing and image output processing in the imaging device 2 in response to a request from the processing instruction terminal 4B side which is a client system, In order to store the related information at the time of processing as a processing history, the characteristics of the document image are recorded and stored in a predetermined storage device. The basic method for acquiring and storing the processing history may be the same as various known mechanisms. When the document processing history management device 6 receives an authentication processing request from the distributor terminal 4A, the processing instruction terminal 4B, or the imaging device 2, the document processing history management device 6 cooperates with the authentication server 7 to perform personal authentication processing, Controls whether or not the image forming process can be executed in the imaging apparatus 2 having a function of controlling the image forming process in accordance with a security policy that defines image output requirements.

  The document processing history management device 6 includes, for example, a security control unit 62, a data holding unit 64 having a hard disk device, an optical disk device, or the like that stores a processing image (referred to as an image log) and a processing history in association with each other as a storage device. Have The hardware configuration of the security control unit 62 can be the same mechanism as that of the electronic computer, like the image processing control unit 22.

  The security control unit 62 specifies processing operation information such as an image to be processed from the imaging device 2 such as the copying machine 2A or the printing apparatus 2B, a user who requested the image processing, a processing date and time, and processing conditions. Attached information such as information (information other than the image specifying the status of the processing operation) is received, and the document image and the attached information (for example, electronic document ID, version, attribute, etc.) are stored in the data holding unit 64 as processing history information. Store. In addition, the image received as the processing target is transmitted and output to the imaging device 2 such as the copying machine 2A, the printing apparatus 2B, or the facsimile machine 2E to execute image processing. Further, the security control unit 62 receives the processing history information search instruction, searches the processing history information stored in the data holding unit 64, and executes a search process for presenting the search result.

  For this search process, when the image is processed by the imaging device 2, the information (identifier ID) for uniquely identifying the image and the version VO are output to the output medium (paper medium or the like or saved as a file as electronic data). (Better), it is embedded by means such as a barcode, an ID tag, or a digital watermark. When the processed image is processed again by the imaging device 2, the ID and version of the image are read. Then, the document image stored in the data holding unit 64 specified from the read information is compared with the document image read from the output medium.

  Also, the security policy server 6A portion provided in the document processing history management apparatus 6 provides an electronic document encryption function in order to increase the security of the electronic document. Preferably, under a public key cryptosystem, a double key is used, and encryption and decryption keys are provided to a program that handles electronic documents depending on whether or not user authentication is possible. Furthermore, the security policy server 6A preferably provides a temporary (temporary, timed) decryption key in order to enhance the convenience in the offline. That is, the security policy server 6A decrypts information indicating what access right (security attribute) is set in the electronic document (referred to as a protected electronic document) for which the access right is set, and the protected electronic document. Therefore, a decryption key is registered in a predetermined storage medium as an access right database.

  When the decryption key is used, an access right to the electronic document is also obtained. In this case, the decryption key is temporary, and the decryption key has a valid period. After obtaining the decryption key and the access right online, if the decryption key is within the valid period, the processing instruction terminal 4B The document processing history management apparatus 6 (specifically, the security policy server 6A) can operate the document even when it is offline. For example, the document processing history management apparatus 6 can output an instruction to the image forming apparatus 2Z as well as browsing, but is outside the valid period. Then, the document cannot be operated. In order to perform a document operation after the validity period expires, it is necessary to retrieve the decryption key and the access right from the security policy server 6A online again.

  The authentication server 7 includes an authentication processing control unit (not shown) and a data holding unit such as a hard disk device, and the data holding unit stores authentication information (a combination of a user name and a password) for each user in advance in the user database. Register as In the user database, it is preferable to manage categories and classes, for example, by managing categories and classes as separate attributes for each user, or by creating a group account and allowing individual users to belong to the group.

  The hardware configuration of the authentication processing control unit can be the same mechanism as that of the electronic computer, like the image processing control unit 22. Then, the user ID sent from the document processing history management device 6 and the user password input by the user are collated with user information registered in advance to determine whether or not the user is an appropriate person, The determination result (referred to as an authentication result) is returned to the document processing history management apparatus 6.

  Here, the image forming apparatus 2Z having an image forming function preferably includes a data holding unit 24 such as a hard disk device or an optical disk device for holding / accumulating data, as shown for the multifunction device 2D, for example. In addition to the simple function of performing image forming processing almost immediately upon receiving an output instruction, the processing control unit 22 stores an image forming job once in a predetermined data holding unit 24 and is issued at a predetermined timing thereafter. A so-called confidential print processing function for outputting an image on an output medium after receiving the output instruction. Here, a program for handling an electronic document incorporated on the processing instruction terminal 4B side identifies a user by a user ID, a user password, and the like, inquires of the security policy server 6A together with the unique ID of the electronic document, and issues a security policy (permission information / access Right information) and image forming processing is performed according to the security policy. Also in the confidential printing process, the security policy is confirmed in cooperation with the security policy server 6A, and the image forming process is performed according to the security policy.

  For example, the image forming apparatus 2Z receives an electronic document managed by the security policy server 6A directly from the processing instruction terminal 4B, or receives it via the document processing history management apparatus 6, or a portable type such as a CD-ROM. The print right of the electronic document is confirmed by a program that handles the electronic document that is read from the storage medium and operates internally, and is printed. Further, the image forming apparatus 2Z includes a user interface for confirming the access right of the user who intends to print to the security policy server 6A. Thus, the user is provided with functions such as input of a user ID and a user password, and a list display for searching for an electronic document (its file data) to be printed.

  Further, the image forming apparatus 2Z includes an imaging unit 28 that captures a still image or a moving image of the operator. A still image or moving image indicating the operation status acquired by the imaging unit 28 is used as error information when an error occurs.

  In FIG. 1, a document processing history management device 6 having a security policy server function for performing image forming processing in accordance with a security policy is provided separately from the imaging device 2, but the system configuration is as described above. Not exclusively. For example, the system configuration may be such that the security policy server 6A is removed from the document processing history management device 6 and provided as a separate server, or the imaging device 2 may have a system configuration having the function of the security policy server 6A.

<Outline of security policy output processing>
FIG. 2 is a diagram for explaining the outline of the procedure of the image forming process according to the security policy. Basically, it does not matter what the system configuration is, but as shown in FIG. 1, a case will be described where the document processing history management apparatus 6 has the function of a security policy server.

  In the image forming apparatus 2Z, a confidential box is created in advance (S10). At this time, the user ID and user password for the directory service in the authentication server 7 are set as attributes of the confidential box. Information related to the creation of the confidential box is notified to the document processing history management device 6 and the authentication server 7 and is also managed by the document processing history management device 6 and the authentication server 7.

  Distributor terminal 4A is a program that handles an electronic document and a device that can execute the program. A user (distributor of the document) that handles the distributor terminal 4A can store the electronic document on network 9 or a portable storage medium. When distributing via the user (S20), the access right is set to the distribution document BF_1 for each user. For example, a category of electronic documents (technical or accounting related) and a confidential level (confidential, confidential, confidential, public, etc.) are set. At this time, the range in which access is permitted may be set for each user instead of setting the department or class to which the user belongs.

  Distributor terminal 4A provides security policy server 6A provided with document processing history management apparatus 6 with a security policy in which information on the set access right (permission information) is described in a page description language such as XML (eXtensible Markup Language). Register (S22). In order to improve the security of the electronic document itself, the security policy server 6A is not a static method for including access right information in the electronic document file itself, but the access right for operating the electronic document separately from the electronic document file. It takes a dynamic way to manage. If the dynamic method is adopted, the contents of the access right can be changed dynamically after the electronic document is distributed. On the other hand, in order to be able to operate the electronic document at the distribution destination, not only so-called user authentication but also access right verification processing is required. Operation is also required. When the operation log is managed in a database, internal control is strengthened by recording information on the access right verification processing operation.

  Specifically, the security policy server 6A manages security policy information sent from the distributor terminal 4A for each electronic document. For example, access rights such as browsing, editing, printing, and saving can be set for an electronic document. The set access right is not added to the electronic document itself but is managed by the security policy server 6A. In order to uniquely identify each electronic document, a unique identifier (referred to as an electronic document ID) is assigned. The electronic document is preferably distributed after being encrypted. In addition, it should be possible to decrypt with an appropriate password or secret key. Encryption and the corresponding private key and decryption key are applied to increase the security of the electronic document.

  As an example of the security policy, for example, in the case of an organization security policy, after setting a field and a confidential level for a document, a class, a department, and a printing requirement of a user permitted to access the electronic document are set. For example, an electronic document file with a field of “Technology” and a confidentiality level of “Top Secret” is permitted to be viewed by users with a category of “Technology” and a class of “Up”, but requires “Stakeholder”. In principle, copying is prohibited, and it is necessary to obtain permission from the manager in charge of copying. In addition, only "related persons" are permitted to copy, and confidential printing and tint block printing are also permitted. In addition, bar code addition, digital watermark addition, confidential label stamp addition, and the like are requirements for electronic copying, and stipulate that printing on a paper medium or the like (so-called hard copy) is not permitted. In addition, electronic document files with a field of “Technology” and a confidentiality level of “Mal secret” are permitted to be viewed by users with a category of “Technology” and a class of “Medium” or “Up”, but “ ”As a requirement, and only“ participants ”are permitted to copy or print, and when printing, watermarks such as characters and symbols indicating that the document is a confidential document are printed at the same time. It prescribes. In the case of “confidential documents”, it is stipulated that the permission of the administrator must be obtained when the document is sent outside the company, and that no permission is required for copying, printing, and browsing within the company. It is stipulated that all “accounting documents” are handled as confidential documents.

  A user who desires to operate an electronic document distributed with an access right managed by a distributor operates the processing instruction terminal 4B, and attributes of the electronic document such as an electronic document ID for specifying the electronic document desired to be operated. Then, user attributes such as a user ID and a user password registered in advance to uniquely identify itself are notified to the security policy server 6A (S30). Upon receiving these, the security policy server 6A performs personal authentication processing in cooperation with the authentication server 7 (S32). When the authentication is successful (that is, if it is a regular user), the electronic document corresponding to the electronic document ID is decrypted. The decryption key necessary for this, the electronic document at that time, and the permission information (access right information) set for the user are transmitted to the processing instruction terminal 4B (S34). That is, the security policy is retrieved from the user attribute or the electronic document attribute at the time of operation on the electronic document at the processing instruction terminal 4B, and is applied to the confidential printing instruction.

  As a result, the electronic document can be browsed, printed, etc. within a range where the access right is permitted at that time. For example, if browsing and printing are permitted at that time, the user who has acquired the decryption right (processing instruction terminal 4B) is encrypted using the decryption right (the access right is managed). ) Decrypt the electronic document and open the document file (S36).

  Further, when the user wishes to print the electronic document, the user operates the print driver screen on the processing instruction terminal 4B and issues a print instruction to the image forming apparatus 2Z desired to output (S40). At this time, in the present embodiment, the distributed distribution document BF_1 itself and the output instruction file BF_2 describing the output conditions are paired and transmitted as a print document BF_3 to the image forming apparatus 2Z side. Here, when instructing confidential printing, in the output instruction file BF_2, in addition to the output conditions themselves, information necessary for confidential printing, for example, confidential box number, password for confidential box, specified when printing is instructed Include the name of the selected document.

  The image forming apparatus 2Z that has received the print document BF_3 completes the output process almost immediately if it is not confidential printing. On the other hand, if confidential printing that requires temporarily storing the output processing of the print document BF_3 is instructed, the image forming apparatus 2Z stores the print document BF_3 in the confidential box if the password for the confidential box is correct. . At this time, the distribution document BF_1 received from the processing instruction terminal 4B side and the print document BF_3 including the output instruction file BF_2 are stored in an encrypted state. After that, the user goes to the installation place of the image forming apparatus 2Z, operates the image forming apparatus 2Z, and gives an instruction to output a confidential document. At this time, the user inputs the user ID, the user password, the confidential box number and the password for the confidential box, opens the confidential box for the user, and wants to output the confidential document from the document list displayed on the operation panel or the like. Is selected and a print instruction is issued (S50).

  The image forming apparatus 2Z that has received the instruction to print the confidential document sends the electronic document ID, user ID, and user password of the confidential document instructed to be output to the security policy server 6A to perform authentication processing and permission information (access right information). ) Is requested (S52). Upon receiving these, the security policy server 6A performs personal authentication processing in cooperation with the authentication server 7 (S54). If the authentication is successful (that is, if the user is an authorized user), the security policy server 6A further refers to the security policy recorded and held by the security policy server 6A and determines whether or not the user has the authority to print the confidential document designated by the user. Check the status of the security policy at that time, such as what printing requirements are set, the decryption key required to decrypt the electronic document corresponding to the electronic document ID, the electronic document at that time, and The permission information (access right information) set for the user is transmitted to the image forming apparatus 2Z (S56). In other words, the user attribute and the electronic document attribute are also used in the output process of the print job stored in the image forming apparatus 2Z, such as the actual output process for the print document BF_3 when the confidential print instruction is issued. Search for security policies and apply them during output processing.

  As a result, the image forming apparatus 2Z decrypts the confidential document, which is an example of the protected document with the access right set, within the range where the access right is permitted at that time, according to the document printing program. Depending on the printing conditions, the electronic document can be printed. However, since the access right management form in this embodiment is a dynamic method in which the access right for operating the electronic document is managed by the security policy server 6A separately from the electronic document file, the security policy is Since it can be changed at any time, the status of the security policy (access right) at the time of issuing the confidential print instruction (S40) is the same as the status of the security policy at the actual output instruction time of the confidential document (S52). Not necessarily. Therefore, at the timing when an access right management target electronic document is accessed (even in the case of actual confidential printing processing in this example), the security policy of the electronic document is confirmed and access control is performed.

  For example, if there is no change between the security policy status at the time of issuing the confidential print instruction (S40) and the security policy status at the actual output instruction time of the confidential document (S52), the output condition at the time of issuing the confidential print instruction The printing process is performed according to (S60). For example, if there is no change in the output conditions at the time of issuing the confidential print instruction (S40) and printing is permitted, the image forming apparatus 2Z that has acquired the decryption right is encrypted using the decryption right. After decrypting the distribution document BF_1 (with access rights managed), output bitmap data is created according to the output instruction file BF_2, and printing processing is executed. At this time, if watermarking is set as a printing requirement for the electronic document file, a predetermined watermark such as a character or symbol indicating a copy-forgery-inhibited pattern or a confidential document is printed together with the contents of the electronic document. Thereby, when printing an electronic document file, the printing requirement according to the preset access right is forced.

  On the other hand, if there is a change in the security policy status at the time when the confidential print instruction is issued (S40) and the security policy status at the actual output instruction time (S52) for the confidential document, the confidential document print processing is caused by some problem. Things that can't be done can happen. In such a case, the image forming apparatus 2Z first disables printing based on the authentication / security policy confirmation result notification from the security policy server 6A, and notifies the user of a warning message such as an error display (S62). ).

  Further, as a feature point of the present embodiment, when an electronic document (in this example, a confidential document, the same applies hereinafter) whose security policy is managed by the security policy server 6A cannot be printed due to some problem, the image forming apparatus 2Z From the point of view of internal control, recording of various detailed information (for example, operation information) at that time, notification of various information to a predetermined location such as an administrator, or the purpose of dealing with the possibility of falsification Error handling processing such as maintenance of various information (storage for leaving evidence) is performed (S64).

  The content of the “notification” may include, for example, the user of the job, the address of the processing instruction terminal 4B that is a client terminal (IP address, MAC address, etc.), and information effective for the investigation. “Maintenance” is an example of storing and storing information in a predetermined storage medium, but it means storing to leave evidence, and in particular, a state in which the general user cannot access the stored information In this embodiment, it is used in distinction from normal “storage”. For example, stored error information and electronic documents are protected by appropriate security so that only authorized device administrators can access them.

  As the “some problem”, for example, the following cases can be considered. In any case, there was no problem at the time of issuing the confidential print instruction (S40), but there was a case where some setting change was made in the security policy at the actual output instruction time of the confidential document (S52).

  1) Since the electronic document ID of the electronic document is not registered in the security policy server 6A, the association (correspondence) between the confidential document and the security policy cannot be specified, and the security policy of the confidential document specified by the user is not specified. It is a case that cannot be found. First, the case 1) can be considered when the electronic document ID is deleted from the security policy server 6A. This is the case where the management owner on the document processing history management apparatus 6 (security policy server 6A) of the electronic document has deleted it by himself, apologized, or the database has been damaged. In any case, it should be clear why it is not tied. The case 1) is considered to be that the electronic document itself has been falsified and the electronic document ID has been misrepresented. In this case, analysis is performed by maintaining the electronic document itself.

  2) The electronic document is registered in the security policy server 6A, but the user confirmation cannot be taken. The case of 2) can be considered as a case where another user tries to print the electronic document stored in the data holding unit 24 of the image forming apparatus 2Z, and the designated confidential is not registered. For example, when the user cannot log in to the security policy server 6A that manages the security policy of the document, or when the access right for printing to the user is revoked on the security policy server 6A after the instruction to print the confidential document.

  3) This is a case where a user for whom printing prohibition is set as a security policy tries to print. The case 3) can be considered when the electronic document is sent directly to the image forming apparatus 2Z without confirming the right of printing with a client tool or the like.

  The “error handling process” in step S64 is a process other than the print disapproval or warning message notification in step S62. For example, the following can be considered. These may be arbitrarily combined as appropriate according to the system environment.

1) Information indicating that printing has been canceled due to an error (referred to as error information) is left in the operation log (job log).
2) Notify the administrator of the image forming apparatus 2Z by e-mail or other means.
3) Print the reason for the error. At this time, it is preferable to discharge to a lockable output box for maintenance.
4) The spooled processing data is maintained in the image forming apparatus 2Z.
5) Notifying the document processing history management apparatus 6 that records access to the electronic document and leaving an operation log.
6) The electronic document is transmitted to the document processing history management apparatus 6 which records the access to the electronic document and maintained.
7) Locking the image forming apparatus 2Z prohibits subsequent printing operations and other operations.

  Which of the error handling processing operations 1) to 7) is executed is 1) registered in the image forming apparatus 2Z itself, 2) registered in the security policy server 6A, and an operation policy is set when an error occurs. It may be specified by any setting method of transmitting to the image forming apparatus 2Z, or 3) registering with the security policy server 6A and checking the image forming apparatus 2Z at the time of activation. In the case of 2), the operation policy is changed / notified from the security policy server 6A for each job based on various attribute values such as the security policy server 6A, each image forming apparatus 2Z, each electronic document, each user, etc. That is, the operation policy may be determined dynamically. In the case of 3), the image forming apparatus 2Z is kept valid until the power source (main power source or the like) is cut off.

  Hereinafter, a specific mechanism for performing the above-described processing and details of the error handling processing operation will be described. First, configuration examples of the distributor terminal 4A, the access management server 8 (the security policy server 6A and the authentication server 7), and the image forming apparatus 2Z will be described, and then an error handling process when printing cannot be performed due to some problem (S64). Will be described for each of the cases 1) to 3).

<Configuration example of distributor terminal>
FIG. 3 is a diagram illustrating a configuration example of the distributor terminal 4A, in particular, a configuration example of a portion related to processing for setting an access right to an electronic document. Each illustrated functional unit may be considered as a program module of a document protection program incorporated in the distributor terminal 4A in an actual application example.

  As shown in the figure, the distributor terminal 4A specifies the encryption key acquisition unit 410 that generates an encryption key by using, for example, a hash function and the distributor using the encryption key generated by the encryption key acquisition unit 410. An encryption unit 412 is provided for encrypting the electronic document. The encryption key acquisition unit 410 may generate a parameter for encryption by itself, generate an encryption key using the parameter, or acquire a parameter from another function unit. The parameters may be stored in the document protection program or generated when requested.

  In addition, the distributor terminal 4A generates an electronic document ID of the electronic document, assigns the electronic document ID to the encrypted document delivered from the encryption unit 412, and outputs it as a protected electronic document, and a distributor The access right information from the encryption key acquisition unit 410, the electronic document ID from the protection setting unit 414, and the access right information from the distributor. It has a security policy registration unit 416 that passes document ID, encryption key, and access right information and requests registration of a security policy.

  The security policy to be registered in the security policy registration unit 416 is not limited to permitting or not permitting an operation request for an electronic document, but allows a certain range of operations when a predetermined condition is satisfied. You may make it set the operation requirement with the condition of. Further, the predetermined condition is not limited to one and may be set in combination. For example, it is not limited to simple access right control that allows or prohibits the use of certain functions that allow or disallow printing, but allows printing, but only certain printing such as black and white and low quality. A condition that it is limited within the range of condition specification may be attached.

<Configuration example of access management server>
FIG. 4 is a diagram for explaining a configuration example of the access management server 8, in particular, a configuration example of a part related to the security control unit 62 and the authentication server 7 of the security policy server 6 A that is a functional unit for managing the security policy of the electronic document. It is.

  As shown in the figure, the security control unit 62 of the security policy server 6A of the access management server 8 stores the electronic document ID, encryption key, and access right information passed from the security policy registration unit 416 in a predetermined storage medium. A security policy DB registration unit 610 registered as an SPDB and an access authority confirmation unit 612 that performs user authentication in cooperation with the authentication server 7 and refers to the security policy database SPDB to confirm the security policy of the electronic document requested to be operated. And a print requirement acquisition / sending unit 614 for specifying the print requirement based on the security policy and notifying the image forming apparatus 2Z. The authentication server 7 of the access management server 8 has a user authentication unit 710 that performs user authentication with reference to the user database UDB registered in a predetermined storage medium and notifies the access authority confirmation unit 612 of the authentication result.

<Image Forming Apparatus: First Configuration Example>
FIG. 5 shows a configuration example of the image forming apparatus 2Z, particularly a configuration example in the case of a system configuration in which the security policy server function is removed from the document processing history management apparatus 6 and the image forming apparatus 2Z has a security policy management function (first example). It is a figure explaining the example of a structure.

  As illustrated, the image forming apparatus 2Z of the first configuration example includes a security policy management unit 210 that manages security policies, and user attributes that acquire attributes (such as categories and security levels) of users who have requested printing of electronic documents. An acquisition unit 212, a document attribute acquisition unit 214 for acquiring attributes (category, security level, etc.) of an electronic document to be printed, and an image forming process (printing process) based on an instruction from the processing instruction terminal 4B or the operation panel of the own apparatus. ) Is executed. The image forming unit 216 includes an image processing control unit 22 in which a document printing program is incorporated and a print engine unit 260, as in a second configuration example described later. Details of the image processing control unit 22 will be described in a second configuration example.

  The security policy management unit 210 also has the function of the security policy DB registration unit 610 of the security policy server 6A shown in FIG. The user attribute acquisition unit 212 also includes a functional part related to user authentication of the access authority confirmation unit 612 of the security policy server 6A shown in FIG. The document attribute acquisition unit 214 also includes a function part related to the security policy of the access authority confirmation unit 612 of the security policy server 6A shown in FIG.

<Image Forming Apparatus: Second Configuration Example>
6 and 6A illustrate another configuration example of the image forming apparatus 2Z, in particular, a configuration example (referred to as a second configuration example) in the case where the document processing history management device 6 has a system configuration including the security policy server 6A. FIG.

  As shown in the overall schematic diagram of FIG. 6, the image forming apparatus 2Z of the second configuration example performs an image forming process (printing process) based on an instruction from the processing instruction terminal 4B or the operation panel of the own apparatus. 216. The image forming unit 216 includes an image processing control unit 22 in which a document printing program is incorporated, and a print engine unit 260.

  The image processing control unit 22 accesses the security policy server 6A, confirms the security policy at the time of processing, and controls the print requirement application control unit 220 that controls to apply the confirmed print requirement at the time of print processing, and a plain text electronic document. And an encryption unit 225 for encrypting print data, a decryption unit 226 for returning the encrypted distribution document BF_1 and print data to plaintext, and a plaintext distribution document BF_1 or a plaintext electronic document decrypted by the decryption unit 226 A print processing unit 228 that generates data is included.

  The print requirement application control unit 220 print document BF_3 stored in the data holding unit 24, intermediate data, or bitmap image (all of which may be encrypted or plainly written: in the present embodiment, the former Is preferred), the security policy server 6A confirms whether the user has the authority to print from the user ID to be printed and the stored electronic document ID, and is permitted to print. Has the ability to control just to print. Specifically, the print requirement application control unit 220 accesses the security policy server 6A, confirms the access right, acquires the decryption key, and accesses the security policy server 6A. A printing requirement acquisition unit 224 that acquires the printing requirements.

  The access right confirmation / decryption key acquisition unit 222 obtains a decryption key from the security policy server 6 </ b> A when the access right can be confirmed and passes this to the decryption unit 226. The decryption unit 226 returns the protected electronic document (distributed document BF_1) encrypted using the decryption key acquired from the access right confirmation / decryption key acquisition unit 222 to plain text, and sends the plain text electronic document to the print processing unit 228. hand over. The print requirement acquisition unit 224 acquires the print requirement from the security policy server 6A and passes it to the print processing unit 228. The print processing unit 228 generates print data according to the print requirements acquired by the print requirement acquisition unit 224 for a plain text electronic document.

  As shown in the detailed view of FIG. 6A, the print processing unit 228 is specific to the present embodiment in addition to processing instructions, error warnings, log records, and print settings in accordance with the contents of the print requirements received from the print requirement acquisition unit 224. A requirement processing control unit 230 that controls error handling processing, a document processing unit 232 that processes an electronic document file as necessary, and a plaintext electronic document file (an electronic document file that has been processed by the document processing unit 232 A printer driver unit 234 for creating print data based on

  The print processing unit 228 further notifies the user of a warning message with an error warning (error) using predetermined display notification means (for example, a display device such as an operation panel) or voice notification means (for example, a speaker or other sound generator). An error alarm unit 236 for performing an alarm), a log recording unit 238 for notifying an operation log to a recording server (remote server: document processing history management device 6 in this example) and leaving a record, and error handling processing An error handling processing unit 240 is provided.

  When an error occurs in the security policy server 6A, the error handling processing unit 240 performs the set error processing according to the error notification. For this reason, the error handling processing unit 240 records error information in a predetermined storage device (such as the data holding unit 24) in the image forming apparatus 2Z by an electronic document program as error handling processing, for example. Unit 242, an error information notification maintenance unit 244 that notifies the device administrator of error information by e-mail, for example, to a portable terminal owned by the electronic document program, and an electronic document to be printed by the electronic document program Is stored in a predetermined storage device (such as the data holding unit 24) in the image forming apparatus 2Z.

  The error information recording unit 242 is different from the log recording unit 238 in that it can record information about errors independently of the server. Also, because of this structural difference, it is possible to record information that exceeds the format specified in the notification to the server, or to record all information even if the network is intentionally shut down when an error occurs. There is a unique action and effect that can be done.

  The electronic document maintained by the electronic document maintaining unit 246 in a predetermined storage device in the image forming apparatus 2Z is preferably stored in an encrypted state. Further, it is preferable that the protected electronic document is protected by appropriate security so that only authorized device managers can access it. An electronic document that is maintained by an unauthorized access by a general user is prevented from being falsified or deleted.

  The error handling processing unit 240 also notifies the error information by the electronic document program as an error handling process to a server (document processing history management device 6 in this example) that records the operation status (device operation status information) for maintenance. And an error information notification maintenance unit 248 for sending the electronic document to be printed by the electronic document program to a server (in this example, the document processing history management device 6) that records the operation status, and the document processing history management device 6 maintains the electronic document. An electronic document transmission maintenance unit 250 is included.

  The error information notified from the error information notification maintenance unit 248 is maintained in a predetermined storage device by the document processing history management device 6. The electronic document transmitted from the electronic document transmission maintenance unit 250 is maintained in a predetermined storage device by the document processing history management device 6. It is preferable to maintain the operation status and the electronic document maintained by the document processing history management apparatus 6 in an encrypted state. In addition, it is preferable that the protected operation status and the electronic document be protected by appropriate security so that only authorized device managers can access them. The operation status and the electronic document that are maintained by unauthorized access by general users are prevented from being altered or deleted.

  The error handling processing unit 240 also performs error information printing control for controlling the error information to be printed on a predetermined output medium on the image forming apparatus 2Z or the security policy server 6A side, for example, as an error handling process by an electronic document program. And an operation lock unit 254 that locks all subsequent operations of the image forming apparatus 2Z by the electronic document program. The error information printed by the image forming apparatus 2Z based on an instruction from the error information printing unit 252 is output to a discharge apparatus that can obtain error information printed out only by the apparatus administrator, for example, in an output tray with a key. Therefore, it is preferable that only the device administrator can obtain the output result of the error information. The general user is prevented from taking out the error information output result.

  Further, the error handling processing unit 240 treats a still image or a moving image indicating the operation status acquired by the imaging unit 28 included in the image forming apparatus 2Z as error information (particularly referred to as an error image) when an error occurs. An image acquisition unit 258 is included. The error image acquisition unit 258 passes this error image as error information to each functional unit that performs other error handling processing in the error handling processing unit 240.

  Each of the functional units included in the error handling processing unit 240 is not limited to being executed alone, and a plurality of functional units may be arbitrarily combined to execute error handling processing in each.

<Error Problem: First Embodiment>
FIG. 7 is a flowchart for explaining the first embodiment of “some problem” that triggers error handling processing in the error handling processing unit 240 and the error handling processing. The case where “some problem” occurs in the first embodiment is a case where the electronic document ID of the electronic document is not registered in the security policy server 6A. In this case, since the association (correspondence relationship) between the electronic document and the security policy cannot be specified, and the security policy of the confidential document designated by the user cannot be found, the image forming apparatus 2Z stops the printing process and notifies the error alarm unit 236. The error warning is notified to the user, and the error handling processing unit 240 performs a predetermined error handling process. Note that the print cancellation process, the error warning notification process, and the error handling process in the error handling processing unit 240 may be performed first. In the drawing, an example is shown in which an error handling process in the error handling processing unit 240 is performed first, and then a print cancellation process and an error warning notification process are performed.

  For example, the client (general user) issues a confidential printing instruction as an electronic document printing instruction at the processing instruction terminal 4B (S100). Upon receiving this instruction, the processing instruction terminal 4B transmits the confidential print target distribution document BF_1 itself and the output instruction file BF_2 as the print document BF_3 to the image forming apparatus 2Z (S102). Receiving the print document BF_3 from the processing instruction terminal 4B, the image forming apparatus 2Z temporarily stores the print document BF_3 in the data holding unit 24, starts an electronic document program (in this example, a document print program), and starts a print job. (S110). Incidentally, when the print document BF_3 is a confidential print target, the user who issued the confidential print instruction goes to the installation location of the image forming apparatus 2Z and instructs the start of the confidential print job from the operation panel of the image forming apparatus 2Z. .

  When starting the print job, the image forming apparatus 2Z (document printing program) first checks whether or not the print document BF_3 to be processed is a protected electronic document managed by the security policy server 6A (S120). If it is not a protected electronic document, the image forming apparatus 2Z (document printing program) prepares for normal printing (normal confidential printing in this example) (S120-NO, S122). On the other hand, when the document is a protected electronic document (S120-YES), the image forming apparatus 2Z (document printing program) accepts input of a user ID and a user password via an operation panel, a user card (ID card), or the like (S124). Then, the input user ID and user password, and the electronic document ID of the print document BF_3 instructed to be output are sent to the security policy server 6A, and the authentication confirmation by the security policy server 6A or the authentication server 7 is awaited (S126).

  The security policy server 6A performs personal authentication processing in cooperation with the authentication server 7. When the personal authentication is successful, the security policy server 6A refers to the security policy recorded and held by itself and prints the print document BF_3 designated by the user. Check the status of the security policy at that point in time, such as whether the user has authority and what printing requirements are set. In this example, since the electronic document ID of the print document BF_3 is not registered in the security policy server 6A, an authentication result that the electronic document ID is not managed is obtained (S130), and the security policy The server 6A returns error information indicating the problem status to the image forming apparatus 2Z (document printing program) (S138).

  The image forming apparatus 2Z (document printing program) that has received the error information from the security policy server 6A performs error handling processing in the error handling processing unit 240 according to the error handling settings. For example, log recording of error information by the error information recording unit 242 (S150, S152), notification of error information to the device administrator by the error information notification maintenance unit 244 (S154), and the electronic document own device by the electronic document maintenance unit 246 Maintenance (S156, S158), notification of error information by the error information notification maintenance unit 248 to the recording server (document processing history management apparatus 6 in this example) and maintenance at the recording server (S160, S162), electronic document Transmission of the electronic document to the recording server (document processing history management apparatus 6 in this example) by the transmission maintenance unit 250 and maintenance (S164, S166) at the recording server, and all operations of the image forming apparatus 2Z thereafter by the operation lock unit 254 Lock (S170-YES, S172), error information printout by error information printing unit 252 (S1 4-YES, S176) and, according to the error processing set, any one or optionally in combination plurality executed.

  When the error handling processing in the error handling processing unit 240 is completed, the image forming apparatus 2Z (document printing program) stops the printing process and notifies the user of an error warning in the error warning unit 236 (S180, S182). .

<Error Problem: Second Embodiment>
FIG. 8 is a flowchart for explaining the second embodiment of “some problem” that triggers the error handling processing in the error handling processing unit 240 and the error handling processing. The process step number is indicated by 200, and the 10th and 1st stages of the same process steps as in the first embodiment are denoted by the same 10th and 1st numbers as in the first embodiment. Hereinafter, differences from the first embodiment will be described.

  The case where “some problem” occurs in the second embodiment is that an electronic document is registered in the security policy server 6A, but personal information is not registered in the authentication server 7, or later on the security policy server 6A. In this case, the user confirmation for permitting access to the electronic document (print operation in this example) cannot be taken, such as when the print access right to the user is revoked. In this case, since the user confirmation cannot be taken, the image forming apparatus 2Z stops the printing process, notifies the user of an error warning by the error alarm unit 236, and performs a predetermined error handling process by the error handling unit 240.

  The security policy server 6A confirms the personal authentication and the status of the security policy at that time based on the user ID and user password sent from the image forming apparatus 2Z (document printing program) and the print document BF_3 instructed to output. In this example, the electronic document ID is registered, but the user's authentication information is not registered (the user does not exist in the user DB), or the right to access the electronic document related to the user (in this example, An authentication result indicating that printing is not set is obtained (S232), and the security policy server 6A returns error information indicating the problem status to the image forming apparatus 2Z (document printing program) (S238). .

  The image forming apparatus 2Z (document printing program) that has received the error information from the security policy server 6A performs error handling processing according to the error handling settings in the error handling processing unit 240 in the same manner as in the first embodiment.

<Error Problem: Third Embodiment>
FIG. 9 is a flowchart for explaining the third embodiment of “some problem” that triggers error handling processing in the error handling processing unit 240 and error handling processing. The processing step number is indicated by 300, and the numbers 10 and 1 in the same processing steps as in the first embodiment are indicated by the numbers 10 and 1 as in the first embodiment. Hereinafter, differences from the first embodiment will be described.

  In the case of “some problem” in the third embodiment, an electronic document is registered in the security policy server 6A and personal information is registered in the authentication server 7, but printing prohibition is set as the security policy. This is a case where a user who tries to print is going to print. In this case, since the printing cannot be permitted for the user, the image forming apparatus 2Z stops the printing process, notifies the user of an error warning by the error warning unit 236, and performs a predetermined error by the error handling processing unit 240. Perform response processing.

  The security policy server 6A confirms the personal authentication and the status of the security policy at that time based on the user ID and user password sent from the image forming apparatus 2Z (document printing program) and the print document BF_3 instructed to output. In the case of this example, the electronic document ID and personal authentication information (user ID and user password) are registered, but the authentication result that the security policy for prohibiting printing of the electronic document is set for the user Is obtained (S334), and the security policy server 6A returns error information indicating the problem status to the image forming apparatus 2Z (document printing program) (S338).

  The image forming apparatus 2Z (document printing program) that has received the error information from the security policy server 6A performs error handling processing according to the error handling settings in the error handling processing unit 240 in the same manner as in the first embodiment.

<Example of information notified / recorded when an error occurs>
FIG. 10 is a chart for explaining information (error information and electronic document when an error occurs) that is notified or recorded when an error occurs. As shown in the figure, “information to be notified / recorded” is the error information excluding the electronic document at the time of the error occurrence, and the contents of “information to be notified / recorded” are the user and client of the job. Useful information for error investigation, such as information that uniquely identifies the terminal. “Information to be notified / recorded” is error log maintenance by the error information recording unit 242 (S @ 50, S @ 52: @ is any one of 1, 2, and 3), and the error information notification maintenance unit 244 Notification to device administrator (S @ 54), error information notification maintenance unit 248 and electronic document transmission maintenance unit 250 notify / transmit and maintain (S @ 60, S @ 62, S @ 64, S @) 66) and error information printing by the error information printing unit 252 (S @ 74, S @ 76).

  As shown in the figure, the error information includes, for example, information that uniquely identifies the image forming apparatus 2Z (for example, an apparatus name and model number), an electronic document ID, a job reception time, a job execution time, and an output instruction file BF_2. Print instruction information (feed / discharge tray, double-sided, post-processing, etc.), user ID, user password, authentication result in security policy server 6A, access right obtained from security policy server 6A, error information from security policy server 6A The operation setting of the image forming apparatus 2Z at the time of error occurrence, the user's still image or moving image at the time of error occurrence obtained by the imaging unit 28 (error image acquisition unit 258), and information for uniquely identifying the device manager (for example, name) Information) uniquely identifying the recording server (in this example, the document processing history management device 6) For example, IP address, MAC address, etc.) and information (for example, IP address, MAC address, etc.) uniquely identifying the security policy server 6A are applicable.

<Example of operation settings when an error occurs>
11 to 11B are flowcharts for explaining a method for determining an error handling processing operation performed by the error handling processing unit 240 when an error occurs.

  The first method shown in FIG. 11 is an example in which which of the error handling processing operations (operation policy when an error occurs) is registered in the image forming apparatus 2Z itself. Specifically, when error information is sent from the security policy server 6A (S400), the image forming apparatus 2Z (document printing program) that has received this error information recognizes that an error has occurred (S402). Then, the image forming apparatus 2Z (document printing program) reads the error handling process operation setting registered in the apparatus in advance (S404), refers to the read error handling process setting, and sets the operation policy. The corresponding error handling process is executed (S406).

  The second method shown in FIG. 11A is an example in which which of the error handling processing operations is executed is registered in the security policy server 6A and the operation policy is transmitted to the image forming apparatus 2Z (document printing program) when an error occurs. It is. Specifically, when sending the error information to the image forming apparatus 2Z (document printing program), the security policy server 6A reads the operation setting of the error handling process registered in the self apparatus and reads the read operation policy. Is also notified to the image forming apparatus 2Z (document printing program) (S410). The image forming apparatus 2Z (document printing program) that has received the error information recognizes that an error has occurred (S412), and executes error handling processing according to the operation policy with reference to the received error handling processing settings. (S416).

  In the third method shown in FIG. 11B, which of the error handling processing operations is executed is registered in the security policy server 6A, and when the error occurs, the registered operation policy is stored in the image forming apparatus 2Z (document printing program). ) Is an example of confirmation at startup. Specifically, the image forming apparatus 2Z (document printing program) requests the security policy server 6A to confirm the setting of error handling processing when the apparatus is activated when the main power is turned on (S420). Upon receiving this setting confirmation request, the security policy server 6A reads the operation settings for error handling processing registered in advance in its own apparatus, and notifies the image forming apparatus 2Z (document printing program) of the read operation policy ( S422). The image forming apparatus 2Z (document printing program) that has received the operation policy from the security policy server 6A is valid until the power (such as the main power supply) of the image forming apparatus 2Z is cut off to the predetermined storage device. (S424).

  When error information is sent from the security policy server 6A (S430), the image forming apparatus 2Z (document printing program) that has received this error information recognizes that an error has occurred (S432). Then, the image forming apparatus 2Z (document printing program) reads out the operation settings for error handling processing received from the security policy server 6A and stored in a predetermined storage device, and refers to the settings for the read error handling processing. Then, an error handling process according to the operation policy is executed (S436).

<Various devices: Computer configuration>
FIG. 12 is a block diagram illustrating another configuration example of various apparatuses such as the image forming apparatus 2Z, the distributor terminal 4A, the processing instruction terminal 4B, the document processing history management apparatus 6, the security policy server 6A, and the authentication server 7. Here, a more realistic hardware constructed by a microprocessor or the like that executes software for electronic document protection processing (in this embodiment, various processing related to error handling processing in particular in this embodiment) using an electronic computer such as a personal computer. The hardware configuration is shown.

  In other words, in this embodiment, the mechanism of the security policy management function that controls whether or not the device can be operated based on the security policy for the electronic document is not limited to being configured by a hardware processing circuit, but can be electronically based on a program code that realizes the function. It is realized by software using a computer (computer). Therefore, a program suitable for realizing the mechanism according to the present invention by software using an electronic computer (computer) or a computer-readable storage medium storing this program is extracted as an invention. By adopting a mechanism that is executed by software, the processing procedure and the like can be easily changed without changing hardware.

  A series of processing for controlling permission / non-permission of device operation (referred to as device operation permission / prohibition) based on a security policy regarding an electronic document is not limited to hardware or software alone, and can be realized by a combined configuration of both. When executing processing by software, a program showing the processing procedure is installed (installed) in a storage medium in a computer embedded in hardware and executed, or a general-purpose electronic computer capable of executing various types of processing is used. Incorporate the program and execute it.

  A program for causing a computer to execute the security policy management function is distributed through a recording medium such as a CD-ROM. Alternatively, this program may be stored in the FD instead of the CD-ROM. In addition, an MO drive may be provided to store the program in the MO, or the program may be stored in another recording medium such as a nonvolatile semiconductor memory card such as a flash memory. Furthermore, the program constituting the software is not limited to being provided via a recording medium, but may be provided via a wired or wireless communication network. For example, the program may be obtained by downloading from another server or the like via a network such as the Internet, or may be updated. Further, the program is provided as a file describing a program code for realizing the function of performing the security policy management process. In this case, the program is not limited to being provided as a batch program file, but is a hardware of a system configured by a computer. Depending on the hardware configuration, it may be provided as an individual program module.

  For example, the computer system 900 reads and records data from a controller unit 901 and a predetermined storage medium such as a hard disk device, a flexible disk (FD) drive, a CD-ROM (Compact Disk ROM) drive, a semiconductor memory controller, or the like. And a recording / reading control unit 902. Further, the computer system 900 includes an instruction input unit 903 as a functional unit that forms a user interface, a display output unit 904 that presents a user with predetermined information such as a guidance screen and a processing result, and each functional unit. And an interface unit (IF unit) 909 that performs an interface function between them.

  The controller unit 901 includes a CPU (Central Processing Unit) 912, a ROM (Read Only Memory) 913 which is a read-only storage unit, and a RAM (Random Access) which can be written and read at any time and is an example of a volatile storage unit. Memory) 915 and RAM (described as NVRAM) 916 which is an example of a nonvolatile storage unit.

  The recording medium causes a state change of energy such as magnetism, light, electricity, etc. according to the description content of the program to the reading device provided in the hardware resource of the computer, and in the form of a signal corresponding to the state change, The program description is transmitted to the reading device.

  The “volatile storage unit” means a storage unit in a form in which the stored contents disappear when the apparatus is turned off. On the other hand, the “non-volatile storage unit” means a storage unit in a form that keeps stored contents even when the main power supply of the apparatus is turned off. Any memory device can be used as long as it retains the stored contents. The semiconductor memory device itself is not limited to a nonvolatile memory device, and a backup power supply is provided so that a volatile memory device can be made “nonvolatile”. You may do.

  The “nonvolatile storage unit” is not limited to a semiconductor memory element, and may be configured using a medium such as a magnetic disk or an optical disk. For example, a hard disk device can also be used as a nonvolatile storage unit. In addition, it can be used as a nonvolatile storage unit by adopting a configuration for reading information from a recording medium such as a CD-ROM.

  As the instruction input unit 903, for example, an operation key unit 985b of the user interface unit 985 may be used. Alternatively, a keyboard or a mouse may be used. The display output unit 904 includes a display control unit 919 and a display device. As the display device, for example, an operation panel unit 985a of the user interface unit 985 may be used. Alternatively, other display units such as CRT (Cathode Ray Tube) or LCD (Liquid Crystal Display) may be used.

  When configuring the image forming apparatus 2Z that implements a security policy management function or a so-called image log function, the image reading unit 905 that reads a document, or image formation that forms a document image on a predetermined output medium based on output image data An image forming unit 906 corresponding to the unit 216 is provided.

  The interface unit 909 includes a system bus 991 that is a transfer path for processing data (including image data) and control data, a printer IF unit 996 that functions as an interface with the image forming unit 906 and other printers, and the like. A communication IF unit 999 is provided to mediate communication data exchange with the network.

  In such a configuration, the CPU 912 controls the entire system via the system bus 991. The ROM 913 stores a control program for the CPU 912 and the like. The RAM 915 is configured by SRAM (Static Random Access Memory) or the like, and stores program control variables, data for various processes, and the like. The RAM 915 includes an area for temporarily storing data obtained by calculation according to a predetermined application program, data obtained from the outside, and the like. The hard disk device controlled by the recording / reading control unit 902 stores data for various processes by the control program, temporarily stores a large amount of data acquired by the device itself, data acquired from the outside, and the like. The area to be included.

  With such a configuration, a CD-ROM storing a program for executing a security policy management processing method for controlling whether or not the apparatus can be operated based on a security policy for an electronic document in response to an instruction from the operator via the operation key unit 985b. A security policy management processing program is installed in the RAM 915 from a readable recording medium such as the above, and the security policy management processing program is activated by an instruction or automatic processing by an operator via the operation key unit 985b. The CPU 912 performs calculation processing, determination processing, control processing, and the like associated with the security policy management processing method in accordance with the security policy management processing program, stores the processing results in a storage device such as the RAM 915 and a hard disk, and the operation panel unit 985a or CRT. And output to a display device such as LCD.

  Note that the security policy is not limited to such a configuration using a computer, but a security policy management process is performed by a combination of dedicated hardware that performs processing of each functional unit in the configuration diagram of each device shown using functional blocks. A management processing system, image forming apparatus 2Z, distributor terminal 4A, processing instruction terminal 4B, security policy server 6A, and the like may be configured. For example, a processing circuit 960 may be provided in which not all processing of each functional part for security policy management processing is performed by software, but a part of these functional parts is performed by dedicated hardware. Of course, the entire functional units are not limited to hardware, and a part of the functional units constituting the functional units may be configured by hardware.

  Although the mechanism performed by software can flexibly cope with parallel processing and continuous processing, the processing time becomes longer as the processing becomes complicated, so that a reduction in processing speed becomes a problem. On the other hand, when constructed with a hardware processing circuit, even if the processing is complicated, a reduction in processing speed is prevented, and an accelerator system is constructed that achieves high speed to obtain high throughput.

  As mentioned above, although this invention was demonstrated using embodiment, the technical scope of this invention is not limited to the range as described in the said embodiment. Various changes or improvements can be added to the above-described embodiment without departing from the gist of the invention, and embodiments to which such changes or improvements are added are also included in the technical scope of the present invention.

  Further, the above embodiments do not limit the invention according to the claims (claims), and all combinations of features described in the embodiments are not necessarily essential to the solution means of the invention. Absent. The embodiments described above include inventions at various stages, and various inventions can be extracted by appropriately combining a plurality of disclosed constituent elements. Even if some constituent requirements are deleted from all the constituent requirements shown in the embodiment, as long as an effect is obtained, a configuration from which these some constituent requirements are deleted can be extracted as an invention.

  For example, in the above-described embodiment, the example in which the security policy management processing system is applied to the image forming apparatus that is an example of the electronic apparatus has been specifically described. However, the target electronic apparatus is not limited to the image forming apparatus. As long as the electronic information handled by the electronic device is one whose access right is managed, the present invention can be applied to anything such as a mobile phone or a portable music player. In this case, the electronic document in the above-described embodiment may be replaced with electronic information such as content downloaded from the server, image formation or printing processing may be replaced with information processing, and printing requirements may be replaced with operation requirements.

1 is a diagram illustrating a configuration example of a document processing history management system partially including an image forming system to which an embodiment of the present invention is applied. It is a figure explaining the outline | summary of the procedure of the image formation process according to a security policy. It is a figure explaining the structural example of the part in connection with the process which sets an access right to an electronic document in a distributor terminal. It is a figure explaining the structural example of the part in connection with a security policy server and an authentication server in an access management server. It is a figure explaining the image forming apparatus of the 1st structural example provided with a security policy management function. It is a whole schematic diagram explaining the image forming apparatus of the 2nd example of a structure in the case of a system configuration provided with a security policy server. FIG. 10 is a detailed diagram illustrating a print processing unit of an image forming apparatus of a second configuration example in the case of a system configuration including a security policy server. It is a flowchart explaining the first embodiment of “some problem” that triggers error handling processing in the error handling processing unit and error handling processing. It is a flowchart explaining the second embodiment of “some problem” that triggers error handling processing in the error handling processing unit and the error handling processing. It is a flowchart explaining the second embodiment of “some problem” that triggers error handling processing in the error handling processing unit and the error handling processing. It is a chart explaining information (error information and electronic document at the time of error occurrence) notified or recorded when an error occurs. It is a flowchart explaining the 1st method of determining the error handling processing operation | movement which an error handling processing part performs at the time of error occurrence. It is a flowchart explaining the 2nd method of determining the error handling processing operation | movement which an error handling processing part performs when an error generate | occur | produces. It is a flowchart explaining the 3rd method of determining the error handling processing operation | movement which an error handling processing part performs when an error generate | occur | produces. FIG. 2 is a diagram illustrating an example of a hardware configuration when various apparatuses such as an image forming apparatus, a distributor terminal, a processing instruction terminal, a document processing history management apparatus, a security policy server, and an authentication server are configured using an electronic computer. .

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Document processing history management system, 2 ... Imaging apparatus, 2Z ... Image forming apparatus, 4 ... Client apparatus, 4A ... Distributor terminal, 4B ... Processing instruction terminal, 6 ... Document processing history management apparatus, 6A ... Security policy server, DESCRIPTION OF SYMBOLS 7 ... Authentication server, 8 ... Access management server, 9 ... Network, 22 ... Image processing control part, 24 ... Data holding part, 28 ... Imaging part, 62 ... Security control part, 64 ... Data holding part, 210 ... Security policy management 212: User attribute acquisition unit, 214 ... Document attribute acquisition unit, 216 ... Image forming unit, 220 ... Print requirement application control unit, 222 ... Access right confirmation / decryption key acquisition unit, 224 ... Print requirement acquisition unit, 225 ... Encryption unit, 226 ... Decryption unit, 228 ... Print processing unit, 230 ... Requirements processing control unit, 232 ... Document processing unit, 234 ... Printer driver 236 ... Error warning unit, 238 ... Log recording unit, 240 ... Error handling processing unit, 242 ... Error information recording unit, 244 ... Error information notification unit, 246 ... Electronic document maintenance unit, 248 ... Error information notification maintenance unit , 250 ... Electronic document transmission maintenance unit, 252 ... Error information printing unit, 254 ... Operation lock unit, 258 ... Error image acquisition unit, 260 ... Print engine unit, 410 ... Encryption key acquisition unit, 412 ... Encryption unit, 414 ... Protection setting unit, 416 ... security policy registration unit, 610 ... security policy DB registration unit, 612 ... access authority confirmation unit, 614 ... print requirement acquisition sending unit, 710 ... user authentication unit

Claims (17)

Based on the user who prints the electronic document for which the access right is managed and the attribute of the electronic document, the security policy that defines the printing permission / rejection and the printing requirement is searched to obtain the printing requirement, and the acquired printing requirement is printed. A printing requirement application control unit that controls to apply at times,
Error handling processing that performs predetermined error handling processing that contributes to recording of more detailed information, notification to the device administrator, or evidence maintenance due to the possibility of tampering when an error occurs that does not match the acquired printing requirements And
An image forming apparatus comprising: The image forming apparatus according to claim 1, wherein the error handling processing unit determines error handling processing contents with reference to an operation setting registered in advance in the apparatus. The operation settings that determine the error handling process are registered in advance in the security policy server.
The image forming apparatus according to claim 1, wherein the error handling processing unit determines error handling processing content with reference to an operation setting notified from a security policy server.   The image forming apparatus according to claim 3, wherein the operation setting can be changed from the security policy server for each job. The operation settings that determine the error handling process are registered in advance in the security policy server.
The error handling processing unit determines error handling processing contents with reference to an operation setting acquired by confirming with the security policy server when the apparatus is activated. The image forming apparatus described. The electronic document in which the access right is managed is encrypted, and a decryption key acquisition unit that acquires a decryption key for converting the electronic document into plain text;
A decryption unit that returns the encrypted electronic document to plaintext using the decryption key obtained by the decryption key obtaining unit;
The image forming apparatus according to claim 1, further comprising: The error handling processing unit includes an error information recording unit that records error information indicating a situation at the time of an error in a predetermined storage device in the device. The image forming apparatus described in the item. The error handling processing unit includes an error information notification maintenance unit for notifying an apparatus administrator of error information indicating a situation at the time of occurrence of an error. Image forming apparatus. 9. The error handling processing unit includes an electronic document maintenance unit that maintains an electronic document to be printed in a predetermined storage device in the device itself. Image forming apparatus. The error handling processing unit includes an error information notification maintenance unit that notifies and maintains error information indicating a status at the time of an error to a server that records an operation status. The image forming apparatus according to claim 1. The error handling processing unit includes an electronic document transmission maintaining unit that transmits and maintains an electronic document to be printed to a server that records an operation status. The image forming apparatus described in the item. The error handling processing unit includes an error information print control unit that controls error information indicating a situation at the time of an error to be printed on a predetermined output medium. The image forming apparatus according to claim 1. The image forming apparatus according to claim 12, wherein the error information print control unit discharges the error information printed only by an apparatus administrator to an available discharge apparatus. The image forming apparatus according to claim 1, wherein the error handling processing unit includes an operation lock unit that locks all operations of the apparatus after the occurrence of an error. It further includes an imaging unit that captures still images or videos of the operator,
The error handling processing unit includes an error image acquisition unit that treats a still image or a moving image indicating the operation status acquired by the imaging unit as error information when an error occurs and passes the information to each function unit that performs error handling processing. The image forming apparatus according to any one of claims 1 to 14. Based on the electronic information processing operation for which access rights are managed and the attribute of the electronic information, search the security policy that defines the operation permission / inhibition and operation requirements, obtain the operation requirements, and obtain the acquired operation requirements An operation requirement application control unit that controls to be applied at the time of processing;
Error handling processing that performs predetermined error handling processing that contributes to more detailed information recording, notification to the device administrator, or evidence maintenance due to the possibility of tampering when an error occurs that does not match the acquired operation requirements And
An electronic device characterized by comprising: A program for using a computer to perform security policy management processing for controlling device operation based on a security policy for an electronic document,
The computer,
Based on the user who prints the electronic document for which the access right is managed and the attribute of the electronic document, the security policy server that registers the security policy that defines the printing permission and the printing requirement is searched to obtain the printing requirement. A printing requirement acquisition unit;
A print processing unit forcing the print requirements acquired by the print requirement acquisition unit during print processing;
An error handling processing unit that performs a predetermined error handling process when an error has occurred and does not match the printing requirements obtained by the printing requirement obtaining unit;
A program characterized by making it function.

Images