JP2010140158A - Information processing apparatus, processing method thereof, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a mechanism for easily setting function authority to use composite machines by associating the group of users to be managed by a directory server with the group of users to be managed by an authentication server. <P>SOLUTION: An information processing apparatus is communicatively connected with a directory service server which manages user information and stores user authentication information. The information processing apparatus stores a first user group set to the user authentication information and function limiting information for limiting the function of an image forming apparatus associated with the first user group, obtains the first user group, receives a second user group to be managed by a directory service server from the directory service server, displays the first user group and the second user group, associates the second user group with the first user group, and generates association information showing the association of the associated first user group and second user group. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an information processing apparatus that stores authentication information.

  In recent years, even when using a multifunction device, user authentication is performed and use of the multifunction device is restricted for each user (Patent Document 1).

  As a user authentication when using a multifunction device, there is a mechanism for performing user authentication by holding an IC card over a card reader of the multifunction device.

  As one mechanism for user authentication using an IC card, authentication information including card information is held in an external server, and authentication is performed by comparing the authentication information with the card information read from the IC card. However, the server that holds this authentication information is managed by a server (IC card authentication server) that is different from the directory server that manages user information (user name, password, group) in the company. .

  This is because there are companies that do not want to change the configuration of the user information of the directory server just to introduce a multifunction device using IC card authentication because the directory server has already been installed in the company. is there.

In addition, when restricting the functions of a multifunction device, the multifunction device has a plurality of functions. Therefore, the function restriction for a plurality of functions must be set and managed in detail on the directory server. Management becomes complicated.
JP 2007-142574 A

  Therefore, an IC card authentication server is installed to perform user authentication using an IC card. The IC card authentication server imports user information (for example, a user name) of the directory server and manages the user name by associating the card information of the IC card with the user name.

  In addition, a group is set for each user. In order to use the IC card authentication server for general purposes, it is also possible to restrict the function restriction information defining the restrictions on the functions of the multifunction device for each group. In addition, a group that can be uniquely used by the IC card authentication server is held.

  In such a configuration, from the user (company) who introduces the IC card authentication server, the group used in the system using the multifunction peripheral and the function restrictions of the group are not managed by the directory server, but are already managed by the directory server. There is a desire to restrict the functions of multifunction devices by using groups.

  In this case, it is possible to import the group managed on the directory server together with the user name and replace it with a group managed by the IC card authentication server after the import. However, the administrator creates a group correspondence table, one by one Complicated work has occurred because it has to be replaced.

  In addition, although multifunction devices have multiple functions, there are many operations that limit functions across departments, such as allowing all functions and settings to be used by department administrators. There was an operation that does not match the management method of the directory server group that is divided into detailed groups as in the system.

  For this reason, after importing the user information of the directory server, the administrator has to reset it to a group for using the multifunction peripheral, which causes troublesome work.

  Accordingly, an object of the present invention is to associate a group of users managed by the directory server with a group of users managed by an authentication server (for example, an IC card authentication server) before importing user information managed by the directory server. Therefore, it is to provide a mechanism that can easily perform function authority setting using a multifunction peripheral.

  In addition, for example, a mechanism is provided that can restrict the function of using a multifunction device for each authenticated user even during authentication (keyboard authentication) without using an IC card.

  The present invention is an information processing apparatus for storing user authentication information for authenticating input information input by an image forming apparatus, which can communicate via a network with a directory service server that manages user information including user groups. A first user group to be set in the user authentication information, a storage unit for storing function restriction information for limiting the function of the image forming apparatus associated with the first user group, and the storage unit. Acquisition means for acquiring a first user group; first reception means for receiving a second user group managed by the directory service server from the directory service server; the first user group and the second user group Display means for displaying the user group and the second user with respect to the first user group. Characterized in that it comprises a correlating means for correlating the groups, and generating means for generating a correspondence information indicating a correspondence between a first user group and the second user group associated with said correlating means.

  According to this configuration, before importing user information managed by the directory server, by associating a group of users managed by the directory server with a group of users managed by an authentication server (for example, an IC card authentication server), It is possible to easily set the function authority to use the multifunction device.

  Further, the present invention provides a fetching instruction unit for instructing fetching of user information including the second user group managed by the directory service server, and accepting from the directory service server according to the fetching instruction of the fetching instruction unit. And changing means for changing the second user group included in the user information to the first user group associated with the association means.

  The present invention is further characterized by further comprising registration means for registering the user information received from the directory service server changed to the first user group by the changing means as the user authentication information.

  Further, the present invention provides an input information receiving unit that receives input information obtained from a storage medium in the image forming apparatus, an authentication unit that authenticates according to the input information received according to the input information receiving unit and the user authentication information, The first function restriction information obtaining unit for obtaining the function restriction information according to a first user group of users authenticated by the authentication unit, and the first function restriction unit for restricting the use of the image forming apparatus. The apparatus further comprises first function restriction information transmitting means for transmitting the function restriction information acquired by the function restriction information acquiring means to the image forming apparatus.

  According to the present invention, the user authentication information includes a user name and a password, and user information including user name and password input from the image forming apparatus in order to use the image forming apparatus is received. Receiving means; and second receiving means for receiving user information including a second user group corresponding to the user name from the directory server, using the user name and password received by the user information receiving means. The changing means changes the second user group included in the user information received by the second receiving means to the first user group according to the association information.

  Further, the present invention provides a second function restriction information acquisition unit that acquires function restriction information corresponding to the first user group changed by the changing unit, and the second function restriction information acquisition unit to restrict use of the image forming apparatus. And a second function restriction information transmitting means for transmitting the function restriction information acquired by the second function restriction information acquiring means to the image forming apparatus.

  According to the present invention, before importing user information managed by the directory server, by associating a group of users managed by the directory server with a group of users managed by an authentication server (for example, an IC card authentication server), It is possible to easily set the function authority to use the multifunction device.

  Further, for example, even when authentication (keyboard authentication) is not performed using an IC card, it is possible to limit the function of using the multifunction device for each authenticated user.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a system configuration diagram showing an example of the configuration of the IC card authentication system of the present invention.

  FIG. 1 shows a configuration in which one or a plurality of multifunction peripherals 100, an IC card authentication server 200, and a plurality of directory service servers 300 are connected via a local area network (LAN) 400.

  The IC card authentication server 200 stores an IC card authentication table (shown in FIG. 4 to be described later), and in response to an authentication request by the IC card from the multi-function device 100 or an authentication request by a user name and a password. Authentication processing is performed using the authentication table.

  The directory service server 300 includes hardware resources such as servers and clients existing on the network, user attributes (for example, Microsoft Windows (registered trademark) login user name and password), access rights, and the like. For example, a server equipped with an active directory (Active Directory (trademark; hereinafter omitted)) function. Hereinafter, a group managed by the directory service server will be described as an Active Directory group.

A client 700 is a client PC in which an IC card authentication server management tool is installed. It is possible to access the IC card authentication server from the IC card authentication server management tool and perform setting work.
The IC card authentication server management tool may be installed in the IC card authentication server 200.

  The IC card authentication system according to the present embodiment is configured such that one or a plurality of MFPs 100, the IC card authentication server 200, and the directory service server 300 configured as described above are connected via a WAN 500 connected via a LAN 400. It may be.

  Furthermore, the present invention can be applied not only to IC card authentication but also to an authentication system using biometric authentication such as fingerprint.

  Hereinafter, the hardware configuration of the information processing apparatus applicable to the IC card authentication server 200, the directory service server 300, and the client PC 700 illustrated in FIG. 1 will be described with reference to FIG.

  FIG. 2 is a block diagram showing a hardware configuration of an information processing apparatus applicable to the IC card authentication server 200, the directory service server 300, and the client PC 700 shown in FIG.

  In FIG. 2, reference numeral 201 denotes a CPU that comprehensively controls each device and controller connected to the system bus 204. Further, the ROM 202 or the external memory 211 is necessary to realize a BIOS (Basic Input / Output System) or an operating system program (hereinafter referred to as an OS), which is a control program of the CPU 201, or a function executed by each server or each PC. Various programs to be described later are stored.

  A RAM 203 functions as a main memory, work area, and the like for the CPU 201. The CPU 201 implements various operations by loading a program or the like necessary for execution of processing from the ROM 202 or the external memory 211 into the RAM 203 and executing the loaded program.

  An input controller 205 controls input from a keyboard (KB) 209 or a pointing device such as a mouse (not shown). A video controller 206 controls display on a display 210 such as a liquid crystal display. These are used by the administrator as needed.

  A memory controller 207 is provided in an external storage device (hard disk (HD)), flexible disk (FD), or PCMCIA card slot for storing a boot program, various applications, font data, user files, editing files, various data, and the like. Controls access to an external memory 211 such as a compact flash (registered trademark) memory connected via an adapter.

  A communication I / F controller 208 connects and communicates with an external device via a network (for example, the LAN 400 shown in FIG. 1), and executes communication control processing in the network. For example, communication using TCP / IP is possible.

  Note that the CPU 201 enables display on the display 210 by executing outline font rasterization processing on a display information area in the RAM 203, for example. Further, the CPU 201 enables a user instruction with a mouse cursor (not shown) on the display 210.

  Various programs to be described later for realizing the present invention are recorded in the external memory 211 and executed by the CPU 201 by being loaded into the RAM 203 as necessary. Furthermore, definition files and various information tables used when executing the program are also stored in the external memory 211, and a detailed description thereof will be described later.

  Next, the hardware configuration of the multifunction machine 100 as the information processing apparatus of the present invention will be described with reference to FIG.

  FIG. 3 is a block diagram illustrating an example of a hardware configuration of the multifunction peripheral 100 illustrated in FIG.

  In FIG. 3, reference numeral 316 denotes a controller unit which is connected to a scanner 314 functioning as an image input device and a printer 312 functioning as an image output device, while being connected to a LAN (for example, the LAN 400 shown in FIG. 1) or a public line (WAN). By connecting to (for example, PSTN or ISDN), input / output of image data and device information is performed.

  In the controller unit 316, reference numeral 301 denotes a CPU, which is a processor that controls the entire system. A RAM 302 is a system work memory for the CPU 301 to operate, and is also a program memory for recording a program and an image memory for temporarily recording image data.

  A ROM 303 stores a system boot program and various control programs. An external storage device (hard disk drive (HDD)) 304 stores various programs for controlling the system, image data, and the like.

  An operation unit interface (operation unit I / F) 307 is an interface unit with the operation unit (UI) 308 and outputs image data to be displayed on the operation unit 308 to the operation unit 308. The operation unit I / F 307 serves to transmit information (for example, user information) input by the system user from the operation unit 308 to the CPU 301. Note that the operation unit 308 includes a display unit having a touch panel, and various instructions can be given by a user pressing (touching with a finger or the like) a button displayed on the display unit.

  A network interface (Network I / F) 305 is connected to a network (LAN) and inputs / outputs data. A modem (MODEM) 306 is connected to a public line and inputs / outputs data such as FAX transmission / reception.

  Reference numeral 318 denotes an external interface (external I / F), which is an I / F unit that accepts external inputs such as USB, IEEE 1394, printer port, RS-232C, etc. In this embodiment, an IC card (storage medium) required for authentication ) Is connected to the external I / F unit 318. The CPU 301 can control reading of information from the IC card by the card reader 319 via the external I / F 318, and can acquire information read from the IC card. The above devices are arranged on the system bus 309.

An image bus interface (IMAGE BUS I / F) 320 connects the system bus 309 and an image bus 315 that transfers image data at high speed, and is a bus bridge that converts a data structure. The image bus 315 is a PCI bus. Or it is comprised by IEEE1394. The following devices are arranged on the image bus 315.

  A raster image processor (RIP) 310 develops vector data such as a PDL code into a bitmap image. A printer interface (printer I / F) 311 connects the printer 312 and the controller unit 316, and performs synchronous / asynchronous conversion of image data. A scanner interface (scanner I / F) 313 connects the scanner 314 and the controller unit 316 and performs synchronous / asynchronous conversion of image data.

  An image processing unit 317 performs correction, processing, and editing on input image data, and performs printer correction, resolution conversion, and the like on print output image data. In addition to this, the image processing unit 317 performs image data rotation and compression / decompression processing such as JPEG for multi-valued image data and JBIG, MMR, MH for binary image data.

  The scanner unit 314 illuminates an image on paper as a document and scans it with a CCD line sensor, thereby converting it into an electrical signal as raster image data. The original paper is set on the tray of the original feeder, and when the apparatus user gives a reading start instruction from the operation unit 308, the CPU 301 gives an instruction to the scanner 314, and the feeder feeds the original paper one by one to read the original image. I do.

  The printer unit 312 is a part that converts raster image data into an image on paper. The method is an electrophotographic method using a photosensitive drum or a photosensitive belt, and ink is ejected from a micro nozzle array directly on the paper. There is an inkjet method for printing an image, but any method may be used. The activation of the printing operation is started by an instruction from the CPU 301. The printer unit 312 has a plurality of paper feed stages so that different paper sizes or different paper orientations can be selected, and has a paper cassette corresponding thereto.

  The operation unit 308 has an LCD display unit, and a touch panel sheet is pasted on the LCD. The operation unit 308 displays an operation screen of the system. When a displayed key is pressed, the position information is displayed on the operation unit I / F 307. To the CPU 301 via The operation unit 308 includes, for example, a start key, a stop key, an ID key, a reset key, and the like as various operation keys.

  Here, the start key of the operation unit 308 is used when starting a document image reading operation. At the center of the start key, there are two color LEDs, green and red, which indicate whether or not the start key can be used. Further, the stop key of the operation unit 308 functions to stop the operation in operation. The ID key of the operation unit 308 is used when inputting the user ID of the user. The reset key is used when initializing settings from the operation unit.

  The card reader 319 reads information stored in an IC card (for example, Sony FeliCa (registered trademark)) under the control of the CPU 301, and reads the read information via the external I / F 318. The CPU 301 is notified. Note that the controller unit 316, the printer 312, the scanner 314, the operation unit 308, and the card reader 319 are provided in the same casing in the multifunction peripheral 100.

  First, an outline of authentication in the IC card authentication system in the present embodiment will be described.

  When the MFP 100 detects an IC card that can be read by the card reader 319, it reads the personal authentication information in the IC card and transmits the read personal authentication information to the IC card authentication server 200 as an authentication request. The personal authentication information is information used for authentication and may be a manufacturing number of the IC card.

  When the IC card authentication server 200 receives the personal authentication information from the MFP 100, the IC card authentication server 200 stores the authentication processing of the personal authentication information in the IC card authentication table (FIG. 4) stored on the external storage device of the IC card authentication server 200. The authentication result is returned to the multi-function device 100. Here, the IC card authentication table (user authentication information) will be described with reference to FIG.

  FIG. 4 is a data configuration diagram showing an example of an IC card authentication table (user authentication information) in the IC card authentication system of the present embodiment. The IC card authentication table is stored in the external memory 211 of the IC card authentication server 200.

  As shown in FIG. 4, the IC card authentication table includes a user name 501, authentication domain name 502, card information 503, mail address 504, expiration date 505, valid / invalid 506, authentication server group 507, department ID 508, department password. 509 and the like. The card information 503 includes a card number 511, validity information 512, and a card name 513. A plurality of card information can be registered for one user.

  The user name 501 is the name of the user who uses the multifunction device 100 and is information included in the authentication result. Login to the multifunction device 100 is performed with this user name. When the user logs in, the user name is displayed on the operation unit 308.

  The authentication domain name 502 indicates where the authentication destination server is on the network. The authentication destination is the IC card authentication server 200, the directory service server 300, or the like.

  The card information 503 is card information of an IC card that allows the user to use the multifunction device 100. In the present embodiment, the card information 503 of the IC card is key information that permits the use of the multifunction peripheral 100 (image forming apparatus). The card information 503 includes a card number 511, validity information 512, and a card name 513.

  The card number 511 is a string of numbers and characters for identifying individual cards, and is information for comparing the card number with the card number read from the IC card by the card reader 319. Authentication succeeds, and if they do not match, authentication fails. The validity information 512 and the card name 513 will be described later.

  An e-mail address 504 is an e-mail address owned by the user, and is used when notifying the user about the use of the multifunction device 100. The expiration date 505 is an expiration date for use of the multifunction device 100 determined by the user. When the expiration date is exceeded, the user cannot use the multifunction device 100.

  Valid / invalid 506 is information indicating whether or not the user can use the multifunction device 100. When the MFP 100 cannot be used due to reasons such as exceeding the expiration date, information indicating invalidity is written.

  The authentication server group 507 indicates the content of restrictions on the use of the multifunction device 100 set for the user. This is realized by associating the authentication server group 507 with the function restriction information. Details of the function restriction information are shown in FIG. The information stored in the authentication server group 507 stores an authentication server group name that is converted (changed) based on information set in FIG. The authentication server group 507 includes a group stored in advance and a group that an administrator can arbitrarily create. The function restriction information described later is associated with the group stored in advance. In the case of an arbitrarily created group, the administrator determines what kind of function restriction is to be performed on the group, creates function restriction information, and associates it with the arbitrarily created group. It is also possible to associate existing function restriction information with an arbitrarily created group.

  The department ID 508 is an ID indicating the internal department to which the user belongs. The department password 509 is a password associated with the department ID 508.

  In the present embodiment, each item in the IC card authentication table of FIG. 4 is registered at the time of import, which will be described later with reference to FIG.

  The outline regarding the validity information 512 and the card name 513 in the card information 503 will be described below.

  The validity information 512 in the card information 503 is numerical information registered in the IC card. This information is used, for example, to distinguish a lost IC card from a reissued IC card when the IC card is lost.

  For example, by adding one value from the validity information of the lost IC card and reissuing the IC card, it is possible to distinguish it from the lost IC card. It can prevent misuse of lost IC card and keep security.

  The card name 513 is displayed together when displaying the card number of the IC card on a card information deletion screen (not shown) or the like so that the user can easily discriminate it. The card name can be set on a card registration / card name input screen (not shown) at the time of card information registration.

  FIG. 10 shows the detailed contents of the function restriction information described in the description of the authentication server group 507 in FIG. The function restriction information is stored in the external memory 211 of the IC authentication server 200.

  It is possible to set the usage restrictions for each function of the multifunction device in detail. For example, by setting “Allow / Do not allow” printing of device restriction items, it is possible to specify restrictions on whether to allow printing. This function restriction information is set in advance by the administrator, and is stored in association with each authentication server group 507.

  A plurality of function restriction information can be associated with one authentication server group. In this case, function restriction information to be used is set in advance among a plurality of function restriction information, or function restriction information is generated using a loose restriction, and the generated function restriction information is used. It is also possible.

  Next, referring to FIG. 5, FIG. 6, FIG. 7, and FIG. 8, the authentication server group and Active Directory group association setting in the IC card authentication system of this embodiment and the set association contents are used at the time of authentication. It describes about the processing to do.

  First, FIG. 5 describes the association setting process between the authentication server group and the Active Directory group in the IC card authentication system. This processing is performed by the IC card authentication server 200 and the client PC 700, and can be realized by executing a program that executes the processing steps described in this flowchart.

  In step S101, it is determined whether or not group association is performed in order to associate the authentication server group with the Active Directory group. Whether or not to perform grouping is determined by receiving a request for group association by a user operation from a management screen (not shown) for setting various information on the authentication server. If group association is performed, the process proceeds to step S112. If group association is not performed, the process ends.

  When group association is performed, a group association setting screen (FIG. 12) is displayed in step S112.

  In steps S102 to S103, an initial display process of the group association setting screen is described.

  In step S102, an authentication server group (FIG. 14) stored and managed in advance in the IC card authentication server is searched, and the authentication server group acquired in step S103 is set in the pull-down menu 1201.

  Here, an authentication server group stored and managed in advance by the IC card authentication server will be described with reference to FIG.

  FIG. 14 is stored in the external memory 211 of the IC card authentication server, and the authentication server group 1401 stores an authentication server group name (for example, Administrators). This authentication server group name is read from the external memory 211 and displayed on the pull-down menu 1201. The function restriction information 1402 stores a function restriction information name (for example, function restriction information A) corresponding to the function restriction information in FIG. Furthermore, the authentication server group 1401 and the function restriction information 1402 are associated with each other.

  In step S104 to step S106, processing by a user operation on the group association setting screen is described.

  In step S104, a search for an Active Directory group is executed by a user operation. A search condition 1202 is set for the search, and when the search button 1203 is pressed, a request is made to the directory service server 300 and the search is executed in the directory service server 300.

  In step S106, the search result searched according to the search request in step S104 is received from the directory service server 300, and the received Active Directory group is displayed in a list 1204 as a list.

  In step S107, the selection of the authentication server group set in the pull-down menu 1201 is accepted. The selected authentication server group is stored in the IC card authentication server 200 or the RAM 203 of the client PC 700.

  In step S108, the selection of the Active Directory group set in the selection list 1204 is accepted. When an add button 1205 is pressed, the Active Directory group selected in the selection list 1204 is displayed in the addition list 1206 as an Active Directory group associated with the Active Directory group. Note that the Active Directory group added to the addition list 1206 is stored in the RAM 203 of the IC card authentication server 200 or the client PC 700. Note that a plurality of Active Directory groups can be selected from the selection list 1204.

  When an OK button 1207 is pressed, the authentication server group selected from the pull-down menu 1201 and the Active Directory group added to the addition list 1206 are read from the IC card authentication server 200 or the RAM 203 of the client PC 700 in step S109. The association between the authentication server group and the Active Directory group is displayed as shown in FIG. 11 on the display 210 of the IC card authentication server 200 or the client PC. Reference numeral 1101 denotes an authentication server group, and 1102 and 1103 denote Active Directory groups, which are configured to display the authentication server group at the upper level and the Active Directory group at the lower level. Further, when another authentication server group is selected on the screen of FIG. 12 and the association of the Active Directory group is performed, 1104 (authentication server group) and 1105 (Active Directory group) are added.

  In step S110, the set association is confirmed by a user operation, and the association information confirmed in step S111 is saved in an XML file (FIG. 9). The XML file is stored in the external memory 211 of the IC card authentication server 200.

  FIG. 9 is a diagram for explaining an XML file in which association information between an authentication server group and an Active Directory group is described as described above. Element names in the XML format and explanations of information described in the elements are described. A description example 902 of an XML file generated based on the association information shown in 901 and displayed in FIG. 11 is shown in 902, and the association information displayed in FIG.

  Next, a process (import process) for storing user information managed by the directory service server in the IC card authentication table (FIG. 4) managed by the IC card authentication server 200 will be described with reference to FIG. At the time of import processing, group association is set in FIG. 5, and an authentication server group is set based on the generated XML file 901 (group association information).

In step S201, it is determined whether to import user information managed by the directory service server.
There are two cases of import processing execution timing: a case that is periodically performed at a specified time, and a case that is executed by a user instructing from an import execution screen (not shown). When importing, the process proceeds to step S202. When not importing, the process ends.

  In step S202, a user information acquisition request is sent to the directory service server 300. When the directory server receives the acquisition request, the directory server acquires user information of items to be imported from user information (FIG. 13) stored and managed by the directory service server 300. The acquired user information is transmitted to the requested IC card authentication server 200, and the IC card authentication server 200 receives the user information. When making a user information acquisition request to the directory service server 300, user information for managing in the IC card authentication table of the IC card authentication server 200 by transmitting items to be imported to the directory service server 300. Can be obtained.

  Here, user information stored and managed by the directory service server 300 will be described with reference to FIG.

  FIG. 13 is a diagram showing an example of data constituting the user information of the directory server. Information 1301 to 1310 is information registered in advance by the administrator when the directory service server is introduced.

  Information on the user name 1301 is imported as information on the user name 501. The information of the password 1302 is information that is not imported to the IC card authentication server 200. This is because the password is strictly managed by the directory server so that it cannot be easily retrieved or imported.

  The card information 1303 is the card information 503, the validity information 1304 is the validity information 512, the mail address 1305 is the mail address 504, the validity period 1306 is the validity period 505, the validity / invalidity 1307 is 506, and the department ID 1309 is the department ID 1309 In ID 508, the department password 1310 corresponds to the department password 509 and is imported.

  The directory server group 1308 (user group) corresponds to the authentication server group 507, and is an item in which information converted into an authentication server group name at the time of import is stored according to the association setting in FIG.

  In step S205, the Active Directory group to which each user belongs is acquired from the user information of the directory service server 300 acquired in step S202.

  In step S206, the authentication server group to which the user belongs is determined in accordance with the group association content set in the group association information (XML file 902). This process is executed for the number of users acquired in step S202. For example, when the Active Directory group is Domain Admins, referring to the XML file 902 in FIG. 9 matches 1103, Domain Admins is replaced with 1101 Administrators.

  In step S207, user information not including the Active Directory group acquired in step S202 and the contents of the authentication server group of each user determined (replaced) in step S205 are stored in the IC card authentication table.

  As described above, in this embodiment, before the user information managed by the directory service server is imported, the user group managed by the directory server (Active Directory group) and the user group managed by the IC card authentication server (authentication) By simply associating the server group with the server group on the screen, the function authority setting using the multifunction peripheral can be easily performed. Next, a process of authenticating using the user information imported into the IC card authentication table in FIG. 5 will be described with reference to FIG. FIG. 7 is a flowchart related to card authentication when a card is held over the card reader 319 of the multifunction peripheral 100.

  At the time of card authentication, the card information including the card number transmitted from the multi-function device is matched with the card information managed in the IC card authentication table to perform authentication.

  First, in step S301, card information (input information) including the card number of the IC card read by the card reader 319 by user operation is acquired. In step S302, the card information including the acquired card number is transmitted to the IC card authentication server 200.

  In step S303, the IC card authentication server 200 receives card information including the card number transmitted from the multifunction peripheral (accepts input information). In step S304, it is confirmed (authenticated) whether the card information including the received card number exists in the IC card authentication table (FIG. 4). Further, when the card information exists, the function restriction information (FIG. 10) corresponding to the authentication server group is acquired.

In step S305, when the card information including the card number exists in step S304, the IC card authentication server 200 transmits the user information including the corresponding user name and function restriction information and the authentication OK authentication result to the multi function device 100. To do.
In step S304, the IC card authentication server 200 transmits the authentication result of the authentication NG to the multi-function device 100 when the card information does not exist for the corresponding card number. In step S306, the multi-function device 100 receives the authentication result.

In step S307, OK or NG of the authentication result received in step S306 is determined. If authentication is OK, it is determined that authentication is successful, and the process proceeds to step S308. In the case of authentication NG, it is determined that the authentication has failed, and the process proceeds to step S309.
If the received authentication result is OK, an authentication success screen (not shown) is displayed in step S308. If the received authentication result is NG, an authentication failure screen (not shown) is displayed in step S309.

  After displaying the authentication success screen in step S308, the function restriction information included in the authentication result received by the CPU 301 of the multifunction device 100 is used to restrict each function constituting the multifunction device 100, and the user holding the IC card is held. The use of the multifunction device 100 is restricted. In addition, when a function whose use is restricted, for example, a transmission function is not permitted by the function restriction information, a user interface for executing the transmission function is not displayed on the operation unit 308.

  Next, a process of authenticating using user information stored and managed in the directory service server 300 without using the user information imported into the IC card authentication table in FIG. 5 will be described with reference to FIG. FIG. 8 is a flowchart regarding keyboard authentication when a user name, a password, and a user authentication destination (for example, a directory service server name) are input to the operation unit 308 of the multifunction peripheral 100 in accordance with a user operation.

  In step S401, the user name, password, and user authentication destination (for example, directory service server name) input by the user operation are acquired.

  In step S402, user information including the acquired user name, password, and user authentication destination is transmitted to the IC card authentication server 200 as an authentication request.

  In step S <b> 403, the IC card authentication server 200 receives user information including the user name, password, and user authentication destination transmitted from the multifunction peripheral 100.

  In step S404, the directory service server 300 to be an authentication destination is specified according to the user authentication destination of the received user information, and authentication is performed with the directory service server 300 specified using the user name and password of the received user information. To do. The directory service server 300 that has been authenticated compares the user information stored and managed by the directory service server 300 with the user name and password, and determines whether or not the user exists in the user information. If the user exists, the authentication OK authentication result is transmitted to the IC card authentication server 200. If the user does not exist, the authentication NG authentication result is transmitted to the IC card authentication server 200. Note that the authentication result in the case of the authentication OK includes user information (for example, user name, email address, expiration date, department ID, Active Directory group, etc.) of the matched user.

  In step S405, an authentication OK or authentication NG authentication result is received from the directory service server 300.

  In step S408, it is determined whether the authentication result in step S405 is authentication OK or authentication NG. If the authentication is OK, the process proceeds to step S410. If the authentication is NG, the process proceeds to step S413. In step S410, an Active Directory group is acquired from user information obtained from the authentication result.

  In step S411, the authentication server group is determined (acquired) using the group association information (XML file 902) based on the acquired Active Directory group. Further, the function restriction information (FIG. 10) corresponding to the confirmed authentication server group is acquired from the external memory 211 of the IC card authentication server 200. The method for determining (acquiring) the authentication server group using the group association information (XML file 902) is the same as the processing in step S206.

  In step S412, the authentication information including the authentication OK and the user information not including the Active Directory group acquired in step S410, the authentication server group acquired in step S411, and the function restriction information is transmitted to the MFP 100.

  In step S413, the authentication result of the authentication NG is transmitted to the multifunction device 100. In step S414, the MFP 100 receives the authentication result transmitted in step S412 or step S413.

  In step S415, OK or NG of the authentication result received in step S414 is determined. If authentication is OK, it is determined that the authentication is successful, and the process proceeds to step S416. In the case of authentication NG, it is determined that authentication has failed, and the process proceeds to step S417.

  If the received authentication result is OK, an authentication success screen (not shown) is displayed in step S416. If the received authentication result is NG, an authentication failure screen (not shown) is displayed in step S417.

  After displaying the authentication success screen in step S416, the function restriction information included in the authentication result received by the CPU 301 of the multifunction device 100 is used to restrict each function constituting the multifunction device 100, and the user name, password, and user authentication are performed. The use of the MFP 100 of the user who has input the destination is restricted. In addition, when a function whose use is restricted, for example, a transmission function is not permitted by the function restriction information, a user interface for executing the transmission function is not displayed on the operation unit 308.

  As a result, even when the IC card is forgotten or when keyboard authentication is performed when no user exists in the IC card authentication table, the function of the MFP 100 can be restricted for each user.

  It should be noted that the configuration and contents of the various data described above are not limited to this, and it goes without saying that the various data and configurations are configured according to the application and purpose.

  Although one embodiment has been described above, the present invention can take an embodiment as, for example, a system, apparatus, method, program, or recording medium, and specifically includes a plurality of devices. The present invention may be applied to a system including a single device.

Further, the program in the present invention is a program capable of executing the processing methods of FIGS. 5 to 8, and the storage medium of the present invention stores the program capable of executing the processing method in FIGS. 5 to 8. ing. The program in the present invention may be a program for each processing method of each apparatus in FIGS.
As described above, a recording medium that records a program that implements the functions of the above-described embodiments is supplied to a system or apparatus, and a computer (or CPU or MPU) of the system or apparatus stores the program stored in the recording medium. It goes without saying that the object of the present invention can also be achieved by executing the reading.

  In this case, the program itself read from the recording medium realizes the novel function of the present invention, and the recording medium storing the program constitutes the present invention.

  As a recording medium for supplying the program, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, DVD-ROM, magnetic tape, nonvolatile memory card, ROM, EEPROM, silicon A disk or the like can be used.

  Further, by executing the program read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (operating system) operating on the computer based on an instruction of the program is actually It goes without saying that a case where the function of the above-described embodiment is realized by performing part or all of the processing and the processing is included.

  Furthermore, after the program read from the recording medium is written to the memory provided in the function expansion board inserted into the computer or the function expansion unit connected to the computer, the function expansion board is based on the instructions of the program code. It goes without saying that the case where the CPU or the like provided in the function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

  Further, the present invention may be applied to a system composed of a plurality of devices or an apparatus composed of a single device. Needless to say, the present invention can be applied to a case where the present invention is achieved by supplying a program to a system or apparatus. In this case, by reading a recording medium storing a program for achieving the present invention into the system or apparatus, the system or apparatus can enjoy the effects of the present invention.

  Furthermore, by downloading and reading a program for achieving the present invention from a server, database, etc. on a network by a communication program, the system or apparatus can enjoy the effects of the present invention.

  In addition, all the structures which combined each embodiment mentioned above and its modification are also included in this invention.

1 is a system configuration diagram showing an example of a configuration of an IC card authentication system of the present invention. 2 is a block diagram illustrating a hardware configuration of an information processing apparatus applicable to an IC card authentication server 200, a directory service server 300, and a client PC 700. FIG. FIG. 2 is a block diagram illustrating an example of a hardware configuration of the multifunction peripheral 100 illustrated in FIG. 1. It is a data block diagram which shows an example of the table for IC card authentication of the IC card authentication system in this invention. It is a flowchart which shows an example of the matching process of the authentication server group of the IC card authentication system in this invention, and an Active Directory group. It is a flowchart which shows an example of the import process of the user information of the IC card authentication system in this invention. It is a flowchart which shows an example of the card | curd authentication process of the IC card authentication system in this invention. It is a flowchart which shows an example of the keyboard authentication process of the IC card authentication system in this invention. It is a block diagram which shows an example of the matching setting content of the authentication server group of the IC card authentication system in this invention, and an Active Directory group. It is a block diagram which shows an example of the function restriction | limiting information of the IC card authentication system in this invention. It is the example of a screen after the matching setting of the authentication server group of the IC card authentication system in this invention and an Active Directory group. It is an example of a screen of the correlation setting of the authentication server group of the IC card authentication system and the Active Directory group in the present invention. It is a block diagram which shows an example of the user information of the directory server in this invention. It is a block diagram which shows an example of matching with the authentication server group of the IC card authentication system in this invention, and function restriction information.

Explanation of symbols

100 MFP 200 IC Card Authentication Server 300 Directory Service Server 400 Local Area Network (LAN)
500 WAN
700 client PC

Claims (8)

An information processing apparatus for storing user authentication information for authenticating input information input by an image forming apparatus, capable of communicating via a network with a directory service server that manages user information including user groups,
Storage means for storing a first user group set in the user authentication information and function restriction information for restricting the function of the image forming apparatus associated with the first user group;
Obtaining means for obtaining a first user group from the storage means;
First receiving means for receiving a second user group managed by the directory service server from the directory service server;
Display means for displaying the first user group and the second user group;
Association means for associating the second user group with the first user group;
An information processing apparatus comprising: generating means for generating association information indicating association between the first user group and the second user group associated by the association means. Capture instruction means for instructing capture of user information including a second user group managed by the directory service server;
Change means for changing the second user group included in the user information received from the directory service server to the first user group associated with the association means according to the capture instruction of the capture instruction means; The information processing apparatus according to claim 1, further comprising: 3. The information processing apparatus according to claim 2, further comprising registration means for registering user information received from the directory service server changed to the first user group by the changing means as the user authentication information. Input information receiving means for receiving input information obtained from a storage medium in the image forming apparatus;
Authentication means for authenticating according to the input information accepted according to the input information acceptance means and the user authentication information;
First function restriction information acquisition means for acquiring the function restriction information according to a first user group of users authenticated by the authentication means;
In order to restrict the use of the image forming apparatus, the apparatus further comprises a first function restriction information transmitting unit that transmits the function restriction information acquired by the first function restriction information acquiring unit to the image forming apparatus. The information processing apparatus according to 2 or 3. The user authentication information includes a user name and a password,
User information receiving means for receiving user information including a user name and a password input from the image forming apparatus in order to use the image forming apparatus;
Using the user name and password received by the user information receiving means, further comprising second receiving means for receiving user information including a second user group corresponding to the user name from the directory server;
The said change means changes the 2nd user group contained in the user information received by the said 2nd receiving means to the 1st user group according to the said correlation information, The Claim 2 or 3 characterized by the above-mentioned. Information processing device. Second function restriction information acquisition means for acquiring function restriction information corresponding to the first user group changed by the changing means;
A second function restriction information transmitting unit configured to transmit the function restriction information obtained by the second function restriction information obtaining unit to the image forming apparatus in order to restrict use of the image forming apparatus; The information processing apparatus according to claim 5. User authentication information for authenticating input information input by the image forming apparatus, which is communicable via a network with a directory service server that manages user information including user groups, and a first set in the user authentication information A processing method in an information processing apparatus comprising storage means for storing a user group and function restriction information for restricting a function of the image forming apparatus associated with the first user group,
An obtaining step of obtaining a first user group from the storage means;
A first receiving step of receiving a second user group managed by the directory service server from the directory service server;
A display step for displaying the first user group and the second user group;
A step of associating the second user group with the first user group;
And a generating step of generating association information indicating association between the first user group and the second user group associated in the association step. An information processing apparatus for storing user authentication information for authenticating input information input by an image forming apparatus, capable of communicating via a network with a directory service server that manages user information including user groups,
Storage means for storing a first user group set in the user authentication information and function restriction information for restricting the function of the image forming apparatus associated with the first user group;
Obtaining means for obtaining a first user group from the storage means;
First receiving means for receiving a second user group managed by the directory service server from the directory service server;
Display means for displaying the first user group and the second user group;
Association means for associating the second user group with the first user group;
A computer-readable program that functions as a generation unit that generates association information indicating association between a first user group and a second user group associated by the association unit.

Images