JP5521804B2 - Authentication system, image forming apparatus, user management apparatus, processing method thereof, and program - Google Patents

Description

  The present invention relates to an authentication system that performs authentication processing, an image forming apparatus, and a user management apparatus.

  In recent years, when an MFP is used, an authentication information management apparatus (IC card authentication server) for authentication information read from the IC card by holding the IC card over the card reader of the MFP, for example, for the purpose of limiting users. ) And if authentication information is registered, there is already a system that responds to the multifunction peripheral with a successful authentication and can use the multifunction peripheral.

  In such a system, there are cases where it is desired to limit the functions that can be used by the multifunction device to the user. For example, there are cases where it is desired to limit the functions for each user, such as user A can use only copying, and user B can use copying and FAX.

  As described above, Patent Document 1 discloses a system for setting functions that can be used in units of users or setting functions that can be used in units of a group of multifunction devices / groups.

JP 2007-286908 A

  In the system disclosed in Patent Document 1, functions that can be used in a multi-function peripheral can be set in units of users or in units of multi-function peripherals / multi-function peripherals.

  However, in this case, since it is necessary to perform setting again every time a new multifunction peripheral is introduced, there is a problem that the workload of the administrator is large.

  In addition, when using a multifunction device, there is a mechanism in which user authentication is performed by holding an IC card or the like, and the user can use the multifunction device when the user is authenticated. Use the multifunction device installed in your company without being conscious of whether you can use it.

  Therefore, when using a mechanism that sets a multifunction device that can be used for each user, when using a multifunction device other than the multifunction device that is always used, authentication is performed by holding the IC card. As a result, the authentication is successful, but the MFP is set as an unusable MFP. Therefore, the user holding the IC card cannot use the MFP. In this case, it is inconvenient for the user to search for a usable multi-function device or to use the multi-function device by using a multi-function device that is always used.

Accordingly, an object of the present invention is to group image forming apparatuses and set use authority information of image forming apparatuses belonging to the group and use authority information of image forming apparatuses not belonging to the group to form an image according to authentication. The use of the device is easily restricted to provide a high security mechanism.

To achieve the object of the present invention, an image forming apparatus, user identification information for user authentication , device group information for managing device identification information in groups, and image formation of device identification information belonging to the device group information An authentication system comprising: a user management apparatus that manages usage authority information to be applied to an apparatus and usage authority information to be applied to an image forming apparatus having device identification information that does not belong to the device group information in association with each other; forming apparatus transmits the identification information acquiring means for acquiring user identification information for user authentication, user identification information acquired by the identification information acquiring unit, the authentication request including the device identification information of the image forming apparatus an authentication request transmission unit, according to the authentication request transmitting means, including the use authority information from the user management apparatus Includes an authentication result receiving means for receiving the testimony result, a log-in means to log by applying usage rights information included in the authentication result received by the verification result receiving unit, the user management apparatus, wherein from the image forming apparatus An authentication request receiving unit that receives an authentication request, and determines whether the device identification information is device identification information belonging to device group information according to the user identification information included in the authentication request received by the authentication request receiving unit And when the use determination means determines that the device identification information belongs to the device group information, the authentication result including the use right information corresponding to the device group information is transmitted. If it is determined that the device identification information does not belong to the device group information, it belongs to the device group information. Characterized in that it had provided an authentication result transmitting unit that sends the authentication result including the use authority information applied to the image forming apparatus of the device identification information.

The image forming apparatus includes a device group information receiving unit that receives device group information from the user management apparatus, and an image of device identification information in which the usage right information received by the authentication result receiving unit does not belong to the device group information. In the case of usage authority information to be applied to the forming apparatus, a display for displaying the device group information received by the device group information receiving means so as to use the image forming apparatus to which the usage authority information corresponding to the device group information can be applied And the user management apparatus further comprises device group information transmitting means for transmitting device group information corresponding to the user identification information to an image forming apparatus having device identification information that does not belong to the device group information. Features.

The image forming apparatus includes a device group information receiving unit that receives device group information from the user management apparatus, and an image of device identification information in which the usage right information received by the authentication result receiving unit does not belong to the device group information. In the case of usage authority information to be applied to the forming apparatus, a display for displaying the device group information received by the device group information receiving means so as to use the image forming apparatus to which the usage authority information corresponding to the device group information can be applied And the user management apparatus further comprises device group information transmitting means for transmitting device group information corresponding to the user identification information to an image forming apparatus having device identification information that does not belong to the device group information. Features.

The device group information is a group of image forming apparatuses normally used by a user, and the image forming apparatus further includes search request means for requesting a search for an image forming apparatus normally used, and the display means includes: The device group information of the image forming apparatus that is normally used is displayed according to the search request unit, and the device group information transmission unit of the user management apparatus is configured to display the device group information according to the search request by the search request unit. Is transmitted.

In addition, the image forming apparatus further includes a registration request unit that makes a registration request including the input user identification information and device identification information of the image forming apparatus so that authentication can be performed using the user identification information. The user management apparatus includes a specifying unit that specifies device group information to which the device identification information included in the registration request belongs, and a registration unit that associates and registers the user identification information and the device group information specified by the specifying unit. And further comprising.

To group the image forming apparatus, by setting the use authority information of the image forming apparatus belonging to the group, the use authority information of the image forming apparatus not belonging to a group, easily restrict the use of the image forming apparatus according to the authentication , Can increase security.

System configuration diagram showing an example of the configuration of an IC card authentication system Hardware configuration diagram of information processing apparatus applicable to IC card authentication server 200, directory service server 300, and client PC 700 Hardware configuration diagram of MFP 100 Functional block diagram of MFP 100 and IC card authentication server 200 in the IC card authentication system The figure which shows the structure of the table for IC card authentication Figure showing an example of the device management screen The figure which shows an example of a user information edit screen The figure which shows an example of the function restriction confirmation screen 800A and the search result display screen 800B Flow chart showing device group registration process A flowchart showing processing when an IC card is held over a card reader Flow chart showing authentication process Flow chart showing device group search processing Diagram showing the structure of function restriction information The figure which shows the matching table of function restriction information and an authority group A flowchart showing processing when an IC card is held over a card reader (second embodiment) Flowchart showing keyboard authentication process (second embodiment) Flowchart showing card registration processing (second embodiment) The figure which shows an example of user confirmation screen 1800A, card registration success screen 1800B, and authentication NG screen 1800CA The figure which shows an example of the user information memorize | stored in the IC card authentication table Flowchart showing keyboard authentication process (third embodiment) Figure showing an example of the registration notification screen Flowchart showing keyboard authentication process (third embodiment) Flowchart showing card registration processing (third embodiment) Diagram showing device group information table

[First Embodiment]
Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a system configuration diagram showing an example of the configuration of the IC card authentication system of the present invention.

  FIG. 1 shows a configuration in which one or a plurality of multifunction peripherals 100, an IC card authentication server 200, and a plurality of directory service servers 300 are communicably connected via a local area network (LAN) 400.

  The IC card authentication server 200 (user management apparatus) stores an IC card authentication table (shown in FIG. 5 to be described later), and responds to an authentication request from the multifunction device 100 using an IC card or an authentication request using a user name and password. Then, an authentication process is performed using the IC card authentication table.

  The directory service server 300 includes hardware resources such as servers and clients existing on the network, user attributes (for example, Microsoft Windows (registered trademark) login user name and password), access rights, and the like. For example, a server equipped with an active directory (Active Directory (trademark; hereinafter omitted)) function.

  A client PC 700 is a client PC in which an IC card authentication server management tool is installed. It is possible to access the IC card authentication server from the IC card authentication server management tool and perform setting work from the screens of FIGS. 6 and 7 of the IC card authentication server management tool.

  The IC card authentication server management tool may be configured to be installed in the IC card authentication server 200, and can be set by the IC card authentication server 200.

  The IC card authentication system according to the present embodiment is configured such that one or a plurality of MFPs 100, the IC card authentication server 200, and the directory service server 300 configured as described above are connected via a WAN 500 connected via a LAN 400. It may be.

  Furthermore, the present invention can be applied not only to IC card authentication but also to an authentication system using biometric authentication such as fingerprint.

  An IC card authentication table stored in the IC card authentication server 200 may be stored in the HDD 304 of the multi-function device 100, and authentication processing (FIG. 11) may be performed in the multi-function device 100.

  Hereinafter, the hardware configuration of the information processing apparatus applicable to the IC card authentication server 200, the directory service server 300, and the client PC 700 illustrated in FIG. 1 will be described with reference to FIG.

  FIG. 2 is a block diagram showing a hardware configuration of an information processing apparatus applicable to the IC card authentication server 200, the directory service server 300, and the client PC 700 shown in FIG.

  In FIG. 2, reference numeral 201 denotes a CPU that comprehensively controls each device and controller connected to the system bus 204. Further, the ROM 202 or the external memory 211 is necessary to realize a BIOS (Basic Input / Output System) or an operating system program (hereinafter referred to as an OS), which is a control program of the CPU 201, or a function executed by each server or each PC. Various programs to be described later are stored.

  A RAM 203 functions as a main memory, work area, and the like for the CPU 201. The CPU 201 implements various operations by loading a program or the like necessary for execution of processing from the ROM 202 or the external memory 211 into the RAM 203 and executing the loaded program.

  An input controller 205 controls input from a keyboard (KB) 209 or a pointing device such as a mouse (not shown). A video controller 206 controls display on a display 210 such as a liquid crystal display. These are used by the administrator as needed.

  A memory controller 207 is provided in an external storage device (hard disk (HD)), flexible disk (FD), or PCMCIA card slot for storing a boot program, various applications, font data, user files, editing files, various data, and the like. Controls access to an external memory 211 such as a compact flash (registered trademark) memory connected via an adapter.

  A communication I / F controller 208 connects and communicates with an external device via a network (for example, the LAN 400 shown in FIG. 1), and executes communication control processing in the network. For example, communication using TCP / IP is possible.

  Note that the CPU 201 enables display on the display 210 by executing outline font rasterization processing on a display information area in the RAM 203, for example. Further, the CPU 201 enables a user instruction with a mouse cursor (not shown) on the display 210.

  Various programs to be described later for realizing the present invention are recorded in the external memory 211 and executed by the CPU 201 by being loaded into the RAM 203 as necessary. Furthermore, definition files and various information tables used when executing the program are also stored in the external memory 211, and a detailed description thereof will be described later.

  Next, the hardware configuration of the multifunction peripheral 100 as the image forming apparatus of the present invention will be described with reference to FIG.

  FIG. 3 is a block diagram illustrating an example of a hardware configuration of the multifunction peripheral 100 illustrated in FIG.

  In FIG. 3, reference numeral 316 denotes a controller unit which is connected to a scanner unit 314 functioning as an image input device and a printer unit 312 functioning as an image output device, while being connected to a LAN (for example, the LAN 400 shown in FIG. 1) or a public line ( (WAN) (for example, PSTN or ISDN) to input / output image data and device information.

  In the controller unit 316, reference numeral 301 denotes a CPU, which is a processor that controls the entire system. A RAM 302 is a system work memory for the CPU 301 to operate, and is also a program memory for recording a program and an image memory for temporarily recording image data.

  A ROM 303 stores a system boot program and various control programs. An external storage device (hard disk drive (HDD)) 304 stores various programs for controlling the system, image data, and the like.

  An operation unit interface (operation unit I / F) 307 is an interface unit with the operation unit (UI) 308 and outputs image data to be displayed on the operation unit 308 to the operation unit 308. The operation unit I / F 307 serves to transmit information (for example, user information) input by the system user from the operation unit 308 to the CPU 301. Note that the operation unit 308 includes a display unit having a touch panel, and various instructions can be given by a user pressing (touching with a finger or the like) a button displayed on the display unit.

  A network interface (Network I / F) 305 is connected to a network (LAN) and inputs / outputs data. A modem (MODEM) 306 is connected to a public line and inputs / outputs data such as FAX transmission / reception.

  An external interface (external I / F) 318 is an I / F unit that accepts external inputs such as USB, IEEE 1394, printer port, RS-232C, etc. In this embodiment, an IC card (storage medium) required for authentication ) Is connected to the external I / F unit 318. The CPU 301 can control reading of information from the IC card by the card reader 319 via the external I / F 318, and can acquire information read from the IC card. The above devices are arranged on the system bus 309.

  Reference numeral 320 denotes an image bus interface (IMAGE BUS I / F), which is a bus bridge that connects the system bus 309 and an image bus 315 that transfers image data at high speed, and converts the data structure.

  The image bus 315 is configured by a PCI bus or IEEE1394. The following devices are arranged on the image bus 315.

  A raster image processor (RIP) 310 develops vector data such as a PDL code into a bitmap image. A printer interface (printer I / F) 311 connects the printer unit 312 and the controller unit 316 and performs synchronous / asynchronous conversion of image data. A scanner interface (scanner I / F) 313 connects the scanner unit 314 and the controller unit 316 and performs synchronous / asynchronous conversion of image data.

  An image processing unit 317 performs correction, processing, and editing on input image data, and performs printer correction, resolution conversion, and the like on print output image data. In addition to this, the image processing unit 317 performs image data rotation and compression / decompression processing such as JPEG for multi-valued image data and JBIG, MMR, MH for binary image data.

  The scanner unit 314 illuminates an image on paper as a document and scans it with a CCD line sensor, thereby converting it into an electrical signal as raster image data. The original paper is set on the tray of the original feeder, and when the apparatus user gives a reading start instruction from the operation unit 308, the CPU 301 gives an instruction to the scanner unit 314, and the feeder feeds the original paper one by one to read the original image. Perform the action.

  The printer unit 312 is a part that converts raster image data into an image on paper. The method is an electrophotographic method using a photosensitive drum or a photosensitive belt, and ink is ejected from a micro nozzle array directly on the paper. There is an inkjet method for printing an image, but any method may be used. The activation of the printing operation is started by an instruction from the CPU 301. The printer unit 312 has a plurality of paper feed stages so that different paper sizes or different paper orientations can be selected, and has a paper cassette corresponding thereto.

  The operation unit 308 has an LCD display unit, and a touch panel sheet is pasted on the LCD. The operation unit 308 displays an operation screen of the system. When a displayed key is pressed, the position information is displayed on the operation unit I / F 307. To the CPU 301 via The operation unit 308 includes, for example, a start key, a stop key, an ID key, a reset key, and the like as various operation keys.

  Here, the start key of the operation unit 308 is used when starting a document image reading operation. At the center of the start key, there are two color LEDs, green and red, which indicate whether or not the start key can be used. Further, the stop key of the operation unit 308 functions to stop the operation in operation. The ID key of the operation unit 308 is used when inputting the user ID of the user. The reset key is used when initializing settings from the operation unit.

  The card reader 319 reads information stored in an IC card (for example, Sony FeliCa (registered trademark)) under the control of the CPU 301, and reads the read information via the external I / F 318. The CPU 301 is notified. The controller unit 316, the printer unit 312, the scanner unit 314, the operation unit 308, and the card reader 319 are provided in the same casing in the multifunction device 100.

  Next, processing of the IC card authentication system will be described using a functional block diagram of the MFP 100 and the IC card authentication server 200 in the IC card authentication system of FIG.

  The multi-function device 100 includes functional units 401 to 407, and the CPU 301 executes the functional units. The IC card authentication server 200 has 408 to 412 functional units, and the CPU 201 executes the functional units.

  First, the user information setting unit 408 of the MFP 100 acquires user information from the directory service server 300 and stores it in the IC card authentication table of FIG. For the stored user information, the function restriction information 530 in the case other than the card information 503, the function restriction information 507, and the device restriction information 520 device group is set via the user information editing screen of FIG. Also, a device group is generated via the device management screen of FIG. 6, and an IP address and a subnet mask are set in the device group.

  When the authentication information acquisition unit 401 detects an IC card that can be read by the card reader 319, the authentication information acquisition unit 401 acquires personal authentication information in the IC card. The authentication information transmission unit 402 transmits the acquired personal authentication information to the IC card authentication server 200 as an authentication request. In this authentication request, the IP address of the multifunction device 100 is also transmitted. This IP address includes an IP address transmitted over TCP / IP communication. The personal authentication information is information used for authentication and may be a manufacturing number of the IC card.

  The authentication information receiving unit 409 of the IC card authentication server 200 receives personal authentication information from the multifunction device 100. The authentication unit 410 performs authentication processing of the received personal authentication information based on the IC card authentication table (FIG. 5) stored on the external storage device of the IC card authentication server 200, and the IC card authentication table (FIG. 5). ) Includes personal authentication information, it is determined whether the MFP 100 can be used with the authority normally used by the user according to the IP address that can be acquired when the personal authentication information is received and the device restriction information 520 in FIG. To do.

  When the acquired IP address is included in the device group information, the authentication result transmission unit 411 sends the user information including the authority (function restriction information 507) normally available to the user and the authentication OK authentication result to the multi-function device 100. Send. Further, when the acquired IP address is not included in the device group information, the authentication result transmission unit 411 authenticates the user information including the authority (function restriction information 530) when using the device not included in the device group and the authentication. The authentication result of OK is transmitted to the multifunction device 100. Further, the authentication result transmission unit 411 has a case where the personal authentication information is not included in the IC card authentication table (FIG. 5), and a case where the acquired IP address is not included in the device group information and no device group is set. Transmits the authentication result of the authentication NG to the multi-function device 100.

  Note that the authentication result includes information for identifying whether the user can normally use the authority (function restriction information 507) or the authority when using a device not included in the device group (function restriction information 530). In this identification information, the authority (function restriction information 507) that can be normally used by the user is flag “0”, and the authority when using a device not included in the device group (function restriction information 530) is flag “1”. A flag is included in the authentication result. Alternatively, the function restriction information is defined for each of the authority that the user can normally use (function restriction information 507) and the authority for using a device that is not included in the device group (function restriction information 530). Alternatively, the function restriction information name may be provided with identifiable information, and the function restriction information name may be included in the authentication result.

  Further, it is assumed that the authority (function restriction information 530) when using the device is set to be lower than the authority (function restriction information 507) that is normally available to the user. When the authority at the time of use (function restriction information 530) is higher authority, the lower authority is used for items that do not match.

  The authentication result receiving unit 403 of the MFP 100 receives the authentication result from the IC card authentication server 200, and the authentication result storage unit 404 stores the user information of the authentication result in the RAM 302. When the authority information included in the user information stored in the RAM 302 is an authority that can be normally used by the user (function restriction information 507), the authority determination unit 405 transmits the information to the multifunction peripheral 100 according to the function restriction information 507. Log in. This login is to make a login request to the platform (for example, operating system) of the multifunction machine 100 using the function restriction information 507. The platform side of the multifunction device 100 that has received the login request refers to the function restriction information 507 and restricts the use of the print function and scan function of the multifunction device 100.

  8 is displayed on the operation unit 308 when the authority information included in the user information is an authority (function restriction information 530) for using a device not included in the device group. And login to the MFP 100 according to the authority (function restriction information 530) when using a device not included in the device group, which is lower than the authority (function restriction information 507) that the user can normally use. . This login is to make a login request to the platform (for example, operating system) of the multifunction machine 100 using the function restriction information 530. The platform side of the multifunction device 100 that has received the login request refers to the function restriction information 530 and restricts the use of the print function and the scan function of the multifunction device 100.

  Also, in the case of using the authority (function restriction information 530) when using a device not included in the device group, the device group search request unit 407 uses the authority (function restriction information) normally available to the user according to the user's instruction. 507), a request is made to the IC card authentication server 200 using user information (for example, a user name) in order to obtain a multifunction device that can be used or a location (floor name) where the multifunction device is installed. In addition, the device group search unit 412 of the IC card authentication server 200 acquires the device group 521 according to the user information included in the request, and transmits the device group 521 to the multifunction device 100. The display control unit 406 of the MFP 100 displays the search result display screen 800B of FIG. 8 using the device group received from the IC card authentication server 200.

  Next, the IC card authentication table will be described with reference to FIG.

  FIG. 5 is a data configuration diagram showing an example of an IC card authentication table in the IC card authentication system of the present embodiment. The IC card authentication table is stored in the external memory 211 of the IC card authentication server 200.

  As shown in FIG. 5, the IC card authentication table includes a user name 501, an authentication domain name 502, card information 503, a mail address 504, an expiration date 505, valid / invalid 506, function restriction information 507, a department ID 508, and a department password. 509, device restriction information 520, function restriction information 530 for cases other than device groups, and the like. The card information 503 includes a card number 511, validity information 512, and a card name 513. A plurality of card information can be registered for one user. The device restriction information 520 includes a device group 521, an IP address 522, and a subnet mask 523.

  The user name 501 is the name of the user who uses the multifunction device 100 and is information included in the authentication result. Login to the multifunction device 100 is performed with this user name. When the user logs in, the user name is displayed on the operation unit 308.

  The authentication domain name 502 indicates where the authentication destination server is on the network. The authentication destination is the IC card authentication server 200, the directory service server 300, or the like.

  The card information 503 is card information of an IC card that allows the user to use the multifunction device 100. In this embodiment, the card information 503 of the IC card is key information that permits the use of the multifunction peripheral 100 (image forming apparatus) (user authentication). The card information 503 includes a card number 511, validity information 512, and a card name 513.

  The card number 511 is a string of numbers and characters for identifying individual cards, and is information for comparing the card number with the card number read from the IC card by the card reader 319. Authentication succeeds, and if they do not match, authentication fails. The validity information 512 and the card name 513 will be described later.

  An e-mail address 504 is an e-mail address owned by the user, and is used when notifying the user about the use of the multifunction device 100. The expiration date 505 is an expiration date for use of the multifunction device 100 determined by the user. When the expiration date is exceeded, the user cannot use the multifunction device 100.

  Valid / invalid 506 is information indicating whether or not the user can use the multifunction device 100. When the MFP 100 cannot be used due to reasons such as exceeding the expiration date, information indicating invalidity is written.

  The function restriction information 507 indicates contents for restricting the functions of the multifunction device when the multifunction device 100 included in the device group set for the user is used. The multifunction device normally used by the user (for example, There are some which restrict the functions of the floor multifunction devices that users usually use. The function restriction information 507 is realized by associating the function restriction information shown in FIG. Details of the function restriction information are described in FIG. The information stored in the function restriction information 507 stores a name associated with the function restriction information. The function restriction information 507 can be paraphrased as first function restriction information that defines functions that can be used by the MFP 100 included in the device group.

  The department ID 508 is an ID indicating the internal department to which the user belongs. The department password 509 is a password associated with the department ID 508.

  The outline regarding the validity information 512 and the card name 513 in the card information 503 will be described below.

  The validity information 512 in the card information 503 is numerical information registered in the IC card. This information is used, for example, to distinguish a lost IC card from a reissued IC card when the IC card is lost.

  For example, by adding one value from the validity information of the lost IC card and reissuing the IC card, it is possible to distinguish it from the lost IC card. It can prevent misuse of lost IC card and keep security.

  The card name 513 is displayed together when displaying the card number of the IC card on a card information deletion screen (not shown) or the like so that the user can easily discriminate it. The card name can be set on a card registration / card name input screen (not shown) at the time of card information registration.

  An outline of the device group 521, the IP address 522, and the subnet mask 523 will be described below.

  The device group 521 represents the name of the device group and is unique information. The IP address 522 is an IP address of a device group, and a plurality of IP addresses can be set for one device group. The subnet mask 523 is set with an IP address range.

  The device restriction information 520 is information stored by being set on the user editing screen of FIG. Further, the device restriction information that can be set on the user edit screen of FIG. 7 is information that can be set on the device management screen of FIG.

The function restriction information 530 for a device other than a device group indicates contents for restricting the functions of the MFP 100 that are not included in the device group. In addition, the function restriction information 530 can be paraphrased as first function restriction information that defines usable functions of the MFP 100 that are not included in the device group.

  In addition, the IP address 522 and the subnet mask 523 can be rephrased as a first address for specifying a multifunction device that can be used by the user.

  FIG. 19 is a diagram showing an example when the above-described user information is stored in the IC card authentication table.

  Next, processing for registering a device group will be described with reference to FIGS.

  Note that the processing of steps S901 to S905 in FIG.

  In step S901, the name of the device group is input to the text area 611, and the add group button 612 is pressed to register the device group. The registered device group is displayed at the top of the tree structure, such as 601 and 603.

  In step S902, device information (IP address or IP address and subnet mask) is registered for the registered device group. When registering using only the IP address, enter the IP address in the text area 613 and press the device addition button 616 for registration. The registered IP address is displayed below the tree structure as 602.

  When registering by IP address and subnet mask, the IP address is input in the text area 614, the subnet mask is input in the text area 615, and the device addition button 616 is pressed to register. The registered IP address is displayed in the lower part of the tree structure in the format of “IP address / subnet mask value” as 604. A plurality of device information can be registered for one device group.

The registered information is stored in the external memory 211 of the IC card authentication server 200. When registering with an IP address and a subnet mask, a specific network (network address (network information)) is designated, and is a setting for targeting a multi-function device in the network.

  Next, processing for registering the device group registered in FIG. 6 in the user information will be described with reference to FIGS.

  In step S903, it is determined whether to register the device group in the user information according to the user instruction. If it is determined to register, the process proceeds to step S904. If registration is not performed, that is, an end instruction is given, the process ends.

  In step S904, the device group to be registered in the user information is selected from the pull-down menu 703 on the user edit screen, and the add button 704 is pressed to register the device group to the user (device restriction information setting). A user can register a plurality of device groups. In the pull-down menu 703, the device group registered in FIG. 6 is set.

  In step S905, the user selects radio buttons 705 and 706 to set an operation when the IP address of the MFP 100 at the time of authentication does not correspond to the device group registered with the user (second function). Set restriction information). When the radio button 705 (cannot log in) is selected, no information is registered in the device restriction information 520 (a NULL value is set) so that authentication is NG.

  Also, when the radio button 706 (log in with the following group usage restrictions) is selected, the function restriction information specified in the pull-down menu 707 becomes the device restriction information so that the function restriction information specified in the pull-down menu 707 is authenticated. 520 is registered.

  Next, a process when the IC card is held over a card reader will be described with reference to FIG.

  Note that the processing of step S1001 and step S1012 to step S1017 is executed by the CPU 301 of the multifunction peripheral 100, and step S1001-1 is executed by the CPU 201 of the IC card authentication server 200. Note that the processing in step S1001-1 will be described with reference to FIG.

  First, in step S1001, card information is acquired from the IC card held by the user (second identification information is acquired), and an IP address of the multi-function device 100 is acquired (second address is acquired). The acquired card information and the IP address of the MFP 100 are transmitted to the IC card authentication server 200 (authentication request transmission). Card information is held in the RAM 302.

In step S1001-1, the IC card authentication server 200 receives the card information and the IP address of the multi-function device 100, and performs authentication processing.
Here, the authentication process will be described with reference to FIG.

  Note that the processing in steps S1002 to S1011 is executed by the CPU 201 of the IC card authentication server 200.

  In step S1002, the card information and the IP address of the multifunction device 100 are received (authentication request reception).

  In step S1003, user information is searched from the IC card authentication table of FIG. 5 based on the card information received in step S1002.

  In step S1004, if the user information (information in the IC card authentication table 501 to 530) can be acquired as a result of the search in step S1003, the process proceeds to step S1005 as successful authentication (authentication OK). When user information cannot be acquired (when user information is not registered), the process proceeds to step S1011.

  In step S1005, the IP address of the MFP 100 received in step S1002 is compared with the device restriction information of the user information acquired in step S1003. Specifically, using the IP address 522 and / or the subnet mask 523, the IP address of the MFP 100 included in the device group is inspected (use determination).

  In step S1006, if it is determined that the MFP is included in the device group as a result of the comparison in step S1005, the process proceeds to step S1007. If it is determined that the MFP is not included in the device group, the process proceeds to step S1008.

  If it is determined in step S1007 that the MFP is included in the device group, the result of authentication OK and the authentication result of user information (e-mail address 504, function restriction information 507, etc.) are transmitted to the MFP 100 (authentication result transmission). . This authentication result has identification information (such as a flag) indicating that the function restriction information 507 normally used by the user is included.

  In step S1008, when it is determined that the MFP is not included in the device group, it is determined whether authentication is performed when there is an authentication request from the MFP other than the device group. Whether or not to authenticate is determined by the function restriction information 530 in the case other than the device group. If the function restriction information is included in the function restriction information 530 in the case other than the device group, that is, if 707 is set in FIG. 7, the process proceeds to step S1009. If the function restriction information is not included in the function restriction information 530 other than the device group (in the case of a NULL value), that is, if 706 is set in FIG. 7, the process proceeds to step S1011.

  In step S1009, the function restriction information is acquired from the function restriction information 530 in the case other than the device group.

  In step S1010, authentication OK (authentication OK within device group (normal authentication OK) / authentication with function restriction information other than device group OK) and authentication result NG result and user information (mail address 504, device group other than device group) The authentication result of the function restriction information 530 or the like is transmitted to the multi-function device 100 (authentication result transmission). This authentication result has identification information (such as a flag) indicating that the function restriction information 530 for cases other than the device group is included.

  In step S <b> 1011, an authentication NG authentication result is transmitted to the multifunction peripheral 100.

  Subsequently, returning to FIG. 10, in step S <b> 1012, the multi-function device 100 receives the authentication result from the IC card authentication server 200.

  In step S1013, the authentication result from the IC card authentication server 200 received in step S1012 is determined. If the authentication is OK, the process proceeds to step S1014. If the authentication is NG, the process proceeds to step S1017.

  If the authentication is OK, the user information included in the authentication result is stored in the RAM 302.

  In step S1017, an authentication NG screen (not shown) indicating that the authentication could not be performed is displayed on the operation unit 308.

  In step S1014, it is determined from the identification information included in the authentication result whether the function restriction information 530 for the device group other than the device group indicates that the authentication is OK. If the function restriction information 530 other than the device group indicates authentication OK, the process proceeds to step S1016. If the function restriction information 507 normally used by the user indicates authentication OK, the process proceeds to step S1015. Move.

  In other words, the process of step S1014 is a process of determining whether or not the MFP can log in using the function restriction information 507 (first function restriction information). If the MFP can log in using the function restriction information 507 (first function restriction information), the process proceeds to step S1015, and login is possible using the function restriction information 507 (first function restriction information). If the MFP is not a multifunction device, the process proceeds to step S1016.

  In step S 1015, the MFP 100 is logged in according to the function restriction information 507 of the user information stored in the RAM 302, and an initial screen (not shown) after login is displayed on the operation unit 308. The initial screen is a screen displayed as a default after login, and can be arbitrarily set by the administrator. Examples of the initial screen include a print operation screen and a scan operation screen. This login is to make a login request to the platform (for example, operating system) of the multifunction machine 100 using the function restriction information 507. The platform side of the multifunction device 100 that has received the login request refers to the function restriction information 507 and restricts the use of the print function and scan function of the multifunction device 100.

  Note that after the initial screen is displayed, the function selected by the user and having no function restriction is executed. For example, when executing the print function, a print job output from the client PC 700 and including the user name of the user who has logged in to the client PC 700 is stored in the HDD 304 of the MFP 100, and corresponds to the user name logged in from this print job. The print job to be acquired is acquired and the print job list is displayed. When the user selects a print job displayed in a list, the print job is acquired from the HDD 304 and output from the printer unit 312.

  In step S1016, the log-in process is performed using the function restriction information 530 in the case other than the device group without using the function restriction information 507 that is normally used by the user. In order to notify this, the function restriction confirmation screen 800A shown in FIG.

  Here, the screen of FIG. 8 will be described. When login processing is performed using the function restriction information 507 that is normally used by the user, the function restriction confirmation screen 800A is not displayed, and the function restriction confirmation screen 800A is displayed when the function restriction information 530 for a device group other than the device group is used. Is displayed.

  The function restriction confirmation screen 800A includes a search button 801 for searching for a multifunction machine that can perform login processing using the function restriction information 507 that is normally used by the user, and function restriction information 530 for a device other than the device group. And an OK button 804 that can be used to instruct to perform login processing.

  When the search button 801 is pressed by the user, the name of the device group obtained by transmitting user information from the multifunction device 100 to the IC card authentication server 200 is displayed on the search result display screen 800B. The search result display screen 800B can also display information for specifying a multifunction peripheral that can perform login processing using the function restriction information 507 that is normally used by the user. The information for specifying the MFP is a computer name (multifunction machine name (device name)) converted from the IP address using the IP address 602 and DNS (Domain Name Service) in FIG.

  The search result display screen 800 </ b> B is applied with a return button 802 for returning to the screen on which the function restriction confirmation screen 800 </ b> A is displayed and function restriction information 530 for a device group other than the device group. An end button 803 is provided to prevent the user from logging in when processing is considered impossible.

  When the end button 803 is instructed by the user, the multifunction peripheral 100 that has detected the instruction ends the process without logging in. Then, when the user holds the card over the card reader 319, the process waits for the processing to proceed to step S1001.

  Subsequently, returning to FIG. 10, in step S1018, it is determined whether or not the search button 801 on the function restriction confirmation screen 800A has been pressed. If the search button 801 is pressed, the process proceeds to step S1201 in FIG. If the OK button 804 is pressed, the process proceeds to step S1015. In this case, in step S1015, the function restriction information 530 for a device group other than the device group is applied and a login is performed, and an initial screen is displayed on the operation unit 308. This login is to make a login request to the platform (for example, operating system) of the multifunction machine 100 using the function restriction information 530. The platform side of the multifunction device 100 that has received the login request refers to the function restriction information 530 and restricts the use of the print function and the scan function of the multifunction device 100.

  Note that after the initial screen is displayed, the function selected by the user and having no function restriction is executed. For example, when executing the print function, a print job output from the client PC 700 and including the user name of the user who has logged in to the client PC 700 is stored in the HDD 304 of the MFP 100, and corresponds to the user name logged in from this print job. The print job to be acquired is acquired and the print job list is displayed. When the user selects a print job displayed in a list, the print job is acquired from the HDD 304 and output from the printer unit 312.

  Next, device group search processing will be described with reference to FIG.

  Note that the processing of steps S1201 and S1205 to S1207 is executed by the CPU 301 of the multifunction peripheral 100. Further, the processing of steps S1202 to S1204 is executed by the CPU 201 of the IC card authentication server 200.

  In step S1201, IC card authentication is performed in order to acquire the name of a multifunction device or device group (for example, the floor where the multifunction device is installed) that can be logged in using the function restriction information 507 that is normally used by the user. A device group request including user information (for example, user name and card information) stored in the RAM 302 is transmitted to the server 200 (transmission of search request). In addition to the user information stored in the RAM 302, the card information acquired in step S1001 can be used.

  In step S1202, a device group request including user information (for example, user name and card information) is received from the multi-function device 100 (reception request reception).

  In step S1203, based on the user information, the IC card authentication table of FIG. 5 stored in the external memory of the IC card authentication server 200 is searched to obtain the device restriction information 520 (521, 522, 523). .

  In step S1204, the device group 521 is transmitted from the acquired device restriction information 520 to the requested MFP 100 (device restriction information transmission). In this embodiment, the device group 521 of the acquired device restriction information 520 is transmitted. However, the IP address 522 or the computer name converted from the IP address 522 (multifunction device name) may be transmitted. Good. This can be arbitrarily set by the administrator, and information corresponding to the setting is transmitted to the multi-function device 100.

  In step S1205, the device group 521 is received from the IC card authentication server 200.

  In step S1206, the search result display screen 800B of FIG. 8 is displayed on the operation unit 308 of the multifunction peripheral 100 in accordance with the received device restriction information 520 (device restriction information display).

  In step S1207, it is determined whether or not the return button 802 on the search result display screen 800B has been pressed. If it is determined that the return button 802 is pressed, the screen returns to the screen displaying the function restriction confirmation screen 800A shown in FIG. 8 and waits until the user detects that the search button 801 or the OK button 804 is pressed. If the end button 803 is pressed, the process ends, and the user information stored in the RAM 302 of the multi-function device 100 is deleted.

  Next, the function restriction information will be described with reference to FIGS. FIG. 13 is a diagram illustrating setting of function restriction information stored in the function restriction information 507 and the function restriction information 530 in a case other than the device group. FIG. 14 is a diagram illustrating an association table that associates function restriction information with authority groups.

  The function restriction information can set the use restrictions of each function of the multifunction device 100 in detail. For example, by setting “Allow / Do not allow” printing of device restriction items, it is possible to specify restrictions on whether to allow printing. . This function restriction information is set in advance by the administrator, and is stored in association with an authority group name 1401 arbitrarily given by the administrator as shown in the authority group setting information in FIG.

  A plurality of function restriction information can be associated with one authority group name 1401. Further, each function restriction information is provided with a function restriction information name 1402, and the function restriction information name 1402 is used for association.

  In this embodiment, the function restriction information 507 and the function restriction information 530 for the case other than the device group store a function restriction information name 1402, and the functions set in FIG. 13 corresponding to the function restriction information name 1402. The restriction information is transmitted to the multifunction device 100.

  The information set in 707 in FIG. 7 is the authority group in FIG. 14. When the authority group is set here, the function restriction information name corresponding to the authority group is derived from FIG. It is stored in the function restriction information 530 when the name is other than the device group. Reference numeral 707 denotes an example in which a GeneralUser is set. In this case, since the function restriction information B can be acquired with reference to FIG. 14, “function restriction information B” is included in the function restriction information 530 other than the device group. Stored.

  This can be realized even in a configuration in which the function restriction information 530 stores the authority group (for example, GeneralUser) set in 707.

  According to the embodiment described above, a group of multifunction peripherals (image forming apparatuses) that can be used by a user is set, and a multifunction peripheral (image forming apparatus) according to authentication is set by setting the set groups for each user. Can be restricted, and a highly secure mechanism can be realized.

  In addition, by setting authority when the MFP (image forming apparatus) that has requested authentication is not a group of MFPs (image forming apparatuses) that can be used by the set user, other MFPs (image forming apparatuses) are set. It is possible to use the multi-function device and improve convenience while restricting the functions of the device. Further, by limiting the functions of other multifunction peripherals (image forming apparatuses), it is possible to realize a high security mechanism that restricts unnecessary use.

  Further, a multifunction peripheral (image forming apparatus) that can be used with the authority of the multifunction peripheral normally used by the user from another multifunction peripheral (image forming apparatus) that has lower authority than the multifunction peripheral (image forming apparatus) that is normally used. ) Can be searched, and a highly convenient mechanism can be realized.

[Second Embodiment]
In the first embodiment, the mechanism for creating a device group, setting the created device group in the user information, and restricting the use of the multifunction device has been described.

  In the present embodiment, a mechanism for restricting the use of a multifunction device by enabling registration of an IC card from a usable multifunction device according to a device group will be described.

  Next, an embodiment in which card registration is performed when an IC card is not registered in the IC card authentication table in the process when the IC card is held over the card reader will be described with reference to FIG. .

  Note that the processing in step S1001, step S1001-1, step S1012 to step S1018 in FIG. 15 is the same as the processing described in the description of FIG. 10 and FIG. Therefore, the description of the above steps is omitted here.

  In step S1013 of FIG. 15, the authentication result from the IC card authentication server 200 received in step S1012 is determined. If the authentication is OK, the process proceeds to step S1014. If the authentication result is NG, The process moves to step S1020.

  As described above, the authentication result is authentication OK (authentication OK in device group (authentication OK with function restriction information 507) / authentication with function restriction information in a case other than device group) authentication NG result and user information (email address 504). , Function restriction information 507 or function restriction information 530 for cases other than device groups). In the case of authentication NG, a flag indicating the reason for authentication NG, for example, a flag indicating that the card is not registered in the IC card authentication table is included in the authentication result.

  Note that the processing subsequent to step S1014 (steps S1014 to 1016 and step S1018) has already been described with reference to FIG.

  In step S1020, the contents of authentication NG are determined. Since the card is not registered in the IC card authentication table, if the authentication is NG, the process proceeds to step S1021. If it is authentication NG for other reasons, the process proceeds to step S1017. (Step S1017 has already been described with reference to FIG. 11 and will not be described here.)

  In the case of the present embodiment, a 1800C screen is displayed on the operation unit to notify that registration cannot be performed from the multifunction device.

  In step S1021, it is determined whether the held card is a registerable card. If the card can be registered, the process proceeds to step S1021. If it is authentication NG for other reasons, the process proceeds to step S1017. Step S1017 has already been described with reference to FIG.

  Whether the card can be registered is determined from the contents of the read card number. On the multi-function device side, the card number range (number of digits, alphanumeric rules, etc.) is defined in advance, and a card that can be registered is determined.

  In step S1022, a user confirmation screen 1800A shown in FIG. 18 is displayed on the operation unit 308 in order to confirm whether the user can register the card before card registration.

  In step S1023, the user name, password, and authentication destination information input by the user on the user confirmation screen 1800A are acquired, and the IP address of the multifunction device 100 is acquired. The acquired user name, password, authentication destination information and the IP address of the multifunction device 100 are transmitted to the IC card authentication server 200 (user confirmation keyboard authentication request transmission).

  Here, the keyboard authentication process for user confirmation is demonstrated using FIG.

  Note that the processing of steps S3000 and S3018 is executed by the CPU 301 of the multifunction peripheral 100, and the CPU 201 of the IC card authentication server 200 executes steps S3001 to S3005, steps S3007 to S3009, steps S3011 to S3013, and step S3017. To do.

  First, in step S3000, the user name, password, and authentication destination information input by the user are acquired, and the IP address of the multifunction device 100 is acquired. The acquired user name, password, authentication destination information and the IP address of the multifunction device 100 are transmitted to the IC card authentication server 200 (transmitting a keyboard authentication request).

  In step S3001, the IC card authentication server 200 receives the user name, password, authentication destination information, and the IP address of the multifunction peripheral 100, and performs keyboard authentication processing. (Keyboard authentication request received)

  In step S3002, based on the user name, password, and authentication destination information received in step S3001, authentication is executed using the user name and password for the specified authentication destination. Authentication destinations include IC card authentication and directory services (such as Active Directory).

  When the authentication destination is IC card authentication, authentication is performed using the user name and password with respect to the IC card authentication table of FIG. (Search using user name and password.)

  In step S3003, the authentication result of step S3002 is determined. If the authentication is successful, the process proceeds to step S3004. If the authentication fails, the process moves to step S3007. (Step S3007 will be described later.)

  In step S3004, user information is searched using the user name with respect to the IC card authentication table of FIG.

  In step S3005, the search result in step S3004 is determined. If the user information can be acquired, the process proceeds to step S3008. If not acquired, the process proceeds to step S3007. (Step S3007 will be described later.)

  In step S3008, the IP address of the MFP 100 received in step S3001 is compared with the device restriction information of the user information acquired in step S3004. Specifically, the IP address 522 or / IP address 522 and subnet mask 523 are used to check whether the IP address of the MFP 100 included in the device group (use determination).

  In step S3009, if it is determined from the comparison result in step S3008 that the MFP is included in the device group, the process proceeds to step S3010. If it is determined that the MFP is not included in the device group, the process proceeds to step S3011.

  In step S3010, if it is determined that the MFP is included in the device group, the result of authentication OK and the authentication result of user information (e-mail address 504, function restriction information 507, etc.) are transmitted to the MFP 100 (authentication result transmission). . This authentication result has identification information (such as a flag) indicating that the function restriction information 507 normally used by the user is included.

  In step S3011, if it is determined that the MFP is not included in the device group, it is determined whether authentication is performed when there is an authentication request from the MFP other than the device group. Whether or not to authenticate is determined by the function restriction information 530 in the case other than the device group. If the function restriction information is included in the function restriction information 530 other than the device group, that is, if 707 is set in FIG. 7, the process proceeds to step S3012. When the function restriction information is not included in the function restriction information 530 other than the device group (in the case of a NULL value), that is, when 705 is set in FIG. 7, the process proceeds to step S3007.

  In step S3012, the function restriction information is acquired from the function restriction information 530 for cases other than device groups.

  In step S3013, the result of authentication OK (authentication OK with function restriction information in a case other than a device group) and the authentication result of user information (e.g., mail address 504, function restriction information 530 in a case other than a device group) are sent to the multi-function device 100. Send (send authentication result). This authentication result has identification information (such as a flag) indicating that the function restriction information 530 for cases other than the device group is included.

  In step S3007, an authentication NG authentication result is transmitted to the multi-function device 100.

  In step S3018, the multifunction peripheral 100 receives the authentication result from the IC card authentication server 200.

  Subsequently, returning to FIG. 15, in step S <b> 1024, the multifunction peripheral 100 determines the authentication result from the IC card authentication server 200.

In the case of authentication OK (authentication OK / authentication with function restriction information other than device group OK), the process proceeds to step S1028.

  In the case of authentication NG, the process proceeds to step S1017. (Step S1017 has already been described with reference to FIG. 11 and will not be described here.)

  In step S1028, card registration is performed based on the card information held by the user in step S1001. (Card registration process).

  Here, the card registration processing will be described with reference to FIG.

  Note that the processing of steps S711 and S706 is executed by the CPU 301 of the multifunction peripheral 100, and the CPU 201 of the IC card authentication server 200 executes steps S705 and S714 to 722.

  In step S711, the MFP 100 uses the card information (card number and validity information) acquired in step S1001 in FIG. 15 and the user information (user name and user authentication destination) acquired in step S1022 in FIG. 200.

  In step S714, the IC card authentication server 200 receives the card information and user information transmitted in step S711.

  In step S716, the IC card authentication server 200 searches the IC card authentication table 5 for card information associated with the user information received in step S714.

  In step S717, the IC card authentication server 200 compares the card information received in step S714 with the card information searched in step S716.

  In step S718, the IC card authentication server 200 determines that the card information having the same card number as the card number received in step S714 exists in the card information searched in step S716 based on the comparison result executed in step S717. Executes the process of step S719.

  If there is no card information with the same card number, the process of step S715 is executed because new card information is added.

  In step S715, the IC card authentication server 200 registers the card information received in step S714 for the corresponding user in the IC card authentication table 5.

  If the corresponding user does not exist in the IC card authentication table 5 (that is, the user exists in the directory service server 300 such as Windows (registered trademark) Active Directory (registered trademark) or LDAP server), the IC card. It is also possible to register the user name and card information in the authentication table 5.

  Subsequently, in step S <b> 705, the registration result (registration OK) is transmitted to the multifunction device 100.

  On the other hand, if the card information having the same card number as the card information received in step S714 exists in the card information searched in step S716 based on the comparison result executed in step S717, the branch in step S718 is YES. The process proceeds to step S719.

  If the IC card authentication server 200 determines in step S719 that the validity information is the same for the card information having the same card number from the comparison result executed in step S717, the card information of the same IC card has already been registered. Since it is already completed, a card information registration failure (registration NG) is transmitted to the multi-function device 100 in step S720.

  If it is determined that the validity information is different for the card information of the same card number, it is determined that the card information is updated, and the card information update processing (update of validity information, update of card name) is performed in step S721. The existing card information (with the same card number) is updated with the card information received in step S714.

  Thereafter, in step S722, the card information update result and the registration result (registration OK) are transmitted to the multi-function device 100.

  However, even if the card information of the same card number has different validity information, if the value of the validity information of the card information received in step S714 is smaller, it is before the IC card is reissued. Since it is determined to be a card, the registration information is transmitted to the multi-function device 100 without updating the card information.

  The legitimacy information is information indicating reissuance, but the case where the card number matches even though it is reissued is a case where, for example, an employee number is arbitrarily placed in the card during operation. In the case where the employee number is used in the same manner as the card number, the card number of the IC card reissued due to loss or the like matches the IC card before reissuance, but the validity information does not match. Furthermore, when a card is reissued, the IC card is reissued by adding one value to the numerical value representing the validity information. Therefore, if the numerical value representing the validity information is smaller, the previous IC that has been lost, etc. Judged as a card. Therefore, the previous card that was lost is registered by the above process.

Even if recording is attempted, registration is not performed because the validity information is a small numerical value. As a result, misuse of the lost IC card can be prevented and security can be maintained.

  The multifunction peripheral 100 receives the registration results transmitted in step S705, step S722, and step S720 in step S706.

  Subsequently, returning to FIG. 15, in step S <b> 1029, the multifunction peripheral 100 determines a card registration result from the IC card authentication server 200.

If the registration is successful, the process proceeds to step S1030. If the registration is unsuccessful, the process proceeds to step S1031.

  In step S1030, the card registration success screen 1800B of FIG.

  In step S1031, the card registration failure screen (not shown) of FIG.

  As described above, according to the present embodiment, by controlling registration by device group, card registration from an unusable multifunction device (image forming apparatus) is eliminated, and a multifunction device that can be used by a user and an unusable multifunction device. The machine can be identified at the time of card registration.

[Third Embodiment]
In the first embodiment, as described with reference to FIG. 9, a mechanism for setting a device group in user information with the IC card authentication server has been described. In this embodiment, a mechanism for automatically setting a device group when registering an IC card from a multifunction peripheral will be described.
The process of this embodiment is demonstrated using FIG.

  In addition, description is abbreviate | omitted about the same figure and process as 1st Embodiment and 2nd Embodiment.

  First, the present embodiment includes a first mode in which a card can be registered when the card is held over and authentication is NG, and a second mode in which the card can be registered when the user presses a card registration button.

  In the first mode, the process starts from step S1001, and in the second mode, the process starts from S2001.

  Since the first mode has already been described in the first embodiment, the description thereof will be omitted, and the second mode will be described.

  In step S2001, it is detected that the user has pressed the card registration button of the multifunction device. When the card registration button is pressed, the second mode is entered.

  In step S2002, the user is notified to hold the IC card over the card reader, and the card information (card number) read from the IC card is acquired when the IC card is held over. If the card information has been acquired, the process proceeds to step S1021.

  After steps S1021 and S1022, in step S2003, keyboard authentication processing is performed. The process in step S2003 will be described later with reference to FIG.

  In step S2004, the result of authentication in step S2003 is determined. If the authentication is OK, the process proceeds to step S2005. If the authentication is NG, the process proceeds to step S1017. If the authentication is NG, the process proceeds to step S2010.

  In step S2005, the registration confirmation screen in FIG. 21 is displayed using the device group (name) included in the received authentication result.

  In step S2006, it is determined that OK or Cancel is pressed on the registration confirmation screen of FIG. 21, and if the OK button is pressed, the process proceeds to step S2007 to register the card number. If the cancel button is pressed, a card registration failure screen (1800C in FIG. 18) is displayed in step S2010 because the card number is not registered.

  In step S2007, the card number read by the card reader is registered. The registration of the card number will be described later with reference to FIG.

  In step S2008, it is determined from the card number registration result in step S2007 whether registration has succeeded. If registration of the card number is successful, a card registration success screen (1800B in FIG. 18) is displayed in step S2009. If registration of the card number has failed, a card registration failure screen (1800C in FIG. 18) is displayed in step S2010.

  Next, the user authentication process in step S2003 will be described with reference to FIG.

  Steps S3000 to S3007 are the same as those in the second embodiment, and a description thereof will be omitted.

  In step S2201, it is determined whether there is user information in which the card number is empty (NULL) and the device group is empty (NULL) among the user information searched (acquired) in step S3004. If there is user information in which the card number is empty (NULL) and the device group is empty (NULL), the process proceeds to step S2203, and the user information in which the card number is empty (NULL) and the device group is empty (NULL) is stored. If not, the process moves to step S2202. If there is a plurality of user information with a card number empty (NULL) and a device group empty (NULL), a plurality of user information is transmitted in step S2204, which will be described later, and which user information is registered with the user by the multifunction device. It is also possible to make it select.

  In step S2202, since there is no user information that can be registered, the registration result of registration NG is transmitted to the multi-function peripheral.

  In step S2203, the device group including the received IP address is specified (determined) according to the IP address received in step S3001 and the address information set in 613 to 615 of FIG. 6 and stored in the device group information table. )

  In step S2204, the device group specified in step S2203, the information indicating the authentication OK of the authentication result, and the user information in which the card number is empty (NULL) and the device group is empty (NULL) are transmitted to the MFP.

  The device group can be configured not to transmit. In this case, on the screen of FIG. 21, the device group (for example, Bill-B) is not displayed, but “the card can be used in the group to which this multifunction machine belongs” is displayed.

  In step S2205, the multi-function peripheral receives the authentication result transmitted in steps S2204, S2202, and S3007.

  Next, the card registration process in step S2007 will be described with reference to FIG.

  In step S2301, the multi-function peripheral acquires the card information (card number) transmitted in step S2002 or step S1001 from the RAM 302, and sends the card information (card number) and the user information received in step S2205 to the IC card authentication server. Send. If the device group is received in step S2205, the device group may be transmitted. However, as described in step S2203, the device group can be specified by the IC card authentication server. Therefore, it is possible to adopt a configuration in which no device group is sent. In addition, the IP address of the multifunction device is required to specify the device group, but it may be used with an IP address transmitted by the TCP / IP communication protocol, or the multifunction device transmits to the IC card authentication server. It may be included in the message.

  In this embodiment, the device group is specified by using the IP address. However, any information that can specify the MFP such as a MAC address may be used.

  In step S2302, card information and user information are received. If a device group is transmitted in step S2301, the device group is also received.

  In step S2303, the IC card authentication table (1900B in FIG. 19) is referenced to obtain the card number of the received user information.

  In step S2304, it is determined whether the card number acquired in step S2303 is empty. If the card number is empty, the process proceeds to step S2305. If the card number is not empty, the process proceeds to S2307.

  In step S2305, a card number is registered to correspond to empty user information. In addition, the device group received in step S2303 and the IP address received from the MFP and the device group specified according to the device group information table of FIG. 24 are stored so as to be associated with the empty device group.

  Note that reference numeral 1900B in FIG. 19 shows an IC card authentication table before card number registration and an IC card authentication table after card number registration.

  In step 2306, a registration result indicating that the registration is successful is transmitted to the multi-function peripheral. In step S2307, a registration result indicating that registration has failed (failed) is transmitted to the multi-function peripheral.

  In step S2308, the registration result is received from the IC card authentication server.

  In this embodiment, as illustrated in 1900B of FIG. 19, an example in which registration is performed when a card number is empty and a device group is empty has been described. It can also be applied when the card number contains a value but the device group value is empty.

  Specifically, when registering a card, a record in which the card number matches and the device group is empty is specified, and the device group specified according to the IP address of the MFP and the device group information table in FIG. Register the value of. In this configuration, in the case of IC card authentication, user information in which the device group is empty is processed as not subject to authentication.

  Through the processing described above, the multifunction peripheral transmits a registration request including the address information of the multifunction peripheral and the card identification information to the IC card authentication server so that the multifunction peripheral can log in to the multifunction peripheral with the card identification information. The authentication server receives a registration request from the MFP, identifies (acquires) a device group according to the address information of the registration request, and registers the identified device group in an IC card authentication table that matches the received card identification information It is possible to realize the association with the identification information of the received card or the identification information of the received card.

  As described above, according to the present embodiment, a device group can be set according to a multi-function peripheral that performs a registration operation when registering an IC card in addition to the first embodiment.

  Thereby, a group (device group) that can be used by the user can be easily set in the user information.

  FIG. 24 shows the device group information table, which is registered in the external memory 211 of the IC card authentication server when the device group is set in FIG. FIG. 24 is used when registering a device group in user information in each of the first to third embodiments.

  The device group information table stores a device group and address information for specifying a multifunction device included in the device group in association with each other.

  It should be noted that the configuration and contents of the various data described above are not limited to this, and it goes without saying that the various data and configurations are configured according to the application and purpose.

  Although one embodiment has been described above, the present invention can take an embodiment as, for example, a system, apparatus, method, program, or recording medium, and specifically includes a plurality of devices. The present invention may be applied to a system including a single device.

  Moreover, the program in this invention is a program which a computer can execute the processing method of FIGS. 9-12, 15-17, 20, 20, 21-23, and the storage medium of this invention is FIG. A program capable of being executed by the computer in the processing method of FIG. 12 is stored. In addition, the program in this invention may be a program for every processing method of each apparatus of FIGS. 9-12, 15-17, 20, 20, 21-23.

As described above, a recording medium that records a program that implements the functions of the above-described embodiments is supplied to a system or apparatus, and a computer (or CPU or MPU) of the system or apparatus stores the program stored in the recording medium. It goes without saying that the object of the present invention can also be achieved by executing the reading.

  In this case, the program itself read from the recording medium realizes the novel function of the present invention, and the recording medium storing the program constitutes the present invention.

  As a recording medium for supplying the program, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, DVD-ROM, magnetic tape, nonvolatile memory card, ROM, EEPROM, silicon A disk or the like can be used.

  Further, by executing the program read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (operating system) operating on the computer based on an instruction of the program is actually It goes without saying that a case where the function of the above-described embodiment is realized by performing part or all of the processing and the processing is included.

  Furthermore, after the program read from the recording medium is written to the memory provided in the function expansion board inserted into the computer or the function expansion unit connected to the computer, the function expansion board is based on the instructions of the program code. It goes without saying that the case where the CPU or the like provided in the function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

  Further, the present invention may be applied to a system composed of a plurality of devices or an apparatus composed of a single device. Needless to say, the present invention can be applied to a case where the present invention is achieved by supplying a program to a system or apparatus. In this case, by reading a recording medium storing a program for achieving the present invention into the system or apparatus, the system or apparatus can enjoy the effects of the present invention.

  Furthermore, by downloading and reading a program for achieving the present invention from a server, database, etc. on a network by a communication program, the system or apparatus can enjoy the effects of the present invention.

  In addition, all the structures which combined each embodiment mentioned above and its modification are also included in this invention.

100 MFP 200 IC Card Authentication Server 300 Directory Service Server 400 Local Area Network (LAN)
500 WAN
700 client PC
201 CPU
211 External memory 301 CPU
302 RAM
308 Operation unit 319 Card reader

Claims (13)

An image forming apparatus, user identification information for user authentication , device group information for managing device identification information in a group, usage authority information applied to an image forming apparatus for device identification information belonging to the device group information, An authentication system including a user management device that manages usage identification information that is applied to an image forming apparatus having device identification information that does not belong to device group information ,
The image forming apparatus includes:
Identification information acquisition means for acquiring user identification information for user authentication;
An authentication request transmitting unit that transmits an authentication request including the user identification information acquired by the identification information acquiring unit and the device identification information of the image forming apparatus;
In accordance with the authentication request transmitting means, an authentication result receiving means for receiving an authentication result including usage authority information from the user management device;
Login means for logging in by applying the use authority information included in the authentication result received by the authentication result receiving means,
The user management device includes:
Authentication request receiving means for receiving the authentication request from the image forming apparatus;
Usage determining means for determining whether the device identification information is device identification information belonging to device group information according to the user identification information included in the authentication request received by the authentication request receiving means;
If the usage determining means determines that the device identification information belongs to the device group information, an authentication result including usage authority information corresponding to the device group information is transmitted, and the device identification information not belonging to the device group information If it is determined that the authentication, characterized in that it comprises an authentication result transmitting unit that sends the authentication result including the use authority information applied to the image forming apparatus device identification information that does not belong to the device group information system. The image forming apparatus includes:
If the usage right information received by the authentication result receiving means is not the usage right information corresponding to the device group information, the usage right information applied to the image forming apparatus of the device identification information not belonging to the device group information is applied. Notification means to notify you that you are logging in
The authentication system according to claim 1, further comprising: The image forming apparatus includes:
Device group information receiving means for receiving device group information from the user management device;
When the usage right information received by the authentication result receiving means is usage right information applied to the image forming apparatus having device identification information that does not belong to the device group information, the usage right information corresponding to the device group information can be applied. Display means for displaying device group information received by the device group information receiving means in order to use the image forming apparatus;
Further comprising
The user management device includes:
Device group information transmitting means for transmitting device group information corresponding to the user identification information to an image forming apparatus having device identification information not belonging to the device group information.
The authentication system according to claim 1, further comprising: The device group information is a group of image forming apparatuses normally used by a user,
The image forming apparatus includes:
It further comprises search request means for requesting a search for an image forming apparatus that is normally used,
The display means displays device group information of a normally used image forming apparatus according to the search request means,
The authentication system according to claim 3, wherein the device group information transmission unit of the user management apparatus transmits the device group information in accordance with a search request from the search request unit. The image forming apparatus includes:
Registration request means for making a registration request including the input user identification information and the device identification information of the image forming apparatus in order to enable authentication using the user identification information;
In addition,
The user management device includes:
Identifying means for identifying device group information to which the device identification information included in the registration request belongs;
Registration means for registering the user identification information and the device group information specified by the specifying means in association with each other;
The authentication system according to any one of claims 1 to 4, further comprising: User identification information for user authentication, device group information for managing device identification information as a group, use authority information for device identification information belonging to the device group information applied to an image forming apparatus, and the device group information Included in the authentication request received by the authentication request receiving means and the authentication request receiving means for managing the use authority information to be applied to the image forming apparatus with no device identification information in association with each other and receiving the authentication request from the image forming apparatus In accordance with the user identification information , it is determined that the device identification information is device identification information belonging to device group information, and the usage determination means determines that the device identification information belongs to device group information. If it is, the access authority information corresponding to the device group information Sending unauthenticated result, if it is determined that the device identification information that does not belong to the device group information, the authentication result including the use authority information applied to the image forming apparatus device identification information that does not belong to the device group information a communication an image forming apparatus and the user management apparatus and a verification result sending unit that sends,
Identification information acquisition means for acquiring user identification information for user authentication;
An authentication request transmitting unit that transmits an authentication request including the user identification information acquired by the identification information acquiring unit and the device identification information of the image forming apparatus;
In accordance with the authentication request transmitting means, an authentication result receiving means for receiving an authentication result including usage authority information from the user management device;
An image forming apparatus, comprising: a login unit that logs in by applying the use authority information included in the authentication result received by the authentication result receiving unit. Identification information acquisition means for acquiring user identification information for user authentication, authentication request transmission means for transmitting an authentication request including user identification information acquired by the identification information acquisition means, and device identification information of the image forming apparatus; , An authentication result receiving means for receiving an authentication result including use right information from a user management device according to the authentication request sending means, and a login for applying and using the use right information included in the authentication result received by the authentication result receiving means And device identification information for user authentication , device group information for managing device identification information as a group, and device identification information belonging to the device group information. Image forming of use authority information to be performed and device identification information not belonging to the device group information A user management device for managing in association with usage authorization information applied to location,
Authentication request receiving means for receiving the authentication request from the image forming apparatus;
Usage determining means for determining whether the device identification information is device identification information belonging to device group information according to the user identification information included in the authentication request received by the authentication request receiving means;
If the usage determining means determines that the device identification information belongs to the device group information, an authentication result including usage authority information corresponding to the device group information is transmitted, and the device identification information not belonging to the device group information If it is determined that the user characterized in that it comprises an authentication result transmitting unit that sends the authentication result including the use authority information applied to the image forming apparatus device identification information that does not belong to the device group information Management device. An image forming apparatus, user identification information for user authentication , device group information for managing device identification information in a group, usage authority information applied to an image forming apparatus for device identification information belonging to the device group information, A processing method of an authentication system including a user management apparatus that manages usage identification information that is applied to an image forming apparatus having device identification information that does not belong to device group information ,
The image forming apparatus includes:
An identification information acquisition step of acquiring user identification information for user authentication;
An authentication request transmission step of transmitting an authentication request including the user identification information acquired in the identification information acquisition step and the device identification information of the image forming apparatus;
In accordance with the authentication request transmission step, an authentication result receiving step of receiving an authentication result including usage authority information from the user management device;
A login step of logging in by applying the usage right information included in the authentication result received in the authentication result receiving step;
The user management device is
An authentication request receiving step of receiving the authentication request from the image forming apparatus;
A use determination step of determining whether the device identification information is device identification information belonging to device group information according to the user identification information included in the authentication request received in the authentication request reception step;
If it is determined in the usage determination step that the device identification information belongs to the device group information, an authentication result including usage authority information corresponding to the device group information is transmitted, and the device identification information not belonging to the device group information If it is determined that, and executes the use authentication result transmission step that sends the authentication result including the authorization information to be applied to an image forming apparatus device identification information that does not belong to the device group information Processing method. User identification information for user authentication, device group information for managing device identification information as a group, use authority information for device identification information belonging to the device group information applied to an image forming apparatus, and the device group information Included in the authentication request received by the authentication request receiving means and the authentication request receiving means for managing the use authority information to be applied to the image forming apparatus with no device identification information in association with each other and receiving the authentication request from the image forming apparatus In accordance with the user identification information , it is determined that the device identification information is device identification information belonging to device group information, and the usage determination means determines that the device identification information belongs to device group information. If it is, the access authority information corresponding to the device group information Sending unauthenticated result, if it is determined that the device identification information that does not belong to the device group information, the authentication result including the use authority information applied to the image forming apparatus device identification information that does not belong to the device group information a method for processing the user management device communicable with the image forming apparatus and a verification result sending unit that sends,
The image forming apparatus includes:
An identification information acquisition step of acquiring user identification information for user authentication;
An authentication request transmission step of transmitting an authentication request including the user identification information acquired in the identification information acquisition step and the device identification information of the image forming apparatus;
In accordance with the authentication request transmission step, an authentication result receiving step of receiving an authentication result including usage authority information from the user management device;
A processing method comprising: executing a log-in step of logging in by applying the use authority information included in the authentication result received in the authentication result receiving step. Identification information acquisition means for acquiring user identification information for user authentication, authentication request transmission means for transmitting an authentication request including user identification information acquired by the identification information acquisition means, and device identification information of the image forming apparatus; , An authentication result receiving means for receiving an authentication result including use right information from a user management device according to the authentication request sending means, and a login for applying and using the use right information included in the authentication result received by the authentication result receiving means And device identification information for user authentication , device group information for managing device identification information as a group, and device identification information belonging to the device group information. Image forming of use authority information to be performed and device identification information not belonging to the device group information A processing method of a user management device for managing in association with usage authorization information applied to location,
The user management device is
An authentication request receiving step of receiving the authentication request from the image forming apparatus;
A use determination step of determining whether the device identification information is device identification information belonging to device group information according to the user identification information included in the authentication request received in the authentication request reception step;
If it is determined in the usage determination step that the device identification information belongs to the device group information, an authentication result including usage authority information corresponding to the device group information is transmitted, and the device identification information not belonging to the device group information If it is determined that, and executes the use authentication result transmission step that sends the authentication result including the authorization information to be applied to an image forming apparatus device identification information that does not belong to the device group information Processing method. An image forming apparatus, user identification information for user authentication , device group information for managing device identification information in a group, usage authority information applied to an image forming apparatus for device identification information belonging to the device group information, A program that can be executed by an authentication system including a user management apparatus that associates and manages usage authority information applied to an image forming apparatus of device identification information that does not belong to device group information ,
The image forming apparatus;
Identification information acquisition means for acquiring user identification information for user authentication;
An authentication request transmitting unit that transmits an authentication request including the user identification information acquired by the identification information acquiring unit and the device identification information of the image forming apparatus;
In accordance with the authentication request transmitting means, an authentication result receiving means for receiving an authentication result including usage authority information from the user management device;
Function as a log-in means for logging in by applying the use authority information included in the authentication result received by the authentication result receiving means,
The user management device;
Authentication request receiving means for receiving the authentication request from the image forming apparatus;
Usage determining means for determining whether the device identification information is device identification information belonging to device group information according to the user identification information included in the authentication request received by the authentication request receiving means;
If the usage determining means determines that the device identification information belongs to the device group information, an authentication result including usage authority information corresponding to the device group information is transmitted, and the device identification information not belonging to the device group information If it is determined that a program for causing to function as an authentication result transmission unit that sends the authentication result including the use authority information applied to the image forming apparatus device identification information that does not belong to the device group information . User identification information for user authentication, device group information for managing device identification information as a group, use authority information for device identification information belonging to the device group information applied to an image forming apparatus, and the device group information Included in the authentication request received by the authentication request receiving means and the authentication request receiving means for managing the use authority information to be applied to the image forming apparatus with no device identification information in association with each other and receiving the authentication request from the image forming apparatus In accordance with the user identification information , it is determined that the device identification information is device identification information belonging to device group information, and the usage determination means determines that the device identification information belongs to device group information. If it is, the access authority information corresponding to the device group information Sending unauthenticated result, if it is determined that the device identification information that does not belong to the device group information, the authentication result including the use authority information applied to the image forming apparatus device identification information that does not belong to the device group information a program executable by the image forming apparatus and the user management apparatus capable of communicating with an authentication result transmitting unit that sends,
Identification information acquisition means for acquiring user identification information for user authentication of the image forming apparatus;
An authentication request transmitting unit that transmits an authentication request including the user identification information acquired by the identification information acquiring unit and the device identification information of the image forming apparatus;
In accordance with the authentication request transmitting means, an authentication result receiving means for receiving an authentication result including usage authority information from the user management device;
A program that functions as a log-in means for logging in by applying the use authority information included in the authentication result received by the authentication result receiving means. Identification information acquisition means for acquiring user identification information for user authentication, authentication request transmission means for transmitting an authentication request including user identification information acquired by the identification information acquisition means, and device identification information of the image forming apparatus; , An authentication result receiving means for receiving an authentication result including use right information from a user management device according to the authentication request sending means, and a login for applying and using the use right information included in the authentication result received by the authentication result receiving means And device identification information for user authentication , device group information for managing device identification information as a group, and device identification information belonging to the device group information. Image forming of use authority information to be performed and device identification information not belonging to the device group information A program executable in a user management device for managing in association with usage authorization information applied to location,
The user management device;
Authentication request receiving means for receiving the authentication request from the image forming apparatus;
Usage determining means for determining whether the device identification information is device identification information belonging to device group information according to the user identification information included in the authentication request received by the authentication request receiving means;
If the usage determining means determines that the device identification information belongs to the device group information, an authentication result including usage authority information corresponding to the device group information is transmitted, and the device identification information not belonging to the device group information If it is determined that a program for causing to function as an authentication result transmission unit that sends the authentication result including the use authority information applied to the image forming apparatus device identification information that does not belong to the device group information .

Images