JP6958176B2 - Information processing equipment, information processing systems, control methods and programs - Google Patents

Description

The present invention relates to information processing devices, information processing systems, control methods and programs.

As for the network system in an organization such as a company, there may be a plurality of different networks in the same organization. In such a case, communication between devices belonging to different networks is performed via a network device such as a router.

On the other hand, there are cases where it is desired to restrict communication between devices belonging to different networks even within the same tissue. For example, there is a case where there is a network in which information to be kept secret such as personal information flows, and an OA (Office Automation) type network in which information that is less confidential than personal information such as sales and personnel data flows.

For example, Patent Document 1 describes whether or not to perform communication with each network interface in an image processing device provided with a plurality of network interfaces and connected to a network having a plurality of segments by each network interface. A configuration for controlling communication between each network interface and other devices is disclosed based on the communication enable / disable setting means set for the whole.

However, in the case of the above method, it has been studied to control the availability of an application (for example, an application that realizes a printing function or a scanning function) executed by an image processing device that is an information processing device on a network-by-network basis. No. Therefore, an application (for example, a paid application) that should be used only by another device (for example, a communication device) connected to a specific network can be used from a communication device connected to another network. There was a problem.

The information processing device according to the present invention is an information processing device connected to a plurality of networks having different segments, and a communication device connected to the network requests execution of an application installed in the information processing device. It is possible to connect to the publicly disclosed receiving means and the storage means which includes the public range information indicating the public range for each network and stores the setting information for which the usage authority of the application is set for each network. The execution request is transmitted based on the setting means for setting the usage authority to a predetermined user and the usage authority given to the network to which the execution request is transmitted, which is included in the setting information. The network includes a determination means for determining whether or not the network has the right to use the application, and a transmission means for transmitting the determination result to the communication device.

According to the present invention, it is possible to restrict the use of applications from unauthorized networks in a plurality of networks to which the information processing apparatus is connected.

It is a figure which shows an example of the system structure of the information processing system which concerns on 1st Embodiment. It is a figure which shows an outline example of the information processing system which concerns on 1st Embodiment. It is a figure which shows an example of the hardware composition of the information processing apparatus which concerns on 1st Embodiment. It is a figure which shows an example of the hardware composition of the client terminal which concerns on 1st Embodiment. It is a figure which shows an example of the functional structure of the information processing system which concerns on 1st Embodiment. It is a figure which shows an example of the network management table which concerns on 1st Embodiment. It is a figure which shows an example of the application management table which concerns on 1st Embodiment. It is a figure which shows an example of the authentication information management table which concerns on 1st Embodiment. It is a sequence diagram which shows an example of the determination processing of the availability of an application in the information processing system which concerns on 1st Embodiment. It is a figure which shows an example of the execution request of the application which concerns on 1st Embodiment. It is a flowchart which shows an example of the determination processing of the availability of an application in the information processing apparatus which concerns on 1st Embodiment. It is a flowchart which shows an example of the installation process of the application in the information processing apparatus which concerns on 1st Embodiment. It is a figure which shows an example of the installation screen of the application which concerns on 1st Embodiment. It is a sequence diagram which shows an example of the application management table which concerns on 2nd Embodiment. It is a figure which shows an example of the system structure of the information processing system which concerns on other embodiments.

Hereinafter, modes for carrying out the invention will be described with reference to the drawings. In the description of the drawings, the same elements are designated by the same reference numerals, and duplicate description will be omitted.

● First embodiment ●
● System Configuration FIG. 1 is a diagram showing an example of a system configuration of an information processing system according to the first embodiment. The information processing system 1 is a system capable of restricting the use of applications from unauthorized networks in a plurality of networks to which the information processing device 10 is connected.

The information processing system 1 includes an information processing device 10, a router 30 (30a, 30b, 30c, hereinafter referred to as a router 30 when it is not necessary to distinguish them), and a client terminal 50 (50a, 50aa, 50b, 50bb, 50c). , 50cc, hereinafter referred to as the client terminal 50 when it is not necessary to distinguish) and the server device 90 (90a, 90b, 90bb, 90c, hereinafter referred to as the server device 90 when it is not necessary to distinguish). Consists of.

The information processing device 10 is connected to a plurality of networks (Net_A0, Net_B0, Net_C0). The network Net_A0 is connected to the network Net_A1 via the router 30a. Further, the network Net_B0 is connected to the network Net_B1 via the router 30b. Further, the network Net_B1 is connected to the network Net_B2 via the router 30bb. The network Net_C0 is connected to the network Net_C1 via the router 30c.

The network connected to the information processing apparatus 10 is a network Net_A system in which the network Net_A0 and the network Net_A1 are grouped, a network Net_B system in which the network Net_B0, the network Net_B1 and the network Net_B2 are grouped, and a network in which the network Net_C0 and the network Net_C1 are grouped. It is divided into Net_C system. In addition, the networks of each system are separated so that IP (Internet Protocol) communication cannot be performed.

The network address of the network Net_A0 is, for example, "192.168.1.0/24". The network address of the network Net_A1 is "192.168.10.0/24". The network address of the network Net_B0 is "172.16.1.0/24". The network address of the network Net_B1 is 172.16.10.0/24 ”. The network address of the network Net_B2 is "172.16.100.0/24". The network address of the network Net_C0 is "10.0.1.0/24". The network address of the network Net_C1 is "10.0.10.0/24".

In this way, the network address of each network is set so as not to be duplicated. Actually, even if the setting example is other than the above, the IP addresses of the client terminal 50 and the server device 90 that directly communicate with the information processing device 10 may not be duplicated. Further, even if the IP addresses of the client terminal 50 and the server device 90 that directly communicate with each other are duplicated, it is sufficient that the static NAPT (Network Address Port Translation) is set.

The information processing system 1 also controls routes to networks other than directly connected networks, assuming that routers 30 are provided in a plurality of networks having different segments separated so that they cannot communicate with each other. .. As a result, the information processing system 1 enables communication between a plurality of networks via a router device, and makes the information processing device 10 available in a large-scale network. The information processing system 1 according to the present embodiment will be described as being separated between the networks of each system so that IP communication cannot be performed. However, depending on security requirements and the like, the networks of each system will be separated from each other. It may be possible to communicate with. Further, the information processing device 10 may be connected to a network having a segment for establishing an Internet connection.

The client terminal 50a, the client terminal 50b, and the client terminal 50c are connected to the network Net_A0, the network Net_B0, and the network Net_C0, respectively. The client terminal 50a and the server device 90a are connected to the network Net_A1. Further, the client terminal 50b and the server device 90b are connected to the network Net_B1. Further, the client terminal 50c and the server device 90c are connected to the network Net_C1. The client terminal 50 and the server device 90 can communicate with the information processing device 10 via the networks connected to each other.

The information processing device 10 is an image forming device such as a multifunction device that realizes a plurality of functions such as a print function, a copy function, a scanner function, and a fax function in one housing. The image forming apparatus may be called an MFP (Multifunction Peripheral), a copying machine, or the like, in addition to a multifunction device. The information processing device 10 may have only one of a print function, a copy function, a scanner function, or a fax function. In this case, the information processing device 10 is called a printer, a copying machine, a scanner device, or a fax device. Further, the information processing apparatus 10 is installed with one or a plurality of applications for executing each function.

The information processing device 10 is not limited to the image forming device, and for example, outputs PJ (Projector: projector), IWB (Interactive White Board: white board having an electronic whiteboard function capable of mutual communication), digital signage, and the like. It may also be a device, a HUD (Head Up Display) device, an acoustic output device such as a speaker, an industrial machine, an imaging device, a sound collecting device, a medical device, a network home appliance, or the like.

The client terminal 50 is a communication device connected to each network. The client terminal 50 is, for example, a communication device that can be carried or operated by a user such as a notebook PC (Personal Computer). The client terminal 50 may be a mobile phone, a smartphone, a tablet terminal, a game machine, a PDA (Personal Digital Assistant), a digital camera, a wearable PC, a desktop PC, or the like. The client terminal 50 is an example of a communication device.

The server device 90 is a server device such as a job server or an authentication server that is connected to each network. The server device 90 stores, for example, jobs for the information processing device 10 requested by the client terminal 50. Then, the server device 90 outputs the accumulated job to the information processing device 10.

In the information processing system 1, the client terminal 50 transmits, for example, a print request and device information by SNMP (simple network management protocol) to the information processing device 10. The information processing device 10 transfers the file information formed by the scan process to the server device 90. Note that the print request described in this example, the transmission of device information by SNMP, the transfer of scanned file information, and the like are examples, and communication other than these may be used. Further, although the example in which the information processing apparatus 10 is connected to the network of three systems has been described, the information processing device 10 may be configured to be connected to a network of two systems or a network of four or more systems.

● Schematic FIG. 2 is a diagram showing a schematic example of the information processing system according to the first embodiment. In the information processing system shown in FIG. 2, among a plurality of networks having different segments connected to the information processing device 10, a client terminal 50 connected to one network requests the information processing device 10 to execute an application. Shows the processing when it is sent. Note that FIG. 2 briefly describes the outline of the information processing system according to the first embodiment, and details of the functions and the like realized by the information processing system 1 will be described with reference to the drawings and the like described later. ..

The client terminal 50a connected to the network Net_A0 constituting the information processing system 1 transmits an execution request of an application executed by the information processing device 10 to the information processing device 10. The application is software installed in the information processing device 10 for realizing the functions of the information processing device 10. When the information processing device 10 is an image processing device, the application is for realizing a copy function and a scan function. One or more applications are installed in the information processing device 10. The information processing device 10 receives an execution request by the transmission / reception unit 11a.

The determination unit 21 of the information processing device 10 uses the application management table 42 to determine whether the network to which the application execution request is transmitted has the right to use the application. The application management table 42 stores the usage authority of the application for each network to which the information processing device 10 is connected. The application management table 42 is stored, for example, so that the network Net_A0 is given the usage right and the network Net_B0 is not given the usage right to the application A (appA). The application management table 42 is an example of setting information. The information processing device 10 executes an installed application (for example, applicationA, applicationB, etc.) by the application execution unit 16.

The information processing device 10 transmits the determination result determined by the determination unit 21 by the transmission / reception unit 11a to the client terminal 50a. When the determination result transmitted from the information processing device 10 is the application usage permission "Yes", the client terminal 50a can execute the application having the permission.

Therefore, in the information processing system 1, the usage authority set for each network is set for the application installed in the information processing apparatus 10 connected to a plurality of networks having different segments. Then, the information processing device 10 controls the use of the application of the client terminal 50 connected to the specific network based on the set usage authority. Therefore, the information processing system 1 can restrict the use of applications from unauthorized networks in a plurality of networks to which the information processing device 10 is connected. As a result, the information processing device 10 can prevent the use of an unauthorized application from the client terminal 50 connected to another network.

● Hardware Configuration FIG. 3 is a diagram showing an example of the hardware configuration of the information processing apparatus according to the first embodiment. The hardware configuration shown in FIG. 3 may have the same configuration in each embodiment, and components may be added or deleted as needed. The information processing device 10 has a controller 120. The controller 120 includes a CPU (Central Processing Unit) 101, an SDRAM (Synchronous Dynamic Random Access Memory) 102, a flash memory 103, an HDD (Hard Disk Drive) 104, an ASIC (Application Specific Integrated Circuit) 105, and a communication interface (I / F). It has 106, NIC (Network Interface Card) 107 and the like.

The ASIC 105 is a multifunctional device board including a CPU interface, an SDRAM interface, a local bus interface, a PCI (Peripheral Component Interconnect) bus interface, a MAC (Media Access Controller), an HDD interface, and the like.

The CPU 101 reads and executes various programs such as the program according to the present invention from the HDD 104 via the ASIC 105. The information processing device 10 realizes the control method according to the present invention by, for example, executing the program according to the present invention by the CPU 101. The SDRAM 102 functions as a program memory for storing various programs, a work memory used by the CPU 101 when executing various programs, and the like. Instead of the SDRAM 102, a DRAM (Dynamic Random Access Memory) or a SRAM (Static Random Access Memory) may be used.

The flash memory 103 is a non-volatile memory and stores a boot loader (boot program) and an OS (Operation System) that start the information processing apparatus 10. Further, the flash memory 103 functions as an application memory for storing each program. Further, the flash memory 103 functions as a service memory for storing software of each service (copy service, print service, facsimile service).

Further, the flash memory 103 functions as a firmware memory for storing firmware and a data memory for storing a network address, a model machine number, and the like. Instead of the flash memory 103, a non-volatile RAM in which a RAM (Random Access Memory) and a backup circuit using a battery are integrated, or another non-volatile memory such as EEPROM (Electrically Erasable Programmable Read-Only Memory) is used. You may.

The HDD 104 is a non-volatile storage medium that stores data regardless of whether the power of the information processing device 10 is turned on or off. The HDD 104 records programs other than the programs and data stored in the flash memory 103, and data. The HDD 104 may be used as a farm memory.

The communication interface (I / F) 106 is an interface for communicating (connecting) with an external device via a network. The NIC 107 is hardware such as a LAN card connected to a network such as a LAN (Local Area Network). When it is not necessary to distinguish n ICs 107-1, 107-2, 107-3, ... 107-n (hereinafter, NIC107-1, 107-2, 107-3, ..., 107-n) , Described as NIC107) is connected to the communication interface (I / F) 106. The information processing device 10 communicates with an external device through the NIC 107.

The operation unit 108 is connected to the controller 120 by using a USB (Universal Serial Bus) cable or the like. The operation unit 108 is an interface for a user who operates the information processing device 10. The operation unit 108 includes various operation keys, a character display of an LCD (Liquid Crystal Display) or a CRT (Cathode-Ray Tube) as a display device, and a touch panel. The information processing device 10 can input data, execute a job, and display the data by operating the operation unit 108.

Further, the controller 120 includes a fax control unit 109, a USB 110 to which the storage medium 110a can be attached and detached via the PCI bus 115, an IEEE (Institute of Electrical and Electronic Engineers) 1394 (111), a plotter engine 112, a scanner engine 113, and the like. A BLE (Bluetooth (registered trademark) Low Energy) module 114 or the like is connected. As a result, the information processing apparatus 10 can provide each service such as a copy service, a print service, and a facsimile service. The plotter engine 112 may employ either an electrophotographic method or an inkjet method.

The configuration shown in FIG. 3 is only an example, and the hardware configuration of the information processing device 10 is not limited to the configuration shown in FIG. For example, the communication I / F 106 may be connected to the PCI bus 115. Further, the communication interface (I / F) 106 may be connected to the network by a wired LAN (Ethernet (registered trademark)) or the like, or may be connected by a wireless LAN such as Wi-Fi (registered trademark). Further, the communication interface (I / F) 106 may have a DSU (Digital Service Unit) or a modem connected to a telephone network. The communication interface (I / F) 106 may have a communication device connected to the mobile phone network.

FIG. 4 is a diagram showing an example of the hardware configuration of the client terminal according to the first embodiment. The hardware configuration shown in FIG. 4 may have the same configuration in each embodiment, and components may be added or deleted as needed. Further, although FIG. 4 shows the hardware configuration of the client terminal 50, the router 30 and the server device 90 may also have the same configuration. The client terminal 50 includes a CPU 501, a ROM 502, a RAM 503, a storage 504, an input unit 505, a display interface (I / F) 506, an input / output interface (I / F) 507, a communication unit 508, a bus 509, and the like.

The CPU 501 controls the entire client terminal 50. The CPU 501 is an arithmetic unit that realizes each function of the client terminal 50 by reading a program or data stored in a ROM 502, a storage 504, or the like on the RAM 503 and executing processing. The RAM 503 is a volatile memory used as a work area or the like of the CPU 501. The ROM 502 is a non-volatile memory that can hold programs and data even when the power is turned off.

The storage 504 is, for example, a storage device such as an HDD, an SSD (Solid State Drive), or a flash ROM, and stores an OS, an application program, various data, and the like. The input unit 505 is an interface for the operator to input various instructions to the client terminal 50. For example, a keyboard, a mouse, a touch panel, a voice input device, and the like.

The display interface (I / F) 506 displays various information contained in the client terminal 50 on the display 506a in the form of a cursor, a menu, a window, characters, an image, or the like at the request of the CPU 501. The display interface (I / F) 506 is, for example, a graphic chip or a display interface. The input / output interface (I / F) 507 is an interface for connecting another device to the client terminal 50. Other devices include, for example, a recording medium 507a such as a USB memory, a memory card, and an optical disk, various electronic devices, and the like.

The communication unit 508 is a communication interface that communicates (connects) with the information processing device 10 via a network. The communication unit 508 includes an antenna, a wireless unit, a MAC unit, and the like. The bus 509 is connected to each of the above components and transmits an address signal, a data signal, various control signals, and the like. The CPU 501, ROM 502, RAM 503, storage 504, input unit 505, display interface (I / F) 506, input / output interface (I / F) 507, and communication unit 508 are connected to each other via a bus 509.

● Functional configuration FIG. 5 is a diagram showing an example of the functional configuration of the information processing system according to the first embodiment. The information processing device 10 shown in FIG. 5 has a control unit 1000 that functions as the information processing device 10 according to the present invention. The control unit 1000 is realized by, for example, a program executed by the CPU 101 shown in FIG. Further, the control unit 1000 may be realized by, for example, an expansion board incorporated in the information processing device 10. The control unit 1000 includes a transmission / reception unit 11a, a transmission / reception unit 11b, a transmission / reception unit 11c, a communication control unit 12, an application management unit 13, an authentication unit 14, a reception unit 15, an application execution unit 16, a storage / reading unit 17, and a storage unit 18. include.

The transmission / reception unit 11a is a function of exchanging data (packet information) with the client terminal 50 or the server device 90 via the network Net_A0. The transmission / reception unit 11a receives, for example, an application execution request from the client terminal 50a connected to the network Net_A0. Further, the transmission / reception unit 11a transmits the determination result of availability of the application by the determination unit 21 described later to the client terminal 50a via the network Net_A0. Further, the transmission / reception unit 11a may transmit / receive data (packet information) to / from the client terminal 50 or the server device 90 connected to the network Net_A1 via the router 30a.

The transmission / reception unit 11b is a function of exchanging data (packet information) with the client terminal 50 or the server device 90 via the network Net_B0. Further, the transmission / reception unit 11c is a function of exchanging data (packet information) with the client terminal 50 or the server device 90 via the network Net_C0. The information transmitted / received by the transmission / reception unit 11b and the transmission / reception unit 11c is the same as that of the transmission / reception unit 11a. The transmission / reception unit 11a, the transmission / reception unit 11b, and the transmission / reception unit 11c are realized by, for example, a program executed by the NIC 107 and the CPU 101 shown in FIG. The transmission / reception unit 11a, the transmission / reception unit 11b, and the transmission / reception unit 11c are examples of the reception means and the transmission means.

The communication control unit 12 is a function of controlling communication with the client terminal 50 or the server device 90. The communication control unit 12 controls a communication path for transmitting and receiving data (packets) to and from the client terminal 50 or the server device 90. Specifically, the communication control unit 12 specifies which of the transmission / reception unit 11a to the transmission / reception unit 11c has received the data (packet information). Then, the communication control unit 12 transmits data (packet information) to the client terminal 50 or the server device 90 using the specified transmission / reception units (transmission / reception units 11a to 11c).

Further, the communication control unit 12 controls the communication path between the client terminal 50 or the server device 90 by using the network management table 41 described later. The communication control unit 12 is realized by, for example, a program executed by the CPU 101 shown in FIG.

The application management unit 13 is a function of managing the applications installed by the information processing device 10. The application managed by the application management unit 13 is a basic application executed to realize the function of the information processing device 10. The application is, for example, a copy application, a scan application, or the like when the information processing device 10 is an image processing device such as an MFP. Further, the application may be an application installed as an extended function of the information processing device 10.

Further, the application management unit 13 includes a determination unit 21 and a setting unit 22. The determination unit 21 is a function of determining the availability of the application in response to a request from the client terminal 50 connected to the network. When the determination unit 21 receives the application execution request from the client terminal 50, the determination unit 21 determines whether the user who uses the client terminal 50 has the right to use the requested application by using the application management table 42 described later. .. The determination unit 21 is realized by a program or the like executed by the CPU 101 shown in FIG. The determination unit 21 is an example of the determination means.

The setting unit 22 is a function for setting the availability of the application included in the application management table 42 described later. When installing an application on the information processing device 10, the setting unit 22 sets the availability of the application to be installed for each network connected to the information processing device 10. It is realized by a program or the like executed by the CPU 101 shown in FIG. The setting unit 22 is an example of the setting means.

The authentication unit 14 is a function of performing user authentication of the information processing device 10 in response to a user authentication request. When the authentication unit 14 receives the authentication request transmitted from the client terminal 50, for example, the authentication unit 14 performs a user authentication process using the authentication information management table 43 described later. Further, when the user input of the authentication information is received by the reception unit 15, the authentication unit 14 performs the user authentication process using the input authentication information and the authentication information management table 43 described later. The authentication unit 14 is realized by, for example, a program executed by the CPU 101 shown in FIG. The function of the authentication unit 14 may be provided in an external authentication server. The authentication unit 14 is an example of an authentication means.

The reception unit 15 is a function of receiving user input to the operation unit 108 shown in FIG. The reception unit 15 receives, for example, an application execution request input to the operation unit 108. Further, the reception unit 15 receives, for example, the information input to the operation unit 108 for setting the application management table 42 described later. The reception unit 15 is realized by, for example, a program executed by the operation unit 108 and the CPU 101 shown in FIG.

The application execution unit 16 is a function of executing an application installed in the information processing device 10. The application execution unit 16 executes an application permitted to be used by the determination unit 21 in response to a request from the user. When the application is a copy application, the application execution unit 16 executes the copy application based on a print request from the client terminal 50 used by a user who is permitted to use the copy application, and performs the requested print processing. .. The application execution unit 16 is realized by, for example, a program executed by the CPU 101 shown in FIG.

The storage / reading unit 17 is a function of storing various data in the storage unit 18 and reading various data from the storage unit 18. The storage / reading unit 17 and the storage unit 18 are realized by, for example, a program executed by the flash memory 103, the HDD 104, and the CPU 101 shown in FIG. The storage unit 18 is an example of a storage means. Further, the storage unit 18 stores the network management table 41, the application management table 42, and the authentication information management table 43.

○ Network management table Here, the network management table 41 will be described with reference to FIG. FIG. 6 is a diagram showing an example of a network management table according to the first embodiment. The network management table 41 manages the destination information of the client terminal 50, the router 30, and the server device 90 that can communicate with the information processing device 10 via each network.

The network management table 41 includes information on the “device” capable of communicating with the information processing device 10, and information on the “Network address / network” and “default gateway” of the “device”. “Network address / network” and “default gateway” are examples of destination information of the client terminal 50, the router 30, and the server device 90. The network management table 41 stores the destination information of the device that has a track record of communicating with the information processing device 10. The information included in the network management table 41 may be set by the administrator as appropriate, as well as the information of the device having a record of communication with the information processing device 10.

As shown in FIG. 6, the client terminal 50 and the server device 90 are each assigned one IP address that enables communication via the network. A plurality of IP addresses are assigned to the router 30 so that communication via each connected network is possible. The server device may be logically one unit, or may have a redundant configuration with a plurality of devices.

In the case of the network management table 41 shown in FIG. 6, the IP address of the client terminal 50a is "192.168.1.1100/24", and the default gateway is "192.168.1.1.24". .. The IP address of the router 30a is "192.168.1.1/24", and the subnet mask is "192.168.10.1/24". The IP address of the client terminal 50aa is "192.168.10.100/24", and the default gateway is "192.168.10.1/24". The IP address of the server device 90a is "192.168.10.11/24", and the default gateway is "192.168.10.1/24".

The IP address of the client terminal 50b is "172.16.1.1100/24", and the default gateway is "172.16.1.1/24". The IP address of the router 30b is "172.16.1.1/24", and the subnet mask is "172.16.10.1/24". The IP address of the client terminal 50bb is "172.16.10.100/24", and the default gateway is "172.16.10.1/24". The IP address of the server device 90b is "172.1.6.10.11/24", and the default gateway is "172.16.10.12/24".

Further, the IP address of the client terminal 50c is "10.0.1.100/24", and the default gateway is "10.0.1.1/24". The IP address of the router 30c is "10.10.1.1 / 24" and the subnet mask is "10.0.10.1/24". The IP address of the client terminal 50cc is "10.0.10.100/24", and the default gateway is "10.0.10.1/24". The IP address of the server device 90c is "10.0.10.11/24", and the default gateway is "10.0.10.1/24".

The communication control unit 12 of the information processing device 10 controls the communication path of the client terminal 50 or the server device 90 based on the destination information of the client terminal 50 or the server device 90 included in the network management table 41. The device and destination information included in the network management table 41 is not limited to this.

○ Application Management Table Next, the application management table 42 will be described with reference to FIG. 7. FIG. 7 is a diagram showing an example of the application management table according to the first embodiment. The application management table 42 manages the usage authority of the application installed in the information processing device 10 for each network to which the information processing device 10 is connected. The application management table 42 is an example of setting information.

In the application management table 42, information of "Network address / network", "display name", "network disclosure range", and "application availability" is linked to the information of the "network" to which the information processing device 10 is connected. It is attached. “Network” refers to each network connected to the information processing device 10. The "network" may be set by the network administrator, or may be set automatically by being connected to each network.

The "display name" is the name of the network. The "display name" may be set by the network administrator, or may be automatically set by connecting to each network. The "display name" is displayed on the operation unit 108 as information that can be selected by the user, for example, when the usage authority of the application is set by the setting unit 22. As a result, the user who sets the usage authority of the application can easily determine the network.

The “network disclosure range” indicates whether or not to disclose to the user that each network is connected to the information processing device 10. The "network disclosure range" may be specified by the network administrator, or may be automatically specified by connecting to each network. For example, when setting the usage authority of the application, the setting unit 22 sets only the network open to the user who sets the setting target. "Network disclosure range" is an example of disclosure range information.

In the case of the application management table 42 shown in FIG. 7, when a general user sets the usage authority of the application A (appA), the application usage authority is set for the networks Net_A0, Net_A1, and Net_C0 whose disclosure range is "open to the public". It can be set. On the other hand, in the networks Net_B0, Net_B1 and Net_C1 whose disclosure range is "public only to the network administrator", only the user having the network administrator authority can set the application usage authority. That is, the general user cannot set the usage authority of the application for the network whose disclosure range is "public only to the network administrator". Note that a network for which usage authority cannot be set may be automatically set as having no application usage authority.

As for the method of specifying the "network disclosure range", in addition to the specifications such as "open to the public (open to all users)" and "public only to the network administrator" shown in FIG. 7, even if the disclosure range is specified in more detail. good. The method of specifying the "network disclosure range" may be, for example, a specification method such as "public only to users with specific privileges" or "public only to users who use devices connected to a specific network". ..

"Application availability" is information indicating the application usage authority for each network. The availability of an application means that an application installed in the information processing device 10 (for example, a basic application such as a copy application or a scan application, an application installed as an extension function, etc.) is connected to each network as a client terminal. It indicates whether or not it is available to 50 users. The determination unit 21 determines the application usage authority for the user who sent the execution request by referring to the information of "application availability" associated with the network to which the application execution request is transmitted.

In the case of the application management table 42 shown in FIG. 7, for example, the application A (appA) can be used by the user of the client terminal 50 connected to all the networks (corresponding to “OK” shown in FIG. 7). Further, the application B (appB) can be used only by the user of the client terminal 50 connected to the network Net_A0 and the network Net_A1. Further, the application C (appC) can be used only by the user of the client terminal 50 connected to the network Net_B0, the network Net_B1, the network Net_C0, and the network Net_C1.

-Authentication information management table Next, the authentication information management table 43 will be described with reference to FIG. FIG. 8 is a diagram showing an example of the authentication information management table according to the first embodiment. The authentication information management table 43 manages the authentication information of the user registered in the information processing device 10. The authentication information management table 43 manages the user name, password, and authority information in association with each other (association with each other).

The "user name" stores the user's name. The user name and password are examples of authentication information. The authentication unit 14 performs a user authentication process using the authentication information included in the authentication request and the authentication information management table 43 shown in FIG.

The authority information stores the role of each user. The authority information indicates, for example, the authority to use the network for each user. The authority information includes, for example, information that distinguishes whether the user is a network administrator or a general user. In addition, the authority information includes information on the network that can be used by the user.

In the case of the authentication information management table 43 shown in FIG. 8, for example, the user with the user name “adminA” has the authority as an administrator and can communicate using the network Net_B0. Further, the user with the user name "adminB" has the authority as an administrator and can communicate using the network Net_C1. On the other hand, the user with the user name "userA" has the authority as a general user and can communicate using the network Net_A0. Further, the user with the user name "userB" has the authority as a general user, and can communicate using the network Net_C0.

Subsequently, the functional configuration of the client terminal 50a will be described. Note that FIG. 5 shows only the functional configuration of the client terminal 50a, but other client terminals 50 (for example, the client terminal 50b shown in FIG. 1) constituting the information processing system 1 have the same functional configuration. ..

The functions realized by the client terminal 50a shown in FIG. 5 include a transmission / reception unit 51a and a reception unit 52a. The transmission / reception unit 51a is a function of exchanging data with the information processing device 10 via the network Net_A0. The transmission / reception unit 51a transmits a user authentication request to the information processing device 10 via, for example, the network Net_A0. Further, the transmission / reception unit 51a transmits an application execution request to the information processing device 10 via, for example, the network Net_A0. Further, the transmission / reception unit 51a receives, for example, the determination result of availability of the application from the information processing device 10 via the network Net_A0. The transmission / reception unit 51a is realized by, for example, a program executed by the communication unit 508 and the CPU 501 shown in FIG.

The reception unit 52a is a function of receiving user input to the input unit 505 shown in FIG. The reception unit 52a receives, for example, a user authentication request for the information processing device 10 input to the input unit 505. Further, the reception unit 52a receives, for example, a transmission instruction of the application execution request input to the input unit 505. The reception unit 52a is realized by a program or the like executed by the CPU 501 shown in FIG.

● Application availability determination process Next, the application availability determination process in the information processing system according to the first embodiment will be described. FIG. 9 is a sequence diagram showing an example of the process of determining the availability of the application in the information processing system according to the first embodiment. FIG. 9 describes a case where the execution request of the application A (application A) is transmitted from the client terminal 50a connected to the network Net_A0. Further, FIG. 9 will be described assuming that the availability of the application is determined using the application management table 42 shown in FIG. 7. The type of the client terminal 50 for transmitting the execution request and the application related to the execution request is not limited to this, and the same processing is performed for the other client terminals 50 and the application.

In step S101, the client terminal 50a transmits an application execution request to the information processing device 10. Specifically, the client terminal 50a transmits an execution request of the application A (application A) requested to be executed by the user who uses the client terminal 50a.

Here, the information included in the execution request will be described. FIG. 10 is a diagram showing an example of the contents included in the execution request of the application according to the first embodiment. The execution request 60 includes at least the IP address of the source (SRC: source) of the execution request, the IP address of the destination (DST: destination) of the execution request, and information on the application that makes the execution request. The execution request 60 shown in FIG. 10 includes the IP address (192.168.1.1100/24) of the client terminal 50a as a transmission source. Further, the execution request 60 shown in FIG. 10 includes the IP address (192.168.1.10/24) of the information processing apparatus 10 as a transmission destination. Further, the execution request 60 shown in FIG. 10 includes information of application A (appA) as an application that makes an execution request. The information included in the application execution request is not limited to this. The transmission / reception unit 11a of the information processing device 10 receives the execution request of the application A (application A) transmitted from the client terminal 50a (an example of the reception step).

In step S102, the transmission / reception unit 11a of the information processing device 10 outputs the received application execution request to the determination unit 21. In step S103, the determination unit 21 of the information processing device 10 reads out the application management table 42 stored in the storage unit 18. Specifically, the determination unit 21 outputs a read request of the application management table 42 to the storage / read unit 17. Then, when the storage / reading unit 17 detects the output read request, the storage / reading unit 17 reads the application management table 42 stored in the storage unit 18.

In step S104, the storage unit 18 of the information processing device 10 outputs the application management table 42 to the determination unit 21. Specifically, the storage unit 18 outputs the application management table 42 to the storage / reading unit 17. Then, the storage / reading unit 17 outputs the application management table 42 to the determination unit 21.

In step S105, the determination unit 21 of the information processing device 10 determines the application usage authority of the user who has sent the application execution request using the output application management table 42 (an example of the determination step). Here, the details of the processing of the determination unit 21 of the information processing device 10 will be described. FIG. 11 is a flowchart showing an example of the process of determining the availability of the application in the information processing apparatus according to the first embodiment.

When the determination unit 21 detects the execution request of the application in step S201, the determination unit 21 shifts the process to step S202. On the other hand, if the determination unit 21 has not detected the application execution request, the determination unit 21 repeats the process of step S201. In step S202, the determination unit 21 reads out the application management table 42 stored in the storage unit 18.

In step S203, the determination unit 21 identifies the network to which the client terminal 50, which is the source of the detected application execution request, is connected. For example, when the determination unit 21 detects the execution request shown in FIG. 10, the network to which the client terminal 50a is connected is connected to the IP address "192.168.1.100/24" of the client terminal 50a which is the source. Identify Net_A0. The order of the processing in step S202 and the processing in step S203 may be before or after, or may be performed in parallel.

In step S204, if the specified network has the right to use the requested application, the determination unit 21 shifts the process to step S205. Specifically, the determination unit 21 determines the usage authority of the application by referring to the availability of the requested application associated with the specified network in the application management table 42. In step S205, the determination unit 21 outputs the determination result of the usage authority "Yes".

On the other hand, in step S205, if the specified network does not have the right to use the application included in the execution request, the determination unit 21 shifts the process to step S206. In step S206, the determination unit 21 outputs a determination result of "no use". The determination result output in the processes of steps S205 and S206 includes information for identifying the client terminal 50 to which the determination result is notified, the determined application, and the like, in addition to the presence / absence of the usage authority.

Returning to FIG. 10, the description of the process of determining the availability of the application in the information processing system 1 will be continued. In step S106, the determination unit 21 of the information processing device 10 outputs the determination result of availability of the application to the communication control unit 12. In the application management table 42 shown in FIG. 7, the determination unit 21 determines that the usage authority is "yes" because the network Net_A0 to which the execution request is transmitted has the usage authority of the requested application A (appA). Output the result.

In step S107, the communication control unit 12 of the information processing device 10 outputs the output determination result to the transmission / reception unit 11a. In step S108, the transmission / reception unit 11a of the information processing device 10 transmits the output determination result to the client terminal 50a (an example of the transmission step).

The client terminal 50a that has received the determination result of the usage right "Yes" of the application A (appA) executes the process provided by the application A (appA). For example, when the application A (appA) is a copy application, the client terminal 50a executes a print process (cloud print) on the information processing device 10 via the server device 90. The processing executed by the client terminal 50 (user having the usage authority) having the usage authority of the application is not limited to this.

● Application Installation Process Next, the process until the application usage authority is set in the information processing device 10 will be described with reference to FIGS. 12 and 13. FIG. 12 is a flowchart showing an example of application installation processing in the information processing apparatus according to the first embodiment. Further, FIG. 13 is a diagram showing an example of an application installation screen according to the first embodiment. When the information processing device 10 performs an application installation process, the information processing device 10 causes the operation unit 108 to display an installation screen. In the following description, it is assumed that the information processing apparatus 10 newly installs the application D (appD).

In step S301, when the user authentication by the authentication unit 14 is completed (when the user authentication is successful), the information processing device 10 shifts the process to step S302. On the other hand, when the user authentication by the authentication unit 14 is not completed (when the user authentication fails), the information processing device 10 repeats the process in step S301.

In step S302, the reception unit 15 of the information processing device 10 accepts the selection of the application to be installed in the information processing device 10. Specifically, the reception unit 15 causes the operation unit 108 to display the installation screen 70 shown in FIG. Then, the reception unit 15 accepts the selection of the application to be installed by selecting the "file selection" icon on the installation screen 70 by the user.

In step S303, the reception unit 15 of the information processing device 10 acquires a list of networks that can be specified by the user, and accepts user input for setting the usage authority of the application. Specifically, as shown in FIG. 13, the reception unit 15 causes the operation unit 108 to display a list of networks that can be specified by the authenticated user. The usable range shown in FIG. 13 corresponds to the public range of the network included in the application management table 42 shown in FIG. 7. In the usable range shown in FIG. 13, since the authority of the authenticated user is a general user, the network Net_A0, the network Net_A1 and the network Net_C0 whose public range of the network shown in FIG. 7 is "general public" are displayed. ..

Then, the reception unit 15 accepts the user input for granting the usage authority of the application from the network displayed in the available range. In the case of the installation screen 70 shown in FIG. 13, the reception unit 15 accepts that the network Net_A0 and the network Net_C0 are selected by the user operation. The usable range of the installation screen 70 shown in FIG. 13 indicates the display name of the network that can be specified by the authenticated user. As a result, the user who sets the usage authority of the application can easily determine the network by looking at the display of the installation screen 70.

In step S304, the reception unit 15 of the information processing apparatus 10 executes the installation of the selected application by selecting the “OK” icon on the installation screen 70 shown in FIG. In step S305, the reception unit 15 of the information processing device 10 shifts the process to step S306 when the installation of the application is completed. On the other hand, if the application installation is not completed, the reception unit 15 repeats the process of step S305. The processing of steps S302 to S305 ends when the "Cancel" icon of the installation screen 70 shown in FIG. 13 is selected.

In step S306, the setting unit 22 of the information processing device 10 sets the usage authority of the installed application in the application management table 42. For example, the setting unit 22 grants the installed application D (appD) the right to use the application for the network Net_A0 and the network Net_C0 for which the user input is received by the reception unit 15 (“OK” shown in FIG. 7). Corresponds to). On the other hand, the setting unit 22 does not give the application D (appD) the right to use other networks included in the application management table 42 (corresponding to "NG" shown in FIG. 7). As a result, when a new application is installed, the information processing apparatus 10 can limit the range in which the application usage authority can be set according to the authority given to the user who performs the setting operation.

● Effect of First Embodiment As described above, in the information processing system according to the first embodiment, the information processing apparatus 10 connected to a plurality of networks having different segments is connected to a predetermined network. The client terminal 50 (an example of a communication device) receives an execution request of an application installed in the information processing device 10. Then, the information processing device 10 uses the application management table 42 to determine whether the network to which the execution request is transmitted has the right to use the requested application, and the information processing device 10 determines whether or not the client terminal 50 to which the execution request is transmitted has the right to use the requested application. , Send the judgment result. Therefore, the information processing system 1 can restrict the use of applications from unauthorized networks in a plurality of networks to which the information processing device 10 is connected. As a result, the information processing device 10 can prevent the use of an unauthorized application from the client terminal 50 connected to another network.

Further, the information processing system according to the first embodiment sets the usage authority of the application installed in the information processing device 10 only for the network open to the user who makes the setting. Therefore, when a new application is installed in the information processing device 10, the information processing system 1 may limit the range in which the application usage authority can be set according to the authority given to the user who performs the setting operation. can.

● Second embodiment ●
Next, the information processing system according to the second embodiment will be described. The same configurations and the same functions as those in the first embodiment are designated by the same reference numerals, and the description thereof will be omitted. The information processing system according to the second embodiment determines whether or not the application installed in the information processing device 10 can be used, not only for each network to which the information processing device 10 is connected, but also for a client terminal capable of communicating with the information processing device 10. It can be set every 50.

FIG. 14 is a sequence diagram showing an example of the application management table according to the second embodiment. In the application management table 42a, in addition to the information included in the application management table 42 shown in FIG. 7, information on availability of the application is set for each client terminal 50 connected to the network.

In the case of the application management table 42a shown in FIG. 14, for example, the user of the client terminal 50aa connected to the network Net_A1 has the right to use the application A (appA) and the application B (appB). On the other hand, the user of the client terminal 50aa connected to the same network Net_A1 has the right to use the application A (appA) and the application C (appC). Further, the user of the client terminal 50bb connected to the network Net_B1 has the right to use the application A (appA) and the application C (appC). On the other hand, the user of the client terminal 50bb "connected to the same network Net_B1 has the authority to use the application A (apppA) and the application B (apppB).

In this way, in the application management table 42a, different usage privileges can be set for each of the plurality of client terminals 50 connected to the same network. When the determination unit 21 of the information processing device 10 receives the application execution request from the client terminal 50, the determination unit 21 determines whether or not the client terminal 50 that has transmitted the execution request has the right to use the requested application.

The “application availability” included in the application management table 42a shown in FIG. 14 is set by the setting unit 22 as in the first embodiment. In this case, on the installation screen 70 shown in FIG. 13, the usable range may display not only the information of the network that can be specified by the user but also the information of the client terminal 50 connected to the network that can be specified by the user.

● Effects of the Second Embodiment As described above, in the information processing system according to the second embodiment, the availability of the application included in the application management table 42 is determined only for each network to which the information processing device 10 is connected. Instead, it is set for each client terminal 50 connected to the network. Then, the information processing device 10 determines whether or not the network to which the application execution request is transmitted or the client terminal 50 to which the application execution request is transmitted has the right to use the requested application. Therefore, the information processing system according to the second embodiment can more flexibly set the usage authority of the application installed in the information processing device 10.

● Other embodiments ●
Next, the information processing system according to other embodiments will be described. FIG. 15 is a diagram showing an example of a system configuration of an information processing system according to another embodiment. In the information processing system 2 shown in FIG. 15, the function of the control unit 1000 of the information processing device 10 shown in FIG. 5 is realized by the communication control device 20 provided separately from the information processing device 10.

The information processing device 10d includes a network interface for communicating with the communication control device 20. In addition to the function of the control unit 1000 shown in FIG. 6, the communication control device 20 includes a dedicated transmission / reception unit for transmitting / receiving data (packet information) to / from the information processing device 10. The communication control device 20 controls the communication path between the information processing device 10d and the client terminal 50 or the server device 90 by the communication control unit 12 included in the control unit 1000. The communication control unit 12 of the communication control device 20 controls the transfer of data (packet information) by using methods such as bridge control, NAPT (Network Address Port Translation) translation, and NAT (Network Address Translation) translation. In this case, the network management table 41 stores the data (packet information) forwarding rule in advance.

● Summary ●
As described above, the information processing device according to the embodiment of the present invention is the information processing device 10 connected to a plurality of networks having different segments, and the client terminal 50 (communication device) connected to the network. (Example) receives an execution request of an application installed in the information processing apparatus 10. Then, the information processing device 10 determines whether the network to which the execution request is transmitted has the right to use the application, and transmits the determined result to the client terminal 50. Therefore, the information processing device 10 can prevent the use of an unauthorized application from the client terminal 50 connected to another network.

In addition, the information processing device according to the embodiment of the present invention causes a predetermined user who can connect to the open network to set the right to use the application. Therefore, when a new application is installed, the information processing device 10 limits the range in which the application usage authority can be set according to the authority given to the user who performs the setting operation (for example, the network to which the user can connect). can do.

Further, in the information processing apparatus according to the embodiment of the present invention, the usage authority of the application is set for each client terminal 50, and the client terminal 50 is given the usage authority based on the usage authority given to the client terminal 50 that has transmitted the execution request. On the other hand, it is determined whether or not the user has the right to use the application. Therefore, the information processing device 10 can more flexibly set the usage authority of the application installed in the information processing device 10.

Further, the information processing system according to the embodiment of the present invention is an information information system 1 including an information processing device 10 connected to a plurality of networks having different segments and a client terminal 50 connected to the network. Therefore, the client terminal 50 receives an execution request for the application installed in the information processing device 10. Then, the information processing system 1 determines whether the network to which the execution request is transmitted has the right to use the application, and transmits the determined result to the client terminal 50. Therefore, the information processing system 1 can restrict the use of applications from unauthorized networks in a plurality of networks to which the information processing device 10 is connected.

Further, the control method according to the embodiment of the present invention is a control method executed by the information processing apparatus 10 connected to a plurality of networks having different segments, and information processing is performed from the client terminal 50 connected to the network. A reception step for receiving the execution request of the application installed in the device 10, a determination step for determining whether the network to which the execution request is transmitted has the right to use the application, and the determination result are transmitted to the client terminal 50. The transmission step of transmitting to and the transmission step is executed. Therefore, the control method according to the embodiment of the present invention can prevent the use of an unauthorized application from the client terminal 50 connected to another network.

The functions of each embodiment can be realized by a computer-executable program described in a legacy programming language such as an assembler, C, C ++, C #, Java (registered trademark), an object-oriented programming language, or the like, and ROM, EPROM. (Electrically Erasable Programmable Read-Only Memory), EPROM (Erasable Programmable Read-Only Memory), Flash Memory, Flexible Disc, CD (Compact Disc) -ROM, CD-RW (Re-Writable), DVD-ROM, DVD-RAM , DVD-RW, Blu-ray disc, SD card, MO (Magneto-Optical disc) and other devices can be stored in a readable recording medium or distributed via a telecommunications line.

In addition, some or all of the functions of each embodiment can be implemented on a programmable device (PD) such as FPGA (Field Programmable Gate Array), or implemented as an ASIC (Application Specific Integrated Circuit). Circuit configuration data (bit stream data) to be downloaded to PD to realize the functions of each embodiment on PD, HDL (Hardware Description Language) to generate circuit configuration data, VHDL (Very High Speed Integrated) It can be distributed by a recording medium as data described by Circuits Hardware Description Language), Verilog-HDL, or the like.

Although the information processing apparatus, information processing system, control method and program according to one embodiment of the present invention have been described so far, the present invention is not limited to the above-described embodiment, and other embodiments, additions, and the like have been described. Changes, deletions, etc. can be made within the range that can be conceived by those skilled in the art, and are included in the scope of the present invention as long as the actions and effects of the present invention are exhibited in any of the embodiments.

1 Information processing system 10 Information processing device 30 Router 50 Client terminal (example of communication device)
90 Server device 11 Transmitter / receiver (example of receiving means and transmitting means)
14 Authentication unit (an example of authentication method)
18 Storage unit (an example of storage means)
21 Judgment unit (example of judgment means)
22 Setting unit (example of setting means)

Japanese Unexamined Patent Publication No. 2005-229332

Claims (8)

An information processing device connected to multiple networks with different segments.
A receiving means for receiving an execution request of an application installed in the information processing device from a communication device connected to the network, and a receiving means.
A storage means that includes disclosure range information indicating the disclosure range for each network and stores setting information for which the usage authority of the application is set for each network.
A setting means for setting the usage authority for a predetermined user who can connect to the publicly available network, and
Based on the usage authority given to the network to which the execution request is transmitted, which is included in the setting information, as a determination means for determining whether the network to which the execution request is transmitted has the usage authority of the application. ,
A transmission means for transmitting the determined result to the communication device, and
Information processing device equipped with. The disclosure range information includes the authority to use the network as the disclosure range.
The information processing device according to claim 1 , wherein the setting means sets the usage authority for a network in which the predetermined user has the usage authority. The disclosure range information includes information on a network to which the predetermined user can connect.
The information processing device according to claim 1 , wherein the setting means sets the usage authority for a network to which the predetermined user can connect. The information processing device according to any one of claims 1 to 3, and further.
An authentication means for executing user authentication of the predetermined user is provided.
The setting means causes the authenticated predetermined user to set the usage authority.
Information processing device. For the setting information, the usage authority of the application is set for each communication device.
The determination means determines whether or not the communication device has the usage authority of the application based on the usage authority given to the communication device that has transmitted the execution request, which is included in the setting information. The information processing apparatus according to any one of claims 1 to 4. An information processing system including an information processing device connected to a plurality of networks having different segments and a communication device connected to the network.
A receiving means for receiving an execution request of an application installed in the information processing device from the communication device, and
A storage means that includes disclosure range information indicating the disclosure range for each network and stores setting information for which the usage authority of the application is set for each network.
A setting means for setting the usage authority for a predetermined user who can connect to the publicly available network, and
Based on the usage authority given to the network to which the execution request is transmitted, which is included in the setting information, as a determination means for determining whether the network to which the execution request is transmitted has the usage authority of the application. ,
A transmission means for transmitting the determined result to the communication device, and
Information processing system equipped with. A control method executed by an information processing device connected to a plurality of networks having different segments.
A reception step for receiving an execution request of an application installed in the information processing device from a communication device connected to the network, and
A storage step that includes disclosure range information indicating the disclosure range for each network and stores setting information for which the usage authority of the application is set for each network.
A setting step for setting the usage authority for a predetermined user who can connect to the publicly available network, and
Based on the usage authority given to the network to which the execution request is transmitted, which is included in the setting information, a determination step of determining whether the network to which the execution request is transmitted has the usage authority of the application. ,
A transmission step of transmitting the determined result to the communication device, and
Control method to execute. A program that causes a computer to execute the control method according to claim 7.

Images