JP5069820B2 - Image forming system and user manager server device - Google Patents

Description

  The present invention relates to an image forming system and a user manager server device.

  In recent years, directory services such as an active directory and an e directory have been introduced to manage users and devices in a network system. Some image forming apparatuses such as printers, copiers, and multifunction machines have a network function, and currently users and groups (departments) can be managed using such a directory service. When performing user management with a directory service, user authentication of a user who has performed a login operation on an image forming apparatus is usually performed by a server apparatus of the directory service.

  On the other hand, in the image forming apparatus, an authorization process may be performed in which only a function permitted to the login user among various functions can be used. Normally, in the authorization process, for each user, authorization information that designates a function that is permitted to be used (or a function that is prohibited to be used) is preset in the image forming apparatus, and is used by the login user in accordance with the authorization information. Function to be limited. In addition, there is also a system that provides the login user authorization information to the image forming apparatus using an intermediate server device having authorization information for each user (see, for example, Patent Document 1).

  In addition, as a user authentication method at the time of login, a card reader is provided in the image forming apparatus, the user carries an ID card, and when logging in to the image forming apparatus, the user presents the ID card to the card reader to form an image. There is also a method in which the device performs user authentication by reading the user ID from the ID card.

JP 2008-140067 A

  As described above, as an authentication method at the time of user login to the image forming apparatus, as described above, a plurality of methods such as a method of inputting a user ID and password as text on the operation panel, a method of presenting an ID card, There is. Therefore, in a certain image forming apparatus, setting data for specifying an available authentication method among the plurality of authentication methods is set, and an authentication method according to the value of the setting data is permitted to the user.

  Therefore, by changing the value of the setting data in the image forming apparatus, the user authentication method that can be used by the user can be changed. However, if the authentication method of many image forming apparatuses is to be unified, all the images The setting data must be changed for each of the forming apparatuses, which takes time and trouble for the administrator.

  The present invention has been made in view of the above-described problems, and can be used for an image forming system capable of collectively setting authentication methods for a large number of image forming apparatuses with a simple operation, and the image forming system. An object of the present invention is to obtain a simple user manager server device.

  In order to solve the above problems, the present invention is configured as follows.

An image forming system according to the present invention includes a plurality of image forming apparatuses connected to a network, and authorization information that specifies functions permitted to be used by a login user of the image forming apparatus connected to the network. Providing a user manager server device. Each of the plurality of image forming apparatuses stores authentication setting data, acquires identification information at the time of login by an authentication method specified by the authentication setting data among the plurality of user authentication methods, and stores the identification information as a user manager. Send to server device. The user manager server apparatus receives the identification information from any of the plurality of image forming apparatuses, performs user authentication based on the received identification information in the user manager server apparatus or in the authentication server apparatus, and has successfully logged in. Authorization information about the user is transmitted to the image forming apparatus, master authentication setting data is stored, and the master authentication setting data is set as authentication setting data in a plurality of image forming apparatuses. Further, when the user manager server device receives the authentication setting request from any of the plurality of image forming devices, the user manager server device transmits master authentication setting data to the image forming device, and permits the master authentication setting data as a usable authentication method. Is set to the image forming apparatus. Further, when receiving the authentication setting request from any of the plurality of image forming apparatuses, the user manager server apparatus specifies an authentication method that can be used in the image forming apparatus at that time, and specifies the specified authentication method and master authentication setting data. Only when the authentication method specified by is different from the authentication method, the master authentication setting data is transmitted to the image forming apparatus, and the usable authentication method in the image forming apparatus is updated.

As a result, the master authentication setting data of the user manager server apparatus is automatically reflected on each image forming apparatus, so that authentication methods for a large number of image forming apparatuses can be set in a single operation with a simple operation. In addition, since the master authentication setting data is automatically reflected on each image forming apparatus when the image forming apparatus is in operation, it is possible to reliably set the authentication methods of a large number of image forming apparatuses at once. it can. Furthermore, since the master authentication setting data is transmitted only when updating is necessary, it is possible to reduce the load on the image forming apparatus and the user manager server apparatus related to the setting of the master authentication setting data, and the network traffic.

A user manager server device according to the present invention includes a network interface connected to a network, a storage device that stores master authentication setting data that specifies an authentication method that can be used in a plurality of image forming apparatuses, and a plurality of master authentication setting data. An authentication setting unit that sets an authentication method permitted by the master authentication setting data in a plurality of image forming devices and a plurality of images using a network interface as usable authentication methods. A user authentication processing unit that receives identification information acquired by any of the forming apparatuses using the authentication method and performs user authentication based on the received identification information in the user manager server apparatus or in the authentication server apparatus, and user authentication The authorization information about the login user who succeeded And a authorization processing unit to be transmitted to. When the authentication setting unit receives an authentication setting request from any of the plurality of image forming apparatuses using the network interface, the authentication setting unit transmits master authentication setting data to the image forming apparatus, An authentication method permitted by the master authentication setting data is set in the image forming apparatus. Further, upon receiving an authentication setting request from any of a plurality of image forming apparatuses, the authentication setting unit specifies an authentication method that can be used by the image forming apparatus at that time, and uses the specified authentication method and master authentication setting data. Only when the designated authentication method is different, the master authentication setting data is transmitted to the image forming apparatus, and the usable authentication method in the image forming apparatus is updated.

As a result, the master authentication setting data of the user manager server apparatus is automatically reflected on each image forming apparatus, so that the authentication methods of a large number of image forming apparatuses can be integrated at the same time with a simple operation of setting the master authentication setting data. Can be set. In addition, since the master authentication setting data is automatically reflected on each image forming apparatus when the image forming apparatus is in operation, it is possible to reliably set the authentication methods of a large number of image forming apparatuses at once. it can. Furthermore, since the master authentication setting data is transmitted only when updating is necessary, it is possible to reduce the load on the image forming apparatus and the user manager server apparatus related to the setting of the master authentication setting data, and the network traffic.

The user manager server device according to the present invention, in addition to the above user manager server equipment, may be as follows. In this case, when the authentication setting unit receives an authentication setting request transmitted at the time of starting the image forming apparatus or when returning from the sleep mode, the authentication setting unit transmits master authentication setting data to the image forming apparatus, The authentication method permitted by the setting data is set in the image forming apparatus.

  The user manager server device according to the present invention may be configured as follows in addition to any of the user manager server devices described above. In this case, upon receiving an authentication setting request transmitted when the operation panel of the image forming apparatus is reset and the login screen is displayed, the authentication setting unit transmits the master authentication setting data to the image forming apparatus and can be used. As an authentication method, an authentication method permitted by the master authentication setting data is set in the image forming apparatus.

  The user manager server device according to the present invention may be configured as follows in addition to any of the user manager server devices described above. In this case, the user manager server device further includes an editing unit that receives an editing instruction from an external device using the network interface and edits the master authentication setting data according to the editing instruction.

  Accordingly, it is possible to collectively set authentication methods for a large number of image forming apparatuses simply by accessing the user manager server apparatus from an external apparatus and editing the master authentication setting data.

  The user manager server device according to the present invention may be configured as follows in addition to any of the user manager server devices described above. In this case, the master authentication setting data includes a plurality of authentication methods including a first authentication method by user ID and password text input, a second authentication method by ID card, and a third authentication method by text input of ID card and password. One or more of them are designated as authentication methods that can be used in a plurality of image forming apparatuses.

  According to the present invention, authentication methods for a large number of image forming apparatuses can be set collectively by a simple operation.

FIG. 1 is a block diagram showing a configuration of an image forming system according to an embodiment of the present invention. FIG. 2 is a block diagram showing the configuration of the multifunction machine in FIG. FIG. 3 is a block diagram showing a configuration of the user manager server apparatus in FIG. FIG. 4 is a diagram showing a configuration example of the authorization policy data in FIG. FIG. 5 is a block diagram showing the configuration of the directory server device in FIG. FIG. 6 is a sequence diagram for explaining the operation of each device when a user logs in to the multifunction machine in the system shown in FIG. FIG. 7 is a sequence diagram for explaining the operation of each apparatus when editing the master authentication setting data and reflecting the master authentication setting data to the multifunction peripheral in the system shown in FIG. FIG. 8 is a diagram showing an example of a master authentication setting data editing screen displayed on the terminal device in FIG.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 is a block diagram showing a configuration of an image forming system according to an embodiment of the present invention. In the system shown in FIG. 1, a plurality of multifunction devices 1A and 1B and a printer 1C are connected to a network 2, and a user manager server device 3, a directory server device 4, and a terminal device 5 are connected to the network 2. ing.

  The multifunction device 1A has a printer function, a scanner function, a copy function, a facsimile function, and the like, and executes various jobs with the above-described functions in accordance with commands from the operation panel on the multifunction device 1A, a host device connected to the network 2, and the like. An image forming apparatus. The multifunction machine 1B is a similar device. The printer 1C is also an image forming apparatus like the multifunction machines 1A and 1B, but does not have a scanner function, a copy function, and a facsimile function. In the following, the case where the multifunction peripherals 1A and 1B function as image forming apparatuses will be mainly described. However, the printer 1C can also function as an image forming apparatus.

  The user manager server device 3 is a server device that accepts user authentication requests from the multifunction peripherals 1A and 1B and provides authorization information for users logged in to the multifunction peripherals 1A and 1B. The directory server device 4 is a server device that provides directory services such as an active directory and an e directory. The terminal device 5 is a terminal device having a network function such as a personal computer, an input device such as a keyboard, and a display device such as a display.

  FIG. 2 is a block diagram showing a configuration of the multifunction machine 1A in FIG. The multifunction machine 1B has a similar configuration. The multi-function device 1A includes an operation panel 21, a modem 22, a network interface 23, a printer 24, a scanner 25, and a control device 26.

  The operation panel 21 is installed in the housing of the multifunction machine 1A, and includes a display device 21a that displays various types of information to the user and an input device 21b that receives user operations. The display device 21a is, for example, a liquid crystal display or various indicators. The input device 21b is, for example, a touch panel or a key switch.

  The modem 22 can be connected to a subscriber telephone network such as a public switched telephone network (PSTN), and is a communication device that transmits and receives facsimile data.

  The network interface 23 can be connected to a wired or wireless computer network 2 and performs data communication with other devices (server device 3, host device not shown) connected to the network 2. Device.

  The printer 24 is an internal device that prints on a sheet according to a print request and discharges the printed matter. In the case of the electrophotographic method, after charging the photosensitive drum, the printer 24 emits a light source based on the print data to form an electrostatic latent image on the surface of the photosensitive drum, and this electrostatic latent image is Development is performed with toner, the toner image is transferred and fixed on a sheet, and the sheet is discharged as a printed matter.

  The scanner 25 irradiates light on one or both sides of a document fed by an automatic document feeder or a document placed by a user and receives reflected light or the like to read an image of the document. It is an internal device that outputs as image data.

  The reader 27 is a device that reads user identification information and outputs read data, and may be provided in the multifunction peripheral 1A or may be connected as a peripheral device. In this embodiment, the reader 27 is a card reader that reads user identification information from an ID card such as a magnetic card or an IC card, and outputs read data including the user identification information. The reader 27 may be a reader that reads a user's biometric information (such as a fingerprint). In that case, the feature amount obtained from the biological information is used as the user identification information. The reader 27 may be a contact type or a non-contact type.

  The storage device 28 is a nonvolatile storage device such as a nonvolatile memory or a hard disk drive. The storage device 28 stores authentication setting data 28a. The authentication setting data 28a is data for designating an authentication method permitted in the multi function device 1A. For example, in this embodiment, the authentication setting data 28a includes a first authentication method by text input of user ID and password, a second authentication method by ID card, and a third authentication method by text input of ID card and password. One or a plurality of authentication methods are designated.

  The control device 26 is a device that controls each unit in the multifunction peripheral 1A and performs data processing. The control device 26 is configured as a computer having, for example, a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), and the like. In the control device 26, the CPU implements various processing units by loading a program stored in the ROM, the storage device 28, or another storage device (flash memory or the like) into the RAM and executing it. In the control device 26, a FAX communication unit 31, a network communication unit 32, a control unit 33, and a determination unit 34 are realized.

  The FAX communication unit 31 is a processing unit that controls the modem 22 and receives facsimile data. When receiving the facsimile data, the FAX communication unit 31 supplies a print request to the determination unit 34.

  The network communication unit 32 is a processing unit that controls the network interface 23 and performs data communication with devices on the network 2 using various communication protocols. For example, the network communication unit 32 transmits input data by a user login operation to the user manager server device 3 at the time of user login, and receives login user authorization information from the user manager server device 3. The input data by the user's login operation corresponds to the authentication method that can be used in the multifunction device 1A, and (a) the user ID and password input by the operation panel 21 and (b) the user ID. The read data read from the card and output from the reader 27, (c) the read data, the password input by text on the operation panel 21, and the like. For example, the network communication unit 32 receives a print request (such as PDL (Page Description Language) data) from the host computer, and supplies the print request to the control unit 33.

  The control unit 33 receives a job request by a user operation on the operation panel 21 or a job request received from the host device by the network interface 23 and the network communication unit 32, and controls each unit in the multifunction peripheral 1A to control the job. A processing unit that executes a job corresponding to a request. The job request includes a print request, a scan request, a facsimile transmission request, and the like. In addition, when a login operation is performed, the control unit 33 acquires input data from the operation panel 21 and / or the reader 27, transmits the input data using the network communication unit 32, and transmits user authentication, authorization information, and the like to the user manager server device. 3 is requested. Furthermore, the control unit 33 uses the network communication unit 32 to transmit an authentication setting request to the user manager server device 3 at the time of initialization processing (when starting, at the return from sleep, at the time of resetting the operation screen, etc.), and master authentication The setting data is received from the user manager server device 3, and only the authentication method specified in the master authentication setting data is permitted as the user authentication method at the time of login.

  Based on the authorization information about the login user received from the user manager server device 3 by the network interface 23 and the network communication unit 32, the determination unit 34 uses the login user among the functions of the MFP 1A. It is a processing unit that specifies a function to be prohibited (or a function to be permitted) and stores data indicating whether or not to permit use of each function on, for example, a RAM. The control unit 33 refers to the data and restricts the use of the MFP 1A by the login user. For example, when the use of the color copy function is restricted for the logged-in user, a copy function menu is displayed on the operation panel 21 so that the color copy cannot be selected (for example, selecting a color from monochrome / color). Button is grayed out).

  In this way, the multifunction peripherals 1A and 1B are configured.

  FIG. 3 is a block diagram showing the configuration of the user manager server device 3 in FIG. The user manager server device 3 includes a storage device 41, a network interface 42, and an arithmetic processing device 43.

  The storage device 41 is a device that stores programs and data. As the storage device 41, a nonvolatile semiconductor memory, a hard disk drive, or the like is used. The storage device 41 stores authorization policy data 51, local user data 52, local group data 53, and master authentication setting data 54.

  The authorization policy data 51 is data including authorization information used for specifying a function that is permitted to be used by the login user of the multifunction peripheral 1A, 1B. The authorization policy data 51 can include authorization information for users and authorization information for groups. Authorization information for a user is authorization information applied to the user, and authorization information for a group is authorization information applied to users belonging to the group. The authorization policy data 51 includes authorization information for a domain user registered in the directory server device 4 and authorization information for a local user registered in the user manager server device 3 as authorization information for the user. And can be included. The authorization policy data 51 includes authorization information for a domain group registered in the directory server device 4 and authorization information for a local group registered in the user manager server device 3 as authorization information for the group. And can be included. The authorization information for a user includes a user ID and information on a function that is permitted (or prohibited) for the user (for example, a function ID). The authorization information for a group includes a group ID and information on a function that is permitted (or prohibited) for a user belonging to the group (for example, a function ID). For example, functions permitted (or prohibited) to be used include large items such as printing, scanning, copying, and facsimile transmission, and small items (for example, a color / monochrome selection function) associated with each large item.

  FIG. 4 is a diagram showing a configuration example of the authorization policy data 51 in FIG.

  In the authorization policy data 51 shown in FIG. 4, the domain group A includes domain users A, B, C, and D, and the local group A includes local users A and B and domain users B and D. An authorization policy # 1 (policy data including authorization information) is set for the domain group A, an authorization policy # 2 is set for the domain user A belonging to the domain group A, and an authorization policy # for the local group A 3 is set, the authorization policy # 4 is set for the local user A belonging to the local group A, the authorization policy # 5 is set for the domain user B belonging to the domain group A, and the authorization for the domain user E is set. Policy # 6 is set, and authorization policy # 7 is set for local user C.

  The local user data 52 is data including registration information (user ID and password) of the local user. The local user is a user registered in the user manager device 3 separately from the domain user registered in the directory server device 4.

  The local group data 53 is data including registration information (group ID and user ID of a user belonging to the group) of the local group. The local group is a group registered in the user manager device 3 separately from the domain user registered in the directory server device 4. Local groups can include local users and domain users. That is, a local group consisting only of local users, a local group consisting only of domain users, and a local group consisting of local users and domain users can be set.

  The master authentication setting data 54 is data that designates an authentication method that can be used in a predetermined plurality of image forming apparatuses (here, the multifunction peripherals 1A and 1B). That is, one master authentication setting data 54 is reflected in the multifunction devices 1A and 1B in common.

  The network interface 42 can be connected to a wired or wireless computer network 2, and can communicate with other devices (such as the multifunction devices 1 </ b> A and 1 </ b> B, the server device 4, and the terminal device 5) connected to the network 2. It is a device that performs data communication.

  The arithmetic processing unit 43 is configured as a computer having a CPU, a ROM, a RAM, and the like, and loads various programs stored in the ROM or the storage device 41 into the RAM and executes them by the CPU, thereby realizing various processing units. . In the arithmetic processing device 43, a network communication unit 61, a user authentication processing unit 62, an authorization processing unit 63, an authentication setting unit 64, and a master data editing unit 65 are realized.

  The network communication unit 61 is a processing unit that controls the network interface 42 and performs data communication with devices on the network 2 using various communication protocols. For example, the network communication unit 61 receives input data at the time of login from the multifunction device 1A, and transmits authorization information about the user to the multifunction device 1A. For example, the network communication unit 61 transmits a user authentication request to the directory server device 4 and receives the authentication result and user information from the directory server device 4. For example, the network communication unit 61 receives an edit request for the master authentication setting data 54 from the terminal device 5.

  The user authentication processing unit 62 uses the network interface 42 and the network communication unit 61 to receive input data (that is, an ID card and user identification information) in the multifunction device 1 from the multifunction device 1A (or the multifunction device 1B). The processing unit identifies a user ID (or a pair of user ID and password) corresponding to the input data, and performs user authentication using the user ID (or pair of user ID and password). The user authentication processing unit 62 authenticates login users of the multifunction peripherals 1A and 1B with the local user data 52 in the multifunction peripheral 1A or with an authentication server apparatus such as the directory server apparatus 4 using the network interface 42.

  The authorization processing unit 63 extracts from the authorization policy data 51 the authorization information for the login user of the multifunction device 1A (or multifunction device 1B) that has succeeded in user authentication based on the input data, and the multifunction device 1A (or multifunction device). 1B). In this embodiment, when the login user of the multifunction device 1A (or multifunction device 1B) who has succeeded in user authentication belongs to the local group, the authorization processing unit 63 obtains authorization information for the local group from the authorization policy data 51. If the logged-in user that has been extracted and transmitted to the MFP 1A (or MFP 1B) using the network interface 42 as authorization information for the logged-in user and succeeded in user authentication does not belong to the local group, the logged-in user The authorization information for the domain group to which the user belongs or the user (domain user or local user) is extracted from the authorization policy data 51, and the network interface 42 is used as the authorization information for the login user. 1B To send to.

  For example, in the case of the authorization policy data 51 shown in FIG. 4, when the domain user A logs in to the multifunction device 1A, the authorization policy # 2 and the authorization policy # 1 are transmitted to the multifunction device 1A. When there are conflicting authorization settings in the user and group authorization policies (here, authorization policy # 2 and authorization policy # 1), the setting of a predetermined authorization policy of the group or user is applied. In this case, when the domain user B logs in to the multifunction device 1A, the authorization policy # 5, the authorization policy # 3, and the authorization policy # 1 are transmitted to the multifunction device 1A. If there are conflicting authorization settings in the domain group and local group authorization policies (here, authorization policy # 1 and authorization policy # 3), the setting of the predetermined authorization policy of the domain group or local user is applied. Is done. In this case, when the domain user C logs in to the multifunction device 1A, the authorization policy # 1 is transmitted to the multifunction device 1A. In this case, when the domain user D logs in to the multifunction device 1A, the authorization policy # 1 and the authorization policy # 3 are transmitted to the multifunction device 1A. In this case, when the domain user E logs in to the multifunction device 1A, the authorization policy # 6 is transmitted to the multifunction device 1A. In this case, when the local user A logs in to the multifunction device 1A, the authorization policy # 4 and the authorization policy # 3 are transmitted to the multifunction device 1A. In this case, when the local user B logs in to the multifunction device 1A, the authorization policy # 3 is transmitted to the multifunction device 1A. In this case, when the local user C logs in to the multifunction device 1A, the authorization policy # 7 is transmitted to the multifunction device 1A.

  When there are a plurality of authorization policies to be applied to a certain login user, the authorization processing unit 63 generates a single authorization policy by combining the authorization policies in the server device 3 and transmits the generated authorization policy. You may make it do. In that case, any setting policy selected according to a predetermined rule is applied to setting items that compete with each other in a plurality of approval policies.

  The authentication setting unit 64 is a processing unit that transmits the master authentication setting data 54 to the multifunction peripherals 1A and 1B using the network interface 42 and the network communication unit 61 and stores the master authentication setting data 54 in the storage device 28 as the authentication setting data 28a. In this embodiment, when the authentication setting unit 64 receives an authentication setting request from the multifunction device 1A or the multifunction device 1B via the network interface 42 and the network communication unit 61, the authentication setting unit 64 sends master authentication setting data to the multifunction devices 1A and 1B. 54 is transmitted. The authentication setting request is transmitted when the multifunction peripherals 1A and 1B are activated or when the MFP 1 returns from sleep, and is received by the authentication setting unit 64. Alternatively, the authentication setting request is transmitted when the operation panel of the multifunction peripheral 1A, 1B is reset and the login screen is displayed, and is received by the authentication setting unit 64. Further, upon receiving an authentication setting request from the multifunction device 1A or the multifunction device 1B, the authentication setting unit 64 identifies an authentication method that can be used by the multifunction device 1A or 1B at that time, and identifies the identified authentication method and master authentication setting. Only when the authentication method specified by the data is different, the master authentication setting data 54 is transmitted to the multifunction devices 1A and 1B, and the authentication setting data 28a in the multifunction devices 1A and 1B is updated.

  Note that the value of the master authentication setting data transmitted to each MFP 1A, 1B is stored in the storage device 41 as an update log, and the authentication setting is determined from the value of the master authentication setting data previously transmitted to the MFP 1A, 1B. Authentication methods that can be used by the multifunction devices 1A and 1B at the time of receiving the request are specified. If the value of the master authentication setting data transmitted last time is not stored, the master authentication setting data 54 is transmitted. Further, the transmission timing of the master authentication setting data 54 to each MFP 1A, 1B and the update timing of the master authentication setting data 54 in the user manager server device 3 are recorded as an update log, and the master authentication setting data 54 The master authentication setting data 54 may be transmitted only when there is an update after transmission.

  The master data editing unit 65 is a processing unit that receives an editing instruction from the terminal device 5 using the network interface 42 and the network communication unit 61 and edits the master authentication setting data 54 according to the editing instruction.

  Thus, the user manager server device 3 is configured.

  FIG. 5 is a block diagram showing the configuration of the directory server device 4 in FIG. The directory server device 4 includes a storage device 71, a network interface 72, and an arithmetic processing device 73.

  The storage device 71 is a device that stores programs and data. As the storage device 71, a nonvolatile semiconductor memory, a hard disk drive, or the like is used. A directory service database 91 is constructed in the storage device 71, and the database 91 includes user data 91a and group data 91b. The user data 91a includes a user ID, a password, and user information (a telephone number, a facsimile number, an e-mail address, and other attribute information to be contacted). The group data 91b includes a group ID, a user ID list of users belonging to the group, and group information (contact information, responsible person, and other attribute information).

  The network interface 72 is a device that can be connected to a wired or wireless computer network 2 and performs data communication with other devices (such as the server device 3) connected to the network 2.

  The arithmetic processing unit 73 is configured as a computer having a CPU, a ROM, a RAM, and the like, and implements various processing units by loading a program stored in the ROM or the storage device 71 into the RAM and executing the program by the CPU. In this arithmetic processing unit 73, a network communication unit 81 and a directory service processing unit 82 are realized.

  The network communication unit 81 is a processing unit that controls the network interface 72 and performs data communication with devices on the network 2 using various communication protocols. For example, the network communication unit 81 receives a user authentication request and transmits the authentication result and user information.

  The directory service processing unit 82 is a processing unit that manages domain users and domain groups. The directory service processing unit 82 performs registration and deletion of domain users and domain groups, user authentication, provision of user information of domain users and group information of domain groups, and the like. For user authentication, LDAP (Lightweight Directory Access Protocol) authentication, Kerberos authentication, or the like is used. When the directory service is an active directory, the directory service processing unit 82 operates as a domain controller.

  Thus, the directory server device 4 is configured.

  Next, the operation of each device when the user logs in to the multifunction device 1A in the above system will be described. FIG. 6 is a sequence diagram for explaining the operation of each device when a user logs in to the multifunction peripheral 1A in the system shown in FIG. Each device operates in the same manner when a user logs in to the multifunction machine 1B.

  In the MFP 1A, the control unit 33 refers to the authentication setting data 28a when the login screen is displayed after initialization processing such as startup, return from sleep, and logout, and is currently permitted to use. An authentication method is specified (step S1). At this time, the control unit 33 transmits an authentication setting request to the user manager server device 3, and if the master authentication setting data 54 is changed, the control unit 33 acquires the master authentication setting data 54 and acquires the authentication setting data 28a. Is updated (steps S31, S32, and S35 described later). Then, the control unit 33 causes the operation panel 21 to display a login screen corresponding to the specified authentication method.

  Thereafter, when there is a login operation by the user, the control unit 33 receives input data from the reader 27 and / or the operation panel 21 (Step S2), and uses the network communication unit 32 and the network interface 23 to use the user manager server device 3. (Step S3).

  In the user manager server device 3, the user authentication processing unit 62 receives the input data using the network communication unit 61 and the network interface 42. When the input data is received, the user authentication processing unit 62 determines that the input data includes (a) a user ID and password, (b) ID card read data (card ID), and (c) ID card read data (card ID). ) And password.

  When the input data is only the card ID, the user authentication processing unit 62 refers to a conversion table (not shown) in the storage device 41 if authentication using only the ID card is permitted in the master authentication setting data 54. The card ID is converted into a user ID and a password (step S4). When the input data is a card ID and a password, the user authentication processing unit 62 converts the ID card and password input (not shown) in the storage device 41 if authentication by the master authentication setting data 54 is permitted. With reference to the table, the card ID is converted into a user ID (step S4).

  Then, the user authentication processing unit 62 transmits the user ID and password obtained from the input data, and the user authentication request to the directory server device 4 by a predetermined protocol (LDAP or the like) (step S5).

  In the directory server device 4, the directory service processing unit 82 uses the network communication unit 81 and the network interface 72 to receive the user ID, password, and authentication request using a predetermined protocol, and refers to the directory database 91. Then, it is determined whether or not the user ID and password belong to a valid user (step S6).

  Then, the directory service processing unit 82 uses the network communication unit 81 and the network interface 72 to display the determination result (that is, the authentication result) and the user information of the user when the authentication is successful. As a response, it transmits to the user manager server apparatus 3 (step S7).

  In the user manager server device 3, the user authentication processing unit 62 uses the network communication unit 61 and the network interface 42 to receive the authentication result as a response to the authentication request. Receive information. If the authentication is successful, the authorization processing unit 63 refers to the authorization policy data 51, specifies the authorization information of the user (that is, the authorization policy applied to the user) (step S8), and the network Using the communication unit 61 and the network interface 42, a response indicating authentication success is transmitted to the multi function device 1A together with the authorization information and user information (step S9).

  In the MFP 1A, the control unit 33 receives the authorization information and user information using the network communication unit 32 and the network interface 23, and provides the authorization information to the determination unit 34 (step S10). Based on the authorization information, the determination unit 34 sets, on the RAM, data indicating whether or not the use of the user is permitted for each of the predetermined functions of the multifunction peripheral 1A.

  Thereafter, the user is permitted to use the multifunction device 1A in a state where the function is restricted according to the authorization information (step S11). In the MFP 1A, the control unit 33 refers to the above-described data set by the determination unit 34 and accepts and executes only jobs that use functions permitted for the user.

  When user authentication fails, only a response indicating authentication failure is transmitted from the user manager server apparatus 3 to the multifunction device 1A. When the multifunction device 1A receives a response indicating authentication failure, the message indicating authentication failure is transmitted. Is displayed on the operation panel 21 and the use of the multifunction device 1A by the user is prohibited.

  Next, the operation of each device when editing the master authentication setting data and reflecting the master authentication setting data to the multifunction peripheral in the system will be described. FIG. 7 is a sequence diagram for explaining the operation of each device when editing the master authentication setting data 54 and reflecting the master authentication setting data 54 to the multifunction peripherals 1A and 1B in the system shown in FIG.

  The terminal device 5 transmits a request for master setting data to the user manager server device 3 via the network 2 in accordance with the operation of the administrator user (step S21). For example, the terminal device 5 transmits the request to a predetermined URL (Uniform Resource Locator) of the user manager server device 3 by a web browser. When receiving the request, the network communication unit 61 reads the master setting data 54 and transmits it to the terminal device 5 as a response to the request (step S22). Upon receiving the master setting data 54, the terminal device 5 displays an editing screen for the master setting data 54 on a display device (not shown) (step S23).

  FIG. 8 is a diagram showing an example of a master authentication setting data editing screen displayed on the terminal device 5 in FIG. In this editing screen, as shown in FIG. 8, an operation unit capable of editing the setting value of availability of each authentication method is displayed together with the setting value of the current master authentication setting data. Then, when there is a user operation (that is, an editing operation) on the operation unit, it is detected by an input device (not shown) (step S24). Here, a pair of radio buttons is displayed as an operation unit, only one of the pair of radio buttons for each authentication method is selected, and the edit operation is confirmed when the edit button is pressed. Is done.

  When there is an editing operation in this way, the terminal device 5 transmits the edited master authentication setting data to the user manager server device 3 via the network 2 together with the editing request (step S25). When receiving the editing request and the edited master authentication setting data, the user manager server device 3 updates the master authentication setting data 54 in the storage device 41 with the master authentication setting data (step S26).

  In this way, the master authentication setting data 54 is updated by the administrator user.

  Thereafter, in the multifunction device 1A (or multifunction device 1B), the control unit 33 transmits an authentication setting request to the user manager server device 3 after initialization processing (step S31) such as startup, sleep return, and logout. (Step S32).

  In the user manager server device 3, when the authentication setting unit 64 receives the authentication setting request, the master authentication setting data transmitted to the multifunction device 1A (or the multifunction device 1B) by referring to the update log of the master authentication setting data. It is determined whether or not the current master authentication setting data 54 is different (that is, whether or not the master authentication setting data 54 has been updated) (step S33).

  If the master authentication setting data 54 has been updated, the authentication setting unit 64 transmits the current master authentication setting data 54 to the user manager server device 3 (step S34). When the master authentication setting data 54 has not been updated, the authentication setting unit 64 transmits only a response indicating no update to the user manager server device 3.

  When receiving the master authentication setting data 54, the control unit 33 of the multifunction device 1A (or the multifunction device 1B) updates the authentication setting data 28a in the storage device 28 with the master authentication setting data 54 (step S35). Then, the control unit 33 refers to the updated authentication setting data 28a, identifies the permitted authentication method, and causes the operation panel 21 to display a corresponding login screen (step S36).

  When a response indicating no update is received, the control unit 33 refers to the authentication setting data 28a without updating the authentication setting data 28a, identifies the permitted authentication method, and logs in accordingly. A screen is displayed on the operation panel 21.

  As described above, according to the first embodiment, each of the plurality of MFPs 1A and 1B uses the authentication method specified by the authentication setting data 28a among the plurality of user authentication methods, and provides the identification information at the time of login. The identification information is acquired and transmitted to the user manager server device 3. The user manager server device 3 receives identification information (input data) from one of the multiple multifunction devices 1A and 1B, and performs user authentication based on the received identification information in the user manager server device 3 or the server device 4. The authorization information about the login user who has succeeded in the user authentication is transmitted to the multifunction peripherals 1A and 1B. Furthermore, the user manager server device 3 stores master authentication setting data 54, and sets the master authentication setting data 54 as a plurality of multifunction devices 1A and 1B as authentication setting data 28a.

  As a result, the master authentication setting data in the user manager server apparatus 3 is automatically reflected on the multifunction peripherals 1A and 1B, so that authentication methods for a large number of image forming apparatuses can be set at once by a simple operation. Can do. In addition, since the authentication method that can be used in each image forming apparatus is automatically updated, there is no omission of update.

  Each embodiment described above is a preferred example of the present invention, but the present invention is not limited to these, and various modifications and changes can be made without departing from the scope of the present invention. It is.

  For example, in each of the above embodiments, local users and domain users are mixed and included in the local group, but there may be a local group including only local users or a local group including only domain users.

  In each of the above embodiments, the user manager server device 3 is connected to another network different from the network 2 without being connected to the network 2, and is connected to the directory server device 4 in the other network and the network 2. The user manager server device 3 and the directory server device 4 may perform data communication via another network.

  In each of the above-described embodiments, the multifunction peripherals 1A and 1B are used as the image forming apparatus, but a printer, a copier, or the like may be used instead. Further, in each of the above embodiments, the system has three image forming apparatuses, but it is also possible to use one, two, or four or more image forming apparatuses.

  In each of the above embodiments, the authorization information may include an access authority level to the multifunction device. For example, either an administrator or a general user is set as the access authority level. In the case of an administrator, functions that cannot be used by general users, such as maintenance, can be used.

  The present invention can be applied to, for example, a network system having a plurality of image forming apparatuses.

1A, 1B MFP (an example of an image forming apparatus)
1C printer (an example of an image forming apparatus)
2 Network 3 User manager server device 4 Directory server device (an example of an authentication server device)
27 Reader 28a Authentication setting data 41 Storage device 42 Network interface 54 Master authentication setting data 62 User authentication processing unit 63 Authorization processing unit 64 Authentication setting unit 65 Master data editing unit (an example of editing unit)

Claims (6)

A plurality of image forming apparatuses connected to a network;
A user manager server device that is connected to the network and provides authorization information for identifying the functions permitted to be used by a login user of the image forming device to the image forming device;
Each of the plurality of image forming apparatuses stores authentication setting data, acquires identification information at the time of login by an authentication method specified by the authentication setting data among a plurality of user authentication methods, and stores the identification information in the authentication information. To the user manager server device,
The user manager server apparatus receives the identification information from any of the plurality of image forming apparatuses, and performs user authentication based on the received identification information in the user manager server apparatus or in the authentication server apparatus, and performs user authentication. sends the authorization information for the logged-in user successfully to the image forming apparatus, stores master authentication setting data, the master authentication setting data, said as the authentication setting data, and set to the plurality of image forming apparatus ,
Upon receiving an authentication setting request from any of the plurality of image forming apparatuses, the user manager server apparatus transmits the master authentication setting data to the image forming apparatus, and the master authentication setting is used as the usable authentication method. When an authentication method permitted by the data is set in the image forming apparatus and an authentication setting request is received from any of the plurality of image forming apparatuses, an authentication method that can be used in the image forming apparatus at that time is set. Only when the specified authentication method and the authentication method specified by the master authentication setting data are different, the master authentication setting data is transmitted to the image forming apparatus, and the usable authentication method in the image forming apparatus Updating,
An image forming system. In a user manager server device that provides authorization information for identifying a function permitted to be used by a login user to a plurality of image forming apparatuses,
A network interface connected to the network;
A storage device for storing master authentication setting data for specifying an authentication method usable in the plurality of image forming apparatuses;
An authentication setting unit configured to transmit the master authentication setting data to the plurality of image forming apparatuses and set an authentication method permitted by the master authentication setting data as the usable authentication method in the plurality of image forming apparatuses; ,
Using the network interface, the identification information acquired by any of the plurality of image forming apparatuses by the authentication method is received, and user authentication is performed based on the received identification information in the user manager server apparatus or A user authentication processing unit that performs in the authentication server device;
An authorization processor that sends authorization information about the logged-in user that has been successfully authenticated to the image forming apparatus; and
Equipped with a,
When the authentication setting unit receives an authentication setting request from any of the plurality of image forming apparatuses using the network interface, the authentication setting unit transmits the master authentication setting data to the image forming apparatus, and the usable authentication is performed. As an authentication method, an authentication method permitted by the master authentication setting data is set in the image forming apparatus, and when an authentication setting request is received from any of the plurality of image forming apparatuses, the image forming apparatus at that time The authentication method that can be used in the authentication is specified, and only when the specified authentication method and the authentication method specified by the master authentication setting data are different, the master authentication setting data is transmitted to the image forming device, and the image forming device Updating the available authentication scheme in
A user manager server device. When the authentication setting unit receives an authentication setting request transmitted when the image forming apparatus is started up or when returning from sleep, the authentication setting unit transmits the master authentication setting data to the image forming apparatus. 3. The user manager server apparatus according to claim 2 , wherein an authentication method permitted by the master authentication setting data is set in the image forming apparatus. When the authentication setting unit receives an authentication setting request transmitted when the operation panel of the image forming apparatus is reset and a login screen is displayed, the authentication setting unit transmits the master authentication setting data to the image forming apparatus and can use the authentication setting request. 3. The user manager server device according to claim 2 , wherein an authentication method permitted by the master authentication setting data is set in the image forming apparatus as a valid authentication method.   3. The user manager server device according to claim 2, further comprising an editing unit that receives an editing instruction from an external device using the network interface and edits the master authentication setting data according to the editing instruction.   The master authentication setting data includes a plurality of authentication methods including a first authentication method based on text input of a user ID and a password, a second authentication method based on an ID card, and a third authentication method based on text input of an ID card and a password. 3. The user manager server apparatus according to claim 2, wherein one or more are designated as authentication methods usable in the plurality of image forming apparatuses.

Images