JP2004166241A - Image forming apparatus, policy distribution server, and policy interpretation server - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an image forming apparatus which performs processing control based on a security policy by acquiring a document attribute of a document, and more particularly to a system for securing the security of an information system. I do.
An object of the present invention is to provide a policy holding unit for holding a security policy describing a handling rule for a document, and a policy rewriting for rewriting the security policy held by the policy holding unit with an external security policy. The present invention is achieved by an image forming apparatus having means and operation control means for controlling an operation on the document according to the security policy managed by the policy management means.
[Selection] Fig. 36

Description

  The present invention relates to a system for ensuring security of an information system, and more particularly, to an image forming apparatus that performs processing control based on a security policy that describes rules for handling documents.

  The present invention also relates to a policy distribution server that distributes a security policy to an apparatus that performs processing control based on a security policy describing a rule for handling a document.

  Furthermore, the present invention relates to a policy interpretation server that provides an operation requirement for permitting an operation connected to a document to a device connected via a network, based on a security policy describing rules for handling the document.

  In fields that handle documents such as offices, there is always a desire to control the security of the documents. For example, when copying a confidential document, it is necessary to obtain the permission of the manager. For example, it is important to control a policy for a document which is a container of information, especially a policy regarding confidentiality. In general, ensuring the security of information systems can be broadly divided into securing confidentiality, integrity, and availability.However, integrity and availability can be secured to a level that does not cause any substantial problems if the system administrator properly operates and manages them. There are many. On the other hand, it is presumed that in order to ensure confidentiality, it is necessary to share and enforce policies with members belonging to the user organization.

  In fact, many companies are trying to control security by establishing document management regulations. However, with regard to ensuring security in an actual office system, it is necessary to individually set security settings not for documents but for various devices constituting the office system.

  There are various techniques related to a method of performing access control based on a security policy (Patent Documents 1 to 14).

  For example, in access control, it is described that a conditional access permission is evaluated (Patent Document 1).

  In addition, for example, it describes security management of a corporate information system and simplification of an audit according to an information security policy (Patent Document 2).

  However, Patent Document 1 mentioned above does not refer to data processing after access, particularly reading, etc. in an access control system for a data file.

  Further, in Patent Document 2 described above, means for extracting a control means from a DB (database) in which a combination of security policy, system and control means is registered, and controlling the system so as to conform to the policy. However, the means for inspecting the state is only controlled by the control means registered to the system, and the degree of freedom of realization is low.

  Further, in the method of Patent Document 7 in which an operator ID is input, an ID is extracted from a document, and copying is controlled, control based on a fixed rule of rejecting copying or permitting copying and recording a log is performed. Can only do it.

  In the method of extracting and checking a mark indicating that the document is a confidential document from the image of Patent Literature 8, since what kind of operation is performed is determined from the obtained information, the rules lack flexibility.

  In the method of controlling an output destination based on output restriction data included in print information in Patent Document 9, a rule must be included in the print information.

  In the method of reading the image of Patent Document 10 and storing the image together with the password and permitting the password when the password matches at the time of output, the criterion for determination is only the password, and the operation controlled thereby is permitted or not permitted. Only.

  In the method of Patent Document 11 in which one of the MFPs on the network performs user management and controls the permission / non-permission of all operations on the network, the controlled operation is permitted or disabled. Only permission.

In the method of determining use permission and operation permission for a plurality of devices for each user in Patent Literature 12, only permission and non-permission can be controlled, and only control based on user information can be performed. Thus, the problems of the prior art are that the rules are limited and inflexible, and that the rules are only predetermined ones. That is, in the conventional input / output device, only "permission" and "prohibition" of the operation for the IDs of "user" and "document" are determined in advance.
JP 2001-184264 A JP 2001-273388 A JP 2001-337864 A JP-A-09-293036 JP-A-07-141296 Japanese Patent No. 0275966 Japanese Patent No. 3203103 JP-A-7-58950 JP-A-7-152520 JP-A-10-191072 JP 2000-15898 A JP 2000-357064 A JP 2001-125759 A JP-A-2001-325249.

  In such a security implementation method, in order to execute security for printing a document, first, a security enforcer requires knowledge of security of various devices. Second, security needs to be performed for all devices one by one. Third, it is necessary to easily grasp the security state of the entire system, but it is difficult to grasp. Fourth, even if security is implemented for each device, it cannot be felt that the security of the document is actually protected. As described above, the security of the actual office system has the following problems.

  An object of the present invention is to solve the above-mentioned problems.

  In particular, a first object of the present invention is to provide an image forming apparatus that performs processing control based on a security policy describing rules for handling documents distributed from an external server via a network.

  A second object of the present invention is to provide a policy distribution server that distributes a security policy to an apparatus that performs processing control based on a security policy describing a handling rule for a document.

  Furthermore, a third object of the present invention is to provide a policy for providing an operation requirement for permitting an operation connected to a document to an apparatus connected via a network based on a security policy describing rules for handling the document. It is to provide an interpretation server.

  In order to solve the first problem, according to the present invention, a policy holding unit for holding a security policy describing a handling rule regarding a document, and the policy by an external security policy It is configured to include policy rewriting means for rewriting the security policy held by the holding means, and operation control means for controlling operation on the document in accordance with the security policy managed by the policy management means.

  In such an image forming apparatus, an existing security policy can be rewritten with a security policy provided from the outside.

  Further, the present invention has a communication means for performing communication control via a network, wherein the policy rewriting means transmits the security policy received by the communication means to the policy holding means. It can be configured to rewrite the security policy held as such.

  Further, according to the present invention, as set forth in claim 3, the policy rewriting means can write the security policy obtained from the outside into the policy holding means by the communication means when the power is turned on. .

  Also, the present invention includes a timer unit for notifying the communication unit of a rewriting timing of the security policy held by the policy holding unit, wherein the communication unit includes the timer. The security policy can be obtained from a policy distribution server that distributes the security policy via a network.

  Also, the present invention has an interface unit for reading the security policy from a storage medium storing the security policy, and the policy holding is performed by the security policy read by the interface unit. The security policy held by the means can be rewritten.

  In addition, the present invention includes communication means for controlling communication via a network, wherein the communication means receives the selection information indicating the selection of the security policy and rewrites the policy. The policy rewriting means may be configured to rewrite the security policy held by the policy holding means with the security policy read by the interface means based on the selection information. it can.

  Further, according to the present invention, as set forth in claim 7, the policy holding unit holds a plurality of security policies, and the policy rewriting unit holds the plurality of security policies based on the selection information. One of the plurality of security policies may be set as a security policy to be enforced.

  Further, according to the present invention, as set forth in claim 8, the communication means can be configured to acquire the security policy according to the Simple Object Access Protocol via the network.

  As means for solving the first problem, the present invention provides a method for performing processing in the image forming apparatus, a program for causing a processing computer to execute the method, and a storage medium storing the program. Can also.

  In order to solve the second problem, the present invention provides a communication method for controlling communication via a network and a security policy describing rules for handling documents. And a communication unit configured to distribute the security policy managed by the policy management unit to devices connected via the network.

  Such a policy distribution server can distribute the same security policy to a plurality of devices connected via a network.

  Further, according to the present invention, the communication means may be configured to simultaneously transmit authentication information when distributing the security policy.

  Further, according to the present invention, as set forth in claim 14, the communication means includes a request for acquiring the security policy managed by the policy management means from the device connected via the network. And transmitting the security policy to the device according to an authentication result based on the authentication information.

  Also, the present invention has an interface for writing the security policy to a storage medium, and the policy management means writes the security policy to the storage medium by the interface. Can be configured.

  Further, according to the present invention, by transmitting a document attribute relating to a document to an external server which provides a handling rule relating to the document based on the document attribute, the external server transmits the document attribute. It is configured to include a rule acquisition unit for acquiring a rule and an operation control unit for controlling an operation on the document according to the rule acquired by the rule acquisition unit.

  In such an image forming apparatus, there is no need to manage the handling rules for documents for each document and each operation, and it is not necessary to determine which rule should be applied.

  Further, according to the present invention, as set forth in claim 17, the rule acquisition means can be configured to include communication means for controlling communication with the external server in accordance with the Simple Object Access Protocol.

  Further, according to the present invention, as set forth in claim 18, the rule acquiring unit holds communication means for controlling communication with the external server and execution permission information indicating whether or not a selectable function can be executed. By referring to the selection function holding unit and the execution availability information held by the selection function holding unit, it is determined whether or not an operation requirement to be satisfied to permit the operation specified by the rule can be executed. The operation control means may be configured to control the operation on the document based on the judgment result by the operation requirement judgment means.

  In order to solve the third problem, the present invention provides a communication method for controlling communication via a network and a security policy describing rules for handling documents. A policy for referring to the security policy held by the holding unit based on the holding unit to be held, the document attribute and the operation performed on the document, and acquiring the rule for the operation on the document Acquiring means, wherein the communication means notifies the policy acquiring means of the document attribute and the operation received via the network, and transmits the rule acquired by the policy acquiring means. Is done.

  In such a policy interpretation server, there is no need to manage the handling rules for documents for each document and each operation.

  According to another aspect of the present invention, there is provided a selection function holding unit that holds execution permission / prohibition information indicating permission / prohibition of execution of a function selectable for each device connected via the network. By referring to the execution permission / non-permission information held by the function holding unit, it is determined whether or not the operation requirement to be satisfied to permit the operation specified by the rule acquired by the policy acquisition unit can be executed. It can be configured to include an operation requirement determining unit.

  According to the present invention, it is possible to provide an image forming apparatus that performs processing control based on a security policy that describes rules for handling documents, particularly regarding a system for ensuring security of an information system.

  Further, it is possible to provide a policy distribution server that distributes a security policy to an apparatus that performs processing control based on a security policy in which handling rules regarding documents are described.

  Further, the present invention provides a policy interpretation server for providing an operation requirement for permitting an operation to be performed on a document to an apparatus connected via a network based on a security policy describing rules for handling the document. be able to.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  Embodiments of the present invention will be described in detail below.

  First, a security policy that describes rules for handling documents will be described.

  In the present embodiment, in order to share a security policy for a document between different types of systems, a security policy is described using the following mechanism. Here, the described security policy is called a document security policy (DSP).

  FIG. 1 shows an example of a security policy. It is assumed that the organization to which the user belongs has, for example, a security policy as shown in FIG. 1 for each document confidential level such as a confidential document, a confidential document, and a confidential document.

  To enable such a policy to be described as a DSP, the following method is used.

  First, documents are classified according to their confidentiality level (such as confidential, confidential, or confidential) and category (such as personnel documents or technical documents). This combination of the confidentiality level and the category is called a document security label. This security label is actually given to each document as attribute information.

  FIG. 2 shows an example of the classification method as described above. FIG. 2 shows an example of a document label term file. A document label term file 300 as shown in FIG. 2 is a file for managing a list of labels assigned to individual documents as attribute information, and is described in, for example, XML.

  The DSP specifies the operations (operations) permitted for the document according to the confidentiality level and category of the document, and the requirements to be performed when permitting the operation (permission of the administrator). Get, print a label, etc.). Such a document security level and category are described in the document label term file 300 of FIG.

  In FIG. 2, two types of categories are indicated by a description 311 and a description 321 indicated by <enumeration> to </ enumeration>.

  In the description 311, a description 312 indicating <enum_id> doc_category </ enum_id> indicates that the category identification information is “doc_category”. A description 313 indicating <enum_name> Document Category </ enum_name> indicates that the category name is “Document Category”. A description 314 indicating <description> type of document category </ description> indicates an explanation “type of document category” indicating what the category classifies.

  Descriptions 315, 316, and 317 indicating <item> to </ item> indicate items of three categories. The description 315 indicates that the item name is “internal_doc” by a description indicating <name> internal_doc </ name>, and indicates a description “internal” of the item by a description indicating <description> internal general document </ description>. General document ".

  The description 316 indicates that the item name is “human_resource_doc” by the description indicating <name> human_resource_doc </ name>, and the description “HR” indicates the item by the description indicating <description> HR related document </ description>. Related Documents ".

  The description 317 indicates that the item name is “technical_doc” by the description indicating <name> technical_doc </ name>, and the description “technical_document” indicates the item “technical_doc”. Related Documents ".

  Similarly, in the description 321, a description 322 indicating <enum_id> doc_security_level </ enum_id> indicates that the category identification information is “doc_security_level”. The description 323 indicating <enum_name> Document Security Level </ enum_name> indicates that the category name is “Document Security Level”. A description 324 indicating <description> the type of the security level of the document </ description> indicates the description “type of the security level of the document” indicating what this category classifies.

  Descriptions 325, 326, and 327 indicating <item> to </ item> indicate items of three categories. The description 325 indicates that the item name is “basic” by a description indicating <name> basic </ name>, and indicates a description “confidential” of the item by a description indicating <description> confidential </ description>. Show.

  The description 326 indicates that the item name is “medium” by the description indicating <name> medium </ name>, and indicates the description “secret” of the item by the description indicating <description> secret </ description>. Show.

  The description 327 indicates that the item name is “high” by a description indicating <name> high </ name>, and indicates a description “top secret” of the item by a description indicating <description> secret </ description>. Show.

  As described above, the document label term file 300 defines the types of document categories, such as general corporate documents, personnel-related documents, and technical-related documents. Further, types of security levels of the document, such as confidential, confidential, and confidential, are defined.

  3 to 13 show diagrams showing examples of the policy term file. One policy term file 400 is configured according to FIGS.

  The policy term file 400 as shown in FIGS. 3 to 13 describes the classification of system types, and enumerates operations for each system type. Then, for each operation, requirements that can be supported at the time of execution of the operation are listed. The policy term file 400 is described in, for example, XML.

  In FIG. 3, the method of listing and describing is shown by repeating the description from <enumeration> to </ enumeration> in the same manner as the description method in the document label file 300 shown in FIG. The detailed description from <enumeration> to </ enumeration> is the same as the description method in the document label file 300 shown in FIG. 2, so that only a brief description will be given here.

  For example, in FIG. 3, the description 411 lists the system types. According to the description 411, “copier”, “printer”, “facsimile”, “scanner”, “document repository”, and “electronic conference system” are described as “type of system type”.

  Then, for example, as shown in FIG. 4, each operation for each system type is listed by descriptions 421 to 471.

  In the description 421, “copying from paper to paper” is described as “operation relating to a copying machine”. In the description 431, "printing an electronic document on paper" is described as "operation related to a printer". In the description 441, “fax transmission” and “fax reception” are described as “operations related to fax”. In the description 451, "scanning a paper document to an electronic document" is described as "operation related to the scanner".

  In the description 461, as "operations relating to the document repository", "save", "revise / edit", "delete / destroy", "reference", "distribute (transmit) on network", "disk" "Distribute (send)" and "archive / backup". In the description 471, “use in a conference” is described as “operation related to the electronic conference system”.

  Further, for example, as shown in FIGS. 6 to 13, requirements applicable to each operation are listed by descriptions 481 to 601.

  In the description 481, “explicit permission”, “recording of an audit trail”, and “recording of an audit trail with an image” are described as “requirements related to copying”.

  In the description 491, as “requirements related to printing”, “explicit permission (use restriction)”, “recording of an audit trail”, “recording of an audit trail with an image”, “paper output by a printed person”, “trust Use of channel (encryption of print data) "and" Embed tracking information in printout (watermark, label, barcode) "are described.

  In the description 501, as "requirements related to fax transmission", "explicit permission (use restriction)", "recording of audit trail", "recording of audit trail with image", "destination restriction", "confidential mode" "Transmission", "Use of trusted channel", "Embed tracking information in watermarked fax (watermark, label, barcode)" and "Non-repudiation (acquisition of receipt)" are described.

  In the description 511, the “requirements related to fax reception” include “recording of an audit trail”, “recording of an audit trail with an image”, “retrieving by confidential fax recipient”, “reliable time stamp”, and “receiving fax”. "Embed tracking information (watermark, label, barcode)".

  In the description 521, “explicit permission (use restriction)”, “recording of audit trail”, and “recording of audit trail with image” as “requirements related to scanning (storage requirements are applied after saving)” , And "Embed tracking information (watermark, label, barcode) in scanned image".

  In the description 531, “explicit permission (use restriction)”, “record of audit trail”, “encryption of stored data”, and “falsification protection of stored data” are described as “requirements related to storage”. You.

  In the description 541, “explicit permission (use restriction)”, “recording of an audit trail”, and “version management” are described as “requirements related to revision”.

  In the description 551, "explicit permission (use restriction)", "record of audit trail", "record with image of audit trail", and "complete erasure" are described as "requirements related to deletion and destruction". You.

  In the description 561, as “requirements related to reference”, “explicit permission (use restriction)”, “recording of audit trail”, “permission to reference only data that is prohibited from editing”, “permission to reference only data that is prohibited from printing”, "Allow reference only to data limited to reference location" and "Allow reference only to data limited to user" are described.

  In the description 571, as “requirements related to network distribution (transmission)”, “explicit permission (use restriction)”, “recording of audit trail”, “recording of audit trail with image”, “use of trusted channel (transmission) "Encryption of data"), "destination restrictions (such as distributable only within the company)", "distribution only of data that is prohibited from editing", "permission of distribution only of prohibition of printing", "permission of distribution only of data restricted to the reference location", and "Distribution permission only for user-limited data" is described.

  In the description 581, “requirements related to disk distribution (transmission)” include “explicit permission (use restriction)”, “recording of an audit trail”, “recording of an audit trail with an image”, and “encryption of transmitted data”. , "Tampering protection of sent data", "Send only data that is prohibited from editing", "Send only print prohibition", "Send only data that is limited to the reference location", and "Send only user-only data". be written.

  In the description 591, as “requirements related to archive / backup”, “explicit permission (use restriction)”, “record of audit trail”, “encryption of archive data”, and “protection of falsification of archive data” are provided. be written.

  In the description 601, “explicit permission (use restriction)”, “recording of an audit trail”, and “recording of an audit trail with an image” are described as “requirements related to use in a meeting”.

  A DSP based on the document label term file of FIG. 2 and the policy term file of FIGS. 3 to 13 will be described with reference to FIGS. 14 to 22 are diagrams illustrating examples of the policy file. Based on the document label term file 300 shown in FIG. 2 and the policy term file 400 shown in FIGS. 3 to 13, the policy for security in the user's organization is, for example, DSP2000 shown in FIGS. 14 to 22. Are described in XML and constitute one policy file.

  In the DSP 2000 as shown in FIGS. 14 to 22, the policy is indicated by a description 2001 indicated by <policy> to a description 2002 indicated by </ policy>.

  In the description 2011 indicating <acc_rule> in FIG. 14 to the description 2012 indicating </ acc_rule> in FIG. 16, the description 2013 indicating <doc_category> ANY </ doc_category> and <doc_security_level> basic </ doc_security_level> indicates the document category “ For a document having a document attribute of “ANY (unlimited)” and a document security level of “basic (basic level)”, a description 2017 indicating <user_category> ANY </ user_category> and <user_security_level> ANY </ user_security_level> In addition, a policy for each operation performed by a user having a user attribute having a user category “ANY (unlimited)” and a user security level “ANY (unlimited)” is described. For each description from <operation> to </ operation>, permission (<allowed />) or non-permission (<denied />) of the operation is defined. Further, when the operation is permitted, a requirement (<requirement>) for the permission is specified.

  In the description 2021 indicating <acc_rule> in FIG. 16 to the description 2022 indicating </ acc_rule> in FIG. 19, the description 2023 indicating <doc_category> ANY </ doc_category> and <doc_security_level> medium </ doc_security_level> indicates that the document category “ A description indicating <user_category> DOC-CATEGORY </ user_category> and <user_security_level> ANY </ user_security_level> for a document having a document attribute of "ANY (unlimited)" and a document security level of "medium (medium level)" According to 2027, each operation performed by a user having a user category “DOC-CATEGORY (type of document category)” (see descriptions 312, 313, and 314 in FIG. 2) and a user attribute having a user security level “ANY (unlimited)” Is described. For each description from <operation> to </ operation>, permission (<allowed />) or non-permission (<denied />) of the operation is defined. Further, when the operation is permitted, a requirement (<requirement>) for the permission is specified.

  Also, for a document having the same document attribute, the user category “ANY (unlimited)” and the user category are described by a description 2028 indicating <user_category> ANY </ user_category> and <user_security_level> ANY </ user_security_level> in FIG. A policy for each operation performed by a user having a user attribute with a security level of “ANY (unlimited)” is described. For each description from <operation> to </ operation>, permission (<allowed />) or non-permission (<denied />) of the operation is defined. Further, when the operation is permitted, a requirement (<requirement>) for the permission is specified.

  In the description 2031 indicating <acc_rule> in FIG. 19 to the description 2032 indicating </ acc_rule> in FIG. 19, the description 2023 indicating <doc_category> ANY </ doc_category> and <doc_security_level> high </ doc_security_level> indicates that the document category “ A description indicating <user_category> DOC-CATEGORY </ user_category> and <user_security_level> ANY </ user_security_level> for a document having a document attribute of "ANY (unlimited)" and a document security level of "high (high level)" 2037, each operation performed by a user having a user category “DOC-CATEGORY (type of document category)” (see descriptions 312, 313, and 314 in FIG. 2) and a user attribute having a user security level of “ANY (unlimited)” Is described. For each description from <operation> to </ operation>, permission (<allowed />) or non-permission (<denied />) of the operation is defined. Further, when the operation is permitted, a requirement (<requirement>) for the permission is specified.

  Next, the structure of the DSP 2000 of FIGS. 14 to 22 will be described in detail below with reference to FIGS.

  FIG. 23 is a diagram illustrating an example of DSP identification information. In the identification information 210 of the DSP 2000, identification information for identifying the DSP 2000 is described in descriptions 211 to 213 of a range surrounded by <about_this_policy> and </ about_this_policy>.

  The description 211 indicating <serial_number> RDSP2023 </ serial_number> describes a serial number for distinguishing the DSP 2000 from other DSPs.

  The description 212 indicated by <terminology_applied> RDST9487 </ terminology_applied> describes the serial number of the policy term file 400 corresponding to DSP2000. Since this definition file may be updated, it is recorded in order to clarify on which policy term file this DSP 2000 is described. The description 213 includes the title of the DSP 2000 by the description indicating <title> DOCUMENT-SECURITY-POLICY </ title>, the version number by the description indicating <version> 1.20 </ version>, and <creation_date> 2002/02/18 22: 30:24 </ creation_date> describes the creation date and time, <creator> Taro Tokyo </ creator> describes the creator, and <description> sample document security policy. </ Description> describes the general description. Bibliographic information is described.

  Then, the identification information of the DSP 2000 ends with </ about_this_policy>.

  Next, following the above-described identification information of the DSP 200, the content of the policy is described in a range enclosed by <policy> and </ policy>. FIG. 24 is a diagram illustrating a description example for explaining the structure of the DSP.

  The contents 220 of the policy shown in FIG. 24 are recorded using a hierarchical structure, as described below.

  The policy <policy> includes a plurality of access control rules <acc_rule> (description 221). One access control rule <acc_rule> (description 221) uniquely specifies the category <doc_category> and level <doc_security_level> of the target document (description 222), and further includes an access control list <acl> (description 223). It is configured to include one.

  The access control list <acl> (description 223) includes a plurality of access control elements <ace> (description 224).

  Each access control element <ace> (description 224) uniquely specifies a target user category <user_category> (description 225) and level <user_security_level> (description 226), and further includes a plurality of operations <operation> (descriptions). 227).

  Each <operation> (description 227) includes one operation name <name> (description 228), one forbidden <denied /> (description 229), one allowed <allowed /> (description 232), or a plurality. <Requirement> (description 230 and description 231).

  In the description 222, “ANY” described in the document category <doc_category> and the user category <user_category_level> indicates that the category is applied to any category and level. Also, “DOC-CATEGORY” of the user category <user_category> indicated by the description 225 indicates that it is applied when the user category is the same as the document category.

  In this embodiment, <denied /> (description 229) is specified for the prohibited operation, but if it is not described in the DSP 2000, it indicates that access is not permitted. May be.

  As described above, by describing the DSP, it is possible to describe what kind of user type (category, level) and what kind of operation can be performed on the document according to the type (category, level) of the document. . Further, for the document, the user can clearly describe what requirements must be satisfied if the operation is possible.

  By describing the DSP in platform-independent XML as described above, the DSP can be commonly used between different types of systems. In particular, the object to which the security policy is to be applied is not limited to an electronic document, but must be applicable to a paper document. Therefore, the security policy is applied to the document label file of FIGS. 3 to 13 and the DSP 2000 of FIGS. 14 to 22. As described, operations on paper documents (hardcopy, scan, etc.) can also be specified.

  Among the requirements shown in FIG. 24 in this embodiment, there is a description 231 indicating the following <requirement> explicit_authorization </ requirement>. This is a requirement that, if explicit permission is obtained by the document administrator, the operation is permitted. If the operation is controlled in accordance with the DSP, the degree of freedom may be lost. However, by allowing the requirement of explicit permission to be specified, flexible operation control becomes possible.

  Also, as a feature of the present embodiment, the requirement of “explicit permission” can be specified, so that operations that may be executed if explicit permission is obtained and explicit permission are obtained. That is, it is possible to distinguish between operations that must be prohibited.

  Therefore, operations not described in the DSP or specified in <denied /> are operations that must be prohibited even if explicit permission is obtained. As a result, the intention of the side describing the policy can be accurately specified, and it is possible to specify in advance to prevent a situation in which an operation is executed due to erroneous permission being given. .

  Next, another description form of the DSP of the present invention will be described with reference to FIG. FIG. 25 is a diagram illustrating another description example of the DSP. The contents 240 of the policy shown in FIG. 26 describe a nested structure such as <operation> <allowed /> </ operation> for each operation when there are many operations that are unconditionally permitted or prohibited. This is inefficient, so a description 243 listing <allowed_operations> that enumerates unconditionally permitted operations and a description 241 listing <denied_operations> enumerating operations that are not permitted may be used.

  A description 242 indicating <requirement> explicit_authorization </ requirement> is the same as the description in FIG.

  FIG. 26 illustrates various media for storing and distributing the DSP described above.

  As described above, the DSP 2000 shown in FIG. 26 is described in XML (Extensible Markup Language). And it can be recorded as an electronic file. In addition, for example, a hard disk 51, a magneto-optical disk 52, a flexible disk 53, or a CD-ROM, a CD-R, a CD-RW, a DVD, a DVD-R, a DVD-RAM, a DVD storing the electronic file. A storage medium such as an optical disk 54 such as -RW, DVD + RW, and DVD + R can be created. Further, the electronic DSP 2000 can be transmitted via the network 56 using the computer 55.

  The DSP 2000 is not a description of a security policy for a specific system, but a description of a security policy that can be commonly used by a plurality of different systems. Therefore, by creating a storage medium storing the security policy description and distributing or transmitting the same via a network, the storage medium can be easily used in common by a plurality of systems.

  FIG. 27 is a block diagram illustrating a hardware configuration of an image forming apparatus according to an embodiment of the present invention. In FIG. 27, an image forming apparatus 1000 is an apparatus controlled by a computer, and includes a CPU (Central Processing Unit) 11, a ROM (Read-Only Memory) 12, a RAM (Random Access Memory) 13, and a nonvolatile memory. RAM (non-volatile Random Access Memory) 14, real-time clock 15, Ethernet (registered trademark) I / F (Ethernet (registered trademark) Interface) 21, USB (Universal Serial Bus) 22, IEEE (Institute of Electrical and Electronics Engineers) 1284 23, a hard disk I / F 24, an engine I / F 25, an RS-232C I / F 26, and a driver 27, and are connected to the system bus B.

  The CPU 11 controls the image forming apparatus 1000 according to a program stored in the ROM 12. In the RAM 13, for example, an area is allocated to resources connected to the interfaces 21 to 26. Information necessary for processing by the CPU 11 to control the image forming apparatus 1000 is stored in the nonvolatile RAM 14. The real-time clock 15 is used by the CPU 11 to measure the current time and synchronize processing.

  An Ethernet (registered trademark) interface cable such as 10BASE-T or 100BASE-TX is connected to the Ethernet (registered trademark) I / F 21. A USB interface cable is connected to the USB 22. An IEEE1284 interface cable is connected to the IEEE128423.

  A hard disk 34 is connected to the hard disk I / F 24, and the document data of the document to be printed or the image data after the printing process transmitted via the network is stored in the hard disk 34 via the hard disk I / F 24. . The engine I / F 25 is connected to a plotter 35-1 for printing on a predetermined medium based on document data, a scanner 35-2 for reading image data, and the like. An operation panel 36 is connected to the RS-232C I / F 26 to display information to a user and obtain input information or setting information from the user.

  A program for realizing the processing performed by the image forming apparatus 1000 is provided to the image forming apparatus 1000 by a storage medium 37 such as a CD-ROM. That is, when the storage medium 37 storing the program is set in the driver 27, the driver 27 reads the program from the storage medium 37, and the read program is installed on the hard disk 34 via the system bus B. When the program is started, the CPU 11 starts the processing according to the program installed on the hard disk 34. Note that the storage medium 37 for storing the program is not limited to a CD-ROM, but may be any computer-readable storage medium. The program may be downloaded via a network and installed on the hard disk 34.

  An image forming apparatus that operates according to the security policy will be described in detail below with reference to FIGS. 28, 29, and 30.

  FIG. 28 is a diagram illustrating a functional configuration of an image forming apparatus as a reading apparatus that operates according to a security policy.

  The image forming apparatus 1000 as a reading apparatus illustrated in FIG. 28 mainly includes a reading unit 71, a reading condition obtaining unit 72, a data transmission destination obtaining unit 73, a data processing unit 74, a data transmission unit 75, a policy An execution unit 1001, read image data 61, and accumulated data 62 are included.

  Further, the policy execution unit 1001 includes a document attribute acquisition unit 1011, an operation requirement selection unit 1012, an operation control unit 1013, and a user attribute acquisition unit 1021. The document attribute acquisition unit 1011 acquires a document attribute from the paper document 60 or from the read image data 61 and notifies the operation requirement selection unit 1021 of the document attribute.

  On the other hand, when acquiring the user information input by the user, the user attribute acquisition unit 1021 notifies the operation requirement selection unit 1012 of the acquisition. The operation requirement selection unit 1012 selects a requirement for permission according to the DSP 2000, and notifies the operation control unit 1013 of the result. The operation control unit 1013 instructs data processing on the image data of the read paper document 60.

  In the policy execution unit 1001, the part shown by the dotted line may be omitted.

  The reading unit 71 is a processing unit that reads (scans) the paper document 60 in accordance with the reading condition input by the user notified from the reading condition obtaining unit 72. The read image data is stored in the read image data 61. You. Further, the document attribute acquisition unit 1011 is notified of the document attribute acquired from the image data 61.

  The reading condition acquisition unit 72 acquires the reading condition input by the user, and notifies the reading unit 71 and the data processing unit 74 of the information.

  The data transmission destination obtaining unit 73 is a processing unit that obtains the data transmission destination input by the user and notifies the data transmission unit 75.

  The data processing unit 74 performs data processing on the read image data according to the reading conditions input by the user notified from the reading condition obtaining unit 72 so as to satisfy the requirements provided by the operation control unit 1013, and performs the data processing. The stored image data is stored in the storage data 62.

  The data transmission unit 75 transmits the image data to be processed extracted from the accumulated data 62 to the transmission destination notified from the data transmission destination acquisition unit 73 so as to satisfy the requirement notified from the operation control unit 1013.

  When it is not necessary to transmit the image data to the outside, the data transmission unit 28 may be omitted. Further, the image data may be stored in the storage medium 37.

  In FIG. 28, the image forming apparatus 1000 as a reading apparatus is described as being configured by dedicated hardware, but may be configured by a general-purpose computer and a program executed on the computer.

  Further, a program for executing an embodiment of the present invention described below on a computer is recorded on a computer-readable storage medium, and is read by the computer before the execution. Such a program can be distributed via a computer network.

  FIG. 29 is a diagram illustrating an example of a simplified DSP. For convenience of description, the DSP 2000 will be described using a simplified DSP. In the DSP 2100 shown in FIG. 29, rules 1 to 3 are shown as follows.

  Rule 1 includes a part from <acc_rule> on the fourth line to <user_security_level> ANY </ user_security_level> on the tenth line, and a line from the <operation> on the eleventh line in FIG. It is described by the part up to operation>.

  <Doc_category> ANY </ doc_category> on the fifth line indicates that rule 1 is applied regardless of the document category.

  <Doc_security_level> basic </ doc_security_level> on the sixth line indicates when the security level of the document is basic.

  <User_category> ANY </ user_category> on the ninth line indicates that it is not related to the category of the user.

  <User_security_level> ANY </ user_security_level> on the 10th line indicates that it is not related to the security level of the user.

  Further, <name> scan </ name> and <allowed /> on the twelfth and thirteenth lines indicate that reading is permitted without any requirement.

  Therefore, in rule 1, the fifth, sixth, ninth, tenth, twelfth, and thirteenth lines indicate that the security level of the document is “basic” regardless of the document category. In the case of "", reading is permitted without any requirement regardless of the category of the user and regardless of the security level of the user.

  Next, the rule 2 includes a part from <acc_rule> on the fourth line to <user_security_level> ANY </ user_security_level> on the tenth line and a line from <operation> on the fifteenth line in FIG. It is described by the part up to the eye.

  <Doc_category> ANY </ doc_category> on the fifth line indicates that rule 2 is applied regardless of the document category.

  <Doc_security_level> basic </ doc_security_level> on the sixth line indicates when the security level of the document is basic.

  <User_category> ANY </ user_category> on the ninth line indicates that it is not related to the category of the user.

  <User_security_level> ANY </ user_security_level> on the 10th line indicates that it is not related to the security level of the user.

Further, from the 16th line to the 19th line
<name> net_delivery </ name>
<requirement> audit </ requirement>
<requirement> print_restriction </ requirement>
<requirement> trusted_channel </ requirement>
Indicates that network distribution is permitted when the requirements of "logging", "imposing print restrictions", and "using a reliable channel" are met.

  Therefore, in rule 2, the fifth, sixth, ninth, tenth, and sixteenth to nineteenth lines indicate that the security level of the document is “basic” regardless of the document category. ", Regardless of the category of the user, and regardless of the security level of the user, the network distribution will have the requirements of logging, imposing print restrictions, and using trusted channels. Indicates that it is permitted when satisfied.

  The rule 3 includes a part from <acc_rule> on the 24th line to <user_security_level> ANY </ user_security_level> on the 30th line and a line from the <operation> on the 31st line in FIG. </ operation>.

  <Doc_category> ANY </ doc_category> on the 25th line indicates that it is not related to the document category.

<Doc_security_level> high </ doc_security_level> on the 26th line is
Indicates that the security level of the document is high.

  <User_category> DOC-CATEGORY </ user_category> on the 29th line indicates that the category of the user is the same as the category of the document.

  <User_security_level> ANY </ user_security_level> on the 30th line indicates that it is not related to the security level of the user.

From the 32nd line to the 34th line,
<name> scan </ name>
<requirement> audit </ requirement>
<requirement> embed_trace_info </ requirement>
Is allowed when reading satisfies the requirements of "logging" and "embed trackable information".

  Accordingly, in rule 3, the 25th, 26th, 29th, 30th, and 31st to 34th lines indicate that the security level of the document is “high” regardless of the document category. "If the category of the user is the same as the category of the document and regardless of the security level of the user, the read meets the requirements of logging and embedding traceable information. Is allowed.

  Here, “embed trackable information” may include, for example, embedding of a digital watermark, embedding of a displayable label, addition of document attribute information, and the like. Further, the displayable label may include authentication data of the user who instructed the reading and a time stamp at the time of instructing the reading. Further, in “recording a log”, authentication data of a user who instructed reading, document data to be read, and a time stamp at the time of instructing reading may be recorded in a log. In the “recording a log”, the authentication data of the user who instructed the network distribution, the information of the network distribution destination, the document data to be read, and the time stamp at the time of instructing the reading are recorded in the log. It may be.

  The detailed operation will be described with reference to FIG.

  For example, when trying to read a document whose security level is "basic" based on the DSP 2100 shown in FIG. 29, there is no requirement to be extracted.

  Further, based on the security policy shown in FIG. 29, for example, when trying to read a document whose security level is “high”, as described above, “recording a log” and “ Embedding information "is a requirement for reading. The contents of "recording a log" and "embedding traceable information" are the same as described above.

  Next, when there is no requirement to be extracted as in the case where the security level is “basic”, the operation control unit 1013 instructs the data processing unit 71 to read a document, and the user Acquire the document data and end.

  On the other hand, when there is a requirement to be extracted, such as when the security level is “high”, the operation requirement selection unit 1012 determines whether all the requirements can be satisfied, and determines the result of the determination. The operation control unit 1013 is notified.

  If the result of the determination by the operation requirement selection unit 1012 indicates that all the requirements cannot be satisfied, the operation control unit 1013 instructs the data processing unit 74 to prohibit data processing, and Discards the read data and ends. The user is notified that data processing cannot be performed.

  On the other hand, if the result of the determination by the operation requirement selection unit 1012 indicates that all the requirements can be satisfied, the operation control unit 1013 instructs the data processing unit 74 to perform data processing so as to satisfy the requirements. . The user obtains the document data and ends.

  In this case, the following processing is executed.

  The user attribute acquisition unit 1021 issues a user ID input request to the user who has issued the reading instruction from the operation panel 36. The user inputs a user ID from the operation panel 36. The user attribute acquisition unit 1021 acquires a category and a security level corresponding to the input user ID registered in the database 102 from the user ID, and notifies the operation requirement selection unit 1021 of the acquired category and security level.

  When a log is recorded, traceable information is embedded in the read document data (for example, embedding of a digital watermark, embedding of a displayable label, addition of document attribute information, etc.). The displayable label may include the authentication data of the user who instructed the reading and the time stamp at the time of instructing the reading.

  Finally, the user obtains the image data of the paper document 60 in the stored data 62, and ends the processing.

  As described above, the paper original (document) 60 can be read according to the security policy shown in FIG.

  Next, a case where the image forming apparatus 1000 reads the paper document 60 and distributes the read document to the network will be described.

  First, the user sets the paper document 60 on the image forming apparatus 1000, and inputs a reading condition, designates a delivery destination of the read data, and issues an instruction to read the paper document 60 from the operation panel 36.

  The reading unit 71 reads a paper document. The document attribute acquisition unit 1011 extracts a document ID from image information such as a barcode and a digital watermark of image data of the read paper document 60, acquires a category and a security level, and notifies the operation requirement selection unit 1012 of the document ID.

  The operation requirement selection unit 1012 searches for a corresponding entry in the DSP 2100 according to the document attribute notified by the document attribute acquisition unit 1011 and extracts a requirement.

  Based on the DSP 2100 shown in FIG. 29 described above, for example, when reading a document whose security level is “basic” and trying to distribute the document to a network, there is no requirement for reading. However, as described above, when distributing to a network, it is necessary to “record a log”, “restrict printing”, and “use a reliable channel”.

  Also, based on the DSP 2100 shown in FIG. 29, for example, when a document with a security level of “high” is to be read, the requirements for reading are “recording a log” and “trackable information”. (For example, embedding of a digital watermark, embedding of a displayable label, addition of document attribute information, etc., as described above) is a requirement. However, since there is no rule that permits distribution to the network, it is not permitted.

  For example, if the requirement for distributing the document to the network does not exist in the DSP 2100, the operation control unit 1013 instructs the data transmitting unit 75 to distribute the document, distributes the document to the network, and performs processing. To end.

  On the other hand, for example, when a requirement for distributing a document to a network exists in the DSP 2100, the operation requirement selection unit 1012 determines whether all the requirements can be satisfied.

  If there is no rule permitting distribution to the network, the operation control unit 1013 notifies the user that "there is no rule permitting distribution to the network", And exit. For example, the case where the security level is “high”.

  If the operation requirement selection unit 1012 determines that all the requirements cannot be satisfied, the operation control unit 1013 notifies the user and instructs the data processing unit 74 to discard the image data of the paper document 60. And exit.

  For example, when all the requirements can be satisfied as in the case where the security level is “basic”, the operation control unit 1013 instructs the data processing unit 74 to perform reading that satisfies the requirements. The data transmission unit 75 is instructed to distribute the document to the network, and the processing ends.

  Then, the user attribute acquisition unit 1012 issues a user ID input request to the user who has issued the reading instruction from the operation panel 36.

  When the user inputs a user ID from the operation panel 36, the user attribute acquisition unit 1021 acquires a category and a security level corresponding to the user ID, and notifies the operation requirement selection unit 1012. The operation control unit 1013 records a log according to the requirement notified from the operation requirement selection unit 1012.

  Further, the operation control unit 1013 instructs the data processing unit 74 to convert the read image data of the paper manuscript 60 into non-printable data (for example, PDF having a print prohibition attribute of ADOBE (registered trademark)). Instructions to do so.

  Finally, the operation control unit 1013 issues a distribution instruction to the data transmission unit 75, and the data transmission unit 75 distributes the document to the network via a reliable communication path (for example, IPsec or VPN), and ends.

  As described above, using the DSP 2100 shown in FIG. 29, the image forming apparatus 1000 as the document reading apparatus shown in FIG. 28 can read the document and distribute the read document to the network.

  A functional configuration of an image forming apparatus as a copying apparatus that realizes an operation according to a security policy will be described with reference to FIG. FIG. 30 is a diagram illustrating a functional configuration of an image forming apparatus as a copying apparatus that operates according to a security policy. 30, the same reference numerals are given to the same processing units as those in FIG. 28, and the detailed description thereof will be omitted.

  30, an image forming apparatus 1000-2 as a copying apparatus includes a copying condition acquiring section 81 instead of the reading condition acquiring section 72 and the data transmission destination acquiring section 73 of the image forming apparatus 1000 shown in FIG. The image forming apparatus 1000 differs from the image forming apparatus 1000 shown in FIG. 28 in that a printing section 82 is provided instead of the data transmitting section 75 of the image forming apparatus 1000 shown in FIG.

  However, the image forming apparatus 1000 may be configured to further include the copy condition obtaining unit 81 and the printing unit 82 of the image forming apparatus 1000-2. The portion 1002 indicated by the dotted line may be omitted.

  The copy condition obtaining unit 81 obtains the copy condition input by the user on the operation panel 36, notifies the reading unit 71 and the data processing unit 74 of the copy condition, and also notifies the printing unit 82.

  The printing unit 82 acquires the image data of the paper document 60 from the accumulated data 62 in response to the instruction from the operation control unit 1013, and notifies the image data of the copy condition acquisition unit 81 so as to satisfy the requirement notified from the operation control unit 1013. Then, print processing is performed in accordance with the copy conditions, and a copy original 60b having image data formed on paper is output.

  Hereinafter, a method of setting a policy for the image forming apparatus 1000 or 1000-2 from outside will be described. For example, DSP2000 shown in FIGS. 14 to 22 is distributed as a policy. When the DSP 2000 is distributed from the external server to the image forming apparatus 1000 or 1000-2 as a policy, the distribution is performed by communication according to SOAP (Simple Object Access Protocol).

  The image forming apparatus 1000 or 1000-2 shown in FIG. 31 to FIG. 44 is not limited to the image forming apparatus as a reading apparatus or a copying apparatus, and has a reading function and a copying function, or more (for example, An image forming apparatus capable of performing a plurality of different image forming processes (scanner, copy, FAX, printer, etc.)

  First, a first policy setting method in which the image forming apparatus 1000 or 1000-2 receives a unilaterally sent policy will be described with reference to FIG.

  FIG. 31 is a diagram illustrating a first policy setting method in which a policy is distributed from an external server. In FIG. 31, an administrator console 4001 used by an administrator who wants to set a policy, a policy distribution server 4000 that distributes a policy as an external server, and an image forming apparatus 1000 or 1000-2 are connected via a network 5. Is done. The policy distribution server 4000 is a server computer and has a SOAP client function 4021. The image forming apparatus 1000 has a SOAP server function 4022. In FIG. 31, the image forming apparatus 1000 or 1000-2 will be described as the image forming apparatus 1000.

  In the first policy setting method shown in FIG. 31, the administrator sends DSP2000 as a policy from the administrator console 4001 to the policy distribution server 4000 (step S11). Then, the policy distribution server 4000 distributes the DSP 2000 as a policy using the SOAP client function 4021 (step S12), and the image forming apparatus 1000 receives the DSP 2000 as the policy with the SOAP server function 4022, and returns a reception result.

  Then, the image forming apparatus 1000 selects an operation requirement according to the distributed DSP 2000, and operates so as to satisfy the operation requirement (step S13).

  In such a configuration, the image forming apparatus 1000 checks whether or not the policy distribution server 4000 that transmits the policy is reliable, thereby preventing reception of an incorrect policy or setting of a malicious policy. You can also. That is, when the policy distribution server 4000 distributes a policy, the following operation is performed.

  In step S12, the policy distribution server 4000 transmits the DSP 2000 to the image forming apparatus 1000 as its own authentication information and policy.

  Next, the image forming apparatus 1000 verifies the transmitted authentication information of the policy distribution server 4000 (Step S12-2).

  If the authentication information of the policy distribution service 4000 is confirmed to be correct, the image forming apparatus 1000 regards the DSP 2000 transmitted as the policy as formal and selects an operation requirement according to the distributed DSP 2000. Operate to satisfy the operation requirements (step S13).

  By performing such authentication of the policy distribution server 4000, the image forming apparatus 1000 can prevent reception of an incorrect policy, setting of a malicious policy, and the like.

  Next, a second policy setting method in which the image forming apparatus 1000 or 1000-2 receives a policy distribution notification from the policy distribution server 4000 and acquires a policy will be described with reference to FIG.

  FIG. 32 is a diagram illustrating a second policy setting method for acquiring a policy from an external server. 32, the administrator console 4001, the policy distribution server 4000, and the image forming apparatus 1000 or 1000-2 are connected via the network 5, as in FIG. The policy distribution server 4000 has a SOAP client function 4021 and a SOAP server function 2024, and the image forming apparatus 1000 or 1000-2 has a SOAP server function 4022 and a SOAP client function 4023. In FIG. 32, the image forming apparatus 1000 or 1000-2 will be described as the image forming apparatus 1000.

  In the second policy setting method shown in FIG. 32, the administrator sends DSP2000 as a policy from the administrator console 4001 to the policy distribution server 4000 (step S21). Then, the policy distribution server 4000 uses the SOAP client function 4020 to notify that the DSP 2000 has been distributed as a policy (step S22), and the image forming apparatus 1000 receives the distribution notification using the SOAP server function 4022. And return the reception result.

  Thereafter, when the image forming apparatus 1000 transmits a policy acquisition request using the SOAP client function 4023, the policy distribution server 4000 receives the policy acquisition request with the SOAP server function 2024, and receives the policy (management) as a reception result. The DSP 2000 received from the user console 4001 is transmitted (step S23).

  Then, the image forming apparatus 1000 selects an operation requirement according to the distributed DSP 2000, and operates so as to satisfy the operation requirement (step S24).

  In step S22, policy distribution server 4000 may notify policy distribution by transmitting identification information identifying DSP 2000 to image forming apparatus 1000. In this case, in step S23, the image forming apparatus 1000 may make a policy acquisition request by transmitting the identification information received from the policy distribution server 4000.

  Further, in such a case, it is possible to prevent information leakage (here, policy) by checking whether or not the image forming apparatus 1000 that receives the policy is reliable. That is, when the image forming apparatus acquires a policy from the policy distribution server 4000, the following operation is performed.

  First, in step S23, the image forming apparatus 1000 adds its own authentication information to the policy acquisition request and transmits the request to the policy distribution server 4000.

  Next, the policy distribution server 4000 verifies the authentication information received from the image forming apparatus 1000 (Step S23-2). If the policy distribution server 4000 confirms that the authentication information of the image forming apparatus 1000 is correct, the policy distribution server 4000 transmits the DSP 2000 to the image forming apparatus 1000 as a policy (step S23-4).

  By performing such authentication of the image forming apparatus 1000, the policy distribution server 4000 can prevent information leakage (here, policy).

  The second policy setting method is such that when the image forming apparatus 1000 receives a policy having a relatively large capacity one after another, the storage area becomes insufficient, the image forming apparatus 1000 acquires the policy when necessary. It is effective in that it can be done.

  In the second policy setting method, the image forming apparatus 1000 may promptly make a policy acquisition request upon receiving the distribution notification, or store the received distribution notification inside the apparatus, and The policy acquisition request may be made at the timing.

  A modified example of the policy setting method for making a policy acquisition request at a predetermined timing will be described with reference to FIGS.

  FIG. 33 is a diagram illustrating a third policy setting method for acquiring a policy when the power is turned on. 33, the image forming apparatus 1000 or 1000-2 will be described as the image forming apparatus 1000. The third policy setting method illustrated in FIG. 33 is a policy setting method when the image forming apparatus 1000 does not have a security policy yet, such as when the image forming apparatus 1000 first connects to the network 5.

  In FIG. 33, when the image forming apparatus 1000 is powered on (step S31), a policy acquisition request is made to the policy distribution server 4000 via the network 5 using the SOAP client function 4023 (step S32). ). The policy distribution server 4000 receives the policy acquisition request using the SOAP server function, and transmits a policy (DSP2000 received from the administrator console 4001) as a reception result.

  Upon receiving the policy from the policy distribution server 4000, the image forming apparatus 1000 operates to satisfy the operation requirement (Step S33).

  FIG. 34 is a diagram illustrating a fourth policy setting method for acquiring a policy when the power is turned on. In FIG. 34, the same portions as those in FIG. 33 are denoted by the same reference numerals, and description thereof will be omitted. Further, the image forming apparatus 1000 or 1000-2 will be described as the image forming apparatus 1000. In FIG. 34, the policy distribution server 4000 further includes an identification information comparison unit 4029.

  When the image forming apparatus 1000 is powered on (step S41), a policy acquisition request is made to the policy distribution server 4000 via the network 5 using the SOAP client function 4023, and at the same time, the current DSP 2000 The identification information (for example, “RDSP2023” indicated by the description 211 in FIG. 23) is transmitted at the same time (step S42).

  When the policy distribution server 4000 receives the policy acquisition request using the SOAP server function, the identification information comparing unit 4029 compares the received identification information (for example, “RDSP2023”) with the identification information of the policy to be distributed. (Step S43). If they are the same, only the reception result indicating the same identification information is transmitted. If they are not the same, the policy distribution server 4000 transmits a policy (DSP2000 received from the administrator console 4001) to the image forming apparatus 1000 as a reception result (Step S44).

  Upon receiving the policy from the policy distribution server 4000, the image forming apparatus 1000 rewrites the policy held in the received policy, selects an operation requirement according to the policy, and operates to satisfy the operation requirement (step S45). .

  In the second modification, when the identification information is the same, no policy is distributed, so that useless traffic can be reduced.

  FIG. 35 is a diagram illustrating a fifth policy setting method for acquiring a policy when the power is turned on. 35, the same components as those in FIG. 33 are denoted by the same reference numerals, and description thereof will be omitted. Further, the image forming apparatus 1000 or 1000-2 will be described as the image forming apparatus 1000.

  When the power of the image forming apparatus 1000 is turned on (step S51), a policy distribution request is made to the policy distribution server 4000 via the network 5 using the SOAP client function 4023 (step S52). Upon receiving the policy distribution request by the SOAP server function 4024, the policy distribution server 4000 transmits a reception result to the image forming apparatus 1000.

  Thereafter, the policy distribution server 4000 transmits the policy by the SOAP client function 4021, the image forming apparatus 1000 receives the policy, and returns a reception result to the policy distribution server 4000 (Step S53).

  Upon receiving the policy from the policy distribution server 4000, the image forming apparatus 1000 selects an operation requirement according to the policy and operates to satisfy the operation requirement (step S54).

  In the fifth policy setting method, the policy distribution server 4000 may distribute the policy immediately after receiving the policy acquisition request from the image forming apparatus 1000, or may notify the policy distribution server 4000 that the policy acquisition request has been received. And the policy may be distributed at a predetermined timing.

  Further, in the fifth policy setting method, as in the fourth policy setting method shown in FIG. 34, the configuration may be such that the policy distribution server 4000 includes the identification information comparison unit 4029. With such a configuration, useless traffic can be reduced.

  A functional configuration for realizing the first and fifth policy setting methods described with reference to FIGS. 31 to 36 will be described with reference to FIG. FIG. 36 is a diagram illustrating an example of a functional configuration for implementing the first to fifth policy setting methods. In the description of FIG. 36, the image forming apparatus 1000 and the image forming apparatus 1000-2 have the same operation requirement selection unit 1012, and thus the description will be made with the image forming apparatus 1000. A dotted line portion 1002 indicates that it can be omitted.

  36, the operation requirement selection unit 1012 of the image forming apparatus 1000 includes a policy interpretation unit 4101, a selection requirement verification unit 4102, a communication unit 4103, a policy rewrite unit 4104, a DSP 2000a, and a system attribute 91a.

  The policy interpreting unit 4101 interprets policies for the document attributes acquired by the document attribute acquiring unit 1011 and the user attributes acquired by the user attribute acquiring unit 1021 based on the DSP 2000a. Then, the policy interpreting unit 4101 notifies the selection requirement verifying unit 4102 of the operation requirement as a result of the interpretation. That is, an operation requirement that must be satisfied when performing an operation specified by the user is notified.

  The selection requirement verification unit 4102 determines whether or not the operation requirement notified from the policy interpretation unit 4101 can be satisfied by referring to the system attribute 91a. Then, the selection requirement verification unit 4102 notifies the operation control unit 1013 of the determination result.

  The communication unit 4103 is a processing unit that controls communication with the policy distribution server 4000 according to the SOAP, and includes at least one of a SOAP server function 4022 and a SOAP client function 4023 shown in FIGS. Upon receiving the DSP 2000b as a policy from the policy distribution server 4000, the communication unit 4103 notifies the policy rewriting unit 4104. Further, as shown in FIG. 32, when making a policy acquisition request to the policy distribution server 4000, authentication information for authenticating the image forming apparatus 1000 is transmitted at the same time.

  The policy rewriting unit 4104 rewrites the DSP 2000a with the received DSP 2000b. Also, as shown in FIG. 31, when the authentication information is distributed at the same time as the DSP 2000b, the policy rewriting unit 4104 authenticates the policy distribution server 4000 based on the authentication information, and when the policy distribution server 4000 is authenticated. Only the received DSP 2000b rewrites the DSP 2000a.

  The policy distribution server 4000 has a communication unit 4123, a policy management unit 4124, and a DSP 2000b.

  The communication unit 4123 is a processing unit that controls communication with the image forming apparatus 1000 in accordance with the SOAP, and includes at least one of a SOAP server function 4021 and a SOAP client function 4024 illustrated in FIGS. The communication unit 4123 distributes the DSP 2000b.

  The policy management unit 4124 manages the distributed DSP 2000b. As shown in FIG. 31, the policy management unit 4124 causes the communication unit 4123 to simultaneously transmit authentication information for authenticating the policy distribution server 4000 when distributing the DSP 2000b. Further, when the authentication information of the image forming apparatus 1000 is transmitted simultaneously with the policy acquisition request, the policy management unit 4124 authenticates the image forming apparatus 1000 based on the authentication information, and only when the authentication is successful, sets the DSP 2000b as the policy. It is transmitted by the communication unit 4123.

  Next, a fifth policy setting method for acquiring a policy using a timer will be described with reference to FIG.

  FIG. 37 is a diagram illustrating a sixth policy setting method of acquiring a policy using a timer. In FIG. 37, the same parts as those in FIG. 33 are denoted by the same reference numerals, and description thereof will be omitted. Further, the image forming apparatus 1000 or 1000-2 will be described as the image forming apparatus 1000.

  In FIG. 37, when the processing time by the timer management has elapsed (step S51), the image forming apparatus 1000 transmits a policy acquisition request to the policy distribution server 4000 using the SOAP client function 4023, and the policy distribution server 4000 The server function 4021 transmits a policy (DSP2000 received from the management console 4001) as a reception result (step S52).

  In the third policy setting method, the policy distribution server 4000 has a SOAP client function 4021 and a SOAP server function 4024, and the image forming apparatus 1000 has a SOAP server function 22 and a SOAP client function 4023. Then, the policy may be distributed after the image forming apparatus 1000 makes a policy acquisition request.

  A functional configuration for realizing the third policy setting method shown in FIG. 37 will be described with reference to FIG. FIG. 38 is a diagram illustrating an example of a functional configuration for realizing the sixth policy setting method. 38, the same processing units as those in FIG. 36 are denoted by the same reference numerals, and description thereof will be omitted. Further, since the image forming apparatus 1000 and the image forming apparatus 1000-2 have the same operation requirement selecting unit 1012-2, they will be described with reference to the image forming apparatus 1000. A dotted line portion 1002 indicates that it can be omitted.

  The difference from the operation requirement selection unit 1012 shown in FIG. 36 is that the operation requirement selection unit 1012-2 further includes a timer unit 4105.

  When a predetermined time has elapsed, the timer unit 4105 notifies the communication unit 4103 that the predetermined time has elapsed. In response to this notification, the communication unit 4103 acquires the DSP 2000b from the policy distribution server 4000 according to the SOAP, and the policy rewriting unit 4104 rewrites the DSP 2000a with the DSP 2000b.

  Next, a method of setting a policy offline will be described with reference to FIG. FIG. 39 is a diagram illustrating a seventh policy setting method for setting a policy offline. In FIG. 39, the same portions as those in FIG. 31 are denoted by the same reference numerals, and description thereof will be omitted. Further, the image forming apparatus 1000 or 1000-2 will be described as the image forming apparatus 1000.

  39, for example, the DSP 2000 is stored in the storage medium 50 of the hard disk 51, the magneto-optical disk 52, the flexible disk 53, or the optical disk 54 as shown in FIG. 26, and the storage medium 50 is set in the image forming apparatus 1000. The policy is set offline by storing the DSP 2000 in a predetermined storage area of the image forming apparatus 1000 (step S71).

  Thereafter, the image forming apparatus 1000 operates according to the DSP 2000 stored as a policy in the predetermined storage area (Step S72).

  A functional configuration for realizing the fourth policy setting method shown in FIG. 39 will be described. FIG. 40 is a diagram illustrating an example of a functional configuration for realizing the seventh policy setting method. In FIG. 40, the same reference numerals are given to the same processing units as in FIG. 36, and description thereof will be omitted. In the description of FIG. 40, the image forming apparatus 1000 and the image forming apparatus 1000-2 have the same operation requirement selection unit 1012-3, and thus the description will be made with the image forming apparatus 1000. A dotted line portion 1002 indicates that it can be omitted.

  The operation requirement selection unit 1012-3 has an interface 4106 for reading the DSP 2000 stored in the storage medium 50 from the storage medium 50, but does not include the communication unit 4103.

  The policy rewriting unit 4104 rewrites the DSP 2000 read by the interface 4106 with the DSP 2000a currently held by the operation requirement selection unit 101203. In this way, the policy is set when the user is offline. Further, for example, when setting a policy offline by using the storage medium 50 in which the DSP 2000 is stored, the reliability of the policy can be improved by adding a falsification detection code or the like.

  Next, a method of setting a policy offline and selecting it online will be described with reference to FIG. FIG. 41 shows an eighth policy setting method for setting a policy offline and selecting a policy online. In FIG. 41, the same portions as those in FIG. 31 are denoted by the same reference numerals, and description thereof will be omitted. Further, the image forming apparatus 1000 or 1000-2 will be described as the image forming apparatus 1000.

  In FIG. 41, for example, DSP2000 is set as a policy from the administrator console 4001 to the policy distribution server 4000 via the network 5 (step S81).

  Also, the storage medium 50 (the hard disk 51, the magneto-optical disk 52, the flexible disk 53, or the optical disk 54 as shown in FIG. 26) in which the DSP 2000 is stored offline is set in the security policy database of the image forming apparatus 1000. (Step S82).

  Thereafter, the management console 4001 designates a policy selection to the policy distribution server 4000 via the network 5 (step S83). Here, the selection of the policy means that one of the policies is selected according to the identification information of the policy.

  The policy distribution server 4000 notifies the image forming apparatus 1000 of the policy selection by using the SOAP client function 4021 in response to the policy selection from the management console 4001 (step S84). The image forming apparatus 1000 receives the policy selection notification using the SOAP server function 4022, and returns a reception result to the policy distribution server 4000. That is, the identification information of the policy to be executed is notified to the image forming apparatus 1000.

  The image forming apparatus 1000 selects a policy specified by the identification information according to the policy selection, and operates according to the selected policy (step S85).

  A functional configuration for realizing such a fifth policy setting method will be described with reference to FIG. FIG. 42 is a diagram illustrating an example of a functional configuration for realizing the eighth policy setting method. 42, the same reference numerals are given to the same processing units as those in FIGS. 36 and 40, and the description thereof will be omitted. In the description in FIG. 42, the image forming apparatus 1000 and the image forming apparatus 1000-2 have the same operation requirement selection unit 1012-4, and thus the description will be made with the image forming apparatus 1000. A dotted line portion 1002 indicates that it can be omitted.

  The operation requirement selection unit 1012-4 has a communication unit 4103 and an interface 4106 corresponding to the storage medium 50 for reading the DSP 2000 stored in the storage medium 50 from the storage medium 50.

  The communication unit 4103 notifies the policy rewriting unit 4012-2 of the policy selection received from the policy distribution server 4000-2 according to the SOAP.

  The policy rewriting unit 4012-2 reads the DSP 2000 stored in the storage medium 50 by the interface 4106 according to, for example, the offline policy setting, and stores the DSP 2000 in the document security policy DB 92. The policy rewriting unit 4012-2 replaces with the policy to be executed based on the policy selection notified from the communication unit 4103. That is, when the previous policy to be executed is the DSP 2000a and the DSP 2000 is specified by the identification information, the DSP 2000a is rewritten as the policy to be executed by the DSP 2000.

  Also, by configuring the policy distribution server 4000-2 to have the interface 4126 for writing the DSP 2000b to the storage medium 50, the policy management unit 4124 can set the policy offline by setting the policy The policy for distributing the DSP 2000b (DSP 2000) may be written in the storage medium 50. The storage medium 50 in this case is a hard disk 51, a magneto-optical disk 52, a flexible disk 53, an optical disk 54, or the like as shown in FIG.

  In policy distribution server 4000-2, communication unit 4123 transmits a policy selection to image forming apparatus 1000 according to SOAP.

  Next, a functional configuration for inquiring of an external server about interpretation of a policy based on a document attribute and a user attribute will be described with reference to FIGS.

  FIG. 43 is a diagram illustrating an example of a functional configuration in which an external server interprets a policy. In FIG. 43, the same reference numerals are given to the same processing units as in FIG. 36, and description thereof will be omitted. In the description of FIG. 43, the image forming apparatus 1000 and the image forming apparatus 1000-2 have the same operation requirement selection unit 1012-3, and thus the description will be made with the image forming apparatus 1000. A dotted line portion 1002 indicates that it can be omitted.

  On the image forming apparatus 1000 side, the operation requirement selection unit 1012-5 includes only the communication unit 4103-2, the selection requirement game 4102, and the system attribute 91a.

  The communication unit 4103-2 is a processing unit that controls communication with the policy interpretation server 4200 according to SOAP. The communication unit 4103-2 transmits the document attribute notified from the document attribute obtaining unit 1011 and the user attribute notified from the user attribute obtaining unit 1021 to the policy interpretation server 4200 according to the SOAP. Further, upon receiving a rule corresponding to the document attribute and the user attribute from the policy interpretation server 4200, the communication unit 4103-2 notifies the selection requirement inspection unit 4102 of the rule. The rules indicate the operational requirements that must be met if the operation is allowed.

  The selection requirement verification unit 4102 determines whether or not the operation requirement can be satisfied while referring to the system attribute 91a, and notifies the operation control unit 1013 of the determination result.

  The policy interpretation server 4200 as an external server is a server computer, and includes a communication unit 4213, a policy interpretation unit 4224, and a DSP 2000b.

  The communication unit 4213 is a processing unit that controls communication with the image forming apparatus 1000 according to the SOAP, and notifies the policy interpreting unit 4224 of the document attribute and the user attribute received from the image forming apparatus 1000, and The rule corresponding to the document attribute and the user attribute notified from is transmitted to image forming apparatus 1000. The rule includes an operation requirement when the operation is permitted.

  The policy interpreting unit 4224 refers to the DSP 2000b based on the document attribute and the user attribute acquired from the communication unit 4213 to acquire a rule including an operation requirement when the operation is permitted. The communication unit 4213 is notified of the rule.

  With such a functional configuration, even when the image forming apparatus 1000 does not hold the policy, the security policy can be executed for the operation of the image forming apparatus 1000.

  Next, a functional configuration in which the external server interprets the policy and further verifies the selection requirement will be described with reference to FIG.

  FIG. 44 is a diagram illustrating an example of a functional configuration in which an external server interprets a policy and verifies selection requirements. 44, the same reference numerals are given to the same processing units as in FIG. 43, and the description thereof will be omitted. In the description of FIG. 43, the image forming apparatus 1000 and the image forming apparatus 1000-2 have the same operation requirement selection unit 1012-3, and thus the description will be made with the image forming apparatus 1000. A dotted line portion 1002 indicates that it can be omitted.

  On the image forming apparatus 1000 side, the operation requirement selection unit 1012-6 includes only the communication unit 4103-3.

  The communication unit 4103-3 is a processing unit that controls communication with the policy interpretation server 4200 according to SOAP. The communication unit 4103-3 transmits the document attribute notified from the document attribute obtaining unit 1011 and the user attribute notified from the user attribute obtaining unit 1021 to the policy interpretation server 4200-2 according to the SOAP. In addition, the communication unit 4103-2 receives permission or non-permission for the operation from the policy interpretation server 4200 and, if permitted, the operation requirement, and notifies the operation control unit 1013.

  The operation requirement selection server 4200-2 as an external server further includes a selection requirement inspection unit 4226 and a system attribute 91b in addition to the configuration shown in FIG.

  The policy interpreting unit 4224 refers to the DSP 2000b based on the document attribute and the user attribute acquired from the communication unit 4213 to acquire a rule including an operation requirement when the operation is permitted, and Notify 4226.

  The selection requirement verification unit 4226 determines whether or not the image forming apparatus 1000 can satisfy the operation requirement by referring to the system attribute 91b, and transmits the determination result to the image forming apparatus 1000 via the communication unit 4213. . If the image forming apparatus 1000 determines that the operation requirement cannot be satisfied, the determination result indicates that the operation is not permitted. On the other hand, if the image forming apparatus 1000 determines that the operation requirement is satisfied, the determination result indicates permission and specifies the operation requirement.

  Next, a system attribute 91a provided in the image forming apparatus 1000 and referred to by the selection requirement verification unit 4102 of the image forming apparatus 1000 will be described with reference to FIG. FIG. 45 is a diagram illustrating an example of a system attribute provided in the image forming apparatus.

  In FIG. 45, a system attribute 91a is a table for managing items of operation conditions that can be executed by a user's selection, and includes items such as operation conditions and support indicating whether or not support is possible. The operating conditions include log recording, image log recording, printing of a security label, printing of an operator label, printing of an identification barcode, printing of an identification pattern, and the like.

  Normally, operating conditions are provided in the image forming apparatus 1000 as selectable functions when operating. When such an operation condition is specified as a requirement for permitting an operation by a policy, it is an operation requirement.

  FIG. 46 is a diagram illustrating an example of system attributes provided in the external server. In FIG. 46, a system attribute 91b associates support for a plurality of image forming apparatuses with identification information of the image forming apparatuses (apparatus 01, apparatus 02, apparatus 03, apparatus 04,...) For each operating condition. It is a table to be managed. The operating conditions include log recording, image log recording, printing of a security label, printing of an operator label, printing of an identification barcode, printing of an identification pattern, and the like.

  Normally, the operating condition is a function that can be selected when operating. When such an operation condition is specified as a requirement for permitting an operation by a policy, it is an operation requirement.

  Next, an example of a SOAP for setting a policy performed between the image forming apparatus 1000 or 1000-2 and the policy distribution server 4000 will be described with reference to FIGS. 47 to 56, there is no difference between the image forming apparatus 1000 as a reading apparatus and the image forming apparatus 1000-2 as a copying apparatus.

  First, as shown in FIG. 31, SOAP in the case where the policy distribution server 4000 distributes a policy to the image forming apparatus 1000 using the SOAP client function 4021 will be described with reference to FIG. FIG. 47 is a diagram illustrating an example of XML data indicating policy distribution transmitted according to SOAP.

  In FIG. 47, XML data 800 is a description in XML according to SOAP for distributing a policy. In the XML data 800, information on the distributed policy and the policy itself are described from a description 801 indicating <ns1: policyDistribution> to a description 802 indicating </ ns1: policyDistribution>.

  In the description 801, “policyDistribution” indicates that the XML data 800 distributes a policy.

  In the description 803 indicating <policyId xsi: type = "xsd: string"> RDSP2023 </ policyId>, identification information "RDSP2023" for identifying a policy is set. Then, a policy is described in a description 804 of <policy xsi: type = "xsd: string"> to </ policy>. For example, the DSP 2000 (see FIGS. 14 to 22) identified by the identification information “RDSP2023” itself is described.

  The image forming apparatus 1000 that has received the XML data 800 indicating such a policy distribution transmits a reception result as illustrated in FIG. 48 to the policy distribution server 4000 using the SOAP server function 4022. FIG. 48 is a diagram illustrating an example of XML data indicating a reception result for policy distribution transmitted according to SOAP.

  In FIG. 48, XML data 810 is a description in XML indicating a reception result for policy distribution. In the XML data 810, information on the reception result for the policy distribution is shown from a description 811 indicating <ns1: policyDistributionResponse> to a description 812 indicating </ ns1: policyDistributionResponse>.

  In the description 812, “policyDistributionResponse” indicates that the XML data 810 is a response to policy distribution.

  A description 813 indicating <result xsi: type = "xsd: boolean"> true </ result> indicates whether the policy distribution has been normally received. In this case, since “true” is indicated, it indicates that the reception was successful.

  As shown in FIG. 32, SOAP in the case where the policy distribution server 4000 notifies the image forming apparatus 1000 of the policy distribution using the SOAP client function 4021 will be described with reference to FIG. FIG. 49 is a diagram illustrating an example of XML data indicating a policy distribution notification transmitted according to SOAP.

  In FIG. 49, XML data 820 is a description in XML according to SOAP for notifying of policy distribution. In the XML data 820, information about the policy distribution notification is shown from a description 821 indicating <ns1: policyDistributionReport> to a description 822 indicating </ ns1: policyDistributionReport>.

  In the description 821, “policyDistributionReport” indicates that the XML data 820 notifies policy distribution.

  In the description 823 indicating <policyId xsi: type = "xsd: string"> RDSP2023 </ policyId>, identification information “RDSP2023” for identifying a policy is set.

  Then, after receiving the XML data 820 indicating the policy distribution notification, the image forming apparatus 1000 transmits the reception result using the SOAP server function 4022, and then uses the SOAP client function 4023 to transmit the result illustrated in FIG. Is transmitted to the policy distribution server 4000. FIG. 50 is a diagram illustrating an example of XML data indicating a policy acquisition request transmitted according to SOAP.

  In FIG. 50, XML data 830 is a description in XML according to SOAP for distributing a policy. In the XML data 830, information on the policy acquisition request is described from a description 831 indicating <ns1: policyRequest> to a description 832 indicating </ ns1: policyRequest>.

  In the description 831, “policyRequest” indicates that the XML data 830 requests acquisition of a policy.

  The description 833 indicating <policyId xsi: type = "xsd: string"> RDSP2023 </ policyId> is identification information “RDSP2023” for identifying the policy notified by the XML data 820 indicating the policy distribution notification illustrated in FIG. Is set.

  The XML data 830 indicating this policy acquisition request is transmitted to the policy distribution server 4000 after receiving the policy distribution notification or at the timing of processing.

  Then, the policy distribution server 4000 that has received the XML data 830 indicating such a policy acquisition request transmits a reception result as illustrated in FIG. 51 to the image forming apparatus 1000 using the SOAP server function 4024. FIG. 51 is a diagram illustrating an example of XML data indicating a reception result requested for a policy acquisition request transmitted according to SOAP.

  In FIG. 51, XML data 840 is a description in XML indicating a reception result for a policy acquisition request. In the XML data 840, information on the distributed policy and the policy itself are shown from a description 841 indicating <ns1: policyDistribution> to a description 842 indicating </ ns1: policyDistribution>.

  In the description 841, “policyDistribution” indicates that the XML data 840 distributes a policy.

  In the description 843 indicating <policyId xsi: type = "xsd: string"> RDSP2023 </ policyId>, identification information "RDSP2023" for identifying a policy is set. Then, the policy is described in a description 844 from <policy xsi: type = "xsd: string"> to </ policy>. For example, the DSP 2000 (see FIGS. 14 to 22) identified by the identification information “RDSP2023” itself is described.

  As shown in FIG. 52, SOAP when the image forming apparatus 1000 makes a policy distribution request to the policy distribution server 4000 using the SOAP client function 4023 will be described with reference to FIG. FIG. 52 is a diagram illustrating an example of XML data indicating a policy distribution request transmitted according to SOAP.

  In FIG. 52, XML data 850 is a description in XML according to SOAP for requesting policy distribution. In the XML data 850, a description 851 indicating <ns1: policyDistributionRequest> to a description 852 indicating </ ns1: policyDistributionRequest> indicate information on the policy distribution request.

  In the description 851, “policyDistributionRequest” indicates that the XML data 850 notifies policy distribution.

  In the description 853 indicating <policyId xsi: type = "xsd: string"> RDSP2023 </ policyId>, identification information "RDSP2023" for identifying a policy is set.

  Then, upon receiving the XML data 850 indicating such a policy distribution request, the policy distribution server 4000 distributes the policy by the XML data 800 shown in FIG. 47 immediately after the reception or at a predetermined timing.

  As shown in FIG. 41, SOAP in the case where the policy distribution server 4000 uses the SOAP client function 4021 to notify the image forming apparatus 1000 of a policy selection will be described with reference to FIG. FIG. 53 is a diagram illustrating an example of XML data indicating a policy selection notification transmitted according to SOAP.

  In FIG. 53, XML data 860 is a description in XML according to SOAP for notifying of policy selection. In the XML data 860, a description 861 indicating <ns1: policyChangeRequest> to a description 862 indicating </ ns1: policyChangeRequest> indicate information on a policy to be selected.

  In the description 861, “policyChangeRequest” indicates that the XML data 860 is a notification of policy selection.

  In the description 863 indicating <policyId xsi: type = "xsd: string"> RDSP2023 </ policyId>, identification information "RDSP2023" for identifying a policy is set. The image forming apparatus 1000 sets the policy identified by the identification information “RDSP2023” as the policy for execution.

  Next, in FIG. 43 or FIG. 44, SOAP in the case where the image forming apparatus 1000 issues an operation requirement acquisition request to an external server that interprets a policy will be described with reference to FIG. 54 and FIG. FIGS. 54 and 55 are diagrams illustrating examples of XML data indicating an operation requirement acquisition request transmitted according to SOAP. FIG. 54 and FIG. 55 show one XML data 870.

  In the XML data 870, a user attribute, a document attribute, and operation information are described from a description 871 indicating <ns1: isAllowed> in FIG. 54 to a description 872 indicating </ ns1: isAllowed> in FIG.

  A description 873 indicating <userTicketInfo> to a description 874 indicating </ userTicketInfo> specify a user ticket when a user attribute is required. For example, in FIG. 43, when the policy interpretation server 4200 as an external server determines that a user attribute is necessary to interpret a policy, the user attribute is acquired using a specified user ticket.

  A description 881 indicated by <docInfo xsi: type = "ns1: DocInfo"> to </ docInfo> indicates information on document attributes. In the description 881, a description 882 indicating <catgory xsi: type = "xsd: string"> Technical_doc </ category> indicates that the category of the document is "Technical_doc (technical related document)", and <level xsi: type A description 883 indicating "=" xsd: string "> High </ level> indicates that the document level is" High (high level) ", and <zone xsi: type =" xsd: string "> 99.99.99.99 The description 884 indicating </ zone> indicates that the zone is “99.99.99.99”.

  A description 885 indicating <accessInfo> to </ accessinfo> indicates operation information. In the description 885, a description 886 indicating <operation xsi: type = "xsd: string"> COPY </ operation> indicates that the operation is copy.

  Upon receiving such XML data 870, the policy interpretation server 4200 as an external server shown in FIG. 43 transmits a policy interpretation result by the policy interpretation unit 4224 shown in FIG. 56 to the image forming apparatus 1000. FIG. 56 is a diagram illustrating an example of XML data indicating a policy interpretation result transmitted according to SOAP.

  In FIG. 56, XML data 890 is a description in XML according to SOAP for notifying the result of policy interpretation. In the XML data 890, a description 891 indicating <ns1: isAllowedResponse> to a description 892 indicating </ ns1: isAllowedResponse> indicate information on the policy interpretation result.

  In the description 891, the XML data 890 indicates the notification of the policy interpretation result by “isAllowedResponse”.

  A description 895 indicating <allowed xsi: type = "xsd: boolean"> true </ allowed> indicates that the operation is permitted.

  A description 896 from <requirements> to </ requirements> indicates an operation requirement for permitting the operation. In the description 896, a description 897 from <item> to </ item> indicates an operation requirement. The description indicating <requirement xsi: type = "xsd: string"> audit </ requirement> specifies the recording of the audit trail ("audit") as an operation requirement.

  Next, the functional configuration of the operation control unit 1013 will be described with reference to FIGS. First, a functional configuration of the operation control unit 1013 of the image forming apparatus 1000 as the reading apparatus illustrated in FIG. 28 will be described. FIG. 57 is a diagram illustrating an example of a functional configuration of an operation control unit in an image forming apparatus serving as a reading device.

  In FIG. 57, in the image forming apparatus 1000 as a reading device, the operation control unit 1013 includes a data processing control unit 74a that controls the data processing unit 74 and a data transmission control unit 75a that controls the data transmission unit 75.

  In the image forming apparatus 1000 as a reading device, the data processing control unit 74a stops the reading process according to the operation requirement notified from the operation requirement selection unit 1012 and deletes all the read data as necessary, for example. Erasing part of scanned data by blacking, whitening, or deleting pages, deleting color information, reducing the amount of information, adding a confidential label by printing a "confidential" stamp Further, the data processing unit 74 is controlled so as to execute the addition of identification information by printing bar codes, numbers, characters, patterns, security attributes, and the like.

  In the image forming apparatus 1000 as a reading device, the data transmission control unit 75a stops transmission in accordance with the operation requirement notified from the operation requirement selection unit 1012, and transmits only to the transmission destination specified by the operation requirement, for example. The data transmission unit 75 is controlled to execute transmission to the transmission destination specified by the operation requirement.

  FIG. 58 is a diagram illustrating an example of a functional configuration of an operation control unit in an image forming apparatus as a copying apparatus.

  58, in an image forming apparatus 1000-2 as a copying apparatus, an operation control unit 1013 has a data processing control unit 74a that controls a data processing unit 74 and a print control unit 76a that controls a printing unit 76.

  In the image forming apparatus 1000-2 as a copying apparatus, the data processing control section 74a is the same as the data processing control section 74a in the image forming apparatus 1000 as the reading apparatus in FIG. According to the notified operating requirements, the reading process is stopped, and if necessary, all the read data is erased, a part of the read data is erased by blacking, whitening, or deleting the page, color information, etc. Erase, reduce the amount of information, add confidential labels by printing "confidential" stamps, and add identification information by printing barcodes, numbers, letters, patterns, security attributes, The data processing unit 74 is controlled so as to execute the above.

  In the image forming apparatus 1000-2 as a copying apparatus, the print control unit 76a controls the print control unit 76a so as to execute, for example, stop printing, print on paper in a tray specified by the operation requirement, and the like. I do.

  In the above embodiment, the image forming apparatus 1000 as a reading apparatus and the image forming apparatus 1000-2 as a copying apparatus have been illustrated. However, an apparatus having at least one of a plurality of different image forming functions such as a printer, a facsimile, and a copy machine Alternatively, the apparatus may have a plurality of different image forming functions.

  According to the present invention, since a security policy in a company for a document can be set from the outside, handling of the document can be controlled by a security policy consistent in the company. Further, whether the document is a paper document or electronic data (document data), control according to the security policy can be executed.

FIG. 4 is a diagram illustrating an example of a security policy. It is a figure showing an example of a list of a document label term file. FIG. 6 is a diagram illustrating an example of a policy term file. FIG. 6 is a diagram illustrating an example of a policy term file. FIG. 6 is a diagram illustrating an example of a policy term file. FIG. 6 is a diagram illustrating an example of a policy term file. FIG. 6 is a diagram illustrating an example of a policy term file. FIG. 6 is a diagram illustrating an example of a policy term file. FIG. 6 is a diagram illustrating an example of a policy term file. FIG. 6 is a diagram illustrating an example of a policy term file. FIG. 6 is a diagram illustrating an example of a policy term file. FIG. 6 is a diagram illustrating an example of a policy term file. FIG. 6 is a diagram illustrating an example of a policy term file. FIG. 4 is a diagram illustrating an example of a policy file. FIG. 4 is a diagram illustrating an example of a policy file. FIG. 4 is a diagram illustrating an example of a policy file. FIG. 4 is a diagram illustrating an example of a policy file. FIG. 4 is a diagram illustrating an example of a policy file. FIG. 4 is a diagram illustrating an example of a policy file. FIG. 4 is a diagram illustrating an example of a policy file. FIG. 4 is a diagram illustrating an example of a policy file. FIG. 4 is a diagram illustrating an example of a policy file. FIG. 4 is a diagram illustrating an example of identification information of a DSP. FIG. 3 is a diagram illustrating a description example for describing a structure of a DSP. FIG. 14 is a diagram illustrating another description example of the DSP. FIG. 2 illustrates various media for storing and distributing a DSP. FIG. 1 is a block diagram illustrating a hardware configuration of an image forming apparatus according to an embodiment of the present invention. FIG. 2 is a diagram illustrating a functional configuration of an image forming apparatus as a reading apparatus that operates according to a security policy. FIG. 3 is a diagram illustrating an example of a simplified DSP. FIG. 2 is a diagram illustrating a functional configuration of an image forming apparatus as a copying apparatus that operates according to a security policy. FIG. 11 is a diagram illustrating a first policy setting method in which a policy is distributed from an external server. FIG. 11 is a diagram illustrating a second policy setting method for acquiring a policy from an external server. FIG. 11 is a diagram illustrating a third policy setting method for acquiring a policy when the power is turned on. FIG. 13 is a diagram illustrating a fourth policy setting method for acquiring a policy when the power is turned on. FIG. 14 is a diagram illustrating a fifth policy setting method for acquiring a policy when the power is turned on. FIG. 14 is a diagram illustrating an example of a functional configuration for implementing the first to fifth policy setting methods. It is a figure showing the 6th policy setting method which acquires a policy by a timer. It is a figure showing the example of the functional composition for realizing the 6th policy setting method. FIG. 21 is a diagram illustrating a seventh policy setting method for setting a policy offline. It is a figure showing the example of the functional composition for realizing the 7th policy setting method. An eighth policy setting method for setting a policy offline and selecting a policy online will be described. It is a figure showing the example of the functional composition for realizing the 8th policy setting method. FIG. 4 is a diagram illustrating an example of a functional configuration in which an external server interprets a policy. FIG. 4 is a diagram illustrating an example of a functional configuration in which an external server interprets a policy and verifies a selection requirement. FIG. 4 is a diagram illustrating an example of a system attribute provided in the image forming apparatus. FIG. 5 is a diagram illustrating an example of a system attribute provided in an external server. FIG. 4 is a diagram illustrating an example of XML data indicating policy distribution transmitted according to SOAP. FIG. 7 is a diagram illustrating an example of XML data indicating a reception result for policy distribution transmitted according to SOAP. FIG. 4 is a diagram illustrating an example of XML data indicating a policy distribution notification transmitted according to SOAP. FIG. 4 is a diagram illustrating an example of XML data indicating a policy acquisition request transmitted according to SOAP. FIG. 9 is a diagram illustrating an example of XML data indicating a reception result for a policy acquisition request transmitted according to SOAP. FIG. 4 is a diagram illustrating an example of XML data indicating a policy distribution request transmitted according to SOAP. FIG. 7 is a diagram illustrating an example of XML data indicating a policy selection notification transmitted according to SOAP. FIG. 7 is a diagram illustrating an example of XML data indicating a policy selection notification transmitted according to SOAP. FIG. 4 is a diagram illustrating an example of XML data indicating policy distribution transmitted according to SOAP. FIG. 9 is a diagram illustrating an example of XML data indicating a policy interpretation result transmitted according to SOAP. FIG. 3 is a diagram illustrating an example of a functional configuration of an operation control unit in an image forming apparatus serving as a reading device. FIG. 3 is a diagram illustrating an example of a functional configuration of an operation control unit in an image forming apparatus as a copying apparatus.

Explanation of reference numerals

51 hard disk 52 magneto-optical disk 53 flexible disk 54 optical disk 55 computer 56 network 71 reading unit 72 reading condition obtaining unit 73 data destination obtaining unit 74 data processing unit 1000 image forming apparatus 1001 policy executing unit 1011 document attribute obtaining unit 1012 operation requirement selection Unit 1013 operation control unit 1021 user attribute acquisition unit 2000 DSP

Claims (20)

Policy holding means for holding a security policy that describes handling rules for documents;
Policy rewriting means for rewriting the security policy held by the policy holding means with an external security policy;
An operation control unit for controlling an operation on the document according to the security policy managed by the policy management unit. Having communication means for performing communication control via a network,
2. The image forming apparatus according to claim 1, wherein the policy rewriting means rewrites the security policy held by the policy holding means with a security policy received by the communication means.   3. The image forming apparatus according to claim 2, wherein the policy rewriting means writes a security policy acquired from the outside into the policy holding means by the communication means when the power is turned on. Timer means for notifying the communication means of the rewriting timing of the security policy held by the policy holding means,
4. The image forming apparatus according to claim 2, wherein the communication unit acquires the security policy from a policy distribution server that distributes the security policy via the network. Interface means for reading the security policy from a storage medium storing the security policy,
2. The image forming apparatus according to claim 1, wherein the security policy held by the policy holding unit is rewritten by the security policy read by the interface unit. Having communication means for performing communication control via a network,
The communication means, upon receiving the selection information indicating the selection of the security policy, notifies the policy rewriting means,
6. The image according to claim 5, wherein the policy rewriting means rewrites the security policy held by the policy holding means according to the security policy read by the interface means based on the selection information. Forming equipment. The policy holding means holds a plurality of security policies,
7. The image forming apparatus according to claim 6, wherein the policy rewriting unit sets one of the plurality of security policies held by the policy holding unit as a security policy to be enforced based on the selection information. apparatus.   7. The image forming apparatus according to claim 2, wherein the communication unit acquires the security policy via the network according to a Simple Object Access Protocol. A policy maintenance procedure that maintains a security policy that describes the rules for handling documents,
A policy rewriting procedure for rewriting the security policy held in the policy holding procedure with an external security policy,
An operation control procedure for controlling an operation on the document according to the security policy managed by the policy management means. A policy maintenance procedure that maintains a security policy that describes the rules for handling documents,
A policy rewriting procedure for rewriting the security policy held in the policy holding procedure with an external security policy,
A computer-executable program for causing a computer to execute an operation control procedure for controlling an operation on the document according to the security policy managed by the policy management means. A policy maintenance procedure that maintains a security policy that describes the rules for handling documents,
A policy rewriting procedure for rewriting the security policy held in the policy holding procedure with an external security policy,
A computer-readable storage medium storing a program, the program causing a computer to execute an operation control procedure for controlling an operation on the document according to the security policy managed by the policy management means. Communication means for controlling communication via a network;
Policy management means for managing a security policy describing rules for handling documents,
A policy distribution server, wherein the communication means distributes the security policy managed by the policy management means to devices connected via the network.   13. The policy distribution server according to claim 12, wherein the communication unit transmits authentication information simultaneously when distributing the security policy.   The communication means receives, from the device connected via the network, an acquisition request for the security policy managed by the policy management means and authentication information of the device, and an authentication result based on the authentication information. Transmitting the security policy to the device according to the following. An interface for writing the security policy to a storage medium,
15. The policy distribution server according to claim 12, wherein the policy management unit writes the security policy on the storage medium by the interface. A rule acquiring unit that acquires the rule from the external server by transmitting a document attribute related to the document to an external server that provides a rule for handling the document based on the document attribute;
An image forming apparatus comprising: an operation control unit configured to control an operation on the document according to the rule acquired by the rule acquisition unit.   17. The image forming apparatus according to claim 16, wherein the rule acquisition unit includes a communication unit that controls communication with the external server according to a Simple Object Access Protocol. The above rule acquisition means,
Communication means for controlling communication with the external server;
A selection function holding unit that holds execution availability information indicating the availability of the selectable function;
An operation requirement determining unit that determines whether an operation requirement to be satisfied to permit the operation specified by the rule can be executed by referring to the execution availability information held by the selection function holding unit; Has,
17. The image forming apparatus according to claim 16, wherein the operation control unit controls an operation on the document based on a determination result by the operation requirement determination unit. Communication means for controlling communication via a network;
Holding means for holding a security policy describing rules for handling documents,
Policy acquisition means for referring to the security policy held by the holding means based on a document attribute and an operation performed on the document, and acquiring the rule for the operation on the document. ,
The policy interpreting server, wherein the communication unit notifies the policy acquisition unit of the document attribute and the operation received via the network, and transmits the rule acquired by the policy acquisition unit. A selection function holding unit that holds execution availability information indicating execution availability of a selectable function for each device connected via the network,
By referring to the execution availability information held by the selection function holding unit, it is determined whether or not the operation requirement to be satisfied to permit the operation specified by the rule acquired by the policy acquisition unit can be executed. 20. The policy interpretation server according to claim 19, further comprising an operation requirement judging means for judging.

Images