JP2014013474A - Log audit system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce troubles in audit work while preventing information leakage from an image log in a log audit system of an image forming apparatus.
A portion to be concealed in an image log is specified by a set concealment condition, the portion is encrypted, and the image log is stored. When an auditor who has the authority to browse the secret part browses the image log, the encrypted secret part is decrypted and displayed as it is. When an inspector who does not have the authority to browse the secret part browses the image log, the encrypted secret part is masked and displayed.
[Selection] Figure 3

Description

  The present invention relates to a system for auditing a log of a job executed by an image forming apparatus.

  Conventionally, for the purpose of suppressing information leakage and tracking information leakers, it is necessary to audit a log (hereinafter referred to as a job log) related to a job performed by a printer or MFP (Multi Function Peripheral, hereinafter referred to as MFP). A system has been developed. In such a system job log, in addition to attribute information such as job execution date and time, image data of a document handled in the job (hereinafter referred to as an image log) can be audited more strictly. There are things that you can do.

  However, in such a system, there is a concern that an auditor who can access the image log may obtain information that cannot be known from the image log or leak the information to the outside. For this reason, a technique for processing or encrypting the image log and changing the storage location of the job log for each user who executed the job for the purpose of concealing information to the auditor (for example, see Patent Documents 1 and 2) Has been.

JP 2007-214611 A JP 2007-128359 A

  However, if the entire image log is distributed to multiple storage destinations or encrypted in order to limit the auditors that can be viewed, it is not possible to check the contents of the document or compare the leaked document with the image log. The audit work will be hindered. On the other hand, the image log contains information that should be kept confidential to auditors with low audit authority, and it is a problem that the contents of the image log are disclosed to all auditors without being kept secret. is there.

  The present invention has been made to solve the above problems, and an object of the present invention is to provide a log audit system capable of reducing troubles in audit work while preventing information leakage from image logs. It is to be.

In order to achieve the above object, the present invention provides a log audit system comprising: an image forming apparatus (102); and a log audit server (101) for auditing an image log of a document processed by the image forming apparatus. There,
The log audit server
Auditor information setting means (301) for setting the authentication information and authority of the auditor,
A concealment condition setting means (302) for setting a condition for specifying a portion to be concealed in the image log;
Text information extraction means (312) for extracting the text in the image log in association with the position information of the text from the image log;
In accordance with the conditions set by the concealment condition setting means, from the text information extracted by the text information extraction means, a concealment place specifying means (313) for specifying a concealment place in the image log,
An encryption unit (314) for encrypting a secret part specified by the secret part specifying unit and storing an image log;
An authentication means (321) for authenticating the auditor;
Decryption means (315) for decrypting the secret part encrypted by the encryption means in accordance with the authority of the auditor authenticated by the authentication means;
Audit means (322) for receiving a request from an inspector, searching an image log, and displaying the image log while masking and displaying a secret portion that has been encrypted without being decrypted by the decryption means. And.

  According to the present invention, only important information in the image log is encrypted and concealed, and the contents other than that are disclosed to the auditor so that the contents can be understood to some extent, thereby preventing information leakage from the image log. At the same time, it is possible to reduce the troubles in the audit work of the image log.

It is a figure which shows the structural example of the log auditing system of this invention. It is a block diagram which shows the hardware structural example of a log audit server. It is a figure which shows the software structural example of a log audit server. It is an example of auditor information. It is an example of a concealment condition. It is an example of secret location information. It is a flowchart which shows the process sequence of the job log preservation | save process in a log audit server. It is a flowchart which shows the process sequence of the image log display process in a log audit server. It is a figure which shows the example of a display of the image log with respect to the auditor who has the document and the secret location browsing authority. It is a figure which shows the example of a display of the image log with respect to the auditor who does not have the secrecy location browsing authority. It is an example of auditor information. It is an example of authority setting of an audit level. It is an example of a concealment condition. It is a flowchart which shows the process sequence of the job log preservation | save process in a log audit server. It is an example of secret location information. It is a flowchart which shows the process sequence of the image log display process in a log audit server. It is a figure which shows the example of a display of the image log with respect to an auditor. It is a figure which shows the example of a display of the image log with respect to an auditor. It is an example of a concealment condition. It is a flowchart which shows the process sequence of the job log preservation | save process in a log audit server. It is an example of secret location information. It is a flowchart which shows the process sequence of the image log display process in a log audit server. It is a figure which shows the example of a display of the image log with respect to an auditor. It is a figure which shows the example of an audit | inspection screen. It is a figure which shows the software structural example of a log audit server.

  The best mode for carrying out the present invention will be described below with reference to the drawings.

Example 1
First, a first embodiment of the present invention will be described.

  FIG. 1 is a diagram showing a configuration example of a log audit system according to the present invention. In the log audit system according to this embodiment, a log audit server 101 and an MFP 102 are connected via a network 150. A plurality of MFPs 102 may be provided. The log audit server 101 stores a job log that is an execution record of a job (such as copying or printing) executed by the MFP 102, and searches and displays the stored job log in response to a request from the auditor. The contents of the job log include an image log of the processed document in addition to job attribute information (execution user name, execution date and time).

  FIG. 2 is a block diagram illustrating an internal configuration example of the log audit server 101.

  A control unit 210 including a CPU 211 controls the operation of the log audit server 101. The CPU 211 reads out a control program stored in the ROM 212 or the HDD 214, and executes various control processes such as input and output and arithmetic processes. The RAM 213 is used as a temporary storage area such as a main memory or work area of the CPU 211. The HDD 214 stores collected job log data, various programs, and the like.

  The operation input I / F 215 receives a signal input from an operation device such as a connected keyboard or mouse.

  The display output I / F 216 outputs a signal to a screen display or the like.

  A network I / F 217 connects the control unit 210 to a network and transmits / receives information to / from another device on the network.

  Reference numeral 220 denotes a bus that connects the blocks in the control unit 210.

  FIG. 3 is a diagram illustrating a software configuration example of the log audit server 101.

  The auditor information setting unit 301 accepts registration of the auditer of the log audit system and an instruction to set the audit authority from the system administrator who manages the log audit system, and stores information on the auditor in the auditor information storage unit 351. To do. FIG. 4 shows an example of auditor information stored in the auditor information storage unit 351 by the auditor information setting unit 301. The example of FIG. 4 indicates that, for example, the auditors “auditor_a” and “auditor_b” are set to have no secret location browsing authority, and the auditor “auditor_c” has the secret location browsing authority.

  The concealment condition setting unit 302 receives a condition setting for a part to be concealed in the image log from the system administrator, and stores the concealment condition in the concealment condition storage unit 352. As a condition, not only a keyword but also personal information such as a name and a telephone number may be designated. FIG. 5 shows an example of the concealment condition. The example of FIG. 5 indicates that “XXX” and “YYY” are set as keyword conditions, and “person name” and “address” are set as personal information conditions.

  A job log receiving unit 311 receives a job log including an image log transmitted from the MFP.

  The image log processing unit 312 performs OCR (Optical Character Reader) on the image log included in the job log received by the job log receiving unit 311 to extract text information and position information of each character of the text. Further, image format conversion, resolution conversion, and the like may be performed as necessary.

  The concealed part specifying unit 313 specifies the concealed part in the text information extracted by the image log processing unit 312 in accordance with the concealment condition stored in the concealment condition storage unit 352. Then, the secret location specifying unit 313 stores the secret location information in the image log corresponding to the specified text in the secret location storage unit 353 in association with the image log. The secret location specifying unit 313 includes an engine that identifies personal information in a text by a specific character string pattern, a personal name dictionary, or the like, and can detect the personal information according to a secret condition. FIG. 6 shows an example of the secret location information stored in the secret location storage unit 353. In the example of FIG. 6, the “image log ID” column is an ID for identifying an image log. The “encryption position” column represents a range to be encrypted in the data of the image log, and in this embodiment, it is assumed that it has information on what byte to what byte. Note that the range of encryption is not always continuous and may have a plurality of ranges. The example of FIG. 6 indicates that the image log with the image log ID 001 has four secret portions to be encrypted.

  The encryption unit 314 encrypts the corresponding part of the image log according to the secret part information stored in the secret part storage unit 353 and stores it in the job log storage unit 354. Note that the encryption unit 314 embeds a tag indicating the encrypted location before and after the encrypted location so that the decryption unit 315 can determine the encrypted location. This tag includes an encrypted position corresponding to the secret location information shown in FIG.

  The decryption unit 315 reads an image log retrieved by the audit unit 322, which will be described later, from the job log storage unit 354, and decrypts the encrypted secret portion of the image log in accordance with the authority of the inspector who performed the retrieval. Turn into.

  The auditor authentication unit 321 authenticates the auditor based on information registered in the auditor information storage unit 351.

  The audit unit 322 receives a search condition designated by the auditor, searches the job log according to the condition, displays its attribute information, and further displays an image log of the designated job log. When displaying the image log, the auditing unit 322 displays the encrypted secret part after performing mask processing such as painting with a rectangle.

  Next, a processing procedure of job log storage processing in the log audit server 101 will be described with reference to the flowchart of FIG. Each step shown in the flowchart of FIG. 7 is realized by the CPU 211 of the log audit server 101 executing a program for realizing each functional unit shown in FIG. 3 stored in the ROM 212 or the HDD 214. Further, the CPU 211 uses the RAM 213 and the HDD 214 as a storage area as necessary.

  In step S701, the image log processing unit 312 performs OCR on the image log to extract text, and also extracts position information of the text in the image.

  In step S <b> 702, the concealed part specifying unit 313 determines an end condition for the iterative process for all the concealment conditions stored in the concealment condition storage unit 352. If all the concealment conditions stored in the concealment condition storage unit 352 have been recorded as having been processed, the concealed part specifying unit 313 advances the process to step S706. Otherwise, the concealed part specifying unit 313 selects one of the concealment conditions for which the step in the iterative process has not been performed, and advances the process to step S703.

  In step S703, the concealed part specifying unit 313 detects a part that matches the selected concealment condition from the text extracted in step S701. If even one matching location is detected, the concealed location specifying unit 313 advances the process to step S704. If none is detected, the concealed part identification unit 313 advances the process to step S705.

  In step S704, the concealed part specifying unit 313 stores the position information in the image log of all the parts detected in step S703 in the concealed part storage unit 353 in association with the image log.

  In step S705, the concealed part specifying unit 313 records the selected concealment condition as processed, and returns the process to step S702.

  In step S <b> 706, the encryption unit 314 determines the end condition of the iterative process for all the concealed portions of the processing target image log stored in the concealed portion storage unit 353. If the steps in the iterative process are recorded as processed for all the concealed portions of the processing target image log stored in the concealed portion storage unit 353, the encryption unit 314 advances the processing to step S709. . Otherwise, the encryption unit 314 selects one secret part that has not been subjected to a step in the iterative process, and advances the process to step S707.

  In step S <b> 707, the encryption unit 314 encrypts the corresponding part of the image log corresponding to the selected secret part.

  In step S708, the encryption unit 314 records the selected secret part as processed, and returns the process to step S706.

  In step S709, the encryption unit 314 stores the image log in the job log storage unit 354 in association with the attribute information of the corresponding job.

  Next, the processing procedure of the image log display process in the log audit server 101 will be described with reference to the flowchart of FIG. Each step shown in the flowchart of FIG. 8 is realized by the CPU 211 of the log audit server 101 executing a program for realizing each functional unit shown in FIG. 3 stored in the ROM 212 or the HDD 214. Further, the CPU 211 uses the RAM 213 and the HDD 214 as a storage area as necessary.

  Prior to this operation, the auditor is authenticated by the auditor authentication unit 321, and the job log is searched by the authenticated auditor in the audit unit 322, and the image log in the specific job log is searched. It is assumed that display is instructed.

  In step S <b> 801, the decryption unit 315 acquires the image log instructed by the audit unit 322 from the job log storage unit 354.

  In step S <b> 802, the decryption unit 315 acquires the encrypted location information of the image log acquired in step S <b> 801 from the confidential location storage unit 353.

  In step S <b> 803, the decryption unit 315 acquires the authority information of the auditor who has been authenticated by the auditor authentication unit 321 and is currently instructing the audit from the auditor information storage unit 351.

  In step S804, the decryption unit 315 determines the end condition of the iterative process for all the concealed portions acquired in step S802. If a step in the iterative process has been recorded as processed for all the acquired secret places, the decoding unit 315 advances the process to step S808. Otherwise, the decryption unit 315 selects one of the concealed places where the step in the iterative process has not been performed, and advances the process to step S805.

  In step S805, the decryption unit 315 determines whether or not there is a viewing authority for the secret location selected in step S804, based on the auditor's authority information acquired in step S803. If there is a viewing authority, the decryption unit 315 advances the processing to step S806. If there is no viewing authority, the decryption unit 315 advances the processing to step S807.

  In step S806, the decryption unit 315 decrypts the corresponding part of the image log corresponding to the secret part selected in step S804 by detecting the tag embedded by the encryption unit 314.

  In step S807, the decryption unit 315 records the selected secret part as processed, and returns the process to step S804.

  In step S <b> 808, the auditing unit 322 determines an end condition of the iterative process for all the concealed portions that are encrypted without being decrypted by the decrypting unit 315. If the steps in the iterative process are recorded as processed for all the confidential parts that are still encrypted, the auditing unit 322 advances the process to step S811. Otherwise, the auditing unit 322 selects one of the encrypted secret portions that have not been subjected to the steps in the repeated processing, and advances the processing to step S809.

  In step S809, the auditing unit 322 performs a mask process of filling a corresponding portion of the image log corresponding to the encrypted secret portion selected in step 508 with a rectangle.

  In step S810, the auditing unit 322 records the selected encrypted secret part as processed, and returns the process to step S808.

  In step S811, the auditing unit 322 displays an image log. For example, if the concealment condition for the image log of the document shown in FIG. 9A is as shown in FIG. 5, the inspector who does not have the authority to view the concealed part is concealed as shown in FIG. 9B. An image with the portion masked is displayed. On the other hand, for the auditor who has the right to browse the secret part, the image log of FIG. 9A not masking the secret part is displayed.

  As described above, in the first embodiment, only important information in the image log can be concealed according to the authority of the auditor. As a result, it is possible to reduce troubles in auditing operations while preventing information leakage to the auditor.

(Example 2)
Next, a second embodiment of the present invention will be described.

  In the first embodiment, the concealed portion that matches the concealment condition is equally encrypted, and only control whether the inspector browses or masks all the concealment portions is performed. However, the importance of information to be kept secret is not always uniform. For example, a term commonly used in a company may be viewed by any in-house auditor even if it is confidential. Therefore, in the second embodiment, a security level indicating a high level of secrecy is provided for each secrecy condition. In addition, the auditor is provided with an audit level corresponding to the security level that can be viewed. As a result, the concealed portion can be concealed more appropriately according to the audit level of the auditor.

  The network configuration, hardware configuration, and software configuration of the present embodiment are the same as those in FIGS. 1, 2, and 3 of the first embodiment. Here, only differences from the first embodiment will be described.

  The auditor information setting unit 301 receives a setting of an audit level for each auditor in addition to the account information of the auditor from the system administrator. Furthermore, each audit level accepts an authority setting as to which security level can be browsed. FIG. 10A and FIG. 10B show examples of auditor information and audit level authority setting stored in the auditor information storage unit 351 by the auditor information setting unit 301. FIG. 10A shows that the auditors “auditor_a” and “auditor_b” have the security level 1 and the auditor “auditor_c” has the security level 3. Further, in the example of FIG. 10B, when the audit level 1 is provided, it is possible to browse the secret part at the security level 1, and when the audit level 4 is provided, it is possible to view the secret part at the security level 10 or lower. ing.

  The concealment condition setting unit 302 accepts setting of a security level for each concealment condition in addition to the concealment condition. FIG. 11 shows an example of the concealment condition stored in the concealment condition storage unit 352 by the concealment condition setting unit 302. In FIG. 11, for example, the keyword “XXX” indicates security level 1 and the personal information “address” indicates security level 3.

  Next, a processing procedure of job log storage processing in the log audit server 101 according to the second embodiment will be described with reference to a flowchart of FIG. Each step shown in the flowchart of FIG. 12 is realized by the CPU 211 of the log audit server 101 executing a program for realizing each functional unit shown in FIG. 3 stored in the ROM 212 or the HDD 214. Further, the CPU 211 uses the RAM 213 and the HDD 214 as a storage area as necessary.

  Note that the processing in FIG. 12 is obtained by changing step S704 to step S1201 and step S707 to step S1202 in the flowchart shown in FIG. The other steps in FIG. 7 that are the same as those in FIG. 7 are given the same numbers as in FIG.

  In step S1201, the concealed part specifying unit 313 stores the position information in the image log of all the parts detected in step S703 in the concealed part storage unit 353 in association with the image log together with the security level of the selected concealment condition. To do. FIG. 13 shows an example of the secret location information stored in the secret location storage unit 353. The secret location information of this embodiment has security level information for each secret location, and the security level of the matched secret conditions is entered. For example, in FIG. 13, when the concealment location where the encryption position is “gggg to hhhh” in the image log ID 001 is specified by the concealment condition of the keyword “YYY” illustrated in FIG. 11, the security level is “4”. "

  In step S1202, the encryption unit 314 encrypts the corresponding part of the image log according to the secret part information stored in the secret part storage part 353. Here, the encryption unit 314 of the present embodiment has different encryption keys for each security level, and encrypts the secret part using the encryption key corresponding to the security level.

  Next, the processing procedure of the image log display process in the log audit server 101 according to the second embodiment will be described with reference to the flowchart of FIG. Each step shown in the flowchart of FIG. 14 is realized by the CPU 211 of the log audit server 101 executing a program for realizing each functional unit shown in FIG. 3 stored in the ROM 212 or the HDD 214. Further, the CPU 211 uses the RAM 213 and the HDD 214 as a storage area as necessary.

  14 is obtained by changing step S805 to step S1401 and step S806 to step S1402 in the flowchart shown in FIG. The other steps in FIG. 8 that are the same as those in FIG. 8 are assigned the same numbers as in FIG.

  In step S1401, the decryption unit 315 has the viewing authority for the secret location selected in step S804 based on the audit level of the auditor acquired in step S803 and the security level information that can be browsed at the audit level. Determine whether or not. If there is a viewing authority, the decryption unit 315 advances the process to step S1402. If there is no viewing authority, the decryption unit 315 advances the processing to step S807.

  In step S1402, the decoding unit 315 decodes the corresponding part of the image log corresponding to the secret part selected in step S804 in the same manner as in step S806. Here, the decryption unit 315 of this embodiment has a decryption key corresponding to a different encryption key for each security level, and decrypts the encrypted secret part using the decryption key corresponding to the security level. To do.

  Here, an operation example of image log display in the present embodiment will be described. Assume that the image log of the document shown in FIG. 9A is encrypted under the confidentiality condition shown in FIG. In this case, the keywords “XXX” and “YYY”, “Yamada...” Corresponding to the personal name of the personal information, and “Nakahara-ku, Kawasaki City, Kanagawa Prefecture” corresponding to the address are the secret parts.

  An image displayed when the auditor “auditor_a” shown in FIG. 10A audits this image log will be described first. The auditor “auditor_a” has an audit level of 1, and according to FIG. Therefore, the auditor “auditor_a” decrypts and displays the security level 1 keyword “XXX” as shown in FIG.

  Next, an image displayed when the auditor “auditor_c” shown in FIG. 10A audits this image log will be described. The auditor “auditor_c” has an audit level of 1, and according to FIG. Therefore, the auditor “auditor_c” decrypts and displays the security level 1 keyword “XXX” and the security level 3 person name and address as shown in FIG. 15B.

  As described above, in the second embodiment, the security level for each concealment condition and the audit level for each inspector can be provided, and the disclosure and concealment of the concealed portion in the image log can be controlled more appropriately for the inspector. .

(Example 3)
Next, a third embodiment of the present invention will be described.

  In the present embodiment, in addition to the method of the second embodiment, the secrecy condition and the security level for each condition can be set for each user who executes the job. This is because the concealment condition and its importance may change depending on the rank and job type of the executing user. For example, people with high positions generally have many opportunities to handle important documents. In addition, even documents that are not so important and confidential do not want to be seen by auditors with low job titles (for example, a document that describes a golf competition or entertainment plan or schedule with executives or business partners) ) Is also considered to be handled. Further, as in the first and second embodiments, in a method in which only the contents of a document are determined for concealment, there is a possibility that concealment may leak due to erroneous determination of a concealed portion. For this reason, it is possible to reduce the leakage of confidentiality by applying higher security than usual to the image log of a user with a high postal position that is considered to handle more important documents.

  The network configuration, hardware configuration, and software configuration of the present embodiment are the same as those of the second embodiment. Here, only differences from the second embodiment except for those will be described.

  The concealment condition setting unit 302 receives the concealment condition for each job execution user and the setting of its security level from the system administrator, and stores them in the concealment condition storage unit 352. FIG. 16 shows an example of the concealment condition in the present embodiment. The example of FIG. 16 indicates that “ZZZ” is set at the security level 1 as a keyword condition for the user “user_a” in addition to the concealment condition for all job execution users. This means that in the case of a job executed by the user “user_a”, the keyword “ZZZ” is also set as a security level 1 secret object. Furthermore, the security level 2 is set for the entire image log for the user “user_b”, which means that the entire image log is a security level 2 concealment target.

  Next, a processing procedure of job log storage processing in the log audit server 101 according to the third embodiment will be described with reference to a flowchart of FIG. Each step shown in the flowchart of FIG. 17 is realized by the CPU 211 of the log audit server 101 executing a program that realizes each functional unit shown in FIG. 3 stored in the ROM 212 or the HDD 214. Further, the CPU 211 uses the RAM 213 and the HDD 214 as a storage area as necessary.

  In the process shown in FIG. 17, step S702 is changed to step S1702, step S705 is changed to step S1703, step S706 is changed to step S1704, and step S708 is changed to step S1705 in the flowchart shown in FIG. Further, the processing of FIG. 17 is added with step S1701, step S1706, and step S1707 in the flowchart shown in FIG. The other steps in FIG. 12 that are the same as those in FIG. 12 are given the same numbers as in FIG.

  In step S <b> 1701, the concealed part specifying unit 313 specifies the execution user of the job from the attribute information of the job log, and acquires only the concealment condition applied to the user from the concealment condition storage unit 352.

  In step S1702, the concealed part specifying unit 313 determines an end condition for the iterative process for the concealment condition acquired in step S1701. If the step in the repetition process is recorded as processed for the acquired all concealment conditions, the concealed part specifying unit 313 advances the process to step S1704. Otherwise, the concealed part specifying unit 313 selects one of the concealment conditions for which the step in the iterative process has not been performed, and advances the process to step S703.

  In step S1703, the concealed part specifying unit 313 records the selected concealment condition as processed, and returns the process to step S1702.

  In step S <b> 1704, the encryption unit 314 determines an end condition of the iterative process for all the concealed portions other than the entire concealment of the processing target image log stored in the concealed portion storage unit 353. If the steps in the iteration process are recorded as processed for all the concealed portions other than the entire concealment of the processing target image log stored in the concealed portion storage unit 353, the encryption unit 314 , The process proceeds to step S1706. If there is a secret part that has not been processed other than the whole secret, the encryption unit 314 selects one secret part that has not been subjected to a step in the iterative process, and advances the process to step S1202. For example, it is assumed that the secret location information stored in the secret location storage unit 353 is as shown in FIG. 18, and the image log to be processed is that of the image log ID001. In this case, the secret parts that are the targets of the repetitive processing in step S1704 are the places where the encrypted positions are “aaaa to bbbb” and the places where “gggg to hhhh”. A portion where the encryption position is “<whole>” represents encryption of the entire image log, and is not a processing target in step S1704.

  In step S1705, the encryption unit 314 records the selected secret part as processed, and returns the process to step S1704.

  In step S <b> 1706, the encryption unit 314 determines whether there is a secret portion of the processing target image log stored in the secret portion storage unit 353 for the entire image log. If there is a secret part that is the entire image log, the encryption unit 314 advances the processing to step S1707. If there is no secret part that is the entire image log, the encryption unit 314 advances the process to step S709. For example, as shown in FIG. 18, when there is “<whole>” as the encryption position of the image log ID 001, the entire image log is set to be encrypted with respect to the image log of the image log ID 001. The process proceeds to step S1707.

  In step S1707, the encryption unit 314 encrypts the image log using an encryption key corresponding to the security level for the entire image log stored in the secret location storage unit 353.

  Next, the processing procedure of the image log display process in the log audit server 101 according to the third embodiment will be described with reference to the flowchart of FIG. Each step shown in the flowchart of FIG. 19 is realized by the CPU 211 of the log audit server 101 executing a program for realizing each functional unit shown in FIG. 3 stored in the ROM 212 or the HDD 214. Further, the CPU 211 uses the RAM 213 and the HDD 214 as a storage area as necessary.

  The process of FIG. 19 is obtained by adding steps S1901 to S1904 to the flowchart shown in FIG. The other steps in FIG. 14 that are the same as those in FIG. 14 are given the same numbers as in FIG.

  In step S1901, the decryption unit 315 determines whether the entire image log has been encrypted for the display target image log from the secret location information acquired in step S802. If the entire image log has been encrypted, the decryption unit 315 advances the process to step S1902. If the entire image log has not been encrypted, the decryption unit 315 advances the process to step S804.

  In step S1902, the decryption unit 315 determines whether the entire image log can be decrypted based on the authority information of the auditor acquired in step S803. If decryption is possible, the decryption unit 315 advances the processing to step S1903. If the decryption cannot be performed, the decryption unit 315 advances the process to step S1904.

  In step S1903, the decryption unit 315 decrypts the entire image log with the decryption key corresponding to the security level set for the entire image log, and the process proceeds to step S804.

  In step S1904, the auditing unit 322 displays to the auditor that the image log is encrypted and cannot be viewed, and ends the image log display process.

  Next, an operation example of image log display in the present embodiment will be described. In the image log of the document shown in FIG. 9A, it is assumed that the concealment condition is as shown in FIG. 16, the execution user is “user_b”, and the personal information is not encrypted due to a misjudgment. Consider a case where the auditor “auditor_a” shown in FIG. 10A audits this image log. The auditor “auditor_a” has an audit level of 1, and according to FIG. Therefore, if there is no security level 2 concealment condition for the entire document “user_b” in FIG. 16, personal information that cannot be viewed by “auditor_a” is in a state that can be viewed as shown in FIG. Will be displayed. However, there is actually a security level 2 concealment condition for the entire “user_b” document, and the entire image log is encrypted at the security level 2. Therefore, it is displayed that the auditor “auditor_a” is not authorized to view the image log, and personal information is not leaked to the auditor “auditor_a”.

  As described above, in the third embodiment, the concealment condition can be changed for each execution user, and the concealment condition setting for encrypting the entire image log by the execution user even when there is an erroneous determination of the concealment portion. By doing so, it is possible to appropriately conceal information from the auditor.

Example 4
Next, a fourth embodiment of the present invention will be described.

  The present embodiment relates to a display screen for an auditor in the audit unit 322 of the log audit system according to the second or third embodiment, and only that portion will be described.

  FIG. 21 is an example of an audit screen displayed by the auditing unit 322 to the auditor in the present embodiment. This screen is a screen displaying a list of job log attribute information. As attribute information, a job log ID, an execution user, a job type, and an execution date are displayed in columns with the same name. In the image row, an icon 2101 for displaying an image log is displayed. In addition to these, in this embodiment, the number of concealed parts for each security level is displayed in the column of concealed parts so that the inspector can recognize the image log of each job log.

  In the concealed part column, 2111 is an icon indicating the number of concealed parts of security level 1. Similarly, 2112, 2113, and 2114 are icons indicating the number of concealed places at security levels 2, 3, and 4, respectively. For example, in the image log of the job log ID 101, the number of concealed parts at the security level 1 is 2, the number of concealed parts at the security level 2 is 1, and the number of concealed parts at the security level 3 is 1.

  With the display as described above, in the fourth embodiment, the inspector can easily grasp the presence / absence and the number of concealed portions that he / she cannot view. As a result, when auditing the image log, the auditor will not be confused about the parts that cannot be viewed, and if an accurate audit is required, it will promptly determine which audit level the auditor should request. Therefore, the audit work can be performed efficiently.

(Example 5)
Next, a fifth embodiment of the present invention will be described. In this embodiment, in the log audit system according to any one of the first to fourth embodiments, convenience is improved when an auditor with low audit authority requests an auditor with high audit authority to audit an image log. .

  An example of the software configuration of the log audit system of this embodiment is shown in FIG. Each processing unit and each storage unit illustrated in FIG. 22 is obtained by adding a notification unit 2201 to each processing unit and each storage unit illustrated in FIG. 3. For this reason, the same processing units and storage units as those in FIG. 3 are denoted by the same numbers as those in FIG.

  The auditing unit 322 of the present embodiment has a menu for making an audit request to an auditor who has higher audit authority than the user regarding the image log displayed to the auditor. When this menu is selected by the auditor, an instruction for making a request is given to the notification unit 2201.

  Further, the auditor information storage unit 351 further has a notification destination of each auditor (in this embodiment, it is an email address).

  In response to the instruction from the audit unit 322, the notification unit 2201 acquires the secret location information of the target image log from the secret location storage unit 353. Then, an auditor who can browse the target image log without limitation and a mail address of the notification destination are acquired from the auditor information storage unit 351, and an audit request for the target image log is transmitted by mail.

  As described above, in the fifth embodiment, it is possible to make an audit request to an auditor with high audit authority directly from the audit screen displayed by the auditing unit 322, so that the audit work of the image log can be performed more efficiently. it can.

  In addition, when Example 5 is combined with Example 4, instead of making the notified auditor an auditor with no viewing restriction, an auditor having higher audit authority than himself / herself may be selected from the list. good. As a result, it is possible to reduce unnecessary requests from higher-level auditors. Further, in the fourth embodiment, the level and number of concealment points that are normally inaccessible to the auditor are displayed, and there is a possibility of being misused by a malicious auditor. Therefore, the concealed part string is normally hidden and when displayed, the inspector 322 sends the concealed part string to the notifying part 2201 together with the name of the inspector who performed the operation. You may make it notify that it displayed.

(Other examples)
The audit unit 322 of the log audit system of the present invention may have a full text search function. At this time, when the full-text search function is executed and the word corresponding to the secret part is included in the search result, the auditor who executed the search does not have the authority to view the secret part, and corresponds to the secret part. You may make it exclude a word from a search result.

  In the embodiments described so far, text has been described as an example of the concealment target, but a figure or a table may be the concealment target. The concealment condition setting unit 302 can set a diagram or table as a concealment condition, and the image log processing unit 312 recognizes the diagram or table, so that the concealment of the diagram or table can be performed by the same processing as text. it can.

  Further, although not particularly specified in the embodiments so far, the wording to be concealed and the area to be actually concealed may be set separately. For example, a certain keyword may be set as a concealment condition, and the entire paragraph including the keyword may be set as a concealment area. Similarly, the entire page including a certain keyword may be concealed, or the entire document including personal information may be concealed.

301 Inspector Information Setting Unit 302 Concealment Condition Setting Unit 312 Image Log Processing Unit 313 Concealed Location Identification Unit 314 Encryption Unit 315 Decryption Unit 321 Auditor Authentication Unit 322 Auditing Unit

Claims (5)

A log audit system comprising: an image forming apparatus (102); and a log audit server (101) for auditing an image log of a document processed by the image forming apparatus,
The log audit server
Auditor information setting means (301) for setting the authentication information and authority of the auditor,
A concealment condition setting means (302) for setting a condition for specifying a portion to be concealed in the image log;
Text information extraction means (312) for extracting the text in the image log in association with the position information of the text from the image log;
In accordance with the conditions set by the concealment condition setting means, from the text information extracted by the text information extraction means, a concealment place specifying means (313) for specifying a concealment place in the image log,
An encryption unit (314) for encrypting a secret part specified by the secret part specifying unit and storing an image log;
An authentication means (321) for authenticating the auditor;
Decryption means (315) for decrypting the secret part encrypted by the encryption means in accordance with the authority of the auditor authenticated by the authentication means;
Audit means (322) for receiving a request from an inspector, searching an image log, and displaying the image log while masking and displaying a secret portion that has been encrypted without being decrypted by the decryption means. When,
A log audit system comprising: The concealment condition setting means (302) can further set a security level for each condition,
The secret part specifying means associates a security level corresponding to a corresponding condition for each specified secret part (313, S1201),
The encryption means encrypts the secret portion using a different key depending on the security level (314, S1202),
The decryption means decrypts a secret part encrypted using a different key according to the security level according to the authority of the auditor (315, S1402),
The log audit system according to claim 1. The concealment condition setting means (302) can further set a concealment condition and a security level for each condition for each user of the image forming apparatus,
The concealed part specifying means (313) specifies a concealed part in the image log using a concealment condition corresponding to a user related to the image log (S1701, S1702, S703),
The log audit system according to claim 2. The said audit | inspection means (322) displays the information regarding the number of the concealment location specified by the said concealment location specification means (2111, 2112, 2113, 2114), Any one of Claim 1 thru | or 3 characterized by the above-mentioned. The log audit system according to item 1. A notification means (2201) for notifying a predetermined auditor of an audit request;
The audit means (322) receives a request for an audit request from another inspector for a specific image log from an inspector who performs an audit, and instructs the notification means to notify. The log audit system according to any one of claims 1 to 4.