JP2007304762A - Image file management device, program and method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To store an image file recording print output in a form usable for both follow-up check and reuse. <P>SOLUTION: Print data is converted into a PDF format and further encrypted (S26). When reuse based on a browsing authority is permitted, a user password related to a print executing user is set as User Password. As Owner Password for setting a change authority, a password of a system manager is set. According to this, the print executing user can browse a log document related to his/her own printing, and the system manager can browse log documents related to printing by all users. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a technique for managing print output history information, and more particularly to a technique for managing an image file that can reproduce a print output.

  In companies and organizations that handle important confidential data, it may be necessary to manage the history of printing performed by the user in order to follow up when an information leakage accident occurs. In the history management, an image file representing a print text is stored together with print attribute information.

  Japanese Patent Application Laid-Open No. 2004-228561 discloses a technique for storing and storing all print data by printing all print data from a user via a print server. Patent Document 2 below describes that data is saved in a PDF (Portable Document Format) file format in consideration of a search during a follow-up survey.

  Patent Document 3 below discloses a technique for storing print data for the purpose of reuse such as recovery in case of abnormal printing or confirmation of a display screen of print data. The technique described in Patent Document 4 below is also for saving an image file in preparation for reuse. In this case, the image file is divided, stored in a plurality of image forming apparatuses, and password management is performed to limit the re-users and enhance the security.

JP 2003-330677 A JP 2004-118243 A JP 2000-56936 A JP 2004-291290 A

  In tracking and reuse, storing the image file itself is the same, but the required security level is different. That is, it is necessary to prevent general users including the printing user from changing the image file from the viewpoint of the follow-up survey. On the other hand, in the reuse, a setting that allows the printing user to use the image file is required. However, the techniques of Patent Documents 1 to 4 are only intended for one of them.

  In view of this, it is conceivable to construct a database in which image files are associated with print attribute information, etc., and perform management by the management server. However, the introduction of such a system usually requires high costs. In addition, it is desirable that consideration should be given to maintaining the security of the image file even when the image file flows through the network and leaks to the outside due to some trouble or unauthorized access.

  An object of the present invention is to store an image file for printing in a manner that can be used for both tracking and reuse.

  Another object of the present invention is to establish a technique for applying security settings to an image file for printing using a stepwise security function included in each image file.

  An image file management apparatus according to the present invention is configured to perform browsing protection setting based on a browsing password on an image file that records print output, and to restrict browsing authority of a user, and to change the password on the image file. A change restriction unit configured to perform change protection setting and restrict a user's change authority, wherein the browsing restriction unit and the change restriction unit use the security setting function built in the image file, and Configure change protection settings.

  The image file management apparatus can be constructed by hardware having a calculation function and software defining its operation. The image file management apparatus may be constructed as a centralized processing system using a single piece of hardware or as a distributed processing system using a plurality of communicable hardware. The image file management apparatus includes browsing restriction means and change restriction means. The browsing restriction means is a means for restricting the viewing authority for the image file, and the change restriction means is a means for restricting the changing authority for the image file.

  Here, the image file refers to a file including image data for recording a print output. The image data may be the same as the print data used for printing (or a copy thereof), or the data that has undergone data format conversion, resolution conversion, division, identification image synthesis, etc. It may be. In other words, if the image data is converted as necessary, the print data can be expressed completely, or a part of the print data can be expressed or expressed at a low resolution (that is, expressed approximately). It is data. The degree to which print data should be expressed is preferably set in consideration of the degree of reproducibility required for image data and the data capacity. For example, if reproducibility is important, print data The data should be fully expressible. The image data is typically described in a raster format, but can of course be described in other formats such as a vector format.

  The image file is formed in a file format with a built-in password security setting function. That is, the image file includes not only image data but also a security setting function, and is set so that it cannot be read or written unless an appropriate password is input. For example, such a security setting function is provided in a document file such as PDF or DocuWorks. If this security setting function is used, even if an image file is leaked to the outside or a third party, it is possible to prevent browsing and modification by an unauthorized user. Further, it is possible to execute security setting at each image file level without constructing a large-scale management system based on a database. If the print data is not originally generated in such a file format, format conversion must be performed. The format conversion may be performed by the image file management apparatus, or may be performed by a printer or other external apparatus.

  The browsing password is a password for acquiring browsing authority. In order to browse an image file for which browsing protection is set, browsing authority must be acquired using a browsing password. Similarly, the change password is a password for acquiring change authority. In order to change an image file for which change protection is set, change authority must be acquired using a change password. Here, having the viewing authority means having the authority to read an image file, and usually allows screen display, printing, copying, and the like. Also, having the change authority means having the authority to change the state of the image file, and normally, it becomes possible to perform writing or erasing. The change authority is stronger than the browsing authority. Therefore, normally, a person who has been given the authority to change is also permitted to browse.

  According to this configuration, restriction of viewing authority and restriction of change authority are performed on the image data for reproducing the print output. For this reason, a person who has the viewing authority can reuse the image file for reprinting or display display. In addition, by performing the change authority, the image file can be used for the follow-up investigation at the time of secret leakage.

  An image file for which browsing authority setting or changing authority setting is (or has been) performed is stored in a storage device such as a semiconductor memory or a hard disk. This storage device may be built in the image file management device or provided externally. In addition, the image file management apparatus may be constructed as a printer or a multi-function peripheral (equipment provided with an image processing function such as a scanner in addition to a printer) having a built-in image forming function.

  In one aspect of the image file management apparatus of the present invention, the browsing password is data that can be grasped by the printing execution user, and thereby the browsing authority is given to the execution user. For example, in one aspect of the image file management apparatus of the present invention, the browsing password is data set in advance by the print execution user. Examples of data set in advance include a user login password, a secret key in the user's public key cryptosystem, and a character string pre-registered by the user. In the image file management apparatus according to the aspect of the invention, the browsing password is data set by the printing execution user when printing is performed. The data set at the time of printing is typically sent to the image forming apparatus as a print command such as a job ticket, and further transmitted to the image file management apparatus. Furthermore, in one aspect of the image file management apparatus of the present invention, the browsing password is a password used by the printing execution user to cancel browsing protection settings for the printing target and acquire browsing authority. . That is, any user who can view the original electronic file (file such as a document or an image) that has become print data can view the image file.

  In one aspect of the image file management apparatus of the present invention, the browsing password is data that cannot be grasped by the printing execution user, whereby the browsing user is not granted the browsing authority. In this case, generally, other users cannot grasp the browsing password, and thus the browsing authority of all users is limited. Examples of data that cannot be grasped by all users include data randomly generated by an image file management device or the like, a password of a management user (also called a privileged user or administrator) of the image file management device, or the like. .

  In one aspect of the image file management apparatus of the present invention, the change password is data that can be grasped by a management user of the image file management apparatus, and thereby the change authority is given to the management user. The password grasped by the management user is normally secretly managed for general users. Therefore, a setting that does not give a change authority to a general user is possible. In addition, since the image file can be browsed if the user has the change authority, the management user can browse the image files related to printing by all users. Therefore, it is particularly useful for the follow-up investigation at the time of secret leakage.

  In one aspect of the image file management apparatus of the present invention, the change password is data that cannot be grasped by a management user of the image file management apparatus, and accordingly, the change authority is not given to the management user. That is, even a management user cannot acquire change authority. As a result, the security of the image file can be increased.

  In one aspect of the image file management apparatus of the present invention, the browsing password is data that can be grasped by a management user of the image file management apparatus, and thereby the browsing authority is given to the management user. That is, it is impossible for anyone other than the management user to view the image file, and extremely high security is achieved.

  In one aspect of the image file management apparatus of the present invention, there is provided switching means for switching data adopted as the browsing password or data adopted as the change password. That is, two or more data candidates to be employed as passwords are prepared, and switching is performed according to user designation or programmed settings. Examples of data to be switched include the various data exemplified above. The switching is typically performed with an administrative user authority. For example, when switching is performed in a password grasped by the executing user, the switching may be performed with the user authority.

  In an aspect of the image file management apparatus of the present invention, the switching by the switching unit is performed based on attribute information about the printing. Attribute information about printing is a wide range of information related to printing. Specifically, the origin information of print data (whether it is based on a scanned electronic document, scanned, or stored electronic document) Such as whether the security setting has been made) and information on the user who executes printing (eg, the group to which the computer belongs, the actual department to which the computer belongs), and the like. That is, the print information is analyzed, and what kind of password setting is to be performed is determined according to preset criteria. The standard should be set in consideration of the need for follow-up and the need for reuse.

  FIG. 1 is a diagram illustrating a configuration example of a system according to the present embodiment. This system includes a client PC (personal computer) 10, a log storage shared folder 12, and a multifunction device 16, which are connected by a network 14 such as the Internet.

  The client PC 10 is a PC that a general user uses on a daily basis. The client PC 10 issues a print instruction 40 to the multifunction device 16 using a job ticket. Further, the client PC 10 can access the log document stored in the log storage shared folder 12 and perform the log document reference 44 when authorized. Here, the log document is a PDF file containing image data for recording print results made in the past. The log storage shared folder 12 is constructed using a storage device. The log storage shared folder 12 receives a log document for printing from the multi-function device 16 and performs log document storage 42.

  The multifunction device 16 is a device having a printing function and a scanning function. The multifunction device 16 includes a communication interface (I / F) 18, a job ticket analysis unit 20, an image drawing unit 22, an IOT unit 24, a copy instruction unit 26, an image reading unit 28, an image processing unit 30, and a log document generation unit 32. In addition, an encryption processing unit 34 is provided. A communication interface (I / F) 18 is a network interface, and transmits and receives data to and from the client PC 10 and the log storage shared folder 12. The job ticket analysis unit 20 analyzes a job ticket according to the print instruction 40. Specifically, the job ticket analysis unit 20 acquires print setting information such as information for specifying an electronic document to be printed, print number setting information, and duplex printing setting information by analysis. Also, the job ticket analysis unit 20 acquires the log document encryption password specified in the job ticket and outputs it to the log document generation unit 32. The image drawing unit 22 converts the electronic document to be printed to generate print data, and outputs the print data to the IOT unit 24 and the log document generation unit 32. Then, the IOT unit 24 performs printing based on the input print data and outputs paper.

  The copy instruction unit 26 is constructed using the user interface of the multifunction device 16. The user inputs a password into the copy instruction unit 26 and logs in, and inputs a copy instruction for the set paper. The image reading unit 28 includes a scanner, and reads a set sheet to generate a scanned image. The image processing unit 30 converts the scanned image into print data that matches the print settings, and outputs the print data to the IOT unit 24.

  The log document generation unit 32 receives the print data generated by the image drawing unit 22 or the image processing unit 30 and generates a PDF-format log document. Specifically, the log document generation unit 32 first encrypts the print data using the encryption processing unit 34. Next, the password input from the job ticket analysis unit 20 or the copy instruction unit 26 is set as UserPassword in the PDF file, and browsing prohibition setting is performed. In addition, the password of the system administrator registered in advance in the MFP is set as OwnerPassword, and change prohibition setting is performed. The log document generated in this way is transmitted to the log storage shared folder 12 via the communication I / F 18 and stored.

  Next, the flow of processing in this system will be described using the flowchart of FIG. When printing an electronic document, a print job is input from the client PC 10 to the multifunction device 16 (S10). The input of the print job is performed by transmitting an electronic document to be printed and a job ticket in which a print instruction setting and a password for encoding are written to the multifunction device 16. The job ticket analysis unit 20 analyzes the job ticket, and the image drawing unit 22 converts the electronic document data as necessary to generate print data.

  On the other hand, when copying is performed, that is, when continuous processing including scanning and printing is performed, a copy instruction is input from the copy instruction unit 26 by the logged-in user (S16). The image reading unit 28 reads a pattern written on a sheet to create a scanned image (S18), and the image processing unit 30 performs image processing for generating print data from the scanned image (S20).

  The log document generating unit 32 inputs print data (S22), and further acquires attribute information related to printing of the print data (S24). The acquired attribute information is information that should be saved together with the print data, such as print time information, print execution user information, and print setting information. The print data is converted into an encrypted PDF document by the encryption processing unit 34 (S26).

  Subsequently, it is determined whether or not the print execution user is allowed to reuse the print data (S28). This determination is made based on settings made in advance by the administrator. When re-use is permitted, the password acquired from the job ticket analysis unit 20 or the copy instruction unit 26 is set as the UserPassword in the encrypted PDF file. Thereby, browsing by the print execution user becomes possible. On the other hand, when the reuse is not permitted, a random character string is secretly generated (S32), and this random character string is set as UserPassword (S34). As a result, browsing by the print execution user becomes impossible. In the encrypted PDF document, the administrator password is set as OwnerPassword (S36). Thereby, the administrator can change and view the document. Further, the log document generation unit 32 sets information necessary for tracking investigation, such as a print execution user name, an original electronic document name, and a print date and time, in the document properties of the PDF document based on the print attributes acquired in step S24. To do. Thus, a log document is generated (S38) and stored in the log storage shared folder 12 (S40). The saved log document is given a character string that clearly indicates the print execution user name and print time information as the file name. In addition, read-only setting is made as a security attribute on the file system in the log storage shared folder 12. On the other hand, the IOT unit 24 performs printing based on the print data, and outputs the print result (S42).

  Here, a mode in which the print execution user reuses an electronic document printed in the past will be described. In this case, the user accesses the log storage shared folder 12 from the client PC 10, searches for and extracts a log document containing his / her user name, and opens it with a PDF viewer. However, in order to open a log document, the viewing authority must be acquired. Therefore, in response to an inquiry from the PDF viewer, the password set at the time of printing and the login password at the time of copying are input. When the opened log document is printed again, the same processing as the previous time is performed. If an attempt is made to view a log document related to another person's printing, the log document cannot be opened because a correct password cannot be entered. Even if the log document is related to its own printing, if a random character string is set as the UserPassword, the user cannot input the correct password and cannot open the log document. Furthermore, the user cannot change the log document unless the administrator password is input as OwnerPassword. As described above, the log document has sufficient security to be used for the follow-up survey. In addition, since the log document itself is protected by a password, even if the log document is intercepted during transfer or an unauthorized access is attempted, the log document can be kept secret.

  Next, the implementation of a follow-up survey when an information leakage incident occurs will be described. In this case, the system administrator can open all log documents by inputting the administrator password. Therefore, even if the user password set by the executing user is not grasped, the system administrator can perform a follow-up survey.

  In the above description, the log document is created inside the multifunction device 16. However, the log document may be created by a device different from the multifunction device 16 (or printer) such as a print server. In addition, the system configuration can be variously changed, for example, log storage is performed in the multifunction device 16 instead of the log storage shared folder 12. In addition to this, the password can be set in various ways. For example, it is also effective to set UserPassword as an administrator password and OwnerPassword as a random character string generated by the multifunction device. In this case, the general user is prohibited from browsing the log document, and the system administrator is permitted only the browsing authority and is not allowed to change the log document. Therefore, even a system administrator cannot tamper with log documents, and log document management with improved originality and reliability is realized.

  Here, the description has been made assuming that PDF is used as the file format of the log document. However, even with a file format such as DocuWorks, the same effect can be obtained because the change authority and the view authority can be set with different passwords as in the case of PDF.

It is a block diagram explaining a system configuration example. It is a flowchart which shows the flow of log document preparation.

Explanation of symbols

  10 client PC, 12 log storage shared folder, 14 network, 16 multifunction device, 18 communication I / F, 20 job ticket analysis unit, 22 image drawing unit, 24 IOT unit, 26 copy instruction unit, 28 image reading unit, 30 image Processing unit, 32 log document generation unit, 34 encryption processing unit, 40 print instruction, 42 log document storage, 44 log document reference.

Claims (13)

Browsing restriction means for performing browsing protection setting with a browsing password on the image file that records the output of printing and limiting the browsing authority of the user,
Change restriction means for performing change protection setting with a change password for the image file and restricting a user's change authority;
With
The image file management apparatus, wherein the browsing restriction unit and the change restriction unit perform the browsing protection setting and the change protection setting using a security setting function built in the image file. The image file management device according to claim 1,
The browsing password is data that can be grasped by an execution user of the printing, and thereby the browsing authority is given to the execution user. The image file management apparatus according to claim 2,
The image file management apparatus, wherein the browsing password is data preset by a user who executes the printing. The image file management apparatus according to claim 2,
The image file management apparatus, wherein the browsing password is data set by a user who executes the printing at the time of printing. The image file management apparatus according to claim 2,
The image password management apparatus, wherein the browsing password is a password used by the printing execution user to cancel browsing protection settings for the printing target and acquire browsing authority. The image file management device according to claim 1,
The browsing password is data that cannot be grasped by an execution user of the printing, and accordingly, the browsing authority is not given to the execution user. The image file management apparatus according to any one of claims 1 to 6,
The change password is data that can be grasped by a management user of the image file management apparatus, whereby the change authority is given to the management user. The image file management device according to claim 1,
The change password is data that cannot be grasped by a management user of the image file management apparatus, and accordingly, the change authority is not given to the management user. The image file management apparatus according to claim 8, wherein
The browsing password is data that can be grasped by a management user of the image file management apparatus, whereby the browsing authority is given to the management user. The image file management device according to claim 1,
An image file management apparatus comprising switching means for switching data adopted as the browsing password or data adopted as the change password. The image file management apparatus according to claim 10, wherein
The switching by the switching unit is performed based on attribute information relating to the printing. Against the computer
Browsing restriction means for performing browsing protection setting with a browsing password on the image file that records the output of printing and limiting the browsing authority of the user,
Change restriction means for performing change protection setting with a change password for the image file and restricting a user's change authority;
A program for executing
The image file management program, wherein the browsing restriction unit and the change restriction unit perform the browsing protection setting and the change protection setting using a security setting function built in the image file. A method performed by a computer,
For the image file that records the print output, set the browsing protection by browsing password and limit the browsing authority of the user,
A change restriction procedure for making a change protection setting with a change password for the image file and restricting the change authority of the user,
Including
In the browsing restriction procedure and the change restriction procedure, the browsing protection setting and the change protection setting are performed using a security setting function built in the image file.

Images