JP6226736B2 - Information processing apparatus, control method, and program - Google Patents

Description

  The present invention relates to an information processing apparatus, a control method, and a program for managing security information.

  In recent years, an increasing number of companies have introduced security policies in order to increase the security of office networks. Japanese Patent Application Laid-Open No. 2004-228561 describes that a user designates a security level and sets a setting value of a security function setting item for the security level.

  Generally, when managing a network device security policy with a network device management device, edit the security policy with the network device management device, check the settings, and then move to the network device under the management of the network device management device. To deliver.

JP 2007-185814 A

  However, when the setting information is changed due to a review of the security policy, etc. on the specified network device, the network device management device does not support the version of the security policy whose setting information has been changed, such as when the change is made There is. In such a case, the network device management apparatus may not be able to edit because it does not manage setting items for changes (for example, extensions).

  In view of the above points, an object of the present invention is to provide an information processing apparatus, a control method, and a program that display an appropriate editing screen of setting information according to a version to be edited.

  In order to solve the above problems, an information processing apparatus according to the present invention is an information processing apparatus capable of communicating with a network device, and includes an accepting unit that accepts editing of a file including a plurality of setting items, In response to the reception, a determination unit that determines whether the information processing apparatus supports versions corresponding to a plurality of setting items included in the file, and a plurality of settings included in the file by the determination unit When it is determined that the information processing apparatus supports a version corresponding to an item, the file editing screen is displayed on the display unit of the information processing apparatus, and a plurality of setting items included in the file are displayed. If it is determined that the information processing apparatus does not support the corresponding version, the network that supports the version Using an editing screen data displayed processed by chromatography click device, characterized in that it comprises a display control means for displaying an editing screen of the file on the display unit of the information processing apparatus.

  According to the present invention, it is possible to display an appropriate editing screen for setting information in accordance with the version to be edited.

It is a figure which shows the structure of a network equipment management system. It is a figure which shows the software structure of a network device management system. It is a figure which shows each table for managing setting information. It is a figure which shows each table for managing setting information. It is a figure which shows the procedure of the display control process of the edit screen of setting information. It is a figure which shows an example of the selection screen displayed by S501. It is a figure which shows an example of the selection screen of a network device. It is a figure which shows an example of the edit screen displayed by S516. It is a figure which shows an example of the edit screen displayed by S510.

  Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. The following embodiments do not limit the present invention according to the claims, and all combinations of features described in the embodiments are not necessarily essential to the solution means of the present invention. . The same constituent elements are denoted by the same reference numerals, and the description thereof is omitted.

  FIG. 1 is a diagram showing a configuration of a network device management system according to an embodiment of the present invention. As shown in FIG. 1, the system 1 includes an application server 100, a client terminal 120, and an MFP 130. The application server 100, the client terminal 120, and the MFP 130 are connected via a network 150 so that they can communicate with each other. The network 150 may be a wired network such as a LAN or a wireless network capable of wireless communication. The application server 100 manages each device connected to the network 150. As management, for example, the application server 100 edits security-related setting information applicable to each device connected to the network 150, and distributes the edited setting content to the setting target device. Hereinafter, the devices connected to the network 150 are collectively referred to as “network devices”.

  The security-related setting information is general information that can be used in the system 1 for the purpose of protecting user information and the like, and is, for example, setting information about whether or not user authentication is possible and a login time limit. There are a wide variety of security-related setting information that can be applied to each network device of the system 1, and in this embodiment, the information is classified into categories according to the version of firmware installed in the network device. For example, when the firmware version is Ver1.00, setting information of a category of “user authentication and password setting” including guest account prohibition and login time limit can be set. In addition, in the case of Ver 1.10, setting information of a network category including a firewall setting can be set in addition to a category of “user authentication and password setting”. In the present embodiment, categories that can be set are associated with firmware versions of network devices, and such association is referred to as a security policy (SP).

  The MFP 130 is a so-called multi-function peripheral device in which multi-functions such as a scan function, a FAX function, and a print function are integrated. In the system 1, the application server 100 can edit the setting information of the security policy corresponding to the firmware version designated by the user, and distribute (transmit) the edited setting information to the network device to be distributed (transmitted). . In FIG. 1, an MFP 130 is shown as a network device. The MFP 130 can receive the edited security policy setting information from the application server 100 and set it in its own apparatus. In FIG. 1, the client terminal 120 and the MFP 130 are shown as network devices, but a single-function device such as a printer or a FAX may be further connected to the network 150 as a network device.

  The client terminal 120 can request an application service by accessing the application server 100 through an HTTP request or the like. The application server 100 and the client terminal 120 are configured by, for example, a general-purpose PC (information processing apparatus). Hereinafter, the hardware configuration of the application server 100 will be described. However, since the client terminal 120 also corresponds to the description of the application server 100, the description of the client terminal 120 is omitted.

  The CPU 101 executes an application program (hereinafter referred to as an application) stored in an external memory 110 such as a ROM 103 or a hard disk (HDD) to control the application server 100 in an integrated manner. Further, the CPU 101 displays a user interface screen such as an editing screen on the display 109 (display unit). In the present embodiment, the CPU 101 can display a security policy setting information editing screen on the display 109. In addition, the user can input instructions such as editing contents registration by using the keyboard 108 or a cursor operation on the editing screen.

  The RAM 102 is used as a main memory or work area for the CPU 101. The ROM 103 is a read-only memory used as a storage area for basic I / O programs and the like. The ROM 103 or the external memory 110 stores an operating system (OS), various files and data used for application processing, a control program for realizing the operation of the present embodiment, and the like. The ROM 103 or the external memory 110 may also store a boot program, various applications, user files, edit files, and the like. The network I / F 104 connects the application server 100 to the network 150 and enables communication with other devices on the network 150.

  A keyboard I / F 105 controls access between the keyboard 108 and a pointing device (not shown) and the system bus 111. The display I / F 106 controls access between the display 109 and the system bus 111. The external memory I / F 107 controls access between the external memory 110 and the system bus 111. The system bus 111 connects the CPU 101 to the external memory I / F 107 so that they can communicate with each other.

  The application server 100 operates when the CPU 101 executes a basic I / O program and an OS stored in the ROM 103 or the external memory 110. When the application server 100 is powered on, the OS is read from the ROM 103 or the external memory 110 to the RAM 102 and executed by the initial program load function of the basic I / O program.

  Next, the hardware configuration of the MFP 130 will be described. A network I / F 131 connects the MFP 130 to the network 150 and enables communication with other devices on the network 150. The CPU 132 reads out the program stored in the ROM 134 or the external memory 142 to the RAM 133 and executes it, and controls the MFP 130 in an integrated manner. The ROM 134 or the external memory 142 stores a control program for realizing the operation of the present embodiment.

  The CPU 132 can communicate with the client terminal 120 via the network I / F 131 and can transmit device information of the MFP 130 to the application server 100. The device information is, for example, state information unique to the MFP 130 or security policy setting information set in the MFP 130.

  The RAM 133 is used as a main memory or work area of the CPU 132, and the memory capacity can be expanded by an optional RAM that can be connected to an expansion port (not shown). The RAM 133 is also used as an output information expansion area, environmental data storage area, NVRAM, and the like. The ROM 134 is a read-only memory, and the external memory 142 is configured by an HDD, an IC card, or the like. The ROM 134 or the external memory 142 stores applications, control programs, font data used when generating output information, other information used in the operation of the MFP 130, and the like.

  The operation unit I / F 135 controls access between the operation unit 136 and the system bus 143. For example, the operation unit I / F 135 outputs edit screen data for displaying an edit screen of security policy setting information to the operation unit 136 under the control of the CPU 132. Further, the operation unit I / F 135 outputs operation information input from the user via the operation unit 136 to the system bus 143. The operation unit 136 includes an operation panel provided with hard keys, LED displays, and the like, and accepts execution instructions for each function from the user.

  The printer I / F 138 controls access between the printer 138 and the system bus 143. For example, the printer I / F 138 outputs image data to be printed to the printer 138 under the control of the CPU 132. The printer 138 is a printer engine and includes an image processing unit that performs image processing on image data and a printing mechanism such as a recording head. The scanner I / F 139 controls access between the scanner 138 and the system bus 143. For example, the scanner I / F 139 inputs read data obtained by optically reading a document by the scanner 138 under the control of the CPU 132 and outputs the read data to the system bus 143.

  An external memory I / F 141 (memory controller) controls access between the external memory 142 and the system bus 143. For example, the external memory I / F 141 controls writing / reading of data to / from the external memory 142 from other blocks connected to the system bus 143. The external memory 142 may be one or more, and is configured such that an optional font card for adding to the built-in font and a plurality of external memories 142 storing programs for interpreting printer control languages having different language systems can be connected. Also good. The MFP 130 may include an NVRAM (not shown), and may store print mode setting information from the operation unit 136, for example. The system bus 143 connects the network I / F 131 to the operation unit I / F 135, the printer I / F 137, the scanner I / F 139, and the external memory I / F 141 so that they can communicate with each other.

  FIG. 2 is a diagram illustrating a software configuration of the network device management system 1. First, the software configuration of the application server 100 will be described. Each module of the application server 100 is stored in the external memory 110 in a file format. These files are loaded into the RAM 102 and executed by the CPU 101 when called from the OS or other modules. The network device management application 202 is stored in a CD-ROM (not shown) in the external memory 110 or stored in the external memory 110 via the network 150.

  The network module 200 communicates with other network devices such as the client terminal 120 and the MFP 150 via the network 150 using an arbitrary communication protocol. For example, when receiving an HTTP request for requesting a predetermined application service from the Web browser 221 of the client terminal 120, the Web server service module 201 responds with an HTTP response. The Web server service module 201 can also return Web page data stored in the external memory 110 as an HTTP response. Here, the HTTP response may be generated by a request from the UI module 203 of the network device management application 202.

  The network device management application 202 is an application for managing network devices such as the MFP 130 connected to the application server 100 via the network 150. For example, the network device management application 202 starts processing in response to a request for a Web page provided by the Web server service module 201. As described above, the network device management application 202 can provide a Web application service for managing network devices such as the MFP 130 in cooperation with the Web server service module 201.

  In the present embodiment, the network device management application 202 edits the setting value of the security policy setting information of each network device, and distributes the edited setting information to each network device. The network device management application 202 can also display an edit screen on the application server 100 using the edit screen information of other network devices, even for setting information of a version that is not supported. The edit screen information is, for example, drawing data (edit screen data) used for display processing of the edit screen. The unsupported version is, for example, a version (released later) that is newer than the version of the security policy currently supported.

  The UI module 203 of the network device management application 202 generates an HTTP response in response to a request from the Web server service module 201. The UI module 203 receives user input information transmitted from the Web browser 221 of the client terminal 120 and calls other modules such as the search module 204 and the security policy management module 205 as necessary.

  The search module 204 searches for a network device such as the MFP 130 connected to the application server 100 via the network 150 using an arbitrary communication protocol. The search module 204 performs a search using, for example, SNMP (Simple Network Management Protocol) or SLP (Service Location Protocol). In the search, other communication protocols such as WS-Discovery (Web Services Dynamic Discovery) may be used. For example, when searching for the MFP 130, the search module 204 acquires device information from the MFP 130 and stores it in the network device management table 301 of the database server service module 206 described later. Further, the application server 100 stores its own device information in the application server management table 300.

  The SP management module 205 acquires security policy setting information (SP setting information) from a network device such as the MFP 130. The SP management module 205 has an SP setting information editing function, and also has a function of distributing the SP setting information to a network device such as the MFP 130. The SP setting information editing function is a function for creating display data for an editing screen for editing SP setting information and displaying the editing screen on the display 109 based on the display data. As already described, items of security policy setting information differ depending on each version. For example, the predetermined version of the security policy includes guest account prohibition settings, password cache prohibition settings, initial password change forced settings, and the like as setting items. The network device management application 202 can display an edit screen on the display 109 for security policy versions that it can support. The SP management module 205 can dynamically update the management table for managing the network device shown in FIG. 3 according to the SPVer identifier included in the SP setting information acquired from the network device such as the MFP 130.

  The database server service module 206 manages each table shown in FIGS. 3 and 4 to be described later, and stores / retrieves the table in response to a request from another module. In FIG. 2, the database server service module 206 is configured in the application server 100, but may be configured in a device different from the application server 100 as long as it can be accessed from the network device management application 202.

  Next, the software configuration of the client terminal 120 will be described. Each module of the client terminal 120 is stored in the ROM 103 or the external memory 110 of the client terminal 120 in a file format. When called from the OS or other modules, these files are loaded into the RAM 102 of the client terminal 120 and executed by the CPU 101 of the client terminal 120.

  The network module 220 communicates with other network devices such as the application server 100 and the MFP 130 via the network 150 using an arbitrary communication protocol. For example, the Web browser 221 transmits an HTTP request to the application server 100 via the network module 220 and receives an HTTP response from the application server 100.

  Next, the software configuration of the MFP 130 will be described. Each module of the MFP 130 is stored in the ROM 134 or the external memory 142 in a file format, and is loaded into the RAM 133 by the CPU 132 and executed. The network module 230 communicates with other network devices such as the application server 100 and the client terminal 120 via the network 150 using an arbitrary communication protocol.

  The SP management module 231 manages SP setting information of the MFP 130. The SP management module 231 receives the SP setting information distributed from the SP management module 205 of the network device management application 202 via the network module 230, and sets the setting information in its own apparatus. Further, the SP management module 231 transmits the SP setting information of its own device to the application server 100 in response to a request from the SP management module 205 of the network device management application 202. Further, when the SP management module 231 has an SP setting information editing function, the SP management information editing function is sent to the application server 100 in response to the SP setting information editing function usage request from the SP management module 205. provide.

  The SP setting information editing function creates drawing data (editing screen data) used for display processing of an editing screen for editing SP setting information, and displays the editing screen on the operation unit 136 based on the display data. It is a function to do. When the MFP 130 has an SP setting information editing function and receives an SP setting information editing function use request from the application server 100, the drawing data of the editing screen is transmitted to the application server 100. The UI module 232 creates drawing data of a user interface screen (editing screen) displayed on the operation unit 136 of the MFP 130. Also, the UI module 232 creates drawing data in response to reception of a user operation on a user interface screen displayed on the operation unit 136 or remotely displayed on the application server 100.

  As described above, in this embodiment, when the MFP 130 receives an editing function use request from the application server 100, drawing data of an editing screen displayed on the MFP 130 is transmitted to the application server 100. When a user operation is performed on the display 109 of the application server 100, drawing data corresponding to the operation is returned to the MFP 130, and a remote operation as if the user operation is performed on the MFP 130 is realized. . As a result, the application server 100 can edit the setting information of the version that cannot be supported by the self-apparatus by the remote display function of the editing screen on the MFP 130.

  FIG. 3 and FIG. 4 are diagrams showing an example of each table stored in the database server service module 206. An application server management table 300 shown in FIG. 3A is a table for managing setting information about the application server 100. The application server management table 300 includes an application server identifier, a computer name, a system name, an IP address, an administrator, and an SPver identifier as items.

  The application server identifier is an identifier for uniquely identifying the application server 100. The computer name is the name of the application server 100, and the system name is the name of the system in which the application server 100 is used. The IP address is the IP address of the application server 100, and the administrator is the name of the administrator of the application server 100. The SPVer identifier indicates a security policy version that can be supported. In FIG. 3A, the SPVer identifier is “2”, which indicates that the version of the security policy supported by the application server 100 is “2”.

  A network device management table 301 shown in FIG. 3B is a table for managing information on network devices to be managed by the network device management application 202. The network device management table 301 includes, as items, a network device identifier, a device name, a product name, an IP address, a serial number, an installation location, an administrator, an SPVer identifier, and the presence or absence of an SP editing function. In FIG. 3B, only the multi-function peripheral device is shown as a management target, but other types of network devices such as a single-function device may be included. In the following description, the network device is described as the MFP 130.

  The network device identifier is an identifier for uniquely identifying the MFP 130. The device name is the name of the MFP 130, and the product name is the product name of the MFP 130. The IP address is the IP address of the MFP 130, and the serial number indicates identification information unique to the apparatus such as a MAC address. The installation location is a location where the MFP 130 is installed, and the administrator is the name of the administrator of the MFP 130. The SPVer identifier indicates a security policy version that can be supported. For example, the SPVer identifier of MFPA in FIG. 3B is “1”, which indicates that the version of the security policy set in MFPA is “1”. The SP editing function is information indicating the presence / absence of the above-described SP setting information editing function for each MFP. For example, the application server 100 may collect and acquire information on the presence or absence of the SP editing function as device information from each network device at regular intervals.

  The SP management table 302 shown in FIG. 3C is a table for managing each security policy. The SP management table 302 includes SP identifier, SP name, SPVer identifier, SP setting identifier, and last update date / time as items.

  The SP identifier is an identifier for uniquely identifying each security policy. The SP name is a name assigned to the security policy. The SPVer identifier indicates a security policy version. The SPVer identifier is used when identifying the setting management table of each version of the security policy shown in FIGS. The SP setting identifier is an identifier for uniquely identifying the setting contents in each setting management table identified by the SPVer identifier. For example, the setting content of “Security policy for building A” is identified by the SPVer identifier “1” and the SP setting identifier “1”. That is, “Guest account prohibited: FALSE to forced audit log: FALSE” at the top of FIG. The last update date and time is the date and time when the information about the security policy with the corresponding name was last updated.

  4A to 4C are tables showing setting information corresponding to each version of the security policy. The SPv1 management table 400 shown in FIG. 4A is a table for managing security policy setting information corresponding to version v1. The SPv1 management table 400 includes SP setting identifier, SPVer, guest account prohibition, password cache prohibition, initial password change forcing, plaintext authentication prohibition, SNMPv1 prohibition, and audit log forcing as items.

  The SP setting identifier corresponds to the SP setting identifier in FIG. SPVer indicates the version of the security policy, and FIG. 4 shows the subversion information. Guest account prohibition to audit log forcing are examples of general security items. For example, when the guest account prohibition is set as “TRUE”, login with the guest account is prohibited. As shown in FIG. 4A, the setting contents of the setting information can be uniquely identified by the SP setting identifier even when the version of the security policy is v1.

  The SPv2 management table 401 shown in FIG. 4B is a table for managing security policy setting information corresponding to version v2. The SPv2 management table 401 includes, as items, an SP setting identifier, SPVer, guest account prohibition, password cache prohibition, initial password change forcing, login expiration valid, password complexity, plain text authentication prohibition, SNMPv1 prohibition, and audit log forcing. The SP setting identifier and SPVer are the same as those described with reference to FIG. Guest account prohibition to audit log forcing are examples of general security items. However, items of valid login period and complexity of password are added to the SPv1 management table 400.

  The SPv3 management table 402 shown in FIG. 4C is a table for managing security policy setting information corresponding to version v3. The SVv3 management table 402 includes SP setting identifier, SPVer, guest account prohibition, password cache prohibition, and initial password change forcing as items. Also included are items such as valid login period, password complexity, plaintext authentication prohibited, SNMPv1 prohibited, firewall forced, SNTP forced, weak encryption prohibited, and audit log forced. The SP setting identifier and SPVer are the same as those described with reference to FIG. Guest account prohibition to audit log forcing are examples of general security items. However, items of firewall forcing, SNTP forcing, and weak encryption prohibition are added to the SPv2 management table 401.

  As shown in FIGS. 4A to 4C, as the version of the security policy increases, the setting items of the SP setting information are expanded, and the setting contents can be changed. Each of the tables in FIGS. 4A to 4C may be created from device information transmitted from a network device such as the MFP 130, or may be newly created based on the existing SPv1 management table 400 to SPv3 management table 402. May be created automatically.

  An SP distribution task management table 403 shown in FIG. 4D is a table for managing distribution task information for distributing SP setting information to network devices such as the MFP 130. The SP distribution task management table 306 includes a task identifier, a task name, an execution date, a task state, a network device identifier, and an SP identifier as items. The task identifier is an identifier for uniquely identifying the distribution task, and the task name is the name of the distribution task. The execution date / time indicates the distribution execution scheduled date / time of the distribution task or the distribution execution date / time. The task state indicates the state of transmission processing (distribution processing) for the network device corresponding to the distribution task. For example, it indicates that transmission processing has been completed for the network device corresponding to SP distribution task 1, and that network processing corresponding to SP distribution tasks 3 and 4 is waiting for transmission processing. . The network device identifier is an identifier for uniquely identifying a network device to be distributed, and an IP address or the like may be used. The SP identifier is an identifier for uniquely identifying each security policy, as in FIG.

  FIG. 5 is a flowchart showing the procedure of display control processing of the SP setting information editing screen. Each process illustrated in FIG. 5 is realized, for example, when the CPU 101 of the application server 100 reads a control program from the ROM 103 into the RAM 102 and executes it.

  In S500, the SP management module 205 of the network device management application 202 acquires the setting information of the SP management table 302 and the SPv1 management table 400 to the SPv3 management table 402 from the database server service module 206. In step S501, the SP management module 205 displays a selection screen for selecting the security policy to be edited on the display 109 based on the setting information acquired in step S500.

  FIG. 6 is a diagram illustrating an example of the selection screen displayed in S501. In the display area 601, the name, version, and last update date and time are displayed. “Name” corresponds to the SP name of the SP management table 302 in FIG. “Version” is version information uniquely identified from the SPv1 management table 400 to the SPv3 management table 402 by the SPVer identifier and the SP setting identifier of FIG. “Last update date / time” corresponds to the last update date / time of the SP management table 302 in FIG. The user selects one of the security policies displayed in the display area 601 using a radio button, and presses the edit button 600. In step S502, the SP management module 205 determines whether the edit button 600 has been pressed. If it is determined that the button has been pressed, the process advances to step S503. If it is determined that the button has not been pressed, the process of step S502 is repeated until it is determined that the button has been pressed.

  In step S503, the SP management module 205 refers to the application server management table 300 managed by the database server service module 206, and acquires information on the application server 100 including the SPVer identifier. In step S504, the SP management module 205 compares the security policy version selected on the selection screen of FIG. 6 by the user in step S501 with the SPVer identifier information acquired in step S503. If the version of the security policy selected on the selection screen in FIG. 6 by the user is newer, the process proceeds to S505. On the other hand, if the version indicated by the SPVer identifier acquired in S503 is older or the both versions are the same, the process proceeds to S516. In step S516, the SP management module 205 displays an edit screen for editing the security policy setting information on the display 109.

  In the present embodiment, it is determined whether or not the version selected on the selection screen is newer than the version supported by the application server 100. This is because the setting information items are considered to be expanded as the version becomes new (version number increases). That is, in the present embodiment, if the version supported by the application server 100 is “2”, the supported versions are “1” and “2”, and the version “3” or higher cannot be supported. Become. However, for example, it may be determined whether the version selected on the selection screen is the support version of the application server 100 according to the support availability information of each version of the application server 100. In this case, if it is determined that the version selected on the selection screen is a supported version of the application server 100, the process proceeds to S516.

  FIG. 8 is a diagram illustrating an example of the editing screen displayed in S516. In the display area 800 of FIG. 8, information about the security policy selected by the user on the selection screen of FIG. 6 is displayed. For example, the display area 800 displays the name, version, and last update date / time displayed in the display area 601 of FIG. In the display area 801, the setting information about the application server 100 acquired in S503 is displayed. In that case, you may make it display arbitrary items among the information acquired by S503.

  In the display area 802, an SP setting information editing screen is displayed based on the SP setting information acquired in S500. For example, in the display area 802, since the editing target is version v1.0.0 as displayed in the display area 800, the setting items for guest account prohibition to audit log forcing shown in FIG. Displayed as selectable with the button. When the button 803 in FIG. 8 is pressed by the user, the editing screen in FIG. 6 is displayed again. When the button 805 is pressed by the user, the user's selection operation is canceled.

  As shown in FIGS. 3A and 8, the SP management module 205 supports the security policy version “2”. Further, as shown in the display area 800, the version of the security policy selected by the user as an editing target on the selection screen in FIG. 6 is “1”. That is, since the user has selected a version that can be supported by the SP management module 205, the SP management module 205 displays the editing screen using its own editing screen display function.

  In step S517, the SP management module 205 determines whether the registration button 804 in FIG. 8 has been pressed by the user. If it is determined that the registration button 804 has been pressed, the process proceeds to S518. On the other hand, if it is determined that the button has not been pressed, the process of S517 is repeated until it is determined that the button has not been pressed. In step S <b> 518, the SP management module 205 stores the setting contents edited on the editing screen in the display area 802 in the database server service module 206. In the storage, the last update date and time in FIG. 3C is updated, and the corresponding tables in FIGS. 4A to 4C are updated based on the edited setting contents. Thereafter, in S514, the SP setting information edited on the editing screen 802 is transmitted to the network device to be distributed. The transmission process to the network device to be distributed will be described later.

  In the description of S504, it has been described that the SP management module 205 compares the version of the security policy selected by the user on the selection screen of FIG. 6 in S501 with the SPVer identifier information acquired in S503. However, in addition to the version comparison, it is determined whether each setting item of the security policy setting information selected on the selection screen of FIG. 6 by the user corresponds to the editing function of the SP management module 205. May be.

  Next, a case will be described in which it is determined in S504 that the version of the security policy selected by the user on the selection screen in FIG. 6 is newer.

  In step S505, the SP management module 205 refers to the network device management table 301 managed by the database server service module 206, and acquires information about each network device. In step S506, the SP management module 205 searches for a network device that matches the version of the security policy selected on the selection screen in FIG. 6 and can execute the SP setting information editing screen display function. Refer to the SPVer identifier item in the network device management table 301 for the version match, and refer to the SP edit function item for the presence or absence of the edit screen display function. The SP management module 205 determines whether there are a plurality of searched network devices. If it is determined that there are a plurality of units, the process proceeds to step S507. If it is determined that there are not a plurality (one unit), the process proceeds to step S509.

  In S507, the selection screen for the network device searched in S506 is displayed. FIG. 7 is a diagram illustrating an example of a network device selection screen. In the display area 703, a device name, a product name, and an IP address are displayed based on the information about the network device searched in S506, and each network device is displayed so as to be selectable by a radio button. At that time, an arbitrary item is displayed among the information about each network device searched in S506. Here, the version supported by each network device may be displayed together. If version 2.0.0 is selected on the selection screen of FIG. 6, for example, version 2.0.0 is displayed as the version supported by each network device displayed in FIG. In addition, if a version older than the version currently supported by the network device can be supported, for example, version 3.0.0 released after version 2.0.0 may be displayed together with the network device. When the button 700 in FIG. 7 is pressed by the user, the editing screen in FIG. 6 is displayed again. When the button 702 is pressed by the user, the user's selection operation is canceled.

  In step S508, the SP management module 205 determines whether or not the button 701 in FIG. If it is determined that the button 701 has been pressed, the process advances to step S509. On the other hand, if it is determined that the button has not been pressed, the process of S508 is repeated until it is determined that the button has not been pressed.

  In step S509, the SP management module 205 acquires SP setting information currently set in the network device based on the information on the network device selected by the user in the display area 703. This is because when the SP setting information of the version selected by the user is edited and the edited SP setting information is distributed, the distribution needs to be limited only to the network device to be distributed. . If a network device that supports the version selected by the user is searched in S506, the editing screen of the searched network device is remotely displayed on the application server 100 in S510, and the editing operation corresponding to the version is performed. Is possible. In this case, when the editing operation is terminated by pressing the registration button, the edited SP setting information is set for the network device. Therefore, if the network device is a device that is not a distribution target from the application server 100, an incorrect setting is performed. In the present embodiment, assuming such a case, before performing remote display, in S509, the SP setting information currently set (before editing) on the network device is acquired (saved) and temporarily stored. It is stored in the RAM 102 of the application server 100 or the like.

  In S510, the SP management module 205 accesses the editing function of the SP management module 231 of the network device searched in S506 or further selected in S507. Then, the SP management module 205 remotely displays an editing screen corresponding to the editing function of the network device on the display 109. The editing screen is displayed when the application server 100 acquires drawing data of the editing screen from the network device, and returns drawing data corresponding to the editing screen operation on the application server 100 to the network device.

  FIG. 9 is a diagram showing an example of the edit screen displayed in S510. In the display area 900 of FIG. 9, information about the security policy selected by the user on the selection screen of FIG. 6 is displayed. For example, the display area 900 displays the name, version, and last update date / time displayed in the display area 601 of FIG. In the display area 901, information about the network device selected in the display area 703 is displayed. In that case, you may make it display arbitrary items among the information about a network apparatus.

  In the display area 902, an SP setting information editing screen is displayed based on the SP setting information acquired in S500. For example, in the display area 902, the editing target is version v3.0.0 as displayed in the display area 900. Therefore, the setting items of guest account prohibition to audit log forcing shown in FIG. Displayed as selectable with the button. When the button 903 in FIG. 9 is pressed by the user, the selection screen in FIG. 7 is displayed again. When the button 905 is pressed by the user, the user's selection operation is canceled.

  As shown in FIGS. 3A and 9, the SP management module 205 supports the security policy version “2”. Further, as shown in the display area 900, the version of the security policy selected as the editing target by the user on the selection screen in FIG. 6 is “3”. That is, since the user has selected a version that is not supported by the SP management module 205, the SP management module 205 remotely displays the editing screen of the network device that supports the selected version, thereby performing an editing operation on the own device. Enable.

  In step S511, the SP management module 205 determines whether the registration button 904 in FIG. 9 has been pressed by the user. If it is determined that the registration button 904 has been pressed, the process proceeds to S512. On the other hand, if it is determined that the button has not been pressed, the process of S511 is repeated until it is determined that the button has not been pressed.

  In step S <b> 512, the SP management module 205 instructs the SP management module 231 of the MFP 130 to transmit the setting contents edited on the editing screen in the display area 902 to the SP management module 205 of the application server 100. The SP management module 205 stores the edited setting content received from the MFP 130 in the database server service module 206. In the storage, the last update date and time in FIG. 3C is updated, and the corresponding tables in FIGS. 4A to 4C are updated based on the edited setting contents.

  In step S513, the SP management module 205 determines whether the MFP 130 that is the target of the edit screen 902 is a target for distributing SP setting information (an example of device determination). Here, if it is determined that it is a distribution target, the process proceeds to S514, and if it is determined that it is not a distribution target, the process proceeds to S515. In S514, the SP setting information edited on the editing screen 902 is transmitted (distributed) to the network device to be distributed.

  In the determination of the distribution target in S513, the SP management module 205 refers to the distribution task information in the SP distribution task table 403 from the database server service module 206. Then, when the task state is “standby” in the distribution task information and the same network device identifier as the network device identifier of the MFP 130 selected in the display area 703 in FIG. On the other hand, if it does not exist, it is determined that the MFP 130 selected in the display area 703 is not a distribution target.

  In step S515, the SP management module 205 transmits the SP setting information acquired (saved) in step S509 and temporarily held to the MFP 130 determined not to be distributed in step S513 for restoration. Thereafter, in S514, the SP setting information edited on the editing screen 902 is transmitted (distributed) to other MFPs 130 on the network 150 that are determined to be distributed.

  The embodiment as described above can be applied to, for example, an office that is considering the phase-in introduction of a new network device of a new SP version in the existing network environment of FIG. In such a case, for a new network device introduced in advance, the application server edits new SP setting information using the editing screen of the new network device. The application server then distributes the edited new SP setting information to the new network device to be introduced later. The application server can distribute the edited new SP setting information to an existing network device before introducing the new network device. At that time, in the existing network device, only the setting items that can be interpreted by the existing network device are set in the new SP setting information, and the setting items that cannot be interpreted are discarded.

  In the above embodiment, the application server 100 has been described as managing security information (setting information) of the system 1. However, if the security information is managed by the client 120 or the MFP 130, these devices may have the tables in FIGS. 3 and 4 and perform the processing in FIG. 5.

  The present invention is also realized by executing the following processing. In other words, software (program) that realizes the functions of the above-described embodiments is supplied to a system or apparatus via a network or various computer-readable storage media, and the computer of the system or apparatus (or CPU, MPU, etc.) This is a process of reading and executing a program.

Claims (9)

An information processing apparatus capable of communicating with a network device,
Accepting means for accepting edits to a file including a plurality of setting items;
A determination unit that determines whether the information processing apparatus supports versions corresponding to a plurality of setting items included in the file in response to the reception of the editing by the reception unit;
By the determination means,
If it is determined that the information processing apparatus supports versions corresponding to a plurality of setting items included in the file, an edit screen of the file is displayed on the display unit of the information processing apparatus,
If it is determined that the information processing apparatus does not support versions corresponding to a plurality of setting items included in the file, the edit screen data displayed on the network device that supports the version is used. Display control means for displaying an edit screen of the file on the display unit of the information processing apparatus;
An information processing apparatus comprising:   If it is determined by the determination unit that the information processing apparatus does not support versions corresponding to a plurality of setting items included in the file, the display control unit is connected to a network device that supports the version. The information processing apparatus according to claim 1, wherein a selection screen is displayed.   The information processing apparatus according to claim 2, wherein the display control unit displays a version supported by the network device on the selection screen.   Setting value before editing when the display control means displays the editing screen of the file on the display unit of the information processing apparatus using the editing screen data displayed on the network device that supports the version. The information processing apparatus according to claim 1, further comprising: an acquisition unit that acquires the information from a network device. A device determining unit that determines whether or not the network device from which the acquiring unit has acquired the setting value before editing is a transmission target of a file whose setting value has been edited;
When the device determining unit determines that the setting value is not a transmission target of the edited file, the file in which the setting value before editing acquired by the acquiring unit is set is transmitted to the network device after the editing. Sending means to
The information processing apparatus according to claim 4, further comprising:   The transmission unit transmits a file with an edited setting value to the network device when the determination unit determines that the setting value is an object to be transmitted. 5. The information processing apparatus according to 5.   If the information processing apparatus determines that the information processing apparatus does not support versions corresponding to a plurality of setting items included in the file, the display control unit determines that the display control unit is a network device that supports the version. 7. The editing screen of the file is remotely displayed on the display unit of the information processing apparatus using the editing screen data that is connected and processed for display by the network device. The information processing apparatus according to item. A control method executable in an information processing apparatus capable of communicating with a network device,
A reception process for accepting editing of a file including a plurality of setting items;
A determination step of determining whether or not the information processing apparatus supports versions corresponding to a plurality of setting items included in the file in response to reception of editing in the reception step;
In the determination step,
If it is determined that the information processing apparatus supports versions corresponding to a plurality of setting items included in the file, an edit screen of the file is displayed on the display unit of the information processing apparatus,
If it is determined that the information processing apparatus does not support versions corresponding to a plurality of setting items included in the file, the edit screen data displayed on the network device that supports the version is used. A display control step of displaying an edit screen of the file on the display unit of the information processing apparatus;
A control method characterized by comprising:   The program for functioning a computer as each means of the information processing apparatus of any one of Claim 1 thru | or 7.

Images