US20050021980A1 - Access control decision system, access control enforcing system, and security policy - Google Patents
- Publication number
- US20050021980A1 (US10/872,574)
- Authority
- US
- United States
- Prior art keywords
- information
- requirement
- access control
- document
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N1/00—Scanning, transmission or reproduction of documents or the like, e.g. facsimile transmission; Details thereof
- H04N1/44—Secrecy systems
- H04N1/4406—Restricting access, e.g. according to user identity
- H04N1/4426—Restricting access, e.g. according to user identity involving separate means, e.g. a server, a magnetic card
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
- G06F21/608—Secure printing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N1/00—Scanning, transmission or reproduction of documents or the like, e.g. facsimile transmission; Details thereof
- H04N1/44—Secrecy systems
- H04N1/4406—Restricting access, e.g. according to user identity
- H04N1/4413—Restricting access, e.g. according to user identity involving the use of passwords, ID codes or the like, e.g. PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N1/00—Scanning, transmission or reproduction of documents or the like, e.g. facsimile transmission; Details thereof
- H04N1/44—Secrecy systems
- H04N1/4406—Restricting access, e.g. according to user identity
- H04N1/444—Restricting access, e.g. according to user identity to a particular document or image or part thereof
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N1/00—Scanning, transmission or reproduction of documents or the like, e.g. facsimile transmission; Details thereof
- H04N1/44—Secrecy systems
- H04N1/448—Rendering the image unintelligible, e.g. scrambling
- H04N1/4486—Rendering the image unintelligible, e.g. scrambling using digital data encryption
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2113—Multi-level security, e.g. mandatory access control
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION
- H04N2201/00—Indexing scheme relating to scanning, transmission or reproduction of documents or the like, and to details thereof
- H04N2201/0077—Types of the still picture apparatus
- H04N2201/0091—Digital copier; digital 'photocopier'
Definitions
- the present invention generally relates to an access control decision system, an access control enforcing system, and a security policy, in which an organizational security policy can be applied to an information processing system and organizational security can be improved for not only digitalized documents but also paper documents.
- Japanese Laid-open Patent Application No. 2004-102907 discloses a method for distributing the security policy and an apparatus for operating based on the security policy.
- Japanese Patent Application No. 2002-299712 discloses a method and an apparatus for controlling printing a digital document by encrypting and decrypting the digital document in accordance with the security policy.
- a system whose object is to sell digital contents, mainly music data, image data, and the like, has a problem similar to company secret management
- similar technologies are applied to this system (for example, refer to Japanese Laid-open Patent Application No. 8-263441, U.S. Pat. No. 5,715,403, Japanese Laid-open Patent Application No. 8-263438, and U.S. Pat. No. 6,236,971).
- a system is provided in that a condition should be satisfied when digital data (such as the music data, the image data, and the like which are called digital work) relating to a copyright.
- a protocol is disclosed to confirm whether or not the condition for exercising a security is satisfied.
- Glyphe code can be embedded into a printed matter. However, it is required to define information to be embedded for each document.
- Japanese Laid-open Patent Application No. 2001-184264 discloses an access control sub system configured by a policy evaluation module for determining an access allowed or not-allowed in accordance with a policy, an enforcement function verification module, and an enforcement module.
- a more specific object of the present invention is to provide an access control decision system, an access control enforcing system, and a security policy, in which an organizational security policy can be applied to an information processing system and securities can be secured for a paper document and a digital document.
- an access control decision system including: an abstraction converting part converting first information indicated by an access decision request into second information that is more abstract than the first information when the access decision request for requesting an access control decision for subject information to be accessed is received; an access control decision part determining the access control for the subject information by referring to a security policy that is abstractly regulated, based on the second information; and a decision result sending part sending a decision result showing the access control determined for the subject information by said access control decision part to a request originator that sent the access decision request.
- information for determining the access control can be converted into information having abstraction degree similar to an organizational security policy. Accordingly, it is possible to determine the access control in accordance with the security policy being abstract.
- an access control enforcing system including an access control enforcing part enforcing an access control for subject information based on access control information indicating a control concerning an access to the subject information in accordance with a security policy, wherein said access control enforcing part further includes a requirement capability determining part determining whether or not a requirement to execute the access can be executed, the requirement indicated by the access control information, and wherein the access control is enforced for the subject information based on a determination result by the requirement capability determining part so as to satisfy the requirement.
- in the access control decision system, it is determined whether or not the requirement to allow the access to the subject information is executable in accordance with the security policy. Accordingly, it is possible to enforce the access control for the subject information so as to satisfy the requirement.
- a security policy comprising a rule description showing a rule regulating whether or not an operation is allowed based on a first security attribute of subject information directed to the operation and a second security attribute of a user requesting the operation for the subject information, wherein the rule description regulates to allow the operation when a requirement is satisfied.
- the above objects of the present invention can be achieved by a program code for causing a computer to conduct processes described above in the document processing apparatus or by a computer-readable recording medium recorded with the program code.
- FIG. 1 is a diagram showing a configuration of a system according to an embodiment of the present invention
- FIG. 2 is a block diagram showing an access control model according to the embodiment of the present invention.
- FIG. 3 is a block diagram showing a hardware configuration of a security server according to the embodiment of the present invention.
- FIG. 4 is a block diagram showing a functional configuration of the security server according to the embodiment of the present invention.
- FIG. 5 is a diagram showing a data structure of a user security level table according to the embodiment of the present invention.
- FIG. 6 is a diagram showing a data structure of a document profile management table according to the embodiment of the present invention.
- FIG. 7 is a diagram showing a data structure of a zone management table according to the embodiment of the present invention.
- FIG. 8 is a diagram showing a data structure of a print profile management table according to the embodiment of the present invention.
- FIG. 9 is a diagram showing an access control sequence in a document management system according to the embodiment of the present invention.
- FIG. 10 is a flowchart for explaining an access control process in the document management system according to the embodiment of the present invention.
- FIG. 11 is a diagram for explaining an authenticating process by a user management server according to the embodiment of the present invention.
- FIG. 12 is a diagram showing a data structure of authentication result information according to the embodiment of the present invention.
- FIG. 13 is a diagram for explaining the decision process by the security server in response to a request from the document management system according to the embodiment of the present invention.
- FIG. 14 is a diagram for explaining the decision process by the security server in response to a request from the document management system according to the embodiment of the present invention.
- FIG. 15 is a diagram for explaining the decision process by the security server in response to a request from the document management system according to the embodiment of the present invention.
- FIG. 16 is a diagram showing the data structure of context information according to the embodiment of the present invention.
- FIG. 17 is a diagram showing a data structure of decision result information according to the embodiment of the present invention.
- FIG. 18 is a flowchart for explaining a compensating process for requirements by the document management system according to the embodiment of the present invention.
- FIG. 19 is a flowchart for explaining a requirement process according to the embodiment of the present invention.
- FIG. 20 is a flowchart for explaining the requirement process according to the embodiment of the present invention.
- FIG. 21 is a diagram showing an access control sequence at a digital copier according to the embodiment of the present invention.
- FIG. 22 is a flowchart for explaining the access control process by the digital copier according to the embodiment of the present invention.
- FIG. 23 is a diagram for explaining the decision process in the security server in response to a request from the digital copier according to the embodiment of the present invention.
- FIG. 24 is a diagram for explaining the decision process in the security server in response to a request from the digital copier according to the embodiment of the present invention.
- FIG. 25 is a diagram for explaining the decision process in the security server in response to a request from the digital copier according to the embodiment of the present invention.
- FIG. 26 is a flowchart for explaining the requirement process by the digital copier according to the embodiment of the present invention.
- FIG. 27 is a flowchart for explaining the requirement process by the digital copier according to the embodiment of the present invention.
- FIG. 28 is a flowchart for explaining the requirement process by the digital copier according to the embodiment of the present invention.
- FIG. 29 is a diagram showing an access control sequence in a document viewer according to the embodiment of the present invention.
- FIG. 30 is a flowchart for explaining the access control process by the document viewer according to the embodiment of the present invention.
- FIG. 31 is a flowchart for explaining the access control process by the document viewer according to the embodiment of the present invention.
- FIG. 32 is a flowchart for explaining the requirement process conducted by the document viewer according to the embodiment of the present invention.
- FIG. 33 is a flowchart for explaining the requirement process conducted by the document viewer according to the embodiment of the present invention.
- FIG. 34 is a flowchart for explaining the requirement process conducted by the document viewer according to the embodiment of the present invention.
- FIG. 35 is a flowchart for explaining the requirement process conducted by the document viewer according to the embodiment of the present invention.
- FIG. 36 is a flowchart for explaining the requirement process conducted by the document viewer according to the embodiment of the present invention.
- FIG. 37A is a diagram showing a screen example for displaying settings for an alarm print according to the embodiment of the present invention.
- FIG. 37B is a diagram showing a screen example for displaying detail settings for the alarm print according to the embodiment of the present invention.
- FIG. 38A is a diagram showing a screen example in which the private print is set according to the embodiment of the present invention.
- FIG. 38B is a diagram showing a screen example for setting the authentication information for the private print according to the embodiment of the present invention.
- FIG. 39 is a diagram showing a screen example in a case in which printing a label as a stamp is indicated as the requirement according to the embodiment of the present invention.
- FIG. 40 is a diagram showing a screen example in a case in which the visible watermark letter print is indicated as the requirement according to the embodiment of the present invention.
- FIG. 41A is a diagram showing a screen example showing details in the case in which an identification pattern print is indicated as the requirement.
- FIG. 41B is a diagram showing an example of magnifying the identification pattern according to the embodiment of the present invention.
- FIG. 41C is a diagram showing an encoding example of the identification pattern shown in FIG. 41B according to the embodiment of the present invention.
- FIG. 42 is a diagram showing a requirement process sequence in a private print mode according to the embodiment of the present invention.
- FIG. 43 is a diagram showing the requirement process sequence in the pattern print mode according to the present invention.
- FIG. 44 is a diagram showing a data example managed by the user security level table according to the embodiment of the present invention.
- FIG. 45 is a diagram showing an XML file of the user security level table according to the embodiment of the present invention.
- FIG. 46 is a diagram showing a data example managed by the document profile management table according to the embodiment of the present invention.
- FIG. 47 is a diagram showing a data example managed by the zone management table according to the embodiment of the present invention.
- FIG. 48 is a diagram showing an XML file of the zone management table according to the embodiment of the present invention.
- FIG. 49 is a diagram showing an access control rule described in the policy file according to the embodiment of the present invention.
- FIG. 50 is a diagram showing the access control rule described in the policy file according to the embodiment of the present invention.
- FIG. 51 is a diagram showing an example of the authentication result information
- FIG. 52 is a diagram showing an example of the context information according to the embodiment of the present invention.
- FIG. 53 is a diagram showing an example of the document identification information according to the embodiment of the present invention.
- FIG. 54 is a diagram showing an example of the decision result information according to the embodiment of the present invention.
- FIG. 55 is a diagram showing an example of the print profile management table according to the embodiment of the present invention.
- FIG. 56 is a diagram showing an example of the identification pattern being printed according to the embodiment of the present invention.
- FIG. 57 is a diagram showing another example of the authentication result information according to the embodiment of the present invention.
- FIG. 58A is a diagram showing an example of the document identification information in a case in which image data itself is actually sent to the security server according to the embodiment of the present invention.
- FIG. 58B is a diagram showing another example of the document identification information in a case in which the image data is decoded and sent to the security server according to the embodiment of the present invention.
- FIG. 1 is a diagram showing a configuration of a system according to the embodiment of the present invention.
- a security server 200 for conducting an access control with respect to a digital document and a paper document is connected through a network to a document management system 100 for managing digital documents, a digital copier 70 including a plurality of different image forming functions serving as a copier, a fax, a scanner, and the like, and a document viewer 53 for displaying the digital document at a client terminal 51 of a user.
- the document viewer 53 is a predetermined application running on the client terminal 51.
- the client terminal 51 accesses a target document maintained in the document management system 100 .
- the user 52 may use the digital copier 70 to make copies of a paper document that the user has brought.
- the system shown in FIG. 1 may include a plurality of client terminals 51 and users 52 .
- the digital document, which is managed by the document management system 100 and to which access is controlled, is referred to as a server document 61.
- the paper document, which is copied by the digital copier 70, is referred to as a paper document 62.
- the digital document, which is downloaded from the document management system 100, stored in a local storage of the client terminal 51, and opened and referred to by the document viewer 53, is referred to as a portable document 63.
- When the user 52 connects to the document management system 100 by using the client terminal 51 and attempts to access the server document 61, the document management system 100 obtains authentication information from the user 52 and sends a request of a user authentication to the user management server 300. The document management system 100 sends an access control decision request to the security server 200 based on an authentication result received from the user management server 300. The document management system 100 accesses the server document 61 based on access control information received from the security server 200.
- the digital copier 70 obtains the authentication information from the user 52 and sends a request of the user authentication to the user management server 300 .
- the digital copier 70 sends the access control decision request to the security server 200 based on the authentication result received from the user management server 300 .
- the digital copier 70 copies the paper document 62 based on the access control information received from the security server 200 .
- the document viewer 53 obtains the authentication information from the user 52 and sends the request of the user authentication to the user management server 300 .
- the document viewer 53 sends the access control decision request to the security server 200 based on the authentication result received from the security server 200 .
- the document viewer 53 displays the portable document 63 or further outputs the portable document 63 displayed at the client terminal 51 based on the access control information received from the security server 200.
- When the user management server 300 receives the authentication information of the user 52 from the document management system 100, the digital copier 70, or the document viewer 53, the user management server 300 refers to a user management table 310 and authenticates the user 52. The user management server 300 sends the authentication result to the document management system 100, the digital copier 70, or the document viewer 53, whichever sent the request of the user authentication.
- the security server 200 includes a policy file 240 in which access control rules are described for an organization, a user security level table 250 for managing a user security for each user 52, a document profile management table 260 for managing a profile for each document, a zone management table 270 for managing the access control for each zone, and a print profile management table 280 for managing information concerning a print for each print.
- the security server 200 corresponds to the access control requests from the document management system 100 , the digital copier 70 , and the document viewer 53 by using a policy file 240 and these tables 250 through 280 .
- a rule such as “Access Allowed for Related Persons Only” is regulated. However, the relationship showing who is a related person for which document must also be managed. A table complementing the policy that states this rule is managed in the security server 200, separately from the policy. If this relationship were described in the policy, the policy would lose versatility. That is, the portion stipulating a “rule”, such as a company secret management regulation of the organization, is stipulated as the policy, and the portions that are set variously for each document and for each user are managed by tables. Since a different “rule” for each organization is managed in the form of the policy file 240, each “rule” can be replaced.
- the server document 61, the paper document 62, and the portable document 63 are generically called a document 60 (FIG. 2).
- a user, who can be the client terminal 51 or the user 52 and who accesses the document 60, is called an initiator 50.
- the document management system 100 , the digital copier 70 , and the document viewer 53 are generically called as an application system 400 .
- the security server 200 is separated from the user management server 300 .
- a function serving as the security server 200 and a function serving as the user management server 300 can be included in a single server computer.
- FIG. 2 is a block diagram showing the access control model.
- the application system 400 sends a decision request to the security server 200 to have the security server 200 determine whether or not the access from the initiator 50 is allowed after the user authentication.
- an access permit can be requested for an anonymous user or a guest user.
- the security server 200 determines in accordance with the access control rule (policy) described in the security file 240 internally maintained in the security server 200 whether or not the user as the initiator 50 has the security to access the document 60 , that is, whether the user is allowed or prohibited to access the document 60 . If the user is allowed to access the document 60 , the security server 200 determines a requirement that should be satisfied to access the document 60 . Then, the security server 200 sends information showing that the user is allowed or not allowed and the requirement is satisfied or not, as a decision result, to the application system 400 .
- the application system 400 receives the decision result and processes the access requested by the user if the user is allowed. In this case, if a requirement is indicated, the application system 400 processes the document 60 so as to satisfy the requirement. If the user is not allowed or the requirement is not satisfied, the application system 400 denies this access to the document 60.
- FIG. 3 is a block diagram showing the hardware configuration of the security server according to the embodiment of the present invention.
- the security server 200 is a server computer and includes a CPU (Central Processing Unit) 41 , a memory unit 42 , a display unit 43 , an input unit 44 , a communication unit 45 , and a storage unit 46 , each of which is connected to a system bus B 2 .
- the CPU 41 controls the security server 200 in accordance with a program stored in the memory unit 42 .
- the memory unit 42 includes a RAM (Random Access Memory) and a ROM (Read-Only Memory), and stores the program to be executed by the CPU 41 , data necessary to process by the CPU 41 , and data obtained in the process by the CPU 41 .
- the memory unit 42 is partially used as a work area used in the process by the CPU 41 .
- the display unit 43 displays necessary information by the control of the CPU 41 .
- the communication unit 45 is a unit to communicate with the application system 400 when connecting to the application system 400, for example, through a LAN (Local Area Network) or the like.
- the storage unit 46 includes a hardware unit, and stores management tables including a policy file 240, a user security level table 250, a document profile management table 260, a zone management table 270, a print profile management table 280, and the like.
- a program controlling the security server 200 is installed into a storage unit 46 beforehand.
- FIG. 4 is a block diagram showing the functional configuration of the security server according to the embodiment of the present invention.
- the security server 200 mainly includes an abstraction processing part 231 for abstracting information received from the application system 400 by corresponding to the organizational security policy, and a policy base access control decision part 241 .
- the abstraction processing part 231 includes a user security level mapping part 232 , a user category mapping part 233 , a zone mapping part 234 , and a document security attribute mapping part 235 .
- the user security level mapping part 232 obtains a security level abstracted by referring to the user security level table 250 based on the user identification information (1).
- the user category mapping part 233 obtains a user category that is abstracted by referring to the document profile management table 260 based on the user identification information and shows a related person or any person (2).
- the access type information is maintained without any change (3).
- the zone mapping part 234 obtains a zone category that is abstracted by referring to the document profile management table 260 and the zone management table 270 based on the context information and shows in-zone or out-zone (4).
- the document security attribute mapping part 235 obtains a sensitivity level and a document category that are abstracted by referring to the document profile management table 260 and the print profile management table 280 based on the document identification information (5).
- a term may be set in the context information so as to obtain a term segment showing in-term or out-term.
- mapping parts 232 through 235 may be included in a single abstraction processing part.
- this single abstraction processing part refers to more than one management table.
- the security level and the user category can be categorized into a user security attribute
- the sensitivity level and the document category can be categorized into the document security attribute
- the zone category can be categorized into an access environment attribute, so that three attributes are used to categorize.
- an abstraction processing part may be provided for each attribute.
- each abstraction processing part includes more than one mapping processing part and each mapping part refers to more than one table.
- the policy base access control decision part 241 receives information being abstracted by the abstraction processing part 231 as a parameter, and determines the access control in accordance with the access control rule (policy) described in the policy file 240 .
- the policy file 240 can be set from outside. Accordingly, it is possible to easily change in response to the organizational security policy.
- with the abstraction processing part 231, it is not required to change the format of the information to provide to the application system 400 when the security policy is changed. Since it is not required to change software for the application system 400 in response to the change of the security policy, maintenance in response to the change of the security policy can be easily conducted.
- the access control can be conducted, by managing an ACL (Access Control List) for each document, so as to specify which type of access is allowed or prohibited for which user.
- a conventional system U.S. Pat. No. 6,289,450
- this ACL is called a security policy.
- when a policy is defined for each document, there is a problem in that it is difficult to know whether the security policy is applied in accordance with a company secret management regulation (policy) of an “organization” such as “confidential matter is allowed only for related persons”.
- the security server 200 determining the access control first separates a general decision rule for the access control from a security setting for details of each document, maps an attribute of a document or a user to an abstract security attribute, and then makes an access decision.
- since a general decision rule can be described as a policy file, the rule is not fixed but becomes replaceable.
- the decision rule may be programmed as one logic in software. However, there is no example in which the decision rule can be flexibly defined and set in accordance with the organizational security policy.
- FIG. 5 is a diagram showing a data structure of a user security level table according to the embodiment of the present invention.
- a data structure 251 of the user security level table 250 includes a UserMapList for managing a plurality of users by an array of userMap showing a security for each user by code 252 showing “UserMapList {userMap[] userMap;};”.
- the userMap includes a user ID or a group ID shown by a character string by code 253-1 showing “String principalId;”, a type of each entry shown by a character string indicating a user, a group, or the like by code 253-2 showing “String entryType”, and a security level shown by a character string by code 253-3 showing “String levelId;”.
- FIG. 6 is a diagram showing a data structure of the document profile management table according to the embodiment of the present invention.
- a data structure 261 of the document profile management table 260 includes DocProfileTable for managing a plurality of digital documents by an array of docProfile showing the security policy for each digital document by code 262 showing “DocProfileTable { DocProfile[] docProfiles; };”.
- the docProfile includes a digital document ID shown by a character string by code 263 - 1 showing “String docId;”, a document category shown by a character string by code 263 - 2 showing “String DocCategory;”, a sensitivity level shown by a character string by code 263 - 3 showing “String docLevel;”, a list of a plurality of related persons shown by an array of related persons shown by a character string by code 263 - 4 showing “String[] relatedPersons;”, a list of a plurality of zone IDs shown by an array of zone IDs shown by a character string by code 263 - 5 showing “String[] zones;”, a nondisclosure date shown by a date by code 263 - 6 showing “Date nondisclosure”, a retention date shown by a date by code 263 - 7 showing “Date retention”, and a validity date shown by a date by code 263 - 8 showing “Date validity”.
- the document ID is information to identify each digital document.
- the document category and the sensitivity level indicate identification information of the document category and the sensitivity level used by the security policy.
- Zone IDs specifying zones where an access to the digital document is allowed are indicated in the zone ID list.
- FIG. 7 is a diagram showing a data structure of the zone management table according to the embodiment of the present invention.
- a data structure 271 of the zone management table 270 includes ZoneInfoTable for managing a plurality of zones by managing an array of ZoneInfo showing information specifying each zone by code 272 showing “ZoneInfoTable { ZoneInfo[] zones };”.
- the ZoneInfo includes a zone ID shown by a character string by code 273 - 1 showing “String id;”, a zone name shown by a character string by code 273 - 2 showing “String name;”, and an address of the zone shown by an array of AddressInfo[] by codes 273 - 3 showing “AddressInfo[] addresses;”.
- a data structure of the AddressInfo written in code 273 - 3 includes an IP address or a MAC address shown by a character string by code 275 - 1 showing “String address;”, “IP” or “MAC” shown by a character string by code 275 - 2 showing “String addressType;”, and a subnet mask shown by a character string such as “255.255.255.0” when the address is an IP address by code 275 - 3 showing “String netmask;”.
- the zone management table 270 is a table for managing zones allowing an access by a list of zone addresses. A plurality of IP addresses or MAC addresses are assigned to one zone ID.
- FIG. 8 is a diagram showing a data structure of the print profile management table according to the embodiment of the present invention.
- a data structure 281 of the print profile management table 280 includes PrintProfileTable for managing a plurality of print profiles by an array of PrintProfile showing a profile concerning each print by code 281 showing “PrintProfileTable { PrintProfile[] printprofiles; };”.
- the PrintProfile includes a print ID shown by a character string by code 283 - 1 showing “String printId;”, a document ID of the digital document shown by a character string by code 283 - 2 showing “String docId;”, a printed date shown by a date by code 283 - 4 showing “String printed UserId;”, and a printed user name shown by a character string by code 283 - 5 showing “String printedUserName;”.
- the print ID is identification information to specify each print.
- the document ID is identification information showing a document being printed.
- the access control in the document management system 100 will be described with reference to FIG. 9 and FIG. 10 .
- FIG. 9 is a diagram showing an access control sequence in the document management system according to the embodiment of the present invention.
- FIG. 10 is a flowchart for explaining an access control process in the document management system according to the embodiment of the present invention.
- each process in the access control sequence shown in FIG. 9 corresponds by the same numeral number to each process shown in FIG. 10 .
- the document management system 100 receives a user ID and a password of the user 52 as well as a login request from the client terminal 51 (S 1001 ).
- the document management system 100 sends a user authentication request with the user ID and the password received from the client terminal 51 to the user management server 300 (S 1002 ).
- the user management server 300 conducts an authenticating process by the user ID and the password (S 1003 ).
- the user management server 300 sends authentication result information showing a success or failure of the authentication to the document management system 100 (S 1004 ).
- the authentication result information includes user identification information identifying a user and information showing the success or failure of the authentication.
- the document management system 100 conducts a process corresponding to the authentication result information (S 1005 ).
- the authentication result information shows the success of the authentication
- the document management system 100 sends the authentication result information received from the user management server 300 to the client terminal 51 and goes to S 1006 .
- the authentication result information shows the failure of the authentication
- the document management system 100 terminates the access control process.
- the client terminal 51 sends a document read request for the server document 61 stored in the document management system 100 to the document management system 100 by indicating the document ID (S 1006 ).
- the document management system 100 sends the authentication result information of the user 52 and document ID of the server document 61 , an access type, and context information of the client terminal 51 to the security server 200 , to request the access control for the server document 61 (S 1007 ).
- the access type indicates a read access indicated by the document read request.
- the security server 200 determines whether or not the access is allowed based on information being received (S 1008 ).
- the security server 200 sends a decision result to the document management system 100 (S 1009 ).
- the document management system 100 conducts a process corresponding to the decision result received from the security server 200 (S 1009 ).
- the decision result shows “Allowed”
- the document management system 100 processes a requirement indicated by the decision result and advances to S 1011 .
- the decision result shows “Not Allowed (Prohibited)”
- the access is prohibited and the access control process is terminated (S 1010 ).
- the document management system 100 conducts a process corresponding to an access request sent from the client terminal 51 , sends the server document 61 to the client terminal 51 , and normally terminates the access control process (S 1011 ).
- the user authentication request in S 1002 can be sent through the security server 200 .
- a method for authenticating the user 52 is not limited to a method for authenticating by the user ID and the password.
- a higher technical authentication such as a biometric authentication, a challenge-response authentication using a master card, or a like can be applied.
- FIG. 11 is a diagram for explaining the authenticating process by the user management server according to the embodiment of the present invention.
- the user management server 300 checks the user ID and the password received from the document management system 100 with the user management table 310 to authenticate the user 52 (L 0011 ).
- the user management server 300 obtains a list of group IDs to which the user 52 belongs (L 0013 ), and creates the authentication result information by the user ID, the user name, and the list of group IDs (L 0014 ).
- the authentication result information includes user identification information identifying a user and information showing the success of the authentication.
- the user management server 300 sends the authentication result information to the document management system 100 (L 0015 ), and terminates a process conducted when the user 52 is successfully authenticated (L 0016 ). Then, the authenticating process is terminated (L 0020 ).
- the user management server 300 creates the authentication result information showing the failure of the authentication and sends the authentication result information to the document management system 100 (L 0018 ). Then, a process for the failure of the authentication for the user 52 is ended (L 0019 ), and the authenticating process is terminated (L 0020 ).
- FIG. 12 is a diagram showing a data structure of the authentication result information according to the embodiment of the present invention.
- a data structure 501 of the authentication result information defines a structure AuthInfo and includes a user ID shown by a character string by code 503 - 1 showing “String userId;”, a user name shown by a character string by code 503 - 2 showing “String username;”, an array of group IDs of groups to which the user 52 belongs, shown by a character string by code 503 - 3 showing “String[] groups;”.
- FIG. 13 , FIG. 14 , and FIG. 15 are diagrams for explaining the decision process by the security server in response to a request from the document management system according to the embodiment of the present invention.
- FIG. 13 , FIG. 14 , and FIG. 15 a process, in which an operation for reading the server document 61 of the document management system 100 is conducted at the client terminal 51 and a document read request is sent from the client terminal 51 to the document management system 100 , is illustrated.
- a property refer an original refer, an update, a delete, and a store as other operations at the client terminal 51
- a property refer request an original refer request, an update request, a delete request, and a store request are sent from the document management system 100 to the security server 200 , respectively.
- the original reference operation is an access for obtaining the server document 61 being an original managed in the document management system 100 .
- the document read operation illustrated in FIG. 13 through FIG. 15 is an access for obtaining the server document 61 , which is converted so that only the document viewer 53 being special can open the server document 61 being original.
- the decision process in the security system 100 is similarly conducted for each request.
- the security server 200 receives the authentication result information, the document ID, the access type, the context information from the document management system 100 conducting the decision request (L 0031 ).
- the access type indicates “document read for the server document”.
- a type of the document 60 that is, server document 61
- a type of the operation that is, document read
- the security server 200 obtains a document profile (docProfile) corresponding to the document ID (docid) received from the document management system 100 , from the document profile management table 260 (L 0032 ).
- the security server 200 obtains the document category (docCategory) and the sensitivity level (docLevel) by referring to the document profile (docProfile) (L 0033 ).
- the security server 200 obtains the related persons list by referring to the document profile (docProfile) (L 0034 ).
- the security server 200 checks whether or not the related person list (relatedPersons) includes the user IDs (userId) or position groups (groups) of the authentication result information (authInfo) (L 0035 ).
- When the related person list (relatedPersons) includes the user IDs (userId) or position groups (groups) of the authentication result information (authInfo), the security server 200 indicates the related persons (RELATED_PERSONS) to the user category (userCategory) (L 0036 ). On the other hand, when the related person list (relatedPersons) does not include the user IDs (userId) or position groups (groups) of the authentication result information (authInfo), the security server 200 indicates anyperson (ANY) to the user category (userCategory) (L 0037 ).
- the security server 200 refers to the user security level table (UserMapTable) and stores a level corresponding to the user ID or the group ID (principalId) to the security level (userLevel) (L 0038 ).
- the security server 200 obtains the zone ID list (zones) by referring to the document profile (docProfile) (L 0039 ).
- the security server 200 refers to the zone management table (ZoneInfoTable), obtains the IP address or the MAC address corresponding to the zone ID list (zones), and creates an allowed address list (L 0040 ).
- the security server 200 checks whether or not the address included in the context information is included in the allowed address list created in L 0040 (L 0041 ).
- the security server 200 sets “restricted (RESTRICTED)” to the zone (zone) (L 0042 ).
- the security server 200 sets “any zone (ANY)” to the zone (zone) (L 0043 ).
- the security server 200 loads the security policy file to the memory unit 42 and obtains an array of the access control rule (rule) (L 0044 ).
- the security server 200 repeats processes by the following L 0046 through L 0071 for each access control rule (rule) (L 0045 ).
- the security server 200 checks whether or not the document category (docCategory) of the access control rule shows “not restricted (ANY)” or corresponds to the document category (docCategory) of the document profile (DocProfile), and the document level (docLevel) of the access control rule (rule) shows “not restricted (ANY)” or corresponds to the document level (docLevel) of the document profile (DocProfile) (L 0046 ).
- When the document category (docCategory) of the access control rule (rule) shows “not restricted (ANY)” or corresponds to the document category (docCategory) of the document profile (DocProfile), and the document level (docLevel) of the access control rule (rule) corresponds to “not restricted (ANY)” or the document level (docLevel) of the document profile (DocProfile), the security server 200 further repeats processes in the following L 0064 through L 0064 for each access control list (Ace) of the access control rule (rule) (L 0048 ).
- the security server 200 checks whether or not the user category (userCategory) of the access control list (Ace) corresponds to “not restricted (ANY)” or the user category (userCategory) set in L 0036 or L 0037 , and the user level (userLevel) of the access control list (Ace) corresponds to “not restricted (ANY)” or the user level (userLevel) set in L 0038 , and the zone (zone) corresponds to “not restricted (ANY)” or the zone (zone) set in L 0042 or L 0043 (L 0049 , L 0050 , and L 0051 ).
- the security server 200 repeats the following L 0053 through L 0058 for each operation (Operation) of the access control list (Ace) (L 0052 ).
- the security server 200 goes back to L 0048 and repeats the above processes for a next access control list (Ace) of the access control rule (rule).
- the security server 200 checks whether or not an ID of the operation (Operation.Id) corresponds to an operation (operation) of the access control list (Ace) (L 0053 ).
- the ID of the operation (Operation.Id) corresponds to an operation (operation) of the access control list (Ace)
- “allowed (true)” is stored to an allowed item of the decision result information (decisionInfo) (L 0054 ).
- the security server 200 stores all requirements (requirement) indicated by the operation (operation) to the decision result information (L 0055 ) and advances to L 0072 (L 0056 ).
- the security server 200 checks whether or not there is a respective operation (Operation) (L 0060 ). When there is no respective operation, the security server 200 stores “not allowed (false)” to the allowed item (allowed) of the decision result information (decisionInfo) and goes to L 0072 (L 0061 ).
- the security server 200 advances to L 0072 (L 0063 ).
- the security server 200 checks whether or not there is a respective access control list (Ace) (L 0066 ). When there is no respective access control list (Ace), the security server 200 stores “not allowed (false)” to the allowed item (allowed) of the decision result information (decisionInfo) (L 0067 ), and advances to L 0072 (L 0069 ).
- the security server 200 advances to L 0072 (L 0069 ).
- the security server 200 checks whether or not there is a respective access control rule (L 0072 ). When there is no respective access control rule (rule), the security server 200 stores “not allowed (false)” to the allowed item (allowed) of the decision result information (decisionInfo) (L 0073 ), and advances to L 0075 . On the other hand, when there is a respective access control rule (rule) the security server 200 advances to L 0075 .
- the security server 200 checks whether or not the allowed item (allowed) of the decision result information (decisionInfo) shows “not allowed (false)” (L 0075 ). When the allowed item (allowed) of the decision result information (decisionInfo) shows “not allowed (false)”, the security server 200 sends the decision result information to the document management system 100 which sent the decision request (L 0076 ) and terminates the decision process (L 0082 ).
- the security server 200 conducts a compensating process for requirements (requirement) included in the decision result information (decisionInfo) (L 0079 ), sends the decision result information (decisionInfo) to the document management system 100 that sent the decision request (L 0080 ), and then terminates the decision process (L 0082 ).
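The decision flow of L 0031 through L 0073, written out as an added Python example; it is not code from the patent. The `Rule`/`Ace`/`Operation` shapes, all attribute values, the first-match tie-breaking for the user level, and the reading that a client address inside the document's zones yields `RESTRICTED` are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "ANY"

@dataclass
class AddressInfo:                 # FIG. 7
    address: str
    addressType: str               # "IP" or "MAC"
    netmask: str = ""

@dataclass
class DocProfile:                  # FIG. 6, only the fields the decision reads
    docId: str
    docCategory: str
    docLevel: str
    relatedPersons: list
    zones: list

@dataclass
class AuthInfo:                    # FIG. 12 (user name omitted)
    userId: str
    groups: list

@dataclass
class Operation:                   # policy-file shapes from here on are assumed
    id: str
    requirements: list = field(default_factory=list)

@dataclass
class Ace:
    userCategory: str
    userLevel: str
    zone: str
    operations: list

@dataclass
class Rule:
    docCategory: str
    docLevel: str
    aces: list

def in_zone(ip, mac, addresses):
    """L 0041: is the client address covered by any allowed AddressInfo?"""
    for a in addresses:
        if a.addressType == "MAC":
            if mac and a.address.lower() == mac.lower():
                return True
            continue
        try:
            net = ip_network(f"{a.address}/{a.netmask or '255.255.255.255'}", strict=False)
            if ip_address(ip) in net:
                return True
        except ValueError:         # a missing or malformed address never matches
            continue
    return False

def decide(auth, doc, operation, ip, mac, user_levels, zone_table, rules):
    """Return a DecisionInfo-like dict (FIG. 17): allowed plus requirements."""
    principals = [auth.userId, *auth.groups]
    # L 0035 - L 0037: abstract the user into a category relative to this document
    related = any(p in doc.relatedPersons for p in principals)
    user_category = "RELATED_PERSONS" if related else ANY
    # L 0038: the first principal with a table entry wins (assumed tie-breaking)
    user_level = next((user_levels[p] for p in principals if p in user_levels), None)
    # L 0039 - L 0043: abstract the client address into a zone attribute
    allowed_addrs = [a for z in doc.zones for a in zone_table.get(z, [])]
    zone = "RESTRICTED" if in_zone(ip, mac, allowed_addrs) else ANY
    deny = {"allowed": False, "requirements": []}
    for rule in rules:                                         # L 0045
        if rule.docCategory not in (ANY, doc.docCategory):     # L 0046
            continue
        if rule.docLevel not in (ANY, doc.docLevel):
            continue
        for ace in rule.aces:                                  # L 0048
            if (ace.userCategory in (ANY, user_category)       # L 0049 - L 0051
                    and ace.userLevel in (ANY, user_level)
                    and ace.zone in (ANY, zone)):
                for op in ace.operations:                      # L 0052 - L 0055
                    if op.id == operation:
                        return {"allowed": True, "requirements": list(op.requirements)}
                return dict(deny)                              # L 0061: no such operation
        return dict(deny)                                      # L 0067: no matching Ace
    return dict(deny)                                          # L 0073: no matching rule

# Constructed sample tables and policy (not taken from the patent).
ZONES = {"lab": [AddressInfo("192.168.10.0", "IP", "255.255.255.0")]}
LEVELS = {"alice": "STAFF", "managers": "MANAGER"}
DOC = DocProfile("doc-001", "TECHNICAL", "CONFIDENTIAL", ["alice"], ["lab"])
POLICY = [Rule("TECHNICAL", "CONFIDENTIAL", [
    Ace("RELATED_PERSONS", ANY, "RESTRICTED",
        [Operation("read", ["record_audit_data"]),
         Operation("print", ["record_audit_data", "show_alarm"])]),
    Ace(ANY, "MANAGER", ANY, [Operation("read", ["show_alarm"])]),
])]

if __name__ == "__main__":
    print(decide(AuthInfo("alice", ["dev"]), DOC, "read", "192.168.10.25", "", LEVELS, ZONES, POLICY))
```

Every path that falls out of a loop without a match returns a denial, so the absence of a rule, an Ace, or an operation can never grant access. Client-reported IP and MAC addresses are only as reliable as the network path that delivers them, so the zone attribute is a policy input rather than proof of location.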
- FIG. 16 is a diagram showing the data structure of the context information according to the embodiment of the present invention.
- the context information is information showing an address of the client terminal 51 used by the user 52 .
- the data structure 511 of the context information is defined by a structure ContextInfo, and includes an IP address shown by a character string by code 513 - 1 showing “String ipAddress;”, and a MAC address shown by a character string by code 513 - 2 showing “String macAddress;”.
- FIG. 17 is a diagram showing a data structure of the decision result information according to the embodiment of the present invention.
- the decision result information is information showing a decision result of the access control.
- the data structure 521 of the decision result information is defined by a structure DecisionInfo, and includes allowance information shown by true or false by code 523 - 1 showing “Boolean allowed;”, and a plurality of requirements shown by an array of requirements by code 523 - 2 showing “Requirement[] requirements;”.
- each requirement is defined by a structure Requirement, and includes a requirement ID for identifying a requirement and being shown by a character string by code 252 - 1 showing “String requirement;”, a plurality of sets of supplement information shown by an array of the supplement information by code 525 - 2 showing “Property[] supplements;”, supplement data shown by an array of bytes by code 525 - 3 showing “Byte[] data;”, and a plurality of alternative requirements shown by an array of the requirement by code 525 - 4 showing “Requirement[] alternatives;”.
- the supplement information is defined by a structure Property, and includes a name shown by a character string by code 527 - 1 showing “String name;”, and a value shown by a character string by code 527 - 2 showing “String value;”.
- FIG. 18 is a flowchart for explaining the compensating process for requirements by the document management system according to the embodiment of the present invention.
- the document management system 100 repeats from L 1102 to L 1110 for each set of the supplement information (supplement) included in the requirement (requirement) of the decision result information (decisionInfo) (L 1101 ).
- the document management system 100 checks whether or not the name (name) of a property (Property) of the supplement information indicates a static image (static_image) (L 1102 ).
- the document management system 100 reads out data of a stamp image file indicated in a value (value) of the property (Property) of the supplement information from a local hard disk (storage unit 46 ), stores the data of the stamp image file as supplement data of the requirement (requirement) (L 1103 ), and advances to L 1105 .
- the static image is a stamp image or a like.
- the document management system 100 checks whether or not a dynamic image (dynamic_image) is indicated to the name (name) of the property (Property) of the supplement information, and the operation (operation) shows “print” (L 1105 ).
- the document management system 100 creates a new print profile (printProfile) (L 1106 ).
- the document management system 100 encodes a print ID (printId) of the print profile (printProfile) to be identification image data (L 1107 ), and stores the identification image data to supplement data (data) of the requirement (requirement) of the identification image data (L 1108 ). Then, the document management system 100 terminates the compensating process for the requirement.
- the dynamic image (dynamic_image) is not indicated in the name (name) of the property (property) of the supplement information or the operation (operation) does not show “print”, the document management system 100 terminates the compensating process for the requirement.
- the dynamic image is a barcode image, identification pattern image, or a like.
- FIG. 19 and FIG. 20 are flowcharts for explaining the requirement process according to the embodiment of the present invention.
- the document management system 100 checks whether or not the allowed item (allowed) of the decision result information (decisionInfo) shows “not allowed (false)” (L 1121 ). When “not allowed (false)” is shown, the document management system 100 denies the access and terminates the requirement process (L 1122 ).
- the document management system 100 repeats from L 1125 to L 1160 for each requirement (requirement) of the decision result information (decisionInfo) (L 1124 ).
- the document management system 100 checks whether or not a requirement (requirement) (hereinafter, referred to as a not-supported requirement), which is not supported by the document management system 100 , is indicated (L 1125 ). When the not-supported requirement is not indicated, the document management system 100 advances to L 1131 .
- the document management system 100 further checks whether or not the alternative requirement (alternative) of the not-supported requirement (requirement) is an alternative requirement, which is not supported (hereinafter, referred to as a not-supported alternative requirement), and is indicated (L 1126 ).
- the document management system 100 denies the access and terminates the requirement process (L 1127 ).
- the document management system 100 processes the alternative requirement (alternative) of the not-supported requirement (requirement) (L 1129 ).
- the document management system 100 checks whether or not a log record (record_audit_data) is indicated in the requirement (requirement) (L 1131 ).
- the document management system 100 generates log data including the user ID (userid), the document ID (docid), the operation (operation), date and time, the context information (contextInfo) (L 1132 ).
- the document management system 100 sends the log data to security server 200 (L 1133 ).
- the document management system 100 checks whether or not the log data is successfully sent to the security server 200 (L 1134 ). When the log data fails to be sent, the document management system 100 denies the access and terminates the requirement process (L 1135 ). On the other hand, when the log data is successfully sent to the security server 200 , the document management system 100 advances to L 1138 .
- the document management system 100 checks whether or not an encryption (encryption) is indicated to the requirement (requirement) (L 1138 ).
- the document management system 100 encrypts the document 60 stored therein (L 1139 ).
- the document management system 100 advances to L 1141 .
- the document management system 100 checks whether or not a protection of integrity of an original of the digital document is indicated in the requirement (requirement) (L 1141 ).
- the document management system 100 transmits and stores the digital document to an original document integrity protection supporting system (L 1142 ).
- the original document integrity protection supporting system may be a system disclosed in Japanese Laid-open Patent Application No. 2000-285024.
- this original document integrity protection supporting system can be provided within the document management system 100 .
- the document management system 100 checks whether or not the requirement (requirement) indicates to allow a multiple authentication (multi_authentication) for an access to the digital document (L 1144 ). When the requirement (requirement) does not indicate to allow the multiple authentication (multi_authentication), the document management system 100 advances to L 1150 .
- the document management system 100 requires the user 52 using the client terminal 52 to conduct a strict user authentication (such as a finger print recognition or a like) (L 1145 ). After this strict user authentication, the document management system 100 checks whether or not the strict user authentication fails to authenticate the user 52 (L 1146 ). When the strict user authentication fails, the document management system 100 denies the access and terminates the requirement process (L 1147 ). On the other hand, when the strict user authentication succeeds in authenticating the user 52 , the document management system 100 advances to L 1150 .
- the document management system 100 checks whether or not the requirement (requirement) indicates a version management (versioning) of the digital document (L 1150 ).
- the document management system 100 stores a revised document as a new version (L 1151 ) and advances to L 1153 .
- the document management system 100 checks whether or not the requirement (requirement) indicates a complete deletion of the digital document (L 1153 ). When the complete deletion is indicated, the document management system 100 executes a complete deleting process with respect to the digital document being deleted (L 1154 ), and advances to L 1156 . On the other hand, when the complete deletion is not indicated, the document management system 100 advances to L 1156 .
- the document management system 100 checks whether or not the requirement (requirement) indicates an alarm display (show_alarm) (L 1156 ).
- the document management system 100 creates an alarm character string in a character string format indicated in the supplement information (supplement) of the requirement (requirement) (L 1157 ), and displays the alarm character string by a dialog box to the user 52 (L 1158 ).
- the document management system 100 goes back to L 1124 to repeat the above same processes for a next requirement (requirement).
- the alarm display (show_alarm) is not indicated, the document management system 100 advances to L 1124 .
- the document management system 100 conducts an access process requested from the client terminal 51 (L 1161 ), and terminates the requirement process (L 1162 ).
- the requirements (requirement) of the decision result information (decisionInfo) are processed in parallel.
- requirements (requirement) to be processed are defined for each operation (operation), it is not required to process all requirements (requirement).
- the complete deletion (complete_deletion) of the digital document is indicated only for the server document 61 .
- the above processes are illustrated in FIG. 19 and FIG. 20 .
- the document management system 100 conducts the above same processes for the alternative requirement.
- the document management system 100 can conduct the access control in accordance with the security policy set in the security server 200 .
- the requirement process can be flexibly required.
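The requirement process of FIG. 19 and FIG. 20, as an added Python example of the enforcing side; it is not code from the patent. It shows the three denial paths the text describes: a decision of "not allowed", a not-supported requirement with no supported alternative, and a requirement whose processing fails (here, an audit log that cannot be delivered). The handler set, the `format` supplement name, and the injected `send_log` and `alarms` parameters are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from string import Template

@dataclass
class Requirement:                      # mirrors the Requirement structure of FIG. 17
    requirement: str                    # requirement ID, e.g. "record_audit_data"
    supplements: dict = field(default_factory=dict)
    alternatives: list = field(default_factory=list)

def resolve(req, supported):
    """L 1125 - L 1129: the requirement itself if supported, otherwise the
    first supported alternative (searched recursively), otherwise None."""
    if req.requirement in supported:
        return req
    for alt in req.alternatives:
        found = resolve(alt, supported)
        if found is not None:
            return found
    return None

def make_handlers(send_log, alarms):
    """Handlers of a hypothetical enforcing system that supports only audit
    logging and alarm display. Each handler returns True on success."""
    def record_audit_data(req, request):            # L 1131 - L 1135
        entry = {"userId": request["userId"], "docId": request["docId"],
                 "operation": request["operation"],
                 "time": datetime.now(timezone.utc).isoformat(),
                 "context": request["context"]}
        try:
            send_log(entry)                         # delivery to the security server
        except OSError:
            return False                            # undelivered log means no access
        return True

    def show_alarm(req, request):                   # L 1156 - L 1158
        # "format" is an assumed supplement name; Template avoids handing a
        # policy-supplied string to str.format.
        fmt = req.supplements.get("format", "Access to $docId is recorded.")
        alarms.append(Template(fmt).safe_substitute(
            userId=request["userId"], docId=request["docId"]))
        return True

    return {"record_audit_data": record_audit_data, "show_alarm": show_alarm}

def enforce(decision, request, handlers):
    """Return (granted, applied_requirement_ids). The access itself is only
    performed by the caller when granted is True (L 1161)."""
    if not decision["allowed"]:                     # L 1121 - L 1122
        return False, []
    applied = []
    for req in decision["requirements"]:            # L 1124
        chosen = resolve(req, handlers)
        if chosen is None:                          # L 1127: nothing enforceable
            return False, applied
        if not handlers[chosen.requirement](chosen, request):
            return False, applied                   # L 1135 / L 1147 style denial
        applied.append(chosen.requirement)
    return True, applied

if __name__ == "__main__":
    # Constructed request and decision, for illustration only.
    log, shown = [], []
    request = {"userId": "alice", "docId": "doc-001", "operation": "read",
               "context": {"ipAddress": "192.168.10.25"}}
    decision = {"allowed": True, "requirements": [
        Requirement("record_audit_data"),
        Requirement("encryption", alternatives=[Requirement("show_alarm")])]}
    print(enforce(decision, request, make_handlers(log.append, shown)), shown)
```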
- the access control by the digital copier 70 will be described with reference to FIG. 21 and FIG. 22 .
- FIG. 21 is a diagram showing an access control sequence at the digital copier according to the embodiment of the present invention.
- FIG. 22 is a flowchart for explaining the access control process by the digital copier according to the embodiment of the present invention.
- each process in the access control sequence shown in FIG. 21 corresponds by the same numeral number to each process shown in FIG. 22 .
- the digital copier 70 receives the login request with the user ID and the password from the user 52 (S 2001 ).
- the digital copier 70 sends the user ID and the password received from the user 52 to the user management server 300 to make an authentication request (S 2002 ).
- the user management server 300 conducts the authenticating process by the user ID and the password received from the digital copier 70 (S 2003 ).
- the user management server 300 sends authentication result information showing success or failure of the authentication to the digital copier 70 (S 2004 ).
- the digital copier 70 conducts a process corresponding to the authentication result information (S 2005 ).
- the digital copier 70 sends the authentication result information received from the user management server 300 to the client terminal 51 , and advances to S 2006 .
- the digital copier 70 terminates the access control process.
- the user 52 makes a copy request for a paper document 62 at the digital copier 70 (S 2006 ).
- When the digital copier 70 receives the copy request for the paper document 62 , in order to identify the paper document 62 , the digital copier 70 cuts out an area for identification from image data obtained by scanning the paper document 62 (S 2007 ).
- the authentication information of the user 52 , a cut-out image, the access type, and the context information are sent to the security server 200 to request the access control (S 2008 ).
- a copy access for the copy request is indicated as the access type.
- the security server 200 determines based on the information received from the digital copier 70 whether the access is allowed or not allowed (S 2009 ).
- the security server 200 sends a decision result to the digital copier (S 2010 ).
- the digital copier 70 conducts a process corresponding to the decision result received from the security server 200 (S 2011 ). When the decision result shows “Allowed”, the digital copier 70 processes a requirement included in the decision result. On the other hand, when the decision result shows “Prohibited”, the digital copier 70 terminates the access control process without any access.
- the digital copier 70 processes the access request (copy request) requested by the user 52 , outputs sheets being copied, and terminates the access control process (S 2012 ).
- the access request is the copy request.
- the same process can be conducted for a scan request, a fax transmission request, and a like.
- image data being scanned is stored in a predetermined storage area.
- the access request is the fax transmission request, the image data being scanned are sent to a destination indicated by the user 52 .
- the user authentication request in S 2009 can be sent through the security server 200 .
- a method for authenticating the user 52 is not limited to a method for authenticating by the user ID and the password.
- a higher technical authentication such as a biometric authentication, a challenge-response authentication using a master card, or the like can be applied.
- An authenticating process by the user management server 300 in S 2003 is the same as the authenticating process in the access control of the document management system 100 , and explanation thereof will be omitted.
- a data structure of the authentication result information generated by the user management server 300 is the same as the data structure in the access control of the document management system 100 , and explanation thereof will be omitted.
- FIG. 23 , FIG. 24 , and FIG. 25 are diagrams for explaining the decision process in the security server in response to a request from the digital copier according to the embodiment of the present invention.
- In FIG. 23 , FIG. 24 , and FIG. 25 , a case in which the user 52 makes the copy request to copy the paper document 62 by the digital copier 70 is illustrated.
- As operations of the digital copier 70 , there are a fax transmission, a scan, and the like, and the respective requests are sent from the digital copier 70 to the security system 100 as a fax transmission request, a scan request, and the like.
- An operation for the fax transmission is to send the paper document 62 being scanned by the digital copier 70 to a destination indicated by the user 52 by fax.
- An operation for a scan is to scan the paper document 62 and store image data in a predetermined storage area.
- the decision process in the security server 200 is the same for respective requests.
- the security server 200 receives the authentication result information, the document ID, the access type, and the context information from the digital copier 70 that sent the decision request (L 2031 ). For example, “copy for the paper document” is indicated in the access type. A type of the document 60 (that is, paper document 62 ) and a type of operation (that is, copy) are specified.
- the security server 200 obtains a print ID (printId) by decoding the cut-out image received from the digital copier 70 (L 2032 ).
- the security server 200 determines whether or not the cut-out image can be decoded (L 2033 ). When the cut-out image cannot be decoded, the security server 200 sets “unknown (UNKNOWN)” to the document category (docCategory) (L 2034 ), sets “unknown (UNKNOWN)” to the document level (docLevel) (L 2035 ), sets “not restricted (ANY)” to the user category (userCategory) (L 2036 ), and sets “not restricted (ANY)” to the zone (zone) (L 2037 ).
- the security server 200 obtains a print profile (printProfile) corresponding to the print ID (printId) by referring to the print profile management table 280 (L 2040 ).
- the security server 200 checks whether or not the print profile corresponding to the print ID exists (L 2041 ). When the respective print profile corresponding to the print ID does not exist, the security server 200 sets “unknown (UNKNOWN)” to the document category (docCategory) (L 2042 ), sets “unknown (UNKNOWN)” to the document level (docLevel) (L 2043 ), sets “not restricted (ANY)” to the user category (userCategory) (L 2044 ), and sets “not restricted (ANY)” to the zone (zone) (L 2045 ).
- the security server 200 obtains the document ID (docid) from the print profile (printProfile) (L 2048 ), obtains the document profile (docProfile) corresponding to the document ID (docid) by referring to the document profile management table (L 2049 ), obtains the document category (docCategory) and the sensitivity level (docLevel) by referring to the document profile (docProfile) (L 2050 ), and obtains the related person list (relatedPersons) by referring to the document profile (docProfile) (L 2051 ).
- the security server 200 further checks whether or not the related person list (relatedPersons) includes the user IDs (userId) or position groups (groups) of the authentication result information (authInfo) (L 2052 ). When the related person list (relatedPersons) includes the user IDs (userId) or position groups (groups) of the authentication result information (authInfo), the security server 200 indicates the related persons (RELATED_PERSONS) to the user category (userCategory) (L 2053 ).
- the security server 200 indicates any person (ANY) to the user category (userCategory) (L 2054 ), and advances to L 2055 .
- the security server 200 obtains the zone ID list (zones) by referring to the document profile (docProfile) (L 2055 ).
- the security server 200 refers to the zone management table (ZoneInfoTable), obtains the IP address or the MAC address corresponding to the zone ID list (zones), and creates an allowed address list (L 2056 ).
- the security server 200 checks whether or not the address included in the context information is included in the allowed address list created in L 2056 (L 2057 ). When the address is included in the allowed address list, the security server 200 sets “restricted (RESTRICTED)” to the zone (zone) (L 2058 ), and advances to L 2062 . On the other hand, when the address is not included in the allowed address list, the security server 200 sets “any zone (ANY)” to the zone (zone) (L 2059 ), advances to L 2062 .
- the security server 200 refers to the user security level table (UserMapTable) and stores a level corresponding to the user ID (userId) or position groups (groups) to the user level (userLevel) (L 2062 ).
- the security server 200 loads the security policy file to the memory unit 42 and obtains an array of the access control rule (rule) (L 2063 ).
- the security server 200 repeats processes by the following L 0046 through L 0071 for each access control rule (rule) (L 0064 ).
- the security server 200 checks whether or not the document category (docCategory) of the access control rule shows “not restricted (ANY) ” or corresponds to the document category (docCategory) of the document profile (DocProfile) and the document level (docLevel) of the access control rule (rule) shows “not restricted (ANY)” or corresponds to the document level (docLevel) of the document profile (DocProfile) (L 20065 and L 2066 ).
- When the document category (docCategory) of the access control rule (rule) shows “not restricted (ANY)” or corresponds to the document category (docCategory) of the document profile (DocProfile), and the document level (docLevel) of the access control rule (rule) corresponds to “not restricted (ANY)” or the document level (docLevel) of the document profile (DocProfile), the security server 200 further repeats processes in the following L 2068 through L 2083 for each access control list (Ace) of the access control rule (rule) (L 2067 ).
- the security server 200 checks whether or not the user category (userCategory) of the access control list (Ace) corresponds to “not restricted (ANY)” or the user category (userCategory) set in L 2053 or L 2054 , and the user level (userLevel) of the access control list (Ace) corresponds to “not restricted (ANY)” or the user level (userLevel) set in L 2062 , and the zone (zone) corresponds to “not restricted (ANY)” or the zone (zone) set in L 2058 or L 2059 (L 2068 , L 2069 , and L 2070 ).
- the security server 200 repeats the following L 2072 through L 2077 for each operation (Operation) of the access control list (Ace) (L 2071 ).
- the security server 200 goes back to L 2067 and repeats the above processes for a next access control list (Ace) of the access control rule (rule).
- the security server 200 checks whether or not an ID of the operation (Operation.Id) corresponds to an operation (operation) of the access control list (Ace) (L 2072 ).
- when the ID of the operation (Operation.Id) corresponds to an operation (operation) of the access control list (Ace), “allowed (true)” is stored to an allowed item of the decision result information (decisionInfo) (L 2073 ).
- the security server 200 stores all requirements (requirement) indicated by the operation (operation) to the decision result information (L 2074 ) and advances to L 0072 (L 2081 ).
- the security server 200 ends the process for each operation (Operation) of the access control list (Ace) in L 2071 .
- the security server 200 checks whether or not there is a respective operation (Operation) (L 2078 ).
- the security server 200 stores “not allowed (false)” to the allowed item (allowed) of the decision result information (decisionInfo) (L 2079 ) and goes to L 2090 (L 2081 ).
- the security server 200 advances to L 2090 (L 2081 ).
- the security server 200 checks whether or not there is an access control rule (rule) (L 2090 ). When there is no respective access control rule (rule), the security server 200 stores “not allowed (false)” to the allowed item (allowed) of the decision result information (decisionInfo) (L 2091 ), and advances to L 2093 . On the other hand, when there is a respective access control rule (rule), the security server 200 advances to L 2093 .
- the security server 200 checks whether or not the allowed item (allowed) of the decision result information (decisionInfo) shows “not allowed (false)” (L 2093 ). When the allowed item (allowed) of the decision result information (decisionInfo) shows “not allowed (false)”, the security server 200 sends the decision result information to the digital copier 70 which sent the decision request (L 2094 ) and terminates the decision process (L 2100 ).
- the security server 200 conducts a compensating process for requirements (requirement) included in the decision result information (decisionInfo) (L 2097 ), sends the decision result information (decisionInfo) to the digital copier 70 that sent the decision request (L 2098 ), and then terminates the decision process (L 2100 ).
- a data structure of the context information sent from the digital copier 70 to the security server 200 is the same as the data structure of the context information sent from the document management system 100 to the security server 200 , and explanation thereof will be omitted.
- a data structure of the decision result information sent from the security server 200 to the digital copier 70 is the same as the data structure of the decision result information sent from the security server 200 to the document management system 100 , and explanation thereof will be omitted.
- the compensating process of the requirement by the digital copier 70 is the same as the compensating process for the requirement by the document management system 100 , and explanation thereof will be omitted.
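The decision steps L 2031 through L 2100 described above, sketched as an added Python example (not code from the patent). The table layouts, the sample users, addresses and policy entries are constructed, and treating the first matching access control list entry as decisive, with denial as the default, is one reading of the flow.

```python
ANY, UNKNOWN = "ANY", "UNKNOWN"

# Constructed sample tables; layouts and values are assumptions for this sketch.
PRINT_PROFILES = {"print-001": {"docId": "doc-42"}}      # printId -> printProfile
DOC_PROFILES = {"doc-42": {"docCategory": "HR", "docLevel": "SECRET",
                           "relatedPersons": {"alice", "hr-managers"},
                           "zones": ["zone-hq"]}}
ZONE_INFO = {"zone-hq": {"10.0.1.15", "10.0.1.16"}}      # zone ID -> addresses
USER_MAP = {"alice": "MANAGER", "bob": "STAFF"}          # user/group -> level

POLICY = [  # ordered access control rules, each with its Ace entries
    {"docCategory": "HR", "docLevel": "SECRET", "aces": [
        {"userCategory": "RELATED_PERSONS", "userLevel": ANY, "zone": "RESTRICTED",
         "operations": {"copy": ["record_audit_data", "show_operator"]}}]},
    {"docCategory": UNKNOWN, "docLevel": UNKNOWN, "aces": [
        {"userCategory": ANY, "userLevel": ANY, "zone": ANY,
         "operations": {"copy": ["record_audit_data", "record_image_data"]}}]},
]


def user_level(auth_info):
    """L 2062: level of the user ID, else of the first mapped group."""
    for key in (auth_info["userId"], *auth_info.get("groups", ())):
        if key in USER_MAP:
            return USER_MAP[key]
    return None


def resolve_attributes(print_id, auth_info, context):
    """L 2032 - L 2062: map the decoded print ID to policy attributes."""
    attrs = {"docCategory": UNKNOWN, "docLevel": UNKNOWN,
             "userCategory": ANY, "zone": ANY,
             "userLevel": user_level(auth_info)}
    # print_id is None when the cut-out image could not be decoded.
    print_profile = PRINT_PROFILES.get(print_id) if print_id else None
    # Assumption: a print profile without a document profile is also UNKNOWN.
    doc = DOC_PROFILES.get(print_profile["docId"]) if print_profile else None
    if doc is None:
        return attrs
    attrs["docCategory"], attrs["docLevel"] = doc["docCategory"], doc["docLevel"]
    subjects = {auth_info["userId"], *auth_info.get("groups", ())}
    if subjects & doc["relatedPersons"]:
        attrs["userCategory"] = "RELATED_PERSONS"
    allowed = set().union(*(ZONE_INFO.get(z, set()) for z in doc["zones"]))
    if context.get("address") in allowed:
        attrs["zone"] = "RESTRICTED"
    return attrs


def matches(rule_value, actual):
    """A rule field matches when it is ANY or equals the resolved value."""
    return rule_value == ANY or rule_value == actual


def decide(print_id, auth_info, context, operation, policy=POLICY):
    """Return decisionInfo: allowed flag plus the requirements to enforce."""
    attrs = resolve_attributes(print_id, auth_info, context)
    denied = {"allowed": False, "requirements": []}
    for rule in policy:
        if not (matches(rule["docCategory"], attrs["docCategory"])
                and matches(rule["docLevel"], attrs["docLevel"])):
            continue
        for ace in rule["aces"]:
            if not all(matches(ace[k], attrs[k])
                       for k in ("userCategory", "userLevel", "zone")):
                continue
            requirements = ace["operations"].get(operation)
            if requirements is None:          # operation not listed in this Ace
                return denied
            return {"allowed": True, "requirements": list(requirements)}
    return denied                             # no rule applied: default deny


ALICE = {"userId": "alice", "groups": ["hr-managers"]}
BOB = {"userId": "bob", "groups": ["staff"]}

if __name__ == "__main__":
    print(decide("print-001", ALICE, {"address": "10.0.1.15"}, "copy"))
    print(decide(None, BOB, {"address": "192.0.2.9"}, "copy"))
```

In this sketch a rule whose document category and level are both ANY would also match unrecognized paper if it were listed before the UNKNOWN rule, so rule order is part of the policy.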
- FIG. 26 , FIG. 27 , and FIG. 28 are flowcharts for explaining the requirement process by the digital copier according to the embodiment of the present invention.
- the digital copier 70 checks whether or not the allowed item (allowed) of the decision result information (decisionInfo) shows “not allowed (false)” (L 2121 ). When “not allowed (false)” is shown, the digital copier 70 denies the access and terminates the requirement process (L 2122 ).
- the digital copier 70 repeats from L 2125 to L 2178 for each requirement (requirement) of the decision result information (decisionInfo) (L 2124 ).
- the digital copier 70 checks whether or not a requirement (requirement) which is not supported by the digital copier 70 (hereinafter referred to as a not-supported requirement) is indicated (L 2125 ). When the not-supported requirement is not indicated, the digital copier 70 advances to L 2131 .
- the digital copier 70 further checks whether or not the alternative requirement (alternative) of the not-supported requirement (requirement) is an alternative requirement which is not supported (hereinafter referred to as a not-supported alternative requirement), and is indicated (L 2126 ).
- the digital copier 70 denies the access and terminates the requirement process (L 2127 ).
- the digital copier 70 processes the alternative requirement (alternative) of the not-supported requirement (requirement) (L 2128 ).
- the digital copier 70 checks whether or not a log record (record_audit_data) is indicated in the requirement (requirement) (L 2131 ).
- the digital copier 70 generates log data including the user ID (userid), the document ID (docid), the operation (operation), date and time, the context information (contextInfo) (L 2132 ).
- the digital copier 70 sends the log data to the security server 200 (L 2133 ).
- the digital copier 70 checks whether or not the log data is successfully sent to the security server 200 (L 2134 ). When the log data fails to be sent, the digital copier 70 denies the access and terminates the requirement process (L 2135 ). On the other hand, when the log data is successfully sent to the security server 200 , the digital copier 70 advances to L 2138 .
- the digital copier 70 checks whether or not a label print (show_label) is indicated to the requirement (L 2138 ). When the label print (show_label) is indicated, the digital copier 70 embeds a stamp image indicated by the supplement information (supplement) of the requirement by printing to a printed document (L 2139 ). On the other hand, when the label print (show_label) is not indicated, the digital copier 70 advances to L 2141 .
- the digital copier 70 checks whether or not a user name print (show_operator) is indicated (L 2141 ). When the user name print (show_operator) is indicated, the digital copier 70 prints an operator name (operator) as the user name to a printed document (L 2142 ). On the other hand, when the user name print (show_operator) is not indicated, the digital copier 70 advances to L 2144 .
- the digital copier 70 checks whether or not a record of an image log (record_image_data) is indicated (L 2144 ).
- the digital copier 70 generates image log data including the user ID (userid), the document ID (docid), the operation (operation), the date and time, the context information (contextInfo), and document data (scan data) (L 2145 ).
- the digital copier 70 stores the image log data to an internal hard disk (L 2146 ).
- the digital copier 70 advances to L 2148 .
- the digital copier 70 checks whether or not an alarm display (show_alarm) is indicated (L 2148 ).
- the digital copier 70 creates an alarm character string in a character string format indicated in the supplement information (supplement) of the requirement (requirement) (L 2149 ), and displays the alarm character string at the operation panel to the user 52 (L 2150 ).
- when the alarm display (show_alarm) is not indicated, the digital copier 70 advances to L 2152 .
- the digital copier 70 checks whether or not an alarm print (print_alarm) is indicated (L 2152 ).
- the digital copier 70 creates an alarm character string in a character string format indicated in the supplement information (supplement) of the requirement (requirement) (L 2153 ), and prints the alarm character string so as to embed it in the printed document (L 2154 ).
- the digital copier 70 advances to L 2156 .
- the digital copier 70 checks whether or not a receiver restriction (address_restriction) for the fax transmission is indicated (L 2156 ).
- the digital copier 70 checks a receiver address indicated by the user 52 with a receiver condition indicated in the supplement information (supplement) of the requirement (requirement) (L 2157 ).
- the digital copier 70 checks whether or not the receiver address matches with the receiver condition (L 3258 ).
- the digital copier 70 displays, at an operation panel, a message showing that the receiver address does not match with the receiver condition, to inform it to the user 52 (L 2159 ), denies the access by the user 52 , and terminates the requirement process (L 2160 ).
- the digital copier 70 advances to L 2162 .
- when the digital copier 70 determines in L 2156 that the receiver restriction (address_restriction) is not indicated, the digital copier 70 advances to L 2162 .
- the digital copier 70 decides whether or not a confidential transmission mode (private_send) is indicated (L 2163 ).
- the digital copier 70 sets the confidential transmission mode to a sender condition (L 2164 ).
- the digital copier 70 checks whether or not the confidential transmission mode cannot be set (L 2165 ).
- the digital copier 70 displays, at the operation panel, a message showing that a receiver cannot receive the confidential transmission, to inform it to the user 52 (L 2166 ), denies the access, and terminates the requirement process (L 2167 ).
- the digital copier 70 advances to L 2170 .
- when the digital copier 70 determines in L 2163 that the confidential transmission mode (private_send) is not indicated, the digital copier 70 advances to L 2170 .
- the digital copier 70 checks whether or not a visible watermark letter print (visible_watermark) is indicated (L 2170 ).
- the digital copier 70 creates a character string in a character string format indicated by the supplement information (supplement) of the requirement (requirement) (L 2171 ), and embeds the character string as a watermark to the printed documents (L 2172 ).
- the digital copier 70 advances to L 2174 .
- the digital copier 70 checks whether or not a digital watermark (digital_watermark) is indicated (L 2174 ).
- the digital copier 70 creates a character string in a character string format indicated by the supplement (supplement) of the requirement (requirement) (L 2175 ), and embeds the character string as the digital watermark to scanned data (L 2176 ).
- the digital copier 70 goes back to L 2124 and repeats the above processes for a next requirement (requirement).
- the digital copier 70 advances to L 2124 .
- the digital copier 70 conducts a process corresponding to the access by the client terminal 51 (L 2179 ) and terminates the requirement process (L 2180 ).
- the digital copier 70 can conduct the access control in accordance with the security policy set in the security server 200 .
- since the recognition of the paper document 62 is not 100 percent perfect, a recognition error may occur.
- when the digital copier 70 cannot recognize the paper document 62 when copying the paper document 62 , basically the paper document 62 is required to be copied as a regular paper document. For this reason, it is required to conduct some kind of security protection in a case in which the paper document 62 cannot be recognized. Accordingly, in this embodiment, the paper document 62 , which is not recognized (categorized into “UNKNOWN” of the document category), can be processed in accordance with the security policy.
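The copier-side requirement process (L 2121 through L 2180) as an added Python sketch, not code from the patent: each requirement is applied, replaced by a supported alternative, or causes denial before any sheet is output. The dictionary layout of a requirement, the `format` and `allowed_prefixes` supplement keys, and the sample request are assumptions.

```python
from datetime import datetime, timezone


class AccessDenied(Exception):
    """A requirement could not be satisfied; the job must not run."""


def select_requirement(req, supported):
    """L 2125 - L 2128: use the alternative of a not-supported requirement,
    and deny when the alternative is missing or not supported either."""
    if req["requirement"] in supported:
        return req
    alt = req.get("alternative")
    if not alt or alt["requirement"] not in supported:
        raise AccessDenied(f"unsupported requirement: {req['requirement']}")
    return alt


def apply_requirement(req, request, job, send_log):
    """Apply one supported requirement to the pending job (subset of the list)."""
    name, supplement = req["requirement"], req.get("supplement", {})
    now = datetime.now(timezone.utc)
    fields = {"userId": request["userId"], "docId": request["docId"],
              "date": now.date().isoformat()}
    if name == "record_audit_data":
        log = {**fields, "operation": request["operation"],
               "time": now.isoformat(), "contextInfo": request["contextInfo"]}
        if not send_log(log):                 # L 2134 - L 2135: fail closed
            raise AccessDenied("audit log could not be delivered")
    elif name == "show_operator":
        job["overlays"].append(("operator", request["userId"]))
    elif name in ("visible_watermark", "print_alarm"):
        job["overlays"].append((name, supplement["format"].format(**fields)))
    elif name == "show_alarm":
        job["panel"].append(supplement["format"].format(**fields))
    elif name == "address_restriction":       # fax transmission only
        receiver = request.get("receiver", "")
        if not receiver.startswith(tuple(supplement["allowed_prefixes"])):
            job["panel"].append(
                "receiver address does not match the receiver condition")
            raise AccessDenied("receiver address rejected")
    else:
        raise AccessDenied(f"no handler for requirement: {name}")


def enforce(decision, request, supported, send_log):
    """Return the job plan, or a denial; output happens only on 'done'."""
    job = {"overlays": [], "panel": []}
    try:
        if not decision["allowed"]:
            raise AccessDenied("decision result is not allowed")
        for req in decision["requirements"]:
            chosen = select_requirement(req, supported)
            apply_requirement(chosen, request, job, send_log)
    except AccessDenied as exc:
        return {"status": "denied", "reason": str(exc), "panel": job["panel"]}
    except KeyError:
        # A requirement missing its expected fields is treated as unsatisfiable.
        return {"status": "denied", "reason": "malformed requirement",
                "panel": job["panel"]}
    return {"status": "done", **job}


# Constructed sample request and device capabilities.
SAMPLE_REQUEST = {"userId": "alice", "docId": "doc-42", "operation": "copy",
                  "contextInfo": {"address": "10.0.1.15"}}
SUPPORTED = {"record_audit_data", "show_operator", "visible_watermark",
             "address_restriction"}

if __name__ == "__main__":
    decision = {"allowed": True, "requirements": [
        {"requirement": "record_audit_data"},
        {"requirement": "digital_watermark",
         "alternative": {"requirement": "visible_watermark",
                         "supplement": {"format": "Copied by {userId}"}}}]}
    print(enforce(decision, SAMPLE_REQUEST, SUPPORTED, lambda log: True))
    print(enforce(decision, SAMPLE_REQUEST, SUPPORTED, lambda log: False))
```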
- An access control conducted by the document viewer 53 will be described with FIG. 29 , FIG. 30 , and FIG. 31 .
- FIG. 29 is a diagram showing an access control sequence in the document viewer according to the embodiment of the present invention.
- FIG. 30 and FIG. 31 are flowcharts for explaining the access control process by the document viewer according to the embodiment of the present invention.
- each process in the access control sequence shown in FIG. 29 corresponds by the same numeral number to each process shown in FIG. 30 and FIG. 31 .
- the document viewer 53 receives an open request for opening a file (portable document 63 ) from the user 52 (S 3001 ).
- the document viewer 53 checks whether or not the portable document 63 is protected by a security (S 3002 ).
- the document viewer 53 conducts a process corresponding to a check result in S 3002 (protected or not protected) for the portable document 63 (S 3003 ).
- the document viewer 53 displays a content of the portable document 63 , and terminates the access control process.
- the document viewer 53 advances to S 3004 .
- the document viewer 53 prompts the user 52 to input the user ID and the password and receives the user ID and the password from the user 52 (S 3004 ).
- the document viewer 53 conducts a user authentication by sending the user ID and the password from the user 52 to the user management server 300 (S 3005 ).
- the user management server 300 conducts the user authentication by the user ID and the password received from the document viewer 53 (S 3006 ), and sends authentication result information to the document viewer 53 (S 3007 ).
- When the document viewer 53 receives the authentication result information from the user management server 300 , the document viewer 53 conducts a process corresponding to the authentication result information (S 2008 ). When the authentication fails, the document viewer 53 displays an authentication error for the user 52 , and terminates the access control process. When the authentication succeeds, the document viewer 53 advances to S 3009 .
- the document viewer 53 retrieves the document ID from the portable document 63 (S 3009 ). Then, the document viewer 53 sends the authentication result information, the document ID, an access type, context information for the client terminal 51 on which the document viewer 53 is running, to the security server 200 , and requests the access control (S 3010 ). For example, a read access is indicated as the access type for the open request.
- the security server 200 determines whether or not the access is allowed based on information received from the document viewer 53 (S 3011 ). The security server 200 sends a decision result to the document viewer 53 (S 3012 ).
- the document viewer 53 processes a requirement included in the decision result (S 3013 ).
- when the decision result shows “prohibited (not allowed)”, the document viewer 53 denies the access and terminates the access control process.
- the document viewer 53 processes the access (file open) requested by the user 52 , displays the contents of the portable document 63 (S 3014 ).
- the document viewer 53 receives a print request of the portable document 63 from the user 52 (S 3015 ).
- the document viewer 53 sends the authentication result information, the document ID, the access type, the context information of the client terminal 51 on which the document viewer 53 is running, to the security server 200 , and requests the access control to the security server 200 (S 3016 ). For example, a print access corresponding to the print request is indicated as the access type.
- the security server 200 determines based on information received from the document viewer 53 whether or not the access is allowed (S 3017 ), and sends a decision result to the document viewer 53 (S 3018 ).
- the document viewer 53 processes a requirement included in the decision result (S 3019 ).
- when the decision result shows “prohibited (not allowed)”, the document viewer 53 denies the access, and terminates the access control process.
- the document viewer 53 processes the access (print) requested by the user 52 , and outputs printed contents of the portable document 63 (S 3020 ).
- the user authentication in S 3005 may be requested through the security server 200 .
- a method for authenticating the user 52 is not limited to a method for authenticating by the user ID and the password.
- a higher technical authentication such as a biometric authentication, a challenge-response authentication using a master card, or the like can be applied.
- An authenticating process conducted by the user management server 300 in S 3006 is the same as the authenticating process in the access control conducted by the document management system 100 , and explanation thereof will be omitted.
- a data structure of the authentication information is the same as the data structure in the access control conducted by the document management system 100 , and explanation thereof will be omitted.
- A decision process conducted by the security server 200 in S 3001 and S 3017 is the same as the decision process in the access control conducted by the document management system 100 .
- a data structure of the decision result information is the same as the data structure of the decision result information in the access control conducted by the document management system 100 , and explanation thereof will be omitted.
- a compensating process for the requirement conducted by the document viewer 53 is the same as the compensating process for the requirement conducted by the document management system 100 , and explanation thereof will be omitted.
- FIG. 32 , FIG. 33 , FIG. 34 , FIG. 35 , and FIG. 36 are flowcharts for explaining the requirement process conducted by the document viewer according to the embodiment of the present invention.
- the document viewer 53 checks whether or not the “allowed” item of the decision result information shows “false” (L 3121 ). When the “allowed” item shows “false”, the document viewer 53 denies the access and terminates the requirement process (L 3122 ).
- the document viewer 53 checks whether or not a requirement, which is not supported by the document viewer 53 (hereinafter, called not-supported requirement), is indicated (L 3125 ). When the not-supported requirement is not indicated, the document viewer 53 advances to L 3131 .
- the document viewer 53 further checks whether or not an alternative requirement, which is not supported by the document viewer 53 (hereinafter, called not-supported alternative requirement), is indicated (L 3126 ).
- the document viewer 53 denies the access and terminates the requirement process (L 3127 ).
- the document viewer 53 processes the alternative requirement (alternative) for the requirement (requirement) (L 3128 ).
- the document viewer 53 checks whether or not a log record (record_audit_data) is indicated in the requirement (requirement) (L 3131 ).
- when the log record is indicated, the document viewer 53 generates log data including the user ID (userid), the document ID (docid), the operation (operation), date and time, and the context information (contextInfo) (L 3132 ).
- the document viewer 53 sends the log data to the security server 200 (L 3133 ).
- the document viewer 53 determines whether or not the log data is successfully sent to the security server 200 (L 3134 ).
- the document viewer 53 denies the access and terminates the requirement process (L 3136 ).
- the document viewer 53 advances to L 3136 .
- the document viewer 53 checks whether or not the requirement indicates to allow the multiple authentication for the access to the digital document (L 3138 ).
- the document viewer 53 requires the user 52 to perform a strict user authentication (such as the fingerprint recognition or the like) (L 3139 ).
- the document viewer 53 further determines whether or not the strict user authentication has failed (L 3140 ).
- the document viewer 53 denies the access and terminates the requirement process (L 3141 ).
- the document viewer 53 advances to L 3144 .
- the document viewer 53 checks whether or not the alarm display (show_alarm) is indicated (L 3144 ).
- the document viewer 53 creates an alarm character string in a character string indicated in the supplement information (supplement) of the requirement (requirement) (L 3145 ), and displays the alarm character string (L 3146 ).
- when the alarm display is not indicated, the document viewer 53 advances to L 3148 .
- the document viewer 53 checks whether or not a private print mode (private_access) is indicated (L 3148 ). When the private print mode is indicated, the document viewer 53 advances to L 3160 .
- the document viewer 53 determines whether or not a printer to print out supports the private print mode (L 3149 ). When the private print mode is not supported, the document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L 3150 ). Then, the document viewer 53 determines whether or not the alternative requirement is processed (L 3151 ). When the alternative requirement cannot be processed, the document viewer 53 denies the access and terminates the requirement process (L 3152 ). On the other hand, when the alternative requirement can be processed, the document viewer 53 advances to L 3160 .
- the document viewer 53 displays a dialog for the user 52 to input the password (L 3156 ), sets the password input by the user 52 to a printer driver in order to set the private print mode (L 3157 ). After that, the document viewer 53 advances to L 3160 .
- the document viewer 53 checks whether or not the image log record (record_image_data) is indicated (L 3160 ). When the image log record is indicated, the document viewer 53 further determines whether or not the printer to print out supports the image log record (L 3161 ). When the printer does not support the image log record, the document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L 3162 ). Then, the document viewer 53 determines whether or not the alternative requirement cannot be processed (L 3163 ). When the alternative requirement cannot be processed, the access is denied and the requirement process is terminated (L 3164 ). On the other hand, when the alternative requirement (alternative) can be processed, the document viewer 53 advances to L 3173 .
- when the image log record is supported (L 3167 ), the document viewer 53 generates log data including the user ID (userid), the document ID (docid), the operation (operation), the date and time, and the context information (contextInfo) (L 3168 ). The document viewer 53 sets an image log bibliographic item to the printer driver (L 3169 ), and sets an image log record mode to the printer driver (L 3170 ). Then, the document viewer 53 advances to L 3173 .
- the document viewer 53 checks whether or not the requirement indicates to embed trace information (embed_trace_Info) (L 3173 ). When the requirement does not indicate to embed the trace information, the document viewer 53 advances to L 3187 .
- When the requirement indicates to embed the trace information, the document viewer 53 further determines whether or not a driver of the printer to print out supports a stamp print (L 3174 ). When the driver of the printer supports the stamp print, the document viewer 53 sets a barcode image indicated by the supplement information of the requirement to the printer driver to set a stamp print mode (L 3176 ). Then, the document viewer 53 advances to L 3187 .
- the document viewer 53 determines whether or not the document viewer 53 supports a document edit (L 3177 ).
- the document viewer 53 embeds the barcode indicated by the supplement information (supplement) of the requirement (requirement) to each page to be printed by editing the portable document 63 (L 3178 ).
- the document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L 3181 ).
- the document viewer 53 determines whether or not the alternative requirement cannot be processed (L 3182 ).
- when the alternative requirement cannot be processed, the document viewer 53 denies the access, and terminates the requirement process (L 3183 ).
- when the alternative requirement can be processed, the document viewer 53 advances to L 3187 .
- the document viewer 53 checks whether or not the requirement indicates to print a label as a stamp (show_label) (L 3187 ). When the requirement does not indicate to print a label as a stamp, the document viewer 53 advances to L 3201 . When the requirement indicates to print a label as a stamp, the document viewer 53 further checks whether or not the driver of the printer to print out supports the stamp print (L 3188 ). When the stamp print is supported, the document viewer 53 sets the stamp image indicated by the supplement requirement (supplement) of the requirement (requirement) to the printer driver to set the stamp print mode (an embedding location is indicated by “embedding location” item in the supplement information (supplement) of the requirement (requirement)) (L 3189 ). After that, the document viewer 53 advances to L 3201 .
- the document viewer 53 determines whether or not the document viewer 53 supports the document edit (L 3191 ).
- the document viewer 53 sets the stamp image indicated by the supplement requirement (supplement) of the requirement (requirement) to the printer driver to set the stamp print mode (an embedding location is indicated by “embedding location” item in the supplement information (supplement) of the requirement (requirement)) (L 3192 ).
- the document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L 3195 ). Then, the document viewer 53 determines whether or not the alternative requirement cannot be processed (L 3196 ). When the alternative requirement cannot be processed, the document viewer 53 denies the access and terminates the requirement process (L 3197 ). On the other hand, the document viewer 53 advances to L 3201 .
- the document viewer 53 checks whether or not the visible watermark letter print (visible_watermark) is indicated (L 3201 ). When the visible watermark letter print is not indicated, the document viewer 53 advances to L 3216 .
- When the visible watermark letter print is indicated, the document viewer 53 creates a background character string in a character string indicated by the supplement requirement (supplement) of the requirement (requirement) (L 3202 ). Then, the document viewer 53 further determines whether or not the driver of the printer to print out supports a combination print (L 3203 ). When the combination print is supported, the document viewer 53 sets the background character string as the combination character string to the printer driver (L 3204 ). After that, the document viewer 53 advances to L 3216 .
- the document viewer 53 determines whether or not the document viewer 53 supports the document edit (L 3206 ).
- the document viewer 53 embeds the background character string to a background of the portable document 63 by editing the portable document 63 (L 3207 ).
- the document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L 3210 ). Then, the document viewer 53 further determines whether or not the alternative requirement (alternative) cannot be processed (L 3211 ). When the alternative requirement (alternative) cannot be processed, the document viewer 53 denies the access and terminates the requirement process (L 3212 ). On the other hand, when the alternative requirement can be processed, the document viewer 53 advances to L 3216 .
- the document viewer 53 determines whether or not the requirement indicates to print an embossed watermark letter (anti_copy_watermark) (L 3216 ). When the requirement does not indicate to print the embossed watermark letter, the document viewer 53 advances to L 3232 .
- When the requirement indicates to print the embossed watermark letter, the document viewer 53 creates a pattern character string in a character string format indicated by the supplement information (supplement) of the requirement (requirement) (L 3217 ). The document viewer 53 further determines whether or not the driver of the printer to print out supports a pattern print (L 3218 ). When the pattern print is indicated, the document viewer 53 sets the pattern character string to the printer driver (L 3219 ). After that, the document viewer 53 advances to L 3232 .
- the document viewer 53 determines whether or not the document viewer 53 supports the document edit (L 3221 ).
- the document viewer 53 generates a pattern image based on the pattern character string (L 3222 ), and embeds the pattern image to the background of the portable document 63 by editing the portable document 63 (L 3223 ).
- the document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L 3226 ). Then, the document viewer 53 determines whether or not the alternative requirement cannot be processed (L 3227 ). When the alternative requirement cannot be processed, the document viewer 53 denies the access and terminates the requirement process (L 3228 ). On the other hand, when the alternative requirement can be processed, the document viewer 53 advances to L 323 .
- the document viewer 53 determines whether or not the requirement indicates to print an identification pattern (identifiable_bg_pattern) (L 3232 ). When the requirement does not indicate to print an identification pattern, the document viewer 53 advances to L 3247 .
- When the requirement indicates to print an identification pattern, the document viewer 53 creates the pattern character string by an identification pattern image indicated by the supplement information (supplement) of the requirement (requirement) (L 3233 ). Then, the document viewer 53 further determines whether or not the driver of the printer to print out supports to repeat the stamp print (L 3234 ). When the driver of the printer supports to repeat the stamp print, the document viewer 53 sets the identification pattern image indicated by the supplement information (supplement) of the requirement (requirement) to the printer driver to set a repeating stamp print mode (L 3235 ). After that, the document viewer 53 advances to L 3247 .
- the document viewer 53 further determines whether or not the document viewer 53 supports the document edit (L 3237 ).
- the document viewer 53 repeatedly embeds the identification pattern image indicated by the supplement information (supplement) of the requirement (requirement) to the background of the portable document 63 by editing the portable document 63 (L 3238 ). After that, the document viewer 53 advances to L 3247 .
- the document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L 3241 ). Then, the document viewer 53 determines whether or not the alternative requirement cannot be processed (L 3242 ). When the alternative requirement cannot be processed, the document viewer 53 denies the access and terminates the requirement process (L 3243 ). On the other hand, when the alternative requirement can be processed, the document viewer 53 advances to L 3247 .
- the document viewer 53 determines whether or not the alarm print is indicated (L 3247 ). When the alarm print is not indicated, the document viewer 53 goes back to L 3124 .
- When the alarm print is indicated, the document viewer 53 creates an alarm character string in a character string format indicated by the supplement information (supplement) of the requirement (requirement) (L 3248 ). Then, the document viewer 53 further determines whether or not the driver of the printer to print out supports a header/footer print (L 3249 ). When the header/footer print is supported, the document viewer 53 sets the alarm character string as a header/footer to the printer driver (L 3250 ).
- the document viewer 53 further determines whether or not the document viewer 53 supports the document edit (L 3252 ).
- the document viewer 53 embeds the alarm character string at the header/footer of the portable document 63 (L 3253 ).
- the document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L 3256 ). Then, the document viewer 53 further determines whether or not the alternative requirement cannot be processed (L 3257 ). When the alternative requirement cannot be processed, the document viewer 53 denies the access and terminates the requirement process (L 3258 ).
- the document viewer 53 conducts an access process requested by the user 52 (L 3263 ), and terminates the requirement process (L 3264 ).
- the document viewer 53 can conduct the access control in accordance with the security policy set in the security server 200 .
- the process for the supplement information necessary to satisfy the allowable requirement and the process for the alternative requirement can be conducted, it is possible to realize a flexible process in accordance with the organizational security policy.
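The fallback order walked through above (printer-driver feature, then document edit, then the alternative requirement, then denial) can be sketched as follows. This is an added example, not code from the patent; the capability labels, the `Requirement` class, the depth limit and the fail-closed handling of unknown requirement names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Printer-driver capability each requirement needs. The requirement names come
# from the text; the capability labels are hypothetical names for the print
# modes it mentions (stamp, combination, pattern, repeated stamp, header/footer).
DRIVER_FEATURE = {
    "show_label": "stamp_print",
    "visible_watermark": "combination_print",
    "anti_copy_watermark": "pattern_print",
    "identifiable_bg_pattern": "repeat_stamp_print",
    "print_alarm": "header_footer_print",
}
MAX_ALTERNATIVE_DEPTH = 4  # assumption: bound the chain of alternatives


class AccessDenied(Exception):
    """Raised when a requirement cannot be satisfied by any route."""


@dataclass
class Requirement:
    name: str
    supplement: dict = field(default_factory=dict)
    alternative: Optional["Requirement"] = None


def enforce(req, driver_features, viewer_can_edit, job, depth=0):
    """Satisfy one requirement on `job`, or raise AccessDenied."""
    feature = DRIVER_FEATURE.get(req.name)
    if feature is None:
        # Assumption: a requirement the viewer does not understand is treated
        # as unsatisfiable, so the request fails closed.
        raise AccessDenied(f"unsupported requirement: {req.name}")
    if feature in driver_features:
        # First choice: let the printer driver apply the marking.
        job["driver_settings"][feature] = req.supplement
        return f"{req.name}:driver"
    if viewer_can_edit:
        # Second choice: embed the marking by editing the portable document.
        job["document_edits"].append((req.name, req.supplement))
        return f"{req.name}:edit"
    if req.alternative is not None and depth < MAX_ALTERNATIVE_DEPTH:
        # Third choice: process the alternative requirement the same way.
        return enforce(req.alternative, driver_features, viewer_can_edit,
                       job, depth + 1)
    raise AccessDenied(f"cannot satisfy {req.name} and no usable alternative")


def process_print(requirements, driver_features, viewer_can_edit):
    """Apply every requirement first; print only if all of them succeeded."""
    job = {"driver_settings": {}, "document_edits": []}
    applied = []
    try:
        for req in requirements:
            applied.append(
                enforce(req, set(driver_features), viewer_can_edit, job))
    except AccessDenied as exc:
        # One unsatisfied requirement denies the whole access.
        return {"allowed": False, "printed": False, "applied": [],
                "reason": str(exc)}
    return {"allowed": True, "printed": True, "applied": applied, "job": job}


if __name__ == "__main__":
    watermark = Requirement(
        "visible_watermark", {"text": "CONFIDENTIAL"},
        alternative=Requirement("print_alarm", {"text": "Do not copy"}))
    # Constructed case: driver only supports header/footer, viewer cannot edit.
    print(process_print([watermark], {"header_footer_print"}, False))
```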
- a key for using an encryption/decryption may be included in a special document viewer that can realize the above access control. The security server 200 allows transmitting a decryption key to the document viewer 53 only if it confirms that the document viewer 53 is a special document viewer capable of enforcing the access control.
- screen examples for displaying the document viewer 53 at the client terminal 51 will be described with reference to FIG. 37A through FIG. 41C .
- the user 52 can know by screens described in the following which requirements will be processed.
- FIG. 37A is a diagram showing a screen example for displaying settings for the alarm print according to the embodiment of the present invention.
- FIG. 37B is a diagram showing a screen example for displaying detail settings for the alarm print according to the embodiment of the present invention.
- a screen 600 is a screen showing a state in that the alarm print is indicated as the requirement.
- a setting area 601 is originally used as an area for a setting to print at a header or footer.
- the header/footer print is compulsorily set and displayed in gray to prohibit the user 52 from changing the setting, by the requirement process conducted by the document viewer 53 .
- a screen 605 as shown in FIG. 37B is displayed at the client terminal 51 .
- the screen 605 is a screen for setting details in a case in which the alarm print is indicated as the requirement.
- the setting area 606 is originally used for the user 52 to set an arrangement location and a format of a character string to print at the header or the footer.
- the header/footer print is compulsorily set and displayed in gray to prohibit the user 52 from changing the setting, by the requirement process conducted by the document viewer 53 .
- the user 52 is prohibited from changing the setting but can confirm that the alarm print is the requirement before printing the portable document 63 . By this confirmation, the user 52 determines whether to actually print the portable document 63 or to cancel the print request.
- FIG. 38A is a diagram showing a screen example in that the private print is set according to the embodiment of the present invention.
- FIG. 38B is a diagram showing a screen example for setting the authentication information for the private print according to the embodiment of the present invention.
- a screen 610 is a screen displayed when the private print is indicated as the requirement.
- a selecting area 611 for selecting a print method is originally used for the user 52 to select one or more items.
- the requirement process conducted by the document viewer 53 compulsorily selects the private print, displays it in gray, and prevents the user 52 from changing the selection.
- the setting can be controlled so that the setting cannot be changed by the user 52 .
- a detail button in the setting area 611 a screen 613 is displayed as shown in FIG. 38B .
- the screen 613 is a screen for detail settings in the case in that the private print is indicated as the requirement.
- input areas 614 and 615 are originally used for the user 52 to set the authentication information.
- the input area 614 is an area for the user 52 to input the user ID.
- the input area 615 is an area for the user 52 to input the password.
- the user 52 can output a document being printed from the portable document 63 from the digital copier 70 by inputting, at the digital copier 70 , the user ID and the password input at the screen 613 .
- the user 52 can know that the document is printed from the portable document 63 by the private print.
- FIG. 39 is a diagram showing a screen example in a case in that a label is indicated to print as a stamp as the requirement according to the embodiment of the present invention.
- a screen 620 is displayed when the label is indicated to print as the stamp as the requirement.
- a setting area 621 is originally used for the user 52 to set the stamp.
- the requirement process conducted by the document viewer 53 compulsorily sets a stamp print, displays it in gray, and prevents the user 52 from changing the setting.
- the user 52 is prohibited from changing the setting but can confirm that the stamp print is the requirement before the portable document 63 is printed out. By this confirmation, the user 52 can determine whether to actually print the portable document 63 or to cancel the print request.
- FIG. 40 is a diagram showing a screen example in a case in that the visible watermark letter print is indicated as the requirement according to the embodiment of the present invention.
- a screen 630 is displayed when the visible watermark letter print is indicated as the requirement.
- a setting area 631 is originally used for the user 52 to set the visible watermark letter print.
- the requirement process conducted by the document viewer 53 compulsorily sets the visible watermark letter print, displays it in gray, and prevents the user 52 from changing the setting.
- the user 52 is prohibited from changing the setting but can confirm the visible watermark letter print is the requirement before the portable document 63 is printed out. By this confirmation, the user can determine to actually print out the portable document 63 or to cancel the print request.
- FIG. 41A is a diagram showing a screen example showing details in the case in which the identification pattern print is indicated as the requirement.
- In FIG. 41A , an image is displayed in a displaying area 641 of a screen 640 when the identification pattern print is indicated.
- the user 52 is prohibited from changing the setting at the screen 640 but can confirm that the identification print is indicated as the requirement before printing out the portable document 63 . By this confirmation, the user 52 can determine to actually print out the portable document 63 or to cancel the print request.
- the identification pattern is printed by dots as shown in FIG. 41B .
- FIG. 41B is a diagram showing an example of magnifying the identification pattern according to the embodiment of the present invention.
- an identification pattern 646 may be drawn by identification image data 12 dots high, 8 dots wide, and 3 dots interval (that is, an image size is 48 × 32 pixels).
- the code can be realized by a simple rule such that a dot is printed when a bit value is “1” and a dot is not printed when the bit value is “0”.
- FIG. 41C is a diagram showing an encoding example of the identification pattern shown in FIG. 41B according to the embodiment of the present invention.
- the identification pattern 646 shown in FIG. 41B can be encoded into a bit pattern 647 by using the above-described simple rule. Error correcting code may be printed since an identification error may occur when the dot pattern is disordered.
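The dot rule above (a dot for bit "1", no dot for bit "0", on a grid 12 dots high and 8 dots wide with a 3-dot interval) can be exercised end to end. This is an added example, not code from the patent. It assumes a 10-character ASCII identifier such as the "printId" value the page uses, one byte per row, and a CRC-16 in the last two rows, which only detects a disordered pattern and is a simpler stand-in for the error correcting code the text mentions.

```python
import binascii

ROWS, COLS = 12, 8   # 12 dots high, 8 dots wide (from the text)
PITCH = 4            # one dot plus the 3-dot interval: 12*4 = 48, 8*4 = 32
ID_LEN = 10          # assumption: 10 ASCII characters, e.g. "p000000001"


def frame(print_id: str) -> bytes:
    """Identifier plus a 2-byte CRC-16 so that damage can be detected."""
    raw = print_id.encode("ascii")
    if len(raw) != ID_LEN:
        raise ValueError(f"identifier must be {ID_LEN} ASCII characters")
    return raw + binascii.crc_hqx(raw, 0xFFFF).to_bytes(2, "big")


def to_bit_pattern(payload: bytes):
    """One byte per row, most significant bit in the leftmost column."""
    if len(payload) * 8 != ROWS * COLS:
        raise ValueError("payload does not fill the 12 x 8 grid")
    return [[(byte >> (COLS - 1 - c)) & 1 for c in range(COLS)]
            for byte in payload]


def render(bits):
    """Draw the pattern: pixel value 1 is a printed dot, 0 is blank paper."""
    image = [[0] * (COLS * PITCH) for _ in range(ROWS * PITCH)]
    for r, row in enumerate(bits):
        for c, bit in enumerate(row):
            image[r * PITCH][c * PITCH] = bit
    return image


def encode(print_id: str):
    return render(to_bit_pattern(frame(print_id)))


def read_bit_pattern(image):
    """Sample the grid positions of a scanned, already aligned image."""
    if len(image) != ROWS * PITCH or any(len(row) != COLS * PITCH
                                         for row in image):
        raise ValueError("unexpected image size")
    return [[image[r * PITCH][c * PITCH] for c in range(COLS)]
            for r in range(ROWS)]


def decode(image) -> str:
    """Return the identifier, or raise ValueError if the dots were disturbed."""
    bits = read_bit_pattern(image)
    payload = bytes(int("".join(str(b) for b in row), 2) for row in bits)
    raw, crc = payload[:ID_LEN], int.from_bytes(payload[ID_LEN:], "big")
    if binascii.crc_hqx(raw, 0xFFFF) != crc:
        raise ValueError("identification pattern is damaged")
    return raw.decode("ascii")


if __name__ == "__main__":
    img = encode("p000000001")
    for row in img[::PITCH]:          # show only the rows that carry dots
        print("".join("#" if px else "." for px in row[::PITCH]))
    print(decode(img))
```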
- FIG. 42 is a diagram showing a requirement process sequence in the private print mode according to the embodiment of the present invention.
- When the user 52 conducts the print request for the portable document 63 displayed by the document viewer 53 , the document viewer 53 requires the user 52 to input the password (S 4001 ).
- the document viewer 53 sets the private print mode and the password to a printer driver 54 being installed into the client terminal 51 (S 4003 ). Then, the document viewer 53 sends a print instruction to the printer driver 54 (S 4004 ).
- the printer driver 54 generates a PDL (Page Description Language) in response to the print instruction sent from the document viewer 53 (S 4005 ), and sends information including the PDL (for example, RPCS or PostScript), the private print mode, and the password, to the digital copier 70 (S 4006 ). After that, the printer driver 54 sends a print end to the document viewer 53 (S 4007 ).
- the digital copier 70 temporarily stores the information including the PDL, the private print mode, and the password in an internal hard disk (S 4008 ), and waits until the user 52 inputs the password.
- the user 52 inputs the password to the digital copier 70 to output a document printed from the portable document 63 at the digital copier 70 (S 4009 ).
- the digital copier 70 compares the password input by the user 52 with the password received from the printer driver 54 , and conducts the print process when the two passwords match (S 4010 ). When the two passwords do not match, the digital copier 70 does not conduct the print process. By conducting the print process, the paper document 62 being printed from the portable document 63 is output from the digital copier 70 (S 4011 ).
- FIG. 43 is a diagram showing a requirement process sequence in the pattern print mode according to the present invention.
- the document viewer 53 determines whether or not the printer driver 54 installed into the client terminal 51 of the user 52 supports the pattern print (S 5001 ). After the document viewer 53 confirms that the printer driver 54 supports the pattern print, the document viewer 53 sends information including the pattern print mode and an indicated character string to the printer driver 54 (S 5002 ), and conducts a print instruction (S 5003 ).
- When the printer driver 54 receives the pattern print mode and the indicated character string and receives the print instruction from the document viewer 53 , the printer driver 54 generates a PDL (S 5004 ). Then, the printer driver 54 sends the PDL including a pattern to the digital copier 70 (S 5005 ).
- each of tables 250 through 270 manages data as shown in FIG. 44 through FIG. 48 .
- FIG. 44 is a diagram showing a data example managed by the user security level table according to the embodiment of the present invention.
- the user security level table 250 manages data by a structure UserMap shown in FIG. 5 .
- the user security level table 250 may manage data by an XML file as shown in FIG. 45 .
- FIG. 45 is a diagram showing the XML file of the user security level table according to the embodiment of the present invention.
- data managed by the user security level table 250 are described, in accordance with the data structure 251 shown in FIG. 5 , by hierarchical data structure in that structure names and element names shown in the data structure 251 are shown by tags.
- For example, at a lower layer of a <UserMapList> tag, data concerning a plurality of users are described by <principalId> tags in parallel.
- At each of the <UserMap> tags, data corresponding to respective elements are described by a <principalId> tag, a <EntryType> tag, and a <LevelId> tag.
- FIG. 46 is a diagram showing a data example managed by the document profile management table according to the embodiment of the present invention.
- data managed by the document profile management table 260 are described, in accordance with the data structure 261 shown in FIG. 6 , by a hierarchical data structure in that structure names and element names shown in the data structure 261 are shown by tags.
- For example, in “0000000001” as “docId”, “docCategory” is “development”, “docLevel” is “secret”, “relatedPersons” is “Members/Dev/Com”, “zones” is “ANY”, “nondisclosure” is “2005/04/01”, “retention” is “2010/04/01”, and “validity” is empty. Other data are similarly shown.
- the document profile management table 260 can be an XML file similar to the user security level table 250 .
- the size of the table becomes bigger. Therefore, it is preferable to use a database for the document profile management table 260 .
- FIG. 47 is a diagram showing a data example managed by the zone management table according to the embodiment of the present invention.
- data managed by the zone management table 270 are described, in accordance with the data structure 271 shown in FIG. 7 , by a hierarchical structure in that structure names and element names shown in the data structure 271 are shown by tags.
- For example, in “id” as “saleszone01”, “name” is “sales (Yokohama)”, “address” of “addressInfo” is “192.207.138.1”, “addressType” of “addressesInfo” is “IP”, “netmask” of “addressesInfo” is “255.255.255.0”.
- the zone management table 270 may manage data in an XML file shown in FIG. 48 by describing in XML.
- FIG. 48 is a diagram showing an XML file of the zone management table according to the embodiment of the present invention.
- In FIG. 48 , data of the zone management table 270 are described, in accordance with the data structure 271 shown in FIG. 7 , by a hierarchical structure in that structure names and element names shown in the data structure 271 are shown by tags.
- For example, in a lower layer of a <ZoneInfoTable> tag, data concerning a plurality of zones are described by a <ZoneInfo> tag in parallel.
- In a lower layer of each <ZoneInfo> tag, data corresponding to respective elements are described by a <Id> tag, a <Name>, and a <AddressInfo>.
- the <AddressInfo> tag further includes a lower layer and data corresponding to respective elements are described by a <Address> tag, a <AddressType>, and a <Netmask> tag.
- the <AddressInfo> tag may have a plurality of the <AddressInfo> tags at a lower layer.
- FIG. 49 and FIG. 50 are diagrams showing the access control rule described in the policy file according to the embodiment of the present invention.
- the access control rule is regulated for each document 60 from a description 701 showing a <Policy> tag to a description 702 showing a </Policy> tag.
- a rule 1 corresponding to a document attribute is shown from a description 703 showing a <Rule> tag to a description 704 showing a </Rule> tag.
- other rule 2 and rule 3 corresponding to other document attributes are shown from other <Rule> tags to other </Rule> tags, respectively.
- the rule 1 will be described in detail.
- the rule 2 and rule 3 are described in the same method as the rule 1 , and explanation thereof will be omitted.
- a description 705 for <DocCategory>sales</DocCategory> and <DocLevel>topsecret</DocLevel> shows that the access control rule corresponding to the document attribute, in which the document category is “sales (sales department)” and the document level shows “topsecret (top secret)”, is regulated.
- a plurality of the access control rules corresponding to user attributes are regulated by descriptions 710 and 720 from an <Ace> tag to a </Ace> tag.
- a description 711 of <UserCategory>RELATED_PERSON</UserCategory>, <UserLevel>manager</UserLevel> and <Zone>RESTRICTED</Zone> describes the access control rule for the user attribute in that the user category is “RELATED_PERSON”, the user level is “manager”, and the zone is “RESTRICTED”.
- a description 721 of <UserCategory>RELATED_PERSON</UserCategory> and <UserLevel>ANY</UserLevel> describes the access control rule for the user attribute in that the user category is “RELATED_PERSON”, and the user level is “ANY”.
- the description 721 does not indicate the zone.
- the access control rule is described for each of a plurality of user attributes with respect to one document attribute.
- descriptions 712 and 713 from an <Operation> tag to a </Operation> tag indicate operations in which the access control rule is applied.
- in the description 712 , by a description of <id>read</id>, for a document 60 belonging to the document category and the document level indicated by the description 705 , the user 52 belonging to the user category, the user level, and the zone indicated by the description 711 is allowed to read the document 60 .
- the user 52 belonging to as described by the description 711 is allowed to print out the document 60 in a condition in that requirements described as follows are processed.
- FIG. 51 is a diagram showing an example of the authentication result information.
- the authentication result information shows “Taro Yamada/Sales/Com” as “userId”, “Taro Yamada” as “userName”, and “Members/Sales/Com”, “Marketing/Sales/Com”, “Employee/Com”, and “GroupLeaders/Sales/Com” as “groups”.
- “Taro Yamada” is specified by this authentication result information and the security server 200 executes the decision process.
- the user security level mapping part 232 searches for “Taro Yamada” shown in the authentication result information from the user security level table 250 shown in FIG. 44 .
- “GroupLeaders/Sales/Com” in “userId” or “groups” corresponds to “Taro Yamada” and mapped to “manager” (( 1 ) in FIG. 4 ).
- the user category mapping part 233 searches “Members/Sales/Com” of “relatedPersons” of the document 60 identified by the document ID “0000000003” from the document profile management table 260 shown in FIG. 46 , and determines whether or not the user “Taro Yamada” is allowed for related persons.
- the user category mapping part 233 determines that the user “Taro Yamada” is a related person since the user “Taro Yamada” belongs to “Members/Sales/Com” (( 2 ) in FIG. 4 ).
- the access type shows “print” (( 3 ) in FIG. 4 ).
- the zone mapping part 234 receives context information as shown in FIG. 52 .
- FIG. 52 is a diagram showing an example of the context information according to the embodiment of the present invention.
- “192.207.138.64” as “ipAddress” and “02-36-55-22-78-01” as “macAddress” are indicated in the context information.
- the zone mapping part 234 obtains “saleszone01” and “saleszone02” as “zones” of the document 60 identified by the document ID “0000000003” by referring to the document profile management table 260 . Moreover, the zone mapping part 234 obtains a list of an IP address and a MAC address included in the zones “saleszone01” and “saleszone02”. Since an IP address “192.207.138.64” of the context information shown in FIG. 52 is included in the zone “saleszone01”, the zone mapping part 234 determines that the IP address “192.207.138.64” is inside the zone (( 4 ) in FIG. 4 ).
- the document security attribute mapping part 235 receives document identification information as shown in FIG. 53 .
- FIG. 53 is a diagram showing an example of the document identification information according to the embodiment of the present invention. In FIG. 53 , “0000000003” as “docId” is indicated in the document identification information.
- the document security attribute mapping part 235 determines by referring to the document profile management table 260 that the document category of the document 60 identified by the document ID “0000000003” is “sales” and the sensitivity level is “topsecret” (( 5 ) in FIG. 4 ).
- mapping processes conducted by the user security level mapping part 232 and the zone mapping part 234 it is possible to abstract parameters such as “manager” as the user security level, “related person” as the user category, “print” as the access type, “inside zone” as the zone category, “sales” as the document category, and “topsecret” as the sensitivity level.
- the policy base access control decision part 241 determines to allow or prohibit in accordance with the access control rule (policy) described in the policy file 240 shown in FIG. 49 .
- the document 60 belonging to “sales” and “topsecret” is allowed for related persons in “manager” class to “print”.
- “private_access (private print mode)”, “print_alarm (alarm print)”, and “identifiable_bg_pattern (identification pattern print)” are regulated as the requirements, the access control decision result as shown in FIG. 54 is returned.
- FIG. 54 is a diagram showing an example of the decision result information according to the embodiment of the present invention.
- “true (allowed)” is indicated as an “allowed” item
- “private_access (private print mode)” is indicated as the “requirement” in “requirements”
- “supplements (supplement information)” is not indicated for this “requirement”.
- “print_alarm (alarm print)” is indicated as another “requirement”, and “data” and “alternatives” are not indicated.
- “identity_bg_pattern (identification pattern print)” is indicated as a further “requirement”
- dynamic_image dynamic image
- supply information supply information
- binary image data actual dynamic image being binary data
- %u is variable and is replaced with Taro Yamada by the compensating process.
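The decision walk-through above (user level, user category, zone and document attributes abstracted first, then matched against the policy) can be reproduced with the values the page gives. This is an added example, not code from the patent. It models only the Ace of description 711; the `saleszone02` address, the rule that "RESTRICTED" means inside one of the document's zones, the empty requirement list for "read", and all function names are assumptions.

```python
import ipaddress

# Tables populated with the values quoted in the text.
USER_LEVEL_TABLE = {"GroupLeaders/Sales/Com": "manager"}
DOC_PROFILES = {
    "0000000003": {"docCategory": "sales", "docLevel": "topsecret",
                   "relatedPersons": ["Members/Sales/Com"],
                   "zones": ["saleszone01", "saleszone02"]},
}
ZONE_TABLE = {
    "saleszone01": [("192.207.138.1", "255.255.255.0")],
    "saleszone02": [("192.0.2.1", "255.255.255.0")],  # constructed placeholder
}
POLICY = [{
    "docCategory": "sales", "docLevel": "topsecret",
    "aces": [{
        "userCategory": "RELATED_PERSON", "userLevel": "manager",
        "zone": "RESTRICTED",
        "operations": {
            "read": [],  # assumption: no requirements attached to read
            "print": ["private_access", "print_alarm",
                      "identifiable_bg_pattern"],
        },
    }],
}]

# Inputs as described for FIG. 51 and FIG. 52.
TARO = {"userId": "Taro Yamada/Sales/Com", "userName": "Taro Yamada",
        "groups": ["Members/Sales/Com", "Marketing/Sales/Com",
                   "Employee/Com", "GroupLeaders/Sales/Com"]}
CONTEXT = {"ipAddress": "192.207.138.64", "macAddress": "02-36-55-22-78-01"}


def map_user_level(auth):
    """(1) Look up userId and every group in the user security level table."""
    for principal in [auth["userId"], *auth["groups"]]:
        if principal in USER_LEVEL_TABLE:
            return USER_LEVEL_TABLE[principal]
    return None  # no mapped level; only an Ace with level ANY can match


def map_user_category(auth, profile):
    """(2) A user in relatedPersons of the document is a related person."""
    principals = {auth["userId"], *auth["groups"]}
    hit = principals & set(profile["relatedPersons"])
    return "RELATED_PERSON" if hit else "ANY"


def map_zone(context, profile):
    """(4) Inside the zone if the client IP falls in any zone of the document."""
    try:
        ip = ipaddress.ip_address(context["ipAddress"])
    except (KeyError, ValueError):
        return "ANY"  # missing or malformed address is never "inside"
    for zone_id in profile["zones"]:
        for address, netmask in ZONE_TABLE.get(zone_id, []):
            net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
            if ip in net:
                return "RESTRICTED"
    return "ANY"


def _matches(rule_value, actual):
    # An Ace field that is absent or "ANY" places no constraint.
    return rule_value in (None, "ANY") or rule_value == actual


def decide(auth, context, doc_id, operation):
    """Return the decision result; anything not explicitly allowed is denied."""
    profile = DOC_PROFILES.get(doc_id)
    if profile is None:
        return {"allowed": False, "requirements": []}
    level = map_user_level(auth)
    category = map_user_category(auth, profile)
    zone = map_zone(context, profile)
    for rule in POLICY:
        if (rule["docCategory"], rule["docLevel"]) != (
                profile["docCategory"], profile["docLevel"]):
            continue
        for ace in rule["aces"]:
            if (_matches(ace.get("userCategory"), category)
                    and _matches(ace.get("userLevel"), level)
                    and _matches(ace.get("zone"), zone)
                    and operation in ace["operations"]):
                return {"allowed": True,
                        "requirements": list(ace["operations"][operation])}
    return {"allowed": False, "requirements": []}


if __name__ == "__main__":
    print(decide(TARO, CONTEXT, "0000000003", "print"))
```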
- FIG. 55 is a diagram showing an example of the print profile management table according to the embodiment of the present invention.
- FIG. 66 by creating the entry for the new print profile, a value of “printId” is obtained. Then, the value of “printId” is encoded to create identification image data, and the identification image data is stored in “data” as the binary image data.
- FIG. 56 is a diagram showing an example of the identification pattern being printed according to the embodiment of the present invention. For example, as shown in FIG. 66 , the identification pattern 646 shown in FIG. 41B is overlaid.
- FIG. 57 is a diagram showing another example of the authentication result information according to the embodiment of the present invention.
- the authentication result information is shown in accordance with the data structure 501 shown in FIG. 12 , in which “Hanako Satoh/Sales/Com” is indicated as “userId”, “Hanako Satoh” is indicated as “userName”, and “Members/Sales/Com”, “Marketing/Sales/Com”, and “Employee/Com” are indicated as “groups”.
- the user “Hanako Satoh” is specified by this authentication result information, and then, the security server 200 executes the decision process.
- the security server 200 determines in accordance with the access control rule (policy) described in the policy file 240 .
- the access control decision result shows that the user “Hanako Satoh” is not allowed to print out the document 60 .
- the access control rule does not regulate this access “read” for the document 60 .
- the access control decision result indicates that the user “Taro Yamada” is not allowed to read the document 60 .
- the digital copier 70 sends the access decision request to the security server 200 based on image data generated by scanning the paper document 62 .
- the security server 200 receives document identification information as shown in FIG. 58A or FIG. 58B from the digital copier 70 .
- FIG. 58A is a diagram showing an example of the document identification information in a case in that image data itself is actually sent to the security server according to the embodiment of the present invention.
- “docId” and “printId” are not indicated, and the image data is stored in binary in “image” (as binary image data).
- FIG. 58B is a diagram showing another example of the document identification information in a case in that the image data is decoded and sent to the security server according to the embodiment of the present invention.
- “docId” and “image” are not indicated, and the image data being encoded by the digital copier 70 and binary are stored in “printId”.
- When the security server 200 receives the image data in binary as shown in FIG. 58A from the digital copier 70 , the security server 200 obtains “p000000001” as “printId”. Based on “printId”, the security server 200 refers to the print profile and obtains “0000000003” as “docId”. Then, the security server 200 conducts the access control decision in accordance with the access control rule (policy) regulating a case in that the access type indicates “copy”, similarly to a case of “print” by “Taro Yamada”.
- the policy can regulate so as to improve a suppression effect for a leak of information with respect to the user 52 attempting to print out the portable document 63 . Therefore, it is possible to maintain a security of the portable document 63 .
- xxxx shows an English word for an operation.
- a title of each section shows the operation identification.
- this is an operation to request storing the document 60 to the document management server 00 .
- This operation is used to store the document 60 to a repository (storage unit) such as the document management system 100 , the digital copier 70 , or the like in that a security management can be conducted for a document file (this operation may be called new creation or new registration).
- As adaptable requirements, record_audit_data, explicit_authorization, encryption, integrity_protection, and show_alarm can be indicated. Each of these requirements will be described later.
- this is an operation to request to refer to a property of the document 60 stored in the document management system 100 .
- attribute information such as a file size, a created date and time, and an owner of the document 60 is referred to by this operation.
- When this operation is not allowed, the existence of the document 60 cannot be recognized.
- As adaptable requirements, record_audit_data, explicit_authorization, multi_authentication, and show_alarm can be indicated. Each of these requirements will be described later.
- this is an operation to request to refer to (read out) the document 60 stored in the document management system 100 and to refer to (download) contents of the document 60 in the document management system 100 .
- a protected document file is downloaded.
- As adaptable requirements, record_audit_data, explicit_authorization, multi_authentication, and show_alarm can be indicated. Each of these requirements will be described later.
- the document file being downloaded is called portable document 63 . Since an access to the portable document 63 is required to be controlled, the portable document 63 to be downloaded by the operation sdOpe_read is protected (protected document file).
- this is an operation to refer to (read out) an original file of the document 60 stored in the document management system 100 .
- the operation sdOpe_read conducts to download the document file without any protection and this operation sdOpe_get_org conducts to download the original document file without any protection.
- As adaptable requirements, record_audit_data, explicit_authorization, multi_authentication, and show_alarm can be indicated. Each of these requirements will be described later.
- this is an operation to request to revise the document 60 stored in the document management system 100 .
- This operation is used to open, edit, and revise the document 60 stored in the document management system 100 by an editor or replace (resave) the document 60 stored in the document management system 100 .
- As adaptable requirements, record_audit_data, explicit_authorization, multi_authentication, versioning, and show_alarm can be indicated. Each of these requirements will be described later.
- this is an operation to request to delete the document 60 stored in the document management system 100 .
- the document 60 stored in the document management system 100 is deleted by this operation.
- As adaptable requirements, record_audit_data, explicit_authorization, multi_authentication, complete_deletion, and show_alarm can be indicated. Each of these requirements will be described later.
- a file of the portable document 63 is opened by this operation.
- As adaptable requirements, record_audit_data, explicit_authorization, multi_authentication, and show_alarm can be indicated. Each of these requirements will be described later.
- record_audit_data, explicit_authorization, private_access, record_image_data, embed_trace_info, show_label, visible_watermark, anti_copy_watermark, trusted_bg_pattern, identifiable_bg_pattern, and show_alarm can be indicated.
- the contents of the file are directly transmitted by fax by this operation.
- This operation corresponds to a process for printing out by a printer object corresponding to the fax.
- As adaptable requirements, record_audit_data, explicit_authorization, address_restriction, private_send, record_image_data, show_label, visible_watermark, show_alarm, and print_alarm can be indicated. Each of these requirements will be described later.
- the document 60 being papers is copied by this operation.
- record_audit_data, explicit_authorization, show_label, show_operator, owner_only, record_image_data, show_alarm, and print_alarm can be indicated.
- the document 60 being papers is transmitted by fax by this operation.
- As adaptable requirements, record_audit_data, explicit_authorization, address_restriction, private_send, record_image_data, show_label, visible_watermark, show_alarm, and print_alarm can be indicated. Each of these requirements will be described later.
- the document 60 being papers is read out by scanner and digitalized to be a digital file by this operation.
- record_audit_data, explicit_authorization, record_image_data, and digital_watermark can be indicated. Each of these requirements will be described later.
- each requirement is explained.
- a title of each section shows an identification of the requirement.
- Each requirement is differently processed.
- a process for the requirement is conducted by the application system 400 .
- a log may be recorded for each page when the document 60 is copied by the digital copier 70 .
- a log is recorded for the document 60 being copied by grouping by each security ID.
- This requirement requires allowing by a document management administrator.
- this requirement is regulated in the policy
- When the security server 200 recognizes, from the determination obtained in the decision process, that this requirement is regulated, the security server 200 checks whether or not a permit is issued.
- This requirement requires encrypting a digital document.
- a server administrator is not wanted to read contents of the digital document.
- the application system 400 is required to encrypt the digital document so that even the server administrator cannot read it. That is, it is required to store a decryption key for decrypting this encryption so that the server administrator of the application system 400 cannot use the decryption key.
- the application system 400 protects the original of the digital document from being tampered.
- the application system 400 may store the digital document to a document protection area by itself.
- the application system 400 may request the security server 200 to store the original to the document protection area.
- the security server 200 stores the original document (file before converting into PDF) received from the application system 400 and a secured PDF file being converted to the document protection area.
- An original document ID of the original document stored in the document protection area is recorded as application data of the document profile management table 260 .
- In a case where the document protection area is not set up in the security server 200, storing to the document protection area causes an error.
- the security server 200 records a log having a higher security level even if a serious error occurs.
- the application system 400 requests storing to the document protection area to the security server 200 .
- the security server 200 stores to the document protection area when receiving the request.
- This requirement requires the multiple authentication for an access to the digital document.
- the application system 400 is required to conduct the multiple authentication such as a finger print recognition or an iris-recognition in addition to a regular user authentication.
- the application system 400 can determine to use which authentication method.
- the access may not be allowed when a further authentication is conducted successively after the regular user authentication and is failed.
- the further authentication may be conducted after being requested to the user 52 when this requirement is returned.
- the application system 400 is required to conduct the version management.
- If the application system 400 does not support a version management function, the application system 400 must not revise the digital document, since the requirement is not satisfied.
- This requirement requires conducting a perfect deletion of the digital document.
- the application system 400 not only deletes the entry of the digital document but also conducts a perfect deleting process by writing random data over the disk area where the digital document was stored.
- This requirement requires using the private print mode.
- the printed paper sheets are output when the user 52 printing the digital document is confirmed by using an operation panel of a printer.
- the application system 400 is required to print out the digital document by using the private print mode. If the printer does not support the private print mode, the application system 400 does not allow the user 52 to print out the digital document. However, if the printer does not support the private print mode but is in an environment where other persons are unlikely to take the printed paper sheets away, the user 52 probably still wants to print out the digital document at that printer. In this case, show_alarm is indicated as the alternative requirement of this requirement private_access in the policy, so that an alarm is displayed and the user 52 is allowed to print out the digital document.
- This requirement requires recording an image log. A print image and a copy image themselves are recorded and maintained.
- the application system 400 indicates an image data record to a printer adapter of a printer to print out the digital document with a print instruction.
- When this requirement is regulated as a requirement for a copy, an image of the copied original paper document is stored in a hard disk (document box) in the digital copier 70.
- This requirement requires embedding trace information to print out the digital document.
- identification information identifying the digital document is embedded to a paper sheet and the printed paper sheet is output.
- As the trace information, a two-dimensional barcode is used.
- the security server 200 sends this requirement embed_trace_info together with the supplement information indicating that the trace information is to be dynamically generated. That is, the security server 200 sends the supplement information (supplement) indicating dynamic_image.
- When the security server 200 recognizes that the policy regulates the supplement information (supplement) of dynamic_image, the security server 200 obtains an embedding image from the document profile management table 260, and sends the requirement embed_trace_info together with the embedding image as the supplement information (supplement), as a returned value of the decision process of the security server 200 (refer to the section on the supplement information dynamic_image).
- the application system 400 embeds the embedding image received from the security server 200 to the paper sheet to be printed.
- the security server 200 obtains the embedding image from the document profile management table 260 , and the application system 400 actually embeds the embedding image while printing.
- This requirement requires printing a label such as “secret” as a stamp.
- the security server 200 sends a bitmap data of a label stamp as the supplement information (supplement) with this requirement show_label by a returned value of the decision process.
- Information showing that which stamp is printed for what kind of the document 60 is set to the security server 200 beforehand.
- information concerning an ID of the label stamp and a location to stamp a label is regulated.
- a bitmap file corresponding to the ID is stored in a local hard disk of the security server 200 .
- the security server 200 reads out the bitmap file and sends the supplement information (supplement), represented as a byte array, to an upper layer.
- bitmap file corresponding to the ID of the label stamp regulated in the policy only the ID of the label stamp is included in the supplement information (supplement), and the requirement is sent without the bitmap data (refer to a section of static_image).
- a stamp image is not assumed to dynamically generate.
- the security server 200 sends the requirement and the supplement information (supplement) themselves to the application system 400 .
- the application system 400 overlays and prints out the received stamp image.
- the security server 200 provides the stamp image, and the application system 400 (digital copier 70 ) stamps the label stamp to the paper sheets.
- This requirement requires printing the visible watermark letter on a background of a paper sheet.
- the security server 200 sends a character string format for printing as a watermark as the supplement information (supplement) with this requirement visible_watermark by a returned value of the decision process.
- the supplement information (supplement) of this requirement information showing that what kind of the document 60 requires which character string format in the policy.
- the security server 200 sends this requirement and the supplement information (supplement) themselves to the application system 400 .
- the application system 400 generates a watermark character string in accordance with the character string format received from the security server 200 (refer to a section of string_format).
- the security server 200 provides the character string format and the application system 400 (digital copier 70 ) prints out the character string to the paper sheet.
- This requirement requires printing an embossed watermark letter.
- the embossed watermark letter is embossed when a paper sheet having this embossed watermark letter is copied.
- the security server 200 sends a character string format for printing a watermark as the supplement information (supplement) with this requirement anti_copy_watermark by a returned value of the decision process.
- the security server 200 sends the requirement and the supplement information themselves to the application system 400 .
- the application system 400 generates and prints out a watermark letter in accordance with the character string format received from the security server 200 (refer to the section on the supplement information string_format).
- the security server 200 provides a character string format, and the application system 400 prints a character string on a paper sheet.
- This requirement requires printing a background pattern for a tamper-detection.
- the security server 200 sends this requirement identifiable_bg_pattern, together with information showing that the supplement information is required to be dynamically generated, as a returned value of the decision process.
- When the security server 200 recognizes that a dynamic image generation (supplement information dynamic_image) is indicated, the security server 200 obtains an identification pattern from the document profile management table 260 and sends this requirement identifiable_bg_pattern and the supplement information as the returned value of the decision process (refer to the section on the supplement information dynamic_image).
- the application system 400 prints the identification pattern received from the security server 200 on the background of the paper sheet to be printed out.
- the security server 200 obtains the identification pattern from the document profile management table 260 , and the application system 400 actually prints the identification pattern on the background of the paper sheet.
- This requirement requires displaying an alarm.
- An alarm such as “Give attention to handle top secret” is displayed to warn the user 52 .
- This requirement aims to display the alarm at a display or an operation panel.
- print_alarm is used when the alarm is required to print to a paper sheet.
- Information showing that what kind of the document 60 is required to display which character string is regulated as the supplement information (supplement) of the requirement in the policy.
- the security server 200 sends the requirement and the supplement information themselves to the application system 400.
- the application system 400 generates and displays the character string in accordance with the character string format received from the security server 200.
- the security server 200 provides the character string format to display, and the application system 400 displays the alarm in the character string format.
- This requirement requires printing an alarm.
- An alarm such as “RRR Internal Use Only” is printed to warn the user 52 .
- This requirement aims to print the alarm on a paper sheet.
- show_alarm is used to display the alarm at a display or an operation panel.
- the security server 200 provides a character string format to display the alarm, and the application system 400 displays the alarm.
- the security server 200 sends this requirement and the supplement information (supplement) themselves to the application system 400 .
- the application system 300 generates and prints the character string in accordance with the character string format received from the security server 200 .
- the security server 200 provides the character string format to print, and the application system 400 prints the alarm in the character string format.
- the confidential transmission mode is used so that other persons cannot take a paper sheet transmitted by fax away. A fax transmission process is not conducted for a fax which does not support the confidential transmission mode.
- show_alarm is indicated as the alternative requirement of this requirement private_receive in the policy, so that an alarm is displayed and the user 52 is allowed to fax.
- This requirement requires controlling a destination to fax.
- This requirement requires printing a user name.
- the security server 200 sends a character string format to print with this requirement show_operator by a returned value of the decision process.
- Information showing that which character string is printed for what kind of the document 60 is regulated as the supplement information (supplement) of the requirement in the policy.
- the security server 200 sends the requirement and the supplement information (supplement) themselves.
- the application system 400 generates the character string in accordance with the character string format received from the security server 200 and prints the character string on a printed paper sheet.
- the security server 200 provides the character string format to print that is regulated in the policy, and the application system 400 prints the character string in accordance with the character string format when the document 60 is printed.
- the security server 200 sends the requirement owner_only by a returned value of the decision process.
- the security server 200 obtains the user ID of the user printing a copied document from the document profile management table 260 , and compares a user attempting to copy and a user who printed the document 60 .
- the security server 200 sends a result of the decision process except for this requirement owner_only.
- the security server 200 sends “not allowed” when the two users are not the same person.
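The owner_only check above and the alternative-requirement rule described for private_access can be exercised together. The following is an added example, not code from the patent: the table layouts, the policy contents, and the function names `decide` and `enforce` are assumptions; the IDs and the user name are the ones used in the FIG. 58 walkthrough.

```python
# Constructed sample data. The IDs and the user name come from the page's
# FIG. 58 walkthrough; the table layouts and policy contents are assumptions.
PRINT_PROFILE = {"p000000001": {"docId": "0000000003", "printedBy": "Taro Yamada"}}
POLICY = {
    "print": [{"id": "record_audit_data"},
              {"id": "private_access", "alternatives": ["show_alarm"]}],
    "copy": [{"id": "owner_only"}, {"id": "record_audit_data"}],
}


def deny(reason):
    """Build a 'not allowed' decision result."""
    return {"allowed": False, "docId": None, "requirements": [], "reason": reason}


def decide(access_type, user, doc_id=None, print_id=None):
    """Security-server side: return the decision result for one request."""
    rules = POLICY.get(access_type)
    if rules is None:
        return deny("no rule for access type")
    printed_by = None
    if access_type == "copy":
        # A paper document is identified by printId; the print profile maps it
        # to docId and to the user who printed it.
        profile = PRINT_PROFILE.get(print_id)
        if profile is None:
            return deny("unknown printId")  # fail closed (assumption)
        doc_id, printed_by = profile["docId"], profile["printedBy"]
    requirements = []
    for rule in rules:
        if rule["id"] == "owner_only":
            if user != printed_by:
                return deny("owner_only: requester did not print this document")
            continue  # checked on the server, so it is left out of the result
        requirements.append(rule)
    return {"allowed": True, "docId": doc_id, "requirements": requirements, "reason": ""}


def enforce(decision, capabilities):
    """Application side: permit only if every requirement, or one of its
    alternative requirements listed in the policy, can be carried out."""
    if not decision["allowed"]:
        return {"permit": False, "actions": [], "reason": decision["reason"]}
    actions = []
    for req in decision["requirements"]:
        options = [req["id"], *req.get("alternatives", [])]
        chosen = next((o for o in options if o in capabilities), None)
        if chosen is None:
            # An unsupported requirement with no usable alternative blocks
            # the whole operation.
            return {"permit": False, "actions": [],
                    "reason": "unsupported requirement: " + req["id"]}
        actions.append(chosen)
    return {"permit": True, "actions": actions, "reason": ""}


if __name__ == "__main__":
    copy_result = decide("copy", "Taro Yamada", print_id="p000000001")
    print(copy_result)
    # A printer without private print mode that can still display an alarm.
    print_result = decide("print", "Taro Yamada", doc_id="0000000003")
    print(enforce(print_result, {"record_audit_data", "show_alarm"}))
```
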
- This requirement requires masking not to read the document 60 .
- this requirement masks the document 60 by printing the entire of the document 60 in gray so that the document 60 cannot be read.
- This requirement requires embedding a digital watermark in image data.
- the security server 200 sends a character string format to embed as the digital watermark with this requirement digital_watermark by a returned value of the decision process.
- Information showing that which character string format is used for what kind of the document 60 is regulated as the supplement information of this requirement in the policy.
- the security server 200 sends the supplement information (supplement) itself to the application system 400 .
- the application system 400 generates an embedding character string in accordance with the character string format received from the security server 200 and embeds it as the digital watermark in the image data of the document 60 (refer to the sections on the supplement information string_format and watermark_type).
- the security server 200 provides the character string format
- the application system 400 embeds the digital watermark in accordance with the character string format received from the security server 200 .
- a method for indicating the supplement information is defined as follows. A title of each section shows an identification of the supplement information.
- This supplement information is used to indicate fixed image data.
- the fixed image data for example, there is a stamp image to use for the requirement of the label display (show_label). Since the fixed image data are not stored in the policy file 240 , an identification label identifying a fixed image data file is indicated in the policy file 240 . At the beginning of the identification label, “ref” is provided to indicate the identification label.
- a supplement information format is ref: [file_id]
- the supplement information is indicated in the policy file as follows:
      <Ace>
        <Operation>
          <Id>pd_print</Id>
          <Requirement>
            <Id>show_label</Id>
            <Supplement>
              <Id>static_image</Id>
              <Data>ref:STAMP_IMAGE_01</Data>
            </Supplement>
- the security server 200 reads out a file corresponding to the identification label and conducts an including process for including the file as binary data as the supplement information.
- This supplement information is used to indicate dynamic image data.
- the dynamic image data for example, there are a barcode image used for the requirement of the tracing information embedding (“embed_trace_info”) and an identification pattern image used for the requirement of the identification pattern (“identifiable_bg_pattern”).
- the policy file 240 indicates a type of information dynamically generated as the supplement information (for example, type of information such as the document ID and the user ID).
- a format of this supplement information is dyn: [info_type]. Only a section ID “SecId” can be indicated in info_type.
- this supplement information is indicated in the policy file 240 as follows:
      <Ace>
        <Operation>
          <Id>pd_print</Id>
          <Requirement>
            <Id>embed_trace_info</Id>
            <Supplement>
              <Id>dynamic_image</Id>
              <Data>dyn:SecId</Data>
            </Supplement>
- the security server 200 receiving decision result information dynamically generates necessary image data, and sends the following as a result of the decision process.
- This supplement information is used to indicate an embedding location of an image.
- this supplement information is indicated by an embedding requirement (such as “show_label”).
- an embedding requirement such as “show_label”.
- a different requirement such as “identifiable_bg_pattern” or the like.
- the embedding location is indicated by the identification label in the policy file 240 .
- position_id selectively indicates one of five locations: upper_right, lower_right, upper_left, lower_left, and center.
- the embedding location is indicated in the policy file 240 as follows:
      <Ace>
        <Operation>
          <Id>pd_print</Id>
          <Requirement>
            <Id>show_label</Id>
            <Supplement>
              <Id>image_position</Id>
              <Data>upper_right</Data>
            </Supplement>
- the security server 200 sets the supplement information in the decision result information to send back to a request originator.
- This supplement information is used to indicate a character string format.
- the character string format is indicated for the requirement such as the watermark (“visible_watermark”).
- a format of this supplement information is [“format_string”].
- the character string format is indicated in the policy file 240 as follows: format_string indicates a combination of the followings and any character string.
- the supplement information is indicated in the policy file 240 as follows:
      <Ace>
        <Operation>
          <Id>pd_print</Id>
          <Requirement>
            <Id>visible_watermark</Id>
            <Supplement>
              <Id>string_format</Id>
              <Data>%8u %d2 DO NOT COPY</Data>
            </Supplement>
- the security server 200 sets this supplement information to the decision result information to send back to a request originator.
- the requirement may have a limitation of a maximum character number (for example, 32 characters for the requirement visible_watermark). Characters over the maximum character number are not used.
- This supplement information is used to indicate an embedding location of a character string.
- This supplement information is used for an embedding requirement that embeds the character string in part of the sheet (“print_alarm” or the like) rather than on the background. In a case of embedding the character string on the background, a different requirement (“visible_watermark” or the like) is used.
- the embedding location is indicated by the identification label in the policy file 240 .
- position_id is selectively set from six positions; upper_right, lower_right, upper_left, lower_left, upper_center, lower_center, and upper_lower_center.
- this supplement information is indicated in the policy file 240 as follows:
      <Ace>
        <Operation>
          <Id>pd_print</Id>
          <Requirement>
            <Id>print_alarm</Id>
            <Supplement>
              <Id>string_position</Id>
              <Data>upper_lower_center</Data>
            </Supplement>
- the security server 200 sets this supplement information in the decision result information to send back to a request originator.
- This supplement information is used to indicate a color. This supplement information is indicated for the requirement of a copy suppression pattern (“anti_copy_watermark”).
- a format of the supplement information is [color_id].
- color_id indicates either one of cyan and magenta.
- the supplement information is indicated in the policy file 240 as follows:
      <Ace>
        <Operation>
          <Id>pd_print</Id>
          <Requirement>
            <Id>anti_copy_watermark</Id>
            <Supplement>
              <Id>color</Id>
              <Data>cyan</Data>
            </Supplement>
- the security server 200 sets this supplement information to the decision result information to send back to a request originator.
- This supplement information is used to indicate a watermark type. This supplement information is indicated by the requirement of a digital watermark (“digital_watermark”).
- watermak_type_id indicates traceability, integrity, and steganography.
- traceability indicates the digital watermark for a tracing purpose
- integrity indicates the digital watermark for a tamper-detection purpose
- steganography indicates the digital watermark for an information transmission purpose.
- this supplement information is indicated in the policy file 240 as follows:
      <DspAce>
        <DspOperation>
          <Id>pp_scan</Id>
          <DspRequirement>
            <Id>digital_watermark</Id>
            <DspSupplement>
              <Id>string_format</Id>
              <Data>%u %d</Data>
            </DspSupplement>
            <DspSupplement>
              <Id>watermark_type</Id>
              <Data>traceability</Data>
            </DspSupplement>
- the security server 200 sets this supplement information to the decision result information to send back to a request originator.
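The supplement-information formats described above (ref:, dyn:, the position, color and watermark-type labels, and the string_format length limit) can be checked when the policy is loaded, so that a malformed entry is caught before a decision result is built. This is an added example, not code from the patent: the sample policy is constructed, its closing tags are added so that it parses, and the function names, the in-memory stamp store and the treatment of a missing bitmap are assumptions.

```python
import xml.etree.ElementTree as ET

# Allowed values exactly as listed in the supplement-information sections.
ENUMS = {
    "image_position": {"upper_right", "lower_right", "upper_left", "lower_left", "center"},
    "string_position": {"upper_right", "lower_right", "upper_left", "lower_left",
                        "upper_center", "lower_center", "upper_lower_center"},
    "color": {"cyan", "magenta"},
    "watermark_type": {"traceability", "integrity", "steganography"},
}
# Maximum character number per requirement (32 for visible_watermark).
# Assumption: the limit is applied to the format string as written in the policy.
MAX_FORMAT_LEN = {"visible_watermark": 32}

# Constructed stand-in for the bitmap files on the security server's local disk.
STAMP_STORE = {"STAMP_IMAGE_01": b"BM-constructed-stamp-bytes"}

# Constructed policy fragment (closing tags added; one entry is invalid on purpose).
SAMPLE_POLICY = """<Ace><Operation>
  <Id>pd_print</Id>
  <Requirement>
    <Id>show_label</Id>
    <Supplement><Id>static_image</Id><Data>ref:STAMP_IMAGE_01</Data></Supplement>
    <Supplement><Id>image_position</Id><Data>upper_right</Data></Supplement>
  </Requirement>
  <Requirement>
    <Id>embed_trace_info</Id>
    <Supplement><Id>dynamic_image</Id><Data>dyn:SecId</Data></Supplement>
  </Requirement>
  <Requirement>
    <Id>visible_watermark</Id>
    <Supplement><Id>string_format</Id>
      <Data>%8u %d2 DO NOT COPY - CONFIDENTIAL MATERIAL</Data></Supplement>
  </Requirement>
  <Requirement>
    <Id>anti_copy_watermark</Id>
    <Supplement><Id>color</Id><Data>yellow</Data></Supplement>
  </Requirement>
</Operation></Ace>"""


def resolve_supplement(req_id, sup_id, data, stamp_store):
    """Validate one <Supplement> and return the value for the decision result."""
    if sup_id == "static_image":
        if not data.startswith("ref:") or not data[4:]:
            raise ValueError("static_image must be ref:[file_id]")
        file_id = data[4:]
        # The server includes the referenced file as binary data. Assumption:
        # image=None means only the ID is sent because no bitmap is stored.
        return {"file_id": file_id, "image": stamp_store.get(file_id)}
    if sup_id == "dynamic_image":
        if data != "dyn:SecId":  # only SecId can be indicated in info_type
            raise ValueError("dynamic_image must be dyn:SecId")
        return {"generate_from": "SecId"}
    if sup_id in ENUMS:
        if data not in ENUMS[sup_id]:
            raise ValueError(f"{sup_id}: {data!r} is not an allowed value")
        return data
    if sup_id == "string_format":
        limit = MAX_FORMAT_LEN.get(req_id)
        return data if limit is None else data[:limit]  # excess characters are not used
    raise ValueError(f"unknown supplement {sup_id!r}")


def load_requirements(xml_text, stamp_store):
    """Parse an <Ace> fragment into one entry per requirement."""
    # The policy file is administrator-controlled input; for XML from an
    # untrusted source use a hardened parser such as defusedxml instead.
    root = ET.fromstring(xml_text)
    entries = []
    for op in root.iter("Operation"):
        for req in op.findall("Requirement"):
            entry = {"operation": op.findtext("Id"), "requirement": req.findtext("Id"),
                     "supplements": {}, "errors": []}
            for sup in req.findall("Supplement"):
                sup_id = sup.findtext("Id")
                data = (sup.findtext("Data") or "").strip()
                try:
                    entry["supplements"][sup_id] = resolve_supplement(
                        entry["requirement"], sup_id, data, stamp_store)
                except ValueError as exc:
                    entry["errors"].append(str(exc))
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for item in load_requirements(SAMPLE_POLICY, STAMP_STORE):
        print(item)
```
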
- it is possible for the security server 200 to abstract information provided from the application system 400 in order to correspond to the organizational security policy. That is, it is possible to convert information which is provided from the application system 400 and has a lower degree of abstraction into different information having a higher degree of abstraction than the information received from the application system 400, in order to correspond to the security policy having a higher degree of abstraction. Accordingly, it is possible to secure the security of both the digital document and the paper document in accordance with the organizational security policy.
- the document management system 100 and the document viewer 53 conduct the access control for the digital document such as the server document 61 and the portable document 63 , and the security process for securing the portable document 63 is conducted in accordance with the policy when the portable document 63 is printed from the document viewer 53 . Therefore, the user 52 printing the portable document 63 is required to properly handle the paper document 62 to which the portable document 63 is printed, in accordance with the policy.
- the copying process can be controlled in accordance with the policy.
Abstract
In an access control decision system, when an access decision request is received, first information indicated by the access decision request is converted into second information having a higher degree of abstraction. Next, the access control for the subject information is determined by referring to a security policy being abstractly regulated based on the second information, and a decision result showing the access control for the subject information is sent to the request originator that sent the access decision request.
Description
- 1. Field of the Invention
- The present invention generally relates to an access control decision system, an access control enforcing system, and a security policy, in which an organizational security policy can be applied to an information processing system and organizational security can be improved for not only digitalized documents but also paper documents.
- 2. Description of the Related Art
- As office work has been digitalized in business, the importance of managing digital documents such as confidential documents has increased. Thus, recently, access control for a digital document is conducted in accordance with a predetermined security policy.
- From the viewpoint of securing digital documents by a security policy that is uniform over an organization, a method for describing a security policy and an apparatus for transmitting the security policy have been proposed (for example, refer to Japanese Laid-open Patent Application No. 2004-102907). Moreover, for example, Japanese Laid-open Patent Application No. 2004-094401 discloses a method for distributing the security policy and an apparatus for operating based on the security policy. Furthermore, Japanese Patent Application No. 2002-299712 discloses a method and an apparatus for controlling the printing of a digital document by encrypting and decrypting the digital document in accordance with the security policy.
- Moreover, since a system whose main object is to sell digital content such as music data, image data, and the like has a problem similar to company secret management, similar technologies are applied to this system (for example, refer to Japanese Laid-open Patent Application No. 8-263441, U.S. Pat. No. 5,715,403, Japanese Laid-open Patent Application No. 8-263438, and U.S. Pat. No. 6,236,971). In particular, a system is provided in that a condition should be satisfied when digital data (such as the music data, the image data, and the like which are called digital work) relating to a copyright. A protocol is disclosed to confirm whether or not the condition for exercising a security is satisfied. By using this technology, the distributed music data and image data can be used under a condition such as a payment for referring to and printing the music and the image, or a restriction on the term of use without any charge.
- However, the inventions described above do not take company secret management at an office into account but aim at sales of digital content. Accordingly, these inventions do not consider access control that includes printed matter output by copying a confidential document.
- Furthermore, a system for conducting various processes for a print (for example, refer to Japanese Laid-open Patent Application No. 2000-122977 and U.S. Pat. No. 6,233,684). For example, Glyphe code can be embedded into a printed matter. However, it is required to define information to be embedded for each document.
- Furthermore, for example, Japanese Laid-open Patent Application No. 2001-184264 (FIG. 1 and FIG. 2) discloses an access control subsystem configured by a policy evaluation module for determining whether an access is allowed or not allowed in accordance with a policy, an enforcement function verification module, and an enforcement module.
- However, the above-described conventional technologies have the following problems, such as a lack of flexibility of operation and the like:
- Conventional technologies
  - cannot manage related persons for each document, since the related persons vary from document to document, in a case in which a policy regulates “Available for Related Persons to Refer”,
  - cannot flexibly correspond to various stamps such as a confidential stamp, a top-secret stamp, an internal use only stamp, and the like in a case in which the policy regulates “Affix Confidential Stamp for Copy”,
  - cannot change a warning message (sentence) in response to a type of a document in a case in which the policy regulates “Warn Users to Handle with Care”,
  - cannot restrict use to within a zone even if the policy defines the zone to be an “allowed zone” for handling a document, and
  - cannot regulate and enforce a process in a case in which a paper document cannot be identified, even though the paper document should be identified to control an operation with respect to the paper document.
- Even if the above problems are solved, in order to conduct the access control uniformly in accordance with the organizational security policy, it is desired to completely separate the part for determining the access control in accordance with the policy from the various application systems, so that this part is shared among the various application systems, and it is desired to separate the part for determining the access control from the part for actually enforcing the access control.
- In addition, the conventional technologies cannot control an access in accordance with an abstract description such as the organizational security policy.
- It is a general object of the present invention to provide an access control decision system, an access control enforcing system, and a security policy, in which the above-mentioned problems are eliminated.
- A more specific object of the present invention is to provide an access control decision system, an access control enforcing system, and a security policy, in which an organizational security policy can be applied to an information processing system and security can be ensured for both a paper document and a digital document.
- The above objects of the present invention are achieved by an access control decision system including: an abstraction converting part converting first information indicated by an access decision request into second information that is more abstract than the first information when the access decision request for requesting an access control decision for subject information to be accessed is received; an access control decision part determining the access control for the subject information by referring, based on the second information, to a security policy that is abstractly regulated; and a decision result sending part sending a decision result showing the access control for the subject information determined by said access control decision part to a request originator that sent the access decision request.
- In the access control decision system according to the present invention, information for determining the access control can be converted into information having a degree of abstraction similar to that of an organizational security policy. Accordingly, it is possible to determine the access control in accordance with an abstract security policy.
- The above objects of the present invention are achieved by an access control enforcing system, including an access control enforcing part enforcing an access control for subject information based on access control information indicating a control concerning an access to the subject information in accordance with a security policy, wherein said access control enforcing part further includes a requirement capability determining part determining whether or not a requirement to execute the access can be executed, the requirement indicated by the access control information, and wherein the access control is enforced for the subject information based on a determination result by the requirement capability determining part so as to satisfy the requirement.
- In the access control decision system according to the present invention, it is determined whether or not the requirement to allow the access to the subject information is executable in accordance with the security policy. Accordingly, it is possible to enforce the access control for the subject information so as to satisfy the requirement.
- The above objects of the present invention are achieved by a security policy, comprising a rule description showing a rule regulating whether or not an operation is allowed based on a first security attribute of subject information directed to the operation and a second security attribute of a user requesting the operation for the subject information, wherein the rule description regulates to allow the operation when a requirement is satisfied.
- In the security policy according to the present invention, it is possible to regulate to allow the operation by executing the requirement.
- The above objects of the present invention can be achieved by a program code for causing a computer to conduct processes described above in the document processing apparatus or by a computer-readable recording medium recorded with the program code.
- In the following, embodiments of the present invention will be described with reference to the accompanying drawings.
- FIG. 1 is a diagram showing a configuration of a system according to an embodiment of the present invention;
- FIG. 2 is a block diagram showing an access control model according to the embodiment of the present invention;
- FIG. 3 is a block diagram showing a hardware configuration of a security server according to the embodiment of the present invention;
- FIG. 4 is a block diagram showing a functional configuration of the security server according to the embodiment of the present invention;
- FIG. 5 is a diagram showing a data structure of a user security level table according to the embodiment of the present invention;
- FIG. 6 is a diagram showing a data structure of a document profile management table according to the embodiment of the present invention;
- FIG. 7 is a diagram showing a data structure of a zone management table according to the embodiment of the present invention;
- FIG. 8 is a diagram showing a data structure of a print profile management table according to the embodiment of the present invention;
- FIG. 9 is a diagram showing an access control sequence in a document management system according to the embodiment of the present invention;
- FIG. 10 is a flowchart for explaining an access control process in the document management system according to the embodiment of the present invention;
- FIG. 11 is a diagram for explaining an authenticating process by a user management server according to the embodiment of the present invention;
- FIG. 12 is a diagram showing a data structure of authentication result information according to the embodiment of the present invention;
- FIG. 13 is a diagram for explaining the decision process by the security server in response to a request from the document management system according to the embodiment of the present invention;
- FIG. 14 is a diagram for explaining the decision process by the security server in response to a request from the document management system according to the embodiment of the present invention;
- FIG. 15 is a diagram for explaining the decision process by the security server in response to a request from the document management system according to the embodiment of the present invention;
- FIG. 16 is a diagram showing the data structure of context information according to the embodiment of the present invention;
- FIG. 17 is a diagram showing a data structure of decision result information according to the embodiment of the present invention;
- FIG. 18 is a flowchart for explaining a compensating process for requirements by the document management system according to the embodiment of the present invention;
- FIG. 19 is a flowchart for explaining a requirement process according to the embodiment of the present invention;
- FIG. 20 is a flowchart for explaining the requirement process according to the embodiment of the present invention;
- FIG. 21 is a diagram showing an access control sequence at a digital copier according to the embodiment of the present invention;
- FIG. 22 is a flowchart for explaining the access control process by the digital copier according to the embodiment of the present invention;
- FIG. 23 is a diagram for explaining the decision process in the security server in response to a request from the digital copier according to the embodiment of the present invention;
- FIG. 24 is a diagram for explaining the decision process in the security server in response to a request from the digital copier according to the embodiment of the present invention;
- FIG. 25 is a diagram for explaining the decision process in the security server in response to a request from the digital copier according to the embodiment of the present invention;
- FIG. 26 is a flowchart for explaining the requirement process by the digital copier according to the embodiment of the present invention;
- FIG. 27 is a flowchart for explaining the requirement process by the digital copier according to the embodiment of the present invention;
- FIG. 28 is a flowchart for explaining the requirement process by the digital copier according to the embodiment of the present invention;
- FIG. 29 is a diagram showing an access control sequence in a document viewer according to the embodiment of the present invention;
- FIG. 30 is a flowchart for explaining the access control process by the document viewer according to the embodiment of the present invention;
- FIG. 31 is a flowchart for explaining the access control process by the document viewer according to the embodiment of the present invention;
- FIG. 32 is a flowchart for explaining the requirement process conducted by the document viewer according to the embodiment of the present invention;
- FIG. 33 is a flowchart for explaining the requirement process conducted by the document viewer according to the embodiment of the present invention;
- FIG. 34 is a flowchart for explaining the requirement process conducted by the document viewer according to the embodiment of the present invention;
- FIG. 35 is a flowchart for explaining the requirement process conducted by the document viewer according to the embodiment of the present invention;
- FIG. 36 is a flowchart for explaining the requirement process conducted by the document viewer according to the embodiment of the present invention;
- FIG. 37A is a diagram showing a screen example for displaying settings for an alarm print according to the embodiment of the present invention, and FIG. 37B is a diagram showing a screen example for displaying detail settings for the alarm print according to the embodiment of the present invention;
- FIG. 38A is a diagram showing a screen example in which the private print is set according to the embodiment of the present invention, and FIG. 38B is a diagram showing a screen example for setting the authentication information for the private print according to the embodiment of the present invention;
- FIG. 39 is a diagram showing a screen example in a case in which a label is indicated to print as a stamp as the requirement according to the embodiment of the present invention;
- FIG. 40 is a diagram showing a screen example in a case in which the visible watermark letter print is indicated as the requirement according to the embodiment of the present invention;
- FIG. 41A is a diagram showing a screen example showing details in the case in which an identification pattern print is indicated as the requirement, FIG. 41B is a diagram showing an example of magnifying the identification pattern according to the embodiment of the present invention, and FIG. 41C is a diagram showing an encoding example of the identification pattern shown in FIG. 41B according to the embodiment of the present invention;
- FIG. 42 is a diagram showing a requirement process sequence in a private print mode according to the embodiment of the present invention;
- FIG. 43 is a diagram showing the requirement process sequence in the pattern print mode according to the present invention;
- FIG. 44 is a diagram showing a data example managed by the user security level table according to the embodiment of the present invention;
- FIG. 45 is a diagram showing an XML file of the user security level table according to the embodiment of the present invention;
- FIG. 46 is a diagram showing a data example managed by the document profile management table according to the embodiment of the present invention;
- FIG. 47 is a diagram showing a data example managed by the zone management table according to the embodiment of the present invention;
- FIG. 48 is a diagram showing an XML file of the zone management table according to the embodiment of the present invention;
- FIG. 49 is a diagram showing an access control rule described in the policy file according to the embodiment of the present invention;
- FIG. 50 is a diagram showing the access control rule described in the policy file according to the embodiment of the present invention;
- FIG. 51 is a diagram showing an example of the authentication result information;
- FIG. 52 is a diagram showing an example of the context information according to the embodiment of the present invention;
- FIG. 53 is a diagram showing an example of the document identification information according to the embodiment of the present invention;
- FIG. 54 is a diagram showing an example of the decision result information according to the embodiment of the present invention;
- FIG. 55 is a diagram showing an example of the print profile management table according to the embodiment of the present invention;
- FIG. 56 is a diagram showing an example of the identification pattern being printed according to the embodiment of the present invention;
- FIG. 57 is a diagram showing another example of the authentication result information according to the embodiment of the present invention; and
- FIG. 58A is a diagram showing an example of the document identification information in a case in which image data itself is actually sent to the security server according to the embodiment of the present invention, and FIG. 58B is a diagram showing another example of the document identification information in a case in which the image data is decoded and sent to the security server according to the embodiment of the present invention.
- In the following, an embodiment according to the present invention will be described with reference to the accompanying drawings.
- A system applying an access control decision system according to an embodiment of the present invention is illustrated in FIG. 1. FIG. 1 is a diagram showing a configuration of a system according to the embodiment of the present invention. In the system 1000 shown in FIG. 1, a security server 200 for conducting an access control with respect to a digital document and a paper document is connected through a network to a document management system 100 for managing digital documents, a digital copier 70 including a plurality of different image forming functions serving as a copier, a fax, a scanner, and the like, and a document viewer 53 for displaying the digital document at a client terminal 51 of a user.
- In FIG. 1, the document viewer 53 is a predetermined application running on the client terminal 51. The client terminal 51 accesses a target document maintained in the document management system 100. The user 52 may make copies, by the digital copier 70, of a paper document that the user brings. The system shown in FIG. 1 may include a plurality of client terminals 51 and users 52.
- Hereinafter, the digital document, which is managed by the document management system 100 and to which an access is controlled, is referred to as a server document 61. The paper document, which is copied by the digital copier 70, is referred to as a paper document 62. The digital document, which is downloaded from the document management system 100, stored in a local storage of the client terminal 51, and opened and referred to by the document viewer 53, is referred to as a portable document 63.
- When the user 52 connects to the document management system 100 by using the client terminal 51 and attempts to access the server document 61, the document management system 100 obtains authentication information from the user 52 and sends a request for user authentication to the user management server 300. The document management system 100 sends an access control decision request to the security server 200 based on an authentication result received from the user management server 300. The document management system 100 accesses the server document 61 based on access control information received from the security server 200.
- Similarly, when the user 52 copies the paper document 62 by the digital copier 70, the digital copier 70 obtains the authentication information from the user 52 and sends a request for the user authentication to the user management server 300. The digital copier 70 sends the access control decision request to the security server 200 based on the authentication result received from the user management server 300. The digital copier 70 copies the paper document 62 based on the access control information received from the security server 200.
- Similarly, when the user 52 executes the document viewer 53 at the client terminal 51 and displays the portable document 63 at the client terminal 51, the document viewer 53 obtains the authentication information from the user 52 and sends the request for the user authentication to the user management server 300. The document viewer 53 sends the access control decision request to the security server 200 based on the authentication result received from the security server 200. The document viewer 53 displays the portable document 63, or further outputs the portable document 63 displayed at the client terminal 51, based on the access control information received from the security server 200.
- When the user management server 300 receives the authentication information of the user 52 from the document management system 100, the digital copier 70, or the document viewer 53, the user management server 300 refers to a user management table 310 and authenticates the user 52. The user management server 300 sends the authentication result to the document management system 100, the digital copier 70, or the document viewer 53, whichever sent the request for the user authentication.
- The security server 200 includes a policy file 240 in which access control rules are described for an organization, a user security level table 250 for managing a user security for each user 52, a document profile management table 260 for managing a profile for each document, a zone management table 270 for managing the access control for each zone, and a print profile management table 280 for managing information concerning a print for each print. The security server 200 handles the access control requests from the document management system 100, the digital copier 70, and the document viewer 53 by using the policy file 240 and these tables 250 through 280.
- In the policy file 240, a rule such as “Access Allowed for Related Persons Only” is regulated. However, the relationship showing who is a related person for which document must also be managed. A table complementing the policy that states this rule is managed in the security server 200, separately from the policy. If this relationship were described in the policy, the policy would lack versatility. That is, the portion stipulating a “rule”, such as a company secret management regulation of the organization, is stipulated as the policy, and the portions that are set variously for each document and for each user are managed by tables. Since a different “rule” for each organization is managed in the form of the policy file 240, each “rule” can be replaced.
- Hereinafter, the server document 61, the paper document 62, and the portable document 63 are generically called a document 60 (FIG. 2).
- A user, who can be the client terminal 51 or the user 52 and accesses the document 60, is called an initiator 50.
- The document management system 100, the digital copier 70, and the document viewer 53 are generically called an application system 400.
- In the system 1000, the security server 200 is separated from the user management server 300. However, a function serving as the security server 200 and a function serving as the user management server 300 can be included in a single server computer.
- An overview of the access control will be described with reference to FIG. 2, which shows an access control model described in accordance with ISO/IEC 10181-3. FIG. 2 is a block diagram showing the access control model.
- In FIG. 2, when the initiator 50 sends an access request for accessing the document 60 to the application system 400, the application system 400, after the user authentication, sends a decision request to the security server 200 to have the security server 200 determine whether or not the access from the initiator 50 is allowed. In particular, in a case in which the user authentication is not required, an access permit can be requested for an anonymous user or a guest user.
- The security server 200 determines, in accordance with the access control rule (policy) described in the policy file 240 internally maintained in the security server 200, whether or not the user as the initiator 50 has the security to access the document 60, that is, whether the user is allowed or prohibited to access the document 60. If the user is allowed to access the document 60, the security server 200 determines a requirement that should be satisfied to access the document 60. Then, the security server 200 sends information showing whether the user is allowed or not allowed and whether the requirement is satisfied or not, as a decision result, to the application system 400.
- The application system 400 receives the decision result and processes the access requested by the user if the user is allowed. In this case, if a requirement is indicated, the application system 400 processes the document 60 so as to satisfy the requirement. If the user is not allowed or the requirement is not satisfied, the application system 400 denies this access to the document 60.
- Next, a hardware configuration and a functional configuration of the security server 200 will be described with reference to FIG. 3 and FIG. 4. FIG. 3 is a block diagram showing the hardware configuration of the security server according to the embodiment of the present invention.
- In FIG. 3, the security server 200 is a server computer and includes a CPU (Central Processing Unit) 41, a memory unit 42, a display unit 43, an input unit 44, a communication unit 45, and a storage unit 46, each of which is connected to a system bus B2.
- The CPU 41 controls the security server 200 in accordance with a program stored in the memory unit 42. The memory unit 42 includes a RAM (Random Access Memory) and a ROM (Read-Only Memory), and stores the program to be executed by the CPU 41, data necessary for processing by the CPU 41, and data obtained in the processing by the CPU 41. In addition, the memory unit 42 is partially used as a work area for the processing by the CPU 41.
- The display unit 43 displays necessary information under the control of the CPU 41. The communication unit 45 is a unit for communicating with the application system 400 when connected to the application system 400, for example, through a LAN (Local Area Network) or the like. The storage unit 46 includes a hardware unit, and stores management tables including a policy file 240, a user security level table 250, a document profile management table 260, a zone management table 270, a print profile management table 280, and the like.
- A program controlling the security server 200 is installed into the storage unit 46 beforehand.
- FIG. 4 is a block diagram showing the functional configuration of the security server according to the embodiment of the present invention. In FIG. 4, the security server 200 mainly includes an abstraction processing part 231 for abstracting information received from the application system 400 so as to correspond to the organizational security policy, and a policy base access control decision part 241.
- The abstraction processing part 231 includes a user security level mapping part 232, a user category mapping part 233, a zone mapping part 234, and a document security attribute mapping part 235.
- In the abstraction processing part 231, when user identification information, access type information, document identification information, and context information are received from the application system 400:
  - (1) the user security level mapping part 232 obtains an abstracted security level by referring to the user security level table 250 based on the user identification information,
  - (2) the user category mapping part 233 obtains an abstracted user category, which shows a related person or any person, by referring to the document profile management table 260 based on the user identification information,
  - (3) the access type information is maintained without any change,
  - (4) the zone mapping part 234 obtains an abstracted zone category, which shows in-zone or out-zone, by referring to the document profile management table 260 and the zone management table 270 based on the context information, and
  - (5) the document security attribute mapping part 235 obtains an abstracted sensitivity level and document category by referring to the document profile management table 260 and the print profile management table 280 based on the document identification information.
- In this embodiment, a term may be set in the context information so as to obtain a term segment showing in-term or out-term.
- The mapping parts 232 through 235 may be included in a single abstraction processing part. In this case, this single abstraction processing part refers to more than one management table.
- Alternatively, the security level and the user category can be categorized into a user security attribute, the sensitivity level and the document category can be categorized into the document security attribute, and the zone category can be categorized into an access environment attribute, so that three attributes are used to categorize. Accordingly, an abstraction processing part may be provided for each attribute. In this case, each abstraction processing part includes more than one mapping processing part and each mapping part refers to more than one table.
- The policy base access control decision part 241 receives the information abstracted by the abstraction processing part 231 as a parameter, and determines the access control in accordance with the access control rule (policy) described in the policy file 240. The policy file 240 can be set from outside. Accordingly, it can easily be changed in response to the organizational security policy.
- In this embodiment, by processing in two steps, the abstraction processing part 231 and the policy base access control decision part 241, it is possible to determine the access control in accordance with a general security policy and to respond flexibly to a change of the security policy.
- In addition, by providing the abstraction processing part 231, it is not required to change the format of the information that the application system 400 provides when the security policy is changed. Since it is not required to change software for the application system 400 in response to the change of the security policy, maintenance in response to the change of the security policy can be easily conducted.
- Access control that allows or prohibits each type of access for each user can be conducted by managing an ACL (Access Control List) for each document. There is a conventional system (U.S. Pat. No. 6,289,450) in which this ACL is called a security policy. However, in the conventional system, since a policy is defined for each document, there is a problem in that it is difficult to know whether the security policy is applied in accordance with a company secret management regulation (policy) of an “organization”, such as “confidential matter is allowed only for related persons”.
- The security server 200 according to the present invention, which determines the access control, first separates a general decision rule for the access control from the security settings for the details of each document, maps an attribute of a document or a user to an abstract security attribute, and then makes an access decision. In addition, since a general decision rule can be described as a policy file, the rule is not fixed but becomes replaceable.
- There may be an example in which the decision rule is programmed as one logic in software. However, there is no example in which the decision rule can be flexibly defined and set in accordance with the organizational security policy.
- Data structures of tables managed by the security server 200 will be described.
- FIG. 5 is a diagram showing a data structure of a user security level table according to the embodiment of the present invention. In FIG. 5, a data structure 251 of the user security level table 250 includes a UserMapList for managing a plurality of users by an array of userMap showing a security for each user by code 252 showing “UserMapList{userMap[] userMap;};”
- The userMap includes a user ID or a group ID shown by a character string by code 253-1 showing “String principalId;”, a type of each entry, shown by a character string indicating a user, a group, or the like, by code 253-2 showing “String entryType”, and a security level shown by a character string by code 253-3 showing “String levelId;”.
- An entry of userMap for each user 52 using the application system 400 is created in UserMapList and the user 52 is registered.
- FIG. 6 is a diagram showing a data structure of the document profile management table according to the embodiment of the present invention. In FIG. 6, a data structure 261 of the document profile management table 260 includes DocProfileTable for managing a plurality of digital documents by an array of docProfile showing the security policy for each digital document by code 262 showing “DocProfileTable{DocProfile[] docProfiles;};”.
- The docProfile includes a digital document ID shown by a character string by code 263-1 showing “String docId;”, a document category shown by a character string by code 263-2 showing “String DocCategory;”, a sensitivity level shown by a character string by code 263-3 showing “String docLevel;”, a list of a plurality of related persons shown by an array of related persons shown by a character string by code 263-4 showing “String[] relatedPersons;”, a list of a plurality of zone IDs shown by an array of zone IDs shown by a character string by code 263-5 showing “String[] zones;”, a nondisclosure date shown by a date by code 263-6 showing “Date nondisclosure”, a retention date shown by a date by code 263-7 showing “Date retention”, and a validity date shown by a date by code 263-8 showing “Date validity”.
- An entry of the DocProfile for each digital document subject to the access control is created in the DocProfileTable and the digital document is registered. The document ID is information to identify each digital document. The document category and the sensitivity level indicate identification information of the document category and the sensitivity level used by the security policy.
- User IDs or group IDs of related persons for the digital document are shown in the related person list. Zone IDs specifying zones where an access to the digital document is allowed are indicated in the zone ID list.
- FIG. 7 is a diagram showing a data structure of the zone management table according to the embodiment of the present invention. In FIG. 7, a data structure 271 of the zone management table 270 includes ZoneInfoTable for managing a plurality of zones by managing an array of ZoneInfo showing information specifying each zone, by code 272 showing “ZoneInfo Table{ZoneInfo[] zones};”.
- The ZoneInfo includes a zone ID shown by a character string by code 273-1 showing “String id;”, a zone name shown by a character string by code 273-2 showing “String name;”, and an address of the zone shown by an array of AddressInfo by code 273-3 showing “AddressInfo[] addresses;”.
- A data structure of the AddressInfo written in code 273-3 includes an IP address or a MAC address shown by a character string by code 275-1 showing “String address;”, “IP” or “MAC” shown by a character string by code 275-2 showing “String addressType;”, and a subnet mask shown by a character string such as “255.255.255.0” in the case of an IP address, by code 275-3 showing “String netmask;”.
- The zone management table 270 is a table for managing zones allowing an access by a list of zone addresses. A plurality of IP addresses or MAC addresses are assigned to one zone ID.
- FIG. 8 is a diagram showing a data structure of the print profile management table according to the embodiment of the present invention. In FIG. 8, a data structure 281 of the print profile management table 280 includes PrintProfileTable for managing a plurality of print profiles by an array of PrintProfile showing a profile concerning each print, by code 281 showing “PrintProfileTable{PrintProfile[] printprofiles;};”.
- The PrintProfile includes a print ID shown by a character string by code 283-1 showing “String printId;”, a document ID of the digital document shown by a character string by code 283-2 showing “String docId;”, a printed date shown by a date by code 283-4 showing “String printed UserId;”, and a printed user name shown by a character string by code 283-5 showing “String printedUserName;”.
- Each time the digital document under the access control is printed, an entry of the PrintProfile is created and registered in the PrintProfileTable. The print ID is identification information to specify each print. The document ID is identification information showing a document being printed.
- In the following, a sequence of the access control will be described in detail. The document management system 100, the digital copier 70, and the document viewer 53 will be described.
- [Access Control in the Document Management System]
- The access control in the document management system 100 will be described with reference to FIG. 9 and FIG. 10.
-
FIG. 9 is a diagram showing an access control sequence in the document management system according to the embodiment of the present invention. FIG. 10 is a flowchart for explaining an access control process in the document management system according to the embodiment of the present invention. In FIG. 9 and FIG. 10, each process in the access control sequence shown in FIG. 9 corresponds, by the same numeral, to each process shown in FIG. 10.
- In FIG. 9 and FIG. 10, the document management system 100 receives a user ID and a password of the user 52 as well as a login request from the client terminal 51 (S1001).
- The document management system 100 sends a user authentication request with the user ID and the password received from the client terminal 51 to the user management server 300 (S1002). The user management server 300 conducts an authenticating process by the user ID and the password (S1003). The user management server 300 sends authentication result information showing a success or failure of the authentication to the document management system 100 (S1004). The authentication result information includes user identification information identifying a user and information showing the success or failure of the authentication.
- The document management system 100 conducts a process corresponding to the authentication result information (S1005). When the authentication result information shows the success of the authentication, the document management system 100 sends the authentication result information received from the user management server 300 to the client terminal 51 and goes to S1006. On the other hand, when the authentication result information shows the failure of the authentication, the document management system 100 terminates the access control process.
- The
client terminal 51 sends a document read request for the server document 61 stored in the document management system 100 to the document management system 100 by indicating the document ID (S1006).
- The document management system 100 sends the authentication result information of the user 52, the document ID of the server document 61, an access type, and context information of the client terminal 51 to the security server 200, to request the access control for the server document 61 (S1007). For example, the access type indicates a read access indicated by the document read request.
- The security server 200 determines whether or not the access is allowed based on the information received (S1008).
- The security server 200 sends a decision result to the document management system 100 (S1009). The document management system 100 conducts a process corresponding to the decision result received from the security server 200 (S1009). When the decision result shows “Allowed”, the document management system 100 processes a requirement indicated by the decision result and advances to S1011. On the other hand, when the decision result shows “Not Allowed (Prohibited)”, the access is prohibited and the access control process is terminated (S1010).
- The document management system 100 conducts a process corresponding to an access request sent from the client terminal 51, sends the server document 61 to the client terminal 51, and normally terminates the access control process (S1011).
- The user authentication request in S1002 can be sent through the security server 200. A method for authenticating the user 52 is not limited to a method for authenticating by the user ID and the password. Alternatively, a more advanced authentication such as a biometric authentication, a challenge-response authentication using a master card, or the like can be applied.
- Next, the authenticating process conducted by the
user management server 300 will be described with reference to FIG. 11. FIG. 11 is a diagram for explaining the authenticating process by the user management server according to the embodiment of the present invention. In FIG. 11, the user management server 300 checks the user ID and the password received from the document management system 100 against the user management table 310 to authenticate the user 52 (L0011).
- It is checked whether or not the user 52 is successfully authenticated (L0012). When the user 52 is successfully authenticated, the user management server 300 obtains a list of group IDs to which the user 52 belongs (L0013), and creates the authentication result information by the user ID, the user name, and the list of group IDs (L0014). The authentication result information includes user identification information identifying a user and information showing the success of the authentication.
- The user management server 300 sends the authentication result information to the document management system 100 (L0015), and terminates a process conducted when the user 52 is successfully authenticated (L0016). Then, the authenticating process is terminated (L0020).
- On the other hand, when the user 52 fails to be authenticated (L0017), the user management server 300 creates the authentication result information showing the failure of the authentication and sends the authentication result information to the document management system 100 (L0018). The process for the failure of the authentication for the user 52 is ended (L0019), and the authenticating process is terminated (L0020).
- FIG. 12 is a diagram showing a data structure of the authentication result information according to the embodiment of the present invention. In FIG. 12, for example, a data structure 501 of the authentication result information defines a structure AuthInfo and includes a user ID shown by a character string by code 503-1 showing “String userId;”, a user name shown by a character string by code 503-2 showing “String username;”, and an array of group IDs of groups to which the user 52 belongs, shown by character strings by code 503-3 showing “String[] groups;”.
- Next, the decision process conducted by the
security server 200 in S1008 will be described with reference to FIG. 13, FIG. 14, and FIG. 15. FIG. 13, FIG. 14, and FIG. 15 are diagrams for explaining the decision process by the security server in response to a request from the document management system according to the embodiment of the present invention.
- FIG. 13, FIG. 14, and FIG. 15 illustrate a process in which an operation for reading the server document 61 of the document management system 100 is conducted at the client terminal 51 and a document read request is sent from the client terminal 51 to the document management system 100. For example, there are a property refer, an original refer, an update, a delete, and a store as other operations at the client terminal 51, and a property refer request, an original refer request, an update request, a delete request, and a store request are sent from the document management system 100 to the security server 200, respectively.
- The original reference operation is an access for obtaining the server document 61 being an original managed in the document management system 100. In addition, the document read operation illustrated in FIG. 13 through FIG. 15 is an access for obtaining the server document 61, which is converted so that only the special document viewer 53 can open the original server document 61.
- Moreover, the decision process in the security system 100 is similarly conducted for each request.
- In
FIG. 13, the security server 200 receives the authentication result information, the document ID, the access type, and the context information from the document management system 100 making the decision request (L0031). For example, the access type indicates “document read for the server document”. A type of the document 60 (that is, server document 61) and a type of the operation (that is, document read) are specified by the access type.
- The security server 200 obtains a document profile (docProfile) corresponding to the document ID (docid) received from the document management system 100, from the document profile management table 260 (L0032).
- The security server 200 obtains the document category (docCategory) and the sensitivity level (docLevel) by referring to the document profile (docProfile) (L0033).
- The security server 200 obtains the related person list by referring to the document profile (docProfile) (L0034).
- The security server 200 checks whether or not the related person list (relatedPersons) includes the user IDs (userId) or position groups (groups) of the authentication result information (authInfo) (L0035).
- When the related person list (relatedPersons) includes the user IDs (userId) or position groups (groups) of the authentication result information (authInfo), the security server 200 sets the related persons (RELATED_PERSONS) to the user category (userCategory) (L0036). On the other hand, when the related person list (relatedPersons) does not include the user IDs (userId) or position groups (groups) of the authentication result information (authInfo), the security server 200 sets any person (ANY) to the user category (userCategory) (L0037).
- The security server 200 refers to the user security level table (UserMapTable) and stores a level corresponding to the user ID or the group ID (principalId) to the security level (userLevel) (L0038).
- The security server 200 obtains the zone ID list (zones) by referring to the document profile (docProfile) (L0039).
- The security server 200 refers to the zone management table (ZoneInfoTable), obtains the IP address or the MAC address corresponding to the zone ID list (zones), and creates an allowed address list (L0040).
- The security server 200 checks whether or not the address included in the context information is included in the allowed address list created in L0040 (L0041).
- When the address is included in the allowed address list, the security server 200 sets “restricted (RESTRICTED)” to the zone (zone) (L0042). On the other hand, when the address is not included in the allowed address list, the security server 200 sets “any zone (ANY)” to the zone (zone) (L0043).
- The security server 200 loads the security policy file to the memory unit 42 and obtains an array of the access control rule (rule) (L0044).
- The security server 200 repeats processes by the following L0046 through L0071 for each access control rule (rule) (L0045).
- The
security server 200 checks whether or not the document category (docCategory) of the access control rule (rule) shows “not restricted (ANY)” or corresponds to the document category (docCategory) of the document profile (DocProfile), and the document level (docLevel) of the access control rule (rule) shows “not restricted (ANY)” or corresponds to the document level (docLevel) of the document profile (DocProfile) (L0046). When this condition is satisfied, the security server 200 further repeats processes in the following L0064 through L0064 for each access control list (Ace) of the access control rule (rule) (L0048).
- On the other hand, when the above condition is not satisfied (L0070 and L0071), the security server 200 goes back to L0045 and repeats the above processes for a next access control rule (rule).
- When the above condition is satisfied, the security server 200 checks whether or not the user category (userCategory) of the access control list (Ace) corresponds to “not restricted (ANY)” or the user category (userCategory) set in L0036 or L0037, and the user level (userLevel) of the access control list (Ace) corresponds to “not restricted (ANY)” or the user level (userLevel) set in L0038, and the zone (zone) of the access control list (Ace) corresponds to “not restricted (ANY)” or the zone (zone) set in L0042 or L0043 (L0049, L0050, and L0051). When all of these conditions are satisfied, the security server 200 repeats the following L0053 through L0058 for each operation (Operation) of the access control list (Ace) (L0052).
- On the other hand, when any one of the conditions in L0049, L0050, and L0051 is not satisfied (L0064 and L0065), the security server 200 goes back to L0048 and repeats the above processes for a next access control list (Ace) of the access control rule (rule).
- When the conditions in L0049, L0050, and L0051 are satisfied, the security server 200 checks whether or not an ID of the operation (Operation.Id) corresponds to an operation (operation) of the access control list (Ace) (L0053). When the ID of the operation (Operation.Id) corresponds to an operation (operation) of the access control list (Ace), “allowed (true)” is stored to an allowed item of the decision result information (decisionInfo) (L0054). In addition, the security server 200 stores all requirements (requirement) indicated by the operation (operation) to the decision result information (L0055) and advances to L0072 (L0056).
- On the other hand, when a condition in L0053 is not satisfied (L0058 and L0059), the security server 200 goes back to L0052 and repeats the above processes for a next operation (Operation) of the access control list (Ace).
- When the
security server 200 ends the process for each operation (Operation) of the access control list (Ace), the security server 200 checks whether or not there is a respective operation (Operation) (L0060). When there is no respective operation, the security server 200 stores “not allowed (false)” to the allowed item (allowed) of the decision result information (decisionInfo) and goes to L0072 (L0061).
- On the other hand, when there is a respective operation, the security server 200 advances to L0072 (L0063).
- When the security server 200 ends the process in L0048 for each access control list (Ace) of the access control rule (rule), the security server 200 checks whether or not there is a respective access control list (Ace) (L0066). When there is no respective access control list (Ace), the security server 200 stores “not allowed (false)” to the allowed item (allowed) of the decision result information (decisionInfo) (L0067), and advances to L0072 (L0069).
- On the other hand, when there is a respective access control list (Ace), the security server 200 advances to L0072 (L0069).
- In L0045, when the process for each access control rule (rule) ends, the security server 200 checks whether or not there is a respective access control rule (L0072). When there is no respective access control rule (rule), the security server 200 stores “not allowed (false)” to the allowed item (allowed) of the decision result information (decisionInfo) (L0073), and advances to L0075. On the other hand, when there is a respective access control rule (rule), the security server 200 advances to L0075.
- The security server 200 checks whether or not the allowed item (allowed) of the decision result information (decisionInfo) shows “not allowed (false)” (L0075). When the allowed item (allowed) of the decision result information (decisionInfo) shows “not allowed (false)”, the security server 200 sends the decision result information to the document management system 100 which sent the decision request (L0076) and terminates the decision process (L0082).
- On the other hand, when the allowed item (allowed) of the decision result information (decisionInfo) does not show “not allowed (false)” (L0078), the security server 200 conducts a compensating process for requirements (requirement) included in the decision result information (decisionInfo) (L0079), sends the decision result information (decisionInfo) to the document management system 100 that sent the decision request (L0080), and then terminates the decision process (L0082).
- A data structure of the context information, which is sent from the
document management system 100 to the security server 20, will be described with reference to FIG. 16. FIG. 16 is a diagram showing the data structure of the context information according to the embodiment of the present invention.
- In FIG. 16, the context information is information showing an address of the client terminal 51 used by the user 52. For example, the data structure 511 of the context information is defined by a structure ContextInfo, and includes an IP address shown by a character string by code 513-1 showing “String ipAddress;”, and a MAC address shown by a character string by code 513-2 showing “String macAddress;”.
- The decision result information (decisionInfo), which is sent from the security server 200 to the document management system 100, will be described with reference to FIG. 17. FIG. 17 is a diagram showing a data structure of the decision result information according to the embodiment of the present invention.
- In FIG. 17, the decision result information is information showing a decision result of the access control. For example, the data structure 521 of the decision result information is defined by a structure DecisionInfo, and includes allowance information shown by true or false by code 523-1 showing “Boolean allowed;”, and a plurality of requirements shown by an array of requirements by code 523-2 showing “Requirement[] requirements;”.
- Moreover, each requirement is defined by a structure Requirement, and includes a requirement ID for identifying a requirement, shown by a character string by code 252-1 showing “String requirement;”, a plurality of sets of supplement information shown by an array of the supplement information by code 525-2 showing “Property[] supplements;”, supplement data shown by an array of bytes by code 525-3 showing “Byte[] data;”, and a plurality of alternative requirements shown by an array of the requirement by code 525-4 showing “Requirement[] alternatives;”.
- The supplement information is defined by a structure Property, and includes a name shown by a character string by code 527-1 showing “String name;”, and a value shown by a character string by code 527-2 showing “String value;”.
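The decision process of FIG. 13 through FIG. 15 (L0031 to L0075), written out as an added Python sketch that is not code from the patent; it reads the flow as first-match with default deny, which is how the jumps to L0072 behave. Assumptions: the policy is a list of dicts with hypothetical keys "aces" and "operations", requirements are carried as ID strings only, the netmask makes an IP entry a subnet match, a user's own userMap entry wins over group entries, an unregistered document is denied, and all sample IDs and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

ANY, RELATED_PERSONS, RESTRICTED = "ANY", "RELATED_PERSONS", "RESTRICTED"

@dataclass
class DecisionInfo:
    """FIG. 17: Boolean allowed; Requirement[] requirements (IDs only here)."""
    allowed: bool = False            # default deny
    requirements: list = field(default_factory=list)

def in_allowed_zone(ctx, zone_ids, zone_table):
    """L0039-L0041: is the client address inside a zone listed for the document?"""
    try:
        ip = ipaddress.ip_address(ctx.get("ipAddress") or "")
    except ValueError:
        ip = None                    # missing or malformed address never matches
    mac = (ctx.get("macAddress") or "").lower()
    for zone in zone_table:
        if zone["id"] not in zone_ids:
            continue
        for a in zone["addresses"]:
            if a["addressType"] == "MAC":
                if mac and mac == a["address"].lower():
                    return True
            elif ip is not None:
                # Assumption: the netmask makes the entry a subnet, not one host.
                spec = a["address"] + ("/" + a["netmask"] if a.get("netmask") else "")
                if ip in ipaddress.ip_network(spec, strict=False):
                    return True
    return False

def user_level(auth, user_map):
    """L0038. Assumption: the user's own entry wins over group entries."""
    for principal in [auth["userId"], *auth["groups"]]:
        for entry in user_map:
            if entry["principalId"] == principal:
                return entry["levelId"]
    return None                      # an unknown level only matches ANY

def matches(policy_value, actual):
    return policy_value == ANY or policy_value == actual

def decide(auth, doc_id, operation, ctx, tables, policy):
    """L0031-L0075: the first matching rule and Ace decide; all else is denied."""
    decision = DecisionInfo()
    doc = tables["docProfiles"].get(doc_id)
    if doc is None:
        return decision              # assumption: unregistered document is denied
    principals = {auth["userId"], *auth["groups"]}
    category = RELATED_PERSONS if principals & set(doc["relatedPersons"]) else ANY
    level = user_level(auth, tables["userMap"])
    zone = RESTRICTED if in_allowed_zone(ctx, doc["zones"], tables["zones"]) else ANY
    for rule in policy:
        if not (matches(rule["docCategory"], doc["docCategory"])
                and matches(rule["docLevel"], doc["docLevel"])):
            continue
        for ace in rule["aces"]:
            if not (matches(ace["userCategory"], category)
                    and matches(ace["userLevel"], level)
                    and matches(ace["zone"], zone)):
                continue
            for op in ace["operations"]:
                if op["id"] == operation:
                    decision.allowed = True                      # L0054
                    decision.requirements = list(op["requirements"])  # L0055
                    return decision
            return decision          # matching Ace lacks the operation: denied
        return decision              # matching rule has no matching Ace: denied
    return decision                  # no matching rule: denied

# Constructed sample data (not from the patent): IDs, levels and addresses are invented.
TABLES = {
    "docProfiles": {"doc-001": {"docCategory": "HR", "docLevel": "SECRET",
                                "relatedPersons": ["alice", "hr-team"],
                                "zones": ["zone-hq"]}},
    "userMap": [{"principalId": "alice", "entryType": "user", "levelId": "STAFF"},
                {"principalId": "managers", "entryType": "group", "levelId": "MANAGER"}],
    "zones": [{"id": "zone-hq", "name": "HQ floor 3", "addresses": [
        {"address": "192.168.10.0", "addressType": "IP", "netmask": "255.255.255.0"},
        {"address": "00:11:22:AA:BB:CC", "addressType": "MAC", "netmask": ""}]}],
}
POLICY = [{"docCategory": "HR", "docLevel": "SECRET", "aces": [
    {"userCategory": RELATED_PERSONS, "userLevel": ANY, "zone": RESTRICTED,
     "operations": [
         {"id": "read", "requirements": ["record_audit_data"]},
         {"id": "print", "requirements": ["record_audit_data", "multi_authentication"]}]},
    {"userCategory": ANY, "userLevel": "MANAGER", "zone": ANY,
     "operations": [
         {"id": "read", "requirements": ["record_audit_data", "show_alarm"]}]}]}]
```

Because the first matching Ace decides, the order of Ace entries in a rule is part of the policy: an operation missing from that Ace is denied even if a later Ace would grant it.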
- Next, the compensating process for requirements by the document management system 100 will be described with reference to FIG. 18. FIG. 18 is a flowchart for explaining the compensating process for requirements by the document management system according to the embodiment of the present invention.
- In FIG. 18, the document management system 100 repeats from L1102 to L1110 for each set of the supplement information (supplement) included in the requirement (requirement) of the decision result information (decisionInfo) (L1101).
- The document management system 100 checks whether or not the name (name) of a property (Property) of the supplement information indicates a static image (static_image) (L1102). When the static image (static_image) is indicated, the document management system 100 reads out data of a stamp image file indicated in a value (value) of the property (Property) of the supplement information from a local hard disk (storage unit 46), stores the data of the stamp image file as supplement data of the requirement (requirement) (L1103), and advances to L1105.
- On the other hand, when the static image (static_image) is not indicated, the document management system 100 advances to L1105.
- For example, the static image is a stamp image or the like.
- The document management system 100 checks whether or not a dynamic image (dynamic_image) is indicated in the name (name) of the property (Property) of the supplement information, and the operation (operation) shows “print” (L1105). When the dynamic image (dynamic_image) is set to the name (name) of the property (Property) of the supplement information, and the operation (operation) shows “print”, the document management system 100 creates a new print profile (printProfile) (L1106). Moreover, the document management system 100 encodes a print ID (printId) of the print profile (printProfile) to be identification image data (L1107), and stores the identification image data to supplement data (data) of the requirement (requirement) of the identification image data (L1108). Then, the document management system 100 terminates the compensating process for the requirement.
- On the other hand, when the dynamic image (dynamic_image) is not indicated in the name (name) of the property (Property) of the supplement information or the operation (operation) does not show “print”, the document management system 100 terminates the compensating process for the requirement.
- The dynamic image is a barcode image, an identification pattern image, or the like.
- Next, the requirement process conducted by the document management system 100 will be described with reference to FIG. 19 and FIG. 20. FIG. 19 and FIG. 20 are flowcharts for explaining the requirement process according to the embodiment of the present invention.
- In FIG. 19, the document management system 100 checks whether or not the allowed item (allowed) of the decision result information (decisionInfo) shows “not allowed (false)” (L1121). When “not allowed (false)” is shown, the document management system 100 denies the access and terminates the requirement process (L1122).
- On the other hand, when “not allowed (false)” is not shown, the document management system 100 repeats from L1125 to L1160 for each requirement (requirement) of the decision result information (decisionInfo) (L1124).
- The document management system 100 checks whether or not a requirement (requirement) which is not supported by the document management system 100 (hereinafter referred to as a not-supported requirement) is indicated (L1125). When the not-supported requirement is not indicated, the document management system 100 advances to L1131.
- On the other hand, when the not-supported requirement is indicated, the document management system 100 further checks whether or not the alternative requirement (alternative) of the not-supported requirement (requirement) is an alternative requirement which is not supported (hereinafter referred to as a not-supported alternative requirement) (L1126). When the not-supported alternative requirement (alternative) for the not-supported requirement (requirement) is indicated, the document management system 100 denies the access and terminates the requirement process (L1127).
- On the other hand, when the not-supported alternative requirement (alternative) for the not-supported requirement (requirement) is not indicated, the document management system 100 processes the alternative requirement (alternative) of the not-supported requirement (requirement) (L1129).
- Subsequently, the
document management system 100 checks whether or not a log record (record_audit_data) is indicated in the requirement (requirement) (L1131). When the log record (record_audit_data) is indicated, the document management system 100 generates log data including the user ID (userid), the document ID (docid), the operation (operation), date and time, and the context information (contextInfo) (L1132).
- Then, the document management system 100 sends the log data to the security server 200 (L1133). The document management system 100 checks whether or not the log data is successfully sent to the security server 200 (L1134). When the log data fails to be sent, the document management system 100 denies the access and terminates the requirement process (L1135). On the other hand, when the log data is successfully sent to the security server 200, the document management system 100 advances to L1138.
- Furthermore, the document management system 100 checks whether or not an encryption (encryption) is indicated in the requirement (requirement) (L1138). When the encryption (encryption) is indicated, the document management system 100 encrypts the document 60 stored therein (L1139). On the other hand, when the encryption (encryption) is not indicated, the document management system 100 advances to L1141.
- Subsequently, the document management system 100 checks whether or not a protection of integrity of an original of the digital document is indicated in the requirement (requirement) (L1141). When the protection of integrity of the original of the digital document is indicated, the document management system 100 transmits and stores the digital document to an original document integrity protection supporting system (L1142). For example, the original document integrity protection supporting system may be a system disclosed in Japanese Laid-open Patent Application No. 2000-285024. Alternatively, this original document integrity protection supporting system can be provided within the document management system 100.
- On the other hand, when the protection of the integrity of an original (integrity_protection) is indicated in the requirement (requirement), the document management system 100 advances to L1144.
- Moreover, the document management system 100 checks whether or not the requirement (requirement) indicates to allow a multiple authentication (multi_authentication) for an access to the digital document (L1144). When the requirement (requirement) does not indicate to allow the multiple authentication (multi_authentication), the document management system 100 advances to L1150.
- On the other hand, when the requirement (requirement) indicates to allow the multiple authentication (multi_authentication), the document management system 100 requires the user 52 using the client terminal 52 to conduct a strict user authentication (such as a fingerprint recognition or the like) (L1145). After this strict user authentication, the document management system 100 checks whether or not the strict user authentication fails to authenticate the user 52 (L1146). When the strict user authentication fails, the document management system 100 denies the access and terminates the requirement process (L1147). On the other hand, when the strict user authentication succeeds in authenticating the user 52, the document management system 100 advances to L1150.
- Subsequently, the
document management system 100 checks whether or not the requirement (requirement) indicates a version management (versioning) of the digital document (L1150). When the version management (versioning) is indicated, the document management system 100 stores a revised document as a new version (L1151) and advances to L1153.
- Moreover, the document management system 100 checks whether or not the requirement (requirement) indicates a complete deletion of the digital document (L1153). When the complete deletion is indicated, the document management system 100 executes a complete deleting process with respect to the digital document being deleted (L1154), and advances to L1156. On the other hand, when the complete deletion is not indicated, the document management system 100 advances to L1156.
- Subsequently, the document management system 100 checks whether or not the requirement (requirement) indicates an alarm display (show_alarm) (L1156). When the alarm display (show_alarm) is indicated, the document management system 100 creates an alarm character string in a character string format indicated in the supplement information (supplement) of the requirement (requirement) (L1157), and displays the alarm character string in a dialog box to the user 52 (L1158). Then, the document management system 100 goes back to L1124 to repeat the same processes for a next requirement (requirement). On the other hand, when the alarm display (show_alarm) is not indicated, the document management system 100 advances to L1124.
- After the above processes are conducted for all requirements (requirement), the document management system 100 conducts an access process requested from the client terminal 51 (L1161), and terminates the requirement process (L1162).
- As described with reference to FIG. 19 and FIG. 20, the requirements (requirement) of the decision result information (decisionInfo) are processed in parallel. However, since requirements (requirement) to be processed are defined for each operation (operation), it is not required to process all requirements (requirement). For example, the complete deletion (complete_deletion) of the digital document is indicated only for the server document 61. For the sake of convenience, the above processes are illustrated in FIG. 19 and FIG. 20. The document management system 100 conducts the same processes for the alternative requirement.
- As described above, the document management system 100 can conduct the access control in accordance with the security policy set in the security server 200. In this case, it is possible to apply an allowable requirement regulated by the security policy. Moreover, by including the processes for the supplement information and alternative requirement necessary to satisfy the allowable requirement, the requirement process can be flexibly required.
- [Access Control by Digital Copier]
- The access control by the
digital copier 70 will be described with reference toFIG. 21 andFIG. 22 . -
FIG. 21 is a diagram showing an access control sequence at the digital copier according to the embodiment of the present invention. FIG. 22 is a flowchart for explaining the access control process by the digital copier according to the embodiment of the present invention. In FIG. 21 and FIG. 22, each process in the access control sequence shown in FIG. 21 is identified by the same reference numeral as the corresponding process shown in FIG. 22.
- In FIG. 21 and FIG. 22, the digital copier 70 receives the login request with the user ID and the password from the user 52 (S2001).
- The digital copier 70 sends the user ID and the password received from the user 52 to the user management server 300 to make an authentication request (S2002). The user management server 300 conducts the authenticating process by the user ID and the password received from the digital copier 70 (S2003). The user management server 300 sends authentication result information showing success or failure of the authentication to the digital copier 70 (S2004).
- The digital copier 70 conducts a process corresponding to the authentication result information (S2005). When the authentication result information shows that the user 52 is successfully authenticated, the digital copier 70 sends the authentication result information received from the user management server 300 to the client terminal 51, and advances to S2006. On the other hand, when the authentication result information shows that the authentication of the user 52 failed, the digital copier 70 terminates the access control process.
- The user 52 makes a copy request for a paper document 62 at the digital copier 70 (S2006).
- When the digital copier 70 receives the copy request for the paper document 62, in order to identify the paper document 62, the digital copier 70 cuts out an area for identification from image data obtained by scanning the paper document 62 (S2007).
- The authentication information of the user 52, a cut-out image, the access type, and the context information are sent to the security server 200 to request the access control (S2008). For example, a copy access for the copy request is indicated as the access type.
- The security server 200 determines based on the information received from the digital copier 70 whether the access is allowed or not allowed (S2009). The security server 200 sends a decision result to the digital copier (S2010).
- The digital copier 70 conducts a process corresponding to the decision result received from the security server 200 (S2011). When the decision result shows “Allowed”, the digital copier 70 processes a requirement included in the decision result. On the other hand, when the decision result shows “Prohibited”, the digital copier 70 terminates the access control process without any access.
- The digital copier 70 processes the access request (copy request) requested by the user 52, outputs the copied sheets, and terminates the access control process (S2012).
- In this example, a case in which the access request is the copy request is described. The same process can be conducted for a scan request, a fax transmission request, and the like. For example, when the access request is the scan request, image data being scanned is stored in a predetermined storage area. When the access request is the fax transmission request, the image data being scanned are sent to a destination indicated by the user 52.
- The user authentication request in S2009 can be sent through the security server 200. A method for authenticating the user 52 is not limited to a method for authenticating by the user ID and the password. Alternatively, a more advanced authentication such as a biometric authentication, a challenge-response authentication using a master card, or the like can be applied.
- An authenticating process by the user management server 300 in S2003 is the same as the authenticating process in the access control of the document management system 100, and explanation thereof will be omitted. In addition, a data structure of the authentication result information generated by the user management server 300 is the same as the data structure in the access control of the document management system 100, and explanation thereof will be omitted.
- The decision process conducted by the
security server 200 in S2009 will be described with reference to FIG. 23, FIG. 24, and FIG. 25. FIG. 23, FIG. 24, and FIG. 25 are diagrams for explaining the decision process in the security server in response to a request from the digital copier according to the embodiment of the present invention.
- In FIG. 23, FIG. 24, and FIG. 25, a case in which the user 52 conducts the copy request to copy the paper document 62 by the digital copier 70 is illustrated. For example, as other operations at the digital copier 70, there are a fax transmission, a scan, and the like, and respective requests are sent from the digital copier 70 to the security system 100 as a fax transmission request, a scan request, and the like.
- An operation for the fax transmission is to send the paper document 62 being scanned by the digital copier 70 to a destination indicated by the user 52 by fax. An operation for a scan is to scan the paper document 62 and store image data in a predetermined storage area.
- The decision process in the security server 200 is the same for respective requests.
- In FIG. 23, the security server 200 receives the authentication result information, the document ID, the access type, and the context information from the digital copier 70 that sent the decision request (L2031). For example, “copy for the paper document” is indicated in the access type. A type of the document 60 (that is, paper document 62) and a type of operation (that is, copy) are specified.
- The security server 200 obtains a print ID (printId) by decoding the cut-out image received from the digital copier 70 (L2032).
- The security server 200 determines whether or not the cut-out image can be decoded (L2033). When the cut-out image cannot be decoded, the security server 200 sets “unknown (UNKNOWN)” to the document category (docCategory) (L2034), sets “unknown (UNKNOWN)” to the document level (docLevel) (L2035), sets “not restricted (ANY)” to the user category (userCategory) (L2036), and sets “not restricted (ANY)” to the zone (zone) (L2037).
- On the other hand, when the cut-out image can be decoded, the security server 200 obtains a print profile (printProfile) corresponding to the print ID (printId) by referring to the print profile management table 280 (L2040).
- The security server 200 checks whether or not the print profile corresponding to the print ID exists (L2041). When the respective print profile corresponding to the print ID does not exist, the security server 200 sets “unknown (UNKNOWN)” to the document category (docCategory) (L2042), sets “unknown (UNKNOWN)” to the document level (docLevel) (L2043), sets “not restricted (ANY)” to the user category (userCategory) (L2044), and sets “not restricted (ANY)” to the zone (zone) (L2045).
- On the other hand, when the print profile corresponding to the print ID exists (L2047), the security server 200 obtains the document ID (docid) from the print profile (printProfile) (L2048), obtains the document profile (docProfile) corresponding to the document ID (docid) by referring to the document profile management table (L2049), obtains the document category (docCategory) and the sensitivity level (docLevel) by referring to the document profile (docProfile) (L2050), and obtains the related person list (relatedPersons) by referring to the document profile (docProfile) (L2051).
- The security server 200 further checks whether or not the related person list (relatedPersons) includes the user IDs (userId) or position groups (groups) of the authentication result information (authInfo) (L2052). When the related person list (relatedPersons) includes the user IDs (userId) or position groups (groups) of the authentication result information (authInfo), the security server 200 indicates the related persons (RELATED_PERSONS) to the user category (userCategory) (L2053). On the other hand, when the related person list (relatedPersons) does not include the user IDs (userId) or position groups (groups) of the authentication result information (authInfo), the security server 200 indicates any person (ANY) to the user category (userCategory) (L2054), and advances to L2055.
- The security server 200 obtains the zone ID list (zones) by referring to the document profile (docProfile) (L2055). The security server 200 refers to the zone management table (ZoneInfoTable), obtains the IP address or the MAC address corresponding to the zone ID list (zones), and creates an allowed address list (L2056).
- The security server 200 checks whether or not the address included in the context information is included in the allowed address list created in L2056 (L2057). When the address is included in the allowed address list, the security server 200 sets “restricted (RESTRICTED)” to the zone (zone) (L2058), and advances to L2062. On the other hand, when the address is not included in the allowed address list, the security server 200 sets “any zone (ANY)” to the zone (zone) (L2059), and advances to L2062.
- The security server 200 refers to the user security level table (UserMapTable) and stores a level corresponding to the user ID (userId) or position groups (groups) to the user level (userLevel) (L2062).
- The
security server 200 loads the security policy file to the memory unit 42 and obtains an array of the access control rule (rule) (L2063).
- The security server 200 repeats processes by the following L0046 through L0071 for each access control rule (rule) (L0064).
- The security server 200 checks whether or not the document category (docCategory) of the access control rule shows “not restricted (ANY)” or corresponds to the document category (docCategory) of the document profile (DocProfile) and the document level (docLevel) of the access control rule (rule) shows “not restricted (ANY)” or corresponds to the document level (docLevel) of the document profile (DocProfile) (L20065 and L2066). When the document category (docCategory) of the access control rule (rule) shows “not restricted (ANY)” or corresponds to the document category (docCategory) of the document profile (DocProfile), and the document level (docLevel) of the access control rule (rule) corresponds to “not restricted (ANY)” or the document level (docLevel) of the document profile (DocProfile), the security server 200 further repeats processes in the following L2068 through L2083 for each access control list (Ace) of the access control rule (rule) (L2067).
- On the other hand, when the above condition is not satisfied (L2088 and L2089), the security server 200 goes back to L2064 and repeats the above processes for a next access control rule (rule).
- When the above condition is satisfied, the security server 200 checks whether or not the user category (userCategory) of the access control list (Ace) corresponds to “not restricted (ANY)” or the user category (userCategory) set in L2053 or L2054, and the user level (userLevel) of the access control list (Ace) corresponds to “not restricted (ANY)” or the user level (userLevel) set in L2062, and the zone (zone) corresponds to “not restricted (ANY)” or the zone (zone) set in L2058 or L2059 (L2068, L2069, and L2070). When the user category (userCategory) of the access control list (Ace) corresponds to “not restricted (ANY)” or the user category (userCategory) set in L2053 or L2054, and the user level (userLevel) of the access control list (Ace) corresponds to “not restricted (ANY)” or the user level (userLevel) set in L2062, and the zone (zone) corresponds to “not restricted (ANY)” or the zone (zone) set in L2058 or L2059, the security server 200 repeats the following L2072 through L2077 for each operation (Operation) of the access control list (Ace) (L2071).
- On the other hand, when any one of conditions in L2068, L2069, and L2070 is not satisfied (L2082 and L2083), the security server 200 goes back to L2067 and repeats the above processes for a next access control list (Ace) of the access control rule (rule).
- When the conditions in L2068, L2069, and L2070 are satisfied, the security server 200 checks whether or not an ID of the operation (Operation.Id) corresponds to an operation (operation) of the access control list (Ace) (L2072). When the ID of the operation (Operation.Id) corresponds to an operation (operation) of the access control list (Ace), “allowed (true)” is stored to an allowed item of the decision result information (decisionInfo) (L2073). In addition, the security server 200 stores all requirements (requirement) indicated by the operation (operation) to the decision result information (L2074) and advances to L0072 (L2081).
- On the other hand, when a condition in L0053 is not satisfied (L2076 and L2077), the security server 200 goes back to L2071 and repeats the above processes for a next operation (Operation) of the access control list (Ace).
- When the security server 200 ends the process for each operation (Operation) of the access control list (Ace) in L2071, the security server 200 checks whether or not there is a respective operation (Operation) (L2078). When there is no respective operation, the security server 200 stores “not allowed (false)” to the allowed item (allowed) of the decision result information (decisionInfo) (L2079) and goes to L2090 (L2081).
- On the other hand, when there is a respective operation, the security server 200 advances to L2090 (L2081).
- When the security server 200 ends the process in L2067 for each access control rule (rule), the security server 200 checks whether or not there is an access control rule (rule) (L2090). When there is no respective access control rule (rule), the security server 200 stores “not allowed (false)” to the allowed item (allowed) of the decision result information (decisionInfo) (L2091), and advances to L2093. On the other hand, when there is a respective access control rule (rule), the security server 200 advances to L2093.
- The security server 200 checks whether or not the allowed item (allowed) of the decision result information (decisionInfo) shows “not allowed (false)” (L2093). When the allowed item (allowed) of the decision result information (decisionInfo) shows “not allowed (false)”, the security server 200 sends the decision result information to the digital copier 70 which sent the decision request (L2094) and terminates the decision process (L2100).
- On the other hand, when the allowed item (allowed) of the decision result information (decisionInfo) does not show “not allowed (false)” (L2096), the security server 200 conducts a compensating process for requirements (requirement) included in the decision result information (decisionInfo) (L2097), sends the decision result information (decisionInfo) to the digital copier 70 that sent the decision request (L2098), and then terminates the decision process (L2100).
- A data structure of the context information sent from the digital copier 70 to the security server 200 is the same as the data structure of the context information sent from the document management system 100 to the security server 200, and explanation thereof will be omitted.
- A data structure of the decision result information sent from the security server 200 to the digital copier 70 is the same as the data structure of the decision result information sent from the security server 200 to the document management system 100, and explanation thereof will be omitted.
- The compensating process of the requirement by the digital copier 70 is the same as the compensating process for the requirement by the document management system 100, and explanation thereof will be omitted.
- Next, the requirement process conducted by the
digital copier 70 will be described with reference to FIG. 26, FIG. 27, and FIG. 28. FIG. 26, FIG. 27, and FIG. 28 are flowcharts for explaining the requirement process by the digital copier according to the embodiment of the present invention.
- In FIG. 26, the digital copier 70 checks whether or not the allowed item (allowed) of the decision result information (decisionInfo) shows “not allowed (false)” (L2121). When “not allowed (false)” is shown, the digital copier 70 denies the access and terminates the requirement process (L2122).
- On the other hand, when “not allowed (false)” is not shown, the digital copier 70 repeats from L2125 to L2178 for each requirement (requirement) of the decision result information (decisionInfo) (L2124).
- The digital copier 70 checks whether or not a requirement (requirement) which is not supported by the digital copier 70 (hereinafter referred to as a not-supported requirement) is indicated (L2125). When the not-supported requirement is not indicated, the digital copier 70 advances to L2131.
- On the other hand, when the not-supported requirement is indicated, the digital copier 70 further checks whether or not the alternative requirement (alternative) of the not-supported requirement (requirement) is an alternative requirement which is not supported (hereinafter referred to as a not-supported alternative requirement), and is indicated (L2126). When the not-supported alternative requirement (alternative) for the not-supported requirement (requirement) is indicated, the digital copier 70 denies the access and terminates the requirement process (L2127).
- On the other hand, when the not-supported alternative requirement (alternative) for the not-supported requirement (requirement) is not indicated, the digital copier 70 processes the alternative requirement (alternative) of the not-supported requirement (requirement) (L2128).
- Subsequently, the digital copier 70 checks whether or not a log record (record_audit_data) is indicated in the requirement (requirement) (L2131). When the log record (record_audit_data) is indicated, the digital copier 70 generates log data including the user ID (userid), the document ID (docid), the operation (operation), date and time, and the context information (contextInfo) (L2132).
- Then, the digital copier 70 sends the log data to the security server 200 (L2133). The digital copier 70 checks whether or not the log data is successfully sent to the security server 200 (L2134). When sending the log data fails, the digital copier 70 denies the access and terminates the requirement process (L2135). On the other hand, when the log data is successfully sent to the security server 200, the digital copier 70 advances to L2138.
- Furthermore, the digital copier 70 checks whether or not a label print (show_label) is indicated in the requirement (L2138). When the label print (show_label) is indicated, the digital copier 70 embeds a stamp image indicated by the supplement information (supplement) of the requirement by printing to a printed document (L2139). On the other hand, when the label print (show_label) is not indicated, the digital copier 70 advances to L2141.
- Subsequently, the digital copier 70 checks whether or not a user name print (show_operator) is indicated (L2141). When the user name print (show_operator) is indicated, the digital copier 70 prints an operator name (operator) as the user name to a printed document (L2142). On the other hand, when the user name print (show_operator) is not indicated, the digital copier 70 advances to L2144.
- Moreover, the digital copier 70 checks whether or not a record of an image log (record_image_data) is indicated (L2144). When the record of the image log (record_image_data) is indicated, the digital copier 70 generates image log data including the user ID (userid), the document ID (docid), the operation (operation), the date and time, the context information (contextInfo), and document data (scan data) (L2145). Subsequently, the digital copier 70 stores the image log data to an internal hard disk (L2146). On the other hand, when the record of the image log (record_image_data) is not indicated, the digital copier 70 advances to L2148.
- Subsequently, the
digital copier 70 checks whether or not an alarm display (show_alarm) is indicated (L2148). When the alarm display (show_alarm) is indicated, the digital copier 70 creates an alarm character string in a character string format indicated in the supplement information (supplement) of the requirement (requirement) (L2149), and displays the alarm character string at the operation panel to the user 52 (L2150). On the other hand, when the alarm display (show_alarm) is not indicated, the digital copier 70 advances to L2152.
- Furthermore, the digital copier 70 checks whether or not an alarm print (print_alarm) is indicated (L2152). When the alarm print (print_alarm) is indicated, the digital copier 70 creates an alarm character string in a character string format indicated in the supplement information (supplement) of the requirement (requirement) (L2153), and prints the alarm character string embedded in the printed document (L2154). On the other hand, when the alarm print (print_alarm) is not indicated, the digital copier 70 advances to L2156.
- Subsequently, the digital copier 70 checks whether or not a receiver restriction (address_restriction) for the fax transmission is indicated (L2156). When the receiver restriction (address_restriction) is indicated, the digital copier 70 checks a receiver address indicated by the user 52 against a receiver condition indicated in the supplement information (supplement) of the requirement (requirement) (L2157). Moreover, the digital copier 70 checks whether or not the receiver address matches the receiver condition (L3258). When the receiver address does not match the receiver condition, the digital copier 70 displays, at an operation panel, a message showing that the receiver address does not match the receiver condition, to inform the user 52 (L2159), denies the access by the user 52, and terminates the requirement process (L2160). On the other hand, when the receiver address matches the receiver condition, the digital copier 70 advances to L2162.
- When the digital copier 70 determines in L2156 that the receiver restriction (address_restriction) is not indicated, the digital copier 70 advances to L2162.
- Moreover, the digital copier 70 decides whether or not a confidential transmission mode (private_send) is indicated (L2163). When the confidential transmission mode (private_send) is indicated, the digital copier 70 sets the confidential transmission mode to a sender condition (L2164). Then, the digital copier 70 checks whether or not the confidential transmission mode cannot be set (L2165). When the confidential transmission mode cannot be set, the digital copier 70 displays, at the operation panel, a message showing that a receiver cannot receive the confidential transmission, to inform the user 52 (L2166), denies the access, and terminates the requirement process (L2167). On the other hand, when the confidential transmission can be set, the digital copier 70 advances to L2170.
- When the digital copier 70 determines in L2163 that the confidential transmission mode (private_send) is not indicated, the digital copier 70 advances to L2170.
- Subsequently, the digital copier 70 checks whether or not a visible watermark letter print (visible_watermark) is indicated (L2170). When the visible watermark letter print is indicated, the digital copier 70 creates a character string in a character string format indicated by the supplement information (supplement) of the requirement (requirement) (L2171), and embeds the character string as a watermark to the printed documents (L2172). On the other hand, when the visible watermark letter is not indicated, the digital copier 70 advances to L2174.
- Furthermore, the digital copier 70 checks whether or not a digital watermark (digital_watermark) is indicated (L2174). When the digital watermark is indicated, the digital copier 70 creates a character string in a character string format indicated by the supplement (supplement) of the requirement (requirement) (L2175), and embeds the character string as the digital watermark to scanned data (L2176). Then, the digital copier 70 goes back to L2124 and repeats the above processes for a next requirement (requirement). On the other hand, when the digital watermark is not indicated, the digital copier 70 advances to L2124.
- After the above process is conducted for all requirements (requirement), the digital copier 70 conducts a process corresponding to the access by the client terminal 51 (L2179) and terminates the requirement process (L2180).
- As described above, the digital copier 70 can conduct the access control in accordance with the security policy set in the security server 200. In this case, it is possible to apply the allowable requirement regulated by the security policy. Moreover, it is possible to process the supplement information necessary to satisfy the allowable requirement, and apply the process for the alternative requirement.
- Since the recognition of the paper document 62 is not perfect at 100 percent, a recognition error may occur. When the digital copier 70 cannot recognize the paper document 62 when copying the paper document 62, basically the paper document 62 is required to be copied as a regular paper document. For this reason, it is required to conduct some kind of security protection in a case in which the paper document 62 cannot be recognized. Accordingly, in this embodiment, the paper document 62, which is not recognized (categorized into “UNKNOWN” of the document category), can be processed in accordance with the security policy.
- [Access Control by Document Viewer]
- An access control conducted by the document viewer 53 will be described with FIG. 29, FIG. 30, and FIG. 31.
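The decision process (L2031 to L2100) and the requirement process (L2121 to L2180) described for the digital copier in the preceding section can be sketched as follows; this is an added example, not code from the patent. The table contents, category, level and address values, the `decode_print_id` stand-in, and the handling of a missing alternative or missing document profile as "unknown" or "deny" are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ANY, UNKNOWN = "ANY", "UNKNOWN"

@dataclass
class Requirement:
    name: str                                    # e.g. record_audit_data
    supplement: str = ""                         # supplement information
    alternative: Optional["Requirement"] = None  # alternative requirement

# Constructed sample tables (assumed contents, not from the patent).
PRINT_PROFILES = {"P-0001": "D-42"}              # printId -> docId
DOC_PROFILES = {"D-42": {"docCategory": "HUMAN_RESOURCE", "docLevel": "SECRET",
                         "relatedPersons": {"alice", "hr-group"}, "zones": ["Z1"]}}
ZONES = {"Z1": {"10.0.5.17"}}                    # zone id -> allowed addresses
USER_LEVELS = {"alice": "MANAGER", "bob": "REGULAR"}
POLICY = [
    {"docCategory": "HUMAN_RESOURCE", "docLevel": "SECRET", "aces": [
        {"userCategory": "RELATED_PERSONS", "userLevel": ANY, "zone": "RESTRICTED",
         "operations": {"copy": [
             Requirement("record_audit_data"),
             Requirement("digital_watermark", "copied by %u",
                         Requirement("visible_watermark", "copied by %u"))]}}]},
    # Rule for paper the server could not identify: still governed by policy.
    {"docCategory": UNKNOWN, "docLevel": UNKNOWN, "aces": [
        {"userCategory": ANY, "userLevel": ANY, "zone": ANY,
         "operations": {"copy": [
             Requirement("record_image_data",
                         alternative=Requirement("record_audit_data"))]}}]},
]

def decode_print_id(cutout):
    """Hypothetical stand-in for decoding the cut-out image into a print ID."""
    return cutout if cutout.startswith("P-") else None

def classify(auth, cutout, address):
    """Derive (docCategory, docLevel, userCategory, zone) for the request."""
    print_id = decode_print_id(cutout)
    doc_id = PRINT_PROFILES.get(print_id) if print_id else None
    profile = DOC_PROFILES.get(doc_id) if doc_id else None
    if profile is None:   # undecodable image or no matching profile
        return UNKNOWN, UNKNOWN, ANY, ANY
    identities = {auth["userId"], *auth["groups"]}
    user_cat = "RELATED_PERSONS" if identities & profile["relatedPersons"] else ANY
    allowed = set().union(*(ZONES.get(z, set()) for z in profile["zones"]))
    zone = "RESTRICTED" if address in allowed else ANY
    return profile["docCategory"], profile["docLevel"], user_cat, zone

def matches(rule_value, actual):
    return rule_value == ANY or rule_value == actual

def decide(policy, auth, cutout, operation, address):
    """Security-server side: first matching rule and ACE decides, else deny."""
    doc_cat, doc_level, user_cat, zone = classify(auth, cutout, address)
    user_level = USER_LEVELS.get(auth["userId"])
    deny = {"allowed": False, "requirements": []}
    for rule in policy:
        if not (matches(rule["docCategory"], doc_cat)
                and matches(rule["docLevel"], doc_level)):
            continue
        for ace in rule["aces"]:
            if (matches(ace["userCategory"], user_cat)
                    and matches(ace["userLevel"], user_level)
                    and matches(ace["zone"], zone)):
                reqs = ace["operations"].get(operation)
                if reqs is None:
                    return deny
                return {"allowed": True, "requirements": list(reqs)}
    return deny

def enforce(decision, supported, send_audit_log, event):
    """Copier side: returns (granted, requirements applied so far)."""
    if not decision["allowed"]:
        return False, []
    applied = []
    for req in decision["requirements"]:
        if req.name not in supported:
            alt = req.alternative
            # Assumption: a missing alternative is treated like an unsupported one.
            if alt is None or alt.name not in supported:
                return False, applied
            req = alt
        # The audit record must reach the server before access continues.
        if req.name == "record_audit_data" and not send_audit_log(event):
            return False, applied
        applied.append((req.name, req.supplement))
    return True, applied

if __name__ == "__main__":
    alice = {"userId": "alice", "groups": ["hr-group"]}
    event = {"userId": "alice", "operation": "copy"}
    for cutout in ("P-0001", "unreadable"):
        d = decide(POLICY, alice, cutout, "copy", "10.0.5.17")
        print(cutout, enforce(d, {"record_audit_data", "visible_watermark"},
                              lambda e: True, event))
```

Both failure paths end in denial rather than an unprotected copy: a device that supports neither a requirement nor its alternative refuses the operation, and so does one that cannot deliver the audit record.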
FIG. 29 is a diagram showing an access control sequence in the document viewer according to the embodiment of the present invention. FIG. 30 and FIG. 31 are flowcharts for explaining the access control process by the document viewer according to the embodiment of the present invention. In FIG. 29, FIG. 30, and FIG. 31, each process in the access control sequence shown in FIG. 29 is identified by the same reference numeral as the corresponding process shown in FIG. 30 and FIG. 31.
- In FIG. 29 and FIG. 30, the document viewer 53 receives an open request for opening a file (portable document 63) from the user 52 (S3001).
- The document viewer 53 checks whether or not the portable document 63 is protected by a security (S3002). The document viewer 53 conducts a process corresponding to a check result in S3002 (protected or not protected) for the portable document 63 (S3003). When the portable document 63 is not protected, the document viewer 53 displays a content of the portable document 63, and terminates the access control process. On the other hand, when the portable document 63 is protected, the document viewer 53 advances to S3004.
- The document viewer 53 prompts the user 52 to input the user ID and the password and receives the user ID and the password from the user 52 (S3004).
- The document viewer 53 conducts a user authentication by sending the user ID and the password from the user 52 to the user management server 300 (S3005).
- The user management server 300 conducts the user authentication by the user ID and the password received from the document viewer 53 (S3006), and sends authentication result information to the document viewer 53 (S3007).
- When the document viewer 53 receives the authentication result information from the user management server 300, the document viewer 53 conducts a process corresponding to the authentication result information (S2008). When the authentication fails, the document viewer 53 displays an authentication error for the user 52, and terminates the access control process. When the authentication succeeds, the document viewer 53 advances to S3009.
- The document viewer 53 retrieves the document ID from the portable document 63 (S3009). Then, the document viewer 53 sends the authentication result information, the document ID, an access type, and context information for the client terminal 51 on which the document viewer 53 is running, to the security server 200, and requests the access control (S3010). For example, a read access is indicated as the access type for the open request.
- The security server 200 determines whether or not the access is allowed based on information received from the document viewer 53 (S3011). The security server 200 sends a decision result to the document viewer 53 (S3012).
- When the decision result shows “allowed”, the document viewer 53 processes a requirement included in the decision result (S3013). When the decision result shows “prohibited (not allowed)”, the document viewer 53 denies the access and terminates the access control process.
- The document viewer 53 processes the access (file open) requested by the user 52, and displays the contents of the portable document 63 (S3014).
- The document viewer 53 receives a print request of the portable document 63 from the user 52 (S3015).
- The document viewer 53 sends the authentication result information, the document ID, the access type, and the context information of the client terminal 51 on which the document viewer 53 is running, to the security server 200, and requests the access control to the security server 200 (S3016). For example, a print access corresponding to the print request is indicated as the access type.
- The security server 200 determines based on information received from the document viewer 53 whether or not the access is allowed (S3017), and sends a decision result to the document viewer 53 (S3018).
- When the decision result shows “allowed”, the document viewer 53 processes a requirement included in the decision result (S3019). When the decision result shows “prohibited (not allowed)”, the document viewer 53 denies the access, and terminates the access control process.
- The document viewer 53 processes the access (print) requested by the user 52, and outputs printed contents of the portable document 63 (S3020).
- The user authentication in S3005 may be requested through the security server 200. A method for authenticating the user 52 is not limited to a method for authenticating by the user ID and the password. Alternatively, a more advanced authentication such as a biometric authentication, a challenge-response authentication using a master card, or the like can be applied.
- An authenticating process conducted by the user management server 300 in S3006 is the same as the authenticating process in the access control conducted by the document management system 100, and explanation thereof will be omitted. In addition, a data structure of the authentication information is the same as the data structure of the authentication information in the access control conducted by the document management system 100, and explanation thereof will be omitted.
- A decision process conducted by the security server 200 in S3001 and S3017 is the same as the decision process in the access control conducted by the document management system 100. In addition, a data structure of the decision result information is the same as the data structure of the decision result information in the access control conducted by the document management system 100, and explanation thereof will be omitted.
- A compensating process for the requirement conducted by the document viewer 53 is the same as the compensating process for the requirement conducted by the document management system 100, and explanation thereof will be omitted.
- Next, a requirement process conducted by the
document viewer 53 will be described with reference toFIG. 32 throughFIG. 36 .FIG. 32 ,FIG. 33 ,FIG. 34 ,FIG. 35 , andFIG. 36 are flowcharts for explaining the requirement process conducted the document viewer according to the embodiment of the present invention. - In
FIG. 32 , thedocument viewer 53 checks whether or not the “allowed” item of the decision result information shows “false” (L3121). When the “allowed” item shows “false”, thedocument viewer 53 denies the access and terminates the requirement process (L3122). - On the other hand, when the “allowed” item does not show “false”, the
document viewer 53 repeats L3125 through L3124 for each requirement indicated in the decision result information (decisionInfo) (L3124). - The
document viewer 53 checks whether or not a requirement, which is not supported by the document viewer 53 (hereinafter, called not-supported requirement), is indicated (L3125). When the not-supported requirement is not indicated, the document viewer 53 advances to L3131. - On the other hand, when the not-supported requirement is indicated, the
document viewer 53 further checks whether or not an alternative requirement, which is not supported by the document viewer 53 (hereinafter, called not-supported alternative requirement), is indicated (L3126). When the not-supported alternative requirement is indicated, the document viewer 53 denies the access and terminates the requirement process (L3127). - On the other hand, when the not-supported alternative requirement is not indicated, the
document viewer 53 processes the alternative requirement (alternative) for the requirement (requirement) (L3128). - Subsequently, the
document viewer 53 checks whether or not a log record (record_audit_data) is indicated in the requirement (requirement) (L3131). When the log record (record_audit_data) is indicated, the document viewer 53 generates log data including the user ID (userid), the document ID (docid), the operation (operation), date and time, and the context information (contextInfo) (L3132). - Then, the
document viewer 53 sends the log data to the security server 200 (L3133). The document viewer 53 determines whether or not the log data is successfully sent to the security server 200 (L3134). When the log data fails to be sent, the document viewer 53 denies the access and terminates the requirement process (L3136). On the other hand, when the log data is successfully sent, the document viewer 53 advances to L3136. - Furthermore, the
document viewer 53 checks whether or not the requirement indicates to allow the multiple authentication for the access to the digital document (L3138). When the multiple authentication is indicated to allow, the document viewer 53 requires the user 52 to pass a strict user authentication (such as fingerprint recognition or the like) (L3139). The document viewer 53 further determines whether or not the strict user authentication has failed (L3140). When the strict user authentication has failed, the document viewer 53 denies the access and terminates the requirement process (L3141). On the other hand, when the authentication is not indicated or when the strict user authentication has succeeded, the document viewer 53 advances to L3144. - Subsequently, the
document viewer 53 checks whether or not the alarm display (show_alarm) is indicated (L3144). When the alarm display is indicated, the document viewer 53 creates an alarm character string in a character string indicated in the supplement information (supplement) of the requirement (requirement) (L3145), and displays the alarm character string (L3146). On the other hand, when the alarm display is not indicated, the document viewer 53 advances to L3148. - Moreover, the
document viewer 53 checks whether or not a private print mode (private_access) is indicated (L3148). When the private print mode is indicated, the document viewer 53 advances to L3160. - On the other hand, the
document viewer 53 determines whether or not a printer to print out supports the private print mode (L3149). When the private print mode is not supported, the document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L3150). Then, the document viewer 53 determines whether or not the alternative requirement is processed (L3151). When the alternative requirement cannot be processed, the document viewer 53 denies the access and terminates the requirement process (L3152). On the other hand, when the alternative requirement can be processed, the document viewer 53 advances to L3160. - On the other hand, when the private print mode is supported (L3155), the
document viewer 53 displays a dialog for the user 52 to input the password (L3156), and sets the password input by the user 52 to a printer driver in order to set the private print mode (L3157). After that, the document viewer 53 advances to L3160. - Subsequently, the
document viewer 53 checks whether or not the image log record (recrd_image_data) is indicated (L3160). When the image log record is indicated, the document viewer 53 further determines whether or not the printer to print out supports the image log record (L3161). When the printer does not support the image log record, the document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L3162). Then, the document viewer 53 determines whether or not the alternative requirement cannot be processed (L3163). When the alternative requirement cannot be processed, the access is denied and the requirement process is terminated (L3164). On the other hand, when the alternative requirement (alternative) can be processed, the document viewer 53 advances to L3173. - On the other hand, when the image log record is supported (L3167), the
document viewer 53 generates log data including the user ID (userid), the document ID (docid), the operation (operation), the date and time, and the context information (contextInfo) (L3168). The document viewer 53 sets an image log bibliographic item to the printer driver (L3169), and sets an image log record mode to the printer driver (L3170). Then, the document viewer 53 advances to L3173. - Moreover, the
document viewer 53 checks whether or not the requirement indicates to embed trace information (embed_trace_Info) (L3173). When the requirement does not indicate to embed the trace information, the document viewer 53 advances to L3187. - When the requirement indicates to embed the trace information, the
document viewer 53 further determines whether or not a driver of the printer to print out supports a stamp print (L3174). When the driver of the printer supports the stamp print, the document viewer 53 sets a barcode image indicated by the supplement information of the requirement to the printer driver to set a stamp print mode (L3176). Then, the document viewer 53 advances to L3187. - On the other hand, when the driver of the printer to print out does not support the stamp print, the
document viewer 53 further determines whether or not the document viewer 53 supports a document edit (L3177). When the document edit is supported, the document viewer 53 embeds the barcode indicated by the supplement information (supplement) of the requirement (requirement) to each page to be printed by editing the portable document 53 (L3178). On the other hand, when the document edit is supported (L3180), the document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L3181). The document viewer 53 determines whether or not the alternative requirement cannot be processed (L3182). When the alternative requirement cannot be processed, the document viewer 53 denies the access, and terminates the requirement process (L3183). When the alternative requirement can be processed, the document viewer 53 advances to L3187. - Subsequently, the
document viewer 53 checks whether or not the requirement indicates to print a label as a stamp (show_label) (L3187). When the requirement does not indicate to print a label as a stamp, the document viewer 53 advances to L3201. When the requirement indicates to print a label as a stamp, the document viewer 53 further checks whether or not the driver of the printer to print out supports the stamp print (L3188). When the stamp print is supported, the document viewer 53 sets the stamp image indicated by the supplement requirement (supplement) of the requirement (requirement) to the printer driver to set the stamp print mode (an embedding location is indicated by “embedding location” item in the supplement information (supplement) of the requirement (requirement)) (L3189). After that, the document viewer 53 advances to L3201. - On the other hand, when the stamp print is not supported, the
document viewer 53 determines whether or not the document viewer 53 supports the document edit (L3191). When the document edit is supported, the document viewer 53 sets the stamp image indicated by the supplement requirement (supplement) of the requirement (requirement) to the printer driver to set the stamp print mode (an embedding location is indicated by “embedding location” item in the supplement information (supplement) of the requirement (requirement)) (L3192). - On the other hand, when the document edit is supported, the
document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L3195). Then, the document viewer 53 determines whether or not the alternative requirement cannot be processed (L3196). When the alternative requirement cannot be processed, the document viewer 53 denies the access and terminates the requirement process (L3197). On the other hand, the document viewer 53 advances to L3201. - Furthermore, the
document viewer 53 checks whether or not the visible watermark letter print (visible_watermark) is indicated (L3201). When the visible watermark letter print is not indicated, the document viewer 53 advances to L3216. - On the other hand, when the visible watermark letter print is indicated, the
document viewer 53 creates a background character string in a character string indicated by the supplement requirement (supplement) of the requirement (requirement) (L3202). Then, the document viewer 53 further determines whether or not the driver of the printer to print out supports a combination print (L3203). When the combination print is supported, the document viewer 53 sets the background character string as the combination character string to the printer driver (L3204). After that, the document viewer 53 advances to L3216. - On the other hand, when the driver of the printer to print out does not support the combination print, the
document viewer 53 determines whether or not the document viewer 53 supports the document edit (L3206). When the document edit is supported, the document viewer 53 embeds the background character string to a background of the portable document 63 by editing the portable document 63 (L3207). - On the other hand, when the document edit is not supported, the
document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L3210). Then, the document viewer 53 further determines whether or not the alternative requirement (alternative) cannot be processed (L3211). When the alternative requirement (alternative) cannot be processed, the document viewer 53 denies the access and terminates the requirement process (L3212). On the other hand, when the alternative requirement can be processed, the document viewer 53 advances to L3216. - Subsequently, the
document viewer 53 determines whether or not the requirement indicates to print an embossed watermark letter (anti_copy_watermark) (L3216). When the requirement does not indicate to print the embossed watermark letter, the document viewer 53 advances to L3232. - On the other hand, when the requirement indicates to print the embossed watermark letter, the
document viewer 53 creates a pattern character string in a character string format indicated by the supplement information (supplement) of the requirement (requirement) (L3217). The document viewer 53 further determines whether or not the driver of the printer to print out supports a pattern print (L3218). When the pattern print is indicated, the document viewer 53 sets the pattern character string to the printer driver (L3219). After that, the document viewer 53 advances to L3232. - On the other hand, when the pattern print is not supported, the
document viewer 53 determines whether or not the document viewer 53 supports the document edit (L3221). When the document edit is supported, the document viewer 53 generates a pattern image based on the pattern character string (L3222), and embeds the pattern image to the background of the portable document 63 by editing the portable document 63 (L3223). - On the other hand, when the document edit is not supported (L3225), the
document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L3226). Then, the document viewer 53 determines whether or not the alternative requirement cannot be processed (L3227). When the alternative requirement cannot be processed, the document viewer 53 denies the access and terminates the requirement process (L3228). On the other hand, when the alternative requirement can be processed, the document viewer 53 advances to L323. - Moreover, the
document viewer 53 determines whether or not the requirement indicates to print an identification pattern (identifiable_bg_pattern) (L3232). When the requirement does not indicate to print an identification pattern, the document viewer 53 advances to L3247. - When the requirement indicates to print an identification pattern, the
document viewer 53 creates the pattern character string by an identification pattern image indicated by the supplement information (supplement) of the requirement (requirement) (L3233). Then, the document viewer 53 further determines whether or not the driver of the printer to print out supports to repeat the stamp print (L3234). When the driver of the printer supports to repeat the stamp print, the document viewer 53 sets the identification pattern image indicated by the supplement information (supplement) of the requirement (requirement) to the printer driver to set a repeating stamp print mode (L3235). After that, the document viewer 53 advances to L3247. - On the other hand, when the driver of the printer does not support to repeat the stamp print, the
document viewer 53 further determines whether or not the document viewer 53 supports the document edit (L3237). When the document edit is supported, the document viewer 53 repeatedly embeds the identification pattern image indicated by the supplement information (supplement) of the requirement (requirement) to the background of the portable document 63 by editing the portable document 63 (L3238). After that, the document viewer 53 advances to L3247. - On the other hand, when the document edit is not supported (L3240), the
document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L3241). Then, the document viewer 53 determines whether or not the alternative requirement cannot be processed (L3242). When the alternative requirement cannot be processed, the document viewer 53 denies the access and terminates the requirement process (L3243). On the other hand, when the alternative requirement can be processed, the document viewer 53 advances to L3247. - Subsequently, the
document viewer 53 determines whether or not the alarm print is indicated (L3247). When the alarm print is not indicated, the document viewer 53 goes back to L3124. - On the other hand, when the alarm print is indicated, the
document viewer 53 creates an alarm character string in a character string format indicated by the supplement information (supplement) of the requirement (requirement) (L3248). Then, the document viewer 53 further determines whether or not the driver of the printer to print out supports a header/footer print (L3249). When the header/footer print is supported, the document viewer 53 sets the alarm character string as a header/footer to the printer driver (L3250). - On the other hand, when the header/footer print is not supported, the
document viewer 53 further determines whether or not the document viewer 53 supports the document edit (L3252). When the document edit is supported, the document viewer 53 embeds the alarm character string at the header/footer of the portable document 63 (L3253). - On the other hand, when the document edit is supported (L3255), the
document viewer 53 processes the alternative requirement (alternative) of the requirement (requirement) (L3256). Then, the document viewer 53 further determines whether or not the alternative requirement cannot be processed (L3257). When the alternative requirement cannot be processed, the document viewer 53 denies the access and terminates the requirement process (L3258). - On the other hand, when the alternative requirement can be processed, the
document viewer 53 goes back to L2124 to repeat the same process as above for the next requirement (requirement). - After the above process is conducted for all requirements (requirement), the
document viewer 53 conducts an access process requested by the user 62 (L3263), and terminates the requirement process (L3264). - As described above, the
document viewer 53 can conduct the access control in accordance with the security policy set in the security server 200. In this case, it is possible to apply the allowable requirement regulated in the security policy. In addition, since the process for the supplement information necessary to satisfy the allowable requirement and the process for the alternative requirement can be conducted, it is possible to realize a flexible process in accordance with the organizational security policy. - As described above, even if the requirement cannot be realized, in the requirement process that determines whether or not the
document viewer 53 supports the document edit, it is possible to temporarily edit the contents of the portable document 63, embed necessary information in the portable document 63, and then conduct a process requested by the user 52. - It is required to encrypt the
portable document 63 so that the portable document 63 can be opened only by using the document viewer 53 that realizes the access control as described above. - A key used for encryption/decryption may be included in a special document viewer that can realize the above access control. Only if it confirms that the
document viewer 53 is a special document viewer capable of enforcing the access control, the security server 200 allows transmitting a decryption key to the document viewer 53. - Accordingly, it is possible to protect the
portable document 63 from being opened by a regular document viewer that cannot realize the access control. - As described above, screen examples for displaying the
document viewer 53 at the client terminal 51 will be described with reference to FIG. 37A through FIG. 41C. From the screens described in the following, the user 52 can know which requirements will be processed. - Screen examples in a case in which the alarm print is indicated as the requirement will be described with reference to
FIG. 37A and FIG. 37B. FIG. 37A is a diagram showing a screen example for displaying settings for the alarm print according to the embodiment of the present invention. FIG. 37B is a diagram showing a screen example for displaying detail settings for the alarm print according to the embodiment of the present invention. - In
FIG. 37A, a screen 600 is a screen showing a state in which the alarm print is indicated as the requirement. In the screen 600, a setting area 601 is originally used as an area for a setting to print at a header or footer. In a case in which the alarm print is processed as the requirement to conduct the print request, the header/footer print is compulsorily set and displayed in gray to prohibit the user 52 from changing the setting, by the requirement process conducted by the document viewer 53. - When the
user 52 clicks a detail button in the setting area 601, a screen 605 as shown in FIG. 37B is displayed at the client terminal 51. - In
FIG. 37B, the screen 605 is a screen for setting details in a case in which the alarm print is indicated as the requirement. In the screen 605, the setting area 606 is originally used for the user 52 to set an arrangement location and a format of a character string to print at the header or the footer. In a case in which the alarm print is processed as the requirement to conduct the print request, the header/footer print is compulsorily set and displayed in gray to prohibit the user 52 from changing the setting, by the requirement process conducted by the document viewer 53. - Accordingly, the
user 52 is prohibited from changing the setting but can confirm that the alarm print is the requirement before printing the portable document 63. By this confirmation, the user 52 determines whether to actually print the portable document 63 or to cancel the print request. - Screen examples in a case in which the private print is indicated as the requirement will be described with reference to
FIG. 38A and FIG. 38B. FIG. 38A is a diagram showing a screen example in which the private print is set according to the embodiment of the present invention. FIG. 38B is a diagram showing a screen example for setting the authentication information for the private print according to the embodiment of the present invention. - In
FIG. 38A, a screen 610 is a screen displayed when the private print is indicated as the requirement. In the screen 610, a selecting area 611 for selecting a print method is originally used for the user 62 to select one or more items. In a case in which the private print is processed as the requirement to execute the print request of the user 52, the requirement process conducted by the document viewer 53 compulsorily selects the private print, displays it in gray, and also prevents the user 52 from changing the selection. - Accordingly, the setting can be controlled so that the setting cannot be changed by the
user 52. When the user 52 clicks a detail button in the setting area 611, a screen 613 is displayed as shown in FIG. 38B. - In
FIG. 38B, the screen 613 is a screen for detail settings in the case in which the private print is indicated as the requirement. In the screen 613, input areas 614 and 615 are used for the user 52 to set the authentication information. The input area 614 is an area for the user 52 to input the user ID, and the input area 615 is an area for the user 52 to input the password. The user 52 can output a document being printed from the portable document 63 from the digital copier 70 by inputting, at the digital copier 70, the user ID and the password input at the screen 613. - The
user 52 can know that the document is printed from the portable document 63 by the private print. -
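The requirement process of FIG. 32 through FIG. 36, which is what forces settings such as the private print shown above, reduces to a fail-closed loop: every requirement is satisfied by the printer driver, by editing the document, or by its alternative, and anything else denies the access before the operation runs. The sketch below is an added example, not code from the patent; the `Viewer` capability model, the driver feature names and the bound on alternative chains are assumptions, while the requirement names are the ones used in the text.

```python
from dataclasses import dataclass
from typing import Callable, Optional


class AccessDenied(Exception):
    """Raised whenever a requirement cannot be met; the operation must not run."""


@dataclass
class Requirement:
    requirement: str                          # e.g. "private_access"
    supplement: str = ""                      # text or image reference for the mark
    alternative: Optional["Requirement"] = None


@dataclass
class Viewer:
    # Hypothetical capability model: the feature names are assumptions of this example.
    driver_features: set
    can_edit_document: bool
    send_log: Callable[[dict], bool]          # True only on confirmed delivery


# requirement name -> (printer driver feature, may fall back to editing the document)
PRINT_MARKS = {
    "private_access": ("private_print", False),
    "embed_trace_Info": ("stamp", True),
    "show_label": ("stamp", True),
    "visible_watermark": ("combination", True),
    "anti_copy_watermark": ("pattern", True),
    "identifiable_bg_pattern": ("repeat_stamp", True),
}
MAX_ALTERNATIVES = 4  # assumption: bound the chain so a malformed policy cannot loop


def satisfy(req, viewer, ctx, depth=0):
    """Return a tag saying how the requirement was met, or raise AccessDenied."""
    name = req.requirement
    if name == "record_audit_data":
        entry = {k: ctx[k] for k in ("userid", "docid", "operation", "time")}
        if not viewer.send_log(entry):
            raise AccessDenied("audit log could not be delivered")
        return "record_audit_data:logged"
    if name == "show_alarm":
        return "show_alarm:displayed"
    if name in PRINT_MARKS:
        feature, editable = PRINT_MARKS[name]
        if feature in viewer.driver_features:
            return f"{name}:driver"
        if editable and viewer.can_edit_document:
            return f"{name}:edited"
    # Unknown to this viewer, or known but not realisable on this printer.
    if req.alternative is None or depth >= MAX_ALTERNATIVES:
        raise AccessDenied(f"cannot satisfy {name!r} and no usable alternative")
    return satisfy(req.alternative, viewer, ctx, depth + 1)


def enforce(allowed, requirements, viewer, ctx):
    """Satisfy every requirement before the requested operation; any failure denies."""
    if not allowed:
        raise AccessDenied("decision result says allowed=false")
    return [satisfy(r, viewer, ctx) for r in requirements]


if __name__ == "__main__":
    # Constructed sample decision: the printer lacks private print, so the
    # policy's alternative (a label stamp) is applied instead.
    ctx = {"userid": "u1", "docid": "0000000001", "operation": "print",
           "time": "2004-06-22T10:00:00"}
    viewer = Viewer({"stamp"}, True, lambda entry: True)
    reqs = [Requirement("record_audit_data"),
            Requirement("private_access",
                        alternative=Requirement("show_label", "CONFIDENTIAL"))]
    print(enforce(True, reqs, viewer, ctx))
```

A requirement name the viewer does not recognise is treated exactly like an unsupported one, so a policy extended on the server never silently weakens enforcement on an older viewer.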
FIG. 39 is a diagram showing a screen example in a case in which a label is indicated to print as a stamp as the requirement according to the embodiment of the present invention. In FIG. 39, a screen 620 is displayed when the label is indicated to print as the stamp as the requirement. In the screen 620, a setting area 621 is originally used for the user 52 to set the stamp. In a case in which the label is printed as the stamp as the requirement to execute the print request of the user 62, the requirement process conducted by the document viewer 53 compulsorily sets a stamp print, displays it in gray, and also prevents the user 52 from changing the setting. - Accordingly, the
user 52 is prohibited from changing the setting but can confirm that the stamp print is the requirement before the portable document 63 is printed out. By this confirmation, the user 52 can determine whether to actually print the portable document 63 or to cancel the print request. -
FIG. 40 is a diagram showing a screen example in a case in which the visible watermark letter print is indicated as the requirement according to the embodiment of the present invention. In FIG. 40, a screen 630 is displayed when the visible watermark letter print is indicated as the requirement. In the screen 630, a setting area 631 is originally used for the user 52 to set the visible watermark letter print. In a case in which the visible watermark letter print is processed as the requirement to execute the print request of the user 52, the requirement process conducted by the document viewer 53 compulsorily sets the visible watermark letter print, displays it in gray, and also prevents the user 52 from changing the setting. - Accordingly, the
user 52 is prohibited from changing the setting but can confirm that the visible watermark letter print is the requirement before the portable document 63 is printed out. By this confirmation, the user can determine whether to actually print out the portable document 63 or to cancel the print request. - When the
user 52 clicks a button 632 showing “ADD IMAGE STAMP” in the setting area 631 of the screen 630 displayed at the client terminal 51, a screen is displayed as shown in FIG. 41A. - A screen example in a case in which the identification pattern print is indicated as the requirement will be described with reference to
FIG. 41A. FIG. 41A is a diagram showing a screen example showing details in the case in which the identification pattern print is indicated as the requirement. - In
FIG. 41A, an image is displayed in a displaying area 641 of a screen 640 when the identification pattern print is indicated. The user 62 is prohibited from changing the setting at the screen 640 but can confirm that the identification print is indicated as the requirement before printing out the portable document 63. By this confirmation, the user 52 can determine whether to actually print out the portable document 63 or to cancel the print request. - For example, the identification pattern is printed by dots as shown in
FIG. 41B. FIG. 41B is a diagram showing an example of magnifying the identification pattern according to the embodiment of the present invention. In FIG. 41B, for example, an identification pattern 646 may be drawn by identification image data 12 dots high, 8 dots wide, and 3 dots interval (that is, an image size is 48×32 pixels). - In order to identify the right, left, top, and bottom sides, for example, the entirety of one right column and one bottom row may be dotted and a code of 77 bits may be encoded in the other 11×7=77 dots. The code can be realized by a simple rule such that a dot is printed when a bit value is “1” and a dot is not printed when the bit value is “0”.
-
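The dot rule just described can be carried through to a decoder that recovers the 77-bit code from a pattern scanned in any of the four orientations, using the fully dotted right column and bottom row as the only orientation marker. This is an added example, not code from the patent; the bit order (most significant bit first, row by row) and the placement of each dot at the top-left of its 4×4 pixel cell are assumptions.

```python
ROWS, COLS = 12, 8                       # 12 dots high, 8 dots wide
DATA_BITS = (ROWS - 1) * (COLS - 1)      # 11 x 7 = 77 data dots
PITCH = 4                                # one dot plus the 3-dot interval -> 48 x 32 pixels


def encode(code):
    """Lay a 77-bit integer out as a 12 x 8 grid of 0/1 dots with orientation marks."""
    if not 0 <= code < (1 << DATA_BITS):
        raise ValueError("code must fit in 77 bits")
    bits = [(code >> (DATA_BITS - 1 - i)) & 1 for i in range(DATA_BITS)]
    width = COLS - 1
    grid = [bits[r * width:(r + 1) * width] + [1] for r in range(ROWS - 1)]
    grid.append([1] * COLS)              # fully dotted bottom row
    return grid


def to_pixels(grid):
    """Expand the dot grid to the 48 x 32 pixel image (assumed dot position per cell)."""
    image = [[0] * (COLS * PITCH) for _ in range(ROWS * PITCH)]
    for r, row in enumerate(grid):
        for c, dot in enumerate(row):
            image[r * PITCH][c * PITCH] = dot
    return image


def rotate90(grid):
    """Rotate a grid clockwise by 90 degrees."""
    return [list(row) for row in zip(*grid[::-1])]


def is_upright(grid):
    """True when the grid has the right shape and both orientation marks in place."""
    return (len(grid) == ROWS
            and all(len(row) == COLS for row in grid)
            and all(row[-1] == 1 for row in grid)
            and all(dot == 1 for dot in grid[-1]))


def decode(grid):
    """Recover the code from a scanned grid in any of the four rotations.

    Raises ValueError when no rotation shows the orientation marks, or when two
    rotations both do and would yield different codes (a data pattern that also
    fills the top row and left column makes the marker ambiguous).
    """
    candidates = set()
    current = [list(row) for row in grid]
    for _ in range(4):
        if is_upright(current):
            bits = [dot for row in current[:-1] for dot in row[:-1]]
            candidates.add(int("".join(str(b) for b in bits), 2))
        current = rotate90(current)
    if len(candidates) != 1:
        raise ValueError("orientation marks missing or ambiguous")
    return candidates.pop()


if __name__ == "__main__":
    sample = 0x123456789ABCDEF0123        # constructed sample code
    upside_down = rotate90(rotate90(encode(sample)))
    print(hex(decode(upside_down)))
```

The ambiguous case is a property of the marker scheme itself, which is one reason an issuer would restrict the code space or add the error correcting code the text mentions next.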
FIG. 41C is a diagram showing an encoding example of the identification pattern shown in FIG. 41B according to the embodiment of the present invention. In FIG. 41C, the identification pattern 646 shown in FIG. 41B can be encoded into a bit pattern 647 by using the above-described simple rule. Error correcting code may be printed since an identification error may occur when the dot pattern is disordered. - For example, in a case in which the
user 52 uses a function serving as a printer at the digital copier 70 and prints out the portable document 63 from the document viewer 53, a sequence of the requirement process in S3019 in FIG. 29, which is conducted when the private print mode is indicated as the requirement, will be described in detail with reference to FIG. 42. FIG. 42 is a diagram showing a requirement process sequence in the private print mode according to the embodiment of the present invention. - In
FIG. 42, when the user 52 conducts the print request for the portable document 63 displayed by the document viewer 53, the document viewer 53 requires the user 52 to input the password (S4001). When the user 52 inputs the password (S4002), the document viewer 53 sets the private print mode and the password to a printer driver 54 being installed into the client terminal 51 (S4003). Then, the document viewer 53 sends a print instruction to the printer driver 64 (S4004). - The
printer driver 54 generates a PDL (Page Description Language) in response to the print instruction sent from the document viewer 53 (S4005), and sends information including the PDL (for example, RPCS or PostScript), the private print mode, and the password, to the digital copier 70 (S4006). After that, the printer driver 54 sends a print end to the document viewer 53 (S4007). - On the other hand, the
digital copier 70 temporarily stores the information including the PDL, the private print mode, and the password in an internal hard disk (S4008), and waits until the user 52 inputs the password. - The
user 52 inputs the password to the digital copier 70 to output a document printed from the portable document 63 at the digital copier 70 (S4009). - The
digital copier 70 compares the password input by the user 52 with the password received from the printer driver 54, and conducts the print process when both the passwords correspond to each other (S4010). When the passwords do not correspond to each other, the digital copier 70 does not conduct the print process. By conducting the print process, the paper document 62 being printed from the portable document 63 is output from the digital copier 70 (S4011). - By this process sequence in the private print mode, it is possible to prevent a user other than the
user 52 from seeing the paper document 62 output from the digital copier 70, and also, it is possible to prevent such a user from taking the paper document 62 away. - Moreover, in the case in which the
user 52 uses the function serving as the printer at the digital copier 70 and prints out the portable document 63 from the document viewer 53, a sequence of the requirement process in S3019 in FIG. 29 in a case in which the pattern print mode is indicated as the requirement to print out the portable document 63 will be described in detail with reference to FIG. 43. FIG. 43 is a diagram showing a requirement process sequence in the pattern print mode according to the present invention. - In
FIG. 43, the document viewer 53 determines whether or not the printer driver 54 installed into the client terminal 51 of the user 52 supports the pattern print (S5001). After the document viewer 53 confirms that the printer driver 54 supports the pattern print, the document viewer 53 sends information including the pattern print mode and an indicated character string to the printer driver 54 (S5002), and conducts a print instruction (S5003). - When the printer driver 64 receives the pattern print mode and the indicated character string and receives the print instruction from the
document viewer 53, the printer driver 54 generates a PDL (S5004). Then, the printer driver 54 sends the PDL including a pattern to the digital copier 70 (S5005). - In the following, an abstraction process for corresponding information provided from the
application system 400 to the organizational security policy by the security server 200 will be described in detail. - [Abstraction Process by Security Server]
- In order to explain the abstraction process conducted by the
security server 200, it is assumed that each of tables 250 through 270 manages data as shown in FIG. 44 through FIG. 48. -
FIG. 44 is a diagram showing a data example managed by the user security level table according to the embodiment of the present invention. In FIG. 44, the user security level table 250 manages data by a structure UserMap shown in FIG. 5. For example, in “GroupLeaders/Sales/Com” as “principalId”, “entryType” is “group”, and “levelId” is “manager”. Other data are similarly shown. - For example, by describing in XML (Extensible Markup Language), the user security level table 250 may manage data by an XML file as shown in
FIG. 45. FIG. 45 is a diagram showing the XML file of the user security level table according to the embodiment of the present invention. - In
FIG. 45, data managed by the user security level table 250 are described, in accordance with the data structure 251 shown in FIG. 5, by a hierarchical data structure in which structure names and element names shown in the data structure 251 are shown by tags. For example, at a lower layer of a <UserMapList> tag, data concerning a plurality of users are described by <principalId> tags in parallel. At each of the <UserMap> tags, data corresponding to respective elements are described by a <principalId> tag, an <EntryType> tag, and a <LevelId> tag. -
FIG. 46 is a diagram showing a data example managed by the document profile management table according to the embodiment of the present invention. In FIG. 46, data managed by the document profile management table 260 are described, in accordance with the data structure 261 shown in FIG. 6, by a hierarchical data structure in which structure names and element names shown in the data structure 261 are shown by tags. For example, in “0000000001” as “docId”, “docCategory” is “development”, “docLevel” is “secret”, “relatedPersons” is “Members/Dev/Com”, “zones” is “ANY”, “nondisclosure” is “2005/04/01”, “retention” is “2010/04/01”, and “validity” is empty. Other data are similarly shown. - As described above, the document profile management table 260 can be an XML file similar to the user security level table 250. However, in the document profile management table 260, since an entry is created for each
document 60, the size of the table becomes bigger. Therefore, it is preferable to use a database for the document profile management table 260. -
- FIG. 47 is a diagram showing a data example managed by the zone management table according to the embodiment of the present invention. In FIG. 47, data managed by the zone management table 270 are described, in accordance with the data structure 271 shown in FIG. 7, by a hierarchical structure in which structure names and element names shown in the data structure 271 are shown by tags. For example, for “saleszone01” as “id”, “name” is “sales (Yokohama)”, “address” of “addressInfo” is “192.207.138.1”, “addressType” of “addressesInfo” is “IP”, and “netmask” of “addressesInfo” is “255.255.255.0”. In addition, since a plurality of “addressInfo” items are managed for one “id”, in “saleszone01”, “address” of “addressInfo” is “192.207.139.1”, “addressType” of “addressesInfo” is “IP”, and “netmask” of “addressesInfo” is “255.255.255.0”. Other data are similarly shown.
- For example, the zone management table 270 may manage data in an XML file shown in FIG. 48 by describing in XML. FIG. 48 is a diagram showing an XML file of the zone management table according to the embodiment of the present invention.
- In FIG. 48, data of the zone management table 270 are described, in accordance with the data structure 271 shown in FIG. 7, by a hierarchical structure in which structure names and element names shown in the data structure 271 are shown by tags. For example, in a lower layer of a <ZoneInfoTable> tag, data concerning a plurality of zones are described by <ZoneInfo> tags in parallel. In a lower layer of each <ZoneInfo> tag, data corresponding to respective elements are described by an <Id> tag, a <Name> tag, and an <AddressInfo> tag. The <AddressInfo> tag further includes a lower layer, and data corresponding to respective elements are described by an <Address> tag, an <AddressType> tag, and a <Netmask> tag. The <AddressInfo> tag may have a plurality of the <AddressInfo> tags at a lower layer.
- For example, in the policy file 240, the access control rule is described as shown in FIG. 49 and FIG. 50. FIG. 49 and FIG. 50 are diagrams showing the access control rule described in the policy file according to the embodiment of the present invention.
- In FIG. 49 and FIG. 50, in the policy file 240, the access control rule is regulated for each document 60 from a description 701 showing a <Policy> tag to a description 702 showing a </Policy> tag. For example, in the policy file 240, a rule 1 corresponding to a document attribute is shown from a description 703 showing a <Rule> tag to a description 704 showing a </Rule> tag, and other rule 2 and rule 3 corresponding to other document attributes are shown from other <Rule> tags to other </Rule> tags, respectively.
- The rule 1 will be described in detail. The rule 2 and rule 3 are described in the same method as the rule 1, and explanation thereof will be omitted.
- In the rule 1, a description 705 for <DocCategory>sales</DocCategory> and <DocLevel>topsecret</DocLevel> shows that the access control rule corresponding to the document attribute, in which the document category is “sales (sales department)” and the document level shows “topsecret (top secret)”, is regulated. Next, in the document attribute by the description 705, a plurality of the access control rules corresponding to user attributes are regulated by descriptions
- In the description 710, a description 711 of <UserCategory>RELATED_PERSON</UserCategory>, <UserLevel>manager</UserLevel> and <Zone>RESTRICTED</Zone> describes the access control rule for the user attribute in which the user category is “RELATED_PERSON”, the user level is “manager”, and the zone is “RESTRICTED”. Moreover, in the description 720, a description 721 of <UserCategory>RELATED_PERSON</UserCategory> and <UserLevel>ANY</UserLevel> describes the access control rule for the user attribute in which the user category is “RELATED_PERSON”, and the user level is “ANY”. The description 721 does not indicate the zone. As described above, the access control rule is described for each of a plurality of user attributes with respect to one document attribute.
- In the description 710, descriptions
- In the description 712, by a description of <id>read</id>, for a document 60 belonging to the document category and the document level indicated by the description 705, the user 52 belonging to the user category, the user level, and the zone indicated by the description 711 is allowed to read the document 60.
- In addition, in the description 713, by a description of <id>print</id>, for the document 60 belonging to the attributes described by the description 705, the user 52 belonging to the attributes described by the description 711 is allowed to print out the document 60 on condition that the requirements described as follows are processed.
- In the description 713, three requirements are indicated to print out the document 60. By a description 714 of <Requirement>, <id>private_access</id>, and </Requirement>, “private_access (private print mode)” is indicated as the requirement to print out the document 60.
- Moreover, by a description 715 of <Requirement>, <id>print_alarm</id>, and <Supplement>“Printed by %u”</Supplement>, it is indicated to conduct “print_alarm (alarm print)” by using an alarm character string in a character string format indicated by “Printed by %u” as the requirement to print out the document 60.
- Furthermore, by a description 716 of <id>identifiable_bg_pattern</id> and <Supplement>dynamic_image</Supplement>, it is indicated to conduct “identifiable_bg_pattern (identification pattern print)” by using a pattern character string shown by an identification pattern image indicated by “dynamic_image”.
- Under the assumptions described above, for example, in a case where “Taro Yamada”, leader of a “Marketing” group in a “Sales” department of a “Com” company, prints out a document 60 identified by the document ID “0000000003”, the authentication result information as shown in FIG. 51 is provided by the user management server 300 to the application system 400. FIG. 51 is a diagram showing an example of the authentication result information.
- In FIG. 51, for example, in accordance with the data structure 501 shown in FIG. 12, the authentication result information (AuthInfo) shows “Taro Yamada/Sales/Com” as “userId”, “Taro Yamada” as “userName”, and “Members/Sales/Com”, “Marketing/Sales/Com”, “Employee/Com”, and “GroupLeaders/Sales/Com” as “groups”.
- Accordingly, “Taro Yamada” is specified by this authentication result information and the security server 200 executes the decision process. In the security server 200, the user security level mapping part 232 searches for “Taro Yamada” shown in the authentication result information from the user security level table 250 shown in FIG. 44. At first, “GroupLeaders/Sales/Com” in “userId” or “groups” corresponds to “Taro Yamada” and is mapped to “manager” ((1) in FIG. 4).
- Subsequently, the user category mapping part 233 searches “Members/Sales/Com” of “relatedPersons” of the document 60 identified by the document ID “0000000003” from the document profile management table 260 shown in FIG. 46, and determines whether or not the user “Taro Yamada” is allowed for related persons. The user category mapping part 233 determines that the user “Taro Yamada” is a related person since the user “Taro Yamada” belongs to “Members/Sales/Com” ((2) in FIG. 4).
- The access type shows “print” ((3) in FIG. 4).
- For example, the zone mapping part 234 receives context information as shown in FIG. 52. FIG. 52 is a diagram showing an example of the context information according to the embodiment of the present invention. In FIG. 52, “192.207.138.64” as “ipAddress” and “02-36-55-22-78-01” as “macAddress” are indicated in the context information.
- The zone mapping part 234 obtains “saleszone01” and “saleszone02” as “zones” of the document 60 identified by the document ID “0000000003” by referring to the document profile management table 260. Moreover, the zone mapping part 234 obtains a list of an IP address and a MAC address included in the zones “saleszone01” and “saleszone02”. Since an IP address “192.207.138.64” of the context information shown in FIG. 52 is included in the zone “saleszone01”, the zone mapping part 234 determines that the IP address “192.207.138.64” is inside the zone ((4) in FIG. 4).
- For example, the document security attribute mapping part 235 receives document identification information as shown in FIG. 53. FIG. 53 is a diagram showing an example of the document identification information according to the embodiment of the present invention. In FIG. 53, “0000000003” as “docId” is indicated in the document identification information.
- The document security attribute mapping part 235 determines by referring to the document profile management table 260 that the document category of the document 60 identified by the document ID “0000000003” is “sales” and the sensitivity level is “topsecret” ((5) in FIG. 4).
- By mapping processes conducted by the user security level mapping part 232 and the zone mapping part 234, it is possible to abstract parameters such as “manager” as the user security level, “related person” as the user category, “print” as the access type, “inside zone” as the zone category, “sales” as the document category, and “topsecret” as the sensitivity level.
- Based on these abstract parameters, the policy base access control decision part 241 determines to allow or prohibit in accordance with the access control rule (policy) described in the policy file 240 shown in FIG. 49. As a result, by the descriptions document 60 belonging to “sales” and “topsecret” is allowed for related persons in “manager” class to “print”. However, since “private_access (private print mode)”, “print_alarm (alarm print)”, and “identifiable_bg_pattern (identification pattern print)” are regulated as the requirements, the access control decision result as shown in FIG. 54 is returned.
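The decision walked through above, as an added Python example that is not part of the patent text: it maps the user, zone and document to abstract parameters, evaluates rule 1, and also runs the two denied requests the text describes further on. The dictionary layout, the rows marked "constructed", first-hit lookup order, reading an absent zone as "any zone", and using the printId bytes as a stand-in for the encoded image are assumptions.

```python
import ipaddress

# Tables hold the values quoted in the text; rows marked "constructed" are not on the page.
USER_LEVELS = [  # (principalId, entryType, levelId); first hit in table order wins (assumption)
    ("GroupLeaders/Sales/Com", "group", "manager"),
    ("Employee/Com", "group", "regular"),  # constructed
]
DOC_PROFILES = {
    "0000000001": {"docCategory": "development", "docLevel": "secret",
                   "relatedPersons": ["Members/Dev/Com"], "zones": ["ANY"]},
    "0000000003": {"docCategory": "sales", "docLevel": "topsecret",
                   "relatedPersons": ["Members/Sales/Com"],
                   "zones": ["saleszone01", "saleszone02"]},
}
ZONES = {  # zone id -> [(address, netmask)]
    "saleszone01": [("192.207.138.1", "255.255.255.0"), ("192.207.139.1", "255.255.255.0")],
    "saleszone02": [("192.0.2.1", "255.255.255.0")],  # constructed
}
POLICY = [{  # rule 1 of the policy file
    "DocCategory": "sales", "DocLevel": "topsecret",
    "entries": [
        {"UserCategory": "RELATED_PERSON", "UserLevel": "manager", "Zone": "RESTRICTED",
         "operations": {
             "read": [],
             "print": [("private_access", None),
                       ("print_alarm", "Printed by %u"),
                       ("identifiable_bg_pattern", "dynamic_image")]}},
        {"UserCategory": "RELATED_PERSON", "UserLevel": "ANY", "Zone": None,
         "operations": {"read": []}},  # operation list constructed
    ],
}]
PRINT_PROFILES = {}  # printId -> docId, filled when a dynamic_image is issued

# Authentication results and context information as quoted in the text.
TARO = {"userId": "Taro Yamada/Sales/Com", "userName": "Taro Yamada",
        "groups": ["Members/Sales/Com", "Marketing/Sales/Com", "Employee/Com",
                   "GroupLeaders/Sales/Com"]}
HANAKO = {"userId": "Hanako Satoh/Sales/Com", "userName": "Hanako Satoh",
          "groups": ["Members/Sales/Com", "Marketing/Sales/Com", "Employee/Com"]}
CONTEXT = {"ipAddress": "192.207.138.64", "macAddress": "02-36-55-22-78-01"}

def user_level(auth):
    """Map the user to a security level, (1) in the text."""
    names = [auth["userId"], *auth["groups"]]
    for principal_id, _entry_type, level_id in USER_LEVELS:
        if principal_id in names:
            return level_id
    return None

def user_category(auth, profile):
    """RELATED_PERSON when the user or one of the groups is listed, (2) in the text."""
    names = {auth["userId"], *auth["groups"]}
    return "RELATED_PERSON" if names & set(profile["relatedPersons"]) else "ANY"

def inside_zone(ip, profile):
    """True when the client address lies in one of the document's zones, (4) in the text."""
    if "ANY" in profile["zones"]:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(f"{a}/{m}", strict=False)
               for zone in profile["zones"] for a, m in ZONES.get(zone, []))

def compensate(req_id, supplement, auth, doc_id):
    """Replace %u with the user name and create the print profile behind dynamic_image."""
    out = {"requirement": req_id, "supplement": supplement, "data": None}
    if supplement == "dynamic_image":
        print_id = f"p{len(PRINT_PROFILES) + 1:09d}"
        PRINT_PROFILES[print_id] = doc_id
        out["data"] = print_id.encode()  # stand-in for the encoded pattern image
    elif supplement:
        out["supplement"] = supplement.replace("%u", auth["userName"])
    return out

def decide(auth, doc_id, operation, context):
    """Return the decision result; whatever the policy does not list is denied."""
    deny = {"allowed": False, "requirements": []}
    profile = DOC_PROFILES.get(doc_id)
    if profile is None:
        return deny
    level, category = user_level(auth), user_category(auth, profile)
    inside = inside_zone(context["ipAddress"], profile)
    doc_attrs = (profile["docCategory"], profile["docLevel"])
    for rule in POLICY:
        if (rule["DocCategory"], rule["DocLevel"]) != doc_attrs:
            continue
        for entry in rule["entries"]:
            if (entry["UserCategory"] in ("ANY", category)
                    and entry["UserLevel"] in ("ANY", level)
                    and (entry["Zone"] != "RESTRICTED" or inside)
                    and operation in entry["operations"]):
                reqs = entry["operations"][operation]
                return {"allowed": True,
                        "requirements": [compensate(r, s, auth, doc_id) for r, s in reqs]}
    return deny

if __name__ == "__main__":
    for who, doc, op in ((TARO, "0000000003", "print"), (HANAKO, "0000000003", "print")):
        print(who["userName"], op, decide(who, doc, op, CONTEXT)["allowed"])
```

The same manager-level request from an address outside both zones is denied as well, because the only entry that lists "print" is the one restricted to the zone.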
- FIG. 54 is a diagram showing an example of the decision result information according to the embodiment of the present invention. In FIG. 54, in the decision result information, “true (allowed)” is indicated as an “allowed” item, “private_access (private print mode)” is indicated as the “requirement” in “requirements”, and “supplements (supplement information)”, “data”, and “alternatives” are not indicated for this “requirement”. Moreover, “print_alarm (alarm print)” is indicated as another “requirement”, and “data” and “alternatives” are not indicated. Furthermore, “identifiable_bg_pattern (identification pattern print)” is indicated as a further “requirement”, “dynamic_image (dynamic image)” as “supplements (supplement information)” and binary image data (actual dynamic image being binary data) as “data” for this “requirement”, and “alternatives” is not indicated.
- In the access control rule in the policy file 240, “Printed by %u” is described. %u is a variable and is replaced with Taro Yamada by the compensating process.
- In addition, in the access control rule in the policy file 240, in a case where “dynamic_image” is described and the access type is “print”, an entry for a new print profile is created in the print profile management table 280 as shown in FIG. 55. FIG. 55 is a diagram showing an example of the print profile management table according to the embodiment of the present invention. In FIG. 66, by creating the entry for the new print profile, a value of “printId” is obtained. Then, the value of “printId” is encoded to create identification image data, and the identification image data is stored in “data” as the binary image data.
- For example, the identification image data are overlaid and printed on a sheet when the document 60 is printed out, so that the identification image data can be utilized to identify or trace the document 60. FIG. 56 is a diagram showing an example of the identification pattern being printed according to the embodiment of the present invention. For example, as shown in FIG. 66, the identification pattern 646 shown in FIG. 41B is overlaid.
- A case, in which another user 52 conducts the print request for the same document 60 from the same client terminal 51 and is specified as “Hanako Satoh” by the authentication result information as shown in FIG. 57, will be described. FIG. 57 is a diagram showing another example of the authentication result information according to the embodiment of the present invention.
- In FIG. 57, for example, the authentication result information shows, in accordance with the data structure 501 shown in FIG. 12, that “Hanako Satoh/Sales/Com” is indicated as “userId”, “Hanako Satoh” is indicated as “userName”, and “Members/Sales/Com”, “Marketing/Sales/Com”, and “Employee/Com” are indicated as “groups”.
- The user “Hanako Satoh” is specified by this authentication result information, and then, the security server 200 executes the decision process. By executing the decision process, since the user security level indicates “regular”, the user category indicates “related person”, the access type indicates “print”, the zone category indicates “inside zone”, the document category indicates “sales”, and the sensitivity level is “topsecret”, the security server 200 determines in accordance with the access control rule (policy) described in the policy file 240. As a result, the access control decision result shows that the user “Hanako Satoh” is not allowed to print out the document 60.
- Moreover, in a case where the user “Taro Yamada” attempts to read a document 60 specified by the document ID “0000000001”, the access control rule (policy) does not regulate this access “read” for the document 60. As a result, the access control decision result indicates that the user “Taro Yamada” is not allowed to read the document 60.
- Furthermore, in a case where a paper document 62 to which the document 60 is copied by the user “Taro Yamada” is copied by the digital copier 70, the digital copier 70 sends the access decision request to the security server 200 based on image data generated by scanning the paper document 62.
- The security server 200 receives document identification information as shown in FIG. 58A or FIG. 58B from the digital copier 70.
- The document identification information will be described with reference to FIG. 58A and FIG. 58B. FIG. 58A is a diagram showing an example of the document identification information in a case where image data itself is actually sent to the security server according to the embodiment of the present invention. In FIG. 58A, “docId” and “printId” are not indicated, and the image data is stored in binary in “image” (as binary image data).
- FIG. 58B is a diagram showing another example of the document identification information in a case where the image data is decoded and sent to the security server according to the embodiment of the present invention. In FIG. 58B, “docId” and “image” are not indicated, and the image data being encoded by the digital copier 70 and binary are stored in “printId”.
- When the security server 200 receives the image data in binary as shown in FIG. 58A from the digital copier 70, the security server 200 obtains “p000000001” as “printId”. Based on “printId”, the security server 200 refers to the print profile and obtains “0000000003” as “docId”. Then, the security server 200 conducts the access control decision in accordance with the access control rule (policy) regulating a case where the access type indicates “copy”, similarly to a case of “print” by “Taro Yamada”.
- According to the present invention, for example, in a description of a policy requiring a print of a name of the user 52, when the user 52 prints out the portable document 63, that is, when the portable document 63 is output as the paper document 62 outside a control of the document viewer 53 by conducting an operation for printing out the portable document 63, the policy can regulate so as to improve a suppression effect for a leak of information with respect to the user 52 attempting to print out the portable document 63. Therefore, it is possible to maintain a security of the portable document 63.
- Moreover, in the description of the policy, since it is possible to regulate the requirement to print the user name of the user 52 attempting to print out a regular paper document when the regular paper document is printed out, it is possible to maintain a security of the paper document 62 that copies the regular paper document and is output from the digital copier 70, by printing the user name of the user 52 to the paper document 62.
- Furthermore, in the description of the policy, since it is possible to regulate the requirement to record a log when the server document 61 is read out from the document management system 100, it is possible to keep the log showing that the server document 61 is read out. Accordingly, it is possible to prevent the user 52 who read out the server document 61 from leaking information and maintain a security of the server document 61.
- In the description of the policy, since the requirement to allow an operation can be regulated so as to conduct a process for maintaining the security after the operation, it is possible to consistently maintain the security of the document 60 before and after the operation.
- In a conventional security for the document 60, the security of the document 60 cannot be maintained after the operation is conducted.
- However, according to the present invention, it is possible to consistently maintain the security of the document 60 even after the operation is conducted for the document 60.
- In the following, the operations, the requirements, and the supplement information in the access control rule regulated in the policy file 240 will be described in detail.
- [Details concerning Operations, Requirements, and Supplement information]
- [1 Details of Operations]
- Since there are operations having the same name for the server document 61, the paper document 62, and the portable document 63, the following prefixes are additionally provided at the beginning of an operation identification to distinguish each other.
  - operation for the server document 61: sdOpe_xxxx
  - operation for the paper document 62: ppOpe_xxxx
  - operation for the portable document 63: pdOpe_xxxx
- xxxx shows an English word for an operation. In the following, a title of each section shows the operation identification.
- [1-1 sdOpe_Store]
- For example, this is an operation to request storing the document 60 to the document management server 00. This operation is used to store the document 60 to a repository (storage unit) such as the document management system 100, the digital copier 70, or the like in which a security management can be conducted for a document file (this operation may be called new creation or new registration).
- As adaptable requirements, record_audit_data, explicit_authorization, encryption, integrity_protection, and show_alarm can be indicated. Each of these requirements will be described later.
- [1-2 sdOpe_Prop_Read]
- For example, this is an operation to request to refer to a property of the document 60 stored in the document management system 100. Instead of referring to (obtaining) contents of the document 60, attribute information such as a file size, a created date and time, and an owner of the document 60 is referred to by this operation. When this operation is not allowed, an existence of the document 60 cannot be recognized.
- As adaptable requirements, record_audit_data, explicit_authorization, multi_authentication, and show_alarm can be indicated. Each of these requirements will be described later.
- [1-3 sdOpe_Read]
- For example, this is an operation to request to refer to (read out) the document 60 stored in the document management system 100 and to refer to (download) contents of the document 60 in the document management system 100. A protected document file is downloaded.
- As adaptable requirements, record_audit_data, explicit_authorization, multi_authentication, and show_alarm can be indicated. Each of these requirements will be described later.
- The following explanation will be additionally provided for this operation.
- The document file being downloaded is called the portable document 63. Since an access to the portable document 63 is required to be controlled, the portable document 63 to be downloaded by the operation sdOpe_read is protected (protected document file).
- [1-4 sdOpe_Get_Org]
- For example, this is an operation to refer to (read out) an original file of the document 60 stored in the document management system 100. The operation sdOpe_read conducts to download the document file without any protection and this operation sdOpe_get_org conducts to download the original document file without any protection.
- As adaptable requirements, record_audit_data, explicit_authorization, multi_authentication, and show_alarm can be indicated. Each of these requirements will be described later.
- [1-5 sdOpe_Revise]
- For example, this is an operation to request to revise the document 60 stored in the document management system 100. This operation is used to open, edit, and revise the document 60 stored in the document management system 100 by an editor or replace (resave) the document 60 stored in the document management system 100.
- As adaptable requirements, record_audit_data, explicit_authorization, multi_authentication, versioning, and show_alarm can be indicated. Each of these requirements will be described later.
- [1-6 sdOpe_Delete]
- For example, this is an operation to request to delete the document 60 stored in the document management system 100. The document 60 stored in the document management system 100 is deleted by this operation.
- As adaptable requirements, record_audit_data, explicit_authorization, multi_authentication, complete_deletion, and show_alarm can be indicated. Each of these requirements will be described later.
- [1-7 pdOpe_Read]
- This is an operation to request to refer to (open) the portable document 63. A file of the portable document 63 is opened by this operation.
- As adaptable requirements, record_audit_data, explicit_authorization, multi_authentication, and show_alarm can be indicated. Each of these requirements will be described later.
- [1-8 pdOpe_Print]
- This is an operation to request to print out the portable document 63. Contents in a file are printed out by this operation.
- As adaptable requirements, record_audit_data, explicit_authorization, private_access, record_image_data, embed_trace_info, show_label, visible_watermark, anti_copy_watermark, trusted_bg_pattern, identifiable_bg_pattern, and show_alarm can be indicated. Each of these requirements will be described later.
- [1-9 pdOpe_Send_Fax]
- This is an operation to request to send the portable document by fax. The contents of the file are directly transmitted by fax by this operation. This operation corresponds to a process for printing out by a printer object corresponding to the fax.
- As adaptable requirements, record_audit_data, explicit_authorization, address_restriction, private_send, record_image_data, show_label, visible_watermark, show_alarm, and print_alarm can be indicated. Each of these requirements will be described later.
- [1-10 ppOpe_Copy]
- This is an operation to request to copy the paper document 60. The document 60 being papers is copied by this operation.
- As adaptable requirements, record_audit_data, explicit_authorization, show_label, show_operator, owner_only, record_image_data, show_alarm, and print_alarm can be indicated. Each of these requirements will be described later.
- [1-11 ppOpe_Send_Fax]
- This is an operation to request to transmit the paper document 62 by fax. The document 60 being papers is transmitted by fax by this operation.
- As adaptable requirements, record_audit_data, explicit_authorization, address_restriction, private_send, record_image_data, show_label, visible_watermark, show_alarm, and print_alarm can be indicated. Each of these requirements will be described later.
- [1-12 ppOpe_Scan]
- This is an operation to request to scan the paper document 62. The document 60 being papers is read out by scanner and digitalized to be a digital file by this operation.
- As adaptable requirements, record_audit_data, explicit_authorization, record_image_data, and digital_watermark can be indicated. Each of these requirements will be described later.
- [2 Details of Requirement]
- In the following, each requirement is explained. A title of each section shows an identification of the requirement. Each requirement is differently processed. A process for the requirement is conducted by the application system 400.
- [2-1 Record_Audit_Data]
- This requirement requires recording a log. For example, a log may be recorded for each page when the document 60 is copied by the digital copier 70. Alternatively, a log is recorded for the document 60 being copied by grouping by each security ID.
- There is no supplement information necessary for this requirement.
- There is no requirement that cannot be indicated simultaneously (conflicting requirement).
- [2-2 Explicit_Authorization]
- This requirement requires allowing by a document management administrator. In a case where this requirement is regulated in the policy, when it is not explicitly indicated to the security server 200 that an operation requiring this requirement is allowed, the operation is not allowed. When the security server 200 recognizes, as a result of the determination obtained in the decision process, that this requirement is regulated, the security server 200 checks whether or not a permit is issued. When the permit is issued, requirements showing “allowed=true” and excluding explicit_authorization are sent to the application system 400 as the determination result by the decision process. When the permit is not issued, “allowed=false” as the determination result is sent to the application system 400.
- There is no supplement information necessary for this requirement.
- There is no requirement that cannot be indicated simultaneously (conflicting requirement).
- [2-3 Encryption]
- This requirement requires encrypting a digital document. When this requirement is regulated by the policy, it is not desired that a server administrator read contents of the digital document. Accordingly, the application system 400 is required to encrypt the digital document so that even the server administrator cannot read it. That is, it is required to store a decryption key for decrypting this encryption so that the server administrator of the application system 400 cannot use the decryption key.
- There is no supplement information necessary for this requirement.
- There is no requirement that cannot be indicated simultaneously (conflicting requirement).
- [2-4 Integrity_Protection]
- This requirement requires securing integrity of the digital document (integrity of an original). When this requirement is regulated in the policy, the application system 400 protects the original of the digital document from being tampered with. The application system 400 may store the digital document to a document protection area by itself. Alternatively, the application system 400 may request the security server 200 to store the original to the document protection area.
- The security server 200 stores the original document (file before converting into PDF) received from the application system 400 and a secured PDF file being converted to the document protection area. An original document ID of the original document stored in the document protection area is recorded as application data of the document profile management table 260.
- In a case where the document protection area is not set up in the security server 200, storing to the document protection area causes an error. The security server 200 records a log having a higher security level even if a serious error occurs.
- There is no supplement information necessary for this requirement.
- There is no requirement that cannot be indicated simultaneously (conflicting requirement).
- In the requirement process, the application system 400 requests storing to the document protection area to the security server 200. The security server 200 stores to the document protection area when receiving the request.
- [2-5 Multi_Authentication]
- This requirement requires the multiple authentication for an access to the digital document. When this requirement is regulated in the policy, for example, the application system 400 is required to conduct the multiple authentication such as a fingerprint recognition or an iris recognition in addition to a regular user authentication. The application system 400 can determine which authentication method to use. The access may not be allowed when a further authentication is conducted successively after the regular user authentication and fails. Alternatively, the further authentication may be conducted after being requested to the user 52 when this requirement is returned.
- There is no supplement information necessary for this requirement.
- There is no requirement that cannot be indicated simultaneously (conflicting requirement).
- [2-6 Versioning]
- This requirement requires conducting a version management of the digital document.
- In a case where this requirement is regulated in the policy, instead of saving a revised digital document to the original, the application system 400 is required to conduct the version management. When the application system 400 does not support a function of the version management, the application system 400 must not revise the digital document since the requirement is not satisfied.
- There is no supplement information necessary for this requirement.
- There is no requirement that cannot be indicated simultaneously (conflicting requirement).
- [2-7 Complete_Deletion]
- This requirement requires conducting a perfect deletion of the digital document. In a case where this requirement is regulated in the policy, the application system 400 not only deletes an entry of the digital document simply but also conducts a perfect deleting process by writing random data on a disk area where the digital document was stored.
- There is no supplement information necessary for this requirement.
- There is no requirement that cannot be indicated simultaneously (conflicting requirement).
- [2-8 Private_Access]
- This requirement requires using the private print mode. In order for other persons not to take printed paper sheets away, the printed paper sheets are output when the user 52 printing the digital document is confirmed by using an operation panel of a printer. In a case where this requirement is regulated in the policy, the application system 400 is required to print out the digital document by using the private print mode. If the printer does not support the private print mode, the application system 400 does not allow the user 52 to print out the digital document. However, if the printer does not support the private print mode but an environment of the printer has less possibility that other persons take the printed paper sheets away, the user 52 probably wants to print out the digital document at the printer. In this case, show_alarm is indicated as the alternative requirement of this requirement private_access in the policy, so that an alarm is displayed and the user 52 is allowed to print out the digital document.
- There is no supplement information necessary for this requirement.
- There is no requirement that cannot be indicated simultaneously (conflicting requirement).
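How the rules in sections 2-2, 2-6 and 2-8 combine, as an added Python example that is not part of the patent text: the security server resolves explicit_authorization against a permit, and the application system then either finds a supported handler (the requirement itself or a listed alternative) for every requirement or refuses the operation. The function names, the capability sets and the sample decisions are constructed for illustration.

```python
# Constructed decision results in the shape of the decision result information
# ("allowed", "requirements", and per requirement "requirement" and "alternatives").
PRINT_DECISION = {"allowed": True, "requirements": [
    {"requirement": "explicit_authorization", "alternatives": []},
    {"requirement": "record_audit_data", "alternatives": []},
    {"requirement": "private_access", "alternatives": ["show_alarm"]},
]}
REVISE_DECISION = {"allowed": True, "requirements": [
    {"requirement": "versioning", "alternatives": []},
]}

# Constructed capability sets: which requirement processes a device can carry out.
SECURE_PRINTER = {"record_audit_data", "private_access", "show_alarm"}
OFFICE_PRINTER = {"record_audit_data", "show_alarm"}


def apply_explicit_authorization(decision, permit_issued):
    """Security-server step (section 2-2): the permit decides, then the requirement is dropped."""
    reqs = decision["requirements"]
    if not any(r["requirement"] == "explicit_authorization" for r in reqs):
        return decision
    if not permit_issued:
        return {"allowed": False, "requirements": []}
    kept = [r for r in reqs if r["requirement"] != "explicit_authorization"]
    return {"allowed": decision["allowed"], "requirements": kept}


def plan_enforcement(decision, supported):
    """Application-system step: choose a process for every requirement or refuse.

    Returns (proceed, processes). A requirement that is not supported is replaced
    by its first supported alternative; if there is none, the operation must not
    be performed (sections 2-6 and 2-8).
    """
    if not decision["allowed"]:
        return False, []
    plan = []
    for req in decision["requirements"]:
        options = [req["requirement"], *req.get("alternatives", [])]
        chosen = next((o for o in options if o in supported), None)
        if chosen is None:
            return False, []
        plan.append(chosen)
    return True, plan


if __name__ == "__main__":
    granted = apply_explicit_authorization(PRINT_DECISION, permit_issued=True)
    print(plan_enforcement(granted, SECURE_PRINTER))
    print(plan_enforcement(granted, OFFICE_PRINTER))
    print(plan_enforcement(REVISE_DECISION, {"record_audit_data"}))
```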
- [2-9 Record_Image_Data]
- This requirement requires recording an image log. A print image and a copy image themselves are recorded and maintained. In a case where this requirement is regulated in the policy, the application system 400 indicates an image data record to a printer adapter of a printer to print out the digital document with a print instruction. When this requirement is regulated as the requirement of a copy, an image copying an original paper document is stored in a hard disk (document box) in the digital copier 70.
- There is no supplement information necessary for this requirement.
- There is no requirement that cannot be indicated simultaneously (conflicting requirement).
- [2-10 Embed_Trace_Info]
- This requirement requires embedding trace information to print out the digital document. When the digital document is printed out, identification information identifying the digital document is embedded to a paper sheet and the printed paper sheet is output. As the trace information, a two dimensional barcode is used.
- When this requirement is specified in the policy, in the decision process the security server 200 sends this requirement embed_trace_info together with supplement information indicating that the trace information is to be dynamically generated. That is, the security server 200 sends the supplement information (supplement) indicating dynamic_image. When the security server 200 recognizes that the policy specifies the supplement information (supplement) dynamic_image, the security server 200 obtains an embedding image from the document profile management table 260, and sends the requirement embed_trace_info together with the embedding image as the supplement information (supplement) in the returned value of the decision process of the security server 200 (refer to the section on the supplement information dynamic_image). The application system 400 embeds the embedding image received from the security server 200 in the paper sheet to be printed.
- There is no supplement information necessary for this requirement.
- There is no requirement that cannot be indicated simultaneously (conflicting requirement).
- In the requirement process, the security server 200 obtains the embedding image from the document profile management table 260, and the application system 400 actually embeds the embedding image while printing.
- [2-11 Show_Label]
- This requirement requires printing a label such as “secret” as a stamp. When this requirement is specified in the policy, the security server 200 sends bitmap data of a label stamp as the supplement information (supplement) with this requirement show_label in the returned value of the decision process. Information showing which stamp is printed for what kind of the document 60 is set in the security server 200 beforehand. In the policy, information concerning an ID of the label stamp and a location to stamp the label is specified. A bitmap file corresponding to the ID is stored in a local hard disk of the security server 200. The security server 200 reads out the bitmap file and sends the supplement information (supplement) as a byte array to an upper layer.
- If the bitmap file corresponding to the ID of the label stamp regulated in the policy, only the ID of the label stamp is included in the supplement information (supplement), and the requirement is sent without the bitmap data (refer to a section of static_image).
- A stamp image is not assumed to be dynamically generated. The security server 200 sends the requirement and the supplement information (supplement) themselves to the application system 400. The application system 400 overlays and prints out the received stamp image.
- There is no supplement information necessary for this requirement.
- There is no requirement that cannot be indicated simultaneously (conflicting requirement).
- In the requirement process, the security server 200 provides the stamp image, and the application system 400 (digital copier 70) stamps the label stamp to the paper sheets.
- [2-12 Visible_Watermark]
- This requirement requires printing the visible watermark letter on a background of a paper sheet. When this requirement is specified in the policy, the security server 200 sends a character string format for printing as a watermark as the supplement information (supplement) with this requirement visible_watermark in the returned value of the decision process. Information showing what kind of the document 60 requires which character string format is specified as the supplement information (supplement) of this requirement in the policy. The security server 200 sends this requirement and the supplement information (supplement) themselves to the application system 400. The application system 400 generates a watermark character string in accordance with the character string format received from the security server 200 (refer to the section on string_format).
- There is no supplement information necessary for this requirement.
- As the requirement that cannot be indicated simultaneously (conflicting requirement), there are anti_copy_watermark, trusted_bg_pattern, and identifiable_bg_pattern.
- In the requirement process, the security server 200 provides the character string format and the application system 400 (digital copier 70) prints out the character string to the paper sheet.
- [2-13 Anti_Copy_Watermark]
- This requirement requires printing an embossed watermark letter. The embossed watermark letter is embossed when a paper sheet having this embossed watermark letter is copied. When this requirement is specified in the policy, the security server 200 sends a character string format for printing a watermark as the supplement information (supplement) with this requirement anti_copy_watermark in the returned value of the decision process. Information showing what kind of the document 60 requires which character string format is specified as the supplement information (supplement) of this requirement in the policy. The security server 200 sends the requirement and the supplement information themselves to the application system 400. The application system 400 generates and prints out a watermark letter in accordance with the character string format received from the security server 200 (refer to the section on the supplement information string_format).
- As the supplement information necessary for this requirement, there are string_format and color.
- As the requirement that cannot be indicated simultaneously (conflicting requirement), there are visible_watermark, trusted_bg_pattern, and identifiable_bg_pattern.
- In the requirement process, the security server 200 provides a character string format, and the application system 400 prints a character string on a paper sheet.
- [2-14 Trusted_bg_Pattern]
- This requirement requires printing a background pattern for a tamper-detection.
- [2-15 Identifiable_bg_Pattern]
- When this requirement is specified in the policy, the security server 200 sends this requirement identifiable_bg_pattern, together with information showing that the supplement information is required to be dynamically generated, as a returned value in the decision process. When the security server 200 recognizes that a dynamic image generation (supplement information dynamic_image) is indicated, the security server 200 obtains an identification pattern from the document profile management 260, and sends this requirement identifiable_bg_pattern and the supplement information in the returned value of the decision process (refer to the section on the supplement information dynamic_image).
- The application system 400 prints the identification pattern received from the security server 200 on the background of the paper sheet to be printed out.
- As the necessary supplement information, there is dynamic_image.
- As the requirement that cannot be indicated simultaneously (conflicting requirement), there are visible_watermark, anti_copy_watermark, trusted_bg_pattern.
- In the requirement process, the security server 200 obtains the identification pattern from the document profile management table 260, and the application system 400 actually prints the identification pattern on the background of the paper sheet.
- [2-16 Show_Alarm]
- This requirement requires displaying an alarm. An alarm such as “Give attention to handle top secret” is displayed to warn the user 52. This requirement aims to display the alarm on a display or an operation panel. Another requirement, print_alarm, is used when the alarm is required to be printed on a paper sheet. Information showing what kind of the document 60 is required to display which character string is specified as the supplement information (supplement) of the requirement in the policy. The security server 200 sends the requirement and the supplement information themselves to the application 400. The application system 400 generates and displays the character string in accordance with the character string format received from the security server 200.
- As the necessary supplement information, there is string_format.
- There is no requirement that cannot be indicated simultaneously (conflicting requirement).
- In the requirement process, the security server 200 provides the character string format to display, and the application system 400 displays the alarm in the character string format.
- [2-17 Print_Alarm]
- This requirement requires printing an alarm. An alarm such as “RRR Internal Use Only” is printed to warn the user 52. This requirement aims to print the alarm on a paper sheet. Another requirement, show_alarm, is used to display the alarm on a display or an operation panel.
- Information showing which character string is printed for what kind of the document 60 is specified as the supplement information of this requirement in the policy. The security server 200 provides a character string format to display the alarm, and the application system 400 displays the alarm. The security server 200 sends this requirement and the supplement information (supplement) themselves to the application system 400. The application system 300 generates and prints the character string in accordance with the character string format received from the security server 200.
- As the necessary supplement information, there are string_format and string_position. There is no requirement that cannot be indicated simultaneously (conflicting requirement).
- In the requirement process, the security server 200 provides the character string format to print, and the application system 400 prints the alarm in the character string format.
- [2-18 Private_Send]
- This requirement requires using the confidential transmission mode. The confidential transmission mode is used so that other persons cannot take a paper sheet transmitted by fax away. A fax transmission process is not conducted for a fax which does not support the confidential transmission mode.
- If the fax does not support the confidential transmission mode but is in an environment where there is little possibility that other persons take the faxed paper sheets away, the user 52 probably wants to fax. In this case, show_alarm is indicated as the alternative requirement of this requirement private_receive in the policy, so that an alarm is displayed and the user 52 is allowed to fax.
- There is no supplement information necessary for this requirement.
- There is no requirement that cannot be indicated simultaneously (conflicting requirement).
- [2-19 Address_Restriction]
- This requirement requires controlling a destination to fax.
- [2-20 Show_Operator]
- This requirement requires printing a user name. When this requirement is specified in the policy, the security server 200 sends a character string format to print with this requirement show_operator in the returned value of the decision process. Information showing which character string is printed for what kind of the document 60 is specified as the supplement information (supplement) of the requirement in the policy.
- The security server 200 sends the requirement and the supplement information (supplement) themselves. The application system 400 generates the character string in accordance with the character string format received from the security server 200 and prints the character string on a printed paper sheet.
- As the necessary supplement information, there is string_format.
- There is no requirement that cannot be indicated simultaneously (conflicting requirement).
- In the requirement process, the security server 200 provides the character string format to print that is regulated in the policy, and the application system 400 prints the character string in accordance with the character string format when the document 60 is printed.
- [2-21 Owner_Only]
- This requirement allows only the user 52 who printed the document 60 to copy it. When this requirement is specified in the policy, the security server 200 sends the requirement owner_only in the returned value of the decision process. When the security server 200 recognizes this requirement, the security server 200 obtains the user ID of the user who printed the document being copied from the document profile management table 260, and compares the user attempting to copy with the user who printed the document 60. When both users are the same person, the security server 200 sends a result of the decision process except for this requirement owner_only. When both users are not the same person, the security server 200 sends the result of the decision process showing “allowed=false”.
- There is no necessary supplement information.
- There is no requirement that cannot be indicated simultaneously (conflicting requirement).
- In the requirement process, the security server 200 sends “not allowed” when both users are not the same person.
- [2-22 Unreadable_Mask]
- This requirement requires masking the document 60 so that it cannot be read. When the document 60 is copied, in order to warn the user 52 that the document 60 is not allowed to be copied, this requirement masks the document 60 by printing the entire document 60 in gray so that the document 60 cannot be read.
- There is no necessary supplement information.
- There is no requirement that cannot be indicated simultaneously (conflicting requirement). Even if the conflicting requirement such as show_label is indicated, this requirement ends up being meaningless.
- [2-23 Digital_Watermark]
- This requirement requires embedding a digital watermark in image data. When this requirement is specified in the policy, the security server 200 sends a character string format to embed as the digital watermark with this requirement digital_watermark in the returned value of the decision process. Information showing which character string format is used for what kind of the document 60 is specified as the supplement information of this requirement in the policy. The security server 200 sends the supplement information (supplement) itself to the application system 400. The application system 400 generates an embedding character string in accordance with the character string format received from the security server 200 and embeds it as the digital watermark in the image data of the document 60 (refer to the sections on the supplement information string_format and watermark_type).
- As the necessary supplement information, there are string_format and watermark_type.
- As the requirement that cannot be indicated simultaneously (conflicting requirement), there are anti_copy_watermark, trusted_bg_pattern, and identifiable_bg_pattern.
- In the requirement process, the security server 200 provides the character string format, and the application system 400 embeds the digital watermark in accordance with the character string format received from the security server 200.
- [3 Details of Supplement Information]
- The requirement may require the supplement information. A method for indicating the supplement information is defined as follows. A title of each section shows an identification of the supplement information.
- [3-1 Static_Image]
- This supplement information is used to indicate fixed image data. As the fixed image data, for example, there is a stamp image to use for the requirement of the label display (show_label). Since the fixed image data are not stored in the policy file 240, an identification label identifying a fixed image data file is indicated in the policy file 240. At the beginning of the identification label, “ref” is provided to indicate the identification label.
- A supplement information format is ref: [file_id]
- For example, the supplement information is indicated in the policy file as follows:
    <Ace>
      <Operation>
        <Id>pd_print</Id>
        <Requirement>
          <Id>show_label</Id>
          <Supplement>
            <Id>static_image</Id>
            <Data>ref:STAMP_IMAGE_01</Data>
          </Supplement>
        </Requirement>
      </Operation>
    </Ace>
- When this supplement information is indicated in the policy file 240 as described above and a policy decision result is returned from the decision process method of the security server 200, the policy decision result is returned as follows:
    DecisionInfo.requirements[x].requirement = "show_label";
    DecisionInfo.requirements[x].supplements[y].name = "static_image";
    DecisionInfo.requirements[x].supplements[y].value = "z";
    DecisionInfo.requirements[x].dataz = image data (binary) corresponding to STAMP_IMAGE_01;
  where x, y, and z are numbers.
- As described above, when “ref” is indicated as the supplement information, the security server 200 reads out a file corresponding to the identification label and conducts an including process for including the file as binary data as the supplement information.
- [3-2 Dynamic_Image]
- This supplement information is used to indicate dynamic image data. As the dynamic image data, for example, there are a barcode image used for the requirement of the tracing information embedding (“embed_trace_info”) and an identification pattern image used for the requirement of the identification pattern (“identifiable_bg_pattern”).
- Since these image data are dynamically generated according to the document 60, a description for the image data cannot be included in the policy file 240. The policy file 240 indicates, as the supplement information, a type of information from which the image is dynamically generated (for example, a type of information such as the document ID and the user ID).
- A format of this supplement information is dyn: [info_type]. Only a section ID “SecId” can be indicated in info_type.
- For example, this supplement information is indicated in the policy file 240 as follows:
    <Ace>
      <Operation>
        <Id>pd_print</Id>
        <Requirement>
          <Id>embed_trace_info</Id>
          <Supplement>
            <Id>dynamic_image</Id>
            <Data>dyn:SecId</Data>
          </Supplement>
        </Requirement>
      </Operation>
    </Ace>
- When this supplement information is indicated in the policy file 240 as described above and the policy decision result is returned from the decision process method of the security server 200, the security server 200 does not conduct any process and the policy decision result is returned as follows:
    DecisionInfo.requirements[x].requirement = "embed_trace_info";
    DecisionInfo.requirements[x].supplements[y].name = "dynamic_image";
    DecisionInfo.requirements[x].supplements[y].value = "dyn:SecId";
  where x and y are numbers.
- Then, the security server 200 receiving the decision result information dynamically generates the necessary image data, and sends the following as a result of the decision process:
    DecisionInfo.requirements[x].requirement = "embed_trace_info";
    DecisionInfo.requirements[x].supplements[y].name = "dynamic_image";
    DecisionInfo.requirements[x].supplements[y].value = "z";
    DecisionInfo.requirements[x].dataz = image data dynamically generated (binary);
  where x, y, and z are numbers.
- [3-3 Image_Position]
- This supplement information is used to indicate an embedding location of an image. In a case of embedding partially, instead of embedding the image over the entire page, this supplement information is indicated by an embedding requirement (such as “show_label”). In a case of embedding over the entire page (embedding a tile), a different requirement (“identifiable_bg_pattern” or the like) is used.
- The embedding location is indicated by the identification label in the policy file 240.
- A format of this supplement information is [position_id]. position_id selectively indicates one of five locations: upper_right, lower_right, upper_left, lower_left, and center.
- For example, the embedding location is indicated in the policy file 240 as follows:
    <Ace>
      <Operation>
        <Id>pd_print</Id>
        <Requirement>
          <Id>show_label</Id>
          <Supplement>
            <Id>image_position</Id>
            <Data>upper_right</Data>
          </Supplement>
        </Requirement>
      </Operation>
    </Ace>
- The security server 200 sets the supplement information in the decision result information to send back to a request originator.
- [3-4 String_Format]
- This supplement information is used to indicate a character string format. The character string format is indicated for a requirement such as the watermark (“visible_watermark”). A format of this supplement information is [“format_string”]. The character string format is indicated in the policy file 240 as follows: format_string indicates a combination of the following and any character string.
- “%da” IP address (decimal notation such as 133.139.208.69 or a like)
- “%ha” IP address (hexadecimal notation such as BEAC143F or a like)
- “%8u” user name (account name); a number may be given to indicate digits (optional)
- “%d1” date (YYMMDD)
- “%d2” date and time (YYMMDD HH:mm)
- “%d3” date and time (YYMMDD HH:mm:ss)
- “%id” document ID
- “%lv” sensitivity level ID
- “%ca” document category ID
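The token list above is enough to write the expansion step that the application system 400 performs on a string_format supplement. The following Python sketch is an added example, not code from the patent: the context key names, the reading of the digit count in “%8u” as a maximum length, and the removal of non-printable characters are assumptions, and the sample context is constructed (only the IP address and the 32-character visible_watermark cap come from the page).

```python
import ipaddress
import re
from datetime import datetime

# Length caps per requirement. Only the 32-character cap for
# visible_watermark is stated on the page; nothing else is capped here.
MAX_CHARS = {"visible_watermark": 32}

# Tokens from the list above: %da %ha %d1 %d2 %d3 %id %lv %ca, plus %u with
# an optional digit count such as %8u.
TOKEN = re.compile(r"%(da|ha|d[123]|id|lv|ca|(\d*)u)")

DATE_FORMATS = {"d1": "%y%m%d", "d2": "%y%m%d %H:%M", "d3": "%y%m%d %H:%M:%S"}
FIELDS = {"id": "doc_id", "lv": "level", "ca": "category"}  # ctx key names assumed


def clean(value):
    """Drop non-printable characters so a value cannot smuggle control codes."""
    return "".join(ch for ch in str(value) if ch.isprintable())


def expand_string_format(fmt, ctx, requirement=None):
    """Expand a string_format supplement against one request context.

    ctx is a dict with the assumed keys ip, user, when (datetime), doc_id,
    level and category. Anything that is not a listed token stays literal.
    """
    ip = ipaddress.IPv4Address(ctx["ip"])  # ValueError on a malformed address

    def substitute(match):
        token, digits = match.group(1), match.group(2)
        if token == "da":
            return str(ip)
        if token == "ha":
            return "%08X" % int(ip)
        if token in DATE_FORMATS:
            return ctx["when"].strftime(DATE_FORMATS[token])
        if token in FIELDS:
            return clean(ctx[FIELDS[token]])
        user = clean(ctx["user"])
        # Assumption: the digit count is a maximum length for the user name.
        return user[: int(digits)] if digits else user

    # re.sub makes a single pass, so text substituted for one token is never
    # re-scanned: a user name containing "%id" is printed, not expanded.
    text = TOKEN.sub(substitute, fmt)
    limit = MAX_CHARS.get(requirement)
    return text[:limit] if limit else text


# Constructed sample context, not taken from the page.
SAMPLE_CTX = {
    "ip": "133.139.208.69",
    "user": "yamada_taro",
    "when": datetime(2004, 6, 22, 14, 5, 9),
    "doc_id": "DOC-0001",
    "level": "top_secret",
    "category": "personnel",
}

if __name__ == "__main__":
    print(expand_string_format("%8u %d2 DO NOT COPY", SAMPLE_CTX, "visible_watermark"))
    print(expand_string_format("%ha %id %lv %ca", SAMPLE_CTX))
```

With an eight-character user name, the format “%8u %d2 DO NOT COPY” expands to 33 characters, so the 32-character cap removes the last character of the warning text; a policy author has to budget the fixed text against the cap.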
- For example, the supplement information is indicated in the policy file 240 as follows:
    <Ace>
      <Operation>
        <Id>pd_print</Id>
        <Requirement>
          <Id>visible_watermark</Id>
          <Supplement>
            <Id>string_format</Id>
            <Data>%8u %d2 DO NOT COPY</Data>
          </Supplement>
        </Requirement>
      </Operation>
    </Ace>
- The security server 200 sets this supplement information in the decision result information to send back to a request originator. The requirement may have a limitation of a maximum character number (for example, 32 characters for the requirement visible_watermark). Characters over the maximum character number are not used.
- [3-5 String_Position]
- This supplement information is used to indicate an embedding location of a character string. This supplement information is used for an embedding requirement that embeds partially (“print_alarm” or the like), not for embedding the character string on a background. In a case of embedding the character string on the background, a different requirement (“visible_watermark” or the like) is used. The embedding location is indicated by the identification label in the policy file 240.
- A format of this supplement information is [position_id]. position_id is selectively set from six positions: upper_right, lower_right, upper_left, lower_left, upper_center, lower_center, and upper_lower_center.
- For example, this supplement information is indicated in the policy file 240 as follows:
    <Ace>
      <Operation>
        <Id>pd_print</Id>
        <Requirement>
          <Id>print_alarm</Id>
          <Supplement>
            <Id>string_position</Id>
            <Data>upper_lower_center</Data>
          </Supplement>
        </Requirement>
      </Operation>
    </Ace>
- The security server 200 sets this supplement information in the decision result information to send back to a request originator.
- [3-6 Color]
- This supplement information is used to indicate a color. This supplement information is indicated for the requirement of a copy suppression pattern (“anti_copy_watermark”).
- This supplement information is indicated in the policy file 240 as follows:
- A format of the supplement information is [color_id]. color_id indicates either one of cyan and magenta.
- For example, the supplement information is indicated in the policy file 240 as follows:
    <Ace>
      <Operation>
        <Id>pd_print</Id>
        <Requirement>
          <Id>anti_copy_watermark</Id>
          <Supplement>
            <Id>color</Id>
            <Data>cyan</Data>
          </Supplement>
        </Requirement>
      </Operation>
    </Ace>
- The security server 200 sets this supplement information in the decision result information to send back to a request originator.
- [3-7 Watermark_Type]
- This supplement information is used to indicate a watermark type. This supplement information is indicated by the requirement of a digital watermark (“digital_watermark”).
- This supplement information is indicated in the policy file 240 as follows:
- A format of this supplement information is [watermak_type_id]. watermak_type_id indicates traceability, integrity, and steganography. traceability indicates the digital watermark for a tracing purpose, integrity indicates the digital watermark for a tamper-detection purpose, and steganography indicates the digital watermark for an information transmission purpose.
- For example, this supplement information is indicated in the policy file 240 as follows:
    <DspAce>
      <DspOperation>
        <Id>pp_scan</Id>
        <DspRequirement>
          <Id>digital_watermark</Id>
          <DspSupplement>
            <Id>string_format</Id>
            <Data>%u %d</Data>
          </DspSupplement>
          <DspSupplement>
            <Id>watermark_type</Id>
            <Data>traceability</Data>
          </DspSupplement>
        </DspRequirement>
      </DspOperation>
    </DspAce>
- The security server 200 sets this supplement information in the decision result information to send back to a request originator.
- As described above, according to the present invention, it is possible for the security server 200 to abstract information provided from the application system 400 in order to correspond to the organizational security policy. That is, it is possible to convert information which is provided from the application system 400 and has a lower abstraction degree into different information having a higher abstraction degree than the information received from the application system 400, in order to correspond to the security policy having a higher abstraction degree. Accordingly, it is possible to secure the security of both the digital document and the paper document in accordance with the organizational security policy.
- The document management system 100 and the document viewer 53 conduct the access control for the digital document such as the server document 61 and the portable document 63, and the security process for securing the portable document 63 is conducted in accordance with the policy when the portable document 63 is printed from the document viewer 53. Therefore, the user 52 printing the portable document 63 is required to properly handle the paper document 62 to which the portable document 63 is printed, in accordance with the policy.
- In addition, when the paper document 62 to which the portable document 63 is printed is copied by the digital copier 70, the copying process can be controlled in accordance with the policy.
- Therefore, in a general office, it is possible to sufficiently maintain the security of the paper document 62 and the digital document such as the server document 61 and the portable document 63.
- The present invention is not limited to the specifically disclosed embodiments, and variations and modifications may be made without departing from the scope of the present invention.
- The present application is based on the Japanese Priority Applications No. 2003-178033 filed on Jun. 23, 2003, No. 2003-315921 filed on Sep. 8, 2003, and No. 2002-315996 filed on Sep. 8, 2003, the entire contents of which are hereby incorporated by reference.
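The conflicting-requirement lists in section 2 and the supplement formats in section 3 can be checked mechanically before a policy file 240 is put into use. The following linter is an added example, not code from the patent; the function names, the finding strings, the restriction of file_id to letters, digits and underscore, and the rejection of DTDs are assumptions, and the faulty policy fragment is constructed.

```python
import re
import xml.etree.ElementTree as ET
from itertools import combinations

# Conflicting requirements as listed in the requirement sections above.
BG = {"visible_watermark", "anti_copy_watermark", "trusted_bg_pattern",
      "identifiable_bg_pattern"}
CONFLICTS = {
    "visible_watermark": BG - {"visible_watermark"},
    "anti_copy_watermark": BG - {"anti_copy_watermark"},
    "identifiable_bg_pattern": BG - {"identifiable_bg_pattern"},
    "digital_watermark": BG - {"visible_watermark"},
}
# Supplements that each requirement section names as necessary.
REQUIRED = {
    "anti_copy_watermark": ("string_format", "color"),
    "identifiable_bg_pattern": ("dynamic_image",),
    "show_alarm": ("string_format",),
    "print_alarm": ("string_format", "string_position"),
    "show_operator": ("string_format",),
    "digital_watermark": ("string_format", "watermark_type"),
}
CORNERS = {"upper_right", "lower_right", "upper_left", "lower_left"}
ALLOWED = {
    "image_position": CORNERS | {"center"},
    "string_position": CORNERS | {"upper_center", "lower_center",
                                  "upper_lower_center"},
    "color": {"cyan", "magenta"},
    "watermark_type": {"traceability", "integrity", "steganography"},
}
PATTERNS = {
    # Assumption: file_id is limited to letters, digits and underscore, so
    # the label is a plain identifier and never a file path.
    "static_image": re.compile(r"ref:[A-Za-z0-9_]+"),
    "dynamic_image": re.compile(r"dyn:SecId"),  # only SecId may be indicated
}


def children(element, name):
    """Child elements called name, with or without the Dsp prefix."""
    return [c for c in element if c.tag in (name, "Dsp" + name)]


def text_of(element, name):
    found = children(element, name)
    return (found[0].text or "").strip() if found else ""


def value_ok(supplement_id, data):
    if supplement_id in ALLOWED:
        return data in ALLOWED[supplement_id]
    if supplement_id in PATTERNS:
        return PATTERNS[supplement_id].fullmatch(data) is not None
    return bool(data)  # string_format and anything unlisted: non-empty only


def lint_ace(xml_text):
    """Return a list of findings for one <Ace> (or <DspAce>) element."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not accepted in policy files")
    findings = []
    for op in children(ET.fromstring(xml_text), "Operation"):
        op_id = text_of(op, "Id")
        reqs = {
            text_of(r, "Id"): {text_of(s, "Id"): text_of(s, "Data")
                               for s in children(r, "Supplement")}
            for r in children(op, "Requirement")
        }
        for a, b in combinations(sorted(reqs), 2):
            if b in CONFLICTS.get(a, ()) or a in CONFLICTS.get(b, ()):
                findings.append(f"{op_id}: {a} conflicts with {b}")
        for req_id, sups in sorted(reqs.items()):
            for needed in REQUIRED.get(req_id, ()):
                if needed not in sups:
                    findings.append(f"{op_id}: {req_id} lacks {needed}")
            for sup_id, data in sups.items():
                if not value_ok(sup_id, data):
                    findings.append(f"{op_id}: {req_id}/{sup_id} invalid: {data!r}")
    return findings


# Constructed policy fragment with deliberate mistakes (not from the page).
BAD_POLICY = """
<Ace><Operation><Id>pd_print</Id>
  <Requirement><Id>visible_watermark</Id>
    <Supplement><Id>string_format</Id><Data>%8u %d2 DO NOT COPY</Data></Supplement></Requirement>
  <Requirement><Id>anti_copy_watermark</Id>
    <Supplement><Id>color</Id><Data>yellow</Data></Supplement></Requirement>
  <Requirement><Id>embed_trace_info</Id>
    <Supplement><Id>dynamic_image</Id><Data>dyn:UserId</Data></Supplement></Requirement>
  <Requirement><Id>show_label</Id>
    <Supplement><Id>static_image</Id><Data>STAMP_IMAGE_01</Data></Supplement></Requirement>
</Operation></Ace>
"""

if __name__ == "__main__":
    for finding in lint_ace(BAD_POLICY):
        print(finding)
```

The linter encodes only what the sections state explicitly, so a requirement whose section says no supplement is necessary is never reported for a missing one.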
Claims (47)
1. An access control decision system comprising;
an abstraction converting part converting first information indicated by an access decision request into second information being abstract higher than the first information when the access decision request for requesting an access control decision for subject information to be accessed is received;
an access control decision part determining the access control for the subject information by referring a security policy being abstractly regulated based on the second information; and
a decision result sending part sending a decision result showing the access control for the subject information by said access control decision part, to a request originator that sent the access decision request.
2. The access control decision system as claimed in claim 1, wherein said abstraction converting part includes a mapping part mapping into the second information based on the first information by referring to a management table managing by corresponding the first information to the second information, the first information and second information having different abstraction degree each other.
3. The access control decision system as claimed in claim 1, wherein said abstraction converting part includes:
a first mapping part mapping based on the first information to the second information by referring to a first management table managing by corresponding the first information to the second information, the first information and second information having different abstraction degrees each other; and
a second mapping part mapping based on the first information to third information by referring to a second management table managing by corresponding the first information to the second information by the third information different from the first information and the second information having different abstraction degrees each other, and
wherein said access decision determining part determines the access control for the subject information by referring to the security policy based on either one of the second information and the third information.
4. The access control decision system as claimed in claim 1, wherein said abstraction converting part including a mapping part obtaining intermediate information by referring to a first management table managing by corresponding the first information to the intermediate information having an attribute different from the first information, based on the first information, and mapping based on the intermediate information to the second information by referring to a second management table managing by corresponding the intermediate information and the first information to the second information having an abstract different from the intermediate information and the first information.
5. The access control decision system as claimed in claim 1, wherein said first information is user identification information identifying a user who accesses the subject information, and the second information is information showing a security level of the user.
6. The access control decision system as claimed in claim 1, wherein the first information is user identification information identifying a user who accesses the subject information, and the second information is information showing whether or not the user is a related person to the subject information.
7. The access control decision system as claimed in claim 1, wherein the first information is information showing a location where an access is conducted to the subject information, and the second information is information showing whether or not the location is inside a predetermined zone.
8. The access control decision system as claimed in claim 1, wherein the first information is image data generated by scanning a paper document having the subject information, and the second information is information showing a security attribute of the subject information based on the image data.
9. The access control decision system as claimed in claim 1, wherein:
said access control decision part determines the access control having an requirement to allow an access to the subject information, based on the security policy; and
said decision result sending part sends the decision result additionally including information showing the requirement to the request originator.
10. The access control decision system as claimed in claim 9, wherein said access control decision part includes supplement information that is indicated when the requirement is processed, to the requirement to allow the access to the subject information in accordance with the security policy.
11. The access control decision system as claimed in claim 9, wherein said access control decision part includes an alternative requirement for a case in that the requirement cannot be processed, to the requirement to allow the access to the subject information.
12. The access control decision system as claimed in claim 1, wherein the security policy is capable of being externally set.
13. An access control decision method, comprising the steps of:
storing a security policy being abstractly regulated and capable of being externally set in a storage area;
receiving an access decision request requesting an access control decision for subject information to be accessed;
converting a first information indicated by the access decision request into a second information having an abstraction degree higher than the first information;
determining an access control for the subject information by referring to the security policy stored in the storage area; and
sending a decision result showing the access control for the subject information to a request originator who sent the access decision request.
14. A program product for causing a computer to determine an access control, said program product comprising the codes for:
storing a security policy being abstractly regulated and capable of being externally set in a storage area;
receiving an access decision request requesting an access control decision for subject information to be accessed;
converting a first information indicated by the access decision request into a second information having an abstraction degree higher than the first information;
determining an access control for the subject information by referring to the security policy stored in the storage area; and
sending a decision result showing the access control for the subject information to a request originator who sent the access decision request.
15. A computer-readable recording medium recorded with a program for causing a computer to determine an access control, said program comprising the codes for:
storing a security policy being abstractly regulated and capable of being externally set in a storage area;
receiving an access decision request requesting an access control decision for subject information to be accessed;
converting a first information indicated by the access decision request into a second information having an abstraction degree higher than the first information;
determining an access control for the subject information by referring to the security policy stored in the storage area; and
sending a decision result showing the access control for the subject information to a request originator who sent the access decision request.
16. An access control enforcing system, comprising an access control enforcing part enforcing an access control for subject information based on access control information indicating a control concerning an access to the subject information in accordance with a security policy,
wherein said access control enforcing part further includes a requirement capability determining part determining whether or not a requirement to execute the access can be executed, the requirement indicated by the access control information, and
wherein the access control is enforced for the subject information based on a determination result by the requirement capability determining part so as to satisfy the requirement.
17. The access control enforcing system as claimed in claim 16 , wherein said access control enforcing part further includes an access prohibiting part prohibiting the access to the subject information when the decision result by the requirement capability determining part shows that the access cannot be executed so as to satisfy the requirement.
18. The access control enforcing system as claimed in claim 17 , wherein said access control enforcing part enforces an alternative requirement indicated in the access control information when the determination result by the requirement capability determining part shows that the access cannot be executed so as to satisfy the requirement.
19. The access control enforcing system as claimed in claim 18 , wherein said access control enforcing part further includes an alternative requirement capability determining part determining the alternative requirement indicated in the access control information can be executed when the decision result by said requirement capability determining part shows that the access cannot be executed so as to satisfy the requirement.
20. The access control enforcing system as claimed in claim 18 , wherein said access control enforcing part enforces the access control to the subject information so as to satisfy the requirement by using supplement information indicated in the access control information when the decision result by said requirement capability determining part shows that the access can be executed so as to satisfy the requirement.
21. The access control enforcing system as claimed in claim 16 , wherein at least one of a log record, an encryption and store, a protection of integrity of an original, a strict user authentication, a version management, a perfect deletion, and an alarm display is executable as the requirement.
22. The access control enforcing system as claimed in claim 16 , wherein at least one of a log record, a label print, an operator print, an image log record, an alarm display, an alarm print, a destination restriction, a confidential transmission, a watermark print, and a digital watermark is executable as the requirement.
23. The access control enforcing system as claimed in claim 16 , wherein a log record, a strict user authentication, an alarm display, a private print, an image log record, an identification information print, a label print, a watermark print, a copy suppression pattern print, an identification background pattern, and an alarm print is executable as the requirement.
24. The access control enforcing system as claimed in claim 16 , further comprising:
an access decision requesting part requesting an access control decision to an access control decision system determining the access control in accordance with the security policy being abstractly regulated in response to an access request to the subject information; and
an access control receiving part receiving access control information sent from the access control decision system corresponding to the access control decision requests,
wherein said access control enforcing part enforces the access control to the subject information based on the access control information received by said access control receiving part.
25. An access control enforcing method, comprising the steps of:
determining that a requirement indicated in access control information, the requirement to execute an access, when the access control is enforced to the subject information based on the access control information indicating a control concerning the access to the subject information in accordance to a security policy; and
enforcing the access control to the subject information so as to satisfy the requirement based on a determination result.
26. A security policy, comprising a rule description showing a rule regulating whether or not an operation is allowed based on a first security attribute of subject information directed to the operation and a second security attribute of a user requesting the operation for the subject information, wherein the rule description regulates to allow the operation when a requirement is satisfied.
27. The security policy as claimed in claim 26 , wherein said rule description regulates supplement information to be used when the requirement is executed.
28. The security policy as claimed in claim 26 , wherein the rule description regulates the supplement information being dynamically generated.
29. The security policy as claimed in claim 26 , wherein the supplement information is a character string or image data based on the rule being dynamically generated.
30. The security policy as claimed in claim 26 , wherein said rule description regulates based on a user category shown by the second security attribute of the user whether or not the operation is allowed,
wherein information showing whether or not the user is a related person is indicated in said user category based on a management table being different from the rule description and showing a user being the related person to the subject information.
31. The security policy as claimed in claim 26 , wherein said rule description regulates based on an access allowed zone indicated by the second security attribute of the user whether or not the operation is allowed, wherein information showing whether or not the user is a related person is indicated in said access allowed zone based on a management table being different from the rule description and showing a user being the related person to the subject information.
32. The security policy as claimed in claim 26 , wherein said rule description regulates whether or not the operation is allowed when the first security attribute of the subject information is unknown.
33. The security policy as claimed in claim 26 , wherein said rule description regulates an alternative requirement when the requirement is not satisfied.
34. The security policy as claimed in claim 26 , wherein said rule description regulates an access control rule for each first security attribute of the subject information.
35. The security policy as claimed in claim 34 , wherein said rule description regulates an access control list for each second security attribute of the user in the access control rule.
36. The security policy as claimed in claim 35 , wherein said rule description regulates in the access control list whether or not each of a plurality of different image forming processes as the operation is allowed.
37. The security policy as claimed in claim 36 , wherein said rule description regulates a plurality of requirements for each operation.
38. The security policy as claimed in claim 37 , wherein said rule description regulates a plurality of the supplement information for each requirement.
39. The security policy as claimed in claim 37 , wherein said rule description regulates a plurality of the alternative requirements for each requirement.
40. The security policy as claimed in claim 37 , wherein said rule description regulates to allow or not operations to refer to a server document, refer to a property of the server document, obtain an original of the server document, revise the server document, and delete the server document, operations to refer to a portable document, print out the portable document, transmit the portable document by fax, and operations to copy a paper document, transmit the paper document by fax and scan the paper document.
41. The security policy as claimed in claim 37 , wherein said rule description regulates at least one of a log record, an encryption, a tamper-detection, a version management, a perfect deletion, a private print, an image log record, an identification information embedding, a label print, a watermark, a copy suppression pattern, an identification background pattern, an alarm display, an alarm print, a confidential print, and an operator print.
42. A computer-readable recording medium recorded with a security policy, said security policy comprising a rule description showing a rule regulating whether or not an operation is allowed based on a first security attribute of subject information directed to the operation and a second security attribute of a user requesting the operation for the subject information, wherein the rule description regulates to allow the operation when a requirement is satisfied.
43. A security control system, comprising:
showing a rule regulating whether or not an operation is allowed, based on a first security attribute of subject information directed to the operation and a second security attribute of a user requesting the operation for the subject information; and
controlling the operation for the subject information in accordance with a security policy regulating that the operation is allowed when a requirement is satisfied.
44. A security policy regulating method, comprising a rule description showing a rule regulating whether or not an operation is allowed based on a first security attribute of subject information directed to the operation and a second security attribute of a user requesting the operation for the subject information, wherein the rule description regulates to allow the operation when a requirement is satisfied.
45. A security policy, comprising a rule description being managed by a system and showing a rule regulating a requirement required to satisfy to allow an operation, said operation incapable of being controlled to allow or prohibit with respect to a subject information when the subject information is output outside the system by allowing the operation to the subject information, wherein said rule description regulates that the operation is allowed when the requirement is satisfied, said requirement capable of repeatedly conducting the control with respect to the subject information being output outside the system.
46. A computer-readable recording medium recorded with a security policy, said security policy comprising a rule description being managed by a system and showing a rule regulating a requirement required to satisfy to allow an operation, said operation incapable of being controlled to allow or prohibit with respect to a subject information when the subject information is output outside the system by allowing the operation to the subject information, wherein said rule description regulates that the operation is allowed when the requirement is satisfied, said requirement capable of repeatedly conducting the control with respect to the subject information being output outside the system.
47. A system for controlling an operation, comprising:
managing subject information directed to the operation; and
a rule description being managed by a system and showing a rule regulating a requirement required to satisfy to allow an operation, said operation incapable of being controlled to allow or prohibit with respect to a subject information when the subject information is output outside the system by allowing the operation to the subject information,
wherein said rule description regulates that the operation is allowed when the requirement is satisfied, said requirement capable of repeatedly conducting the control with respect to the subject information being output outside the system.
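The decision and enforcement flow recited in claims 13, 16 to 19, 26, 27, 30, 32 and 33 can be sketched as follows. This is an added illustration, not code from the patent or from any product implementing it; the policy contents, document and user identifiers, the dictionary request format and all function names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Requirement:
    name: str                          # e.g. "log_record", "watermark_print"
    supplement: Optional[str] = None   # supplement information (claim 27)
    alternatives: tuple = ()           # alternative requirements (claim 33)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    requirements: tuple = ()


# Constructed sample data. The related-person table is kept separate
# from the rule description, as in claim 30.
DOC_ATTRIBUTE = {"doc-17": "secret"}
RELATED_PERSONS = {"doc-17": {"alice"}}

# Rule description: (document attribute, user category) -> operation -> requirements.
POLICY = {
    ("secret", "related_person"): {
        "print": (
            Requirement("watermark_print", "SECRET {user}",
                        alternatives=(Requirement("label_print", "SECRET"),)),
            Requirement("log_record"),
        ),
        "refer": (Requirement("log_record"),),
    },
    ("secret", "any"): {},                                  # nothing allowed
    ("unknown", "any"): {"refer": (Requirement("log_record"),)},  # claim 32
}


def abstract(request):
    """Convert concrete identifiers into the abstract attributes the policy uses."""
    doc_attr = DOC_ATTRIBUTE.get(request["doc"], "unknown")
    related = request["user"] in RELATED_PERSONS.get(request["doc"], set())
    return doc_attr, "related_person" if related else "any"


def _resolve(req, request):
    """Generate supplement text dynamically from the request (claim 28)."""
    text = req.supplement.format(**request) if req.supplement else None
    alts = tuple(_resolve(a, request) for a in req.alternatives)
    return Requirement(req.name, text, alts)


def decide(request):
    """Decision side: look up the rule and return the result with its requirements."""
    acl = POLICY.get(abstract(request), {})
    if request["operation"] not in acl:
        return Decision(False)
    reqs = tuple(_resolve(r, request) for r in acl[request["operation"]])
    return Decision(True, reqs)


def enforce(decision, capabilities):
    """Enforcing side: check each requirement against what the device can execute,
    fall back to an alternative, and prohibit the access if neither is possible."""
    if not decision.allowed:
        return "prohibited", []
    plan = []
    for req in decision.requirements:
        candidates = (req, *req.alternatives)
        chosen = next((c for c in candidates if c.name in capabilities), None)
        if chosen is None:
            return "prohibited", []   # fail closed (claim 17)
        plan.append((chosen.name, chosen.supplement))
    return "allowed", plan


if __name__ == "__main__":
    req = {"user": "alice", "doc": "doc-17", "operation": "print"}
    print(enforce(decide(req), {"label_print", "log_record"}))
```

The enforcing side fails closed: a device that can execute neither the requirement nor any of its alternatives gets "prohibited" rather than an unconditioned allow.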
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/275,796 US8302205B2 (en) | 2003-06-23 | 2008-11-21 | Access control decision system, access control enforcing system, and security policy |
Applications Claiming Priority (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2003178033 | 2003-06-23 | ||
JP2003-178033 | 2003-06-23 | ||
JP2003315921A JP4398685B2 (en) | 2003-06-23 | 2003-09-08 | Access control determination system, access control determination method, access control determination program, and computer-readable storage medium storing the program |
JP2003315996A JP2005038372A (en) | 2003-06-23 | 2003-09-08 | Access control decision system, and access control execution system |
JP2003-315996 | 2003-09-08 | ||
JP2003-315921 | 2003-09-08 |
Related Child Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/275,796 Division US8302205B2 (en) | 2003-06-23 | 2008-11-21 | Access control decision system, access control enforcing system, and security policy |
Publications (1)
Publication Number | Publication Date |
---|---|
US20050021980A1 | 2005-01-27 |
Family
ID=33568343
Family Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/872,574 Abandoned US20050021980A1 (en) | 2003-06-23 | 2004-06-22 | Access control decision system, access control enforcing system, and security policy |
US12/275,796 Expired - Fee Related US8302205B2 (en) | 2003-06-23 | 2008-11-21 | Access control decision system, access control enforcing system, and security policy |
Family Applications After (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/275,796 Expired - Fee Related US8302205B2 (en) | 2003-06-23 | 2008-11-21 | Access control decision system, access control enforcing system, and security policy |
Country Status (2)
Country | Link |
---|---|
US (2) | US20050021980A1 (en) |
EP (1) | EP1507402A3 (en) |
Cited By (126)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050050008A1 (en) * | 2000-07-24 | 2005-03-03 | Root Steven A. | Interactive advisory system |
US20060015477A1 (en) * | 2004-07-16 | 2006-01-19 | Kabushiki Kaisha Toshiba | Method for managing profiles and management system of profiles |
US20060015741A1 (en) * | 2004-07-15 | 2006-01-19 | Lieberman Software Corporation | System for protecting domain system configurations from users with local privilege rights |
US20060017970A1 (en) * | 2004-07-24 | 2006-01-26 | Samsung Electronics Co., Ltd. | Image forming system, apparatus and method |
US20060017951A1 (en) * | 2004-07-22 | 2006-01-26 | Sharp Kabushiki Kaisha | Data output apparatus, system and method, and printer driver and storage medium |
US20060026434A1 (en) * | 2004-07-27 | 2006-02-02 | Konica Minolta Business Technologies, Inc. | Image forming apparatus and image forming system |
US20060031923A1 (en) * | 2004-08-04 | 2006-02-09 | Yoichi Kanai | Access control list attaching system, original content creator terminal, policy server, original content data management server, program and computer readable information recording medium |
US20060047481A1 (en) * | 2004-08-25 | 2006-03-02 | Yoichi Kanai | Maintenance mediation apparatus, maintenance target apparatus maintenance method, and maintenance system |
US20060106775A1 (en) * | 2004-11-18 | 2006-05-18 | Microsoft Corporation | Multilevel device capabilities hierarchy |
US20060161469A1 (en) * | 2005-01-14 | 2006-07-20 | Weatherbank, Inc. | Interactive advisory system |
US20060178140A1 (en) * | 2005-02-02 | 2006-08-10 | Steven Smith | Location-based data communications system and method |
US20060236113A1 (en) * | 2005-03-31 | 2006-10-19 | Mitsuru Uzawa | Information processing apparatus and method thereof |
US20060265733A1 (en) * | 2005-05-23 | 2006-11-23 | Xuemin Chen | Method and apparatus for security policy and enforcing mechanism for a set-top box security processor |
US20060265599A1 (en) * | 2005-05-17 | 2006-11-23 | Yoichi Kanai | Access control apparatus, access control method, access control program, recording medium, access control data, and relation description data |
US20060274384A1 (en) * | 2005-05-24 | 2006-12-07 | Canon Kabushiki Kaisha | Image reading apparatus, image forming apparatus incorporating the same, image reading control method therefor, and program implementing the method |
US20060277185A1 (en) * | 2005-06-06 | 2006-12-07 | Akiko Sato | Access control server, a user terminal, and an information access control, method |
US20060294152A1 (en) * | 2005-06-27 | 2006-12-28 | Shigehisa Kawabe | Document management server, document management system, computer readable recording medium, document management method, client of document management system, and node |
US20070097448A1 (en) * | 2005-11-02 | 2007-05-03 | Canon Kabushiki Kaisha | Print system and access control method thereof, access control program, information processing device, and storage medium |
US20070103715A1 (en) * | 2005-11-04 | 2007-05-10 | Hiroaki Nakata | Printing management system and printing management method |
US20070118650A1 (en) * | 2005-11-21 | 2007-05-24 | Konica Minolta Business Technologies, Inc. | Data input/output system, data input/output server, and data input/output method |
US20070133044A1 (en) * | 2005-12-12 | 2007-06-14 | Canon Kabushiki Kaisha | Data processing apparatus, image processing apparatus, print job production method, and print job output method |
US20070136292A1 (en) * | 2005-12-06 | 2007-06-14 | Hiromi Ohara | Apparatus and method for generating an electronic document, and storage medium |
US20070146768A1 (en) * | 2005-12-27 | 2007-06-28 | Takashi Isoda | Information processing method and apparatus thereof |
US20070156694A1 (en) * | 2005-12-29 | 2007-07-05 | Blue Jungle | Techniques and system to manage access of information using policies |
US20070174896A1 (en) * | 2006-01-25 | 2007-07-26 | Hiroshi Furuya | Security policy assignment apparatus and method and storage medium stored with security policy assignment program |
US20070174610A1 (en) * | 2006-01-25 | 2007-07-26 | Hiroshi Furuya | Security policy assignment apparatus and method and storage medium stored with security policy assignment program |
US20070179748A1 (en) * | 2006-01-27 | 2007-08-02 | Yoichi Kanai | Measuring device, measuring method, measuring program product, measurement data editing device, measurement data editing method, measurement data editing program product, measurement time verifying device, measurement time verifying method and measurement time verifying program product |
US20070209076A1 (en) * | 2005-03-02 | 2007-09-06 | Facetime Communications, Inc. | Automating software security restrictions on system resources |
US20070211954A1 (en) * | 2006-03-08 | 2007-09-13 | Fuji Xerox Co., Ltd. | Image-Processing Control Device, Image-Processing Control Method, And Image-Processing Control Program Storage Medium |
US20070245145A1 (en) * | 2004-04-08 | 2007-10-18 | Yoko Nishiyama | Image processing apparatus capable of authenticating document |
US20070261051A1 (en) * | 2005-03-02 | 2007-11-08 | Facetime Communications, Inc. | Automating software security restrictions on applications |
US20070299969A1 (en) * | 2006-06-22 | 2007-12-27 | Fuji Xerox Co., Ltd. | Document Management Server, Method, Storage Medium And Computer Data Signal, And System For Managing Document Use |
US20070299880A1 (en) * | 2006-06-22 | 2007-12-27 | Fuji Xerox Co., Ltd. | Document Management Server, Document Management Method, Computer Readable Medium, Computer Data Signal, and System For Managing Document Use |
US20080016549A1 (en) * | 2006-07-13 | 2008-01-17 | Brian Smithson | Approach for securely processing an electronic document |
US20080043274A1 (en) * | 2006-08-16 | 2008-02-21 | Lida Wang | Secure printing system with privilege table referenced across different domains |
US20080057907A1 (en) * | 2006-09-06 | 2008-03-06 | Fuji Xerox Co., Ltd. | Service Usage Control System, Service Usage Controller, Method For The Same, Computer Readable Medium For The Same, And Computer Data Signal of The Same |
US20080077996A1 (en) * | 2006-09-25 | 2008-03-27 | Fuji Xerox Co., Ltd. | Documents manipulation authentication apparatus, document manipulation apparatus, image formation apparatus, document manipulation authentication system, computer readable medium and computer data signal |
US20080098455A1 (en) * | 2006-10-20 | 2008-04-24 | Canon Kabushiki Kaisha | Document management system and document management method |
US20080133618A1 (en) * | 2006-12-04 | 2008-06-05 | Fuji Xerox Co., Ltd. | Document providing system and computer-readable storage medium |
US20080141237A1 (en) * | 2006-12-07 | 2008-06-12 | Sap Ag | Software for managing data between a client and server |
US20080162944A1 (en) * | 2006-12-28 | 2008-07-03 | Fuji Xerox Co., Ltd. | Information processing apparatus, information processing system, and computer readable storage medium |
US20080165783A1 (en) * | 2002-12-04 | 2008-07-10 | Cisco Technology, Inc. | Access list key compression |
US20080178303A1 (en) * | 2007-01-19 | 2008-07-24 | Fuji Xerox Co., Ltd. | Information-processing apparatus, information-processing system, information-processing method, computer-readable medium, and computer data signal |
US20080243831A1 (en) * | 2007-04-02 | 2008-10-02 | Fuji Xerox Co., Ltd. | Information processing apparatus, information processing system, and storage medium |
US20080239346A1 (en) * | 2007-03-28 | 2008-10-02 | Hitachi, Ltd. | Copy machine control apparatus and copy machine control method |
US20080313037A1 (en) * | 2007-06-15 | 2008-12-18 | Root Steven A | Interactive advisory system |
US20090044283A1 (en) * | 2007-08-07 | 2009-02-12 | Fuji Xerox Co., Ltd. | Document management apparatus, document management system and method, and computer-readable medium |
US20090066990A1 (en) * | 2005-08-22 | 2009-03-12 | Hidekazu Segawa | Image processing system, image processing method, image processing program, and image forming apparatus |
US20090077086A1 (en) * | 2007-09-19 | 2009-03-19 | International Business Machines Corporation | Policy-based method for configuring an access control service |
US20090125472A1 (en) * | 2007-01-25 | 2009-05-14 | Fuji Xerox Co., Ltd. | Information processing apparatus, information processing system, information processing method, and computer readable storage medium |
US20090165084A1 (en) * | 2007-12-25 | 2009-06-25 | Fuji Xerox Co., Ltd. | Security policy switching device, security policy management system, and storage medium |
US20090271610A1 (en) * | 2008-04-28 | 2009-10-29 | Seiko Epson Corporation | Multi-Function Apparatus and Method of Restricting Use of Multi-Function Apparatus |
US20090276413A1 (en) * | 2008-04-30 | 2009-11-05 | Ricoh Company, Ltd | Managing electronic data with index data corresponding to said electronic data |
US20090276846A1 (en) * | 2008-05-01 | 2009-11-05 | Seiko Epson Corporation | Multi-Function Apparatus and Method of Restricting Use of Multi-Function Apparatus |
US20090300708A1 (en) * | 2008-06-02 | 2009-12-03 | International Business Machines Corporation | Method for Improving Comprehension of Information in a Security Enhanced Environment by Representing the Information in Audio Form |
US20090327293A1 (en) * | 2007-10-02 | 2009-12-31 | Fuji Xerox Co., Ltd. | Information processing apparatus, information processing system, storage medium, information processing method, and data signal |
US20100073730A1 (en) * | 2008-09-24 | 2010-03-25 | Samsung Electronics Co., Ltd | Data transmitting method of image forming apparatus and image forming apparatus for performing data transmitting method |
US20100077186A1 (en) * | 2008-09-24 | 2010-03-25 | Fuji Xerox Co., Ltd. | Processing apparatus, processing system, and computer readable medium |
US20100169982A1 (en) * | 2008-12-25 | 2010-07-01 | Fuji Xerox Co., Ltd. | License management apparatus, license management method, and computer readable medium |
US20100313240A1 (en) * | 2007-11-29 | 2010-12-09 | Sounghyun Kim | Authentication system and method between server and client |
US20100332653A1 (en) * | 2009-06-29 | 2010-12-30 | Kabushiki Kaisha Toshiba | Image forming apparatus and image forming method |
US20110072490A1 (en) * | 2005-05-23 | 2011-03-24 | Broadcom Corporation | Method and apparatus for constructing an accss control matrix for a set-top box security |
US7987494B1 (en) * | 2005-12-19 | 2011-07-26 | Adobe Systems Incorporated | Method and apparatus providing end to end protection for a document |
US8176535B2 (en) | 2008-11-25 | 2012-05-08 | Fuji Xerox Co., Ltd. | Information processing system, information processing method, and computer readable medium |
US20120162688A1 (en) * | 2009-09-09 | 2012-06-28 | Tatsuro Ikeda | Access control system, apparatus, and program |
US20120317239A1 (en) * | 2011-06-08 | 2012-12-13 | Workshare Ltd. | Method and system for collaborative editing of a remotely stored document |
CN102834841A (en) * | 2010-03-31 | 2012-12-19 | 株式会社东芝 | Document management system, evaluation device, data output control device, document management method and document management program |
US8341734B1 (en) * | 2008-06-27 | 2012-12-25 | Symantec Corporation | Method and system to audit physical copy data leakage |
US20130022230A1 (en) * | 2010-03-31 | 2013-01-24 | Nec Corporation | Digital content management system, verification device, program thereof, and data processing method |
US20130067368A1 (en) * | 2011-09-09 | 2013-03-14 | Ricoh Company, Ltd. | Apparatus, System, And Method Of Controlling Display Of User Interface, And Recording Medium Storing User Interface Display Control Program |
US20130219462A1 (en) * | 2010-09-22 | 2013-08-22 | International Business Machines Corporation | Generating a distrubition package having an access control execution program for implementing an access control mechanism and loading unit for a client |
US20130268677A1 (en) * | 2013-06-02 | 2013-10-10 | SkySocket, LLC | Shared Resource Watermarking and Management |
US8613108B1 (en) * | 2009-03-26 | 2013-12-17 | Adobe Systems Incorporated | Method and apparatus for location-based digital rights management |
US8611927B2 (en) | 2006-01-19 | 2013-12-17 | Locator Ip, Lp | Interactive advisory system |
US8634814B2 (en) | 2007-02-23 | 2014-01-21 | Locator IP, L.P. | Interactive advisory system for prioritizing content |
US20140293344A1 (en) * | 2013-03-29 | 2014-10-02 | Kyocera Document Solutions Inc. | Image forming apparatus, image forming method, and computer-readable non-transitory recording medium having image forming program recorded thereon |
US8892495B2 (en) | 1991-12-23 | 2014-11-18 | Blanding Hovenweep, Llc | Adaptive pattern recognition based controller apparatus and method and human-interface therefore |
US8904478B2 (en) | 2005-12-29 | 2014-12-02 | Nextlabs, Inc. | Inspecting code and reducing code size associated to a target |
US9177176B2 (en) | 2006-02-27 | 2015-11-03 | Broadcom Corporation | Method and system for secure system-on-a-chip architecture for multimedia data processing |
US9195811B2 (en) | 2013-07-03 | 2015-11-24 | Airwatch Llc | Functionality watermarking and management |
US9202025B2 (en) | 2013-07-03 | 2015-12-01 | Airwatch Llc | Enterprise-specific functionality watermarking and management |
US9209975B2 (en) | 2008-10-15 | 2015-12-08 | Ricoh Company, Ltd. | Secure access of electronic documents and data from client terminal |
US20160052498A1 (en) * | 2014-08-21 | 2016-02-25 | Toyota Jidosha Kabushiki Kaisha | Brake-Hydraulic-Pressure Control Device |
US9489318B2 (en) | 2006-06-19 | 2016-11-08 | Broadcom Corporation | Method and system for accessing protected memory |
US20160335420A1 (en) * | 2014-12-05 | 2016-11-17 | Business Partners Limited | Secure Document Management |
US20160350134A1 (en) * | 2015-05-28 | 2016-12-01 | Google Inc. | Personal assistant providing predictive intelligence using enterprise content |
US9535563B2 (en) | 1999-02-01 | 2017-01-03 | Blanding Hovenweep, Llc | Internet appliance system and method |
US9552463B2 (en) | 2013-07-03 | 2017-01-24 | Airwatch Llc | Functionality watermarking and management |
US9584437B2 (en) | 2013-06-02 | 2017-02-28 | Airwatch Llc | Resource watermarking and management |
US9614813B2 (en) | 2008-07-21 | 2017-04-04 | Workshare Technology, Inc. | Methods and systems to implement fingerprint lookups across remote agents |
US9652637B2 (en) | 2005-05-23 | 2017-05-16 | Avago Technologies General Ip (Singapore) Pte. Ltd. | Method and system for allowing no code download in a code download scheme |
US20170150322A1 (en) * | 2015-11-24 | 2017-05-25 | Fortinet, Inc. | Associating position information collected by a mobile device with amanaged network appliance |
US9665723B2 (en) | 2013-08-15 | 2017-05-30 | Airwatch, Llc | Watermarking detection and management |
US20170206401A1 (en) * | 2016-01-19 | 2017-07-20 | Magic Leap, Inc. | Eye image combination |
US9829114B2 (en) | 2014-08-21 | 2017-11-28 | Toyota Jidosha Kabushiki Kaisha | Pressure regulator and hydraulic brake system for vehicle equipped with the same |
US9904809B2 (en) | 2006-02-27 | 2018-02-27 | Avago Technologies General Ip (Singapore) Pte. Ltd. | Method and system for multi-level security initialization and configuration |
US20180096060A1 (en) * | 2015-04-16 | 2018-04-05 | Docauthority Ltd. | Structural document classification |
US20180196623A1 (en) * | 2017-01-06 | 2018-07-12 | Color123, Ltd. | Print output management system and the method of operation thereof |
US10088990B2 (en) * | 2013-02-13 | 2018-10-02 | Dropbox, Inc. | Seamless editing and saving of online content items using applications |
US10133723B2 (en) | 2014-12-29 | 2018-11-20 | Workshare Ltd. | System and method for determining document version geneology |
US10229284B2 (en) * | 2007-02-21 | 2019-03-12 | Palantir Technologies Inc. | Providing unique views of data based on changes or rules |
WO2019157578A1 (en) * | 2018-02-15 | 2019-08-22 | Inttelix Brasil Tecnologia E Sistemas Ltda | Device and system for managing access to equipment by means of facial recognition |
US20190268307A1 (en) * | 2018-02-26 | 2019-08-29 | Mcafee, Llc | Gateway with access checkpoint |
US10445572B2 (en) | 2010-11-29 | 2019-10-15 | Workshare Technology, Inc. | Methods and systems for monitoring documents exchanged over email applications |
US10540510B2 (en) * | 2011-09-06 | 2020-01-21 | Ricoh Company, Ltd. | Approach for managing access to data on client devices |
US10574729B2 (en) | 2011-06-08 | 2020-02-25 | Workshare Ltd. | System and method for cross platform document sharing |
US10581887B1 (en) * | 2017-05-31 | 2020-03-03 | Ca, Inc. | Employing a relatively simple machine learning classifier to explain evidence that led to a security action decision by a relatively complex machine learning classifier |
USRE48159E1 (en) * | 2006-08-23 | 2020-08-11 | Threatstop, Inc. | Method and system for propagating network policy |
US10783326B2 (en) | 2013-03-14 | 2020-09-22 | Workshare, Ltd. | System for tracking changes in a collaborative document editing environment |
US10798098B2 (en) | 2015-05-28 | 2020-10-06 | Google Llc | Access control for enterprise knowledge |
CN112104791A (en) * | 2020-09-10 | 2020-12-18 | 珠海奔图电子有限公司 | Image forming control method, image forming apparatus, and electronic device |
US10880359B2 (en) | 2011-12-21 | 2020-12-29 | Workshare, Ltd. | System and method for cross platform document sharing |
US10911492B2 (en) | 2013-07-25 | 2021-02-02 | Workshare Ltd. | System and method for securing documents prior to transmission |
US20210090371A1 (en) * | 2019-09-24 | 2021-03-25 | International Business Machines Corporation | Content validation document transmission |
US10963578B2 (en) | 2008-11-18 | 2021-03-30 | Workshare Technology, Inc. | Methods and systems for preventing transmission of sensitive data from a remote computer device |
US10977361B2 (en) | 2017-05-16 | 2021-04-13 | Beyondtrust Software, Inc. | Systems and methods for controlling privileged operations |
US11030163B2 (en) | 2011-11-29 | 2021-06-08 | Workshare, Ltd. | System for tracking and displaying changes in a set of related electronic documents |
US11182551B2 (en) | 2014-12-29 | 2021-11-23 | Workshare Ltd. | System and method for determining document version geneology |
US11341191B2 (en) | 2013-03-14 | 2022-05-24 | Workshare Ltd. | Method and system for document retrieval with selective document comparison |
US11386394B2 (en) | 2011-06-08 | 2022-07-12 | Workshare, Ltd. | Method and system for shared document approval |
US11392550B2 (en) | 2011-06-23 | 2022-07-19 | Palantir Technologies Inc. | System and method for investigating large amounts of data |
US11503035B2 (en) * | 2017-04-10 | 2022-11-15 | The University Of Memphis Research Foundation | Multi-user permission strategy to access sensitive information |
US11528149B2 (en) | 2019-04-26 | 2022-12-13 | Beyondtrust Software, Inc. | Root-level application selective configuration |
US11567907B2 (en) | 2013-03-14 | 2023-01-31 | Workshare, Ltd. | Method and system for comparing document versions encoded in a hierarchical representation |
US11763013B2 (en) | 2015-08-07 | 2023-09-19 | Workshare, Ltd. | Transaction document management system and method |
US12050604B2 (en) | 2015-02-20 | 2024-07-30 | Threatstop, Inc. | Normalization and extraction of log data |

Families Citing this family (27)

Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100544478B1 (en) * | 2003-12-01 | 2006-01-24 | 삼성전자주식회사 | Device, system and method of authorizing to print information according to security level |
JP2006331203A (en) * | 2005-05-27 | 2006-12-07 | Ricoh Co Ltd | System and apparatus for printing, program, and recording medium |
JP4881615B2 (en) * | 2005-12-23 | 2012-02-22 | パナソニック株式会社 | Identification management system for authentication of electronic devices |
EP1840777A1 (en) * | 2006-03-27 | 2007-10-03 | Mediasec Technologies GmbH | Method for inserting a digital marking in a digital document |
US8452711B2 (en) * | 2006-04-18 | 2013-05-28 | Xerox Corporation | System and method to prevent unauthorized copying of a document |
JP4879785B2 (en) * | 2007-03-19 | 2012-02-22 | 株式会社リコー | Information processing apparatus, information processing method, and information processing system |
US8115951B2 (en) | 2007-04-20 | 2012-02-14 | Ricoh Company, Ltd. | Approach for implementing locked printing with unlock via a user input device |
US8797563B2 (en) * | 2008-03-31 | 2014-08-05 | Ricoh Company, Ltd. | Approach for printing policy-enabled electronic documents using locked printing |
US9311031B2 (en) * | 2008-03-31 | 2016-04-12 | Ricoh Company, Ltd. | Approach for printing policy-enabled electronic documents using locked printing and a shared memory data structure |
US9513857B2 (en) * | 2008-03-31 | 2016-12-06 | Ricoh Company, Ltd. | Approach for processing print data using password control data |
EP2113850A3 (en) * | 2008-04-30 | 2009-11-11 | Ricoh Company, Limited | Managing electronic data with index data corresponding to said electronic data and secure access of electronic documents and data from client terminal |
US9411956B2 (en) * | 2008-07-02 | 2016-08-09 | Ricoh Company, Ltd. | Locked print with intruder detection and management |
JP2011003116A (en) * | 2009-06-22 | 2011-01-06 | Fuji Xerox Co Ltd | Information processor and program |
US8489685B2 (en) | 2009-07-17 | 2013-07-16 | Aryaka Networks, Inc. | Application acceleration as a service system and method |
US8495730B2 (en) | 2009-10-12 | 2013-07-23 | International Business Machines Corporation | Dynamically constructed capability for enforcing object access order |
JP4951092B2 (en) * | 2010-06-03 | 2012-06-13 | 株式会社東芝 | Access control program and apparatus |
JP5708197B2 (en) * | 2011-04-21 | 2015-04-30 | 富士ゼロックス株式会社 | Information processing apparatus and program |
US9600684B2 (en) * | 2012-11-15 | 2017-03-21 | International Business Machines Corporation | Destruction of sensitive information |
KR20140108749A (en) * | 2013-02-27 | 2014-09-15 | 한국전자통신연구원 | Apparatus for generating privacy-protecting document authentication information and method of privacy-protecting document authentication using the same |
JP6579735B2 (en) * | 2014-08-05 | 2019-09-25 | キヤノン株式会社 | Information processing system, information processing apparatus, information processing system control method, information processing apparatus control method, and program |
US10986131B1 (en) * | 2014-12-17 | 2021-04-20 | Amazon Technologies, Inc. | Access control policy warnings and suggestions |
US10043030B1 (en) | 2015-02-05 | 2018-08-07 | Amazon Technologies, Inc. | Large-scale authorization data collection and aggregation |
US11314858B2 (en) * | 2018-10-10 | 2022-04-26 | Comcast Cable Communications, Llc | Event monitoring |
US11122054B2 (en) | 2019-08-27 | 2021-09-14 | Bank Of America Corporation | Security tool |
US11595385B2 (en) * | 2019-11-26 | 2023-02-28 | Twingate, Inc. | Secure controlled access to protected resources |
JP2022098940A (en) * | 2020-12-22 | 2022-07-04 | 富士フイルムビジネスイノベーション株式会社 | Information processor and information processing program |
US12079314B2 (en) * | 2021-08-03 | 2024-09-03 | Dell Products, L.P. | Intelligent orchestration of digital watermarking using a platform framework |

Citations (16)

Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US3638612A (en) * | 1969-04-24 | 1972-02-01 | Int Standard Electric Corp | Apparatus for marking conductor cables |
US4457258A (en) * | 1983-01-04 | 1984-07-03 | Cocks Eric H | Marking apparatus for paints and inks |
US4503437A (en) * | 1981-10-26 | 1985-03-05 | Siemens Aktiengesellschaft | Ink jet color-coding method for leads |
US4877645A (en) * | 1988-02-26 | 1989-10-31 | American Telephone & Telegraph At&T Technologies, Inc. | Methods of and apparatus for applying a coating material to elongated material |
US5032850A (en) * | 1989-12-18 | 1991-07-16 | Tokyo Electric Co., Ltd. | Method and apparatus for vapor jet printing |
US5153025A (en) * | 1989-12-22 | 1992-10-06 | Kabelmetal Electro Gesellschaft Mit Beschrankter Haftung | Method for the continuous marking of elongated material |
US5444466A (en) * | 1991-03-11 | 1995-08-22 | Electronic Cable Specialists, Inc. | Wire marking system and method |
US5715403A (en) * | 1994-11-23 | 1998-02-03 | Xerox Corporation | System for controlling the distribution and use of digital works having attached usage rights where the usage rights are defined by a usage rights grammar |
US6105027A (en) * | 1997-03-10 | 2000-08-15 | Internet Dynamics, Inc. | Techniques for eliminating redundant access checking by access filters |
US6233684B1 (en) * | 1997-02-28 | 2001-05-15 | Contentguard Holdings, Inc. | System for controlling the distribution and use of rendered digital works through watermarking |
US6236971B1 (en) * | 1994-11-23 | 2001-05-22 | Contentguard Holdings, Inc. | System for controlling the distribution and use of digital works using digital tickets |
US20010019604A1 (en) * | 1998-09-15 | 2001-09-06 | In Touch Technologies Limited, British Virgin Islands | Enhanced communication platform and related communication method using the platform |
US6289450B1 (en) * | 1999-05-28 | 2001-09-11 | Authentica, Inc. | Information security architecture for encrypting documents for remote access while maintaining access control |
US20010023421A1 (en) * | 1999-12-16 | 2001-09-20 | International Business Machines Corporation | Access control system, access control method, storage medium and program transmission apparatus |
US20020077803A1 (en) * | 2000-09-08 | 2002-06-20 | Michiharu Kudoh | Access control system and methods |
US6725941B2 (en) * | 2000-05-18 | 2004-04-27 | Paul Edwards | Fire retardant delivery system |

Family Cites Families (16)

Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5629980A (en) | 1994-11-23 | 1997-05-13 | Xerox Corporation | System for controlling the distribution and use of digital works |
JP2000122977A (en) | 1997-02-28 | 2000-04-28 | Xerox Corp | System for controlling distribution and use of digital work and supply method for water mark |
US6275941B1 (en) * | 1997-03-28 | 2001-08-14 | Hitachi, Ltd. | Security management method for network system |
JP2996937B2 (en) | 1997-12-01 | 2000-01-11 | 三菱電機株式会社 | server |
US6233618B1 (en) * | 1998-03-31 | 2001-05-15 | Content Advisor, Inc. | Access control of networked data |
JPH11338825A (en) | 1998-05-29 | 1999-12-10 | Hitachi Ltd | Access control method considering configuration of organization |
JP3349978B2 (en) | 1999-02-10 | 2002-11-25 | 三菱電機株式会社 | Access control method in computer system |
JP2001142874A (en) | 1999-11-16 | 2001-05-25 | Ricoh Co Ltd | Document managing system |
EP1296250A1 (en) | 2000-06-30 | 2003-03-26 | Matsushita Electric Industrial Co., Ltd. | User information control device |
JP4089171B2 (en) | 2001-04-24 | 2008-05-28 | 株式会社日立製作所 | Computer system |
JP4280036B2 (en) | 2001-08-03 | 2009-06-17 | パナソニック株式会社 | Access right control system |
JP2003069595A (en) | 2001-08-24 | 2003-03-07 | Sanyo Electric Co Ltd | Access control system |
JP3862553B2 (en) | 2001-11-22 | 2006-12-27 | キヤノン株式会社 | Document management system |
JP2004094401A (en) | 2002-08-29 | 2004-03-25 | Ricoh Co Ltd | Security policy distributing system, device operating on the basis of security policy, security policy distributing method, security policy distributing program, and recording medium with program recorded thereon |
JP2004102907A (en) | 2002-09-12 | 2004-04-02 | Ricoh Co Ltd | Security policy description method, recording medium and transmitter |
JP2004280227A (en) | 2003-03-13 | 2004-10-07 | E4C-Link Corp | Documentation management system |

- 2004
  - 2004-06-22: US application US10/872,574, published as US20050021980A1, not active (Abandoned)
  - 2004-06-22: EP application EP04014618A, published as EP1507402A3, not active (Ceased)
- 2008
  - 2008-11-21: US application US12/275,796, published as US8302205B2, not active (Expired - Fee Related)

Patent Citations (17)

Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US3638612A (en) * | 1969-04-24 | 1972-02-01 | Int Standard Electric Corp | Apparatus for marking conductor cables |
US4503437A (en) * | 1981-10-26 | 1985-03-05 | Siemens Aktiengesellschaft | Ink jet color-coding method for leads |
US4457258A (en) * | 1983-01-04 | 1984-07-03 | Cocks Eric H | Marking apparatus for paints and inks |
US4877645A (en) * | 1988-02-26 | 1989-10-31 | American Telephone & Telegraph At&T Technologies, Inc. | Methods of and apparatus for applying a coating material to elongated material |
US5032850A (en) * | 1989-12-18 | 1991-07-16 | Tokyo Electric Co., Ltd. | Method and apparatus for vapor jet printing |
US5153025A (en) * | 1989-12-22 | 1992-10-06 | Kabelmetal Electro Gesellschaft Mit Beschrankter Haftung | Method for the continuous marking of elongated material |
US5444466A (en) * | 1991-03-11 | 1995-08-22 | Electronic Cable Specialists, Inc. | Wire marking system and method |
US6236971B1 (en) * | 1994-11-23 | 2001-05-22 | Contentguard Holdings, Inc. | System for controlling the distribution and use of digital works using digital tickets |
US5715403A (en) * | 1994-11-23 | 1998-02-03 | Xerox Corporation | System for controlling the distribution and use of digital works having attached usage rights where the usage rights are defined by a usage rights grammar |
US6233684B1 (en) * | 1997-02-28 | 2001-05-15 | Contentguard Holdings, Inc. | System for controlling the distribution and use of rendered digital works through watermarking |
US6105027A (en) * | 1997-03-10 | 2000-08-15 | Internet Dynamics, Inc. | Techniques for eliminating redundant access checking by access filters |
US20010019604A1 (en) * | 1998-09-15 | 2001-09-06 | In Touch Technologies Limited, British Virgin Islands | Enhanced communication platform and related communication method using the platform |
US6289450B1 (en) * | 1999-05-28 | 2001-09-11 | Authentica, Inc. | Information security architecture for encrypting documents for remote access while maintaining access control |
US20010023421A1 (en) * | 1999-12-16 | 2001-09-20 | International Business Machines Corporation | Access control system, access control method, storage medium and program transmission apparatus |
US6647388B2 (en) * | 1999-12-16 | 2003-11-11 | International Business Machines Corporation | Access control system, access control method, storage medium and program transmission apparatus |
US6725941B2 (en) * | 2000-05-18 | 2004-04-27 | Paul Edwards | Fire retardant delivery system |
US20020077803A1 (en) * | 2000-09-08 | 2002-06-20 | Michiharu Kudoh | Access control system and methods |

Cited By (224)

Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8892495B2 (en) | 1991-12-23 | 2014-11-18 | Blanding Hovenweep, Llc | Adaptive pattern recognition based controller apparatus and method and human-interface therefore |
US9535563B2 (en) | 1999-02-01 | 2017-01-03 | Blanding Hovenweep, Llc | Internet appliance system and method |
US10021525B2 (en) | 2000-07-24 | 2018-07-10 | Locator IP, L.P. | Interactive weather advisory system |
US9668091B2 (en) | 2000-07-24 | 2017-05-30 | Locator IP, L.P. | Interactive weather advisory system |
US20060294147A1 (en) * | 2000-07-24 | 2006-12-28 | Root Steven A | Interactive weather advisory system |
US9998295B2 (en) | 2000-07-24 | 2018-06-12 | Locator IP, L.P. | Interactive advisory system |
US9204252B2 (en) | 2000-07-24 | 2015-12-01 | Locator IP, L.P. | Interactive advisory system |
US9197990B2 (en) | 2000-07-24 | 2015-11-24 | Locator Ip, Lp | Interactive advisory system |
US9191776B2 (en) | 2000-07-24 | 2015-11-17 | Locator Ip, Lp | Interactive advisory system |
US11108582B2 (en) | 2000-07-24 | 2021-08-31 | Locator IP, L.P. | Interactive weather advisory system |
US9661457B2 (en) | 2000-07-24 | 2017-05-23 | Locator Ip, Lp | Interactive advisory system |
US8909679B2 (en) | 2000-07-24 | 2014-12-09 | Locator Ip, Lp | Interactive advisory system |
US10411908B2 (en) | 2000-07-24 | 2019-09-10 | Locator IP, L.P. | Interactive advisory system |
US9560480B2 (en) | 2000-07-24 | 2017-01-31 | Locator Ip, Lp | Interactive advisory system |
US9554246B2 (en) | 2000-07-24 | 2017-01-24 | Locator Ip, Lp | Interactive weather advisory system |
US20050050008A1 (en) * | 2000-07-24 | 2005-03-03 | Root Steven A. | Interactive advisory system |
US8782739B2 (en) * | 2002-12-04 | 2014-07-15 | Cisco Technology, Inc. | Access list key compression |
US20080165783A1 (en) * | 2002-12-04 | 2008-07-10 | Cisco Technology, Inc. | Access list key compression |
US7827415B2 (en) | 2004-04-08 | 2010-11-02 | Ricoh Company, Ltd. | Image processing apparatus capable of authenticating document |
US20070245145A1 (en) * | 2004-04-08 | 2007-10-18 | Yoko Nishiyama | Image processing apparatus capable of authenticating document |
US8060937B2 (en) * | 2004-07-15 | 2011-11-15 | Lieberman Software Corporation | System for protecting domain system configurations from users with local privilege rights |
US20060015741A1 (en) * | 2004-07-15 | 2006-01-19 | Lieberman Software Corporation | System for protecting domain system configurations from users with local privilege rights |
US20060015477A1 (en) * | 2004-07-16 | 2006-01-19 | Kabushiki Kaisha Toshiba | Method for managing profiles and management system of profiles |
US20060017951A1 (en) * | 2004-07-22 | 2006-01-26 | Sharp Kabushiki Kaisha | Data output apparatus, system and method, and printer driver and storage medium |
US20060017970A1 (en) * | 2004-07-24 | 2006-01-26 | Samsung Electronics Co., Ltd. | Image forming system, apparatus and method |
US20060026434A1 (en) * | 2004-07-27 | 2006-02-02 | Konica Minolta Business Technologies, Inc. | Image forming apparatus and image forming system |
US20060031923A1 (en) * | 2004-08-04 | 2006-02-09 | Yoichi Kanai | Access control list attaching system, original content creator terminal, policy server, original content data management server, program and computer readable information recording medium |
US7561985B2 (en) | 2004-08-25 | 2009-07-14 | Ricoh Company, Ltd. | Maintenance mediation apparatus, maintenance target apparatus maintenance method, and maintenance system |
US20060047481A1 (en) * | 2004-08-25 | 2006-03-02 | Yoichi Kanai | Maintenance mediation apparatus, maintenance target apparatus maintenance method, and maintenance system |
US7216059B2 (en) | 2004-08-25 | 2007-05-08 | Ricoh Company, Ltd. | Maintenance mediation apparatus, maintenance target apparatus maintenance method, and maintenance system |
US20080133179A1 (en) * | 2004-08-25 | 2008-06-05 | Yoichi Kanai | Maintenance mediation apparatus, maintenance target apparatus maintenance method, and maintenance system |
US20060106775A1 (en) * | 2004-11-18 | 2006-05-18 | Microsoft Corporation | Multilevel device capabilities hierarchy |
US11150378B2 (en) | 2005-01-14 | 2021-10-19 | Locator IP, L.P. | Method of outputting weather/environmental information from weather/environmental sensors |
US20060161469A1 (en) * | 2005-01-14 | 2006-07-20 | Weatherbank, Inc. | Interactive advisory system |
US20060178140A1 (en) * | 2005-02-02 | 2006-08-10 | Steven Smith | Location-based data communications system and method |
US8832121B2 (en) | 2005-02-02 | 2014-09-09 | Accuweather, Inc. | Location-based data communications system and method |
US7870613B2 (en) * | 2005-03-02 | 2011-01-11 | Facetime Communications, Inc. | Automating software security restrictions on applications |
US8046831B2 (en) | 2005-03-02 | 2011-10-25 | Actiance, Inc. | Automating software security restrictions on system resources |
US20070261051A1 (en) * | 2005-03-02 | 2007-11-08 | Facetime Communications, Inc. | Automating software security restrictions on applications |
US20070209076A1 (en) * | 2005-03-02 | 2007-09-06 | Facetime Communications, Inc. | Automating software security restrictions on system resources |
US20060236113A1 (en) * | 2005-03-31 | 2006-10-19 | Mitsuru Uzawa | Information processing apparatus and method thereof |
US8122254B2 (en) * | 2005-03-31 | 2012-02-21 | Canon Kabushiki Kaisha | Information processing apparatus and method thereof |
US7716490B2 (en) | 2005-05-17 | 2010-05-11 | Ricoh Company, Ltd. | Access control apparatus, access control method, access control program, recording medium, access control data, and relation description data |
US20060265599A1 (en) * | 2005-05-17 | 2006-11-23 | Yoichi Kanai | Access control apparatus, access control method, access control program, recording medium, access control data, and relation description data |
US7913289B2 (en) * | 2005-05-23 | 2011-03-22 | Broadcom Corporation | Method and apparatus for security policy and enforcing mechanism for a set-top box security processor |
US8347357B2 (en) | 2005-05-23 | 2013-01-01 | Broadcom Corporation | Method and apparatus for constructing an access control matrix for a set-top box security processor |
US20060265733A1 (en) * | 2005-05-23 | 2006-11-23 | Xuemin Chen | Method and apparatus for security policy and enforcing mechanism for a set-top box security processor |
US9652637B2 (en) | 2005-05-23 | 2017-05-16 | Avago Technologies General Ip (Singapore) Pte. Ltd. | Method and system for allowing no code download in a code download scheme |
US20110072490A1 (en) * | 2005-05-23 | 2011-03-24 | Broadcom Corporation | Method and apparatus for constructing an access control matrix for a set-top box security |
US8305656B2 (en) * | 2005-05-24 | 2012-11-06 | Canon Kabushiki Kaisha | Image reading apparatus, image forming apparatus incorporating the same, image reading control method therefor, and program implementing the method |
US20060274384A1 (en) * | 2005-05-24 | 2006-12-07 | Canon Kabushiki Kaisha | Image reading apparatus, image forming apparatus incorporating the same, image reading control method therefor, and program implementing the method |
US20060277185A1 (en) * | 2005-06-06 | 2006-12-07 | Akiko Sato | Access control server, a user terminal, and an information access control, method |
US20060294152A1 (en) * | 2005-06-27 | 2006-12-28 | Shigehisa Kawabe | Document management server, document management system, computer readable recording medium, document management method, client of document management system, and node |
US8086570B2 (en) * | 2005-06-27 | 2011-12-27 | Fuji Xerox Co., Ltd. | Secure document management using distributed hashing |
US20090066990A1 (en) * | 2005-08-22 | 2009-03-12 | Hidekazu Segawa | Image processing system, image processing method, image processing program, and image forming apparatus |
US20070097448A1 (en) * | 2005-11-02 | 2007-05-03 | Canon Kabushiki Kaisha | Print system and access control method thereof, access control program, information processing device, and storage medium |
US20070103715A1 (en) * | 2005-11-04 | 2007-05-10 | Hiroaki Nakata | Printing management system and printing management method |
US8199356B2 (en) * | 2005-11-04 | 2012-06-12 | Canon Kabushiki Kaisha | Printing management system and printing management method |
US20070118650A1 (en) * | 2005-11-21 | 2007-05-24 | Konica Minolta Business Technologies, Inc. | Data input/output system, data input/output server, and data input/output method |
US8042146B2 (en) | 2005-12-06 | 2011-10-18 | Fuji Xerox Co., Ltd. | Apparatus and method for generating an electronic document, and storage medium |
US20070136292A1 (en) * | 2005-12-06 | 2007-06-14 | Hiromi Ohara | Apparatus and method for generating an electronic document, and storage medium |
US8456653B2 (en) | 2005-12-12 | 2013-06-04 | Canon Kabushiki Kaisha | Data processing apparatus for producing print job data whose authority is managed by external server, and image processing apparatus for printing a print job whose authority is managed by external server |
US20070133044A1 (en) * | 2005-12-12 | 2007-06-14 | Canon Kabushiki Kaisha | Data processing apparatus, image processing apparatus, print job production method, and print job output method |
US7987494B1 (en) * | 2005-12-19 | 2011-07-26 | Adobe Systems Incorporated | Method and apparatus providing end to end protection for a document |
US8264703B2 (en) * | 2005-12-27 | 2012-09-11 | Canon Kabushiki Kaisha | Information processing method and apparatus thereof |
US20070146768A1 (en) * | 2005-12-27 | 2007-06-28 | Takashi Isoda | Information processing method and apparatus thereof |
US9384363B2 (en) | 2005-12-29 | 2016-07-05 | Nextlabs, Inc. | Deploying policies and allowing off-line policy evaluations |
US20070156694A1 (en) * | 2005-12-29 | 2007-07-05 | Blue Jungle | Techniques and system to manage access of information using policies |
US8904478B2 (en) | 2005-12-29 | 2014-12-02 | Nextlabs, Inc. | Inspecting code and reducing code size associated to a target |
US8875218B2 (en) * | 2005-12-29 | 2014-10-28 | Nextlabs, Inc. | Deploying policies and allowing off-line policy evaluations |
US8640191B2 (en) | 2005-12-29 | 2014-01-28 | Nextlabs, Inc. | Inspecting code and reducing code size associated to a target |
US20070156727A1 (en) * | 2005-12-29 | 2007-07-05 | Blue Jungle | Associating Code To a Target Through Code Inspection |
US20070157288A1 (en) * | 2005-12-29 | 2007-07-05 | Blue Jungle | Deploying Policies and Allowing Off-Line Policy Evaluations |
US9081981B2 (en) * | 2005-12-29 | 2015-07-14 | Nextlabs, Inc. | Techniques and system to manage access of information using policies |
US20150324602A1 (en) * | 2005-12-29 | 2015-11-12 | Nextlabs, Inc. | Managing Access of Information Using Policies |
US9684795B2 (en) | 2005-12-29 | 2017-06-20 | Nextlabs, Inc. | Inspecting code and reducing code size associated to a target |
US9740703B2 (en) | 2005-12-29 | 2017-08-22 | Nextlabs, Inc. | Deploying policies and allowing offline policy evaluation |
US8156566B2 (en) * | 2005-12-29 | 2012-04-10 | Nextlabs, Inc. | Associating code to a target through code inspection |
US9203868B2 (en) | 2005-12-29 | 2015-12-01 | Nextlabs, Inc. | Inspecting code and reducing code size associated to a target |
US10181047B2 (en) * | 2005-12-29 | 2019-01-15 | Nextlabs, Inc. | Managing access of information using policies |
US10362435B2 (en) | 2006-01-19 | 2019-07-23 | Locator IP, L.P. | Interactive advisory system |
US8611927B2 (en) | 2006-01-19 | 2013-12-17 | Locator Ip, Lp | Interactive advisory system |
US9094798B2 (en) | 2006-01-19 | 2015-07-28 | Locator IP, L.P. | Interactive advisory system |
US9215554B2 (en) | 2006-01-19 | 2015-12-15 | Locator IP, L.P. | Interactive advisory system |
US9210541B2 (en) | 2006-01-19 | 2015-12-08 | Locator IP, L.P. | Interactive advisory system |
US20070174896A1 (en) * | 2006-01-25 | 2007-07-26 | Hiroshi Furuya | Security policy assignment apparatus and method and storage medium stored with security policy assignment program |
US20070174610A1 (en) * | 2006-01-25 | 2007-07-26 | Hiroshi Furuya | Security policy assignment apparatus and method and storage medium stored with security policy assignment program |
US7558704B2 (en) | 2006-01-27 | 2009-07-07 | Ricoh Company, Ltd. | Method and device for time verifying measurement data |
US20070179748A1 (en) * | 2006-01-27 | 2007-08-02 | Yoichi Kanai | Measuring device, measuring method, measuring program product, measurement data editing device, measurement data editing method, measurement data editing program product, measurement time verifying device, measurement time verifying method and measurement time verifying program product |
US9904809B2 (en) | 2006-02-27 | 2018-02-27 | Avago Technologies General Ip (Singapore) Pte. Ltd. | Method and system for multi-level security initialization and configuration |
US9177176B2 (en) | 2006-02-27 | 2015-11-03 | Broadcom Corporation | Method and system for secure system-on-a-chip architecture for multimedia data processing |
US20070211954A1 (en) * | 2006-03-08 | 2007-09-13 | Fuji Xerox Co., Ltd. | Image-Processing Control Device, Image-Processing Control Method, And Image-Processing Control Program Storage Medium |
US9489318B2 (en) | 2006-06-19 | 2016-11-08 | Broadcom Corporation | Method and system for accessing protected memory |
US20070299969A1 (en) * | 2006-06-22 | 2007-12-27 | Fuji Xerox Co., Ltd. | Document Management Server, Method, Storage Medium And Computer Data Signal, And System For Managing Document Use |
US20070299880A1 (en) * | 2006-06-22 | 2007-12-27 | Fuji Xerox Co., Ltd. | Document Management Server, Document Management Method, Computer Readable Medium, Computer Data Signal, and System For Managing Document Use |
US8069243B2 (en) | 2006-06-22 | 2011-11-29 | Fuji Xerox Co., Ltd. | Document management server, method, storage medium and computer data signal, and system for managing document use |
US8826374B2 (en) | 2006-07-13 | 2014-09-02 | Ricoh Company, Ltd. | Approach for securely processing an electronic document |
US8239966B2 (en) * | 2006-07-13 | 2012-08-07 | Ricoh Company, Ltd. | Approach for securely processing an electronic document |
US20080016549A1 (en) * | 2006-07-13 | 2008-01-17 | Brian Smithson | Approach for securely processing an electronic document |
US20080016548A1 (en) * | 2006-07-13 | 2008-01-17 | Brian Smithson | Approach for securely processing an electronic document |
US8151363B2 (en) * | 2006-07-13 | 2012-04-03 | Ricoh Company, Ltd. | Approach for securely processing an electronic document |
US20080043274A1 (en) * | 2006-08-16 | 2008-02-21 | Lida Wang | Secure printing system with privilege table referenced across different domains |
USRE48159E1 (en) * | 2006-08-23 | 2020-08-11 | Threatstop, Inc. | Method and system for propagating network policy |
USRE50068E1 (en) | 2006-08-23 | 2024-07-30 | Threatstop, Inc. | Method and system for propagating network policy |
US20080057907A1 (en) * | 2006-09-06 | 2008-03-06 | Fuji Xerox Co., Ltd. | Service Usage Control System, Service Usage Controller, Method For The Same, Computer Readable Medium For The Same, And Computer Data Signal of The Same |
US20080077996A1 (en) * | 2006-09-25 | 2008-03-27 | Fuji Xerox Co., Ltd. | Documents manipulation authentication apparatus, document manipulation apparatus, image formation apparatus, document manipulation authentication system, computer readable medium and computer data signal |
US8191156B2 (en) * | 2006-09-25 | 2012-05-29 | Fuji Xerox Co., Ltd. | Documents manipulation authentication apparatus, document manipulation apparatus, image formation apparatus, document manipulation authentication system, computer readable medium and computer data signal |
US20080098455A1 (en) * | 2006-10-20 | 2008-04-24 | Canon Kabushiki Kaisha | Document management system and document management method |
US8561128B2 (en) * | 2006-10-20 | 2013-10-15 | Canon Kabushiki Kaisha | Document management system and document management method |
US20080133618A1 (en) * | 2006-12-04 | 2008-06-05 | Fuji Xerox Co., Ltd. | Document providing system and computer-readable storage medium |
US8719691B2 (en) | 2006-12-04 | 2014-05-06 | Fuji Xerox Co., Ltd. | Document providing system and computer-readable storage medium |
US8402060B2 (en) * | 2006-12-07 | 2013-03-19 | Sap Ag | Software for managing data between a client and server |
US20080141237A1 (en) * | 2006-12-07 | 2008-06-12 | Sap Ag | Software for managing data between a client and server |
US20080162944A1 (en) * | 2006-12-28 | 2008-07-03 | Fuji Xerox Co., Ltd. | Information processing apparatus, information processing system, and computer readable storage medium |
US20080178303A1 (en) * | 2007-01-19 | 2008-07-24 | Fuji Xerox Co., Ltd. | Information-processing apparatus, information-processing system, information-processing method, computer-readable medium, and computer data signal |
US20090125472A1 (en) * | 2007-01-25 | 2009-05-14 | Fuji Xerox Co., Ltd. | Information processing apparatus, information processing system, information processing method, and computer readable storage medium |
US7925609B2 (en) | 2007-01-25 | 2011-04-12 | Fuji Xerox Co., Ltd. | Information processing apparatus, information processing system, information processing method, and computer readable storage medium |
US10229284B2 (en) * | 2007-02-21 | 2019-03-12 | Palantir Technologies Inc. | Providing unique views of data based on changes or rules |
US8634814B2 (en) | 2007-02-23 | 2014-01-21 | Locator IP, L.P. | Interactive advisory system for prioritizing content |
US9237416B2 (en) | 2007-02-23 | 2016-01-12 | Locator IP, L.P. | Interactive advisory system for prioritizing content |
US10021514B2 (en) | 2007-02-23 | 2018-07-10 | Locator IP, L.P. | Interactive advisory system for prioritizing content |
US10616708B2 (en) | 2007-02-23 | 2020-04-07 | Locator Ip, Lp | Interactive advisory system for prioritizing content |
US20080239346A1 (en) * | 2007-03-28 | 2008-10-02 | Hitachi, Ltd. | Copy machine control apparatus and copy machine control method |
US20080243831A1 (en) * | 2007-04-02 | 2008-10-02 | Fuji Xerox Co., Ltd. | Information processing apparatus, information processing system, and storage medium |
US20080313037A1 (en) * | 2007-06-15 | 2008-12-18 | Root Steven A | Interactive advisory system |
US20090044283A1 (en) * | 2007-08-07 | 2009-02-12 | Fuji Xerox Co., Ltd. | Document management apparatus, document management system and method, and computer-readable medium |
US20090077086A1 (en) * | 2007-09-19 | 2009-03-19 | International Business Machines Corporation | Policy-based method for configuring an access control service |
US8024771B2 (en) * | 2007-09-19 | 2011-09-20 | International Business Machines Corporation | Policy-based method for configuring an access control service |
US20090327293A1 (en) * | 2007-10-02 | 2009-12-31 | Fuji Xerox Co., Ltd. | Information processing apparatus, information processing system, storage medium, information processing method, and data signal |
US7912859B2 (en) | 2007-10-02 | 2011-03-22 | Fuji Xerox Co., Ltd. | Information processing apparatus, system, and method for managing documents used in an organization |
US20100313240A1 (en) * | 2007-11-29 | 2010-12-09 | Sounghyun Kim | Authentication system and method between server and client |
US20090165084A1 (en) * | 2007-12-25 | 2009-06-25 | Fuji Xerox Co., Ltd. | Security policy switching device, security policy management system, and storage medium |
US8656450B2 (en) | 2007-12-25 | 2014-02-18 | Fuji Xerox Co., Ltd. | Security policy switching device, security policy management system, and storage medium |
US20090271610A1 (en) * | 2008-04-28 | 2009-10-29 | Seiko Epson Corporation | Multi-Function Apparatus and Method of Restricting Use of Multi-Function Apparatus |
US20090276413A1 (en) * | 2008-04-30 | 2009-11-05 | Ricoh Company, Ltd | Managing electronic data with index data corresponding to said electronic data |
US8095541B2 (en) | 2008-04-30 | 2012-01-10 | Ricoh Company, Ltd. | Managing electronic data with index data corresponding to said electronic data |
US20090276846A1 (en) * | 2008-05-01 | 2009-11-05 | Seiko Epson Corporation | Multi-Function Apparatus and Method of Restricting Use of Multi-Function Apparatus |
US8302151B2 (en) * | 2008-06-02 | 2012-10-30 | International Business Machines Corporation | Improving comprehension of information in a security enhanced environment by representing the information in audio form |
US20090300708A1 (en) * | 2008-06-02 | 2009-12-03 | International Business Machines Corporation | Method for Improving Comprehension of Information in a Security Enhanced Environment by Representing the Information in Audio Form |
US8341734B1 (en) * | 2008-06-27 | 2012-12-25 | Symantec Corporation | Method and system to audit physical copy data leakage |
US9146953B1 (en) | 2008-06-27 | 2015-09-29 | Symantec Corporation | Method and system to audit physical copy data leakage |
US9614813B2 (en) | 2008-07-21 | 2017-04-04 | Workshare Technology, Inc. | Methods and systems to implement fingerprint lookups across remote agents |
US9727745B2 (en) | 2008-09-24 | 2017-08-08 | S-Printing Solution Co., Ltd. | Data transmitting method of image forming apparatus and image forming apparatus for performing data transmitting method |
US8773705B2 (en) | 2008-09-24 | 2014-07-08 | Samsung Electronics Co., Ltd. | Data transmitting method of image forming apparatus and image forming apparatus for performing data transmitting method |
US20100073730A1 (en) * | 2008-09-24 | 2010-03-25 | Samsung Electronics Co., Ltd | Data transmitting method of image forming apparatus and image forming apparatus for performing data transmitting method |
US8438368B2 (en) * | 2008-09-24 | 2013-05-07 | Fuji Xerox Co., Ltd. | Processing apparatus, processing system, and computer readable medium |
US20100077186A1 (en) * | 2008-09-24 | 2010-03-25 | Fuji Xerox Co., Ltd. | Processing apparatus, processing system, and computer readable medium |
US9209975B2 (en) | 2008-10-15 | 2015-12-08 | Ricoh Company, Ltd. | Secure access of electronic documents and data from client terminal |
US10963578B2 (en) | 2008-11-18 | 2021-03-30 | Workshare Technology, Inc. | Methods and systems for preventing transmission of sensitive data from a remote computer device |
US8176535B2 (en) | 2008-11-25 | 2012-05-08 | Fuji Xerox Co., Ltd. | Information processing system, information processing method, and computer readable medium |
US8799321B2 (en) * | 2008-12-25 | 2014-08-05 | Fuji Xerox Co., Ltd. | License management apparatus, license management method, and computer readable medium |
US20100169982A1 (en) * | 2008-12-25 | 2010-07-01 | Fuji Xerox Co., Ltd. | License management apparatus, license management method, and computer readable medium |
US8613108B1 (en) * | 2009-03-26 | 2013-12-17 | Adobe Systems Incorporated | Method and apparatus for location-based digital rights management |
US20100332653A1 (en) * | 2009-06-29 | 2010-12-30 | Kabushiki Kaisha Toshiba | Image forming apparatus and image forming method |
US8456659B2 (en) * | 2009-09-09 | 2013-06-04 | Kabushiki Kaisha Toshiba | Access control system, apparatus, and program |
US8599397B2 (en) * | 2009-09-09 | 2013-12-03 | Kabushiki Kaisha Toshiba | Access control system, apparatus, and program |
US20120162688A1 (en) * | 2009-09-09 | 2012-06-28 | Tatsuro Ikeda | Access control system, apparatus, and program |
US20130004078A1 (en) * | 2010-03-31 | 2013-01-03 | Toshiba Solutions Corporation | Document management system, evaluation device, data output control device, document management method and document management program |
CN102834841A (en) * | 2010-03-31 | 2012-12-19 | 株式会社东芝 | Document management system, evaluation device, data output control device, document management method and document management program |
US9104845B2 (en) * | 2010-03-31 | 2015-08-11 | Nec Corporation | Digital content management system, verification device, programs thereof, and data processing method |
US20130022230A1 (en) * | 2010-03-31 | 2013-01-24 | Nec Corporation | Digital content management system, verification device, program thereof, and data processing method |
US20130219462A1 (en) * | 2010-09-22 | 2013-08-22 | International Business Machines Corporation | Generating a distrubition package having an access control execution program for implementing an access control mechanism and loading unit for a client |
US9501628B2 (en) * | 2010-09-22 | 2016-11-22 | International Business Machines Corporation | Generating a distrubition package having an access control execution program for implementing an access control mechanism and loading unit for a client |
US10445572B2 (en) | 2010-11-29 | 2019-10-15 | Workshare Technology, Inc. | Methods and systems for monitoring documents exchanged over email applications |
US11042736B2 (en) | 2010-11-29 | 2021-06-22 | Workshare Technology, Inc. | Methods and systems for monitoring documents exchanged over computer networks |
US10963584B2 (en) * | 2011-06-08 | 2021-03-30 | Workshare Ltd. | Method and system for collaborative editing of a remotely stored document |
US11386394B2 (en) | 2011-06-08 | 2022-07-12 | Workshare, Ltd. | Method and system for shared document approval |
US10574729B2 (en) | 2011-06-08 | 2020-02-25 | Workshare Ltd. | System and method for cross platform document sharing |
US20120317239A1 (en) * | 2011-06-08 | 2012-12-13 | Workshare Ltd. | Method and system for collaborative editing of a remotely stored document |
US11392550B2 (en) | 2011-06-23 | 2022-07-19 | Palantir Technologies Inc. | System and method for investigating large amounts of data |
US10540510B2 (en) * | 2011-09-06 | 2020-01-21 | Ricoh Company, Ltd. | Approach for managing access to data on client devices |
US20130067368A1 (en) * | 2011-09-09 | 2013-03-14 | Ricoh Company, Ltd. | Apparatus, System, And Method Of Controlling Display Of User Interface, And Recording Medium Storing User Interface Display Control Program |
US11030163B2 (en) | 2011-11-29 | 2021-06-08 | Workshare, Ltd. | System for tracking and displaying changes in a set of related electronic documents |
US10880359B2 (en) | 2011-12-21 | 2020-12-29 | Workshare, Ltd. | System and method for cross platform document sharing |
US10088990B2 (en) * | 2013-02-13 | 2018-10-02 | Dropbox, Inc. | Seamless editing and saving of online content items using applications |
US11567907B2 (en) | 2013-03-14 | 2023-01-31 | Workshare, Ltd. | Method and system for comparing document versions encoded in a hierarchical representation |
US10783326B2 (en) | 2013-03-14 | 2020-09-22 | Workshare, Ltd. | System for tracking changes in a collaborative document editing environment |
US11341191B2 (en) | 2013-03-14 | 2022-05-24 | Workshare Ltd. | Method and system for document retrieval with selective document comparison |
US12038885B2 (en) | 2013-03-14 | 2024-07-16 | Workshare, Ltd. | Method and system for document versions encoded in a hierarchical representation |
US20140293344A1 (en) * | 2013-03-29 | 2014-10-02 | Kyocera Document Solutions Inc. | Image forming apparatus, image forming method, and computer-readable non-transitory recording medium having image forming program recorded thereon |
US11962510B2 (en) | 2013-06-02 | 2024-04-16 | Vmware, Inc. | Resource watermarking and management |
US9584437B2 (en) | 2013-06-02 | 2017-02-28 | Airwatch Llc | Resource watermarking and management |
US9900261B2 (en) * | 2013-06-02 | 2018-02-20 | Airwatch Llc | Shared resource watermarking and management |
US20130268677A1 (en) * | 2013-06-02 | 2013-10-10 | SkySocket, LLC | Shared Resource Watermarking and Management |
US9202025B2 (en) | 2013-07-03 | 2015-12-01 | Airwatch Llc | Enterprise-specific functionality watermarking and management |
US9699193B2 (en) | 2013-07-03 | 2017-07-04 | Airwatch, Llc | Enterprise-specific functionality watermarking and management |
US9552463B2 (en) | 2013-07-03 | 2017-01-24 | Airwatch Llc | Functionality watermarking and management |
US9195811B2 (en) | 2013-07-03 | 2015-11-24 | Airwatch Llc | Functionality watermarking and management |
US10911492B2 (en) | 2013-07-25 | 2021-02-02 | Workshare Ltd. | System and method for securing documents prior to transmission |
US9665723B2 (en) | 2013-08-15 | 2017-05-30 | Airwatch, Llc | Watermarking detection and management |
US20160052498A1 (en) * | 2014-08-21 | 2016-02-25 | Toyota Jidosha Kabushiki Kaisha | Brake-Hydraulic-Pressure Control Device |
US9829114B2 (en) | 2014-08-21 | 2017-11-28 | Toyota Jidosha Kabushiki Kaisha | Pressure regulator and hydraulic brake system for vehicle equipped with the same |
US20160335420A1 (en) * | 2014-12-05 | 2016-11-17 | Business Partners Limited | Secure Document Management |
US10726104B2 (en) | 2014-12-05 | 2020-07-28 | Business Partners Limited | Secure document management |
US9922174B2 (en) * | 2014-12-05 | 2018-03-20 | Business Partners Limited | Secure document management |
US10133723B2 (en) | 2014-12-29 | 2018-11-20 | Workshare Ltd. | System and method for determining document version geneology |
US11182551B2 (en) | 2014-12-29 | 2021-11-23 | Workshare Ltd. | System and method for determining document version geneology |
US12050604B2 (en) | 2015-02-20 | 2024-07-30 | Threatstop, Inc. | Normalization and extraction of log data |
US10614113B2 (en) * | 2015-04-16 | 2020-04-07 | Docauthority Ltd. | Structural document classification |
US20180096060A1 (en) * | 2015-04-16 | 2018-04-05 | Docauthority Ltd. | Structural document classification |
US10798098B2 (en) | 2015-05-28 | 2020-10-06 | Google Llc | Access control for enterprise knowledge |
US20160350134A1 (en) * | 2015-05-28 | 2016-12-01 | Google Inc. | Personal assistant providing predictive intelligence using enterprise content |
US11763013B2 (en) | 2015-08-07 | 2023-09-19 | Workshare, Ltd. | Transaction document management system and method |
US20170150322A1 (en) * | 2015-11-24 | 2017-05-25 | Fortinet, Inc. | Associating position information collected by a mobile device with amanaged network appliance |
US9986387B2 (en) * | 2015-11-24 | 2018-05-29 | Fortinet, Inc. | Associating position information collected by a mobile device with a managed network appliance |
US11209898B2 (en) | 2016-01-19 | 2021-12-28 | Magic Leap, Inc. | Eye image collection |
US10466778B2 (en) | 2016-01-19 | 2019-11-05 | Magic Leap, Inc. | Eye image selection |
US20170206401A1 (en) * | 2016-01-19 | 2017-07-20 | Magic Leap, Inc. | Eye image combination |
US11231775B2 (en) | 2016-01-19 | 2022-01-25 | Magic Leap, Inc. | Eye image selection |
US11579694B2 (en) | 2016-01-19 | 2023-02-14 | Magic Leap, Inc. | Eye image selection |
US10831264B2 (en) * | 2016-01-19 | 2020-11-10 | Magic Leap, Inc. | Eye image combination |
US20180196623A1 (en) * | 2017-01-06 | 2018-07-12 | Color123, Ltd. | Print output management system and the method of operation thereof |
US11503035B2 (en) * | 2017-04-10 | 2022-11-15 | The University Of Memphis Research Foundation | Multi-user permission strategy to access sensitive information |
US10977361B2 (en) | 2017-05-16 | 2021-04-13 | Beyondtrust Software, Inc. | Systems and methods for controlling privileged operations |
US10581887B1 (en) * | 2017-05-31 | 2020-03-03 | Ca, Inc. | Employing a relatively simple machine learning classifier to explain evidence that led to a security action decision by a relatively complex machine learning classifier |
WO2019157578A1 (en) * | 2018-02-15 | 2019-08-22 | Inttelix Brasil Tecnologia E Sistemas Ltda | Device and system for managing access to equipment by means of facial recognition |
US20190268307A1 (en) * | 2018-02-26 | 2019-08-29 | Mcafee, Llc | Gateway with access checkpoint |
US10728218B2 (en) * | 2018-02-26 | 2020-07-28 | Mcafee, Llc | Gateway with access checkpoint |
US11558355B2 (en) * | 2018-02-26 | 2023-01-17 | Mcafee, Llc | Gateway with access checkpoint |
US11528149B2 (en) | 2019-04-26 | 2022-12-13 | Beyondtrust Software, Inc. | Root-level application selective configuration |
US11943371B2 (en) | 2019-04-26 | 2024-03-26 | Beyond Trust Software, Inc. | Root-level application selective configuration |
US11455855B2 (en) * | 2019-09-24 | 2022-09-27 | International Business Machines Corporation | Content validation document transmission |
US20210090371A1 (en) * | 2019-09-24 | 2021-03-25 | International Business Machines Corporation | Content validation document transmission |
CN112104791A (en) * | 2020-09-10 | 2020-12-18 | 珠海奔图电子有限公司 | Image forming control method, image forming apparatus, and electronic device |
Also Published As
Publication number | Publication date |
---|---|
US8302205B2 (en) | 2012-10-30 |
US20090083831A1 (en) | 2009-03-26 |
EP1507402A2 (en) | 2005-02-16 |
EP1507402A3 (en) | 2005-07-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8302205B2 (en) | Access control decision system, access control enforcing system, and security policy | |
US20040125402A1 (en) | Document printing program, document protecting program, document protecting system, document printing apparatus for printing out a document based on security policy | |
US20050171914A1 (en) | Document security management for repeatedly reproduced hardcopy and electronic documents | |
JP4455462B2 (en) | Data distribution apparatus, data distribution method, and program for realizing the same | |
US7532836B2 (en) | Document management method, document management system, and computer program product | |
JP4826265B2 (en) | Security policy assigning apparatus, program, and method | |
US8335985B2 (en) | Document use managing system, document processing apparatus, manipulation authority managing apparatus, document managing apparatus and computer readable medium | |
JP4527374B2 (en) | Image forming apparatus and document attribute management server | |
US20090271839A1 (en) | Document Security System | |
KR20050078462A (en) | Security printing system and method | |
JP4398685B2 (en) | Access control determination system, access control determination method, access control determination program, and computer-readable storage medium storing the program | |
US20090106249A1 (en) | Document management system, document management device, document management method and recording medium storing a document management program | |
US20060082816A1 (en) | Printer device and related method for handling print-and-hold jobs | |
US7657610B2 (en) | Authentication output system, network device, device utilization apparatus, output data management apparatus, output control program, output request program, output data management program, and authentication output method | |
JP4282301B2 (en) | Access control server, electronic data issuing workflow processing method, program thereof, computer apparatus, and recording medium | |
US20090001154A1 (en) | Image forming apparatus and method | |
JP2004164604A (en) | Electronic file management device, program, and file access control method | |
US20050094182A1 (en) | Printer access control | |
JP2005038372A (en) | Access control decision system, and access control execution system | |
JP2004152261A (en) | Document print program, document protection program, and document protection system | |
US8976966B2 (en) | Information processor, information processing method and system | |
US8208157B2 (en) | System and apparatus for authorizing access to a network and a method of using the same | |
JP2005202888A (en) | Access permission giving method, access permission processing method, program therefor, and computer apparatus | |
JP7484294B2 (en) | Information processing device and information processing system | |
JP4954254B2 (en) | Security policy |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment | Owner name: RICOH COMPANY, LTD., JAPAN; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNOR: KANAI, YOICHI; REEL/FRAME: 016033/0369; Effective date: 20040616 |
STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |