1. Field of the Invention
The present invention relates to a restriction information generation apparatus and method, a printing system with functional restriction, and a printing authentication method for utilizing a peripheral device or the like which determines whether to permit/inhibit the use of its function in accordance with functional restriction defined for each user role.
2. Description of the Related Art
Computer networks (hereinafter simply referred to as networks), which connect computers to each other, are themselves connected to each other to form a global network, the so-called Internet.
In many cases, a network connects peripheral devices (printing apparatuses) such as a printer, facsimile apparatus, and copying machine in addition to computers. A computer can utilize these peripheral devices via the network. Printing via the network (network printing) has the advantages of sharing a large-scale high-speed printer or expensive color printer between computers, and of printing from a remote site. Network printing has become popular in recent years.
Recent copying machines have not only a function of copying a document, but also a function of printing a print job from an external client apparatus and a function of electronically transmitting a scanned document to an external destination using an email/file transfer function. Such a copying machine is called an MFP (Multi Function Peripheral).
While the MFP offers a variety of functions, management problems arise, such as a high risk of information leakage because the MFP can send scanned information outside. These are conventional problems. As the number of printed sheets increases, the costs of consumed paper and toner also rise. There is a need to restrict the print function and the number of printable sheets for each user. This need is essential in terms of reducing TCO (Total Cost of Ownership).
Several solutions to these problems have already been proposed. For example, a method has been proposed of managing each user by the user's ID, and restricting available functions, resources, and time for each ID (Japanese Patent Laid-Open No. 11-134136). A method of issuing access policy information to an authenticated user has also been proposed (Japanese Patent Laid-Open No. 2004-185629).
Access to the MFP is restricted by identifying and confirming an MFP user by an authentication system, and approving only an operation permitted to the user. Whether to permit or inhibit an operation is generally set for each role permitted to each organization or each user's job title based on personnel information in a company or school to which a user belongs. For example, users are classified into roles such as an administrator, power user, general user, and guest. Functional restriction (synonymous with access restriction in this specification) is defined for each role.
A user belongs to a plurality of organizations in accordance with the hierarchical structure of organizations. An organization is definable as a user group in a computer. Similar to a user, groups are also classified into roles, and functional restriction for each role is also applied to the group. Even an operation inhibited to a role into which a given user is directly classified may be permitted to a role into which a group containing the user is classified. However, how to resolve a situation in which contradictory functional restrictions are set for one user is not mentioned even in the above-described references.
Functional restriction defined for each role may be determined by calculation based on a given rule by referring to a plurality of roles when a user or group is classified into only a role into which the user is classified. However, reference to and calculation of the roles are done at the user's login, in real time and with high-speed performance. From the viewpoint of process speed and cost, it is not desirable for each MFP to execute these processes.
The authentication system and role setting system often change depending on the user environment at the installation destination. Changing the program of each MFP in accordance with the user environment is not flexible.
When the user wants to change the role calculation rule, changing the program of each MFP and a program installed in a client PC which uses the MFP is not flexible and increases the management cost.