Field of the Invention
The present invention relates to an information processing apparatus and a method of controlling the same.
Description of the Related Art
Multi function peripherals (MFP: multi function peripheral) having functions such as those for scanning, printing, and communication are known. An MFP is equipped with an operation panel on a main body, and a user can use a copy function, a scanning function, or the like, of the MFP by operating the operation panel. Also, in recent years, MFPs are equipped with functions such as those for a file sharing server, a Web server, or the like, and a terminal on a network is able to access the server functions of the MFP using a communication protocol such as SMB (Server Message Block), HTTP, or the like. Also, MFPs are equipped with an MIB (Management Information Base), and a terminal on a network is able access the MIB of the MFP using SNMP v3 (RFC3414 (User-based Security Model (USM)) for version 3 of the Simple Network Management Protocol (SNMP v3)) which is known as a network device management protocol.
Furthermore, in recent years, MFPs are equipped with a user authentication mechanism for identifying a user that uses the MFP. In general, in cases where a single MFP is provided with a plurality of functions, communication protocols, or the like, the MFP is provided with a plurality of user authentication mechanisms corresponding to each of the functions, communication protocols, or the like. For example, there are cases in which the user authentication mechanisms for an operation panel, for a Web server, for a file sharing server, and for SNMP v3 are each different.
In cases where a single MFP is equipped with a plurality of user authentication mechanisms in this way, there are the following techniques of coordinating the authentication mechanisms. An approach for associating and synchronizing user information used mainly for authentication for an operation panel, and user information managed by a USM (User-based Security Model) of SNMP v3 is known (for example, Japanese Patent Laid-Open No. 2006-195755).
Also, in recent years, it is considered that similar security to that of a network terminal such as a personal computer is necessary for MFPs. For this reason, MFPs equipped with a user authentication mechanism corresponding to a password policy (password validity period, password complexity, settings/control of lockout), an authentication log(authentication success/failure logs records), or the like, have emerged.
In a case where a plurality of user authentication mechanisms exist in a single device, the following issues exist.
There are cases in which for each user authentication mechanism, an account for the same user is registered, and management of user information is cumbersome. Coordination between mechanisms for performing authentication of users becomes necessary, as in the invention recited in Japanese Patent Laid-Open No. 2006-195755, in order to make the same account useable for the plurality of user authentication mechanisms and not put a burden on the user.
From a security perspective, it is not preferable that a user authentication mechanism supporting a password policy, authentication logging, or the like, and a user authentication mechanism that does not support password policy, authentication logging, or the like, be mixed on a single device. For this reason, the issue exists that it is necessary for vendors that manufactures devices to incur development costs in order to provide an equivalent security function for a plurality of the user authentication mechanisms.
In a case where a plurality of user authentication mechanisms exists in a single device, because of the above described issues, a configuration in which a single user authentication mechanism is used commonly, in a case where communication protocols, functions, or the like, are different, is advantageous. However, there are specification differences in each user authentication method of each kind of communication protocol, and supporting processing related to user authentication for all of the communication protocols in a single user authentication mechanism is difficult. For example, because a scheme defined in a USM of SNMP v3 performs not only user authentication using the password of the user, but also performs cryptographic processing, signature/falsification detection processing, or the like, with a key generated based on the password, such processing is complex.
Also, for protocols that are defined by an RFC and generally well known, software modules or source code that implement the protocol are generally published. For this reason, vendors implementing a server are able to use existing software modules, source code, or the like. However, it will take a very large amount of effort and many man-hours in order for the vendors that manufacture devices to replace the existing software modules and source code that is different for each protocol with a user authentication mechanism common for all parts of the device with regards to user authentication. Also, in cases where specifications regarding password policy checking, password changing, and authentication log recording are not defined in a protocol, the existing published software modules and source code do not have such functions. Accordingly, the vendor that manufactures the device has to add/implement functions such as password policy checking, password changing, and authentication log recording in the existing software modules and source code, and there is a problem in that this takes a very large amount of effort and many man-hours.