When the Access Management System has been enabled, users must log in to the device using SSO
user authentication. Access Management System supports authentication through local device
authentication as well as Active Directory using SSO-H*, which includes support for Kerberos
Authentication. Once a user logs in to the device with their user name and password, the device
can determine which roles are assigned to that particular user. Restrictions are applied based on
the assigned roles. If an entire function is restricted, it will appear grayed out to the user after
authentication.
Function Level Authentication
Canon imageRUNNER ADVANCE systems can limit the use of specific functions to authorized users by
requiring authentication before sensitive functions are used. This capability, Function Level
Authentication, is part of Access Management System and works with SSO-H for authentication. It
enables administrators to choose precisely which functions walk-up and network users may use
without entering credentials and which ones require a user to log in. For example, administrators
may choose to allow all users to make black-and-white copies while prompting users to log in if
they choose to output color or use the Scan and Send function.
Scan and Send Security
On devices that have Scan and Send enabled, certain information such as fax numbers and e-mail
addresses may be considered confidential and sensitive. For these devices, there are additional
security features to prevent confidential information from being accessed.
Address Book Password
Administrative and individual passwords can be set for Address Book Management functions.
A system administrator can define the specific Address Book data that can be viewed by users,
effectively masking private details. This password may be set separately so individuals other
than the System Manager can administer the Address Book.
Setting a password for an Address Book restricts the ability to Store, Edit, or Erase individual
and group e-mail addresses in that Address Book. Only individuals with the correct password for
an Address Book will be able to make modifications.
This same password is also used for the Address Book Import/Export function through the
Remote UI utility.
White Paper: Canon imageRUNNER ADVANCE Security
* Requires imageWARE Enterprise Management Console and the Access Management System Plug-In when authenticating through
Active Directory.
Section 2 — Device Security