Summary of the invention
In view of this, the embodiment of the invention provides a kind of authority control method, system, application software and platform software, with the control and the management of implementation platform software to application software authority.
In order to achieve the above object, a kind of authority control method that the embodiment of the invention provides is applied to a system, wherein, described system comprises application software and platform software, and wherein, application software visits the data that leave described platform software side in by platform software; Described method comprises:
Leave the permissions data of record application software authority in the platform software side, wherein said application software authority is carried out operation permission for the data that described platform software side is deposited;
When desire was carried out the operation relevant with the application software authority to described data, described application software was to the information of the described permissions data of described platform software request;
The information of the permissions data that provides according to described platform software, described application software participates in the control to described operation.
In order to achieve the above object, a kind of authority control system that the embodiment of the invention provides comprises:
Application software is used for visiting the data that leave described platform software side in by platform software;
Described platform software is used for the instruction according to described application software, and the data of described platform software side are provided for described application software;
Wherein,
Described application software is further used for leaving the permissions data of record application software authority in the platform software side, and wherein the application software authority is carried out operation permission for the data that described platform software side is deposited; And, be further used for when desire is carried out the operation relevant with the application software authority to described data, to the information of the described permissions data of described platform software request; And the information of the permissions data that provides according to described platform software participates in the control to described operation;
Described platform software is further used for the instruction according to described application software, the permissions data of put application software authority; And, be further used for instruction according to described application software, the information of permissions data is provided to described application software.
In order to achieve the above object, a kind of application software of providing of the embodiment of the invention comprises:
First module, when being used for desire the platform software side data being carried out the operation relevant with the application software authority, to the authority information of platform software request record application software authority, wherein said platform software side deposit will record application software authority permissions data;
Second module, the permissions data that is used for arriving to the platform software request according to first module participates in the control to the operation of platform software side data.
In order to achieve the above object, a kind of platform software of providing of the embodiment of the invention comprises:
First module is used for the instruction according to application software, the permissions data of put application software authority;
Second module is used for the instruction according to application software, and the information of permissions data is provided to application software.
The authority control method, system, application software and the platform software that provide by the embodiment of the invention, the permissions data that application software will record the application software authority leaves the platform software side in, when application software is carried out the operation relevant with the application software authority to data, application software arrives first platform software and goes to inquire about it and whether have the corresponding application software authority, after platform software offered application software with corresponding authority information, application software could participate in the control of this operation according to the information of this permissions data.In this way, just realized that platform software is to using the control and the management of software authority.
In addition, leave the platform software side in, data and associated authority information are stored together, also can greatly improve the security of data permission control by the permissions data that will record the application software authority.
Moreover, because the security that generally platform software had is integrated into the permissions data that records the application software authority under the management of platform software far above application side, make that the degree of safety of permissions data itself is higher.
Embodiment
For making the purpose, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below in conjunction with accompanying drawing.
In the authority control method that the embodiment of the invention provides, the permissions data of record application software authority leaves the platform software side in, and wherein the application software authority is carried out operation permission for the data that the platform software side is deposited; When the data of the platform software side being deposited when the application software desire are carried out the operation relevant with the application software authority, platform software offers application software with the information of described permissions data, and the information of the permissions data that application software provides according to platform software participates in the control to the data operation.
Fig. 1 is the structural representation of authority control system in the embodiment of the invention.As shown in Figure 1, this authority control system comprises application software 101 and platform software 102, treats that wherein service data 103 is positioned at the platform software side.Wherein application software 101 by platform software 102 visit leave platform software 102 sides in treat service data 103, platform software 102 is treated service data 103 according to the instruction of application software 101 for application software 101 provides.In case application software 101 has access to by platform software 102 and treats service data 103, then the operation of 101 pairs of data 103 of application software need not through platform software 102.The extracts operation of carrying out as 101 pairs of data of application software 103 just need not through platform software 102.
Application software 101 is used for leaving the permissions data of record application software authority in platform software 102 sides, and wherein the application software authority is carried out operation permission for the service data 103 for the treatment of that platform software 102 sides are deposited; When desire is carried out the operation relevant with the application software authority to data 103, at first obtain the information of permissions data, yet participate in control data 103 operations according to the information of the permissions data of obtaining from platform software 102 to platform software 102.
Platform software 102 is used for the instruction according to application software 101, the permissions data of put application software authority; According to the instruction of application software 101, provide the information of permissions data to application software 101.
Specifically, comprise the application software authority that at least one role has in the permissions data of record application software authority, when application software 101 and desire carry out operating accordingly with the application software authority to data 103, application software 101 is to the information of platform software 102 request permissions data, platform software 102 provides the information of permissions data for application software 101, the information of the permissions data that application software 101 provides according to platform software 102, judge whether current login role has the application software authority of carrying out this operation, if current login role does not have the corresponding application software authority, then application software 101 can not be carried out corresponding operation to data 103.
It will be appreciated by those skilled in the art that, the application software that the permissions data of record application software authority is left in the platform software side and the permissions data control that provides to platform software request permissions data message and according to platform software also can be different application software to the application software of data operation, even both are inequality under normal conditions.
The permissions data that will write down the application software authority such as application software A leaves the platform software side in, suppose to record in this permissions data role A, B, the application software authority information that C had, work as application software B so with role A login platform software, and desire is carried out A when operation to the data of platform software side, application software B is at first to platform software request permissions data, the permissions data that application software B can platform software provides judges whether role B has and A operation corresponding application software authority, if role B has the corresponding application software authority, then application software B can carry out the A operation to the data of platform software side, otherwise application software B can not carry out the A operation to the data of platform software side.
Further, application software 101 or platform software 102 can also be safeguarded permissions data.
When platform software 102 does not understand the concrete implication of permissions data, finish maintenance to permissions data by application software 101.Specifically, platform software 102 is for after application software 101 provides permissions data, application software 101 can be to the permissions data maintenance of making amendment, as deletion or increase role, merge, delete or increase application software authority, revise application permission that the role had or the like, yet more amended permissions data is left in platform software 102 sides to upgrade original permissions data.
When platform software 102 was understood the concrete implication of permissions data, platform software 102 can be safeguarded according to the content of permissions data on one's own initiative, such as the merging of carrying out the application software authority and deletion.Also can the content of permissions data be safeguarded, as deleting or increasing role, deletion or increase application software authority, modification application permission that the role had or the like according to the instruction of application software 101.
The merging of application software authority and deletion are described in detail in the back extended meeting, just repeat no more here.
When platform software was document file library system, the data of platform software side can be unstructured datas such as document data, and when platform software was audio-visual system, the data of platform software side can be the video display audio data.
Fig. 2 is the process flow diagram of right management method in the embodiment of the invention.As shown in Figure 2, the right management method that the embodiment of the invention provides is applied to the described Rights Management System of Fig. 1, specifically comprises:
Step 201: the permissions data that will write down the application software authority leaves the platform software side in.The permissions data that wherein writes down the application software authority comprises the application software authority that at least one role has, and this application software authority is carried out operation permission for the data that the platform software side is deposited.
Specifically, can set the application software authority that at least one role has according to user's demand.The permissions data of record application software authority can leave in the document data.
In embodiments of the present invention, the permissions data of record application software authority can be stored together with the permissions data that records the platform software authority, also can separate storage.
Step 202: when desire is carried out the operation relevant with the application software authority to the platform software side data, application software is to the information of platform software request permissions data, and the information of the permissions data that provides according to platform software participates in the control to the operation of platform software side data.
When application software is logined the platform software desire data of platform software side is operated with the role, platform software offers application software with the information of permissions data, application software judges according to the information of the permissions data that platform software provides whether this current login role has and operation corresponding application software authority, if current login role has and operation corresponding application software authority, application software just can be operated the data of platform software side so, otherwise application software can not be operated the data of platform software side.
In embodiments of the present invention, the file layout of permissions data can be the role and the application software authority table of comparisons.Promptly can represent different roles whether to have corresponding application software authority with the content in the table of comparisons.
In embodiments of the present invention, the content in the table of comparisons can be a zone bit, such as numerical value or character string.Such as zone bit can be numeral 1 or 0, represents that with numeral 1 role has corresponding application software authority; Represent that with numeral 0 role does not have corresponding application software authority.
In another embodiment of the present invention, content in the table of comparisons can also be to carry out the needed information of application software limiting operation, as key (can be private key or the PKI in the asymmetric key, also can be symmetric key, can also be password) and the encrypt data encrypted.Carrying out the needed information of application software limiting operation can also be the information of other type, as the case may be can be different, here do not give unnecessary details one by one.When application software was logined desire the data of platform software example are carried out the application software limiting operation with the role like this, application software need correctly provide this application software limiting operation required information, just is allowed to carry out corresponding operation.
Such as, if the content in a certain cell is a key information in the table of comparisons, show that then the role of this cell correspondence has corresponding application software authority.If the content on the table of comparisons in a certain cell does not comprise the needed information of application software limiting operation of carrying out, for example be NULL, sky or other value (any information except that carrying out the needed information of application software limiting operation), show that then the role of this cell correspondence does not have corresponding application software authority.
Represent whether the role has among the embodiment of application software authority, and the security of system can only depend on the code safety of application software utilizing zone bit.But utilizing the needed information of execution application software limiting operation to represent whether the role has among the embodiment of application software authority, simple code intrusion no longer can break the security of ring control of authority.This be because application software only get access to with the corresponding required information of execution application software limiting operation of current login role, application software just is allowed to carry out corresponding operation, so this control of authority is difficult to walk around platform software.Usually therefore the security of platform software makes that far above the security of application software the method for the required information of storage execution application software limiting operation has higher security in permissions data.In this case, even the code of application software is explorative code, also can not influence the security of control of authority.
Such as for the print right of above-mentioned more refinement, when utilizing zone bit to represent whether the role has the application software authority, the permissions data that application software searching platform software provides, whether the role who judges current login has this print right, when current login role has this print right, the control printer prints.But the assailant can allow application software directly skip the step whether current login of checking role has print right by revising application software, and directly by printer prints, in this case, system just can not control the operation of application software effectively.But utilizing the needed information representation role of execution application software limiting operation whether to have under the situation of application software authority, have only application software to get access to current login role from the permissions data that platform software provides and carry out the needed information of printing, printer could be carried out printing.Therefore not learning under the situation of carrying out the required information of printing, can't walk around platform software and carry out printing.Obviously, so just can obtain higher security.
Application software judges according to the information of the permissions data that platform software provides whether this current login role has and the process of operation corresponding application software authority can be: application software travels through permissions data one by one, find and current login role and the corresponding cell of this operating right, judge by the content in this cell whether current login role has this operating right.As long as have a role to have this operating right among the current login role, allow to carry out this operation; Otherwise refuse the execution of this operation.
Table 1 is the table of comparisons file layout of permissions data.As shown in table 1, this table of comparisons has the capable n row of m, and wherein row are represented the role, and total n role shown in the n tabulation; Row is represented the application software authority, and the m line display has m kind application software authority.Whether the capable j column unit of i lattice content representation role j has application software authority i.Here hypothesis represents that with 1 the role has the application software authority, represents that with 0 the role does not have the application software authority.Suppose application software with role 1 and role's 2 logins, so as known from Table 1, application software can be carried out and authority 1, authority 2 and the corresponding operation of authority m.
Table 1
Application software judges according to the information of the permissions data that platform software provides whether current login role has and the process of operation corresponding application software authority can also be: the permissions data that application software provides according to platform software, obtain the sub-table of comparisons of current login role and all application software authorities, travel through each cell corresponding, judge according to the content in each cell whether current login role has this operating right with this operating right.As long as have a role to have this operating right among the current login role, then application software is allowed to carry out this operation.Such as, suppose application software with role 1, role 2 ..., role k login, then table 2 is the current login role that obtains and the sub-table of comparisons of all authorities from table 1; If the operating right that will inquire about at present of hypothesis is an authority 3 again, then only need search the content in the cell corresponding with authority 3.
Table 2
Certainly, application software judges according to the information of the permissions data that platform software provides whether current login role has and the process of operation corresponding application software authority can also be: the permissions data that application software provides according to platform software, obtain the sub-table of comparisons of all roles and this operating right, in this sub-table of comparisons, travel through and pairing each cell of current login role one by one, judge according to the content in each cell whether current login role has this operating right.
Application software judges according to the information of the permissions data that platform software provides whether current login role has and the process of operation corresponding application software authority can also be: the permissions data that application software provides according to platform software, obtain the sub-table of comparisons of current login role and this operating right, travel through each cell in this table of comparisons, judge according to the content in each cell whether current login role has this operating right.
Though more than four kinds of lookup methods be that zone bit is the example explanation with cell content in the table of comparisons, those skilled in the art are readily appreciated that, for carrying out the situation of application software limiting operation information needed, these four kinds of lookup methods also are same being suitable for for the content in the table of comparisons.
Above-mentioned all to describe in all supposition systems all be irrelevant and separate between each application software authority, and in practice, have overlapping between some application software authority or relation of inclusion is arranged, this moment merges by the application software authority and deletion can further be optimized permissions data.Illustrate the method that the application software authority merges below.
If have relation of inclusion between certain two authority a, b, if authority a is promptly arranged, then authority b must be arranged, can think that so authority a is that wherein authority c is the supplementary set of authority b in authority a by authority b and another implicit authority c merging and next.In permissions data, rights of using c replaces authority a, allows the role who had authority a originally have authority b and authority c now simultaneously simultaneously.
Suppose that original application software authority comprises access limit, increased a write permission now again, just need this moment so to revise permissions data, replace access limit, allow the role who has access limit originally have write permission and read right now simultaneously simultaneously with read right.
If there is the relation of overlapping between certain two authority a, b, if authority a is promptly arranged, the authority that then has part ownership b, can think that so authority a is made of authority ab and authority c, and authority b is made of authority ab and authority d, wherein authority ab is the common factor of authority a and authority b, and authority c is the supplementary set of authority ab in authority a, and authority d is the supplementary set of authority ab in authority b.In permissions data, replacing authority a and authority b is authority ab, authority c and authority d, and specifically can be increases authority ab, replaces authority a with authority c, replaces authority b with authority d.Allow the role who had authority a originally have authority ab and authority c now simultaneously simultaneously, and allow the role who has authority b originally have authority ab and authority d now simultaneously.
Comprise access limit such as the original application software authority of hypothesis, having increased by one now again writes/print right, just need to revise permissions data so this moment, replace access limit and write/print right with read right, write permission and print right, allow the role who had access limit originally have write permission and read right now simultaneously simultaneously, allow have originally write/role of print right has write permission and print right now simultaneously.
Comprise and overlapping relation if having, can repeatedly use above-mentioned disassemble technique more than existing between two authorities.
Fig. 3 is the structural representation that is used for the application software of control of authority in the embodiment of the invention.As shown in Figure 3, the application software that provides of the embodiment of the invention comprises permissions data acquisition module 301 and operational module 302.
Permissions data acquisition module 301 is used for desire when the platform software side data is carried out the operation relevant with the application software authority, to the authority information of platform software request record application software authority, wherein said platform software side is deposited the permissions data with record application software authority.
The permissions data that operational module 302 is used for arriving to the platform software request according to permissions data acquisition module 301 participates in the control to the operation of platform software side data.
Application software can further include the permissions data interactive module, is used for leaving the permissions data of record application software authority in the platform software side.
Application software further can also comprise the permissions data maintenance module, be used to safeguard the permissions data of permissions data acquisition module 301 acquisitions, and the permissions data after will safeguarding by the permissions data interactive module stores the platform software side into, to upgrade the permissions data of platform software side.
It will be understood by those skilled in the art that in some cases some application software can only have the function of permissions data interactive module.
Fig. 4 is the structural representation that is used for the platform software of control of authority in the embodiment of the invention.As shown in Figure 4, this platform software comprises:
Permissions data memory module 401 is used for the instruction according to application software, the permissions data of put application software authority;
Permissions data interactive module 402 is used for the instruction according to application software, and the information of permissions data is provided to application software.
Platform software further can also comprise the permissions data maintenance module, is used for when described platform software is understood the concrete implication of described permissions data, safeguards the permissions data that is stored in the permissions data memory module 401.
The above only is preferred embodiment of the present invention, and is in order to restriction the present invention, within the spirit and principles in the present invention not all, any modification of being done, is equal to replacement etc., all should be included within protection scope of the present invention.