Embodiment
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, rather than all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention provides a method for implementing rights management control. Referring to Fig. 1, the method comprises:
Step 101: configure an attribute of a target node on the management tree according to delegation relationship information between a delegating manager and a delegated manager; wherein the delegation relationship information comprises a delegating manager identifier, a delegated manager identifier, information on the target node, delegated rights and a delegation level.
Step 102: receive an operation request from a first manager for the target node, and judge according to the configured attribute of the target node whether the first manager has the operation right; if so, proceed to step 103, otherwise proceed to step 104.
Step 103: perform the corresponding operation on the target node according to the operation request, and end the current flow.
Step 104: refuse the first manager's operation on the target node.
It can be seen that, in the rights management control method proposed by the embodiment of the present invention, the attribute of the target node on the management tree is configured according to the delegation relationship information between the delegating manager and the delegated manager, where the delegation relationship information specifically comprises the delegating manager identifier, the delegated manager identifier, the information on the target node, the delegated rights and the delegation level. In this way the terminal knows the delegation relationship for the target node, that is, which of its rights on the target node one manager has delegated to another manager and at which delegation level, and can therefore perform the corresponding rights control for this delegation relationship, thereby improving service quality.
On the management tree of the terminal there exist a tree structure corresponding to each manager and various attributes corresponding to each node. Therefore, when implementing the embodiments of the present invention, the specific attribute that is configured according to the delegation relationship information may be chosen according to actual needs. Depending on which attribute is configured according to the delegation relationship information, the embodiments of the present invention specifically cover the following business scenarios:
Business scenario one: under the DM account (hereinafter "DMAcc") management object of the management tree, the account of each manager is stored. Therefore, a delegation (hereinafter "Delegation") subtree may be added under the DMAcc management object for each manager involved in the rights delegation, the delegation relationship information is configured using the added Delegation subtree, and the access control list (hereinafter "ACL") attribute of the target node is configured according to the delegation relationship information configured in the Delegation subtree.
Business scenario two: under the DMAcc management object of the management tree, the account of each manager is stored, and an extension node is reserved for each manager. Therefore, the delegation relationship information may be configured using the extension node of each manager involved in the rights delegation under the DMAcc management object, and the ACL attribute of the target node is configured according to the delegation relationship information configured in the extension node.
Business scenario three: on the management tree, each managed target node has attributes of its own. Therefore, the delegation relationship information may be configured directly in an attribute of the target node.
A specific embodiment is given below for each of the three business scenarios to describe the process of rights management control in detail.
Embodiment 1:
Embodiment 1 applies to business scenario one: the delegation relationship is configured using an added Delegation subtree, the ACL attribute of the target node is configured accordingly, and subsequent rights management control is then performed on the delegation relationship. Referring to Fig. 2, the process of rights management control in Embodiment 1 comprises the following steps:
Step 201: under the DMAcc management object of the management tree, add a Delegation subtree for a manager involved in the rights delegation.
Step 202: configure the delegation relationship information between the delegating manager and the delegated manager on the added Delegation subtree.
In the above steps, the Delegation subtree may be added for the delegating manager, for the delegated manager, or for both. Correspondingly, the delegation relationship information may be configured on the Delegation subtree of the delegating manager, on the Delegation subtree of the delegated manager, or on both the Delegation subtree of the delegating manager and the Delegation subtree of the delegated manager.
The delegation relationship information between the delegating manager and the delegated manager may specifically comprise: the delegating manager identifier, the delegated manager identifier, the information on the target node, the delegated rights and the delegation level.
Regarding the delegation relationship information: first, the information on the target node comprises at least one of the following: the uniform resource identifier (hereinafter "URI") of the target node, a management object identifier (hereinafter "MOI"), or an MOI together with a specific node value.
Second, the delegated rights indicate which of its own rights on the target node the delegating manager has delegated to the delegated manager. The value of the delegated rights may follow the standard ACL value syntax. For example, if the delegating manager ServerA has delegated the "Get" and "Delete" rights to the delegated manager ServerB, the value of the delegated rights is "Get=ServerB&Delete=ServerB".
Third, the delegation level is set in order to perform rights management control based on the delegation relationship, and reflects the extent to which the delegating manager and the delegated manager each hold the delegated rights. The delegation level may be set to full delegation, meaning that after the delegating manager has delegated a right to the delegated manager, the delegating manager no longer holds that right. The delegation level may also be set to shared delegation, meaning that after the delegating manager has delegated a right to the delegated manager, the delegating manager still holds that right.
Finally, to further improve the effect of rights management control based on the delegation relationship, the delegation relationship information between the delegating manager and the delegated manager may further comprise a delegation effective start time and/or a delegation effective duration. The delegation effective start time controls the point in time at which the delegation takes effect, so that the delegating manager can better control when the delegated rights are used. The delegation effective duration allows the terminal to reclaim on its own the rights that the delegating manager has delegated away, so that the delegated manager no longer holds the delegated rights once the duration has elapsed.
The delegation relationship information configured through the Delegation subtree may be as shown in Fig. 3. An extension node, as shown in Fig. 3, may further be reserved on the Delegation subtree, so that when the content of the delegation relationship information is extended, the extended content can be recorded through this extension node.
Step 203: when the timer reaches the delegation effective start time, find the target node on the management tree.
If the information on the target node in the delegation relationship information is the URI of the target node, the corresponding target node on the management tree is found in this step directly according to the URI.
If the information on the target node in the delegation relationship information is an MOI, then, because an MOI usually corresponds to one or more subtrees, the root node of each subtree corresponding to the MOI is found on the management tree in this step.
If the information on the target node in the delegation relationship information is an MOI together with a specific node value, each subtree corresponding to the MOI is first found on the management tree, and the root node of the subtree having this specific node value is then found among those subtrees.
Step 204: modify the ACL value of the found target node according to the delegating manager identifier, the delegated manager identifier, the delegated rights and the delegation level.
If the delegation level is full delegation, modifying the ACL value of the found target node comprises: overwriting the corresponding rights of the delegating manager in the ACL value of the found target node with the delegated rights. For example, the delegating manager ServerA fully delegates its "Get" and "Delete" rights on node 1 to the delegated manager ServerB, and the value of the delegated rights is "Get=ServerB&Delete=ServerB". The ACL value of the found node 1 originally contains the rights "Get=ServerA&Delete=ServerA" of the delegating manager ServerA on this node; with a delegation level of full delegation, "Get=ServerA&Delete=ServerA" in the ACL value of node 1 is overwritten with "Get=ServerB&Delete=ServerB", so that the delegating manager ServerA no longer holds the "Get" and "Delete" rights on node 1. Further, to ensure that the delegating manager ServerA no longer holds these rights, a mark excluding the delegating manager ServerA may additionally be added to the "Get" and "Delete" entries of the corresponding ACL value.
If the delegation level is shared delegation, modifying the ACL value of the found target node comprises: adding the delegated rights to the ACL value of the found node 1. For example, the delegating manager ServerA delegates its "Get" and "Delete" rights on node 1 to the delegated manager ServerB as a shared delegation, and the value of the delegated rights is "Get=ServerB&Delete=ServerB". The ACL value of the found node 1 originally contains the rights "Get=ServerA&Delete=ServerA" of the delegating manager ServerA on node 1; with a delegation level of shared delegation, "Get=ServerA&Delete=ServerA" is retained and "Get=ServerB&Delete=ServerB" is added to the ACL value at the same time, so that both the delegating manager ServerA and the delegated manager ServerB hold the "Get" and "Delete" rights on node 1.
Step 205: the terminal receives an operation request from a manager (denoted "manager 1") for a target node (denoted "node 1").
Step 206: the terminal judges according to the current ACL value of node 1 whether manager 1 has the operation right; if so, proceed to step 207, otherwise proceed to step 208.
Step 207: perform the corresponding operation on node 1 according to the operation request, and end the current flow.
Step 208: refuse manager 1's operation on node 1.
If the delegation relationship information configured on the Delegation subtree comprises a delegation effective duration, then after step 204 has modified the ACL value of the found target node, the flow shown in Fig. 2 may further comprise: when the timer reaches the end of the delegation effective duration, restoring the ACL value of the found target node to the ACL value before modification.
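The following worked example is added here by the editor and is not part of the patent text. It runs steps 203 to 208 of Embodiment 1 (and, with a different storage location, the identical steps of Embodiment 2) on a constructed two-node management tree: locating the target by MOI plus node value, rewriting the ACL for full and for shared delegation, deciding a request from the current ACL value, and restoring the saved ACL when the effective duration ends. The ACL syntax is the one quoted in the text ("Get=ServerA&Delete=ServerA"); two details go beyond what the text shows and are assumptions: multiple server identifiers for one command are joined with "+" ("Get=ServerA+ServerB"), and "*" grants a command to every server, both standard ACL syntax. The exclusion mark mentioned for full delegation is not modelled. The names Node, Delegation, the functions and the urn:x:mo MOI are illustrative only.

```python
"""Added example (not from the patent): delegation by rewriting a node's ACL value,
following steps 203 to 208 of Embodiment 1 and the restore step after them.
ACL values use the syntax quoted in the text ("Get=ServerA&Delete=ServerA").
Assumed beyond the text: several servers for one command are joined with '+'
("Get=ServerA+ServerB") and '*' grants a command to every server (standard ACL
syntax; the text shows only single-server entries)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

FULL, SHARED = "full", "shared"   # the two delegation levels of Embodiment 1

def parse_acl(acl: str) -> Dict[str, Set[str]]:
    """'Get=A+B&Delete=A' -> {'Get': {'A', 'B'}, 'Delete': {'A'}}."""
    rights: Dict[str, Set[str]] = {}
    for entry in filter(None, acl.split("&")):
        command, _, servers = entry.partition("=")
        rights.setdefault(command, set()).update(s for s in servers.split("+") if s)
    return rights

def format_acl(rights: Dict[str, Set[str]]) -> str:
    """Inverse of parse_acl with a fixed ordering, so values compare as strings."""
    return "&".join(f"{c}={'+'.join(sorted(s))}" for c, s in sorted(rights.items()) if s)

@dataclass
class Node:
    uri: str
    acl: str
    moi: Optional[str] = None          # set on the root node of a management object
    value: Optional[str] = None        # node value, for "MOI plus specific node value"
    acl_before: Optional[str] = None   # saved so the delegation can be undone later

@dataclass
class Delegation:
    delegator: str                     # delegating manager identifier
    delegatee: str                     # delegated manager identifier
    target: dict                       # {"uri": ..}, {"moi": ..} or {"moi": .., "value": ..}
    delegated_rights: str              # e.g. "Get=ServerB&Delete=ServerB"
    level: str                         # FULL or SHARED
    start: int                         # delegation effective start time (seconds)
    duration: Optional[int] = None     # delegation effective duration (seconds)

def find_targets(tree: List[Node], target: dict) -> List[Node]:
    """Step 203: locate the target node(s) by URI, by MOI, or by MOI plus node value."""
    if "uri" in target:
        return [n for n in tree if n.uri == target["uri"]]
    roots = [n for n in tree if n.moi == target["moi"]]   # one root per subtree of the MOI
    if "value" in target:
        roots = [n for n in roots if n.value == target["value"]]
    return roots

def apply_delegation(node: Node, d: Delegation) -> str:
    """Step 204: rewrite the ACL according to the delegation level; returns the new ACL."""
    rights = parse_acl(node.acl)
    node.acl_before = node.acl
    for command, servers in parse_acl(d.delegated_rights).items():
        current = rights.setdefault(command, set())
        if d.level == FULL:
            if "*" in current:   # a wildcard grant cannot be taken away from the delegator
                raise ValueError(f"{command} is granted to '*'; full delegation is ineffective")
            current.discard(d.delegator)   # delegating manager loses the right ...
            current.update(servers)        # ... and the delegatee's entry overwrites it
        elif d.level == SHARED:
            current.update(servers)        # delegator keeps the right, delegatee is added
        else:
            raise ValueError(f"unknown delegation level {d.level!r}")
    node.acl = format_acl(rights)
    return node.acl

def has_right(node: Node, manager: str, command: str) -> bool:
    """Step 206: the terminal decides from the node's current ACL value alone."""
    servers = parse_acl(node.acl).get(command, set())
    return manager in servers or "*" in servers

def restore_if_expired(node: Node, d: Delegation, now: int) -> bool:
    """Restore step after 204: put the pre-modification ACL back once the duration ends."""
    if d.duration is None or node.acl_before is None or now < d.start + d.duration:
        return False
    node.acl, node.acl_before = node.acl_before, None
    return True

def run_scenario(level: str) -> dict:
    """Whole flow on a constructed two-node tree; returns what a test can check."""
    tree = [Node("./A/B", "Get=ServerA&Delete=ServerA&Replace=ServerA", "urn:x:mo", "v1"),
            Node("./A/C", "Get=ServerA&Replace=ServerA", "urn:x:mo", "v2")]
    d = Delegation("ServerA", "ServerB", {"moi": "urn:x:mo", "value": "v1"},
                   "Get=ServerB&Delete=ServerB", level, start=100, duration=50)
    node = find_targets(tree, d.target)[0]      # only ./A/B carries node value "v1"
    apply_delegation(node, d)                   # the timer has reached the start time
    r = {"target": node.uri, "acl": node.acl,
         "b_get": has_right(node, "ServerB", "Get"), "a_get": has_right(node, "ServerA", "Get"),
         "a_replace": has_right(node, "ServerA", "Replace"), "c_get": has_right(node, "ServerC", "Get")}
    r["restored_early"] = restore_if_expired(node, d, now=120)   # still within the duration
    r["restored"] = restore_if_expired(node, d, now=150)         # duration has ended
    r["acl_after"] = node.acl
    return r
```

Two points the code makes explicit that the text leaves implicit: the pre-modification ACL has to be stored somewhere on the terminal for the restore step to work at all, and a full delegation cannot remove a right from the delegating manager if the node's ACL already grants that command to every server, so the example refuses such a delegation rather than silently leaving the delegator with the right.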
In Embodiment 1, the delegation relationship information between the delegating manager and the delegated manager is configured in a Delegation subtree added on the management tree, and the ACL value of the target node is modified accordingly. In this way the terminal knows the delegation relationship for the target node, that is, which of its rights on the target node one manager has delegated to another manager, and can perform the corresponding rights control for this delegation relationship. For example, by setting the delegation level, both full delegation and shared delegation from the delegating manager to the delegated manager can be realised, which greatly increases the flexibility of rights management control and optimises service performance.
Embodiment 2:
Embodiment 2 applies to business scenario two: the delegation relationship information is configured using the extension node reserved under the DMAcc management object, the ACL value of the target node is modified according to this delegation relationship information, and subsequent rights management control is then performed on the delegation relationship. Referring to Fig. 4, the process of rights management control in Embodiment 2 comprises the following steps:
Step 401: under the DMAcc management object of the management tree, configure the delegation relationship information between the delegating manager and the delegated manager using the extension node of a manager involved in the rights delegation.
Specifically, the delegation relationship information may be configured in the value of the extension node corresponding to the delegating manager and/or in the value of the extension node corresponding to the delegated manager.
The content and function of the delegation relationship information in this step are identical to those of the delegation relationship information in step 202 above.
The content of steps 402 to 407 is identical to that of steps 203 to 208.
If the delegation relationship information configured in the value of the extension node under the DMAcc management object comprises a delegation effective duration, then after the ACL value of the found target node has been modified, the flow shown in Fig. 4 may further comprise: when the timer reaches the end of the delegation effective duration, restoring the ACL value of the found target node to the ACL value before modification.
In Embodiment 2, the delegation relationship information between the delegating manager and the delegated manager is configured in the extension node reserved under the DMAcc management object, and the ACL value is modified according to this delegation relationship information. In this way the terminal knows the delegation relationship for the target node, that is, which of its rights on the target node one manager has delegated to another manager, and can perform the corresponding rights control for this delegation relationship. For example, by setting the delegation level, both full delegation and shared delegation from the delegating manager to the delegated manager can be realised, which greatly increases the flexibility of rights management control and optimises service performance.
Embodiment 3:
Embodiment 3 applies to business scenario three: the delegation relationship information is configured using a newly added attribute of the target node, and subsequent rights management control is then performed on the delegation relationship. Referring to Fig. 5, the process of rights management control in Embodiment 3 comprises the following steps:
Step 501: after the delegating manager has delegated its operation right on the target node to the delegated manager, the delegating manager generates an authorization certificate storing the delegation relationship information between the delegating manager and the delegated manager.
In this step, the delegation relationship information in the authorization certificate may comprise: the delegating manager identifier, the delegated manager identifier, the information on the target node, the delegated rights and the delegation level.
The delegation level may specifically be: full delegation, shared delegation or sub-delegation. When the delegation level is sub-delegation, the delegated manager identifier comprises a first-level delegated manager identifier and a second-level delegated manager identifier, indicating that after the delegating manager has delegated the right to the first-level delegated manager, the first-level delegated manager is allowed to delegate that right onward to the second-level delegated manager.
Further, the delegation relationship information in the authorization certificate may also comprise a delegation effective start time and/or a delegation effective duration.
In Embodiment 3, the delegated rights, full delegation, shared delegation, the delegation effective start time and the delegation effective duration have the same function and description as in step 202 above.
Step 502: the delegating manager sends the authorization certificate to the terminal.
Step 503: the terminal configures the authorization certificate in a newly added attribute of the target node on the management tree.
For example, if the delegating manager ServerA delegates its "Get" and "Delete" rights on target node 1 to the delegated manager ServerB, the authorization certificate is configured in a newly added attribute of target node 1 on the management tree.
Step 504: the terminal receives an operation request from a manager (denoted "manager 1") for a target node (denoted "node 1").
Step 505: the terminal judges according to the authorization certificate in the attribute of node 1 whether manager 1 has the operation right; if so, proceed to step 506, otherwise proceed to step 507.
In this step, the delegation effective start time, the delegating manager identifier, the delegated manager identifier, the delegated rights and the delegation level in the authorization certificate may be used to judge whether manager 1 has the operation right. One possible judging process comprises the following steps:
Step 5051: judge whether the current time is after the delegation effective start time; if so, proceed to step 5052, otherwise proceed directly to step 507.
Step 5052: judge according to the delegating manager identifier, the delegated manager identifier, the delegated rights and the delegation level whether manager 1 has the operation right; if so, proceed to step 506, otherwise proceed to step 507.
If the delegation level is full delegation, the specific judging process in this step comprises: judging according to the delegated manager identifier whether manager 1 is the delegated manager; if so, judging according to the delegated rights whether the operation request is within the scope of the delegated rights; if so, determining that manager 1 has the operation right.
If the delegation level is shared delegation, the specific judging process in this step comprises: judging according to the delegating manager identifier and the delegated manager identifier whether manager 1 is either the delegating manager or the delegated manager; if so, judging according to the delegated rights whether the operation request is within the scope of the delegated rights; if so, determining that manager 1 has the operation right.
If the delegation level is sub-delegation, the specific judging process in this step comprises: judging according to the second-level delegated manager identifier whether manager 1 is the second-level delegated manager; if so, judging according to the delegated rights whether the operation request is within the scope of the delegated rights; if so, determining that manager 1 has the operation right.
Step 506: perform the corresponding operation on node 1 according to the operation request, and end the current flow.
Step 507: refuse manager 1's operation on node 1.
If the authorization certificate comprises a delegation effective duration, then after step 503 has configured the authorization certificate in the newly added attribute of the target node on the management tree, the flow shown in Fig. 5 further comprises: when the timer reaches the end of the delegation effective duration, deleting the authorization certificate from the attribute of the target node.
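The following worked example is added here by the editor and is not part of the patent text. It implements the judging process of steps 5051 and 5052 for all three delegation levels of Embodiment 3, including sub-delegation, and the deletion of expired certificates from the node's attribute. The text does not fix an encoding for the authorization certificate, so it is modelled as a plain record whose delegated rights are a set of command names; how the certificate is serialised, and the fact that it arrives from the delegating manager over the DM session, are outside this example, which does not verify the certificate's origin. One check goes beyond the text and is labelled as such: a certificate whose effective duration has already ended is ignored even before the deletion timer has removed it. For sub-delegation the example follows the text literally and accepts only the second-level delegated manager. The class and function names are illustrative.

```python
"""Added example (not from the patent): rights decision from an authorization certificate
stored in an attribute of the target node, following steps 504 to 507 of Embodiment 3
and the certificate deletion step after them.
Assumed beyond the text: the certificate is a plain record whose delegated rights are
a set of command names, and a certificate past its effective duration is ignored even
before the deletion timer has removed it."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

FULL, SHARED, SUB = "full", "shared", "sub"   # the three delegation levels of Embodiment 3

@dataclass(frozen=True)
class AuthCertificate:
    delegator: str                       # delegating manager identifier
    delegatee: str                       # delegated manager identifier (first level for SUB)
    rights: FrozenSet[str]               # delegated commands, e.g. {"Get", "Delete"}
    level: str                           # FULL, SHARED or SUB
    start: int                           # delegation effective start time (seconds)
    duration: Optional[int] = None       # delegation effective duration (seconds)
    second_level: Optional[str] = None   # second-level delegated manager identifier, SUB only

    def active(self, now: int) -> bool:
        """Step 5051, plus the assumed defensive expiry check."""
        if now < self.start:
            return False
        return self.duration is None or now < self.start + self.duration

    def permits(self, manager: str, command: str) -> bool:
        """Step 5052: who may act depends on the delegation level."""
        if command not in self.rights:   # request outside the delegated rights
            return False
        if self.level == FULL:
            return manager == self.delegatee
        if self.level == SHARED:
            return manager in (self.delegator, self.delegatee)
        if self.level == SUB:            # the text names only the second-level identifier
            return manager == self.second_level
        raise ValueError(f"unknown delegation level {self.level!r}")

@dataclass
class TargetNode:
    uri: str
    certificates: List[AuthCertificate] = field(default_factory=list)  # the new attribute (step 503)

def authorize(node: TargetNode, manager: str, command: str, now: int) -> bool:
    """Step 505: grant if any certificate in the node's attribute is active and permits the request."""
    return any(c.active(now) and c.permits(manager, command) for c in node.certificates)

def delete_expired(node: TargetNode, now: int) -> int:
    """Deletion step: remove certificates whose effective duration has ended; returns how many."""
    before = len(node.certificates)
    node.certificates = [c for c in node.certificates
                         if c.duration is None or now < c.start + c.duration]
    return before - len(node.certificates)

def run_scenario() -> dict:
    """Constructed data: ServerA issues three certificates for node 1 at different levels."""
    node = TargetNode("./Node1")
    node.certificates += [
        AuthCertificate("ServerA", "ServerB", frozenset({"Get", "Delete"}), FULL, start=100, duration=50),
        AuthCertificate("ServerA", "ServerC", frozenset({"Replace"}), SHARED, start=100),
        AuthCertificate("ServerA", "ServerD", frozenset({"Exec"}), SUB, start=200, second_level="ServerE"),
    ]
    return {
        "b_get_before_start": authorize(node, "ServerB", "Get", now=90),   # step 5051 fails
        "b_get": authorize(node, "ServerB", "Get", now=120),
        "a_get": authorize(node, "ServerA", "Get", now=120),               # full: delegator excluded
        "a_replace": authorize(node, "ServerA", "Replace", now=120),       # shared: both allowed
        "c_replace": authorize(node, "ServerC", "Replace", now=120),
        "b_replace": authorize(node, "ServerB", "Replace", now=120),       # outside ServerB's rights
        "d_exec": authorize(node, "ServerD", "Exec", now=250),             # sub: first level not named
        "e_exec": authorize(node, "ServerE", "Exec", now=250),
        "b_get_expired": authorize(node, "ServerB", "Get", now=160),       # duration ended at 150
        "deleted": delete_expired(node, now=160),
        "remaining": len(node.certificates),
    }
```

The text does not say how the certificate check combines with the node's existing ACL value, so the example decides from the certificates alone; a terminal that stores both would need a stated precedence between them.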
In Embodiment 3, the delegation relationship information is configured in the form of an authorization certificate in a newly added attribute of the target node on the management tree. In this way the terminal knows the delegation relationship for the target node, that is, which of its rights on the target node one manager has delegated to another manager, and can perform the corresponding rights control for this delegation relationship. For example, by setting the delegation level, full delegation, sub-delegation and shared delegation from the delegating manager to the delegated manager can all be realised, which greatly increases the flexibility of rights management control and optimises service performance.
It should be noted that adding a Delegation subtree in Embodiment 1 merely adds one branch to the terminal's management tree, Embodiment 2 merely uses the extension node already reserved under the DMAcc management object, and Embodiment 3 merely uses a newly added attribute of the target node; all three therefore make only small changes to the original structure of the terminal and are easy to implement.
Further, in Embodiments 1 to 3, the point in time at which the delegation takes effect can be controlled by setting the delegation effective start time, so that the delegating manager can better control when the delegated rights are used. In addition, by setting the delegation effective duration, the terminal automatically restores the ACL value of the target node to the value before modification in Embodiments 1 and 2, and automatically deletes the authorization certificate from the attribute of the target node in Embodiment 3. Either way, subsequent rights operations are restored to the rights the delegating manager held on the target node before the delegation, so that the delegating manager securely reclaims the rights it delegated away.
In Embodiments 1 to 3, the processing of each step in the above flow charts may be performed by the terminal, or by a control device connected to the terminal. It will be understood that the connection between the terminal and the control device includes but is not limited to a wired connection or a wireless connection, and the specific wired or wireless connection does not limit the present invention.
An embodiment of the present invention also proposes a terminal. Referring to Fig. 6, the terminal comprises:
a management tree execution module 601, configured to configure the attribute of the target node on the management tree according to the delegation relationship information between the delegating manager and the delegated manager, wherein the delegation relationship information comprises the delegating manager identifier, the delegated manager identifier, the information on the target node, the delegated rights and the delegation level; and
a device management agent module 602, configured to receive an operation request from a first manager for the target node, judge according to the configured attribute of the target node whether the first manager has the operation right, and if so perform the corresponding operation on the target node according to the operation request, otherwise refuse the first manager's operation on the target node.
It can be seen that the terminal proposed by the embodiment of the present invention configures the attribute of the target node on the management tree according to the delegation relationship information between the delegating manager and the delegated manager, where the delegation relationship information specifically comprises the delegating manager identifier, the delegated manager identifier, the information on the target node, the delegated rights and the delegation level. In this way the terminal knows the delegation relationship for the target node, that is, which of its rights on the target node one manager has delegated to another manager and at which delegation level, and can therefore perform the corresponding rights control for this delegation relationship, thereby improving service quality.
The terminal proposed by the embodiment of the present invention can be applied to the above three business scenarios; for the specific flows, refer to the method embodiments above.
First, the specific structure and function of each module when the terminal is applied to business scenario one or business scenario two are described:
Optionally, referring to Fig. 7, in Embodiment 4 the management tree execution module 601 comprises a first management tree execution module 701, configured to add, under the DMAcc management object of the management tree, a Delegation subtree for the delegating manager or for the delegated manager, to configure the delegation relationship information between the delegating manager and the delegated manager on this Delegation subtree, and to configure the ACL attribute of the target node on the management tree according to the delegation relationship information configured on the Delegation subtree.
Optionally, referring to Fig. 8, in Embodiment 5 the management tree execution module 601 comprises a second management tree execution module 801, configured to configure, under the DMAcc management object of the management tree, the delegation relationship information between the delegating manager and the delegated manager in the value of the extension node corresponding to the delegating manager or in the value of the extension node corresponding to the delegated manager, and to configure the ACL attribute of the target node on the management tree according to the delegation relationship information configured in this extension node value.
Optionally, referring to Fig. 7 and Fig. 9, in Embodiment 6 the first management tree execution module 701 may further comprise a modification module 901; referring to Fig. 8 and Fig. 10, in Embodiment 7 the second management tree execution module 801 may further comprise a modification module 1001. At least one of the modification module 901 of Fig. 9 and the modification module 1001 of Fig. 10 is configured to find the target node on the management tree according to the information on the target node in the delegation relationship information, and to modify the ACL value of the found target node according to the delegating manager identifier, the delegated manager identifier, the delegated rights and the delegation level in the delegation relationship information;
correspondingly,
referring to Fig. 9, in Embodiment 6 the device management agent module 602 further comprises a judging module 902, and referring to Fig. 10, in Embodiment 7 the device management agent module 602 further comprises a judging module 1002; at least one of the judging module 902 and the judging module 1002 judges according to the current ACL value of the target node whether the first manager has the operation right.
Optionally, referring to Fig. 9 and Fig. 11, in Embodiment 8 the modification module 901 in the first management tree execution module 701 further comprises an execution module 1101; referring to Fig. 10 and Fig. 12, in Embodiment 9 the modification module 1001 in the second management tree execution module 801 further comprises an execution module 1201. When the delegation relationship information further comprises a delegation effective start time and/or a delegation effective duration, at least one of the execution module 1101 and the execution module 1201 is configured to perform the modification of the ACL value of the found target node when the delegation effective start time in the delegation relationship information is reached, and, according to the delegation effective duration in the delegation relationship information, to restore the ACL value of the target node to the ACL value before modification when the end of the delegation effective duration is reached after that modification.
Second, the specific structure and function of each module when the terminal is applied to business scenario three are described:
Optionally, referring to Fig. 13, in Embodiment 10 the management tree execution module 601 further comprises a third management tree execution module 1301, configured to configure the authorization certificate storing the delegation relationship information between the delegating manager and the delegated manager in a newly added attribute of the target node on the management tree;
correspondingly,
the device management agent module 602 further comprises a third device management agent module 1302, configured to judge according to the delegating manager identifier, the delegated manager identifier, the delegated rights and the delegation level in the authorization certificate of the target node whether the first manager has the operation right.
Optionally, referring to Fig. 14, in Embodiment 11 the device management agent module 602 further comprises a fourth device management agent module 1402, configured to judge according to the delegation effective start time in the authorization certificate of the target node whether the first manager has the operation right.
Referring to Fig. 14, whether or not the device management agent module 602 comprises the fourth device management agent module 1402, the management tree execution module 601 may further comprise a fourth management tree execution module 1401, configured to delete the authorization certificate from the newly added attribute of the target node when the end of the delegation effective duration in the authorization certificate is reached, after the authorization certificate has been configured in the attribute of the corresponding target node on the management tree.
Those of ordinary skill in the art will appreciate that all or part of the steps for implementing the above method embodiments may be accomplished by hardware instructed by a program. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes various media capable of storing program code, such as a ROM, a RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.