CN113221138B - Authority management system - Google Patents


Publication number
CN113221138B
Authority
CN
China
Prior art keywords
authority
service
module
user
role
Legal status
Active
Application number
CN202110479442.9A
Other languages
Chinese (zh)
Other versions
CN113221138A (en
Inventor
代维佳
王贝贝
陈武
张国涛
刘国仿
孙哲
李�杰
李慧
黄萍
陈波
Current Assignee
Research Institute of Nuclear Power Operation
China Nuclear Power Operation Technology Corp Ltd
Original Assignee
Research Institute of Nuclear Power Operation
China Nuclear Power Operation Technology Corp Ltd
Application filed by Research Institute of Nuclear Power Operation and China Nuclear Power Operation Technology Corp Ltd
Priority to CN202110479442.9A
Publication of CN113221138A
Application granted
Publication of CN113221138B
Legal status: Active

Classifications

Sections and classes: G Physics; G06 Computing, calculating or counting; G06F Electric digital data processing; G06Q Information and communication technology [ICT] specially adapted for administrative, commercial, financial, managerial or supervisory purposes; H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication.

    • G06F21/604 Tools and structures for managing or administering access control systems (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/60 Protecting data)
    • G06F21/31 User authentication (under G06F21/00; G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (under G06F21/00; G06F21/60 Protecting data; G06F21/62 Protecting access to data via a platform)
    • G06Q50/06 Energy or water supply (under G06Q50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism)
    • H04L63/102 Entity profiles (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/10 Network architectures or network communication protocols for controlling access to devices or network resources)
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general (under H04L63/00)
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices (under G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements)

Abstract

The invention provides an authority management system. The system is built on a unified authority management service, which simplifies authority maintenance and management for each service unit module; conflict detection quickly determines whether the roles behind associated operations conflict logically, which improves the reliability of user authorities; and authority control across the roles of different service systems is supported, so that a user who needs resources of another service system under certain conditions can be served without the manual application process of the prior art, whose procedures are cumbersome and consume much human effort. System resources can therefore be used fully and user experience improved.

Description

Authority management system
Technical Field
The invention relates to the technical field of computers, in particular to a permission management system.
Background
As informatization of nuclear power plants continues, more and more information systems are deployed in them. These systems generally either contain their own user authority control module or are connected to a unified authentication and authority management platform, so either independent construction or integrated construction can meet certain management requirements. At the same time, problems such as authentication of integrated data, complex integration and difficult management arise between platforms. In the independent construction mode in particular, once some role-authority relationships in a system change, the security policies governing role control must be adjusted so that the authority change does not open a security hole. In the prior art it is difficult to adjust role authorities while still guaranteeing system security.
Disclosure of Invention
The invention mainly aims to provide an authority management system, and aims to solve the technical problem that the role authority is difficult to adjust on the premise of ensuring the system safety in the prior art.
In order to solve the above technical problem, the present invention provides an authority management system, including:
the client display layer is used for dynamically displaying all operations and configurations based on user requests and providing a calling interface for the outside;
the security access control layer based on the micro service is used for carrying out token verification on the authority operation request and determining role authority information corresponding to the authority operation request;
the authority logic control layer is used, once the user triggering the authority operation request is determined to be an authorized user, for performing conflict detection on the logic information of the role authority information, sending the conflict detection result to the database layer, acquiring the authority information of the roles carried by the user from the database layer, and integrating the authority information with the conflict detection result;
and the database layer is used for collecting and storing the resource data.
Optionally, the client display layer includes:
the authority configuration management module is used for creating a login user and distributing roles and authorities owned by the user;
the service function menu module represents the service authorities that the user can ultimately access in the system; its data determines the set of authorities available to the roles carried by the user, and it is bound to the authority configuration management module through that data;
and the service unit module comprises each subsystem of the whole system, developed in a distributed manner, whose authorities are managed and maintained through the unified management system.
Optionally, the authority configuration management module is configured to:
entering an operation page through a role management menu or a user management menu to authorize roles or functions for personnel/system users of each service unit module, or after binding the personnel/system users of each service unit module through a permission menu tree, authorizing roles or functions for the personnel/system users of each service unit module;
the service function menu module is used for changing the function permission range controlled by the user under the role through the selective configuration of the function menu;
the service unit module is a plurality of service systems developed based on micro-service, and each service system is relatively independent and establishes a connection through data interaction.
Optionally, the microservice-based security access control layer includes:
the microservice API gateway is configured with microservice routes and serves as the unified authentication entry for authority requests sent by the client;
the security policy access module defines the rules under which a request must be authenticated and configures the default access security policy; the security policy configuration describes the mapping from request URL rules, expressed as regular expressions, to security policies, and the security policies comprise a user authentication policy, a password strength policy, a resource authentication and authorization policy, and a blacklist/whitelist policy.
Optionally, the authority logic control layer includes:
the role conflict detection module defines a constraint-based minimum conflict detection rule and detects whether the authority of one role or a plurality of roles carried by a user triggering the authority operation request conflicts in business logic;
the authority control integration module is used for integrating the requested authority information and then assigning the integrated authority information to the user, and rendering and releasing a service authority hierarchical structure owned by the user on a function menu;
and the authority control service monitoring module handles the whole process from the user's request to its release, and records and alarms on page-level and background-level exceptions.
Optionally, the authority logic control layer further includes:
and the authority control service registration module is used for registering resource information after personnel/system users of all the service unit modules with configured authority successfully log in the authority client, and the registered resource information comprises a service function URL address, a function name, function description and a function code.
Optionally, the role conflict detection module defines a constraint-based minimum conflict detection rule; it detects whether the authorities of the one or more roles carried by the user triggering the authority operation request conflict in business logic, and, under that rule, judges the authority logic according to a preset rule within the authority range of the minimized current role set.
Optionally, the authority control integration module is configured to perform unified integration of the authorities of the role information that passes conflict detection and to perform resource typesetting (layout) of the role authority information belonging to each business unit module.
Optionally, the authority control service monitoring module is configured to render and display the function menu that is successfully requested and has no logic problem on a WEB page, so that a person/system user having an operation authority can perform corresponding business operation.
Optionally, the database layer includes:
the data collection module is used for collecting service data and authority data, wherein the service data comprises all data to which each unit module belongs, the authority data comprises mapping relation data of the authority management module to users, roles and authorities, and dynamic transmission of information is kept between the authority management module and each module in real time through a message bus;
and the data storage module is used for storing the service data and the authority data which can be stored persistently.
In the present invention, an authority management system comprises: a client display layer, which dynamically displays all operations and configurations based on user requests and provides a calling interface to the outside; a microservice-based security access control layer, which performs token verification on the authority operation request and determines the role authority information corresponding to it; an authority logic control layer, which, once the user triggering the authority operation request is determined to be an authorized user, performs conflict detection on the logic information of the role authority information, sends the conflict detection result to the database layer, acquires the authority information of the roles carried by the user from the database layer, and integrates the authority information with the conflict detection result; and a database layer, which collects and stores the resource data. The invention thus realizes double control of security authentication and authority control, ensuring the security and robustness of authorization. Because the system is built on a unified authority management service, authority maintenance and management of each service unit module is simplified; conflict detection quickly determines whether the roles behind associated operations conflict logically, which improves the reliability of user authorities; and authority control across the roles of different service systems is supported, so that a user who needs resources of another service system under certain conditions can be served without the manual application process of the prior art, whose procedures are cumbersome and consume much human effort. System resources can therefore be used fully and user experience improved.
Drawings
FIG. 1 is a diagram of an architecture of a rights management system;
FIG. 2 is a detailed diagram of the client presentation layer 10 in one embodiment;
FIG. 3 is a detailed diagram of the microservice-based security access control layer 20 in one embodiment;
FIG. 4 is a detailed diagram of privilege logic control layer 30 in one embodiment;
FIG. 5 is a detailed diagram of the database layer 40 in one embodiment.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The embodiment of the invention provides a permission management system.
Referring to fig. 1, fig. 1 is a schematic diagram of an architecture of a rights management system. As shown in fig. 1, the rights management system includes:
the client display layer 10 is used for dynamically displaying all operations and configurations based on user requests and providing calling interfaces for the outside;
in this embodiment, the client presentation layer is a medium for service interaction and information transmission between the system and the user, and all operations and configurations based on a user request can be dynamically presented on the interface, and a calling interface, such as a data read-write interface, an authority query interface, and the like, is provided to the outside.
The security access control layer 20 based on the micro service is used for carrying out token verification on the authority operation request and determining role authority information corresponding to the authority operation request;
in this embodiment, the security access control layer based on the microservice monitors and controls the running state and the service call relation of the service based on containerization, and the service gateway checks the token of the permission operation request sent by the client.
The authority logic control layer 30 is configured to, when it is determined that the user triggering the authority operation request is an authorized user, perform conflict detection on the logic information of the role authority information, send a conflict detection result to the database layer, acquire the authority information of the role carried by the user from the database layer, and integrate the authority information and the conflict detection result;
In this embodiment, the authority logic control layer determines whether the requesting user is an authorized user and, when so, acquires all authority information of the roles carried by the user from the database layer and performs conflict detection and authority integration.
A database layer 40 for collecting and storing resource data.
In this embodiment, the database layer provides collection and storage services for respective resource data, and the database stores structured data and unstructured data, such as user information data, a user password, user authority configuration, log record information, and the like, in a manner of combining MySQL and MongoDB.
In this embodiment, the authority management system includes: a client display layer, which dynamically displays all operations and configurations based on user requests and provides a calling interface to the outside; a microservice-based security access control layer, which performs token verification on the authority operation request and determines the role authority information corresponding to it; an authority logic control layer, which, once the user triggering the authority operation request is determined to be an authorized user, performs conflict detection on the logic information of the role authority information, sends the conflict detection result to the database layer, acquires the authority information of the roles carried by the user from the database layer, and integrates the authority information with the conflict detection result; and a database layer, which collects and stores the resource data. This embodiment thus realizes double control of security authentication and authority control, guaranteeing the security and robustness of authorization. Because the system is built on a unified authority management service, authority maintenance and management of each service unit module is simplified; conflict detection quickly determines whether the roles behind associated operations conflict logically, which improves the reliability of user authorities; and authority control across the roles of different service systems is supported, so that a user who needs resources of another service system under certain conditions can be served without the manual application process of the prior art, whose procedures are cumbersome and consume much human effort. System resources can therefore be used fully and user experience improved.
Further, in an embodiment, referring to fig. 2, fig. 2 is a detailed schematic diagram of the client presentation layer 10 in an embodiment. As shown in fig. 2, the client presentation layer 10 includes:
the authority configuration management module 101 is used for creating a login user and distributing roles and authorities owned by the user;
the service function menu module 102 represents the service authorities that the user can ultimately access in the system; its data determines the set of authorities available to the roles carried by the user, and it is bound to the authority configuration management module through that data;
the service unit module 103 comprises each subsystem of the whole system, developed in a distributed manner, whose authorities are managed and maintained through the unified management system.
In this embodiment, the client display layer 10 includes an authority configuration management module 101, a service function menu module 102 and a service unit module 103. The authority configuration management module 101 creates information such as organizations, roles, users, personnel and posts, creates login users, and distributes the roles and authorities owned by each user; the service function menu module 102 represents the service authorities that the user can ultimately access in the system, its data determines the set of authorities available to the roles carried by the user, and it is bound to the authority configuration management module through that data; the service unit module 103 comprises each subsystem of the whole system, developed in a distributed manner, whose authorities are managed and maintained through the unified management system.
Further, in an embodiment, the authority configuration management module 101 is configured to:
entering an operation page through a role management menu or a user management menu to authorize roles or functions for personnel/system users of each service unit module, or binding the personnel/system users of each service unit module through a permission menu tree and then authorizing roles or functions for the personnel/system users of each service unit module;
a service function menu module 102, configured to change a function permission range controllable by a user under a role through selective configuration of a function menu;
the service unit module 103 is a plurality of service systems developed based on micro services, and each service system is relatively independent and establishes a connection through data interaction.
In this embodiment, the authority management system authorizes roles or functions for the users of each service unit module, so that they can log in to the authority client and perform service operations. The authority configuration management module authorizes roles or functions for the users of the service unit modules as follows: it enters an operation page through the role management menu or the user management menu and authorizes roles or functions for the personnel/system users of each service unit module, or it first binds the personnel/system users through the authority menu tree and then authorizes roles or functions for them. The service function menu module can add, delete and change menu items, and through selective configuration of the function menu it changes the range of functions that a user under a given role may control; this simplifies the authority control flow, makes authority control configurable, extensible and scalable, and embodies the idea of data-driven view changes. The service unit module refers to the several service systems in the system that are developed on the basis of microservices; each service system is relatively independent and establishes connections through data interaction.
Further, referring to fig. 3, fig. 3 is a detailed diagram of the security access control layer 20 based on the microservice in an embodiment. As shown in fig. 3, the microservice-based security access control layer 20 includes:
the microservice API gateway 201 is configured with microservice routes and serves as the unified authentication entry for authority requests sent by the client;
the security policy access module 202 defines the rules under which a request must be authenticated and configures the default access security policy, where the security policy configuration describes the mapping from request URL rules, expressed as regular expressions, to security policies, and the security policies comprise a user authentication policy, a password strength policy, a resource authentication and authorization policy, and a blacklist/whitelist policy.
In this embodiment, the microservice-based security access control layer 20 is built from a microservice API gateway 201, a security policy access module 202 and a Redis cluster. The security policy access module defines the rules under which a request must be authenticated and configures the default access security policy; the security policy configuration describes the mapping from request URL rules, expressed as regular expressions, to security policies, and the security policies comprise a user authentication policy, a password strength policy, a resource authentication and authorization policy, and a blacklist/whitelist policy. Microservice routes are configured in the microservice API gateway 201, and authority requests sent by the client pass through the microservice API gateway 201 as the unified authentication entry.
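A minimal model of the security policy access module described above, added here as an illustration and not code from the patent: each rule maps a request URL regular expression to a security policy, the first matching rule wins, and an explicit default policy covers every unmatched URL. The class, field and rule names, the sample URLs and the client address prefixes are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Added example (not code from the patent): a minimal model of the security
# policy access module. Each rule maps a request URL regular expression to the
# security policy enforced for it; the first matching rule wins, and an explicit
# default policy covers every URL that no rule names. All names are assumptions.


@dataclass(frozen=True)
class SecurityPolicy:
    require_authentication: bool = True        # user authentication policy: a valid token is needed
    min_password_length: int = 0               # password strength policy (0 = not applicable to this URL)
    required_authority: Optional[str] = None   # resource authentication/authorization policy
    whitelist: Tuple[str, ...] = ()            # if non-empty, only these client prefixes may reach the URL
    blacklist: Tuple[str, ...] = ()            # these client prefixes are always refused


@dataclass(frozen=True)
class PolicyRule:
    url_regex: str
    policy: SecurityPolicy


class SecurityPolicyAccessModule:
    def __init__(self, rules: List[PolicyRule], default_policy: SecurityPolicy):
        # Compile once. fullmatch() is used below rather than match()/search(), so a
        # pattern written for one path cannot be satisfied by a longer URL that merely
        # contains it; the gateway is assumed to have normalized the path already.
        self._rules = [(re.compile(r.url_regex), r.policy) for r in rules]
        self.default_policy = default_policy

    def resolve(self, url: str) -> SecurityPolicy:
        """Map a request URL to its security policy; unmatched URLs get the default."""
        for regex, policy in self._rules:
            if regex.fullmatch(url):
                return policy
        return self.default_policy

    def decide(self, url: str, client_ip: str, token_valid: bool, authorities: Set[str]) -> str:
        """Return "allow" or "deny:<reason>" for one request under the resolved policy."""
        policy = self.resolve(url)
        # Prefix matching on the address string is a simplification for the example.
        if any(client_ip.startswith(p) for p in policy.blacklist):
            return "deny:blacklist"
        if policy.whitelist and not any(client_ip.startswith(p) for p in policy.whitelist):
            return "deny:whitelist"
        if policy.require_authentication and not token_valid:
            return "deny:unauthenticated"
        if policy.required_authority and policy.required_authority not in authorities:
            return "deny:unauthorized"
        return "allow"

    def password_acceptable(self, url: str, password: str) -> bool:
        """Password strength policy for the URL: minimum length plus letter, digit and symbol."""
        policy = self.resolve(url)
        if policy.min_password_length == 0:
            return True
        classes = [any(c.isalpha() for c in password), any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)]
        return len(password) >= policy.min_password_length and all(classes)


def build_demo_module() -> SecurityPolicyAccessModule:
    """Constructed rule set: public pages, an internal-only API, and password changes."""
    rules = [
        PolicyRule(r"/public/[^/]+", SecurityPolicy(require_authentication=False)),
        PolicyRule(r"/api/reactor/.*", SecurityPolicy(required_authority="reactor:read",
                                                       whitelist=("10.0.",))),
        PolicyRule(r"/api/account/password", SecurityPolicy(min_password_length=12)),
    ]
    # Default: anything not listed still needs a valid token, and one constructed
    # address range is refused everywhere (deny-by-default stance).
    return SecurityPolicyAccessModule(rules, default_policy=SecurityPolicy(blacklist=("192.0.2.",)))
```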
Further, in an embodiment, referring to fig. 4, fig. 4 is a detailed schematic diagram of the authority logic control layer 30 in an embodiment. As shown in fig. 4, the authority logic control layer 30 includes:
the role conflict detection module 301 defines a constraint-based minimum conflict detection rule, and detects whether the permissions of one or more roles carried by the user triggering the permission operation request have business logic conflicts;
the authority control integration module 302 is configured to integrate the requested authority information and then assign the integrated authority information to the user, and render and issue a service authority hierarchical structure owned by the user on a function menu;
and the authority control service monitoring module 303 is configured to handle the whole process from the user's request to its release, and to record and alarm on page-level and background-level exceptions.
In this embodiment, a token verification mechanism based on the server-side cache determines whether the requesting user is an authorized user, and all authority information of the roles carried by that user is then obtained from the database layer. The role conflict detection module 301 defines a constraint-based minimum conflict detection rule and detects whether the authorities of the one or more roles carried by the requesting user conflict in service logic; the authority control integration module 302 integrates the requested authority information, assigns the integrated information to the requesting user, and renders and releases the service authority hierarchy owned by the user on the function menu; the authority control service monitoring module 303 handles the whole process from the user's request to its release and records and alarms on page-level and background-level exceptions.
Further, in an embodiment, the authority logic control layer 30 further includes:
and the authority control service registration module is used for registering resource information after personnel/system users of all the service unit modules with configured authority successfully log in the authority client, and the registered resource information comprises a service function URL address, a function name, function description and a function code.
In this embodiment, the authority control service registration module is configured to register resource information, including contents such as a service function URL address, a function name, a function description, and a function code, after a person/system user of each service unit module configured with an authority successfully logs in the authority client.
Further, in an embodiment, the role conflict detection module defines a constraint-based minimum conflict detection rule, which is used to detect whether the authorities of the one or more roles carried by the user triggering the authority operation request conflict in business logic; under the constraint-based minimum conflict detection rule, the authority logic is judged according to a preset rule within the authority range of the minimized current role set.
In this embodiment, the role conflict detection module defines a constraint-based minimum conflict detection rule and detects whether the authorities of the one or more roles carried by a requesting user conflict in business logic. Under the constraint-based minimum conflict detection rule, the authority logic is judged according to a preset rule within the authority range of the minimized current role set. It should be noted that role constraint control refers to the mandatory rules that must be followed when an authority is assigned to a role, when a role is assigned to a user, and when a user activates a role at a given moment; it serves to separate responsibilities, for example by allowing the same user to hold the authorities of at most one role from a mutually exclusive role set.
Further, in an embodiment, the authority control integration module 302 is configured to perform unified integration of the authorities of the role information that passes conflict detection and to perform resource typesetting (layout) of the role authority information belonging to each business unit module.
In this embodiment, the authority control integration module performs unified integration of the authorities of the role information that passes conflict detection, that is, it lays out the role authority information belonging to each business unit module as resources.
Further, in an embodiment, the authority control service monitoring module 303 is configured to render and display the function menu that is successfully requested and has no logic problem on a WEB page, so that a person/system user currently having an operation authority can perform a corresponding business operation.
In this embodiment, the authority control service monitoring module 303 renders and displays the function menu which is successfully requested and has no logic problem on the WEB page, so that the personnel/system users who currently have the operation authority can perform corresponding business operations.
Further, in an embodiment, referring to fig. 5, which is a detailed diagram of the database layer 40 in an embodiment, the database layer 40 includes:
the data collection module 401 collects service data and authority data, wherein the service data comprises all data to which each unit module belongs, the authority data comprises mapping relation data of the authority management module to users, roles and authorities, and dynamic transmission of information is kept between the authority management module and each module in real time through a message bus;
a data storage module 402, configured to store service data and permission data that may be persistently stored.
In this embodiment, the data collection module 401 in the database layer 40 reads/writes the service data and permission data of the entire system in real time for each service module; the service data includes all data to which each unit module belongs, the permission data includes the mapping relation data of the permission management module to users, roles and permissions, and dynamic transmission of information is maintained in real time between the permission management module and each module through a message bus. The data storage module 402 is mainly used for storing business data and authority data that can be stored persistently.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or system that comprises the element.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A rights management system, comprising:
the client display layer is used for dynamically displaying all operations and configurations based on user requests and providing a calling interface for the outside;
the security access control layer based on the micro service is used for carrying out token verification on the authority operation request and determining role authority information corresponding to the authority operation request;
the permission logic control layer is used for carrying out conflict detection on the logic information of the role permission information when the user triggering the permission operation request is determined to be an authorized user, sending a conflict detection result to the database layer, acquiring the permission information of the role carried by the user from the database layer, and integrating the permission information and the conflict detection result;
and the database layer is used for collecting and storing the resource data.
2. The rights management system of claim 1, wherein the client presentation layer comprises:
the authority configuration management module is used for creating a login user and distributing roles and authorities owned by the user;
the service function menu module represents the service authorities that are ultimately embodied for the user in the system and can be accessed by the user; the data of the service function menu module controls the authority range set of the roles carried by the user, and the service function menu module is connected and bound with the authority configuration management module through that data;
and the service unit module is each subsystem based on distributed development in the whole system, and the authority of the subsystem is managed and maintained through a unified management system.
3. The rights management system of claim 2, wherein the rights configuration management module is configured to:
entering an operation page through a role management menu or a user management menu to authorize roles or functions for personnel/system users of each service unit module, or binding the personnel/system users of each service unit module through a permission menu tree and then authorizing roles or functions for the personnel/system users of each service unit module;
the service function menu module is used for changing the function permission range controlled by the user under the role through the selective configuration of the function menu;
the service unit module is a plurality of service systems developed based on micro-services, and each service system is relatively independent and establishes a connection through data interaction.
4. The rights management system of claim 1, wherein the microservice-based secure access control layer comprises:
the micro service API gateway is configured with a micro service route, and the authority request sent by the client realizes a uniform authentication entrance through the micro service API gateway;
the security policy access module is used for defining a rule requesting authentication and configuring a security policy of default access, wherein the security policy configuration describes security policy mapping of a request URL rule by using a regular expression, and the security policy comprises a user authentication policy, a password intensity policy, a resource authentication authorization policy and a black-and-white list policy.
5. The rights management system of claim 1, wherein the rights logic control layer comprises:
the role conflict detection module defines a constraint-based minimum conflict detection rule and detects whether the authority of one role or a plurality of roles carried by a user triggering the authority operation request conflicts in business logic;
the authority control integration module is used for integrating the requested authority information and then assigning the integrated authority information to the user, and rendering and releasing a service authority hierarchical structure owned by the user on a function menu;
and the authority control service monitoring module is used for processing the whole process from the request to the release of the user, and performing page and background level abnormal recording and alarming.
6. The rights management system of claim 5, wherein the rights logic control layer further comprises:
and the authority control service registration module is used for registering resource information after personnel/system users of all the service unit modules with configured authority successfully log in the authority client, and the registered resource information comprises a service function URL address, a function name, function description and a function code.
7. The rights management system according to claim 5, wherein the role conflict detection module defines a constraint-based minimum conflict detection rule, which is used to detect whether a conflict exists in the business logic for the privileges of one or more roles carried by the user triggering the privilege operation request, and the constraint-based minimum conflict detection rule determines the privilege logic according to a preset rule within the scope of the privileges in the minimized current role set.
8. The rights management system according to claim 5, wherein the privilege control integration module is configured to perform unified integration on the privileges of the role information that passes the conflict detection, and to perform resource typesetting on the role privilege information of each business unit module.
9. The rights management system of claim 5, wherein the rights control service monitoring module is configured to render and display a functional menu that is requested successfully and has no logic problem on a WEB page, so that a person/system user currently having an operation right can perform a corresponding business operation.
10. The rights management system of claim 1, wherein the database tier comprises:
the data collection module is used for collecting service data and authority data, wherein the service data comprises all data to which each unit module belongs, the authority data comprises mapping relation data of the authority management module to users, roles and authorities, and dynamic transmission of information is kept between the authority management module and each module in real time through a message bus;
and the data storage module is used for storing the service data and the authority data which can be stored persistently.
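Claims 1 and 4 describe the micro-service security access control layer: a single authentication entry at the API gateway that verifies the token on each authority request, a default-access security policy expressed as regular-expression mappings over the request URL, and a black-and-white list policy. The following is an added Python illustration of that gateway decision, not code from the patent. The token format (an HMAC-SHA256 signed JSON payload), the gateway key, the policy table, the paths and the denylisted address are all constructed assumptions:

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed demo key; a real gateway loads its signing key from a secret store.
GATEWAY_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, roles, ttl: int = 300, now=None) -> str:
    """Mint a signed token carrying the user's role set and an expiry (hypothetical format)."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "roles": sorted(roles), "exp": now + ttl}).encode()
    sig = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now=None):
    """Return the claims when the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        payload = _unb64(body)
        expected = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()
        # Constant-time comparison so the check leaks nothing about the expected MAC.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(payload)
        if not isinstance(claims, dict):
            return None
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


# Security policy mapping: request-URL regular expression -> policy. The first
# matching rule wins; paths that match nothing fall back to DEFAULT_POLICY (deny).
POLICIES = [
    (re.compile(r"^/auth/login$"), {"auth": "anonymous"}),
    (re.compile(r"^/api/admin(/.*)?$"), {"auth": "token", "roles": {"admin"}}),
    (re.compile(r"^/api/.*"), {"auth": "token", "roles": set()}),
]
DEFAULT_POLICY = {"auth": "deny"}
DENYLIST = {"198.51.100.23"}  # constructed blacklist entry


def match_policy(path: str) -> dict:
    """Resolve the security policy for a request path via the regex table."""
    for pattern, policy in POLICIES:
        if pattern.match(path):
            return policy
    return DEFAULT_POLICY


def gateway_decision(path: str, client_ip: str, token=None, now=None):
    """Unified authentication entry: returns (allowed, reason) for one request."""
    if client_ip in DENYLIST:
        return False, "denylisted source"
    policy = match_policy(path)
    if policy["auth"] == "deny":
        return False, "no policy for path"
    if policy["auth"] == "anonymous":
        return True, "anonymous allowed"
    claims = verify_token(token, now) if token else None
    if claims is None:
        return False, "invalid or expired token"
    required = policy.get("roles", set())
    if required and not required & set(claims["roles"]):
        return False, "role not permitted"
    return True, f"user {claims['sub']} authorized"
```

The ordering of the policy table matters: the more specific `/api/admin` rule must precede the catch-all `/api/` rule, and the absence of a matching rule denies rather than allows, which is the safe default for a gateway that fronts every service unit module.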
CN202110479442.9A 2021-04-30 2021-04-30 Authority management system Active CN113221138B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110479442.9A CN113221138B (en) 2021-04-30 2021-04-30 Authority management system

Publications (2)

Publication Number Publication Date
CN113221138A CN113221138A (en) 2021-08-06
CN113221138B true CN113221138B (en) 2022-11-18

Family

ID=77090388

Country Status (1)

Country Link
CN (1) CN113221138B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113691539A (en) * 2021-08-25 2021-11-23 中国银行股份有限公司 Enterprise internal unified function authority management method and system
CN113709143B (en) * 2021-08-26 2023-03-07 四川启睿克科技有限公司 Accurate authority access control system and method for Web integrated system
CN114567504B (en) * 2022-03-07 2023-08-25 福建天晴在线互动科技有限公司 Dynamic authority cross management method and system based on web architecture
CN116522316B (en) * 2023-02-23 2023-11-14 武汉禾正丰科技有限公司 Service management system based on distributed network

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015121962A (en) * 2013-12-24 2015-07-02 日本電気株式会社 Information processing system for executing access control, information processing device, access control method and program

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8990910B2 (en) * 2007-11-13 2015-03-24 Citrix Systems, Inc. System and method using globally unique identities
CN102387145B (en) * 2011-10-21 2014-03-12 北京航空航天大学 System and method for detecting access control strategy collision in collaborative environment
US10679160B1 (en) * 2012-05-24 2020-06-09 Jpmorgan Chase Bank Enterprise fulfillment system with dynamic prefetching capabilities, secured data access capabilities and system monitoring
CN103617485A (en) * 2013-11-15 2014-03-05 中国航空无线电电子研究所 Uniform authority management and deployment system
CN106951773B (en) * 2017-03-15 2020-04-14 泰康保险集团股份有限公司 User role distribution checking method and system
CN111447222A (en) * 2020-03-26 2020-07-24 广东电网有限责任公司 Distributed system authority authentication system and method based on micro-service architecture
CN112118224B (en) * 2020-08-12 2021-07-23 北京大学 Trusted mechanism authority management method and system for big data block chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant