CN113935063A - Authority service platform, method and system - Google Patents

Info

Publication number: CN113935063A
Application number: CN202111090353.1A
Authority: CN (China)
Prior art keywords: entity, application system, user, entities, role
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 王天龙
Current assignee: China Resources Land Holdings Ltd
Original assignee: China Resources Land Holdings Ltd
Application filed by China Resources Land Holdings Ltd; priority to CN202111090353.1A; published as CN113935063A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention discloses a permission service platform, a method and a system. The authority service platform comprises: the application management module is used for managing an application system entity; the role management module is used for managing role entities; an organization management module for managing organization entities; the user management module is used for managing the user entity; the role management module or the user management module also provides a user authorization function, and the user authorization is completed by simultaneously selecting the user entity, the role entity and the organization entity. The invention provides a unified user authentication/authority authorization flow, can effectively standardize the user management of the service system, and simplifies the user authentication/authority authorization ecology of the service system.

Description

Authority service platform, method and system
Technical Field
The invention relates to the technical field of data security, in particular to a permission service platform, a method and a system.
Background
With the increasing degree of informatization in governments and enterprises, the number of application systems grows steadily, and permission management for these application systems has become a very troublesome problem. The user authentication/permission authorization ecosystem of current business systems is complex, and no unified, complete authentication/authorization flow exists. How to effectively standardize the user management of business systems, raise the permission-standardization awareness of business personnel, accelerate the development of user authentication and permission management functions for new business systems, and advance the construction of information system permission services has become a problem that urgently needs to be solved.
Disclosure of Invention
The invention mainly aims to provide a permission service platform, a permission service method and a permission service system, which are used for solving the problems in the prior art.
In a first aspect of the present invention, a permission service platform is provided, including: the system comprises an application management module, a role management module, an organization management module and a user management module; the application management module is used for managing an application system entity; the application system entity is correspondingly established aiming at the actual application system and plays an isolation role; the role management module is used for managing role entities and providing a user authorization function; the role entity is an authorized object of the application system entity, belongs to the application system entity, and is isolated from the role entities configured under different application system entities; an organization management module for managing organization entities; the organization entity is composed of a management architecture, projects and/or stages, adopts a tree structure and comprises organization nodes and an organization view; the user management module is used for managing a user entity and providing a user authorization function, wherein the user entity is an authorization object of a role entity in the authority service; wherein the user authorization is performed by simultaneously selecting the user entity, the role entity and the organization entity.
Further, the authority service platform may further include: the system comprises a menu management module, a user-defined management module and a position management module; the menu management module is used for managing a menu entity; the menu entity is an authorized object of the role entity in the authority service; the menu entity belongs to the application system entity, and the menu entities configured under different application system entities are mutually isolated; the user-defined management module is used for managing a user-defined object entity; the user-defined object entity is an authorized object of the application system entity and belongs to the application system entity; the self-defined object entities configured by different application system entities are isolated from each other; the position management module is used for managing position entities; the position entity is an authorized object of the application system entity and belongs to the application system entity; the job entities configured under different application system entities are isolated from each other.
Further, the authority service platform may further include: the system comprises a service interface module and a data integration module; the service interface module is used for providing a service interface of an external application system; and the data integration module is used for synchronizing the authority data to an external application system and monitoring the integration state through the integration log.
In the embodiment of the invention, the user entity comprises an internal user and an external user; the internal user is from the unified user management system, and the basic information of the internal user is not allowed to be created and modified in the authority service platform; the external user is manually input, and the basic information of the external user is allowed to be created and modified in the authority service platform; the organization nodes comprise non-global self-defined organization nodes, the self-defined organization nodes belong to the application system entity to which the creator belongs, and other application system entities have no right to view; the organizational view comprises views of different perspectives generated based on one or more subsets of the organizational entities; the role entities comprise built-in roles and common roles, the built-in roles are automatically created when application system entities are newly added, the built-in roles comprise application system authority management roles, and one application system authority management role is automatically created under each application system entity; the common role is created by an application rights manager, which is a user entity authorized by the system rights manager role.
In a second aspect of the present invention, a method for providing a permission service is provided, including: acquiring an application system entity, wherein the application system entity is correspondingly established aiming at an actual application system and plays an isolation role; acquiring role entities configured under application system entities, wherein the role entities are authorization objects of the application system entities and belong to the application system entities, and the role entities configured under different application system entities are mutually isolated; acquiring a management organization entity, wherein the organization entity is composed of a management framework, projects and/or stages in a fusion manner, adopts a tree structure and comprises organization nodes and an organization view; acquiring a user entity, wherein the user entity is an authorized object of a role entity in the authority service; and performing user authorization, wherein the user authorization is completed by simultaneously selecting the user entity, the role entity and the organization entity.
Further, the rights service method may further include: acquiring a menu entity; the menu entity is an authorized object of the role entity in the authority service; the menu entity belongs to the application system entity, and the menu entities configured under different application system entities are mutually isolated; acquiring a custom object entity; the user-defined object entity is an authorized object of the application system entity and belongs to the application system entity; the self-defined object entities configured by different application system entities are isolated from each other; acquiring a position entity; the position entity is an authorized object of the application system entity and belongs to the application system entity; the job entities configured under different application system entities are isolated from each other.
Further, the rights service method may further include: providing a service interface of an external application system; and synchronizing the authority data to an external application system, and monitoring the integration state through the integration log.
In a third aspect of the present invention, there is provided a rights service platform, including a processor and a memory, where the memory stores a program, and the program includes computer-executable instructions, and when the computer device runs, the processor executes the computer-executable instructions stored in the memory, so as to make the computer device execute the rights service method as described above.
In a fourth aspect of the present invention, an authority service system is provided, including: an authority service management workbench, a service interface, a gateway, a cache library, a metadata library and a synchronization service device. The metadata library is connected to the authority service management workbench; the synchronization service device is connected to the metadata library; the cache library is connected to the service interface and uses the service interface parameters as its key values; the service interface is connected to external application systems through the gateway; and both the cache library and the service interface are connected to the metadata library. When the authority service system operates, it executes the authority service method described above.
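As an added illustration of the fourth aspect (not code from the patent or from the assignee), the following Python sketches the relationship between the metadata library, the service interface, a cache keyed by the service interface parameters, and the synchronization service with its integration log. The class names, the interface name user_roles, the sample user and applications, and the transport callback are assumptions; the gateway is not modelled. The point worth taking from it is that any write of authorization data through the workbench must invalidate the cache entries whose key parameters it affects, otherwise the service interface keeps returning permissions that the metadata library no longer holds.

```python
import json
import time


class MetadataStore:
    """Metadata library: system of record for (user, app, role, org) authorizations.
    Constructed for this example; not the patent's data model."""

    def __init__(self):
        self.authorizations = set()

    def grant(self, user, app, role, org):
        self.authorizations.add((user, app, role, org))

    def for_app(self, app):
        return sorted(a for a in self.authorizations if a[1] == app)


class RightsServiceSystem:
    """Service interface + cache keyed by interface parameters + sync service with log.
    The gateway in front of the service interface is not modelled (assumption)."""

    def __init__(self, metadata):
        self.metadata = metadata
        self.cache = {}             # key: (interface name, *parameters) -> cached result
        self.integration_log = []   # one record per synchronization attempt

    # --- service interface exposed to external application systems ---
    def user_roles(self, app, user):
        key = ("user_roles", app, user)       # interface parameters form the cache key
        if key not in self.cache:
            self.cache[key] = sorted(
                role for (u, a, role, org) in self.metadata.authorizations
                if u == user and a == app
            )
        return self.cache[key]

    # --- workbench writes go through here so the cache never serves stale rights ---
    def grant(self, user, app, role, org):
        self.metadata.grant(user, app, role, org)
        self._invalidate(app, user)

    def _invalidate(self, app, user=None):
        self.cache = {
            k: v for k, v in self.cache.items()
            if not (k[1] == app and (user is None or k[2] == user))
        }

    # --- synchronization service: push authority data to one external app ---
    def sync_to_app(self, app, transport):
        payload = json.dumps({"app": app, "authorizations": self.metadata.for_app(app)})
        record = {"app": app, "time": time.time(), "bytes": len(payload)}
        try:
            transport(payload)
            record["status"] = "ok"
        except Exception as exc:   # failures are logged so integration can be monitored
            record["status"] = "failed"
            record["error"] = str(exc)
        self.integration_log.append(record)
        return record["status"]


def failing_transport(payload):
    """Constructed transport that simulates an unreachable external application."""
    raise ConnectionError("constructed failure: gateway unreachable")


def build_sample():
    """Constructed sample: one user with one role in the 'oa' application."""
    system = RightsServiceSystem(MetadataStore())
    system.grant("alice", "oa", "editor", "hq")
    return system
```

Calling build_sample() and then user_roles("oa", "alice") fills the cache; a further grant through the system drops the affected key so the next query reflects the new role, while sync_to_app records one log entry per attempt whether the transport succeeds or fails.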
According to the technical scheme, the embodiment of the invention has the following advantages:
the authority service platform of the embodiment of the invention provides a unified user authentication/authority authorization process, can effectively standardize the user management of a business system, improves the authority-standardization awareness of business personnel, accelerates the development of user authentication and authority management functions for a new business system, and advances the construction of information system authority services. In addition, by adding an application system entity the platform isolates the other entities such as users, roles and organizations, simplifies the user authentication/authority authorization ecosystem of the business system, and helps solve the problem that application systems are becoming ever more numerous and harder to manage.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the following briefly introduces the embodiments and the drawings used in the description of the prior art, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a rights service platform according to an embodiment of the present invention;
FIG. 2 is a relational diagram of entity models in an embodiment of the invention;
FIG. 3 is a diagram of a position entity model relationship in an embodiment of the present invention;
FIG. 4 is a diagram illustrating two special scenarios of the organizational management architecture according to the embodiment of the present invention;
FIG. 5 is a functional architecture diagram of a rights service platform in an embodiment of an application scenario of the present invention;
FIG. 6 is a diagram of a deployment architecture of a rights service system in an embodiment of the invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," and the like in the description and in the claims, and in the above-described drawings, are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
The following are detailed descriptions of the respective embodiments.
Referring to fig. 1, an embodiment of the invention provides a rights service platform. The authority service platform adopts Single Sign On (SSO) technology and introduces entities such as the user, the organization management architecture (organization for short), the application system (application for short) and the role. It is used to standardize the user management of business systems and to provide a uniform user authentication/authority authorization process, so that a user can access all mutually trusted application systems after logging in only once.
The authority service platform comprises at least: an application management module 11, a role management module 12, an organization management module 13, and a user management module 14. Of these:
an application management module 11, configured to manage an application system entity; the application system entity is correspondingly established aiming at the actual application system and plays an isolation role;
a role management module 12, which is used for managing role entities and providing a user authorization function; the role entity is an authorized object of the application system entity, belongs to the application system entity, and is isolated from the role entities configured under different application system entities;
an organization management module 13 for managing organization entities; the organization entity is composed of a management architecture, projects and/or stages, adopts a tree structure and comprises organization nodes and an organization view;
the user management module 14 is used for managing a user entity and providing a user authorization function, wherein the user entity is an authorization object of a role entity in the authority service;
wherein the user authorization is performed by simultaneously selecting the user entity, the role entity and the organization entity.
Optionally, the permission service platform further includes: a menu management module 15, a custom management module 16 and a job management module 17. Of these:
the menu management module is used for managing a menu entity; the menu entity is an authorized object of the role entity in the authority service; the menu entity belongs to the application system entity, and the menu entities configured under different application system entities are mutually isolated;
the user-defined management module is used for managing a user-defined object entity; the user-defined object entity is an authorized object of the application system entity and belongs to the application system entity; the self-defined object entities configured by different application system entities are isolated from each other;
the position management module is used for managing position entities; the position entity is an authorized object of the application system entity and belongs to the application system entity; the job entities configured under different application system entities are isolated from each other.
Further, the authority service platform further comprises: a service interface module 18 and a data integration module 19;
a service interface module 18 for providing a service interface of an external application system;
and the data integration module 19 is used for synchronizing the authority data to an external application system and monitoring the integration state through the integration log.
The authority service platform of the embodiment of the invention provides a unified user authentication/authority authorization process, can effectively standardize the user management of a business system, improves the authority-standardization awareness of business personnel, accelerates the development of user authentication and authority management functions for a new business system, and advances the construction of information system authority services. In addition, by adding an application system entity the platform isolates the other entities such as users, roles and organizations, simplifies the user authentication/authority authorization ecosystem of the business system, and helps solve the problem that application systems are becoming ever more numerous and harder to manage.
In order to facilitate an understanding of the present invention, the SSO technique and the various introduced entity models are described in further detail below.
(I) Single Sign On (SSO) overview
SSO is a popular enterprise business integration solution. SSO means that, among multiple applications, a user only needs to log in once to access all mutually trusted applications.
The authority service platform adopts SSO technology. To this end, various entity models (entities for short) are introduced, including: "user", "organization management architecture (organization for short)", "application system (application for short)", "menu", "role", "custom object (custom for short)" and the like. Compared with the prior art, the invention in particular introduces two new entity models: the "application system" and the "custom object". The relationships between the entity models are shown in fig. 2.
Optionally, some applications in the business domain have a concept of position (job), that is, reporting lines between superiors and subordinates outside the organization hierarchy are realized through a position-level relationship; therefore a position entity is reserved for such business-specific applications in the preferred scheme of the present invention. The position entity model relationship is shown in fig. 3.
The authorization types of the entities in the invention are divided into two kinds:
(1) Positive authorization: the grant represents having the right. Examples: user, menu, custom object, organization.
(2) Negative authorization: the grant represents not having the right. Only menu authorization supports negative authorization.
Hereinafter, each entity related to the present invention will be described in detail in turn.
(II) User
1. Description of the entity
The user entity is an authorization object of the role entity in the authority service; that is, a user can only be granted roles. Granting other entities, such as applications, menus or custom objects, directly to a user is in principle not supported. Two kinds of users are involved in the rights service: internal users and external users.
Internal user: the data comes from a unified user management system based on LDAP (Lightweight Directory Access Protocol) and covers all employees of the enterprise. The basic information of an internal user is governed by the LDAP system; attributes such as password, email and mobile phone number may not be created or modified in the authority service platform.
External user: the data is entered manually. Some application systems (such as an engineering cloud system) involve opening permissions to external users, so external users must be supported as part of the permission service, and the basic information of an external user can be created and modified in the permission service.
2. Attribute list
The attributes of the user entity are shown in table 1 below.
Table 1 User entity attribute list
| Attribute name | Type | Required | Description |
| --- | --- | --- | --- |
| User type | String | Y | Identifies whether the user is internal or external |
| Affiliated organization | String | N | |
| Login name | String | Y | |
| Shop number | Numeric | N | |
| Name | String | Y | |
| Password | String | Y | |
| Email | String | N | |
| Mobile phone | Numeric | N | |
| Job title | String | N | |
| Remarks | String | N | |
3. Data integration
The data integration mode of the internal users is from a unified user management system;
the data integration mode of the external user is manual input and batch import.
(III) Organization management architecture
1. Description of the entity
The organization management architecture (organization for short) in the authority service is a fused entity combining the management architecture, projects and stages from the master data, because most applications manage and authorize projects or stages in the form of an organization. The organization management architecture represents the unique and complete organization tree (i.e. the basic organization management architecture) in the rights service.
As shown in fig. 4, there are two special scenarios in the management and authorization of the organization management architecture:
(1) Custom organization nodes: for the scenario in which an individual application needs to extend organization nodes by itself (only extension based on the basic organization management architecture is supported), a user is allowed to add non-global custom organization nodes. A custom organization node belongs to the application system to which its creator belongs, and other application systems have no right to view it.
(2) Multi-view organization views: for some applications, authorization management does not need to be based on the whole basic organization management architecture but only on a subset of it. Organization view configuration therefore needs to be supported, that is, flexible filtering of the basic organization management architecture to generate organization views from different perspectives, and an application system performs authorization management based on a specified organization view. The organization tree that an application rights administrator has the right to view is the union of the organization view and the custom organization nodes of the affiliated application system.
In addition, when an organization is authorized, the default is that the data of the authorized organization and of its lower-level organizations can be viewed. There are cases, however, where "although the authority of a certain organization level is granted, only the data of that level should be viewed, not the data of the lower levels", so the present invention supports setting a data range (only the current level, or the current level and the lower levels) when performing organization authorization.
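The organization rules in this section (a single base tree, custom nodes visible only to the creating application, organization views as filtered subsets, and a data range of either only the current level or the current level plus lower levels) can be checked with the following Python. It is an added example for this page, not code from the patent or from the assignee; the tree nodes, the application names 'eng' and 'crm', and the scope labels 'current' and 'subtree' are constructed assumptions.

```python
from collections import deque


class OrgTree:
    """Basic organization management architecture plus per-application custom nodes.
    Constructed for this example; the patent does not specify a data structure."""

    def __init__(self):
        self.parent = {}      # node -> parent node (None for the root)
        self.owner_app = {}   # custom node -> application system that created it

    def add_node(self, node, parent=None, custom_for_app=None):
        if parent is not None and parent not in self.parent:
            raise KeyError(f"unknown parent {parent!r}")
        self.parent[node] = parent
        if custom_for_app is not None:
            # Custom nodes are non-global: only the creator's application may see them.
            self.owner_app[node] = custom_for_app

    def descendants(self, node):
        # Breadth-first walk; returns every node strictly below `node`.
        found, queue = set(), deque([node])
        while queue:
            cur = queue.popleft()
            for child, par in self.parent.items():
                if par == cur and child not in found:
                    found.add(child)
                    queue.append(child)
        return found

    def visible_to(self, app):
        # Base nodes are global; custom nodes are filtered by owning application.
        return {n for n in self.parent if self.owner_app.get(n, app) == app}

    def admin_tree(self, app, view_nodes):
        # What the application rights administrator may browse: the configured
        # organization view plus the custom nodes of its own application.
        own_custom = {n for n, a in self.owner_app.items() if a == app}
        return (set(view_nodes) & self.visible_to(app)) | own_custom


def data_scope(tree, app, grants):
    """Resolve organization grants to the set of organizations whose data is viewable.

    `grants` is an iterable of (org, scope): scope "current" means only that level,
    "subtree" means that level and everything below it (the default described above).
    """
    allowed = set()
    for org, scope in grants:
        allowed.add(org)
        if scope == "subtree":
            allowed |= tree.descendants(org)
        elif scope != "current":
            raise ValueError(f"unknown scope {scope!r}")
    # Never expose nodes the querying application is not allowed to see.
    return allowed & tree.visible_to(app)


def build_sample():
    """Constructed sample: a group with two regions, a project, a stage and one
    custom node created by the application 'eng'."""
    t = OrgTree()
    t.add_node("group")
    t.add_node("region_a", "group")
    t.add_node("region_b", "group")
    t.add_node("project_1", "region_a")
    t.add_node("stage_1", "project_1")
    t.add_node("proj1_team", "project_1", custom_for_app="eng")
    return t
```

With the sample tree, a "subtree" grant on region_a resolves to the whole branch for 'eng' but omits the custom node proj1_team for 'crm', a "current" grant resolves to region_a alone, and admin_tree shows that a view configured for 'crm' cannot smuggle in another application's custom node.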
2. Attribute list
The attributes of the user entity are shown in table 2 below.
Table 2 user entity attribute list
[Table 2 is embedded as an image in the original (figures BDA0003267185270000071 and BDA0003267185270000081) and was not extracted.]
3. Data integration
The data integration mode of the user-defined organization nodes in the basic organization management architecture is manual input.
(IV) Application system
1. Description of the entity
The application system is a new entity in the authority service of the invention. The embodiment of the invention creates an application system entity for each actual application system. The application system entity plays an isolation role: it isolates entity information such as roles, menus, custom objects and custom organization nodes between the actual application systems. The application system itself does not take part in authorization actions. For each application system, the rights service platform automatically creates a built-in role (the application system rights management role, see the "Roles" section below).
2. Attribute list
The attributes of the application system entity are shown in table 3 below.
Table 3 Application system entity attribute list
[Table 3 is embedded as an image in the original (figures BDA0003267185270000082 and BDA0003267185270000091) and was not extracted.]
3. Data integration
The data integration mode of the application system entity is manual input.
(V) Menu
1. Description of entities
The menu entity belongs to the application system entity, namely, a menu directory is configured under a certain application system entity, and the menu entities configured under different application systems are mutually isolated; the menu entity is an authorization object of the role entity in the rights service, and further, the menu can be granted only to the role.
2. Attribute list
The attributes of the menu entity are shown in table 4 below.
Table 4 Menu entity attribute list
| Attribute name | Type | Required | Description |
| --- | --- | --- | --- |
| Application | String | Y | Associated application system entity |
| Parent menu | String | N | |
| Name | String | Y | |
| Link | String | N | |
| Icon | Link | N | |
| Sort order | Numeric | N | |
| Visible | String | Y | |
| Permission identifier | String | N | |
| Menu type | String | N | |
| Remarks | String | N | |
3. Data integration
The data integration mode of the menu entity is manual input and batch import.
(VI) roles
1. Description of entities
Optionally, the present invention does not support hierarchical roles; all authorizations are based on a single level of roles. The role entity is subordinate to the application system entity, that is, a role is configured under a certain application system, and the roles configured under different application systems are isolated from each other. There are two types of roles in the system:
(1) Built-in roles: created automatically by the system and not manually modifiable by users; for example, the application system authority management role is created automatically when an application system is newly added.
(2) Common roles: application roles created by an application rights administrator; such roles can be created and modified by the application rights administrator.
Authorization of menus by a role entity supports negative authorization.
2. Attribute list
The attributes of the role entities are shown in table 5 below.
Table 5 Role entity attribute list
| Attribute name | Type | Required | Description |
| --- | --- | --- | --- |
| Application | String | Y | Associated application system entity |
| Role name | String | Y | |
| Built-in | String | Y | Identifies whether the role is built-in |
| Remarks | String | N | |
3. Data integration
The data integration mode of the built-in role is automatic creation;
the data integration mode of common roles is manual input and batch import.
(VII) custom object
1. Description of entities
In order to support flexible and changeable authorization scenes of all application systems, the authority service of the invention is additionally provided with a custom object entity to allow all application systems to automatically add authorization objects, and the custom entities are subordinate to the application system entity and configured under the application systems, so that the custom entities configured under different application systems are mutually isolated. Optionally, the custom entity supports maintaining parent-child relationships, and the custom object set for a particular type may form an object tree through the parent-child relationships.
2. Attribute list
The attributes of the custom object entity are shown in table 6 below.
Table 6 Custom object entity attribute list
| Attribute name | Type | Required | Description |
| --- | --- | --- | --- |
| Application | String | Y | Associated application system entity |
| Object name | String | Y | |
| Object type | String | Y | |
| Parent object | String | N | |
| Remarks | String | N | |
3. Data integration
The data integration mode of the user-defined object entity is manual input and batch import.
(VIII) Position
1. Description of the entity
Some applications in the business domain have a position concept, that is, reporting lines between superiors and subordinates outside the organization hierarchy are realized through the position-level relationship, and the authority service reserves a position entity for such business-specific applications.
2. Attribute list
The attributes of the position entity are shown in table 7 below.
TABLE 7 Position entity attribute list
| Attribute name | Type | Required | Description |
| --- | --- | --- | --- |
| Application | Character string | Y | Associated application system entity |
| Position name | Character string | Y | |
| Parent position | Character string | N | |
| Remarks | Character string | N | |
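Both the custom object entity (section VII) and the position entity (this section) keep a parent-child relationship that is scoped to one application system. The following Python code is an added example, not code from the patent, showing the two checks such maintenance needs: a parent must belong to the same application system, and re-parenting must not create a cycle. The class and method names and the sample node names are assumptions for illustration.

```python
"""Added example (not from the patent): parent-child maintenance for
application-scoped entities such as custom objects and positions.
Class, method and sample names are assumptions for illustration."""


class ScopedTree:
    """Nodes belong to one application system entity; a parent must belong to
    the same application system, and the tree is kept acyclic."""

    def __init__(self):
        self._app = {}      # node id -> owning application system entity
        self._parent = {}   # node id -> parent node id, or None for a root

    def add(self, node, app, parent=None):
        if node in self._app:
            raise ValueError(f"duplicate node {node!r}")
        if parent is not None:
            if parent not in self._app:
                raise ValueError(f"unknown parent {parent!r}")
            if self._app[parent] != app:
                raise ValueError("parent belongs to another application system")
        self._app[node] = app
        self._parent[node] = parent

    def reparent(self, node, new_parent):
        """Moving a node under itself or one of its descendants would create a cycle."""
        if new_parent is not None:
            if self._app[new_parent] != self._app[node]:
                raise ValueError("parent belongs to another application system")
            if new_parent == node or node in self.ancestors(new_parent):
                raise ValueError("cycle: new parent is the node or one of its descendants")
        self._parent[node] = new_parent

    def ancestors(self, node):
        """Superior chain from the immediate parent up to the root."""
        chain = []
        cur = self._parent[node]
        while cur is not None:
            chain.append(cur)
            cur = self._parent[cur]
        return chain

    def subtree(self, node):
        """Subordinates: every node whose ancestor chain contains `node`."""
        return sorted(n for n in self._parent if node in self.ancestors(n))

    def visible_to(self, app):
        """Isolation: an application system only sees its own nodes."""
        return sorted(n for n, a in self._app.items() if a == app)
```

The same-application check on the parent is what keeps the object trees of different application systems from being joined into one, which is the isolation property the entity descriptions ask for.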
Referring to fig. 5, a functional architecture diagram of the rights service platform in an application scenario embodiment of the present invention is shown; it may specifically include the following functional modules:
Home page: displays statistical data within the authority scope of the logged-in user.
Service interface: provides the service interface that application systems integrate with.
Data integration: synchronizes authority data to each application system and monitors the integration state through the integration log.
User management: user lookup and maintenance (only external users can be maintained) and user authorization management, where user authorization means selecting a combination of four entity types at once: user, role, organization and custom object.
Organization management: organization lookup and maintenance (only custom organization nodes can be maintained), organization view configuration, and tree-structured browsing of the organization tree.
Application management: application system lookup and maintenance; the lookup page allows the entities associated with the application system to be viewed.
Menu management: menu lookup and maintenance, and menu authorization management.
Role management: role lookup and maintenance, and authorization management of menus and users, where user authorization again means selecting a combination of the four entity types user, role, organization and custom object.
Custom object management: custom object lookup and maintenance.
Position management: position lookup and maintenance, and position authorization management.
Parameter configuration: configuration of global system parameters, for example the cache expiration time.
Permission configuration: authority management over the pages and operations of the rights service itself.
Audit log: lookup of the audit log of system operations.
Cache management: lookup and clearing of cache entries; single-entry, multi-entry and full clearing are supported.
Referring to fig. 6, a schematic diagram of the deployment architecture of the rights service system of the present invention is shown, including:
a rights service management workbench (WEB SERVER), a service interface (API SERVER), a gateway (GATEWAY), a cache library (CACHE DATABASE), a metadata library and a synchronization service device (INFORMATICA); the metadata library further includes a metadata master library (META DATABASE MASTER) and a metadata slave library (META DATABASE SLAVE).
The metadata library is connected to the rights service management workbench, the synchronization service device is connected to the metadata library, the cache library is connected to the service interface and uses the service interface parameters as its key values, the service interface is connected to external application systems through the gateway, and both the cache library and the service interface are connected to the metadata library.
The function of each component is as follows:
WEB SERVER: the rights service management workbench, used for interface operations such as entity maintenance and user authorization management;
API SERVER: executes the rights service interface; deployed as multiple stateless instances;
GATEWAY: the gateway, carrying the load balancing and reverse proxy functions;
CACHE DATABASE: the cache library keyed by service interface parameters; two modes of cache entry invalidation are supported:
configured expiry time: expired entries are cleared automatically according to the configured expiry period;
manual entry clearing: entries can be cleared manually;
META DATABASE MASTER: the metadata master library, storing platform and application authority data;
META DATABASE SLAVE: the metadata backup library, which automatically synchronizes the change log of the master library;
INFORMATICA: the ETL synchronization service, which synchronizes authority data to the application system databases (APP DATABASE) according to the configured synchronization period.
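The CACHE DATABASE component above is keyed by service interface parameters and supports two invalidation modes (a configured expiry period and manual clearing), and the cache management module earlier in this description allows single-entry, multi-entry and full clearing. The following Python code is an added example, not code from the patent or its deployment, of such a cache: the key is a canonical form of the interface name plus its parameters, entries expire after a configurable period, and entries can be removed one at a time, in batches, or all at once. The class and function names, the injectable clock and the sample parameters are assumptions for illustration.

```python
"""Added example (not from the patent): a cache keyed by canonicalised
service-interface parameters with a configured expiry period and manual
clearing of single, multiple or all entries. Names are assumptions."""
import json
import time


class ParamKeyedCache:
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds          # the "cache expiration time" global parameter
        self.clock = clock              # injectable so expiry can be tested deterministically
        self._entries = {}              # key -> (expires_at, cached value)

    @staticmethod
    def key_for(interface, params):
        # Canonicalise the parameters (sorted keys, fixed separators) so the same
        # logical request maps to one entry regardless of argument order, and
        # prefix the interface name so different endpoints can never collide.
        return interface + "|" + json.dumps(params, sort_keys=True, separators=(",", ":"))

    def get(self, interface, params):
        key = self.key_for(interface, params)
        hit = self._entries.get(key)
        if hit is None:
            return None
        expires_at, value = hit
        if self.clock() >= expires_at:  # mode 1: expired entries are dropped on access
            del self._entries[key]
            return None
        return value

    def put(self, interface, params, value):
        key = self.key_for(interface, params)
        self._entries[key] = (self.clock() + self.ttl, value)
        return key

    def clear(self, keys):
        """Mode 2: manual clearing of one or several entries; returns the number removed."""
        removed = 0
        for key in keys:
            if self._entries.pop(key, None) is not None:
                removed += 1
        return removed

    def clear_all(self):
        """Mode 2, full clearing; returns the number of entries removed."""
        count = len(self._entries)
        self._entries.clear()
        return count

    def size(self):
        return len(self._entries)


def lookup_with_cache(cache, interface, params, backend):
    """Read-through helper: the backend (the metadata library in the deployment)
    is consulted only on a miss, and its answer is stored under the canonical key."""
    value = cache.get(interface, params)
    if value is None:
        value = backend(params)
        cache.put(interface, params, value)
    return value
```

The manual mode matters for correctness of revocation: after a grant is removed through the management workbench, the affected entries stay valid until the expiry period elapses unless they are cleared explicitly, so the clearing operation belongs in the same workflow as the authorization change.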
The invention also provides a rights service method, which includes the following steps:
S1, acquiring an application system entity, where the application system entity is created correspondingly for an actual application system and serves as the isolation boundary;
S2, acquiring the role entities configured under the application system entity, where the role entities are authorization objects of the application system entity and belong to it, and role entities configured under different application system entities are isolated from one another;
S3, acquiring an organization entity, where the organization entity is formed by merging the management architecture, projects and/or phases, adopts a tree structure and includes organization nodes and organization views;
S4, acquiring a user entity, where the user entity is the authorization object of a role entity in the rights service;
and S5, performing user authorization, where user authorization is completed by simultaneously selecting the user entity, the role entity and the organization entity.
Optionally, the method further includes:
S6, acquiring a menu entity; the menu entity is an authorization object of the role entity in the rights service; the menu entity belongs to the application system entity, and menu entities configured under different application system entities are isolated from one another;
S7, acquiring a custom object entity; the custom object entity is an authorization object of the application system entity and belongs to it; custom object entities configured under different application system entities are isolated from one another;
S8, acquiring a position entity; the position entity is an authorization object of the application system entity and belongs to it; position entities configured under different application system entities are isolated from one another.
Optionally, the user entity includes internal users and external users; internal users come from the unified user management system, and their basic information may not be created or modified in the rights service platform; external users are entered manually, and their basic information may be created and modified in the rights service platform;
the organization nodes include non-global custom organization nodes; a custom organization node belongs to the application system entity of its creator, and other application system entities have no right to view it; the organization views are views from different perspectives generated from one or more subsets of the organization entity;
the role entities include built-in roles and common roles; built-in roles are created automatically when an application system entity is added and include the application system rights manager role, of which exactly one is created automatically under each application system entity; common roles are created by an application rights manager, which is a user entity authorized with the system rights manager role.
Optionally, the method further includes: providing a service interface of an external application system; and synchronizing the authority data to an external application system, and monitoring the integration state through the integration log.
It should be noted that, the execution sequence of each step in the above method is not limited.
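The steps S1 to S8 and the entity rules above (built-in role created with each application system, roles and menus scoped to one application system, a grant that exists only as the user/role/organization triple, and organization scope following the tree) can be made concrete in code. The following Python is an added example, not code from the patent: a small in-memory authority service whose access decision checks the role's application system, the menu carried by the role, and whether the requested organization node lies inside the granted node's subtree. All class, method and sample names (application systems, menus, organization nodes) are assumptions for illustration.

```python
"""Added example, not code from the patent: an in-memory model of the entities
and the (user, role, organization) grant described in steps S1 to S8.
All class, method and sample names are assumptions for illustration."""
from dataclasses import dataclass

APP_RIGHTS_MANAGER = "application rights manager"   # built-in role name (assumed)


@dataclass(frozen=True)
class Role:
    app: str            # owning application system entity: the isolation boundary
    name: str
    built_in: bool = False


@dataclass(frozen=True)
class User:
    user_id: str
    internal: bool      # internal users come from the unified user management system


class AuthorityService:
    def __init__(self, org_parent):
        # org_parent: organization node -> parent node (None for the root). The
        # organization tree merges management architecture, projects and phases.
        self.org_parent = dict(org_parent)
        self.apps = set()
        self.roles = {}           # (app, role name) -> Role
        self.users = {}           # user id -> User
        self.menus = {}           # app -> set of menu names configured under it
        self.role_menus = {}      # Role -> set of menu names it is authorized for
        self.grants = []          # list of (user id, Role, organization node)

    def add_application(self, app):
        """S1: create the application system entity; the built-in application
        rights manager role is created automatically under it."""
        self.apps.add(app)
        self.menus.setdefault(app, set())
        role = Role(app, APP_RIGHTS_MANAGER, built_in=True)
        self.roles[(app, role.name)] = role
        return role

    def add_role(self, app, name):
        """S2: a common role is configured under exactly one application entity."""
        if app not in self.apps:
            raise ValueError(f"unknown application system {app!r}")
        role = Role(app, name)
        self.roles[(app, name)] = role
        return role

    def add_menu(self, app, menu):
        """S6: menus are likewise configured under one application entity."""
        self.menus[app].add(menu)

    def assign_menu(self, role, menu):
        """A role may only be authorized for menus of its own application system;
        a menu configured under another application is invisible to it."""
        if menu not in self.menus.get(role.app, ()):
            raise ValueError(f"menu {menu!r} is not configured under {role.app!r}")
        self.role_menus.setdefault(role, set()).add(menu)

    def add_user(self, user):
        """S4: register a user entity (internal or external)."""
        self.users[user.user_id] = user

    def authorize(self, user_id, role, org):
        """S5: a grant exists only as the full triple; every element must be a
        registered entity, and the role must be registered under its application."""
        if user_id not in self.users:
            raise ValueError(f"unknown user {user_id!r}")
        if self.roles.get((role.app, role.name)) != role:
            raise ValueError("role is not registered under its application system")
        if org not in self.org_parent:
            raise ValueError(f"unknown organization node {org!r}")
        self.grants.append((user_id, role, org))

    def _in_scope(self, node, granted):
        # A grant on an organization node covers that node and its whole subtree.
        while node is not None:
            if node == granted:
                return True
            node = self.org_parent.get(node)
        return False

    def can_access(self, user_id, app, menu, org):
        """Decision: the user holds, for this application system, a role that carries
        the menu, and the requested organization node lies inside the grant's scope."""
        for uid, role, granted_org in self.grants:
            if uid != user_id or role.app != app:
                continue
            if menu in self.role_menus.get(role, ()) and self._in_scope(org, granted_org):
                return True
        return False
```

The decision deliberately keys on the role's application system rather than on the role name alone, so two application systems that both define a role called "auditor" never see each other's menus; this is the per-application isolation the entity descriptions repeat for roles, menus, custom objects and positions.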
The technical solution of the present invention is explained in detail by the specific embodiments above. In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to the related descriptions of other embodiments.
It should be understood that the above embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same. The technical solutions described in the above embodiments can be modified or part of the technical features can be equivalently replaced by those skilled in the art; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the spirit and the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A rights service platform, comprising an application management module, a role management module, an organization management module and a user management module;
the application management module is used for managing an application system entity; the application system entity is correspondingly established aiming at the actual application system and plays an isolation role;
the role management module is used for managing role entities and providing a user authorization function; the role entity is an authorized object of the application system entity, belongs to the application system entity, and is isolated from the role entities configured under different application system entities;
an organization management module for managing organization entities; the organization entity is composed of a management architecture, projects and/or stages, adopts a tree structure and comprises organization nodes and an organization view;
the user management module is used for managing a user entity and providing a user authorization function, wherein the user entity is an authorization object of a role entity in the authority service;
wherein the user authorization is performed by simultaneously selecting the user entity, the role entity and the organization entity.
2. The rights service platform of claim 1, further comprising a menu management module, a custom object management module and a position management module;
the menu management module is used for managing a menu entity; the menu entity is an authorized object of the role entity in the authority service; the menu entity belongs to the application system entity, and the menu entities configured under different application system entities are mutually isolated;
the custom object management module is used for managing a custom object entity; the custom object entity is an authorized object of the application system entity and belongs to the application system entity; the custom object entities configured under different application system entities are isolated from each other;
the position management module is used for managing position entities; the position entity is an authorized object of the application system entity and belongs to the application system entity; the job entities configured under different application system entities are isolated from each other.
3. The rights service platform of claim 1,
the user entity comprises an internal user and an external user; the internal user is from the unified user management system, and the basic information of the internal user is not allowed to be created and modified in the authority service platform; the external user is manually input, and the basic information of the external user is allowed to be created and modified in the authority service platform;
the organization nodes comprise non-global self-defined organization nodes, the self-defined organization nodes belong to the application system entity to which the creator belongs, and other application system entities have no right to view; the organizational view comprises views of different perspectives generated based on one or more subsets of the organizational entities;
the role entities comprise built-in roles and common roles, the built-in roles are automatically created when application system entities are newly added, the built-in roles comprise application system authority management roles, and one application system authority management role is automatically created under each application system entity; the common role is created by an application rights manager, which is a user entity authorized by the system rights manager role.
4. The rights service platform of claim 1, further comprising a service interface module and a data integration module;
the service interface module is used for providing a service interface of an external application system;
and the data integration module is used for synchronizing the authority data to an external application system and monitoring the integration state through the integration log.
5. A rights service method, comprising:
acquiring an application system entity, wherein the application system entity is correspondingly established aiming at an actual application system and plays an isolation role;
acquiring role entities configured under application system entities, wherein the role entities are authorization objects of the application system entities and belong to the application system entities, and the role entities configured under different application system entities are mutually isolated;
acquiring an organization entity, wherein the organization entity is formed by merging a management framework, projects and/or phases, adopts a tree structure and comprises organization nodes and an organization view;
acquiring a user entity, wherein the user entity is an authorized object of a role entity in the authority service;
and performing user authorization, wherein the user authorization is completed by simultaneously selecting the user entity, the role entity and the organization entity.
6. The rights service method of claim 5, further comprising:
acquiring a menu entity; the menu entity is an authorized object of the role entity in the authority service; the menu entity belongs to the application system entity, and the menu entities configured under different application system entities are mutually isolated;
acquiring a custom object entity; the custom object entity is an authorized object of the application system entity and belongs to the application system entity; the custom object entities configured under different application system entities are isolated from each other;
acquiring a position entity; the position entity is an authorized object of the application system entity and belongs to the application system entity; the job entities configured under different application system entities are isolated from each other.
7. The rights service method of claim 5,
the user entity comprises an internal user and an external user; the internal user is from the unified user management system, and the basic information of the internal user is not allowed to be created and modified in the authority service platform; the external user is manually input, and the basic information of the external user is allowed to be created and modified in the authority service platform;
the organization nodes comprise non-global self-defined organization nodes, the self-defined organization nodes belong to the application system entity to which the creator belongs, and other application system entities have no right to view; the organizational view comprises views of different perspectives generated based on one or more subsets of the organizational entities;
the role entities comprise built-in roles and common roles, the built-in roles are automatically created when application system entities are newly added, the built-in roles comprise application system authority management roles, and one application system authority management role is automatically created under each application system entity; the common role is created by an application rights manager, which is a user entity authorized by the system rights manager role.
8. The rights service method of claim 5, further comprising:
providing a service interface of an external application system;
and synchronizing the authority data to an external application system, and monitoring the integration state through the integration log.
9. A rights service platform comprising a processor and a memory, the memory storing a program comprising computer-executable instructions; when the program is executed by the computer device, the processor executes the computer-executable instructions stored in the memory to cause the computer device to perform the rights service method of any one of claims 5 to 8.
10. A rights service system, comprising:
a rights service management workbench, a service interface, a gateway, a cache library, a metadata library and a synchronization service device; the metadata library is connected with the rights service management workbench, the synchronization service device is connected with the metadata library, the cache library is connected with the service interface and uses the service interface parameters as key values, the service interface is connected with an external application system through the gateway, and the cache library and the service interface are connected with the metadata library;
when the rights service system is operating, the rights service method of any of claims 5-8 is performed.
CN202111090353.1A 2021-09-17 2021-09-17 Authority service platform, method and system Pending CN113935063A (en)

Publications (1)

Publication Number Publication Date
CN113935063A true CN113935063A (en) 2022-01-14

Family

ID=79275953

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination