TWI356352B - Authority management system applied for several in - Google Patents


Info

Publication number
TWI356352B
Authority
TW
Taiwan
Prior art keywords
rights
interface
rights management
electrically connected
module
Prior art date
Application number
TW96140173A
Other languages
Chinese (zh)
Other versions
TW200919340A (en)
Inventor
Ing Yi Chen
Original Assignee
Univ Nat Taipei Technology
Priority date
Filing date
Publication date
Application filed by Univ Nat Taipei Technology
Priority to TW96140173A
Publication of TW200919340A
Application granted
Publication of TWI356352B

Description

IX. Description of the invention:

[Technical field of the invention]

The invention relates to a rights management system and, in particular, to a rights management system that can manage and update the rights of information systems in a single sign-on environment.

[Prior art]

With the rapid development of information technology and the spread of information systems, all kinds of information systems have been developed. The problem that follows is that each information system may have its own accounts, so users must remember many sets of account names and passwords at the same time, which has a considerable impact on managers and users alike. In addition, once a manager or user accidentally forgets these accounts or passwords, the management and maintenance of each information system becomes a heavy burden.

Both academia and industry have therefore invested a large amount of research and development resources in single sign-on (SSO) platforms. Current single sign-on platforms fall mainly into the following categories: enterprise single sign-on (enterprise SSO) platforms, web single sign-on (Web SSO) platforms and federated single sign-on (federated SSO) platforms.

The enterprise single sign-on platform is used to manage automatic login to client/server systems and to applications inside the enterprise. Related vendors include Citrix System, Computer Associates and Novell, among others.

The web single sign-on platform is used to handle sign-on for networks and corporate websites. Related vendors include Computer Associates and Tivoli, among others.

These platforms mainly aim to solve single sign-on within an independent security domain. The federated single sign-on platform aims to solve single sign-on across heterogeneous security domains. Related vendors include Computer Associates, IBM Tivoli, Netegrity and RSA Security.

Outside industry, many experts and scholars in academia also study single sign-on mechanisms, for example in mobile computing environments, among other settings. Some scholars also focus their research on independent security domains and federated security domains.

For a single sign-on system to run smoothly, many account management and rights management problems still have to be solved within the system. A single sign-on system must therefore have a unified store of user accounts and must be able to pass the appropriate account name and password to each back-end information system in order to achieve automatic login.

Besides unified account management, there is the management of user groups. In some systems the authorization level being managed is access to a website. In other systems access rights are managed down to each web page or system function. If the system cannot manage user groups consistently, a website may already have been opened for access while the back-end information system has not updated the user's group relationships, and the rights diverge.

As the number of information systems gradually increases, user authorization grows with it. For example, within a single company, a change affecting staff positions can cause a considerable number of rights changes.

Although some patents in the prior art disclose rights management for enterprise organizations and user authorization management for current systems, the development of account management platforms and single sign-on platforms still does not provide an effective mechanism for managing rights assignment between systems in a single sign-on environment.

The invention therefore provides a rights management system to solve the above problems.

[Summary of the invention]

After a group relationship changes, the changed relationship can be reflected through group synchronization to the single sign-on system or to the other information systems, and the manager is given a management interface for rights assignment.

Considering the integration of the group data of the single sign-on system and of the information systems, and the timeliness of changes, the invention proposes a rights management system that can be applied in a single sign-on environment.

One embodiment of the invention is a rights management system. The rights management system is connected to a plurality of information systems. Each information system stores a set of existing rights settings. The rights management system includes a login module, a process module and an update module. A manager can log in to the rights management system through the login module and provide a rights assignment request. The process module generates a rights management process according to the rights assignment request. The update module updates at least one set of existing rights settings among the existing rights settings according to the rights management process.

Compared with the prior art, the rights management system according to the invention helps keep rights consistent and lowers the cost of maintaining the individual information systems.

The advantages and spirit of the invention can be further understood from the following detailed description and the accompanying drawings.

[Embodiments]

One embodiment of the invention is a rights management system. Figure 1 shows a functional block diagram of the rights management system. The rights management system is connected to a plurality of information systems. In the example shown in Figure 1, each information system stores a set of existing rights settings. The rights management system 10 includes a login module 11, a process module 12 and an update module 13. A manager can log in to the rights management system 10 through the login module 11 and provide a rights assignment request. The process module 12 generates a rights management process according to the rights assignment request. The update module 13 updates at least one set of existing rights settings among the existing rights settings according to the rights management process.

The rights management system 10 can further include a storage module 14. The storage module 14 is electrically connected to the login module 11, the process module 12 and the update module 13, and stores the rights assignment request and the rights management process.

As shown in Figure 3, the storage module 14 can further include a rights management database 31, a group mapping database 32, a process definition database 33 and an execution log database 34. The rights management database 31 stores the rights assignment request. The group mapping database 32 stores a mapping setting. The process definition database 33 stores a process definition. The execution log database 34 stores the execution log.

The mapping setting is stored in the group mapping database 32, and the data in the group mapping database is made available to the rights update execution programs 27.

The process definition is a language that describes the order in which a process is executed, and the rights management process can be expressed according to it as a formal model in executable form. It can be written in a process definition language. In other words, the process definition can be used to describe the order in which the rights management system 10 executes a process.

Each information system connected to the rights management system 10 can include a group database. The group database stores that system's set of existing rights settings. The group database can be in an LDAP (Lightweight Directory Access Protocol) environment or a relational database environment, for example a Directory Server, Microsoft Active Directory, Lotus Domino Name and Address Book or IBM's SecureWay Directory Server. As shown in Figure 3, information system 1, information system 2 and information system 3 include group database 4, group database 5 and group database 6 respectively.

The set of existing rights settings can be a user group. A user group consists of a collection of users, and one user can belong to several groups at the same time. Each user group classifies users according to a general characteristic (for example, job responsibilities). By setting resource access policies, the manager defines which roles are allowed to use particular system resources. Through the management interface provided, the manager then associates resource access policies with roles. A role can contain several groups, and the authorization levels are built up through this layered linking. When a user's rights change, the user can therefore be moved to the appropriate group to adjust the user's access rights.

In practice, the login module 11 can further include a login interface 15, a rights management unit 16, a mapping management unit 17, a process management unit 18, a schedule setting unit 19 and a log management unit 20, as shown in the drawings. The manager can log in to the rights management system 10 through the login interface 15 and provide a set of rights settings. The rights management unit 16 is electrically connected to the login interface 15 and generates the rights assignment request according to the set of rights settings. The mapping management unit 17 is electrically connected to the login interface 15 and manages a mapping setting related to information systems 1, 2 and 3. The process management unit 18 is electrically connected to the login interface 15 and manages the process definition related to information systems 1, 2 and 3. The schedule setting unit 19 is electrically connected to the login interface 15 and sets a schedule related to information systems 1, 2 and 3. The log management unit 20 is electrically connected to the login interface 15 and manages a log related to information systems 1, 2 and 3.

In practice, the mapping setting can represent a mapping relationship between different groups or a mapping relationship between different information systems.

As shown in the drawings, the process module 12 can further include a rights management event processing unit 21, a rights management process service interface 22, a rights management process execution engine 23, a synchronous process recording unit 24 and a synchronous process monitoring unit 25. The rights management process execution engine 23 generates an execution instruction according to the schedule. The rights management event processing unit 21 is electrically connected to the rights management unit 16 and the rights management process execution engine 23, and receives and processes the rights assignment request. The rights management process service interface 22 is a network service interface electrically connected to the rights management process execution engine 23, and receives and responds to the rights assignment request according to a SOAP protocol.

In addition, the process module of the rights management system 10 is service-oriented and can monitor and record the processes being executed. The synchronous process recording unit 24 is electrically connected to the rights management process execution engine 23 and synchronously records an execution log of the rights management process. The synchronous process monitoring unit 25 is electrically connected to the rights management process execution engine 23 and synchronously monitors an execution state of the rights management process.

The execution results of the rights management process are recorded in the log for later review and tracking. The synchronous process recording unit 24 mainly provides the execution log, which can record message processing execution logs, message send and receive logs, success records and call failure records.

In practice, the update module 13 can further include a service receiving interface 26, a plurality of rights update execution programs 27 and a rights synchronization core component 28. The service receiving interface 26 is electrically connected to the rights management process execution engine 23 and receives the execution instruction. The rights synchronization core component 28 is electrically connected to the rights update execution programs 27 and supports them.

Each rights update execution program 27 can further include a synchronization service interface 29 and a data transfer interface 30. The synchronization service interface 29 is electrically connected to the service receiving interface 26 and transmits the rights assignment request over a network service connection. The data transfer interface 30 is electrically connected to the synchronization service interface 29 and transfers the data to the corresponding information system.

In practice, the data transfer interface 30 can be a JNDI (Java naming and directory interface) or a JDBC (Java data base connectivity) interface.

For example, suppose the rights management system 10 operates in a single sign-on environment and is connected to information system 1, information system 2 and information system 3. A manager can log in to the rights management system 10 by entering the correct account name and password in the login interface 15 of the login module 11. A rights assignment request is then generated according to the set of rights settings the manager provides, for example to increase the rights of user A. The manager can also manage the mapping settings and process definitions and set the schedule.

The rights management event processing unit 21 receives and processes the rights assignment request. The rights management process service interface 22 receives and responds to the rights assignment request according to the SOAP protocol. The rights management process execution engine 23 generates the execution instruction according to the schedule produced in the login module 11. The three rights update execution programs 27 in the update module 13 correspond to information systems 1, 2 and 3. Suppose the manager wants to update the rights settings of information system 1: the rights update execution program 27 that corresponds to information system 1 carries out the update of the rights settings of information system 1. Within that rights update execution program, the synchronization service interface 29 can transmit the rights assignment request over a network service connection, and the data transfer interface 30 can transfer the data to the group database of information system 1.

In another example, suppose the synchronous update process for rights assignment is changed from updating the group databases of three information systems to updating the group databases of four information systems. When the redesigned rights management process service interface 22 is executed, each component that needs to call for a group database update communicates with the rights management process execution engine 23. After the rights management process execution engine receives the instruction, it calls each component responsible for synchronization. In this way, when the rights management system 10 is connected to additional information systems beyond the three originally connected, the synchronous update process can be adjusted through the process module 12.

The preferred embodiment described above is not intended to limit the scope of the invention. On the contrary, the intention is to cover the various changes and equivalent arrangements within the scope of the patent claims of the invention.

[Brief description of the drawings]

Figure 1 is a functional block diagram of a rights management system according to one embodiment of the invention.
Figure 2 is a functional block diagram in which the rights management system shown in Figure 1 further includes a storage module.
Figure 3 is a detailed functional block diagram of the rights management system shown in Figure 2.

[Description of main reference numerals]

1 to 3: information systems
4 to 6: group databases
10, 10': rights management system
11: login module
12: process module
13: update module
14: storage module
15: login interface
16: rights management unit
17: mapping management unit
18: process management unit
19: schedule setting unit
20: log management unit
21: rights management event processing unit
22: rights management process service interface
23: rights management process execution engine
24: synchronous process recording unit
25: synchronous process monitoring unit
26: service receiving interface
27: rights update execution program
28: rights synchronization core component
29: synchronization service interface
30: data transfer interface
31: rights management database
32: group mapping database
33: process definition database
34: execution log database
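The description above motivates the system with rights divergence between back-end systems and describes one rights assignment request being applied to each information system through a group mapping, with every outcome written to an execution log. The Python sketch below is an added illustration of that flow and of a divergence check a reviewer could run over the group databases; it is not code from the patent. The class names, group names, the `reachable` flag and the sample data are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class InformationSystem:
    """Stand-in for one back-end system and its group database (assumed model)."""
    name: str
    groups: dict                      # local group name -> set of user ids
    reachable: bool = True

    def apply(self, action, local_group, user):
        if not self.reachable:
            raise ConnectionError(f"{self.name} is unreachable")
        members = self.groups[local_group]   # KeyError if the mapping is stale
        if action == "add":
            members.add(user)
        elif action == "remove":
            members.discard(user)
        else:
            raise ValueError(f"unknown action {action!r}")


@dataclass
class AssignmentRequest:
    action: str        # "add" or "remove"
    user: str
    sso_group: str     # group name as known on the single sign-on side


@dataclass
class PermissionFlow:
    systems: dict                     # system name -> InformationSystem
    group_mapping: dict               # sso group -> {system name: local group}
    execution_log: list = field(default_factory=list)

    def run(self, request, only=None):
        """Apply the request to every mapped system and log each outcome.

        `only` restricts the run to some system names (used for retries).
        Returns the names of the systems where the update failed.
        """
        failed = []
        for sys_name, local_group in self.group_mapping[request.sso_group].items():
            if only is not None and sys_name not in only:
                continue
            try:
                self.systems[sys_name].apply(request.action, local_group, request.user)
                outcome = "success"
            except (ConnectionError, KeyError) as exc:
                outcome = f"failure: {exc}"
                failed.append(sys_name)
            self.execution_log.append((sys_name, request.action, request.user, outcome))
        return failed

    def divergence(self, sso_group):
        """Users whose membership differs between the mapped systems.

        Returns {user: sorted list of systems where the user is missing}.
        """
        memberships = {
            sys_name: self.systems[sys_name].groups.get(local_group, set())
            for sys_name, local_group in self.group_mapping[sso_group].items()
        }
        everyone = set().union(*memberships.values())
        report = {}
        for user in sorted(everyone):
            missing = sorted(s for s, m in memberships.items() if user not in m)
            if missing:
                report[user] = missing
        return report


def build_demo():
    """Constructed sample data: three systems whose groups are named differently."""
    systems = {
        "system1": InformationSystem("system1", {"fin_staff": {"bob"}}),
        "system2": InformationSystem("system2", {"accounting": {"bob"}}),
        "system3": InformationSystem("system3", {"G-FIN": {"bob"}}, reachable=False),
    }
    mapping = {"finance": {"system1": "fin_staff",
                           "system2": "accounting",
                           "system3": "G-FIN"}}
    return PermissionFlow(systems, mapping)


if __name__ == "__main__":
    flow = build_demo()
    request = AssignmentRequest("add", "alice", "finance")
    failed = flow.run(request)                    # system3 is down in the sample
    print("failed:", failed)
    print("divergence:", flow.divergence("finance"))
    flow.systems["system3"].reachable = True
    flow.run(request, only=failed)                # retry only what failed
    print("after retry:", flow.divergence("finance"))
```

A failed update leaves the user present in some group databases and absent from others, which is exactly the divergence the execution log and the check are there to surface.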

Claims (1)

Scope of the patent claims (amended replacement page dated August 23, year 100, ROC calendar):

1. An inter-system rights management system for a single sign-on environment, the rights management system being connected to a plurality of information systems, each information system storing a set of existing rights settings, the rights management system comprising:
   a login module, through which a manager can log in to the rights management system and provide a rights assignment request, manage a process definition related to the plurality of information systems, and set a schedule related to the plurality of information systems;
   a process module, electrically connected to the login module, for generating a rights management process according to the rights assignment request, wherein the process definition is a language describing a process execution order and the rights management process can be expressed according to the process definition as a model in executable process form, the process module further comprising:
      a rights management process execution engine, for generating an execution instruction according to the schedule;
      a rights management event processing unit, electrically connected to the login module and the rights management process execution engine;
      a rights management process service interface, being a network service interface electrically connected to the rights management process execution engine, for receiving and responding to the rights assignment request according to a SOAP protocol;
      a synchronous process recording unit, electrically connected to the rights management process execution engine, for synchronously recording an execution log of the rights management process; and
      a synchronous process monitoring unit, electrically connected to the rights management process execution engine, for synchronously monitoring an execution state of the rights management process; and
   an update module, electrically connected to the process module, for updating at least one set of existing rights settings among the plurality of sets of existing rights settings according to the rights management process, wherein the manager can log in to the rights management system through the login module and provide a set of rights settings, the login module generates the rights assignment request according to the set of rights settings, and the rights management event processing unit receives and processes the rights assignment request, the update module further comprising:
      a service receiving interface, electrically connected to the rights management process execution engine, for receiving the execution instruction;
      a plurality of rights update execution programs, electrically connected to the service receiving interface, each rights update execution program corresponding to one of the information systems and updating that information system's set of existing rights settings according to the execution instruction; and
      a rights update core component, electrically connected to the plurality of rights update execution programs, for supporting the rights update execution programs.

2. The rights management system of claim 1, wherein the login module further comprises:
   a login interface, through which the manager can log in to the rights management system and provide the set of rights settings;
   a rights management unit, electrically connected to the login interface, for generating the rights assignment request according to the set of rights settings;
   a mapping management unit, electrically connected to the login interface, for managing a mapping setting related to the plurality of information systems;
   a process management unit, electrically connected to the login interface, for managing the process definition related to the plurality of information systems;
   a schedule setting unit, electrically connected to the login interface, for setting the schedule related to the plurality of information systems; and
   a log management unit, electrically connected to the login interface, for managing a log related to the plurality of information systems.

3. The rights management system of claim 2, wherein the mapping setting represents a mapping relationship between different groups or a mapping relationship between different information systems.

4. The rights management system as claimed above, wherein each rights update execution program further comprises:
   a synchronization service interface, electrically connected to the service receiving interface, for transmitting the rights assignment request over a network service connection; and
   a data transfer interface, electrically connected to the synchronization service interface, for transferring data to the information system.

5. The rights management system of claim 4, wherein the data transfer interface is a JNDI (Java naming and directory interface) or a JDBC (Java data base connectivity) interface.

6. The rights management system of claim 1, further comprising a storage module, electrically connected to the login module, the process module and the update module, for storing the rights assignment request and the rights management process.

7. The rights management system of claim 6, wherein the storage module further comprises:
   a rights management database, for storing the rights assignment request;
   a group mapping database, for storing a mapping setting;
   a process definition database, for storing a process definition; and
   an execution log database, for storing an execution log.

8. The rights management system of claim 1, wherein the group databases of the information systems are in an LDAP environment or a relational database environment.
TW96140173A 2007-10-26 2007-10-26 Authority management system applied for several in TWI356352B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW96140173A TWI356352B (en) 2007-10-26 2007-10-26 Authority management system applied for several in

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW96140173A TWI356352B (en) 2007-10-26 2007-10-26 Authority management system applied for several in

Publications (2)

Publication Number Publication Date
TW200919340A (en) 2009-05-01
TWI356352B (en) 2012-01-11

Family

ID=44727088

Family Applications (1)

Application Number Title Priority Date Filing Date
TW96140173A TWI356352B (en) 2007-10-26 2007-10-26 Authority management system applied for several in

Country Status (1)

Country Link
TW (1) TWI356352B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI561035B (en) * 2013-08-12 2016-12-01 Chunghwa Telecom Co Ltd Dynamic dispatching business operations in heterogeneous systems
TWI582634B (en) * 2014-12-22 2017-05-11 華碩電腦股份有限公司 Cross-account notification method and electronic device

Also Published As

Publication number Publication date
TW200919340A (en) 2009-05-01

Similar Documents

Publication Publication Date Title
US11140176B2 (en) Distributed topology enabler for identity manager
US8763145B2 (en) Cloud system, license management method for cloud service
CN102947797B (en) The online service using directory feature extending transversely accesses and controls
US9960979B1 (en) Data migration service
CN105144186B (en) Enterprise's application and setting on limiting device
CN107003886A (en) The management that application of the trustship directory service to catalogue is accessed
CN108108223A (en) Container Management platform based on Kubernetes
EP2706700A1 (en) Computer account management system and implementation method thereof
US20080162707A1 (en) Time Based Permissioning
US20030084104A1 (en) System and method for remote storage and retrieval of data
CN102082821B (en) Method and system for safely accessing cross-resource pool resources based on federal center
CN103180842A (en) Cloud computing system and data synchronization method therefor
CN109327546A (en) A kind of method, client, MES and electronic equipment accessing ftp server
WO2014134824A1 (en) Deployment and information interaction method for common client-orientated multi-enterprise cloud folders
CN110247758A (en) The method, apparatus and code management device of Password Management
CN110636057A (en) Application access method and device and computer readable storage medium
CN108123938A (en) A kind of AAA service implementing methods and system
TWI356352B (en) Authority management system applied for several in
CN103136350B (en) Method for allowing a plurality of applications to run on system platform and device thereof
CN115396229B (en) Cross-domain resource isolation sharing system based on blockchain
CN113840013B (en) Document system for hierarchical management
US20100222022A1 (en) Communication method, communication system and access method to service provider base
KR20040106619A (en) Patent management system and the method for enterprise
US9092397B1 (en) Development server with hot standby capabilities
Huang et al. Research on Single Sign-on Technology for Educational Administration Information Service Platform

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees