1356352

IX. Description of the invention:

[Technical field to which the invention pertains]

The present invention relates to a rights management system, and in particular to a rights management system that can manage and update the permissions of information systems in a single sign-on environment.

[Prior art]

With the rapid development of information technology and the spread of information systems, a wide variety of information systems have been developed one after another. The problem that follows is that, since every information system may have its own account and password, users must remember many sets of accounts and passwords at the same time, which has a considerable impact on both daily use and administration. In addition, if a user accidentally forgets one of these accounts or passwords, it easily becomes a heavy burden on the management and maintenance of each information system.

For this reason, both academia and industry have invested a great deal of research and development effort in single sign-on (SSO) platforms. Current single sign-on platforms fall mainly into the following categories: enterprise SSO platforms, Web SSO platforms and federated SSO platforms. Enterprise SSO platforms are used to manage automatic login to client/server systems and applications inside the enterprise; related vendors include Citrix Systems, Computer Associates, Novell and others. Web SSO platforms are used to handle external networks and corporate web sites; related vendors include Netegrity, Computer Associates and Tivoli.
Enterprise and Web SSO platforms mainly aim to solve single sign-on within an independent security domain, whereas federated SSO platforms aim to solve single sign-on across heterogeneous security domains; related vendors include Computer Associates, IBM Tivoli, Netegrity and RSA Security. In addition, many experts and scholars in academia have studied single sign-on mechanisms, for example in mobile computing or home environments, and some have focused their research on single sign-on for independent security domains and for federated security domains.

However, for a single sign-on system to run smoothly, many account management and rights management problems still have to be solved. A single sign-on system must therefore maintain a unified set of user accounts, and must be able to deliver the appropriate account and password to each back-end information system in order to achieve automatic login.

Beyond unified account management, the authorization level managed by a single sign-on system concerns access rights to web sites, whereas a general information system manages access down to each web page or system function. If the two systems cannot manage user groups consistently, the single sign-on system may have opened web site access while the back-end information system has not yet reflected the user's group relationships, so that permissions diverge.

As information systems are added one after another, the burden of user authorization management grows with them. For a company, for example, staff changes such as joining, leaving or transfers cause a considerable number of permission changes. Although some prior patents disclose rights management for enterprise organizations, the development of account management platforms and single sign-on platforms still does not provide an effective inter-system rights assignment management mechanism for a single sign-on environment. The present invention therefore provides a rights management system to solve the above problems.

[Summary of the invention]

The present invention proposes a rights management system that can be applied in a single sign-on environment. It gives the administrator a management interface for rights assignment, and when the group data of the single sign-on system or the groups of an information system change, the changed relationships can be reflected promptly to the single sign-on system or to the information systems through group synchronization.

A specific embodiment of the present invention is a rights management system connected to a plurality of information systems, each of which stores a respective set of existing permission settings. The rights management system includes a login module, a process module and an update module. An administrator can log in to the rights management system through the login module and provide a rights assignment request. The process module generates a rights management process according to the rights assignment request. The update module updates at least one of the sets of existing permission settings according to the rights management process.

Compared with the prior art, the rights management system according to the present invention lowers the cost of keeping the permission settings of the various information systems consistent. The advantages and spirit of the present invention can be further understood from the following detailed description and the accompanying drawings.

[Detailed description of the embodiments]

Please refer to Figure 1, which is a functional block diagram of a rights management system 10 according to a specific embodiment of the present invention. The rights management system 10 is connected to a plurality of information systems; in the example of Figure 1 it is connected to information systems 1, 2 and 3, each of which stores a set of existing permission settings. The rights management system 10 includes a login module 11, a process module 12 and an update module 13. An administrator can log in to the rights management system 10 through the login module 11 and provide a rights assignment request. The process module 12 generates a rights management process according to the rights assignment request, and the update module 13 updates at least one of the sets of existing permission settings according to that process.

As shown in Figure 2, the rights management system 10 may further include a storage module 14, electrically connected to the login module 11, the process module 12 and the update module 13, which stores the rights assignment request and the rights management process.

More specifically, as shown in Figure 3, the storage module 14 may further include a rights management database 31, a group mapping database 32, a process definition database 33 and an execution log database 34. The rights management database 31 stores the rights management data. The group mapping database 32 stores the mapping settings, and this mapping data is provided to the rights update execution programs 27. The process definition database 33 stores the process definitions, and the execution log database 34 stores the execution log. A process definition may be a formal model describing a process
in an executable form, written in a process definition language. That is to say, the process definition describes the order in which the rights management system 10 executes the process.

Each information system connected to the rights management system 10 may include a group database, which stores that system's set of existing permission settings. The group database may reside in an LDAP (Lightweight Directory Access Protocol) environment or in a relational database environment, for example Microsoft Active Directory, the Lotus Domino Name and Address Book, IBM SecureWay Directory Server or another directory server. As shown in Figure 3, information system 1, information system 2 and information system 3 include group database 4, group database 5 and group database 6 respectively.

A set of existing permission settings may be a user group. A user group is a collection of users, and one user may belong to several groups at the same time. Each user group classifies users by a general characteristic, for example job duties and responsibilities. The administrator defines a resource access policy that states which roles may use particular system resources, and then links the resource access policy to roles through the management interface provided by the rights management system. A role may contain several groups, and through this layered linking mechanism the policy reaches the users. Consequently, when a user's permissions change, the user is moved up or down to the appropriate group to adjust his or her access rights.

In practice, the login module 11 may further include a login interface 15, a rights management unit 16, a mapping management unit 17, a process management unit 18, a schedule setting unit 19 and a log management unit 20, as shown in Figure 3. The administrator logs in to the rights management system 10 through the login interface 15. The rights management unit 16 is electrically connected to the login interface 15 and manages a set of permission settings. The mapping management unit 17 is electrically connected to the login interface 15 and manages a mapping setting. The process management unit 18 is electrically connected to the login interface 15 and manages the process definitions related to information systems 1, 2 and 3. The schedule setting unit 19 is electrically connected to the login interface 15 and sets a schedule related to information systems 1, 2 and 3. The log management unit 20 is electrically connected to the login interface 15 and manages a log related to information systems 1, 2 and 3. In practice, the mapping setting may represent the mapping relationships between different groups, or other mapping relationships.

As shown in Figure 3, the process module 12 may further include a rights management event processing unit 21, a rights management process service interface 22, a rights management process execution engine 23, a synchronization process recording unit 24 and a synchronization process monitoring unit 25. The rights management process execution engine 23 generates an execution instruction according to the schedule. The rights management event processing unit 21 is electrically connected to the rights management unit 16 and to the rights management process execution engine 23, and receives and processes the rights assignment request. The rights management process service interface 22 is a web service interface electrically connected to the rights management process execution engine 23, and receives and responds to the rights assignment request according to the SOAP protocol.

In addition, the process execution engine of the rights management system 10 is a service-oriented process engine, and the processes being executed can be monitored and recorded. The synchronization process recording unit 24 is electrically connected to the rights management process execution engine 23 and synchronously records an execution log of the rights management process; the synchronization process monitoring unit 25 is electrically connected to the rights management process execution engine 23 and synchronously monitors the execution state of the rights management process. The execution results of the rights management process are written to the execution log so that they can be inspected and traced later. The execution log kept by the synchronization process recording unit 24 may record message processing execution logs, message send and receive logs, call success records and call failure records.
In practice, the update module 13 may further include a service receiving interface 26, a plurality of rights update execution programs 27 and a rights synchronization core component 28. The service receiving interface 26 is electrically connected to the rights management process execution engine 23 and to the rights update execution programs 27, and the rights synchronization core component 28 supports the rights update execution programs 27.

Each rights update execution program 27 may further include a synchronization service interface 29 and a data transfer interface 30. The synchronization service interface 29 is electrically connected to the service receiving interface 26 and transmits the rights update through a web service link. The data transfer interface 30 is electrically connected to the synchronization service interface 29 and transfers the data to the corresponding information system. In practice, the data transfer interface 30 may be a JNDI (Java Naming and Directory Interface) or a JDBC (Java Database Connectivity) interface.

For example, suppose the rights management system 10 operates in a single sign-on environment and is connected to information systems 1, 2 and 3. An administrator logs in to the rights management system 10 through the login interface 15 of the login module 11 with a correct account and password. The rights management unit 16 then produces a set of permission settings according to the settings the administrator provides, for example the permissions of a user A. When the administrator adds a user or changes group membership, the rights management event processing unit 21 receives and processes the resulting rights assignment request, and the rights management process service interface 22 receives and responds to it according to the SOAP protocol. The rights management process execution engine 23 then generates an execution instruction according to the schedule set in the login module 11. The three rights update execution programs 27 in the update module 13 correspond to information systems 1, 2 and 3. If the administrator wants to update the permissions of information system 1, the rights update execution program 27 for information system 1 performs the update of group database 4 of information system 1: its synchronization service interface 29 transmits the update through the web service link, and its data transfer interface 30 transfers the data to the group database of information system 1.

In another example, suppose the synchronous update process for rights assignment is changed from updating the group databases of two information systems to updating the group databases of four. When the redesigned process is put into effect, the rights management process service interface 22 communicates with the rights management process execution engine 23 for every group database that must be called and updated, and once the rights management process execution engine has received the instruction it calls each rights update execution program 27 responsible for synchronization. In other words, when further information systems are connected in addition to the three originally connected, the synchronous update process in the rights management system 10 can be adjusted through the process module 12.

Compared with the prior art, the rights management system according to the present invention provides a mechanism for managing and updating the permissions of information systems in a single sign-on environment. The invention has been described above with reference to specific embodiments, and the disclosure is not intended to limit the invention to them; on the contrary, it is intended to cover the various changes and equivalent arrangements that fall within the scope of the claims of the present invention.

[Brief description of the drawings]

Figure 1 is a functional block diagram of a rights management system according to a specific embodiment of the present invention.

Figure 2 is a functional block diagram of the rights management system shown in Figure 1, further including a storage module.

Figure 3 is a detailed functional block diagram of the rights management system shown in Figure 2.

[Description of main component symbols]

1~3: information systems
4~6: group databases
10, 10': rights management system
11: login module
12: process module
13: update module
14: storage module
15: login interface
16: rights management unit
17: mapping management unit
18: process management unit
19: schedule setting unit
20: log management unit
21: rights management event processing unit
22: rights management process service interface
23: rights management process execution engine
24: synchronization process recording unit
25: synchronization process monitoring unit
26: service receiving interface
27: rights update execution program
28: rights synchronization core component
29: synchronization service interface
30: data transfer interface
31: rights management database
32: group mapping database
33: process definition database
34: execution log database