CN101739526A - Service system-oriented and oriented object-based rights management method - Google Patents


Info

Publication number: CN101739526A
Authority: CN (China)
Prior art keywords: function, target system, role, service, add
Legal status: Granted
Application number: CN200910242553A
Other languages: Chinese (zh)
Other versions: CN101739526B (en)
Inventor: 马传峰
Current assignee: Beijing Jiaxun Feihong Electrical Co Ltd
Original assignee: Beijing Jiaxun Feihong Electrical Co Ltd
Application filed by Beijing Jiaxun Feihong Electrical Co Ltd
Priority to CN2009102425537A (CN101739526B)
Publication of CN101739526A
Application granted
Publication of CN101739526B
Current legal status: Expired - Fee Related

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a service-system-oriented, object-based rights management method in the technical field of computer security. The method comprises the steps of: identifying the functions of an operational system in the form of services; abstracting and organizing the exposed service functions in an object-oriented form; taking each service function as a rights management object; and encapsulating the operations, attributes and data range contained in the function inside that object, so that the object serves as the atomic-level rights management unit. By analysing scenes, different views are abstracted and used as object-level authorization templates. At authorization time, whether a service has been assigned to the user determines whether the function is visible to that user, and authorizing the object-level rights management units within each authorization template gives the application developer a more complete rights management mechanism. This reduces the complexity and administrative cost of authorization management, flexibly supports enterprise security policies, and adapts well to change within the enterprise.

Description

Service-system-oriented, object-oriented rights management method
Technical field
The present invention relates to the field of computer security technology, and in particular to a service-system-oriented, object-oriented rights management method.
Background art
At present there are two main approaches to rights management:
1. service-oriented rights management;
2. role-based rights management.
In the first approach, the open business functions are exposed as software services with published, discoverable interfaces that other applications can use, and user rights are managed through those services. The second approach manages rights through the user-role-function relation: a role is introduced as an intermediate layer between users and function items, each role is assigned operating rights on function items, and the system assigns the corresponding users to each role, thereby achieving the management of operating rights. Both approaches provide application developers with a complete rights management mechanism, but their management of rights on a single function is coarse: when the same function must be managed differently across many scenes, both have limitations, which increases the complexity of authorization management and prevents enterprise security policies from being supported flexibly.
Summary of the invention
The object of the invention is to solve the problems of current rights management described in the background art above by proposing a service-system-oriented, object-oriented rights management method.
The method is characterized by the following steps:
1) identify the functions of the target system and store them, classified by function, in the target system database;
2) identify the attributes contained in each function of the target system and store them in the target system database;
3) add a role table to the target system database, and add a role function module to the target system;
4) add correspondence tables to the target system database;
5) add an authorization module to the target system;
6) add a user rights management common module to the target system;
7) perform the authorization operation for each role, and after authorization is finished save the information in the above correspondence tables.
In an object-oriented way, the method takes each function of the target system as a permission object and encapsulates the function's operation, attribute and data range information inside that permission object as the atomic-level rights management unit, as shown in Fig. 1.
According to the different scenes, authorization templates for the different views are generated at the object level; when a role is authorized, each authorization template corresponding to that role is authorized in turn.
The invention gives application developers a more complete rights management mechanism, reduces the complexity of authorization management and its administrative overhead, supports enterprise security policies flexibly, and adapts well to change within the enterprise.
Description of drawings
Fig. 1: overall architecture;
Fig. 2: structure of the service table stored in the target system database;
Fig. 3: structure of the function table stored in the target system database;
Fig. 4: structure of the operation table stored in the target system database;
Fig. 5: structure of the attribute table stored in the target system database;
Fig. 6: structure of the view table stored in the target system database;
Fig. 7: structure of the data range table stored in the target system database;
Fig. 8: structure of the role table stored in the target system database;
Fig. 9: structure of the role-function correspondence table stored in the target system database;
Fig. 10: structure of the role-operation correspondence table stored in the target system database;
Fig. 11: structure of the role-attribute correspondence table stored in the target system database;
Fig. 12: structure of the role-user correspondence table stored in the target system database;
Fig. 13: structure of the role-data range correspondence table stored in the target system database.
Embodiment
The preferred embodiment is described in detail below with reference to the drawings. It should be emphasized that the following description is only exemplary and is not intended to limit the scope or application of the invention.
Step 1: identify the services of the target system and the functions they contain, and at the same time create in the target system database the basic data the model requires:
store the services of the target system in the target system database service table, whose structure is shown in Fig. 2;
store the functions of the target system in the target system database function table, whose structure is shown in Fig. 3.
Step 2: identify the attributes contained in each function of the target system, namely the input controls and buttons in the function's interface, and at the same time create in the target system database the basic data the model requires:
store the buttons contained in each function's interface in the target system database operation table, whose structure is shown in Fig. 4;
store the input controls contained in each function's interface in the target system database attribute table, whose structure is shown in Fig. 5;
store the scenes contained in each function in the target system database view table, whose structure is shown in Fig. 6;
store the data display range of each scene in the target system database data range table, whose structure is shown in Fig. 7.
Step 3: add a role table to the target system database, and add a role function module to the target system. Role information of the target system is stored in the target system database role table, whose structure is shown in Fig. 8. The authorization function of the role function module authorizes operations and attributes for each role, and its add-user function adds users to each role.
Step 4: add correspondence tables to the target system database:
determine the role-function correspondence and store it in the target system database role-function correspondence table, whose structure is shown in Fig. 9;
determine the role-operation correspondence and store it in the target system database role-operation correspondence table, whose structure is shown in Fig. 10;
determine the role-attribute correspondence and store it in the target system database role-attribute correspondence table, whose structure is shown in Fig. 11;
determine the role-user correspondence and store it in the target system database role-user correspondence table, whose structure is shown in Fig. 12;
determine the role-data range correspondence and store it in the target system database role-data range correspondence table, whose structure is shown in Fig. 13.
Step 5: add an authorization module to the target system for managing the authorization of each role. In the authorization management interface the functions of the target system are shown as a tree, which makes authorization convenient for the user. Its authorization operations comprise:
1. authorizing the visibility of the buttons contained in a function interface; the authorization modes are: visible, invisible;
2. authorizing the input rights of the input controls contained in a function interface; the authorization has four modes: hidden, read-only, full operation, default;
3. authorizing the data range, i.e. the user's right to view a range of data; the authorization method is to add a data filter condition for the role.
Step 6: add the user rights management common module to the target system, and identify within the target system the modules that are subject to authority control. Using AOP, define an aspect for the identified function modules, and add an authority control method to the AOP model. This method does the following:
1. obtain the user's function ID and scene information from the user session;
2. obtain the view corresponding to that function ID and scene information;
3. from the view, return the atomic-level authority control unit settings defined for that view, generate the authority control script and return it to the function module;
4. the function module reorganizes each element of the function interface according to the authority script returned by the AOP, and returns the new function interface to the operating user, thereby achieving authority management and control.
Step 7: log in to the target system, enter the rights management module and perform authorization for the target system; when authorization is finished, click save, and the user data is stored in the respective mapping tables.
After a user logs in to the target system, the target system presents the services that the user may use according to the role and function information in the correspondence tables. When a function is selected, the corresponding view is called according to the scene the user is in; using the identifier of that view, the relevant information is obtained from the role-operation correspondence table, the role-attribute correspondence table and the data range correspondence table, reorganized and presented to the user, thereby achieving the management of rights.
The above is only a preferred embodiment of the invention, and the scope of protection of the invention is not limited to it; any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the invention should fall within the scope of protection of the invention. The scope of protection of the invention should therefore be determined by the scope of protection of the claims.
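As an added illustration (not code from the patent or its assignee), the atomic-level rights units, the per-scene views and the Step 6 authority-control method above, modelled in Python. Every table row, role, user, function and scene name below is constructed sample data standing in for the tables of Figs. 2 to 13, and treating an entry that is missing from a correspondence table as not granted is this example's own assumption.

```python
# Added illustration, not the patent's own code: the atomic-level rights units
# (buttons, input controls, data range) of one function, the per-scene views, and
# the Step 6 authority-control method that turns (user, function, scene) into a
# control script for the function module. All rows below are constructed sample
# data standing in for the tables of Figs. 2-13; an entry missing from a
# correspondence table is treated as "not granted" (this example's assumption).

VISIBLE, INVISIBLE = "visible", "invisible"                   # button modes (Step 5, item 1)
HIDDEN, READ_ONLY, FULL, DEFAULT = "hidden", "read-only", "full", "default"  # input modes (item 2)

# Basic data of Steps 1-2 (service, function, operation, attribute, view tables).
FUNCTIONS = {"F1": {"service": "S1", "name": "order approval"}}
OPERATIONS = {"F1": ["approve", "reject", "export"]}           # buttons of F1's interface
ATTRIBUTES = {"F1": ["amount", "customer", "comment"]}         # input controls of F1
VIEWS = {("F1", "branch"): "V1", ("F1", "headquarters"): "V2"}  # (function, scene) -> view

# Correspondence tables of Step 4, as filled in by the Step 5/7 authorization.
ROLE_USER = {"alice": "clerk", "bob": "manager", "dave": "auditor"}
ROLE_FUNCTION = {"clerk": {"F1"}, "manager": {"F1"}, "auditor": set()}
ROLE_OPERATION = {                                             # (role, view) -> button mode
    ("clerk", "V1"): {"export": VISIBLE},
    ("manager", "V1"): {"approve": VISIBLE, "reject": VISIBLE, "export": VISIBLE},
    ("manager", "V2"): {"approve": VISIBLE, "reject": VISIBLE},
}
ROLE_ATTRIBUTE = {                                             # (role, view) -> control mode
    ("clerk", "V1"): {"amount": READ_ONLY, "customer": READ_ONLY, "comment": FULL},
    ("manager", "V1"): {"amount": FULL, "customer": DEFAULT, "comment": FULL},
    ("manager", "V2"): {"amount": READ_ONLY, "customer": READ_ONLY, "comment": READ_ONLY},
}
ROLE_DATA_RANGE = {("clerk", "V1"): "region = :user_region"}   # data filter per (role, view)


def authority_script(user, function_id, scene):
    """Step 6: resolve the session's role and view, then emit the control script
    for each atomic-level unit. Returns None when the function is not visible."""
    role = ROLE_USER.get(user)
    if (role is None or function_id not in FUNCTIONS
            or function_id not in ROLE_FUNCTION.get(role, set())):
        return None                         # service not distributed to this role
    view = VIEWS.get((function_id, scene))
    if view is None:
        return None                         # no authorization template for this scene
    ops = ROLE_OPERATION.get((role, view), {})
    attrs = ROLE_ATTRIBUTE.get((role, view), {})
    return {
        "view": view,
        "buttons": {b: ops.get(b, INVISIBLE) for b in OPERATIONS[function_id]},
        "controls": {a: attrs.get(a, HIDDEN) for a in ATTRIBUTES[function_id]},
        "data_filter": ROLE_DATA_RANGE.get((role, view)),
    }


def render_interface(script):
    """Step 6, item 4: the function module reorganizes its interface from the script,
    keeping only visible buttons and non-hidden controls, plus the data filter."""
    if script is None:
        return None
    return {
        "buttons": [b for b, mode in script["buttons"].items() if mode == VISIBLE],
        "controls": {a: mode for a, mode in script["controls"].items() if mode != HIDDEN},
        "data_filter": script["data_filter"],
    }


if __name__ == "__main__":
    print(render_interface(authority_script("alice", "F1", "branch")))
    print(render_interface(authority_script("bob", "F1", "headquarters")))
```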

Claims (8)

  1. A service-system-oriented, object-oriented rights management method, characterized by the following steps:
    1) identifying the functions of the target system and storing them, classified by function, in the target system database;
    2) identifying the attributes contained in each function of the target system and storing them in the target system database;
    3) adding a role table to the target system database, and adding a role function module to the target system;
    4) adding correspondence tables to the target system database;
    5) adding an authorization module to the target system;
    6) adding a user rights management common module to the target system;
    7) performing the authorization operation for each role, and after authorization is finished saving the information in the above correspondence tables;
    wherein, in an object-oriented way, the method takes each function of the target system as a permission object and encapsulates the function's operation, attribute and data range information inside that permission object as the atomic-level rights management unit;
    and according to the different scenes, authorization templates for the different views are generated at the object level; when a role is authorized, each authorization template corresponding to that role is authorized in turn.
  2. The service-system-oriented, object-oriented rights management method according to claim 1, characterized in that identifying the functions of the target system and storing them, classified by function, in the target system database comprises:
    1) identifying the services in the target system and storing them in the target system database service table;
    2) identifying the functions in the target system and storing them in the target system database function table.
  3. The service-system-oriented, object-oriented rights management method according to claim 1, characterized in that identifying the attributes contained in each function of the target system and storing them in the target system database comprises:
    1) identifying the buttons contained in the function interface of each function in the target system and storing them in the target system database operation table;
    2) identifying the input controls contained in the function interface of each function in the target system and storing them in the target system database attribute table;
    3) identifying the scenes of each function of the target system and storing them in the target system database view table;
    4) identifying the data display range of each scene in the target system and storing it in the target system database data range table.
  4. The service-system-oriented, object-oriented rights management method according to claim 1, characterized in that the role function module allows roles in the target system to be added, deleted and modified, and provides an authorization function and an add-user function for each role.
  5. The service-system-oriented, object-oriented rights management method according to claim 1, characterized in that adding correspondence tables to the target system database comprises:
    1) adding a role-function correspondence table, which stores the correspondence between roles and functions;
    2) adding a role-operation correspondence table, which stores the correspondence between roles and operations;
    3) adding a role-attribute correspondence table, which stores the correspondence between roles and attributes;
    4) adding a role-user correspondence table, which stores the correspondence between roles and users;
    5) adding a role-data range correspondence table, which stores the correspondence between roles and data ranges.
  6. The service-system-oriented, object-oriented rights management method according to claim 1, characterized in that the authorization module is used to implement the user rights authorization operation, which comprises open control of functions and the authorization operation on the attributes contained in a function.
  7. The service-system-oriented, object-oriented rights management method according to claim 6, characterized in that the operation interface of the user rights authorization operation is a tree structure.
  8. The service-system-oriented, object-oriented rights management method according to claim 1, characterized in that the user rights management common module is used to perform initialization control of interface controls according to user information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009102425537A CN101739526B (en) 2009-12-16 2009-12-16 Service system-oriented object-oriented-based authority management method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009102425537A CN101739526B (en) 2009-12-16 2009-12-16 Service system-oriented object-oriented-based authority management method

Publications (2)

Publication Number Publication Date
CN101739526A true CN101739526A (en) 2010-06-16
CN101739526B CN101739526B (en) 2012-04-18

Family

ID=42463000

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009102425537A Expired - Fee Related CN101739526B (en) 2009-12-16 2009-12-16 Service system-oriented object-oriented-based authority management method

Country Status (1)

Country Link
CN (1) CN101739526B (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102201935A (en) * 2011-05-13 2011-09-28 大唐移动通信设备有限公司 Access control method and device based on VIEW
CN102270218A (en) * 2010-06-04 2011-12-07 米特尔网络公司 Method and apparatus for sharing user service classes
CN103917976A (en) * 2011-09-07 2014-07-09 迈可菲公司 Computer system security dashboard
CN104217146A (en) * 2014-09-04 2014-12-17 浪潮通用软件有限公司 Access control method based on ABAC (Attribute Based Access Control) and RBAC (Role Based Access Control)
CN105005730A (en) * 2015-08-13 2015-10-28 杭州杉石科技有限公司 Authority design method based on APP (application)
CN105046119A (en) * 2015-08-13 2015-11-11 杭州杉石科技有限公司 Permission design system based on APP (Application)
CN105227551A (en) * 2015-09-24 2016-01-06 四川长虹电器股份有限公司 The uniform permission administration method of XBRL application platform
CN105278982A (en) * 2014-06-17 2016-01-27 耐点科技股份有限公司 Mobile communication device and server applied to ordering function for starting application program
CN106682487A (en) * 2016-11-04 2017-05-17 浙江蘑菇加电子商务有限公司 User authority management method and system
CN110113369A (en) * 2019-06-27 2019-08-09 无锡华云数据技术服务有限公司 A kind of method for authenticating of based role permission control
CN111814174A (en) * 2020-09-04 2020-10-23 平安国际智慧城市科技股份有限公司 Data access control method and device and computer equipment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100495422C (en) * 2006-11-09 2009-06-03 华为技术有限公司 Controlling method of business operations authority
CN101034990B (en) * 2007-02-14 2010-06-23 华为技术有限公司 Right management method and device
CN101499906A (en) * 2008-02-02 2009-08-05 厦门雅迅网络股份有限公司 Method for implementing subscriber authority management based on role function mapping table

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102270218A (en) * 2010-06-04 2011-12-07 米特尔网络公司 Method and apparatus for sharing user service classes
CN102201935B (en) * 2011-05-13 2013-11-06 大唐移动通信设备有限公司 Access control method and device based on VIEW
CN102201935A (en) * 2011-05-13 2011-09-28 大唐移动通信设备有限公司 Access control method and device based on VIEW
CN103917976A (en) * 2011-09-07 2014-07-09 迈可菲公司 Computer system security dashboard
US10031646B2 (en) 2011-09-07 2018-07-24 Mcafee, Llc Computer system security dashboard
CN103917976B (en) * 2011-09-07 2017-03-01 迈可菲公司 Computer system security instrument board
CN105278982A (en) * 2014-06-17 2016-01-27 耐点科技股份有限公司 Mobile communication device and server applied to ordering function for starting application program
CN104217146B (en) * 2014-09-04 2017-02-15 浪潮通用软件有限公司 Access control method based on ABAC (Attribute Based Access Control) and RBAC (Role Based Access Control)
CN104217146A (en) * 2014-09-04 2014-12-17 浪潮通用软件有限公司 Access control method based on ABAC (Attribute Based Access Control) and RBAC (Role Based Access Control)
CN105046119A (en) * 2015-08-13 2015-11-11 杭州杉石科技有限公司 Permission design system based on APP (Application)
CN105005730A (en) * 2015-08-13 2015-10-28 杭州杉石科技有限公司 Authority design method based on APP (application)
CN105227551A (en) * 2015-09-24 2016-01-06 四川长虹电器股份有限公司 The uniform permission administration method of XBRL application platform
CN106682487A (en) * 2016-11-04 2017-05-17 浙江蘑菇加电子商务有限公司 User authority management method and system
CN110113369A (en) * 2019-06-27 2019-08-09 无锡华云数据技术服务有限公司 A kind of method for authenticating of based role permission control
CN111814174A (en) * 2020-09-04 2020-10-23 平安国际智慧城市科技股份有限公司 Data access control method and device and computer equipment

Also Published As

Publication number Publication date
CN101739526B (en) 2012-04-18

Similar Documents

Publication Publication Date Title
CN101739526B (en) Service system-oriented object-oriented-based authority management method
CN110443010B (en) Authority visual configuration control method, device, terminal and storage medium in information system
US10230732B2 (en) Authorization policy objects sharable across applications, persistence model, and application-level decision-combining algorithm
CN104516777B (en) User interface management method and system
US20080141334A1 (en) Method and Apparatus for Dissociating Binding Information from Objects to Enable Proper Rights Management
CN100456311C (en) System and method for actualizing content-based file system security
CN113297550A (en) Authority control method, device, equipment, storage medium and program product
US8326874B2 (en) Model-based implied authorization
US7613726B1 (en) Framework for defining and implementing behaviors across and within content object types
CN104573478A (en) User authority management system of Web application
EP2405607A1 (en) Privilege management system and method based on object
CN103593602A (en) User authorization management method and system
EP2711860B1 (en) System and method for managing role based access control of users
AU2017217235B2 (en) Systems and methods for securing an entity-relationship system
WO2013109450A1 (en) Installation and management of client extensions
CN103150165A (en) Frame and method for building outdoor data acquisition program
CN112100658A (en) Medical system and authority management method thereof
US9158932B2 (en) Modeled authorization check implemented with UI framework
US20200233907A1 (en) Location-based file recommendations for managed devices
KR101504490B1 (en) Method for control of phonebook synchronization in device and device enabling the method
CN102446258B (en) Attachment authority type expansion method and device and system adopting same
Oh New role-based access control in ubiquitous e-business environment
CN109815714A (en) Authority control method, device and computer readable storage medium
US9754119B1 (en) Containerized security for managed content
CN115174177B (en) Rights management method, device, electronic apparatus, storage medium, and program product

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120418

Termination date: 20181216