CN101976314A - Access control method and system - Google Patents


Info

Publication number: CN101976314A
Authority: CN (China)
Prior art keywords: authority; application; mutually exclusive; exclusive privilege; mutex relation
Legal status: Granted (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN 201010289764
Other languages: Chinese (zh)
Other versions: CN101976314B (en)
Inventor: 郑芸
Current assignee: You Pu Information Technology Co., Ltd of UFSOFT (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Yonyou Software Co Ltd
Events: application filed by Yonyou Software Co Ltd; priority to CN 201010289764; publication of CN101976314A; application granted; publication of CN101976314B.
Legal status: active

Abstract

The invention provides an access control method comprising the following steps: receiving a permission application in step 102; in step 104, searching the running and already-applied-for permissions for a permission mutually exclusive with the applied-for permission, proceeding to step 108 when none is found and to step 106 when one is found; refusing the permission application in step 106; in step 108, adding the applied-for permission to the applied-for permissions and searching the running and already-applied-for permissions again for a permission mutually exclusive with it, proceeding to step 110 when none is found and to step 112 when one is found; confirming the success of the permission application in step 110; and, in step 112, deleting the applied-for permission from the applied-for permissions and refusing the permission application. The invention also provides an access control system. With the technical scheme of the invention, permission applications can be controlled dynamically and accurately.

Description

Authority control method and system
Technical field
The present invention relates to permission (authority) technology in information management systems, and in particular to a permission control method and system.
Background technology
Existing enterprise information systems generally involve user permission control for security reasons. A common permission system mainly solves the problem of "who" performs "what operation" on "what resource", i.e. the three elements user, role and functional resource. A common authorization system implements user permission management on the basis of a role-function mapping table: system functions are first coarsely divided into modules, each module is subdivided into sub-functions, and "module + sub-function" is defined as an authorizable functional object. Further, an incompatibility relation can be configured for authorizable objects and checked during authorization, so that permissions in a mutex relation cannot be granted to the same user or the same role, as in the management of functional resources described in the related art.
In a real operational system, however, describing only which user has permission to which resource is far from enough. It is also necessary to judge, when certain users exercise their permissions to perform certain operations, whether other users, even though they hold certain permissions, are prevented from accessing a resource because those functions are running. For example, while user A is logged in performing a system-level maintenance operation, no other user can log in to perform business operations. The original authorization system therefore has the following defects:
1. The layering of functional resources is too simple: either there is no layering, or the number of levels is fixed. In the related art, for example, the only levels added above resources are function and module.
2. Only static authorization information is considered: once a user has been granted a permission, other users' operations cannot affect this user's use of the authorized function, whereas in a real system the different applications and the operations of different clients do interact.
3. If functional incompatibility is controlled at the authorization stage, then once a function has been assigned, none of its mutually exclusive functions can be assigned any more, which seriously reduces the operational concurrency of the system.
A concurrency strategy is therefore needed, according to which the system judges dynamically, during operation, whether the function a user applies for is available.
Moreover, because mutual exclusion of operations must be controlled at run time, when multiple users apply for permissions at the same moment and the system does nothing about it, a concurrent-read problem arises: multiple users all apply successfully at once and the application result is wrong. A control mechanism is therefore also needed to control multi-user applications for mutually exclusive permissions.
Most existing systems currently perform this kind of operation through the database: a lock variable is taken out for the object to be controlled, lock control is applied to the lock object before each operation, the lock object is kept in the database, and the lock object is released from the database after execution, as handled in the related art. This approach has the following three defects:
1. The lock variable is still stored in the database, and concurrency control over the lock variable still relies on the database's lock mechanism.
2. Locking business logic objects by user cannot control the interaction when the same user operates from different clients.
3. Although there is a business logic object pool, it still supports only single-point mutual exclusion and cannot support set mutual exclusion, such as one business logic object being mutually exclusive with all other business logic objects.
Therefore a permission control approach is needed that avoids the problem of operations between different clients affecting each other, controls the mutual exclusion of operations at run time, and controls multi-user applications for mutually exclusive permissions.
Summary of the invention
The technical problem to be solved by the invention is to provide a permission control method and system that avoid operations between different clients affecting each other, control the mutual exclusion of operations at run time, and control multi-user applications for mutually exclusive permissions.
The invention provides a permission control method comprising:
Step 102: receive a permission application.
Step 104: search the running and already-applied-for permissions for a permission mutually exclusive with the applied-for permission; when one is found, proceed to step 106, otherwise proceed to step 108.
Step 106: refuse the permission application.
Step 108: add the applied-for permission to the applied-for permissions, and search the other running and already-applied-for permissions for a permission mutually exclusive with the applied-for permission; when none is found, proceed to step 110, otherwise proceed to step 112.
Step 110: confirm that the permission application succeeded and let the user use the applied-for permission.
Step 112: delete the applied-for permission from the applied-for permissions and refuse the permission application.
With this technical scheme, the permission application process is controlled dynamically through mutually exclusive permissions, the mutual influence of multi-user operations is taken into account, concurrent multi-user permission handling is avoided, and authorization efficiency is improved.
In the above technical scheme, preferably, the method further comprises step 101: formulating a mutex relation for each permission. In step 104 the mutually exclusive permission of the applied-for permission is searched for according to the mutex relation of each permission, and likewise in step 108. With this technical scheme, formulating a mutex relation for each permission allows each operation to be distinguished flexibly, suits different application scenarios, and is more user-friendly and intelligent.
In the above technical scheme, preferably, the mutex relation comprises: a permission ID identifying each permission; a mutually exclusive permission ID and a non-mutually-exclusive permission ID, where the permissions identified by the mutually exclusive permission ID, after removing the permissions identified by the non-mutually-exclusive permission ID, are the mutually exclusive permissions of each permission; and a mutex type, where the permissions corresponding to the mutex type also count as mutually exclusive permissions of each permission. With this technical scheme, mutex relations are classified and defined according to the characteristics of the actual business, which fits real applications better and standardizes the permission mutex relation; summarizing types according to business characteristics allows batch processing and improves permission application efficiency.
In the above technical scheme, preferably, in step 102 the applied-for permission is a final-stage permission, and in step 101 the permissions for which mutex relations are formulated are final-stage permissions.
In the above technical scheme, preferably, the running and already-applied-for permissions are recorded in a database. In step 108, when the applied-for permission is added to the applied-for permissions, it is recorded in the database using a row-level lock, and in step 112, when the applied-for permission is deleted from the applied-for permissions, it is deleted from the database using a row-level lock. With this technical scheme, multiple mutually exclusive tasks cannot be applied for at the same time; the row-level lock guarantees that operations on different rows are processed fully concurrently, so not all concurrent applications fail, and for large-scale, frequent permission applications the exclusiveness of permission application does not affect the efficiency of the whole business system.
In the above technical scheme, preferably, in step 102 a unique sequence number is assigned to the applied-for permission. In step 104 the mutually exclusive permission of the applied-for permission is searched for according to the unique sequence number, and likewise in step 108. With this technical scheme, the unique sequence number, as the unique identifier of the client, correctly distinguishes each operation and avoids the problems of the same client running multiple applications that have a mutex relation.
The invention also provides a permission control system comprising: a permission application receiving module, which receives a permission application; a first mutually exclusive permission search module, which searches the running and already-applied-for permissions for a permission mutually exclusive with the applied-for permission, refuses the permission application when one is found, and starts a second mutually exclusive permission search module when none is found; and the second mutually exclusive permission search module, which adds the applied-for permission to the applied-for permissions and searches the other running and already-applied-for permissions for a permission mutually exclusive with the applied-for permission; when none is found it confirms that the permission application succeeded and lets the user use the applied-for permission, and when one is found it deletes the applied-for permission from the applied-for permissions and refuses the permission application. With this technical scheme, the permission application process is controlled dynamically through mutually exclusive permissions, the mutual influence of multi-user operations is taken into account, concurrent multi-user permission handling is avoided, and authorization efficiency is improved.
In the above technical scheme, preferably, the system further comprises a mutex relation formulation module that formulates a mutex relation for each permission; the first mutually exclusive permission search module searches for the mutually exclusive permission of the applied-for permission according to the mutex relation of each permission, and so does the second mutually exclusive permission search module. With this technical scheme, formulating a mutex relation for each permission allows each operation to be distinguished flexibly, suits different application scenarios, and is more user-friendly and intelligent.
In the above technical scheme, preferably, the permission accepted by the permission application receiving module is a final-stage permission, and the permissions for which the mutex relation formulation module formulates mutex relations are final-stage permissions.
In the above technical scheme, preferably, the system further comprises a permission application processing module which, when the permission applied for by the user includes sub-permissions, processes the user's applied-for permission into one or more final-stage permissions.
With the above technical scheme, a permission control method and system can be realized in which permissions are controlled dynamically among the running and already-applied-for permissions: when a function in a mutex relation is running, the user cannot access this function. This increases the flexibility of authorization, saves database storage space and improves search efficiency.
Description of drawings
Fig. 1 is a processing flow chart of a permission control method according to an embodiment of the invention;
Fig. 2 is a block diagram of a permission control system according to an embodiment of the invention;
Fig. 3 is a schematic flow chart of a permission control method according to an embodiment of the invention; and
Fig. 4 is a schematic flow chart of a permission control method according to an embodiment of the invention.
Embodiment
The invention is further described in detail below with reference to the drawings and specific embodiments.
Many details are set forth in the following description for a full understanding of the invention; however, the invention can also be implemented in ways other than those described here, and it is therefore not limited to the specific embodiments disclosed below.
Fig. 1 is a processing flow chart of a permission control method according to an embodiment of the invention.
As shown in Figure 1, the invention provides a permission control method comprising:
Step 102: receive a permission application.
Step 104: search the running and already-applied-for permissions for a permission mutually exclusive with the applied-for permission; when one is found, proceed to step 106, otherwise proceed to step 108.
Step 106: refuse the permission application.
Step 108: add the applied-for permission to the applied-for permissions, and search the other running and already-applied-for permissions for a permission mutually exclusive with the applied-for permission; when none is found, proceed to step 110, otherwise proceed to step 112.
Step 110: confirm that the permission application succeeded and let the user use the applied-for permission.
Step 112: delete the applied-for permission from the applied-for permissions and refuse the permission application.
With this technical scheme, the permission application process is controlled dynamically through mutually exclusive permissions, the mutual influence of multi-user operations is taken into account, concurrent multi-user permission handling is avoided, and authorization efficiency is improved.
In the above technical scheme, the method further comprises step 101: formulating a mutex relation for each permission. In step 104 the mutually exclusive permission of the applied-for permission is searched for according to the mutex relation of each permission, and likewise in step 108. With this technical scheme, formulating a mutex relation for each permission allows each operation to be distinguished flexibly, suits different application scenarios, and is more user-friendly and intelligent.
In the above technical scheme, the mutex relation comprises: a permission ID identifying each permission; a mutually exclusive permission ID and a non-mutually-exclusive permission ID, where the permissions identified by the mutually exclusive permission ID, after removing the permissions identified by the non-mutually-exclusive permission ID, are the mutually exclusive permissions of each permission; and a mutex type, where the permissions corresponding to the mutex type also count as mutually exclusive permissions of each permission. With this technical scheme, mutex relations are classified and defined according to the characteristics of the actual business, which fits real applications better and standardizes the permission mutex relation; summarizing types according to business characteristics allows batch processing and improves permission application efficiency.
In the above technical scheme, in step 102 the applied-for permission is a final-stage permission, and in step 101 the permissions for which mutex relations are formulated are final-stage permissions.
In the above technical scheme, the running and already-applied-for permissions are recorded in a database. In step 108, when the applied-for permission is added to the applied-for permissions, it is recorded in the database using a row-level lock, and in step 112, when the applied-for permission is deleted from the applied-for permissions, it is deleted from the database using a row-level lock. With this technical scheme, multiple mutually exclusive tasks cannot be applied for at the same time; the row-level lock guarantees that operations on different rows are processed fully concurrently, so not all concurrent applications fail, and for large-scale, frequent permission applications the exclusiveness of permission application does not affect the efficiency of the whole business system.
In the above technical scheme, in step 102 a unique sequence number is assigned to the applied-for permission. In step 104 the mutually exclusive permission of the applied-for permission is searched for according to the unique sequence number, and likewise in step 108. With this technical scheme, the unique sequence number, as the unique identifier of the client, correctly distinguishes each operation and avoids the problems of the same client running multiple applications that have a mutex relation.
With the above technical scheme, a permission control method can be realized in which permissions are controlled dynamically among the running and already-applied-for permissions: when a function in a mutex relation is running, the user cannot access this function. This increases the flexibility of authorization, saves database storage space and improves search efficiency.
Fig. 2 is a block diagram of a permission control system according to an embodiment of the invention.
As shown in Figure 2, the invention also provides a permission control system 200 comprising: a permission application receiving module 202, which receives a permission application; a first mutually exclusive permission search module 204, which searches the running and already-applied-for permissions for a permission mutually exclusive with the applied-for permission, refuses the permission application when one is found, and starts a second mutually exclusive permission search module when none is found; and the second mutually exclusive permission search module 206, which adds the applied-for permission to the applied-for permissions and searches the other running and already-applied-for permissions for a permission mutually exclusive with the applied-for permission; when none is found it confirms that the permission application succeeded and lets the user use the applied-for permission, and when one is found it deletes the applied-for permission from the applied-for permissions and refuses the permission application. With this technical scheme, the permission application process is controlled dynamically through mutually exclusive permissions, the mutual influence of multi-user operations is taken into account, concurrent multi-user permission handling is avoided, and authorization efficiency is improved.
In the above technical scheme, the system further comprises a mutex relation formulation module that formulates a mutex relation for each permission; the first mutually exclusive permission search module searches for the mutually exclusive permission of the applied-for permission according to the mutex relation of each permission, and so does the second mutually exclusive permission search module. With this technical scheme, formulating a mutex relation for each permission allows each operation to be distinguished flexibly, suits different application scenarios, and is more user-friendly and intelligent.
In the above technical scheme, the permission accepted by the permission application receiving module is a final-stage permission, and the permissions for which the mutex relation formulation module formulates mutex relations are final-stage permissions.
In the above technical scheme, the system further comprises a permission application processing module which, when the permission applied for by the user includes sub-permissions, processes the user's applied-for permission into one or more final-stage permissions.
With the above technical scheme, a permission control system can be realized in which permissions are controlled dynamically among the running and already-applied-for permissions: when a function in a mutex relation is running, the user cannot access this function. This increases the flexibility of authorization, saves database storage space and improves search efficiency.
Fig. 3 is a schematic flow chart of a permission control method according to an embodiment of the invention.
As shown in Figure 3, in step 302 a permission tree is defined. System functions are first classified according to business features and stored according to the classification relation. The classification can follow the system's menu tree to obtain a multi-level classification (the granularity may differ: functions may first be divided into modules by business, and then all system functions divided by module, so that each function has exactly one corresponding module). A higher-level permission in the classification is required to include all of its subordinate permissions.
In step 304 mutex relations are formulated. According to the characteristics of the actual business, the mutex relations of these functions are defined; functions for which no relation is defined are treated by default as being in a shared relationship.
The permission storage format is {permission ID, parent permission ID, final stage (yes/no)}; with this storage format the permission hierarchy can be divided arbitrarily. When a user authorizes, selecting a parent permission automatically selects all of its sub-permissions, which makes authorization convenient: the finer the permission layering, the more convenient the authorization. In this format:
Parent permission ID: each permission has at most one direct parent permission, and a parent permission is the set of all its sub-permissions.
Final stage: if yes, this permission is a leaf node of the permission tree with no sub-permissions below it.
A mutex relation is defined as a four-tuple {permission ID, mutually exclusive permission ID, non-mutually-exclusive permission ID, mutex type}, where:
Permission ID: the function for which a mutex relation is to be defined; it must be a final-stage permission.
Mutually exclusive permission ID: the function mutually exclusive with the permission ID. If this permission is not a final-stage permission, all child permissions of this permission are mutually exclusive with the function. Once defined, the two functions (or function sets) cannot run in the system at the same time.
Non-mutually-exclusive permission ID: takes effect only when the defined mutually exclusive permission is not a final-stage permission. If the mutually exclusive permission ID is a parent permission, it represents a group of permissions; if a non-mutually-exclusive permission ID is defined within this group, then all permissions inside the mutually exclusive permission ID except the defined non-mutually-exclusive sub-permissions are mutually exclusive with the permission ID.
Mutex type: to standardize permission mutex rules, a mutex type is added in the system; custom types can be summarized according to the characteristics of the business system. The default is 0, denoting point-to-point mutual exclusion between permissions. For types concluded from business characteristics, these characteristics also need to be noted when recording the application task. For example, options in the general ledger module are controlled for mutual exclusion by year: as long as any function is running for the current year, the option application fails. The mutex type specification is given in a chart in the original document (image not reproduced here).
To better understand defining the permission tree and formulating mutex relations, an example follows.
Suppose GL201, GL202, GL203 and GL204 are final-stage permissions and GL20 is their parent permission, as shown in the chart.
Permission ID | Mutually exclusive permission ID | Non-mutually-exclusive permission ID | Mutex type
GL201         | GL204                            | NULL                                 | 0
GL202         | GL20                             | NULL                                 | 0
GL203         | GL20                             | GL204                                | 0
1) {GL201, GL204, NULL, 0}
Indicates that functions GL201 and GL204 are mutually exclusive, i.e. these two functions cannot execute at the same time.
2) {GL202, GL20, NULL, 0}
Indicates that GL202 is mutually exclusive with {GL201, GL202, GL203, GL204}.
3) {GL203, GL20, GL204, 0}
Indicates that GL203 is mutually exclusive with {GL201, GL202, GL203}.
Next the processing flow of permission control is described.
Step 306: after the mutex relations of the permissions have been specified, permission application begins.
Step 308: the search for mutually exclusive permissions begins, judging whether the user has permission to operate this function. Two conditions must be satisfied for the user to hold this permission; the first is that the permission has actually been granted to the user in the permission system.
Step 310: next it is judged whether a permission mutually exclusive with the currently applied-for permission is running. First the running and already-applied-for permissions in the database are searched for a mutually exclusive permission; when none is found, the currently applied-for permission is written to the database, and the database is searched for a mutually exclusive permission once more. This avoids the concurrent-read situation that may otherwise occur.
Step 312: if no mutually exclusive function is running, this permission application succeeds, and the permission operation is recorded in the database.
Step 314: the business operation is then carried out.
Step 316: confirm whether the business operation is finished.
Step 318: when the business operation is finished, the permission is released.
Step 320: if the mutual exclusion condition in step 310 is not satisfied, i.e. a mutually exclusive function is running, the business operation is stopped and the permission is applied for again, returning to step 306.
With the above technical scheme, mutex relations are classified and defined according to the characteristics of the actual business, which fits real applications better and standardizes the permission mutex relation; summarizing types according to business characteristics allows batch processing and improves permission application efficiency; the two judgements avoid the problem of concurrent multi-user operation, permissions are controlled and processed dynamically, and the flexibility of authorization is increased.
Fig. 4 is a schematic flow chart of the authority control method according to an embodiment of the invention.
As shown in Figure 4, in step 402 the mutual exclusion type, the mutually exclusive privilege set and the not-mutually-exclusive privilege set of the applied-for authority are obtained from the mutex table. For GL203, for example, the mutually exclusive set is {GL201, GL202, GL203} and the not-mutually-exclusive set is {GL204}.
A unique sequence number stationid is then generated for each client: the GUID plus the machine name is taken as the original value, hashed, and kept as the unique identifier of the client. Since the same client may run several applications, and mutual exclusion control is also needed between those applications, the IP address or operating-system-related information is deliberately not used to compute the unique sequence number. A unique sequence number taskid is also generated for the currently applied-for authority task, with the generation rule: the client's unique sequence number plus a random number generated with the time as seed. Any table-level lock is removed in this step.
In step 404, a query statement is executed on the authority application task table, using authid (the permission ID of the embodiment of Fig. 3), to judge whether a task exists whose authority is in the mutex set of authid but not in the non-exclusive set of authid; all query statements are executed with NOLOCK.
In step 406, if no such task exists, an insert statement is used to record userid (the user ID, that is, the user applying for the authority), authid, stationid and taskid in the database; only the row-level lock rowlock is permitted at this moment.
In step 408, after the data has been inserted into the database, the data in the database is read again and re-judged, any table-level lock being removed at this moment. In step 410, the query is repeated according to taskid and authid: whether a task exists whose authority is in the mutex set of authid but not in the non-exclusive set of authid, and whose taskid differs from this task's taskid. In step 412, if mutual exclusion is found, this means a concurrent read has occurred, that is, several mutually exclusive tasks were applied for at the same time; a delete statement is then executed to remove the record just inserted, and this operation is regarded as failed. This operation, too, may only use a row-level lock. If no mutual exclusion is found in step 410, the task application succeeds.
Handling the extreme case in this way may cause both concurrent applications to fail, but because table-level locks and shared locks have been removed and row-level locks are used explicitly for inserts and deletes, operations between rows are fully concurrent and query efficiency is very high; for large-scale, frequent authority applications, the efficiency of the whole business system is not affected by the exclusiveness of authority application.
Finally, after the user has finished the current operation, the successfully applied-for authority needs to be released, so that other users who need to use functions mutually exclusive with this function can begin their regular business in time. The release function only needs to delete the business lock.
In the authority application process, in order to prevent database locking from reducing concurrent processing efficiency, the database's automatic locking mechanism is abandoned and database transaction processing is removed; by lowering the isolation level and adding manual rollback compensation, the integrity of the business data is maintained, database deadlocks are avoided as far as possible, and concurrency is improved.
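The following is an added example, not the patent's own code, that implements the flow of steps 306 to 320 and 402 to 412 above on an in-memory SQLite table: the effective mutex set is derived from the mutex table (mutually exclusive IDs plus the mutex type's members, minus the not-mutually-exclusive IDs), an application is checked, inserted and re-checked, and a conflict found by the second check is compensated by manually deleting the row just inserted. The table schema, the mutex table entries other than the page's GL203 example, the stationid/taskid generation details and the race_hook test seam are assumptions. SQLite has no NOLOCK or rowlock hints, so the connection simply runs in autocommit mode, mirroring the removed transaction processing described above.

```python
"""Mutual-exclusion permission gate (added example, not the patent's code)."""
import hashlib
import os
import sqlite3
import time
import uuid
from typing import Callable, List, Optional, Set

# Constructed mutex table, one entry per authid:
#   (mutually exclusive ids, NOT mutually exclusive ids, mutex type or None).
# Effective mutex set = (mutex ids | members of the mutex type) - not-mutex ids.
MUTEX_TABLE = {
    "GL201": ({"GL202", "GL203"}, set(), None),
    "GL202": ({"GL201", "GL203"}, set(), None),
    "GL203": ({"GL201", "GL202", "GL203"}, {"GL204"}, "GL"),  # the page's example
    "GL204": (set(), set(), None),
}
TYPE_MEMBERS = {"GL": {"GL201", "GL202", "GL203", "GL204"}}  # constructed type


def mutex_set(authid: str) -> Set[str]:
    """Step 402: effective mutually exclusive privilege set of `authid`."""
    ids, not_ids, mtype = MUTEX_TABLE[authid]
    effective = set(ids) | (TYPE_MEMBERS[mtype] if mtype else set())
    return effective - set(not_ids)


# Autocommit connection: no database transactions, as the text describes.
DB = sqlite3.connect(":memory:", isolation_level=None)


def reset_store() -> None:
    """Recreate the 'applied and running' task table (constructed schema)."""
    DB.execute("DROP TABLE IF EXISTS task")
    DB.execute("CREATE TABLE task (taskid TEXT PRIMARY KEY, userid TEXT, "
               "authid TEXT, stationid TEXT)")


def station_id(machine_name: str) -> str:
    """Client identity: hash of a GUID plus the machine name (step 402)."""
    raw = (str(uuid.uuid4()) + machine_name).encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def task_id(stationid: str) -> str:
    """Task identity: station id plus a time-stamped random component (assumed form)."""
    return f"{stationid}-{int(time.time() * 1000)}-{os.urandom(4).hex()}"


def conflicting_tasks(authid: str, own_taskid: str = "") -> List[str]:
    """Tasks applied/running whose authid lies in the mutex set, other than our own."""
    mset = sorted(mutex_set(authid))
    if not mset:
        return []
    marks = ",".join("?" * len(mset))  # placeholders only; values are bound below
    rows = DB.execute(
        f"SELECT taskid FROM task WHERE authid IN ({marks}) AND taskid <> ?",
        (*mset, own_taskid),
    ).fetchall()
    return [r[0] for r in rows]


def apply_permission(userid: str, authid: str, stationid: str,
                     race_hook: Optional[Callable[[], None]] = None) -> Optional[str]:
    """Steps 104-112: check, insert, re-check. Returns the taskid, or None when refused.
    `race_hook` is a test seam run between the first check and the insert, to
    simulate another client acting concurrently (a concurrent read)."""
    if conflicting_tasks(authid):
        return None  # step 106: a mutually exclusive task is already running
    if race_hook:
        race_hook()
    tid = task_id(stationid)
    DB.execute("INSERT INTO task VALUES (?, ?, ?, ?)",
               (tid, userid, authid, stationid))  # step 108
    if conflicting_tasks(authid, own_taskid=tid):  # second judgement (step 410)
        DB.execute("DELETE FROM task WHERE taskid = ?", (tid,))  # step 112: manual rollback
        return None
    return tid  # step 110


def release_permission(taskid: str) -> bool:
    """Step 318: releasing the authority is just deleting the business lock row."""
    return DB.execute("DELETE FROM task WHERE taskid = ?", (taskid,)).rowcount == 1


def running_count() -> int:
    return DB.execute("SELECT COUNT(*) FROM task").fetchone()[0]


reset_store()

if __name__ == "__main__":
    st = station_id("client-a")
    t = apply_permission("alice", "GL203", st)
    print("GL203 granted:", t is not None)
    print("GL201 while GL203 runs:", apply_permission("bob", "GL201", station_id("client-b")))
    print("released:", release_permission(t))
```

Because GL203 lists itself in its own mutex set, a second application for GL203 is refused while the first is running; GL204, excluded through the not-mutually-exclusive set, can run alongside it. The race_hook path shows the case the text calls a concurrent read: a conflicting row appearing between the first check and the insert is caught by the second query, and the inserted row is removed again.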
In summary, compared with the prior art, the authority control method and system realized according to an embodiment of the invention have the following advantages:
First, in place of the original static authorization, authority can now be controlled dynamically during operation: while a function with a mutex relation is running, the user has no right to access this function, which increases the flexibility of authorization and safeguards the integrity of the business data.
Second, mutual exclusion granularity is introduced: authority mutex relations can be configured not only on final-stage nodes but also on non-final-stage nodes, and by introducing the notion of non-mutual-exclusion, database storage space is saved and configuration is simplified.
Finally, table-level locks and shared locks are removed and row-level locks are used explicitly for inserts and deletes, so operations between rows are fully concurrent and query efficiency is very high.
The above are only preferred embodiments of the present invention and are not intended to limit it; for a person skilled in the art, the present invention may have various changes and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (10)

1. An authority control method, characterized in that it comprises:
step 102: receiving an authority application;
step 104: searching, among the authorities that are running and have been applied for, for a mutually exclusive privilege of the applied-for authority; entering step 106 when a mutually exclusive privilege of the applied-for authority is found, and entering step 108 when none is found;
step 106: refusing this authority application;
step 108: adding the applied-for authority to the authorities that have been applied for, and searching, among the other authorities that are running and have been applied for, for a mutually exclusive privilege of the applied-for authority; entering step 110 when none is found, and entering step 112 when one is found;
step 110: confirming that the authority application has succeeded, and granting the applied-for authority to the user for use;
step 112: deleting the applied-for authority from the authorities that have been applied for, and refusing this authority application.
2. The authority control method according to claim 1, characterized in that it further comprises:
step 101: formulating a mutex relation for each authority,
wherein in step 104 the mutually exclusive privilege of the applied-for authority is searched for according to the mutex relation of each authority,
and in step 108 the mutually exclusive privilege of the applied-for authority is searched for according to the mutex relation of each authority.
3. The authority control method according to claim 2, characterized in that the mutex relation comprises:
a permission ID, identifying each authority;
a mutually exclusive privilege ID and a not-mutually-exclusive privilege ID, wherein the authorities identified by the mutually exclusive privilege ID, after removal of the authorities identified by the not-mutually-exclusive privilege ID, serve as the mutually exclusive privileges of each authority;
a mutual exclusion type, wherein the authorities corresponding to the mutual exclusion type also serve as mutually exclusive privileges of each authority.
4. The authority control method according to claim 2, characterized in that in step 102 the applied-for authority is a final-stage authority,
and in step 101 the authorities for which mutex relations are formulated are final-stage authorities.
5. The authority control method according to any one of claims 1 to 4, characterized in that the authorities that are running and have been applied for are recorded in a database,
in step 108, when the applied-for authority is added to the authorities that have been applied for, it is recorded in the database using a row-level lock,
and in step 112, when the applied-for authority is deleted from the authorities that have been applied for, it is deleted from the database using a row-level lock.
6. The authority control method according to any one of claims 1 to 4, characterized in that in step 102 a unique sequence number is assigned to the applied-for authority,
in step 104 the mutually exclusive privilege of the applied-for authority is searched for according to the unique sequence number,
and in step 108 the mutually exclusive privilege of the applied-for authority is searched for according to the unique sequence number.
7. An authority control system, characterized in that it comprises:
an authority application receiving module, which receives an authority application;
a first mutually exclusive privilege search module, which searches, among the authorities that are running and have been applied for, for a mutually exclusive privilege of the applied-for authority, refuses this authority application when one is found, and starts a second mutually exclusive privilege search module when none is found;
the second mutually exclusive privilege search module, which adds the applied-for authority to the authorities that have been applied for and searches, among the other authorities that are running and have been applied for, for a mutually exclusive privilege of the applied-for authority; when none is found, it confirms that the authority application has succeeded and grants the applied-for authority to the user for use, and when one is found, it deletes the applied-for authority from the authorities that have been applied for and refuses this authority application.
8. The authority control system according to claim 7, characterized in that it further comprises:
a mutex relation formulation module, which formulates a mutex relation for each authority,
wherein the first mutually exclusive privilege search module searches for the mutually exclusive privilege of the applied-for authority according to the mutex relation of each authority,
and the second mutually exclusive privilege search module searches for the mutually exclusive privilege of the applied-for authority according to the mutex relation of each authority.
9. The authority control system according to claim 8, characterized in that the authority whose application is accepted by the authority application receiving module is a final-stage authority,
and the authorities for which the mutex relation formulation module formulates mutex relations are final-stage authorities.
10. The authority control system according to claim 9, characterized in that it further comprises:
an authority application processing module, which, when the authority applied for by the user contains sub-authorities, processes the authority applied for by the user into one or more final-stage authorities.
CN 201010289764 2010-09-21 2010-09-21 Access control method and system Active CN101976314B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010289764 CN101976314B (en) 2010-09-21 2010-09-21 Access control method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010289764 CN101976314B (en) 2010-09-21 2010-09-21 Access control method and system

Publications (2)

Publication Number Publication Date
CN101976314A true CN101976314A (en) 2011-02-16
CN101976314B CN101976314B (en) 2012-08-01

Family

ID=43576199

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010289764 Active CN101976314B (en) 2010-09-21 2010-09-21 Access control method and system

Country Status (1)

Country Link
CN (1) CN101976314B (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102708416A (en) * 2012-05-10 2012-10-03 华为软件技术有限公司 Method, device and system for ordering business by users
CN103701801A (en) * 2013-12-26 2014-04-02 四川九洲电器集团有限责任公司 Resource access control method
CN103886109A (en) * 2014-04-18 2014-06-25 北京搜狐新媒体信息技术有限公司 Method and device for realizing row lock of database
CN104579756A (en) * 2014-12-19 2015-04-29 西安理邦科学仪器有限公司 Method and system for managing client operation of distribution type monitoring network
CN105373714A (en) * 2015-11-26 2016-03-02 深圳市金证科技股份有限公司 User permission control method and device
CN107679749A (en) * 2017-09-30 2018-02-09 新奥(中国)燃气投资有限公司 The measures and procedures for the examination and approval and Current Authorization Management Platform of a kind of authority application
CN109829331A (en) * 2018-12-28 2019-05-31 金螳螂家装电子商务(苏州)有限公司 A kind of data managing method based on finishing chain employee unified rights
CN110336802A (en) * 2019-06-20 2019-10-15 苏州浪潮智能科技有限公司 A kind of remote operation method and device of server
US10701139B2 (en) 2015-07-20 2020-06-30 Huawei Technologies Co., Ltd. Life cycle management method and apparatus
CN113538089A (en) * 2021-06-30 2021-10-22 北京思特奇信息技术股份有限公司 CRM system-based newly-added order correction method and system, electronic device and storage medium
CN114697369A (en) * 2022-03-08 2022-07-01 青岛海尔科技有限公司 Control method and device of intelligent equipment, storage medium and electronic device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1510867A (en) * 2002-12-21 2004-07-07 华为技术有限公司 Multiuser access authority controlled realizing method
CN101141297A (en) * 2007-08-23 2008-03-12 华为技术有限公司 Authority relation data generating and regulating method and management system
CN101415009A (en) * 2008-11-21 2009-04-22 中兴通讯股份有限公司 Management method and system for multi-user authority of communication system
CN101478536A (en) * 2008-12-08 2009-07-08 山东浪潮齐鲁软件产业股份有限公司 Method for solving access control in authority management

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102708416B (en) * 2012-05-10 2015-11-25 华为软件技术有限公司 A kind of method, apparatus and system of user subscribes service
CN102708416A (en) * 2012-05-10 2012-10-03 华为软件技术有限公司 Method, device and system for ordering business by users
CN103701801A (en) * 2013-12-26 2014-04-02 四川九洲电器集团有限责任公司 Resource access control method
CN103886109A (en) * 2014-04-18 2014-06-25 北京搜狐新媒体信息技术有限公司 Method and device for realizing row lock of database
CN103886109B (en) * 2014-04-18 2017-04-12 北京搜狐新媒体信息技术有限公司 Method and device for realizing row lock of database
CN104579756B (en) * 2014-12-19 2018-10-23 西安理邦科学仪器有限公司 The client actions management method and system of distributed monitoring network
CN104579756A (en) * 2014-12-19 2015-04-29 西安理邦科学仪器有限公司 Method and system for managing client operation of distribution type monitoring network
US10701139B2 (en) 2015-07-20 2020-06-30 Huawei Technologies Co., Ltd. Life cycle management method and apparatus
CN105373714B (en) * 2015-11-26 2018-08-31 深圳市金证科技股份有限公司 A kind of user authority control method and device
CN105373714A (en) * 2015-11-26 2016-03-02 深圳市金证科技股份有限公司 User permission control method and device
CN107679749A (en) * 2017-09-30 2018-02-09 新奥(中国)燃气投资有限公司 The measures and procedures for the examination and approval and Current Authorization Management Platform of a kind of authority application
CN107679749B (en) * 2017-09-30 2021-05-25 新奥(中国)燃气投资有限公司 Authority application approval method and authorization management platform
CN109829331A (en) * 2018-12-28 2019-05-31 金螳螂家装电子商务(苏州)有限公司 A kind of data managing method based on finishing chain employee unified rights
CN110336802A (en) * 2019-06-20 2019-10-15 苏州浪潮智能科技有限公司 A kind of remote operation method and device of server
CN113538089A (en) * 2021-06-30 2021-10-22 北京思特奇信息技术股份有限公司 CRM system-based newly-added order correction method and system, electronic device and storage medium
CN114697369A (en) * 2022-03-08 2022-07-01 青岛海尔科技有限公司 Control method and device of intelligent equipment, storage medium and electronic device

Also Published As

Publication number Publication date
CN101976314B (en) 2012-08-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20160217

Address after: 100094 Beijing City, North Road, Haidian District, No. 68, building 2, floor 2

Patentee after: You Pu Information Technology Co., Ltd of UFSOFT

Address before: 100094 Beijing city Haidian District North Road No. 68, UFIDA Software Park

Patentee before: UFIDA Software Co., Ltd.