CN102075357B - Multi-domain security management method for network management system - Google Patents


Info

Publication number: CN102075357B
Authority: CN (China)
Prior art keywords: user, network element, security management, domain, authority
Priority date: 2010-12-31
Filing date: 2010-12-31
Publication date: 2013-05-08 (granted publication; the application CN102075357A was published 2011-05-25)
Legal status: Expired - Fee Related
Application number: CN 201010621252
Other languages: Chinese (zh)
Other versions: CN102075357A (en)
Inventors: 张珏 (Zhang Jue), 曹东 (Cao Dong)
Current assignee: Wuhan NEC Fiber Optic Communications Industry Co Ltd
Original assignee: Wuhan NEC Fiber Optic Communications Industry Co Ltd
Abstract

The invention provides a multi-domain security management method for a network management system comprising the steps of: 1) creating one or more logical security management domains; 2) assigning network elements to the corresponding logical security management domains; 3) creating user groups and assigning users to them; 4) creating operating-rights sets (permission sets); 5) specifying a permission set for each logical security management domain, establishing the association between logical security management domain and permission set; and 6) specifying for a user group one or more logical security management domain and permission set associations, finally establishing the association of user group, logical security management domain and permission set. The method solves the problem of controlling different rights in different domains of the network management system and lets different rights in different management domains be assigned to users flexibly.

Description

Multi-domain security management method for network management system
Technical field
The invention relates to SDH (Synchronous Digital Hierarchy), MSTP (Multi-Service Transport Platform, based on SDH) and PTN (Packet Transport Network) transmission networks, and in particular to authority- and domain-based management in a network management system: controlling user rights flexibly and preventing unauthorized users from accessing network resources and network management functions.
Background technology
In recent years, as transmission networks have grown, operators' transmission networks have come to contain equipment of many types and from many vendors side by side. The transmission network management system manages all of this equipment centrally: it monitors alarms and performance in real time and configures connections and services across the network. Because management is centralized, and the scope and functions it covers keep growing, higher demands are placed on the security management of the network management system. Users expect flexible access-control means by which a designated user can be given one or more operating rights.
The network management system manages many kinds of equipment from many vendors, distributed across different physical regions. Users expect different administrative rights in different regions, for example modify rights in domain A but only view rights in domain B. Configuring user rights and controlling user operations in this flexible way simplifies access-control management and improves system security.
The prior art relevant to the invention includes the following two schemes.
Scheme one: the granularity of access control is the domain, bound to the physical domains of the real environment; a user's rights apply to one or more specific physical domains.
This scheme has the following defect: because user rights are bound directly to physical domains, a scenario in which a user needs operating rights on some network elements of physical domain A and on some network elements of physical domain B cannot be expressed cleanly, and setting the management area for such a user becomes a problem.
Scheme two: the granularity of access control is the network element, and a user's rights are set for each network element individually.
This scheme has the following defect: assigning user rights is tedious, since rights must be assigned and controlled for every network element, and a large amount of redundant information results.
Summary of the invention
The technical problem solved by the invention is to provide a multi-domain security management method for a network management system which solves the problem of per-domain rights control in the network management system and lets different rights in different management domains be assigned to users flexibly.
The technical solution adopted by the invention is a multi-domain security management method for a network management system comprising:
S1) create one or more logical security management domains;
S2) assign network elements to the corresponding logical security management domains;
S3) create user groups and assign users to them;
S4) create operating-rights sets (permission sets);
S5) specify a permission set for each logical security management domain, establishing the association logical security management domain - permission set;
S6) specify for a user group one or more logical security management domain - permission set associations, finally establishing the association user group - logical security management domain - permission set.
The logical security management domain of step S1 is a virtual logical domain; it contains network elements of one or more physical domains.
The user groups of step S3 include administrator, system operator and observer. These user groups are system defaults; new user groups can also be defined according to the user's own requirements.
The permission sets of step S4 include the system, operation and view permission sets.
The system permission set contains the permission items relevant to a system administrator, for example the network element operation item, network element view item, service operation item, service view item and user operation item. The operation permission set contains the network element operation item, network element view item, service operation item and service view item. The view permission set contains the network element view item and service view item.
The network element view item contains the operations of viewing network element attributes and viewing network element state; the network element operation item contains the operations of creating, deleting and modifying network elements.
The user group - logical security management domain - permission set associations of step S6 include: administrator group - all logical security management domains - system permission set; operator group - all logical security management domains - operation permission set; and observer group - all logical domains - view permission set.
Advantages of the invention: in a network management system the method solves the main problem of per-domain security and provides a flexible rights management mechanism for different users.
First, it removes the binding between security and physical domains: the scope of the network elements a user manages has no relation to physical location, and network elements can be assigned to a user's management scope flexibly. Second, it reduces the time spent on security configuration: no separate rights configuration is needed for each network element; user groups and permission sets are configured uniformly through the logical security management domains, which reduces maintenance time.
Description of drawings
Fig. 1 is an explanatory diagram of the invention.
Fig. 2 is the normal flow diagram of the invention.
Fig. 3 is the rights association diagram of the invention.
Embodiment
First, virtual logical security management domains are created according to the user's needs (such a domain has no direct relation to physical domains; it can be regarded as a set of network elements, but the network elements in the set may belong to different physical domains). Then, according to the user's actual security management requirements, physical network elements from different physical domains are placed into these logical management domains. User groups are created and the relevant users are added to them. Finally, different security management rights are given to the logical security management domains, and the link between user group and logical security management domain is specified. In this way a user can flexibly manage different network elements in various physical domains according to actual conditions, with different sets of operating rights on different equipment, satisfying the network management system's requirement for per-domain, decentralized management.
The invention provides the following technical scheme.
The scheme mainly involves the following concepts:
1. Network element: a real physical device or a virtual network element device.
2. Physical domain: a real equipment management domain, generally divided by region; for example, all physical equipment in Wuhan City can be regarded as one physical domain.
3. Logical security management domain: a virtual logical domain used mainly for user security control. It has no direct relation to physical domains; it is a set of network elements, may contain network elements from different physical domains, and network elements can be assigned to it flexibly.
Example: logical domain = network element 1, network element 24, ...
4. User: a real user.
5. User group: a set of users with the same logical security management domains and the same rights.
Example: user group = administrator, system operator, ...
By default there are an administrator group, an operator group and an observer group, among others, and the user can also define custom user groups.
6. Permission item: a set of operating rights, configured at function granularity.
Example: network element operation item = create network element, delete network element, modify network element, ...
7. Permission set: the set of permission items assigned to a user.
Example: administrator permission set = network element operation item, service operation item, ...
Here, permission items are defined by the system, and a permission item is a set of operations; a permission set is a set of permission items, and the user can choose which permission items it contains, as shown in Tables 1 to 3 below.

Table 1: permission items contained in each permission set (the table in the original is an image; the contents below are those given in the summary and in claim 4)
Permission set            Permission items
System permission set     network element operation, network element view, service operation, service view, user operation
Operation permission set  network element operation, network element view, service operation, service view
View permission set       network element view, service view
Note: by default the system provides the system, operation and view permission sets, among others. OAM refers to Operations, Administration and Maintenance.

Table 2: operations contained in a permission item
Permission item                  Operations
Network element operation item   create network element, delete network element, modify network element, etc.
Network element view item        view network element attributes, view network element state, etc.
Note: permission items are defined by the system at function granularity and cannot be customized by the user.

Table 3: user group - corresponding logical domain - permission set associations
User group            Logical domain: corresponding permission set
Administrator group   all network element logical domains: system permission set
Operator group        all network element logical domains: operation permission set
Observer group        all network element logical domains: view permission set
Custom group 1        logical domain A: system permission set
Custom group 2        logical domain A: operation permission set; logical domain B: view permission set
Note: a right is ultimately a three-way association of user group, logical domain and permission set.

This mechanism mainly comprises the following steps:
S1) First, create one or more logical domains according to the user's requirements.
S2) Then, according to the user's actual requirements, place the network elements of different physical domains into different logical domains.
S3) Create user groups and assign the relevant users to them.
S4) Create different permission sets, or use the system defaults (by default there are administrator, operator and observer permission sets, among others).
S5) Assign different permission sets to different logical security management domains.
S6) Assign one or more logical security domains (together with their permission set associations) to a particular user group.
Embodiment:
To provide a rights management method for a network management system by which the problem of per-domain rights control is solved and different rights in different management domains are assigned to users flexibly, the normal flow of the invention is as follows:
Step 1: create a logical security domain.
Step 2: assign network elements to the logical security domain.
Step 3: create permission sets.
Step 4: specify permission sets for the virtual domain.
Step 5: specify virtual domains and permission sets for the user.
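The six-step procedure above, from creating logical domains through the final user group / logical domain / permission set association, as an added Python model. This is example code written for this page, not code from the patent or from its assignee. It implements the default permission items and permission sets of Tables 1 to 3 and the authorization check a network management system would run before serving a request. Assumptions not taken from the patent: the operations inside the service and user permission items, the network element ne7, the Shanghai region, the rule that a group may only be granted a domain / permission set pair that was established in step S5, and the rule that rights accumulate when one network element lies in several logical domains granted to the same group.

```python
"""Added example (not from the patent): a small model of the user group /
logical security management domain / permission set association of steps
S1-S6, plus the authorization check an NMS would run on every request."""
from collections import defaultdict

# Permission items are system-defined sets of operations (Table 2). The page
# lists operations only for the two NE items; the other operations are assumed.
PERMISSION_ITEMS = {
    "ne_operation": {"create_ne", "delete_ne", "modify_ne"},
    "ne_view": {"view_ne_attributes", "view_ne_state"},
    "service_operation": {"create_service", "delete_service", "modify_service"},
    "service_view": {"view_service"},
    "user_operation": {"create_user", "delete_user", "modify_user"},
}

# Default permission sets and the items each contains (Table 1 / claim 4).
DEFAULT_PERMISSION_SETS = {
    "system": {"ne_operation", "ne_view", "service_operation", "service_view", "user_operation"},
    "operation": {"ne_operation", "ne_view", "service_operation", "service_view"},
    "view": {"ne_view", "service_view"},
}

ALL_DOMAINS = "*"  # the default groups hold rights on "all NE logical domains" (Table 3)


class SecurityManager:
    def __init__(self):
        self.physical_domain_of = {}           # NE -> region; recorded but never consulted for authorization
        self.logical_domains = {}              # logical domain -> set of NEs (S1, S2)
        self.group_of = {}                     # user -> user group (S3)
        self.permission_sets = dict(DEFAULT_PERMISSION_SETS)  # name -> permission items (S4)
        self.domain_rights = defaultdict(set)  # logical domain -> permission sets associated with it (S5)
        self.group_rights = defaultdict(dict)  # user group -> {logical domain: permission set} (S6)

    def create_logical_domain(self, name):              # S1
        self.logical_domains.setdefault(name, set())

    def assign_ne(self, ne, physical_domain, logical_domain):   # S2
        self.physical_domain_of[ne] = physical_domain
        self.logical_domains[logical_domain].add(ne)    # KeyError if S1 was skipped

    def create_user_group(self, group, users):          # S3 (one group per user here)
        for user in users:
            self.group_of[user] = group

    def create_permission_set(self, name, items):       # S4: items must be system-defined
        unknown = set(items) - PERMISSION_ITEMS.keys()
        if unknown:
            raise ValueError(f"permission items are system-defined; unknown: {sorted(unknown)}")
        self.permission_sets[name] = set(items)

    def associate_domain_rights(self, logical_domain, permission_set):   # S5
        if permission_set not in self.permission_sets:
            raise KeyError(permission_set)
        self.domain_rights[logical_domain].add(permission_set)

    def grant(self, group, logical_domain, permission_set):   # S6
        # Assumption: a group may only receive a domain / permission set pair set up in S5.
        if permission_set not in self.permission_sets:
            raise KeyError(permission_set)
        if logical_domain != ALL_DOMAINS and permission_set not in self.domain_rights[logical_domain]:
            raise PermissionError(f"{permission_set!r} is not associated with domain {logical_domain!r}")
        self.group_rights[group][logical_domain] = permission_set

    def operations_of(self, permission_set):
        return set().union(*(PERMISSION_ITEMS[i] for i in self.permission_sets[permission_set]))

    def authorize(self, user, operation, ne):
        """Deny by default; allow only if the user's group holds a permission set, on a logical
        domain containing the NE, whose items include the operation (rights accumulate: assumption)."""
        group = self.group_of.get(user)
        if group is None:
            return False
        for domain, permission_set in self.group_rights[group].items():
            candidates = list(self.logical_domains) if domain == ALL_DOMAINS else [domain]
            for d in candidates:
                if ne in self.logical_domains.get(d, ()) and operation in self.operations_of(permission_set):
                    return True
        return False


def build_example():
    """Constructed scenario after Table 3: default groups on all domains, custom group 2 with
    operation rights on domain A and view rights on domain B."""
    sm = SecurityManager()
    for domain in ("A", "B"):
        sm.create_logical_domain(domain)
    sm.assign_ne("ne1", "Wuhan", "A")
    sm.assign_ne("ne24", "Shanghai", "A")   # region assumed: two physical domains, one logical domain
    sm.assign_ne("ne7", "Wuhan", "B")       # NE name assumed
    sm.create_user_group("administrator", ["root"])
    sm.create_user_group("observer", ["bob"])
    sm.create_user_group("custom2", ["alice"])
    for domain in ("A", "B"):
        for ps in ("system", "operation", "view"):
            sm.associate_domain_rights(domain, ps)
    sm.grant("administrator", ALL_DOMAINS, "system")
    sm.grant("observer", ALL_DOMAINS, "view")
    sm.grant("custom2", "A", "operation")
    sm.grant("custom2", "B", "view")
    return sm
```

Two points worth checking in any implementation of this scheme. The physical domain of a network element is stored but never read by authorize(), which is exactly the decoupling the patent claims over prior-art scheme one; ne1 (Wuhan) and ne24 (Shanghai, assumed) share logical domain A and get the same treatment. And authorize() is deny-by-default: a user outside every group, or an operation outside the permission items of the granted set, is refused, while a group granted the system permission set on ALL_DOMAINS is a full administrator, so membership of that group is the privileged operation to audit.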

Claims (6)

1. A multi-domain security management method for a network management system, characterized in that it comprises:
S1) creating one or more logical security management domains, each logical security management domain being a virtual logical domain containing network elements of one or more physical domains;
S2) assigning network elements to the corresponding logical security management domains;
S3) creating user groups and assigning users to them;
S4) creating operating-rights sets (permission sets);
S5) specifying a permission set for each logical security management domain, establishing the association logical security management domain - permission set;
S6) specifying for a user group one or more logical security management domain - permission set associations, finally establishing the association user group - logical security management domain - permission set.
2. The method according to claim 1, characterized in that the user groups of step S3 include administrator, system operator and observer.
3. The method according to claim 1, characterized in that the permission sets of step S4 include the system, operation and view permission sets.
4. The method according to claim 3, characterized in that the system permission set contains the network element operation item, network element view item, service operation item, service view item and user operation item; the operation permission set contains the network element operation item, network element view item, service operation item and service view item; and the view permission set contains the network element view item and service view item.
5. The method according to claim 4, characterized in that the network element view item contains the operations of viewing network element attributes and viewing network element state, and the network element operation item contains the operations of creating, deleting and modifying network elements.
6. The method according to claim 2 or 3, characterized in that the user group - logical security management domain - permission set associations of step S6 include: administrator group - all logical security management domains - system permission set; operator group - all logical security management domains - operation permission set; and observer group - all logical domains - view permission set.
Priority Applications (1)

Application number   Priority date   Filing date   Title
CN 201010621252      2010-12-31      2010-12-31    Multi-domain security management method for network management system (CN102075357B, Expired - Fee Related)

Publications (2)

Publication number   Publication date
CN102075357A (en)    2011-05-25
CN102075357B (en)    2013-05-08

Family ID: 44033712
Country status: CN (1), CN102075357B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571745A (en) * 2011-11-16 2012-07-11 烽火通信科技股份有限公司 User access authority management method aiming at large capacity of objects
CN102903029A (en) * 2012-09-27 2013-01-30 广东亿迅科技有限公司 Domain-partitioned authorization method for cloud computing resources
CN103916304B (en) * 2012-12-31 2017-06-20 中国移动通信集团公司 SNS system, network and method for processing SNS requests
CN106506238A (en) * 2015-08-24 2017-03-15 中兴通讯股份有限公司 Network element management method and system
CN106685902A (en) * 2015-11-10 2017-05-17 大唐移动通信设备有限公司 User authority management method, client and server
CN107196795A (en) * 2017-05-18 2017-09-22 上海耐相智能科技有限公司 Efficient Internet user management system
CN110139174A (en) * 2019-06-03 2019-08-16 北京盟力星科技有限公司 Network element management device based on a network management system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1741464A (en) * 2004-08-27 2006-03-01 华为技术有限公司 Network user management system and method thereof
CN101159618A (en) * 2007-11-23 2008-04-09 杭州华三通信技术有限公司 Authority configuring method and apparatus


Legal Events

Code   Title / Description
C06    Publication
PB01   Publication
C10    Entry into substantive examination
SE01   Entry into force of request for substantive examination
C53    Correction of patent for invention or patent application
CB03   Change of inventor or designer information (inventor before: Zhang Jue; inventors after: Zhang Jue, Cao Dong)
COR    Change of bibliographic data (CORRECT: INVENTOR; FROM: ZHANG JUE TO: ZHANG JUE CAO DONG)
C14    Grant of patent or utility model
GR01   Patent grant (granted publication date: 20130508)
CF01   Termination of patent right due to non-payment of annual fee (granted publication date: 20130508; termination date: 20191231)