CN102468971A - Authority management method and device, and authority control method and device - Google Patents
- Publication number: CN102468971A
- Authority: CN (China)
- Prior art keywords: authority, role, user, mapping relations, roles
- Legal status: Pending
- Landscapes: Storage Device Security (AREA)
Abstract
The invention provides an authority management method and device and an authority control method and device. The authority control method comprises the following steps: acquiring the plurality of roles corresponding to the current user according to a preset many-to-many mapping between users and roles; acquiring the authorities corresponding to those roles according to a preset role-authority mapping; and opening authorities to the current user according to the authorities corresponding to those roles. The invention improves users' working efficiency and the convenience of authority use.
Description
Technical field
The present invention relates to rights management techniques, and in particular to a rights management method and device and an authority control method and device.
Background technology
In recent years, with the rapid development and wide application of computer network technology, network information security has become increasingly important. Its basic goal is to ensure the confidentiality, integrity and availability of the information in a computer, and access control is an important technique for securing managed information. Among the many access control techniques, role-based access control (RBAC, Role Based Access Control) introduces the role as an intermediary: an administrator manually assigns each user a suitable role, and the role's authorities are thereby authorized to the user. This logically separates users from authorities and greatly simplifies authority management, so the RBAC model has been widely adopted in many industries.
For example, large-scale cluster equipment control software mainly adopts the RBAC model, and such control software is a multi-user system. User roles generally include users of different identities such as operator, facilities engineer and process engineer, and different roles can perform operations of different levels through the software. For example, the operator role is defined for someone who understands the machine only a little and performs only fixed production operations; the facilities engineer role is defined for someone who understands the machine very well and often performs maintenance-type operations; and the process engineer role is defined for someone very familiar with the design and manufacturing process of the product, who often creates process flows (recipes).
Referring to Fig. 1, a typical user authority allocation scheme of prior-art semiconductor equipment control software is shown. In this scheme the relation between users and roles is many-to-one: a user can belong to only one role, but a role can contain several users; for example, user 1 is a member of role 1, and user 2 and user 3 are both members of role 3. The relation between roles and authorities is many-to-many: a role can hold several authorities, and one authority can belong to several roles.
Sometimes, however, one natural person may need the authorities of several roles at the same time; for example, the person needs the authority of an "operator" but also the authorities of a "facilities engineer" and a "process engineer". With the prior art, that person has to register several accounts to satisfy the demand: for example, applying for the "operator" role with the account "Zhang San", for the "facilities engineer" role with the account "Li Si", and for the "process engineer" role with the account "Wang Wu". But much control software does not support logging in with multiple accounts, so the person inevitably switches accounts while using the control software; this switching both lowers the person's working efficiency and greatly reduces the convenience of using authorities.
In summary, an urgent technical problem for those skilled in the art is how to improve working efficiency, and the convenience of authority use, in the situation described above.
Summary of the invention
The present invention provides a rights management method and device that can improve users' working efficiency and increase the convenience of authority use.
Correspondingly, the present invention also provides an authority control method and device, so as to ensure the realization and application of the above method in practice.
To solve the above problem, the invention discloses a rights management method, comprising:
defining multiple roles for a user and generating a many-to-many mapping between users and roles;
defining authorities and generating a role-authority mapping.
Preferably, the method further comprises:
performing user maintenance, wherein user maintenance comprises creating a new user, deleting a user, editing a user and modifying the plurality of roles corresponding to a user.
Preferably, the method further comprises:
updating the many-to-many mapping between users and roles according to the user maintenance.
Preferably, the method further comprises:
performing role maintenance and/or authority maintenance, wherein role maintenance comprises creating a new role, deleting a role, editing a role and modifying the authorities corresponding to a user, and authority maintenance comprises creating a new authority, deleting an authority and editing an authority.
Preferably, the method further comprises:
updating the many-to-many mapping between users and roles and/or the role-authority mapping according to the role maintenance and/or authority maintenance.
According to another embodiment, the invention also discloses an authority control method, comprising:
obtaining the plurality of roles corresponding to the current user according to a preset many-to-many mapping between users and roles;
obtaining the authorities corresponding to those roles according to a preset role-authority mapping;
opening authorities to the current user according to the authorities corresponding to those roles.
Preferably, the step of opening authorities to the current user according to the authorities corresponding to the plurality of roles comprises:
when conflicting authorities exist among the authorities corresponding to the plurality of roles, selecting the least or the highest authority from the conflicting authorities and providing it to the current user; wherein conflicting authorities are two or more authorities by which different roles corresponding to the same user perform the same operation on the same object or resource.
Preferably, the step of opening authorities to the current user according to the authorities corresponding to the plurality of roles comprises:
displaying the authorities to be opened to the current user in an operable state.
According to another embodiment, the invention also discloses a rights management device, comprising:
a user-role mapping module, used to define multiple roles for a user and generate the many-to-many mapping between users and roles;
a role-authority mapping module, used to define authorities and generate the role-authority mapping.
Preferably, the device further comprises:
a user maintenance module, used to perform user maintenance, wherein user maintenance comprises creating a new user, deleting a user, editing a user and modifying the plurality of roles corresponding to a user.
Preferably, the device further comprises:
a first update module, used to update the many-to-many mapping between users and roles according to the user maintenance.
Preferably, the device further comprises:
a role-authority maintenance module, used to perform role maintenance and/or authority maintenance, wherein role maintenance comprises creating a new role, deleting a role, editing a role and modifying the authorities corresponding to a user, and authority maintenance comprises creating a new authority, deleting an authority and editing an authority.
Preferably, the device further comprises:
a second update module, used to update the many-to-many mapping between users and roles and/or the role-authority mapping according to the role maintenance and/or authority maintenance.
According to another embodiment, the invention also discloses an authority control device, comprising:
a role acquisition module, used to obtain the plurality of roles corresponding to the current user according to a preset many-to-many mapping between users and roles;
an authority acquisition module, used to obtain the authorities corresponding to those roles according to a preset role-authority mapping; and
an authority opening module, used to open authorities to the current user according to the authorities corresponding to those roles.
Preferably, the authority opening module is specifically used, when conflicting authorities exist among the authorities corresponding to the plurality of roles, to select the least or the highest authority from the conflicting authorities and provide it to the current user, wherein conflicting authorities are two or more authorities by which different roles corresponding to the same user perform the same operation on the same object or resource.
Preferably, the authority opening module is specifically used to display the authorities to be opened to the current user in an operable state.
Compared with the prior art, the present invention has the following advantages:
The present invention adopts a many-to-many mapping between users and roles; in particular, when a natural person registers an account, one account is allowed to belong to several different roles at the same time. For the user side this avoids unnecessary registration of multiple accounts and frequent account switching, so the convenience of using authorities increases and the user's working efficiency improves.
In addition, for the rights management system side, the number of users to be maintained falls, so the complexity of rights management is greatly reduced.
Moreover, when conflicting authorities exist among the authorities corresponding to the plurality of roles, the least or the highest authority can be selected from the conflicting authorities, as directed by those skilled in the art, and provided to the current user to satisfy the current authority demand.
Description of drawings
Fig. 1 is the user authority allocation scheme of typical prior-art semiconductor equipment control software;
Fig. 2 is a flow chart of an embodiment of the rights management method of the present invention;
Fig. 3 is an example of a rights management scheme of the present invention;
Fig. 4 is a structure diagram of an embodiment of the rights management device of the present invention;
Fig. 5 is a flow chart of an embodiment of the authority control method of the present invention;
Fig. 6 is an example flow of a user logging in to the system according to the present invention;
Fig. 7 is a structure diagram of an embodiment of the authority control device of the present invention.
Embodiment
To make the above objects, features and advantages of the present invention clearer and easier to understand, the present invention is further described in detail below with reference to the accompanying drawings and embodiments.
The present invention can be used in numerous general-purpose or special-purpose computing device environments or configurations, for example personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor devices, distributed computing environments comprising any of the above devices, and the like.
The present invention can be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The present invention can also be practiced in distributed computing environments, where tasks are performed by remote processing devices connected through a communication network; in such environments, program modules can be located in both local and remote computer storage media, including memory storage devices.
To help those skilled in the art understand the present invention better, the principles of rights management are introduced further below.
An authority can be expressed as a logical expression: judging whether the expression "Who performs the operation How on What" is true.
Who: the holder or subject of the authority (User, Role, etc.);
What: the object or resource the authority applies to (Resource, etc.);
How: the concrete authority (Privilege);
Role: a role holds a certain number of authorities;
Operator: an operation, expressing the How applied to the What;
User: a user, associated with Role but not directly with Privilege; for a User to hold an authority over a resource, the association must go through a Role, which answers the question of Who;
Resource: the resources of the system; for example, in the program production field these can be department news, documents and other objects that can be provided for user access; in the office automation (OA, Office Automation) field they can include employee data; in the auditing field they can be the budget data of each link; in the semiconductor equipment control field they can include equipment module control, and so on;
Privilege: the authority associated with a Resource, that is, an authority bound to a specific resource instance. For example, the authority to publish department news is called the "department news publishing authority", the authority to view employee data is called the "employee data viewing authority", and the authority to approve budget data is called the "budget approval authority", and so on.
In practical application, different applications require a suitable scheme to be chosen according to the actual situation and concrete architecture of the project, balancing maintainability, flexibility, integrity and other factors among several rights management schemes.
Because rights management is widely used in the OA field, the OA field has served as the model for various other fields. The OA field adopted the RBAC model for rights management, realizing the logical separation of users and authorities and thereby increasing the flexibility of rights management. In particular, roles in the OA field are often tied to posts: frequently a post such as "general manager", "department manager" or "employee" is itself the role, and a natural person usually holds only one post in the OA field, which means that a natural person has only one role. The relation between users and roles in the OA field is therefore many-to-one. Because this many-to-one form of the RBAC model has the advantage of high flexibility, other fields followed suit one after another, and the many-to-one relation of the RBAC model has seen wide and successful application and development in recent times. Thus the many-to-one mapping has become the relation generally adopted by those skilled in the rights management field, and it is difficult for them to conceive of, or even to consider, adopting other mappings such as one-to-one, many-to-many or one-to-many.
The inventor, however, noticed that when a natural person needs the authorities of several roles at the same time, allowing one user to belong to several different roles simultaneously avoids that person's registration of multiple accounts and frequent account switching, which increases the convenience of using authorities and also improves the user's working efficiency.
Referring to Fig. 2, a flow chart of an embodiment of the rights management method of the present invention is shown, which may specifically comprise the following steps.
The present invention can be applied in the various fields where authorities apply, such as program production, OA, auditing and production equipment control; for simplicity, the specific embodiments of the present invention mainly take semiconductor equipment control in the production equipment control field as the concrete application environment, but this should not be taken as limiting the application of the present invention.
Step 201: this step binds one user to several roles, assigning the user multiple roles and recording the mapping between the user and those roles.
Suppose the user information is as shown in Table 1:
Table 1

| User information |
| --- |
| Zhang San |
| Li Si |
| Wang Wu |
| Zhao Liu |
The role information is as shown in Table 2:
Table 2

| Role information |
| --- |
| Operator |
| Facilities engineer |
| Electrical engineer |
| Process engineer |
Table 3 shows an example of binding the user information to the role information:
Table 3

| User information | Role information |
| --- | --- |
| Zhang San | Operator, facilities engineer, process engineer |
| Li Si | Operator, facilities engineer |
| Wang Wu | Facilities engineer, process engineer |
| Zhao Liu | Operator, process engineer, customer administrator |
Referring to Fig. 3, an example of a rights management scheme of the present invention is shown; part 301 is another example of the many-to-many mapping between users and roles. For example, user 1 corresponds to role 1 and role 2 at the same time, user 2 corresponds to role 3, user 3 corresponds to role 2, user 4 corresponds to role 5, and user 5 corresponds to role 4, role 5 and role 6 at the same time, and so on.
It can be seen that, besides many-to-many, the mapping between users and roles can also be one-to-one, many-to-one or one-to-many; according to actual needs, those skilled in the art can assign several roles to user 1, or a single role to user 2, etc. The present invention mainly uses the many-to-many mapping to explain its effect, but this many-to-many mapping can be used in combination with the other mappings, and the present invention does not limit this.
In practice, basic information such as the user's account and password, together with the roles defined for the user, can be stored in the user-role mapping. Preferably, therefore, the user-role mapping may comprise a user name field, a password field and a role field, for example as shown in Table 4:
Table 4

| Account | Password | Roles |
| --- | --- | --- |
| Zhang San | ****** | Operator, facilities engineer, process engineer |
| Li Si | ****** | Operator, facilities engineer |
| Wang Wu | ****** | Facilities engineer, process engineer |
| Zhao Liu | ****** | Operator, process engineer, customer administrator |
In a semiconductor equipment control system there are usually user roles such as operator, facilities engineer, process engineer and customer administrator, and under certain conditions one natural person is allowed to hold two or more roles concurrently, for example a user who is both a process engineer and a facilities engineer.
In the prior-art scheme, each user can belong to only one role; when a natural person needs the authorities of several roles at the same time, several users (accounts) have to be registered to satisfy the demand. For the user side this adds actions such as registering multiple accounts and frequently switching accounts, which lowers ease of use and working efficiency; for the rights management system side, several accounts have to be maintained, which increases the complexity of rights management.
The embodiment of the invention, by contrast, allows one account to belong to several different roles at the same time when a natural person registers an account. For the user side, unnecessary registration of multiple accounts and frequent account switching are avoided, so the convenience of using authorities increases and the user's working efficiency improves. For the rights management system side, the number of users to be maintained falls, so the complexity of rights management is greatly reduced.
The next step binds roles to authorities and records the role-authority mapping.
Referring to part 302 of Fig. 3, an example of a role-authority mapping of the present invention is shown. It defines six roles, role 1, role 2, ..., role 6, and nine authorities, authority 1, authority 2, ..., authority 9; the mapping between the six roles and the nine authorities is as shown in Table 5:
Table 5

| Role information | Authority information |
| --- | --- |
| Role 1 | Authority 1, authority 3 |
| Role 2 | Authority 2 |
| Role 3 | Authority 3, authority 6 |
| Role 4 | Authority 5 |
| Role 5 | Authority 7 |
| Role 6 | Authority 7, authority 8, authority 9 |
It will be appreciated that the present invention allows a user with administration authority (such as the customer administrator) to perform rights management maintenance, which may specifically comprise:
1. performing user maintenance, wherein user maintenance may specifically comprise creating a new user, deleting a user, editing a user, modifying the plurality of roles corresponding to a user, and so on;
In practice, the many-to-many mapping between users and roles should also be updated according to the user maintenance. For example, when a new user is created, the many-to-many mapping between that new user and roles should be generated according to step 201; when a user is deleted, the many-to-many mapping between that user and roles is deleted; and when the roles corresponding to a user are modified, the corresponding modification should be made in the many-to-many mapping table between users and roles.
2. performing role maintenance and/or authority maintenance, wherein role maintenance may specifically comprise creating a new role, deleting a role, editing a role and modifying the authorities corresponding to a user, and authority maintenance may specifically comprise creating a new authority, deleting an authority and editing an authority;
At this point, the many-to-many mapping between users and roles and/or the role-authority mapping can also be updated according to the role maintenance and/or authority maintenance.
Taking Table 4 as an example, if the "operator" role is deleted, the roles corresponding to "Zhang San", "Li Si" and "Zhao Liu" should be updated in Table 4, and the part of the role-authority mapping corresponding to "operator" should also be deleted.
In summary, the present invention can maintain rights management flexibly and enhances the extensibility of rights management.
Corresponding to the above rights management method embodiment, the invention also discloses a rights management device, which, referring to Fig. 4, may specifically comprise:
a user-role mapping module 401, used to define multiple roles for a user and generate the many-to-many mapping between users and roles;
a role-authority mapping module 402, used to define authorities and generate the role-authority mapping.
In a preferred embodiment of the present invention, the device may further comprise:
a user maintenance module, used to perform user maintenance, wherein user maintenance comprises creating a new user, deleting a user, editing a user and modifying the plurality of roles corresponding to a user;
More preferably, the device may further comprise a first update module, used to update the many-to-many mapping between users and roles according to the user maintenance.
In another preferred embodiment of the present invention, the device may further comprise:
a role-authority maintenance module, used to perform role maintenance and/or authority maintenance, wherein role maintenance comprises creating a new role, deleting a role, editing a role and modifying the authorities corresponding to a user, and authority maintenance comprises creating a new authority, deleting an authority and editing an authority;
Further, the device may also comprise a second update module, used to update the many-to-many mapping between users and roles and/or the role-authority mapping according to the role maintenance and/or authority maintenance.
Since the rights management device embodiment is basically similar to the rights management method embodiment shown in Fig. 2, its description is relatively simple; for the relevant parts, refer to the description of the rights management method embodiment.
Referring to Fig. 5, a flow chart of an embodiment of the authority control method of the present invention is shown, which may specifically comprise:
Step 501: according to the preset many-to-many mapping between users and roles, obtain the plurality of roles corresponding to the current user;
Step 502: according to the preset role-authority mapping, obtain the authorities corresponding to those roles;
In practice, the presetting of the many-to-many mapping between users and roles and of the role-authority mapping can be carried out with reference to the rights management method embodiment shown in Fig. 2.
Since an authority can be understood as "Who performs the operation How on What", where "What" refers to an object or resource, in some cases, when one user corresponds to several roles, different roles may hold two or more different authorities over the same object or resource, and those authorities may well perform the same operation on that object or resource; the authorities held by the user may therefore conflict. For example, in the OA field a user corresponds to the three roles "employee", "department manager" and "general manager", and these roles all hold a "viewing authority" over the object "employee data", but each role's "viewing authority" is different: an "employee" can view only their own employee data, a "department manager" can view the data of all employees in their own department, and a "general manager" can view the data of all employees in the company. This makes the user's authorities conflict.
As another example, in the auditing field, "role 1", "role 2" and "role 3" all hold the "budget approval authority" over the object "budget", but the concrete "budget approval authority" differs: "role 1" can approve budgets below 5000, "role 2" budgets below 10000, and "role 3" budgets below 50000. This is also an authority conflict problem.
As a further example, in the semiconductor equipment control field, the "facilities engineer" and the "process engineer" both hold an operating authority over "module control", but the "facilities engineer" can only perform the viewing operation on "module control", whereas the "process engineer" can perform both the viewing and the editing operation on "module control".
For the above authority conflict problem, in a preferred embodiment of the present invention, when conflicting authorities exist among the authorities corresponding to the plurality of roles, the least or the highest authority can be selected from the conflicting authorities and provided to the current user, wherein conflicting authorities are two or more authorities by which different roles corresponding to the same user perform the same operation on the same object or resource.
It will be appreciated that those skilled in the art can select the least or the highest authority according to actual needs. For example, in the semiconductor equipment control field, widening an authority easily leads to misoperation of the system that causes machine or equipment failures, so the least privilege is chosen; in the auditing field, by contrast, the 5000 budget of "role 1" and the 10000 budget of "role 2" differ little, so the highest authority may be chosen. The present invention does not limit the concrete selection.
In another preferred embodiment of the present invention, the authorities to be opened to the current user can be displayed in an operable state, and the other authorities can further be displayed in a non-operable state. The operable state may be operable buttons displayed as clickable; the non-operable state may be buttons that cannot be operated, displayed as unclickable. Thus, although the user can see the other authorities, they cannot be operated, which reduces the probability of user misoperation and so increases the safety of work.
In summary, the authority control of the present invention is versatile and flexible, easy to operate and easy to use.
For making those skilled in the art understand the present invention better, with reference to Fig. 6, in a kind of applying examples of the present invention, the flow process of logging in system by user can comprise:
Whether step 603, judges pass through checking, if then execution in step 604, otherwise, return step 602;
User that step 605, foundation preset and the multi-to-multi mapping relations between the role are obtained the pairing a plurality of roles of active user;
The role-security mapping relations that step 606, foundation preset are obtained the corresponding authority of said a plurality of role;
For example; After " king five " pass through authentification of user; Can be according to the corresponding role of table 4 getter: " Facilities Engineer " and " process engineer ", there is the authority conflict in said two roles to the module control, so the selection least privilege offers the active user; Also promptly, the active user can only use the operation of checking that " Facilities Engineer " role carries out the module control.
For authority control method embodiment; Because the multi-to-multi mapping relations between its user and the role and preset the role-security mapping relations; Similar basically with right management method embodiment shown in Figure 2; So that describes is fairly simple, relevant part gets final product referring to the part explanation of right management method embodiment.
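As an added example (not code from the patent), the following Python models steps 603 to 606 together with the conflict rule of the authority opening module: a user's roles are resolved through the many-to-many user-role mapping, their authorities are collected through the role-authority mapping, and where two roles of the same user grant different grades for the same resource either the least or the highest privilege is opened, with every other authority shown as non-operable. The user-role and role-authority tables, the grade numbers and the names "Zhao Liu", "role 1" and "role 2" are constructed assumptions standing in for the page's Table 4, which is not reproduced on the page.

```python
"""RBAC authority opening with least/highest-privilege conflict resolution.

Added example, not the patent's code. The mapping tables are constructed
stand-ins for Table 4 (hypothetical data).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set


@dataclass(frozen=True)
class Permission:
    resource: str   # the target or resource the authority applies to
    action: str     # label of what the holder may do with it
    grade: int      # rank used to decide which conflicting authority is least/highest


class ConflictPolicy(Enum):
    LEAST = "least"       # e.g. equipment control, where misoperation is costly
    HIGHEST = "highest"   # e.g. audit, where the 5000 and 10000 budgets differ little


# Constructed sample data (hypothetical; Table 4 itself is not on the page).
USER_ROLES: Dict[str, Set[str]] = {
    "Wang Wu": {"Facilities Engineer", "Process Engineer"},
    "Zhao Liu": {"role 1", "role 2"},
}
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "Facilities Engineer": {Permission("module control", "view", 1),
                            Permission("maintenance log", "edit", 1)},
    "Process Engineer": {Permission("module control", "operate", 2),
                         Permission("recipe", "edit", 1)},
    "role 1": {Permission("budget approval", "approve up to 5000", 5000)},
    "role 2": {Permission("budget approval", "approve up to 10000", 10000)},
}


def roles_for_user(user: str, user_roles=USER_ROLES) -> Set[str]:
    """Step 605: look up the user's roles in the many-to-many user-role mapping."""
    return set(user_roles.get(user, ()))


def permissions_by_resource(roles: Set[str],
                            role_permissions=ROLE_PERMISSIONS) -> Dict[str, List[Permission]]:
    """Step 606: collect every authority granted by any of the roles, grouped per resource."""
    grouped: Dict[str, List[Permission]] = {}
    for role in sorted(roles):
        for perm in role_permissions.get(role, ()):
            grouped.setdefault(perm.resource, []).append(perm)
    return grouped


def find_conflicts(grouped: Dict[str, List[Permission]]) -> Dict[str, List[Permission]]:
    """A conflict exists when the same user's roles grant different grades for one resource."""
    return {res: perms for res, perms in grouped.items()
            if len({p.grade for p in perms}) > 1}


def open_authorities(user: str, authenticated: bool, policy: ConflictPolicy,
                     user_roles=USER_ROLES,
                     role_permissions=ROLE_PERMISSIONS) -> Dict[str, Permission]:
    """Steps 603 to 606 plus the opening step: returns resource -> the one authority opened."""
    if not authenticated:          # step 603 failed: nothing is opened to the user
        return {}
    grouped = permissions_by_resource(roles_for_user(user, user_roles), role_permissions)
    pick = min if policy is ConflictPolicy.LEAST else max
    # Non-conflicting resources have a single entry, so pick() simply returns it.
    return {res: pick(perms, key=lambda p: p.grade) for res, perms in grouped.items()}


def button_states(opened: Dict[str, Permission],
                  role_permissions=ROLE_PERMISSIONS) -> Dict[Permission, bool]:
    """UI view: every authority in the system is shown, but only opened ones are operable."""
    catalogue = {p for perms in role_permissions.values() for p in perms}
    return {p: opened.get(p.resource) == p
            for p in sorted(catalogue, key=lambda p: (p.resource, p.grade))}
```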
Corresponding to the foregoing authority control method, the present invention also discloses an authority control device which, with reference to Fig. 7, may specifically comprise:
a role acquisition module 701, configured to obtain the plurality of roles corresponding to the current user according to the preset many-to-many mapping relationship between users and roles;
an authority opening module 703, configured to open authorities to the current user according to the authorities corresponding to the plurality of roles.
In a preferred embodiment of the present invention, the authority opening module 703 may specifically be configured, when conflicting authorities exist among the authorities corresponding to the plurality of roles, to select the least privilege or the highest privilege from the conflicting authorities and provide it to the current user, where conflicting authorities means two or more authorities by which different roles of the same user perform the same operation on the same target or resource.
In another preferred embodiment of the present invention, the authority opening module 704 may specifically be configured to display the authorities opened to the current user in an operable state.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for identical or similar parts the embodiments may be referred to one another.
The authority management method and device and the authority control method and device provided by the present invention have been introduced in detail above. Specific examples are used herein to set forth the principle and implementation of the present invention; the explanation of the above embodiments is only intended to help understand the method of the present invention and its core idea. Meanwhile, for one of ordinary skill in the art, changes may be made in both the specific implementation and the scope of application according to the idea of the present invention. In summary, the content of this description should not be construed as limiting the present invention.
Claims (16)
1. An authority management method, characterized in that it comprises:
defining a plurality of roles for a user and generating a many-to-many mapping relationship between users and roles;
defining authorities and generating a role-authority mapping relationship.
2. The method of claim 1, characterized in that it further comprises:
performing user maintenance, wherein said user maintenance comprises creating a new user, deleting a user, editing a user, and modifying the plurality of roles corresponding to a user.
3. The method as claimed in claim 2, characterized in that it further comprises:
updating the many-to-many mapping relationship between users and roles according to said user maintenance.
4. The method as claimed in any one of claims 1 to 3, characterized in that it further comprises:
performing role maintenance and/or authority maintenance, wherein said role maintenance comprises creating a new role, deleting a role, editing a role, and modifying the authorities corresponding to a user, and said authority maintenance comprises creating a new authority, deleting an authority, and editing an authority.
5. The method as claimed in claim 4, characterized in that it further comprises:
updating the many-to-many mapping relationship between users and roles and/or the role-authority mapping relationship according to said role maintenance and/or authority maintenance.
6. An authority control method, characterized in that it comprises:
obtaining the plurality of roles corresponding to the current user according to a preset many-to-many mapping relationship between users and roles;
obtaining the authorities corresponding to said plurality of roles according to a preset role-authority mapping relationship;
opening authorities to said current user according to the authorities corresponding to said plurality of roles.
7. The method as claimed in claim 6, characterized in that the step of opening authorities to said current user according to the authorities corresponding to said plurality of roles comprises:
when conflicting authorities exist among the authorities corresponding to said plurality of roles, selecting the least privilege or the highest privilege from said conflicting authorities and providing it to the current user, wherein said conflicting authorities means two or more authorities by which different roles of the same user perform the same operation on the same target or resource.
8. The method as claimed in claim 6 or 7, characterized in that the step of opening authorities to said current user according to the authorities corresponding to said plurality of roles comprises:
displaying the authorities opened to said current user in an operable state.
9. An authority management device, characterized in that it comprises:
a user-role mapping module, configured to define a plurality of roles for a user and generate a many-to-many mapping relationship between users and roles;
a role-authority mapping module, configured to define authorities and generate a role-authority mapping relationship.
10. The device as claimed in claim 9, characterized in that it further comprises:
a user maintenance module, configured to perform user maintenance, wherein said user maintenance comprises creating a new user, deleting a user, editing a user, and modifying the plurality of roles corresponding to a user.
11. The device as claimed in claim 10, characterized in that it further comprises:
a first update module, configured to update the many-to-many mapping relationship between users and roles according to said user maintenance.
12. The device as claimed in any one of claims 9 to 11, characterized in that it further comprises:
a role-authority maintenance module, configured to perform role maintenance and/or authority maintenance, wherein said role maintenance comprises creating a new role, deleting a role, editing a role, and modifying the authorities corresponding to a user, and said authority maintenance comprises creating a new authority, deleting an authority, and editing an authority.
13. The device as claimed in claim 12, characterized in that it further comprises:
a second update module, configured to update the many-to-many mapping relationship between users and roles and/or the role-authority mapping relationship according to said role maintenance and/or authority maintenance.
14. An authority control device, characterized in that it comprises:
a role acquisition module, configured to obtain the plurality of roles corresponding to the current user according to a preset many-to-many mapping relationship between users and roles;
an authority acquisition module, configured to obtain the authorities corresponding to said plurality of roles according to a preset role-authority mapping relationship; and
an authority opening module, configured to open authorities to said current user according to the authorities corresponding to said plurality of roles.
15. The device as claimed in claim 14, characterized in that said authority opening module is specifically configured, when conflicting authorities exist among the authorities corresponding to said plurality of roles, to select the least privilege or the highest privilege from said conflicting authorities and provide it to the current user, wherein said conflicting authorities means two or more authorities by which different roles of the same user perform the same operation on the same target or resource.
16. The device as claimed in claim 14 or 15, characterized in that said authority opening module is specifically configured to display the authorities opened to said current user in an operable state.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2010105365920A CN102468971A (en) | 2010-11-04 | 2010-11-04 | Authority management method and device, and authority control method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102468971A true CN102468971A (en) | 2012-05-23 |
Family
ID=46072181
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C12 | Rejection of a patent application after its publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20120523 |