CN102487377B - An authentication and authorization management system - Google Patents
Publication number: CN102487377B (application CN201010568342.5A)
Authority: CN (China)
Prior art keywords: management, certification, application, module, rights management
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention relates to an authentication and authorization management system comprising an authentication module, an authorization management module, a delegation management module and an audit module. The authentication module authenticates the identities of users and devices; the authorization management module performs user- and role-based authorization management for users authenticated by the authentication module; the delegation management module delegates specified applications or operations to designated users; and the audit module provides security auditing for applications. The invention provides an application authentication and authorization management platform that meets customer business requirements and centralizes the management of security information in application systems, including user identities, device resources, role permissions, access control and security policies.
Description
Technical field
The invention relates to the field of information security, and in particular to an authentication and authorization management system.
Background technology
With the rapid development of information technology, the information industry has become a pillar of international trade, promoting high technology and pushing global informatization forward. Office automation, networking, digitization and comprehensive information sharing are the trend of informatization, and the importance of information security grows with it.

As application scale increases, so does the difficulty of security management. In a small application system, with few resources and few users, a security policy can be deployed quickly without creating management inconsistencies. In a medium or large application system, however, deploying a security policy rapidly and enforcing it consistently across every component of the system becomes a real problem, and how well that problem is solved directly determines the efficiency and effectiveness of the system's security.

Authentication and access control are core parts of security management. An authentication and authorization management system is therefore needed to manage security centrally.
The content of the invention
To address the defects and shortcomings of the prior art, the invention proposes an authentication and authorization management system that better solves the problem of centralized management in information security.

To this end, the invention proposes an authentication and authorization management system comprising an authentication module, an authorization management module, a delegation management module and an audit module, wherein:
the authentication module authenticates the identities of users and devices;
the authorization management module performs user- and role-based authorization management for users authenticated by the authentication module;
the delegation management module delegates specified applications or operations to designated users by way of delegation;
the audit module provides security auditing for applications.
Preferably, the system further comprises a built-in LDAP service module that updates security management information and security policies in real time and converts them in real time into application security policies that the application can access directly.
Preferably, the system further comprises an application management module for managing certificates, user information, roles, resources and objects.
Preferably, the system further comprises a secure transmission module that transmits information within the system securely.
Preferably, the system supports a "cloud management" mode that establishes distributed authentication and authorization management.
The proposed system provides an application authentication and authorization management platform that meets customer business requirements and centralizes the management of security information in application systems, including user identities, device resources, role permissions, access control and security policies.
Embodiments of the invention are described in further detail below with reference to the accompanying drawings. The above and other objects, features and advantages of the invention will be apparent to those skilled in the art from the detailed description.
Brief description of the drawings
Fig. 1 is a schematic diagram of the proposed authentication and authorization management system;
Fig. 2 shows the "cloud management" structure of the authentication and authorization management system;
Fig. 3 shows the mode in which an application uses local authentication and authorization management.
Embodiment
As shown in Fig. 1, the proposed authentication and authorization management system comprises an authentication module, an authorization management module, a delegation management module and an audit module, wherein:
the authentication module authenticates the identities of users and devices;
the authorization management module performs user- and role-based authorization management for users authenticated by the authentication module;
the delegation management module delegates specified applications or operations to designated users by way of delegation;
the audit module provides security auditing for applications.
The system may further comprise a built-in LDAP service module that updates security management information and security policies in real time and converts them in real time into application security policies that the application can access directly.
The system may further comprise an application management module for managing certificates, user information, roles, resources and objects.
The system may further comprise a secure transmission module that transmits information within the system securely.
The system supports a "cloud management" mode that establishes distributed authentication and authorization management.
The proposed authentication and authorization management system is an integrated application security management platform covering identity management, certificate management, resource management, role management, security labels and security policy management. It has the following functional features:
1. Authorization based on users and roles. The system supports authorization management based on users and roles: a security administrator can assign access rights to resources according to a user's identity or according to a role (business position).
2. Delegation-based administration. Through delegation, the security management details that are closely tied to a specific business application can be handed to a specific, suitably qualified person, and senior managers or bodies express their management intent by creating or cancelling such delegations. The delegation mechanism realises the actual "centralized leadership, multi-level management" way of operating and supports existing business management processes in the most natural manner.
3. Support for the "least privilege" principle. The system's access control mechanism limits each security administrator's administrative rights over security directory information (identities, resources, roles, certificates, security labels, security policies and so on); setting these rights appropriately gives each security administrator a management scope and capability that is sufficient but no larger than needed.
4. Trusted management. The system is built on a trusted directory service platform. It supports certificate-based authentication of security administrators and management devices, so that the identities of administrators and of the security management platform are trustworthy; it supports cryptographically protected transfer and replication of security directory information, so that the contents of the secure directory service are trustworthy; and a trust-transfer mechanism ensures that the operation of the security management platform is trustworthy.
5. Real-time, efficient operation. The system embeds an LDAP service in each application, which reduces the performance overhead of enforcing security mechanisms in the application and improves the timeliness and efficiency of management. Any change to security management information or security policy is propagated in real time to the application's built-in LDAP service, and the directory management tools associated with that built-in LDAP directory convert the information and policy in real time into application security policy that the application can access directly. The built-in LDAP service is completely transparent to the application's own security enforcement mechanism. This transparent approach guarantees the timeliness of security management while avoiding the computation and transport overhead of having applications access a central LDAP service, which improves security performance.
6. High-availability structure. The built-in LDAP service mechanism decouples the entities that enforce application security policy from the security management system: even if the security management system fails and can no longer serve policy modifications and queries, the application can still enforce security control from the locally stored security management information and security policy. In addition, the system can provide high availability of security management through mechanisms such as dual-node hot standby.
The main advantages of the system are: first, it is built on standardized technology and is therefore easy to customize for a user's actual system; second, it fully reflects real organizational management patterns, so management processes better match user requirements; and third, the applicant's "farsighted peace" authentication and authorization management system (the product name as rendered in the translated source) is simple to use and easy to maintain and optimize.
Solution example:
The railway is a system of "centralized leadership, three-level management": under network-wide unified dispatch and unified command, the Ministry of Railways, each railway bureau and each station or section have their own independent administrative authority. Authentication and authorization management for railway information systems therefore has the following complex characteristics:
1. Centralized and unified management. To ensure the safe operation of systems within each level's area of responsibility, every management body or department must be able to manage the security operating policies of the businesses and systems under its jurisdiction in a unified way and dispatch them uniformly, ensuring coordinated and consistent management and thereby the safety of railway transport production;
2. Multi-level management. While obeying the unified command of higher levels, units at each level must be able to formulate, within their own management scope and administrative authority, local security policies related to their own business, so as to adapt efficiently and effectively to their actual business needs.
The design and construction goal of the railway application authentication and authorization management system is to meet the security management requirements of railway application systems and implement specialized application security management, following the national multi-level information security protection scheme and related standards.
To meet these requirements, a user can adopt the authentication and authorization management system of the invention as a centralized application security management platform; it supports centralized management of the security-related personnel, resources, roles, certificates, security labels and security policies of railway applications.
Management databases at each level can define their sharing mode and sharing scope according to the nature of their purpose. For example, when each railway bureau manages its own personnel identities, the related personnel information can be imported from the higher-level database.
Railway application authentication and authorization management is network-wide, and some management databases are global, such as the digital certificate repository. In the railway system, personnel identities, devices and other managed objects are uniquely identified by digital certificates. All digital certificates (staff certificates, device certificates and so on) are issued by the unified certificate authority (CA) designated by the Ministry of Railways; other departments and applications are users of this certificate system, so the certificate repository is a global management database of the railway system. The certificate repository is maintained and managed only at Ministry level, and all railway bureaus, stations and sections, and applications at every level can only access it through publication of its contents.
Railway application systems have the following characteristics: 1) they are large in scale and cover a wide area, and the wide-area network bandwidth between the Ministry, the railway bureaus and the stations and sections is typically only 4 Mbps or 2 Mbps; 2) the business demands high real-time performance and continuity. The performance and availability of the application authentication and authorization management system are therefore critical.
The performance of an LDAP-based application authentication and authorization management system is constrained by the following factors:
1. the performance of the authentication and authorization management server;
2. network bandwidth;
3. the server-side performance bottleneck created by large numbers of concurrent accesses.
To overcome these performance problems fundamentally, the system can also support a "cloud management" mode. In this mode the application authentication and authorization management system is distributed: according to business need, the authentication and authorization information an application requires is replicated to the application's local system, and the application need not care where that information physically resides.
The benefit of the "cloud management" mode is that centralized access to authentication and authorization information is distributed to the application's own locality, which fundamentally removes the service performance bottleneck caused by large-scale concurrent access and reduces the demands on authentication and authorization server performance and on network bandwidth.
As shown in Fig. 2 and Fig. 3, the "cloud management" structure of railway application authentication and authorization consists of application authentication and authorization management backbone nodes at each level together with application-local LDAP services. The backbone nodes and the application-local LDAP services cooperate to replicate the authentication and authorization information relevant to an application and transform it into a local policy database, which provides security management services to the application or operating system. This process is completely transparent to the operating system and the application.
The "cloud management" mode avoids heavy network access by application systems at every level to the railway application authentication and authorization management system, so that the security management performance of the system no longer depends on network bandwidth or on the performance of the management server, and the authentication and authorization server no longer becomes a security bottleneck.
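The replication described in features 5 and 6 above and in the "cloud management" mode, as an added example that is not the patent's own code: a central directory is simulated in memory, an application-local policy store pulls only the role entries that name its application, converts them into a decision table of that application's operations, and keeps serving decisions from that table when the central server is unreachable. The directory layout (o=railway, ou=roles, the attribute names application, permission and member), the application App2, the users and all operation names are assumptions constructed for the demonstration.

```python
# Added example (not from the patent): an application-local policy store that
# replicates only the authorization entries its application needs from a central
# directory, converts them into a local decision table, and keeps enforcing from
# that table when the central server is unreachable. The directory layout and the
# sample entries below are assumptions constructed for the demonstration; the
# central server is simulated in memory.
from typing import Dict, List, Set

Entry = Dict[str, List[str]]          # attribute -> values


class CentralDirectory:
    """Stand-in for the central authentication/authorization server (an LDAP directory)."""

    def __init__(self, entries: Dict[str, Entry]) -> None:
        self.entries = entries          # dn -> entry
        self.available = True           # set to False to simulate an outage

    def search(self, base: str, attr: str, value: str) -> Dict[str, Entry]:
        """Subtree search under `base` for entries whose `attr` contains `value`."""
        if not self.available:
            raise ConnectionError("central authorization server unreachable")
        return {dn: e for dn, e in self.entries.items()
                if dn.endswith("," + base) and value in e.get(attr, [])}


class LocalPolicyStore:
    """Application-local replica: only the entries for `app`, kept as a decision table."""

    def __init__(self, app: str, central: CentralDirectory) -> None:
        self.app = app
        self.central = central
        self.policy: Dict[str, Set[str]] = {}   # user dn -> operations allowed on `app`
        self.replicated: Set[str] = set()       # role dns actually copied locally
        self.synced = False

    def sync(self) -> bool:
        """Pull the role entries that apply to this application; keep the old policy on failure."""
        try:
            roles = self.central.search("ou=roles,o=railway", "application", self.app)
        except ConnectionError:
            return False                        # loose coupling: last good policy stays in force
        prefix = self.app + ":"
        policy: Dict[str, Set[str]] = {}
        for attrs in roles.values():
            # transform directory entries into a table of this application's operations only
            ops = {p[len(prefix):] for p in attrs.get("permission", []) if p.startswith(prefix)}
            for member in attrs.get("member", []):
                policy.setdefault(member, set()).update(ops)
        self.policy, self.replicated, self.synced = policy, set(roles), True
        return True

    def authorize(self, user_dn: str, op: str) -> bool:
        """Access decision served from local data; never contacts the central server."""
        return op in self.policy.get(user_dn, set())


# Constructed sample directory content (assumption, not data from the patent).
SAMPLE_ENTRIES: Dict[str, Entry] = {
    "cn=R1,ou=roles,o=railway": {"application": ["App1"],
                                 "permission": ["App1:view_schedule", "App1:edit_schedule"],
                                 "member": ["uid=A,ou=users,o=railway"]},
    "cn=R2,ou=roles,o=railway": {"application": ["App2"],
                                 "permission": ["App2:read_ticket"],
                                 "member": ["uid=B,ou=users,o=railway"]},
    "cn=R3,ou=roles,o=railway": {"application": ["App1", "App2"],
                                 "permission": ["App1:view_schedule", "App2:read_ticket"],
                                 "member": ["uid=C,ou=users,o=railway"]},
}


def run_demo() -> dict:
    central = CentralDirectory({dn: {k: list(v) for k, v in e.items()}
                                for dn, e in SAMPLE_ENTRIES.items()})
    app1 = LocalPolicyStore("App1", central)
    first_sync = app1.sync()
    # a policy change made at the centre reaches the application on its next sync
    central.entries["cn=R1,ou=roles,o=railway"]["permission"].append("App1:approve_schedule")
    before_change = app1.authorize("uid=A,ou=users,o=railway", "approve_schedule")
    second_sync = app1.sync()
    after_change = app1.authorize("uid=A,ou=users,o=railway", "approve_schedule")
    # central outage: sync fails, but local decisions continue from the last good policy
    central.available = False
    outage_sync = app1.sync()
    return {
        "first_sync": first_sync,
        "replicated_roles": sorted(app1.replicated),          # R2 is never copied to App1
        "a_can_edit": app1.authorize("uid=A,ou=users,o=railway", "edit_schedule"),
        "c_sees_only_app1_ops": app1.policy["uid=C,ou=users,o=railway"],
        "b_unknown_to_app1": app1.authorize("uid=B,ou=users,o=railway", "read_ticket"),
        "before_change": before_change,
        "second_sync": second_sync,
        "after_change": after_change,
        "outage_sync": outage_sync,
        "during_outage": app1.authorize("uid=A,ou=users,o=railway", "edit_schedule"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the module prints the decision results; the point to notice is that App1 never receives role R2 or the App2 operations carried by R3, and that the outage at the end turns `sync()` into a no-op rather than into a denial of service for the application.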
In addition, the authentication and authorization management system supports the "centralized leadership, three-level management" requirement of the railway system well. Through its delegation mechanism, a railway application system can redistribute security authorization capability and then divide management work among multiple administrator roles, matching the existing multi-level management structure and ultimately achieving the security management goal of "centralized leadership, three-level management". For example, suppose the Ministry of Railways, according to business need, creates a new post whose responsibility is the security management of application App1 belonging to the Ministry. The workflow of the root security administrator is: 1) create a role R1 and delegate the security management of App1 to R1; 2) create or identify a user A and assign A to role R1. Once this is done, user A can manage application App1; if A is transferred out of the post, the root security administrator only needs to remove A from role R1. In this example A is a specialized application security administrator, and the root security administrator manages App1 indirectly by controlling and managing the role. This management model reflects exactly the management situation and objective requirements of the railway system's "centralized leadership, three-level management".
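The App1 / role R1 / user A workflow above, together with the user-and-role authorization, delegation, least-privilege and audit features listed earlier, as an added example that is not the patent's own code: every management operation is checked against the acting administrator's scope and recorded in an audit trail whether it succeeds or not. The root administrator name "root", the application App2, the user B and the operation name view_schedule are assumptions made for the demonstration, as is the rule that only root creates roles.

```python
# Added example (not from the patent): user/role authorization with delegation,
# per-administrator scope (least privilege) and an audit trail, run through the
# App1 / role R1 / user A workflow. "root", App2, user B, view_schedule and the
# root-only role creation rule are assumptions made for this demonstration.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Perm = Tuple[str, str]   # (application, operation); operation "manage" = right to administer the app


@dataclass
class AuditEvent:
    actor: str
    action: str
    target: str
    allowed: bool


class AuthzManager:
    """Authorization management with delegation and a scope check on every admin action."""

    def __init__(self, root: str = "root") -> None:
        self.root = root
        self.role_perms: Dict[str, Set[Perm]] = {}
        self.user_roles: Dict[str, Set[str]] = {}
        self.user_perms: Dict[str, Set[Perm]] = {}
        self.audit: List[AuditEvent] = []

    def effective_perms(self, user: str) -> Set[Perm]:
        perms = set(self.user_perms.get(user, set()))
        for role in self.user_roles.get(user, set()):
            perms |= self.role_perms.get(role, set())
        return perms

    def check(self, user: str, app: str, op: str) -> bool:
        """Access-control decision for a business operation."""
        return (app, op) in self.effective_perms(user)

    def can_manage(self, admin: str, app: str) -> bool:
        """Least privilege: root administers everything, others only apps delegated to them."""
        return admin == self.root or (app, "manage") in self.effective_perms(admin)

    def _record(self, actor: str, action: str, target: str, allowed: bool) -> bool:
        self.audit.append(AuditEvent(actor, action, target, allowed))  # refusals are logged too
        return allowed

    def create_role(self, admin: str, role: str) -> bool:
        allowed = admin == self.root
        if allowed:
            self.role_perms.setdefault(role, set())
        return self._record(admin, "create_role", role, allowed)

    def delegate(self, admin: str, app: str, role: str) -> bool:
        """Delegate security management of `app` to `role`; admin must manage `app` itself."""
        allowed = role in self.role_perms and self.can_manage(admin, app)
        if allowed:
            self.role_perms[role].add((app, "manage"))
        return self._record(admin, "delegate", f"{app}->{role}", allowed)

    def _controls_role(self, admin: str, role: str) -> bool:
        perms = self.role_perms.get(role)
        if perms is None:
            return False
        return admin == self.root or (bool(perms) and all(self.can_manage(admin, a) for a, _ in perms))

    def assign_role(self, admin: str, user: str, role: str) -> bool:
        allowed = self._controls_role(admin, role)
        if allowed:
            self.user_roles.setdefault(user, set()).add(role)
        return self._record(admin, "assign_role", f"{user}->{role}", allowed)

    def remove_role(self, admin: str, user: str, role: str) -> bool:
        allowed = self._controls_role(admin, role)
        if allowed:
            self.user_roles.get(user, set()).discard(role)
        return self._record(admin, "remove_role", f"{user}->{role}", allowed)

    def grant(self, admin: str, user: str, app: str, op: str) -> bool:
        """Direct user grant, permitted only inside the administrator's delegated scope."""
        allowed = self.can_manage(admin, app)
        if allowed:
            self.user_perms.setdefault(user, set()).add((app, op))
        return self._record(admin, "grant", f"{user}:{app}/{op}", allowed)


def railway_example() -> dict:
    m = AuthzManager()
    m.create_role("root", "R1")                 # 1) create role R1 ...
    m.delegate("root", "App1", "R1")            #    ... and delegate App1 management to it
    m.assign_role("root", "A", "R1")            # 2) put user A into R1
    a_manages_app1 = m.can_manage("A", "App1")
    a_grant_app1 = m.grant("A", "B", "App1", "view_schedule")   # inside A's scope
    a_grant_app2 = m.grant("A", "B", "App2", "view_schedule")   # outside it: refused, audited
    b_view_app1 = m.check("B", "App1", "view_schedule")
    m.remove_role("root", "A", "R1")            # A transferred: root only removes A from R1
    a_after_transfer = m.can_manage("A", "App1")
    denied = [(e.actor, e.action, e.target) for e in m.audit if not e.allowed]
    return {"a_manages_app1": a_manages_app1, "a_grant_app1": a_grant_app1,
            "a_grant_app2": a_grant_app2, "b_view_app1": b_view_app1,
            "a_after_transfer": a_after_transfer, "denied": denied}
```

Calling `railway_example()` returns the decisions; note that removing A from R1 withdraws A's management right immediately but leaves B's earlier grant in place, which is the behaviour an auditor should expect and the audit trail makes visible.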
Although the invention has been clearly described through the above embodiments and drawings, those skilled in the art may make various changes and modifications to it without departing from its spirit and essence, and such changes and modifications fall within the scope of the claims of the invention.
Claims (3)
1. An authentication and authorization management system, characterized in that it comprises an authentication module, an authorization management module, a delegation management module and an audit module, wherein:
the authentication module authenticates the identities of users and devices;
the authorization management module performs user- and role-based authorization management for users authenticated by the authentication module;
the delegation management module delegates specified applications or operations to designated users or roles by way of delegation;
the audit module provides security auditing for applications;
the system further comprises a built-in LDAP service module that updates security management information and security policies in real time and converts them in real time into application security policies that the application can access directly;
the system supports a "cloud management" mode that establishes distributed authentication and authorization management, implemented by a cloud management structure consisting of application authentication and authorization management backbone nodes at each level together with application-local LDAP service modules, in which the backbone nodes and the application-local LDAP service modules cooperate, according to business need, to replicate the authentication and authorization information required by the local application from the authentication and authorization management server and transform it into a local policy database that provides security management services to the application or operating system, the application's built-in LDAP service being completely transparent to the application's own security enforcement mechanism.
2. The authentication and authorization management system according to claim 1, characterized in that it further comprises an application management module for managing certificates, user information, roles, resources and objects.
3. The authentication and authorization management system according to claim 1, characterized in that it further comprises a secure transmission module that transmits information within the system securely.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010568342.5A CN102487377B (en) | 2010-12-01 | 2010-12-01 | A kind of certification and Rights Management System |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102487377A CN102487377A (en) | 2012-06-06 |
CN102487377B true CN102487377B (en) | 2017-12-19 |
Family
ID=46152831
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201010568342.5A Active CN102487377B (en) | 2010-12-01 | 2010-12-01 | A kind of certification and Rights Management System |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102487377B (en) |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103745282A (en) * | 2012-10-17 | 2014-04-23 | 镇江雅迅软件有限责任公司 | Authority management method based on post abstraction |
CN103106357B (en) * | 2012-11-12 | 2015-09-30 | 成都锦瑞投资有限公司 | Based on property system of real name authentication and authorization system and the method for CFCA Valuation Standard |
TWI515601B (en) * | 2012-11-21 | 2016-01-01 | 蘋果公司 | Electronic device, method for establishing and enforcing a security policy associated with anaccess control element, and secure element |
CN103117999A (en) * | 2012-11-29 | 2013-05-22 | 无锡华御信息技术有限公司 | Safe computer system and method based on cloud framework |
CN103905402B (en) * | 2012-12-27 | 2018-04-10 | 北京中船信息科技有限公司 | A kind of secret and safe management method based on safety label |
CN103281313B (en) * | 2013-05-14 | 2016-03-02 | 成都交大光芒科技股份有限公司 | Based on distributed right management method in track traffic synthetic monitoring system |
CN105357197A (en) * | 2015-11-03 | 2016-02-24 | 浪潮集团有限公司 | Identity authentication and authority management system and method for cloud computing platform |
CN108243166A (en) * | 2016-12-27 | 2018-07-03 | 航天信息股份有限公司 | A kind of identity identifying method and system based on USBKey |
TWI696968B (en) * | 2018-03-30 | 2020-06-21 | 彰化商業銀行股份有限公司 | Transaction authorization setting system |
CN111145377A (en) * | 2019-12-31 | 2020-05-12 | 河南思维信息技术有限公司 | Intelligent and integrated attendance and attendance management method and system |
CN111107105B (en) * | 2019-12-31 | 2022-05-27 | 厦门熵基科技有限公司 | Identity authentication system and identity authentication method thereof |
CN111241519B (en) * | 2020-01-19 | 2022-07-26 | 北京工业大学 | Certificate-based access control system and method |
CN111680278A (en) * | 2020-05-20 | 2020-09-18 | 青岛黄海学院 | Computer information security management system |
CN113742664B (en) * | 2020-05-29 | 2024-03-29 | 钉钉控股(开曼)有限公司 | Monitoring and auditing method, equipment and system |
CN114157457A (en) * | 2021-11-17 | 2022-03-08 | 南方电网数字电网研究院有限公司 | Authority application and monitoring method for network data information security |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1483270A (en) * | 1999-06-10 | 2004-03-17 | | Strategy based network architecture |
CN1758650A (en) * | 2005-10-27 | 2006-04-12 | 上海交通大学 | Dependence management system structure based on confidence reckon |
CN101047552A (en) * | 2006-04-28 | 2007-10-03 | 华为技术有限公司 | Distribution service management method, system and distribution authorization capacibility discrimination and authorization method, system |
CN101441734A (en) * | 2007-11-19 | 2009-05-27 | 上海久隆电力科技有限公司 | Unite identification authentication system |
CN101512962A (en) * | 2006-09-08 | 2009-08-19 | 微软公司 | Controlling the delegation of rights |
2010-12-01: application CN201010568342.5A filed in CN; granted as CN102487377B, status Active.
Also Published As
Publication number | Publication date |
---|---|
CN102487377A (en) | 2012-06-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102487377B (en) | A kind of certification and Rights Management System | |
CN102025710B (en) | Multi-application smart card and the many AMSs of smart card and method | |
CN102088351B (en) | Authorization management system and implementation method thereof | |
AU2012252388B2 (en) | Method for handling privacy data | |
CN100502307C (en) | Integrated user safety management method and device | |
CN108234456A (en) | A kind of energy internet trusted service management system and method based on block chain | |
CN103842984B (en) | Parameter based key derivation | |
CN110349026A (en) | Decentralized Autonomous energy internet power exchange and energy system based on block chain | |
CN101478398B (en) | Authorization management system oriented to resource management and establishing method | |
CN102916954A (en) | Attribute-based encryption cloud computing safety access control method | |
CN107066867A (en) | A kind of big data cluster resource allocation methods and device | |
CN106302334A (en) | Access role acquisition methods, Apparatus and system | |
CN106295377A (en) | A kind of medical treatment endowment data secure exchange agent apparatus and construction method thereof | |
CN202004786U (en) | Authentication and authority management server | |
CN205721983U (en) | A kind of smart city general character service platform | |
CN105610780A (en) | Interoperation platform among clouds used for education mechanism and method thereof | |
CN110189440A (en) | A kind of smart lock monitoring equipment and its method based on block chain | |
Liping et al. | Research on trust model of PKI | |
CN103856340A (en) | China People's Bank information network access system based on second-generation ID cards and China People's Bank information network accessing method | |
CN1738241A (en) | Identity attestation safety control method based on remote distributed assembly | |
CN107733881A (en) | Digital authenticating system based on data exchange | |
CN114285867B (en) | Air-railway combined transport data sharing system based on alliance chain and attribute encryption | |
Yan et al. | Distributed authentication scheme for industry internet platform application based on consortium blockchain | |
CN201557132U (en) | Cross-domain management device based on PKI/PMI technology | |
CN105897796A (en) | Information sharing and service platform |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right | | Effective date of registration: 2017-10-09. Address after: 100044 Beijing, Haidian District, Road No. 22, Hing Building 8. Applicant after: Sinorail Information Computer Engineering Co., Ltd. Address before: 100044 Beijing, Haidian District, Road No. 22, Hing Building 8. Applicants before: Sinorail Information Computer Engineering Co., Ltd.; Sinorail Hongyuan (Beijing) Information Software Development Company Limited |
GR01 | Patent grant | |