CN103078859B - Operation system right management method, equipment and system

Publication number: CN103078859B
Application number: CN201210594494.1A
Authority: CN (China)
Other versions: CN103078859A (en)
Other languages: Chinese (zh)
Legal status: Active
Inventors: 邵浙海, 傅晶, 张锐斌, 高芳, 韩玉双, 包红霞
Current assignee: POTEVIO NEW ENERGY CO Ltd
Original assignee: POTEVIO NEW ENERGY CO Ltd
Prior art keywords: user, metadata, data resource, access, mapping relations
Classification: Storage Device Security
Abstract

Embodiments provide an operation system right management method, equipment and system. The method comprises: receiving a login request sent by a user terminal, the login request including the identification information of the user; obtaining, according to the identification information of the user, the first metadata that the user may access; querying, according to the first metadata, the prestored mapping relations between action types and metadata and between data resources and metadata, to obtain the first access authority information of the user; receiving an access request sent by the user terminal, the access request including the metadata and the action type code of the data resource to be visited; and judging, according to the first access authority information and the access request, whether the user's access to the data resource to be visited is legal. By establishing the above mapping relations in advance, the invention realizes fine-grained, scalable control of the access rights to operation system data resources and improves the ability to manage rights in the operation system.

Description

Operation system right management method, equipment and system
Technical field
The present invention relates to data processing technology, and in particular to an operation system right management method, equipment and system.
Background technology
At present, the permissions of an operation system are mostly managed with the role-based access control (Role-based Access Control, RBAC) model. The RBAC model links permissions to roles: a corresponding role is created for each work position in the operation system, the corresponding permissions are assigned to each role, and users acting as different roles then access the operation system with different permissions.
The existing RBAC model can achieve coarse-grained management of operation system permissions, but its management granularity cannot meet the demand for fine-grained, scalable rights management of operation system data resources. How to further refine the granularity of rights management over the data resources of an operation system, so as to improve the ability to manage rights in the operation system, has become a problem to be solved.
Summary of the invention
The invention provides an operation system right management method, equipment and system, in order to refine the granularity of rights management over the data resources of an operation system and improve the ability to manage rights in the operation system.
To achieve these goals, the invention provides an operation system right management method, comprising:
receiving a login request sent by a user terminal requesting to log in to the operation system, the login request including the identification information of the user corresponding to the user terminal;
obtaining, according to the identification information of the user, the first metadata that the user may access;
querying, according to the first metadata, the prestored mapping relations between action types and metadata and the mapping relations between data resources and metadata, to obtain the first access authority information of the user for the first data resource corresponding to the first metadata;
receiving an access request sent by the user terminal, the access request including the metadata and the action type code of the data resource to be visited, the action type code identifying the action type to be carried out on the data resource to be visited;
judging, according to the first access authority information and the access request, whether the access of the user to the data resource to be visited is legal.
To achieve these goals, the invention provides a server, comprising:
a receiving module, for receiving a login request sent by a user terminal requesting to log in to the operation system, the login request including the identification information of the user corresponding to the user terminal, and for receiving an access request sent by the user terminal, the access request including the metadata and the action type code of the data resource to be visited, the action type code identifying the action type to be carried out on the data resource to be visited;
a first acquisition module, for obtaining, according to the identification information of the user, the first metadata that the user may access, and for querying, according to the first metadata, the prestored mapping relations between action types and metadata and the mapping relations between data resources and metadata, to obtain the first access authority information of the user for the first data resource corresponding to the first metadata;
a first judgement module, for judging, according to the first access authority information and the access request, whether the access of the user to the data resource to be visited is legal.
To achieve these goals, the invention provides an operation system rights management system, comprising:
the above server and at least one user terminal.
In the operation system right management method, equipment and system provided by the invention, a login request sent by a user terminal is received, the login request including the identification information of the user; the first metadata that the user may access is obtained according to that identification information; the prestored mapping relations between action types and metadata and between data resources and metadata are queried according to the first metadata, to obtain the first access authority information of the user for the first data resource corresponding to the first metadata; an access request sent by the user terminal is received, the access request including the metadata and the action type code of the data resource to be visited, the action type code identifying the action type to be carried out on that data resource; and whether the user's access to the data resource to be visited is legal is judged according to the first access authority information and the access request. By obtaining the metadata of the data resources and establishing in advance the mapping relations between data resources and metadata and between action types and metadata, the invention can realize fine-grained, scalable control of access rights to data resources through those mapping relations, and improves the ability to manage rights in the operation system.
Description of the drawings
Fig. 1 is an operation system rights management system based on the RBAC model;
Fig. 2 is a common privilege designation model based on a differentiated control mechanism;
Fig. 3 is a schematic diagram of an operation system right management method provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of a server architecture provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an operation system rights management system provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 shows an operation system rights management system based on the RBAC model. As shown in Fig. 1, the data resources, action types and user information of the operation system are all stored in a database. The data resources of the operation system are mainly business objects of various kinds, for example sales orders and payment bills in a marketing system, and data resources have a tree structure: in a vehicle distribution network, for example, a vehicle sales order contains the sales orders of each component module of the vehicle, and a component module sales order can in turn contain the sales orders of the parts under that module. Action types represent the operations that may be performed on data resources, for example add, delete, modify, view and query. Further, mapping relations between data resources and action types are established; these are the permissions of the operation system, and they are stored in the database of the operation system. A permission of the operation system represents an access operation that may be performed on a data resource. The RBAC-based rights management system sets up roles for the operation system according to its rules and organizational structure, and stores the role information in the database. A role represents a position or division of labour in the operation system, that is, a kind of qualification, right and responsibility; in a marketing system, for example, sales manager is a role. After the roles have been set up, the RBAC-based rights management system establishes mapping relations between roles and permissions and between users and roles, and stores these mapping relations in the database. A permission is a function that a role may perform, and a role is a set of permissions. When a user wants to access a data resource of the operation system, the user sends an access request to the operation system through a user terminal, requesting an operation on the data resource, and the rights management system judges the access rights of the user according to the above mapping relations, deciding whether the access request is legal. For a detailed introduction to RBAC-based operation system rights management systems see the related prior art; it is not repeated here.
Fig. 2 shows a common privilege designation model based on a differentiated control mechanism. As shown in Fig. 2, this model further extends the RBAC-based operation system rights management system of Fig. 1 by adding control over the data permissions of the operation system. First, data types and data objects are set for the data resources of the operation system, and the data objects and data types are stored in the database. A data type expresses an object type in the operation system that needs to be controlled, for example department, warehouse, employee, customer and supplier. A data object represents a concrete business object, an instance of a data type, such as Beijing sales department, Shanghai sales department, Zhang San and Li Si. Further, mapping relations between data resources and data types are established, for example between sales order and department or between sales order and customer, and mapping relations between data objects and roles are established, for example between sales manager and Zhang San, or between sales manager and Shanghai sales department. Through the mapping relations between data resources and data types this model obtains the control points of the data resources, and through the mapping relations between data objects and roles it manages the data permissions of the data resources. For a detailed introduction to this model see the related prior art; it is not repeated here. However, the management granularity of the existing operation system rights management systems described above cannot meet the demand for rights management of the operation system. In order to further refine the granularity of rights management in the operation system and improve the ability to manage its rights, the following technical solution is proposed.
Fig. 3 is a schematic diagram of an operation system right management method provided by an embodiment of the present invention. As shown in Fig. 3, the method comprises the following steps:
301. Receive a login request sent by a user terminal requesting to log in to the operation system, the login request including the identification information of the user corresponding to the user terminal.
In this embodiment, the method may be executed by a server. Before step 301, the server first obtains the metadata of the operation system from the database shown in Fig. 2. Metadata is data about data: it can indicate information such as the names, constraints, identifiers, attributes, field types, field lengths and descriptions of the data tables and fields in a data resource, and can also give a basic description of non-relational data resources. Metadata may be stored in the database or data file path that it defines, and in practice the metadata and the related resource access configuration information are usually encrypted to strengthen security. For details of metadata see the related prior art; it is not repeated here. After obtaining the metadata of the operation system, the server establishes the mapping relations between action types and metadata and between data resources and metadata, and stores them in the database. Further, it establishes the mapping relations between user identification information and roles and between roles and metadata, and stores these in the database as well.
When a user wants to access a data resource in the operation system, the user first logs in to the operation system through the user terminal. Specifically, the user sends a login request through the user terminal to the server where the operation system resides; the login request asks to log in to the operation system and carries the identification information of the user, which may be, for example, the registration information supplied when the user registered with the operation system, or the authorization information of the user.
302. Obtain, according to the identification information of the user, the first metadata that the user may access.
After receiving the login request, the server obtains the identification information of the user and verifies the legitimacy of the user's identity by comparing the prestored identity information of the user with the identification information in the login request. If the prestored identity information is consistent with the identification information in the login request, the identity of the user is legal and the user is allowed to log in to the operation system. The prestored identity information of the user may be the registration information or the authorization information of the user. By verifying the legitimacy of the user's identity, this embodiment can prevent intrusion into the operation system by illegal users and improves the security of the operation system.
After verifying that the identity of the user is legal, the server queries the prestored mapping relations between user identification information and roles according to the identification information of the user, and determines the role of the user. It then queries the prestored mapping relations between roles and metadata according to the role of the user, and obtains the first metadata that the user may access.
303. Query, according to the first metadata, the prestored mapping relations between action types and metadata and between data resources and metadata, to obtain the first access authority information of the user for the first data resource corresponding to the first metadata.
After obtaining the first metadata, the server queries the prestored mapping relations between action types and metadata according to the first metadata, obtaining the access operations that may be performed on the first metadata, and queries the prestored mapping relations between data resources and metadata, obtaining the first data resource corresponding to the first metadata; this first data resource is the data resource that the user may access. From the results of these two queries the server obtains the first access authority information of the user for the first data resource. In particular, the first access authority information may be stored in the form of a list.
304. Receive an access request sent by the user terminal, the access request including the metadata and the action type code of the data resource to be visited, the action type code identifying the action type to be carried out on the data resource to be visited.
When accessing the operation system, the user sends an access request to the server through the user terminal. The access request carries the metadata and the action type code of the data resource the user wishes to visit, the action type code identifying the action type to be carried out on that data resource.
305. Judge, according to the first access authority information and the access request, whether the access of the user to the data resource to be visited is legal.
After receiving the access request, the server looks up the first access authority information of the user according to the metadata and the action type code of the data resource to be visited carried in the access request. If the metadata of the data resource to be visited belongs to the first metadata contained in the first access authority information, and the action type identified by the action type code belongs to the action types contained in the first access authority information, the server judges that the access request sent by the user is legal, which means that the user may perform the corresponding operation on the data resource to be visited.
In the operation system right management method provided by this embodiment, a login request sent by a user terminal is received, the login request including the identification information of the user; the first metadata that the user may access is obtained according to that identification information; the prestored mapping relations between action types and metadata and between data resources and metadata are queried according to the first metadata, to obtain the first access authority information of the user for the first data resource corresponding to the first metadata; an access request sent by the user terminal is received, the access request including the metadata and the action type code of the data resource to be visited, the action type code identifying the action type to be carried out on that data resource; and whether the user's access to the data resource to be visited is legal is judged according to the first access authority information and the access request. By obtaining the metadata of the data resources and establishing in advance the mapping relations between data resources and metadata and between action types and metadata, this embodiment can realize fine-grained, scalable control of access rights to the data resources of the operation system through those mapping relations, further refines the granularity at which the permissions of users in the operation system are managed, and improves the ability to manage rights in the operation system.
Further, in an operation system some specific users under the same role may have permission to access a particular data resource. In order not to change the permissions of all users under the role, mapping relations between the identification information of the user and metadata may be preset and stored in the database, the metadata in these mapping relations being the metadata corresponding to the particular data resource. These mapping relations identify that, besides the permissions of the role the user belongs to, the user also has certain specific permissions. For example, other users under the same role may have no access rights to a certain business field in a certain business table within a specific time span, while this user needs, for work reasons, to be given access to that field in that table within that time span. A mapping relation between the user identification information and the metadata corresponding to that time span can then be set.
After judging, according to the first access authority information, that the access request initiated by the user is illegal, the server queries the prestored mapping relations between user identification information and metadata according to the identification information of the user. If the identification information of the user belongs to the user identification information contained in these mapping relations, the server obtains the second metadata that the user may access. The server then queries the prestored mapping relations between action types and metadata and between data resources and metadata according to the second metadata, and from the query results obtains the second access authority information of the user for the second data resource corresponding to the second metadata. The server judges, according to the second access authority information and the access request, whether the user's access to the data resource to be visited is legal. Specifically, it looks up the second access authority information of the user according to the metadata and the action type code carried in the access request; if the metadata of the data resource to be visited belongs to the second metadata contained in the second access authority information, and the action type identified by the action type code belongs to the action types contained in the second access authority information, the server judges that the access request is legal and the user may perform the corresponding operation on the data resource to be visited. If the identification information of the user does not belong to the user identification information contained in the mapping relations between user identification information and metadata, the server judges that the access request sent by the user is illegal. Optionally, the server may return to the user information indicating that the user does not have these access rights.
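The two-stage decision of steps 301 to 305 together with the per-user exception just described, as an added worked example over in-memory mapping tables (this is illustrative code, not the patent's implementation). All table contents, user names, resource and metadata names and the single-letter action type codes are constructed sample data, and the action type check is applied per metadata item.

```python
"""Two-stage permission check over prestored mapping relations.
Added example, not the patent's code; every table entry is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Constructed action type codes for the operations the text lists.
ACTION_TYPES = {"C": "add", "D": "delete", "U": "modify", "R": "view", "Q": "query"}

# Identity information recorded when users registered (constructed).
REGISTERED_USERS: Set[str] = {"zhangsan", "lisi"}

# Prestored mapping relations (constructed sample data).
USER_ROLE: Dict[str, str] = {"zhangsan": "sales_manager", "lisi": "sales_clerk"}
ROLE_METADATA: Dict[str, Set[str]] = {
    "sales_manager": {"sales_order.amount", "sales_order.customer", "payment.total"},
    "sales_clerk": {"sales_order.customer"},
}
# action type <-> metadata: operations permitted on each metadata item
ACTION_METADATA: Dict[str, Set[str]] = {
    "sales_order.amount": {"R", "Q", "U"},
    "sales_order.customer": {"R", "Q"},
    "payment.total": {"R"},
    "payment.account": {"R", "U"},
}
# data resource <-> metadata
RESOURCE_METADATA: Dict[str, Set[str]] = {
    "sales_order": {"sales_order.amount", "sales_order.customer"},
    "payment": {"payment.total", "payment.account"},
}
# user identification <-> metadata: the per-user exception ("second metadata")
USER_METADATA: Dict[str, Set[str]] = {"lisi": {"payment.account"}}


@dataclass(frozen=True)
class AccessAuthority:
    """Access authority information: metadata -> permitted action codes,
    plus the data resources those metadata items belong to."""
    entries: Dict[str, FrozenSet[str]]
    resources: FrozenSet[str]


@dataclass(frozen=True)
class AccessRequest:
    resource: str      # data resource to be visited
    metadata: str      # metadata item of that resource
    action_code: str   # action type code


def build_authority(metadata: Set[str]) -> AccessAuthority:
    """Step 303: join the action-type<->metadata and resource<->metadata
    mappings for one metadata set into a single authority list."""
    entries = {m: frozenset(ACTION_METADATA.get(m, set())) for m in metadata}
    resources = frozenset(r for r, ms in RESOURCE_METADATA.items() if ms & metadata)
    return AccessAuthority(entries, resources)


def login(user_id: str) -> Optional[AccessAuthority]:
    """Steps 301-302: verify identity, resolve the role, collect the first
    metadata and return the first access authority information.
    None means the login is refused (unknown identification information)."""
    if user_id not in REGISTERED_USERS:
        return None
    role = USER_ROLE.get(user_id)
    first_metadata = set(ROLE_METADATA.get(role, set())) if role else set()
    return build_authority(first_metadata)


def is_permitted(auth: AccessAuthority, req: AccessRequest) -> bool:
    """Step 305: the requested metadata must be in the authority list and the
    action code must be among the actions recorded for that metadata item.
    The resource named in the request must also own that metadata item, so a
    request cannot borrow a permitted field name from another resource."""
    if req.resource not in auth.resources:
        return False
    if req.metadata not in RESOURCE_METADATA.get(req.resource, set()):
        return False
    return req.action_code in auth.entries.get(req.metadata, frozenset())


def authorize(user_id: str, first_auth: AccessAuthority,
              req: AccessRequest) -> Tuple[str, Optional[str]]:
    """Full decision: first access authority (via role), then the per-user
    second access authority; anything else is illegal (default deny)."""
    if is_permitted(first_auth, req):
        return "legal", "role"
    second_metadata = USER_METADATA.get(user_id)
    if second_metadata and is_permitted(build_authority(second_metadata), req):
        return "legal", "user"
    return "illegal", None


if __name__ == "__main__":
    auth = login("lisi")
    assert auth is not None
    # Role grants nothing on payment.account; the per-user mapping does.
    print(authorize("lisi", auth, AccessRequest("payment", "payment.account", "U")))
    # Neither mapping covers sales_order.amount for this user.
    print(authorize("lisi", auth, AccessRequest("sales_order", "sales_order.amount", "R")))
```

The second access authority is only consulted after the first one has denied the request, mirroring the order given in the text, and a user whose identification information is in neither mapping is denied.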
Optionally, the server sends the first access authority information and the second access authority information obtained for the user to the user terminal of the user. When the user later logs in to the operation system again through that user terminal and accesses the data resources of the operation system, the user terminal can itself judge whether the access request is legal, according to the access request and the first access authority information and second access authority information stored on the user terminal. Specifically, the user terminal looks up the first access authority information of the user according to the metadata and the action type code of the data resource to be visited carried in the access request; if the metadata of the data resource to be visited belongs to the first metadata contained in the first access authority information, and the action type identified by the action type code belongs to the action types contained in the first access authority information, the user terminal judges that the access request sent by the user is legal, and the user may perform the corresponding operation on the data resource to be visited. Further, after judging according to the first access authority information that the access request initiated by the user is illegal, the user terminal judges according to the access request and the second access authority information whether the user's access to the data resource to be visited is legal. Specifically, it looks up the second access authority information of the user according to the metadata and the action type code carried in the access request; if the metadata of the data resource to be visited belongs to the second metadata contained in the second access authority information, and the action type identified by the action type code belongs to the action types contained in the second access authority information, the user terminal judges that the access request sent by the user is legal, and the user may perform the corresponding operation on the data resource to be visited. In this embodiment, after the user logs in to the operation system for the first time, the server obtains the first access authority information and the second access authority information of the user and sends them to the user terminal of the user; when the user logs in to the operation system again, the user terminal can judge the legality of the access requests initiated by the user itself, which improves the timeliness of operation system rights management and reduces the load on the server.
Further, the server may send an access rights update message to the user terminal. This message informs the user terminal that the access authority information of the corresponding user has been updated and that the user terminal needs to obtain the first access authority information and the second access authority information of the user again. Specifically, the server may carry the identification information of the user in the access rights update message and send it to the user terminal; after receiving the message, the user terminal, once the user has logged in to the operation system locally, obtains the first access authority information and the second access authority information of the user from the server again according to the message.
Optionally, the user terminal may also encrypt the obtained first access authority information and second access authority information, to improve the security of the operation system.
A kind of server architecture schematic diagram that Fig. 4 provides for the embodiment of the present invention.As shown in Figure 4, this server comprises: receiver module 41, first acquisition module 42 and the first judge module 43.
Wherein, receiver module 41 receives the logging request of the request registering service system that user terminal sends, logging request comprises the identification information of user corresponding to this user terminal and receives the access request that sends of user terminal, this access request comprises metadata and the action type code of data resource to be visited, and this action type code is for identifying the action type treated visit data resource and carry out.First acquisition module 42 is according to the identification information of user, obtain user-accessible the first metadata and according to the first metadata, inquire about the mapping relations between the action type that prestores and metadata and the mapping relations between data resource and metadata, obtain first access authority information of user to the first data resource corresponding to the first metadata.First judge module 43, according to described first access authority information and described access request, judges that whether the access of described user to described data resource to be visited be legal.
In the present embodiment, server also comprises a presetting module 40, this presetting module obtains the metadata of operation system, wherein, metadata is the data of data, the information such as title, constraint, mark, attribute, field type, field length, description of tables of data and field in data resource can be indicated by metadata, also can carry out essential information description to data of non relational database resource.Metadata can be stored in the database or data file path that it defines, and generally can be able to be encrypted to strengthen fail safe to metadata and related resource access configures information in actual applications.After getting the metadata of operation system, set up the mapping relations between action type and metadata and the mapping relations between data resource and metadata, and above-mentioned mapping relations are stored in a database.Further, set up the mapping relations between user totem information and role and the mapping relations between role and metadata, and above-mentioned mapping relations are stored in a database.
When user wants to conduct interviews to the data resource in operation system, first user logs in this operation system by residing user terminal.Particularly, user sends logging request by user terminal to the receiver module 41 in the server at operation system place, this logging request is for asking registering service system, and the identification information carried in this logging request with this user, such as, the identification information of user can for log-on message when user registers this operation system, or the authorization message of user.
After receiving logging request, the identification information of the first acquisition module 42 user, obtains the first metadata of user-accessible.Particularly, after receiver module 41 receives logging request, first acquisition module 42 obtains the identification information of user, and the first acquisition module 42, according to the identification information of user in the identity information of the user prestored and logging request, carries out legitimate verification to the identity of user.If the identity information of the user prestored is consistent with user side identification information in logging request, illustrate that the identity of user is legal, then allow this user's registering service system.Wherein, the identity information of the user prestored can be the log-on message of user or authorization message.The present embodiment is verified by the legitimacy of the identity to user, can avoid the invasion to operation system of disabled user, improves the fail safe of operation system.
After the identity verifying user is legal, the first acquisition module 42, according to the identification information of user, is inquired about the mapping relations between user totem information and role prestored, is determined the role of this user.After determining the role of this user, then according to the role of user, inquire about the mapping relations between role and metadata prestored, get the first metadata of user-accessible.
Further, after obtaining the first metadata, the first acquisition module 42 queries the pre-stored mapping relations between operation types and metadata, according to the first metadata, to obtain the access operations permitted on the first metadata, and queries the pre-stored mapping relations between data resources and metadata to obtain the first data resource corresponding to the first metadata; this first data resource is the data resource the user can access. The results of these two queries together give the user's first access authority information for the first data resource. In particular, the first access authority information can be stored in the form of a list.
After the user has logged in to the operation system and wants to access one of its data resources, the user sends an access request via the user terminal to the receiving module 41. The access request carries the metadata and the operation type code of the data resource the user wants to access, where the operation type code identifies the type of operation to be performed on that data resource.
After the receiving module 41 receives the access request, the first judging module 43 judges, according to the first access authority information and the access request, whether the user's access to the data resource is legitimate. Specifically, the first judging module 43 looks up the user's first access authority information using the metadata and operation type code of the data resource carried in the access request. If the metadata of the data resource to be accessed belongs to the first metadata contained in the first access authority information, and the operation type identified by the operation type code belongs to the operation types contained in the first access authority information, the first judging module 43 judges that the user's access request is legitimate, meaning the user may perform the corresponding operation on the data resource.
The server provided by this embodiment receives a login request sent by a user terminal, the login request containing the user's identification information; obtains, according to that identification information, the first metadata the user can access; queries, according to the first metadata, the pre-stored mapping relations between operation types and metadata and between data resources and metadata, to obtain the user's first access authority information for the first data resource corresponding to the first metadata; receives an access request sent by the user terminal, the access request containing the metadata and operation type code of the data resource to be accessed, the operation type code identifying the operation to be performed on that resource; and judges, according to the first access authority information and the access request, whether the user's access to the data resource is legitimate. By obtaining the metadata of data resources and establishing in advance the mapping relations between data resources and metadata and between operation types and metadata, this embodiment achieves fine-grained and extensible control of access rights to the operation system's data resources, further refines the granularity at which user rights are managed in the operation system, and improves the system's rights management capability.
Further, the server provided by this embodiment of the invention also includes a second acquisition module 44 and a second judging module 45. The second acquisition module 44 is used, after the first judging module 43 has judged the user's access to the data resource illegitimate, to query the pre-stored mapping relations between user identification information and metadata, according to the user's identification information, to obtain the second metadata the user can access, and then, according to the second metadata, to query the mapping relations between operation types and metadata and between data resources and metadata, to obtain the user's second access authority information for the second data resource corresponding to the second metadata. The second judging module 45 is used, after the second acquisition module 44 has obtained the second access authority information, to judge according to the second access authority information and the access request whether the user's access to the data resource is legitimate.
In an operation system, some specific users under the same role may need rights to access particular data resources. To grant these without changing the rights of every user under the role, mapping relations between a user's identification information and metadata can be pre-set and stored in a database; in these mapping relations the metadata is the metadata corresponding to the particular data resource. These mapping relations express that, besides the rights of the role the user belongs to, the user also holds certain specific rights. For example, other users under the same role may lack access rights to a certain business field in a business table within a specific time span, while this user, for work reasons, needs access to that field in that table within that time span; the mapping relation between the user's identification information and the metadata corresponding to that time span is then set.
After the first judging module 43 judges, according to the first access authority information, that the access request initiated by the user is illegitimate, the second acquisition module 44 queries the pre-stored mapping relations between user identification information and metadata according to the user's identification information; if the user's identification information belongs to the user identification information contained in those mapping relations, the second acquisition module 44 obtains the second metadata the user can access. The second acquisition module 44 then queries, according to the second metadata, the pre-stored mapping relations between operation types and metadata and between data resources and metadata, and from the query results obtains the user's second access authority information for the second data resource corresponding to the accessible second metadata. The second judging module 45 judges, according to the second access authority information and the access request, whether the user's access to the data resource is legitimate. Specifically, the second judging module 45 looks up the user's second access authority information using the metadata and operation type code carried in the access request. If the metadata of the data resource to be accessed belongs to the second metadata contained in the second access authority information, and the operation type identified by the operation type code belongs to the operation types contained in the second access authority information, the second judging module 45 judges that the user's access request is legitimate and the user may perform the corresponding operation on the data resource. If the user's identification information does not belong to the user identification information contained in the mapping relations between user identification information and metadata, or the metadata of the data resource to be accessed does not belong to the second metadata contained in the second access authority information, or the operation type identified by the operation type code does not belong to the operation types contained in the second access authority information, the second judging module 45 judges that the user's access request is illegitimate. Optionally, the second judging module 45 may return to the user a message indicating that the user lacks these access rights.
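The two-stage decision described above (role-derived first access authority information, then the user-specific second access authority information), as an added example that is not the patent's own code; all mapping tables, user names, metadata names and operation type codes are constructed, and the check is read per metadata item, i.e. the operation type must be permitted on the specific metadata requested:

```python
"""Two-stage access check modelled on the patent's description: first the
role-derived authority (user -> role -> metadata), then the user-specific
authority (user -> metadata). Added example, not the patent's code; every
table and value below is constructed for illustration."""

import hashlib
import hmac
from dataclasses import dataclass

# Pre-stored identity information (constructed): sha256 of a registration token.
USER_IDENTITY = {
    "alice": hashlib.sha256(b"token-alice").hexdigest(),
    "bob": hashlib.sha256(b"token-bob").hexdigest(),
}
# Mapping relations between user identification information and roles.
USER_ROLE = {"alice": "clerk", "bob": "clerk"}
# Mapping relations between roles and metadata (metadata names are constructed).
ROLE_METADATA = {"clerk": {"orders.amount", "orders.status"}}
# Mapping relations between metadata and permitted operation types
# (operation type codes "R" = read, "W" = write, constructed).
METADATA_OPERATIONS = {
    "orders.amount": {"R"},
    "orders.status": {"R", "W"},
    "orders.amount@2012Q4": {"R", "W"},
}
# Mapping relations between metadata and the data resource it describes.
METADATA_RESOURCE = {
    "orders.amount": "orders.amount (all rows)",
    "orders.status": "orders.status (all rows)",
    "orders.amount@2012Q4": "orders.amount (rows dated 2012-10-01..2012-12-31)",
}
# User-specific mapping relations (identification information -> metadata):
# only bob is granted the Q4 time span, without widening the clerk role.
USER_METADATA = {"bob": {"orders.amount@2012Q4"}}


@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    metadata: str      # metadata of the data resource to be accessed
    op_code: str       # operation type code


def build_authority(metadata_set):
    """Query the operation-type and data-resource mappings for each metadata
    item; the result is the access authority information, kept here as a dict
    (the patent keeps it as a list): metadata -> (operation types, resource)."""
    authority = {}
    for md in metadata_set:
        ops = METADATA_OPERATIONS.get(md)
        resource = METADATA_RESOURCE.get(md)
        if ops and resource is not None:
            authority[md] = (frozenset(ops), resource)
    return authority


def login(user_id, token):
    """Verify identity against the pre-stored information, then derive the
    first access authority information. Returns None if the login is refused."""
    expected = USER_IDENTITY.get(user_id)
    presented = hashlib.sha256(token.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, presented):
        return None
    role = USER_ROLE.get(user_id)
    first_metadata = ROLE_METADATA.get(role, set())
    return build_authority(first_metadata)


def second_authority(user_id):
    """Second access authority information from the user-specific mapping."""
    return build_authority(USER_METADATA.get(user_id, set()))


def is_legal(authority, request):
    """The judging module's test: the requested metadata must be present in
    the authority information and the operation type permitted on it."""
    entry = authority.get(request.metadata)
    return entry is not None and request.op_code in entry[0]


def authorize(request, first_authority):
    """Two-stage decision. Returns (legal, stage), where stage names which
    authority information allowed the request, or 'denied'."""
    if is_legal(first_authority, request):
        return True, "first"
    if is_legal(second_authority(request.user_id), request):
        return True, "second"
    return False, "denied"


if __name__ == "__main__":
    first = login("bob", "token-bob")
    for md, op in [("orders.status", "W"), ("orders.amount", "W"),
                   ("orders.amount@2012Q4", "W")]:
        print(md, op, authorize(AccessRequest("bob", md, op), first))
```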
Optionally, the server provided by this embodiment also includes a sending module 46, which sends the user's obtained first and second access authority information to the user terminal. When the user logs in to the operation system again through that terminal and accesses a data resource, the user terminal itself can judge, according to the access request and the first and second access authority information stored on the terminal, whether the access request is legitimate. Specifically, the user terminal looks up the user's first access authority information using the metadata and operation type code carried in the access request; if the metadata of the data resource to be accessed belongs to the first metadata contained in the first access authority information, and the operation type identified by the operation type code belongs to the operation types contained in the first access authority information, the user terminal judges the access request legitimate and the user may perform the corresponding operation on the data resource. If the user terminal judges the access request illegitimate according to the first access authority information, it then judges, according to the second access authority information and the access request, whether the user's access to the data resource is legitimate: the user terminal looks up the user's second access authority information using the metadata and operation type code carried in the access request, and if the metadata belongs to the second metadata contained in the second access authority information, and the operation type identified by the operation type code belongs to the operation types contained in the second access authority information, the user terminal judges the access request legitimate and the user may perform the corresponding operation on the data resource. In this embodiment, the user's obtained first and second access authority information is sent to the user terminal, so that when the user logs in again the user terminal can judge the legitimacy of the user's access requests directly, which improves the timeliness of rights management in the operation system and reduces the load on the server.
Further, the server can send an access rights update message to the user terminal through the sending module 46. This message informs the user terminal that the access authority information of the corresponding user has been updated and that the terminal needs to re-obtain the user's first and second access authority information. Specifically, the server sends, through the sending module 46, an access rights update message carrying the user's identification information to the user terminal; after receiving this message, the user terminal, once the user has logged in to the operation system locally, re-obtains the user's first and second access authority information from the server according to the update message.
Optionally, the user terminal may also encrypt the obtained first and second access authority information, to improve the security of the operation system.
Fig. 5 is a schematic structural diagram of an operation system rights management system provided by the invention. As shown in Fig. 5, the operation system rights management system includes a server 51 and at least one user terminal 52. The server 51 is the server provided in the above embodiments, the user terminal 52 may be a terminal device such as a personal computer, and the user exchanges information with the server 51 through the user terminal 52. For the description of the server 51 and the user terminal 52, refer to the related content in the above embodiments, which is not repeated here.
The operation system rights management system provided by this embodiment receives a login request sent by a user terminal, the login request containing the user's identification information; obtains, according to that identification information, the first metadata the user can access; queries, according to the first metadata, the pre-stored mapping relations between operation types and metadata and between data resources and metadata, to obtain the user's first access authority information for the first data resource corresponding to the first metadata; receives an access request sent by the user terminal, the access request containing the metadata and operation type code of the data resource to be accessed, the operation type code identifying the operation to be performed on that resource; and judges, according to the first access authority information and the access request, whether the user's access to the data resource is legitimate. By obtaining the metadata of data resources and establishing in advance the mapping relations between data resources and metadata and between operation types and metadata, this embodiment achieves fine-grained and extensible control of access rights to the operation system's data resources, further refines the granularity at which user rights are managed in the operation system, and improves the system's rights management capability; in addition, the user's obtained first and second access authority information is sent to the user terminal so that the user terminal can judge the legitimacy of the user's access requests itself, which improves the timeliness of rights management in the operation system and reduces the load on the server.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solution described in the foregoing embodiments may still be modified, or some or all of its technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (5)

1. An operation system right management method, characterized in that it comprises:
receiving a login request sent by a user terminal requesting to log in to the operation system, the login request comprising identification information of the user corresponding to the user terminal;
performing legitimacy verification of the identity of the user according to pre-stored identity information of the user and the identification information of the user in the login request;
if the verification result is legitimate, querying pre-stored mapping relations between user identification information and roles according to the identification information of the user, to determine the role of the user;
querying pre-stored mapping relations between roles and metadata according to the role of the user, to obtain first metadata accessible to the user;
querying pre-stored mapping relations between operation types and metadata and mapping relations between data resources and metadata according to the first metadata, to obtain first access authority information of the user for a first data resource corresponding to the first metadata;
receiving an access request sent by the user terminal, the access request comprising metadata and an operation type code of a data resource to be accessed, the operation type code identifying the operation type to be performed on the data resource to be accessed;
judging, according to the first access authority information and the access request, whether the access of the user to the data resource to be accessed is legitimate;
wherein judging, according to the first access authority information and the access request, whether the access of the user to the data resource to be accessed is legitimate comprises:
if the metadata of the data resource to be accessed belongs to the first metadata comprised in the first access authority information, and the operation type to be performed on the data resource to be accessed, identified by the operation type code, belongs to the operation types comprised in the first access authority information, judging that the access request is legitimate;
and the method further comprises:
if it is judged, according to the first access authority information and the access request, that the access of the user to the data resource to be accessed is illegitimate, querying pre-stored mapping relations between user identification information and metadata according to the identification information of the user, to obtain second metadata accessible to the user;
querying the mapping relations between operation types and metadata and the mapping relations between data resources and metadata according to the second metadata, to obtain second access authority information of the user for a second data resource corresponding to the second metadata;
judging, according to the second access authority information and the access request, whether the access of the user to the data resource to be accessed is legitimate.
2. The operation system right management method according to claim 1, characterized in that it further comprises:
sending the first access authority information and the second access authority information to the user terminal.
3. A server, characterized in that it comprises:
a receiving module, for receiving a login request sent by a user terminal requesting to log in to the operation system, the login request comprising identification information of the user corresponding to the user terminal, and for receiving an access request sent by the user terminal, the access request comprising metadata and an operation type code of a data resource to be accessed, the operation type code identifying the operation type to be performed on the data resource to be accessed;
a first acquisition module, for performing legitimacy verification of the identity of the user according to pre-stored identity information of the user and the identification information of the user in the login request; if the verification result is legitimate, querying pre-stored mapping relations between user identification information and roles according to the identification information of the user, to determine the role of the user; querying pre-stored mapping relations between roles and metadata according to the role of the user, to obtain first metadata accessible to the user; and
querying pre-stored mapping relations between operation types and metadata and mapping relations between data resources and metadata according to the first metadata, to obtain first access authority information of the user for a first data resource corresponding to the first metadata;
a first judging module, for judging, according to the first access authority information and the access request, whether the access of the user to the data resource to be accessed is legitimate;
wherein the first judging module is specifically for judging that the access request is legitimate if the metadata of the data resource to be accessed belongs to the first metadata comprised in the first access authority information, and the operation type to be performed on the data resource to be accessed, identified by the operation type code, belongs to the operation types comprised in the first access authority information;
and the server further comprises a second acquisition module and a second judging module;
the second acquisition module, for, after the first judging module judges that the access of the user to the data resource to be accessed is illegitimate, querying pre-stored mapping relations between user identification information and metadata according to the identification information of the user, to obtain second metadata accessible to the user, and querying the mapping relations between operation types and metadata and the mapping relations between data resources and metadata according to the second metadata, to obtain second access authority information of the user for a second data resource corresponding to the second metadata;
the second judging module, for, after the second acquisition module obtains the second access authority information, judging, according to the second access authority information and the access request, whether the access of the user to the data resource to be accessed is legitimate.
4. The server according to claim 3, characterized in that it further comprises:
a sending module, for sending the first access authority information and the second access authority information to the user terminal.
5. An operation system rights management system, characterized in that it comprises: the server according to claim 3 or 4, and at least one user terminal.
CN201210594494.1A 2012-12-31 2012-12-31 Operation system right management method, equipment and system Active CN103078859B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210594494.1A CN103078859B (en) 2012-12-31 2012-12-31 Operation system right management method, equipment and system

Publications (2)

Publication Number Publication Date
CN103078859A CN103078859A (en) 2013-05-01
CN103078859B true CN103078859B (en) 2016-03-02

Family

ID=48155263

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210594494.1A Active CN103078859B (en) 2012-12-31 2012-12-31 Operation system right management method, equipment and system

Country Status (1)

Country Link
CN (1) CN103078859B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant