CN105262780B - Authority control method and system - Google Patents


Publication number: CN105262780B
Authority: CN (China)
Prior art keywords: management tool, target service system, service system, authority management, unit
Legal status: Active
Application number: CN201510849761.9A
Other languages: Chinese (zh)
Other versions: CN105262780A (en)
Inventors: 王亚玲, 李春阳, 金逸, 王胜, 崔蔚, 李晓珍, 程华沈
Current assignee: State Grid Corp of China SGCC; State Grid Information and Telecommunication Co Ltd; State Grid Jiangsu Electric Power Co Ltd
Original assignee: State Grid Corp of China SGCC; State Grid Information and Telecommunication Co Ltd; State Grid Jiangsu Electric Power Co Ltd
Priority date: 2015-11-27
Filing date: 2015-11-27
Publication date: 2018-12-18
Application filed by State Grid Corp of China SGCC, State Grid Information and Telecommunication Co Ltd and State Grid Jiangsu Electric Power Co Ltd; priority to CN201510849761.9A; published as CN105262780A; application granted and published as CN105262780B; legal status: Active.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/10 ... for controlling access to devices or network resources
        • H04L 63/08 ... for authentication of entities
            • H04L 63/0815 ... providing single-sign-on or federations
            • H04L 63/0892 ... by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
        • H04L 65/1066 Session management
            • H04L 65/1073 Registration or de-registration

Abstract

This application provides an authority control method: obtain the permission-control request of a target service system; call the Authority Management Tool; register the target service system, its resources and its roles on the Authority Management Tool, and grant authorization. Permission control of the target service system is completed by the Authority Management Tool, so permission control is realized simply by calling the tool; developers no longer have to code the permission control function from scratch, which makes it easier for them to apply permission control to system functions and improves the efficiency of rights management.

Description

Authority control method and system
Technical field
This application relates to the field of rights management, and in particular to an authority control method and system.
Background technique
With the development of technology, people's requirements for permission control and management are becoming ever higher.
Most web applications need to implement a permission control function. If, however, the permission control function is coded from scratch every time a new business information system project is built, the development process is undoubtedly inefficient and the resulting function is also unstable.
Therefore, how to carry out permission control effectively and improve the efficiency of rights management is a technical problem that those skilled in the art currently need to solve.
Summary of the invention
The technical problem to be solved by this application is to provide an authority control method and system, addressing the prior-art problem that the permission control function is coded from scratch whenever a new business information system project is built.
The specific scheme is as follows:
An authority control method, comprising:
obtaining the permission-control request of a target service system;
calling the Authority Management Tool;
registering the target service system, its resources and its roles on the Authority Management Tool, and granting authorization.
The above method further includes:
obtaining an access request for the target service system;
forwarding the access request to the Authority Management Tool through a filter;
performing permission authentication by the Authority Management Tool;
after the permission authentication passes, allowing access to the target service system.
The above method further includes:
querying, through the Authority Management Tool, the resources and roles matched to the target service system.
The above method further includes:
performing login or single sign-on to the target service system through the Authority Management Tool.
The above method further includes:
performing logout (exit) from the target service system through the Authority Management Tool.
An authority control system, comprising:
a permission-control-request obtaining unit, for obtaining the permission-control request of a target service system;
a calling unit, for calling the Authority Management Tool;
a registering unit, for registering the target service system, its resources and its roles on the Authority Management Tool and granting authorization.
The above system further includes:
an access-request obtaining unit, for obtaining an access request for the target service system;
a transmission unit, for forwarding the access request to the Authority Management Tool through a filter;
a permission authentication unit, for performing permission authentication by the Authority Management Tool;
an access unit, for allowing access to the target service system after the permission authentication passes.
The above system further includes:
a query unit, for querying, through the Authority Management Tool, the resources and roles matched to the target service system.
The above system further includes:
a login unit, for performing login or single sign-on to the target service system through the Authority Management Tool.
The above system further includes:
a logout unit, for performing logout (exit) from the target service system through the Authority Management Tool.
In the authority control method provided by this application, the permission-control request of the target service system is obtained; the Authority Management Tool is called; and the target service system, its resources and its roles are registered on the Authority Management Tool and authorized. Permission control of the target service system is completed by the Authority Management Tool, so permission control is realized simply by calling the tool; developers no longer have to code the permission control function from scratch, which makes it easier for them to apply permission control to system functions and improves the efficiency of rights management.
Detailed description of the invention
In order to explain the technical solutions in the embodiments of this application more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of this application, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an embodiment of the authority control method of this application;
Fig. 2 is a schematic diagram of a specific implementation of the authority control method of this application;
Fig. 3 is a schematic diagram of an embodiment of the authority control system of this application.
Specific embodiment
The technical solutions in the embodiments of this application are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments in this application without creative effort fall within the protection scope of this application.
Referring to Fig. 1, a flow chart of an embodiment of the authority control method of this application is shown; the method may comprise the following steps:
Step S101: obtain the permission-control request of the target service system.
Step S102: call the Authority Management Tool.
The Authority Management Tool in this application provides a set of APIs (as a REST service or as a jar package) for business systems to call.
The Authority Management Tool in this application is designed on the basis of RBAC theory and technology. It provides not only the basic rights management functions, namely the five major functions of organization and user management, business system management, resource management, role management and authorization management, but also advanced integration functions such as single sign-on, security control and security audit.
RBAC (role-based access control): its elements include the basic definitions of user, role and permission. A user is a subject that can independently access data, or other resources represented by data, in a computer system. A role refers to a job or position within an organization or task; it represents a kind of right, qualification and responsibility. A permission (privilege) is an operation that is allowed to be executed on one or more objects. A user may be authorized to hold multiple roles, and a role may be held by multiple users; each role may hold a variety of permissions, and each permission may also be granted to multiple different roles. Each operation can be applied to multiple objects (controlled objects), and each object can also accept multiple operations.
Step S103: register the target service system, its resources and its roles on the Authority Management Tool, and grant authorization.
Multiple business systems can realize permission control on one Authority Management Tool at the same time, which provides unified management of user permissions and unified user audit.
In the authority control method provided by this application, permission control of the target service system is completed by the Authority Management Tool, so permission control is realized simply by calling the tool; developers no longer have to code the permission control function from scratch, which makes it easier for them to apply permission control to system functions and improves the efficiency of rights management.
This application further includes:
obtaining an access request for the target service system;
forwarding the access request to the Authority Management Tool through a filter;
performing permission authentication by the Authority Management Tool;
after the permission authentication passes, allowing access to the target service system.
Referring to Fig. 2, a schematic diagram of a specific implementation of the authority control method of this application is shown.
Multiple business systems can share one set of user models, so that business system users no longer need to remember multiple accounts. A business system registers itself, its resources and its roles through the management tool and is granted authorization. This application integrates business systems with the management tool by providing a number of services: access requests to a business system are redirected to the management tool through a filter, the management tool performs session management, and on that basis login, logout and single sign-on are realized. The management tool's services also include a model data service.
The Authority Management Tool in this application has the functions of unified authentication and service integration.
In terms of unified authentication, the management tool protects the protected resources of business applications by means of a filter.
Each HTTP request arriving from a client is filtered and analyzed to determine whether it carries a Service Ticket. If it does not, the user has not been authenticated, and the user's request is redirected to the unified permission management system isc_sso.
If the user provides correct authentication information, the management tool generates a random Service Ticket, sends a Ticket Granting Cookie (TGC) to the user's browser, and redirects the browser to the business system.
Identity verification of the user is then completed between the management tool and the business system: the user information is looked up by the Ticket (the user attributes from the database are returned to the client in JSON format), and the authentication passes.
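The filter and Service Ticket exchange described above, as an added Python example; it is not code from the patent, which names no API, so the class and function names, the placeholder URL `https://isc_sso.example/login`, the 300-second ticket lifetime and the sample user are all assumptions. It goes slightly beyond the text: each ticket is single-use, short-lived and bound to the business system it was issued for, so a replayed or misdirected ticket is refused, and logout (exit) plus single sign-on into a second system via the TGC are shown.

```python
import hashlib
import json
import secrets
import time

TICKET_TTL = 300  # seconds a Service Ticket stays redeemable (assumed value, not from the patent)
SSO_URL = "https://isc_sso.example/login"  # placeholder for the isc_sso system named in the text


def hash_password(password, salt):
    """Salted PBKDF2 so the tool never stores plaintext passwords (constructed detail)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ManagementTool:
    """Unified-authentication side: login, TGC sessions, Service Tickets, logout."""

    def __init__(self, users):
        self.users = users         # name -> {"salt", "pw_hash", "org", "roles"} (sample data)
        self.tgc_sessions = {}     # TGC cookie value -> username
        self.tickets = {}          # Service Ticket -> (username, service_url, issued_at)

    def _issue_ticket(self, username, service_url):
        st = "ST-" + secrets.token_urlsafe(24)   # random, unguessable ticket
        self.tickets[st] = (username, service_url, time.time())
        return st

    def login(self, username, password, service_url):
        """Correct credentials -> (TGC for the browser, Service Ticket for the redirect)."""
        u = self.users.get(username)
        if u is None or not secrets.compare_digest(hash_password(password, u["salt"]), u["pw_hash"]):
            return None
        tgc = "TGC-" + secrets.token_urlsafe(32)
        self.tgc_sessions[tgc] = username
        return tgc, self._issue_ticket(username, service_url)

    def ticket_for_tgc(self, tgc, service_url):
        """Single sign-on: a live TGC gets a fresh ticket for another system without a password."""
        username = self.tgc_sessions.get(tgc)
        return None if username is None else self._issue_ticket(username, service_url)

    def validate(self, st, service_url, now=None):
        """Called by the business system; a ticket is single-use, short-lived and service-bound."""
        entry = self.tickets.pop(st, None)       # pop: a replayed ticket is rejected
        if entry is None:
            return None
        username, bound_service, issued = entry
        if bound_service != service_url or (now or time.time()) - issued > TICKET_TTL:
            return None
        u = self.users[username]
        # user attributes go back to the client as JSON, as the text describes
        return json.dumps({"user": username, "org": u["org"], "roles": u["roles"]})

    def logout(self, tgc):
        """Exit: drop the TGC session so no further tickets can be minted from it."""
        self.tgc_sessions.pop(tgc, None)


def business_filter(tool, service_url, request):
    """Filter in front of a business system; request = {"params": {...}, "session": {...}}.
    Returns ("allow", userinfo) or ("redirect", url)."""
    session = request.setdefault("session", {})
    if "user" in session:                          # already authenticated in this session
        return "allow", session["user"]
    st = request.get("params", {}).get("ticket")
    if st is None:                                 # no Service Ticket: send the user to isc_sso
        return "redirect", f"{SSO_URL}?service={service_url}"
    info = tool.validate(st, service_url)
    if info is None:                               # unknown, replayed, expired or misbound ticket
        return "redirect", f"{SSO_URL}?service={service_url}"
    session["user"] = json.loads(info)
    return "allow", session["user"]


def make_tool():
    """Constructed sample directory with a single user."""
    salt = secrets.token_bytes(16)
    return ManagementTool({"alice": {"salt": salt, "pw_hash": hash_password("s3cret", salt),
                                     "org": "grid-ops", "roles": ["operator"]}})


if __name__ == "__main__":
    tool, billing, hr = make_tool(), "https://billing.example/", "https://hr.example/"
    print(business_filter(tool, billing, {"params": {}}))               # redirect to isc_sso
    tgc, st = tool.login("alice", "s3cret", billing)
    print(business_filter(tool, billing, {"params": {"ticket": st}}))   # allow
    print(business_filter(tool, billing, {"params": {"ticket": st}}))   # replay: redirect
    print(business_filter(tool, hr, {"params": {"ticket": tool.ticket_for_tgc(tgc, hr)}}))  # SSO
    tool.logout(tgc)
    print(tool.ticket_for_tgc(tgc, hr))                                 # None after exit
```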
Service integration mainly comprises two parts: first, supplying and maintaining identity, organization and permission data for business application systems; second, providing services such as permission verification for business application systems. The specific process is as follows:
The business application system registers its organizations, roles, functions, permission objects and data sets in the management tool; these data are not stored in the business application system itself.
When a user accesses a resource of the business application, the business application system calls the interface service provided by the management tool to perform an authorization check on the resource requested by the user.
As needed, the business application system can call the services provided by the management tool to query related information such as organizations, roles and resources.
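The registration, authorization-check and query services of this section, together with the RBAC relations described under step S103 (many users per role, many roles per user, many permissions per role, many operations per object), as an added Python example that is not the patent's own code: the class and method names, the two business systems `billing` and `hr`, and their resources, roles and users are constructed. Every check is recorded for the unified user audit the text mentions, and a system or operation that was never registered is rejected rather than silently denied.

```python
from collections import defaultdict


class AuthorityManagementTool:
    """Central RBAC store shared by several business systems (constructed example)."""

    def __init__(self):
        self.systems = set()                 # registered business systems
        self.resources = {}                  # (system, resource) -> operations the object accepts
        self.role_perms = defaultdict(set)   # (system, role) -> {(resource, operation)}
        self.user_roles = defaultdict(set)   # user -> {(system, role)}
        self.audit = []                      # (user, system, resource, operation, decision)

    # registration (step S103): business system, its resources and its roles
    def register_system(self, system):
        self.systems.add(system)

    def register_resource(self, system, resource, operations):
        self._require_system(system)
        # one object accepts several operations; one operation may apply to many objects
        self.resources[(system, resource)] = set(operations)

    def register_role(self, system, role):
        self._require_system(system)
        self.role_perms.setdefault((system, role), set())

    # authorization: a permission is an operation allowed on an object, granted to a role
    def authorize(self, system, role, resource, operation):
        if (system, role) not in self.role_perms:
            raise KeyError(f"role {role!r} is not registered for {system!r}")
        if operation not in self.resources.get((system, resource), ()):
            raise KeyError(f"{operation!r} is not an operation of {resource!r} in {system!r}")
        self.role_perms[(system, role)].add((resource, operation))

    def assign_role(self, user, system, role):
        if (system, role) not in self.role_perms:
            raise KeyError(f"role {role!r} is not registered for {system!r}")
        self.user_roles[user].add((system, role))   # a user may hold many roles

    # authorization check: the interface the business system calls per request
    def check(self, user, system, resource, operation):
        self._require_system(system)
        granted = any((resource, operation) in self.role_perms[(s, r)]
                      for (s, r) in self.user_roles.get(user, ()) if s == system)
        self.audit.append((user, system, resource, operation, granted))  # unified user audit
        return granted

    # query services: resources and roles matching a given business system
    def resources_of(self, system):
        return sorted(res for (s, res) in self.resources if s == system)

    def roles_of(self, system):
        return sorted(role for (s, role) in self.role_perms if s == system)

    def _require_system(self, system):
        if system not in self.systems:
            raise KeyError(f"business system {system!r} is not registered")


def build_demo():
    """Two constructed business systems registered on one tool; no data lives in the systems."""
    tool = AuthorityManagementTool()
    for system in ("billing", "hr"):
        tool.register_system(system)
    tool.register_resource("billing", "invoice", {"read", "approve", "delete"})
    tool.register_resource("billing", "ledger", {"read"})
    tool.register_resource("hr", "payroll", {"read", "edit"})
    for system, role in (("billing", "clerk"), ("billing", "auditor"), ("hr", "viewer")):
        tool.register_role(system, role)
    tool.authorize("billing", "clerk", "invoice", "read")
    tool.authorize("billing", "clerk", "invoice", "approve")
    tool.authorize("billing", "auditor", "invoice", "read")   # one permission, two roles
    tool.authorize("billing", "auditor", "ledger", "read")
    tool.authorize("hr", "viewer", "payroll", "read")
    tool.assign_role("alice", "billing", "clerk")
    tool.assign_role("alice", "hr", "viewer")                 # one user, roles in two systems
    tool.assign_role("bob", "billing", "auditor")
    return tool


if __name__ == "__main__":
    t = build_demo()
    print(t.check("alice", "billing", "invoice", "approve"))  # True
    print(t.check("alice", "billing", "ledger", "read"))      # False: clerk has no ledger right
    print(t.check("alice", "billing", "invoice", "delete"))   # False: nobody was granted delete
    print(t.resources_of("billing"), t.roles_of("billing"))
```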
Corresponding to the method of the above embodiment of the authority control method, and referring to Fig. 3, this application also provides an embodiment of an authority control system. In this embodiment, the system includes:
a permission-control-request obtaining unit 301, for obtaining the permission-control request of the target service system;
a calling unit 302, for calling the Authority Management Tool;
a registering unit 303, for registering the target service system, its resources and its roles on the Authority Management Tool and granting authorization.
This application further includes:
an access-request obtaining unit, for obtaining an access request for the target service system;
a transmission unit, for forwarding the access request to the Authority Management Tool through a filter;
a permission authentication unit, for performing permission authentication by the Authority Management Tool;
an access unit, for allowing access to the target service system after the permission authentication passes.
This application further includes:
a query unit, for querying, through the Authority Management Tool, the resources and roles matched to the target service system.
This application further includes:
a login unit, for performing login or single sign-on to the target service system through the Authority Management Tool.
This application further includes:
a logout unit, for performing logout (exit) from the target service system through the Authority Management Tool.
This application manages user data centrally through the Authority Management Tool and provides unified authorization management of roles, resources and permissions, which simplifies the development of permission features in business systems and lets them focus on business logic.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other. Since the device-class embodiments are basically similar to the method embodiments, they are described relatively briefly; for related details, refer to the description of the method embodiments.
Finally, it should also be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
For convenience of description, the above device is described as divided into various units by function. Of course, when implementing this application, the functions of the units may be realized in the same or in multiple pieces of software and/or hardware.
As can be seen from the above description of the embodiments, those skilled in the art can clearly understand that this application can be realized by means of software plus a necessary general-purpose hardware platform. On this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, can be embodied in the form of a software product; the computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in the embodiments of this application or in certain parts of the embodiments.
The authority control method and system provided herein are described in detail above. Specific examples are used herein to explain the principle and implementation of this application; the above embodiments are only intended to help understand the method and core idea of this application. At the same time, those skilled in the art may, according to the idea of this application, make changes to the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as a limitation of this application.

Claims (8)

1. An authority control method, characterized in that the method comprises:
obtaining the permission-control request of a target service system;
calling the Authority Management Tool;
registering the target service system, its resources and its roles on the Authority Management Tool, and granting authorization;
obtaining an access request for the target service system;
forwarding the access request to the Authority Management Tool through a filter;
performing permission authentication by the Authority Management Tool;
after the permission authentication passes, allowing access to the target service system.
2. The method according to claim 1, characterized in that it further comprises:
querying, through the Authority Management Tool, the resources and roles matched to the target service system.
3. The method according to claim 2, characterized in that it further comprises:
performing login or single sign-on to the target service system through the Authority Management Tool.
4. The method according to claim 3, characterized in that it further comprises:
performing logout (exit) from the target service system through the Authority Management Tool.
5. An authority control system, characterized in that the system comprises:
a permission-control-request obtaining unit, for obtaining the permission-control request of a target service system;
a calling unit, for calling the Authority Management Tool;
a registering unit, for registering the target service system, its resources and its roles on the Authority Management Tool and granting authorization;
an access-request obtaining unit, for obtaining an access request for the target service system;
a transmission unit, for forwarding the access request to the Authority Management Tool through a filter;
a permission authentication unit, for performing permission authentication by the Authority Management Tool;
an access unit, for allowing access to the target service system after the permission authentication passes.
6. The system according to claim 5, characterized in that it further comprises:
a query unit, for querying, through the Authority Management Tool, the resources and roles matched to the target service system.
7. The system according to claim 6, characterized in that it further comprises:
a login unit, for performing login or single sign-on to the target service system through the Authority Management Tool.
8. The system according to claim 7, characterized in that it further comprises:
a logout unit, for performing logout (exit) from the target service system through the Authority Management Tool.
Priority application: CN201510849761.9A (priority date 2015-11-27, filing date 2015-11-27), "Authority control method and system", status Active, granted as CN105262780B (en).

Publications (2)

Publication number   Publication date
CN105262780A (en)    2016-01-20
CN105262780B (en)    2018-12-18

Family ID: 55102284
