CN105373714B - A kind of user authority control method and device - Google Patents

A kind of user authority control method and device

Info

Publication number: CN105373714B
Application number: CN201510843681.2A
Authority: CN (China)
Prior art keywords: role, authorized, mutual exclusion, exclusion group, group
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN105373714A (en)
Inventors: 傅正茂, 彭舰
Current Assignee: Jin Zheng Science And Technology Co Ltd Of Shenzhen (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Jin Zheng Science And Technology Co Ltd Of Shenzhen

Events: application filed by Jin Zheng Science And Technology Co Ltd Of Shenzhen; priority to CN201510843681.2A; publication of CN105373714A; application granted; publication of CN105373714B; legal status active; anticipated expiration.

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The present invention provides a user authority control method comprising: obtaining the role to be authorized and the already authorized roles of a user; obtaining the preset inner mutual exclusion group and outer mutual exclusion group to which the role to be authorized and the already authorized roles belong, wherein all roles in an inner mutual exclusion group are mutually exclusive with one another, all roles in an outer mutual exclusion group are compatible with one another, and every role in an outer mutual exclusion group is mutually exclusive with every role not in that group; and deciding, according to the inner and outer mutual exclusion groups to which the role to be authorized and the already authorized roles belong, whether to authorize the role to be authorized to the user. Compared with the existing function-based comparison method, the permission comparison procedure of the user authority control method of the present invention is simpler and its control accuracy is higher, which greatly improves the efficiency of user permission control.

Description

A kind of user authority control method and device
Technical field
The invention belongs to the field of user permission management, and in particular relates to a user authority control method and device.
Background technology
In a multi-user system, different permissions need to be assigned to users according to their permission levels and positions, so as to provide users with safer and more reliable system services.
Role-Based Access Control (RBAC) is currently the generally acknowledged effective approach to permission management in enterprise application systems. In RBAC, permissions are associated with roles, and a user obtains the permissions of a role by becoming a member of the appropriate role, which greatly simplifies the management complexity of permissions.
RBAC has three security principles: the principle of least privilege, the principle of separation of duties, and the principle of data abstraction. RBAC96 is the most basic RBAC specification and comprises four models: the basic model RBAC0, the role hierarchy model RBAC1, the constrained model RBAC2 and the unified model RBAC3. The constrained model is the one that describes the realisation of the separation of duties principle.
A basic constraint in RBAC2 is the mutually exclusive roles constraint. Mutually exclusive roles are two roles whose respective permissions restrict each other: in a given activity, a user may only be assigned one of such a pair of roles and cannot obtain the right to use both roles at the same time.
For example, in an audit activity a user cannot be assigned both the accountant role and the auditor role. Similarly, in a company the roles of manager and assistant manager are mutually exclusive: contracts or cheques may only be signed by the manager, not by the assistant manager. In an RBAC2 model established for the company, a user cannot obtain both the manager role and the assistant manager role at the same time. The mutual exclusion constraint of the constrained model thus supports the realisation of the principle of separating powers and responsibilities.
At present, mutual exclusion constraints are commonly implemented with functions: when a role is assigned to a user, or permissions are assigned to a role, these functions are called to check the assignment, and the result returned by the function determines whether the assignment meets the requirements of the constraint. Usually only a few simple, routine constraints can be checked effectively in this way.
Implementing mutual exclusion constraints by means of functions is flexible and can express arbitrary constraints. However, as the number of users grows, authorizing each user requires comparing compatibility with the permissions of the other users one by one, which is not only cumbersome but also error-prone.
Summary of the invention
The purpose of the present invention is to provide a user authority control method, so as to solve the problem in the prior art that, as the number of users increases, authorizing each user requires comparing compatibility with the permissions of the other users one by one, which is both cumbersome and error-prone.
In a first aspect, an embodiment of the present invention provides a user authority control method, the method comprising:
obtaining the role to be authorized and the already authorized roles of a user;
obtaining the preset inner mutual exclusion group and outer mutual exclusion group to which the role to be authorized and the already authorized roles belong, wherein all roles in an inner mutual exclusion group are mutually exclusive with one another, all roles in an outer mutual exclusion group are compatible with one another, and every role in an outer mutual exclusion group is mutually exclusive with every role not in that group;
deciding, according to the inner and outer mutual exclusion groups to which the role to be authorized and the already authorized roles belong, whether to authorize the role to be authorized to the user.
With reference to the first aspect, in a first possible implementation of the first aspect, the step of deciding according to the inner and outer mutual exclusion groups to which the role to be authorized and the already authorized roles belong whether to authorize the role to be authorized to the user comprises:
judging whether the role to be authorized and any already authorized role are in the same inner mutual exclusion group;
if the role to be authorized and an already authorized role are in the same inner mutual exclusion group, refusing the authorization; otherwise, further judging whether the outer mutual exclusion group to which the role to be authorized belongs includes all the already authorized roles;
if the outer mutual exclusion group to which the role to be authorized belongs does not include all the already authorized roles, refusing the authorization; otherwise, further judging whether the outer mutual exclusion groups to which all the already authorized roles belong include the role to be authorized;
if the outer mutual exclusion groups to which all the already authorized roles belong do not include the role to be authorized, refusing the authorization; otherwise, allowing the authorization.
With reference to the first aspect, in a second possible implementation of the first aspect, the method further comprises:
when the user has no already authorized role, allowing the authorization.
With reference to the first aspect, in a third possible implementation of the first aspect, the step of deciding according to the inner and outer mutual exclusion groups to which the role to be authorized and the already authorized roles belong whether to authorize the role to be authorized to the user comprises:
if one and the same outer mutual exclusion group to which the role to be authorized belongs includes all the already authorized roles, allowing the authorization.
With reference to the first aspect, in a fourth possible implementation of the first aspect, before the step of obtaining the preset inner and outer mutual exclusion groups to which the role to be authorized and the already authorized roles belong, the method further comprises:
establishing the inner mutual exclusion groups and outer mutual exclusion groups of the system, wherein the number of inner mutual exclusion groups is zero, one or more, the number of outer mutual exclusion groups is zero, one or more, an inner mutual exclusion group includes at least two roles, and an outer mutual exclusion group includes at least one role.
In a second aspect, an embodiment of the present invention provides a user authority control device, the device comprising:
a role acquiring unit for obtaining the role to be authorized and the already authorized roles of a user;
a relationship group acquiring unit for obtaining the preset inner mutual exclusion group and outer mutual exclusion group to which the role to be authorized and the already authorized roles belong, wherein all roles in an inner mutual exclusion group are mutually exclusive with one another, all roles in an outer mutual exclusion group are compatible with one another, and every role in an outer mutual exclusion group is mutually exclusive with every role not in that group;
a first granting unit for deciding, according to the inner and outer mutual exclusion groups to which the role to be authorized and the already authorized roles belong, whether to authorize the role to be authorized to the user.
In conjunction with the second aspect, in a first possible implementation of the second aspect, the first granting unit comprises:
a first judging sub-unit for judging whether the role to be authorized and any already authorized role are in the same inner mutual exclusion group;
a second judging sub-unit for refusing the authorization if the role to be authorized and an already authorized role are in the same inner mutual exclusion group, and otherwise further judging whether the outer mutual exclusion group to which the role to be authorized belongs includes all the already authorized roles;
a third judging sub-unit for refusing the authorization if the outer mutual exclusion group to which the role to be authorized belongs does not include all the already authorized roles, and otherwise further judging whether the outer mutual exclusion groups to which all the already authorized roles belong include the role to be authorized;
an authorizing sub-unit for refusing the authorization if the outer mutual exclusion groups to which all the already authorized roles belong do not include the role to be authorized, and otherwise allowing the authorization.
In conjunction with the second aspect, in a second possible implementation of the second aspect, the device further comprises:
a second granting unit for allowing the authorization when the user has no already authorized role.
In conjunction with the second aspect, in a third possible implementation of the second aspect, the first granting unit is specifically configured to:
allow the authorization if one and the same outer mutual exclusion group to which the role to be authorized belongs includes all the already authorized roles.
In conjunction with the second aspect, in a fourth possible implementation of the second aspect, the device further comprises:
a relationship group establishing unit for establishing the inner and outer mutual exclusion groups of the system, wherein the number of inner mutual exclusion groups is zero, one or more, the number of outer mutual exclusion groups is zero, one or more, an inner mutual exclusion group includes at least two roles, and an outer mutual exclusion group includes at least one role.
In the present invention, the role to be authorized and the already authorized roles of a user are obtained, and whether to authorize the role to be authorized to the user is decided according to the preset inner and outer mutual exclusion groups to which the role to be authorized belongs and the inner and outer mutual exclusion groups to which the already authorized roles belong. Compared with the existing function-based comparison method, the permission comparison procedure of the user authority control method of the present invention is simpler and its control accuracy is higher, which greatly improves the efficiency of user permission control.
Description of the drawings
Fig. 1 is a flowchart of the implementation of the user authority control method provided by the first embodiment of the present invention;
Fig. 2 is a flowchart of the implementation of authorizing a user according to relationship groups, provided by the second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the user authority control device provided by the third embodiment of the present invention.
Detailed description
In order to make the purpose, technical solution and advantages of the present invention clearer, the present invention is further elaborated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit it.
The user authority control method described in the embodiments of the present invention is intended to solve the following problem of the prior art. When user permissions are controlled, whether a role specified for a user conflicts with the already authorized roles has to be compared one by one by calling functions, and the values returned by these functions determine whether the assignment meets the constraint requirements. For a system with N roles, the compatibility of each role with the other N-1 roles has to be configured, which yields an N*N compatibility matrix; this matrix is checked whenever a user is authorized, and building and maintaining it is cumbersome and error-prone. On this basis, the present invention proposes a user authority control method that is simpler to use and more efficient in authorization, which is described in detail below with reference to the drawings.
Embodiment one:
Fig. 1 shows the implementation flow of the user authority control method provided by the first embodiment of the present invention, which is detailed as follows:
In step S101, the role to be authorized and the already authorized roles of a user are obtained.
Specifically, the role to be authorized described in the embodiments of the present invention is the role that is about to be assigned to a user, for example on occasions such as user registration, transfer or promotion, or because of work needs, where a user is assigned a role with certain specified permissions, such as needing authorization to take part in an important event or needing authorization to modify data, so that a role has to be assigned or set for the user in the system. The already authorized roles are the user's existing position roles, that is, the roles the user already holds; for example, a user is an "assistant manager" and, after promotion, the position role is changed to "manager".
The already authorized roles described in the embodiments of the present invention may be one or more, and may of course also be empty, that is, the user currently holds no position at all, as for a newly registered user. When the already authorized roles are empty, the subsequent judging operations are not needed and the authorization operation can be allowed directly.
In step S102, the preset inner and outer mutual exclusion groups to which the role to be authorized and the already authorized roles belong are obtained, wherein all roles in an inner mutual exclusion group are mutually exclusive with one another, all roles in an outer mutual exclusion group are compatible with one another, and every role in an outer mutual exclusion group is mutually exclusive with every role not in that group.
Specifically, an inner mutual exclusion group in the embodiments of the present invention is a group in which the relation between all roles is mutual exclusion. Roles located in the same inner mutual exclusion group cannot be authorized to the same user at the same time. For example, the accountant role and the auditor role may belong to the same inner mutual exclusion group; the group may also contain other roles, as long as any role in the group is in a mutual exclusion relation with the other roles in the group.
An outer mutual exclusion group is a group in which all roles are in a compatibility relation, that is, any role in the group is compatible with the other roles in the group. Moreover, each role in an outer mutual exclusion group is in a mutual exclusion relation with every role that is not in that group: once a user has been authorized a role in an outer mutual exclusion group, the user can no longer be authorized any role outside that group.
For example, if roles A, A1 and A2 belong to the same outer mutual exclusion group and roles B and C do not, a user may be authorized one or more of the roles A, A1 and A2. Once the user has been authorized a role in that outer mutual exclusion group, the user is not allowed to be authorized any role outside the group.
In the embodiments of the present invention, the preset inner and outer mutual exclusion groups to which the role to be authorized and the already authorized roles belong can be obtained by establishing in advance the inner and outer mutual exclusion groups to which all roles in the system belong and storing the established groups; when the groups to which the role to be authorized and the already authorized roles belong need to be looked up, the stored data is called directly.
After the inner and outer mutual exclusion groups of the system have been established, the data usually does not need to be updated when a user is added or a user's roles change. If a new role is added to the system, the stored relationship groups need to be adjusted according to the newly added role.
In the embodiments of the present invention, the inner and outer mutual exclusion groups of the system are established; the number of inner mutual exclusion groups may be zero, one or more, the number of outer mutual exclusion groups one or more, an inner mutual exclusion group includes at least two roles, and an outer mutual exclusion group includes at least one role.
In step S103, it is decided, according to the inner and outer mutual exclusion groups to which the role to be authorized and the already authorized roles belong, whether to authorize the role to be authorized to the user.
From the inner and outer mutual exclusion groups to which the role to be authorized belongs and the inner and outer mutual exclusion groups to which the already authorized roles belong, it can be detected quickly whether any role the user has already been authorized is incompatible with the role to be authorized; if there is an incompatibility the authorization is refused, otherwise it is allowed.
The present invention obtains the role to be authorized and the already authorized roles of a user, and decides according to the preset inner and outer mutual exclusion groups to which the role to be authorized belongs and the inner and outer mutual exclusion groups to which the already authorized roles belong whether to authorize the role to be authorized to the user. Compared with the existing function-based comparison method, the permission comparison procedure of the user authority control method of the present invention is simpler and its control accuracy is higher, which greatly improves the efficiency of user permission control.
Embodiment two:
Fig. 2 shows the implementation flow, provided by the second embodiment of the present invention, of deciding according to the inner and outer mutual exclusion groups to which the role to be authorized and the already authorized roles belong whether to authorize the role to be authorized to the user, which is detailed as follows:
In step S201, it is judged whether the role to be authorized and any already authorized role are in the same inner mutual exclusion group.
Specifically, in practice the role to be authorized and the already authorized roles must not be in a mutual exclusion relation; that is, two mutually exclusive roles, such as the accountant role and the auditor role, cannot be assigned to the same user.
Since any role in an inner mutual exclusion group of the present invention is in a mutual exclusion relation with the other roles in that group, the authorization can be refused as soon as the role to be authorized and any of the already authorized roles are detected to be in the same inner mutual exclusion group.
Judging whether the role to be authorized and the already authorized roles are in the same inner mutual exclusion group can be done by obtaining the inner mutual exclusion group to which the role to be authorized belongs; if any of the already authorized roles is located in that inner mutual exclusion group, the authorization is refused.
Alternatively, the inner mutual exclusion groups to which each already authorized role belongs can be obtained; if any of these inner mutual exclusion groups contains the role to be authorized, the authorization is refused.
In step S202, if the role to be authorized and an already authorized role are in the same inner mutual exclusion group, the authorization is refused; otherwise, it is further judged whether the outer mutual exclusion group to which the role to be authorized belongs includes all the already authorized roles.
That is, if the inner mutual exclusion groups do not directly lead to refusing the user's authorization, it is further judged whether the outer mutual exclusion group to which the role to be authorized belongs includes all the already authorized roles.
Within the outer mutual exclusion group to which the role to be authorized belongs, each role is compatible with the other roles in the group; however, the roles in an outer mutual exclusion group are in a mutual exclusion relation with the roles outside that group.
Since the role to be authorized may belong to several outer mutual exclusion groups, it cannot be concluded directly that the role to be authorized and the already authorized roles are compatible even when the outer mutual exclusion groups to which the role to be authorized belongs include all the already authorized roles; a further judgement is needed in step S203.
In step S203, if the outer mutual exclusion group to which the role to be authorized belongs does not include all the already authorized roles, the authorization is refused; otherwise, it is further judged whether the outer mutual exclusion groups to which all the already authorized roles belong include the role to be authorized.
If the outer mutual exclusion group to which the role to be authorized belongs does not include all the already authorized roles, the authorization is refused. If it does include all the already authorized roles, it is further judged whether the outer mutual exclusion groups to which all the already authorized roles belong include the role to be authorized.
By judging which roles the outer mutual exclusion groups of the already authorized roles include, if the outer mutual exclusion groups of the already authorized roles also include the role to be authorized, the role to be authorized satisfies the authorization condition, and step S204 is entered to authorize the role to be authorized.
In step S204, if the outer mutual exclusion groups to which all the already authorized roles belong do not include the role to be authorized, the authorization is refused; otherwise, it is allowed.
In a further optimized embodiment of the present invention, the method may also include: if one and the same outer mutual exclusion group to which the role to be authorized belongs includes all the already authorized roles, the authorization is allowed. The benefit of judging in this way is that the efficiency of the authorization decision is improved.
The present invention makes the authorization decision by combining the already authorized roles with the outer and inner mutual exclusion groups of the role to be authorized; compared with the one-by-one comparison of the prior art, the authorization of the present invention is more efficient.
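The decision procedure of steps S201 to S204, together with the empty-role shortcut of embodiment one and the single-outer-group shortcut of the optimized embodiment, as an added Python example that is not part of the patent or of any implementation by the applicant. The group table layout, the function names and the sample roles are assumptions, as is the placement of the single-group shortcut after the inner-group check.

```python
"""Authorization decision over inner/outer mutual exclusion groups (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class RelationGroups:
    """The stored group table that a relationship group establishing unit would produce."""
    # Inner groups: every role in one group is mutually exclusive with the others in it.
    inner: Tuple[FrozenSet[str], ...]
    # Outer groups: roles in one group are compatible with each other and mutually
    # exclusive with every role outside that group.
    outer: Tuple[FrozenSet[str], ...]

    def validate(self) -> None:
        """Size rules from the description: inner groups >= 2 roles, outer groups >= 1 role."""
        for g in self.inner:
            if len(g) < 2:
                raise ValueError(f"inner group {sorted(g)} needs at least two roles")
        for g in self.outer:
            if len(g) < 1:
                raise ValueError("an outer group needs at least one role")

    def inner_groups_of(self, role: str) -> List[FrozenSet[str]]:
        return [g for g in self.inner if role in g]

    def outer_groups_of(self, role: str) -> List[FrozenSet[str]]:
        return [g for g in self.outer if role in g]


def check_authorization(candidate: str, authorized: Iterable[str],
                        groups: RelationGroups) -> Tuple[bool, str]:
    """Decide whether `candidate` may be granted to a user who already holds `authorized`.

    Returns (allowed, reason); the reason names the step that settled the decision.
    """
    held = frozenset(authorized)

    # Second granting unit: a user with no roles yet (e.g. a new registration) is allowed.
    if not held:
        return True, "no authorized roles"

    # S201: refuse if the candidate shares an inner mutual exclusion group with a held role.
    for g in groups.inner_groups_of(candidate):
        clash = g & held
        if clash:
            return False, f"S201: {candidate} and {sorted(clash)} share an inner group"

    cand_outer = groups.outer_groups_of(candidate)

    # Optimized embodiment (assumed to run after S201): a single outer group holding the
    # candidate and every held role settles the decision at once.
    for g in cand_outer:
        if held <= g:
            return True, "single outer group holds candidate and all authorized roles"

    # S202: the outer groups of the candidate must, between them, include every held role.
    covered = frozenset().union(*cand_outer)
    missing = held - covered
    if missing:
        return False, f"S202: {sorted(missing)} not in any outer group of {candidate}"

    # S203: the outer groups of every held role must include the candidate. With a
    # consistently stored group table this follows from S202; the patent performs it
    # anyway, so it is kept and doubles as a consistency check on the stored data.
    for role in sorted(held):
        if not any(candidate in g for g in groups.outer_groups_of(role)):
            return False, f"S203: outer groups of {role} do not include {candidate}"

    # S204: every check passed.
    return True, "S204: compatible"


# Constructed sample table mirroring the description's examples (accountant/auditor and
# manager/assistant manager as inner groups; A, A1, A2 as one outer group with B and C
# outside it; X in two outer groups). Not data from the patent.
SAMPLE = RelationGroups(
    inner=(frozenset({"accountant", "auditor"}),
           frozenset({"manager", "assistant_manager"})),
    outer=(frozenset({"A", "A1", "A2"}),
           frozenset({"X", "Y"}), frozenset({"X", "Z"})),
)

if __name__ == "__main__":
    SAMPLE.validate()
    for cand, held in [("auditor", {"accountant"}), ("A1", {"A"}), ("B", {"A"}),
                       ("X", {"Y", "Z"}), ("manager", set())]:
        print(cand, sorted(held), check_authorization(cand, held, SAMPLE))
```

Followed literally, steps S202 and S203 refuse a candidate that belongs to no outer mutual exclusion group whenever the user already holds a role, so roles that are meant to be freely combinable must be placed in a common outer group rather than left ungrouped.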
Embodiment three:
Fig. 3 shows the structural schematic diagram of the user authority control device provided by the third embodiment of the present invention, which is detailed as follows:
The user authority control device described in the embodiments of the present invention comprises:
a role acquiring unit 301 for obtaining the role to be authorized and the already authorized roles of a user;
a relationship group acquiring unit 302 for obtaining the preset inner and outer mutual exclusion groups to which the role to be authorized and the already authorized roles belong, wherein all roles in an inner mutual exclusion group are mutually exclusive with one another, all roles in an outer mutual exclusion group are compatible with one another, and every role in an outer mutual exclusion group is mutually exclusive with every role not in that group;
a first granting unit 303 for deciding, according to the inner and outer mutual exclusion groups to which the role to be authorized and the already authorized roles belong, whether to authorize the role to be authorized to the user.
Preferably, the first granting unit comprises:
a first judging sub-unit for judging whether the role to be authorized and any already authorized role are in the same inner mutual exclusion group;
a second judging sub-unit for refusing the authorization if the role to be authorized and an already authorized role are in the same inner mutual exclusion group, and otherwise further judging whether the outer mutual exclusion group to which the role to be authorized belongs includes all the already authorized roles;
a third judging sub-unit for refusing the authorization if the outer mutual exclusion group to which the role to be authorized belongs does not include all the already authorized roles, and otherwise further judging whether the outer mutual exclusion groups to which all the already authorized roles belong include the role to be authorized;
an authorizing sub-unit for refusing the authorization if the outer mutual exclusion groups to which all the already authorized roles belong do not include the role to be authorized, and otherwise allowing the authorization.
Preferably, the device further comprises:
a second granting unit for allowing the authorization when the user has no already authorized role.
Preferably, the first granting unit is specifically configured to:
allow the authorization if one and the same outer mutual exclusion group to which the role to be authorized belongs includes all the already authorized roles.
Preferably, the device further comprises:
a relationship group establishing unit for establishing the inner and outer mutual exclusion groups of the system, wherein the number of inner mutual exclusion groups is zero, one or more, the number of outer mutual exclusion groups is one or more, an inner mutual exclusion group includes at least two roles, and an outer mutual exclusion group includes at least one role.
The user authority control device described in the embodiments of the present invention corresponds to the user authority control methods of embodiments one and two, and is therefore not described again here.
In the several embodiments provided by the present invention, it should be understood that the disclosed device and method may be implemented in other ways. For example, the device embodiments described above are merely exemplary; the division into units is only a division by logical function, and other divisions are possible in actual implementation, for example several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the method of each embodiment of the present invention. The storage medium includes various media capable of storing program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.

Claims (10)

1. A user authority control method, characterized in that the method comprises:
obtaining a user's role to be authorized and the user's already-authorized roles;
obtaining the preset inner mutual exclusion group and outer mutual exclusion group to which the role to be authorized and the already-authorized roles belong, wherein all roles in an inner mutual exclusion group are mutually exclusive with one another, all roles in an outer mutual exclusion group are compatible with one another, and all roles in an outer mutual exclusion group are mutually exclusive with all roles outside that group;
judging, according to the inner mutual exclusion group and outer mutual exclusion group to which the role to be authorized and the already-authorized roles belong, whether to authorize the role to be authorized to the user: if the role to be authorized is incompatible with the already-authorized roles, refusing the authorization; if the role to be authorized is compatible with the already-authorized roles, allowing the authorization.
2. The method according to claim 1, characterized in that the step of judging, according to the inner mutual exclusion group and outer mutual exclusion group to which the role to be authorized and the already-authorized roles belong, whether to authorize the role to be authorized to the user comprises:
judging whether the role to be authorized and an already-authorized role are in the same inner mutual exclusion group;
if the role to be authorized and an already-authorized role are in the same inner mutual exclusion group, refusing the authorization; otherwise, further judging whether the outer mutual exclusion group to which the role to be authorized belongs includes all already-authorized roles;
if the outer mutual exclusion group to which the role to be authorized belongs does not include all already-authorized roles, refusing the authorization; otherwise, further judging whether the outer mutual exclusion groups to which all already-authorized roles belong include the role to be authorized;
if the outer mutual exclusion groups to which all already-authorized roles belong do not include the role to be authorized, refusing the authorization; otherwise, allowing the authorization.
3. The method according to claim 1, characterized in that the method further comprises:
when the user has no already-authorized role, allowing the authorization.
4. The method according to claim 1, characterized in that the step of judging, according to the inner mutual exclusion group and outer mutual exclusion group to which the role to be authorized and the already-authorized roles belong, whether to authorize the role to be authorized to the user comprises:
if the same outer mutual exclusion group to which the role to be authorized belongs includes all already-authorized roles, allowing the authorization.
5. The method according to claim 1, characterized in that, before the step of obtaining the preset inner mutual exclusion group and outer mutual exclusion group to which the role to be authorized and the already-authorized roles belong, the method further comprises:
establishing the inner mutual exclusion groups and outer mutual exclusion groups of the system, wherein the number of inner mutual exclusion groups is zero, one or more, the number of outer mutual exclusion groups is zero, one or more, an inner mutual exclusion group includes at least two roles, and an outer mutual exclusion group includes at least one role.
6. A user authority control device, characterized in that the device comprises:
a role acquiring unit, for obtaining a user's role to be authorized and the user's already-authorized roles;
a relationship group acquiring unit, for obtaining the preset inner mutual exclusion group and outer mutual exclusion group to which the role to be authorized and the already-authorized roles belong, wherein all roles in an inner mutual exclusion group are mutually exclusive with one another, all roles in an outer mutual exclusion group are compatible with one another, and all roles in an outer mutual exclusion group are mutually exclusive with all roles outside that group;
a first authorization unit, for judging, according to the inner mutual exclusion group and outer mutual exclusion group to which the role to be authorized and the already-authorized roles belong, whether to authorize the role to be authorized to the user: if the role to be authorized is incompatible with the already-authorized roles, refusing the authorization; if the role to be authorized is compatible with the already-authorized roles, allowing the authorization.
7. The device according to claim 6, characterized in that the first authorization unit comprises:
a first judging sub-unit, for judging whether the role to be authorized and an already-authorized role are in the same inner mutual exclusion group;
a second judging sub-unit, for refusing the authorization if the role to be authorized and an already-authorized role are in the same inner mutual exclusion group, and otherwise further judging whether the outer mutual exclusion group to which the role to be authorized belongs includes all already-authorized roles;
a third judging sub-unit, for refusing the authorization if the outer mutual exclusion group to which the role to be authorized belongs does not include all already-authorized roles, and otherwise further judging whether the outer mutual exclusion groups to which all already-authorized roles belong include the role to be authorized;
an authorizing sub-unit, for refusing the authorization if the outer mutual exclusion groups to which all already-authorized roles belong do not include the role to be authorized, and otherwise allowing the authorization.
8. The device according to claim 6, characterized in that the device further comprises:
a second authorization unit, for allowing the authorization when the user has no already-authorized role.
9. The device according to claim 6, characterized in that the first authorization unit is specifically used for:
allowing the authorization if the same outer mutual exclusion group to which the role to be authorized belongs includes all already-authorized roles.
10. The device according to claim 6, characterized in that the device further comprises:
establishing the inner mutual exclusion groups and outer mutual exclusion groups of the system, wherein the number of inner mutual exclusion groups is zero, one or more, the number of outer mutual exclusion groups is zero, one or more, an inner mutual exclusion group includes at least two roles, and an outer mutual exclusion group includes at least one role.
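The decision procedure of claims 1 to 5, and its device form in claims 6 to 10, worked through as an added Python example. This is not code from the patent or its assignee. The role names are constructed; the rule that a role belongs to at most one outer mutual exclusion group, the treatment of a role that belongs to no outer group (it imposes no outer-group constraint), and the no-op handling of re-granting a role the user already holds are assumptions, since the claims do not fix them. Claim 4 (all held roles lie in the same outer group as the new role) falls out of steps 2 and 3 of claim 2 and needs no separate branch.

```python
# Added example: static separation-of-duty check with inner and outer
# mutual exclusion groups, following the order of checks in claim 2.
# Not code from the patent; role names and the assumptions noted below
# are the example's own.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass
class MutexPolicy:
    """Inner and outer mutual exclusion groups (claim 5).

    inner_groups: every role in a group excludes every other role in it.
    outer_groups: roles in a group are compatible with each other and
                  exclusive with every role outside the group.
    """
    inner_groups: List[FrozenSet[str]] = field(default_factory=list)
    outer_groups: List[FrozenSet[str]] = field(default_factory=list)

    def validate(self) -> None:
        # Claim 5: an inner group has at least two roles, an outer group at least one.
        for g in self.inner_groups:
            if len(g) < 2:
                raise ValueError(f"inner group {sorted(g)} needs at least two roles")
        for g in self.outer_groups:
            if len(g) < 1:
                raise ValueError("outer group must not be empty")
        # Assumption (not stated in the claims): a role belongs to at most one
        # outer group, since the claims speak of "the" outer group of a role.
        seen: Set[str] = set()
        for g in self.outer_groups:
            if seen & g:
                raise ValueError(f"role(s) {sorted(seen & g)} in more than one outer group")
            seen |= g

    def outer_group_of(self, role: str) -> Optional[FrozenSet[str]]:
        for g in self.outer_groups:
            if role in g:
                return g
        return None


def can_authorize(policy: MutexPolicy, authorized: Set[str], role: str) -> Tuple[bool, str]:
    """Decide whether `role` may be granted to a user who already holds `authorized`.

    Returns (allowed, reason). Check order follows claim 2; claim 3 is the
    empty-set shortcut.
    """
    if role in authorized:
        return True, "role already held"  # assumption: re-granting is a no-op
    if not authorized:
        return True, "user has no authorized roles"  # claim 3
    # Step 1: same inner mutual exclusion group as any held role -> refuse.
    for g in policy.inner_groups:
        clash = authorized & g
        if role in g and clash:
            return False, f"{role} is in an inner mutual exclusion group with {sorted(clash)}"
    # Step 2: the outer group of the new role must contain every held role.
    own = policy.outer_group_of(role)
    if own is not None and not authorized <= own:
        return False, f"outer group of {role} excludes held role(s) {sorted(authorized - own)}"
    # Step 3: the outer group of every held role must contain the new role.
    # Assumption: a held role that is in no outer group imposes no constraint here.
    for held in sorted(authorized):
        g = policy.outer_group_of(held)
        if g is not None and role not in g:
            return False, f"outer group of held role {held} excludes {role}"
    return True, "compatible"


def grant_all(policy: MutexPolicy, requests: List[str]) -> Tuple[Set[str], List[Tuple[str, str]]]:
    """Apply a sequence of grant requests in order; return the roles held and the rejections."""
    held: Set[str] = set()
    rejected: List[Tuple[str, str]] = []
    for role in requests:
        ok, why = can_authorize(policy, held, role)
        if ok:
            held.add(role)
        else:
            rejected.append((role, why))
    return held, rejected


# Constructed sample policy with hypothetical role names (not from the patent):
# cashier and auditor exclude each other; sysadmin and ops form an outer group
# that excludes every other role; developer and qa are in no group.
SAMPLE_POLICY = MutexPolicy(
    inner_groups=[frozenset({"cashier", "auditor"})],
    outer_groups=[frozenset({"sysadmin", "ops"})],
)
SAMPLE_POLICY.validate()

if __name__ == "__main__":
    held, rejected = grant_all(SAMPLE_POLICY, ["cashier", "auditor", "sysadmin", "developer"])
    print("held:", sorted(held))
    for role, why in rejected:
        print("rejected", role, "->", why)
```

Because the check is evaluated at grant time against the roles the user already holds, the order of requests matters: in the sample run above `sysadmin` is refused because `cashier` is already held, whereas a user whose first grant is `sysadmin` would later be refused `cashier`. A deployment that wants order-independent results should validate the whole intended role set rather than one grant at a time.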

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510843681.2A CN105373714B (en) 2015-11-26 2015-11-26 A kind of user authority control method and device

Publications (2)

Publication Number Publication Date
CN105373714A CN105373714A (en) 2016-03-02
CN105373714B true CN105373714B (en) 2018-08-31

Family

ID=55375907

Country Status (1)

Country Link
CN (1) CN105373714B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105939221B (en) * 2016-05-09 2019-05-07 杭州迪普科技股份有限公司 The configuration method and device of the network equipment
CN107679749B (en) * 2017-09-30 2021-05-25 新奥(中国)燃气投资有限公司 Authority application approval method and authorization management platform
CN109246079B (en) * 2018-08-02 2021-09-24 网易乐得科技有限公司 Authority management method, system, medium and electronic device
CN110750780B (en) * 2019-10-16 2023-04-18 北京微星优财网络科技有限公司 User role permission fusion method, device and equipment based on multi-service system
CN110929250A (en) * 2019-12-02 2020-03-27 山东中创软件工程股份有限公司 Permission inheritance method, device, equipment and medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101976314A (en) * 2010-09-21 2011-02-16 用友软件股份有限公司 Access control method and system
CN103560994A (en) * 2013-08-16 2014-02-05 中山大学 Context-aware-based security access control method for RFID system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9137263B2 (en) * 2013-01-04 2015-09-15 International Business Machines Corporation Generating role-based access control policies based on discovered risk-averse roles

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Chen Sheng et al., "Research and application of role mutual exclusion in the RBAC model", Computer Technology and Development (《计算机技术与发展》), 2012-12-31, Vol. 22, No. 12, pp. 21-24, 28 *
Fu Zhifeng et al., "Implementation of separation of duty in RBAC systems", Computer Engineering (《计算机工程》), 2003-04-30, Vol. 29, No. 6, pp. 61-63 *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant