CN105760745A - Permission management method and device - Google Patents


Info

Publication number: CN105760745A
Application number: CN201410779339.6A
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 王强兵
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Legal status: Pending
Prior art keywords: authorization data, permission checks, user

Abstract

Embodiments of the invention provide a permission management method and device. The method obtains, for each item of authorization data, the number of historical permission checks within a first time period, where the types of authorization data include permission-role combinations, role-user combinations and permission-user combinations; determines, for each item of authorization data, whether its authorization is reasonable according to the historical check count and a check-count threshold; and revokes any item of authorization data whose authorization is determined to be unreasonable. Problems or risks in authorization are thereby detected in a timely and effective way and corrected.

Description

Permission management method and device
Technical field
Embodiments of the invention relate to computer technology, and in particular to a permission management method and device.
Background
Permission management means that, under the security rules or security policy configured for a system, a user can access, and can only access, the resources that it has been authorized to use. Permission management is present in almost every system today, enterprise permission management being one example. Enterprise permission management is a complex process: it involves mapping the organization and its posts as well as the movement and administration of personnel, and it may suffer from disordered permissions, permission inflation (over-authorization) and scattered grants that are hard to trace.
To address these problems, existing enterprise permission management is typically built on role-based access control (RBAC), with a unified security administration centre that registers permissions, grants them and performs permission checks centrally. For safety, the prior art typically relies on query views of the permission grant data and on manual query and comparison to decide whether permissions are reasonably allocated: for example, checking from an employee's dimension whether the roles and permissions granted to that employee are correct, from a role's dimension whether all permissions granted to the role are correct, or from a permission's dimension whether the roles or employees associated with it are correct.
Identifying whether permissions are reasonably allocated by manual query and comparison is, however, cumbersome, difficult and error-prone.
Summary of the invention
Embodiments of the invention provide a permission management method and device that detect problems or risks in authorization in a timely and effective way and correct them.
In a first aspect, an embodiment of the invention provides a permission management method, including:
obtaining, for each item of authorization data, the number of historical permission checks within a first time period, where the types of authorization data include permission-role combinations, role-user combinations and permission-user combinations;
determining, for each item of authorization data, whether its authorization is reasonable according to the historical check count and a check-count threshold, and revoking any item of authorization data whose authorization is determined to be unreasonable.
In a first possible implementation of the first aspect, determining for each item of authorization data whether its authorization is reasonable according to the historical check count and the check-count threshold includes:
if the historical check count of the authorization data within the first time period is less than the check-count threshold, determining that its authorization is unreasonable; otherwise, determining that its authorization is reasonable.
In a second possible implementation of the first aspect (in combination with the first aspect or its first implementation), obtaining the historical check count of each item of authorization data within the first time period includes:
counting, by querying permission-check path information, the historical checks of each item of authorization data within the first time period, where the path information comprises the access path taken by each permission check.
In a third possible implementation of the first aspect (in combination with the first aspect or any of its first or second implementations), before revoking the authorization data the method also includes:
reconfirming from the permission-check path information that the authorization of the authorization data is unreasonable.
In a fourth possible implementation of the first aspect (in combination with the first aspect or any of its first to third implementations), before obtaining the historical check counts the method also includes:
recording the permission-check path information for every check of each item of authorization data.
In a second aspect, an embodiment of the invention provides a permission management device, including:
an acquisition module, configured to obtain, for each item of authorization data, the number of historical permission checks within a first time period, where the types of authorization data include permission-role combinations, role-user combinations and permission-user combinations;
a judgement module, configured to determine, for each item of authorization data, whether its authorization is reasonable according to the historical check count and a check-count threshold, and to revoke any item of authorization data whose authorization is determined to be unreasonable.
In a first possible implementation of the second aspect, the judgement module is specifically configured to:
determine that the authorization of an item of authorization data is unreasonable if its historical check count within the first time period is less than the check-count threshold, and otherwise determine that its authorization is reasonable.
In a second possible implementation of the second aspect (in combination with the second aspect or its first implementation), the acquisition module is specifically configured to:
count, by querying permission-check path information, the historical checks of each item of authorization data within the first time period, where the path information comprises the access path taken by each permission check.
In a third possible implementation of the second aspect (in combination with the second aspect or any of its first or second implementations), the device also includes:
a confirmation module, configured to reconfirm from the permission-check path information that the authorization of the authorization data is unreasonable.
In a fourth possible implementation of the second aspect (in combination with the second aspect or any of its first to third implementations), the device also includes:
a recording module, configured to record the permission-check path information for every check of each item of authorization data.
In the invention, the number of historical permission checks within a first time period is obtained for each item of authorization data, the types of authorization data including permission-role combinations, role-user combinations and permission-user combinations; whether the authorization of each item is reasonable is then determined according to its historical check count and a check-count threshold, and any item whose authorization is determined to be unreasonable is revoked. Problems or risks in authorization can thus be detected in a timely and effective way and corrected.
Description of the drawings
To illustrate the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of permission management based on RBAC;
Fig. 2A is a schematic diagram of the principle of the permission management method of the invention;
Fig. 2B is a flow chart of embodiment one of the permission management method of the invention;
Fig. 3 is a flow chart of embodiment two of the permission management method of the invention;
Fig. 4 is a flow chart of embodiment four of the permission management method of the invention;
Fig. 5 is a schematic diagram of the detection flow of the invention;
Fig. 6 is a structural diagram of embodiment one of the permission management device of the invention;
Fig. 7 is a structural diagram of embodiment two of the permission management device of the invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the invention; all other embodiments that those of ordinary skill in the art obtain from them without creative effort fall within the scope of protection of the invention.
Fig. 1 is a schematic diagram of permission management based on RBAC, an effective access control scheme for implementing an enterprise's security policy. As shown in Fig. 1, the basic idea of RBAC is that the various permissions for operating on the system are not granted directly to concrete users; instead a set of roles is established between the set of users and the set of permissions, each role corresponding to a group of permissions (optionally forming a role-permission table). Once a user has been assigned a suitable role (optionally forming a user-role table), the user holds all the operating permissions of that role. With RBAC, permissions need not be assigned individually each time a user is created; only the appropriate roles need to be assigned, and the permissions of roles change far less often than those of individual users, so user permission management is simplified and some overhead is saved.
Another permission management mechanism also supports granting permissions to users directly, without having to consider role-permission growth or permission inflation, which makes granting to users more flexible and convenient.
Fig. 2A is a schematic diagram of the principle of the permission management method of the invention. As shown in Fig. 2A, permission management is broadly divided into two parts: granting permissions and checking permissions. Granting defines the roles in the system, assigns suitable permissions to the roles and assigns suitable roles to users (Fig. 2A is drawn for RBAC); when permissions are granted to users directly, the granting part instead assigns suitable permissions to users (not shown). The checking part verifies permissions during business use, that is, it verifies whether a user holds the corresponding permission. As shown in Fig. 2A, the invention records the history of permission-check paths to obtain permission-check path information (which belongs to the core data); the authorization data produced by granting is then examined against that path information to determine whether the authorization of each item of authorization data is reasonable, and any item determined to be unreasonable is revoked, so as to prevent unauthorized access by other users in time.
In the embodiments of the invention, the permission-check path under RBAC is User -> Role -> Permission, and the corresponding check proceeds as follows: obtain one Role of the current User, then determine whether that Role carries the requested Permission; if not, obtain another Role of the User and test it, and so on until all Roles have been searched. The access path taken by each check (the permission-check trace history) can be recorded so that the authorization data can later be examined against the path information.
Fig. 2B is a flow chart of embodiment one of the permission management method of the invention. The method may be executed by a permission management device deployed in an information technology (IT) system and implemented in software and/or hardware. The scheme applies to secure resource access in an IT system: a user who logs in to the system can access only the resources licensed to that user and cannot access resources not authorized to that user. As shown in Fig. 2B, the method of this embodiment may include:
S201: obtain, for each item of authorization data, the number of historical permission checks within a first time period.
In the embodiments of the invention, the historical check count of each item of authorization data within the first time period is obtained so that whether the authorization of each item is reasonable can be judged from it. Optionally, the types of authorization data include permission (Permission) and role (Role) combinations, role and user (User) combinations, and permission and user combinations. The authorization data differs with the permission management mechanism: when permissions are granted to users directly, the authorization data is of the permission-user type; under RBAC it may be of the permission-role or role-user type. Optionally, the first time period may be preset by the system or defined by the user.
Optionally, step S201 includes: counting, by querying the permission-check path information, the historical checks of each item of authorization data within the first time period.
In the embodiments of the invention, step S201 is optionally preceded by recording the permission-check path information for every check of each item of authorization data, where the path information comprises the access path taken by each check (the permission-check trace history). The path information can be stored in table form; Table 1A and Table 1B show two storage layouts.
Table 1A: permission-check path storage layout one

Permission ID | Check serial number | Check path | Check time
Permission*** | *** | User***→Role***→Permission*** | ******

Table 1B: permission-check path storage layout two

Permission ID | Check serial number | Check path | Check time
Permission*** | *** | User***→Permission*** | ******

Optionally, (1) under RBAC the path information has the form "user-role-permission", as in Table 1A; (2) when permissions are granted to users directly it has the form "user-permission", as in Table 1B. The historical check count of each item of authorization data within the first time period is then determined from the path information, optionally by querying the path information and counting the checks of each item separately.
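The path-recording check described above, as an added example that is not part of the patent text: a small Python RBAC checker that tries the user's roles one by one, as the patent describes, and on success writes a row in the Table 1A layout (User→Role→Permission), or in the Table 1B layout (User→Permission) for a direct grant. The class and method names, the sample users, roles and permissions, and the choice to support both layouts in one checker (the patent treats them as two separate mechanisms) are assumptions of this example.

```python
"""Added example, not part of the patent text: an RBAC permission check that
records the path it took in the Table 1A / Table 1B layout. The class and
field names are assumptions; the patent describes the path, not this code."""
from dataclasses import dataclass
from datetime import datetime
from itertools import count


@dataclass(frozen=True)
class CheckRecord:
    """One row of the path table: permission, serial number, path, time."""
    permission: str
    serial: int
    path: str  # "User→Role→Permission" under RBAC, "User→Permission" for a direct grant
    checked_at: datetime


class PermissionChecker:
    def __init__(self, user_roles, role_perms, user_perms=None):
        self.user_roles = user_roles          # user -> ordered list of roles (RBAC)
        self.role_perms = role_perms          # role -> set of permissions (RBAC)
        self.user_perms = user_perms or {}    # user -> set of directly granted permissions
        self.records = []                     # the path table, in check order
        self._serial = count(1)

    def _record(self, permission, path, now):
        rec = CheckRecord(permission, next(self._serial), path, now)
        self.records.append(rec)
        return rec

    def check(self, user, permission, now=None):
        """Return True if the user holds the permission and record the path used.
        Direct grants are tried first (an assumption of this example); then the
        user's roles are tried one by one until one carries the permission. A
        denied check has no path and so, like Table 1A, leaves no row here."""
        now = now or datetime.now()
        if permission in self.user_perms.get(user, set()):
            self._record(permission, f"{user}→{permission}", now)
            return True
        for role in self.user_roles.get(user, []):
            if permission in self.role_perms.get(role, set()):
                self._record(permission, f"{user}→{role}→{permission}", now)
                return True
        return False

    def history(self, permission, since):
        """Query the path table for one permission from a point in time (S201)."""
        return [r for r in self.records
                if r.permission == permission and r.checked_at >= since]


if __name__ == "__main__":
    # Constructed sample: UserC holds RoleA and RoleB; UserD has PermissionA directly.
    checker = PermissionChecker(
        user_roles={"UserC": ["RoleA", "RoleB"]},
        role_perms={"RoleA": {"PermissionA"}, "RoleB": {"PermissionA", "PermissionB"}},
        user_perms={"UserD": {"PermissionA"}},
    )
    t = datetime(2014, 7, 1)
    checker.check("UserC", "PermissionA", t)   # UserC→RoleA→PermissionA
    checker.check("UserC", "PermissionB", t)   # UserC→RoleB→PermissionB
    checker.check("UserD", "PermissionA", t)   # UserD→PermissionA
    checker.check("UserD", "PermissionB", t)   # denied, no row
    for r in checker.records:
        print(r.serial, r.path)
```

Because only successful checks produce a path, the table records use, not attempts; the counts that the later steps compare against a threshold are therefore counts of times a grant was actually exercised.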
Optionally, step S201 is also preceded by obtaining each item of authorization data from the core data.
In the embodiments of the invention, as shown in Fig. 2A, each item of authorization data is first obtained from the core data so that its historical check count within the first time period can then be obtained.
S202: determine, for each item of authorization data, whether its authorization is reasonable according to the historical check count and a check-count threshold, and revoke any item of authorization data whose authorization is determined to be unreasonable.
In the embodiments of the invention, whether the authorization of each item of authorization data is reasonable is judged from its historical check count within the first time period and a check-count threshold that may be preset by the system or defined by the user. Optionally, if the historical check count of an item within the first time period is less than the threshold (that is, the item is actually checked rarely, so its authorization is likely unreasonable), its authorization is judged unreasonable and the item is revoked; problems or risks in authorization are thereby detected effectively, and optionally the authorization data can be revoked with one click to correct them, preventing unauthorized access by other users in time. Otherwise, the authorization of the item is judged reasonable.
Optionally, the same first time period and the same check-count threshold can be used for all authorization data, but different time periods and/or thresholds can also be set for different authorization data. For example, the first time period for management-category users can be set to A1 with a corresponding threshold B1, and that for technical-category users to A2 with a threshold B2; the historical check counts of management users (within A1) are then compared with B1 and those of technical users (within A2) with B2. Other ways of setting the first time period and the threshold are of course possible, and the invention does not limit them.
To ensure that authorization data is revoked accurately, step S202 optionally also includes, before the revocation: reconfirming from the permission-check path information that the authorization of the authorization data is unreasonable.
In the embodiments of the invention, when the authorization of an item of authorization data has been preliminarily judged unreasonable from its historical check count and the threshold, whether it is reasonable is judged a second time from the permission-check path information. If it is again determined to be unreasonable, the item is revoked; if it is determined to be reasonable, the procedure ends directly, or the first time period and/or the threshold are reset and step S201 is executed again. Optionally, the check information of the item is queried again from the path information (for example, learning that the item is used by user A), the permission information of user A is then queried, and it is determined whether user A's permission information contains the permission in the item; if it does not, user A is determined to be misusing the item (the authorization is unreasonable), otherwise the authorization is reasonable. Optionally, (1) under RBAC this is done by determining whether the permissions of all roles of user A contain the permission in the item; (2) when permissions are granted to users directly, it is determined directly whether user A's permission information contains the permission.
In the embodiments of the invention, the number of historical permission checks within a first time period is obtained for each item of authorization data, the types of authorization data including permission-role combinations, role-user combinations and permission-user combinations; whether the authorization of each item is reasonable is then determined according to its historical check count and a check-count threshold, and any item determined to be unreasonable is revoked. Problems or risks in authorization can thus be detected in a timely and effective way and corrected.
Optionally, after the authorization data has been revoked, the method also includes: restoring the authorization data if the revocation is judged to have been a mistake.
In the embodiments of the invention, if a revocation is judged to have been a mistake after the authorization data has been revoked, the authorization data is optionally restored (that is, the permission grant relationship that existed before the revocation is restored), re-adding the mistakenly revoked permission to the corresponding role or user. Optionally, a detailed revocation log (recording, for example, the revoked permission and its grant relationship) is written when authorization data is revoked; in the rare case that a revocation is judged mistaken, the log can be queried and the grant relationship that existed before the revocation restored with one click from the log entry corresponding to the mistakenly revoked item, the one-click restore being implemented in software.
Fig. 3 is a flow chart of embodiment two of the permission management method of the invention. As shown in Fig. 3, the method of this embodiment includes:
S301: initial settings.
In the embodiments of the invention, the first time period and the check-count threshold can be preset, for example to a first time period of 6 months and a threshold of 3 checks.
S302: obtain all authorization data from the core data.
S303: obtain the historical check count of each item of authorization data within the first time period.
In the embodiments of the invention, the historical checks of each item of authorization data within the 6 months are counted by querying the recorded permission-check path information. Suppose PermissionA has been assigned to both RoleA and RoleB, so that PermissionA has two items of authorization data (PermissionA-RoleA and PermissionA-RoleB), and suppose the path information recorded for PermissionA over the past 6 months is as shown in Table 2.
Table 2: permission-check path information table one

Permission ID | Check serial number | Check path | Check time
Permission A | ×× | User C→Role A→Permission A | ******
Permission A | ×× | User C→Role A→Permission A | ******
Permission A | ×× | User C→Role B→Permission A | ******
Permission A | ×× | User D→Role B→Permission A | ******
Permission A | ×× | User E→Role B→Permission A | ******
Permission A | ×× | User C→Role B→Permission A | ******

From Table 2, the historical check count of the PermissionA-RoleA authorization data within the 6 months is 2 (Table 3A gives the count and Table 3B the corresponding check paths in detail), and that of the PermissionA-RoleB authorization data within the 6 months is 4.
Table 3A: check-count statistics table one

Permission ID | Role | Historical check count
Permission A | Role A | 2

Table 3B: permission-check path information table two

Permission ID | Check path | Check time
Permission A | User C→Role A→Permission A | ******
Permission A | User C→Role A→Permission A | ******
S304: determine, for each item of authorization data, whether its authorization is reasonable according to the historical check count and the check-count threshold.
In the embodiments of the invention, if the historical check count of an item of authorization data within the first time period is less than the threshold, its authorization is judged unreasonable; otherwise it is judged reasonable (a count equal to the threshold is not less than it and therefore passes). From Table 2, the PermissionA-RoleB authorization data was checked 4 times within the 6 months, more than the preset threshold of 3, so its authorization is reasonable. From Table 2, Table 3A and Table 3B, the PermissionA-RoleA authorization data was checked 2 times within the 6 months, fewer than the preset threshold of 3, so it meets the detection condition and its authorization is likely unreasonable; optionally, the PermissionA-RoleA item is displayed on the detection page.
S305: reconfirm from the permission-check path information that the authorization of the authorization data is unreasonable.
In the embodiments of the invention, when the authorization of an item has been preliminarily judged unreasonable from its historical check count and the threshold, whether it is reasonable is judged a second time from the path information, and the item is revoked only if it is again determined to be unreasonable. Optionally, the check information of the item is queried again from the path information (for example, determining that both uses of PermissionA-RoleA were by User C), the permission information of User C is then queried, and it is determined whether it contains the permission in the item (PermissionA); if it does not, User C is determined to be misusing the item (the authorization is unreasonable) and step S306 is executed; otherwise the authorization is reasonable and the procedure ends directly, or the first time period and/or the threshold are reset and step S303 is executed again.
S306: revoke the authorization data.
In the embodiments of the invention, once the authorization of the item is determined to be unreasonable, it can be revoked with one click, for example by removing PermissionA from RoleA. One-click revocation can be implemented in software; optionally a revoke button is provided on the detection page, and clicking it triggers the revocation. Optionally, a detailed revocation log (recording, for example, the revoked permission and its grant relationship) is written when authorization data is revoked so that, in the rare case that a revocation is judged mistaken, the log can be queried and the item (that is, the permission grant relationship that existed before the revocation) restored with one click from the log entry corresponding to the mistakenly revoked item.
In the embodiments of the invention, the number of historical permission checks within a first time period is obtained for each item of authorization data, the types of authorization data including permission-role combinations, role-user combinations and permission-user combinations; whether the authorization of each item is reasonable is then determined according to its historical check count and a check-count threshold, and when any item is judged unreasonable and the path information reconfirms that it is unreasonable, the item is revoked. Problems or risks in authorization can thus be detected in a timely and effective way and corrected.
Embodiment three of the authority management method of the present invention can adopt the steps shown in Fig. 3 above; in this embodiment, S301 is implemented as follows:
In this embodiment, the first time period and the authentication-count threshold can be preset, for example the first time period is set to 6 months and the threshold to 3 times.
S303 is implemented as follows:
In this embodiment, the history number of authentications of each authorization datum within the 6 months is counted by querying the recorded authentication path information. Assume that RoleA is assigned to four users, UserA, UserB, UserC and UserD, so that RoleA has four authorization data (RoleA-UserA, RoleA-UserB, RoleA-UserC and RoleA-UserD), and assume that the authentication path information recorded over the past 6 months contains the entries relating to RoleA. Table 4A is authentication-count statistics table two and table 4B is authentication path information table three. As shown in tables 4A and 4B, assume that counting from the path information gives RoleA-UserA 1 authentication in the past 6 months, RoleA-UserB 0, RoleA-UserC 50 and RoleA-UserD 120; the detailed authentication path of each authorization datum is as shown in table 4B.
Table 4A is authentication-count statistics table two

Role     User     History number of authentications
RoleA    UserA    1
RoleA    UserB    0
RoleA    UserC    50
RoleA    UserD    120

Table 4B is authentication path information table three

Role     Authentication path            Authentication time
RoleA    UserA→RoleA→PermissionX        ******
RoleA    UserB→RoleA→PermissionX        ******
RoleA    UserC→RoleA→PermissionX        ******
RoleA    UserD→RoleA→PermissionX        ******
S304 is implemented as follows:
In this embodiment, if the history number of authentications of an authorization datum within the first time period is less than the authentication-count threshold, the authorization assignment of that datum is judged unreasonable; otherwise it is judged reasonable. According to tables 4A and 4B, RoleA-UserC had 50 authentications in the past 6 months and RoleA-UserD had 120, both more than the preset threshold (3 times), so the authorization assignments of RoleA-UserC and RoleA-UserD are reasonable. RoleA-UserA had 1 authentication in the past 6 months and RoleA-UserB had 0, both fewer than the preset threshold (3 times), so RoleA-UserA and RoleA-UserB meet the detection condition and their authorization assignments may be unreasonable; optionally, RoleA-UserA and RoleA-UserB are displayed on the detection page.
S305 is implemented as follows:
In this embodiment, when the authorization assignment of an authorization datum has been preliminarily judged unreasonable from its history number of authentications and the authentication-count threshold, it is judged again according to the authentication path information, and the datum is recovered only if the second judgement also finds the assignment unreasonable. Optionally, the authentication records of the data are queried again through the path information (for example, the detailed authentication tracks of RoleA-UserA and RoleA-UserB are checked), and the role information of UserA and of UserB is queried to check whether it contains the role of the datum (RoleA). If it does not, UserA and UserB are judged to be misusing the authorization data (that is, the authorization assignments are unreasonable) and step S306 below is performed; otherwise the assignments are reasonable and the procedure ends.
S306 is implemented as follows:
In this embodiment, once the authorization assignment of an authorization datum is determined to be unreasonable, the datum can be recovered with one key, for example by removing UserA and UserB from RoleA; one-key recovery can be implemented in software. Optionally, a detailed recovery log (for example, the recovered role and its authorization relation) is written when the datum is recovered, so that in the rare case that a recovery later turns out to be a mistake, the recovery log can be queried and the mistakenly recovered datum restored with one key from its log entry (that is, the authorization relation is returned to its state before the recovery operation).
In this embodiment, the history number of authentications of each authorization datum within the first time period is obtained, where the types of authorization data include permission-role combinations, role-user combinations and permission-user combinations; whether the authorization assignment of each datum is reasonable is judged from its history number of authentications and the authentication-count threshold; and if any datum is judged unreasonable and the authentication path information reconfirms this, the datum is recovered. Problems or risks in authorization can thus be detected and corrected effectively and in time.
Fig. 4 is a schematic flow chart of embodiment four of the authority management method of the present invention. As shown in Fig. 4, the method of this embodiment includes:
S401, initial setup.
In this embodiment, the first time period and the authentication-count threshold can be preset, for example the first time period is set to 6 months and the threshold to 3 times.
S402, obtain all authorization data from the core data.
S403, obtain the history number of authentications of each authorization datum within the first time period.
In this embodiment, the history number of authentications of each authorization datum within the 6 months is counted by querying the recorded authentication path information. Assume that PermissionA is assigned directly to three users, UserA, UserB and UserC, so that PermissionA has three authorization data (PermissionA-UserA, PermissionA-UserB and PermissionA-UserC), and assume that the authentication path information recorded over the past 6 months contains the entries relating to PermissionA. Table 5A is authentication-count statistics table three and table 5B is authentication path information table four. As shown in tables 5A and 5B, assume that counting from the path information gives PermissionA-UserA 0 authentications in the past 6 months, PermissionA-UserB 1 and PermissionA-UserC 40; the detailed authentication path of each authorization datum is as shown in table 5B.
Table 5A is authentication-count statistics table three

Permission ID    User     History number of authentications
PermissionA      UserA    0
PermissionA      UserB    1
PermissionA      UserC    40

Table 5B is authentication path information table four

Permission ID    Authentication path      Authentication time
PermissionA      UserA→PermissionA        ******
PermissionA      UserB→PermissionA        ******
PermissionA      UserC→PermissionA        ******
S404, judge respectively, according to the history number of authentications and the authentication-count threshold, whether the authorization assignment of each authorization datum is reasonable.
In this embodiment, if the history number of authentications of an authorization datum within the first time period is less than the authentication-count threshold, the authorization assignment of that datum is judged unreasonable; otherwise it is judged reasonable. According to tables 5A and 5B, PermissionA-UserC had 40 authentications in the past 6 months, more than the preset threshold (3 times), so its authorization assignment is reasonable. PermissionA-UserA had 0 authentications in the past 6 months and PermissionA-UserB had 1, both fewer than the preset threshold (3 times), so PermissionA-UserA and PermissionA-UserB meet the detection condition and their authorization assignments may be unreasonable; optionally, PermissionA-UserA and PermissionA-UserB are displayed on the detection page.
S405, recover the authorization datum.
In this embodiment, once the authorization assignment of an authorization datum is determined to be unreasonable, the datum can be recovered with one key, for example by removing UserA and UserB from PermissionA. Optionally, a detailed recovery log (for example, the recovered permission and its authorization relation) is written when the datum is recovered, so that in the rare case that a recovery later turns out to be a mistake, the recovery log can be queried and the mistakenly recovered datum restored with one key from its log entry (that is, the permission authorization relation is returned to its state before the recovery operation).
In this embodiment, the history number of authentications of each authorization datum within the first time period is obtained, where the types of authorization data include permission-role combinations, role-user combinations and permission-user combinations; whether the authorization assignment of each datum is reasonable is judged from its history number of authentications and the authentication-count threshold; and if any datum is judged unreasonable and the authentication path information reconfirms this, the datum is recovered. Problems or risks in authorization can thus be detected and corrected effectively and in time.
Fig. 5 is a schematic diagram of the detection process of the present invention. As shown in Fig. 5, optionally, the detection process in any of the above embodiments of the authority management method is as follows:
1) obtain the authorization data of all permissions from the core data;
2) obtain the history number of authentications of each authorization datum within the first time period from the authentication path information;
3) judge respectively, according to the history number of authentications and the authentication-count threshold, whether the authorization assignment of each authorization datum is reasonable;
4) display all authorization data that meet the detection condition (that is, all authorization data whose authorization assignment is unreasonable), so that they can then be recovered.
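The detection process above, carried through end to end as an added example (Python written for this page; it is not code from the patent or from Huawei). It counts authentications per authorization datum from constructed authentication-path records, applies the threshold of S304/S404, re-checks the flagged data against the path records the way S305 describes, and recovers confirmed data into a recovery log from which a mistaken recovery can be restored (S306/S405). "Authentication" here is the per-request authorization check whose path gets recorded. The core data, the log records, the 182-day window, the dates and the names RoleA, RoleB, UserA to UserE, PermissionA and PermissionX are all assumptions made for the example. The re-check rule implemented is one reading of S305: a flagged datum is confirmed unreasonable when a user who exercised it does not hold the granted role or permission in the core data. With that rule a datum that was never exercised in the window (such as RoleA-UserA with 0 authentications) can only be flagged for a human decision, never auto-confirmed; the patent leaves that case open, and it is the case a practitioner has to decide on before automating recovery.

```python
# Added example, not the patent's code: usage-based review of RBAC grants following
# steps S301-S306/S401-S405 above. "Authentication" is the per-request authorization
# check whose path (user -> role -> permission, or user -> permission for a direct
# grant) gets recorded. All names, dates and the data layout are assumptions.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Grant kinds mirror the three authorization-data types of the method:
#   ("perm-role", permission, role), ("role-user", role, user), ("perm-user", permission, user)
# Constructed core data, the source of all authorization data (cf. S402).
CORE = {
    "perm-role": {("PermissionA", "RoleA"), ("PermissionA", "RoleB"), ("PermissionX", "RoleA")},
    "role-user": {("RoleA", "UserA"), ("RoleA", "UserC"), ("RoleB", "UserD")},
    "perm-user": {("PermissionA", "UserE")},
}
# Constructed authentication path records (timestamp, path), as the logging module would write.
AUTH_PATH_LOG = [
    ("2014-07-03T09:12:00", ("UserC", "RoleA", "PermissionX")),
    ("2014-08-14T11:02:00", ("UserC", "RoleA", "PermissionX")),
    ("2014-09-02T16:40:00", ("UserC", "RoleA", "PermissionA")),
    ("2014-10-11T08:15:00", ("UserB", "RoleA", "PermissionA")),  # UserB holds no RoleA in CORE
    ("2014-11-20T13:30:00", ("UserD", "RoleB", "PermissionA")),
    ("2014-11-21T13:31:00", ("UserD", "RoleB", "PermissionA")),
    ("2014-12-01T10:00:00", ("UserD", "RoleB", "PermissionA")),
    ("2014-12-02T10:00:00", ("UserD", "RoleB", "PermissionA")),
    ("2014-12-05T10:00:00", ("UserE", "PermissionA")),
    ("2013-12-05T10:00:00", ("UserA", "RoleA", "PermissionX")),  # outside the 6-month window
]
REVIEW_DATE = "2014-12-15T00:00:00"  # end of the first time period (assumed)

def grants_from_path(path):
    """Authorization data exercised by one recorded path."""
    user, perm = path[0], path[-1]
    if len(path) == 3:
        return [("role-user", path[1], user), ("perm-role", perm, path[1])]
    return [("perm-user", perm, user)]

def count_authentications(log, window_end=REVIEW_DATE, window=timedelta(days=182)):
    """S303/S403: authentications per grant inside the first time period, plus the
    users seen on each grant's paths (needed by the S305 re-check)."""
    end = datetime.fromisoformat(window_end)
    counts, users_on_path = Counter(), defaultdict(set)
    for ts, path in log:
        if end - window <= datetime.fromisoformat(ts) <= end:
            for grant in grants_from_path(path):
                counts[grant] += 1
                users_on_path[grant].add(path[0])
    return counts, users_on_path

def effective_permissions(core, user):
    roles = {r for r, u in core["role-user"] if u == user}
    direct = {p for p, u in core["perm-user"] if u == user}
    return direct | {p for p, r in core["perm-role"] if r in roles}

def path_shows_misuse(core, grant, users_on_path):
    """S305 re-check: the flagged grant is confirmed unreasonable when a user who
    exercised it does not hold the granted role/permission in core data."""
    kind, granted, _ = grant
    for user in users_on_path.get(grant, ()):
        if kind == "role-user" and (granted, user) not in core["role-user"]:
            return True
        if kind != "role-user" and granted not in effective_permissions(core, user):
            return True
    return False

def review(core, log, window_end=REVIEW_DATE, threshold=3):
    """S304/S305: classify each grant as reasonable, flagged (show on the detection
    page for a decision) or confirmed (recover it). Below threshold means unreasonable."""
    counts, users_on_path = count_authentications(log, window_end)
    verdict = {}
    for kind, pairs in core.items():
        for a, b in pairs:
            grant = (kind, a, b)
            if counts.get(grant, 0) >= threshold:
                verdict[grant] = "reasonable"
            elif path_shows_misuse(core, grant, users_on_path):
                verdict[grant] = "confirmed"
            else:
                verdict[grant] = "flagged"
    return counts, verdict

def clone_core(core):
    return {kind: set(pairs) for kind, pairs in core.items()}

def revoke(core, grant, recovery_log, ts=REVIEW_DATE):
    """S306/S405: one-key recovery, journaled so a mistaken recovery can be undone."""
    kind, a, b = grant
    core[kind].remove((a, b))  # KeyError if the grant is not present
    recovery_log.append({"ts": ts, "grant": grant, "restored": False})

def restore(core, grant, recovery_log):
    """Undo the latest un-restored recovery of `grant` from the recovery log."""
    for entry in reversed(recovery_log):
        if entry["grant"] == grant and not entry["restored"]:
            core[grant[0]].add(grant[1:])
            entry["restored"] = True
            return True
    return False

if __name__ == "__main__":
    counts, verdict = review(CORE, AUTH_PATH_LOG)
    for grant in sorted(verdict):
        print(f"{grant}: {counts.get(grant, 0)} authentications -> {verdict[grant]}")
    core, journal = clone_core(CORE), []
    for grant in [g for g, s in verdict.items() if s == "confirmed"]:
        revoke(core, grant, journal)
    print("recovered:", [e["grant"] for e in journal])
```

Running the file prints the verdict for each grant and the recovery journal. `review` never mutates the core data, so the demo recovers on a copy made by `clone_core`; `revoke` raises KeyError rather than silently ignoring a grant that is already absent, and `restore` only undoes a journal entry once, so a second restore of the same grant reports that there was nothing left to undo.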
Fig. 6 is a schematic structural diagram of embodiment one of the authority management device of the present invention. As shown in Fig. 6, the authority management device 60 provided by this embodiment may include an acquisition module 601 and a judgement module 602.
The acquisition module 601 is configured to obtain the history number of authentications of each authorization datum within a first time period, wherein the types of authorization data include permission-role combinations, role-user combinations and permission-user combinations;
the judgement module 602 is configured to judge respectively, according to the history number of authentications and an authentication-count threshold, whether the authorization assignment of each authorization datum is reasonable, and, if the authorization assignment of any authorization datum is judged unreasonable, to recover that authorization datum.
Optionally, the judgement module is specifically configured to:
judge the authorization assignment of an authorization datum unreasonable if its history number of authentications within the first time period is less than the authentication-count threshold, and reasonable otherwise.
Optionally, the acquisition module is specifically configured to:
count respectively, by querying authentication path information, the history number of authentications corresponding to each authorization datum within the first time period, wherein the authentication path information comprises the access path information of each authentication.
Optionally, the device further includes:
a confirmation module, configured to reconfirm according to the authentication path information that the authorization assignment of the authorization datum is unreasonable.
Optionally, the device further includes:
a logging module, configured to record the authentication path information of each authentication of each authorization datum.
The authority management device of this embodiment can be used to execute the technical solution of any of the above embodiments of the authority management method of the present invention; its principle of operation and technical effect are similar and are not repeated here.
Fig. 7 is a schematic structural diagram of embodiment two of the authority management device of the present invention. As shown in Fig. 7, the authority management device 70 provided by this embodiment may include a processor 701 and a memory 702. The authority management device 70 may further include a data interface unit 703, which can be connected to the processor 701. The data interface unit 703 is used to receive and send data, and the memory 702 is used to store execution instructions. When the authority management device 70 runs, the processor 701 and the memory 702 communicate, and the processor 701 calls the execution instructions in the memory 702 in order to perform the operations of any of the above embodiments of the authority management method.
The authority management device of this embodiment can be used to execute the technical solution of any of the above embodiments of the authority management method of the present invention; its principle of operation and technical effect are similar and are not repeated here.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in them can still be modified, or some or all of their technical features replaced by equivalents, without the essence of the corresponding technical solution departing from the scope of the embodiments of the present invention.

Claims (10)

1. An authority management method, characterized by comprising:
obtaining the history number of authentications of each authorization datum within a first time period, wherein the types of the authorization data include permission-role combinations, role-user combinations and permission-user combinations;
judging respectively, according to the history number of authentications and an authentication-count threshold, whether the authorization assignment of each authorization datum is reasonable, and, if the authorization assignment of any authorization datum is judged unreasonable, recovering that authorization datum.
2. The method according to claim 1, characterized in that judging respectively, according to the history number of authentications and the authentication-count threshold, whether the authorization assignment of each authorization datum is reasonable comprises:
if the history number of authentications of the authorization datum within the first time period is less than the authentication-count threshold, judging the authorization assignment of the authorization datum unreasonable; otherwise, judging the authorization assignment of the authorization datum reasonable.
3. The method according to claim 1 or 2, characterized in that obtaining the history number of authentications of each authorization datum within the first time period comprises:
counting respectively, by querying authentication path information, the history number of authentications corresponding to each authorization datum within the first time period, wherein the authentication path information comprises the access path information of each authentication.
4. The method according to any one of claims 1 to 3, characterized by further comprising, before recovering the authorization datum:
reconfirming according to the authentication path information that the authorization assignment of the authorization datum is unreasonable.
5. The method according to any one of claims 1 to 4, characterized by further comprising, before obtaining the history number of authentications of each authorization datum within the first time period:
recording the authentication path information of each authentication of each authorization datum.
6. An authority management device, characterized by comprising:
an acquisition module, configured to obtain the history number of authentications of each authorization datum within a first time period, wherein the types of the authorization data include permission-role combinations, role-user combinations and permission-user combinations;
a judgement module, configured to judge respectively, according to the history number of authentications and an authentication-count threshold, whether the authorization assignment of each authorization datum is reasonable, and, if the authorization assignment of any authorization datum is judged unreasonable, to recover that authorization datum.
7. The device according to claim 6, characterized in that the judgement module is specifically configured to:
if the history number of authentications of the authorization datum within the first time period is less than the authentication-count threshold, judge the authorization assignment of the authorization datum unreasonable; otherwise, judge the authorization assignment of the authorization datum reasonable.
8. The device according to claim 6 or 7, characterized in that the acquisition module is specifically configured to:
count respectively, by querying authentication path information, the history number of authentications corresponding to each authorization datum within the first time period, wherein the authentication path information comprises the access path information of each authentication.
9. The device according to any one of claims 6 to 8, characterized by further comprising:
a confirmation module, configured to reconfirm according to the authentication path information that the authorization assignment of the authorization datum is unreasonable.
10. The device according to any one of claims 6 to 9, characterized by further comprising:
a logging module, configured to record the authentication path information of each authentication of each authorization datum.
Application CN201410779339.6A, "Authority management method and device", priority date 2014-12-15, filing date 2014-12-15, legal status: pending.

Publications (1)

Publication number    Publication date
CN105760745A          2016-07-13

Family ID: 56336799 (one family application, CN201410779339.6A; country status: CN, CN105760745A)
Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108023873A (en) * 2017-11-08 2018-05-11 深圳市文鼎创数据科技有限公司 channel establishing method and terminal device
CN108537011A (en) * 2018-03-16 2018-09-14 维沃移动通信有限公司 A kind of application permission processing method, terminal and server
CN108549797A (en) * 2018-03-26 2018-09-18 安徽笛申科技有限公司 A kind of user and user group and the System right management method of role
CN109249898A (en) * 2017-07-13 2019-01-22 丰田自动车株式会社 authentication device and authentication method
CN109409097A (en) * 2017-08-16 2019-03-01 中国石油天然气股份有限公司 Approaches to IM, device and computer readable storage medium
CN111159719A (en) * 2019-12-31 2020-05-15 奇安信科技集团股份有限公司 Determination method and device of conflict authority, computer equipment and storage medium
CN112818309A (en) * 2021-03-04 2021-05-18 重庆度小满优扬科技有限公司 Method and device for controlling data access authority and storage medium
CN114882974A (en) * 2022-05-27 2022-08-09 江苏智慧智能软件科技有限公司 Psychological diagnosis database access artificial intelligence verification system and method
CN116881956A (en) * 2023-09-08 2023-10-13 国网信息通信产业集团有限公司 Permission management method and device oriented to multi-cloud resource management

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101072129A (en) * 2007-06-25 2007-11-14 北京邮电大学 JMX based network service management method and its application system
US20110185402A1 (en) * 2010-01-26 2011-07-28 Wang Shaolan Access control system
CN102325062A (en) * 2011-09-20 2012-01-18 北京神州绿盟信息安全科技股份有限公司 Abnormal login detecting method and device
CN102340541A (en) * 2011-10-13 2012-02-01 深圳市江波龙电子有限公司 System and method for cloud volume production
CN103605916A (en) * 2013-12-06 2014-02-26 山东高速信息工程有限公司 RBAC (Role-Based policies Access Control) accessing control model based on organization



Legal Events

Code    Title
C06     Publication
PB01    Publication
C10     Entry into substantive examination
SE01    Entry into force of request for substantive examination
TA01    Transfer of patent application right (effective date of registration: 2020-02-13; address after: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen; applicant after: HUAWEI TECHNOLOGIES Co.,Ltd.; address before: 210012 Ande Gate No. 94, Yuhuatai District, Jiangsu, Nanjing; applicant before: Huawei Technologies Co.,Ltd.)
RJ01    Rejection of invention patent application after publication (application publication date: 2016-07-13)