CN105760745A - Authority management method and device - Google Patents
Authority management method and device Download PDFInfo
- Publication number
- CN105760745A CN105760745A CN201410779339.6A CN201410779339A CN105760745A CN 105760745 A CN105760745 A CN 105760745A CN 201410779339 A CN201410779339 A CN 201410779339A CN 105760745 A CN105760745 A CN 105760745A
- Authority
- CN
- China
- Prior art keywords
- authorization data
- authentications
- authentication
- described authorization
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Abstract
The invention embodiment provides an authority management method and device; the method comprises the following steps: obtaining historical authentication times of each authorization data in a first time period, wherein the authorization data types comprise authorization-role combination, role-user combination, and authorization-user combination; determining whether the authorization distribution of each authorization data is reasonable or not respectively according to the historical authentication times and an authentication time threshold value, and recovering the authorization data if a random authorization data is determined to be unreasonable in authorization distribution; timely and effectively detecting authorization problem or risk, and carrying out rectification.
Description
Technical field
The present embodiments relate to computer technology, particularly relate to a kind of right management method and device.
Background technology
Rights management refers to that safety regulation that user arranges according to system or security strategy can access and can only access the resource oneself being authorized to, at present, rights management occurs nearly in any system, rights management such as enterprise, wherein, the rights management of enterprise is a complicated process, relates to the combing in tissue and post, and the flowing of personnel and management, and may face authority disorderly, authority amplifies or composes the scattered problems of rights management such as Quan Nan.
In order to solve the scattered problem of described rights management; the rights management of existing enterprise is typically based on the access of role and controls (RoleBasedAccessControl; it is called for short RBAC) mechanism, adopt unified rights registration, concentration to authorize and concentrate the unified security administrative centers such as authentication to carry out rights management.Consider safety factors; prior art is typically based on the inquiry view of permission grant data; carry out artificial enquiry comparison to identify whether authority distributes rationally; such as; check that whether role that described employee authorizes and authority be correct from certain employee's dimension; or check that whether all kinds of authorities that described role authorizes are correct from certain role's dimension, or check that whether role that described authority associates or employee be correct from certain authority dimension.
But by the mode of artificial enquiry comparison to identify whether authority distributes rationally in prior art, identify that process is cumbersome, identify that difficulty is bigger and error-prone.
Summary of the invention
The embodiment of the present invention provides a kind of right management method and device, it is possible to effectively detects Problems existing or risk in mandate at the right time, and corrects.
First aspect, the embodiment of the present invention provides a kind of right management method, including:
Obtain each authorization data history number of authentications in first time period;Wherein, the type of described authorization data includes: authority and role combinations, role and user's combination and authority and user combine;
Whether reasonable according to the authorized appropriation of each described authorization data of described history number of authentications and number of authentications threshold decision respectively, if judging, the authorized appropriation of arbitrary described authorization data is unreasonable, then reclaim described authorization data.
In conjunction with first aspect, in the first possible implementation of first aspect, described whether reasonable according to the authorized appropriation of each described authorization data of described history number of authentications and number of authentications threshold decision respectively, including:
If the history number of authentications that described authorization data is in described first time period is less than described authentication threshold value, then judge that the authorized appropriation of described authorization data is unreasonable;Otherwise, it is judged that the authorized appropriation of described authorization data is reasonable.
In conjunction with the first possible implementation of first aspect or first aspect, in the implementation that the second of first aspect is possible, described acquisition each authorization data history number of authentications in first time period, including:
The history number of authentications that each described authorization data is corresponding in described first time period is added up respectively by inquiring about authentication routing information;Wherein, described authentication routing information comprises accessed path information when every time authenticating.
In conjunction with the first or any one possible implementation of the second of first aspect, first aspect, in the third possible implementation of first aspect, before the described authorization data of described recovery, also include:
Reaffirm that the authorized appropriation of described authorization data is unreasonable according to authentication routing information.
In conjunction with the first implementation that any one is possible to the third of first aspect, first aspect, in the 4th kind of possible implementation of first aspect, before described acquisition each authorization data history number of authentications in first time period, also include:
Record the authentication routing information of the authentication every time of described each authorization data.
Second aspect, the embodiment of the present invention provides a kind of rights management device, including:
Acquisition module, for obtaining each authorization data history number of authentications in first time period;Wherein, the type of described authorization data includes: authority and role combinations, role and user's combination and authority and user combine;
Judge module, whether for reasonable according to the authorized appropriation of each described authorization data of described history number of authentications and number of authentications threshold decision respectively, if judging, the authorized appropriation of arbitrary described authorization data is unreasonable, then reclaim described authorization data.
In conjunction with second aspect, in the first possible implementation of second aspect, described judge module specifically for:
If the history number of authentications that described authorization data is in described first time period is less than described authentication threshold value, then judge that the authorized appropriation of described authorization data is unreasonable;Otherwise, it is judged that the authorized appropriation of described authorization data is reasonable.
In conjunction with the first possible implementation of second aspect or second aspect, in the implementation that the second of second aspect is possible, described acquisition module specifically for:
The history number of authentications that each described authorization data is corresponding in described first time period is added up respectively by inquiring about authentication routing information;Wherein, described authentication routing information comprises accessed path information when every time authenticating.
In conjunction with the first or any one possible implementation of the second of second aspect, second aspect, in the third possible implementation of second aspect, also include:
Confirm module, for reaffirming that the authorized appropriation of described authorization data is unreasonable according to authentication routing information.
In conjunction with the first implementation that any one is possible to the third of second aspect, second aspect, in the 4th kind of possible implementation of second aspect, also include:
Logging modle, for recording the authentication routing information of the authentication every time of described each authorization data.
In the present invention, by obtaining each authorization data history number of authentications in first time period;Wherein, the type of described authorization data includes: authority and role combinations, role and user's combination and authority and user combine;Further, whether reasonable according to the authorized appropriation of each described authorization data of described history number of authentications and number of authentications threshold decision respectively, if judging, the authorized appropriation of arbitrary described authorization data is unreasonable, then reclaim described authorization data;Such that it is able to effectively detect Problems existing or risk in mandate at the right time, and correct.
Accompanying drawing explanation
In order to be illustrated more clearly that the embodiment of the present invention or technical scheme of the prior art, the accompanying drawing used required in embodiment or description of the prior art will be briefly described below, apparently, accompanying drawing in the following describes is some embodiments of the present invention, for those of ordinary skill in the art, under the premise not paying creative work, it is also possible to obtain other accompanying drawing according to these accompanying drawings.
Fig. 1 is the rights management schematic diagram based on RBAC mechanism;
Fig. 2 A is right management method principle schematic of the present invention;
Fig. 2 B is the schematic flow sheet of right management method embodiment one of the present invention;
Fig. 3 is the schematic flow sheet of right management method embodiment two of the present invention;
Fig. 4 is the schematic flow sheet of right management method embodiment four of the present invention;
Fig. 5 is testing process schematic diagram of the present invention;
Fig. 6 is the structural representation of rights management device embodiment one of the present invention;
Fig. 7 is the structural representation of rights management device embodiment two of the present invention.
Detailed description of the invention
For making the purpose of the embodiment of the present invention, technical scheme and advantage clearly, below in conjunction with the accompanying drawing in the embodiment of the present invention, technical scheme in the embodiment of the present invention is clearly and completely described, obviously, described embodiment is a part of embodiment of the present invention, rather than whole embodiments.Based on the embodiment in the present invention, the every other embodiment that those of ordinary skill in the art obtain under not making creative work premise, broadly fall into the scope of protection of the invention.
Fig. 1 is the rights management schematic diagram based on RBAC mechanism, RBAC is a kind of effective access control scheme implementing To enterprises security strategy, shown in Fig. 1, the basic thought of RBAC is: the various authorities to system operation are not directly authorize concrete user, but between user's set and authority set, set up role's set, wherein, the corresponding one group of corresponding authority of each role (alternatively, forming role-security table);Once user suitable role is assigned after (alternatively, formed user role table), described user just has all operations authority of described role.RBAC mechanism is adopted need not to be all allocated the operation of authority when creating user every time, only need to distribute corresponding role to user, and the permission modification of role wants much less than the permission modification of user, so by simplifying the rights management of user, certain overhead can be reduced.
In another rights management mechanism, also can support directly to authorize on user authority, without the problem considering that role-security expands or authority is amplified, it is possible to authorize more neatly and convenient for user.
Fig. 2 A is right management method principle schematic of the present invention, and as shown in Figure 2 A, rights management is broadly divided into authorizing and authentication two parts of authority of authority;Wherein, authority authorize part be the role in definition system, for the suitable authority of role assignments, and distribute suitable role's (Fig. 2 A is based on RBAC mechanism principle schematic diagram) for user;Alternatively, when adopt authority directly authorized user machine-processed time, the part of authorizing of authority distributes suitable authority (non-diagram) for user;Authority in business use is verified by the authentication part of authority, so that whether verified users possesses corresponding authority.As shown in Figure 2 A, by the record to authentication path histories in the present invention, obtain authentication routing information (described authentication routing information belongs to core data), further, according to the authorization data after authority distribution and described authentication routing information, described authorization data is detected, and whether the authorized appropriation to judge described authorization data is reasonable;If judging, the authorized appropriation of arbitrary described authorization data is unreasonable, then reclaim described authorization data, to reach to prevent in time the purpose of other user's unauthorized access.
In the embodiment of the present invention, authentication routing information based on RBAC mechanism is user (User)-> role (Role)-> authority (Permission), corresponding authentication process is: first obtain certain Role of current User, then judge whether to possess under described Role certain Permission, if not, then obtain the another one Role of described User, then judge whether described Role possesses certain Permission, until having searched all of Role;Wherein, the accessed path information (namely authentication track history) during authentication can be recorded every time, in order to according to authentication routing information, described authorization data is detected.
Fig. 2 B is the schematic flow sheet of right management method embodiment one of the present invention.The executive agent of the present embodiment can for being arranged in the rights management device in information technology (InformationTechnology is called for short IT) system, and this device can pass through software and/or hardware realizes.The scheme of the present embodiment can be applicable to the resource security access scenario in IT system, makes the user logging in described IT system be only capable of accessing the resource licensing to described user, and can not access the uncommitted resource to described user.As shown in Figure 2 B, the method for the present embodiment may include that
S201, obtain each authorization data history number of authentications in first time period.
In the embodiment of the present invention, by obtaining each authorization data history number of authentications in first time period, in order to judge that according to described history number of authentications whether the authorized appropriation of each described authorization data is reasonable.Alternatively, the type of described authorization data includes: authority (Permission) and role (Role) combination, role and user (User) combination and authority and user combine;Wherein, described authorization data is different according to the difference of rights management mechanism, when adopt authority directly authorized user machine-processed time, described authorization data types is authority and user's combination;When adopting RBAC mechanism, described authorization data types can be authority and role combinations or role and user combine.Alternatively, described first time period can be systemic presupposition or for user-defined.
Alternatively, step S201 includes: add up, by inquiring about authentication routing information, the history number of authentications that each described authorization data is corresponding in described first time period respectively.
In the embodiment of the present invention, alternatively, also include before step S201: record the authentication routing information of the authentication every time of described each authorization data, wherein, described authentication routing information comprises every time the accessed path information (namely authentication track history) during authentication, and alternatively, described authentication routing information can store in table form, table 1A is authentication path information storage form table one, and table 1B is authentication path information storage form table two.
Table 1A is authentication path information storage form table one
| Permission ID | Authentication serial number | Authentication path | Authentication time |
| Permission*** | *** | User***→Role***→Permission*** | ****** |
Table 1B is authentication path information storage form table two
| Permission ID | Authentication serial number | Authentication path | Authentication time |
| Permission*** | *** | User***→Permission*** | ****** |
Alternatively, when (1) is based on RBAC mechanism, as shown in table 1A, authentication routing information form is " user-role-authority ";(2) when adopt authority directly authorized user machine-processed time, as shown in table 1B, authentication routing information form is " user-authority ".Further, determine, according to described authentication routing information, the history number of authentications that each described authorization data is corresponding in described first time period;Alternatively, add up, by inquiry authentication routing information, the history number of authentications that each described authorization data is corresponding in described first time period respectively.
Alternatively, before step S201, also include: from core data, obtain described each authorization data.
In the embodiment of the present invention, as shown in Figure 2 A, from core data, described each authorization data is first obtained, in order to obtain each described authorization data history number of authentications in first time period further respectively.
Whether S202, reasonable according to the authorized appropriation of each described authorization data of described history number of authentications and number of authentications threshold decision respectively, if judging, the authorized appropriation of arbitrary described authorization data is unreasonable, then reclaim described authorization data.
In the embodiment of the present invention, respectively according to each described authorization data history number of authentications in first time period and number of authentications threshold value, judging that whether the authorized appropriation of each described authorization data is reasonable, wherein, described number of authentications threshold value can be systemic presupposition or user-defined;Alternatively, if the history number of authentications that described authorization data is in described first time period is less than described number of authentications threshold value, (namely the actual number of authentications of described authorization data is less, it is likely to mandate unreasonable), then judge that the authorized appropriation of described authorization data is unreasonable, then reclaim described authorization data, can effectively detect Problems existing or risk in mandate, alternatively, also can reclaim authorization data to correct by a key, thus preventing the unauthorized access of other user in time;Otherwise, it is judged that the authorized appropriation of described authorization data is reasonable.
Alternatively, for all of authorization data, corresponding described first time period can be set to same numerical value, and the described number of authentications threshold value of correspondence can also be set to same numerical value;But different first time period and/or number of authentications threshold value can also be set for different authorization datas, first time period as corresponding for management class user can be set to the number of authentications threshold value B1 of A1 and correspondence, the number of authentications threshold value B2 etc. of A2 and correspondence can be set to for the first time period that technology class user is corresponding, accordingly, when according to history number of authentications and number of authentications threshold decision, whether the authorized appropriation of authorization data is reasonable, the history number of authentications (in the A1 time period) of management class user contrasts with number of authentications threshold value B1, and the history number of authentications of technology class user (in the A2 time period) contrasts with number of authentications threshold value B2.Certainly, the set-up mode for described first time period and described number of authentications threshold value can also be other form, and the present invention is to this and is not limited as.
In order to ensure the accuracy reclaiming authorization data, alternatively, in step S202 before reclaiming described authorization data, also include: reaffirm that the authorized appropriation of described authorization data is unreasonable according to authentication routing information.
In the embodiment of the present invention, when the authorized appropriation tentatively judging described authorization data according to described history number of authentications and number of authentications threshold value is unreasonable, further, again judge that whether the authorized appropriation of described authorization data is reasonable according to authentication routing information, if again determining when the authorized appropriation of described authorization data is unreasonable, then reclaim described authorization data;If it is determined that when the authorized appropriation of described data is reasonable, then directly terminate, or reset described first time period and/or described number of authentications threshold value and return execution step S201.Alternatively, can according to described authentication routing information again inquire about described authorization data authentication information (as, know that described authorization data is by user's A use etc.), further, inquire about the authority information of described user A, judge whether the authority information of described user A comprises the authority in described authorization data, if not comprising, it is determined that described user A is authorization data (namely authorized appropriation is unreasonable) described in Misuse;Otherwise, then authorize rationally.Alternatively, when (1) is based on RBAC mechanism, it is possible to whether the authority that all roles by judging described user A are corresponding comprises the authority in described authorization data;(2) when adopt authority directly authorized user machine-processed time, then directly judge whether the authority information of described user A comprises the authority in described authorization data.
In the embodiment of the present invention, by obtaining each authorization data history number of authentications in first time period;Wherein, the type of described authorization data includes: authority and role combinations, role and user's combination and authority and user combine;Further, whether reasonable according to the authorized appropriation of each described authorization data of described history number of authentications and number of authentications threshold decision respectively, if judging, the authorized appropriation of arbitrary described authorization data is unreasonable, then reclaim described authorization data;Such that it is able to effectively detect Problems existing or risk in mandate at the right time, and correct.
Alternatively, after the described authorization data of described recovery, also include: if judging, described authorization data reclaims mistake, then recover described authorization data.
In the embodiment of the present invention, alternatively, after reclaiming described authorization data, if judging, described authorization data reclaims mistake, then recover described authorization data (namely permission grant relation of the described authorization data before recovery reclaimer operation), thus again the authority that mistake reclaims being added in corresponding role or user.Alternatively, detailed recovery daily record (authority reclaimed such as record and the relation of mandate) is recorded when reclaiming authorization data;On rare occasion, if judging when described authorization data reclaims mistake, can pass through to inquire about to reclaim daily record, the permission grant relation of described authorization data recovery daily record One-key recovery reclaimer operation before corresponding to the described authorization data of mistake recovery, wherein, One-key recovery can be realized by software mode.
Fig. 3 is the schematic flow sheet of right management method embodiment two of the present invention, as it is shown on figure 3, the method for the present embodiment includes:
S301, Initialize installation.
In the embodiment of the present invention, can pre-setting described first time period and number of authentications threshold value, if first time period as described in setting was as 6 months, described number of authentications threshold value is 3 times.
S302, from core data, obtain all authorization datas.
S303, obtain each described authorization data history number of authentications in first time period.
In the embodiment of the present invention, add up, by inquiring about the authentication routing information recorded, the history number of authentications that each described authorization data is corresponding in 6 months respectively.Assume that PermissionA is assigned in RoleA and RoleB altogether, then PermissionA has two authorization datas (PermissionA-RoleA and PermissionA-RoleB), assumed within past 6 months, authenticated the related content that have recorded PermissionA in routing information, table 2 is authentication routing information table one, as shown in table 2.
Table 2 is authentication routing information table one
| Permission ID | Authentication serial number | Authentication path | Authentication time |
| Permission A | ×× | User C→Role A→Permission A | ****** |
| Permission A | ×× | User C→Role A→Permission A | ****** |
| Permission A | ×× | User C→Role B→Permission A | ****** |
| Permission A | ×× | User D→Role B→Permission A | ****** |
| Permission A | ×× | User E→Role B→Permission A | ****** |
| Permission A | ×× | User C→Role B→Permission A | ****** |
Table 3A is number of authentications statistical table one, table 3B is authentication routing information table two, known to table 2, the PermissionA-RoleA authorization data history number of authentications interior at 6 months be 2 times (as shown in table 3A, the corresponding path of authentication in detail is such as shown in table 3B), the PermissionA-RoleB authorization data history number of authentications interior at 6 months is 4 times.
Table 3A is number of authentications statistical table one
| Permission ID | Role | History number of authentications |
| Permission A | Role A | 2 |
Table 3B is authentication routing information table two
| Permission ID | Authentication path | Authentication time |
| Permission A | User C→Role A→Permission A | ****** |
| Permission A | User C→Role A→Permission A | ****** |
Whether S304, respectively authorized appropriation according to each described authorization data of described history number of authentications and number of authentications threshold decision be reasonable.
In the embodiment of the present invention, if the history number of authentications that described authorization data is in described first time period is less than described authentication threshold value, then judge that the authorized appropriation of described authorization data is unreasonable;Otherwise, it is judged that the authorized appropriation of described authorization data is reasonable.According to table 2, the PermissionA-RoleB authorization data history number of authentications interior at 6 months is 4 times, more than default described authentication threshold value (3 times), then illustrates that the authorized appropriation of described PermissionA-RoleB authorization data is reasonable.According to table 2, table 3A and table 3B, the PermissionA-RoleA authorization data history number of authentications interior at 6 months is 2 times, less than default described authentication threshold value (3 times), then PermissionA-RoleA authorization data meets testing conditions, the authorized appropriation of described authorization data is likely to unreasonable, alternatively, described PermissionA-RoleA authorization data is shown on the page.
S305, according to authentication routing information reaffirm that the authorized appropriation of described authorization data is unreasonable.
In the embodiment of the present invention, when the authorized appropriation tentatively judging described authorization data according to described history number of authentications and number of authentications threshold value is unreasonable, further, again judge that whether the authorized appropriation of described authorization data is reasonable according to authentication routing information, if again determining when the authorized appropriation of described authorization data is unreasonable, then reclaim described authorization data.Alternatively, can according to described authentication routing information again inquire about described authorization data authentication information (as, determine that using for 2 times of PermissionA-RoleA is all that UserC is using), further, inquire about the authority information of described user C, judge the authority (PermissionA) whether comprising in described authorization data in the authority information of described user C, if not comprising, then determine that described user C is authorization data (namely authorized appropriation is unreasonable) described in Misuse, and perform step S306;Otherwise, then authorize rationally, directly terminate, or reset described first time period and/or described number of authentications threshold value and return execution step S303.
S306, reclaim described authorization data.
In the embodiment of the present invention, when the authorized appropriation determining described authorization data is unreasonable, described authorization data can be reclaimed by a key, as PermissionA is removed from RoleA, wherein, a key is reclaimed and can be realized by software mode, alternatively, can provide at the detection page and reclaim button, the operation reclaiming authorization data by clicking described recovery button to trigger.Alternatively, detailed recovery daily record (authority reclaimed such as record and the relation of mandate) is recorded when reclaiming authorization data, so that on rare occasion, if judging when described authorization data reclaims mistake, can pass through to inquire about to reclaim daily record, authorization data (namely permission grant relation of the described authorization data before recovery reclaimer operation) described in the recovery daily record One-key recovery corresponding to the described authorization data of mistake recovery.
In the embodiment of the present invention, by obtaining each authorization data history number of authentications in first time period;Wherein, the type of described authorization data includes: authority and role combinations, role and user's combination and authority and user combine;Further, whether the authorized appropriation according to each described authorization data of described history number of authentications and number of authentications threshold decision is reasonable respectively, if judging when the authorized appropriation of arbitrary described authorization data is unreasonable, reaffirm that the authorized appropriation of described authorization data is unreasonable according further to authentication routing information, then reclaim described authorization data;Such that it is able to effectively detect Problems existing or risk in mandate at the right time, and correct.
Right management method embodiment three of the present invention can adopt the step shown in above-mentioned Fig. 3, and in the method for the present embodiment, S301 specific implementation is as follows:
In the embodiment of the present invention, can pre-setting described first time period and number of authentications threshold value, if first time period as described in setting was as 6 months, described number of authentications threshold value is 3 times.
S303 specific implementation is as follows:
In the embodiment of the present invention, add up, by inquiring about the authentication routing information recorded, the history number of authentications that each described authorization data is corresponding in 6 months respectively.Assume that RoleA is assigned on tetra-users of UserA, UserB, UserC and UserD, then RoleA has four authorization datas (RoleA-UserA, RoleA-UserB, RoleA-UserC and RoleA-UserD), it is assumed that authenticated the related content that have recorded RoleA in routing information within past 6 months.Table 4A is number of authentications statistical table two, table 4B is authentication routing information table three, as shown in table 4A and table 4B, assume according to routing information count RoleA-UserA the history number of authentications that past 6 months is interior be 1, RoleA-UserB the history number of authentications that past 6 months is interior be 0, RoleA-UserC the history number of authentications that past 6 months is interior be 50 and RoleA-UserD be 120 at the history number of authentications that past 6 months is interior, wherein, the path of authentication in detail that each described authorization data is corresponding is such as shown in table 4B.
Table 4A is number of authentications statistical table two
| Role | User | History number of authentications |
| Role A | User A | 1 |
| Role A | User B | 0 |
| Role A | User C | 50 |
| Role A | User D | 120 |
Table 4B is authentication routing information table three
| Role | Authentication path | Authentication time |
| Role A | User A→Role A→Permission X | ****** |
| Role A | User B→Role A→Permission X | ****** |
| Role A | User C→Role A→Permission X | ****** |
| Role A | User D→Role A→Permission X | ****** |
S304 specific implementation is as follows:
In the embodiment of the present invention, if the history number of authentications that described authorization data is in described first time period is less than described authentication threshold value, then judge that the authorized appropriation of described authorization data is unreasonable;Otherwise, it is judged that the authorized appropriation of described authorization data is reasonable.According to table 4A and table 4B, RoleA-UserC the history number of authentications that past 6 months is interior be 50 and RoleA-UserD be 120 at the history number of authentications that past 6 months is interior, it both is greater than the described authentication threshold value (3 times) preset, then illustrates that the authorized appropriation of described RoleA-UserC authorization data and described RoleA-UserD authorization data is reasonable.According to table 4A and table 4B, RoleA-UserA the history number of authentications that past 6 months is interior be 1 and RoleA-UserB be 0 at the history number of authentications that past 6 months is interior, it is both less than the described authentication threshold value (3 times) preset, then described RoleA-UserA authorization data and described RoleA-UserB authorization data meet testing conditions, the authorized appropriation of described authorization data is likely to unreasonable, alternatively, described RoleA-UserA authorization data and described RoleA-UserB authorization data are shown on the page.
S305 specific implementation is as follows:
In the embodiment of the present invention, when the authorized appropriation tentatively judging described authorization data according to described history number of authentications and number of authentications threshold value is unreasonable, further, again judge that whether the authorized appropriation of described authorization data is reasonable according to authentication routing information, if again determining when the authorized appropriation of described authorization data is unreasonable, then reclaim described authorization data.Alternatively, can according to described authentication routing information again inquire about described authorization data authentication information (as, that checks RoleA-UserA and RoleA-UserB authenticates track in detail), further, inquire about the Role Information of described UserA and UserB respectively, judge the role (RoleA) whether comprising in described authorization data in the Role Information of described UserA and UserB respectively, if not comprising, then determine that described UserA and UserB is authorization data (namely authorized appropriation is unreasonable) described in Misuse, and perform following steps S306 in the embodiment of the present invention;Otherwise, then authorize rationally, terminate.
S306 specific implementation is as follows:
In the embodiment of the present invention, when the authorized appropriation determining described authorization data is unreasonable, can reclaiming described authorization data by a key, UserA and described UserB removes from RoleA as will be described, and wherein, a key is reclaimed and can be realized by software mode.Alternatively, detailed recovery daily record (role reclaimed such as record and the relation of mandate) is recorded when reclaiming authorization data, so that on rare occasion, if judging when described authorization data reclaims mistake, can pass through to inquire about to reclaim daily record, authorization data (namely permission grant relation of the described authorization data before recovery reclaimer operation) described in the recovery daily record One-key recovery corresponding to the described authorization data of mistake recovery.
In the embodiment of the present invention, by obtaining each authorization data history number of authentications in first time period;Wherein, the type of described authorization data includes: authority and role combinations, role and user's combination and authority and user combine;Further, whether the authorized appropriation according to each described authorization data of described history number of authentications and number of authentications threshold decision is reasonable respectively, if judging when the authorized appropriation of arbitrary described authorization data is unreasonable, reaffirm that the authorized appropriation of described authorization data is unreasonable according further to authentication routing information, then reclaim described authorization data;Such that it is able to effectively detect Problems existing or risk in mandate at the right time, and correct.
Fig. 4 is the schematic flow sheet of right management method embodiment four of the present invention, and as shown in Figure 4, the method for the present embodiment includes:
S401, Initialize installation.
In the embodiment of the present invention, can pre-setting described first time period and number of authentications threshold value, if first time period as described in setting was as 6 months, described number of authentications threshold value is 3 times.
S402, from core data, obtain all authorization datas.
S403, obtain each described authorization data history number of authentications in first time period.
In the embodiment of the present invention, add up, by inquiring about the authentication routing information recorded, the history number of authentications that each described authorization data is corresponding in 6 months respectively.Assume that PermissionA is assigned on tri-users of UserA, UserB and UserC, then PermissionA has three authorization datas (PermissionA-UserA, PermissionA-UserB and PermissionA-UserC), it is assumed that authenticated the related content that have recorded PermissionA in routing information within past 6 months.Table 5A is number of authentications statistical table three, table 5B is authentication routing information table four, as shown in table 5A and table 5B, assume according to routing information count PermissionA-UserA the history number of authentications that past 6 months is interior be 0, PermissionA-UserB the history number of authentications that past 6 months is interior be 1 and PermissionA-UserC be 40 at the history number of authentications that past 6 months is interior, wherein, the path of authentication in detail that each described authorization data is corresponding is such as shown in table 5B.
Table 5A is number of authentications statistical table three
| Permission ID | User | History number of authentications |
| Permission A | User A | 0 |
| Permission A | User B | 1 |
| Permission A | User C | 40 |
Table 5B is authentication routing information table four
| Permission ID | Authentication path | Authentication time |
| Permission A | User A→Permission A | ****** |
| Permission A | User B→Permission A | ****** |
| Permission A | User C→Permission A | ****** |
Whether S404, respectively authorized appropriation according to each described authorization data of described history number of authentications and number of authentications threshold decision be reasonable.
In the embodiment of the present invention, if the history number of authentications that described authorization data is in described first time period is less than described authentication threshold value, then judge that the authorized appropriation of described authorization data is unreasonable;Otherwise, it is judged that the authorized appropriation of described authorization data is reasonable.According to table 5A and table 5B, PermissionA-UserC is 40 at the history number of authentications that past 6 months is interior, more than default described authentication threshold value (3 times), then illustrates that the authorized appropriation of described PermissionA-UserC authorization data is reasonable.According to table 5A and table 5B, PermissionA-UserA the history number of authentications that past 6 months is interior be 0 and PermissionA-UserB be 1 at the history number of authentications that past 6 months is interior, it is both less than the described authentication threshold value (3 times) preset, then described PermissionA-UserA authorization data and described PermissionA-UserB authorization data meet testing conditions, the authorized appropriation of described authorization data is likely to unreasonable, alternatively, described PermissionA-UserA authorization data and described PermissionA-UserB authorization data are shown on the page.
S405, reclaim described authorization data.
In the embodiment of the present invention, when the authorized appropriation determining described authorization data is unreasonable, can reclaiming described authorization data by a key, UserA and described UserB removes from PermissionA as will be described.Alternatively, detailed recovery daily record (authority reclaimed such as record and the relation of mandate) is recorded when reclaiming authorization data, so that on rare occasion, if judging when described authorization data reclaims mistake, can pass through to inquire about to reclaim daily record, authorization data (namely permission grant relation of the described authorization data before recovery reclaimer operation) described in the recovery daily record One-key recovery corresponding to the described authorization data of mistake recovery.
In the embodiment of the present invention, by obtaining each authorization data history number of authentications in first time period;Wherein, the type of described authorization data includes: authority and role combinations, role and user's combination and authority and user combine;Further, whether the authorized appropriation according to each described authorization data of described history number of authentications and number of authentications threshold decision is reasonable respectively, if judging when the authorized appropriation of arbitrary described authorization data is unreasonable, reaffirm that the authorized appropriation of described authorization data is unreasonable according further to authentication routing information, then reclaim described authorization data;Such that it is able to effectively detect Problems existing or risk in mandate at the right time, and correct.
Fig. 5 is testing process schematic diagram of the present invention, as it is shown in figure 5, alternatively, detection process concrete in the present invention above-mentioned right management method any embodiment is as follows: 1) obtain the authorization data of all authorities from core data;2) each described authorization data history number of authentications in first time period is obtained respectively according to described authentication routing information;3) whether authorized appropriation according to each described authorization data of described history number of authentications and number of authentications threshold decision is reasonable respectively;4) all authorization datas (i.e. the irrational authorization data of all authorized appropriations) meeting testing conditions are shown, in order to further, reclaimed by described authorization data.
Fig. 6 is the structural representation of rights management device embodiment one of the present invention, and as shown in Figure 6, the rights management device 60 that the present embodiment provides may include that acquisition module 601 and judge module 602.
Wherein, acquisition module 601 is for obtaining each authorization data history number of authentications in first time period;Wherein, the type of described authorization data includes: authority and role combinations, role and user's combination and authority and user combine;
Whether judge module 602 is for reasonable according to the authorized appropriation of each described authorization data of described history number of authentications and number of authentications threshold decision respectively, if judging, the authorized appropriation of arbitrary described authorization data is unreasonable, then reclaim described authorization data.
Alternatively, described judge module specifically for:
If the history number of authentications that described authorization data is in described first time period is less than described authentication threshold value, then judge that the authorized appropriation of described authorization data is unreasonable;Otherwise, it is judged that the authorized appropriation of described authorization data is reasonable.
Alternatively, described acquisition module specifically for:
The history number of authentications that each described authorization data is corresponding in described first time period is added up respectively by inquiring about authentication routing information;Wherein, described authentication routing information comprises accessed path information when every time authenticating.
Alternatively, described device also includes:
Confirm module, for reaffirming that the authorized appropriation of described authorization data is unreasonable according to authentication routing information.
Alternatively, described device also includes:
Logging modle, for recording the authentication routing information of the authentication every time of described each authorization data.
The rights management device of the present embodiment, it is possible to for performing the technical scheme in the above-mentioned right management method any embodiment of the present invention, it is similar with technique effect that it realizes principle, repeats no more herein.
Fig. 7 is the structural representation of rights management device embodiment two of the present invention, as it is shown in fig. 7, the rights management device 70 that the present embodiment provides can include processor 701 and memorizer 702.Rights management device 70 can also include data interface unit 703, and this data interface unit 703 can be connected with processor 701.Wherein, data interface unit 703 is used for receiving/sending data, and memorizer 702 is used for storing execution instruction.When authority managing device 70 is run, communicating between processor 701 with memorizer 702, processor 701 calls the execution instruction in memorizer 702, in order to perform the operation in above-mentioned right management method any embodiment.
The rights management device of the present embodiment, it is possible to for performing the technical scheme in the above-mentioned right management method any embodiment of the present invention, it is similar with technique effect that it realizes principle, repeats no more herein.
One of ordinary skill in the art will appreciate that: all or part of step realizing above-mentioned each embodiment of the method can be completed by the hardware that programmed instruction is relevant.Aforesaid program can be stored in a computer read/write memory medium.This program upon execution, performs to include the step of above-mentioned each embodiment of the method;And aforesaid storage medium includes: the various media that can store program code such as ROM, RAM, magnetic disc or CDs.
Last it is noted that various embodiments above is only in order to illustrate technical scheme, it is not intended to limit;Although the present invention being described in detail with reference to foregoing embodiments, it will be understood by those within the art that: the technical scheme described in foregoing embodiments still can be modified by it, or wherein some or all of technical characteristic is carried out equivalent replacement;And these amendments or replacement, do not make the essence of appropriate technical solution depart from the scope of various embodiments of the present invention technical scheme.
Claims (10)
1. a right management method, it is characterised in that including:
Obtain each authorization data history number of authentications in first time period;Wherein, the type of described authorization data includes: authority and role combinations, role and user's combination and authority and user combine;
Whether reasonable according to the authorized appropriation of each described authorization data of described history number of authentications and number of authentications threshold decision respectively, if judging, the authorized appropriation of arbitrary described authorization data is unreasonable, then reclaim described authorization data.
2. method according to claim 1, it is characterised in that described whether reasonable according to the authorized appropriation of each described authorization data of described history number of authentications and number of authentications threshold decision respectively, including:
If the history number of authentications that described authorization data is in described first time period is less than described authentication threshold value, then judge that the authorized appropriation of described authorization data is unreasonable;Otherwise, it is judged that the authorized appropriation of described authorization data is reasonable.
3. method according to claim 1 and 2, it is characterised in that described acquisition each authorization data history number of authentications in first time period, including:
The history number of authentications that each described authorization data is corresponding in described first time period is added up respectively by inquiring about authentication routing information;Wherein, described authentication routing information comprises accessed path information when every time authenticating.
4. the method according to any one of claim 1-3, it is characterised in that before the described authorization data of described recovery, also include:
Reaffirm that the authorized appropriation of described authorization data is unreasonable according to authentication routing information.
5. the method according to any one of claim 1-4, it is characterised in that before described acquisition each authorization data history number of authentications in first time period, also include:
Record the authentication routing information of the authentication every time of described each authorization data.
6. a rights management device, it is characterised in that including:
Acquisition module, for obtaining each authorization data history number of authentications in first time period;Wherein, the type of described authorization data includes: authority and role combinations, role and user's combination and authority and user combine;
Judge module, whether for reasonable according to the authorized appropriation of each described authorization data of described history number of authentications and number of authentications threshold decision respectively, if judging, the authorized appropriation of arbitrary described authorization data is unreasonable, then reclaim described authorization data.
7. device according to claim 6, it is characterised in that described judge module specifically for:
If the history number of authentications that described authorization data is in described first time period is less than described authentication threshold value, then judge that the authorized appropriation of described authorization data is unreasonable;Otherwise, it is judged that the authorized appropriation of described authorization data is reasonable.
8. the device according to claim 6 or 7, it is characterised in that described acquisition module specifically for:
The history number of authentications that each described authorization data is corresponding in described first time period is added up respectively by inquiring about authentication routing information;Wherein, described authentication routing information comprises accessed path information when every time authenticating.
9. the device according to any one of claim 6-8, it is characterised in that also include:
Confirm module, for reaffirming that the authorized appropriation of described authorization data is unreasonable according to authentication routing information.
10. the device according to any one of claim 6-9, it is characterised in that also include:
Logging modle, for recording the authentication routing information of the authentication every time of described each authorization data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410779339.6A CN105760745A (en) | 2014-12-15 | 2014-12-15 | Authority management method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410779339.6A CN105760745A (en) | 2014-12-15 | 2014-12-15 | Authority management method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN105760745A true CN105760745A (en) | 2016-07-13 |
Family
ID=56336799
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410779339.6A Pending CN105760745A (en) | 2014-12-15 | 2014-12-15 | Authority management method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105760745A (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108023873A (en) * | 2017-11-08 | 2018-05-11 | 深圳市文鼎创数据科技有限公司 | channel establishing method and terminal device |
| CN108537011A (en) * | 2018-03-16 | 2018-09-14 | 维沃移动通信有限公司 | A kind of application permission processing method, terminal and server |
| CN108549797A (en) * | 2018-03-26 | 2018-09-18 | 安徽笛申科技有限公司 | A kind of user and user group and the System right management method of role |
| CN109249898A (en) * | 2017-07-13 | 2019-01-22 | 丰田自动车株式会社 | authentication device and authentication method |
| CN109409097A (en) * | 2017-08-16 | 2019-03-01 | 中国石油天然气股份有限公司 | Approaches to IM, device and computer readable storage medium |
| CN111159719A (en) * | 2019-12-31 | 2020-05-15 | 奇安信科技集团股份有限公司 | Determination method and device of conflict authority, computer equipment and storage medium |
| CN112818309A (en) * | 2021-03-04 | 2021-05-18 | 重庆度小满优扬科技有限公司 | Method and device for controlling data access authority and storage medium |
| CN114882974A (en) * | 2022-05-27 | 2022-08-09 | 江苏智慧智能软件科技有限公司 | Psychological diagnosis database access artificial intelligence verification system and method |
| CN116881956A (en) * | 2023-09-08 | 2023-10-13 | 国网信息通信产业集团有限公司 | Permission management method and device oriented to multi-cloud resource management |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101072129A (en) * | 2007-06-25 | 2007-11-14 | 北京邮电大学 | JMX based network service management method and its application system |
| US20110185402A1 (en) * | 2010-01-26 | 2011-07-28 | Wang Shaolan | Access control system |
| CN102325062A (en) * | 2011-09-20 | 2012-01-18 | 北京神州绿盟信息安全科技股份有限公司 | Abnormal login detecting method and device |
| CN102340541A (en) * | 2011-10-13 | 2012-02-01 | 深圳市江波龙电子有限公司 | System and method for cloud volume production |
| CN103605916A (en) * | 2013-12-06 | 2014-02-26 | 山东高速信息工程有限公司 | RBAC (Role-Based policies Access Control) accessing control model based on organization |
-
2014
- 2014-12-15 CN CN201410779339.6A patent/CN105760745A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101072129A (en) * | 2007-06-25 | 2007-11-14 | 北京邮电大学 | JMX based network service management method and its application system |
| US20110185402A1 (en) * | 2010-01-26 | 2011-07-28 | Wang Shaolan | Access control system |
| CN102325062A (en) * | 2011-09-20 | 2012-01-18 | 北京神州绿盟信息安全科技股份有限公司 | Abnormal login detecting method and device |
| CN102340541A (en) * | 2011-10-13 | 2012-02-01 | 深圳市江波龙电子有限公司 | System and method for cloud volume production |
| CN103605916A (en) * | 2013-12-06 | 2014-02-26 | 山东高速信息工程有限公司 | RBAC (Role-Based policies Access Control) accessing control model based on organization |
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109249898A (en) * | 2017-07-13 | 2019-01-22 | 丰田自动车株式会社 | authentication device and authentication method |
| CN109409097B (en) * | 2017-08-16 | 2020-11-03 | 中国石油天然气股份有限公司 | Information management method, device and computer readable storage medium |
| CN109409097A (en) * | 2017-08-16 | 2019-03-01 | 中国石油天然气股份有限公司 | Approaches to IM, device and computer readable storage medium |
| CN108023873A (en) * | 2017-11-08 | 2018-05-11 | 深圳市文鼎创数据科技有限公司 | channel establishing method and terminal device |
| CN108023873B (en) * | 2017-11-08 | 2020-12-11 | 深圳市文鼎创数据科技有限公司 | Channel establishing method and terminal equipment |
| CN108537011A (en) * | 2018-03-16 | 2018-09-14 | 维沃移动通信有限公司 | A kind of application permission processing method, terminal and server |
| CN108537011B (en) * | 2018-03-16 | 2021-03-23 | 维沃移动通信有限公司 | Application permission processing method, terminal and server |
| CN108549797A (en) * | 2018-03-26 | 2018-09-18 | 安徽笛申科技有限公司 | A kind of user and user group and the System right management method of role |
| CN111159719A (en) * | 2019-12-31 | 2020-05-15 | 奇安信科技集团股份有限公司 | Determination method and device of conflict authority, computer equipment and storage medium |
| CN111159719B (en) * | 2019-12-31 | 2022-02-08 | 奇安信科技集团股份有限公司 | Determination method and device of conflict authority, computer equipment and storage medium |
| CN112818309A (en) * | 2021-03-04 | 2021-05-18 | 重庆度小满优扬科技有限公司 | Method and device for controlling data access authority and storage medium |
| CN114882974A (en) * | 2022-05-27 | 2022-08-09 | 江苏智慧智能软件科技有限公司 | Psychological diagnosis database access artificial intelligence verification system and method |
| CN116881956A (en) * | 2023-09-08 | 2023-10-13 | 国网信息通信产业集团有限公司 | Permission management method and device oriented to multi-cloud resource management |
| CN116881956B (en) * | 2023-09-08 | 2024-01-09 | 国网信息通信产业集团有限公司 | Permission management method and device oriented to multi-cloud resource management |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105760745A (en) | Authority management method and device | |
| US7971017B1 (en) | Memory card with embedded identifier | |
| CN104566822A (en) | Management system of air conditioning unit | |
| CN100446021C (en) | Method of realizing intelligence cryptographic key set of fingerprint for multiple users to use | |
| CN201548974U (en) | Unification authentication platform based on palm vena recognition | |
| CN106230818A (en) | A kind of resource authorization method of information management system | |
| KR20120112598A (en) | Implementing method, system of universal card system and smart card | |
| CN100419719C (en) | Method for automatic protection of U disc by using filtering driver and intelligent key device | |
| CN109960917A (en) | A kind of time slot scrambling and device of document | |
| CN108280361A (en) | A kind of authority classification management method and device | |
| CN111914278A (en) | Input data checking method of database and database management system | |
| CN101324913B (en) | Method and apparatus for protecting computer file | |
| CN104866774A (en) | Method and system for managing account authorities | |
| CN104732160B (en) | A kind of control method for preventing from divulging a secret inside database information | |
| CN105631291A (en) | Fingerprint authentication method and electronic equipment | |
| CN103699828A (en) | Information security management method | |
| CN107273725B (en) | Data backup method and system for confidential information | |
| CN102868521A (en) | Method for enhancing secret key transmission of symmetrical secret key system | |
| CN110472423A (en) | A kind of nuclear power station file permission management method, device and equipment | |
| CN104866760B (en) | A kind of smart mobile phone safety protecting method | |
| CN103220265B (en) | Industrial automation system and the method protected to it | |
| CN101291333B (en) | Controlling method of used node number by network software | |
| CN104866761B (en) | A kind of high security Android intelligent terminal | |
| ATE259509T1 (en) | METHOD FOR SECURING STORED DATA IN A STORAGE ARRANGEMENT OF A COMPUTER SYSTEM AND DEVICE FOR IMPLEMENTING SAME | |
| JP2018041452A (en) | Input collation method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20200213 Address after: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen Applicant after: HUAWEI TECHNOLOGIES Co.,Ltd. Address before: 210012 Ande Gate No. 94, Yuhuatai District, Jiangsu, Nanjing Applicant before: Huawei Technologies Co.,Ltd. |
|
| TA01 | Transfer of patent application right | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20160713 |
|
| RJ01 | Rejection of invention patent application after publication |