CN106599718B - Control method and device for information access rights - Google Patents

Control method and device for information access rights

Info

Publication number
CN106599718B
Authority
CN
China
Prior art keywords
user
group
dimension
permission
relation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611126359.9A
Other languages
Chinese (zh)
Other versions
CN106599718A (en)
Inventor
Inventor not disclosed
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
PEOPLE'S BANK OF CHINA NATIONAL CLEARING CENTER
Original Assignee
PEOPLE'S BANK OF CHINA NATIONAL CLEARING CENTER
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by PEOPLE'S BANK OF CHINA NATIONAL CLEARING CENTER
Priority to CN201611126359.9A
Publication of CN106599718A
Application granted
Publication of CN106599718B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention proposes a control method and device for information access rights. The method comprises: creating a user group information table, a dimension permission table and a user group-dimension permission relation; creating a user information table and establishing a user-user group relation and a user-dimension permission relation; establishing a user-role relation table from a role information table, a role-menu function information table and the created user information table, and controlling users' operating permissions according to the user-role relation table; controlling users' data access permissions according to the user-user group relation, the user group-dimension permission relation and the user-dimension permission relation; and, when controlling data access permissions, adjusting the user group and dimension permissions of a user by adjusting the user-dimension permission relation, the user group-dimension permission relation and the user-user group relation.

Description

Control method and device for information access rights
Technical field
The present invention relates to the field of system rights management, and in particular to a control method and device for information access rights.
Background technique
An information system usually has to serve many users and to give different users different permissions (for example the right to use a given function menu or button); this is information system user rights management. The most typical traditional rights management policy is the RBAC model. The RBAC model gives no exact criterion for dividing roles, so when a system is complex the number of roles that must be defined grows sharply. Secondly, RBAC finds it hard to meet flexible permission control requirements, especially in large systems. Moreover, the RBAC model considers permission control mainly from the software system's point of view and ignores the real organizational structure of the enterprise. For example, a user in one organization often needs to query the report data of another organization along various dimension paths as though it were a user of that organization, that is, to switch roles when accessing reports. A traditional RBAC model cannot support such user role switching (in RBAC a user's roles are fixed), and it requires a large number of roles to be defined, which makes the relationship between roles and resource permissions complicated and hard to extend.
Summary of the invention
In order to solve the problem that too many user roles have to be defined in a large information system, and to better fit the organizational structure of a real business, the invention proposes a control method for information access rights, comprising:
creating a user group information table, a dimension permission table and a user group-dimension permission relation;
creating a user information table and establishing a user-user group relation and a user-dimension permission relation;
establishing a user-role relation table from a role information table, a role-menu function information table and the created user information table, and controlling users' operating permissions according to the user-role relation table;
controlling users' data access permissions according to the user-user group relation, the user group-dimension permission relation and the user-dimension permission relation;
when controlling users' data access permissions, adjusting the user group and dimension permissions of a user by adjusting the user-dimension permission relation, the user group-dimension permission relation and the user-user group relation, comprising:
when the permission adjustment range of the user lies within the permission range determined for the user by the user-dimension permission relation, adjusting the user-dimension permission relation to control the data access permission of the user;
when the permission adjustment range of the user exceeds the permission range determined for the user by the user-dimension permission relation and also exceeds the permission range of the user group the user belongs to, adjusting the user group-dimension permission relation to control the data access permission of the user;
when the permission adjustment range of the user exceeds the permission range of the user group the user belongs to, adjusting the user-user group relation to control the data access permission of the user.
Further, the user group information table is created according to the organizational structure of the object concerned.
Further, creating the user information table comprises:
creating a user in the corresponding user group according to the permissions of the configured user group, and assigning the user the corresponding dimension permissions according to the user group-dimension permission relation.
Further, the user group information table comprises parent groups and corresponding subgroups, and a subgroup inherits all or part of the access permissions of its parent group;
when the permission adjustment range of the user exceeds the permission range of the user group the user belongs to, a new subgroup is created in the corresponding user group and the new subgroup is assigned the corresponding dimension permissions according to the user group-dimension permission relation.
Further, adjusting the user group and dimension permissions of the user through the user-user group relation and the user-dimension permission relation to control the data access permission of the user further comprises:
moving the user to a subgroup of its previous user group, which reduces the dimension permissions of the user; or
directly adjusting the user-dimension permission relation to reduce the dimension permissions of the user.
Further, adjusting the user group and dimension permissions of the user through the user-user group relation and the user-dimension permission relation to control the data access permission of the user further comprises:
moving the user to the parent group of its previous user group, which increases the dimension permissions of the user; or
directly adjusting the user-dimension permission relation to increase the dimension permissions of the user.
Correspondingly, a control device for information access rights comprises:
a user group and permission creation module for creating a user group information table, a dimension permission table and a user group-dimension permission relation;
a user and permission creation module for creating a user information table and establishing a user-user group relation and a user-dimension permission relation;
an operating permission control module for establishing a user-role relation table from a role information table, a role-menu function information table and the created user information table, and for controlling users' operating permissions according to the user-role relation table;
an access control module for controlling users' data access permissions according to the user-user group relation, the user group-dimension permission relation and the user-dimension permission relation;
an access permission adjustment module for adjusting, when controlling users' data access permissions, the user group and dimension permissions of a user by adjusting the user-dimension permission relation, the user group-dimension permission relation and the user-user group relation, comprising:
when the permission adjustment range of the user lies within the permission range determined for the user by the user-dimension permission relation, adjusting the user-dimension permission relation to control the data access permission of the user;
when the permission adjustment range of the user exceeds the permission range determined for the user by the user-dimension permission relation and also exceeds the permission range of the user group the user belongs to, adjusting the user group-dimension permission relation to control the data access permission of the user;
when the permission adjustment range of the user exceeds the permission range of the user group the user belongs to, adjusting the user-user group relation to control the data access permission of the user.
Further, the user group and permission creation module creates the user group information table according to the organizational structure of the object concerned.
Further, the user and permission creation module comprises:
an in-group user and permission creation module for creating a user in the corresponding user group according to the permissions of the configured user group, and for assigning the user the corresponding dimension permissions according to the user group-dimension permission relation.
Further, the user group information table comprises parent groups and corresponding subgroups, and a subgroup inherits all or part of the access permissions of its parent group;
the user group and permission creation module comprises:
a new subgroup and permission creation module for creating, when the permission adjustment range of the user exceeds the permission range of the user group the user belongs to, a new subgroup in the corresponding user group, and for assigning the new subgroup the corresponding dimension permissions according to the user group-dimension permission relation.
Further, the access permission adjustment module is also used for:
moving the user to a subgroup of its previous user group, which reduces the dimension permissions of the user; or
directly adjusting the user-dimension permission relation to reduce the dimension permissions of the user.
Further, the access permission adjustment module is also used for:
moving the user to the parent group of its previous user group, which increases the dimension permissions of the user; or
directly adjusting the user-dimension permission relation to increase the dimension permissions of the user.
Beneficial effects of the invention: the control method of information access rights according to the invention separates operating permissions from data access permissions, which makes rights management more convenient and flexible; user groups, subgroups and the users within groups are set according to the requirements of the real business organization, which better matches practical application scenarios; permissions are adjusted dynamically and inherited between user groups and between users and groups; the number of roles that have to be allocated in a complex system is effectively reduced; and a superior user can fully simulate the access of a subordinate user.
Detailed description of the invention
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the control method of information access rights according to an embodiment of the invention.
Fig. 2 is a schematic diagram of the structure of the control device of information access rights according to an embodiment of the invention.
Fig. 3 is a schematic diagram of the structure of the bank user groups in an embodiment of the invention.
Specific embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flow chart of the control method of information access rights according to an embodiment of the invention. As shown in Fig. 1, the control method of information access rights comprises:
S100, creating a user group information table, a dimension permission table and a user group-dimension permission relation;
S200, creating a user information table and establishing a user-user group relation and a user-dimension permission relation;
S300, establishing a user-role relation table from a role information table, a role-menu function information table and the created user information table, and controlling users' operating permissions according to the user-role relation table;
S400, controlling users' data access permissions according to the user-user group relation, the user group-dimension permission relation and the user-dimension permission relation;
S500, when controlling users' data access permissions, adjusting the user group and dimension permissions of a user by adjusting the user-dimension permission relation, the user group-dimension permission relation and the user-user group relation, comprising:
when the permission adjustment range of the user lies within the permission range determined for the user by the user-dimension permission relation, adjusting the user-dimension permission relation to control the data access permission of the user;
when the permission adjustment range of the user exceeds the permission range determined for the user by the user-dimension permission relation but lies within the permission range of the user group the user belongs to, adjusting the user group-dimension permission relation to control the data access permission of the user;
when the permission adjustment range of the user exceeds the permission range of the user group the user belongs to, adjusting the user-user group relation to control the data access permission of the user.
In step S100, the user group information table, the dimension permission table and the user group-dimension permission relation are created. The user group information table may be created as an empty table or according to the organizational structure of the object concerned, and the dimension permission table is likewise created according to the permissions of the object concerned. Creating the user group information table as an empty table makes it convenient for administrators to redesign or adjust the user group architecture and avoids carrying over from the start any deficiencies or defects of the object's existing organizational structure, whereas creating it according to that organizational structure makes creation more efficient and convenient. The control method of information access rights can therefore be configured according to the requirements of the real business organization and fits practical application scenarios better.
In step S200, the user information table is created and the user-user group relation and the user-dimension permission relation are established. The created user information table contains information on a number of users, and the relations between these users and the user group information table and dimension permission table established in step S100 are set up. That is, the user-user group relation specifies which group in the user group information table each user in the user information table belongs to, and every user must belong to a user group; the user-dimension permission relation specifies the correspondence between the users in the user information table and the entries in the dimension permission table.
In step S300, the user-role relation table is established from the role information table, the role-menu function information table and the created user information table, and users' operating permissions are controlled according to the user-role relation table. In this step roles are introduced into the user information table and the function menu information table: different role categories are set as required, each role corresponds to certain operating permissions, and roles are then assigned to users by establishing the user-role relation table, which determines the operating permissions of each user.
In step S400, users' data access permissions are controlled according to the user-user group relation, the user group-dimension permission relation and the user-dimension permission relation. Since a user in a user group has the dimension permission relation of that group, in this step the user-user group relation determines which user group the user belongs to, and the user-dimension permission relation determines the data access permissions of the user itself. The overall data access permission of a user therefore comprises the data access permissions of the user itself and the access permissions of the user group the user belongs to, and the user's data access is controlled according to this overall permission.
In step S500, when controlling users' data access permissions, the user group and dimension permissions of a user are adjusted by adjusting the user-dimension permission relation, the user group-dimension permission relation and the user-user group relation. This comprises: when the permission adjustment range of the user lies within the permission range determined for the user by the user-dimension permission relation, adjusting the user-dimension permission relation to control the data access permission of the user; when the permission adjustment range of the user exceeds the permission range determined for the user by the user-dimension permission relation but lies within the permission range of the user group the user belongs to, adjusting the user group-dimension permission relation to control the data access permission of the user; and when the permission adjustment range of the user exceeds the permission range of the user group the user belongs to, adjusting the user-user group relation to control the data access permission of the user. In other words, when the data permission adjustment for a user is small, the user-dimension permission relation can be adjusted so that the data access permission of the user in question is modified; when adjusting the user-dimension permission relation alone is not enough to meet the actual adjustment of the user's data permission, the relation between the user's group and its dimension permissions is adjusted as well, which adjusts the user's data access permission indirectly; and when adjusting the user group-dimension permission relation still cannot meet the requirement, the relation between the user and the group the user belongs to is adjusted to change the user's data access permission.
In a specific implementation of the invention, the user group information table is created according to the organizational structure of the object concerned. The user group information table comprises parent groups and corresponding subgroups, and a subgroup inherits all or part of the access permissions of its parent group. When the permission adjustment range of a user exceeds the permission range of the user group the user belongs to, a new subgroup is created in the corresponding user group and assigned the corresponding dimension permissions according to the user group-dimension permission relation.
In a specific implementation, when the user information table is created, a user may also be created in the corresponding user group according to the permissions of the configured user group and be assigned the corresponding dimension permissions according to the user group-dimension permission relation.
In a specific implementation, when the data access permission of a user needs to be reduced, the user may be moved to a subgroup of its previous user group, which reduces the dimension permissions of the user, and/or the user-dimension permission relation may be adjusted directly to reduce the dimension permissions of the user. When the data access permission of a user needs to be increased, the user is moved to the parent group of its previous user group, which increases the dimension permissions of the user, and/or the user-dimension permission relation is adjusted directly to increase the dimension permissions of the user.
The above describes the specific embodiments of the invention; the invention is further described below with reference to an actual scenario.
Taking a banking information system as an example: first, the user group information table and the dimension permission table are created according to actual needs, and the user group-dimension permission relation is determined from the dimension permissions that correspond to each user group. User subgroups can be set in the user group information table, and a user subgroup can inherit all or part of the data access permissions of its parent group. The dimension permission table is the set of data access permissions worked out from the organizational structure of the actual object. For example, in a banking information system the user group information table forms a tree of parent groups and subgroups: parent groups may be the "National ICBC group" (Industrial and Commercial Bank of China), the "National ABC group" (Agricultural Bank of China) and so on, and the subgroups of the "National ICBC group" may be the "Beijing ICBC group", the "Tianjin ICBC group" and so on. The dimension permission table can be classified by information such as "bank" and "branch number", for example "view ICBC information" or "view bank information for the Beijing area", and the user group-dimension permission relation can, for instance, give the "National ICBC group" the data access permission "view ICBC information". Next, the user information table is created, and the user-user group relation and the user-dimension permission relation are created to specify, for each user in the user information table, the user group and the dimension permissions the user itself holds. The user information table contains a number of users, such as the specific persons "Zhang" and "Wang"; these users are assigned their initial dimension permissions, which builds the user-dimension permission relation. Next, roles are established according to the existing RBAC model, the user-role relation table is established from the role information table, the role-menu function information table and the created user information table, and users' operating permissions are controlled according to the user-role relation table. The "roles" here may be "bank administrator", "bank operator" and so on, each corresponding to different operating permissions; roles are assigned to staff as actually required, which controls the operating permissions of different users. When a user's data access permission needs to be adjusted, the user group and dimension permissions of that user are adjusted by adjusting the user-dimension permission relation, the user group-dimension permission relation and the user-user group relation. The specific adjustment method comprises: when the permission adjustment range of the user lies within the permission range determined for the user by the user-dimension permission relation, adjusting the user-dimension permission relation to control the data access permission of the user; when the permission adjustment range exceeds the permission range determined for the user by the user-dimension permission relation but lies within the permission range of the user group the user belongs to, adjusting the user group-dimension permission relation to control the data access permission of the user; and when the permission adjustment range exceeds the permission range of the user group the user belongs to, adjusting the user-user group relation to control the data access permission of the user. In other words, the permission adjustment range of the user is compared with the data permission ranges given by the user-dimension permission relation, the user group-dimension permission relation and the user-user group relation; the relation to be adjusted is determined according to this order of preference, and the data access permission of the user is then changed, directly or indirectly, by changing that relation.
Fig. 3 is a schematic diagram of the structure of the bank user groups in an embodiment of the invention.
As shown in Fig. 3, in the user group information table the "All banks group" has the subgroups "National ICBC group", "National CCB group" (China Construction Bank), "National ABC group" and "Bank of Beijing group"; the "National ICBC group" has the subgroups "Beijing ICBC group", "Shanghai ICBC group" and "Tianjin ICBC group"; the "National CCB group" has the subgroups "Beijing CCB group", "Shanghai CCB group" and "Tianjin CCB group"; and the "National ABC group" has the subgroups "Beijing ABC group", "Shanghai ABC group" and "Tianjin ABC group". Correspondingly, through the user group-dimension permission relation, the "All banks group" has permission to view ICBC, CCB and ABC information nationwide; the "National ICBC group" has permission to view national ICBC information; the "National CCB group" has permission to view national CCB information; the "National ABC group" has permission to view national ABC information; the "Beijing ICBC group" only has permission to view Beijing ICBC information; the "Shanghai ICBC group" only has permission to view Shanghai ICBC information; the "Tianjin ICBC group" only has permission to view Tianjin ICBC information; the "Beijing CCB group" only has permission to view Beijing CCB information; the "Shanghai CCB group" only has permission to view Shanghai CCB information; the "Tianjin CCB group" only has permission to view Tianjin CCB information; the "Beijing ABC group" only has permission to view Beijing ABC information; the "Shanghai ABC group" only has permission to view Shanghai ABC information; the "Tianjin ABC group" only has permission to view Tianjin ABC information; and the "Bank of Beijing group" has permission to view all banks in the Beijing area.
User "Zhang" currently belongs to the "Bank of Beijing group", and the permissions "Zhang" holds through the user-dimension permission relation are to view Beijing CCB information and to view Beijing ABC information. The data access permissions that user "Zhang" currently has are therefore to view Beijing CCB information and Beijing ABC information.
Suppose the data access permission of user "Zhang" needs to be adjusted according to the actual situation. Examples of how the permission is reduced and increased are given below:
Suppose the data access permission of user "Zhang" needs to be reduced so that Zhang can only view Beijing CCB information. Only the user-dimension permission relation needs to be adjusted: reducing the dimension permissions of user "Zhang" from "view Beijing CCB information and view Beijing ABC information" to "view Beijing CCB information" achieves the reduction of Zhang's data access permission.
Suppose the data access permission of user "Zhang" needs to be reduced so that Zhang can only view Shanghai ICBC information. Only the user-user group relation needs to be adjusted: user "Zhang" is moved from the "Bank of Beijing group" to the "Shanghai ICBC group". Since the group Zhang belongs to after the adjustment is a subgroup whose only permission is to view Shanghai ICBC information, the data access permission of user "Zhang" after the adjustment meets the requirement.
Suppose the data access permission of user "Zhang" needs to be increased by adding the right to view Beijing ICBC information to the original permissions. Only the user-dimension permission relation needs to be adjusted: the permission "view Beijing ICBC information" is added to the original dimension permissions of user "Zhang", "view Beijing CCB information and view Beijing ABC information".
Suppose the data access permission of user "Zhang" needs to be increased so that Zhang has permission to view the information of all banks. The user-user group relation needs to be adjusted: moving user "Zhang" from the "Bank of Beijing group" to the "All banks group" gives user "Zhang" permission to view the information of all banks.
Suppose the data access permission of user "Zhang" needs to be adjusted so that Zhang can view Shanghai ICBC information, Shanghai CCB information and Shanghai ABC information. This adjustment range exceeds the data access permission range of the "Bank of Beijing group" that Zhang currently belongs to, and there are two ways to meet the requirement: one is to adjust the user group-dimension permission relation so that the "Bank of Beijing group" gains permission to view Shanghai ICBC, Shanghai CCB and Shanghai ABC information; the other is to create a new subgroup "Bank of Shanghai group" under the "All banks group", assign it permission to view Shanghai ICBC, Shanghai CCB and Shanghai ABC information through the user group-dimension permission relation, and move user "Zhang" to the "Bank of Shanghai group".
Having described the method for controlling information access permission of the embodiment of the present invention, the device for controlling information access permission of the embodiment is introduced next. The implementation of the device may refer to the implementation of the method above; repeated points are not described again. The terms "module" and "unit" used below may be software and/or hardware that realizes a predetermined function.
As shown in Fig. 2, a device for controlling information access permission comprises:
a user group and permission creation module 100, for creating the user group information table, the dimension permission table and the user group-dimension permission relation;
a user and permission creation module 200, for creating the user information table and establishing the user-user group relation and the user-dimension permission relation;
an operation permission control module 300, for establishing the user-role relation table according to the role information table, the role-menu function information table and the created user information table, and controlling user operation permission according to the user-role relation table;
an access control module 400, for controlling user data access permission according to the user-user group relation, the user group-dimension permission relation and the user-dimension permission relation;
an access permission adjustment module 500, for adjusting, during user data access permission control, the user group and dimension permission corresponding to a user by adjusting the user-dimension permission relation, the user group-dimension permission relation and the user-user group relation, comprising:
when the permission adjustment range of the user is within the permission range determined by the user-dimension permission relation of the user, adjusting the user-dimension permission relation to control the data access permission of the user;
when the permission adjustment range of the user exceeds the permission range determined by the user-dimension permission relation of the user but is within the permission range of the user group the user belongs to, adjusting the user group-dimension permission relation to control the data access permission of the user;
when the permission adjustment range of the user exceeds the permission range of the user group the user belongs to, adjusting the user-user group relation to control the data access permission of the user.
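Modules 300 and 400 keep two separate questions apart: whether a user may invoke a menu function at all (user-role-menu function) and which rows the user may see (user-dimension). The following is an added illustration of that two-layer check, not code from the patent; the table contents, the "bank" dimension, the settlement rows and the function names are constructed for the example. The data layer is default-deny in both directions: a user with no dimension row sees nothing, and a row that lacks the governed column is dropped rather than passed through.

```python
from __future__ import annotations


class Denied(Exception):
    """Raised when the operation-permission layer refuses a menu function."""


# Constructed tables standing in for the patent's role-menu function table,
# user-role relation table and user-dimension permission relation.
ROLE_MENU = {
    "auditor": {"query_settlement"},
    "clearing_operator": {"query_settlement", "reverse_settlement"},
}
USER_ROLE = {"Zhang": "auditor", "Li": "clearing_operator", "Wang": "auditor"}
USER_DIMENSION = {
    # dimension name -> values this user may see; Wang has a role but no row here
    "Zhang": {"bank": {"Beijing CCB", "Beijing ABC"}},
    "Li": {"bank": {"Shanghai ICBC"}},
}
SETTLEMENTS = [  # constructed sample rows; "bank" is the governed dimension column
    {"id": 1, "bank": "Beijing CCB", "amount": 120},
    {"id": 2, "bank": "Beijing ABC", "amount": 80},
    {"id": 3, "bank": "Shanghai ICBC", "amount": 300},
    {"id": 4, "bank": "Tianjin CCB", "amount": 50},
    {"id": 5, "amount": 999},  # row with no bank column: must never leak
]


def check_operation(user: str, function: str) -> None:
    """Operation permission: user -> role -> menu function. Default deny."""
    role = USER_ROLE.get(user)
    if role is None or function not in ROLE_MENU.get(role, set()):
        raise Denied(f"{user} may not call {function}")


def dimension_filter(user: str, rows: list[dict]) -> list[dict]:
    """Data-access permission: keep a row only if every governed dimension value is
    granted to the user. A user with no dimension row sees nothing, and a row that
    lacks a governed column is dropped rather than passed through."""
    allowed = USER_DIMENSION.get(user)
    if not allowed:
        return []
    return [r for r in rows
            if all(dim in r and r[dim] in values for dim, values in allowed.items())]


def query(user: str, function: str, rows: list[dict] | None = None) -> list[int]:
    """Both layers, in order: the function gate first, then the row filter.
    Returns the ids of the rows the user is allowed to see."""
    check_operation(user, function)
    return [r["id"] for r in dimension_filter(user, SETTLEMENTS if rows is None else rows)]
```

Changing Zhang's role changes what he can do to a settlement but never which settlements he sees; changing his dimension row does the opposite. That independence is what lets the group hierarchy be managed without touching role assignments.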
In the specific implementation, the user group information table created by the user group and permission creation module is created according to the organizational structure of the corresponding object.
In the specific implementation, the user and permission creation module 200 comprises:
an in-group user and permission creation module, for creating a user in the corresponding user group according to the permission of the configured user group, and assigning the user the corresponding dimension permission according to the user group-dimension permission relation.
In the specific implementation, the user group information table comprises parent groups and corresponding subgroups, and a subgroup inherits all or part of the access permission of its parent group;
the user group and permission creation module 100 comprises:
a new subgroup and permission creation module, for creating, when the permission adjustment range of the user exceeds the permission range of the user group the user belongs to, a new subgroup in the corresponding user group, and assigning the new subgroup the corresponding dimension permission according to the user group-dimension permission relation.
In the specific implementation, the access permission adjustment module 500 is further used for:
moving the user to a subgroup of the user group it belonged to before, to reduce the dimension permission of the user; and/or
directly adjusting the user-dimension permission relation to reduce the dimension permission of the user.
In the specific implementation, the access permission adjustment module 500 is further used for:
moving the user to the parent group of the user group it belonged to before, to increase the dimension permission of the user; and/or
directly adjusting the user-dimension permission relation to increase the dimension permission of the user.
In actual implementation, the method for controlling information access permission of the present invention allows an advanced user to fully simulate the access of a subordinate user. By changing the user-user group relation, the advanced user can be moved to a subgroup of the user group it belonged to before, which reduces the dimension permission of the advanced user and thereby simulates the data access permission of a subordinate user in that subgroup.
Beneficial effects of the present invention: the method for controlling information access permission of the present invention separates operation permission from data access permission, bringing more convenient and flexible permission management; user groups, subgroups and the users within groups are configured according to the actual organizational requirements of the business, matching practical application scenarios more closely; permission is dynamically adjusted and inherited between user groups and between users and groups; the scale of role assignment in complex systems is effectively reduced; and an advanced user can fully simulate the access of a subordinate user.
The specific embodiments described above further describe in detail the purpose, technical solution and beneficial effects of the present invention. It should be understood that the foregoing is merely a specific embodiment of the present invention and is not intended to limit its protection scope; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.
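The Figure 3 walk-through with user "Zhang" and the subordinate-simulation paragraph above both rest on the same three relations, so one added example serves both. This is illustration code written for this page, not the patent's or the assignee's implementation; the class and function names, the bank/city labels and the name given to an automatically created subgroup are assumptions. It enforces the two invariants the claims state (a subgroup never exceeds its parent, a user never exceeds its group), decides which relation to change by the three-tier rule of the claims, and returns the prior state from a simulation so that it can be undone. Two practitioner caveats are built in: widening a group's range (the first option in the Shanghai example) is opt-in because it raises every member's permission, and a request that no ancestor group covers is refused rather than satisfied by widening the root.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Group:
    name: str
    parent: Group | None
    perms: set[str]                     # user group-dimension permission relation


@dataclass
class User:
    name: str
    group: Group                        # user-user group relation
    perms: set[str]                     # user-dimension permission relation


class AccessModel:
    def __init__(self) -> None:
        self.groups: dict[str, Group] = {}
        self.users: dict[str, User] = {}

    def add_group(self, name: str, parent: str | None, perms) -> Group:
        p = self.groups[parent] if parent else None
        perms = set(perms)
        # Claim 4: a subgroup inherits all or part of its parent's permission, never more.
        if p is not None and not perms <= p.perms:
            raise ValueError(f"{name} would exceed its parent {p.name}")
        self.groups[name] = Group(name, p, perms)
        return self.groups[name]

    def add_user(self, name: str, group: str, perms) -> User:
        g = self.groups[group]
        perms = set(perms)
        # Claim 3: a user's dimension permission is assigned within the group's permission.
        if not perms <= g.perms:
            raise ValueError(f"{name} would exceed group {g.name}")
        self.users[name] = User(name, g, perms)
        return self.users[name]

    def can_view(self, user: str, item: str) -> bool:
        """Both relations must grant the item, so a stale user-dimension row cannot
        outlive a later narrowing of the user's group."""
        u = self.users[user]
        return item in u.perms and item in u.group.perms

    def adjust(self, user: str, wanted, widen_group: bool = False) -> str:
        """Apply the three-tier adjustment; returns the relation that was changed."""
        u = self.users[user]
        wanted = set(wanted)
        if wanted <= u.group.perms:
            # Within the user's own range or the group's range: user-dimension only.
            u.perms = wanted
            return "user-dimension"
        if widen_group:
            # Out-of-range request, first option: widen the group. Every member gains
            # the new range, so this path is opt-in and deserves an audit record.
            u.group.perms |= wanted
            u.perms = wanted
            return "user group-dimension"
        # Second option: move the user. Prefer an existing group whose range is exactly
        # the request; otherwise create a new subgroup under the nearest ancestor that
        # covers it. A request no ancestor covers is refused, not granted by widening the root.
        target = next((g for g in self.groups.values() if g.perms == wanted), None)
        if target is None:
            anc = u.group.parent
            while anc is not None and not wanted <= anc.perms:
                anc = anc.parent
            if anc is None:
                raise PermissionError("request exceeds the root group's range")
            target = self.add_group(f"{user} subgroup of {anc.name}", anc.name, wanted)
        u.group, u.perms = target, wanted
        return "user-user group"

    def simulate_subordinate(self, user: str, subgroup: str) -> tuple[Group, set[str]]:
        """An advanced user views as a member of a subgroup strictly below its own group.
        Returns the prior (group, perms) so the caller can restore them afterwards."""
        u = self.users[user]
        sub = self.groups[subgroup]
        anc = sub.parent
        while anc is not None and anc is not u.group:
            anc = anc.parent
        if anc is None:
            raise PermissionError(f"{subgroup} is not below {u.group.name}")
        saved = (u.group, set(u.perms))
        u.group, u.perms = sub, u.perms & sub.perms
        return saved

    def restore(self, user: str, saved: tuple[Group, set[str]]) -> None:
        self.users[user].group, self.users[user].perms = saved


def build_figure3() -> AccessModel:
    """The group tree of Figure 3 and user Zhang's starting position."""
    m = AccessModel()
    cities, banks = ("Beijing", "Shanghai", "Tianjin"), ("ICBC", "CCB", "ABC")
    m.add_group("all banks group", None, {f"{c} {b}" for c in cities for b in banks})
    for b in banks:
        m.add_group(f"national {b} group", "all banks group", {f"{c} {b}" for c in cities})
        for c in cities:
            m.add_group(f"{c} {b} group", f"national {b} group", {f"{c} {b}"})
    m.add_group("Bank of Beijing group", "all banks group", {f"Beijing {b}" for b in banks})
    m.add_user("Zhang", "Bank of Beijing group", {"Beijing CCB", "Beijing ABC"})
    return m
```

Running the five Zhang adjustments from the walk-through against `build_figure3()` changes, in order, the user-dimension relation, the user-user group relation (to the existing "Shanghai ICBC group"), the user-dimension relation again, the user-user group relation (to "all banks group") and finally the user-user group relation with a freshly created subgroup under "all banks group". A user in "all banks group" can simulate "Beijing CCB group" and afterwards be restored from the returned state, which is the piece the paragraph above leaves implicit.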

Claims (12)

1. A method for controlling information access permission, characterized in that it comprises:
creating a user group information table, a dimension permission table and a user group-dimension permission relation;
creating a user information table and establishing a user-user group relation and a user-dimension permission relation;
establishing a user-role relation table according to a role information table, a role-menu function information table and the created user information table, and controlling user operation permission according to the user-role relation table;
controlling user data access permission according to the user-user group relation, the user group-dimension permission relation and the user-dimension permission relation;
during user data access permission control, adjusting the user group and dimension permission corresponding to a user by adjusting the user-dimension permission relation, the user group-dimension permission relation and the user-user group relation, comprising:
when the permission adjustment range of the user is within the permission range determined by the user-dimension permission relation of the user, adjusting the user-dimension permission relation to control the data access permission of the user;
when the permission adjustment range of the user exceeds the permission range determined by the user-dimension permission relation of the user and exceeds the permission range of the user group the user belongs to, adjusting the user group-dimension permission relation to control the data access permission of the user;
when the permission adjustment range of the user exceeds the permission range of the user group the user belongs to, adjusting the user-user group relation to control the data access permission of the user.
2. The method for controlling information access permission according to claim 1, characterized in that the user group information table is created according to the organizational structure of the corresponding object.
3. The method for controlling information access permission according to claim 1, characterized in that creating the user information table comprises:
creating a user in the corresponding user group according to the permission of the configured user group, and assigning the user the corresponding dimension permission according to the user group-dimension permission relation.
4. The method for controlling information access permission according to claim 1, characterized in that the user group information table comprises parent groups and corresponding subgroups, and a subgroup inherits all or part of the access permission of its parent group;
when the permission adjustment range of the user exceeds the permission range of the user group the user belongs to, a new subgroup is created in the corresponding user group and assigned the corresponding dimension permission according to the user group-dimension permission relation.
5. The method for controlling information access permission according to claim 4, characterized in that adjusting the user group and dimension permission corresponding to the user during user data access permission control, by adjusting the user-dimension permission relation, the user group-dimension permission relation and the user-user group relation, further comprises:
moving the user to a subgroup of the user group it belonged to before, to reduce the dimension permission of the user; or
directly adjusting the user-dimension permission relation to reduce the dimension permission of the user.
6. The method for controlling information access permission according to claim 4, characterized in that adjusting the user group and dimension permission corresponding to the user during user data access permission control, by adjusting the user-dimension permission relation, the user group-dimension permission relation and the user-user group relation, further comprises:
moving the user to the parent group of the user group it belonged to before, to increase the dimension permission of the user; or
directly adjusting the user-dimension permission relation to increase the dimension permission of the user.
7. A device for controlling information access permission, characterized in that it comprises:
a user group and permission creation module, for creating a user group information table, a dimension permission table and a user group-dimension permission relation;
a user and permission creation module, for creating a user information table and establishing a user-user group relation and a user-dimension permission relation;
an operation permission control module, for establishing a user-role relation table according to a role information table, a role-menu function information table and the created user information table, and controlling user operation permission according to the user-role relation table;
an access control module, for controlling user data access permission according to the user-user group relation, the user group-dimension permission relation and the user-dimension permission relation;
an access permission adjustment module, for adjusting, during user data access permission control, the user group and dimension permission corresponding to a user by adjusting the user-dimension permission relation, the user group-dimension permission relation and the user-user group relation, comprising:
when the permission adjustment range of the user is within the permission range determined by the user-dimension permission relation of the user, adjusting the user-dimension permission relation to control the data access permission of the user;
when the permission adjustment range of the user exceeds the permission range determined by the user-dimension permission relation of the user and exceeds the permission range of the user group the user belongs to, adjusting the user group-dimension permission relation to control the data access permission of the user;
when the permission adjustment range of the user exceeds the permission range of the user group the user belongs to, adjusting the user-user group relation to control the data access permission of the user.
8. The device for controlling information access permission according to claim 7, characterized in that the user group information table created by the user group and permission creation module is created according to the organizational structure of the corresponding object.
9. The device for controlling information access permission according to claim 7, characterized in that the user and permission creation module comprises:
an in-group user and permission creation module, for creating a user in the corresponding user group according to the permission of the configured user group, and assigning the user the corresponding dimension permission according to the user group-dimension permission relation.
10. The device for controlling information access permission according to claim 7, characterized in that the user group information table comprises parent groups and corresponding subgroups, and a subgroup inherits all or part of the access permission of its parent group;
the user group and permission creation module comprises:
a new subgroup and permission creation module, for creating, when the permission adjustment range of the user exceeds the permission range of the user group the user belongs to, a new subgroup in the corresponding user group, and assigning the new subgroup the corresponding dimension permission according to the user group-dimension permission relation.
11. The device for controlling information access permission according to claim 10, characterized in that the access permission adjustment module is further used for:
moving the user to a subgroup of the user group it belonged to before, to reduce the dimension permission of the user; or
directly adjusting the user-dimension permission relation to reduce the dimension permission of the user.
12. The device for controlling information access permission according to claim 10, characterized in that the access permission adjustment module is further used for:
moving the user to the parent group of the user group it belonged to before, to increase the dimension permission of the user; or
directly adjusting the user-dimension permission relation to increase the dimension permission of the user.
CN201611126359.9A 2016-12-09 2016-12-09 The control method and device of information access rights Active CN106599718B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611126359.9A CN106599718B (en) 2016-12-09 2016-12-09 The control method and device of information access rights

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611126359.9A CN106599718B (en) 2016-12-09 2016-12-09 The control method and device of information access rights

Publications (2)

Publication Number Publication Date
CN106599718A CN106599718A (en) 2017-04-26
CN106599718B true CN106599718B (en) 2019-04-05

Family

ID=58597766

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611126359.9A Active CN106599718B (en) 2016-12-09 2016-12-09 The control method and device of information access rights

Country Status (1)

Country Link
CN (1) CN106599718B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107330307A (en) 2017-07-16 2017-11-07 成都牵牛草信息技术有限公司 A kind of form data operating right authorization method
CN109165518A (en) * 2018-09-12 2019-01-08 浪潮软件集团有限公司 Data authority division management method and device
CN110753059B (en) * 2019-10-25 2022-01-04 苏州浪潮智能科技有限公司 Authority management method, equipment and storage medium
CN111352922B (en) * 2020-02-25 2021-02-12 帆软软件有限公司 Data authority inheritance method for multiple data tables in BI tool

Citations (4)

Publication number Priority date Publication date Assignee Title
CN1960252A (en) * 2006-06-30 2007-05-09 南京联创科技股份有限公司 Multidimension object access control method based on roles
CN101917448A (en) * 2010-08-27 2010-12-15 山东中创软件工程股份有限公司 Control method for realizing RBAC access permission in application on basis of.NET
CN104573478A (en) * 2014-11-20 2015-04-29 深圳市远行科技有限公司 User authority management system of Web application
CN105809021A (en) * 2016-03-04 2016-07-27 深圳市茁壮网络股份有限公司 Method and device for distributing user permissions

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US20020026592A1 (en) * 2000-06-16 2002-02-28 Vdg, Inc. Method for automatic permission management in role-based access control systems
US9418236B2 (en) * 2013-11-13 2016-08-16 Intuit Inc. Method and system for dynamically and automatically managing resource access permissions

Non-Patent Citations (3)

Title
Research on a unified permission management system based on RBAC; Xia Yubin, Xuan Mingfu; Microcomputer Information (微计算机信息); 2006-10-30; vol. 22, no. 9-3; pp. 114-116
Research and implementation of a permission management system based on role-based access control; Wu Zhongyi; China Master's Theses Full-text Database, Information Science and Technology (中国优秀硕士学位论文全文数据库 信息科技辑); 2011-12-15; no. S2; pp. I139-156, chapters 2 and 3
Application of design patterns in a database access permission system; Wang Bin, Jin Dawei et al.; Computer Applications (计算机应用); 2012-12-31; vol. 32, no. S2; pp. 113-115

Also Published As

Publication number Publication date
CN106599718A (en) 2017-04-26

Similar Documents

Publication Publication Date Title
CN106599718B (en) The control method and device of information access rights
CN107104931A (en) A kind of access control method and platform
US7284000B2 (en) Automatic policy generation based on role entitlements and identity attributes
CN109918924A (en) The control method and system of dynamic access permission
JP4903287B2 (en) User classification and leveling management system in image information management system
CN105184144A (en) Multi-system privilege management method
CN101951377A (en) Hierarchical authorization management method and device
CN101729403A (en) Access control method based on attribute and rule
CN102468971A (en) Authority management method and device, and authority control method and device
JP2010537285A5 (en)
CN109067756A (en) A kind of user's synchronization and authority control method suitable for cloudy management
CN110472388A (en) A kind of apparatus management/control system and its user authority control method
Rathod An access control and authorization model with Open stack cloud for Smart Grid
CN106570656A (en) hierarchical authorization
CN104333553A (en) Mass data authority control strategy based on combination of blacklist and whitelist
CN109862001A (en) Multistage authority management method based on cloud management platform
CN108133134A (en) A kind of right management method of map resource, device, equipment and storage medium
CN107147665B (en) Application method of the beam-based alignment model in industrial 4.0 systems
CN102201935B (en) Access control method and device based on VIEW
CN106487770B (en) Method for authenticating and authentication device
CN107566375A (en) Access control method and device
US20240007458A1 (en) Computer user credentialing and verification system
CN110188517A (en) A kind of the user account number login method and device of based role mode
CN106529230A (en) Role-based permission control mechanism
CN109241119A (en) Trans-departmental data sharing method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant