CN106599718B - Control method and device for information access rights - Google Patents
- Publication number: CN106599718B (application CN201611126359.9A)
- Authority: CN (China)
- Prior art keywords: user, group, dimension, permission, relation
- Prior art date
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/60—Protecting data
          - G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
          - G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention proposes a control method and device for information access rights. The method comprises: creating a user group table, a dimension permission table and a user group-dimension permission relationship; creating a user table and establishing a user-user group relationship and a user-dimension permission relationship; establishing a user-role relationship table from a role table, a role-menu function table and the created user table, and controlling users' operating permissions according to that user-role relationship table; controlling users' data access permissions according to the user-user group relationship, the user group-dimension permission relationship and the user-dimension permission relationship; and, while controlling data access permissions, adjusting a user's group and dimension permissions by adjusting the user-dimension permission relationship, the user group-dimension permission relationship and the user-user group relationship.
Description
Technical field
The present invention relates to the field of system permission management, and in particular to a control method and device for information access rights.
Background technique
An information system usually serves many users and must assign them different permissions (for example, access to function menus and buttons); this is user permission management. The most typical traditional permission management scheme is the RBAC model. RBAC does not define precise criteria for dividing roles, so when system complexity is high the number of roles that must be defined grows sharply; it is also hard to meet flexible permission control needs with it, especially in large systems; and RBAC considers permission control mainly from the software system's point of view, ignoring the real organizational structure of the enterprise. For example, a user in one organization often needs to act as (simulate) a user of another organization in order to query report data along different dimension paths, that is, to switch roles when accessing a report. The traditional RBAC model cannot support such user role switching (a user's role in RBAC is fixed), and it requires a large number of roles to be defined, so the relationship between roles and resource permissions becomes complicated and hard to extend.
Summary of the invention
To solve the problem that too many user roles must be defined in a large information system, and to better fit the real business organization structure, the invention proposes a control method for information access rights, comprising:
creating a user group table, a dimension permission table and a user group-dimension permission relationship;
creating a user table and establishing a user-user group relationship and a user-dimension permission relationship;
establishing a user-role relationship table from a role table, a role-menu function table and the created user table, and controlling users' operating permissions according to that user-role relationship table;
controlling users' data access permissions according to the user-user group relationship, the user group-dimension permission relationship and the user-dimension permission relationship;
while controlling data access permissions, adjusting a user's group and dimension permissions by adjusting the user-dimension permission relationship, the user group-dimension permission relationship and the user-user group relationship, which comprises:
when the user's permission adjustment range lies within the permission range determined for the user by the user-dimension permission relationship, adjusting the user-dimension permission relationship to control the user's data access permission;
when the user's permission adjustment range exceeds the permission range determined for the user by the user-dimension permission relationship but lies within the permission range of the user's group, adjusting the user group-dimension permission relationship to control the user's data access permission;
when the user's permission adjustment range exceeds the permission range of the user's group, adjusting the user-user group relationship to control the user's data access permission.
Further, the user group table is created according to the organizational structure of the corresponding object.
Further, creating the user table comprises: creating users in the corresponding user group according to the permissions of the configured user groups, and assigning each user the corresponding dimension permissions according to the user group-dimension permission relationship.
Further, the user group table contains parent groups and their subgroups, and a subgroup inherits all or part of the access permissions of its parent group; when the user's permission adjustment range exceeds the permission range of the user's group, a new subgroup is created in the corresponding user group and is assigned the corresponding dimension permissions according to the user group-dimension permission relationship.
Further, adjusting the user's group and dimension permissions through the user-user group relationship and the user-dimension permission relationship to control the user's data access permission also comprises: moving the user to a subgroup of the user's previous group to reduce the user's dimension permissions; or directly adjusting the user-dimension permission relationship to reduce the user's dimension permissions.
Further, adjusting the user's group and dimension permissions through the user-user group relationship and the user-dimension permission relationship to control the user's data access permission also comprises: moving the user to the parent group of the user's previous group to increase the user's dimension permissions; or directly adjusting the user-dimension permission relationship to increase the user's dimension permissions.
Correspondingly, a control device for information access rights comprises:
a user group and permission creation module, for creating the user group table, the dimension permission table and the user group-dimension permission relationship;
a user and permission creation module, for creating the user table and establishing the user-user group relationship and the user-dimension permission relationship;
an operating permission control module, for establishing the user-role relationship table from the role table, the role-menu function table and the created user table, and controlling users' operating permissions according to that user-role relationship table;
an access control module, for controlling users' data access permissions according to the user-user group relationship, the user group-dimension permission relationship and the user-dimension permission relationship;
an access permission adjustment module, for adjusting a user's group and dimension permissions, while data access permissions are being controlled, by adjusting the user-dimension permission relationship, the user group-dimension permission relationship and the user-user group relationship, which comprises:
when the user's permission adjustment range lies within the permission range determined for the user by the user-dimension permission relationship, adjusting the user-dimension permission relationship to control the user's data access permission;
when the user's permission adjustment range exceeds the permission range determined for the user by the user-dimension permission relationship but lies within the permission range of the user's group, adjusting the user group-dimension permission relationship to control the user's data access permission;
when the user's permission adjustment range exceeds the permission range of the user's group, adjusting the user-user group relationship to control the user's data access permission.
Further, the user group and permission creation module creates the user group table according to the organizational structure of the corresponding object.
Further, the user and permission creation module comprises an in-group user and permission creation module, for creating users in the corresponding user group according to the permissions of the configured user groups, and assigning each user the corresponding dimension permissions according to the user group-dimension permission relationship.
Further, the user group table contains parent groups and their subgroups, a subgroup inheriting all or part of the access permissions of its parent group, and the user group and permission creation module comprises a new subgroup and permission creation module, for creating a new subgroup in the corresponding user group when the user's permission adjustment range exceeds the permission range of the user's group, and assigning the new subgroup the corresponding dimension permissions according to the user group-dimension permission relationship.
Further, the access permission adjustment module is also used to move the user to a subgroup of the user's previous group to reduce the user's dimension permissions, or to directly adjust the user-dimension permission relationship to reduce the user's dimension permissions.
Further, the access permission adjustment module is also used to move the user to the parent group of the user's previous group to increase the user's dimension permissions, or to directly adjust the user-dimension permission relationship to increase the user's dimension permissions.
Beneficial effects of the invention: the control method for information access rights separates operating permissions from data access permissions, giving more convenient and flexible permission management; user groups, subgroups and the users within groups are configured according to real business organization needs, so the scheme matches practical application scenarios more closely; permissions can be adjusted dynamically and inherited between user groups and between users and groups; the number of roles that must be allocated in a complex system is reduced significantly; and a higher-level user can fully simulate a lower-level user's access.
Detailed description of the invention
To explain the embodiments of the invention or the prior art more clearly, the drawings needed for their description are briefly introduced below. Clearly, the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the control method for information access rights according to an embodiment of the invention.
Fig. 2 is a structural diagram of the control device for information access rights according to an embodiment of the invention.
Fig. 3 is a structural diagram of the bank user groups in an embodiment of the invention.
Specific embodiments
The technical solution in the embodiments of the invention is described clearly and completely below with reference to the drawings of those embodiments. Clearly, the embodiments described are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flow chart of the control method for information access rights according to an embodiment of the invention. As shown in Fig. 1, the control method comprises:
S100, creating a user group table, a dimension permission table and a user group-dimension permission relationship;
S200, creating a user table and establishing a user-user group relationship and a user-dimension permission relationship;
S300, establishing a user-role relationship table from a role table, a role-menu function table and the created user table, and controlling users' operating permissions according to that user-role relationship table;
S400, controlling users' data access permissions according to the user-user group relationship, the user group-dimension permission relationship and the user-dimension permission relationship;
S500, while controlling data access permissions, adjusting a user's group and dimension permissions by adjusting the user-dimension permission relationship, the user group-dimension permission relationship and the user-user group relationship, which comprises:
when the user's permission adjustment range lies within the permission range determined for the user by the user-dimension permission relationship, adjusting the user-dimension permission relationship to control the user's data access permission;
when the user's permission adjustment range exceeds the permission range determined for the user by the user-dimension permission relationship but lies within the permission range of the user's group, adjusting the user group-dimension permission relationship to control the user's data access permission;
when the user's permission adjustment range exceeds the permission range of the user's group, adjusting the user-user group relationship to control the user's data access permission.
In step S100, the user group table, the dimension permission table and the user group-dimension permission relationship are created. The user group table may be created empty, or it may be created according to the organizational structure of the corresponding object; the dimension permission table is likewise created according to the operating permissions of the corresponding object. Starting from an empty user group table lets administrators redesign or adjust the user group hierarchy freely and avoids carrying over gaps or defects of the existing organizational structure from the outset, while creating it from the organizational structure of the corresponding object makes the creation process more efficient and convenient. The method can therefore be configured for real business organization needs and matches practical application scenarios more closely.
In step S200, the user table is created and the user-user group relationship and the user-dimension permission relationship are established. The created user table contains information on multiple users, and relationships are established between those users and the user group table and dimension permission table created in step S100. That is, the user-user group relationship specifies which group in the user group table each user of the user table belongs to (every user must belong to a user group), and the user-dimension permission relationship specifies the correspondence between users in the user table and entries in the dimension permission table.
In step S300, the user-role relationship table is established from the role table, the role-menu function table and the created user table, and users' operating permissions are controlled according to it. In this step, roles are introduced on top of the user table and the function menu table: different role categories are defined as needed, each role corresponds to certain operating permissions, and users are assigned roles by building the user-role relationship table, which determines each user's operating permissions.
In step S400, users' data access permissions are controlled according to the user-user group relationship, the user group-dimension permission relationship and the user-dimension permission relationship. Because a user in a user group carries the group's dimension permission relationship, in this step the user-user group relationship determines which user group a user belongs to, and the user-dimension permission relationship determines the user's own data access permissions. A user's overall data access permission therefore consists of the user's own data access permission together with the access permission of the user's group, and data access is controlled according to this overall permission.
In step S500, while data access permissions are being controlled, a user's group and dimension permissions are adjusted by adjusting the user-dimension permission relationship, the user group-dimension permission relationship and the user-user group relationship, as follows: when the user's permission adjustment range lies within the permission range determined for the user by the user-dimension permission relationship, the user-dimension permission relationship is adjusted to control the user's data access permission; when the adjustment range exceeds the permission range determined for the user by the user-dimension permission relationship but lies within the permission range of the user's group, the user group-dimension permission relationship is adjusted to control the user's data access permission; when the adjustment range exceeds the permission range of the user's group, the user-user group relationship is adjusted to control the user's data access permission. In other words, when the required change to a user's data permission is small, the user-dimension permission relationship can be adjusted to modify the data access permission of the user concerned; when adjusting the user-dimension permission relationship alone cannot satisfy the required change, the relationship between the user's group and the dimension permissions is adjusted to change the user's data access permission indirectly; and when adjusting the user group-dimension permission relationship still cannot meet the need, the relationship between the user and the group is adjusted to change the user's data access permission.
In a specific implementation of the invention, the user group table is created according to the organizational structure of the corresponding object. The user group table contains parent groups and their subgroups, and a subgroup inherits all or part of the access permissions of its parent group; when a user's permission adjustment range exceeds the permission range of the user's group, a new subgroup is created in the corresponding user group and is assigned the corresponding dimension permissions according to the user group-dimension permission relationship.
In a specific implementation, when the user table is created, users may also be created in the corresponding user group according to the permissions of the configured user groups, and each user is assigned the corresponding dimension permissions according to the user group-dimension permission relationship.
In a specific implementation, when a user's data access permission needs to be reduced, the user's dimension permissions are reduced by moving the user to a subgroup of the user's previous group, and/or the user-dimension permission relationship is adjusted directly to reduce the user's dimension permissions. When a user's data access permission needs to be increased, the user's dimension permissions are increased by moving the user to the parent group of the user's previous group, and/or the user-dimension permission relationship is adjusted directly to increase the user's dimension permissions.
The above describes specific embodiments of the invention; the invention is further described below with reference to an actual scenario.
Taking a banking information system as an example: first, the user group table and the dimension permission table are created according to actual needs, and the user group-dimension permission relationship is determined from the dimension permissions that belong to each user group. User subgroups may be configured in the user group table, and a subgroup may inherit all or part of the data access permissions of its parent group; the dimension permission table is the set of data access permissions drawn up according to the organizational structure of the actual object. For example, in a banking information system the user group table forms a tree of parent groups and subgroups: parent groups may be "national ICBC group", "national ABC group" and so on, and the subgroups of "national ICBC group" may be "Beijing ICBC group", "Tianjin ICBC group" and so on. The dimension permission table may classify viewing permissions by information such as "bank" and "branch", for example "view ICBC information" or "view Beijing-area bank information", and the user group-dimension permission relationship may specify that "national ICBC group" holds the data access permission "view ICBC information". Next, the user table is created together with the user-user group relationship and the user-dimension permission relationship, which specify, for each user in the user table, the user's group and the user's own dimension permissions. The user table contains multiple users, for example specific staff such as "Zhang" and "Mr. Wang"; these users are assigned initial dimension permissions, which builds the user-dimension permission relationship.
Next, roles are established according to the existing RBAC model, the user-role relationship table is established from the role table, the role-menu function table and the created user table, and users' operating permissions are controlled according to it. Roles here may be "bank administrator", "bank operator" and so on, each corresponding to different operating permissions; staff are assigned the corresponding role according to actual needs, which controls the operating permissions of different users. When a user's data access permission needs to be adjusted, the user's group and dimension permissions are adjusted through the user-dimension permission relationship, the user group-dimension permission relationship and the user-user group relationship. Specifically: when the user's permission adjustment range lies within the permission range determined for the user by the user-dimension permission relationship, the user-dimension permission relationship is adjusted to control the user's data access permission; when the adjustment range exceeds the permission range determined for the user by the user-dimension permission relationship but lies within the permission range of the user's group, the user group-dimension permission relationship is adjusted to control the user's data access permission; when the adjustment range exceeds the permission range of the user's group, the user-user group relationship is adjusted to control the user's data access permission. That is, by comparing the user's permission adjustment range against the data permission ranges of the user-dimension permission relationship, the user group-dimension permission relationship and the user-user group relationship, the relationship to adjust first is determined, and the user's data access permission is then changed directly or indirectly by changing that relationship.
Fig. 3 is a structural diagram of the bank user groups in an embodiment of the invention.
As shown in Fig. 3, in the user group table "all banks group" has the subgroups "national ICBC group", "national CCB group", "national ABC group" and "Beijing bank group"; "national ICBC group" has the subgroups "Beijing ICBC group", "Shanghai ICBC group" and "Tianjin ICBC group"; "national CCB group" has the subgroups "Beijing CCB group", "Shanghai CCB group" and "Tianjin CCB group"; and "national ABC group" has the subgroups "Beijing ABC group", "Shanghai ABC group" and "Tianjin ABC group". Correspondingly, through the user group-dimension permission relationship, "all banks group" has permission to view ICBC, CCB and ABC information nationwide; "national ICBC group" has permission to view ICBC information nationwide; "national CCB group" has permission to view CCB information nationwide; "national ABC group" has permission to view ABC information nationwide; "Beijing ICBC group" only has permission to view Beijing ICBC information; "Shanghai ICBC group" only has permission to view Shanghai ICBC information; "Tianjin ICBC group" only has permission to view Tianjin ICBC information; "Beijing CCB group" only has permission to view Beijing CCB information; "Shanghai CCB group" only has permission to view Shanghai CCB information; "Tianjin CCB group" only has permission to view Tianjin CCB information; "Beijing ABC group" only has permission to view Beijing ABC information; "Shanghai ABC group" only has permission to view Shanghai ABC information; "Tianjin ABC group" only has permission to view Tianjin ABC information; and "Beijing bank group" has permission to view all banks in the Beijing area.
User "Zhang" currently belongs to "Beijing bank group", and the permissions "Zhang" holds through the user-dimension permission relationship are to view Beijing CCB information and to view Beijing ABC information. So the data access permission user "Zhang" currently has is to view Beijing CCB information and Beijing ABC information.
Assuming that needing the data access authority by user " Zhang " to be adjusted according to the actual situation, below with regard to how to realize
Increasing and decreasing for permission, gives an example:
Assuming that needing to reduce the data access authority of user " Zhang " according to the actual situation, make it that can only check Beijing
Construction Bank's information.User-dimension authority relation only need to be adjusted, by the dimension permission of user " Zhang " from " checking Beijing Construction Bank information
And check Beijing agricultural bank information " and it is reduced to " checking Beijing Construction Bank information ", it can realize the data access authority of " Zhang "
It reduces.
Assuming that needing to reduce the data access authority of user " Zhang " according to the actual situation, make it that can only check Shanghai
Industrial and commercial bank's information.It only needs to adjust user-user group authority relation, user " Zhang " is adjusted to " Shanghai from " Bank of Beijing's group "
Industrial and commercial bank's group ", the subgroup before being due to group where after adjustment, and only check the permission of Shanghai industrial and commercial bank group information, so through
The data access authority of user " Zhang " meets demand after adjustment.
Assuming that needing to increase the data access authority of user " Zhang " according to the actual situation, increase in original permissions base
Add and checks Beijing industrial and commercial bank information.User-dimension authority relation only need to be adjusted, the dimension permission of user " Zhang " " is looked into originally
See Beijing Construction Bank information and check Beijing agricultural bank information " on the basis of increase " checking Beijing industrial and commercial bank information " permission.
Assume that the data access authority of user "Zhang" needs to be increased so that Zhang has permission to view the information of all banks. The user-user group relationship needs to be adjusted: moving user "Zhang" from the "Beijing bank group" to the "all banks group" gives user "Zhang" the permission to view all banks' information.
Assume that the data access authority of user "Zhang" needs to be adjusted so that Zhang can view Shanghai Industrial and Commercial Bank information, Shanghai Construction Bank information and Shanghai Agricultural Bank information. This adjustment exceeds the range of data access authority of the "Beijing bank group" in which "Zhang" currently sits, and there are two ways to meet the demand: one is to adjust the user group-dimension permission so that the "Beijing bank group" has permission to view Shanghai Industrial and Commercial Bank information, Shanghai Construction Bank information and Shanghai Agricultural Bank information; the other is to create a new subgroup "Shanghai bank group" under the "all banks group", assign the "Shanghai bank group" the permission to view Shanghai Industrial and Commercial Bank information, Shanghai Construction Bank information and Shanghai Agricultural Bank information through the user group-dimension authority relation, and move user "Zhang" into the "Shanghai bank group".
Having described the control method of information access rights of the embodiment of the present invention, the control device of information access rights of the embodiment of the present invention is introduced next. The implementation of the device may refer to the implementation of the above method; repeated content is not described again. The terms "module" and "unit" used below may be software and/or hardware that realizes a predetermined function.
As shown in Fig. 2, a control device of information access rights comprises:
a user group and permission creation module 100, for creating a user group information table, a dimension permission table and a user group-dimension authority relation;
a user and permission creation module 200, for creating a user information table and establishing a user-user group relationship and a user-dimension authority relation;
an operating right control module 300, for establishing a user-role relation table according to a role information table, a role-menu function information table and the created user information table, and controlling user operating rights according to the user-role relation table;
an access control module 400, for controlling user data access authority according to the user-user group relationship, the user group-dimension authority relation and the user-dimension authority relation;
an access authority adjustment module 500, for adjusting, when controlling user data access authority, the user group and dimension permission corresponding to a user by adjusting the user-dimension authority relation, the user group-dimension authority relation and the user-user group relationship, comprising:
when the permission adjustment range of the user is within the extent of competence determined by the user's user-dimension authority relation, adjusting the user-dimension authority relation to control the data access authority of the user;
when the permission adjustment range of the user exceeds the extent of competence determined by the user's user-dimension authority relation but is within the extent of competence of the user group the user belongs to, adjusting the user group-dimension authority relation to control the data access authority of the user;
when the permission adjustment range of the user exceeds the extent of competence of the user group the user belongs to, adjusting the user-user group relationship to control the data access authority of the user.
In a specific implementation, the user group information table created by the user group and permission creation module is created according to the organizational structure of the corresponding object.
In a specific implementation, the user and permission creation module 200 comprises:
an in-group user and permission creation module, for creating users in the corresponding user group according to the permission of the configured user group, and assigning the corresponding dimension permission to the user according to the user group-dimension authority relation.
In a specific implementation, the user group information table comprises parent groups and corresponding subgroups, and a subgroup inherits the access authority of its parent group in whole or in part;
the user group and permission creation module 100 comprises:
a new subgroup and permission creation module, for creating a new subgroup in the corresponding user group when the permission adjustment range of the user exceeds the extent of competence of the user group the user belongs to, and assigning the corresponding dimension permission to the new subgroup according to the user group-dimension authority relation.
In a specific implementation, the access authority adjustment module 500 is also used for:
moving the user into a subgroup of the user group it belonged to before the adjustment, so as to reduce the dimension permission of the user; and/or
directly adjusting the user-dimension authority relation to reduce the dimension permission of the user.
In a specific implementation, the access authority adjustment module 500 is also used for:
moving the user into the parent group of the user group it belonged to before the adjustment, so as to increase the dimension permission of the user; and/or
directly adjusting the user-dimension authority relation to increase the dimension permission of the user.
In actual implementation, the control method of information access rights of the present invention allows an advanced user to completely simulate the access of a subordinate user. By changing the user-user group relationship, the advanced user can be moved into a subgroup of the user group it belonged to before, which reduces the dimension permission of the advanced user and thereby simulates the data access authority of a subordinate user in the current subgroup.
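The five "Zhang" cases above, the three-tier rule of the adjustment module and the subordinate-simulation step, as an added example that is not code from the patent: a small Python model of the four relations that picks which relation to change for a requested permission set, re-checks the inheritance invariants after every change, and lets an advanced user step into a subgroup on a copy. The tier ordering (an existing group whose range exactly matches the target is preferred over widening the current group, and a new subgroup is created only when a name for it is supplied), the class and function names, and the group and dimension names are all assumptions of this example, not something the patent specifies.

```python
"""Three-tier permission adjustment, an added example (not the patent's code).
Relations are plain dicts (names assumed): group_parent (user group table),
group_perms (user group-dimension), user_group (user-user group) and
user_perms (user-dimension). A subgroup holds a subset of its parent's
permissions (partial inheritance); a user holds a subset of its group's."""
from copy import deepcopy


class PermissionModel:
    def __init__(self, group_parent, group_perms, user_group, user_perms):
        self.group_parent = dict(group_parent)
        self.group_perms = {g: set(p) for g, p in group_perms.items()}
        self.user_group = dict(user_group)
        self.user_perms = {u: set(p) for u, p in user_perms.items()}
        self.check()

    def check(self):  # reject states that break inheritance or containment
        for g, parent in self.group_parent.items():
            if parent and not self.group_perms[g] <= self.group_perms[parent]:
                raise ValueError(f"subgroup {g} exceeds parent {parent}")
        for u, g in self.user_group.items():
            if not self.user_perms[u] <= self.group_perms[g]:
                raise ValueError(f"user {u} exceeds group {g}")

    def effective(self, user):  # data access authority, bounded by the group
        return self.user_perms[user] & self.group_perms[self.user_group[user]]

    def adjust(self, user, target, new_subgroup=None):
        """Change the narrowest relation that can express target; return which."""
        target, group = set(target), self.user_group[user]
        parent = self.group_parent[group]
        exact = [g for g, p in self.group_perms.items() if p == target]
        if target <= self.group_perms[group]:
            # Tier 1: within the group's range, so only the user-dimension relation changes.
            self.user_perms[user] = target
            tier = "user-dimension"
        elif exact and new_subgroup is None:
            # Tier 3a: a group with exactly this range exists, so move the user into it.
            self.user_group[user] = exact[0]
            self.user_perms[user] = target
            tier = "user-user group"
        elif new_subgroup is None and parent and target < self.group_perms[parent]:
            # Tier 2: grantable from the parent, so widen the user group-dimension relation.
            self.group_perms[group] |= target
            self.user_perms[user] = target
            tier = "user group-dimension"
        else:
            # Tier 3b: create a subgroup under the smallest covering group, then move the user.
            dest = min((g for g, p in self.group_perms.items() if target <= p),
                       key=lambda g: len(self.group_perms[g]), default=None)
            if new_subgroup is None or dest is None:
                raise ValueError("no group can grant " + ", ".join(sorted(target)))
            self.group_parent[new_subgroup] = dest
            self.group_perms[new_subgroup] = set(target)
            self.user_group[user] = new_subgroup
            self.user_perms[user] = target
            tier = "user-user group"
        self.check()
        return tier

    def simulate_subordinate(self, user, subgroup):  # advanced user as subordinate, on a copy
        sim = deepcopy(self)
        if sim.group_parent.get(subgroup) != sim.user_group[user]:
            raise ValueError(f"{subgroup} is not a subgroup of {sim.user_group[user]}")
        sim.user_group[user] = subgroup
        sim.user_perms[user] &= sim.group_perms[subgroup]
        return sim


ALL = {"BJ-CCB", "BJ-ABC", "BJ-ICBC", "SH-ICBC", "SH-CCB", "SH-ABC"}  # constructed dimensions

def sample_model():  # constructed sample following the "Zhang" walkthrough in the text
    return PermissionModel(
        {"all_banks": None, "beijing": "all_banks", "shanghai_icbc": "all_banks"},
        {"all_banks": ALL, "beijing": {"BJ-CCB", "BJ-ABC", "BJ-ICBC"}, "shanghai_icbc": {"SH-ICBC"}},
        {"zhang": "beijing", "admin": "all_banks"},
        {"zhang": {"BJ-CCB", "BJ-ABC"}, "admin": ALL})
```

Every `adjust` call ends in `check()`, so a change that would let a user or subgroup exceed its parent is rejected rather than silently widening access.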
Beneficial effects of the present invention: the control method of information access rights of the present invention separates operating rights from data access authority, which makes rights management more convenient and flexible; user groups, subgroups and the users within groups are configured according to the actual demands of the business organization, which better matches practical application scenarios; permissions are adjusted dynamically and inherited between user groups and between users and groups; the scale of role allocation in complex systems is effectively reduced; and an advanced user can completely simulate the access of a subordinate user.
The specific embodiments described above further describe in detail the purpose, technical solution and beneficial effects of the present invention. It should be understood that the foregoing is merely a specific embodiment of the present invention and is not intended to limit the protection scope of the present invention; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.
Claims (12)
1. A control method of information access rights, characterized by comprising:
creating a user group information table, a dimension permission table and a user group-dimension authority relation;
creating a user information table and establishing a user-user group relationship and a user-dimension authority relation;
establishing a user-role relation table according to a role information table, a role-menu function information table and the created user information table, and controlling user operating rights according to the user-role relation table;
controlling user data access authority according to the user-user group relationship, the user group-dimension authority relation and the user-dimension authority relation;
when controlling user data access authority, adjusting the user group and dimension permission corresponding to a user by adjusting the user-dimension authority relation, the user group-dimension authority relation and the user-user group relationship, comprising:
when the permission adjustment range of the user is within the extent of competence determined by the user's user-dimension authority relation, adjusting the user-dimension authority relation to control the data access authority of the user;
when the permission adjustment range of the user exceeds the extent of competence determined by the user's user-dimension authority relation but is within the extent of competence of the user group the user belongs to, adjusting the user group-dimension authority relation to control the data access authority of the user;
when the permission adjustment range of the user exceeds the extent of competence of the user group the user belongs to, adjusting the user-user group relationship to control the data access authority of the user.
2. The control method of information access rights according to claim 1, characterized in that the user group information table is created according to the organizational structure of the corresponding object.
3. The control method of information access rights according to claim 1, characterized in that creating the user information table comprises:
creating users in the corresponding user group according to the permission of the configured user group, and assigning the corresponding dimension permission to the user according to the user group-dimension authority relation.
4. The control method of information access rights according to claim 1, characterized in that the user group information table comprises parent groups and corresponding subgroups, and a subgroup inherits the access authority of its parent group in whole or in part;
when the permission adjustment range of the user exceeds the extent of competence of the user group the user belongs to, a new subgroup is created in the corresponding user group, and the corresponding dimension permission is assigned to the new subgroup according to the user group-dimension authority relation.
5. The control method of information access rights according to claim 4, characterized in that, when controlling user data access authority, adjusting the user group and dimension permission corresponding to the user by adjusting the user-dimension authority relation, the user group-dimension authority relation and the user-user group relationship further comprises:
moving the user into a subgroup of the user group it belonged to before the adjustment, so as to reduce the dimension permission of the user; or
directly adjusting the user-dimension authority relation to reduce the dimension permission of the user.
6. The control method of information access rights according to claim 4, characterized in that, when controlling user data access authority, adjusting the user group and dimension permission corresponding to the user by adjusting the user-dimension authority relation, the user group-dimension authority relation and the user-user group relationship further comprises:
moving the user into the parent group of the user group it belonged to before the adjustment, so as to increase the dimension permission of the user; or
directly adjusting the user-dimension authority relation to increase the dimension permission of the user.
7. A control device of information access rights, characterized by comprising:
a user group and permission creation module, for creating a user group information table, a dimension permission table and a user group-dimension authority relation;
a user and permission creation module, for creating a user information table and establishing a user-user group relationship and a user-dimension authority relation;
an operating right control module, for establishing a user-role relation table according to a role information table, a role-menu function information table and the created user information table, and controlling user operating rights according to the user-role relation table;
an access control module, for controlling user data access authority according to the user-user group relationship, the user group-dimension authority relation and the user-dimension authority relation;
an access authority adjustment module, for adjusting, when controlling user data access authority, the user group and dimension permission corresponding to a user by adjusting the user-dimension authority relation, the user group-dimension authority relation and the user-user group relationship, comprising:
when the permission adjustment range of the user is within the extent of competence determined by the user's user-dimension authority relation, adjusting the user-dimension authority relation to control the data access authority of the user;
when the permission adjustment range of the user exceeds the extent of competence determined by the user's user-dimension authority relation but is within the extent of competence of the user group the user belongs to, adjusting the user group-dimension authority relation to control the data access authority of the user;
when the permission adjustment range of the user exceeds the extent of competence of the user group the user belongs to, adjusting the user-user group relationship to control the data access authority of the user.
8. The control device of information access rights according to claim 7, characterized in that the user group information table created by the user group and permission creation module is created according to the organizational structure of the corresponding object.
9. The control device of information access rights according to claim 7, characterized in that the user and permission creation module comprises:
an in-group user and permission creation module, for creating users in the corresponding user group according to the permission of the configured user group, and assigning the corresponding dimension permission to the user according to the user group-dimension authority relation.
10. The control device of information access rights according to claim 7, characterized in that the user group information table comprises parent groups and corresponding subgroups, and a subgroup inherits the access authority of its parent group in whole or in part;
the user group and permission creation module comprises:
a new subgroup and permission creation module, for creating a new subgroup in the corresponding user group when the permission adjustment range of the user exceeds the extent of competence of the user group the user belongs to, and assigning the corresponding dimension permission to the new subgroup according to the user group-dimension authority relation.
11. The control device of information access rights according to claim 10, characterized in that the access authority adjustment module is also used for:
moving the user into a subgroup of the user group it belonged to before the adjustment, so as to reduce the dimension permission of the user; or
directly adjusting the user-dimension authority relation to reduce the dimension permission of the user.
12. The control device of information access rights according to claim 10, characterized in that the access authority adjustment module is also used for:
moving the user into the parent group of the user group it belonged to before the adjustment, so as to increase the dimension permission of the user; or
directly adjusting the user-dimension authority relation to increase the dimension permission of the user.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611126359.9A CN106599718B (en) | 2016-12-09 | 2016-12-09 | The control method and device of information access rights |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106599718A CN106599718A (en) | 2017-04-26 |
CN106599718B true CN106599718B (en) | 2019-04-05 |
Family ID: 58597766
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106599718B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |