CN107395577B - Large-scale electric power enterprise salary security system - Google Patents

Large-scale electric power enterprise salary security system

Info

Publication number
CN107395577B
Authority
CN
China
Prior art keywords
salary
data
authority
role
information
Prior art date
Legal status
Active
Application number
CN201710546964.XA
Other languages
Chinese (zh)
Other versions
CN107395577A (en)
Inventor
王建永
郭威
刘文彬
廖丹
吴广财
方宽
杨春
严宇平
黄杰韬
黄慧欣
陈非
郑杰生
林俊
Current Assignee
Information Center of Guangdong Power Grid Co Ltd
Original Assignee
Information Center of Guangdong Power Grid Co Ltd
Priority date
2017-07-06
Filing date
2017-07-06
Publication date
2020-06-09 (B publication; the A publication CN107395577A appeared 2017-11-24)
Application filed by Information Center of Guangdong Power Grid Co Ltd
Priority to CN201710546964.XA
Publication of CN107395577A
Application granted
Publication of CN107395577B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 ... for controlling access to devices or network resources
    • H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 ... for authentication of entities
    • H04L63/0815 ... providing single-sign-on or federations
    • H04L63/20 ... for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation; Time management
    • G06Q10/105 Human resources
    • G06Q10/1057 Benefits or employee welfare, e.g. insurance, holiday or retirement packages

Abstract

The invention relates to a salary security system for a large-scale electric power enterprise. In building the security system for the salary system, the salary system sits in the enterprise's core business network, and physical security, network security, host security and similar aspects are planned uniformly. Beyond that external environment, the system applies encryption and authentication technology in its construction and makes a complete structural design for the data acquisition flow, authority control and the other aspects of system construction that concern security, so that internal and external access to the system is subject to security audit.

Description

Large-scale electric power enterprise salary security system
Technical Field
The invention relates to the technical field of enterprise salary system security, in particular to a salary security system for a large-scale electric power enterprise.
Background
For a salary management system there are definite confidentiality requirements on its data. The system is used not only by the personnel management department; through computers and the network it also extends that department's management and services to every department of the enterprise, and this wider range of use raises the information security requirements on the system. According to the requirements of the Southern Power Grid company, the system must follow the Level 3 requirements of the information security classified protection scheme; it must also meet the relevant national requirements and standards for information security construction, and the relevant specifications must be followed strictly throughout the system's life cycle of design, construction, rectification, operation and maintenance.
Disclosure of Invention
In building the security system for the salary system, the salary system sits in the enterprise's core business network, and physical security, network security, host security and similar aspects are planned uniformly. Beyond that external environment, the system applies encryption and authentication technology in its construction and makes a complete structural design for the data acquisition flow, authority control and the other aspects of system construction that concern security, so that internal and external access to the system is subject to security audit.
To solve this technical problem, the invention provides a salary security system for a large-scale electric power enterprise with the following technical scheme. A salary security system for a large electric power enterprise comprises:
a data encryption storage module, which encrypts the core fields of the salary-related core tables with a private (proprietary) encryption algorithm before storing them in the database, so that database administrators cannot read the core information by querying the database directly;
a data transmission security module, which encodes form information after the client submits it and transmits it in encoded form; the server receives the data, decodes it and then processes it, so that the information cannot be tampered with in transit by various attack means;
a salary data constraint control module, which applies data authority constraints to salary data on two dimensions, organisational scope and pay item (subject): the authority check of every salary function intercepts the SQL that queries the data at the bottom layer and automatically adds the organisational-scope filter and the pay-item authority for the tables involved, so that only data within the authorised scope can be queried; on the interface, pay-item columns are generated dynamically, and only columns for authorised pay items are generated, columns for unauthorised pay items are not;
an identity authentication module, which accesses sub-service roles through the mechanism of a unified identity authentication platform: the authority service roles of the salary module are created centrally in the unified identity authentication platform from the business system side, and the created role data are passed to the salary system through an integrated web service interface, so the salary system does not maintain role data on its own;
a dedicated login control module, which uses the unified login page of the unified identity authentication platform for single sign-on: before a user accesses a protected system, the identity authentication system first identifies the user and then decides from the user's identity and authorisation whether the user may access the system; once the unified identity authentication platform has verified the identity, the SSO server issues a unique identification code for the service, which reaches the service's server through the client browser; the code is unique to one specific service, and the system checks whether account information exists and whether authority information exists, then logs the user into the corresponding module; and
an access control security module, whose control is based mainly on two security policies, an individual policy and a role policy.
Further, the salary data constraint control module comprises user management, role and function point management, role and control unit management, and role and function point field control management. Control is exercised through roles and control units, function points and fields: individual authorities are associated with different business roles, and the business roles control the control units, function points and fields of the database.
Further, the identity authentication module comprises account information, person-to-account association information and menu set information.
User identity authentication is realised mainly by a first login verification on the centralised information platform, which uses the login account information to verify whether the account exists in the system and whether it has access authority for the business system. After single sign-on verification through the unified login platform, the ticket information passed by the page is verified again in the business system, which checks that the account exists and checks its function authority information.
Further, the dedicated login control module uses the unified login page of the unified identity authentication platform for single sign-on.
Further, in the access control security module, the individual security policy is centred on the individual user: its lists limit the operations that different users may perform on specific objects. The role group security policy is a development and extension of the individual policy and chiefly means that the system applies the same access control rule to a group of users accessing the same module. Under both policies, module access is logged in and checked through the unified authentication platform, and access is confirmed through authorisation.
Compared with the prior art, the beneficial effects are as follows. Because the salary system sits in the enterprise's core business network, physical security, network security, host security and similar aspects are planned uniformly. Beyond that external environment, the system applies encryption and authentication technology in its construction and makes a complete structural design for the data acquisition flow, authority control and the other aspects of system construction that concern security, so that internal and external access to the system is subject to security audit.
Drawings
Fig. 1 is a schematic view of the overall structure of the present invention.
Detailed Description
The drawings are for illustrative purposes only and are not to be construed as limiting the patent; for the purpose of better illustrating the embodiments, certain features of the drawings may be omitted, enlarged or reduced, and do not represent the size of an actual product; it will be understood by those skilled in the art that certain well-known structures in the drawings and descriptions thereof may be omitted. The positional relationships depicted in the drawings are for illustrative purposes only and are not to be construed as limiting the present patent.
Referring to Fig. 1, a salary security system for a large electric power enterprise comprises a data encryption storage module, a data transmission security module, a salary data constraint control module, an identity authentication module, a dedicated login control module and an access control security module.
Data encryption storage module: the core fields of the salary-related core tables are encrypted with a private (proprietary) encryption algorithm and then stored in the database, so that database administrators cannot read the core information by querying the database directly. (When data are written to the database, a database trigger calls the encryption algorithm on the designated fields, so that the core fields retrieved from the database are, after encryption, only combinations of digits, letters and symbols, which protects the real data. At the reading end a custom decryption interface is called to decrypt; the decryption algorithm is itself encrypted and packaged to protect it.) Because the trigger runs inside the database, the encryption routine must be reachable from the database host; the protection against database administrators therefore depends on the decryption side (its key material and routine) being held only by the application tier, which is why the description packages the decryption algorithm separately.
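The trigger-based scheme just described, as an added illustration in Python against SQLite (this is not code from the patent or from Guangdong Power Grid): an AFTER INSERT trigger calls a function registered by the application's own connection to encrypt the designated field, a direct SELECT on the table returns only the ciphertext, and the application's read path decrypts with a key the database never stores. The patent does not name its private algorithm or its key handling, so an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for it; the key, table, column and row values are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Assumed key held only by the application tier (constructed for this example).
APP_KEY = b"example-only-application-key"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(plaintext: str, key: bytes = APP_KEY, nonce: Optional[bytes] = None) -> str:
    """Return 'nonce.ciphertext.tag' in hex, so the stored cell is only digits,
    letters and separators; the tag makes a tampered cell fail on read."""
    nonce = os.urandom(16) if nonce is None else nonce
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    return ".".join(part.hex() for part in (nonce, ct, tag))


def decrypt_field(token: str, key: bytes = APP_KEY) -> str:
    """Application-side decryption interface; verifies the tag before decrypting."""
    nonce, ct, tag = (bytes.fromhex(part) for part in token.split("."))
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("salary field failed integrity check (wrong key or tampered cell)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode("utf-8")


def open_salary_db() -> sqlite3.Connection:
    """Core table plus the write trigger that encrypts the designated field.

    SQLite cannot modify NEW inside a BEFORE trigger, so an AFTER INSERT
    trigger rewrites the row; the plaintext never stays in the table."""
    conn = sqlite3.connect(":memory:")
    # The routine is registered on the application's connection only; it is not
    # a stored procedure a DBA could invoke from another session.
    conn.create_function("enc_salary", 1, lambda value: encrypt_field(str(value)))
    conn.executescript(
        """
        CREATE TABLE salary_core (
            emp_id   TEXT PRIMARY KEY,
            org_id   TEXT NOT NULL,
            base_pay TEXT NOT NULL    -- held only in encrypted form
        );
        CREATE TRIGGER salary_core_encrypt AFTER INSERT ON salary_core
        BEGIN
            UPDATE salary_core SET base_pay = enc_salary(NEW.base_pay)
            WHERE emp_id = NEW.emp_id;
        END;
        """
    )
    return conn


def dba_view(conn: sqlite3.Connection, emp_id: str) -> str:
    """What a direct SELECT on the table returns: ciphertext only."""
    row = conn.execute("SELECT base_pay FROM salary_core WHERE emp_id = ?", (emp_id,)).fetchone()
    return row[0]


def app_read(conn: sqlite3.Connection, emp_id: str, key: bytes = APP_KEY) -> str:
    """Application read path: fetch the cell, then decrypt with the app-held key."""
    return decrypt_field(dba_view(conn, emp_id), key)


def demo() -> Tuple[str, str]:
    """Insert one constructed row; return (stored ciphertext, decrypted value)."""
    conn = open_salary_db()
    conn.execute("INSERT INTO salary_core VALUES (?, ?, ?)", ("E1001", "ORG-A", "8500.00"))
    return dba_view(conn, "E1001"), app_read(conn, "E1001")


if __name__ == "__main__":
    stored, plain = demo()
    print("direct SELECT returns:", stored)
    print("application reads:", plain)
```

The check worth keeping from this: query the table through a second connection that has not registered the function and confirm only hex appears; and keep the tag, since without it a DBA who cannot read a salary can still overwrite the cell with another row's ciphertext unnoticed.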
Data transmission security module: after form information is submitted at the client it is first encoded and then transmitted; the server receives the data, decodes it and processes it, so that the information cannot be tampered with in transit by various attack means. (Before the data requested by the client are submitted to the server, a common front-end method preprocesses them and encodes the request data; the encoded request is forwarded to the server, and the server decodes it with the decoding algorithm in a filter.) An encoding performed by client-side script can also be performed by anyone who controls the client, so this step conceals the payload rather than authenticating it; protection against an active network attacker still rests on the transport security of the enterprise core network in which the system runs.
Salary data constraint control module: data authority constraints are applied to salary data on two dimensions, organisational scope and pay item (subject). The authority check of every salary function intercepts the SQL that queries the data at the bottom layer and automatically adds the organisational-scope filter and the pay-item authority for the tables involved, so that only data within the authorised scope can be queried. On the interface, pay-item columns are generated dynamically: only columns for authorised pay items are generated, and columns for unauthorised pay items are not.
Identity authentication module: sub-service roles are accessed through the mechanism of a unified identity authentication platform. The business system side uses the authority service roles of the salary module that are created centrally in the unified identity authentication platform, and the created role data are passed to the salary system through an integrated web service interface. The system does not process role data separately, so role data can be controlled effectively and efficiently.
Dedicated login control module: the unified login page of the unified identity authentication platform is used for Single Sign-On (SSO). Before a user accesses a protected system, the identity authentication system first identifies the user and then decides from the user's identity and authorisation whether the user may access the system. Once the unified identity authentication platform has verified the identity, the SSO server issues a unique identification code for the service, which reaches the service's server through the client browser. The code is unique to one specific service, and the system checks whether account information exists and whether authority information exists, then logs the user into the corresponding module.
Access control security module: access control is based mainly on two policies, individual and role. Individual security policy: policies are established with the individual user at the centre, and the lists define the operations that different users may perform on specific objects. Role group security policy: a development and extension of the individual policy; it chiefly means that the system applies the same access control rule to a group of users accessing the same module. Under both policies, module access is logged in and checked through the unified authentication platform, and access is confirmed through authorisation.
The salary data constraint control module applies salary data constraints by role and control unit, by function point and by field. Individual authorities are associated with different business roles, and the business roles control the control units, function points and fields of the database. The module mainly comprises user management, role and function point management, role and control unit management, and role and function point field control management.
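The interception described in the two salary data constraint control module passages above, as an added example in Python against SQLite (not the patent's own code): a role's authority carries an organisational scope (the control units it may see) and a set of pay items (the subject columns it may see), and the query is rewritten below the UI so that the row filter is bound as parameters and the projection is the intersection of the columns the page asked for with the columns the role holds. The role names, column names, organisation codes and salary rows are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple

# The pay items (subjects) are a fixed whitelist of column names, so interpolating
# them into the SELECT list below cannot inject anything; org ids are bound.
SUBJECT_COLUMNS: Tuple[str, ...] = ("base_pay", "bonus", "allowance")


@dataclass(frozen=True)
class Authority:
    """A business role's authority on the two dimensions of the description."""
    org_ids: FrozenSet[str]    # organisational scope: control units the role may see
    subjects: FrozenSet[str]   # pay-item columns the role may see


# Constructed role table; in the patent the roles come from the unified identity platform.
ROLE_AUTHORITY: Dict[str, Authority] = {
    "hr_south": Authority(frozenset({"ORG-S1", "ORG-S2"}), frozenset(SUBJECT_COLUMNS)),
    "mgr_s1":   Authority(frozenset({"ORG-S1"}), frozenset({"base_pay"})),
    "auditor":  Authority(frozenset(), frozenset({"base_pay", "bonus"})),  # no org scope
}


def build_salary_query(role: str, requested: Sequence[str] = SUBJECT_COLUMNS) -> Tuple[str, tuple]:
    """Intercept the salary query and rewrite it with the role's authority.

    Projection = requested subjects ∩ authorised subjects (the dynamically
    generated columns); row filter = organisational scope via bound parameters.
    Both are applied here, below the UI, so a hand-crafted request cannot widen them."""
    auth = ROLE_AUTHORITY[role]
    cols = [c for c in SUBJECT_COLUMNS if c in auth.subjects and c in requested]
    if not cols or not auth.org_ids:
        # Nothing is visible: fail closed with an empty result, never an unfiltered one.
        return "SELECT emp_id FROM salary WHERE 0", ()
    org_ids = tuple(sorted(auth.org_ids))
    placeholders = ", ".join("?" for _ in org_ids)
    sql = (f"SELECT emp_id, org_id, {', '.join(cols)} FROM salary "
           f"WHERE org_id IN ({placeholders}) ORDER BY emp_id")
    return sql, org_ids


def query_salary(conn: sqlite3.Connection, role: str,
                 requested: Sequence[str] = SUBJECT_COLUMNS) -> List[dict]:
    """Run the rewritten query; rows are keyed by the columns actually generated."""
    sql, params = build_salary_query(role, requested)
    cur = conn.execute(sql, params)
    names = [d[0] for d in cur.description]
    return [dict(zip(names, row)) for row in cur.fetchall()]


def sample_db() -> sqlite3.Connection:
    """Constructed salary table (not data from the patent)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE salary (emp_id TEXT, org_id TEXT, base_pay INT, bonus INT, allowance INT);
        INSERT INTO salary VALUES ('E1', 'ORG-S1', 8000, 1000, 300),
                                  ('E2', 'ORG-S2', 9000, 1500, 300),
                                  ('E3', 'ORG-N1', 7000,  500, 200);
        """
    )
    return conn


if __name__ == "__main__":
    db = sample_db()
    for role in ("hr_south", "mgr_s1", "auditor"):
        print(role, query_salary(db, role))
</```

Two points the passage leaves implicit and the code makes explicit: the filter fails closed (a role with no organisational scope gets no rows rather than all rows), and a request that names a column the role does not hold silently loses that column instead of being honoured.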
The identity authentication module mainly comprises account information, person-to-account association information and menu set information.
User identity authentication is realised mainly by a first login verification on the centralised information platform, which uses the login account information to verify whether the account exists in the system and whether it has access authority for the business system. After single sign-on verification through the unified login platform, the ticket information passed by the page is verified again in the business system, which checks that the account exists and checks its function authority information.
The dedicated login control module uses the unified login page of the unified identity authentication platform for Single Sign-On (SSO), and the business system's code adds the single sign-on redirect address in its web.xml file. The single sign-on filter checks whether the HTTP request carries a Service Ticket; if it does not, the user is not yet authenticated, the login redirects the user's request to the authentication page, and the user is asked to provide credentials.
The authentication server verifies the user's credentials against the LDAP directory server (with a Memcached cache). If verification passes, the authentication server generates a random Service Ticket, sends a Ticket Granting Cookie (TGC) to the user's browser, and redirects back to the client with the newly generated Service Ticket. On receiving the Service Ticket, the business system sends it to the authentication server for verification.
The unified authentication server verifies the Service Ticket; once it passes, the ticket is used to look up the user information (returned to the client in JSON format), and authentication is complete.
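The ticket exchange of the dedicated login control module above, together with the second check in the business system (account exists, function authority held) from the identity authentication and access control module passages, simulated as an added example with both sides in one Python process. This is not the patent's code, nor that of any SSO product; the service and login URLs, the role and account names, the in-memory directory standing in for LDAP/Memcached, and the ticket lifetime are all assumptions made for the example. The platform returns the user's roles with the user information, matching the description's point that the salary system does not maintain role data itself.

```python
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the LDAP directory (a real directory holds hashes or
# does a bind, never plaintext). Roles are the platform's, not the salary system's.
DIRECTORY: Dict[str, dict] = {
    "wang": {"password": "pw-wang", "roles": ["salary_hr"]},
    "li":   {"password": "pw-li",   "roles": []},
}
ST_TTL_SECONDS = 10  # assumed lifetime of an unused Service Ticket


class AuthServer:
    """The unified identity authentication platform (SSO server side)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.tgc: Dict[str, str] = {}                          # TGC -> user
        self.tickets: Dict[str, Tuple[str, str, float]] = {}   # ST -> (user, service, issued)

    def login(self, user: str, password: str, service: str) -> Optional[Tuple[str, str]]:
        """Unified login page: verify credentials, then issue TGC and Service Ticket."""
        rec = DIRECTORY.get(user)
        if rec is None or not hmac.compare_digest(rec["password"].encode(), password.encode()):
            return None
        tgc = "TGC-" + secrets.token_urlsafe(16)      # set as a cookie on the browser
        self.tgc[tgc] = user
        return tgc, self.issue_ticket(user, service)  # browser is redirected with ?ticket=ST

    def issue_ticket(self, user: str, service: str) -> str:
        st = "ST-" + secrets.token_urlsafe(16)         # random and bound to one service
        self.tickets[st] = (user, service, self.now())
        return st

    def validate(self, st: str, service: str) -> str:
        """Back-channel verification by the business system; answer is JSON text."""
        rec = self.tickets.pop(st, None)               # single use: a replayed ticket fails
        if rec is None:
            return json.dumps({"ok": False, "error": "unknown or already used ticket"})
        user, bound_service, issued = rec
        if bound_service != service:
            return json.dumps({"ok": False, "error": "ticket was issued for another service"})
        if self.now() - issued > ST_TTL_SECONDS:
            return json.dumps({"ok": False, "error": "ticket expired"})
        return json.dumps({"ok": True, "user": user, "roles": DIRECTORY[user]["roles"]})


class SalaryService:
    """The protected business system: ticket check, then account and authority check."""
    SERVICE_URL = "https://salary.example/app"        # assumed service address
    LOGIN_URL = "https://sso.example/login"           # assumed unified login page
    FUNCTION_ROLES = {"view_salary": {"salary_hr"}}   # role-group policy
    USER_GRANTS: Dict[str, set] = {}                  # individual policy: user -> functions

    def __init__(self, sso: AuthServer):
        self.sso = sso
        self.accounts = {"wang", "li"}                # accounts that exist in the salary system

    def handle_request(self, params: dict, function: str) -> dict:
        st = params.get("ticket")
        if st is None:                                # filter: no ticket, send to SSO login
            return {"status": 302, "location": f"{self.LOGIN_URL}?service={self.SERVICE_URL}"}
        resp = json.loads(self.sso.validate(st, self.SERVICE_URL))
        if not resp["ok"]:
            return {"status": 401, "error": resp["error"]}
        user = resp["user"]
        if user not in self.accounts:                 # second check: account exists here
            return {"status": 403, "error": "no account in the salary system"}
        if not self.authorised(user, resp["roles"], function):
            return {"status": 403, "error": "no authority for this function"}
        return {"status": 200, "user": user, "function": function}

    def authorised(self, user: str, roles, function: str) -> bool:
        by_role = bool(self.FUNCTION_ROLES.get(function, set()) & set(roles))
        by_user = function in self.USER_GRANTS.get(user, set())
        return by_role or by_user


def run_flow(user: str, password: str, function: str = "view_salary") -> tuple:
    """Drive one browser through the flow; returns (first, after-login, replay) responses."""
    sso = AuthServer()
    svc = SalaryService(sso)
    first = svc.handle_request({}, function)          # 302 to the unified login page
    login = sso.login(user, password, svc.SERVICE_URL)
    if login is None:
        return first, {"status": 401, "error": "bad credentials"}, None
    _tgc, st = login
    second = svc.handle_request({"ticket": st}, function)
    replay = svc.handle_request({"ticket": st}, function)   # same ticket presented again
    return first, second, replay
```

Three properties of the ticket are what make the description's "unique to a specific service" meaningful in practice: it is consumed on first validation, it is bound to the service it was issued for, and it expires if unused; all three are exercised by the flow above.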
It should be understood that the embodiments described above are merely examples given to illustrate the invention clearly and are not intended to limit its embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description, and it is neither necessary nor possible to exhaust all embodiments here. Any modification, equivalent replacement or improvement made within the spirit and principle of the invention falls within the protection scope of its claims.

Claims (4)

1. A salary security system for a large electric power enterprise, comprising:
a data encryption storage module, which encrypts the core fields of the salary-related core tables with a private encryption algorithm before storing them in the database, so that database administrators cannot read the core information by querying the database directly; a data transmission security module, which encodes form information after the client submits it and transmits it in encoded form, the server receiving the data, decoding it and then processing it, so that the information cannot be tampered with in transit by various attack means;
a salary data constraint control module, which applies data authority constraint control to salary data on two dimensions, organisational scope and pay item (subject): the authority check of every salary function intercepts the SQL that queries the data at the bottom layer and automatically adds the organisational-scope filter and the pay-item authority for the tables involved, so that only data within the authorised scope can be queried; pay-item columns are generated dynamically on the interface, only columns for authorised pay items being generated and columns for unauthorised pay items not being generated;
an identity authentication module, which accesses sub-service roles through the mechanism of a unified identity authentication platform, the authority service roles of the salary data constraint control module being created centrally in the unified identity authentication platform from the business system side and the created role data being passed to the salary security system through an integrated web service interface, wherein the salary security system does not process the role data independently;
a dedicated login control module, which uses the unified login page of the unified identity authentication platform for single sign-on, wherein before a user accesses a protected system the identity authentication system first identifies the user and then decides from the user's identity and authorisation whether the user may access the system; when the unified identity authentication platform has verified the identity, the SSO server issues a unique identification code for the service, which reaches the service's server through the client browser; the code is unique to one specific service, and the salary security system checks whether account information and authority information exist and logs the user into the corresponding module; and
an access control security module, whose control is based mainly on two security policies, an individual policy and a role policy.
2. The salary security system for a large electric power enterprise of claim 1, wherein the salary data constraint control module comprises user management, role and function point management, role and control unit management, and role and function point field control management; control is exercised by role and control unit, by role and function point and by role and function point field, individual authorities are associated with different business roles, and the business roles control the control units, function points and function point fields of the database.
3. The salary security system for a large electric power enterprise of claim 1, wherein the identity authentication module comprises account information, person-to-account association information and menu set information;
user identity authentication is realised mainly by a first login verification on the unified login platform, which uses the login account information to verify whether the account exists in the system and whether it has access authority for the business system; and after single sign-on verification through the unified login platform, the ticket information passed by the page is verified again in the business system, which verifies that the account exists and verifies its function authority information.
4. The salary security system for a large electric power enterprise of claim 1, wherein, in the access control security module, the individual security policy is centred on the individual user and its policies limit the operations that different users may perform on specific objects; the role group security policy is a development and extension of the individual policy and chiefly means that the system applies the same access control rule to a group of users accessing the same module; and under both policies, module access is logged in and checked through the unified authentication platform and access is confirmed through authorisation.
CN201710546964.XA 2017-07-06 2017-07-06 Large-scale electric power enterprise salary security system Active CN107395577B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710546964.XA CN107395577B (en) 2017-07-06 2017-07-06 Large-scale electric power enterprise salary security system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710546964.XA CN107395577B (en) 2017-07-06 2017-07-06 Large-scale electric power enterprise salary security system

Publications (2)

Publication Number Publication Date
CN107395577A CN107395577A (en) 2017-11-24
CN107395577B true CN107395577B (en) 2020-06-09

Family

ID=60333812

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710546964.XA Active CN107395577B (en) 2017-07-06 2017-07-06 Large-scale electric power enterprise salary security system

Country Status (1)

Country Link
CN (1) CN107395577B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109379363B (en) * 2018-10-25 2019-07-12 北京开普云信息科技有限公司 Single sign-on integration method and system based on a centralised platform
CN110519236B (en) * 2019-08-07 2022-05-24 武汉金百瑞科技股份有限公司 Method for controlling safe account and authority under website cluster
CN112788020A (en) * 2020-12-31 2021-05-11 重庆银行股份有限公司 Multi-mode safety management and control system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1855135A (en) * 2005-04-18 2006-11-01 上华资讯科技股份有限公司 Human resource salary management and computer system
US7516100B1 (en) * 2000-05-12 2009-04-07 The Western Union Company Method and system for transferring money in business-to-business internet transactions
CN103186823A (en) * 2011-12-29 2013-07-03 北京易联戴维企业管理服务有限责任公司 Method and system for integrating human resource information for enterprise
CN104125219A (en) * 2014-07-07 2014-10-29 四川中电启明星信息技术有限公司 Centralized identity and management method aiming at electric power information system
CN105184448A (en) * 2015-08-13 2015-12-23 盐城工学院 Catering chain enterprise store salary management system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6092053A (en) * 1998-10-07 2000-07-18 Cybercash, Inc. System and method for merchant invoked electronic commerce
US9165321B1 (en) * 2011-11-13 2015-10-20 Google Inc. Optimistic receipt flow

Also Published As

Publication number Publication date
CN107395577A (en) 2017-11-24

Similar Documents

Publication Publication Date Title
US11563728B2 (en) System and method for identity management
US11055391B2 (en) System and method for identity management
EP3036675B1 (en) Method for identity management
CN106534199B (en) Distributed system certification and rights management platform under big data environment based on XACML and SAML
CN103310161B (en) A kind of means of defence for Database Systems and system
CN106203168B (en) Database security accesses system
CN103414562B (en) User authority control method and device based on URL fingerprint techniques
CN100397814C (en) Unified identification method and system based on network
CN107395577B (en) Large-scale electric power enterprise salary security system
CN105046125B (en) OA system application access method based on a grading system
CN106603488A (en) Safety system based on power grid statistical data searching method
CN110889697A (en) Block chain-based railway system and using method thereof
CN104579681A (en) Identity authentication system for mutual-trust application systems
CN1195360C (en) Safety All-in-one-card system realized by intelligent card
CN109450925A (en) User right verification method, device and electronic equipment for electric power secondary system O&M
CN102098282B (en) Secure encryption method for database
RU129673U1 (en) REMOTE PRINTING DEVICE MANAGEMENT SYSTEM
CN202918335U (en) Fusion type identity authentication device based on cloud computing
Wang et al. Design of Portal-Based Uniform Identity Authentication System in Campus Network
Hu et al. Data Security Access Control Model of Cloud Computing
CN116204906A (en) Data safety protection system
Vignesh et al. Secured Data Access and Control Abilities Management over Cloud Environment using Novel Cryptographic Principles
CN203482232U (en) LDAP-based fingerprint authentication system
Dong et al. Design and Implementation of 3G E-Commerce Trading System Based on Data Encryption and Web Service
CN117596595A (en) Working method for carrying out safe login based on photovoltaic power system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant