CN107506658A - A kind of user authority management system and method - Google Patents
- Publication number: CN107506658A (application number CN201710557928.3A)
- Authority: CN (China)
- Prior art keywords: user, role, function, data, authority
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/28—Databases characterised by their database models, e.g. relational or object models
Abstract
The invention discloses a user permission management system and method. The user permission management system includes: a database containing a user-role association table that stores the correspondence between users and roles, a role-function-permission association table that stores the correspondence between roles and function permissions, and a role-data-permission association table that stores the correspondence between roles and data permissions, where a function permission determines which functions may be executed and a data permission determines which data may be accessed; a role query unit that queries the user-role association table to obtain the role corresponding to the online user; a function permission query unit that queries the role-function-permission association table according to the online user's role to check whether the function requested by the online user may be executed; and a data permission query unit that, when the function requested by the online user may be executed, queries the role-data-permission association table according to the online user's role to obtain the data permission corresponding to the online user.
Description
Technical field
The present invention relates to the field of computer technology, and more particularly to a user permission management system and method.
Background technology
With the development of computer and Internet technology, the world has entered the era of big data. Enterprises and governments pay increasing attention to informatization and data sharing, and ensuring the security of information and data has therefore also become especially important. Enterprises and governments generally provide, externally or internally, access to various services and data resources through websites, application software and similar forms. If no effective permission management mechanism is established, a user who gains access to services, data or resources outside their scope of authority can undoubtedly create a serious security risk. It is therefore necessary to use a permission management function to restrict each user to accessing only the data and resources they are authorized for.
Common permission management methods include discretionary access control (DAC), mandatory access control (MAC) and role-based access control (RBAC). Discretionary access control (DAC) allows the owner of an object to manage the object's resources; the owner may also grant other subjects access rights to the object, and access by unauthorized subjects to the object is forbidden. In the mandatory access control (MAC) model, the system forces subjects to obey the access policy; every subject and object is labelled with a fixed security attribute, and each time an access occurs the system checks the security attributes of the subject and the object to confirm whether the subject is permitted to access it. The basic idea of role-based access control (RBAC) is to grant access rights to roles; a user obtains the permissions held by a role by being assigned that role. An important difference between RBAC and both DAC and MAC is that it defines the concept of a role, making the role a bridge between subject and object: the access rights of subjects to objects can be controlled more flexibly through roles, which simplifies permission management.
Role-based access control (RBAC) establishes a relational model among the three entities user, role and permission, as shown in Figure 1.
However, as the application scenarios of permission management grow more complex, many scenarios require managing an ever larger number of user roles and handling massive amounts of data and resources, and the basic RBAC model can no longer meet the demands of varied and changing practical application scenarios. Those skilled in the art are therefore working to develop a more reasonable and secure user permission management system and method.
The content of the invention
The technical problem to be solved by the invention is that existing role-based access control cannot meet the demands of increasingly varied practical application scenarios.
In order to solve the above technical problem, the invention provides a user permission management system, including:
a database, which includes a user-role association table for storing the correspondence between users and roles, a role-function-permission association table for storing the correspondence between roles and function permissions, and a role-data-permission association table for storing the correspondence between roles and data permissions, where the function permission is used to determine the functions that may be executed and the data permission is used to determine the data that may be accessed;
a role query unit, for querying the user-role association table to obtain the role corresponding to the online user;
a function permission query unit, for querying the role-function-permission association table according to the role corresponding to the online user, to check whether the function requested by the online user may be executed;
a data permission query unit, for querying, when the function requested by the online user may be executed, the role-data-permission association table according to the role corresponding to the online user, to obtain the data permission corresponding to the online user.
Further, the correspondence between roles and data permissions includes the correspondence between roles and row data permissions and the correspondence between roles and column data permissions.
Further, the database also includes a user function permission attribute table for storing the function permissions associated with a user together with their function permission attribute parameters, and a user data permission attribute table for storing the data permissions associated with a user together with their data permission attribute parameters.
Further, the data permission attribute parameters include data row permission attribute parameters and data column permission attribute parameters.
Further, the database also includes a resource table for storing the display information associated with function permissions; the user permission management system also includes a resource extraction unit which, when the function requested by the online user may be executed, extracts from the resource table the display information associated with the function permission corresponding to the requested function.
Further, the database also includes a function operation table for storing the operations associated with function permissions and an object information table for storing the operation objects associated with data permissions; the user permission management system also includes an execution unit which, when the function requested by the online user may be executed, performs the function requested by the online user according to the function operation table and the object information table.
Further, the database also includes a user table for storing user identifiers, a role table for storing role identifiers, a function permission table for storing function permission identifiers and a data permission table for storing data permission identifiers.
In order to solve the above technical problem, the invention also provides a user permission management method, comprising the following steps:
pre-establishing a database, which includes a user-role association table for storing the correspondence between users and roles, a role-function-permission association table for storing the correspondence between roles and function permissions, and a role-data-permission association table for storing the correspondence between roles and data permissions, where the function permission is used to determine the functions that may be executed and the data permission is used to determine the data that may be accessed;
querying the user-role association table to obtain the role corresponding to the online user;
querying the role-function-permission association table according to the role corresponding to the online user, to check whether the function requested by the online user may be executed;
when the function requested by the online user may be executed, querying the role-data-permission association table according to the role corresponding to the online user, to obtain the data permission corresponding to the online user.
Further, the database also includes a resource table for storing the display information associated with function permissions; the user permission management method also includes: when the function requested by the online user may be executed, extracting from the resource table the display information associated with the function permission corresponding to the requested function.
Further, the database also includes a function operation table for storing the operations associated with function permissions and an object information table for storing the operation objects associated with data permissions; the user permission management method also includes: when the function requested by the online user may be executed, performing the function requested by the online user according to the function operation table and the object information table.
The user permission management system and method of the invention improve on the basic role-based access control (RBAC) model and have the following technical effects:
(1) Permissions are divided into function permissions and data permissions, so permissions are configured along two dimensions, function and data, and permission configuration is more flexible and precise. When managing a user's operation behaviour, the function permission is first used to judge whether the user is allowed to perform the operation, and the data permission is then used to limit the range of data the user may access, so the permission management flow is more reasonable and secure. The technical solution of the invention can therefore adapt to the demands of a variety of application scenarios.
(2) In the display of the system's visual interface, the resources that depend on permissions are split out and a mapping between resources and function permissions is configured, so that visual interface resources can be configured separately and the interface display logic becomes clearer.
(3) Through function permission attribute parameters and data permission attribute parameters, different users configured with the same role can be given customized, different permissions, so the permissions granted to a user are more precise and information and data resources are more secure.
The design, concrete structure and resulting technical effects of the invention are further described below with reference to the accompanying drawings, so that the purpose, features and effects of the invention can be fully understood.
Brief description of the drawings
Fig. 1 is a schematic diagram of the basic model of existing role-based access control;
Fig. 2 is a schematic diagram of embodiment one of the user permission management system of the invention;
Fig. 3 is a schematic diagram of embodiment two of the user permission management system of the invention;
Fig. 4 is a schematic diagram of embodiment three of the user permission management system of the invention;
Fig. 5 is a schematic diagram of the model of the user permission management system of the invention;
Fig. 6 is a schematic diagram of the database in the user permission management system of the invention;
Fig. 7 is a schematic diagram illustrating function permission instantiation in embodiment three of the user permission management system of the invention;
Fig. 8 is a schematic diagram illustrating data permission instantiation in embodiment three of the user permission management system of the invention.
Embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below in conjunction with the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Embodiment one
Fig. 2 is a schematic diagram of embodiment one of the user permission management system of the invention. As shown in Fig. 2, the user permission management system of this embodiment includes a database, a role query unit, a function permission query unit and a data permission query unit.
The database includes a user-role association table, a role-function-permission association table and a role-data-permission association table.
The user-role association table stores the correspondence between users and roles.
The role-function-permission association table stores the correspondence between roles and function permissions, where a function permission is used to determine the functions that may be executed.
The role-data-permission association table stores the correspondence between roles and data permissions, where a data permission is used to determine the data that may be accessed. The correspondence between roles and data permissions may further include the correspondence between roles and row data permissions and the correspondence between roles and column data permissions.
The role query unit queries the user-role association table to obtain the role corresponding to the online user.
The function permission query unit queries the role-function-permission association table according to the role corresponding to the online user, to check whether the function requested by the online user may be executed.
The data permission query unit, when the function requested by the online user may be executed, queries the role-data-permission association table according to the role corresponding to the online user to obtain the data permission corresponding to the online user.
Embodiment two
Fig. 3 is a schematic diagram of embodiment two of the user permission management system of the invention. As shown in Fig. 3, the user permission management system of this embodiment includes a database, a role query unit, a function permission query unit and a data permission query unit.
The database, in addition to the user-role association table, role-function-permission association table and role-data-permission association table of embodiment one, also includes six basic information tables: a user table, a role table, a function permission table, a data permission table, a function operation table and an object information table.
With reference to Fig. 5, the improved role-based access control (RBAC) model includes users, roles, function permissions, data permissions, operations and operation objects, which correspond to the user table, role table, function permission table, data permission table, function operation table and object information table in the database.
The user table stores the basic information of users, a user being a user of the system. As shown in the example of Fig. 6, the user table includes fields such as user identifier (ID), user name and password.
The role table stores the basic information of the defined roles. Roles are defined according to positions and posts in the organizational structure: different posts undertake different functions and the permissions they require differ greatly, while users in the same position and post require roughly the same permissions, so roles are divided by position and post. For example, a role in a finance post needs finance-related permissions such as reconciliation and bill management, and a role in a personnel post needs personnel-related permissions such as employee information, professional grade and salary management. As shown in Fig. 6, the role table includes fields such as role name and role description.
The function permission table stores the defined function permissions; a function permission is the license to perform a certain operation. For example, an operations post needs to manage the content of the official website's news channel, so the corresponding function permissions include "create a news item", "delete a news item", "edit a news item" and so on. As shown in Fig. 6, the function permission table includes fields such as function permission code, function permission name and function permission description.
The data permission table stores the defined data permissions; a data permission is the range of data that may be accessed. The essence of many operations is reading or writing data, so the range of data that may be accessed must be limited, and when an operation is performed it is constrained by the data permission. Classified from the perspective of the database, data permissions fall into two dimensions: row permissions and column permissions. A row permission is the access permission for a row of data in a database table. For example, if a company's market is divided into three levels, national, provincial and city, then national-, provincial- and city-level data permissions can be defined and granted to the market directors of the corresponding level: the national director can query data such as performance, orders and user information nationwide, the provincial director is only allowed to view that province's data, and the city director is only allowed to view that city's data. A column permission is the access permission for the different fields in a data table. For another example, consider a company's function for querying employees' professional grade and salary information: the personnel director can view all employees' data, a department head is only allowed to view the data of that department's employees, and an ordinary employee is only allowed to view their own data; this can be limited with row permissions. But some sensitive information in the professional grade and salary information is restricted to being visible only to the company's personnel staff and the employee themself. Two levels of data permission, salary summary and salary detail, can therefore be defined: the salary summary permission allows access to the non-sensitive fields of the salary information, and the salary detail permission allows access to all fields of the salary information. A user has the permission to query their own salary detail; the personnel director has the permission to query the salary details of all employees, including the sensitive information; and a department head only has the permission to query the salary summary of all employees in the department, which does not include the employees' sensitive information. As shown in Fig. 6, the data permission table includes fields such as data permission code, data permission name and data permission description.
The function operation table stores the defined operations, and the object information table stores the defined operation objects (also called objects). Operation and object are the two elements of the concept of a permission: a permission is the license to perform a certain operation. For example, an employee is allowed to query their own salary information; in this permission the operation is the query action and the operation object is the salary information. As shown in Fig. 6, the function operation table includes fields such as function code, function name, function permission code and function description. The function permission code in the function operation table is associated with the function permission code in the function permission table, indicating the function permission to which the function operation belongs. Likewise, the object information table includes a data permission code; the data permission code in the object information table is associated with the data permission code in the data permission table, indicating the data permission to which the object belongs.
In this embodiment, the database stores the association tables for the associations among users, roles, function permissions and data permissions, specifically the user-role association table, the role-function-permission association table and the role-data-permission association table.
The user-role association table stores all correspondences between users and roles. For example, the correspondence between a user and a role is stored in the user-role association table as a correspondence between the user identifier (the ID in the user table) and the role identifier (the role name in the role table). As shown in Fig. 6, the user-role association table includes fields such as ID and role name. In each row of the table, the ID and the role name associate a user with a role, indicating that the user possesses the permissions of that role, including its function permissions and data permissions.
The role-function-permission association table stores all correspondences between each role and the function permissions it possesses. For example, the correspondence between a role and a function permission is stored in the role-function-permission association table as a correspondence between the role identifier (the role name in the role table) and the function permission identifier (the function permission code in the function permission table). As shown in Fig. 6, the role-function-permission association table includes fields such as ID, role name and function permission code. In each row of the table, the role name and the function permission code associate a role with a function permission, indicating that the role possesses that function permission.
The role-data-permission association table stores all correspondences between each role and the data permissions it possesses. For example, the correspondence between a role and a data permission is stored in the role-data-permission association table as a correspondence between the role identifier (the role name in the role table) and the data permission identifier (the data permission code in the data permission table). As shown in Fig. 6, the role-data-permission association table includes fields such as ID, role name and data permission code. In each row of the table, the role name and the data permission code associate a role with a data permission, indicating that the role possesses that data permission.
In this embodiment, the functional units include the role query unit, the function permission query unit and the data permission query unit.
The role query unit queries the user-role association table to obtain the role corresponding to the online user. For example, after a new user creates an account, a role is configured for it and the correspondence between the user and the configured role is stored in the user-role association table; when the user logs in, the user's role is looked up in the user-role association table, and the user performs related operations under the restriction of the role's permissions.
The function permission query unit queries the role-function-permission association table according to the role corresponding to the online user, to check whether the function requested by the online user may be executed. For example, when a user initiates an operation, the user's role is first looked up in the user-role association table, then the function permissions possessed by that role are looked up in the role-function-permission association table, and it is judged whether the operation initiated by the user falls within the range of function permissions possessed by the role (that is, whether the user possesses the function permission for the initiated operation); if the user does not have the function permission for the initiated operation, the operation is refused, and if the user does, the next step is entered.
The data permission query unit, when the function requested by the online user may be executed, queries the role-data-permission association table according to the role corresponding to the online user to obtain the data permission corresponding to the online user. For example, when the user possesses the function permission for the initiated operation, the data permission (the accessible data range) possessed by the role is then looked up in the role-data-permission association table, and the operation result is returned to the user under the restriction of that data permission.
It should be noted that in other embodiments the user table, role table, function permission table, function operation table, data permission table and object information table need not be configured separately. For example, the contents of the user table and the role table can be stored in the user-role association table; the contents of the function permission table and the function operation table can be stored in the role-function-permission association table, or the contents of the function operation table can be stored in the function permission table; and the contents of the data permission table and the object information table can be stored in the role-data-permission association table, or the contents of the object information table can be stored in the data permission table.
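The two-step check of embodiment two (role lookup, then function permission check, then data permission lookup) can be expressed directly as queries over the association tables. The following is an added example written for this page, not code from the patent: it builds the tables of embodiment two in an in-memory SQLite database with constructed sample users, roles and permission codes (all table names, column names and codes such as `FP_RECONCILE` or `DP_SALARY_DETAIL` are assumptions made here), and implements the three query units. It goes one step beyond the description by letting a session restrict the check to a single activated role, which embodiment three later describes.

```python
import sqlite3

# Constructed sample schema modelled on the tables of embodiment two: user, role,
# function permission and data permission tables plus the three association tables.
# Table and column names are assumptions made for this example, not the patent's.
SCHEMA = """
CREATE TABLE user_tbl (id INTEGER PRIMARY KEY, user_name TEXT NOT NULL);
CREATE TABLE role_tbl (role_name TEXT PRIMARY KEY, role_desc TEXT);
CREATE TABLE function_permission (fp_code TEXT PRIMARY KEY, fp_name TEXT, fp_desc TEXT);
CREATE TABLE data_permission (dp_code TEXT PRIMARY KEY, dp_name TEXT, dp_desc TEXT);
CREATE TABLE user_role (id INTEGER PRIMARY KEY, user_id INTEGER, role_name TEXT);
CREATE TABLE role_function_permission (id INTEGER PRIMARY KEY, role_name TEXT, fp_code TEXT);
CREATE TABLE role_data_permission (id INTEGER PRIMARY KEY, role_name TEXT, dp_code TEXT);
"""

# Constructed rows: two roles (finance, hr) and three users; bob holds both roles,
# carol has no role configured at all.
SAMPLE_DATA = [
    ("INSERT INTO user_tbl VALUES (?, ?)",
     [(1, "alice"), (2, "bob"), (3, "carol")]),
    ("INSERT INTO role_tbl VALUES (?, ?)",
     [("finance", "finance post"), ("hr", "personnel post")]),
    ("INSERT INTO function_permission VALUES (?, ?, ?)",
     [("FP_RECONCILE", "reconciliation", "finance"),
      ("FP_BILL", "bill management", "finance"),
      ("FP_SALARY_QUERY", "salary query", "personnel")]),
    ("INSERT INTO data_permission VALUES (?, ?, ?)",
     [("DP_SALARY_DETAIL", "salary detail", "all salary fields"),
      ("DP_SALARY_SUMMARY", "salary summary", "non-sensitive salary fields")]),
    ("INSERT INTO user_role (user_id, role_name) VALUES (?, ?)",
     [(1, "finance"), (2, "hr"), (2, "finance")]),
    ("INSERT INTO role_function_permission (role_name, fp_code) VALUES (?, ?)",
     [("finance", "FP_RECONCILE"), ("finance", "FP_BILL"), ("hr", "FP_SALARY_QUERY")]),
    ("INSERT INTO role_data_permission (role_name, dp_code) VALUES (?, ?)",
     [("hr", "DP_SALARY_DETAIL"), ("finance", "DP_SALARY_SUMMARY")]),
]


def build_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE_DATA:
        conn.executemany(sql, rows)
    return conn


def query_roles(conn, user_id):
    """Role query unit: look up the online user's roles in the user-role table."""
    rows = conn.execute(
        "SELECT role_name FROM user_role WHERE user_id = ? ORDER BY role_name",
        (user_id,))
    return [r[0] for r in rows]


def function_allowed(conn, user_id, fp_code, roles):
    """Function permission query unit: does one of the given roles hold fp_code?"""
    if not roles:
        return False
    marks = ",".join("?" * len(roles))
    row = conn.execute(
        "SELECT 1 FROM user_role ur "
        "JOIN role_function_permission rfp ON rfp.role_name = ur.role_name "
        f"WHERE ur.user_id = ? AND rfp.fp_code = ? AND ur.role_name IN ({marks}) "
        "LIMIT 1",
        (user_id, fp_code, *roles)).fetchone()
    return row is not None


def query_data_permissions(conn, user_id, roles):
    """Data permission query unit: data permission codes held by the given roles."""
    if not roles:
        return []
    marks = ",".join("?" * len(roles))
    rows = conn.execute(
        "SELECT DISTINCT rdp.dp_code FROM user_role ur "
        "JOIN role_data_permission rdp ON rdp.role_name = ur.role_name "
        f"WHERE ur.user_id = ? AND ur.role_name IN ({marks}) ORDER BY rdp.dp_code",
        (user_id, *roles))
    return [r[0] for r in rows]


def authorize(conn, user_id, fp_code, active_role=None):
    """The two-step check: refuse unless the function is permitted, otherwise return
    the data permissions that bound the operation. When the session has activated a
    single role, only that role's permissions count."""
    roles = query_roles(conn, user_id)
    if active_role is not None:
        roles = [r for r in roles if r == active_role]
    if not roles:
        return (False, [])          # no role configured: nothing is permitted
    if not function_allowed(conn, user_id, fp_code, roles):
        return (False, [])          # function permission missing: refuse
    return (True, query_data_permissions(conn, user_id, roles))


if __name__ == "__main__":
    db = build_db()
    for uid, fp in [(1, "FP_RECONCILE"), (1, "FP_SALARY_QUERY"),
                    (2, "FP_SALARY_QUERY"), (3, "FP_RECONCILE")]:
        print(uid, fp, authorize(db, uid, fp))
```

Two design points worth noticing: a user without any row in the user-role table is refused before any permission is consulted, which is the fail-closed behaviour step 4 of the workflow below calls for; and a user holding several roles receives the union of those roles' data permissions unless the session pins the check to one activated role, so an implementation that lets users "enter the interface of all roles at once" should be aware that it is widening the data range accordingly.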
Embodiment three
Fig. 4 is a schematic diagram of embodiment three of the user permission management system of the invention. As shown in Fig. 4, the user permission management system of this embodiment includes a database (including a user table, role table, function permission table, data permission table, function operation table, object information table, user-role association table, role-function-permission association table and role-data-permission association table), a role query unit, a function permission query unit and a data permission query unit. These are similar to embodiment two and are not described again here.
In this embodiment, the database also includes a user function permission attribute table, a user data permission attribute table and a resource table, and the functional units also include a resource extraction unit and an execution unit.
The user function permission attribute table stores the function permissions associated with a user together with their function permission attribute parameters, that is, it records the attribute values of the user's function permissions. As shown in Fig. 6, the user function permission attribute table includes fields such as ID, user ID, function permission code, parameter 1, parameter 2 and parameter 3.
The user data permission attribute table stores the data permissions associated with a user together with their data permission attribute parameters, that is, it records the attribute values of the user's data permissions. As shown in Fig. 6, the user data permission attribute table includes fields such as ID, user ID, data permission code, parameter 1, parameter 2 and parameter 3. The data permission attribute parameters may further include data row permission attribute parameters and data column permission attribute parameters.
It should be noted that the attribute values of a function permission may include restrictions on attributes of the function permission such as time and count; for example, a user may only query data after 9 o'clock, where the function permission is the query and the attribute of the function permission is "after 9 o'clock". The attribute values of a data permission may include restrictions on attributes of the data permission such as rows and columns, because data in a database has the two dimensions of rows and columns: the data row permission attribute parameter narrows, within the restriction of the row permission, the number of data rows that may be accessed, and the data column permission attribute parameter narrows, within the restriction of the column permission, the number of data columns that may be accessed. For example, if a city director in the marketing department is specifically responsible for the two cities Zhejiang and Hangzhou, then the data permission is city level, the attribute of the data permission is "Zhejiang and Hangzhou", and that attribute is limited by the data row permission attribute parameter. For another example, if a city director in the marketing department can only view the marketing department's related data and not the data of other departments, then the data permission is city level, the attribute of the data permission is "marketing department", and that attribute is limited by the data column permission attribute parameter.
In summary, the user function permission attribute table and the user data permission attribute table make permission settings more layered: the function permission and data permission settings can establish a broad permission range based on the role (for example the employee grade in the organizational structure), and for each user under each role the permissions are then limited further in the user function permission attribute table and the user data permission attribute table according to the scope that user is actually involved in. For example, every user at the level of marketing department city director can have the data permission set to city level, and the specific city that user is responsible for can be restricted with the data row permission attribute parameter, without having to set a permission for that specific city directly in the data permission; this avoids the data permission table and the function permission table becoming too large and slow to search.
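The row and column dimensions of a data permission (the salary summary versus salary detail example under the data permission table above) and the per-user row and column attribute parameters just described combine into one filtering step at query time. The following added example, written for this page rather than taken from the patent, shows that step over a constructed salary table: each data permission declares the field on which its row scope is granted and the columns it exposes, and the user's attribute parameters can only narrow that scope. All record values, permission codes and field names are constructed for the example.

```python
# Constructed salary records for the professional grade / salary query of the
# description. Field names and values are assumptions made for this example.
SALARY_RECORDS = [
    {"employee": "e1", "dept": "market",  "city": "Hangzhou", "grade": "P5", "base": 9000,  "bonus": 2000},
    {"employee": "e2", "dept": "market",  "city": "Zhejiang", "grade": "P6", "base": 12000, "bonus": 3000},
    {"employee": "e3", "dept": "finance", "city": "Hangzhou", "grade": "P4", "base": 8000,  "bonus": 1000},
    {"employee": "e4", "dept": "market",  "city": "Shanghai", "grade": "P7", "base": 15000, "bonus": 5000},
]
ALL_COLUMNS = ["employee", "dept", "city", "grade", "base", "bonus"]
SENSITIVE = ["base", "bonus"]           # fields only the detail permission exposes
SUMMARY_COLUMNS = [c for c in ALL_COLUMNS if c not in SENSITIVE]

# Constructed data permission table. row_key is the field on which the row permission
# is granted (None means no row restriction, e.g. a national-level permission);
# columns are the fields the column permission exposes.
DATA_PERMISSIONS = {
    "DP_ALL_DETAIL":    {"row_key": None,       "columns": ALL_COLUMNS},      # personnel director
    "DP_DEPT_SUMMARY":  {"row_key": "dept",     "columns": SUMMARY_COLUMNS},  # department head
    "DP_SELF_DETAIL":   {"row_key": "employee", "columns": ALL_COLUMNS},      # ordinary employee
    "DP_CITY_SUMMARY":  {"row_key": "city",     "columns": SUMMARY_COLUMNS},  # city director
    "DP_CITY_DETAIL":   {"row_key": "city",     "columns": ALL_COLUMNS},
}


def apply_data_permission(records, dp_code, row_param=None, column_param=None):
    """Return the rows and fields visible under data permission dp_code, narrowed by
    the user's data row attribute parameter (allowed values of the row key) and data
    column attribute parameter (allowed field names)."""
    dp = DATA_PERMISSIONS[dp_code]
    columns = dp["columns"]
    if column_param is not None:
        # The column parameter may only narrow the permission's columns, never widen them.
        columns = [c for c in columns if c in column_param]
    row_key = dp["row_key"]
    if row_key is not None and row_param is None:
        # A row-scoped permission with no row attribute configured: fail closed rather
        # than silently returning every row.
        return []
    visible = []
    for rec in records:
        if row_key is not None and rec[row_key] not in row_param:
            continue
        visible.append({c: rec[c] for c in columns})
    return visible


def visible_employees(records, dp_code, row_param=None, column_param=None):
    """Convenience view: which employees' rows survive the filter."""
    return [r["employee"] for r in apply_data_permission(records, dp_code, row_param, column_param)]


if __name__ == "__main__":
    # City director responsible for Zhejiang and Hangzhou, summary fields only.
    for row in apply_data_permission(SALARY_RECORDS, "DP_CITY_SUMMARY", ["Zhejiang", "Hangzhou"]):
        print(row)
```

The fail-closed branch is the part a practitioner should keep: a role-level "city level" permission on its own says nothing about which city, so a missing row attribute parameter must mean no rows, not all rows. The column parameter is likewise applied as an intersection with the permission's own column list, so a misconfigured user attribute cannot expose `base` or `bonus` to a summary-level permission.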
The resource table stores the display information associated with function permissions, that is, all visual interface resources that depend on permissions. A system usually provides a visual interface for users to use; different users correspond to different roles and possess different permissions. After a user logs in, the system needs to display the visual interface according to the user's permissions, showing the resources (including function entries and information) the user has permission to access and hiding the resources the user does not have permission to access. For example, when a user logs in with the finance role, the system displays the financial management module, including finance function entries such as reconciliation and bill management; when a user logs in with the personnel role, the system displays the personnel management module, including personnel function entries such as salary and leave requests, without displaying the financial management module. As shown in Fig. 6, the resource table includes fields such as resource code, resource name, function permission code and resource description. The function permission code in the resource table is associated with the function permission code in the function permission table, indicating the function permission the resource depends on.
Resource access unit: when the function requested by the online user is executable, it extracts from the resource table the display information associated with the function privilege corresponding to the requested function.
Execution unit: when the function requested by the online user is executable, it performs the requested function according to the function operation table and the object information table.
Note that a user may hold multiple roles; the user can enter the operation interface of each role separately, or enter an operation interface that combines all the permissions held by the multiple roles.
When the user authority management system of this embodiment is used, its workflow is as follows:
1) roles are created according to requirements, and the function privileges and data permissions of each role are configured;
2) users are created and their roles are configured;
3) the function privilege attribute parameters and/or data permission attribute parameters of users are configured according to requirements;
4) when a user logs in for the first time, the system checks the user's authority: if no role is configured for the user (i.e. the user has no authority restriction), the login fails; if a role is configured (i.e. the user has an authority restriction), proceed to the next step;
5) after a successful login, the system creates a session, and the user activates a role through the session, associating the session with that role;
6) the system queries the function privileges held by the role, queries the interface resources that may be shown according to those function privileges, and shows the corresponding function entrances and information to the user;
7) when the user performs an operation, the system queries whether the user holds the function privilege for that operation; if not, the operation is refused; if so, proceed to the next step;
8) the system queries the data permissions of the role and the data permission attributes or function privilege attributes of the user, performs the operation under the restrictions of those attributes, and returns the result to the user.
The following example illustrates how users, roles, data permissions, function privileges and data permission attributes are associated, and the resulting system workflow.
As shown in Fig. 7 and Fig. 8, user user1 is created at the city director rank of the marketing department. The role table defines the role named "marketing_city_manager", representing the marketing department city director. The data permission table defines the data permission code "area_city", meaning that the data access scope is limited to the city level; the function privilege table defines the function privilege code "query_order", representing the privilege to query business orders. In the role-data-permission association table, one record associates the role with the data permission: its role name is "marketing_city_manager" and its data permission code is "area_city", indicating that the role holds this data permission. In the role-function-privilege association table, one record associates the role with the function privilege: its role name is "marketing_city_manager" and its function privilege code is "query_order", indicating that the role holds this function privilege. When the city the user is responsible for is "Hangzhou" in "Zhejiang", a record is added to the user data permission attribute table holding the attribute values of this data permission for this user: the user ID, the data permission code "area_city", parameter 1 set to the province of the city the user is responsible for, "Zhejiang", and parameter 2 set to the city name, "Hangzhou".
When user user1 initiates a business order query, the workflow of the user authority management system of this embodiment is as follows:
1) the user enters a username and password to log in to the system;
2) the system queries the user's roles in the user-role association table by user ID and offers them to the user for selection;
3) the user creates a session and chooses to activate the role "marketing_city_manager";
4) the system queries the role-function-privilege association table to decide whether the role is authorised to perform the business order query operation. Because the user's role is marketing department city director, a record exists in the role-function-privilege association table with role name "marketing_city_manager" and function privilege code "query_order", showing that the role has been granted the business order query privilege;
5) the system queries the role-data-permission association table and obtains the role's data permission "area_city";
6) the system queries the user data permission attribute table and obtains the user's attribute values for the data permission "area_city": "Zhejiang" and "Hangzhou";
7) the system performs the business order query with the territorial scope of the data limited to "Zhejiang-Hangzhou", returns the order data of that city and completes the operation.
The following example illustrates how data row permissions and column permissions are managed and how data permission attribute parameters are set.
As shown in Fig. 8, take querying salary information as an example: the HR department director is allowed to view the salary details of all employees, while the marketing department director is allowed to view the salary summary of all employees of the marketing department. The role table defines the HR director role "hr_director" and the marketing director role "marketing_director". The data permission table defines the data permission code "salary_summary" for "salary summary" (a column permission that restricts which fields are visible), the data permission code "salary_desc" for "salary details" (a column permission), the data permission code "scope_company" for "company-wide scope" (a row permission that restricts which records are visible) and the data permission code "scope_department" for "department scope" (a row permission). In the role-data-permission association table, one group of records associates the role "hr_director" with the data permissions "salary_desc" and "scope_company", representing the data permissions held by the HR director role; another group associates the role "marketing_director" with the data permissions "salary_summary" and "scope_department", representing the data permissions held by the marketing director role.
In addition, in the user data permission attribute table a record is defined for the user who holds the marketing director role, recording the user ID, the data permission code "scope_department" and parameter 1 "marketing", which limits that user's "department scope" data permission to the marketing department.
As shown in Fig. 8, user user2 is associated with the HR director role "hr_director". When this user queries employee salary information, the data permissions are "salary_desc" and "scope_company", so the user can view the salary details of all employees of the company, including pre-tax salary, employee social security contribution, employee housing provident fund contribution, individual income tax, salary deductions, actual salary paid, company social security contribution, company housing provident fund contribution and so on. User user3 is associated with the marketing director role "marketing_director". When this user queries employee salary information, the data permissions are "salary_summary" and "scope_department" with the data permission attribute parameter "marketing", so the user can view the salary summary of marketing department employees, which includes only pre-tax salary and actual salary paid and hides the other salary details.
The following example illustrates how function privilege attribute parameters are used.
For example, to make offline review and order statistics easier, the system provides a function that generates an order report and exports it as an Excel file. When the order volume is large, report generation places a high load on the server. Since the order report function is not used frequently, and to avoid its impact on system performance, the system restricts the time at which this function may be used: most users holding this privilege are only allowed to perform the operation during server off-peak periods, and only a few users are permitted to perform it at any time. As shown in Fig. 7, user user4 is associated with the marketing department employee role "marketing_staff"; the function privilege table defines the privilege code "export_order_report", representing the privilege to export order reports. User user4 is only allowed to export order reports during server off-peak periods, so a record is stored in the user function privilege attribute table containing the user ID, the function privilege code "export_order_report" and parameter 1 "server_free_time", which restricts the time at which this user may perform the operation. User user3 is associated with the marketing department director role "marketing_director" and has no function privilege attribute parameter configured, meaning that this user's order report export operation is not time-restricted.
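The tables and checks described above (workflow steps 1 to 8, the user1 order query, the payroll row and column permissions of Fig. 8 and the export_order_report time restriction) as an added example in Python with SQLite; this is not the patent's own code, and the function names, column names and the order and payroll rows are assumptions.

```python
"""Added example, not the patent's own code: the patent's association tables and
authorization workflow modelled in an in-memory SQLite database, seeded with the
user1..user4 sample data of the description. Function names, column names and
the order/payroll rows are assumptions."""
import sqlite3

SCHEMA = """
CREATE TABLE user_role(user_id TEXT, role TEXT);
CREATE TABLE role_function(role TEXT, func_code TEXT);
CREATE TABLE role_data(role TEXT, data_code TEXT);
CREATE TABLE user_function_attr(user_id TEXT, func_code TEXT, param1 TEXT);
CREATE TABLE user_data_attr(user_id TEXT, data_code TEXT, param1 TEXT, param2 TEXT);
"""
SAMPLE = {  # rows constructed to match Figs. 7 and 8 of the description
    "user_role": [("user1", "marketing_city_manager"), ("user2", "hr_director"),
                  ("user3", "marketing_director"), ("user4", "marketing_staff")],
    "role_function": [("marketing_city_manager", "query_order"),
                      ("marketing_staff", "export_order_report"),
                      ("marketing_director", "export_order_report")],
    "role_data": [("marketing_city_manager", "area_city"), ("hr_director", "salary_desc"),
                  ("hr_director", "scope_company"), ("marketing_director", "salary_summary"),
                  ("marketing_director", "scope_department")],
    "user_function_attr": [("user4", "export_order_report", "server_free_time")],
    "user_data_attr": [("user1", "area_city", "Zhejiang", "Hangzhou"),
                       ("user3", "scope_department", "marketing", None)],
}
# Constructed business data that the permissions are applied to.
ORDERS = [("o1", "Zhejiang", "Hangzhou"), ("o2", "Zhejiang", "Ningbo"), ("o3", "Jiangsu", "Nanjing")]
PAYROLL_COLS = ["employee", "department", "pre_tax_salary", "social_security", "income_tax", "actual_pay"]
PAYROLL = [("alice", "marketing", 10000, 800, 500, 8700), ("bob", "finance", 12000, 900, 700, 10400)]
SUMMARY_COLS = {"employee", "pre_tax_salary", "actual_pay"}  # the columns "salary_summary" exposes


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, rows in SAMPLE.items():
        db.executemany(f"INSERT INTO {table} VALUES ({','.join('?' * len(rows[0]))})", rows)
    return db

def q(db, sql, *args):
    return db.execute(sql, args).fetchall()

def activate_role(db, user_id, role):
    """Steps 2-3 and 5: a session may only activate a role listed for the user in user_role."""
    if (role,) not in q(db, "SELECT role FROM user_role WHERE user_id=?", user_id):
        raise PermissionError(f"{user_id} is not associated with role {role}")
    return {"user_id": user_id, "role": role}

def can_execute(db, session, func_code):
    """Steps 4 and 7: function privileges are granted through the role, never to the user directly."""
    return bool(q(db, "SELECT 1 FROM role_function WHERE role=? AND func_code=?", session["role"], func_code))

def function_constraint(db, session, func_code):
    """Per-user function privilege attribute parameter, e.g. 'server_free_time'; None means unrestricted."""
    rows = q(db, "SELECT param1 FROM user_function_attr WHERE user_id=? AND func_code=?",
             session["user_id"], func_code)
    return rows[0][0] if rows else None

def data_scope(db, session):
    """Steps 5-6: the role's data permission codes, each narrowed by the user's attribute values."""
    scope = {}
    for (code,) in q(db, "SELECT data_code FROM role_data WHERE role=?", session["role"]):
        attr = q(db, "SELECT param1, param2 FROM user_data_attr WHERE user_id=? AND data_code=?",
                 session["user_id"], code)
        scope[code] = tuple(p for p in (attr[0] if attr else ()) if p is not None)
    return scope

def query_orders(db, session):
    """Step 7: refuse without the function privilege, then keep only the rows of the user's own city."""
    if not can_execute(db, session, "query_order"):
        raise PermissionError("query_order not granted to the active role")
    scope = data_scope(db, session)
    if "area_city" not in scope:
        raise PermissionError("no area data permission")
    province, city = scope["area_city"]  # parameter 1 and parameter 2 of the user's attribute record
    return [o for o in ORDERS if o[1] == province and o[2] == city]

def query_payroll(db, session):
    """Column permission (salary_desc / salary_summary) and row permission (scope_*) applied together."""
    scope = data_scope(db, session)
    if (not scope.keys() & {"salary_desc", "salary_summary"}
            or not scope.keys() & {"scope_company", "scope_department"}):
        raise PermissionError("missing column or row data permission")
    cols = PAYROLL_COLS if "salary_desc" in scope else [c for c in PAYROLL_COLS if c in SUMMARY_COLS]
    rows = PAYROLL if "scope_company" in scope else [r for r in PAYROLL if r[1] == scope["scope_department"][0]]
    return [{c: r[PAYROLL_COLS.index(c)] for c in cols} for r in rows]
```

Activating a role the user is not associated with raises before any privilege lookup happens, so the role, not the user, remains the only path to a function privilege.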
The preferred embodiments of the invention have been described in detail above. It should be understood that a person of ordinary skill in the art can make many modifications and variations according to the concept of the invention without creative effort. Therefore, any technical solution that a person skilled in the art can obtain on the basis of the prior art through logical analysis, reasoning or limited experimentation under the concept of the invention shall fall within the scope of protection defined by the claims.
Claims (10)
- 1. A user authority management system, characterised in that it includes: a database including a user-role association table for storing the correspondence between users and roles, a role-function-privilege association table for storing the correspondence between roles and function privileges, and a role-data-permission association table for storing the correspondence between roles and data permissions, the function privileges being used to determine which functions may be executed and the data permissions being used to determine which data may be accessed; a role query unit for querying the user-role association table to obtain the role corresponding to an online user; a function privilege query unit for querying the role-function-privilege association table according to the role corresponding to the online user, to check whether the function requested by the online user may be executed; and a data permission query unit for, when the function requested by the online user may be executed, querying the role-data-permission association table according to the role corresponding to the online user to obtain the data permission corresponding to the online user.
- 2. The user authority management system of claim 1, characterised in that the correspondence between roles and data permissions includes the correspondence between roles and row data permissions and the correspondence between roles and column data permissions.
- 3. The user authority management system of claim 1, characterised in that the database further includes: a user function privilege attribute table for storing the function privileges associated with a user together with function privilege attribute parameters, and a user data permission attribute table for storing the data permissions associated with a user together with data permission attribute parameters.
- 4. The user authority management system of claim 3, characterised in that the data permission attribute parameters include data row permission attribute parameters and data column permission attribute parameters.
- 5. The user authority management system of claim 1, characterised in that the database further includes a resource table for storing the display information associated with function privileges; and the user authority management system further includes a resource access unit which, when the function requested by the online user may be executed, extracts from the resource table the display information associated with the function privilege corresponding to the requested function.
- 6. The user authority management system of claim 1 or 5, characterised in that the database further includes a function operation table for storing the operations associated with function privileges and an object information table for storing the operation objects associated with data permissions; and the user authority management system further includes an execution unit which, when the function requested by the online user may be executed, performs the function requested by the online user according to the function operation table and the object information table.
- 7. The user authority management system of claim 1, characterised in that the database further includes: a user table for storing user identifiers, a role table for storing role identifiers, a function privilege table for storing function privilege identifiers and a data permission table for storing data permission identifiers.
- 8. A user authority management method, characterised in that it comprises the following steps: pre-establishing a database that includes a user-role association table for storing the correspondence between users and roles, a role-function-privilege association table for storing the correspondence between roles and function privileges, and a role-data-permission association table for storing the correspondence between roles and data permissions, the function privileges being used to determine which functions may be executed and the data permissions being used to determine which data may be accessed; querying the user-role association table to obtain the role corresponding to an online user; querying the role-function-privilege association table according to the role corresponding to the online user to check whether the function requested by the online user may be executed; and, when the function requested by the online user may be executed, querying the role-data-permission association table according to the role corresponding to the online user to obtain the data permission corresponding to the online user.
- 9. The user authority management method of claim 8, characterised in that the database further includes a resource table for storing the display information associated with function privileges; and the method further includes: when the function requested by the online user may be executed, extracting from the resource table the display information associated with the function privilege corresponding to the requested function.
- 10. The user authority management method of claim 8, characterised in that the database further includes a function operation table for storing the operations associated with function privileges and an object information table for storing the operation objects associated with data permissions; and the method further includes: when the function requested by the online user may be executed, performing the function requested by the online user according to the function operation table and the object information table.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710557928.3A CN107506658A (en) | 2017-07-10 | 2017-07-10 | A kind of user authority management system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107506658A true CN107506658A (en) | 2017-12-22 |
Family
ID=60679613
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710557928.3A Pending CN107506658A (en) | 2017-07-10 | 2017-07-10 | A kind of user authority management system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107506658A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20171222 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |