CN107506658A - A kind of user authority management system and method - Google Patents

A kind of user authority management system and method

Info

Publication number: CN107506658A
Authority: CN (China)
Prior art keywords: user, role, function, data, authority
Legal status: Pending
Application number: CN201710557928.3A
Other languages: Chinese (zh)
Inventors: 麦林, 盛运林, 李心语, 黄涛, 彭庭坤, 王鹏, 杨�一
Current assignee: Shanghai Best Network Technology Co Ltd
Original assignee: Shanghai Best Network Technology Co Ltd
Application filed by Shanghai Best Network Technology Co Ltd
Priority to CN201710557928.3A
Publication of CN107506658A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/28 Databases characterised by their database models, e.g. relational or object models

Abstract

The invention discloses a user authority management system and method. The user authority management system includes: a database, comprising a user-role association table for storing the correspondence between users and roles, a role-function-permission association table for storing the correspondence between roles and function permissions, and a role-data-permission association table for storing the correspondence between roles and data permissions, where a function permission determines which functions may be executed and a data permission determines which data may be accessed; a role query unit, for querying the user-role association table to obtain the role corresponding to the online user; a function permission query unit, for querying the role-function-permission association table according to the role corresponding to the online user, to check whether the function requested by the online user may be executed; and a data permission query unit, for querying the role-data-permission association table according to the role corresponding to the online user when the requested function may be executed, to obtain the data permission corresponding to the online user.

Description

A kind of user authority management system and method
Technical field
The present invention relates to the field of computer technology, and in particular to a user authority management system and method.
Background technology
With the development of computer and Internet technology, the world has entered the era of big data. Enterprises and governments pay increasing attention to informatization and data sharing, and ensuring the security of information and data has accordingly become especially important.
Enterprises and governments generally provide various services, and access to data resources, externally or internally through websites, application software and similar channels. Without an effective permission management mechanism, a user who can access services, data or resources outside their scope of authority undoubtedly creates a serious security risk. Permission management is therefore needed to restrict each user to the data and resources they have been authorized to access.
Common permission management methods include discretionary access control (DAC), mandatory access control (MAC) and role-based access control (RBAC). DAC lets the owner of an object manage that object's resources; the owner may also grant other subjects access rights to the object, and access by unauthorized subjects is forbidden. In the MAC model the system forces subjects to obey the access policy: every subject and object carries a fixed security attribute, and on each access the system checks the security attributes of the subject and the object to confirm whether the subject is permitted access. The basic idea of RBAC is to grant access rights to roles; a user obtains the rights a role holds by being assigned that role. An important difference between RBAC and DAC or MAC is the concept of the role: the role becomes a bridge between subject and object, so a subject's access rights to objects can be controlled more flexibly through roles, which simplifies permission management.
RBAC establishes a three-way relational model of users, roles and permissions, as shown in Fig. 1. However, as the application scenarios of permission management grow more complex, many scenarios require managing an ever larger number of user roles and processing massive amounts of data and resources, and the basic RBAC model cannot meet the demands of these varied and changing practical scenarios.
Those skilled in the art are therefore working to develop a more reasonable and secure user authority management system and method.
Summary of the invention
The technical problem to be solved by the invention is that existing role-based access control cannot meet the demands of increasingly varied practical application scenarios.
To solve the above technical problem, the invention provides a user authority management system, including:
a database, including a user-role association table for storing the correspondence between users and roles, a role-function-permission association table for storing the correspondence between roles and function permissions, and a role-data-permission association table for storing the correspondence between roles and data permissions, where the function permission determines which functions may be executed and the data permission determines which data may be accessed;
a role query unit, for querying the user-role association table to obtain the role corresponding to the online user;
a function permission query unit, for querying the role-function-permission association table according to the role corresponding to the online user, to check whether the function requested by the online user may be executed;
a data permission query unit, for querying the role-data-permission association table according to the role corresponding to the online user when the function requested by the online user may be executed, to obtain the data permission corresponding to the online user.
Further, the correspondence between roles and data permissions includes a correspondence between roles and row data permissions and a correspondence between roles and column data permissions.
Further, the database also includes a user function permission attribute table for storing the function permissions associated with a user together with their function permission attribute parameters, and a user data permission attribute table for storing the data permissions associated with a user together with their data permission attribute parameters.
Further, the data permission attribute parameters include data row permission attribute parameters and data column permission attribute parameters.
Further, the database also includes a resource table for storing the display information associated with function permissions; the user authority management system also includes a resource extraction unit which, when the function requested by the online user may be executed, extracts from the resource table the display information associated with the function permission corresponding to the requested function.
Further, the database also includes a function operation table for storing the operations associated with function permissions and an object information table for storing the operation objects associated with data permissions; the user authority management system also includes an execution unit which, when the function requested by the online user may be executed, performs the requested function according to the function operation table and the object information table.
Further, the database also includes a user table for storing user identifiers, a role table for storing role identifiers, a function permission table for storing function permission identifiers, and a data permission table for storing data permission identifiers.
To solve the above technical problem, the invention also provides a user authority management method, comprising the following steps:
pre-establishing a database, which includes a user-role association table for storing the correspondence between users and roles, a role-function-permission association table for storing the correspondence between roles and function permissions, and a role-data-permission association table for storing the correspondence between roles and data permissions, where the function permission determines which functions may be executed and the data permission determines which data may be accessed;
querying the user-role association table to obtain the role corresponding to the online user;
querying the role-function-permission association table according to the role corresponding to the online user, to check whether the function requested by the online user may be executed;
when the function requested by the online user may be executed, querying the role-data-permission association table according to the role corresponding to the online user, to obtain the data permission corresponding to the online user.
Further, the database also includes a resource table for storing the display information associated with function permissions; the user authority management method also includes: when the function requested by the online user may be executed, extracting from the resource table the display information associated with the function permission corresponding to the requested function.
Further, the database also includes a function operation table for storing the operations associated with function permissions and an object information table for storing the operation objects associated with data permissions; the user authority management method also includes: when the function requested by the online user may be executed, performing the requested function according to the function operation table and the object information table.
The user authority management system and method of the invention improve on the basic RBAC model and have the following technical effects:
(1) Permissions are divided into function permissions and data permissions, so permissions are configured along two dimensions, function and data, which makes configuration more flexible and precise. When governing a user's operation, the system first judges from the function permission whether the user is allowed to perform the operation, and then limits the range of data the user may access according to the data permission; the permission management flow is thus more reasonable and secure, and the technical scheme of the invention can adapt to a wide range of application scenarios.
(2) In the display of the system's visualization interface, the resources that depend on permissions are split out and a mapping between resources and function permissions is configured, so that visualization interface resources can be configured separately and the interface display logic becomes clearer.
(3) Through function permission attribute parameters and data permission attribute parameters, different permissions can be customized for different users holding the same role, so permissions are granted to users more precisely and information and data resources are more secure.
The design, concrete structure and resulting technical effects of the invention are further described below with reference to the accompanying drawings, so that the purpose, features and effects of the invention are fully understood.
Brief description of the drawings
Fig. 1 is a schematic diagram of the basic model of existing role-based access control;
Fig. 2 is a schematic diagram of embodiment one of the user authority management system of the invention;
Fig. 3 is a schematic diagram of embodiment two of the user authority management system of the invention;
Fig. 4 is a schematic diagram of embodiment three of the user authority management system of the invention;
Fig. 5 is a schematic diagram of the model of the user authority management system of the invention;
Fig. 6 is a schematic diagram of the database in the user authority management system of the invention;
Fig. 7 is a schematic diagram illustrating an instance of function permissions in embodiment three of the user authority management system of the invention;
Fig. 8 is a schematic diagram illustrating an instance of data permissions in embodiment three of the user authority management system of the invention.
Detailed description of the embodiments
The technical scheme of the embodiments of the invention is described clearly and completely below in conjunction with those embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Embodiment one
Fig. 2 is a schematic diagram of embodiment one of the user authority management system of the invention. As shown in Fig. 2, the user authority management system of this embodiment includes a database, a role query unit, a function permission query unit and a data permission query unit.
The database includes a user-role association table, a role-function-permission association table and a role-data-permission association table.
The user-role association table stores the correspondence between users and roles.
The role-function-permission association table stores the correspondence between roles and function permissions, where a function permission determines which functions may be executed.
The role-data-permission association table stores the correspondence between roles and data permissions, where a data permission determines which data may be accessed. The correspondence between roles and data permissions may further include a correspondence between roles and row data permissions and a correspondence between roles and column data permissions.
The role query unit queries the user-role association table to obtain the role corresponding to the online user.
The function permission query unit queries the role-function-permission association table according to the role corresponding to the online user, to check whether the function requested by the online user may be executed.
The data permission query unit, when the function requested by the online user may be executed, queries the role-data-permission association table according to the role corresponding to the online user to obtain the data permission corresponding to the online user.
Embodiment two
Fig. 3 is a schematic diagram of embodiment two of the user authority management system of the invention. As shown in Fig. 3, the user authority management system of this embodiment includes a database, a role query unit, a function permission query unit and a data permission query unit.
In addition to the user-role association table, role-function-permission association table and role-data-permission association table of embodiment one, the database includes six basic information tables: a user table, a role table, a function permission table, a data permission table, a function operation table and an object information table.
With reference to Fig. 5, the improved RBAC model includes users, roles, function permissions, data permissions, operations and operation objects, which correspond to the user table, role table, function permission table, data permission table, function operation table and object information table in the database.
The user table stores the basic information of users, a user being a user of the system. As shown in the example of Fig. 6, the user table includes fields such as user identifier (ID), user name and password.
The role table stores the basic information of the defined roles. Roles are defined according to the posts and positions in the organizational structure: different posts undertake different functions and need very different permissions, while users in the same post and position need roughly the same permissions, so roles are divided by post and position. For example, a role in a finance post needs finance-related permissions such as reconciliation and bill management, and a role in a personnel (HR) post needs HR-related permissions such as employee information, professional level and salary management. As shown in Fig. 6, the role table includes fields such as role name and role description.
The function permission table stores the defined function permissions; a function permission is the license to perform a certain operation. For example, if an operations post needs to manage the content of the official website's news channel, the corresponding function permissions include "create a news item", "delete a news item", "edit a news item" and so on. As shown in Fig. 6, the function permission table includes fields such as function permission code, function permission name and function permission description.
The data permission table stores the defined data permissions; a data permission is the range of data that may be accessed. The essence of many operations is reading or writing data, so the range of accessible data must be limited, and enforced according to the data permission when the operation is performed. From the perspective of database structure, data permissions fall into two dimensions: row permissions and column permissions. A row permission is the license to access a row of data in a database table. For example, if a company is divided into national, provincial and city markets, three levels of data permission (national, provincial and city) can be defined and granted to the market directors of the corresponding level: the national director can query data such as performance, orders and user information nationwide, a provincial director may only view the province's data, and a city director may only view the city's data. A column permission is the license to access different fields of a data table. For another example, consider a company's query function for employees' professional level and salary: the HR director can view all employees' data, a department head may only view the data of the department's employees, and an ordinary employee may only view their own data; this can be limited with row permissions. But some of the information in the professional-level and salary data is sensitive and is restricted to being visible to company HR and to the employee concerned. Two levels of data permission, salary summary and salary detail, can therefore be defined: the salary summary permission allows access to the non-sensitive fields of the salary information, and the salary detail permission allows access to all fields. An employee holds the permission to query their own salary detail; the HR director holds the permission to query all employees' salary detail, including the sensitive information; and a department head only holds the permission to query the salary summary of all the department's employees, without the employees' sensitive information. As shown in Fig. 6, the data permission table includes fields such as data permission code, data permission name and data permission description.
The function operation table stores the defined operations, and the object information table stores the defined operation objects (also called objects). Operation and object are the two elements of the concept of a permission: a permission is the license to perform a certain operation. For example, an employee is allowed to query their own salary information; in this permission the operation is the query and the operation object is the salary information. As shown in Fig. 6, the function operation table includes fields such as function code, function name, function permission code and function description. The function permission code in the function operation table is associated with the function permission code in the function permission table and indicates the function permission to which the operation belongs. Likewise, the object information table includes a data permission code, which is associated with the data permission code in the data permission table and indicates the data permission to which the object belongs.
In this embodiment, the database stores association tables for the associations between users, roles, function permissions and data permissions, specifically the user-role association table, the role-function-permission association table and the role-data-permission association table.
The user-role association table stores all correspondences between users and roles. For example, the correspondence between a user and a role is stored in the user-role association table as a pair of user identifier (the ID in the user table) and role identifier (the role name in the role table). As shown in Fig. 6, the user-role association table includes fields such as ID and role name. Each record associates a user and a role through the ID and role name, indicating that the user holds the permissions of that role, including its function permissions and data permissions.
The role-function-permission association table stores all correspondences between each role and the function permissions it holds. For example, the correspondence between a role and a function permission is stored in the role-function-permission association table as a pair of role identifier (the role name in the role table) and function permission identifier (the function permission code in the function permission table). As shown in Fig. 6, the role-function-permission association table includes fields such as ID, role name and function permission code. Each record associates a role and a function permission through the role name and function permission code, indicating that the role holds the function permission.
The role-data-permission association table stores all correspondences between each role and the data permissions it holds. For example, the correspondence between a role and a data permission is stored in the role-data-permission association table as a pair of role identifier (the role name in the role table) and data permission identifier (the data permission code in the data permission table). As shown in Fig. 6, the role-data-permission association table includes fields such as ID, role name and data permission code. Each record associates a role and a data permission through the role name and data permission code, indicating that the role holds the data permission.
In this embodiment, the functional units include a role query unit, a function permission query unit and a data permission query unit.
The role query unit queries the user-role association table to obtain the role corresponding to the online user. For example, after a new user creates an account, a role is configured for the user and the correspondence between the user and the configured role is stored in the user-role association table; when the user logs in, the user's role is looked up in the user-role association table and the user performs operations under the restrictions of the role's permissions.
The function permission query unit queries the role-function-permission association table according to the role corresponding to the online user, to check whether the function requested by the online user may be executed. For example, when a user initiates an operation, the user's role is first looked up in the user-role association table, then the function permissions held by that role are looked up in the role-function-permission association table, and the system judges whether the operation initiated by the user falls within the function permissions held by the role (that is, whether the user holds the function permission for the initiated operation). If the user does not hold the function permission for the operation, the operation is refused; if the user does hold it, processing continues with the next step.
The data permission query unit, when the function requested by the online user may be executed, queries the role-data-permission association table according to the role corresponding to the online user to obtain the data permission corresponding to the online user. For example, when the user holds the function permission for the initiated operation, the data permissions held by the role (the accessible data range) are looked up in the role-data-permission association table, and the operation result is returned to the user under the restriction of those data permissions.
It should be noted that in other embodiments the user table, role table, function permission table, function operation table, data permission table and object information table need not be configured separately. For example, the contents of the user table and role table can be stored in the user-role association table; the contents of the function permission table and function operation table can be stored in the role-function-permission association table, or the contents of the function operation table can be stored in the function permission table; and the contents of the data permission table and object information table can be stored in the role-data-permission association table, or the contents of the object information table can be stored in the data permission table.
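An added example, not the patent's own code, of the method steps and of embodiment two's tables and three query units, using an in-memory SQLite database. Table names, column names, user ids, role names and permission codes are constructed for illustration (the user table stores a password hash here; Fig. 6 only lists a password field).

```python
import sqlite3

# Constructed schema following the patent's tables (Fig. 6): the basic information tables for
# users, roles, function permissions and data permissions, plus the three association tables
# that link user->role, role->function permission and role->data permission.
SCHEMA = """
CREATE TABLE user_tbl (user_id TEXT PRIMARY KEY, user_name TEXT, password_hash TEXT);
CREATE TABLE role_tbl (role_name TEXT PRIMARY KEY, description TEXT);
CREATE TABLE function_permission (func_code TEXT PRIMARY KEY, func_name TEXT, description TEXT);
CREATE TABLE data_permission (data_code TEXT PRIMARY KEY, data_name TEXT, description TEXT);
CREATE TABLE user_role (user_id TEXT, role_name TEXT, PRIMARY KEY (user_id, role_name));
CREATE TABLE role_function_permission (role_name TEXT, func_code TEXT, PRIMARY KEY (role_name, func_code));
CREATE TABLE role_data_permission (role_name TEXT, data_code TEXT, PRIMARY KEY (role_name, data_code));
"""

# Constructed sample rows: a finance role and an HR role; alice holds both, bob only finance,
# carol has no role at all.
SAMPLE_ROWS = {
    "user_tbl": [("u1", "alice", "<hash>"), ("u2", "bob", "<hash>"), ("u3", "carol", "<hash>")],
    "role_tbl": [("finance", "finance post"), ("hr", "personnel post")],
    "function_permission": [
        ("F_RECONCILE", "reconcile accounts", "finance function"),
        ("F_QUERY_SALARY", "query salary", "HR function"),
    ],
    "data_permission": [
        ("D_SALARY_DETAIL", "salary detail", "all salary fields"),
        ("D_FINANCE_ALL", "finance data", "all finance records"),
    ],
    "user_role": [("u1", "finance"), ("u1", "hr"), ("u2", "finance")],
    "role_function_permission": [("finance", "F_RECONCILE"), ("hr", "F_QUERY_SALARY")],
    "role_data_permission": [("finance", "D_FINANCE_ALL"), ("hr", "D_SALARY_DETAIL")],
}


def build_db():
    """Create the in-memory database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        # Table names come from the constant dict above, never from request input.
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    return conn


def query_roles(conn, user_id):
    """Role query unit: user-role association table -> roles of the online user."""
    rows = conn.execute("SELECT role_name FROM user_role WHERE user_id = ?", (user_id,))
    return sorted(r[0] for r in rows)


def function_allowed(conn, user_id, func_code):
    """Function permission query unit: does any of the user's roles hold the requested
    function permission? Joins user_role with role_function_permission."""
    row = conn.execute(
        """SELECT 1 FROM user_role ur
           JOIN role_function_permission rf ON rf.role_name = ur.role_name
           WHERE ur.user_id = ? AND rf.func_code = ?""",
        (user_id, func_code),
    ).fetchone()
    return row is not None


def query_data_permissions(conn, user_id):
    """Data permission query unit: data permission codes reachable through the user's roles."""
    rows = conn.execute(
        """SELECT DISTINCT rd.data_code FROM user_role ur
           JOIN role_data_permission rd ON rd.role_name = ur.role_name
           WHERE ur.user_id = ?""",
        (user_id,),
    )
    return sorted(r[0] for r in rows)


def authorize(conn, user_id, func_code):
    """The patent's two-step check: refuse unless the function is permitted, and only then
    look up the data scope the operation may touch. Returns (allowed, data permission codes)."""
    if not function_allowed(conn, user_id, func_code):
        return (False, [])
    return (True, query_data_permissions(conn, user_id))
```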
Embodiment three
Fig. 4 is the schematic diagram of user authority management system embodiment three of the present invention, as shown in figure 4, the user of the present embodiment It is (including user's table, Jiao Sebiao, function privilege table, data permission table, feature operation table, right that Rights Management System includes database Image information table, user role contingency table, role function authority contingency table and character data authority contingency table), role inquiry unit, Function privilege query unit and data permission query unit.These are similar with embodiment two, and here is omitted.
In the present embodiment, database also includes user function Authorization Attributes table, user data authority attribute list and resource Table;Functional unit also includes Resource Access unit and execution unit.
User function Authorization Attributes table, for preserving function privilege and function privilege property parameters with user-association, i.e., The property value of user function authority is have recorded, as shown in fig. 6, user function Authorization Attributes table includes ID, ID, function privilege The field such as code, parameter 1, parameter 2, parameter 3.
User data authority attribute list, for preserving data permission and data Authorization Attributes parameter with user-association, i.e., The property value of user data authority is have recorded, as shown in fig. 6, user data authority attribute list includes ID, ID, data permission The field such as code, parameter 1, parameter 2, parameter 3.Data permission property parameters may further include data row Authorization Attributes parameter and Data row Authorization Attributes parameter.
It should be noted that the property value of function privilege can include the limit of the attributes such as the time to function privilege, number It is fixed, such as, the user can only inquire about data after 9 points, and wherein function privilege is inquiry, and the attribute of function privilege is after 9 points.Number The restriction to attributes such as the row, column of data permission can be included according to the property value of authority, because data have row in database With two dimensions of row, the data area for allowing to access according to authority by data row Authorization Attributes parameter logistic is expert at property rights Limit the lower addressable number of data of diminution;The data for allowing to access according to authority by data row Authorization Attributes parameter logistic are arranging Reduced under the restriction of property rights and may have access to data columns.Such as market department city director be specifically responsible for Zhejiang, Hangzhou this two Individual city, then data permission is city rank, and the attribute of data permission is Zhejiang and Hangzhou, and the attribute of the data permission is to pass through Data row Authorization Attributes parameter limits;For another example, market department city director can only check the related data of market department, it is impossible to look into The data in other portions are seen, then data permission is city rank, and the attribute of data permission is market department, and the attribute of the data permission is Limited by data row Authorization Attributes parameter.
In summary, user function Authorization Attributes table and user data authority attribute list make priority assignation more have levels, work( The setting of energy authority and data permission can set a big extent of competence with based role (such as organizational structure employee rank), The each user being related under each role, the scope that can be specifically related to according to user, in user function Authorization Attributes table and Further limited in user data authority attribute list.For example as long as the user of market department's city director's rank can set It is city rank to put data permission, the city being specifically responsible for, can do concrete power limit limitation using data row Authorization Attributes parameter, Authority without directly setting that specific city in data permission, to avoid data permission table and function privilege table mistake In huge, retrieval time length.
Resource table, for storing the display information associated with function permissions, that is, all visual interface resources that depend on permissions. The system usually provides a visual interface for users; different users correspond to different roles, and the permissions they hold differ. After a user logs in, the system needs to display the visual interface according to the user's permissions, showing the resources (including function entrances and information) the user is permitted to access and hiding the resources the user is not permitted to access. For example, when a user logs in with a finance role, the system displays the financial management module, containing finance function entrances such as reconciliation and bill management. When a user logs in with an HR role, the system displays the HR management module, containing HR function entrances such as salary and leave requests, without displaying the financial management module. As shown in fig. 6, the resource table contains fields such as resource code, resource name, function permission code and resource description. The function permission code in the resource table is associated with the function permission code in the function permission table, indicating the function permission on which the resource depends.
Resource access unit, for extracting, when the function requested by the online user is executable, the associated display information from the resource table according to the function permission corresponding to the requested function.
Execution unit, for executing, when the function requested by the online user is executable, the function requested by the online user according to the function operation table and the object information table.
It should be noted that a user may hold multiple roles, and may either enter the operation interface corresponding to each role separately or enter an operation interface with all the permissions held by the multiple roles.
The workflow of the user authority management system of this embodiment, as used by a user, is described in detail below:
1) Create roles as required and configure the function permissions and data permissions of each role;
2) Create users and configure their roles;
3) Configure the function permission attribute parameters and/or data permission attribute parameters of users as required;
4) When a user logs in for the first time, the system checks the user's permissions. If the user has no role configured (that is, the user has no permission restriction), login fails; if the user has a role configured (that is, the user has a permission restriction), proceed to the next step;
5) After the user logs in successfully, the system creates a session, and the user activates a role through the session, associating the session with the role;
6) The system queries the function permissions held by the role, queries the interface resources that may be displayed according to those function permissions, and displays the corresponding function entrances and information to the user;
7) When the user performs an operation, the system queries whether the user holds the function permission for that operation; if the required function permission is absent, the operation is refused, otherwise proceed to the next step;
8) The system queries the data permissions of the role and the data permission attributes or function permission attributes of the user, executes the operation under the restrictions of the permission attributes, and returns the result to the user.
The following example illustrates how users, roles, data permissions, function permissions and data permission attributes are associated, and the workflow of the system.
As shown in Figure 7 and Figure 8, a user user1 is created at marketing department city manager rank. In the role table, a role named "marketing_city_manager" is defined, representing the marketing department city manager role; in the data permission table, a data permission code "area_city" is defined, indicating that the access range of the data is limited to city level; in the function permission table, a function permission code "query_order" is defined, representing the service order query permission. In the role-data permission association table, one record associates the role with the data permission: the role name in the record is "marketing_city_manager" and the data permission code is "area_city", showing that the role holds the data permission. In the role-function permission association table, one record associates the role with the function permission: the role name in the record is "marketing_city_manager" and the function permission code is "query_order", showing that the role holds the function permission. When the specific cities the user is responsible for are "Zhejiang" and "Hangzhou", a record is added to the user data permission attribute table recording the user's attribute value for this data permission: the user ID in the record is the user's ID, the data permission code is "area_city", parameter 1 is the name of the province to which the user's city belongs, "Zhejiang", and parameter 2 is the name of the user's city, "Hangzhou".
When user user1 initiates a service order query, the workflow of the user authority management system of this embodiment is as follows:
1) The user enters a username and password to log in to the system;
2) The system queries the user's roles in the user-role association table by user ID and offers them to the user for selection;
3) The user creates a session and chooses to activate the role "marketing_city_manager";
4) The system queries the role-function permission association table to determine whether the role is authorized to perform the service order query operation. Because the user's role is marketing department city manager, the role-function permission association table contains a record with role name "marketing_city_manager" and function permission code "query_order", showing that the role has been granted the service order query permission;
5) The system queries the role-data permission association table and obtains the role's data permission "area_city";
6) The system queries the user data permission attribute table and obtains the user's attribute values for the data permission "area_city", which are "Zhejiang" and "Hangzhou";
7) The system performs the service order query, limits the territorial scope of the data to "Zhejiang-Hangzhou", returns the order data of that city, and completes the operation.
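As an added example (not the patent's own code), the following Python models the login, role activation, function permission check and data permission qualification of the workflow above for user user1. The table rows, the order records, the PermissionDenied class and the fail-closed behaviour when a city-level permission has no city attribute configured are assumptions of this example.

```python
"""Added example, not code from the patent: the user1 / marketing_city_manager
authorization flow. All table rows and order records are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed database tables, named after the tables in the description.
USER_ROLE: Dict[str, List[str]] = {"user1": ["marketing_city_manager"]}
ROLE_FUNCTION: Dict[str, Set[str]] = {"marketing_city_manager": {"query_order"}}
ROLE_DATA: Dict[str, Set[str]] = {"marketing_city_manager": {"area_city"}}
# User data permission attribute table: (user ID, data permission code) -> parameters.
USER_DATA_ATTR: Dict[Tuple[str, str], Dict[str, str]] = {
    ("user1", "area_city"): {"param1": "Zhejiang", "param2": "Hangzhou"},
}
# Constructed order records; the "area_city" permission is applied to province and city.
ORDERS = [
    {"id": 1, "province": "Zhejiang", "city": "Hangzhou", "amount": 120},
    {"id": 2, "province": "Zhejiang", "city": "Ningbo", "amount": 80},
    {"id": 3, "province": "Jiangsu", "city": "Nanjing", "amount": 95},
]


class PermissionDenied(Exception):
    """Raised when login, role activation or a function permission check fails."""


@dataclass
class Session:
    user: str
    active_role: Optional[str] = None


def login(user: str) -> Session:
    """Step 4: a user with no configured role cannot log in; step 5 creates the session."""
    if not USER_ROLE.get(user):
        raise PermissionDenied(f"{user}: no role configured")
    return Session(user=user)


def activate_role(session: Session, role: str) -> None:
    """Step 5: the session may only activate a role that the user actually holds."""
    if role not in USER_ROLE.get(session.user, []):
        raise PermissionDenied(f"{session.user} does not hold role {role}")
    session.active_role = role


def check_function(session: Session, function_code: str) -> bool:
    """Step 7: look up the role-function permission association; absent means refused."""
    if session.active_role is None:
        return False
    return function_code in ROLE_FUNCTION.get(session.active_role, set())


def data_scope(session: Session) -> Dict[str, Optional[Dict[str, str]]]:
    """Step 8: the role's data permissions, each with the user's attribute row (if any)."""
    perms = ROLE_DATA.get(session.active_role or "", set())
    return {p: USER_DATA_ATTR.get((session.user, p)) for p in perms}


def query_orders(session: Session) -> List[dict]:
    """Service order query: function permission first, then the data permission qualification."""
    if not check_function(session, "query_order"):
        raise PermissionDenied("query_order is not granted to the active role")
    scope = data_scope(session)
    if "area_city" not in scope:
        return []  # no data permission at all: nothing is visible
    attr = scope["area_city"]
    if attr is None:
        # City-level permission granted but no city configured for this user:
        # this example fails closed here (an assumption; the text does not say).
        return []
    return [o for o in ORDERS
            if o["province"] == attr["param1"] and o["city"] == attr["param2"]]
```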
The following example illustrates how row permissions and column permissions of data are managed and how data permission attribute parameters are set.
As shown in figure 8, taking a salary information query as an example, the HR department director is allowed to view the salary details of all employees, and the marketing department director is allowed to view the salary summary of all marketing department employees. The role table defines the HR director role "hr_director" and the marketing department director role "marketing_director". The data permission table defines the data permission code "salary_summary" for "salary summary" (a column permission restricting the data), the data permission code "salary_desc" for "salary details" (a column permission restricting the data), the data permission code "scope_company" for "company-wide" (a row permission restricting the data) and the data permission code "scope_department" for "department scope" (a row permission restricting the data). In the role-data permission association table, one record associates the role "hr_director" with the data permissions "salary_desc" and "scope_company", representing the data permissions held by the HR department director role; another record associates the role "marketing_director" with the data permissions "salary_summary" and "scope_department", representing the data permissions held by the marketing department director role.
In addition, in the user data permission attribute table, a record is defined for the user who holds the marketing department director role, recording the user ID, the data permission code "scope_department" and parameter 1 "marketing", thereby restricting the user's "department scope" data permission to the marketing department.
As shown in figure 8, user user2 is associated with the HR department director role "hr_director". When this user queries employee salary information, the data permissions are "salary_desc" and "scope_company", so the user can view the salary details of all company employees, including pre-tax salary, employee social security contribution, employee housing fund contribution, individual income tax, salary deductions, net pay, employer social security contribution, employer housing fund contribution and so on. User user3 is associated with the marketing department director role "marketing_director". When this user queries employee salary information, the data permissions are "salary_summary" and "scope_department" and the data permission attribute parameter is the marketing department "marketing", so the user can view the salary summary of marketing department employees, which only includes pre-tax salary and net pay and hides the other salary details.
The following example illustrates how the attribute parameters of a function permission are used.
For example, to make it easy to check and count orders offline, the system provides a function that generates an order report and exports it as an Excel file. When the volume of order data is large, the report operation places a heavy load on the server. Since the order report function is not a frequently used function, and to avoid affecting system performance, the system restricts the time at which this function may be used. For example, most users holding the restricted permission are only allowed to perform the operation during the server's off-peak period, and only a few users are permitted to perform it at any time. As shown in fig. 7, user user4 is associated with the marketing department employee role "marketing_staff"; the function permission table defines the permission code "export_order_report", representing the permission to export order reports. User user4 is only allowed to export order reports during the server's off-peak period, so a record is added to the user function permission attribute table recording the user ID, the function permission code "export_order_report" and parameter 1 "server_free_time", thereby restricting the time at which the user may perform the operation. User user3 is associated with the marketing department director role "marketing_director" and no function permission attribute parameter is set for this user, meaning the user's order report export operation has no time restriction.
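As an added example (not the patent's own code), the following Python covers both the salary example above (row permissions "scope_*", column permissions "salary_*") and the time-restricted "export_order_report" permission for user4. The table rows, the salary records, the set of columns a salary summary exposes, the off-peak window of 00:00 to 06:00 and the fail-closed choices are assumptions of this example.

```python
"""Added example, not code from the patent: row and column data permissions
and a function permission attribute, for users user2, user3 and user4."""
from typing import Dict, List, Set, Tuple

# Constructed tables; each user holds one role here for brevity.
USER_ROLE: Dict[str, str] = {
    "user2": "hr_director", "user3": "marketing_director", "user4": "marketing_staff",
}
ROLE_DATA: Dict[str, Set[str]] = {
    "hr_director": {"salary_desc", "scope_company"},
    "marketing_director": {"salary_summary", "scope_department"},
}
ROLE_FUNCTION: Dict[str, Set[str]] = {
    "marketing_staff": {"export_order_report"},
    "marketing_director": {"export_order_report"},
}
USER_DATA_ATTR: Dict[Tuple[str, str], Dict[str, str]] = {
    ("user3", "scope_department"): {"param1": "marketing"},
}
USER_FUNCTION_ATTR: Dict[Tuple[str, str], Dict[str, str]] = {
    ("user4", "export_order_report"): {"param1": "server_free_time"},
}
# Columns a salary summary exposes (the text: pre-tax salary and net pay only).
SUMMARY_COLUMNS = {"employee", "pretax_salary", "net_pay"}
SERVER_FREE_HOURS = (0, 6)  # constructed off-peak window: from 00:00 up to 06:00

# Constructed salary records with a few of the detail columns named in the text.
SALARIES = [
    {"employee": "alice", "department": "marketing", "pretax_salary": 9000,
     "employee_social_security": 900, "income_tax": 300, "net_pay": 7800},
    {"employee": "bob", "department": "hr", "pretax_salary": 8000,
     "employee_social_security": 800, "income_tax": 200, "net_pay": 7000},
]


def query_salaries(user: str) -> List[dict]:
    """Apply the row permission, then project onto the columns the column permission allows."""
    perms = ROLE_DATA.get(USER_ROLE.get(user, ""), set())
    # Row permission: scope_company sees every record, scope_department only the
    # department recorded in the user's data permission attribute row.
    if "scope_company" in perms:
        rows = list(SALARIES)
    elif "scope_department" in perms:
        attr = USER_DATA_ATTR.get((user, "scope_department"))
        if attr is None:
            return []  # department scope granted but no department configured: fail closed
        rows = [r for r in SALARIES if r["department"] == attr["param1"]]
    else:
        return []  # no row permission: no data
    # Column permission: details show every column, summary only SUMMARY_COLUMNS.
    if "salary_desc" in perms:
        return rows
    if "salary_summary" in perms:
        return [{k: v for k, v in r.items() if k in SUMMARY_COLUMNS} for r in rows]
    return []  # no column permission: no data


def can_export_order_report(user: str, hour: int) -> bool:
    """Function permission check, then the user's function permission attribute (time limit)."""
    if "export_order_report" not in ROLE_FUNCTION.get(USER_ROLE.get(user, ""), set()):
        return False
    attr = USER_FUNCTION_ATTR.get((user, "export_order_report"))
    if attr is None:
        return True  # no attribute row, as for user3: no time restriction
    if attr["param1"] == "server_free_time":
        start, end = SERVER_FREE_HOURS
        return start <= hour < end
    return False  # unrecognised attribute value: fail closed (assumption of this example)
```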
The preferred embodiments of the invention are described in detail above. It should be understood that a person of ordinary skill in the art can make many modifications and variations according to the concept of the invention without creative effort. Therefore, any technical solution that a person skilled in the art can obtain on the basis of the prior art through logical analysis, reasoning or limited experimentation under the concept of the invention shall fall within the scope of protection defined by the claims.

Claims (10)

  1. A user authority management system, characterised in that it comprises:
    A database, comprising a user-role association table for storing the correspondence between users and roles, a role-function permission association table for storing the correspondence between roles and function permissions, and a role-data permission association table for storing the correspondence between roles and data permissions, the function permissions being used to determine executable functions and the data permissions being used to determine the data that may be accessed;
    A role query unit, for querying the user-role association table to obtain the role corresponding to an online user;
    A function permission query unit, for querying the role-function permission association table according to the role corresponding to the online user, to check whether the function requested by the online user is executable;
    A data permission query unit, for querying, when the function requested by the online user is executable, the role-data permission association table according to the role corresponding to the online user, to obtain the data permission corresponding to the online user.
  2. The user authority management system of claim 1, characterised in that the correspondence between roles and data permissions comprises the correspondence between roles and row data permissions and the correspondence between roles and column data permissions.
  3. The user authority management system of claim 1, characterised in that the database further comprises: a user function permission attribute table for storing the function permissions associated with a user and their function permission attribute parameters, and a user data permission attribute table for storing the data permissions associated with a user and their data permission attribute parameters.
  4. The user authority management system of claim 3, characterised in that the data permission attribute parameters comprise a data row permission attribute parameter and a data column permission attribute parameter.
  5. The user authority management system of claim 1, characterised in that
    The database further comprises a resource table for storing the display information associated with function permissions;
    The user authority management system further comprises: a resource access unit, for extracting, when the function requested by the online user is executable, the associated display information from the resource table according to the function permission corresponding to the requested function.
  6. The user authority management system of claim 1 or 5, characterised in that
    The database further comprises a function operation table for storing the operations associated with function permissions and an object information table for storing the operation objects associated with data permissions;
    The user authority management system further comprises: an execution unit, for executing, when the function requested by the online user is executable, the function requested by the online user according to the function operation table and the object information table.
  7. The user authority management system of claim 1, characterised in that the database further comprises: a user table for storing user identifiers, a role table for storing role identifiers, a function permission table for storing function permission identifiers and a data permission table for storing data permission identifiers.
  8. A user authority management method, characterised in that it comprises the following steps:
    Pre-establishing a database, the database comprising a user-role association table for storing the correspondence between users and roles, a role-function permission association table for storing the correspondence between roles and function permissions, and a role-data permission association table for storing the correspondence between roles and data permissions, the function permissions being used to determine executable functions and the data permissions being used to determine the data that may be accessed;
    Querying the user-role association table to obtain the role corresponding to an online user;
    Querying the role-function permission association table according to the role corresponding to the online user, to check whether the function requested by the online user is executable;
    When the function requested by the online user is executable, querying the role-data permission association table according to the role corresponding to the online user, to obtain the data permission corresponding to the online user.
  9. The user authority management method of claim 8, characterised in that
    The database further comprises a resource table for storing the display information associated with function permissions;
    The user authority management method further comprises: when the function requested by the online user is executable, extracting the associated display information from the resource table according to the function permission corresponding to the requested function.
  10. The user authority management method of claim 8, characterised in that
    The database further comprises a function operation table for storing the operations associated with function permissions and an object information table for storing the operation objects associated with data permissions;
    The user authority management method further comprises: when the function requested by the online user is executable, executing the function requested by the online user according to the function operation table and the object information table.
CN201710557928.3A 2017-07-10 2017-07-10 A kind of user authority management system and method Pending CN107506658A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710557928.3A CN107506658A (en) 2017-07-10 2017-07-10 A kind of user authority management system and method

Publications (1)

Publication Number Publication Date
CN107506658A true CN107506658A (en) 2017-12-22

Family

ID=60679613

Country Status (1)

Country Link
CN (1) CN107506658A (en)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108614510A (en) * 2018-05-30 2018-10-02 青岛城投双元水务有限公司 sewage plant operation management method and system
CN108776756A (en) * 2018-06-04 2018-11-09 北京奇虎科技有限公司 Access authorization for resource management method and device
CN109309716A (en) * 2018-09-27 2019-02-05 北京维艾思气象信息科技有限公司 For sharing the cloud platform and its construction method and purposes of three-level Products of Meteorological Services
CN109739870A (en) * 2019-01-09 2019-05-10 湖北凌晖信息科技有限公司 A kind of inquiry system for the network information
CN109815714A (en) * 2019-01-04 2019-05-28 平安科技(深圳)有限公司 Authority control method, device and computer readable storage medium
CN110472111A (en) * 2019-08-08 2019-11-19 广州城市信息研究所有限公司 Rights management, user right inquiry and resource information authorization method
WO2019223091A1 (en) * 2018-05-21 2019-11-28 平安科技(深圳)有限公司 Workbook processing method and apparatus, computer device and storage medium
CN110941853A (en) * 2019-11-22 2020-03-31 星环信息科技(上海)有限公司 Database permission control method, computer equipment and storage medium
CN110968580A (en) * 2018-09-30 2020-04-07 北京国双科技有限公司 Method and device for creating data storage structure
CN111090804A (en) * 2019-12-12 2020-05-01 聚好看科技股份有限公司 Data filtering method and device and computer storage medium
CN111159729A (en) * 2019-12-13 2020-05-15 中移(杭州)信息技术有限公司 Authority control method, device and storage medium
CN111191251A (en) * 2018-11-14 2020-05-22 中移(杭州)信息技术有限公司 Data authority control method, device and storage medium
WO2020134701A1 (en) * 2018-12-25 2020-07-02 阿里巴巴集团控股有限公司 Service processing method, device and apparatus
CN112163206A (en) * 2020-10-30 2021-01-01 平安数字信息科技(深圳)有限公司 Data permission setting method and device, computer equipment and storage medium
CN112307444A (en) * 2020-10-30 2021-02-02 平安数字信息科技(深圳)有限公司 Role creation method, role creation device, computer equipment and storage medium
CN112528249A (en) * 2020-12-18 2021-03-19 杭州立思辰安科科技有限公司 Authority management method and device suitable for network security management platform
CN112632492A (en) * 2020-12-18 2021-04-09 杭州新中大科技股份有限公司 Multidimensional authority model design method for matrixing management
CN112667639A (en) * 2020-12-31 2021-04-16 恩亿科(北京)数据科技有限公司 Authority design method, system, equipment and storage medium based on SaaS multi-tenant
CN115314245A (en) * 2022-06-30 2022-11-08 青岛海尔科技有限公司 Authority management method, system, storage medium and electronic device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102724221A (en) * 2011-03-30 2012-10-10 上海微河信息科技有限公司 Enterprise information system using cloud computing and method for setting user authority thereof
CN103377336A (en) * 2013-01-21 2013-10-30 航天数联信息技术(深圳)有限公司 Method and system for controlling computer system user rights
CN103390126A (en) * 2012-05-09 2013-11-13 腾讯科技(深圳)有限公司 Use permission management method and device
CN104573478A (en) * 2014-11-20 2015-04-29 深圳市远行科技有限公司 User authority management system of Web application
CN104735055A (en) * 2015-02-12 2015-06-24 河南理工大学 Cross-domain security access control method based on credibility
CN105488366A (en) * 2014-10-13 2016-04-13 阿里巴巴集团控股有限公司 Data permission control method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171222