CN108881197A - High score grid system authentication system based on RBAC model - Google Patents


Info

Publication number: CN108881197A
Authority: CN (China)
Prior art keywords: user, high score, role, authentication, score grid
Legal status: Pending
Application number: CN201810580547.1A
Other languages: Chinese (zh)
Inventors: 罗智凌, 唐文博, 尹建伟, 赵文波, 尚永衡, 吴朝晖
Current assignee: Zhejiang University ZJU
Original assignee: Zhejiang University ZJU
Priority date: 2018-06-07
Filing date: 2018-06-07
Publication date: 2018-11-23

Classifications

    • H04L 63/10 Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L 41/28 Restricting access to network management systems or functions, e.g. using an authorisation function to access network configuration
    • H04L 63/0815 Network security for authentication of entities, providing single sign-on or federations
    • H04L 65/1073 Session management: registration or de-registration

Abstract

The invention discloses a high score grid system authentication system based on the RBAC model. Industry users and zone users are organized into groups, and one user group administrator is set in each group; the user group administrator is responsible for the identity verification and permission assignment of the users in that group. For public users, the system administrator is responsible for identity verification and permission assignment. Identity verification is realized by attaching defined access permissions to roles and by checking the role of the user. The system satisfies the access control and identity verification requirements of the high score grid system and lays the foundation for its wider adoption.

Description

High score grid system authentication system based on RBAC model
Technical field
The invention belongs to the technical field of software system rights management, and in particular relates to a high score grid system authentication system based on the RBAC model.
Background technique
Rights management and identity verification in modern systems mostly use the RBAC model: permissions are not granted to users directly but through the intermediate layer of roles. On one side a role is associated with permissions and represents a set of permissions; on the other side it is associated with users, and a user who has been assigned a role holds all permissions associated with that role. In existing technology this process is generally completed centrally by the system administrator, who is responsible for dividing roles and authorizing each person in the system. The organizational structure is relatively simple, and this is an effective mode in systems with relatively few users.
For a complex system such as the high score grid, users generally fall into three kinds: industry users, zone users and public users. Industry users and zone users usually have many levels, and their organizational structure is usually tree-shaped units. The data in the high score grid has many confidentiality levels, and users at different levels have different access permissions to different data. Therefore, if the RBAC model is used directly for identity verification and rights management, the following problems arise:
(1) The system administrator needs to associate roles for all users in the system; with many users, this puts considerable pressure on the system administrator.
(2) The high score grid system has different types of users, and users at different levels within the same class should hold different permissions. If the system administrator assigns roles to all system users, the administrator must fully understand the specific hierarchy of every class of user and the permissions each may hold. The system administrator clearly cannot reach this degree of understanding, so implementation is relatively difficult.
(3) Since the data of the high score grid system is divided into multiple confidentiality levels, roles with different permissions should access data of the corresponding confidentiality level; the common RBAC model cannot satisfy this requirement.
Summary of the invention
To solve the above problems, the purpose of the present invention is to provide a high score grid system authentication system based on the RBAC model. Users of different kinds are grouped, and the user group administrator of the group to which a user belongs assigns roles and authorizes that user. The classification of users and the classification of data are both fully considered: through roles, the permissions of users who satisfy a prescribed confidentiality requirement are associated with data of the same confidentiality level, realizing safe handling of data.
To achieve the above object, the solution of the invention is:
A high score grid system authentication system based on the RBAC model, including:
For industry users and zone users, groups are provided, and one user group administrator is set in each group; the user group administrator is responsible for the identity verification of the users in the group.
For public users, the system administrator is responsible for their identity verification.
The specific verification process is:
At registration, the system administrator or user group administrator completes role authorization by assigning roles.
A registered user whose registration audit has passed sends an authentication request to the high score grid system. The system administrator or user group administrator queries whether the acquired authentication information exists in the identity information library. If so, session-control techniques are used to judge whether the registered user has only one login session, and verification passes if there is currently no login session; if not, an authentication failure is reported.
When the registered user sends an access request for data or page elements in the high score grid system, the system administrator or user group administrator first obtains the role of the user and compares the permission corresponding to that role with the confidentiality level corresponding to the data or page element. If the permission possessed by the role is greater than the confidentiality level of the data or page element, the registered user can use the corresponding resource; otherwise, an insufficient-permission message is returned.
If a user wishes to become a user group administrator, the user completes registration of the user group administrator identity and the corresponding role application according to the organization category to which the user belongs and the user's permission needs. The permission needs can be evidenced by a business license, a copy of an identity card, and so on.
In the high score grid system, the user group administrator completes authorization for the users in the organizational unit under its management by assigning roles. Organization users include specific personnel and sub-units, and the roles a user group administrator may delegate come from the set of roles authorized to the organizational unit.
Public users can be divided into units with secrecy qualification (research units, universities and some special industries) and commercial companies and individuals without any secrecy qualification. Their role authorization must therefore be confirmed according to the use request of the user, which is a dynamic confirmation process. Preferably, for public users, the system administrator performs internal dynamic authorization according to the different application materials of the user and completes role authorization.
Preferably, judging by session-control techniques whether the registered user has only one login session includes: guaranteeing through single sign-on means that only one login is valid at any time.
Preferably, judging by session-control techniques whether the registered user has only one login session includes: guaranteeing through IP control means that only one login is valid at any time.
The session-control techniques further ensure data security in the high score grid system. If, while a user is logging in, information is found that the user has logged in from another IP address, a warning message is automatically issued to the system administrator of the whole system and the user account that is currently logged in is closed.
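Added example, not code from the patent: a minimal Python model of the verification process described above, covering role authorization by the responsible administrator, the single-session check, IP control with a warning to the system administrator and closure of the account, and the comparison of a role's permission against a resource's confidentiality level. Class and method names, integer levels and the "public" group name are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Role:
    name: str
    permission_level: int      # compared against a resource's confidentiality


@dataclass
class Resource:                # a data item or a page element
    name: str
    confidentiality: int


@dataclass
class User:
    name: str
    group: str                 # "public" or the name of an organizational unit
    roles: List[Role] = field(default_factory=list)
    approved: bool = False     # registration audit passed
    enabled: bool = True       # False once the account has been closed
    sessions: Dict[str, str] = field(default_factory=dict)  # session id -> IP


@dataclass
class GridSystem:
    identity_store: Dict[str, User] = field(default_factory=dict)
    group_admins: Dict[str, str] = field(default_factory=dict)  # group -> admin
    system_admin: str = "sysadmin"
    warnings: List[str] = field(default_factory=list)   # messages to sysadmin

    def register(self, user: User) -> None:
        self.identity_store[user.name] = user

    def authorizer_for(self, user: User) -> str:
        # Public users are handled by the system administrator, industry and
        # zone users by the administrator of their own group.
        if user.group == "public":
            return self.system_admin
        return self.group_admins[user.group]

    def assign_role(self, actor: str, user: User, role: Role) -> bool:
        # Role authorization only counts when it comes from the responsible
        # administrator; assigning a role completes the registration audit.
        if actor != self.authorizer_for(user):
            return False
        user.roles.append(role)
        user.approved = True
        return True

    def authenticate(self, name: str, ip: str, session_id: str) -> str:
        user = self.identity_store.get(name)
        if user is None or not user.approved or not user.enabled:
            return "authentication failed"
        if user.sessions:
            # Session control: at most one login session may exist.
            other_ips = {a for a in user.sessions.values() if a != ip}
            if other_ips:
                # IP control: a login from another address triggers a warning
                # to the system administrator and closes the account.
                self.warnings.append(
                    f"{name}: login from {ip} while active from "
                    f"{sorted(other_ips)}")
                user.enabled = False
                user.sessions.clear()
                return "account closed"
            return "authentication failed"
        user.sessions[session_id] = ip
        return "verified"

    def access(self, name: str, session_id: str, res: Resource) -> str:
        user = self.identity_store.get(name)
        if user is None or session_id not in user.sessions:
            return "not logged in"
        best = max((r.permission_level for r in user.roles), default=-1)
        # The description states the role's permission must be greater than
        # the resource's confidentiality level; treating equality as enough
        # would be a deployment policy choice, not what the text says.
        return "granted" if best > res.confidentiality else "insufficient permission"
```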
Compared with the prior art, the invention has the following beneficial effects: the high score grid system authentication system based on the RBAC model provided by the invention is an RBAC-based access control model with dynamic expansion capability and high security that is suited to distributed big-data cloud services. It satisfies the access control and identity verification requirements of the high score grid system and lays the foundation for its wider adoption.
Detailed description of the invention
In order to explain the embodiments of the invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the user structure in the high score grid system provided by the embodiment;
Fig. 2 is a schematic diagram of permission classification in the high score grid system authentication system provided by the embodiment;
Fig. 3 is a schematic diagram of the user-role-permission association in the high score grid system authentication system provided by the embodiment.
Specific embodiment
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the invention and do not limit its scope of protection.
The high score grid system is a complex system composed of industry users, zone users and public users. Industry users and zone users generally have many levels, and their organizational structure is usually tree-shaped units, as shown in Fig. 1: the Meteorological Bureau, the Land and Resources Bureau and similar bodies are industry users, while the position-grade public, the region-grade public and the general public are zone users. Public users can be divided into units with secrecy qualification (research units, universities and some special industries) and commercial companies and individuals without any secrecy qualification.
For such a high score grid system, the identity verification and permission assignment of users are realized with the authentication system provided by the invention, which specifically includes:
Step 1: design of the user authorization subsystem
Start from the classification of users. According to the overall requirements of the whole high score grid system, users are divided into industry users, zone users and public users. The organizational structure of industry users and zone users is a tree-like organizational structure, while public users may include many subclasses; therefore users are grouped according to the unit they belong to.
A user of the high score grid system completes registration of the user group administrator identity and the corresponding role application according to the organization category to which the user belongs and the user's permission needs. If the registration audit passes, the registered user can send an authentication request to the high score grid system. The system queries whether the acquired authentication information exists in the identity information library; if so, single sign-on techniques are used to judge whether the user has only one login session, and verification passes if there is currently no login session; if not, an authentication failure is reported. The authorization of Internet-based public users is instead performed dynamically by the network administrator according to the user's application materials. In this way the whole user system can adjust permissions dynamically as the composition of groups changes, without affecting the framework of the whole network system.
If, during user login, information is found that the user has logged in from another IP address, a warning message is automatically issued to the system administrator of the whole system, the warning is also pushed through the contact method reserved by the user, and the user account that is currently logged in is closed.
Step 2: design of the role authorization subsystem
Different roles have different permissions for operations on high score grid data, as shown in Fig. 2. The actions mainly include searching, viewing, running and downloading the imagery and services provided by the high score grid, and uploading and sharing the data the user needs to share. At the same time, because data produced by different units has different security classifications, the permissions over operable data and actions must be taken into account when authorizing roles, so that sensitive data is not compromised.
Based on the analysis of users and permissions, the user-role-permission relationship diagram for the whole high score grid system is shown in Fig. 3. The RBAC permissions of the whole high score grid system can be summarized in the following tables: 1) user table; 2) role table; 3) permission table; 4) feature operation table; 5) user group to user association table; 6) user group to role association table; 7) permission to menu association table; 8) permission to page element association table; and 9) permission to file association table. The system is not limited to these tables; in particular, the permission table can be extended horizontally as the application spreads. These tables are associated with one another and together realize user identity verification and permission assignment.
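Added example, not the patent's own schema: the nine tables listed above as a SQLite schema loaded with constructed sample rows, and one query that resolves user to user group to role to permission to page element and keeps only the elements whose confidentiality level the permission level exceeds. The role_id and operation_id columns on the permission table, and all column names, are assumptions, since the description lists the tables but not their columns.

```python
import sqlite3
from typing import List, Tuple

# Schema for the nine tables named in the description. Linking permission to
# role and to feature operation through columns on the permission table is an
# assumption; the text does not say how those tables are joined.
SCHEMA = """
CREATE TABLE app_user (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE feature_operation (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE permission (id INTEGER PRIMARY KEY,
                         role_id INTEGER REFERENCES role(id),
                         operation_id INTEGER REFERENCES feature_operation(id),
                         level INTEGER NOT NULL);
CREATE TABLE user_group_user (group_id INTEGER,
                              user_id INTEGER REFERENCES app_user(id));
CREATE TABLE user_group_role (group_id INTEGER,
                              role_id INTEGER REFERENCES role(id));
CREATE TABLE permission_menu (permission_id INTEGER REFERENCES permission(id),
                              menu TEXT);
CREATE TABLE permission_page_element (permission_id INTEGER REFERENCES permission(id),
                                      element TEXT, confidentiality INTEGER NOT NULL);
CREATE TABLE permission_file (permission_id INTEGER REFERENCES permission(id),
                              file TEXT, confidentiality INTEGER NOT NULL);
"""

# Constructed sample data: group 1 (an industry unit) holds 'alice' and the
# 'analyst' role, whose 'view' permission has level 2 and 'download' level 1;
# group 2 holds 'carol' and the 'viewer' role with a level-0 'view' permission.
SAMPLE = """
INSERT INTO app_user VALUES (1, 'alice'), (2, 'carol');
INSERT INTO role VALUES (1, 'analyst'), (2, 'viewer');
INSERT INTO feature_operation VALUES (1, 'view'), (2, 'download');
INSERT INTO permission VALUES (1, 1, 1, 2), (2, 1, 2, 1), (3, 2, 1, 0);
INSERT INTO user_group_user VALUES (1, 1), (2, 2);
INSERT INTO user_group_role VALUES (1, 1), (2, 2);
INSERT INTO permission_menu VALUES (1, 'imagery'), (3, 'imagery');
INSERT INTO permission_page_element VALUES
    (1, 'image_search', 1), (1, 'classified_layer', 2),
    (2, 'download_button', 0), (3, 'image_search', 1);
"""


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA + SAMPLE)
    return con


def usable_page_elements(con: sqlite3.Connection, user_name: str) -> List[Tuple[str, str]]:
    """(operation, page element) pairs the user may use. The join follows the
    association tables; the WHERE clause applies the 'greater than' rule from
    the description, so equal levels are not enough."""
    rows = con.execute("""
        SELECT DISTINCT fo.name, e.element
        FROM app_user u
        JOIN user_group_user gu ON gu.user_id = u.id
        JOIN user_group_role gr ON gr.group_id = gu.group_id
        JOIN permission p ON p.role_id = gr.role_id
        JOIN feature_operation fo ON fo.id = p.operation_id
        JOIN permission_page_element e ON e.permission_id = p.id
        WHERE u.name = ? AND p.level > e.confidentiality
        ORDER BY fo.name, e.element""", (user_name,)).fetchall()
    return [(op, el) for op, el in rows]
```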
The specific embodiments described above explain the technical solution and beneficial effects of the invention in detail. It should be understood that the above is only the most preferred embodiment of the invention and is not intended to limit it; any modification, supplement, equivalent replacement and the like made within the principles of the invention shall be included in its scope of protection.

Claims (6)

1. A high score grid system authentication system based on the RBAC model, including:
For industry users and zone users, groups are provided, and one user group administrator is set in each group; the user group administrator is responsible for the identity verification of the users in the group;
For public users, the system administrator is responsible for their identity verification;
The specific verification process is:
At registration, the system administrator or user group administrator completes role authorization by assigning roles;
A registered user whose registration audit has passed sends an authentication request to the high score grid system; the system administrator or user group administrator queries whether the acquired authentication information exists in the identity information library; if so, session-control techniques are used to judge whether the registered user has only one login session, and verification passes if there is currently no login session; if not, an authentication failure is reported;
When the registered user sends an access request for data or page elements in the high score grid system, the system administrator or user group administrator first obtains the role of the user and compares the permission corresponding to that role with the confidentiality level corresponding to the data or page element; if the permission possessed by the role is greater than the confidentiality level of the data or page element, the registered user can use the corresponding resource; otherwise an insufficient-permission message is returned.
2. The high score grid system authentication system based on the RBAC model according to claim 1, characterized in that the user completes registration of the user group administrator identity and the corresponding role application according to the organization category to which the user belongs and the user's permission needs.
3. The high score grid system authentication system based on the RBAC model according to claim 1, characterized in that, when the user group administrator authorizes, the roles that may be delegated come from the set of roles authorized to the organizational unit.
4. The high score grid system authentication system based on the RBAC model according to claim 1, characterized in that, for public users, the system administrator performs internal dynamic authorization according to the different application materials of the user and completes role authorization.
5. The high score grid system authentication system based on the RBAC model according to claim 1, characterized in that judging by session-control techniques whether the registered user has only one login session includes: guaranteeing through single sign-on means that only one login is valid at any time.
6. The high score grid system authentication system based on the RBAC model according to claim 1, characterized in that judging by session-control techniques whether the registered user has only one login session includes: guaranteeing through IP control means that only one login is valid at any time.

Bibliographic data

Application number: CN201810580547.1A
Priority date: 2018-06-07
Filing date: 2018-06-07
Publication number: CN108881197A
Publication date: 2018-11-23
Family ID: 64337243
Country: CN
Status: Pending

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771698A (en) * 2010-01-15 2010-07-07 南京邮电大学 Grid visit control method based on extendible markup language security policy
CN102053969A (en) * 2009-10-28 2011-05-11 上海宝信软件股份有限公司 Web ERP (enterprise resource planning) user right management system
CN102184008A (en) * 2011-05-03 2011-09-14 北京天盛世纪科技发展有限公司 Interactive projection system and method
CN103107899A (en) * 2011-11-10 2013-05-15 天津市国瑞数码安全系统有限公司 Separation-of-three-powers hierarchical authorization management system and method thereof
CN103516679A (en) * 2012-06-25 2014-01-15 上海博腾信息科技有限公司 Office system based on character accessing control and realization method thereof
CN104052747A (en) * 2014-06-23 2014-09-17 桂林长海科技有限责任公司 Permission management system based on RBAC
CN104408767A (en) * 2014-11-20 2015-03-11 浙江大学 Method for building sparse consistent three-dimensional human face mesh deformation model
CN106570656A (en) * 2016-11-11 2017-04-19 南京南瑞继保电气有限公司 hierarchical authorization

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Deqing Zou et al., "An Authentication and Access Control Framework for Group Communication Systems in Grid Environment", IEEE *
Xuebin Chen et al., "Based on Expand RBAC Grid Collaborative Design System Access Control Model", International Conference on Convergence and Hybrid Information Technology *
孙连明, "Research and Implementation of Key Technologies for User Management in the China Meteorological Application Grid Portal", Full-text Database of Excellent Master's Theses (electronic journal) *
韩伟力 et al., "A Role-Based Constrained Access Control Model and Its Implementation with Permission-Constraint Support", Journal of Computer-Aided Design & Computer Graphics *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111818090A (en) * 2020-08-04 2020-10-23 蝉鸣科技(西安)有限公司 Authority management method and system on SaaS platform
CN111818090B (en) * 2020-08-04 2022-09-23 蝉鸣科技(西安)有限公司 Authority management method and system on SaaS platform
CN111898149A (en) * 2020-08-05 2020-11-06 湖南优美科技发展有限公司 User management system and method for multiple organizations
CN111898149B (en) * 2020-08-05 2023-12-22 湖南优美科技发展有限公司 User management system and method for multiple organizations

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20181123)