CN108881197A - High score grid system authentication system based on RBAC model - Google Patents
- Publication number: CN108881197A
- Application number: CN201810580547.1A
- Authority: CN (China)
- Prior art keywords: user, high score, role, authentication, score grid
- Legal status: Pending (the status shown is an assumption made by Google, not a legal conclusion)
Classifications (all under H04L, Transmission of digital information, e.g. telegraphic communication)
- H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
- H04L41/28: Restricting access to network management systems or functions, e.g. using an authorisation function to access network configuration
- H04L63/0815: Network security authentication of entities providing single-sign-on or federations
- H04L65/1073: Session management, registration or de-registration
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Multimedia (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a high score grid system authentication system based on the RBAC model. Industry users and zone users are divided into groups, and one user group administrator is set in each group; the user group administrator is responsible for authenticating the users in the group and distributing their permissions. For public users, the system manager is responsible for authentication and permission distribution. Certain access permissions are assigned to roles by type, and authentication is realized by checking the role held by the user. The system satisfies the access control and authentication requirements of a high score grid system and lays the foundation for its popularization.
Description
Technical field
The invention belongs to the field of software system rights management techniques, and in particular to a high score grid system authentication system based on the RBAC model.
Background technique
The rights management and authentication of modern systems mostly use the RBAC mode: permissions are not granted to users directly but through an intermediate level, the role. On the one hand a role is associated with permissions and represents a set of permissions; on the other hand it is associated with users, and a user who has been assigned a role holds all the permissions associated with that role. In existing technology this process is generally centralized and completed by the system manager, i.e. the system manager is responsible for dividing roles and authorizing every person in the system. When the organizational structure is relatively simple and the number of users is relatively small, this is an effective mode.

For a complex system such as the high score grid, users are generally divided into three kinds: industry users, zone users and public users. Industry users and zone users generally have many levels, and their organizational structure is usually a tree of units. The data in the high score grid also has many confidentiality levels, and users at different levels have different access rights to different data. Therefore, performing authentication and rights management directly in the RBAC mode has the following problems:

(1) The system manager must perform role association for all users in the system; with many users this places considerable pressure on the system manager.

(2) The high score grid system contains different types of users, and users at different levels within the same class should hold different permissions. If the system manager distributes roles to the system users, the system manager must fully understand the specific hierarchical relationship of every class of user and the permissions each may hold. Clearly the system manager cannot reach this degree of understanding, so the scheme is relatively difficult to implement.

(3) Since the data of the high score grid system is divided into multiple confidentiality levels, roles with different rights should access data of the corresponding confidentiality level; the common RBAC mode cannot satisfy this requirement.
Summary of the invention
To solve the above problems, the purpose of the present invention is to provide a high score grid system authentication system based on the RBAC model. Users of different kinds are grouped, and the user group administrator of each group distributes roles and authorizes its members. The classification of users and the classification of data are fully considered: through roles, the permissions of users subject to a prescribed confidentiality-level requirement are associated with data of the same confidentiality level, realizing the safe handling of data.

To achieve the above object, the solution of the invention is:

A high score grid system authentication system based on the RBAC model, comprising:

For industry users and zone users, groups are provided and one user group administrator is set in each group; the user group administrator is responsible for authenticating the users in the group.

For public users, the system manager is responsible for their authentication.
The specific verification process is:

At registration, the system manager or the user group administrator completes role authorization by distributing a role.

A registered user whose registration audit has passed sends an authentication request to the high score grid system. The system manager or user group administrator queries whether the acquired authentication information exists in the identity information library. If it does, session control techniques are used to judge whether the registered user has only one login session; if there is currently no login session, the verification passes. If the information does not exist, an authentication failure is prompted.

When the registered user sends an access request for data or page elements in the high score grid system, the system manager or user group administrator first obtains the user's role and compares the permission corresponding to that role with the confidentiality level corresponding to the data or page element. If the permission held by the role is greater than the confidentiality level corresponding to the data or page element, the registered user can use the corresponding resource; otherwise an insufficient-permission message is returned.
If a user wishes to become a group administrator, the user completes registration of the user group administrator identity and the corresponding role application according to the organizational unit the user belongs to and the permission requirement. The permission requirement may be a business licence, a copy of an ID card, etc.

In the high score grid system, the user group administrator completes authorization for the users in the organizational unit it manages by distributing roles. The unit's users include specific personnel and sub-units. When the user group administrator authorizes, the delegable roles come from the organizational unit's authorized role set.

Public users can be divided into units with secrecy qualification, such as research units, universities and some special industries, and commercial companies and individuals without any secrecy qualification. Therefore the corresponding role authorization must be confirmed according to the user's usage request; this is a dynamic confirmation process. Preferably, for public users, the system manager performs internal dynamic authorization according to the user's application materials and completes role authorization.
Preferably, judging by session control whether the registered user has only one login session includes: guaranteeing by single-sign-on means that only one login is effective at a time.

Preferably, judging by session control whether the registered user has only one login session includes: guaranteeing by IP control means that only one login is effective at a time.

The session control techniques can further ensure data safety in the high score grid system. If, during a user's login, information is found that the user is logging in from another IP address, warning information is automatically issued to the system manager of the whole system and the user account that is logged in at that time is closed.
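The verification process described above, as an added example that is not code from the patent: a toy model in which a user group administrator may only assign roles from the unit's authorized role set, a user may hold only one active login session, a login attempt for the same account from a second IP address issues a warning to the system manager and closes the account, and an access request is granted by comparing the role's clearance with the resource's confidentiality level. All names, levels and sample data are constructed; treating an equal level as sufficient (the text says "greater than") is an assumption.

```python
"""Toy model of the grouped RBAC verification flow (added example, not the
patent's own code).  All names, levels and sample data are constructed."""
from dataclasses import dataclass, field

# Constructed confidentiality levels; assumption: a higher number is more sensitive.
PUBLIC, INTERNAL, SECRET = 1, 2, 3


@dataclass(frozen=True)
class Role:
    name: str
    clearance: int            # highest confidentiality level the role may reach
    actions: frozenset        # operations the role may perform


@dataclass
class OrgUnit:
    name: str
    admin: str                # the unit's user group administrator
    authorized_roles: set     # role set delegated to this unit
    members: set = field(default_factory=set)


@dataclass(frozen=True)
class Resource:
    name: str
    level: int                # confidentiality level of the data or page element


class AuthSystem:
    def __init__(self, roles, units):
        self.roles = {r.name: r for r in roles}
        self.units = {u.name: u for u in units}
        self.user_role = {}   # identity information library: user -> role name
        self.sessions = {}    # user -> IP of the single active login session
        self.warnings = []    # warnings issued to the system manager
        self.closed = set()   # accounts closed after an IP anomaly

    def assign_role(self, admin, unit_name, user, role_name):
        """Group administrator authorizes a member of the unit; the role must
        come from the unit's authorized role set."""
        unit = self.units[unit_name]
        if admin != unit.admin or user not in unit.members:
            raise PermissionError(f"{admin} may not authorize {user} in {unit_name}")
        if role_name not in unit.authorized_roles:
            raise PermissionError(f"{role_name} is not delegable by {unit_name}")
        self.user_role[user] = role_name

    def login(self, user, ip):
        """Return 'ok', 'fail' or 'closed', following the verification process
        and its IP-control embodiment."""
        if user not in self.user_role or user in self.closed:
            return "fail"                       # not in the identity library
        active_ip = self.sessions.get(user)
        if active_ip is None:
            self.sessions[user] = ip            # no session yet: verified
            return "ok"
        if active_ip != ip:                     # same account from another IP
            self.warnings.append(
                f"{user}: session active from {active_ip}, new login from {ip}")
            del self.sessions[user]
            self.closed.add(user)
            return "closed"
        return "fail"                           # only one login session allowed

    def check_access(self, user, resource, action):
        """Compare the role's clearance with the resource's level.  Assumption:
        an equal level is sufficient (the text says 'greater than')."""
        if user not in self.sessions:
            return False                        # must hold a verified session
        role = self.roles[self.user_role[user]]
        return action in role.actions and role.clearance >= resource.level


def build_demo():
    """Constructed sample: one unit with two delegable roles, one member authorized."""
    roles = [
        Role("guest", PUBLIC, frozenset({"search", "view"})),
        Role("analyst", INTERNAL, frozenset({"search", "view", "download"})),
        Role("officer", SECRET, frozenset({"search", "view", "download", "upload"})),
    ]
    unit = OrgUnit("meteorology", admin="alice",
                   authorized_roles={"analyst", "officer"}, members={"bob", "carol"})
    system = AuthSystem(roles, [unit])
    system.assign_role("alice", "meteorology", "bob", "analyst")
    return system


if __name__ == "__main__":
    s = build_demo()
    print(s.login("bob", "10.0.0.5"))                                    # ok
    print(s.check_access("bob", Resource("imagery", INTERNAL), "view"))  # True
    print(s.check_access("bob", Resource("catalog", SECRET), "view"))    # False
    print(s.login("bob", "10.0.0.9"))                                    # closed
    print(s.warnings)
```

The `assign_role` check is where the least-privilege property of the scheme lives: a group administrator cannot hand out a role the unit was never delegated, so a compromised or careless administrator account is bounded by the unit's authorized role set rather than by the whole role table.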
Compared with the prior art, the beneficial effects of the invention are: the high score grid system authentication system based on the RBAC model provided by the invention is an RBAC-based access control model with dynamic expansion ability and high security that is suited to distributed big data cloud services. It satisfies the access control and authentication requirements of the high score grid system and lays the foundation for its popularization.
Detailed description of the invention
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative labour.

Fig. 1 is a schematic diagram of the user structure in the high score grid system provided by the embodiment;
Fig. 2 is a schematic diagram of the permission classification in the high score grid system authentication system provided by the embodiment;
Fig. 3 is a schematic diagram of the user-role-permission association in the high score grid system authentication system provided by the embodiment.
Specific embodiment
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the invention and do not limit its scope of protection.

The high score grid system is a complex system made up of industry users, zone users and public users. Industry users and zone users generally have many levels, and their organizational structure is usually a tree of units, as shown in Fig. 1: the Meteorological Bureau, the Land and Resources Bureau and similar bodies belong to industry users, while the position-level public, the region-level public and the general public are zone users. Public users can be divided into units with secrecy qualification, such as research units, universities and some special industries, and commercial companies and individuals without any secrecy qualification.

For such a high score grid system, the authentication and permission distribution of users is realized with the authentication system provided by the invention, which specifically includes:
Step 1, design of the user authorization subsystem

Start from the classification of user terminals. According to the overall demand of the whole high score grid system, users are divided into industry users, zone users and public users. The organizational structure of industry users and zone users is tree-like, while public users may include many subclasses, so users must be grouped according to the unit they belong to.

A user of the high score grid system completes registration of the user group administrator identity and the corresponding role application according to the organizational unit it belongs to and its permission requirement. If the registration audit passes, the registered user can send an authentication request to the high score grid system. The system queries whether the acquired authentication information exists in the identity information library; if it does, single-sign-on techniques are used to judge whether the user has only one login session, and if there is currently no login session the verification passes. If the information does not exist, an authentication failure is prompted. The authorization of Internet-based public users is performed dynamically by the network administrator according to the user's application materials, so that the whole user system can modify permissions dynamically as groups change internally, without affecting the framework of the whole network system.

If, during a user's login, information is found that the user is logging in from another IP address, warning information is automatically issued to the system manager of the whole system and pushed through the contact method the user reserved, and the user account logged in at that time is closed.
Step 2, design of the role authorization subsystem

Different roles have different permissions for operating on high score grid data, as shown in Fig. 2. The actions mainly include searching, checking, running and downloading the images and services provided by the high score grid, and uploading and sharing the data the user needs to share. At the same time, because the security classification of data produced by different units differs, both the operable data and the actions must be considered when authorizing roles, to prevent sensitive data from being compromised.

According to the analysis of users and permissions, the user-role-permission table diagram for the whole high score grid system is shown in Fig. 3. The RBAC permissions of the whole high score grid system can be summarized into several tables: 1) user table; 2) role table; 3) permission table; 4) feature operation table; 5) user group and user association table; 6) user group and role association table; 7) permission and menu association table; 8) permission and page element association table; and 9) permission and file association table. The system is not limited to these tables; in particular the permission table can be expanded laterally as the application is popularized. These tables are interrelated and realize the authentication of users and the distribution of permissions.
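The table design listed in Step 2, as an added example that is not code from the patent: a sqlite3 sketch of the user, role, permission, feature operation, user group/user, user group/role, permission/menu, permission/page element and permission/file tables, plus the join that resolves which page elements a user may reach. The `role_permission` link table (not in the page's list, but implied by the user-role-permission association of Fig. 3), the `clearance` and `level` columns and all sample rows are assumptions added for the illustration.

```python
"""sqlite3 sketch of the RBAC tables from Step 2 (added example, not the
patent's own schema).  Column names and sample rows are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE app_user         (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE role             (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL,
                               clearance INTEGER NOT NULL);   -- assumed column
CREATE TABLE permission       (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE feature_operation(id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE user_group       (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE page_element     (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL,
                               level INTEGER NOT NULL);       -- confidentiality level, assumed column
CREATE TABLE user_group_user  (group_id INTEGER REFERENCES user_group(id),
                               user_id  INTEGER REFERENCES app_user(id),
                               PRIMARY KEY (group_id, user_id));
CREATE TABLE user_group_role  (group_id INTEGER REFERENCES user_group(id),
                               role_id  INTEGER REFERENCES role(id),
                               PRIMARY KEY (group_id, role_id));
-- Assumed link table: the page's list omits it, but Fig. 3 associates roles with permissions.
CREATE TABLE role_permission  (role_id INTEGER REFERENCES role(id),
                               permission_id INTEGER REFERENCES permission(id),
                               PRIMARY KEY (role_id, permission_id));
CREATE TABLE permission_menu  (permission_id INTEGER REFERENCES permission(id), menu TEXT);
CREATE TABLE permission_page_element (permission_id INTEGER REFERENCES permission(id),
                               element_id INTEGER REFERENCES page_element(id),
                               PRIMARY KEY (permission_id, element_id));
CREATE TABLE permission_file  (permission_id INTEGER REFERENCES permission(id), path TEXT);
"""

# Constructed sample data: an industry-unit analyst and a public guest.
SAMPLE = """
INSERT INTO app_user VALUES (1,'bob'),(2,'dave');
INSERT INTO role VALUES (1,'analyst',2),(2,'guest',1);
INSERT INTO permission VALUES (1,'view_imagery'),(2,'download_imagery');
INSERT INTO feature_operation VALUES (1,'search'),(2,'view'),(3,'download'),(4,'upload');
INSERT INTO user_group VALUES (1,'meteorology'),(2,'public');
INSERT INTO page_element VALUES (1,'image_search',1),(2,'download_button',2),(3,'secret_catalog',3);
INSERT INTO user_group_user VALUES (1,1),(2,2);
INSERT INTO user_group_role VALUES (1,1),(2,2);
INSERT INTO role_permission VALUES (1,1),(1,2),(2,1);
INSERT INTO permission_page_element VALUES (1,1),(2,2),(2,3);
"""

# user -> group -> role -> permission -> page element, then the clearance check.
RESOLVE = """
SELECT DISTINCT pe.name
FROM app_user u
JOIN user_group_user ugu ON ugu.user_id = u.id
JOIN user_group_role ugr ON ugr.group_id = ugu.group_id
JOIN role r              ON r.id = ugr.role_id
JOIN role_permission rp  ON rp.role_id = r.id
JOIN permission_page_element ppe ON ppe.permission_id = rp.permission_id
JOIN page_element pe     ON pe.id = ppe.element_id
WHERE u.name = ? AND r.clearance >= pe.level
ORDER BY pe.name
"""


def open_db():
    """Create the in-memory database with the schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript(SAMPLE)
    return conn


def accessible_elements(conn, user_name):
    """Page elements the user can reach through the association tables,
    limited to those whose level the role's clearance dominates."""
    return [row[0] for row in conn.execute(RESOLVE, (user_name,))]


if __name__ == "__main__":
    db = open_db()
    print(accessible_elements(db, "bob"))   # ['download_button', 'image_search']
    print(accessible_elements(db, "dave"))  # ['image_search']
```

Because the resolution is a single query over the association tables, a change of a group's role set or of an element's confidentiality level takes effect on the next request without touching any user record, which is the lateral expansion the text describes.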
The specific embodiments described above explain the technical solution and beneficial effects of the invention in detail. It should be understood that the above is only the most preferred embodiment of the invention and is not intended to restrict it; any modification, supplement or equivalent replacement made within the principles of the invention shall be included in its scope of protection.
Claims (6)
1. A high score grid system authentication system based on the RBAC model, comprising:
For industry users and zone users, groups are provided and one user group administrator is set in each group; the user group administrator is responsible for authenticating the users in the group.
For public users, the system manager is responsible for their authentication.
The specific verification process is:
At registration, the system manager or the user group administrator completes role authorization by distributing a role.
A registered user whose registration audit has passed sends an authentication request to the high score grid system. The system manager or user group administrator queries whether the acquired authentication information exists in the identity information library. If it does, session control techniques are used to judge whether the registered user has only one login session; if there is currently no login session, the verification passes. If the information does not exist, an authentication failure is prompted.
When the registered user sends an access request for data or page elements in the high score grid system, the system manager or user group administrator first obtains the user's role and compares the permission corresponding to that role with the confidentiality level corresponding to the data or page element. If the permission held by the role is greater than the confidentiality level corresponding to the data or page element, the registered user can use the corresponding resource; otherwise an insufficient-permission message is returned.
2. The high score grid system authentication system based on the RBAC model of claim 1, characterized in that a user completes registration of the user group administrator identity and the corresponding role application according to the organizational unit the user belongs to and the permission requirement.
3. The high score grid system authentication system based on the RBAC model of claim 1, characterized in that when the user group administrator authorizes, the delegable roles come from the organizational unit's authorized role set.
4. The high score grid system authentication system based on the RBAC model of claim 1, characterized in that for public users the system manager performs internal dynamic authorization according to the user's application materials and completes role authorization.
5. The high score grid system authentication system based on the RBAC model of claim 1, characterized in that judging by session control whether the registered user has only one login session includes: guaranteeing by single-sign-on means that only one login is effective at a time.
6. The high score grid system authentication system based on the RBAC model of claim 1, characterized in that judging by session control whether the registered user has only one login session includes: guaranteeing by IP control means that only one login is effective at a time.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810580547.1A CN108881197A (en) | 2018-06-07 | 2018-06-07 | High score grid system authentication system based on RBAC model |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810580547.1A CN108881197A (en) | 2018-06-07 | 2018-06-07 | High score grid system authentication system based on RBAC model |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108881197A true CN108881197A (en) | 2018-11-23 |
Family
ID=64337243
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810580547.1A Pending CN108881197A (en) | 2018-06-07 | 2018-06-07 | High score grid system authentication system based on RBAC model |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108881197A (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101771698A (en) * | 2010-01-15 | 2010-07-07 | 南京邮电大学 | Grid visit control method based on extendible markup language security policy |
CN102053969A (en) * | 2009-10-28 | 2011-05-11 | 上海宝信软件股份有限公司 | Web ERP (enterprise resource planning) user right management system |
CN102184008A (en) * | 2011-05-03 | 2011-09-14 | 北京天盛世纪科技发展有限公司 | Interactive projection system and method |
CN103107899A (en) * | 2011-11-10 | 2013-05-15 | 天津市国瑞数码安全系统有限公司 | Separation-of-three-powers hierarchical authorization management system and method thereof |
CN103516679A (en) * | 2012-06-25 | 2014-01-15 | 上海博腾信息科技有限公司 | Office system based on character accessing control and realization method thereof |
CN104052747A (en) * | 2014-06-23 | 2014-09-17 | 桂林长海科技有限责任公司 | Permission management system based on RBAC |
CN104408767A (en) * | 2014-11-20 | 2015-03-11 | 浙江大学 | Method for building sparse consistent three-dimensional human face mesh deformation model |
CN106570656A (en) * | 2016-11-11 | 2017-04-19 | 南京南瑞继保电气有限公司 | hierarchical authorization |
Events
- 2018-06-07: CN application CN201810580547.1A (publication CN108881197A), active, status Pending
Non-Patent Citations (4)
Title |
---|
DEQING ZOU,ET.AL: "《An Authentication and Access Control Framework for Group Communication Systems in Grid Environment》", 《IEEE》 * |
XUEBIN CHEN,ET.AL: "《Based on Expand RBAC Grid Collaborative Design System Access Control Model》", 《INTERNATIONAL CONFERENCE ON CONVERGENCE AND HYBRID INFORMATION TECHNOLOGY》 * |
孙连明: "《中国气象应用网格门户用户管理关键技术研究与实现》", 《优秀硕士学位论文全文数据库(电子期刊)》 * |
韩伟力等: "《权限约束支持的基于角色的约束访问控制模型与实现》", 《计算机辅助设计与图形学学报》 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111818090A (en) * | 2020-08-04 | 2020-10-23 | 蝉鸣科技(西安)有限公司 | Authority management method and system on SaaS platform |
CN111818090B (en) * | 2020-08-04 | 2022-09-23 | 蝉鸣科技(西安)有限公司 | Authority management method and system on SaaS platform |
CN111898149A (en) * | 2020-08-05 | 2020-11-06 | 湖南优美科技发展有限公司 | User management system and method for multiple organizations |
CN111898149B (en) * | 2020-08-05 | 2023-12-22 | 湖南优美科技发展有限公司 | User management system and method for multiple organizations |
Similar Documents
Publication | Title |
---|---|
CN105656903B (en) | A kind of user safety management system of Hive platforms and application |
CN101286845B (en) | Control system for access between domains based on roles |
CN103310161B (en) | A kind of means of defence for Database Systems and system |
CN105429999B (en) | Unified single sign-on system based on cloud platform |
CN109670768A (en) | Right management method, device, platform and the readable storage medium storing program for executing in multi-service domain |
CN107104931A (en) | A kind of access control method and platform |
CN109831322B (en) | Multi-system account permission centralized management method, equipment and storage medium |
CN104253810B (en) | Safe login method and system |
CN104202293A (en) | IP for switch-based ACL |
CN103763369B (en) | A kind of multiple authority distributing method based on SAN storage system |
CN109413080B (en) | Cross-domain dynamic authority control method and system |
CN103685305A (en) | Method and system for logging multiple business application system by single point |
CN105046125B (en) | A kind of OA system application access methods based on grading system |
CN107026825A (en) | A kind of method and system for accessing big data system |
CN109995791B (en) | Data authorization method and system |
CN106992988A (en) | A kind of cross-domain anonymous resource sharing platform and its implementation |
CN106921678A (en) | A kind of unified safety authentication platform of the carrier-borne information system of integrated isomery |
CN104424407A (en) | Storage management system and method |
CN105577656A (en) | Unified identity authentication method based on cloud platform |
CN106445399A (en) | Control method of storage system, and storage system |
CN105516160A (en) | Domain management object mapping apparatus and unified identity authentication system |
CN114866346B (en) | Password service platform based on decentralization |
CN108966216A (en) | A kind of method of mobile communication and device applied to power distribution network |
CN111010396A (en) | Internet identity authentication management method |
CN108377244A (en) | A kind of Intranet uniform authentication method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20181123 |