Specific embodiments
The present application is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments. It should be noted that, provided they do not conflict, the embodiments of the present application and the features in the embodiments may be combined with each other.
This embodiment provides a user permission control method. As shown in Fig. 1, the method comprises:
Step 101: generate a permission acquisition request according to the login information of the user obtained when the user logs in to the terminal device.
To guarantee the information security of the terminal device, the use of device resources by different users is restricted. When a user logs in to the terminal device, the login information of the user is obtained. The login information may be information that determines a unique user identity, such as the user's employee number. A permission acquisition request is generated according to the login information of the user, so as to obtain the permission information of the user.
The terminal device may be a computer device, such as a laptop, a desktop computer or a tablet computer.
Step 102: send the permission acquisition request to the intranet permission management server, so that the intranet permission management server determines the permission information of the user according to the permission acquisition request.
The permission acquisition request is sent to the intranet permission management server, in which the permission information of different users is stored in advance. On receiving the permission acquisition request, the server can therefore determine the permission information the user has according to the login information, such as the employee number, contained in the request.
For example, the intranet permission management server stores in advance that the permissions of the user with employee number 123 include using software such as Word, PPT and Excel, and that the permissions of the user with employee number 456 include using software such as Word, PPT and Excel and using the printer.
Step 103: receive the permission information fed back by the intranet permission management server.
After the intranet permission management server determines the permission information of the user according to the permission acquisition request, it feeds the corresponding permission information back to the terminal device, so that the terminal device receives the permission information fed back by the intranet permission management server. The permission information can be used to restrict the user's operations on the terminal device, for example to determine whether the user can start certain software or modify files on the terminal device.
Step 104: handle, according to the permission information, the resource access request that the user submits on the terminal device.
When the user operates the terminal device after logging in, the device generates a resource access request according to the user's operation. To guarantee the information security of the terminal device, the resource access request submitted by the user is handled according to the permission information of the user sent by the intranet permission management server.
It should be noted that the resources on the terminal device may be divided into protected resources and non-protected resources. When the resource access request submitted by the user is for a non-protected resource, the device can respond to the request directly. When the request is for a protected resource, the terminal device handles the resource access request according to the permission information. This not only guarantees the security of resources but also improves the user's working efficiency.
By applying the technical solution of this embodiment, when the user logs in to the terminal device, a permission acquisition request is generated according to the login information of the user and sent to the intranet permission management server, and the permission information of the user fed back by the intranet permission management server according to the permission acquisition request is received, so that access permissions are configured for the terminal device. The resource access request that the user submits on the terminal device is handled according to the permission information of the user, so that the user can only access the resources on the terminal device for which the user has permission. This prevents the user from arbitrarily viewing and using resources on the terminal device and ensures information security.
Further, as a refinement and extension of the specific implementation of the above embodiment, and in order to fully illustrate the implementation process of this embodiment, another user permission control method is provided. As shown in Fig. 2, the method comprises:
Step 201: the terminal device sends the resource information in the terminal device to the intranet permission management server, so that the intranet permission management server, according to the position level of each user, allocates corresponding personal permission information to each user and allocates corresponding public permission information to each department, wherein the personal permission information includes the resource information to which the user has access permission, and the public permission information includes the resource information to which the department has shared access permission.
The above embodiment further includes a step of configuring in advance, in the intranet permission management server, the personal permission information of each user and the public permission information of each department. Specifically, the terminal device sends the resource information contained in the device to the intranet permission management server. The resource information may include executable files (such as documents, tables and pictures) and runnable software (such as QQ and browsers). The server then determines the resource information to which each user has access permission and the resource information to which all users of each department share access permission, and builds a permission information library that stores each user's access permissions to each resource, i.e. the personal permission information of the user, and each department's shared access permissions to each resource, i.e. the public permission information of the department.
When permissions are allocated to each user, the allocation may be based on factors such as the user's department and the priority of the user's position. For example, an ordinary finance employee at a college or university has access permission to class-A resources, while the manager of the Finance Department, in addition to access permission to class-A resources, also has access permission to software such as QQ, WeChat and browsers.
In addition, access permissions may also be allocated according to the attributes of a file. For example, if a financial statement was created by user A, user A has access permission to that financial statement. It should be noted that those skilled in the art may select the above allocation methods or other allocation methods according to actual needs, and the present application is not limited in this respect.
Step 202: when the user logs in to the terminal device, obtain the login information of the user and the identification information of the terminal device.
When the user logs in to the terminal device, the login information of the user and the identification information of the terminal device the user has logged in to are obtained. A unique user can be determined from the login information of the user, and a unique terminal device can be determined from the identification information of the terminal device.
Step 203: generate the permission acquisition request according to the login information and the identification information.
The permission acquisition request is generated according to the login information of the user and the identification information of the terminal device, so that the access permissions of the user on this terminal device can be obtained from the intranet permission management server by means of the permission acquisition request.
Step 204: send the permission acquisition request to the intranet permission management server, so that the intranet permission management server determines the permission information of the user according to the permission acquisition request.
In the above embodiment, the steps by which the intranet permission management server determines the permission information of the user according to the permission acquisition request are as follows:
Step 2041: the intranet permission management server determines, according to the identification information in the permission acquisition request, whether the terminal device is a public terminal device.
After receiving the permission acquisition request, the intranet permission management server first determines, according to the identification information of the terminal device in the permission acquisition request, whether the terminal device is a public terminal device. For example, an ordinary user in the personnel department can complete most work, such as using office software, on his or her own dedicated computer device, while a small portion of the work, such as printing materials, must be completed on a public terminal device. This increases the operating cost and time cost of printing for the user and so avoids wasting printing paper. After determining whether the terminal device is a public terminal device, the intranet permission management server can determine the user's access permissions on the device according to the type of terminal device.
Step 2042: if the terminal device is a public terminal device, the intranet permission management server determines, according to the login information in the permission acquisition request, the personal permission information corresponding to the user and the public permission information corresponding to the user's department.
If the terminal device is determined from its identification information to be a public terminal device, the user needs to complete work on a public terminal device. The intranet permission management server then queries the pre-stored permission information library for the personal permission information of the user according to the login information of the user, determines the user's department according to the login information, and in turn determines the public permission information corresponding to that department.
Step 2043: merge the personal permission information and the public permission information to generate the permission information of the user.
If the user logs in to a public terminal device, the user needs to complete work on the public terminal device. The personal permission information of the user and the public permission information corresponding to the user's department are then merged to generate the permission information of the user on this terminal device. The terminal device can then restrict the user's access operations according to the obtained permission information, which guarantees the resource security of enterprise terminal devices while ensuring that the user can complete office tasks.
For example, the personal permission information of a certain user includes accessing class-A resources and using Office office software, and the public permission information of the user's department includes using the printing tool. After the user logs in to a public terminal device, the intranet permission management server merges the personal permission information of the user with the public permission information of the department to generate the permission information of the user. The merged permission information includes accessing class-A resources and using Office office software, and also includes using the printing tool. After logging in to the public terminal device, the user can then open class-A resources with Office office software and complete printing.
Step 2044: if the terminal device is not a public terminal device, the intranet permission management server determines the permission information of the user according to the login information in the permission acquisition request, wherein the permission information of the user is the personal permission information corresponding to the user.
If the terminal device the user logs in to is not a public terminal device, the user does not need public permissions for work at this time, so the personal permission information of the user is determined as the user's permission information on the logged-in terminal device. The terminal device can then restrict the user's access operations according to the obtained permission information, which, while ensuring that the user can complete office tasks, prevents the user from arbitrarily viewing and using resources on the device and guarantees the resource security of enterprise terminal devices.
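The server-side decision in steps 2041 to 2044 can be sketched as follows. This is an added example, not code from the patent: the data tables, the terminal identifier, the department names and all function names are assumptions, and returning no permissions for an unknown employee number is a fail-closed choice the text does not specify.

```python
from dataclasses import dataclass

# Constructed sample data. The permission names follow the example in the
# text; departments, terminal identifiers and table layout are assumptions.
PERSONAL_PERMISSIONS = {
    "123": frozenset({"class_a_resource", "office_software"}),
    "456": frozenset({"office_software"}),
}
USER_DEPARTMENT = {"123": "personnel", "456": "finance"}
DEPARTMENT_PUBLIC_PERMISSIONS = {
    "personnel": frozenset({"printing_tool"}),
    # "finance" deliberately has no public permissions configured.
}
PUBLIC_TERMINAL_IDS = frozenset({"PUBLIC-PRINT-01"})


@dataclass(frozen=True)
class PermissionRequest:
    """Step 203: the request carries the user identity and the terminal identity."""
    employee_no: str
    terminal_id: str


def build_request(employee_no: str, terminal_id: str) -> PermissionRequest:
    """Build the request on the terminal; both identifiers are mandatory."""
    employee_no, terminal_id = employee_no.strip(), terminal_id.strip()
    if not employee_no or not terminal_id:
        raise ValueError("employee number and terminal identifier are required")
    return PermissionRequest(employee_no, terminal_id)


def is_public_terminal(terminal_id: str) -> bool:
    """Step 2041: an identifier that is not registered as public is treated
    as a personal terminal, so it never widens a user's permissions."""
    return terminal_id in PUBLIC_TERMINAL_IDS


def resolve_permissions(request: PermissionRequest) -> frozenset:
    """Steps 2042 to 2044: personal permissions, plus the department's
    public permissions only when the login happens on a public terminal."""
    personal = PERSONAL_PERMISSIONS.get(request.employee_no)
    if personal is None:
        # Unknown user: grant nothing, even on a public terminal.
        return frozenset()
    if not is_public_terminal(request.terminal_id):
        return personal                      # step 2044
    department = USER_DEPARTMENT.get(request.employee_no)
    public = DEPARTMENT_PUBLIC_PERMISSIONS.get(department, frozenset())
    return personal | public                 # step 2043: merge


if __name__ == "__main__":
    for emp, term in [("123", "PUBLIC-PRINT-01"), ("123", "DESK-0123"),
                      ("456", "PUBLIC-PRINT-01"), ("999", "PUBLIC-PRINT-01")]:
        granted = resolve_permissions(build_request(emp, term))
        print(emp, term, sorted(granted))
```
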
Step 205: receive the permission information fed back by the intranet permission management server.
After the intranet permission management server determines the permission information of the user according to the permission acquisition request sent by the terminal device, it sends the permission information of the user to the terminal device, so that the user's access permissions on the device are controlled according to the permission information, which improves the security of enterprise resources.
Step 206: clear the local cache of the terminal device and store the permission information.
After the permission information sent by the intranet permission management server is received, the local cache in the terminal device is cleared to remove historical resource access records from the device and prevent them from affecting the security of resources on the device. The permission data of the user is then stored in the terminal device, so that the user can access resources according to the corresponding permission information when using the terminal device.
Step 207: intercept the resource access request submitted by the user, the resource access request including a resource identifier.
After the user logs in to the terminal device, when the user performs operations such as starting software on the terminal device or viewing a file, the terminal device generates a resource access request. The terminal device intercepts the resource access request according to the resource the user intends to access, so as to control the user's access operations on the terminal device. The resource access request includes a resource identifier that determines a unique resource type. For example, the resource identifier corresponding to class-A documents is Adoc.
Step 208: according to the resource identifier, query whether the permission information includes access permission to the resource corresponding to the resource identifier.
The resource information corresponding to the resource identifier is determined according to the resource identifier, and the permission information of the user is then queried to see whether it includes access permission to the resource corresponding to the resource identifier, so as to control the user's access operations on the terminal device.
Step 209: if the permission information includes access permission to the resource, accept the resource access request.
If the permission information includes access permission to the above resource, the user has access permission to the resource, and the intercepted resource access request is executed. This ensures that the user can only access resources on the terminal device for which the user has access permission, which realizes permission control over the user and guarantees the security of resources.
For example, if the intercepted resource access request of the user is to access document A, then after it is determined that the user has access permission to document A, the access operation on document A is executed.
Step 210: if the permission information does not include access permission to the resource, refuse the resource access request.
If the permission information does not include access permission to the above resource, the user does not have access permission to the resource, and the resource access request of the user is refused. In addition, the user may be prompted that the resource cannot be accessed because the user does not have access permission to it. This prevents the user from accessing resources for which the user has no access permission and improves the security of terminal device resources.
By applying the technical solution of this embodiment, the permission information of the user on this terminal device is obtained from the intranet permission management server according to the login information of the user and the identification information of the terminal device, which realizes the distribution of user permission information to the terminal device. Then, when the user submits a resource access request, the resource access request is first intercepted, and it is executed only after it is determined that the permissions of the user include the permission corresponding to the resource access request. This realizes control of the user's permissions on the terminal device, prevents the security risks that arise when users arbitrarily access resources on the device, and improves the security of enterprise resources.
Further, as a specific implementation of the method of Fig. 1, an embodiment of the present application provides a user permission control device. As shown in Fig. 3, the device comprises: a login information acquisition unit 31, a permission acquisition request sending unit 32, a permission information receiving unit 33 and a resource access request processing unit 34.
The login information acquisition unit 31 is configured to generate a permission acquisition request according to the login information of the user obtained when the user logs in to the terminal device;
The permission acquisition request sending unit 32 is configured to send the permission acquisition request to the intranet permission management server, so that the intranet permission management server determines the permission information of the user according to the permission acquisition request;
The permission information receiving unit 33 is configured to receive the permission information fed back by the intranet permission management server;
The resource access request processing unit 34 is configured to handle, according to the permission information, the resource access request that the user submits on the terminal device.
In a specific application scenario, as shown in Fig. 4, the login information acquisition unit 31 specifically comprises: a login information acquisition subunit 311 and a permission acquisition request sending unit 312.
The login information acquisition subunit 311 is configured to obtain the login information of the user and the identification information of the terminal device when the user logs in to the terminal device;
The permission acquisition request sending unit 312 is configured to generate the permission acquisition request according to the login information and the identification information.
The intranet permission management server is configured to determine, according to the identification information in the permission acquisition request, whether the terminal device is a public terminal device;
If the terminal device is a public terminal device, the intranet permission management server determines, according to the login information in the permission acquisition request, the personal permission information corresponding to the user and the public permission information corresponding to the user's department;
The personal permission information and the public permission information are merged to generate the permission information of the user;
If the terminal device is not a public terminal device, the intranet permission management server determines the permission information of the user according to the login information in the permission acquisition request, wherein the permission information of the user is the personal permission information corresponding to the user.
In a specific application scenario, as shown in Fig. 4, the resource access request processing unit 34 specifically comprises: a resource access request interception unit 341, a permission information query unit 342, a first resource access request processing subunit 343 and a second resource access request processing subunit 344.
The resource access request interception unit 341 is configured to intercept the resource access request submitted by the user, the resource access request including a resource identifier;
The permission information query unit 342 is configured to query, according to the resource identifier, whether the permission information includes access permission to the resource corresponding to the resource identifier;
The first resource access request processing subunit 343 is configured to accept the resource access request if the permission information includes access permission to the resource;
The second resource access request processing subunit 344 is configured to refuse the resource access request if the permission information does not include access permission to the resource.
In a specific application scenario, as shown in Fig. 4, the device further comprises: a cache clearing unit 35.
The cache clearing unit 35 is configured to clear the local cache of the terminal device and store the permission information after the permission information fed back by the intranet permission management server is received.
In a specific application scenario, as shown in Fig. 4, the device further comprises: a resource information sending unit 36.
The resource information sending unit 36 is configured so that, before the permission acquisition request is generated according to the login information of the user obtained when the user logs in to the terminal device, the terminal device sends the resource information in the terminal device to the intranet permission management server, so that the intranet permission management server, according to the position level of each user, allocates corresponding personal permission information to each user and allocates corresponding public permission information to each department, wherein the personal permission information includes the resource information to which the user has access permission, and the public permission information includes the resource information to which the department has shared access permission.
It should be noted that, for other corresponding descriptions of the functional units involved in the user permission control device provided by the embodiments of the present application, reference may be made to the corresponding descriptions of Fig. 1 and Fig. 2, which are not repeated here.
Based on the methods shown in Fig. 1 and Fig. 2, an embodiment of the present application correspondingly also provides a storage medium on which a computer program is stored. When executed by a processor, the program implements the user permission control method shown in Fig. 1 and Fig. 2.
Based on this understanding, the technical solution of the present application may be embodied in the form of a software product. The software product may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, etc.) and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods described in the implementation scenarios of the present application.
Based on the methods shown in Fig. 1 and Fig. 2 and the virtual device embodiments shown in Fig. 3 and Fig. 4, and in order to achieve the above purpose, an embodiment of the present application also provides a computer device, which may specifically be a personal computer, a server, a network device, etc. The computer device includes a storage medium and a processor. The storage medium is configured to store a computer program, and the processor is configured to execute the computer program to implement the user permission control method shown in Fig. 1 and Fig. 2.
Optionally, the computer device may also include a user interface, a network interface, a camera, a radio frequency (RF) circuit, a sensor, an audio circuit, a WI-FI module, and so on. The user interface may include a display screen (Display) and an input unit such as a keyboard (Keyboard). Optionally, the user interface may also include a USB interface, a card reader interface, and so on. The network interface may optionally include a standard wired interface and a wireless interface (such as a Bluetooth interface or a WI-FI interface).
Those skilled in the art will understand that the computer device structure provided in this embodiment does not constitute a limitation on the computer device, which may include more or fewer components, combine certain components, or use a different arrangement of components.
The storage medium may also include an operating system and a network communication module. The operating system is a program that manages and preserves the hardware and software resources of the computer device and supports the running of the information processing program and other software and/or programs. The network communication module is used to implement communication among the components inside the storage medium, as well as communication with other hardware and software in the physical device.
From the above description of the embodiments, those skilled in the art can clearly understand that the present application can be implemented by means of software plus a necessary general-purpose hardware platform, or by hardware. When the user logs in to the terminal device, a permission acquisition request is generated according to the login information of the user and sent to the intranet permission management server, and the permission information of the user fed back by the intranet permission management server according to the permission acquisition request is received, so that access permissions are configured for the terminal device. The resource access request that the user submits on the terminal device is handled according to the permission information of the user, so that the user can only access the resources on the terminal device for which the user has permission. This prevents the user from arbitrarily viewing and using resources on the terminal device and ensures information security.
The embodiments of the present invention provide the following technical solutions:
A1. A user permission control method, comprising:
Generating a permission acquisition request according to the login information of the user obtained when the user logs in to the terminal device;
Sending the permission acquisition request to the intranet permission management server, so that the intranet permission management server determines the permission information of the user according to the permission acquisition request;
Receiving the permission information fed back by the intranet permission management server;
Handling, according to the permission information, the resource access request that the user submits on the terminal device.
A2. The method according to A1, wherein generating the permission acquisition request according to the login information of the user obtained when the user logs in to the terminal device specifically comprises:
When the user logs in to the terminal device, obtaining the login information of the user and the identification information of the terminal device;
Generating the permission acquisition request according to the login information and the identification information.
A3. The method according to A2, wherein the intranet permission management server determining the permission information of the user according to the permission acquisition request specifically comprises:
The intranet permission management server determines, according to the identification information in the permission acquisition request, whether the terminal device is a public terminal device;
If the terminal device is the public terminal device, the intranet permission management server determines, according to the login information in the permission acquisition request, the personal permission information corresponding to the user and the public permission information corresponding to the user's department;
The personal permission information and the public permission information are merged to generate the permission information of the user.
A4. The method according to A3, further comprising:
If the terminal device is not the public terminal device, the intranet permission management server determines the permission information of the user according to the login information in the permission acquisition request, wherein the permission information of the user is the personal permission information corresponding to the user.
A5. The method according to A1, wherein handling, according to the permission information, the resource access request that the user submits on the terminal device specifically comprises:
Intercepting the resource access request submitted by the user, the resource access request including a resource identifier;
Querying, according to the resource identifier, whether the permission information includes access permission to the resource corresponding to the resource identifier;
If the permission information includes access permission to the resource, accepting the resource access request;
If the permission information does not include access permission to the resource, refusing the resource access request.
A6. The method according to any one of A1 to A5, wherein after receiving the permission information fed back by the intranet permission management server, the method further comprises:
Clearing the local cache of the terminal device and storing the permission information.
A7. The method according to any one of A1 to A5, wherein before generating the permission acquisition request according to the login information of the user obtained when the user logs in to the terminal device, the method further comprises:
The terminal device sends the resource information in the terminal device to the intranet permission management server, so that the intranet permission management server, according to the position level of each user, allocates corresponding personal permission information to each user and allocates corresponding public permission information to each department, wherein the personal permission information includes the resource information to which the user has access permission, and the public permission information includes the resource information to which the department has shared access permission.
B8, a kind of user right control device, comprising:
Log-on message acquiring unit, the log-on message of the user obtained when for according to user's registration terminal equipment,
Generate authority acquiring request;
Authority acquiring request transmission unit, for sending the authority acquiring request to Intranet right management server, with
The Intranet right management server is set to determine the authority information of the user according to the authority acquiring request;
Authority information receiving unit, for receiving the authority information of the Intranet right management server feedback;
Resource access request processing unit, for handling the user in the terminal device according to the authority information
The resource access request of upper submission.
B9, the device according to A8, the log-on message acquiring unit, specifically include:
Log-on message obtains subelement, for obtaining stepping on for the user when the user logs in the terminal device
Record the identification information of information and the terminal device;
Authority acquiring request transmission unit, for generating the power according to the log-on message and the identification information
Limit acquisition request.
B10, the device according to B9, wherein the intranet rights management server is configured to determine, according to the identification information in the authority acquisition request, whether the terminal device is a public terminal device;
If the terminal device is a public terminal device, the intranet rights management server determines, according to the login information in the authority acquisition request, the personal authority information corresponding to the user and the public authority information corresponding to the user's department;
The personal authority information and the public authority information are merged to generate the authority information of the user.
B11, the device according to B10, wherein the intranet rights management server is further configured so that, if the terminal device is not a public terminal device, the intranet rights management server determines the authority information of the user according to the login information in the authority acquisition request, wherein the authority information of the user is the personal authority information corresponding to the user.
B12, the device according to B8, wherein the resource access request processing unit specifically includes:
A resource access request interception unit, for intercepting the resource access request submitted by the user, the resource access request including a resource identifier;
An authority information query unit, for querying, according to the resource identifier, whether the authority information includes access authority for the resource corresponding to the resource identifier;
A first resource access request processing subunit, for accepting the resource access request if the authority information includes access authority for the resource;
A second resource access request processing subunit, for refusing the resource access request if the authority information does not include access authority for the resource.
B13, the device according to any one of B8 to B12, the device further including:
A cache clearing unit, for clearing the local cache of the terminal device and storing the authority information after the authority information fed back by the intranet rights management server is received.
B14, the device according to any one of B8 to B12, the device further including:
A resource information sending unit, for sending the resource information on the terminal device to the intranet rights management server before the authority acquisition request is generated according to the login information of the user obtained when the user logs in to the terminal device, so that the intranet rights management server, according to the position level of each user, allocates corresponding personal authority information to each user and corresponding public authority information to each department, wherein the personal authority information includes information on the resources that the user has permission to access, and the public authority information includes information on the resources that the department as a whole has permission to access.
C15, a storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the user authority control method described in any one of A1 to A7.
D16, a computer device, including a storage medium, a processor, and a computer program stored on the storage medium and runnable on the processor, wherein the processor implements the user authority control method described in any one of A1 to A7 when executing the program.
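The permission flow of B10 to B13, sketched in Python as an added example (not code from the application): the server merges personal and department public permissions only for a public terminal, and the terminal clears its cache, stores the result, and refuses any resource identifier not in it. All identifiers, table contents and terminal names below are constructed assumptions.

```python
# Added illustration. Every table entry and name here is constructed sample data.
PERSONAL = {"123": {"word", "ppt", "excel"}, "456": {"word", "ppt"}}  # employee number -> resources
DEPARTMENT_OF = {"123": "finance", "456": "sales"}                     # employee number -> department
PUBLIC = {"finance": {"ledger-db"}, "sales": {"crm"}}                  # department -> shared resources
PUBLIC_TERMINALS = {"kiosk-01"}                                        # identification info of public terminals


def resolve_authority(request):
    """Server side (B10/B11): build the authority information for one request."""
    employee = request["employee_number"]
    granted = set(PERSONAL.get(employee, ()))       # unknown user gets nothing
    if request["terminal_id"] in PUBLIC_TERMINALS:  # B10: public terminal, merge both sets
        department = DEPARTMENT_OF.get(employee)
        granted |= PUBLIC.get(department, set())
    return frozenset(granted)                       # B11: otherwise personal only


class Terminal:
    """Terminal side (B8, B12, B13): request, cache and enforce authority information."""

    def __init__(self, terminal_id, server=resolve_authority):
        self.terminal_id = terminal_id
        self._server = server
        self._cache = set()  # empty until a login succeeds, so every access is refused

    def login(self, employee_number):
        request = {"employee_number": employee_number, "terminal_id": self.terminal_id}
        authority = self._server(request)
        self._cache.clear()            # B13: drop the previous user's entries first
        self._cache.update(authority)  # then store the fresh authority information
        return authority

    def handle_access(self, resource_id):
        """B12: accept only if the resource identifier is in the stored authority information."""
        return resource_id in self._cache


if __name__ == "__main__":
    kiosk = Terminal("kiosk-01")
    print(sorted(kiosk.login("123")), kiosk.handle_access("ledger-db"))
    print(sorted(kiosk.login("456")), kiosk.handle_access("ledger-db"))
```

Clearing before storing is what keeps the second login on the shared terminal from inheriting the first user's `ledger-db` entry.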
Those skilled in the art will appreciate that the accompanying drawings are only schematic diagrams of a preferred implementation scenario, and that the modules or processes in the drawings are not necessarily required for implementing the application. Those skilled in the art will also appreciate that the modules of a device in an implementation scenario may be distributed in the device of that implementation scenario as described, or may, with corresponding changes, be located in one or more devices different from this implementation scenario. The modules of the above implementation scenario may be merged into one module, or may be further split into multiple sub-modules.
The above serial numbers of the application are for description only and do not represent the relative merits of the implementation scenarios. Disclosed above are only several specific implementation scenarios of the application; however, the application is not limited thereto, and any change that a person skilled in the art can think of shall fall within the protection scope of the application.