CN109948350A - Account permission allocation method for a hierarchical organization structure, and system and storage medium thereof
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Abstract
The invention discloses an account permission allocation method for a hierarchical organization structure, together with a system and a storage medium. The method comprises the following steps: step 1, a system-level administrator creates a system role and configures its basic attributes; step 2, the permission allocation system performs a hierarchical analysis of the organization levels at which the newly added system role takes effect; step 3, the system-level administrator specifies the system operation permissions that the newly added system role possesses; step 4, a regional-level or department-level administrator adds a new system user; step 5, the regional-level or department-level administrator assigns the system role to the newly added system user. The basic attributes of the system role in step 1 include a priority attribute in which the rank is marked with a number: a smaller number denotes a higher rank and a larger number a lower rank. A system role belongs to several organization levels, and a system user is assigned several system roles.
Description
Technical field
The present invention relates to a permission allocation method, and in particular to an account permission allocation method for a hierarchical organization structure, and a system and storage medium thereof.
Background art
Today, as technology keeps advancing, the RBAC permission management mechanism is very widely used. Under this mechanism the work of managing system accounts is concentrated on a small number of "system administrator" users. In some situations this causes problems: for a large enterprise that is widely distributed geographically, has a hierarchical structure and employs many people, this way of managing system accounts is inefficient and poorly feasible.
How to improve the existing RBAC permission management mechanism so that it supports flexible user account management in an organization with a hierarchical structure, that is, delegating the work of system account management down to regions or departments while keeping the permissions that are granted under control, is a problem that urgently needs to be solved.
To solve the above problems, the inventors considered the following:
A: System account administration permission is delegated to a "region administrator" or "department manager", so that they manage system accounts for the region/department they are in charge of. The existing permission management mechanism has a defect here: it lacks a mechanism for limiting the range of operation permissions that a management role is able to grant.
B: If a region administrator is given the "assign user roles" operation permission, that administrator can assign any role in the system to a user. That is, these "region administrators" or "department managers" can assign to employees of the region they are in charge of a role that belongs to another region or to a higher level, so that the user obtains system operation permissions beyond what the "region administrator" is able to grant.
On this basis the present invention proposes an account permission allocation method for a hierarchical organization structure, and a system and storage medium thereof, aiming to solve the problems that arise when the existing RBAC permission management mechanism is applied to a large enterprise that is widely distributed geographically, has a hierarchical structure and employs many people.
Summary of the invention
To meet the above requirements, one object of the present invention is to provide an account permission allocation method for a hierarchical organization structure. The method can flexibly and effectively limit the range of operation permissions that a given management role is able to grant, and remedies the inefficiency and poor feasibility of the existing way of managing system accounts.
Another object of the present invention is to provide an account permission allocation system that allows the work of "account management" to be handed to the "administrator" of a region/department, so that they manage the system accounts of the region/department they are in charge of and assign operation permissions to those accounts. At the same time, it prevents the "administrator" of a region/department, when creating a new account, from assigning the user operation permissions that apply to other regions or to a higher level and that exceed what that region/department administrator is able to grant.
A third object of the present invention is to provide another account permission allocation system.
A fourth object of the present invention is to provide a non-transitory computer-readable storage medium on which a computer program is stored.
To achieve the above objects, the invention adopts the following technical solution:
An account permission allocation method based on a hierarchical organization structure, comprising the following steps:
Step 1, a system-level administrator creates a system role and configures the basic attributes of the system role;
Step 2, the permission allocation system performs a hierarchical analysis of the organization levels at which the newly added system role takes effect;
Step 3, the system-level administrator specifies the system operation permissions that the newly added system role possesses;
Step 4, a regional-level or department-level administrator adds a new system user;
Step 5, the regional-level or department-level administrator assigns the system role to the newly added system user;
Wherein the basic attributes of the system role in step 1 include a priority attribute. The priority attribute marks the rank with a number: a smaller number denotes a higher rank and a larger number a lower rank;
A system role belongs to several organization levels, and a system user is assigned several system roles.
In a further technical solution, step 4 further includes organization item calculation logic with which the permission allocation system calculates the organization items that the current administrator can operate on. The organization item calculation logic includes using the permission allocation system to obtain all organization items corresponding to all roles of the currently operating administrator, and collecting the obtained organization items into an organization item set. The organization items are subordinate to the organization to which the administrator belongs;
Step 5 further includes priority calculation logic for the administrator's assignment of system roles to a system user. The priority calculation logic includes using the permission allocation system to obtain, for each organization item of the organizations to which the newly added system user belongs, the corresponding effective roles, taking the numeric marks of those effective roles, and sorting them from small to large to form the priority attribute table of the newly added system user;
The effective roles belong to the roles held by the current administrator;
Step 5 further includes role allocation logic for the current administrator's assignment of system roles to the system user. The role allocation logic includes collecting the effective roles into the assignable role table of the newly added system user;
The priority numeric mark of each role in the assignable role table of the newly added system user is not less than the numeric mark in the priority attribute table.
In a further technical solution, step 4 further includes:
Sub-step 1, obtaining all system roles of the currently operating system user;
Sub-step 2, the administrator enters the system user page and performs system user operations;
Sub-step 3, the permission allocation system calculates the organizations on which the current administrator can perform system user management operations;
Sub-step 4, the administrator specifies the basic information of the newly added system user;
Wherein sub-step 3 calculates, according to the organization item calculation logic, the organizations on which system user management operations can be performed.
In a further technical solution, sub-step 1 further includes decision logic. The decision logic is: if the currently operating system user has the permission to manage system users, sub-step 2 is executed; if the currently operating system user does not have the permission to manage system users, the process ends, the results produced by the preceding steps S1-S4 are deleted, the operation record is retained, and step 5 is not executed.
In a further technical solution, step 5 further includes:
Sub-step 1, for each organization item to which the new user belongs, the permission allocation system calculates the highest priority of system role that the current administrator can assign to the system user;
Sub-step 2, for each organization item to which the newly added system user belongs, the permission allocation system calculates the system roles that the current administrator can assign to the user;
Sub-step 3, the administrator specifies one or more system roles for the system user;
Wherein sub-step 1 obtains, by calculation according to the role allocation logic, the highest priority of system role that the current administrator can assign to the system user;
Sub-step 2 obtains, by calculation according to the role allocation logic, the system roles that can currently be assigned to the system user.
The invention also discloses a permission allocation system comprising a server and a user terminal, wherein the server executes the account permission allocation method based on a hierarchical organization structure described in any of the above.
In a further technical solution, the server further comprises a role configuration module and a user role configuration module. The role editing module comprises the following three submodules: a role creation and editing module; a role-organization association establishment and parsing module; and a role-operation permission association establishment module;
The role creation and editing submodule is used to set the name of a system role, the organization levels at which the system role takes effect and the system role priority, and to specify the system operation permissions the system role has, and so on;
The role-organization association establishment and parsing submodule takes the system role selected by the system operating user and the organization units at which that system role takes effect and, following the principle that lower organization levels automatically inherit the system roles of the upper level, traverses the organization tree and refreshes the organization-role association table;
The role-operation permission association establishment submodule updates the system role-operation permission association table according to the system operation permissions that the administrator gives the newly created system role.
The user role configuration module comprises a permission extraction module, a system role parsing module and a relationship establishment module;
The permission extraction module obtains all system roles of the system user, determines whether any of them includes the "manage system users" operation permission, and calculates the organization items on which the current operator can perform system user management operations.
The system role parsing module calculates, for each organization item to which the user belongs, the highest priority and the candidate system roles that the current administrator can assign to the user, and refreshes the corresponding temporary table;
The relationship establishment module refreshes the user-role relation table according to the system roles selected by the administrator.
The invention discloses another permission allocation system comprising a server and a user terminal, wherein the server comprises a memory, a processor and a permission allocation program stored in the memory and runnable on the processor, and the permission allocation program, when executed by the processor, implements the account permission allocation method based on a hierarchical organization structure described in any of the above.
In a further technical solution, the server further comprises a role configuration module and a user role configuration module. The role editing module comprises the following three submodules: a role creation and editing module; a role-organization association establishment and parsing module; and a role-operation permission association establishment module;
The role creation and editing submodule is used to set the name of a system role, the organization levels at which the system role takes effect and the system role priority, and to specify the system operation permissions the system role has, and so on;
The role-organization association establishment and parsing submodule takes the system role selected by the system operating user and the organization units at which that system role takes effect and, following the principle that lower organization levels automatically inherit the system roles of the upper level, traverses the organization tree and refreshes the organization-role association table;
The role-operation permission association establishment submodule updates the system role-operation permission association table according to the system operation permissions that the administrator gives the newly created system role.
The user role configuration module comprises a permission extraction module, a system role parsing module and a relationship establishment module;
The permission extraction module obtains all system roles of the system user, determines whether any of them includes the "manage system users" operation permission, and calculates the organization items on which the current operator can perform system user management operations.
The system role parsing module calculates, for each organization item to which the user belongs, the highest priority and the candidate system roles that the current administrator can assign to the user, and refreshes the corresponding temporary table;
The relationship establishment module refreshes the user-role relation table according to the system roles selected by the administrator.
The invention also discloses a non-transitory computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the account permission allocation method based on a hierarchical organization structure described in any of the above.
Compared with the prior art, the beneficial effects of the present invention are as follows. The method can flexibly and effectively limit the range of operation permissions that a given management role is able to grant, remedies the inefficiency and poor feasibility of the existing way of managing system accounts, and improves office efficiency in the enterprise. The user permission allocation system based on this method allows the work of "account management" to be handed to the "administrator" of a region/department, so that they manage the system accounts of the region/department they are in charge of and assign operation permissions to those accounts. At the same time, it prevents the "administrator" of a region/department, when creating a new account, from assigning the user operation permissions that apply to other regions or to a higher level and that exceed what that region/department administrator is able to grant.
The invention is further described below with reference to the drawings and specific embodiments.
Brief description of the drawings
Fig. 1 is a schematic flow block diagram of the account permission allocation method based on a hierarchical organization structure of the present invention;
Fig. 2 is a block diagram of the composition of a permission allocation system of the present invention;
Fig. 3 is a block diagram of the composition of the server in the embodiment of Fig. 2;
Fig. 4 is a block diagram of the composition of the role configuration module in the embodiment of Fig. 3;
Fig. 5 is a block diagram of the composition of the user role configuration module in the embodiment of Fig. 3.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in those embodiments. The described embodiments are evidently only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An account permission allocation method based on a hierarchical organization structure includes the steps shown in the flowchart of Fig. 1:
Step 1, a system-level administrator creates a system role and configures the basic attributes of the system role. A user who has the "manage system roles" operation permission (usually the "system administrator") creates a system role and specifies fields such as the role's name, its priority and the organization levels at which it takes effect. After the role has been created, the system updates the "system role" table, which records all system roles in effect in the current system.
Step 2, the permission allocation system performs a hierarchical analysis of the organization levels at which the newly added system role takes effect. Based on the organizations that the (system-level) administrator specified for the role, and following the principle that lower organization levels automatically inherit the system roles specified for the upper level, the permission allocation system traverses the organization tree and refreshes the "organization-role" association table, denoted Org-Role-Relation-Table. The table records the system roles in effect on each organization item.
Step 3, the system-level administrator specifies the system operation permissions that the newly added system role possesses. After the role has been created, the (system-level) administrator selects the system operation permissions the role has. The system then updates the "role-operation permission" association table, which records all operation permissions held by each role.
Step 4, a regional-level or department-level administrator adds a new system user. After the user has been created, the system updates the "user" table and the "user-organization" association table. The "user" table records all system users in effect in the current system, and the "user-organization" relation table records the organizations to which each user belongs.
Step 5, the regional-level or department-level administrator assigns the system role to the newly added system user;
Wherein the basic attributes of the system role in step 1 include a priority attribute. The priority attribute marks the rank with a number: a smaller number denotes a higher rank and a larger number a lower rank. For example, a "Priority" attribute is added to the system role entity, with level 0 as the highest level, level 1 next, level 2 after that, and so on. Marking with other sets of numbers, other sets of characters or other sets of label codes is likewise a technical means readily conceived from the inspiration of the present invention and falls within the protection scope of the present invention.
The present invention mainly associates system roles with organization levels, adds a "Priority" attribute to roles, and separates the "manage system roles" and "assign user roles" operations in the design, so that the organization levels a given management role can be in charge of and the range of its operation permissions are kept under control. A system role can belong to one or more organization levels; a system user is assigned several system roles.
In a further technical solution, step 4 further includes organization item calculation logic with which the permission allocation system calculates the organization items that the current administrator can operate on. The organization item calculation logic includes using the permission allocation system to obtain all organization items corresponding to all roles of the currently operating administrator, and collecting the obtained organization items into an organization item set. The organization items are subordinate to the organization to which the administrator belongs;
The calculation is as follows: from Org-Role-Relation-Table, the permission allocation system finds all records with Role ∈ CurrentOperator.ManagerRoles and extracts the organization items in those records; each organization item must also be subordinate to the organization to which the administrator belongs. The result is denoted the CurrentOperator.MgmtOrg set. These are all the organization items on which the current administrator can perform the "manage system users" operation.
Step 5 further includes priority calculation logic for the administrator's assignment of system roles to a system user. The priority calculation logic includes using the permission allocation system to obtain, for each organization item of the organizations to which the newly added system user belongs, the corresponding effective roles, taking the numeric marks of those effective roles, and sorting them from small to large to form the priority attribute table of the newly added system user;
The effective roles belong to the roles held by the current administrator;
The calculation is as follows: each organization item in NewUser.Orgs, the organizations to which the new user belongs, is looked up in Org-Role-Relation-Table to obtain all roles in effect on that organization item; a role must also be one of the roles held by the current administrator. The highest role priority among them (the smallest value) is taken, and the query result is written to NewUserOrg-HightestRolePriority-Table. This table records, for each organization item to which the new user belongs, the priority of the highest-level system role that the current administrator can assign.
Step 5 further includes role allocation logic for the current administrator's assignment of system roles to the system user. The role allocation logic includes collecting the effective roles into the assignable role table of the newly added system user;
The priority numeric mark of each role in the assignable role table of the newly added system user is not less than the numeric mark in the priority attribute table.
The calculation is as follows: each organization item in NewUser.Orgs, the organizations to which the new user belongs, is looked up in Org-Role-Relation-Table to obtain all roles in effect on that organization item; a role must also have a priority equal to or lower than (that is, a value greater than or equal to) the role priority value recorded for that organization item in NewUserOrg-HightestRolePriority-Table. The result is written to NewUserOrg-AvailableRole Table, which records, for each organization item to which the new user belongs, the system roles that the current administrator can assign.
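The three calculations described above (CurrentOperator.MgmtOrg, NewUserOrg-HightestRolePriority-Table and NewUserOrg-AvailableRole Table), as an added Python example that is not part of the patent text. The organization tree, role names and permission string are constructed; reading "subordinate to the administrator's organization" as "that organization or one below it", and accepting a requested role if it is assignable on at least one of the new user's organization items, are assumptions of this sketch.

```python
from dataclasses import dataclass

MANAGE_USERS = "manage_system_users"   # assumed name for the "manage system users" permission

@dataclass(frozen=True)
class Role:
    name: str
    priority: int                      # 0 is the highest rank; larger values rank lower
    orgs: frozenset                    # organization items where the role was set to take effect
    perms: frozenset = frozenset()

# Constructed organization tree (child -> parent) and roles.
PARENT = {"HQ": None, "East": "HQ", "West": "HQ",
          "East-Sales": "East", "East-Ops": "East", "West-Sales": "West"}
SYS_ADMIN = Role("sys_admin", 0, frozenset({"HQ"}), frozenset({MANAGE_USERS}))
REGION_ADMIN = Role("region_admin", 1, frozenset({"East", "West"}), frozenset({MANAGE_USERS}))
SALES_LEAD = Role("sales_lead", 2, frozenset({"East-Sales", "West-Sales"}))
CLERK = Role("clerk", 3, frozenset({"HQ"}))
ROLES = [SYS_ADMIN, REGION_ADMIN, SALES_LEAD, CLERK]

def ancestors_and_self(org):
    """Yield org, then each organization above it up to the root."""
    while org is not None:
        yield org
        org = PARENT[org]

def build_org_role_relation(roles):
    """Step 2: Org-Role-Relation-Table. Lower levels inherit roles set on upper levels."""
    return {org: {r for r in roles if any(a in r.orgs for a in ancestors_and_self(org))}
            for org in PARENT}

def mgmt_orgs(table, operator_roles, operator_orgs):
    """Step 4: CurrentOperator.MgmtOrg, the organization items the operator may manage users in."""
    manager_roles = {r for r in operator_roles if MANAGE_USERS in r.perms}
    return {org for org, effective in table.items()
            if effective & manager_roles
            and any(a in operator_orgs for a in ancestors_and_self(org))}

def highest_priority(table, operator_roles, new_user_orgs):
    """Step 5: NewUserOrg-HightestRolePriority-Table (smallest value the operator holds)."""
    result = {}
    for org in new_user_orgs:
        held = [r.priority for r in table[org] if r in operator_roles]
        if held:                        # no entry means nothing is assignable on this item
            result[org] = min(held)
    return result

def available_roles(table, highest, new_user_orgs):
    """Step 5: NewUserOrg-AvailableRole Table (priority value >= the operator's ceiling)."""
    return {org: {r.name for r in table[org] if r.priority >= highest[org]}
            for org in new_user_orgs if org in highest}

def assign_roles(table, operator_roles, operator_orgs, new_user_orgs, requested):
    """Server-side enforcement: reject any request outside the computed scope."""
    outside = set(new_user_orgs) - mgmt_orgs(table, operator_roles, operator_orgs)
    if outside:
        raise PermissionError(f"organizations outside operator scope: {sorted(outside)}")
    highest = highest_priority(table, operator_roles, new_user_orgs)
    allowed = available_roles(table, highest, new_user_orgs)
    assignable = set().union(*allowed.values())   # assumption: union over the user's items
    denied = set(requested) - assignable
    if denied:
        raise PermissionError(f"roles above operator ceiling: {sorted(denied)}")
    return sorted(set(requested))

if __name__ == "__main__":
    table = build_org_role_relation(ROLES)
    east_admin_roles, east_admin_orgs = {REGION_ADMIN}, {"East"}
    print(sorted(mgmt_orgs(table, east_admin_roles, east_admin_orgs)))
    print(assign_roles(table, east_admin_roles, east_admin_orgs, ["East-Sales"], ["sales_lead"]))
```

Computing the assignable set on the server at assignment time, rather than trusting the role list the page offered to the administrator, is what keeps a tampered request from granting a role above the administrator's own ceiling.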
In a further technical solution, step 4 further includes:
Sub-step 1, obtaining all system roles of the currently operating system user. For the current operating user, the system obtains all of the user's system roles and determines whether any of them includes the "manage system users" operation permission; these are denoted the CurrentOperator.ManagerRoles set.
Sub-step 2, the administrator enters the system user page and performs system user operations. If the user's system roles include a role that has the "manage system users" operation permission, the user is permitted to enter the "new system user" page and perform the "create system user" operation.
Sub-step 3, the permission allocation system calculates the organizations on which the current administrator can perform system user management operations;
Sub-step 4, the administrator specifies the basic information of the newly added system user. The (regional-level) administrator adds a system user on the "new system user" page and specifies basic information such as the user name, real name and the organizations to which the user belongs. The range of organizations the administrator can specify for the new user is the organizations contained in the CurrentOperator.MgmtOrg set. The organizations specified for the new user are denoted NewUser.Orgs. A system user can belong to one or more organizations.
After the user has been created, the system updates the "user" table and the "user-organization" association table. The "user" table records all system users in effect in the current system, and the "user-organization" relation table records the organizations to which each user belongs.
Wherein sub-step 3 calculates, according to the organization item calculation logic, the organizations on which system user management operations can be performed.
In the embodiment shown in Fig. 1, sub-step 1 of step 4 further includes decision logic. The decision logic is: if the currently operating system user has the permission to manage system users, sub-step 2 is executed; if the currently operating system user does not have the permission to manage system users, the process ends, the results produced by the preceding steps S1-S4 are deleted, the operation record is retained, and step 5 is not executed.
In other embodiments, to prevent malicious users from undermining the reliability of the system by means such as injection, sub-step 1 of step 4 is provided with a further protective check: when the number of system roles created by users who do not satisfy sub-step 1 reaches a preset threshold, they are all deleted.
In the embodiment shown in Fig. 1, step 5 further includes:
Sub-step 1, for each organization item to which the new user belongs, the permission allocation system calculates the highest priority of system role that the current administrator can assign to the system user;
Sub-step 2, for each organization item to which the newly added system user belongs, the permission allocation system calculates the system roles that the current administrator can assign to the user;
Sub-step 3, the administrator specifies one or more system roles for the system user. The permission management system refreshes the "user-role" table according to the administrator's selection. The "user-role" relation table records the system roles held by each user.
Wherein sub-step 1 obtains, by calculation according to the role allocation logic, the highest priority of system role that the current administrator can assign to the system user;
Sub-step 2 obtains, by calculation according to the role allocation logic, the system roles that can currently be assigned to the system user.
As shown in the system block diagram of Fig. 2, the invention also discloses a permission allocation system comprising a server 100 and a user terminal 200, wherein the server 100 executes the account permission allocation method based on a hierarchical organization structure described in any of the above.
In the embodiment shown in Fig. 3, the server 100 further comprises a role configuration module 110 and a user role configuration module 120.
In the embodiment shown in Fig. 4, the role editing module 110 specifically comprises the following three submodules: a role creation and editing module 111; a role-organization association establishment and parsing module 112; and a role-operation permission association establishment module 113;
The role creation and editing submodule 111 is used to set the name of a system role, the organization levels at which the system role takes effect and the system role priority, and to specify the system operation permissions the system role has, and so on;
The role-organization association establishment and parsing submodule 112 takes the system role selected by the system operating user and the organization units at which that system role takes effect and, following the principle that lower organization levels automatically inherit the system roles of the upper level, traverses the organization tree and refreshes the organization-role association table;
The role-operation permission association establishment submodule 113 updates the system role-operation permission association table according to the system operation permissions that the administrator gives the newly created system role.
Specifically, the role creation and editing module 111 interacts internally with the role-organization association establishment and parsing module 112 and the role-operation permission association establishment module 113. After the role has been set up through the role creation and editing module 111, the role-organization association establishment and parsing module 112 takes the organization units that the operator selected for the role to take effect in and, following the principle that lower organization levels automatically inherit the system roles of the upper level, traverses the organization tree and refreshes the "organization-role" association table. The table records the system roles in effect on each organization item. The role-operation permission association establishment module 113 refreshes the "role-operation permission" association table according to the system operation permissions that the administrator selects for a role on the "role creation and editing" interface. The table records all operation permissions held by each role.
A user who holds the "add/delete/modify/view system users" and "assign user operation permissions (that is, roles)" operation permissions (usually a region/department administrator) edits users' basic information through the system's "create and edit user" module and assigns system permissions to users.
In operation, the create and edit user module 111 interacts with the user role configuration module 120 of the user permission assignment system. The user role configuration module 120 provides the result of judging whether the current operator has the "manage system users" operation permission, and on which organizations the current operator can perform "manage system users" operations; for each organization the new user belongs to, module 120 calculates the highest role priority that the current operator can assign to the user and the candidate system role information; finally, module 120 updates the "user-role" table in the system according to the roles the operator specifies for the new user.
In the embodiment shown in Figure 5, the user role configuration module 120 specifically includes a permission extraction module 121, a system role parsing module 122, and a relationship establishment module 123;
The permission extraction module 121 obtains all system roles of the system user, judges whether any of them includes the "manage system users" operation permission, and calculates the organization items on which the current operator can perform system user management operations.
The system role parsing module 122, for each organization the user belongs to, calculates the highest priority of role that the current administrator can assign to the user and the candidate system roles, and refreshes the corresponding temporary table; the temporary table records, for each organization item the new user belongs to, the priority of the highest-level system role that the current administrator can assign and the candidate system roles.
The relationship establishment module 123 refreshes the user-role relationship table according to the system roles selected by the administrator. The relationship table records the system roles held by each user.
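The table refreshes performed by modules 112, 121, 122 and 123, together with the priority rule stated in claim 2, can be traced on a small organization tree. The Python below is an added example, not code from the patent; the organization names, role names, the `MANAGE_USERS` permission string, and the requirement that the administrator can manage every organization the new user belongs to are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MANAGE_USERS = "manage_system_users"  # assumed name for the "manage system users" permission

@dataclass(frozen=True)
class Role:
    name: str
    priority: int              # smaller number = higher rank
    effective_orgs: frozenset  # organizations the role is configured to take effect on
    permissions: frozenset

@dataclass
class Account:
    name: str
    orgs: set                                # organizations the account belongs to
    roles: set = field(default_factory=set)  # names of the roles the account holds

# Constructed sample data (not from the patent).
ORG_CHILDREN = {
    "HQ": ["East", "West"],
    "East": ["East-Sales", "East-Ops"],
    "West": ["West-Sales"],
}
ROLES = {r.name: r for r in [
    Role("sys_admin", 1, frozenset({"HQ"}), frozenset({MANAGE_USERS, "configure_roles"})),
    Role("region_admin", 2, frozenset({"East", "West"}), frozenset({MANAGE_USERS})),
    Role("dept_manager", 3, frozenset({"East-Sales", "West-Sales"}), frozenset({"approve_orders"})),
    Role("clerk", 4, frozenset({"HQ"}), frozenset({"enter_orders"})),
]}

def subtree(org):
    """Return org plus every organization below it in the tree."""
    seen, stack = set(), [org]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(ORG_CHILDREN.get(node, []))
    return seen

def build_org_role_table(roles):
    """Module 112: lower levels inherit upper-level roles; build the organization-role table."""
    table = {}
    for role in roles.values():
        for root in role.effective_orgs:
            for org in subtree(root):
                table.setdefault(org, set()).add(role.name)
    return table

def manageable_orgs(admin, org_roles, roles):
    """Module 121: organizations where the operator may manage system users."""
    own = set().union(*[subtree(o) for o in admin.orgs])
    managing = {n for n in admin.roles if MANAGE_USERS in roles[n].permissions}
    return {o for o in own if managing & org_roles.get(o, set())}

def candidate_roles(admin, org, org_roles, roles):
    """Module 122: roles in effect on org whose priority number is not less
    than the smallest priority number the administrator holds there."""
    if org not in manageable_orgs(admin, org_roles, roles):
        return set()
    in_effect = org_roles.get(org, set())
    ceiling = min(roles[n].priority for n in admin.roles & in_effect)
    return {n for n in in_effect if roles[n].priority >= ceiling}

def assign_roles(admin, user, requested, org_roles, roles, user_role_table):
    """Module 123: update the user-role table, rejecting out-of-scope grants."""
    allowed = set()
    for org in user.orgs:
        candidates = candidate_roles(admin, org, org_roles, roles)
        if not candidates:
            raise PermissionError(f"{admin.name} may not manage users in {org}")
        allowed |= candidates
    denied = set(requested) - allowed
    if denied:
        raise PermissionError(f"{admin.name} may not assign {sorted(denied)}")
    user.roles |= set(requested)
    user_role_table[user.name] = set(user.roles)
    return user_role_table[user.name]

if __name__ == "__main__":
    table = build_org_role_table(ROLES)
    alice = Account("alice", {"East"}, {"region_admin"})
    print(sorted(manageable_orgs(alice, table, ROLES)))
    print(sorted(candidate_roles(alice, "East-Sales", table, ROLES)))
```

A region administrator in East can hand out roles of equal or lower rank inside the East subtree, while a request for `sys_admin`, or for any role on a user in West, raises `PermissionError` before the user-role table is touched.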
As shown in Figure 3, the invention discloses another permission assignment system, including a server 100 and a user terminal 200; wherein the server 100 includes a memory, a processor, and a permission assignment program stored on the memory and runnable on the processor, and the permission assignment program, when executed by the processor, implements the account permission assignment method based on a hierarchical organization structure described in any of the above. The memory may be read-only memory (ROM) or another type of static storage device that can store static information and instructions, random access memory (RAM) or another type of dynamic storage device that can store information and instructions, electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these. The memory may exist independently and be connected to the processor through a communication bus. The memory may also be integrated with the processor.
In the embodiment shown in Figure 3, the server 100 further includes a role configuration module 110 and a user permission assignment module 120.
The invention also discloses a non-transitory computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the account permission assignment method based on a hierarchical organization structure described in any of the above. The storage medium may be an internal storage unit of the aforementioned server, such as the server's hard disk or memory. The storage medium may also be an external storage device of the device, such as a plug-in hard disk, a smart media card (Smart Media Card, SMC), a secure digital (Secure Digital, SD) card, or a flash card (Flash Card) fitted to the device. Further, the storage medium may include both the internal storage unit of the device and an external storage device.
In summary, this method can flexibly and effectively limit the range of operation permissions that a given administrative role is authorized to assign, mitigates the adverse effects of inefficient and poorly workable system account management, and improves enterprise office efficiency. The user permission assignment system proposed on the basis of this method allows "account management" work to be handed to the "administrator" of a region/department, who can then manage the system accounts of the region/department in their charge and assign operation permissions to them; at the same time, it prevents a region/department "administrator" from assigning to the user of a new account operation permissions that apply to other regions or belong to a higher level, which would exceed that region/department administrator's scope of authority.
It will be apparent to those skilled in the art that various other corresponding changes and variations can be made according to the technical solutions and concepts described above, and all such changes and variations shall fall within the protection scope of the claims of the present invention.
Claims (10)
1. An account permission assignment method based on a hierarchical organization structure, characterized by comprising the following steps:
Step 1, a system-level administrator creates a system role and configures the basic attributes of the system role;
Step 2, the permission assignment system performs hierarchical parsing of the organizational levels on which the newly added system role takes effect;
Step 3, the system-level administrator specifies the system operation permissions held by the newly added system role;
Step 4, a region-level or department-level administrator adds a new system user;
Step 5, the region-level or department-level administrator assigns the system role to the newly added system user;
wherein the basic attributes of the system role in step 1 include a priority attribute, the system role priority attribute marks rank with a number, a system role marked with a smaller number has a higher rank, and one marked with a larger number has a lower rank;
the system role belongs to several organizational levels, and the system user is assigned several system roles.
2. The account permission assignment method based on a hierarchical organization structure according to claim 1, characterized in that step 4 further includes organization item calculation logic by which the permission assignment system calculates the organization items that the current administrator can operate on;
the organization item calculation logic includes using the permission assignment system to obtain all organization items corresponding to all roles of the administrator currently operating, and collecting the obtained organization items into an organization item set; the organization items belong to the organization the administrator belongs to;
step 5 further includes priority calculation logic for the administrator assigning system roles to the system user; the priority calculation logic includes using the permission assignment system to obtain the effective roles corresponding to each organization item of the organizations the newly added system user belongs to, extracting the marked numbers of the effective roles, and forming the priority attribute table of the newly added system user in order of the marked numbers from small to large;
the effective roles belong to the roles held by the current administrator;
step 5 further includes role assignment logic for the current administrator assigning system roles to the system user; the role assignment logic includes collecting the effective roles into the assignable role table of the newly added system user;
the value of the role priority number in the assignable role table of the newly added system user is not less than the value of the number marked in the priority attribute table.
3. The account permission assignment method based on a hierarchical organization structure according to claim 2, characterized in that step 4 further includes:
Sub-step 1, obtaining all system roles of the system user currently operating;
Sub-step 2, the administrator enters the system user page and performs system user operations;
Sub-step 3, the permission assignment system calculates the organizations on which the current administrator can perform system user management operations;
Sub-step 4, the administrator specifies the basic information of the newly added system user;
wherein sub-step 3 calculates the organizations on which system user management operations can be performed according to the organization item calculation logic.
4. The account permission assignment method based on a hierarchical organization structure according to claim 3, characterized in that sub-step 1 further includes decision logic: if the system user currently operating holds the manage-system-users operation permission, sub-step 2 is executed; if the system user currently operating does not hold the manage-system-users operation permission, the process ends, the results produced by steps S1-S4 are deleted, the operation record is retained, and step 5 is not executed.
5. The account permission assignment method based on a hierarchical organization structure according to claim 2, characterized in that step 5 further includes:
Sub-step 1, for each organization the new user belongs to, the permission assignment system calculates the highest priority of system role that the current administrator can assign to the system user;
Sub-step 2, for each organization the newly added system user belongs to, the permission assignment system calculates the system roles that the current administrator can assign to the user;
Sub-step 3, the administrator specifies one or more system roles for the system user;
wherein sub-step 1 calculates, according to the role assignment logic, the highest priority of system role that the current administrator can assign to the system user;
sub-step 2 calculates, according to the role assignment logic, the system roles that can currently be assigned to the system user.
6. A permission assignment system, characterized by including a server and a user terminal; wherein the server executes the account permission assignment method based on a hierarchical organization structure according to any one of claims 1-5.
7. The permission assignment system according to claim 6, characterized in that the server further includes a role configuration module and a user role configuration module; the role editing module includes the following three submodules: a role creation and editing module, a role-organization association establishment and parsing module, and a role-operation permission association establishment module;
the submodule role creation and editing module is used to set the name of the system role, the organizational level on which the system role takes effect, the system role priority, and the system operation permissions that the specified system role has;
the submodule role-organization association establishment and parsing module, according to the system role selected by the system operating user and the organization on which that system role takes effect, and following the principle that lower organizational levels automatically inherit the system roles of upper levels, traverses the organization tree and refreshes the organization-role association table;
the submodule role-operation permission association establishment module updates the system role-operation permission association table according to the system operation permissions of the system role newly created by the administrator;
the user role configuration module includes a permission extraction module, a system role parsing module, and a relationship establishment module;
the permission extraction module obtains all system roles of the system user, judges whether any of them includes the manage-system-users operation permission, and calculates the organization items on which the current operator can perform system user management operations;
the system role parsing module, for each organization the user belongs to, calculates the highest priority of role that the current administrator can assign to the user and the candidate system roles, and refreshes the corresponding temporary table;
the relationship establishment module refreshes the user-role relationship table according to the system roles selected by the administrator.
8. A permission assignment system, characterized by including a server and a user terminal; wherein the server includes a memory, a processor, and a permission assignment program stored on the memory and runnable on the processor, wherein the permission assignment program, when executed by the processor, implements the account permission assignment method based on a hierarchical organization structure according to any one of claims 1 to 5.
9. The permission assignment system according to claim 8, characterized in that the server further includes a role configuration module and a user role configuration module; the role editing module includes the following three submodules: a role creation and editing module, a role-organization association establishment and parsing module, and a role-operation permission association establishment module;
the submodule role creation and editing module is used to set the name of the system role, the organizational level on which the system role takes effect, the system role priority, and the system operation permissions that the specified system role has;
the submodule role-organization association establishment and parsing module, according to the system role selected by the system operating user and the organization on which that system role takes effect, and following the principle that lower organizational levels automatically inherit the system roles of upper levels, traverses the organization tree and refreshes the organization-role association table;
the submodule role-operation permission association establishment module updates the system role-operation permission association table according to the system operation permissions of the system role newly created by the administrator;
the user role configuration module includes a permission extraction module, a system role parsing module, and a relationship establishment module;
the permission extraction module obtains all system roles of the system user, judges whether any of them includes the manage-system-users operation permission, and calculates the organization items on which the current operator can perform system user management operations;
the system role parsing module, for each organization the user belongs to, calculates the highest priority of role that the current administrator can assign to the user and the candidate system roles, and refreshes the corresponding temporary table;
the relationship establishment module refreshes the user-role relationship table according to the system roles selected by the administrator.
10. A non-transitory computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the account permission assignment method based on a hierarchical organization structure according to any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910049342.5A CN109948350B (en) | 2019-01-18 | 2019-01-18 | Hierarchical organization account authority allocation method and system and storage medium thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910049342.5A CN109948350B (en) | 2019-01-18 | 2019-01-18 | Hierarchical organization account authority allocation method and system and storage medium thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109948350A (en) | 2019-06-28 |
CN109948350B (en) | 2023-06-02 |
Family
ID=67006703
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910049342.5A Active CN109948350B (en) | 2019-01-18 | 2019-01-18 | Hierarchical organization account authority allocation method and system and storage medium thereof |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109948350B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN109948350B (en) | 2023-06-02 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||