CN110298192A - Hierarchical permission management component for a management information system adapted to multiple organization types - Google Patents

Info

Publication number: CN110298192A
Authority: CN (China)
Prior art keywords: user, organization, data, role, granted
Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed): Pending
Application number: CN201910487654.4A
Other languages: Chinese (zh)
Inventors: 周竞亮, 朱强, 赵丽娟, 谭业贵, 郭晓松, 周益龙, 裴宇锋, 李喜邦
Current assignee (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list): Three Gorges High Technology Information Technology Co Ltd; China Three Gorges Corp
Original assignee: Three Gorges High Technology Information Technology Co Ltd; China Three Gorges Corp
Priority date (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed): 2019-06-05
Filing date: 2019-06-05
Publication date: 2019-10-01

2019-06-05: Application filed by Three Gorges High Technology Information Technology Co Ltd, China Three Gorges Corp
2019-06-05: Priority to CN201910487654.4A
2019-10-01: Publication of CN110298192A
Current legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

A hierarchical permission management component for a management information system adapted to multiple organization types, comprising: application filter condition configuration, which defines the conditions that data must satisfy for the currently logged-in user to view them in the application; a condition is defined parametrically and expresses that a data table attribute value lies within, or intersects, the organization set of a given data permission type of the currently logged-in user, the matching data rows being viewable. Hierarchical user data permission configuration, which assigns users to a specified role and grants them the corresponding organizations; roles are associated with application conditions and with users. User data permission control, which controls the range of data the currently logged-in user may view in a specific application. Through this module the filter conditions configured for the application, and the role and organization of the currently logged-in user from the hierarchical user data permission configuration, are obtained. The hierarchical permission management component of the present invention can reduce the overall construction cost of a management information system and improve development efficiency and construction quality.

Description

Hierarchical permission management component for a management information system adapted to multiple organization types
Technical field
The present invention relates to the field of management information system security technology, specifically to a hierarchical permission management component of a management information system adapted to multiple organization types.
Background technique
Permission management is a fundamental functional module of a management information system and its security guarantee; its role in the system is indispensable. In terms of data-level permissions, however, permission configuration and control have so far been implemented unsatisfactorily: the technical method generally used is hard-coded data rules, and there is no generally applicable, easy-to-use permission management component.
Implementing data-level permissions is a technical difficulty of management information system construction. Implementing data-level permissions for each business function module of a system requires modifying configuration and code, and once the data of each business function module involves different organization types, configuring and enforcing the system's permissions becomes even more complex. In the development phase this places high demands on developers' skill and business familiarity; in the operation and maintenance phase, authorization configuration by administrators is also complex. Implementing data-level permission management with current technical methods requires a large investment in manpower, time and quality assurance, and also leaves the system's extensibility and maintainability low.
Summary of the invention
The purpose of the invention is to enable, in data-level permission configuration, hierarchical granting of data permissions to users within a role according to the organization tree, and to have the system automatically configure the data-level permissions of users in specific role types according to business data, so that data-level permission configuration becomes convenient; and to provide a hierarchical permission management component for a management information system adapted to multiple organization types in which, for data-level permission control, data filter conditions can be configured parametrically and data permission filtering is enforced by calling the component's unified service interface, without writing additional code, so that data-level permission control is simplified. This achieves the goal of reducing the overall construction cost of a management information system and improving development efficiency and construction quality.
The technical scheme adopted by the invention is as follows:
A hierarchical permission management component for a management information system adapted to multiple organization types, comprising the following functional modules:
Application filter condition configuration, which defines the conditions that data must satisfy for the currently logged-in user to view them in the application; conditions are defined parametrically and express that a data table attribute value lies within, or intersects, the organization set of a data permission type of the currently logged-in user, the matching data rows being viewable;
Hierarchical user data permission configuration, which assigns users to a specified role and grants them the corresponding organizations; roles are associated with application conditions and with users, so that a user is associated with the data filter conditions configured for an application; if the same user holds more than one organization permission within a role, the user may be assigned to that role repeatedly, each time granted a different organization;
User data permission control, which controls the range of data the currently logged-in user may view in a specific application. Through this module the filter conditions configured for the application, and the role and organization of the currently logged-in user from the hierarchical user data permission configuration, are obtained; combining the tags of the filter condition expressions with the organizations granted to the user forms the filter condition SQL statement for the application's related data tables, which is appended to the application's data query SQL to control the data query scope.
The technical effects of the hierarchical permission management component of the present invention are as follows:
(1) The component is developed in the JAVA language and can be conveniently integrated into management information systems in a JAVA environment, at a relatively low integration cost.
(2) The component is suitable for management information systems of multiple organization types and can control the data query scope of business data registered by different organization types; its range of adaptability is wide.
(3) The component makes data permission control simple: data query scope control is achieved merely by calling the component's unified service interface, which benefits the schedule, cost and quality control of management information system construction;
(4) The component's user data permission configuration is easy to use, and users of roles associated with business data, together with their organization permissions, can be assigned automatically. For example, for an ordinary Party member role, assignment can be carried out automatically from the Party member records in the system and the organization data of the Party branch they belong to, greatly reducing the workload of the operation and maintenance phase and effectively reducing its labour cost;
(5) With the component, the maintainability and scalability of the system's data permission control function are higher; in particular, a business change only requires modifying configuration parameters.
Detailed description of the invention
Fig. 1 is the entity-relationship diagram (ER diagram) of the entities involved in application filter condition configuration and hierarchical user data permission configuration of the present invention.
Fig. 2 is the flow chart of the user data permission control algorithm of the present invention.
Specific embodiment
The hierarchical permission management component for a management information system adapted to multiple organization types consists mainly of three functional modules: application filter condition configuration, hierarchical user data permission configuration and user data permission control. The specific technical implementation is as follows:
(1) Application filter condition configuration:
Application filter condition configuration defines the conditions that data must satisfy for the currently logged-in user to view them in the application. Conditions are defined parametrically; the general form expresses that a data table attribute value lies within the organization set of a data permission type of the currently logged-in user, or intersects it, and the matching data rows may be viewed.
According to the organization tree, data permission types are: the granted organization itself; the granted organization and its direct child organizations; the direct child organizations of the granted organization; the granted organization and all its descendant organizations; all descendant organizations of the granted organization; the granted organization and its direct parent organization; the direct parent organization of the granted organization; the granted organization and all its ancestor organizations; all ancestor organizations of the granted organization. Data permission types are managed by tags, each type corresponding to its own tag identification code.
(2) Hierarchical user data permission configuration:
Hierarchical user data permission configuration assigns users to a specified role and grants them the corresponding organizations. Roles are associated with application conditions and with users, so that a user is associated with the data filter conditions configured for an application. If the same user holds more than one organization permission within a role, the user may be assigned to that role repeatedly, each time granted a different organization. To facilitate user data permission control, to adapt to multiple organization types, and to make hierarchical user data permission configuration convenient, roles must be classified and corresponding rules set for each class.
According to practical needs, role types are designed as four classes: system administrator, hierarchical administrator, regular role and special role. The relevant rules are as follows:
[1] The system administrator is a system-level administrator that needs no associated organization; users are not assigned to this role type in hierarchical user data permission configuration but in the role management of the system permission management module. A user granted the system administrator role can configure users and their organizations in hierarchical user data permission configuration.
[2] Hierarchical administrators, regular roles and special roles must be associated with organizations. Since a system may involve multiple organization types, one and only one organization data source table must be bound; the bound organization data source table must include the attributes: organization data source table name, organization identifier attribute name, organization name attribute name, parent organization identifier attribute name.
[3] The hierarchical administrator role is a role that can perform hierarchical authorization according to the organization tree. A user in the hierarchical administrator role can assign users to the hierarchical administrator role, but the organizations configured can only be direct child organizations of the organizations granted to that user; a user in the hierarchical administrator role can assign users to regular roles, but the organizations configured can only be the organizations granted to that user.
[4] A special role is a role of a specific type whose users and organization permissions are assigned automatically according to business data; the function name that assigns users and grants organizations must be bound. Because the users of a special role and their organization permissions are assigned automatically by the system, a special role does not permit assignment in hierarchical user data permission configuration.
(3) User data permission control:
User data permission control controls the range of data the currently logged-in user may view in a specific application. Through this module the filter conditions configured for the application, and the role and organization of the currently logged-in user from the hierarchical user data permission configuration, are obtained; combining the tags of the filter condition expressions with the organizations granted to the user forms the filter condition SQL statement for the application's related data tables, which is appended to the application's data query SQL to control the data query scope. Therefore, with the hierarchical permission management component, data query scope control is achieved automatically merely by calling the unified service interface of user data permission control.
Embodiment 1:
See Fig. 1. The entities of this embodiment are: 1. application, 2. filter condition, 3. role, 4. user-organization relationship. The relationships between entities are: 1. application and 2. filter condition have a one-to-many configuration relationship; 3. role and 1. application have a many-to-many grant relationship; 3. role and 2. filter condition have a many-to-many grant relationship; 3. role and 4. user-organization relationship have a many-to-many assignment relationship.
Embodiment 2:
The specific steps of the user data permission control method are as follows:
Step 1: the currently logged-in user accesses application A; the initial filter condition SQL starts as "";
Step 2: obtain the roles of the user that are granted to application A;
Step 3: judge whether the number of roles granted to the user is 0; if so, go to the next step, otherwise go to step 5;
Step 4: set the filter condition SQL to "1!=1" and go to step 16;
Step 5: query the roles granted to application A and their configured filter conditions;
Step 6: take the i-th role (i = 1, ..., M, where M is the number of roles assigned to the user that possess application A) granted to application A and its configured filter conditions;
Step 7: judge whether the current role has been granted filter conditions for application A; if not, go to the next step, otherwise go to step 9;
Step 8: set the filter condition SQL to "1=1" and go to step 16;
Step 9: query the organizations granted to the current user under the current role;
Step 10: take the j-th (j = 1, ..., N, where N is the number of filter conditions granted to the current role) configured filter condition of the current role;
Step 11: parse the tags of the filter condition to obtain the current filter condition SQL, assembled with "AND";
Step 12: j = j + 1; judge whether j is less than or equal to the number of filter conditions granted to the current role; if so, return to step 10, otherwise go to the next step;
Step 13: judge whether the current filter condition SQL is identical to the filter condition SQL of a previous role; if so, do not append the current filter condition SQL to the filter condition SQL and go to step 15; otherwise go to the next step;
Step 14: set the filter condition SQL to the filter condition SQL joined with the current filter condition SQL by "OR";
Step 15: i = i + 1; judge whether i is less than or equal to the number of roles assigned to the user that possess application A; if so, return to step 6, otherwise go to the next step;
Step 16: assemble the filter condition SQL into the application's query statement, achieving data scope control over the rows of the business data table.
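The algorithm of Embodiment 2 together with the tree-based data permission types of section (1), as an added Python example that is not code from the patent or from the component it describes (the component itself is stated to be Java): it resolves each permission type tag to an organization set and assembles the role filter with the AND / OR / de-duplication rules of steps 1-16, emitting a parameterized WHERE fragment. The organization tree, the tag names, the RoleGrant and FilterCondition structures and the column names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed organization tree: id -> parent id (None = root).  It stands in
# for the bound organization data source table (id, name, parent id) of the patent.
ORG_PARENT = {"HQ": None, "BU1": "HQ", "BU2": "HQ", "D11": "BU1", "D12": "BU1", "D21": "BU2"}


def children(org):
    return [o for o, p in ORG_PARENT.items() if p == org]


def descendants(org):
    out = []
    for c in children(org):
        out.append(c)
        out.extend(descendants(c))
    return out


def ancestors(org):
    out, p = [], ORG_PARENT[org]
    while p is not None:
        out.append(p)
        p = ORG_PARENT[p]
    return out


# The nine tree-based data permission types of the patent, keyed by a tag code.
# The tag names are this example's own; the patent only says each type has a tag.
PERMISSION_TYPES = {
    "SELF": lambda o: [o],
    "SELF_CHILDREN": lambda o: [o] + children(o),
    "CHILDREN": children,
    "SELF_DESCENDANTS": lambda o: [o] + descendants(o),
    "DESCENDANTS": descendants,
    "SELF_PARENT": lambda o: [o] + ancestors(o)[:1],
    "PARENT": lambda o: ancestors(o)[:1],
    "SELF_ANCESTORS": lambda o: [o] + ancestors(o),
    "ANCESTORS": ancestors,
}


@dataclass
class FilterCondition:
    column: str     # data table attribute compared against the organization set
    perm_type: str  # tag code, a key of PERMISSION_TYPES


@dataclass
class RoleGrant:
    role: str
    orgs: list                                      # organizations granted to the user in this role
    conditions: list = field(default_factory=list)  # filter conditions configured for the application


def resolve_orgs(perm_type, granted_orgs):
    """Expand a permission type over every granted organization (ordered, de-duplicated)."""
    ids = []
    for o in granted_orgs:
        for x in PERMISSION_TYPES[perm_type](o):
            if x not in ids:
                ids.append(x)
    return ids


def build_filter(grants):
    """Steps 1-16 of Embodiment 2: returns (where_fragment, bound_params).
    Organization ids become '?' placeholders, so the SQL text never embeds values."""
    if not grants:                          # steps 3-4: no role for this application
        return "1!=1", []
    role_clauses = []                       # (clause, params) per role, in role order
    for g in grants:                        # step 6: i-th role
        if not g.conditions:                # steps 7-8: a role without filter conditions
            return "1=1", []                # makes every row visible; worth auditing
        parts, params = [], []
        for c in g.conditions:              # steps 10-12: one role's conditions are AND-ed
            ids = resolve_orgs(c.perm_type, g.orgs)
            if not ids:                     # e.g. CHILDREN of a leaf: never emit IN ()
                parts.append("1!=1")
                continue
            parts.append(f"{c.column} IN ({', '.join('?' * len(ids))})")
            params.extend(ids)
        clause = (" AND ".join(parts), params)
        if clause in role_clauses:          # step 13: identical to a previous role's clause
            continue
        role_clauses.append(clause)         # step 14: otherwise it is OR-ed in
    where = " OR ".join(f"({c})" for c, _ in role_clauses)
    return where, [p for _, ps in role_clauses for p in ps]


def demo():
    """Constructed scenario: one user holding two roles granted to application A."""
    grants = [
        RoleGrant("bu_manager", ["BU1"], [FilterCondition("owner_org_id", "SELF_DESCENDANTS")]),
        RoleGrant("auditor", ["D21"], [FilterCondition("owner_org_id", "SELF"),
                                       FilterCondition("approver_org_id", "PARENT")]),
    ]
    where, params = build_filter(grants)    # step 16: append to the application's query
    return f"SELECT * FROM business_data WHERE {where}", params
```

Each role clause is parenthesised before the OR join so that a role's AND-ed conditions cannot bleed into a neighbouring role's clause, which the patent's textual description leaves implicit.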

Claims (6)

1. A hierarchical permission management component for a management information system adapted to multiple organization types, characterised in that it comprises the following functional modules:
application filter condition configuration, which defines the conditions that data must satisfy for the currently logged-in user to view them in the application; conditions are defined parametrically and express that a data table attribute value lies within, or intersects, the organization set of a data permission type of the currently logged-in user, the matching data rows being viewable;
hierarchical user data permission configuration, which assigns users to a specified role and grants them the corresponding organizations; roles are associated with application conditions and with users, so that a user is associated with the data filter conditions configured for an application; if the same user holds more than one organization permission within a role, the user may be assigned to that role repeatedly, each time granted a different organization;
user data permission control, which controls the range of data the currently logged-in user may view in a specific application; through this module the filter conditions configured for the application, and the role and organization of the currently logged-in user from the hierarchical user data permission configuration, are obtained; combining the tags of the filter condition expressions with the organizations granted to the user forms the filter condition SQL statement for the application's related data tables, which is appended to the application's data query SQL to control the data query scope.
2. The hierarchical permission management component for a management information system adapted to multiple organization types according to claim 1, characterised in that in the application filter condition configuration functional module the data permission types, according to the organization tree, are: the granted organization itself; the granted organization and its direct child organizations; the direct child organizations of the granted organization; the granted organization and all its descendant organizations; all descendant organizations of the granted organization; the granted organization and its direct parent organization; the direct parent organization of the granted organization; the granted organization and all its ancestor organizations; all ancestor organizations of the granted organization.
3. The hierarchical permission management component for a management information system adapted to multiple organization types according to claim 2, characterised in that data permission types are managed by tags, each type corresponding to its own tag identification code.
4. The hierarchical permission management component for a management information system adapted to multiple organization types according to claim 1, characterised in that in the hierarchical user data permission configuration functional module
role types include system administrator, hierarchical administrator, regular role and special role, with the following rules:
the system administrator is a system-level administrator that needs no associated organization; users are not assigned to this role type in hierarchical user data permission configuration but in the role management of the system permission management module; a user granted the system administrator role can configure users and their organizations in hierarchical user data permission configuration;
the hierarchical administrator is a role that can perform hierarchical authorization according to the organization tree; a user in the hierarchical administrator role can assign users to the hierarchical administrator role, but the organizations configured can only be direct child organizations of the organizations granted to that user; a user in the hierarchical administrator role can assign users to regular roles, but the organizations configured can only be the organizations granted to that user;
a special role is a role of a specific type whose users and organization permissions are assigned automatically according to business data; the function name that assigns users and grants organizations must be bound; because the users of a special role and their organization permissions are assigned automatically by the system, a special role does not permit assignment in hierarchical user data permission configuration.
5. The hierarchical permission management component for a management information system adapted to multiple organization types according to claim 4, characterised in that hierarchical administrators, regular roles and special roles must be associated with organizations; since a system may involve multiple organization types, one and only one organization data source table must be bound, and the bound organization data source table includes the attributes: organization data source table name, organization identifier attribute name, organization name attribute name, parent organization identifier attribute name.
6. The hierarchical permission management component according to any one of claims 1-5, characterised in that the component is developed in the JAVA language.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910487654.4A CN110298192A (en) 2019-06-05 2019-06-05 Hierarchical permission management component for a management information system adapted to multiple organization types

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910487654.4A CN110298192A (en) 2019-06-05 2019-06-05 Hierarchical permission management component for a management information system adapted to multiple organization types

Publications (1)

Publication Number Publication Date
CN110298192A true CN110298192A (en) 2019-10-01

Family

ID=68027740

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910487654.4A Pending CN110298192A (en) 2019-06-05 2019-06-05 Hierarchical permission management component for a management information system adapted to multiple organization types

Country Status (1)

Country Link
CN (1) CN110298192A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103377336A (en) * 2013-01-21 2013-10-30 航天数联信息技术(深圳)有限公司 Method and system for controlling computer system user rights
CN103530568A (en) * 2012-07-02 2014-01-22 阿里巴巴集团控股有限公司 Authority control method, device and system
US10169571B1 (en) * 2012-07-18 2019-01-01 Sequitur Labs, Inc. System and method for secure, policy-based access control for mobile computing devices

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110728452A (en) * 2019-10-14 2020-01-24 普元信息技术股份有限公司 System and method for realizing selection control of multidimensional organization integration personnel in distributed flow system
CN110728452B (en) * 2019-10-14 2024-02-06 普元信息技术股份有限公司 System and method for realizing multi-dimensional organization integrated personnel selection control in distributed flow system
CN111444543A (en) * 2020-04-02 2020-07-24 深圳市康拓普信息技术有限公司 Data authority management method and system
CN111444543B (en) * 2020-04-02 2023-02-28 南方电网数字平台科技(广东)有限公司 Data authority management method and system
CN112765627A (en) * 2021-01-22 2021-05-07 重庆允成互联网科技有限公司 Business report data authority control method based on double-layer authority control
CN112765627B (en) * 2021-01-22 2022-02-18 重庆允成互联网科技有限公司 Business report data authority control method based on double-layer authority control
CN112559580A (en) * 2021-02-19 2021-03-26 北京宇信科技集团股份有限公司 Data query method, device and equipment
CN112559580B (en) * 2021-02-19 2021-05-14 北京宇信科技集团股份有限公司 Data query method, device and equipment
CN113377882A (en) * 2021-06-08 2021-09-10 北京巨网云互联科技有限公司 Method for realizing relation model in internet organization and among organizations
CN113377882B (en) * 2021-06-08 2022-10-04 巨网云互联(北京)科技股份有限公司 Method for realizing relation model in internet organization and among organizations
CN116633636A (en) * 2023-05-29 2023-08-22 三峡高科信息技术有限责任公司 Hierarchical access control method in enterprise information system
CN117708884A (en) * 2024-02-04 2024-03-15 珠海金智维信息科技有限公司 Data authority database middleware based on field tagging

Similar Documents

Publication Publication Date Title
CN110298192A (en) Hierarchical permission management component for a management information system adapted to multiple organization types
CN108984715B (en) Method for setting approval process based on basis field
CN109086627A (en) The checking method of form data operation
CN109214150B (en) Form operation authority authorization method based on role
Giuri et al. A formal model for role-based access control with constraints
CN107103228B (en) Role-based one-to-one authorization method and system for user permission
CN100565453C (en) A kind of field basic business platform and construction method thereof based on member
CN108932610B (en) System dispatching method
CN110472388B (en) Equipment management and control system and user permission control method thereof
Chen et al. A distributed algorithm for graphic objects replication in real-time group editors
CN109032458A (en) The authorization method for the form data that based role obtains
CN109167717A (en) The method for presetting instant messaging account contact person and default address list according to the communication relations between role
CN105184144A (en) Multi-system privilege management method
CN104243453A (en) Access control method and system based on attribute and role
CN102571815B (en) A kind of method of e-procurement privately owned cloud integrating ERP authenticating user identification
CN107808103A (en) The control method and control device of a kind of data permission
CN107392053A (en) A kind of data permission control method in enterprise staff information database
CN110298189A (en) Data base authority management method and equipment
CN108875391B (en) Authority display method for system after employee logs in account
CN109102253A (en) Approver is directed to the method that examination & approval task consults advisory opinion
CN108509807A (en) A kind of the table data authority control system and method for based role
CN110245499A (en) Web application rights management method and system
CN108921520A (en) Count list operation permission grant method
CN108958870B (en) Shortcut function setting method
CN106534202A (en) Permission processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20191001)