CN110298192A - A kind of classification rights manager component of the management information system of adapted to multi-type tissue - Google Patents
- Publication number
- CN110298192A (application number CN201910487654.4A)
- Authority
- CN
- China
- Prior art keywords
- user
- organization
- data
- role
- awarded
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
A hierarchical permission management component for management information systems adapted to multiple organization types, comprising: application filter condition configuration, which defines the conditions that the data the currently logged-in user may view in an application must satisfy; conditions are defined parametrically and expressed as a data-table attribute value falling within the currently logged-in user's data permission scope of some type, or as data rows existing under the intersection condition, such rows being viewable. User data permission hierarchical configuration assigns users to specified roles and grants the corresponding organizations; roles are associated with application conditions and also with users. User data permission control controls the data scope that the currently logged-in system user can view in a specific application. Through these functional modules, the filter conditions configured for the application and the role and organization of the currently logged-in user from the user data permission hierarchical configuration can be obtained. The hierarchical permission management component of the present invention achieves the purpose of reducing the overall construction cost of a management information system and improving development efficiency and construction quality.
Description
Technical field
The present invention relates to the field of management information system security, and specifically to a hierarchical permission management component for management information systems adapted to multiple organization types.
Background technique
Permission management is a fundamental functional module of a management information system and its security guarantee; its role in the system is indispensable. At the data level, however, permission configuration and control have so far been realized unsatisfactorily: the technical methods in use are generally hard-coded and combined with data rules, and no generally applicable, easy-to-use permission management component exists.
Realizing data-level permissions is a technical difficulty of management information system construction. Implementing data-level permissions for each business function module of a system requires modifying configuration and code, and once the data of the individual business function modules involve different organization types, the system's permission configuration and control become even more complex. In the development phase this places high demands on the developers' technical skill and business familiarity; in the operations and maintenance phase, authorization configuration by administrators is also complex. Realizing data-level permission management with current technical methods requires a large cost in manpower, time and quality assurance, and in addition leaves the system's extensibility and maintainability low.
Summary of the invention
The purpose of the invention is that, in data-level permission configuration, the data permissions of users in a role can be granted hierarchically according to a tree-shaped organization, and the data-level permission configuration of users in a specific type of role is completed automatically by the system according to business data, so that data-level permission configuration is made convenient; and to provide a hierarchical permission management component for management information systems adapted to multiple organization types, in which the data filtering conditions of data-level permission control can be configured parametrically, and data permission filtering control can be realized by connecting to a unified component service interface without writing additional code, so that data-level permission control is simplified. This achieves the purpose of reducing the overall construction cost of a management information system and improving development efficiency and construction quality.
The technical scheme adopted by the invention is as follows:
A hierarchical permission management component for management information systems adapted to multiple organization types, including the following functional modules:
Application filter condition configuration, for defining the conditions that the data the currently logged-in user may view in an application must satisfy; conditions are defined parametrically and expressed as a data-table attribute value falling within the currently logged-in user's data permission scope of some type, or as data rows existing under the intersection condition, such rows being viewable;
User data permission hierarchical configuration, for assigning users to specified roles and granting the corresponding organizations; roles are associated with application conditions and also with users, so that users are associated with the data filtering conditions an application has. Within one role, if the same user holds more than one organization permission, that user can be assigned to the role repeatedly and granted the corresponding different organizations;
User data permission control, for controlling the data scope that the currently logged-in system user can view in a specific application.
Through these functional modules, the filter conditions configured for the application where the currently logged-in user is, together with the user's role and organization from the user data permission hierarchical configuration, can be obtained; combining the tags of the filter condition expressions with the organizations granted to the user forms the filter condition SQL statement for the data table concerned by the application, which is assembled into the corresponding application's data query SQL to realize data query scope control.
The technical effects of the hierarchical permission management component of the present invention are as follows:
(1) The component is developed in the JAVA language, can be conveniently integrated into management information systems in a JAVA environment, and its integration cost is relatively low.
(2) The component is suitable for management information systems with multiple organization types, and can realize data query scope control over business data registered by different organization types; its range of adaptability is wide.
(3) The component makes data permission control simple: data query scope control is realized merely by connecting to the component's unified service interface, which has a positive effect on the progress, cost and quality control of management information system construction.
(4) The component's user data permission configuration is easy to use, and in addition realizes the automatic assignment of users with business-data-related roles and their organization permissions. For example, for the ordinary party member role, assignment can be performed automatically according to the party members in the system and their Party group organization data, which greatly reduces the workload of the system operation and maintenance phase and effectively reduces its labour cost.
(5) Using the component, the maintainability and scalability of the system's data permission control functions are higher; in particular, when the business changes, only configuration parameters need to be modified.
Detailed description of the invention
Fig. 1 is the entity-relationship diagram (ER diagram) of the application filter condition configuration and user data permission hierarchical configuration of the present invention.
Fig. 2 is the flow chart of the user data permission control algorithm of the present invention.
Specific embodiment
The hierarchical permission management component for management information systems adapted to multiple organization types is mainly composed of three functional modules: application filter condition configuration, user data permission hierarchical configuration, and user data permission control. The specific technical implementation is as follows:
(1) Application filter condition configuration:
Application filter condition configuration defines the conditions that the data the currently logged-in user may view in an application must satisfy. Conditions are defined parametrically, and the general expression is that a data-table attribute value falls within the data permission scope of the currently logged-in user's type, or that data rows exist under the intersection condition, such rows being viewable.
According to the tree-like organization, data permission types can be divided into: the granted organization itself; the granted organization and its direct subordinate organizations; the direct subordinate organizations of the granted organization; the granted organization and all its sub-level organizations; all sub-level organizations of the granted organization; the granted organization and its direct parent organization; the direct parent organization of the granted organization; the granted organization and all its parent organizations; all parent organizations of the granted organization. Data permission types are managed by tags, and each type corresponds to its tag identification code.
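The nine permission types above are all walks over the organization tree, anchored at the organization granted to the user. The following is an added illustration, not the patent's JAVA component: it builds the tree from the three attributes the patent requires of the bound organization data-source table (organization identifier, name, parent identifier) and resolves each type to a concrete set of organization identifiers. The organization rows and the tag codes T1 to T9 are constructed here; the patent assigns a tag identification code to each type but does not specify the codes.

```python
"""Resolve the nine organization-tree data-permission types to sets of org ids.

Added example, not code from the patent.  ORG_ROWS and the tag codes T1..T9
are constructed for demonstration.
"""
from collections import defaultdict

# Constructed organization data-source rows: (org_id, org_name, parent_org_id).
ORG_ROWS = [
    ("HQ",    "Headquarters", None),
    ("D1",    "Division 1",   "HQ"),
    ("D2",    "Division 2",   "HQ"),
    ("D1S1",  "Section 1-1",  "D1"),
    ("D1S2",  "Section 1-2",  "D1"),
    ("D1S1T", "Team 1-1-a",   "D1S1"),
]


class OrgTree:
    """Parent and child index over the bound organization table."""

    def __init__(self, rows):
        self.parent = {org_id: parent_id for org_id, _, parent_id in rows}
        self.children = defaultdict(list)
        for org_id, _, parent_id in rows:
            if parent_id is not None:
                self.children[parent_id].append(org_id)
        # A parent id that names no row would silently shrink or widen every
        # ancestor-based scope, so refuse to build such a tree.
        dangling = {p for p in self.parent.values() if p is not None and p not in self.parent}
        if dangling:
            raise ValueError(f"dangling parent references: {sorted(dangling)}")

    def direct_children(self, org):
        return set(self.children.get(org, ()))

    def descendants(self, org):
        found, stack = set(), list(self.children.get(org, ()))
        while stack:
            current = stack.pop()
            if current not in found:
                found.add(current)
                stack.extend(self.children.get(current, ()))
        return found

    def direct_parent(self, org):
        parent = self.parent.get(org)
        return {parent} if parent is not None else set()

    def ancestors(self, org):
        found, parent = set(), self.parent.get(org)
        while parent is not None:
            if parent in found:
                raise ValueError(f"cycle in organization tree at {parent}")
            found.add(parent)
            parent = self.parent.get(parent)
        return found


# Constructed tag codes, in the order the patent lists the nine types.
PERMISSION_TYPES = {
    "T1": ("granted org itself",                  lambda t, o: {o}),
    "T2": ("granted org and direct subordinates", lambda t, o: {o} | t.direct_children(o)),
    "T3": ("direct subordinates only",            lambda t, o: t.direct_children(o)),
    "T4": ("granted org and all sub-levels",      lambda t, o: {o} | t.descendants(o)),
    "T5": ("all sub-levels only",                 lambda t, o: t.descendants(o)),
    "T6": ("granted org and direct parent",       lambda t, o: {o} | t.direct_parent(o)),
    "T7": ("direct parent only",                  lambda t, o: t.direct_parent(o)),
    "T8": ("granted org and all parents",         lambda t, o: {o} | t.ancestors(o)),
    "T9": ("all parents only",                    lambda t, o: t.ancestors(o)),
}


def resolve_scope(tree, granted_orgs, tag):
    """Union of the permission-type scope over every organization granted to the user."""
    if tag not in PERMISSION_TYPES:
        raise KeyError(f"unknown permission type tag: {tag}")
    unknown = [o for o in granted_orgs if o not in tree.parent]
    if unknown:
        raise KeyError(f"granted organizations not in tree: {unknown}")
    _, walk = PERMISSION_TYPES[tag]
    scope = set()
    for org in granted_orgs:
        scope |= walk(tree, org)
    return scope


if __name__ == "__main__":
    tree = OrgTree(ORG_ROWS)
    for tag, (label, _) in PERMISSION_TYPES.items():
        print(tag, label, sorted(resolve_scope(tree, ["D1"], tag)))
```

A user assigned to the same role twice with different organizations (as the patent allows) is handled by passing both organizations in `granted_orgs`; the scope is the union. The root organization has no parent, so the parent-only types legitimately resolve to the empty set there, which the filter assembly must treat as "no rows" rather than "all rows".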
(2) User data permission hierarchical configuration:
User data permission hierarchical configuration assigns users to specified roles and grants the corresponding organizations. Roles are associated with application conditions and also with users, so that users are associated with the data filtering conditions an application has. Within one role, if the same user holds more than one organization permission, that user can be assigned to the role repeatedly and granted the corresponding different organizations. To facilitate the realization of user data permission control, to adapt to multiple organization types, and to make user data permission hierarchical configuration convenient, roles need to be classified and respective rules set.
According to actual needs, role types are designed as four classes: system administrator, hierarchical administrator, regular role, and special role. The associated rules are as follows:
[1] The system administrator is a system-level administrator and does not need an associated organization; users are not assigned to this role type in the user data permission hierarchical configuration, but in the role management of the system permission management module. A user granted the system administrator role can configure users and their organizations in the user data permission hierarchical configuration.
[2] Hierarchical administrators, regular roles and special roles need to be associated with an organization. A system may involve multiple organization types, and each role needs to be bound to exactly one organization-type data source table; the data source table bound to an organization must include the following attributes: organization data source table name, organization identifier attribute name, organization name attribute name, parent organization identifier attribute name.
[3] The hierarchical administrator role is a role that can perform hierarchical authorization according to the tree-like organization. A user in the hierarchical administrator role can assign users to the hierarchical administrator role, but the organization configured can only be a direct subordinate organization of the organization granted to the assigning user; a user in the hierarchical administrator role can assign users to regular roles, but the organization configured can only be the organization granted to the assigning user.
[4] A special role is a role of a specific type for which users and their organization permissions are assigned automatically according to business data; it needs to be bound to the function name that assigns users and grants organizations. Since the users of a special role and their organization permissions are assigned automatically by the system, special roles may not be assigned in the user data permission hierarchical configuration.
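Rules [1] to [4] together define who may assign whom to which role, and for which organization. The check below is an added illustration (not the patent's code) of enforcing those rules at the point where a hierarchical administrator submits an assignment: it rejects manual assignment of special roles and system administrators, lets a system administrator configure freely, and confines a hierarchical administrator to direct subordinates (for hierarchical administrator targets) or to their own granted organizations (for regular role targets). The role catalogue, organization identifiers and parent map are constructed here.

```python
"""Delegation check for user data permission hierarchical configuration.

Added example, not the patent's code.  ROLE_TYPES, PARENT and all identifiers
are constructed; the rules implemented are [1]-[4] of the role classification.
"""
SYSTEM_ADMIN, HIER_ADMIN, REGULAR, SPECIAL = "system_admin", "hier_admin", "regular", "special"

# Constructed role catalogue: role name -> role type.
ROLE_TYPES = {
    "SysAdmin":    SYSTEM_ADMIN,
    "RegionAdmin": HIER_ADMIN,
    "Clerk":       REGULAR,
    "PartyMember": SPECIAL,   # rule [4]: filled from business data, never by hand
}

# Constructed organization parent map: org_id -> parent_org_id (None for the root).
PARENT = {"HQ": None, "D1": "HQ", "D2": "HQ", "D1S1": "D1", "D1S2": "D1", "D2S1": "D2"}


def direct_children(parent_map, org):
    return {o for o, p in parent_map.items() if p == org}


def may_assign(grantor_roles, target_role, target_org,
               role_types=ROLE_TYPES, parent_map=PARENT):
    """Decide whether the grantor may assign target_role for target_org.

    grantor_roles maps each role the grantor holds to the set of organizations
    granted to the grantor under that role.  Returns (allowed, reason).
    """
    if target_role not in role_types:
        return False, "unknown role"
    if target_org not in parent_map:
        return False, "unknown organization"
    target_type = role_types[target_role]

    # Rule [4]: special roles are assigned automatically, never in this module.
    if target_type == SPECIAL:
        return False, "special roles are assigned automatically from business data"
    # Rule [1]: system administrators are created in the system permission
    # management module, not in hierarchical configuration.
    if target_type == SYSTEM_ADMIN:
        return False, "system administrators are assigned in the system permission module"
    # Rule [1]: a system administrator may configure users and organizations freely.
    if any(role_types.get(r) == SYSTEM_ADMIN for r in grantor_roles):
        return True, "grantor is a system administrator"

    # Rule [3]: hierarchical administrators delegate only within their subtree.
    for role, orgs in grantor_roles.items():
        if role_types.get(role) != HIER_ADMIN:
            continue
        if target_type == HIER_ADMIN:
            # New hierarchical administrators: only direct subordinate organizations.
            allowed = set().union(*(direct_children(parent_map, o) for o in orgs))
        else:
            # Regular roles: only the organizations the grantor holds itself.
            allowed = set(orgs)
        if target_org in allowed:
            return True, f"delegated through {role}"

    return False, "target organization outside the grantor's delegation scope"


if __name__ == "__main__":
    grantor = {"RegionAdmin": {"D1"}}
    for role, org in [("RegionAdmin", "D1S1"), ("RegionAdmin", "D1"), ("Clerk", "D1"),
                      ("Clerk", "D1S1"), ("PartyMember", "D1"), ("Clerk", "D2")]:
        print(role, org, may_assign(grantor, role, org))
```

The check is deliberately a whitelist: anything not explicitly permitted by a rule is refused, and the reason string is what an audit log of the configuration module should record alongside the grantor, target user, role and organization.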
(3) User data permission control:
User data permission control controls the data scope that the currently logged-in system user can view in a specific application. Through this functional module, the filter conditions configured for the application where the currently logged-in user is, together with the user's role and organization from the user data permission hierarchical configuration, can be obtained; combining the tags of the filter condition expressions with the organizations granted to the user forms the filter condition SQL statement for the data table concerned by the application, which is assembled into the corresponding application's data query SQL to realize data query scope control. Therefore, when the hierarchical permission management component is used, data query scope control is realized automatically merely by connecting to the unified service interface of user data permission control.
Embodiment 1:
See Fig. 1. The entities of this embodiment include: (1) application, (2) filter condition, (3) role, (4) user-organization relationship. The relationships between the entities are: (1) application and (2) filter condition have a one-to-many configuration relationship; (3) role and (1) application have a many-to-many authorization relationship; (3) role and (2) filter condition have a many-to-many authorization relationship; (3) role and (4) user-organization relationship have a many-to-many assignment relationship.
Embodiment 2:
The specific steps of the user data permission control method are as follows:
Step 1: the currently logged-in system user accesses application A; the initial filter condition SQL begins as "" (empty);
Step 2: obtain the roles granted to the user for application A;
Step 3: judge whether the number of roles granted to the user is 0; if so, go to the next step, otherwise go to step 5;
Step 4: set the filter condition SQL to "1!=1" and go to step 16;
Step 5: query the roles granted for application A and their configured filter conditions;
Step 6: obtain the i-th (i = 1, ..., M, where M is the number of roles for application A assigned to the user) role granted for application A and its configured filter conditions;
Step 7: judge whether the current role is granted a filter condition for application A; if not, go to the next step, if so, go to step 9;
Step 8: set the filter condition SQL to "1=1" and go to step 16;
Step 9: query and obtain the organizations granted to the current user under the assignment of the current role;
Step 10: obtain the j-th (j = 1, ..., N, where N is the number of filter conditions granted to the current role) configured filter condition of the current role;
Step 11: parse the tag of the filter condition to obtain the current filter condition SQL, joined to the preceding conditions of this role with "AND";
Step 12: j = j + 1; judge whether j is less than or equal to the number of filter conditions granted to the current role; if so, return to step 10, otherwise go to the next step;
Step 13: judge whether the current filter condition SQL is identical to the filter condition SQL of a previous role; if so, do not assemble the current filter condition SQL into the filter condition SQL and go to step 15, otherwise go to the next step;
Step 14: set the filter condition SQL to the filter condition SQL joined with "OR" to the current filter condition SQL;
Step 15: i = i + 1; judge whether i is less than or equal to the number of roles for application A assigned to the user; if so, return to step 6, otherwise go to the next step;
Step 16: assemble the filter condition SQL into the application query statement, realizing data scope control over the rows of the business data table.
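Steps 1 to 16 are a small state machine: no role yields "1!=1" (no rows), any role without a filter condition yields "1=1" (all rows), and otherwise each role's conditions are joined with AND and the roles with OR, skipping a role whose SQL repeats an earlier one. The following is an added worked example of that control flow, not the patent's JAVA component. Role grants, filter conditions and organization scopes for application A are constructed inline, and the organization scope per (role, tag) is supplied already resolved. One deliberate departure from a literal string build: organization identifiers are emitted as bind parameters (`?`) rather than spliced into the SQL text, so the generated WHERE fragment cannot be altered by a hostile organization identifier in the data source table.

```python
"""Filter condition SQL assembly following Embodiment 2, steps 1-16.

Added example, not the patent's code.  APP_A_FILTERS, USER_SCOPES and the tag
codes are constructed.  Organization ids become bind parameters instead of
being spliced into the statement.
"""
import re

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed configuration for application A: role -> list of (column, tag).
# The tag names a data-permission type whose organization scope replaces it.
APP_A_FILTERS = {
    "DivisionClerk": [("dept_id", "T4")],
    "Auditor":       [("dept_id", "T4"), ("owner_id", "T1")],
    "Dashboard":     [],                 # authorized for A, no filter condition
}

# Constructed: organization scope the user holds per (role, tag), already
# resolved from the organization tree (step 9 plus tag parsing).
USER_SCOPES = {
    ("DivisionClerk", "T4"): ["D1", "D1S1", "D1S2"],
    ("Auditor", "T4"):       ["D1", "D1S1", "D1S2"],
    ("Auditor", "T1"):       ["D1"],
}


def condition_sql(column, org_ids):
    """Step 11: one parsed filter condition, as SQL text plus bind parameters."""
    if not IDENT.match(column):
        raise ValueError(f"refusing unsafe column name: {column!r}")
    if not org_ids:
        return "1!=1", []          # empty scope matches no row, never all rows
    placeholders = ", ".join("?" for _ in org_ids)
    return f"{column} IN ({placeholders})", list(org_ids)


def build_filter(user_roles, app_filters, user_scopes):
    """Steps 1-15: return (where_fragment, params) for the current user."""
    filter_sql, params = "", []                              # step 1
    roles = [r for r in user_roles if r in app_filters]      # step 2
    if not roles:                                            # steps 3-4
        return "1!=1", []
    seen = set()
    for role in roles:                                       # steps 5-6, 15
        conditions = app_filters[role]
        if not conditions:                                   # steps 7-8
            return "1=1", []
        parts, cur_params = [], []
        for column, tag in conditions:                       # steps 10-12
            sql, bound = condition_sql(column, user_scopes.get((role, tag), []))
            parts.append(sql)
            cur_params.extend(bound)
        cur_sql = " AND ".join(parts)
        key = (cur_sql, tuple(cur_params))
        if key in seen:                                      # step 13
            continue
        seen.add(key)
        if filter_sql:                                       # step 14
            filter_sql = f"{filter_sql} OR ({cur_sql})"
        else:
            filter_sql = f"({cur_sql})"
        params.extend(cur_params)
    return filter_sql, params


def apply_filter(base_sql, user_roles, app_filters=APP_A_FILTERS, user_scopes=USER_SCOPES):
    """Step 16: attach the fragment to an application query that has no WHERE yet."""
    where, params = build_filter(user_roles, app_filters, user_scopes)
    return f"{base_sql} WHERE {where}", params


if __name__ == "__main__":
    print(apply_filter("SELECT * FROM business_data", ["DivisionClerk", "Auditor"]))
    print(apply_filter("SELECT * FROM business_data", ["Guest"]))
```

Two edge cases matter for a defender reading this. First, a role whose organization scope resolves to nothing (for example a parent-only type granted at the root) produces `1!=1` for that condition rather than an invalid `IN ()`, so the failure mode is denial, not disclosure. Second, step 8 means a single role with no filter condition opens the whole table regardless of the user's other roles, so granting a role to an application without conditions should be treated as an explicit "all rows" decision and reviewed as such.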
Claims (6)
1. A hierarchical permission management component for management information systems adapted to multiple organization types, characterized in that it includes the following functional modules:
Application filter condition configuration, for defining the conditions that the data the currently logged-in user may view in an application must satisfy; conditions are defined parametrically and expressed as a data-table attribute value falling within the currently logged-in user's data permission scope of some type, or as data rows existing under the intersection condition, such rows being viewable;
User data permission hierarchical configuration, for assigning users to specified roles and granting the corresponding organizations; roles are associated with application conditions and also with users, so that users are associated with the data filtering conditions an application has; within one role, if the same user holds more than one organization permission, that user can be assigned to the role repeatedly and granted the corresponding different organizations;
User data permission control, for controlling the data scope that the currently logged-in system user can view in a specific application;
Through these functional modules, the filter conditions configured for the application where the currently logged-in user is, together with the user's role and organization from the user data permission hierarchical configuration, can be obtained; combining the tags of the filter condition expressions with the organizations granted to the user forms the filter condition SQL statement for the data table concerned by the application, which is assembled into the corresponding application's data query SQL to realize data query scope control.
2. The hierarchical permission management component for management information systems adapted to multiple organization types according to claim 1, characterized in that: in the application filter condition configuration functional module, data permission types are divided according to the tree-like organization into: the granted organization itself; the granted organization and its direct subordinate organizations; the direct subordinate organizations of the granted organization; the granted organization and all its sub-level organizations; all sub-level organizations of the granted organization; the granted organization and its direct parent organization; the direct parent organization of the granted organization; the granted organization and all its parent organizations; all parent organizations of the granted organization.
3. The hierarchical permission management component for management information systems adapted to multiple organization types according to claim 2, characterized in that: data permission types are managed by tags, and each type corresponds to its tag identification code.
4. The hierarchical permission management component for management information systems adapted to multiple organization types according to claim 1, characterized in that: in the user data permission hierarchical configuration functional module,
role types include system administrator, hierarchical administrator, regular role and special role, with the following associated rules:
The system administrator is a system-level administrator and does not need an associated organization; users are not assigned to this role type in the user data permission hierarchical configuration, but in the role management of the system permission management module; a user granted the system administrator role can configure users and their organizations in the user data permission hierarchical configuration;
The hierarchical administrator is a role that can perform hierarchical authorization according to the tree-like organization; a user in the hierarchical administrator role can assign users to the hierarchical administrator role, but the organization configured can only be a direct subordinate organization of the organization granted to the assigning user; a user in the hierarchical administrator role can assign users to regular roles, but the organization configured can only be the organization granted to the assigning user;
A special role is a role of a specific type for which users and their organization permissions are assigned automatically according to business data; it needs to be bound to the function name that assigns users and grants organizations; since the users of a special role and their organization permissions are assigned automatically by the system, special roles may not be assigned in the user data permission hierarchical configuration.
5. The hierarchical permission management component for management information systems adapted to multiple organization types according to claim 4, characterized in that: hierarchical administrators, regular roles and special roles need to be associated with an organization; a system may involve multiple organization types, and each role needs to be bound to exactly one organization-type data source table; the data source table bound to an organization includes the attributes: organization data source table name, organization identifier attribute name, organization name attribute name, parent organization identifier attribute name.
6. The hierarchical permission management component according to any one of claims 1-5, characterized in that: the component is developed in the JAVA language.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910487654.4A CN110298192A (en) | 2019-06-05 | 2019-06-05 | A kind of classification rights manager component of the management information system of adapted to multi-type tissue |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110298192A true CN110298192A (en) | 2019-10-01 |
Family
ID=68027740
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910487654.4A Pending CN110298192A (en) | 2019-06-05 | 2019-06-05 | A kind of classification rights manager component of the management information system of adapted to multi-type tissue |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110298192A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110728452A (en) * | 2019-10-14 | 2020-01-24 | 普元信息技术股份有限公司 | System and method for realizing selection control of multidimensional organization integration personnel in distributed flow system |
CN111444543A (en) * | 2020-04-02 | 2020-07-24 | 深圳市康拓普信息技术有限公司 | Data authority management method and system |
CN112559580A (en) * | 2021-02-19 | 2021-03-26 | 北京宇信科技集团股份有限公司 | Data query method, device and equipment |
CN112765627A (en) * | 2021-01-22 | 2021-05-07 | 重庆允成互联网科技有限公司 | Business report data authority control method based on double-layer authority control |
CN113377882A (en) * | 2021-06-08 | 2021-09-10 | 北京巨网云互联科技有限公司 | Method for realizing relation model in internet organization and among organizations |
CN116633636A (en) * | 2023-05-29 | 2023-08-22 | 三峡高科信息技术有限责任公司 | Hierarchical access control method in enterprise information system |
CN117708884A (en) * | 2024-02-04 | 2024-03-15 | 珠海金智维信息科技有限公司 | Data authority database middleware based on field tagging |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103377336A (en) * | 2013-01-21 | 2013-10-30 | 航天数联信息技术(深圳)有限公司 | Method and system for controlling computer system user rights |
CN103530568A (en) * | 2012-07-02 | 2014-01-22 | 阿里巴巴集团控股有限公司 | Authority control method, device and system |
US10169571B1 (en) * | 2012-07-18 | 2019-01-01 | Sequitur Labs, Inc. | System and method for secure, policy-based access control for mobile computing devices |
Timeline
- 2019-06-05 CN CN201910487654.4A patent/CN110298192A/en active Pending
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110728452A (en) * | 2019-10-14 | 2020-01-24 | 普元信息技术股份有限公司 | System and method for realizing selection control of multidimensional organization integration personnel in distributed flow system |
CN110728452B (en) * | 2019-10-14 | 2024-02-06 | 普元信息技术股份有限公司 | System and method for realizing multi-dimensional organization integrated personnel selection control in distributed flow system |
CN111444543A (en) * | 2020-04-02 | 2020-07-24 | 深圳市康拓普信息技术有限公司 | Data authority management method and system |
CN111444543B (en) * | 2020-04-02 | 2023-02-28 | 南方电网数字平台科技(广东)有限公司 | Data authority management method and system |
CN112765627A (en) * | 2021-01-22 | 2021-05-07 | 重庆允成互联网科技有限公司 | Business report data authority control method based on double-layer authority control |
CN112765627B (en) * | 2021-01-22 | 2022-02-18 | 重庆允成互联网科技有限公司 | Business report data authority control method based on double-layer authority control |
CN112559580A (en) * | 2021-02-19 | 2021-03-26 | 北京宇信科技集团股份有限公司 | Data query method, device and equipment |
CN112559580B (en) * | 2021-02-19 | 2021-05-14 | 北京宇信科技集团股份有限公司 | Data query method, device and equipment |
CN113377882A (en) * | 2021-06-08 | 2021-09-10 | 北京巨网云互联科技有限公司 | Method for realizing relation model in internet organization and among organizations |
CN113377882B (en) * | 2021-06-08 | 2022-10-04 | 巨网云互联(北京)科技股份有限公司 | Method for realizing relation model in internet organization and among organizations |
CN116633636A (en) * | 2023-05-29 | 2023-08-22 | 三峡高科信息技术有限责任公司 | Hierarchical access control method in enterprise information system |
CN117708884A (en) * | 2024-02-04 | 2024-03-15 | 珠海金智维信息科技有限公司 | Data authority database middleware based on field tagging |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110298192A (en) | A kind of classification rights manager component of the management information system of adapted to multi-type tissue | |
CN108984715B (en) | Method for setting approval process based on basis field | |
CN109086627A (en) | The checking method of form data operation | |
CN109214150B (en) | Form operation authority authorization method based on role | |
Giuri et al. | A formal model for role-based access control with constraints | |
CN107103228B (en) | Role-based one-to-one authorization method and system for user permission | |
CN100565453C (en) | A kind of field basic business platform and construction method thereof based on member | |
CN108932610B (en) | System dispatching method | |
CN110472388B (en) | Equipment management and control system and user permission control method thereof | |
Chen et al. | A distributed algorithm for graphic objects replication in real-time group editors | |
CN109032458A (en) | The authorization method for the form data that based role obtains | |
CN109167717A (en) | The method for presetting instant messaging account contact person and default address list according to the communication relations between role | |
CN105184144A (en) | Multi-system privilege management method | |
CN104243453A (en) | Access control method and system based on attribute and role | |
CN102571815B (en) | A kind of method of e-procurement privately owned cloud integrating ERP authenticating user identification | |
CN107808103A (en) | The control method and control device of a kind of data permission | |
CN107392053A (en) | A kind of data permission control method in enterprise staff information database | |
CN110298189A (en) | Data base authority management method and equipment | |
CN108875391B (en) | Authority display method for system after employee logs in account | |
CN109102253A (en) | Approver is directed to the method that examination & approval task consults advisory opinion | |
CN108509807A (en) | A kind of the table data authority control system and method for based role | |
CN110245499A (en) | Web application rights management method and system | |
CN108921520A (en) | Count list operation permission grant method | |
CN108958870B (en) | Shortcut function setting method | |
CN106534202A (en) | Permission processing method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20191001 |